Ensuring the Security of Social Networks… Even When Users Reveal Too Much

On June 7, 2016, followers of the NFL’s Twitter feed were surprised when they read the announcement …

We regret to inform our fans that our commissioner, Robert Goodell, has passed away. He was 57. #RIP

As it turns out, Goodell was actually in good health and preparing to oversee another football season.

The culprit was a hacker, never identified, who had somehow got his hands on the account credentials to the NFL’s Twitter feed and decided to have a little fun with the account’s almost 20 million followers.

The news faded fast. It seems like hardly a week goes by without some celebrity social media account getting hacked, a situation that has social media executives scrambling to build teams of skilled cybersecurity professionals.

How Social Media Provides an Attack Vector for Hackers

It’s not just user accounts on social media networks that hackers target. In fact, the hackers that attempt to break in and commandeer social media accounts for the purpose of putting up amusing or embarrassing posts are harmless pranksters compared to the real cybercriminals.

With its broad reach and the ingrained trust that users place in their network of friends and followers, serious cybercriminals think of social media primarily as a delivery mechanism for more nefarious payloads designed to compromise more valuable data. Data like:

  • Bank accounts
  • Personal contact information
  • Business account credentials

Cross-site scripting (XSS) attacks were once the vehicle of choice for such hackers. XSS takes advantage of users’ ability to post raw code that will be rendered in other users’ browsers. By carefully crafting executable JavaScript, hackers could exploit vulnerabilities on millions of individual PCs when their owners simply viewed a particular post.
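The defence against the post-based XSS described above is to treat every user-supplied field as text, not markup, at the point it is written into another user’s page. The following is an added example, not code from the original article; the function names and the constructed sample post are our own.

```javascript
// Added example (not from the original article): why raw user posts must be
// HTML-escaped before they are rendered into other users' pages.
// renderPostUnsafe / renderPostSafe are hypothetical names for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can change HTML structure with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The classic mistake: user-supplied text concatenated straight into markup,
// so anything the poster typed becomes part of the viewer's page.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b>: ${body}</div>`;
}

// Hardened form: every untrusted field is escaped at the point of output.
function renderPostSafe(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude check used only to demonstrate the difference: does the rendered
// HTML still contain a script tag or an inline event handler?
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample post: the body carries markup instead of plain text.
const samplePost = {
  author: 'friendly_user',
  body: 'Check this out <script>alert(1)</script>',
};

console.log(renderPostUnsafe(samplePost.author, samplePost.body));
console.log(renderPostSafe(samplePost.author, samplePost.body));
```

In a real template engine this escaping is the default auto-escape behaviour; the point is that it must be applied on output, for every field, not by trying to filter "bad" input at post time.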

Hackers are Becoming More Clever… and More Brazen

For the most part, social media security experts have been successful at filtering such attacks, but hackers have become subtler in their approach. Now, attacks are executed through obfuscated links that take users directly to websites that mount direct attacks on browsers, particularly browsers that haven’t been patched with the latest security updates.

More and more, hackers are also simply contacting users directly and posing as the social media site’s information security team under the ironic guise of protecting the user’s personal information. By convincing users that they have already been hacked, they spook them into revealing usernames and passwords so the problem can be “fixed.”

Fake offers for discounted or free goods or services are also propagated through social networks as a way to collect personal data or account credentials.

The most cunning level of social media attack is the targeted social engineering exploit. In 2014, SecurityWeek reported that Iranian hackers created fake personas specifically crafted to connect with and “friend” media and government targets of interest. The hackers then cultivated a level of trust that allowed highly specific spear-phishing attacks against those targets as a way to collect login data for secure government and business systems.

The attack used multiple social networks simultaneously and was reportedly successful at delivering malware and obtaining credentials that led to secure systems being compromised. Because the attack profile mimicked the typical use of the social networks, security teams failed to pick up on the effort for more than three years.

Protecting Social Media Users … From Themselves

The fault behind security breaches rarely rests with the social network itself. In most cases it’s simply the victim’s weak password that’s to blame.

Still, the headlines can be merciless: “Details of 33 Million Twitter Accounts Hacked and Posted Online.”

Even though the fine print admits that the credentials were stolen because of email exposure and breaches at other companies that had nothing to do with Twitter, social media companies are usually the ones that end up with a black eye.

This presents a particular challenge to information security professionals working for social network companies who not only have to defend their own networks and staff against cyberattacks (even Mark Zuckerberg has not been immune), but also have to find tactful and expedient ways to protect users from themselves.

Proactive Policing and User Education

Twitter information security staff find themselves in the awkward position of trawling the dark web, looking for evidence of user account breaches they are not directly responsible for, and notifying users proactively, before their Twitter accounts can actually be hijacked.

Most social media platforms are moving heavily into user education as a core information security strategy. Sites now encourage the use of:

  • Password managers (which ensure uniqueness and complexity in site passwords without requiring memorization or insecure storage of those passwords)
  • Two-factor authentication
  • Secure HTTP (HTTPS) encryption

In fact, many sites are moving to require HTTPS encryption on all pages, attempting to preemptively block many possible man-in-the-middle attacks.
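What “HTTPS on all pages” looks like at the edge of a site, as an added example that is not part of the original article: a framework-agnostic policy function that redirects plain-HTTP requests and, on HTTPS, adds an HSTS header so the browser keeps using HTTPS afterwards (HSTS goes one step beyond what the paragraph describes). The function name, the request shape and the `trustProxy` flag are our own assumptions.

```javascript
// Added example (not from the original article): enforce HTTPS for every
// request and pin the browser to HTTPS with Strict-Transport-Security.
// enforceHttps and the request object shape are hypothetical.

const HSTS_MAX_AGE_SECONDS = 31536000; // one year

// request: { scheme: 'http'|'https', host, path, forwardedProto? }
// trustProxy: honour X-Forwarded-Proto only when a trusted load balancer
// sets it; otherwise a client could claim "https" and skip the redirect.
function enforceHttps(request, trustProxy = false) {
  const scheme = trustProxy && request.forwardedProto
    ? request.forwardedProto.toLowerCase()
    : request.scheme.toLowerCase();

  if (scheme !== 'https') {
    // Plain HTTP: redirect permanently and serve nothing over the clear channel.
    return {
      action: 'redirect',
      status: 301,
      location: `https://${request.host}${request.path}`,
      headers: {},
    };
  }

  // Already HTTPS: serve the page and tell the browser to stay on HTTPS for a
  // year, so later plain-HTTP links are upgraded before any request is sent.
  return {
    action: 'serve',
    status: 200,
    location: null,
    headers: {
      'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE_SECONDS}; includeSubDomains`,
    },
  };
}

// Constructed sample request, as a plain-HTTP client would present it.
console.log(enforceHttps({ scheme: 'http', host: 'social.example', path: '/settings' }));
```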

OK – Users Aren’t Always to Blame: A History of Mistakes and the Dark Secret of Open APIs

Social media sites have also had plenty of internal security failings. With the vast amounts of personal information they collect, maintaining confidentiality sometimes takes a backseat to functionality.

Back in 2013, Facebook inadvertently exposed personal information from more than six million users through a glitch that allowed contacts to access more information than they were supposed to have access to.

Many users are also concerned with a different sort of compromise, one either tacitly or officially sanctioned by the social media company itself. As reported by the public interest research group ProPublica in 2012, third-party companies use APIs (Application Programming Interfaces) and bulk data download functions that social media companies provide to harvest personal information on users and resell it to marketing firms and other businesses.

Although this sort of activity may violate the terms of use, in some cases company executives might decide to explicitly allow it.

And by their very nature, social media networks can be vulnerable to certain types of manipulation that aren’t necessarily identifiable by conventional security screening techniques.

For identity thieves, personal information is highly coveted, but social networks are explicitly designed to make sharing things like birthdays, contact info and other personal information easy for users. Cybersecurity professionals have to walk a fine line in deciding how much control to exercise, how much control users should have, and how much information to leave out of social networks so they can function properly without becoming excessively risky to use.
