Just because a social networking site says it is secure, and even if it has “TRUSTe,” “Hacker Safe” or other security and privacy assurance stamps on the site, it does not mean that bad things cannot happen. Take Facebook as a case in point.
Many security and privacy issues have plagued the highly popular TRUSTe stamped Facebook.
Many of the bad things are a result of what the site participants themselves have done, such as posting their personally identifiable information (PII) without restricting access, allowing everyone to see it; identity theft, cybercrime and even physical harm have resulted.
However, the security of the Facebook site and its supporting infrastructure is also something that should not be assumed to be bullet-proof; no organization is 100% secure.
On August 13, the “secret operational code” for the Facebook site was published online.
“The company blamed the leaked code on a ‘bug’ that meant that it was published accidentally, and said users should not be concerned. Facebook’s spokeswoman, Brandee Barker, said: ‘It was not a security breach and did not compromise user data in any way.’”
Regardless of what Brandee says, this was a security incident.
This strongly indicates Facebook had a lack of security to protect the code adequately. While this does not necessarily mean that the personal information on Facebook can now be accessed, it does point out the need to check into the security of social networking sites before using them. There is never a guarantee that the information you post on social networking sites will be safe from criminals, and others up to no good, at all times.
The article provided the following advice:
“Online safety tips
· Use complex and random passwords wherever possible, and try to use different passwords for every service you are registered with
· Choose specific security questions – not your mother’s maiden name or birthplace. “What colour did you paint the fence in 1973 is not something a hacker could find out, even from Facebook,” says Graham Cluley of the internet security firm Sophos
· Make virtual friends only with people you know and if you have doubts over their identity then check
· Be prepared for the consequences if you make your address or telephone number available online
· Avoid using machines accessed by the public, such as in internet cafes, and if you do, log out properly
· Print Email”
I want to expand upon some of these. Everyone using social networking sites needs to do so cautiously. These are just a few of the security precautions to follow:
* Do not post your social security number, birth date, credit card numbers, or other information that could be used for identity theft or other crimes. Not even if you think you have your site secured and only your trusted friends can get access. Remember that once you give information to someone else, it will be very easy for them to allow others to get to that information…even if they didn’t mean to.
* Use good passwords. Create them using a combination of numbers and letters, upper and lower case if possible, along with special characters if possible. Do not use something that others could easily guess, such as birthdates or family member names. Most people do not have a different password for every Internet site used…this could end up being hundreds for some folks. Most people can get by using the same good complex password according to the TYPES of sites used. For example, use the same good password for all the social networking sites, the same good password for the association/membership sites, etc. You should use unique passwords for each of your banks and other financial sites, though, if at all possible…you don’t want someone being able to get to all your money by knowing just one password.
* Choose security questions that are not discoverable by others. Yes, do not use your mother’s maiden name or birthplace. Instead use a fact that is not recorded somewhere, such as, “What was the name of your first pet?” I’m not sure many people would remember something they painted in 1973…most cannot remember activities such as this beyond a few days, let alone years.
* “Make virtual friends only with people you know.” Yes, always remember, “on the Internet nobody knows you are a dog!” What a great toon…it is so true, I love it! If you have any doubts about someone, it is best not to allow them to be part of your network of friends.
* If you post your address or telephone number online, others on the network may show up at your door! Don’t post this information for your own safety. If you want to share your contact information with someone you know and trust, send it directly to him or her within an email (preferably encrypted).
* Once you post a photo or video on the Internet others can copy it and potentially post it in lots of other places. You will likely never be able to get the images all off the Internet. Never post what you don’t want others to copy and post elsewhere. AndyITGuy recently pointed to a fantastic public announcement message that Roger at Infosecblog talked about that vividly demonstrates this. Check it out…it would be a fantastic awareness communication for you to use.
* Don’t visit the social networking sites on public computers, such as in airports or in coffee shops and Internet cafes. Your information could be stored on them without your knowledge and accessed by others after you leave. I’ve found far too much PII on public computers that were not completely logged off. Plus, I’ve found some PII within the notepad files of public computers. There are many more ways in which public computers store the users’ PII than most people are aware of.
* Well, if you print email, make sure you get it out of the printer before someone else does! At one company I know a middle manager, whose office was right next to the department printer, would make it a habit of checking the printer tray every time he heard the printer. He amassed a huge amount of other people’s messages within one of his deep filing cabinet drawers.
Tags: andyitguy, awareness and training, facebook, hacker safe, Information Security, infosecblog, IT compliance, policies and procedures, privacy, risk management, social network, truste