The impact and adoption of Social Networking as a media of communication, information sharing, interaction etc. is a given in today’s world. Facebook now talks about having 400 million users, 50% of which access the service every day! LinkedIn the so to say “professional social networking service” has 60 million users. Since inception in 2003, LinkedIn took 1.4 years to reach the first million and the last million was reached in only 12 days. India has over 3 million users on LinkedIn and yes India is the fastest growing user base across the world.
There have been several discussions around the security of the social networking sites, user risks, should the services be allowed by organizations etc. To me the benefits and adaptation of these services is so high that it would eventually be classified as a must have service on the internet, very much like email. Hence it would not be possible for organizations to block or curtail users from using social networking services.
Most if not all social networking service providers are taking active measures to protect their services and users, e.g. is the Safety Center of Facebook, which provides secure usage tips to several types of user profiles. Most of us follow the basic secure usage guidelines like:
- Don’t disclose private information
- Changing passwords
- Not accepting invites from unknown people
- Antivirus protection
- Checking privacy policies of the service providers
- Checking default configuration and settings etc.
However I think we need to focus a lot more on what I term as the “legitimate mistakes” which we commit. I call these legitimate as there seems to be nothing apparently wrong with what we have done, but it still leads to a security risk. I would provide few examples to illustrate the point.
During a specific project one our security specialist was testing a customer’s core application website. The website was configured well with proper security on the deployment environment. Hence the specialist was not able to find the usual vulnerabilities which he could exploit. His interim report said that site is secure and he doesn’t think that there are any vulnerabilities. However the next day he reverted that he was able to crack the admin password and hence the complete web service were exposed. The method he used as the first step to the credentials was very simple but effective. He used another low profile website of the customer and tried to login with the administrators name. He used the “forgot password” option, the security question for which was “Where did you go for your honeymoon”. He then searched for the administrators account on Facebook, got to know his wife’s name, who in turn had posted their honeymoon pictures on Flickr. It was easy for him to guess that they had gone to Kumarakom for their honeymoon.
From the administrators point of view, he doesn’t seem to have done anything wrong from a secure usage standpoint and nor his wife. Maybe her Flickr album should not have been public. This is an example of a “legitimate mistake”.
Lets take my own example, the only social networking service I use is LinkedIn. I use it not only for connecting with my professional contacts but also for “serious” services such as hiring, initiating contacts with business prospects or partners, using the TripIT add-on to plan my travel and to know who are in the vicinity etc. I have derived several benefits from LinkedIn e.g. lower higher costs, initiation professional contacts leading to business or partnerships, better utilization of time during travel etc. But time and again I tend to use LinkedIn to exploit “legitimate mistakes”.
E.g. when I see someone joining a job group, I can guess that he/she might be looking for a change. When I see one of my contacts connect with someone from competition, I know it’s time to act. I can review the profile of potential contacts to know their background, or I can go to the part where it tells me who has seen my profile and come to know who has been checking on me. I am sure others are exploiting my “legitimate mistakes” as well.
In summary the message is clear, none of us can stay away from social networking services, it’s important to use a service which seems secure and credible. It’s also important to follow the basic secure usage guidelines. However we still need to look at the “legitimate mistakes” we might make and be more careful and aware. All good services need users to consider “responsible usage” seriously, it’s always easier to watch out for the big mistakes, the smaller ones slip through and sometimes cause major damage.