Hacking Social Media

The first comment I get when speaking about social media security is almost always, “so what, it’s social media.” Followed quickly by, “I’m not important anyway.” Mix that with comments like, “I’ve got nothing to hide.” and you have a society that can be happily insecure.

In December a hacked social media account gave a 30-something a rude awakening as he was let go from his job for derogatory posts made over three days which his employer found highly offensive. Even when he tried to tell them these posts were the result of being hacked, the damage had been done. Merry Christmas from hacking trolls. He was ‘unimportant’ right?

What are the reasons for these attacks on social media?

Fun and Games

Many hackers out there deface websites and social media for fun and recognition. It works a bit like graffiti really. “Check out what I did!” or “LOLZ the KKK now follows the United Negro College Fund and Black Lives Matter!” It’s all fun and games until…

Forced Shares

In this use of a hacked social media account the hackers share information that is either offensive or is fictitious though appearing to be legitimate. The malicious intent may have many drivers, but the consequences can be devastating.

One of the social media admins at Associated Press got their account hacked, which led to a sell-off on Wall Street due to misinformation. The credibility of the Associated Press was highly damaged that day. While it’s impossible to calculate the total costs, this one fake tweet cost the market $136 billion. While money can be remade, reputations are much harder to repair.

Another example involved a teenager who was outed as gay. The fallout on social media from friends and family of this 15-year-old, who lived in a very religiously conservative Mormon community, resulted in his suicide.

Setting Up for Greater Attacks

The most common of the forced shares, and one which can have widespread consequences, is the phishing link. Here your friends on social media will be directed to a page that can really harm them. As it comes from you, a trusted friend, and seems legit, this attack can have a disastrous effect on your friends and family.

Phishing is the attempt to acquire sensitive information such as usernames, passwords, credit card details and other sensitive information which allows for a wide variety of attacks against the target. Often phishing sites also try to install malware. With zero-day malware (new viruses and malware with no detection algorithm), these phishing sites pose a great threat to personal and corporate security.

Many times there are greater reasons than fun and games or embarrassing a person or company. Social media has brought Social Engineering to the forefront of security risks. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. Social media makes gathering the information about you easier too.

This can affect everyone

Identity Theft, Social Engineering, opening doors to phishing, malware, ransomware, and worse await you on the internet. Social media hacking contributes to these issues and more.

Everyone should be using strong passwords for social media. They should be using authentication helpers provided by many of the social media companies. Facebook for example has a wonderful feature that insists you verify new browsers or app installs. It is not just good practice but a necessity to utilize these features, especially if you use your social media account to admin a corporate page.

You may think that you’re not ‘important’ or ‘have nothing to hide’ but you are most definitely wrong. Privacy is important. There are real world consequences that you can face if you don’t better secure your social media accounts now. Start with better passwords, add some encryption, look into the security features offered by sites like Facebook and Twitter and above all, don’t be gullible!

Revisiting Privacy

Privacy: the state or condition of being free from being observed or disturbed by other people.

What is privacy? From one perspective, privacy is what was once called freedom and liberty. From another, it is to have a reasonable trust that what you have, discuss or know will not become general knowledge.

We can maintain our privacy in numerous ways. The catch-all and best of course is not to go anywhere or say anything, though our social nature precludes that as being reasonable. Which brings me to the question: What is reasonable privacy?

This is where opinion, emotion and ideals clash. FBI vs. Apple is one of the current examples. Our ideals of freedom and liberty (a.k.a. privacy) have taught us that a court or judiciary should find reasonable and probable cause to infringe on our privacy. However, when we have seen the government abuse this privilege, we logically take steps to prevent it. Apple and other tech leaders (e.g. Amazon, Microsoft, Google, IBM, Facebook, etc.) have had real concerns and costs associated with the government’s requests (warrants) and have been told that they must conform to the requests in secret. Their logical action is to use encryption to limit their own ability to conform.

As an individual, you now have the means to keep your privacy in an electronic format better than just 20 years ago. You feel safe that this security has been provided to you even when you do not understand the technology and methodologies involved. I call this “a reasonable expectation of security.” Herein lies yet another issue with privacy and technology. You.

Through our reasonable expectation of privacy we have a reasonable expectation of security with the technology we use. We expect our messages, emails, social media posts (the ones we have restricted to friends) and our computers to be safe. In general only 15% of adults understand the basics of information technology security according to research done at CYLab at Carnegie Mellon University. The basics are limited to things such as having a good password and installing a virus scanner on your computer.

It’s true that MS Windows comes with antivirus protection built … Unfortunately, Microsoft’s free antivirus tools will not protect your computer from modern malware. While Apple has a firewall, your Mac does not have antivirus by default. Linux has both a firewall and free antivirus available, though many distributions of Linux do not have them installed and active at install. Over 50% of smartphones have little to no antivirus or anti-malware software installed. 75% of personal computers are not adequately protected against harm.

Ultimately, the security of your computer or smartphone is dependent upon your own actions and software purchased. What risks should you be thinking about?

  • Malware stealing your passwords and login information
  • Ransomware that prevents you from using your computer or files
  • A hacker using your computer to attack others
  • Someone breaking into your system and altering or stealing files
  • Someone stealing your computer and accessing your personal information

All of these are risks, and many of these attacks can result in either social engineering (an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures) or outright identity theft. In the end, hackers or criminals want to gain value from what they do. There is an almost unlimited number of attacks that can result in their profit and your loss.

If you’re wanting a simple and interactive primer, watch the video below and try the game they discuss.

When I speak with people about privacy and security, I hear many people exclaim, “I have nothing to hide.” These people have a naive worldview where they have never had a breach or identity theft. I envy these people far more than they know. Their naïvety about what is a daily occurrence for so many people leaves me feeling the same as watching a small child act without fear. It does not change any of the real world facts or dangers, but they have the superpower of ignorance on their side.

Many of our privacy concerns are directed at the government. William Edward Binney in 2001 and Snowden in 2013 have highlighted the government’s reach. FBI vs. Apple has reawoken the DOJ’s reach through the judicial branch of government. These are real issues and on-going reaches to attain more power. One lady interviewed in Belgium today (March 22, 2016) following the bombings said, “They [the government] need to take away our privacy to get these people. Do it now.” This reactionary ideal has real consequences.

Many of us want to utilize all the wonderful internet tools which help us keep in touch, track our favorite sports and to even manage our shopping list. Yet people have no idea how internet businesses use and transfer personal data to others. Many people and policy makers are only just now discussing the reality that many businesses, online and off, quietly seek to identify consumers personally and sell information about them to others. The information is transferred to data brokers, repackaged and sold.

The not so new Information-Intensive Business Model relies on keeping people in the dark as they know that people object to this collection activity. Some of the selling points they offer businesses:

  • “We can secretly identify the address of your customer.”
  • “Not just the identity, but how they felt while visiting your store.”

Keeping things secret is important to businesses that purchase these services to avoid “losing customers who feel that you’re invading their privacy.” This business model is more prevalent than many people want to believe. Some of their software is even considered malware by leading security firms.

Consider this: without bothering to ask or tell you, retail stores are using systems that capture a unique, unchangeable identifier from your phone to track your movements and to identify you on your next visit. Currently this tracking is done on a pseudonymous basis. But how long do you think it will take for retailers to link the phone identifier to your contact information? And what remedy will you have—aside from leaving your phone at home—once this linkage occurs?

Connect this tracking with your point of sale system and link their credit information. Further connect this with facial & emotion recognition software which links social media accounts and you start to see the depth of this invasion of your privacy. Consider that your employer may use all this connected information in their human resources systems and you may not feel you have nothing to hide any longer.

There is not a single “Where should the line be drawn between Personal Privacy and Security?” statement, as the line is not just between you and the government, but also businesses, marketers and data brokers which capitalize on all this data for their customers in all areas of our lives. The data is no longer just being used to place ads in your browser window. It is an integral part of the profiling done to you by almost every business, even your employer.

FILM: ‘Nineteen Eighty-Four’ (1984) starring John Hurt and Richard Burton.

Big Brother is not just watching you. Big Brother is judging you.

Events have had a major impact on public attitudes on this issue. Terrorist attacks generate increased anxieties. For instance, the San Bernardino and Paris shootings in late 2015 had a striking impact. A Pew Research Center survey in December found that 56% of Americans were more concerned that the government’s anti-terror policies have not gone far enough to protect the country, compared with 28% who expressed concern that the policies have gone too far in restricting the average person’s civil liberties. Just two years earlier, amid the furor over Edward Snowden’s revelations about National Security Agency surveillance programs, more said their bigger concern was that anti-terror programs had gone too far in restricting civil liberties (47%) rather than not far enough in protecting the country (35%).

There is an ongoing conversation about privacy. While there are groups on the side of privacy such as Electronic Frontier Foundation, EPIC, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG and the Privacy Rights Clearinghouse, there are also over 175 governments and the many thousands of bureaus they contain with their own wishes. Were this the limit of players the conversation could be simple, but when you throw in the 10,000+ businesses that profit off violating your privacy, everything gets even more complex.

Pew Research stated: “One consistent finding over the years about public attitudes related to privacy and societal security is that people’s answers often depend on the context. The language of the questions we ask sometimes affects the way people respond.”

The conversation about Privacy and Security is a complex one. It is far better to be involved in this discussion than not. What actions can you take to get involved? You could read primers on the issues and threats. You can get involved with a group that supports some of your opinions about privacy. Better, get involved in more than one group. Most importantly, even if you have not had your privacy breached by the government, criminals or businesses, you should become aware of the threat and how it can be used against you and others.

Colin Bennett of the University of Victoria, author of The Privacy Advocates: “A lot of privacy advocacy is not only about privacy. It’s about honesty, and it’s about trust. And when a reputation has been damaged because a company has been seen to not have been entirely open about its policy, then that privacy message can resonate more effectively.”

So who owns the data about you? When we hear about the companies profiting hugely off our data it raises a natural question. Why don’t we benefit from it? Why don’t we get a say in how data about us is used?

Primers:

Americans feel the tensions between privacy and security concerns by Pew Research

The Privacy Advocates: Resisting the Spread of Surveillance (MIT Press) by Colin Bennett

Nothing to Hide: The False Tradeoff between Privacy and Security by Daniel J. Solove

Lockdown: Your Life: A Step-by-Step Manual for Securing Your Computer, Smart Phone, Online Banking Sessions & your Life From Identity Thieves by Aaron Anderson

Securing Your Computer to Maintain Your Privacy from Privacy Rights Clearinghouse

Free advice, while limited, is a useful place to start.

Something to read and think about: Animal Farm and 1984 by George Orwell or watch the movie: 1984 with John Hurt