[Part 6 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series will also be available shortly as a white paper.]
Social Networks Can Be Very Anti-Social
Don’t disclose sensitive information on websites like FaceBook or LinkedIn if you can’t be sure that you can limit access to those data. Even information that in itself is innocuous can be combined with other harmless information and used in social engineering attacks.
In 2010, it’s more than likely that we’ll see increased targeting of social networks, such as Facebook, LinkedIn, Twitter in the US, and Orkut and Hi5 in South America. Attackers will be looking for data they can exploit from a social engineering standpoint, but they’ll also be looking for cross-site scripting and replicable malware attacks on the web sites as well as their APIs (Application Programming Interfaces).
Data mining (both legitimate and criminal) will have a wider range of effects on individuals, and some of those effects will be far from beneficial. A notable example is Facebook's lack of commitment to a realistic security model, which would be a very significant supplement to its rather generic security centre advice. It seems to me that Facebook is encouraging its users to share as much information as possible while essentially making them responsible for the security of their own data.
This isn't unique to Facebook, of course, or even to Web 2.0 providers in general. But some such services are grooming us to accept that it's legitimate for an ever-wider pool of data to be used to monitor our behaviour. It’s becoming harder to distinguish between appropriate and illicit use of personal data, in terms both of targeting advertised content and services, and of monitoring for security purposes by financial and governmental institutions, for instance. Lines are sometimes very blurred between legitimate and criminal data mining in some of these areas, and there are questions to be asked about validation: see http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card and my article at, among other places, http://www.eurograduate.com/article.asp?id=3015&pid=1.
Privacy tends to diminish where it's in the way of commercial rather than political interests. So, ironically enough, there will be particular and ongoing interest in data leakage where it affects public bodies, but selling on of information at the backdoor by more-or-less legal means will continue as it always has, though it's starting to attract some attention. This may be less true in Europe, where data protection and other directives -already- give some formal weight to the principle that organizations should only hold as much personal data as they need, rather than what they want. On the other hand, the libertarian lobby in the US may eventually take more notice of this issue, and its potential influence is considerable.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/