Social Networking: The Dark Side
© 2009 FrontLine Security (Vol 4, No 1)

When it comes to social networking, it’s not what you know, or even who you know – it’s who knows you. And that’s pretty much where the trouble starts.

Social networks like Facebook, Twitter, MySpace, and LinkedIn are the increasingly popular community services that are designed to help people stay in touch. According to Nielsen Company research, more than two-thirds of the world’s Internet population visit social networking sites at least once a month, and nearly 10% of all time spent online is devoted to social networking.

In addition, growth in “member communities” is now twice that of any of the other five most popular sectors – and that includes search and email. The total amount of time spent by more than 100 million users on Facebook alone increased by a whopping 556% from December 2007 to December 2008.

With growth this fast, a reach this large, and a community of relatively undisciplined users, social networks are attracting scammers and criminals. The bulk of social networkers are between the ages of 18 and 49 – prime employment years, and ages where a mistake today could haunt them for many years into the future.

Social networking is designed to invite quick, off-the-cuff comments and updates. Facebook asks, “What’s on your mind?” while Twitter asks, “What are you doing?” Unfortunately, many users type in answers without thinking. One bright star “tweeted” the following on Twitter:

“Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.”

Since Twitter is an open network that anyone can read, her prospective employer read her “tweet” and now she doesn’t have to worry about the commute or her level of job satisfaction.

Another rocket scientist took some time off from work, telling her employer she couldn’t work in front of a computer and needed to lie in the dark. Unfortunately, during the time she was supposed to be too sick to use a computer, she was happily updating her Facebook page. After seeing the minute-to-minute updates, her employer decided to give her all the time in the world to update her Facebook page, since she’d no longer be needing to report to her job.

Many employers are also concerned that their employees will leak confidential corporate information via social networks, spend way too much work time playing with Twitter and Facebook, and possibly compromise the company’s security.

What does your so-called “friends list” say about you? I’m not a big social networker, but I maintain a rarely-used Facebook page. Most of my Facebook “friends” are people I don’t know, but felt obligated to accept into my friends list when they told me they were fans of my writing.

I decided to visit the Facebook page of one potential “friend,” only to discover that this European was a member of the Communist party. I work with the American national security apparatus and I can’t be “friending” a member of the Communist party. Then, one day, another “friend” (also someone I don’t know), invited me to his:

“Family Fun Show/Paul’s B-DAY Party – Turning 27 means Party Hats, Heroin, and Dead Hookers”

Even though it’s clear there was an attempt at humor, I couldn’t be involved in anything like this and immediately “unfriended” the guy.

But here’s the thing: what you say on Twitter and Facebook will be archived for years. A search done in 2029 – when Paul is Barack Obama’s age – will likely turn up his party invitation. And while Paul might just be a young, carefree guy now, what if Paul wants an important job or one where his reputation and character are important? Will “Party Hats, Heroin, and Dead Hookers” be his downfall?

Will a log of Twitter or Facebook postings provide future “palling around with terrorists” albatrosses for candidates in 2012 and beyond?

Malware, phishing and identity scams
A recent poll of IT managers by antivirus vendor Sophos indicates that a quarter of businesses have been the victim of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

Because social networking sites are public and reveal to the entire world who your circle of contacts is, con artists are able to use the information to trick unsuspecting users into sending money to foreign nations. Rather than receiving a spam message from an African prince, users are now getting desperate pleas that appear to come from their own friends, apparently in trouble and needing help urgently.

Many of these sites offer “apps” (small application programs that users can install) to run on their social networking sites. These apps are often pushed by friends who are unaware of hidden malware contained in the software. Sophos reports that nearly one third of users have been spammed on social networking sites, while almost one fourth (21%) of users have been the victim of targeted phishing or malware attacks.

Physical security and stalking
Finally, we come to the scariest aspect of social networking — issues of physical security. Kids, women, and other often-targeted potential victims are actively providing almost a complete roadmap to attack. Social networking users constantly post what they’re doing, where they’re heading, who their friends are, and even, using newer networks that show their physical locations... exactly where they actually are at any given time.

The potential for horror is enormous. If a criminal can easily find out where you are, what stores you frequent, what your daily habits are, who your friends are, and even what your personal food, entertainment, and beverage preferences are, you can be targeted with a level of ease never before possible.

The bottom line
As a cybersecurity expert, social networks scare the heck out of me. I accept that they’re here to stay and that they’re likely to become even more pervasive. But I worry that there is a deep and dangerous dark side to social networks, and I worry about the potential victims.

Lockdown or lockout will probably never work. It’s unlikely we’ll be able to keep users off these networks. But education might help. Like walking through a dangerous neighborhood, vulnerable, alone, and at night, users of social networks are at great risk. But if we can train them to keep identifying information off the Internet, think about what they say and type, and be aware and cautious, maybe social networking users will be just a little more safe.

David Gewirtz is the Cyberterrorism Advisor for the International Association for Counterterrorism and Security Professionals, a member of the FBI’s InfraGard program, and a member of the U.S. Naval Institute. He can be reached at