Facebook security and privacy pitfalls

In this interview, Andrei Serbanoiu, Online Threats Researcher at Bitdefender, discusses Facebook security and privacy pitfalls and the dangers of over-sharing on the social network, and offers insight for CISOs.

What are Facebook’s most significant security and privacy pitfalls and how do cybercriminals take advantage of them?
The most significant security pitfalls on Facebook are the open settings of personal information (public by default) and the trusted environment that allows scams to be posted at a really fast pace from one timeline to another.

In recent years, we’ve noticed an increasing number of fake profiles spreading malicious and fraudulent links on the social network. If a bogus profile is eventually taken down, scammers are able to create a new one in a matter of seconds; the same situation goes with dangerous websites and scams. Just a couple of days ago, Britons and users worldwide got infected on Facebook with a Trojan replicated on 6,000 different websites due to a scam that lured users with fake videos of their friends naked.

Our recent research also showed a migration towards Facebook sponsored ads. As they are encapsulated inside a trustworthy environment and have become part of the social network, more users are likely to fall for suspicious ads than for a general spam message. These adverts are hard to control by the social network due to the design of the platform that allows the creators of third-party applications to use whatever ad network they consider fit.

Is it more dangerous to over-share on Facebook today than it was a few years ago?
Over-sharing on Facebook today is more dangerous than a few years ago because users now tend to share personal information on different websites and social networks at the same time.

Malware creators now have a variety of cyber-crime tools at hand. From people search engines to real-time databases of companies, employees and interests, pictures and geo-locations harvested through “innocent” Android apps, hackers have a range of weapons at their disposal to use against users and enterprises.

Besides the complexity of cybercrime tools that may be used for targeted attacks, hackers also take advantage of the increasing number of unwary Facebook users who over-share private details. There are cases when users shared pictures with their new passports without blurring any detail. Over-sharing not only helps social media advertisers but also allows cyber-criminals to better pick their targets for precise and successful campaigns.

Facebook has a very comprehensive list of targeting options that range from certain age groups, to specific geographical areas, education groups or even specific interests (in a company or a domain). This allows for a very precise targeting of persons exposed to the message, unlike the very coarse one used in traditional spam-based advertising.

Over-sharing itself is encapsulated in the social network’s policy, which exposes non-savvy users to its open privacy settings, including open profiles and pictures and private information being made public by default. The recent launch of the Graph Search feature also helped scammers take advantage of the increasing over-sharing of information. Only security-conscious users rushed to lock down their privacy settings to keep personal details far from intruders. Graph Search allows everyone to find old posts, status updates and every comment, photo caption and check-in users have ever posted on the platform since opening an account.

Should the CISO be concerned about what type of information employees are posting on Facebook?
Every CISO should be concerned about the types of information employees are sharing on Facebook and other social networks as well. Facebook, in particular, offers a really open environment where people’s private life and jobs interfere on a regular basis. As soon as a Facebook user fills in his personal information regarding his employer, he is no longer just sharing his personal details, but also corporate information. The ability to search through people’s friend lists and timelines, the wide variety of open profiles and the fast propagation of pictures and messages are all vulnerabilities that the CISO should consider.

The CISO is not only technically supervising the company’s security, but also has to put in place a strategy to maintain the corporation’s vision while protecting the technology. The CISO should keep in mind that Facebook is a fruitful environment for the cyber-crime business and this could directly affect his work. Imagine how badly a targeted attack could affect the entire company after an employee falls for a social engineer, for example.

The role of a CISO is continuously evolving, so he should always keep up with the trends as his employees do. Maybe in a few years he will be concerned about appropriate standards and controls of micro-blogging platforms focusing on viral videos or of online newspapers created by employees themselves.

What threats do you expect to seriously evolve in the next five years, and what should users be on the lookout for?
I have been carrying out research on social network security for a couple of years and I’m astonished to discover that users continue to fall for the same types of scams and vulnerabilities despite the mitigation of the media, security companies and experts. However, I expect a wider number of cyber-criminals to create fake profiles for targeted attacks as focusing on a smaller and weaker prey could eventually bring them more money.

Users should be on the lookout for scams promising new promotions, vouchers and freebies, including new tech apparitions. They should also keep an eye on messages promising morbid details and videos of celebrities that have passed away. Facebook ads are also a dangerous environment that will probably be exploited heavily in the next five years too.