Can Cyber Criminals Exploit Postings on Facebook and Twitter?
by MITZI PERDUE
May 18, 2012
Suppose it was you who put up this innocent-looking Facebook post. The post would be guaranteed to worry Mark Herschberg, an MIT-trained cryptographer and a New York-based cyber-security expert and CTO. He would find a number of causes for concern, since he knows that women are particularly vulnerable to misuse of the information they share on social media.
"Your Facebook/Twitter status and photos say a lot about you," he says, adding, "A determined person may already have found out that you're a woman, learned where you live and whether you live alone. With that post, the bad guy now knows that you're not home. That post could set you up for a robbery or even a physical attack."
He goes on to say, "On top of that, the bad guy also knows it's your birthday, and if he's a determined cyber-criminal, this could help him hack your identity."
Identity theft is a serious issue for women. According to the Affinion Security Center, 17 percent of female identity theft victims have lost $1,000 or more to the crime, versus only 10 percent of male victims.
If you were talking with Mark about this, you might answer him, "But I keep my Twitter and Facebook accounts private. Why should I worry?"
His answer: "Even if you have your privacy settings set to friends of friends, some of those friends might be easy-going and accept all friend requests, and now you have a hole in your security. Cybercriminals are out there, looking to exploit those kinds of holes."
Herschberg also warns about a newer tactic cybercriminals use to exploit your social media information: spear phishing. Unlike traditional spam, spear phishing is highly targeted. The sender may impersonate a friend or colleague and build the message around details that apply specifically to you, details he or she learned from your social media accounts. The message may invite you to a conference on a topic that interests you, or ask you to check out a report on a topic they have learned is important to you. The goal is to get you to open a malicious attachment or visit a malicious website so the criminals can harvest sensitive information such as passwords. He recommends contacting your friend or associate to ask whether they really did send the e-mail.
Jody Westby heads Global Cyber Risk, a cyber security company in Washington, DC. She agrees about the dangers of putting information online, and since she knows that women are most often the ones who talk with and train their children about online safety, she wants women to be vigilant on behalf of their children. "Today children need to know not to give out their full name, or where they go to school, or their phone number when online unless they know the person."
Brian Krebs, an internet security journalist in Washington, DC, says beware of financial risks lurking in sudden, strange messages. "A hallmark of a malicious program," he says, "is, they try to get you to act quickly." For example, "Your credit card has expired. Click this link immediately or we will cancel your account."
Krebs recommends, "If you get an e-mail that purports to be from your bank and asks for information, or asks you to click a link and log in, it is very often a scam or a trap. If you have questions about whether one of these email addresses a real problem, call your financial institution. Do not reply to the message or take any other action!"
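The two warning signs above, Herschberg's impersonated sender and Krebs's pressure to act quickly, can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from either expert: it parses an e-mail with Python's standard `email` module and flags a display name that matches a known contact but arrives from a different address, a Reply-To that quietly redirects replies elsewhere, and urgency language in the subject or body. The address book, the urgency phrase list and both sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Hypothetical address book: display name (lower-cased) -> the address you know.
KNOWN_CONTACTS = {
    "jane colleague": "jane.colleague@example.com",
}

# Constructed list of "act quickly" phrases of the kind Krebs describes.
URGENCY_PHRASES = (
    "immediately", "right away", "within 24 hours", "or we will cancel", "has expired",
)

# Constructed sample 1: right display name, wrong address, hidden Reply-To, urgency.
SPEAR_PHISH = """\
From: Jane Colleague <jane.colleague@mail-example.net>
Reply-To: conference-desk@example-events.org
To: you@example.com
Subject: The privacy report you asked about
Content-Type: text/plain

Hi, here is the report you wanted. Please open the attachment immediately.
"""

# Constructed sample 2: a genuine note from the same colleague.
BENIGN = """\
From: Jane Colleague <jane.colleague@example.com>
To: you@example.com
Subject: Lunch
Content-Type: text/plain

Still on for Thursday?
"""


def phishing_flags(raw_message: str) -> list:
    """Return the warning signs found in one RFC 822 message, in a fixed order."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. A known contact's name on the envelope, but not the address you have for them.
    expected = KNOWN_CONTACTS.get(from_name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append("display-name-mismatch")

    # 2. Reply-To pointing somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to-mismatch")

    # 3. Pressure to act now, in the subject or any text/plain part.
    text = msg.get("Subject", "")
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            text += " " + part.get_payload()
    if any(phrase in text.lower() for phrase in URGENCY_PHRASES):
        findings.append("urgency")

    return findings


if __name__ == "__main__":
    for label, raw in (("spear phish", SPEAR_PHISH), ("benign", BENIGN)):
        print(label, "->", phishing_flags(raw) or "no flags")
```

None of these checks proves a message is malicious, and a real colleague can use a new address; they are a reason to do what both experts recommend and ask the person, by a channel other than replying to the message, whether they sent it.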
It's never a good idea to respond to spam, but when a message appears to come from a friend or family member it can be tricky. It might be genuine, or it could mean that their account was hacked.
So pause when you get e-mails that seem to come from a friend or relative or co-worker with short messages like, "Hey, check out this movie I saw, it's really funny," or "OMG! There's a video of you posted online that's awful!" or "Check out the attached file!"
Like Herschberg, Krebs recommends writing back and asking, "Did you send this?"
Krebs predicts that in a disconcerting number of cases the answer will be no, and the message was not friendly at all.
He also cautions against forwarding chain letters of the sort that tell you something wonderful will happen if you forward it to 10 of your friends. Chain letters are often generated by spammers as an exceptionally effective way for them to harvest current addresses. The chain letters are carefully worded to touch your heartstrings or religious or political beliefs, but don't forward them unless you're wishing more spam on yourself and your friends.
Chain letters that carry PowerPoint presentations of, for example, irresistibly beautiful scenes from China or scantily clad ladies from Russia, may have malicious programs hidden behind them that can take control of your computer.
Almost everyone in cyber security says to exercise extreme caution when opening attachments or clicking links. As Krebs says, "It may be good for instant gratification, but it can also be good for an instant bad day."
1. Change your passwords every 90 to 180 days.
2. Don't use the same password for different accounts. If someone is able to crack one password, you don't want him or her able to attack all your accounts.
3. Choose passwords that have a combination of numbers and upper and lower case letters. (One lady at the Fifth Avenue Apple Store in Manhattan uses the address of her dog's vet preceded by her first boyfriend's initials, so it comes out something like this: BAF348W94th. Three months later, she'll change it to her dentist's address and still later, she'll use the address of a local restaurant.)
4. Be careful about using passwords on public computers, which could have spyware or key loggers installed on them.
5. Keep all your software up to date, especially Java, which is a common vector for malware.
6. If you have an iPhone or an iPad, turn on its passcode lock. There are thieves in major cities who specialize in targeting people with iPhones or iPads in order to harvest information to sell to identity thieves.
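Tips 1 to 3 above are easy to state and easy to get wrong in practice. The following is an added example, not code from the article: it takes a small, constructed address book of accounts and passwords (reusing the pattern from tip 3 as sample data), shows which accounts a single leaked password would expose (tip 2), checks the mixed-case-plus-digits rule (tip 3), and rotates every account to its own fresh password generated from the operating system's cryptographic random source (tip 1). The account names and password values are hypothetical.

```python
import secrets
import string

# Constructed sample: account -> password. Two accounts share one password.
ACCOUNTS = {
    "bank": "BAF348W94th",
    "email": "BAF348W94th",
    "shopping": "Dentist22E15th",
}


def meets_policy(password: str) -> bool:
    """Tip 3: the password mixes digits with upper- and lower-case letters."""
    return (any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password))


def reused_passwords(accounts: dict) -> list:
    """Names of accounts whose password is also used on at least one other account."""
    counts = {}
    for pw in accounts.values():
        counts[pw] = counts.get(pw, 0) + 1
    return sorted(name for name, pw in accounts.items() if counts[pw] > 1)


def exposed_by_leak(accounts: dict, leaked_account: str) -> list:
    """Tip 2: if one account's password leaks, every account sharing it is exposed."""
    leaked = accounts[leaked_account]
    return sorted(name for name, pw in accounts.items() if pw == leaked)


def generate_password(length: int = 16) -> str:
    """A random password drawn with `secrets` (OS CSPRNG) that satisfies tip 3."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def rotate_all(accounts: dict) -> dict:
    """Tip 1: give every account a new password, each one different."""
    return {name: generate_password() for name in accounts}


if __name__ == "__main__":
    print("accounts sharing a password:", reused_passwords(ACCOUNTS))
    print("a leak of the bank password exposes:", exposed_by_leak(ACCOUNTS, "bank"))
    fresh = rotate_all(ACCOUNTS)
    print("after rotation, accounts sharing a password:", reused_passwords(fresh))
```

The point of `exposed_by_leak` is the one tip 2 makes: with the sample data, a breach of the bank password also hands over the e-mail account. Randomly generated passwords of this kind are meant to be stored in a password manager rather than remembered, which is what makes a different one per account practical.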
If you have antivirus software you are part of the way to being secure, but a computer with protective software is like a castle surrounded by a moat. The software can protect you, but not if you lower the drawbridge and open the castle gate.
Mitzi Perdue is a Maryland-based writer and former syndicated columnist with the Scripps Howard News Service. Her hobby is computer programming.