4/19/2018
02:00 PM

Securing Social Media: National Safety, Privacy Concerns

It's a critical time for social media platforms and the government agencies and private businesses and individuals using them.

RSA CONFERENCE 2018 – San Francisco – Governments and businesses around the world are navigating concerns around social media, which is playing an increasingly important role in both national and enterprise security.

Cyberspace is redrawing borders we haven't seen before, said James Foster, CEO at ZeroFOX, in a session entitled "POTUS is Posting: Social Media and National Security." Borders between people, once based on geography, are now based on apps. He presented a graphic illustrating their size: Facebook has 2 billion users, YouTube has 1.5 billion, WhatsApp has 1.2 billion, WeChat has 938,000.

"Social media is unavoidable," said Dr. Kenneth Geers, senior research scientist at Comodo Group. Platforms like Twitter and Facebook have greater influence on national security as they become a communication tool for global leaders and an attack vector for threat actors.

The presenters turned to the example of President Donald Trump, who is notorious for sharing updates and making national policy decisions on Twitter. Geers pointed out how the former Secretary of State, who didn't have a good relationship with the President, printed tweets to see the foreign policy of the day from the White House. Earlier on April 18, Trump tweeted an update stating CIA director Mike Pompeo had recently met with Kim Jong Un in North Korea.

"I promise you, people are printing out this tweet to figure out what to do today," said Geers. "The power of social media, to some degree, speaks for itself."

In this sense, Foster said, modern social media is the technological medium for sharing messages the same way television was decades ago. "Like it or not, regardless of the side of the aisle you're on, this is the new communication form for government, and it's not going to go away," Foster said. "Of course war can be declared on social media, for the first time in history."

The power and reach of social media extends to threat actors, who are leveraging it as a platform in increasingly large and dangerous attacks. It's a perfect area for information operations and false accounts; after all, social media provides the perfect amount of anonymity and distance for attackers to fire their virtual weapons from afar.

We should believe half of what we hear and see on social media, said Geers. When it comes to national security, everything is suspicious. Accounts and activity are easy to fake. As an example of account hijacking, he pointed to a fake Twitter account for the US Central Command. The account had a broad reach of 110,000 followers, giving its owners a great deal of influence.

"Social media and cyberattacks are more important than we think if they have any impact on national security at a high level," Geers noted.

In the private sector, one of the biggest threats to the business will be fraudulent and spoofed accounts, Foster pointed out. With social as their platform, attackers can get to the two most important groups of enterprise targets: employees and customers. It puts businesses in a strange position: to what extent do employees' social media accounts pose a threat? How do they govern social media? Are they responsible for protecting employees' accounts?

Foster and Geers outlined several steps organizations can take to lessen the risk of social media-based threats in the enterprise. Their recommendations: work with the communications teams to build a social media policy and dictate what can and cannot be posted. Tell employees how to report abuses and potential threats. Teach best practices for hardening their accounts, and establish a policy around breach notifications and lost credentials.

Data Privacy: An Ongoing Issue

Alongside national security, data privacy is another critical issue facing social platforms and users today. A few days ago, Facebook shed more light on its privacy practices. The social media giant has been in the thick of controversial congressional hearings on how it uses customer data, and its account holders want to know what's going on.

People are placing higher value on their privacy and showing greater concern for how companies use their information. In a 10,000-person study conducted by Harris Poll and sponsored by IBM, researchers found 78% of US respondents say an organization's ability to keep their data private is "extremely important" but only 20% "completely trust" them to do so.

In one post, Facebook explained its reasoning for collecting data when users aren't on the platform. Several websites and apps use Facebook services, like its login and analytics tools, to personalize their content. When users visit a site or app that uses its services, Facebook gets info even when the user is logged out - or doesn't have a Facebook account at all.

"There are three main ways in which Facebook uses the information we get from other websites and apps: providing our services to these sites or apps, improving safety and security on Facebook, and enhancing our own products and services," wrote product management director David Baser in a blog post discussing its data usage and users' information control.

In a follow-up post the next day, Erin Egan, vice president and chief privacy officer for policy, and vice president and deputy general counsel Ashlie Beringer explained how Facebook is complying with new privacy laws and adding new protections.

As part of continued privacy efforts, Facebook plans to ask for users' input on various aspects of their activity on the platform. People will be able to weigh in on ads based on data from Facebook partners, information in their profiles, and facial recognition technology. It's also rolling out new GDPR-compliant tools to access, delete, and download information.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
RyanSepe,
User Rank: Ninja
4/20/2018 | 9:19:11 AM
3 Reasons for Facebook Data Acquisition
Those are high level categories for why Facebook gathers data but I find they can be somewhat ambiguous as to what data they correlate. I think a good exercise would be to have those three categories mapped to data sets provided by the user and a privacy agreement from the user for agreement in accordance with providing those data sets.
RyanSepe,
User Rank: Ninja
4/20/2018 | 9:10:12 AM
Social Media at the Public and Private Sectors
Similar to how private sectors set policies to "try" and control the data flow into the social media ether, the same approach should be true for public sectors. Regardless of what side of the political fence you are on, tweets around the ongoings of the United States need to be vetted. They should not come from one individual before this validation because there can and will be implications towards national security.