4/19/2018 02:00 PM

Securing Social Media: National Safety, Privacy Concerns

It's a critical time for social media platforms and the government agencies and private businesses and individuals using them.

RSA CONFERENCE 2018 – San Francisco – Governments and businesses around the world are navigating concerns around social media, which is playing an increasingly important role in both national and enterprise security.

Cyberspace is redrawing borders we haven't seen before, said James Foster, CEO at ZeroFOX, in a session entitled "POTUS is Posting: Social Media and National Security." Borders between people, once based on geography, are now based on apps. He presented a graphic illustrating their size: Facebook has 2 billion users, YouTube has 1.5 billion, WhatsApp has 1.2 billion, WeChat has 938,000.

"Social media is unavoidable," said Dr. Kenneth Geers, senior research scientist at Comodo Group. Platforms like Twitter and Facebook have greater influence on national security as they become a communication tool for global leaders and an attack vector for threat actors.

The presenters turned to the example of President Donald Trump, who is notorious for sharing updates and making national policy decisions on Twitter. Geers pointed out how the former Secretary of State, who didn't have a good relationship with the President, printed tweets to see the foreign policy of the day from the White House. Earlier on April 18, Trump tweeted an update stating CIA director Mike Pompeo had recently met with Kim Jong Un in North Korea.

"I promise you, people are printing out this tweet to figure out what to do today," said Geers. "The power of social media, to some degree, speaks for itself."

In this sense, Foster said, modern social media is the technological medium for sharing messages the same way television was decades ago. "Like it or not, regardless of the side of the aisle you're on, this is the new communication form for government, and it's not going to go away," Foster said. "Of course war can be declared on social media, for the first time in history."

The power and reach of social media extends to threat actors, who are leveraging it as a platform in increasingly large and dangerous attacks. It's a perfect area for information operations and false accounts; after all, social media provides the perfect amount of anonymity and distance for attackers to fire their virtual weapons from afar.

We should believe half of what we hear and see on social media, said Geers. When it comes to national security, everything is suspicious. Accounts and activity are easy to fake. As an example of account hijacking, he pointed to a fake Twitter account for the US Central Command. The account had a broad reach of 110,000 followers, giving its owners a great deal of influence.

"Social media and cyberattacks are more important than we think if they have any impact on national security at a high level," Geers noted.

In the private sector, one of the biggest threats to the business will be fraudulent and spoofed accounts, Foster pointed out. With social as their platform, attackers can get to the two most important groups of enterprise targets: employees and customers. It puts businesses in a strange position: to what extent do employees' social media accounts pose a threat? How do they govern social media? Are they responsible for protecting employees' accounts?

Foster and Geers outlined several steps organizations can take to lessen the risk of social media-based threats in the enterprise. Their recommendations: work with the communications teams to build a social media policy and dictate what can and cannot be posted. Tell employees how to report abuses and potential threats. Teach best practices for hardening their accounts, and establish a policy around breach notifications and lost credentials.

Data Privacy: An Ongoing Issue

Alongside national security, data privacy is another critical issue facing social platforms and users today. A few days ago, Facebook shed more light on its privacy practices. The social media giant has been in the thick of controversial congressional hearings on how it uses customer data, and its account holders want to know what's going on.

People are placing higher value on their privacy and showing greater concern for how companies use their information. In a 10,000-person study conducted by Harris Poll and sponsored by IBM, researchers found 78% of US respondents say an organization's ability to keep their data private is "extremely important" but only 20% "completely trust" them to do so.

In one post, Facebook explained its reasoning for collecting data when users aren't on the platform. Several websites and apps use Facebook services, like its login and analytics tools, to personalize their content. When users visit a site or app that uses its services, Facebook gets info even when the user is logged out - or doesn't have a Facebook account at all.

"There are three main ways in which Facebook uses the information we get from other websites and apps: providing our services to these sites or apps, improving safety and security on Facebook, and enhancing our own products and services," wrote product management director David Baser in a blog post discussing its data usage and users' information control.

In a follow-up post the next day, Erin Egan, vice president and chief privacy officer for policy, and vice president and deputy general counsel Ashlie Beringer explained how Facebook is complying with new privacy laws and adding new protections.

As part of continued privacy efforts, Facebook plans to ask for users' input on various aspects of their activity on the platform. People will be able to weigh in on ads based on data from Facebook partners, information in their profiles, and facial recognition technology. It's also rolling out new GDPR-compliant tools to access, delete, and download information.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
RyanSepe, User Rank: Ninja, 4/20/2018 | 9:19:11 AM
3 Reasons for Facebook Data Acquisition
Those are high-level categories for why Facebook gathers data, but I find they can be somewhat ambiguous as to what data they correlate. I think a good exercise would be to have those three categories mapped to data sets provided by the user and a privacy agreement from the user for agreement in accordance with providing those data sets.
RyanSepe, User Rank: Ninja, 4/20/2018 | 9:10:12 AM
Social Media at the Public and Private Sectors
Similar to how private sectors set policies to "try" and control the data flow into the social media ether, the same approach should be true for public sectors. Regardless of what side of the political fence you are on, tweets around the ongoings of the United States need to be vetted. They should not come from one individual before this validation, because there can and will be implications towards national security.