Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/19/2018
02:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Securing Social Media: National Safety, Privacy Concerns

It's a critical time for social media platforms and the government agencies and private businesses and individuals using them.

RSA CONFERENCE 2018 – San Francisco – Governments and businesses around the world are navigating concerns around social media, which is playing an increasingly important role in both national and enterprise security.

Cyberspace is redrawing borders we haven't seen before, said James Foster, CEO at ZeroFOX, in a session entitled "POTUS is Posting: Social Media and National Security." Borders between people, once based on geography, are now based on apps. He presented a graphic illustrating their size: Facebook has 2 billion  users, YouTube has 1.5 billion, WhatsApp has 1.2 billion, WeChat has 938,000.

"Social media is unavoidable," said Dr. Kenneth Geers, senior research scientist at Comodo Group. Platforms like Twitter and Facebook have greater influence on national security as they become a communication tool for global leaders and an attack vector for threat actors.

The presenters turned to the example of President Donald Trump, who is notorious for sharing updates and making national policy decisions on Twitter. Geers pointed out how the former Secretary of State, who didn't have a good relationship with the President, printed tweets to see the foreign policy of the day from the White House. Earlier on April 18, Trump tweeted an update stating CIA director Mike Pompeo had recently met with Kim Jong Un in North Korea.

"I promise you, people are printing out this tweet to figure out what to do today," said Geers. "The power of social media, to some degree, speaks for itself."

In this sense, Foster said, modern social media is the technological medium for sharing messages the same way television was decades ago. "Like it or not, regardless of the side of the aisle you're on, this is the new communication form for government, and it's not going to go away," Foster said. "Of course war can be declared on social media, for the first time in history."

The power and reach of social media extends to threat actors, who are leveraging it as a platform in increasingly large and dangerous attacks. It's a perfect area for information operations and false accounts; after all, social media provides the perfect amount of anonymity and distance for attackers to fire their virtual weapons from afar.

We should believe half of what we hear and see on social media, said Geers. When it comes to national security, everything is suspicious. Accounts and activity are easy to fake. As an example of account hijacking, he pointed to a fake Twitter account for the US Central Command. The account had a broad reach of 110,000 followers, giving its owners a great deal of influence.

"Social media and cyberattacks are more important than we think if they have any impact on national security at a high level," Geers noted.

In the private sector, one of the biggest threats to the business will be fraudulent and spoofed accounts, Foster pointed out. With social as their platform, attackers can get to the two most important groups of enterprise targets: employees and customers. It puts businesses in a strange position: to what extent do employees' social media accounts pose a threat? How do they govern social media? Are they responsible for protecting employees' accounts?

Foster and Geers outlined several steps organizations can take to lessen the risk of social media-based threats in the enterprise. Their recommendations: work with the communications teams to build a social media policy and dictate what can and cannot be posted. Tell employees how to report abuses and potential threats. Teach best practices for hardening their accounts, and establish a policy around breach notifications and lost credentials.

Data Privacy: An Ongoing Issue

Alongside national security, data privacy is another critical issue facing social platforms and users today. A few days ago, Facebook shed more light on its privacy practices. The social media giant has been in the thick of controversial congressional hearings on how it uses customer data, and its account holders want to know what's going on.

People are placing higher value on their privacy and showing greater concern for how companies use their information. In a 10,000-person study conducted by Harris Poll and sponsored by IBM, researchers found 78% of US respondents say an organization's ability to keep their data private is "extremely important" but only 20% "completely trust" them to do so.

In one post, Facebook explained its reasoning for collecting data when users aren't on the platform. Several websites and apps use Facebook services, like its login and analytics tools, to personalize their content. When users visit a site or app that uses its services, Facebook gets info even when the user is logged out - or doesn't have a Facebook account at all.

"There are three main ways in which Facebook uses the information we get from other websites and apps: providing our services to these sites or apps, improving safety and security on Facebook, and enhancing our own products and services," wrote product management director David Baser in a blog post discussing its data usage and users' information control.

In a follow-up post the next day, Erin Egan, vice president and chief privacy officer for policy, and vice president and deputy general counsel Ashlie Beringer explained how Facebook is complying with new privacy laws and adding new protections.

As part of continued privacy efforts, Facebook plans to ask for users' input on various aspects of their activity on the platform. People will be able to weigh in on ads based on data from Facebook partners, information in their profiles, and facial recognition technology. It's also rolling out new GDPR-compliant tools to access, delete, and download information.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/20/2018 | 9:19:11 AM
3 Reasons for FaceBook Data Acquisition
Those are high level categories for why facebook gathers data but I find they can be somewhat ambiguous as to what data they correlate. I think a good exercise would be to have those three categories mapped to data sets provided by the user and an privacy agreement from the user for agreement in accordance with providing those data sets.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/20/2018 | 9:10:12 AM
Social Media at the Public and Private Sectors
Similar to how private sectors set policies to "try" and control the data flow into the social media ether, the same approach should be true for public sectors. Regardless of what side of the political fence you are on, tweets around the ongoings of the United States need to be vetted. They should not come from one individual before this validation because there can and will be implications towards national security.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.