Always Read for Knowledge

Thursday 28 April 2011

Protect Yourself on Facebook


Love them or hate them, social networking sites are here to stay. And we are going to find more ways to use them: from home, from work, from smart phones, from shared computers, or from anywhere else we care to. The cat is out of the bag. Now what can we do about it? Like so many millions of others, I've found Facebook and Twitter in the last few months, in addition to the more traditional professional networking sites I've used for years, like LinkedIn. But what started as idle curiosity soon grew into addiction.

And I won't hide the fact that most of us, me included, are addicted to social networking sites like Facebook. They're fun! I've reconnected with many old friends, and I like knowing what they've done with their lives. OK, we're not likely to become best friends again, but I still value the connection we've made again. So the next question that comes up is: how secure are these sites? I've experienced several classic Web security issues in each of the sites I frequent, and without a doubt there remain quite a few vulnerabilities to be discovered. But that hasn't stopped me from using them. Like any decision involving risk, I've studied the issues, minimized my own exposure, and I'm getting on with what I care to do. Let's start by looking at the issues briefly.

Web Applications

Well, for starters, they are Web applications, and as such they're potentially vulnerable to a plethora of issues, from the OWASP Top-10 and beyond - and yes, there are far more than 10. And don't think for a moment that all web application vulnerabilities solely place the application at risk. Many also put the app's users at risk: cross-site scripting (XSS), cross-site request forgery (CSRF), and others can be used to attack the users quite easily. As a user of a social networking site, you're placing your (and your employer's) data at risk.

Active Content

JavaScript, Java applets, Flash, ActiveX, and many others are all examples of active content. And guess what? Every popular social networking site in existence (or at least every one with a significant population of users) absolutely requires active content in order for the site to function. The bottom line: by allowing active content into your browser, you are trusting someone else's code to run safely on your computer. What's the big deal? We do that all the time. But now the code is dynamic and maintained somewhere else, and you're trusting it every time.

Domain of Trust

Some of the HTML, JavaScript, etc., that arrives in your browser comes from (say) Facebook. Fair enough, if you are going to use Facebook. But your browser isn't so discerning. Some of the stuff that comes into it while you're on Facebook might be provided by someone else: another Facebook user; an attacker; a third-party application on Facebook. If your browser trusts Facebook, chances are it's also going to trust that code. This extends the active content exposure pretty substantially.

User-supplied Content

Users put all sorts of content into their own profiles: URLs pointing to cool sites, photos, etc. If they link to something dangerous (perhaps inadvertently) and you click on it... well, you get the drift.

Third party Applications

Most of the popular social networking sites have a third-party application interface for companies to generate their own content. Most of it is pretty innocuous and in the spirit of good clean fun, like a little app that lets you "throw" a virtual snowball at someone else. But, again, it extends that trust boundary in ways you might not want.

So, what can we do to protect ourselves? Here are a few tips to consider:

Continue to run NoScript (http://noscript.net) and those other browser security steps:

They're far from obsolete!

Be a bit choosy about your friends:

Easier said than done, but at a minimum, I suggest only accepting friend connections from people you directly know. Of course, they'll come with varying problems; often it's the early adopters who will find them.

Turn up the privacy controls:

Pretty much all the social networking sites allow you to tune your own privacy controls. Turn those up to "high." Only allow people in your ring of accepted friends to view your information.

Don't click on every link:

When friends send you links to sites, apps, etc., don't just click on them. Hover your mouse over the link, look at it in its entirety, see what data is going to be passed to it, and then decide. You might even cut-and-paste the URL into another browser and go there separately.
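The "look at the link in its entirety" step can be done with code rather than by eye. The snippet below is an added example, not code from the original post: it takes the link text you would see when hovering, breaks it into host, path and the data passed in the query string, and flags the things worth a second look (plain http, a username before "@" that hides the real host, and a parameter that forwards to another URL). The sample links are constructed; the example domains are made up.

```javascript
// Added example (not from the post): inspect a link before clicking it.
// Uses only the standard WHATWG URL API, available in browsers and Node.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, reason: "not an absolute URL: " + href };
  }
  // The data that will be passed to the site: every query parameter, decoded
  const params = [];
  for (const [name, value] of url.searchParams) {
    params.push({ name, value });
  }
  const warnings = [];
  if (url.protocol !== "https:") {
    warnings.push("not https (" + url.protocol + ")");
  }
  if (url.username || url.password) {
    // text before "@" is a username, not the site; the real host follows it
    warnings.push("credentials before @; real host is " + url.hostname);
  }
  for (const p of params) {
    // a parameter that carries another URL usually means a redirect:
    // the link's host is not where you end up
    if (/^https?:\/\//i.test(p.value)) {
      warnings.push("parameter '" + p.name + "' forwards to " + p.value);
    }
  }
  return { ok: true, host: url.hostname, path: url.pathname, params, warnings };
}

// Constructed sample links (not from the post), the kind a friend might share
const samples = [
  "https://www.example.com/photos?album=42",
  "http://www.example.com/go?next=https://other.example/login",
  "https://www.facebook.com@lookalike.example/",
];
for (const s of samples) {
  console.log(JSON.stringify(inspectLink(s), null, 1));
}
```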

Log out of other apps and sites:

To the extent possible and feasible, don't run other Web apps while you're on your social networking site. Shut down your browser completely, re-start it, do your social networking for the day, and then log out.

So that should arm you with a few tips to consider. There's still risk involved with using these sites, and there always will be. You need to decide for yourself if the risks are worth whatever value you perceive in using the sites.
