Social networks are all-pervasive, but aren't always safe. Candid Wueest, a Senior Security Researcher at Symantec, has some top tips for keeping yourself safe online.
Businesses are certainly becoming well versed in the advantages of integrating social networking into the workplace - especially as younger digital natives are starting employment.
However, web-based attacks are now the primary vector for malicious activity over the internet, and many of these are increasingly coming from social networks such as Facebook, Twitter, and YouTube.
By hiding behind the reputation and brand trust built by legitimate social networks, spammers are able to distribute an increasing number of malicious and phishing emails, something that recent research shows is only set to grow over time.
With employees increasingly accessing social networking sites on their business PCs and laptops, any attack via social networking platforms can place company data directly at risk.
Here are some of the simple acts that businesses can share with their employees to ensure they are protected from common social network attacks:
1. Sharing links via Facebook or Twitter is a common act, but avoid clicking on blind links where the destination website cannot be seen in the URL (as is increasingly common with URL-shortening applications such as bit.ly). These links can open you up to malicious attacks and place sensitive company data in a vulnerable position.
2. Avoid including personally identifiable information when communicating online, such as date of birth, postal address, and certainly not bank details. Savvy online criminals can piece together information from different sites in order to steal individual identities and run up massive bills on company credit cards, or even create a fake passport in an employee's name.
3. Simple acts, such as developing strong passwords that are changed at least every 45-60 days, can dramatically improve IT security with minimal intrusion on time. Encourage employees not to let their browser save passwords by default, as anyone who finds a misplaced laptop can then access sensitive data with very little effort.
4. A common phishing attack that users are seeing occurs when criminals hijack social networking accounts and distribute messages to all the contacts in that individual's contact book. Clicking on a message from a 'fake friend' such as this can lead to an external site that allows malicious code to enter your computer system. If you receive a message that seems out of character, always confirm who the sender is before opening it.
5. Don't cut corners when it comes to anti-virus software. You might think you're being economical in the short term by simply downloading some free software online, but once a malicious piece of software manages to enter your computer, it can cost a fortune to fix, and that £60 can start to feel like a bargain.
BCS, the Chartered Institute for IT, has recently launched a campaign to raise awareness of the importance of safe and secure internet usage. Are you a savvy citizen? Find out at http://savvycitizens.bcs.org.
Regarding fake links: I always right click, copy, paste into Notepad and compare the result. It is then 100% obvious if the link is genuine.
Perhaps web browsers could employ a heuristic for security: if a link says onscreen a.b.c, but the href in the HTML says d.e.f, then issue a warning - simple?
I'm not convinced "Investing" in security software is necessary. It may support the security industry, but many of the free ones are just as good, and some better, than the subscriptions.
http://www.av-comparatives.org has some interesting data to look at.
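As an added example (not code from the article, the commenters, or any browser vendor), here is the heuristic proposed above in Node-style JavaScript: compare the hostname in a link's visible text with the hostname in its href and warn on a mismatch, and also flag the shortener "blind links" that tip 1 warns about. Only bit.ly is named on the page; the other shortener hosts in the list are an assumption for illustration.

```javascript
// Added example: audit links for the "text says a.b.c, href says d.e.f"
// heuristic and for "blind" shortener links. Not the article's own code.
// Only bit.ly is named on the page; the other hosts here are assumptions.
const SHORTENER_HOSTS = new Set(['bit.ly', 'tinyurl.com', 't.co', 'goo.gl']);

// Normalise a host for comparison: lowercase and drop a leading "www.".
function canonicalHost(host) {
  return host.toLowerCase().replace(/^www\./, '');
}

// Pull a hostname out of the link's visible text. Returns null when the text
// is not URL-like ("click here"), because then there is nothing to compare.
function hostFromText(text) {
  const m = /^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#:]|$)/i.exec(text.trim());
  return m ? canonicalHost(m[1]) : null;
}

// Scan an HTML fragment for <a href="..."> ... </a> and report every link that
// is blind (href host is a shortener) or misleading (text host != href host).
// Regex parsing suffices for simple e-mail markup; a browser would use the DOM.
function auditLinks(html) {
  const findings = [];
  const re = /<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const [, href, inner] = m;
    const text = inner.replace(/<[^>]+>/g, '');   // strip nested tags
    let hrefHost;
    try { hrefHost = canonicalHost(new URL(href).hostname); }
    catch { continue; }   // relative or malformed href: nothing to compare
    const textHost = hostFromText(text);
    if (SHORTENER_HOSTS.has(hrefHost)) {
      findings.push({ href, text, reason: 'blind-link' });
    } else if (textHost !== null && textHost !== hrefHost) {
      findings.push({ href, text, reason: 'text-href-mismatch' });
    }
  }
  return findings;
}

// Constructed sample: an honest link, a shortener, and a disguised login link.
const SAMPLE_HTML = `
  <p>Tips at <a href="https://www.bcs.org/">bcs.org</a>.</p>
  <p>Photos: <a href="http://bit.ly/abc123">http://bit.ly/abc123</a></p>
  <p>Sign in: <a href="http://example.net/login">https://www.example.com/login</a></p>
`;

console.log(JSON.stringify(auditLinks(SAMPLE_HTML), null, 2));
```

Links whose visible text is not a URL ("click here") are not judged, since the heuristic has nothing to compare; a mail gateway would pair this with the hover check suggested further down the thread.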
On the fake friend case number 4.
There was a series of mails going round on Facebook lately from genuine friends which obviously were not from the said sender, and contained links to an inactive site.
Even friends of mine got a message from me which was obviously fake.
These things are getting more sophisticated than just some random profile sending malicious links.
Do you think that Avast is sufficiently good anti-virus software to protect against malicious attacks?
I feel that as an IT society we are very passive. The plethora of viruses, Trojans and other mischievous elements that are prevalent within both the business and private environment are costing us vast amounts of time and money to resolve.
I think that it is about time the industry takes a more active role in tracing the source of these attacks and eliminating them at source.
We as an IT society should be especially on the look-out for those Trojans.
I participated in a charity bike ride last year and the associated website had a "link up with Facebook" feature. When you used this, it allowed their application to write "begging notes" to your feed without you even knowing. After the first one of these, I blocked its access in the privacy settings, but many of my friends didn't realize this. For many of them the app kept sending notes well after the event was completed, and even after they had surpassed their fundraising goals!
It wasn't even a smart app as it said things like "X has raised $200 of their $150 target. Can you help?"... well, of course... send me a cheque!
Whenever you use a "link with facebook" feature, check the applications settings!
Item 3 has a great title (Set Strong Passwords) and then goes on to negate it by recommending that the password be changed regularly. There was a great article in Usenix's ;login a few years ago that demonstrated that changing a password regularly does not make it strong (http://www.usenix.org/publications/login/2006-12/pdfs/howard.pdf). There *are* good reasons for changing a password regularly (i.e. in a system admin group where the password is shared and personnel who know it move to new roles or companies). If it is your own private account, follow the advice in the article and choose one from a large alphabet!
In response to Colin Campbell's question, in a recent PCPro review, Avast gave better malware discovery results than some of the paid-for software. Bear in mind that it is not a complete suite, though, and that the Linux version lags behind the Windows version.
AVAST is a good antivirus compared to others, I've tested it myself.
In response to James Bowden's suggestion: my (ageing) Eudora email client does exactly that!
Free versions of commercial AV are "loss leaders": their intended audience is people who wouldn't pay for AV. Since AV companies generally have to pay money -somewhere- along the line, free versions are not usually intended for use by businesses, and have limited functionality and support compared to for-fee versions.
I agree with the comment that we are all too passive about security. Our governments are reacting to security in the physical terrorist sphere aggressively even though mostly the risk is quite low compared to cyberattack (even if the impact is frighteningly spectacular as delivered by the media). Perhaps governments will have to be more aggressive also in the cyberworld - after all it is a main organ for all types of terrorists. What if we all had a kind of "registered" driving licence to pass through any router on the internet? It would not eliminate all types of fraud but would make it much harder to "hit and run".
Yeah I believe computing should be more secure.
On the other hand, I think I'll be going to the market.
Interesting that the email that led me to this article and the fourth paragraph breach recommendation 1. I could have right-clicked on the links but I didn't.
Recommendation 3 encourages people to write down passwords.
Re James' first comment - save yourself a few clicks and just hover over the link - you should see the actual URL on the bottom-left (if not, select view > status bar in your browser).
There are browser add-ons and extensions available to handle link obscurity. Check out the free 'Long URL Please' (longurlplease.com) Firefox extension, which expands shortened URLs on-the-fly and replaces them on the page with the full target URL.
All well and good, but these are 5 schoolboy tips. They're standard and you just abide by them right the way across the www.