Is there such a thing as Social Media Warfare? We have had cyber warfare going on for years now, so it should be an obvious “yes” that social media warfare exists. But is that true? To get to a full-blown war, opposing sides go through an escalation process. Where are we in this process? From a pure cyber warfare perspective we are in World War Three: many opposing sides, lots of new and improved weapons, constantly escalating attacks and no end in sight. Companies are used to conducting vulnerability management and risk assessment; this new war will require new tactics and defense strategies.

I think we have seen the first skirmishes of the war. It started with spammers adapting their tools to Facebook and Twitter account hijacking, then moving into phishing, then into attacks on your reputation by disgruntled customers and competitors. So what is the progression of this coming war? Is there a similarity to how “normal” cyber warfare started? And why is this war inevitable?

The attack vectors in the social media war can be categorized by target: personal use and corporate use. If these are the assets that need to be protected, we can then work out how those assets will be attacked, how the enemies will do reconnaissance, what alliances will be formed, and what the defense strategies and weapons should be. The table below walks through the stages of escalation from both perspectives. The progression of this war will follow a different pattern for each, and there is probably no end in sight.
Escalation stage, with the personal and the corporate view of each:

Stage: Skirmish
Personal: Home users receiving spam, phishing attacks and scams.
Corporate: Corporate users seeing more phishing attacks; attackers going through LinkedIn profiles.

Stage: Protest Actions
Personal: Users might complain to attorneys general, or write nasty messages about Microsoft, Adobe or Apple security weaknesses.
Corporate: The IT department is inundated with help desk calls. Companies have the ability to complain to ISPs, or even to countries, about where attacks originate.

Stage: Negotiations
Personal: There really isn’t anyone to negotiate with. Writing on your Facebook wall will not do a darn thing.
Corporate: Companies definitely do not want to negotiate, but they will see blackmail more and more.

Stage: Failed Negotiations
Personal: The home user is basically screwed anyway.
Corporate: Succumbing to blackmail will only lead down a bad path.

Stage: Declaration of War
Personal: This is a de facto state for the home user. They are at war whether they know it or not.
Corporate: Companies have to take a proactive approach to security rather than a reactive one: anticipate the next types of attacks and have a budget to address them.

Stage: Launch Attacks and Defend
Personal: Mostly defend. Get your anti-spyware, antivirus, personal firewall and encryption up to speed.
Corporate: Beyond the basics, understand how attackers use social media. Spend serious money on learning how to fight in the social media landscape; security hardware and software are not enough.

Stage: Allies Join the War
Personal: The home user can only rely on the social media companies for basic security.
Corporate: There will be more collaboration between companies and governments. Perhaps together they have a fighting chance. Regulations are also going to force changes.

Stage: Years of Conflict – Never Ending
Personal: What’s the next thing after Facebook and Twitter? Whatever it is will have its own security challenges. But by that time the home user will probably have given out every bit of personal information on all the social media venues anyway.
Corporate: A company can only rely on the right process to secure its social media usage. As technologies change and new sites go live, a good process and a social media security policy are all you can rely on.

Stage: Winner
The ISPs, who get to sell bandwidth, and the VCs who fund companies like Facebook and Twitter.
I will get into more tactics in the coming war in future posts.

Gary Bahadur
CEO, KRAA Security
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *FREE Website Security Test

Information Devaluation Through Phishing

The value of information has been decreasing over time. How do you see this in the real world? There are two ways: one from the user perspective and the other from the attacker’s perspective.

From the user’s point of view, the most obvious place to see information devaluation is Facebook, Twitter, MySpace, LinkedIn and the like. These may be good ways to keep in contact, but look at all the personal data stored on these sites: enough to authenticate to your bank account, with pieces of data such as the name of your dog, your elementary school or a parent’s last name. Everything needed for secret-question authentication. There was just a theft from a business bank account (http://www.networkworld.com/news/2009/092409-construction-firm-sues-after-588000.html) in which the challenge questions were successfully answered. The lesson is simple: anything that can be recovered from a public profile should not be treated as a secret, and a challenge question whose answer is posted online is not a second factor at all.

From the attacker’s point of view, phishing efforts are focused on Twitter and Facebook much more these days. It is pretty obvious why: so much information is available there. KRAA Security twitters, but we try to keep personal things off it. Many people live their lives on Twitter to a mind-boggling degree. The Washington Post just had an article listing Facebook among the top phished sites (http://voices.washingtonpost.com/securityfix/2009/04/facebook_among_top_phished_web.html). Part of this is the information people post, and part is that the applications developed for the platform have many ways of phishing your information. An information security risk assessment that covers social media use is therefore a necessity.

So is there a solution to the phishing problem in social media? Penetration testing of the sites themselves helps, but the phishing problem will probably get much more extensive as social media expands, takes over more aspects of our lives and invades every information dissemination medium. Doomed, I say. This was a cheerful post.
Gary Bahadur, KRAA Security, baha@kraasecurity.com