Is social network useful or harmful?

Péter HÖLTZL - IT security consultant

Experts have been claiming for years that citizens could become so defenseless due to the electronic central state registers: our personality can be stolen, our acts can be traced, our thoughts can come to light. However, nowadays it is ourselves that provide these pieces of information to everybody and of our own free will. A well done online profile does not only reveal our personality, philosophy upon life, hobbies, family, friendship and workplace circumstances but in our blogs we also give such a detailed account of our everyday activity and thoughts that even the most adverse dictatorship would have never dreamt about.

Social networking is today’s most popular way of "entertainment": it is essentially the place for getting together online communities. (I do not understand why it is common knowledge that technology disaffects people from one another.) Generally we talk about a web interface or application where registered users present their own personality and relationships. These can be completed by other supplementary services, for example blogs, photo albums, group creation, mailing or instant messaging (IM). Most of these web sites continually enrich their services since while costs increase degressively, income grows linearly as a function of the number of users. (Competition is intense since according to experts in a few years only one compatible network will be able to stay alive.)

The main service of community sites for the users is to provide the possibility to share information about themselves with the help of user profiles, based on which they can be found by others. Here every information that one gives about oneself can be found! The question: ‘What can users find out about us?’ is useless to address. Everything! Names, contacts, age, family status, schools, workplaces, fields of interest or anything that the owners of these sites can ask for. A curious user can get to know what are the fields one is interested in, the clubs one frequents, the people one meets. I have even found a club for the travelers of a specific bus line of the public transport company of Budapest. Even some details of our past can be studied with the help of old photos.

Nowadays numerous specialized community portals are available on the Web. There are ones for business life or ones for finding old schoolmates and even for one particular hobby or field of interest.

Social networking has become so popular that the business sphere also wants to get hold of it. It is enough to think about the purchase of the Hungarian iwiw for a record price or about the battle between Google and Microsoft to get hold of Facebook, in which the latter won (Microsoft gave 240 million USD for 1.6% of Facebook, and in this way the total price of Facebook became 15 billion USD. The total sum speaks for itself.) On community sites one can find personalized advertisements – these ad surfaces are far the most expensive and the most precious ones. Community sites are also preferred by HR consultants to enlarge their potential clientele: one often finds job advertisements or direct contacts from companies on these sites. There are special companies that aim at directly these communities: for example to sell avatars (the little icon next to our contributions to forums), special skins, background music, etc. Of course companies operating these sites would also like to benefit from the business by selling advertisement surfaces or even our data and activities. According to estimations, the income related to community site services was above 500 million USD in 2007.

Social networking is not only the playground of businessmen or good-intentioned people. The information accumulated on these sites (myspace has 110 million, facebook 80 million, linkedin 22 million and even the Hungarian iwiw has 1.7 million registered users) are also made use of those who like to fish in troubled water.

Social engineering is the summarizing phrase for frauds that use the means of sociology and psychology (pretexting) in order to reach their aims, namely to obtain information or to make somebody do something that (s)he would never do normally. A typical way of that is a phone call or more frequently an e-mail. The essence of the method is that the attacker pretends to be an inner person so that the victim does not recognize the fraud. The electronic way of this is e.g. phising. Here the aim is the same: to hide from the victim that the mail was written by an outsider with evil intention. There are also some rather weird forms of social engineering, such as personal meeting or searching through the garbage. If the attacker can enter e.g. the office, the so called shoulder surfing (reading the typing of the victim over his/her shoulder) or collecting the passwords stuck on the monitor or under the mouse pad also belong here.

Nowadays it has become difficult to separate social networking from social engineering. Community services are used every day by HR employees of companies for ’tracing’ the applicants. This way they can easily and quickly screen the non-welcome experts, even if they had an attractive CV. The applicant may also find help if (s)he maps the hobbies, contacts, schools of his/her possible new boss.

A friend of mine looked for a software specialist. Only a few clicks in Google, and he has already found a few comments in this really specialist field. Based on the nick of the contributor, he has soon found his iwiw page, and in a few seconds he already had his full name, phone number and workplace. This process would have lasted much longer and would have cost a lot more money if done with an HR company. In this case everything turned out to be all right, but the question how much we can trust these profiles arise. Before handing in a CV anyone could change his/her profile in a way that it shows the expected image. Hence, sometimes even the profiles do not contain the real data.

Community sites not only help those who want to find a job but also those who attack people as they can prepare a more accurate, customized attack. Assault can be addressed to only company managers (whaling) meaning that it is only a few hundred messages instead of the few hundred million deceptive mails distributed in the conventional way.

The important question arises: What can be done against social networking as a safety risk at company level?! Prohibition is not a solution as the greatest risk is not that that the employee uses iwiw during work time but that (s)he shares his/her personal data. However, this is privacy. All that we can do is to circulate recommendations and instructive stories in the company network, since information sharing and safety education are the most efficient preventive measures.