Social engineering via social networks
Social networking is one of the phenomena that have evolved dramatically in contemporary times. It has grown from a niche phenomenon to mass acceptance. Although the social networking concept dates as far back as the 1960s, viral growth as well as commercial interest took shape only after the dawn of the Internet. The speedy increase in participation in modern times has been accompanied by a progressive diversification and sophistication of intent and usage patterns across a multiplicity of different sites. Social networking sites like Twitter, MySpace, and Facebook may be grouped into nine fundamental categories, which include business, dating, common interests, face-to-face facilitation, pets, friends, and photos (Boyd & Ellison 2007).
While the boundaries are indistinct, most online social networking sites share similar core features. On these sites an individual presents a ‘profile’, intended to be a depiction of themselves or of their social networks. Visitors to these sites peruse these ‘profiles’ with the purpose of being contacted by, or making contact with, other users. The rationale may be to find new occupations, meet new acquaintances or dates, give or receive recommendations, and much more. The degree of trust evident among users of these social networking sites provides fertile ground for threats engineered by users who have social engineering skills, which are at times used against unsuspecting social network users. This paper investigates these threats as well as their complexities and their impact on users of social networking sites.
Social networking sites are, in essence, a specific kind of hosted service for online social networks that normally requires only a web browser. Facebook and MySpace are two of the most popular social networking sites, and their user base has grown constantly over recent years. The popularity of different social networking sites depends on a variety of factors, for instance geographical spread (Mitnick et al. 2002). Consequently, different social network websites are used in different geographical regions: Orkut is the most popular social networking site in Latin America, while Mixi is the most popular in Japan. The target group is another factor that influences the popularity of social networking sites. A site such as LinkedIn has professionals as its primary target, while Classmates.com is primarily intended for college and school networks. The main social network websites are normally free; they generate profits, however, by selling online marketing services to third parties. Accordingly, the traffic of regular users as well as the private information they upload is vital for the commercial success of social network websites (Boyd & Ellison 2007).
Social network website providers thus design their sites to appeal to visitors, in order to attract more sign-up traffic and to target wider user groups. Facebook was originally available only to students at Harvard University prior to its rapid expansion to other institutions and universities. The socio-demographic information pool generated on social networking sites is more valuable than the visitor traffic the sites may draw. Consequently, advertisers on these websites are able to target a definite user pool rather than relying exclusively on contextual advertising such as Yahoo! Publisher Network, Microsoft adCenter, or Google AdSense (Mitnick et al. 2002).
Social engineering is fundamentally the set of skills employed in taking advantage of the users of social networking sites. These users form the most vulnerable link of information security systems. As highlighted above, they are deceived into releasing information or performing a malicious act in aid of an attacker. It is important to note that social engineering begins with collecting background data on prospective victims. Whilst this preliminary data has characteristically been collected by means of dumpster diving and telephone calls, the rising use of social network websites brings about an escalating number of accessible social engineering techniques and tools (Pitkänen 2006). Attackers can now utilize social networking sites to collect preliminary background information on prospective victims. It is essential to note that people in general are of the opinion that they have the requisite abilities to detect these attacks; research reveals, on the contrary, that human beings perform dismally in detecting persuasion and lies. To exemplify universal patterns of social engineering attacks, Mitnick et al. (2002) created a social engineering cycle. The authors were of the opinion that social engineering attacks always have a precisely defined objective, and that the perpetrators iterate through the cycle's various phases until the objective is accomplished (Mitnick et al. 2002).
Threats engineered by users who have social engineering skills and use them against unsuspecting social network users may be referred to as reverse social engineering attacks. Preceding studies have shown that many users of social network websites are inclined to demonstrate a high degree of trust in friendship requests as well as messages sent to them by other users. In a reverse social engineering attack, the attacker does not initiate contact with the unsuspecting social network user. On the contrary, the victim is deceived into contacting the attacker of his or her own accord. Consequently, a high measure of trust is established between the unsuspecting social network user (victim) and the attacker, since the victim in this case is the party that initiated the relationship. Besides, social networking sites enable the automation of these attacks by making data available in machine-readable format. In addition, social networking sites provide a communication avenue, through services like chats and private messages, which can be utilized by programmed social engineering bots (Pitkänen 2006). It is imperative to note that once a social engineering attack has succeeded, and the attacker has established an acquaintance relationship with the victim, the attacker can then launch a broad range of attacks such as influencing victims to click on malicious links, identity theft, blackmail, and phishing. The attacker's aim is primarily to trick victims into providing sensitive or vital information. Although these approaches can be quite effective, since they can reach a sizeable number of prospective victims, they have shortcomings. The majority of Internet users are becoming suspicious of unsolicited requests on social networking sites.
Nevertheless, preceding research has demonstrated that it is feasible to increase the degree of trust by impersonating a known acquaintance of the targeted victim or by introducing the attack into ongoing chat conversations over the Internet (Pitkänen 2006).
Generally, social engineering attacks may be categorized along two major dimensions, namely targeted/untargeted and direct/mediated. In a targeted attack, the attacker centers on a specific user. In an untargeted attack, on the other hand, the attacker is primarily focused on reaching as wide a variety of users as possible. It is important to note that in order to execute a targeted attack, the attacker must have knowledge of, or obtain, some prior data in relation to the target, such as usernames or e-mail addresses. In a direct attack, the attacker's enticement is directly accessible to the targeted user; for instance, an attacker may publish interesting material or post an enticing message on a website. Mediated attacks pursue a two-step technique in which the enticement is gathered by an intermediary agent that is subsequently responsible for circulating it, usually in a different form, to the targeted users (Pitkänen 2006).
Security and privacy matters related to social network websites
Privacy and security issues associated with social networking sites are primarily behavioral rather than technological matters. The more data an individual posts, the more data becomes accessible for a potential compromise by malicious users with social engineering skills. Individuals who provide confidential, sensitive or classified information regarding themselves or other persons, whether intentionally or unintentionally, pose a greater risk to themselves and to others. Information such as an individual’s social security number, phone number, street address, financial information, or private business information ought not to be published online. Equally, posting videos, audio files or photos could result in a breach of an organization's or an individual's privacy (EMR-ISAC 2010, p.1). Although there are merits to be drawn from the collaborative, distributed practices promoted by responsible use of social networking sites, there are also data security and privacy concerns. The quantity and accessibility of private information on social networking sites has attracted malicious people who search for opportunities to exploit this data. The same technology that encourages user involvement also makes the sites more vulnerable to malware infection, which has the potential to bring down an organization's networks. There are also keystroke loggers that can steal credentials. Common social networking hazards like web application attacks, spear phishing, spoofing, and social engineering endeavor to steal a person's identity. These attacks are frequently successful as a result of the assumption of a trusting environment that social networks generate (Boyd & Ellison 2007).
Personal privacy is a vague concept that cannot be defined easily; it is in essence a loosely classified concept. This consequently makes identifying what precisely endangers privacy, as well as devising measures to preserve confidentiality, a complicated endeavor (Solove 2008). A society cannot promote or realize confidentiality, or even implement privacy laws, if only a minority appear to discern the meaning of privacy issues. Individuals find it difficult to articulate their confidentiality preferences.
Numerous studies endeavor to establish the implications of confidentiality-related matters, as well as of privacy awareness, for users’ online behavior and practices. As highlighted earlier, the actual privacy risks arise when users reveal identifiable data about themselves online. This information is readily accessible to persons whom they do not necessarily know offline, or even in real life. This stems from the users’ ignorance of privacy concerns (Mitnick et al. 2002).
Govani and Pashley (2005) explored student awareness of confidentiality issues and of the privacy safeguards offered by Facebook. The authors established that most students may actually be conscious of the probable repercussions of giving personal information to the whole college population. The students were aware of risks such as stalking or identity theft. Nonetheless, they were unperturbed about providing personal data online. Although they were conscious of means to curtail the visibility of their personal data, they were reluctant to make any effort to shield the information. In a separate study, Pitkänen (2006) concludes that users of social networking sites are more often than not simply unaware of the privacy issues involved, nor do they feel that the personal risk to them is of considerable magnitude. It has been found that the majority of users of these social networking sites possess a naïve sense of the safety of online communities.
Legal facets of privacy on social networking sites
In contemporary times, people communicate increasingly by means of digital technology, such as e-mail, social networking sites, and instant messengers. When using different Internet services, such as Internet forums or e-shopping, users create a pool of information about their lifestyle and personality. These are electronic tracks that enable third parties using the uploaded data to generate a depiction of the users’ activities (Pitkänen 2006). Even though technology and data systems are an integral part of day-to-day life for the majority of individuals in industrial nations, contemporary communication and information systems are quite intricate and may be perplexing. Users of social network websites are generally ignorant of what sort of data relating to them is being collected, in what quantities, where the data is stored, how long it is stored, and the manner in which it will be used.
From the legal point of view, privacy is principally safeguarded by universal constitutional and human rights, as well as by explicit data protection legislation. The European Union is noted for its leading role in the development of data protection legislation, which has debatably resulted in several instances in overly stringent rules. On the other hand, with regard to innovative kinds of services, such as social networking sites, the legislation still falls short of adequacy. Data protection laws are designed to safeguard individuals against malicious criminals and overzealous enterprises, but the laws hardly address social relationships among human beings (Govani & Pashley 2005).
Facebook and other social networking sites have been in the spotlight, facing criticism because users’ profiles are by default accessible to an unlimited audience. If a user does not change his or her privacy settings, the data is visible not only to their acquaintances but also to all users of the same networking site. Gross and Acquisti (2005) posit that the service provider's user interface could be the reason why users rarely adjust their privacy settings. In any case, privacy features are meaningless if the end user fails to use them. Gross and Acquisti (2005) reveal that only a minute proportion of Facebook members alter the default privacy preferences, which are set to maximize the accessibility of users’ profiles. Despite initiatives to develop usable features and interfaces, most social networking site users seldom alter the default settings of the numerous software packages they use. The reason could be factors such as confusion, the time it takes, or the user’s apprehension of the risk of messing up their settings.
Different forms of social engineering attacks within the perspective of online social networking sites
Recommendation-Based (Targeted, Mediated)
In social networking sites, recommendation systems suggest relationships among users on the basis of secondary knowledge about those users. This secondary knowledge is derived from the interaction amongst registered users, the acquaintance relationships amongst them, and other artifacts based on their interaction within the online social network. For instance, a social networking site may record the fact that a specific user has visited a particular profile, and may also log the search terms the user has entered. Popular online social networks such as Facebook regularly utilize this data to create recommendations for users. From an attacker's perspective, a recommendation system provides an interesting target. If the attacker is able to manipulate the recommendation system and consequently make the social network issue targeted recommendations, the attacker would be able to deceive prospective victims into contacting him (Solove 2008).
Demographic-Based (Un-targeted, Mediated)
Demographic-based systems in online social networks facilitate establishing acquaintances based on the data in an individual’s profile. Several social networking sites, especially dating sites such as Badoo, utilize this approach as the standard for linking users in the same age group or geographical location, or users who express similar preferences. The attacker in this case would simply generate one or several profiles that depict a high likelihood of allure to a certain type of user, and would then wait for prospective victims to initiate contact (Boyd & Ellison 2007).
Visitor Tracking-Based (Targeted, Direct)
Visitor tracking is a feature provided by a number of social networking sites such as Xing and Friendster. It enables users to see which other users have visited their profiles online (Solove 2008).
Social networking websites present new openings for interaction. The Internet environment is a simple and low-cost way to sustain existing associations and introduce oneself to other users. Nevertheless, the rising number of activities in these online services also raises confidentiality risks. This study shows that social networking site users tend to reveal a large quantity of personal data to a huge number of strong as well as weak connections. On most occasions, this information is given to persons who are total strangers to them. As in the majority of comparable studies, the subjects are mainly students and young adults. The outcomes reveal that they lack noteworthy confidentiality concerns, but claim to be reasonably conscious of confidentiality risks. On the whole, confidentiality risks are assumed to be lower on social networking sites than on the Internet generally. The reason may be that “the Internet” is gigantic as well as vague, whereas social networking sites are apparently manageable “networks of acquaintances”. It is highly probable that a majority of individuals who do not utilize social networking sites refrain precisely as a result of confidentiality concerns.
As discussed previously, confidentiality policies tend to be vital. This is because they inform users about the processing of confidential information and, to a degree, define the consent that users give as they upload their private information to the website.
Social media has been used by companies as a source of free market research information. This particular stream of research discusses how social networking sites like LinkedIn, MySpace and Facebook, and content sharing sites like Flickr and YouTube, have been used to gather demographic information on consumers’ age, gender, and nationality. They have also been used to acquire information on each consumer’s purchase intentions, as well as to gather real-time insights and suggestions for product and service development. Social media has also been used by companies such as Coca-Cola in pilot tests of new products and advertisement placement. However, it is quite sad to note that social media has also been used as a tool to cause social problems; the problems of social engineering are more than can be quantified. It is therefore necessary for companies and governments alike to take proactive action in ensuring that the privacy of data providers and users is kept away from the prying eyes of social engineers. Social media has also been used by companies as a facilitator of consumer ‘swarms’. The ‘lead initiator’ is charged with setting the pace, as in a Facebook group where people with the same interests gather so as to negotiate better deals when purchasing a particular product or service. In this way all the purchasers are positioned to get better economic deals, and in the same respect the marketer gets a better opportunity to move stock and take more orders or clear out any leftover inventory. It is also stated on facebook.com (2007) that such groups are mainly formed with the purpose of getting the most appropriate deal in any sales-purchase activity.
Boyd, D., & Ellison, N. 2007. “Social Networking Sites: Definition, History, & Scholarship”, Journal of Computer-Mediated Communication, 13(1).
EMR-ISAC. 2010. “Security and Privacy on Social Networking Sites”, CIP Bulletin 2-10. Accessed 25 August 2011 from http://www.msisac.org/awareness/news/.
Govani, T., & Pashley, H. 2005. “Student Awareness of Privacy Implications Using Facebook”, unpublished manuscript. Accessed 25 August 2011 from http://www.lorrie.cranor.org/courses/fa05/tubzhlp.pdf.
Gross, R., & Acquisti, A. 2005. “Information Revelation & Privacy in Online Social Networks (The Facebook case)”, in Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, pp. 71–80.
Mitnick, K., Simon, W. L., & Wozniak, S. 2002. The Art of Deception: Controlling the Human Element of Security. Wiley.
Pitkänen, O. 2006. “Technology-Based Research Agenda on Data Protection Law”, in the Proceedings of LawTech 2006, Cambridge, MA, USA.
Sadeh, N., Hong, J., Cranor, L., Fette, I., Kelley, P., Prabaker, M., & Rao, J. 2007. “Understanding & Capturing People's Privacy Policies in Mobile Social Networking Application”, Personal & Ubiquitous Computing 13(6), 401–12.
Solove, D. J. 2008. Understanding Privacy. Cambridge, MA: Harvard University Press.