Social Networking Site Safety Questioned

An anonymous reader writes to mention a TechNewsWorld article about social networking sites. Researchers are finding these places are goldmines for social engineering exercises. Between worm attacks and simple human observation, sites like MySpace are the perfect place to obtain saleable personal information. From the article: "The danger is real, according to a study conducted by CA and the National Cyber Security Alliance (NCSA). In October, the alliance issued its first social networking study examining the link between specific online behaviors and the potential for becoming a victim of cybercrime. Despite all the publicity about sexual predators on sites like MySpace and FaceBook, the alliance took a different approach by measuring the potential for threats such as fraud, identity theft, computer spyware and viruses. Although 57 percent of people who use social networking sites admit to worrying about becoming a victim of cybercrime, they are still divulging information that may put them at risk, as Boyd suggested. Social networkers are also downloading unknown files from other people's profiles, and responding to unsolicited instant messages that could contain worms, the NCSA reported."

it holds true for myspace

Researchers are finding these places are goldmines for social engineering exercises.

Yeah, well you know what you have wherever there's a goldmine. Gold diggers.

Fix the ohter end?

Should the other end be fixed? Why should it be possible to steal someone's identity with the simple personal details people make available online?

all the best,

drew

Re:Fix the ohter end?

I think the problem is with MySpace's default layout. I mean seriously, doesn't this sidebar information just invite abuse?

General:
Music:
Mother's Maiden Name:
Movies:
Television:
Social Security Number:
Books:
Heroes:

the answer to this is so simple...

Just make your damn profile private! If you are naive enough to think that everyone in the world wants to read your profile, you are probably too naive to understand that everyone's intentions sometimes aren't friendly.

One of our HR people just to prove a point attempted to look at my profile, and then sent me a friend request which I denied for that reason. Making a definitive wall between work and whatever it is that I do at home is very important.

In other news

Never leave home and you'll never catch a cold or get run over by a car. Join the fight against leaving home now!

of course

Its a meeting place for all the morons on the interweb (as called by a few of my friends)

Myspace, hi5, bebo, is just to name a few i see around here in job corps,

ever wonder why AOL Userers got the most phising emails, because most AOL users where morons

Newsflash: People are STILL stupid.

In shocking news today, it was revealed that human stupidity is not relieved by the internet, but is actually exascerbated by it. News at 11:00!

Obviously

They're bound to be havens for social engineers. Those sites are full of people who are usually fairly young, almost guaranteed to click on any link they're sent - especially if from a "friend" on the site - and entirely uninterested in the workings of computers, or the internet.

People don't find these sites anymore. They go online specifically to accumulate profiles, with no knowledge of what they're doing. Of course it's going to go horribly wrong.

Nosey sites

Part of the problem is sites asking for identifying info when you sign up, including passwords, email addresses, real addresses sometimes, or postcodes/zipcodes, dates of birth etc? Why? None of this stuff has anything to do with what I post on Slashdot, my opinions on music, films, games. Having it stored on the site owners server does nothing to aid my attempts to get answers to technical problems on usenet or forums. And I'm not entirely sure it can be said to help reduce trolls and other problems that afflict public sites. If people didn't have to exchange all this info to register on sites etc, and it was only provided when absolutely necessary then maybe people will be more aware of exactly who's asking for it and how safely it'll be stored.

This...just in!

Another recent study said that walking down dark alleys while jiggling your car keys and waving a wad of cash around may increase the likelyhood of muggings.

Automated Privacy Rights

Best practices to protect personal data like IDs should be consistently supported in software if most people are to practice them.

I'm really annoyed every time I have to type my name/address/email into a Web form. How many times have I typed that info in the past 10 years of the Web? Why can't forms include either Javascript or even standardized APIs for requesting the same personal info? In increasing scopes with simple descriptive names. So I don't have to let my info sit cached at so many remote servers with which I do intermittent business, any one of which can leak my info at any time.

I want to see a Web GUI show submittable form sections tagged by their target org. I'd like to subscribe to a service that rates forms by their risk, demonstrated by proven vulnerabilities in distributed reporting databases (or whatever my selected advisor uses to decide its ratings). Many people would pay for such a service to advise how much info to disclose to a given recipient. And many organizations would pay to make using them free, like insurance and bank corps, not to mention governments with insight into the preventive value of informing consumers of disclosure risks, without slowing down acceptable transactions.

People can protect ourselves even more than with just tech fixes. We have the right to privacy in our "papers and effects" [wikipedia.org]: our personal data. We produce a government to protect that privacy. We should specify how they protect it, like requiring all disclosed personal data to be redistributed only within the context of the transaction into which it was delivered, unless explicitly agreed otherwise by the sender. Maybe even a Constitutional Amendment, to make more clear the privacy rights implicit in the Constitution, explicit in the 4th Amendment, but still not protected enough for adequate security in the modern age.

Easy Sum:

Yes, Virginia, there is a such thing as "Ignorant People Who Will Click On Anything Others Send Them"

/P

On the other hand,

Socializing at a bar puts you at greater risk of physical harm. Socializing at a church puts you at greater risk of personal judgment. Socializing at a coffee shop puts you at greater risk of cardiac arrhythmia. Socializing at a restaurant puts you at greater risk of clogged arteries. Not socializing puts you at greater risk of dying alone.

Poison the Well

So spammers and marketers and others are data mining social networking sites. Great, I think it is the duty of each of us to go create a fake site with a fake name and link to a few other people. Heck we can even get creative and talk about "favorite" products. Maybe I'll accidentally post the number of a local law firm claiming it is my home number :)

Teach internet responsibility in school

I think a great way to combat issues like this is to start teaching safe browsing in school. We are already teaching them how to use the computer and how to find information over the internet, but are they teaching them how to use the technology responsibly. When I learned how to use a computer in school, we learned what bugs and viruses were, but they weren't as widespread then, so there was no lesson on how you might get a virus, how to prevent getting that virus, and if you do get a virus, how do you repair your machine. This was also before spyware was understood as well as phishing and identity theft. We all saw the movie "The Net", but no one really thought that could happen to them, and could only be pulled off by some elite hacker out to get you, and only you.

We need to teach the kids that not everyone on the internet is your friend. Not everyone on the internet is who they say they are. You can protect yourself from malware by using safe browsing behavior (don't click OK at every message that pops up, smiley face add-ons are not so smiley). Never give out personal information on the internet unless you are absolutely positive that the person you are giving it to is in fact who they say they are, and there is a legitimate reason for it. This means no SSN, phone number, credit card/bank numbers, address, etc.

Like I said earlier, when I was in school, all of this was not really a concern, so I'm not sure if schools are actually teaching this kind of stuff.

Without these sites, Chris Hanson is unemployed

How many social researchers salivate when they hear "Hi, I'm Chris Hanson with Dateline NBC".

The industry alone should be salivating, for all the pedo-rific jaw dropping action that goes on in a pedo bust.

Without myspace or any of these, what kind of pedos would we watch get busted on Friday night.

There's only so much Michael Jackson to go around.

If you'll excuse me, I just met a 19 (12) year old kid and am going to drive 300 miles away to meet them. (And yes, I always have protection, erotica, booze, and her favorite perfume with me, you know, just in case...)

.

[disclaimer: this is a joke, no cop calling please.]

Brilliant!

So...places where lots of social networking occurs are good places for social engineering?!

Next you'll be telling me that places with lots of water, fish food, and fish habitat are good places to go fishing!

Its a mad world

Isn't it really ironic that these kids put all of their personal info on the internet, but probably won't even tell you their name if you walked up to them in public and asked for it? Stupidity I tell you, welcome to the 21st century of darwinism.

Re:Let take to noobs what they deserve

How to spot a "noob": Poster cannot write grammatically correct, coherent, English sentences.