Written by: Sean Michael Kerner
As National Cyber Security Awareness Month (NCSAM) draws to a close, it's important to re-examine one of the most fertile attack surfaces for modern attackers, social media.
It was just a few short months ago in August, when Twitter CEO Jack Dorsey had his account hacked. Although the hack was relatively brief, with attackers only temporarily having control of the Twitter account, it was enough to stoke fear, uncertainty and doubt in the minds of many about social media security in general. After all, if the CEO of one of the world's largest social networking companies can be hacked, how can mere mortals stand a chance?
To be fair, the CEO of Twitter is a high-profile target and the risk profile for Jack Dorsey is likely somewhat different than a typical user. That said, Dorsey was hacked and unravelling the circumstances that enabled that attack can help to illuminate some of the wider threats around social media, as well as best practices to reduce risk.
The publicly disclosed root cause of the breach according to Twitter was not actually a vulnerability within Twitter itself. Rather, "…the phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number."
Twitter had enabled users to post messages via SMS and Dorsey's mobile provider was somehow tricked into giving an un-authorized person access to the number. One of the riskiest areas of social media is the extended network of privileges and authentication.
Privileges and authentication
Whether it's Twitter, Instagram, Facebook or another social media network, all the platforms have various degrees of connectivity with third party tools and services. Those services can be other apps that require a user's credentials, it can be about authentication to log into a service, or it can be for ease of posting with an SMS.
Fundamentally, if a user grants access to a service to post to a social media account, there can potentially be a risk.
It's a wise choice to carefully review and understand what permissions an app is asking for (whether it's for social media access or anything else for that matter) and be mindful of the risk. If an application or service is somehow compromised, even if the security of the primary platform (as was the case with Twitter) is solid, a breach or compromise can occur.
The key lesson is to not grant access to your social media credentials to just any application that asks for it and to routinely prune what apps you have that do you access to minimize risk.
Information sharing / OSINT
Among the most commonly cited pieces of advice when it comes to social media, is to not overshare personal information. As part of NCSAM, US-CERT has an informative infographic warning about privacy and sharing too much.
A skilled attacker can use information shared via social media as part of a methodology that is sometimes referred to as OSINT. In a session in August at the DEF CON security conference in August, a security analyst was able to demonstrate how just the simple fact that someone shared they had renewed a Netflix account could be used as a pivot point to steal banking information in a social engineering attack.
Anything you say online can be used against you, so be mindful of what is shared publicly.
Email by and large remains the primary method for phishing, but there is also a risk on social media as well.
With social media links, which are often truncated short links, it's not as easy to immediately identify the destination URL. DNS-based security solutions (such as Cisco Umbrella) can often block or warn users that they're headed to a known bad site, but it's also incumbent on users to be a bit skeptical and cautious when clicking on social media links from sources they don't know and trust.
For decades, a best practice has been to be careful about web links in general and it's a lesson that follows through to social media.
As with any site, service or application that relies on a username and password for access, social media site credentials are another area of risk.
With the volume of password re-use, password data breaches and credential attacks seemingly always on the rise, the unfortunate truth is that no single password is likely sufficient to secure access. Sure, there are password managers that can be used to help, but what's perhaps even more important is the use of Multi-Factor Authentication.
Multi-factor authentication can help to reduce the risk from a lost or stolen password, but it' not a panacea either. That's what made the Twitter hack in August particularly interesting. At first, there was some question and speculation that perhaps Jack Dorsey wasn't using two factor authentification (he was).
In the final analysis, social media security, is about more than one thing. Having multi-factor authentication is important, not sharing too much personal information, and being mindful of third-party permissions are all steps that can be taken to reduce risk.
Being aware of where risk exists and taking steps to reduce the attack surface is after all, what National Cyber Security Awareness Month is all about.