Serving Canada's Legal Community Since 1983  

Social networking sites pose danger to law firms
By Kevin Lo

January 25 2008 issue

The social networking website Facebook launched a lawsuit last June against a Toronto-based pornography company for making more than 200,000 attempts to hack into its servers to obtain personal data about its users. Facebook accused Istra Holdings Inc., which does business under the name SlickCash, and other defendants, of trying to obtain personal information about the popular site’s subscribers to use, presumably, to send them information about its adult services. Facebook has not said what information, if any, was compromised.

Why would Facebook be targeted? Because it is a virtual cornucopia of personal information about more than eight million Canadians – one city, Toronto, has more Facebook users than anywhere else in the world – and most of them proudly reveal their phone numbers, addresses, likes and dislikes, friends’ names, social clubs and activities, alma maters and other helpful details that must make fraudsters and corporate spies drool with delight.

While corporations and professional firms such as law practices tend to focus their attention on controlling and restricting employee access to Internet sites while at work, they rarely consider the potential danger presented by social networking sites such as Facebook, MySpace, YouTube and personal blogs that their staff might be using legitimately in their own time.

Recent years have seen an enormous rise in social engineering, in which hackers and spies use personal and corporate information, obtained by various methods of subterfuge, to infiltrate a company, usually by hacking into its computer system. Once inside, they can do untold damage, including stealing corporate secrets, sabotaging (and possibly holding for ransom) the company’s information technology network, or perpetrating numerous types of fraudulent activity.

One of the newest ways they obtain the information that allows them to hack in is to acquire confidential information, online, by posing as friends in social networking sites.

A U.S. Senate subcommittee on investigations called social engineering a “high tech version of the old confidence game.” The perpetrators use a variety of methods to exploit the social networking sites. Often they simply pose as a friend and see if the people they target will accept them as such, which gives them access to the intimate details posted on many people’s profiles. They then use that information either to ask their “friend” for confidential information – perhaps by engaging them in seemingly harmless banter about passwords at work – or to pose as the person.

For example, when they note that a person is off sick on a certain day – and many users detail on Facebook what they are doing each day – they call in to the office and pose as the employee. Using details obtained from the absent employee’s profile, they con someone at the office into providing information that allows them to hack into the company’s network.

Furthermore, many users indiscriminately add and accept Facebook “novelty applications” to their profile without reading the fine print that accompanies the installation. These applications often look benign and innocent, but by rushing through the installation or use of such applications, users may unknowingly have authorized others to collect their personal data.

The U.S. firm RocketReady uses techniques such as these to show corporate clients how vulnerable they are to social engineering attacks. According to RocketReady, it is able to use easily obtained information to discover passwords and other sensitive corporate information with an approximately 30 to 35 per cent success rate.

Identity theft is another obvious concern. In a 16-month period between February 2005 and July 2006, approximately 88 personal records were reported stolen from corporations in the U.S. in 214 separate personal data loss incidents. Those are only the reported cases; there were likely many others, as few companies will voluntarily admit that their security systems were compromised.

What can legal counsel do to advise clients, as well as their own security practitioners, on ways to reduce or prevent threats arising from employees’ use of social networking sites? Possible approaches might include:

  • Create a social media policy for use outside the office. Prohibit using the company name in personal profiles and electronic correspondence to make it more difficult for an impostor to pose as an employee from another office.
  • Educate employees. Make sure employees are aware of the dangers posed by con artists. Encourage them to be careful about what information they post and whom they accept as “friends.”
  • Ban Web 2.0 applications in the office if you work with sensitive information. Spam is a major part of social engineering: people click and download disguised malicious software that can penetrate a computer and then the entire network.
  • Conduct regular internal audits to see where the company name comes up on the World Wide Web. Electronic discovery identifies key players, irregular patterns, data transfers and even common keywords used in Google searches. In addition to capturing the data, forensic IT experts preserve the information to make sure it will stand up in a court of law.

Although sites such as Facebook can pose potential dangers to a company, they can also be helpful. Consider setting up an official company site that is controlled and monitored. It can be beneficial, for example, for recruiting purposes.

Kevin Lo, CISSP, CCE, EnCE, is an electronic discovery expert at LECG Canada.
