20080130

Social Networking Threat: XPFA

Link

Okay - I didn't find a new kind of vulnerability or identify some brand new threat. We've seen lots and lots of cases like these:

  • A teacher fired for material they had on their MySpace page
  • People not getting a job because of information they put on their Facebook profile
  • People complaining that somebody close to them got their password and changed information on their social networking profile
What surprises me is that actually exploiting the non-existence of a profile isn't more prevalent. The idea that employers are looking at employees' or candidates' social networking profiles is no surprise. And if many people know that it's common, why don't we see more hijacking of a non-existent identity? If a person doesn't have a Facebook profile, but they have enemies, why aren't enemies falsifying profiles?

This has two benefits for attackers. The first is the revenge or get-even factor. If I can falsify somebody's private life and prevent them from getting a job, promotion, or even a date, is that of value to me? Depending on the job, promotion, or date at stake, the profile stalker could gain financially - think of all the domain squatting that took place in the early to mid 90's. Will we see a similar trend in individuals to protect their "personal brand"? Will we see indie rock bands have to change their band name when a disgruntled ticket buyer makes a fake version of their site on the social networking site du-jour?

The consequences of this to the victimized person are clear. Their name has been slandered by somebody who knew enough information about the victim to make a convincing (yet false) page. They will have to take time to build a new, true identity. They will have to take the time to explain to potential employers that there's a fake out there.

But companies are at risk as well. Companies who use this practice could potentially miss the best candidates, or be relying on false information. They could get rid of the best employees by relying on information they don't know to be real. This is the same story as small town teachers getting fired because parents found liquor bottles in the teacher's trash bin on Tuesday night (whether it was put there by the teacher or not). And I don't think we know for sure there won't be litigation in early termination or whatnot because of falsified social networking information. (Most states are "right to work" states, meaning you can be fired for no reason, so the potential for this is low).

All that being said, a couple of colleagues and I came up with a new name for the vulnerability: Cross-Personality Framing Attacks or XPFA. We'll find out if the name gets any traction.

So how do ordinary users protect themselves? For those who do use social networking sites, I recommend using a different password for that site than any other, and change it frequently. Of course, I recommend this anyway. And limit the visibility of the information on the site. And don't put anything on there you wouldn't want your mom to see.

For those who don't use social networking sites (or the most popular ones), I'm not sure how much protection there really is other than claim your spot early. The problem is that you'd have to keep your profile public and up-to-date with completely benign information in order to get it linked high in search engines. Which is sad - the way to protect yourself from a fake social networking profile is to use social networking?

Perhaps the best solution for users is not to make enemies. And the best solutions for companies is to make sure they know the site is for real before trusting it.

Incidentally, I neither condone nor condemn employers using this practice. I don't necessarily like it, but in general, it is information that people want for the public to be aware of. If I were hiring somebody who had written a book, I would probably at least skim the book before hiring them. Is this that much different?

0 comments: