May 2011 – The Social Media Security Podcast

Taking over the Facebook Page “buy now” button (Part 1 of 2)

Posted under Facebook, Social Media, Social Networking, Uncategorized on May 25th, 2011 by jruffer

As I have been testing the security settings of companies social media strategies, I have consistently noticed two things, marketing is desperately trying to find its ROI and IT/Security doesn’t even know they have a FB page. I do agree that after a number of months, it is time to show the CFO that spending that insame amount of time on their social media sites is worth the payroll checks. Unfortunately, analytics alone have been a blurry way of making that compelling argument and can be defeated by saying, if, I had put those payroll checks into google…I could see our ROI in a nice neat report. This is one of the reasons that marketing is jumping head first into technologies like Shoutlet, payvment or others (FB E-commerce). Why not sell your items on your FB Page? Your team has worked extremely hard to get thousands of new users to click follow/like. Ultimately, this is going to be the future of pages but because IT/Security is not involved in the social media process it also opens a HUGE GAPPING HOLE in your security policy and procedures. And of course here is your example:

The policy of company ACME is “no social networking allowed” on internal networks. Sites are being blocked at the firewall with rules and enforced with a content filtering tool. IT/Security has done its job with social media, right? BUT an exception is made for Marketing because they are special people. A FB page was created as well as an E-Commerce app installed without consulting IT/Security. I know this because after taking over the FB page using our friends Cain and Able, I replaced just one of the “buy now” buttons to redirect it my site and used analytics to see how many people clicked this button. Showing this to Director of IT he replied “I didn’t even know we had a FB Page.” Part two is coming…but I leave you with this..

Who is in charge of these buttons? Have these tools been tested and approved by IT/Sec before you took the 6 mins to install on your facebook page? What permissions are you giving this solution? HEY! IT/Sec does your company have a FB page? Have you seen it lately? Is it part of your compliance testing?

Firesheep’s Revenge

Posted under Facebook, Google Buzz, LinkedIn, Social Media, Social Networking, Twitter, Uncategorized on May 2nd, 2011 by jruffer

No, this is not an article on the new version or even newly added super hero features for firesheep? #titlefail? Maybe but please read on then decide.

I know firesheep has lost its shiny coin syndrome with most but the attack is still working quite well in the field. While the readers/listeners have been doing a good job of enabling secure browsing options in Twitter and Facebook, we still have a long way to go. Please keep spreading the word and keep pleading to social networking sites to enable secure browsing by default. So, Why the “Firesheep’s Revenge” title? Well these last month’s, a couple of us have been testing common social media monitoring (SMM) tools. These tools are generally used by small businesses, internal marketing, or external marketing companies to help update social media accounts without the hassle of logging into every social networking site individually. We have been testing these SSM’s and found that:

http://hootsuite.com/dashboard#
http://sproutsocial.com/dashboard
http://standard.cotweet.com/channels#

Are not using secure browsing by default, allowing us to hijack sessions. What does this mean? Well by adding your social media accounts into these SMM tools, you are granting the tool permission or full control over that account(s). By gaining control over the tool we are bypassing all the hard work you did by enabling secure browsing in each of your twitter and facebook accounts. Try explaining to the VP of Marketing that even though you checked the “defeat firesheep” box it still works. And not only will it work on Facebook/Twitter but now LinkedIn, Foursquare, ping.fm and Ning accounts all in one interface. Most of the time we were looking at full access to the corporations social media strategy. So, we are right back to where we started, teaching the user that security is usually the last thing on the mind of these rapid development firms. If you do not see the option of “secure browsing”, then please be careful of where you update your social media accounts. Ask your tool makers where this option is located. If they do not have this option then maybe you should look for another tool.

James F. Ruffer III
Unixbox
@jruffer