The race for the most personal Twitter followers

I have had a great reply on this topic while going around the USA talking about social media security.  During my talk I give an example of why it is NOT okay to allow just anyone the right to follow you or vise versa.

I choose a volunteer out of the crowd.  Usually a nice looking woman because…why not.  I give a hypothetical situation.  We were dating and things are starting to get serious.  So serious that I take her to meet my mom for the first time. While we are at my ma’s house, I introduce her to my new brother-in-law.  My brother-in-law was in charge of bringing the dinner rolls and once again forgot.  He asks her to go to the Italian (not french) bakery down the road with him to get these rolls.  She says yes.  While they are picking up the rolls he notices that he forgot his wallet and asked her for $4.98 to cover the rolls.  She just happens to have $5.00 in her left pocket.

Would she give him the $5.00 and why?

The answer has always been “yes” and because he is associated or was introduced to her by me.  There is an applied level of trust set prior to them going to the bakery.  Well this level of trust in my opinion can be accomplished within twitter.  If I follow you and we start having a friendly conversation(your favorite sports team) I will then go after your friends and family for a small amount to help me with my “cure/run/walk”.  All I have to do is introduce myself as your friend as they can see our past conversations in twitter.  I  have had a over 90% success rate of getting their followers to click my cause link.  This success is based on the applied trust between two strangers.  So although it is really #kwel to have 70,000 twitter followers it can also cost your friends and family $4.98

For more information feel free…info@unixbox.ws

Taking over the Facebook Page “buy now” button (Part 2 of 2)

As I have been testing the security settings of companies social media strategies, I have consistently noticed two things, marketing is desperately trying to find its ROI and IT/Security doesn’t even know they have a FB page.  I do agree that after a number of months, it is time to show the CFO that spending that insame amount of time on their social media sites is worth the payroll checks. Unfortunately, analytics alone have been a blurry way of making that compelling argument and can be defeated by saying, if, I had put those payroll checks into google…I could see our ROI in a nice neat report. This is one of the reasons that marketing is jumping head first into technologies like Shoutlet, payvment or others (FB E-commerce). Why not sell your items on your FB Page?  Your team has worked extremely hard to get thousands of new users to click follow/like. Ultimately, this is going to be the future of pages but because IT/Security is not involved in the social media process it also opens a HUGE GAPPING HOLE in your security policy and procedures. And of course here is your example:

The policy of company ACME is “no social networking allowed” on internal networks.  Sites are being blocked at the firewall with rules and enforced with a content filtering tool. IT/Security has done its job with social media, right? BUT an exception is made for Marketing because they are special people. A FB page was created as well as an E-Commerce app installed without consulting IT/Security. I know this because after taking over the FB page using our friends Cain and Able, I replaced just one of the “buy now” buttons to redirect it my site and used analytics to see how many people clicked this button.  Showing this to Director of IT he replied “I didn’t even know we had a FB Page.”

Part 2

After this meeting we agreed to stop and allow IT/ Security to be a part of the implementation of this new e-com solution and lock down this new site.  After a couple of months we were given the green light that all social media was secure and our attacks would now #fail.  Well they were wrong!  Here is what happened;  Technology constantly changes and therefor we should also be constantly training/testing these changes.  Yes, all https was checked.  Yes, they read www.socialmediasecurity.com on a regular basis.  But they forgot to monitor their social media accounts like they would an email server.  There is still a core failure in my opinion of Facebook pages.  Who?!? owns the data and when is it okay to monitor the admins personal accounts? Because these users of the pages still enjoy using Facebook for personal use. They do not apply the corporate rules to their personal accounts nor should they if that is how they live.  So, we are either forced to create fake accounts or all share one admin account.  Well with our testing we are still targeting the admins of these pages.  There are many many ways to gain access to their accounts and once in, we only have to create our own evil twin account to keep access.  Example: if Bob Alice is the admin of the page just create another Bob Alice and copy the information including the  profile imagine and allow this new user admin rights to the page.  Most common users will just think this is a Facebook glitch and it is showing their profile twice. But in reality it is a way for us to keep a constant admin account to this system.  If you maintain a Facebook page you know that admins just lose their rights to the page all the time out of the blue.  So constantly adding the same person is a regular process.  If the company was monitoring its data it would see these changes or see that there were in fact 2 different accounts attached to this page.  But we are not monitoring these accounts, yet. Social media security can be a full time job depending on the risk and frequency of the sites.   For more information feel free as always to email me.  info@unixbox.ws

Social Media Security Podcast 24 – Personal Social Media Accounts, Cree.py, ProfileSpy, App Privacy

This is the 24th episode of the Social Media Security Podcast recorded April 6, 2011.  This episode was hosted by Tom Eston and Scott Wright with special guest James Ruffer. Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!