Thank you to Tom for allowing me to participate with social media security dot com. The guys in this community have been great resources in helping me to spread the word on the insecurities with social media. This year, I have been reaching beyond the security space, speaking to many social media clubs, podcampers and O’Reilly conferences only to realize something disheartening. Not enough people hear or are listening to us! I am going to start posting some real experiences to help with the questions of “why should I care about social media security?”
This week at Podcampnashville I was able to demo Firesheep, and in 3 mins and 48 secs, 64 accounts were in my sidebar waiting for me to double click. After the demo I had some great questions, and just like that the session was over. Later a young lady came to me and admitted she was 1 of the 64 in the sidebar. She asked me to show her what I “could” have done with her account. She was not really impressed or scared that I could have updated the profile, chatted with friends or added creepy users. Then fear came very quickly when I switched from the user account to the PAGES she had admin rights to.
She is in charge of the Facebook pages of 12 major medical practices in the area. I have to be honest, she rocked at maintaining these pages. Impressed by her work, I asked how much time she had put into these pages and followers. Time was in the 1000’s of hours and also in the $100,000 range of billable time. My final question to her was…what would she do if all of this time and money came crashing down because of some idiot at a camp running a free Moz plug-in. She said she would hunt them down. She was kidding of course, but I was a little scared to be honest. We went over some settings and she is now going to help spread the word. 1 out of 64 down.
The security of a Facebook Page is only as strong as the personal accounts of its admins. This is one reason why the CSO should care…
Things that make you go HMMMM? <- point to head -Arsenio Hall
Facebook’s terms and conditions state that you must have a personal Facebook account to administer your company page. Facebook company pages allow multiple users to have access to share content. Are you monitoring, or otherwise making sure, that the people with that access meet your company’s security standards? If an employee has left, is Facebook Page access part of the account removal process?
Great post! This goes to something I’m seeing becoming a more general concern among CSOs – misuse of Administrator rights within the organization. Many IT staff (with Admin privileges) don’t realize the potential impacts from compromise of an admin account with lots of rights. It’s sad that Facebook’s admin model is very weak for limiting or isolating privileges. We should try to post a diagram illustrating how Facebook pages rely on average, everyday, low-security user credentials. One of the basic security principles this whole situation is clearly violating is that of “least privilege.” Accounts (and users) should not have more rights than they need for their intended purpose. More people would probably be concerned if they understood more of the “use cases” that lead to compromise.
Also, it’s sad that so many people are still susceptible to Firesheep. Turn on “persistent SSL” in Facebook (and any other major sites that offer it), people!
– Scott
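The Firesheep demo in the post and the “persistent SSL” advice in the comment above come down to one header attribute: a session cookie that is issued without the Secure flag will be sent on any plain-HTTP request, where anyone on the same Wi-Fi can read it. The following is an added example, not code from the post or from Facebook: a small audit that parses constructed Set-Cookie headers from a login response and reports session cookies that a passive sniffer could capture. The cookie names it treats as session cookies (`sess`, `sid`, `token`) and the sample headers are assumptions for the demonstration.

```python
from http.cookies import SimpleCookie

# Constructed sample login responses (not real Facebook headers): the same
# site before and after it was switched to HTTPS-only sessions.
BEFORE = [
    "Set-Cookie: sess=3f9a2c; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]
AFTER = [
    "Set-Cookie: sess=3f9a2c; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]

# Cookie names that carry a login session in this example (assumption;
# a real audit would take the list from the site's own documentation).
SESSION_NAMES = {"sess", "sid", "token"}


def parse_set_cookie(header_line):
    """Return (name, morsel) for one 'Set-Cookie:' header line.

    SimpleCookie records the bare Secure and HttpOnly attributes as True on
    the morsel and leaves them as '' when they are absent.
    """
    value = header_line.split(":", 1)[1].strip()
    jar = SimpleCookie()
    jar.load(value)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def audit(headers):
    """Return findings for session cookies that leak on a plain-HTTP hop.

    Missing Secure: the browser will attach the cookie to http:// requests,
    which is exactly what a sidejacking tool sniffs for on shared networks.
    Missing HttpOnly: the cookie is also readable by scripts in the page.
    Non-session cookies (preferences, language) are ignored here.
    """
    findings = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, morsel = parse_set_cookie(line)
        if name not in SESSION_NAMES:
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure; sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly; readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(headers) or ["no findings"])
```

Run against the constructed `BEFORE` headers the audit flags the `sess` cookie for lacking Secure, which is the condition the demo in the post relied on; against `AFTER` it reports nothing, which is the state the “persistent SSL” setting is meant to produce for the user’s own session.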
[…] and Twitter The one protection a user has is enabling secure browsing with the https setting. In a recent post on the Social Media Security blog , he explained how with access, a hacker can control every aspect of the victim’s Facebook […]