When social networking sites such as MySpace, Facebook, LinkedIn, Plaxo, etc. started to emerge years ago, the first IT people to take notice were systems administrators who, under pressure from business managers, started looking for ways to restrict or block employees’ access to these web sites. Managers were concerned about lost productivity, as many employees were spending the better part of the workday updating their MySpace or Facebook pages.

Recently, the focus has been shifting to the security impact of social networking sites. Security professionals are becoming increasingly aware of potentially harmful information that is posted on Facebook, MySpace, Twitter and even LinkedIn. The fact is that criminals, terrorists and competitors are carefully watching all the social sites in order to take advantage of the information posted there. Sometimes they go beyond passively collecting information and try to solicit information from specific individuals. An interesting variant of “phishing” is often used on sites such as LinkedIn and Facebook, where malicious users typically create a group, name it after the company they are interested in, invite a few individuals whose profiles show that they work there, then let the group grow and expand. Control over the group enables them to harvest valuable information about the company and use it to further their goals.

Here is an example of using social sites to gain insight into a competitor’s plans: a fashion industry executive is planning a trip to China, and her kid posts on Facebook “Oh, my mom is going to China next week” (including the city and province, which, by the way, is known for specializing in making designer handbags). As this company does not (yet) have a line of handbags, competitors put two and two together and take steps to neutralize the target company’s upcoming market expansion.

There are much more serious potential consequences when family members or coworkers disclose trip (or other personal) information about high-profile corporate officers on social networking sites. Terrorists and criminals can use the information to develop kidnapping or assassination scenarios.

Because of the high profile of the individual involved, probably the best example is last year’s incident in which the wife of John Sawers, at that time the future Chief of the British Secret Intelligence Service (MI6), posted family details on her Facebook page without any privacy protection on her account. The posted information included family photos, the location of their London apartment, and the usual whereabouts of their three children and Sir Sawers’ parents. The incident raised security concerns, and the actions of Sir Sawers’ wife were described as a serious error, potentially damaging not only to their personal security but also to the sensitive post he was about to take, as publishing this kind of personal information left him open to criticism and blackmail.

The bottom line: security professionals should always stay alert and be ready to face new challenges, even if they come from apparently harmless places such as social networking sites.
