Some dos and don'ts when using social networks
Beardsley said the best thing you can do is support your company's nondisclosure agreement. "When you got hired, you signed an NDA if you work in technology at all, or any kind of engineering, or biochemistry, or pharmaceuticals. There are all of these NDAs, so read them. Because when you write your resume or you tell people online what you do for a living, you may be violating it, and your HR department and your legal department can search these sites just as much as the bad guys. They can become your adversary in this scenario."
As for the IT side, Beardsley said, it's on a per-company, per-organisation basis when deciding whether you want to allow social networking at work. "It would be naive to think there aren't vulnerabilities in them," he said. "So, for IT departments, they need to realise that this is an attack vector. It's not just fun. It's not just a productivity stealer."
Real-world example
Beardsley noted that the Better Business Bureau recently had a problem. While the problem wasn't directly related to Facebook, MySpace, or LinkedIn, criminals were able to view complaints made online to the BBB and then tailor a special spam campaign toward them. Like social networking attacks, the criminals were able to identify the recipient by name and some recent history, therefore conveying a sense of legitimacy and trust.
"The advice that people give for trying to identify phishing ... is that typically [spammers] don't address you by name. Typically they would address you as "dear valued customer" or "dear potential investor" or something like that. When someone addresses you by name, and they seem to know at least one detail about your recent history, people tend to trust that a lot more than the "dear valued investor" letters." This type of "spear-phishing" will become common in the near future, said Beardsley.
E-mail can be spoofed
We've lived with the fact that e-mail can be spoofed for years. While plans exist to make e-mail more easily authenticated, Beardsley said nobody's picking up on them. "I guess it's not that big of a deal yet.
"I have no idea what the percentage is of money lost to phishing campaigns, as opposed to money generated by the Internet. I suspect it's lower than most sales taxes. So it's probably not that big of a deal in the grand scheme of things. But if I lose US$5,000 to a phishing campaign, that's a big deal for me." And probably for you as well.
Play video
There are currently no comments for this post.