“Social engineering” has a number of meanings. In the security world, “social engineering” is a way of fooling you into disclosing information. It’s nothing new, but with social media sites like Facebook it has become easier for a criminal to find targets willing to enter their personal information. There are games, interesting links, and plausible messages from a colleague telling you to add your details to the department’s spreadsheet on Google Docs. The only way to be sure you never fall prey is to abstain from everything, but one day there will come a need to find out which of the Simpsons you are most like, so you should be vigilant!
Some types of information that you should never give out on these kinds of quizzes include your mother’s maiden name, personal banking details, passwords, and other PII (Personally Identifiable Information) such as where you live, your social security number, and your phone number. This is common sense, but ask yourself: “If someone was out to get me, my family, or my department, could any of this information help them?” For background reading on much of this there are some excellent sources, including the SANS Institute Reading Room site, e.g. Which Disney© Princess are YOU? [PDF]
The EET team offers advice and a range of courses about engaging with your audience using social media; other courses, run with the Information Security team, help you to improve your security and your privacy online. To protect yourself, here are some things you could do immediately to reduce your exposure to the kinds of social engineering attacks that are out there:
- You should be backing everything up. (IT Services runs an HFS service for staff and postgraduates in the University);
- Turn on two-factor authentication, now. On social media your username is usually public: it is either your email address or your profile name, so the criminal only has to guess the password. Two-factor authentication means two pieces of information are needed to access the account. Think of it like a shopping transaction: to pay with my bank card I use something I have (my card) and something I know (my PIN);
- Tweak your privacy settings. Facebook and LinkedIn are making it much easier for you to protect your privacy, but you have to do this yourself;
- Surf the Internet defensively. Don’t click a link that is obviously trying to provoke you, or to entice you to click when you probably shouldn’t. We all know this, but consider a direct message on Twitter from someone whose email you would normally react to immediately: when their account is hacked and you receive a message from them, you might just click that link, especially if you’re in a rush or checking in on your mobile;
- When you have more time, check that Twitter direct message carefully, and ask whoever supposedly sent it whether they really did. Some posts or messages are hoaxes, and there are sources that help you check whether something is a scam: enter some of the text in a search engine, and read e.g. snopes.com or facecrooks.com.
All of these (and much more) are illustrated on the handouts for our course on “Security and Privacy Online: Social Media”, along with references for further reading, which you can download from the Portfolio site. Or you can attend the workshop, which runs every term.
Here’s an image which reminds you about where to post and what, “Status conscious?” from “Breaking Copy: A Copywriting Blog”: