Will social media hurt your business?

Due to the radical growth of social media, never before in history have we shared so much personal information with others. This could include information on our family, our possessions, our tastes, locations and visual media, such as photographs, to the point of some people sharing pregnancy scans on social networks, meaning that some of us appear on sites like Facebook before even being born! Of course, as much as we like to socialise and interact online, it can have significant drawbacks…

Criminal Misuse of Social Media

There are many cases of criminals misusing the data we share to assist their criminal activities. Statistics suggest social media is a primary tool used by house burglars for researching potential targets. There is also an emerging trend that suggests businesses and government institutions are being targeted via social media. The predators do this by focusing on individuals who may either be employed there or be sub-contractors providing services to the target organisation.

Individuals or smaller companies are sometimes the more attractive route for criminals seeking to attack or infiltrate targeted organisations. These smaller companies may sub-contract to larger targets, such as the military or aerospace, but a smaller firm often has lower awareness and less advanced security than its large client, and this provides a way in for the criminal element.

Geographic Data

Many social media apps on smart devices share geo-locational data by default, sharing information from the device GPS. If a user is tweeting from their workplace, then there is a chance that someone is watching this and linking this person to the organisation. By using open source intelligence tools they can look at the social network user and tie locations to their other messages, making it possible to locate their home and other commonly visited places. This is just the beginning.

If the location services or GPS is activated for a smart phone camera, any photographs taken will incorporate data showing where the photograph was taken. This photograph may then be uploaded to the Internet and can easily be traced back to the location at which it was taken. Bear in mind that a friend or family member you’ve shared the image with could easily and innocently upload it without your knowledge. It is good practice to ensure GPS for your smart device camera is always switched off.

Data ‘Breadcrumb Trails’

I like to refer to the data we share online as ‘breadcrumb trails’, where one piece of data can lead to another:
• How many of us have the same username on different social media?
• How many of us have webmail addresses, such as Hotmail, that are prefixed by our username?
These are just two examples of how snippets of personal information can be linked together to create a trail leading towards a larger and fuller profile of our lives and actions.

Within my training and consultancy work I use a series of real-life anonymised case studies to demonstrate the power of breadcrumb trails. I start by showing geo-located tweets coming from a building in the Middle East. I identify the user, his job, his home address, his family, his hobbies, his car and so on. I then take his social network username and do a basic Google search, identifying many other social network accounts he owns. Some of the other accounts have geo-tagged photographs of the user, including some of children to whom he is related. If a criminal finds this information, what could he do?

Organisations, Children and Risk

Information on children can be used as a very powerful and emotive weapon for blackmail or extortion. As well as information that kids share online about themselves, many parents share too much online about their children. Details of children’s names, schools, social activities, parties and where they may be going can be another ‘jigsaw piece’ that criminals can use against us. Knowing which team ‘Jimmy’ plays for, supported by a visit to his team’s website that displays forthcoming fixtures, can be used to frighten a parent into carrying out certain actions to protect their child.

These actions might be something that to them seem relatively benign, such as inserting a USB memory stick into a PC at work. This USB device may contain software that could bypass the network security and automatically steal data, sending it to the criminal. Alternatively they may require the targeted person to physically take something for them or maybe leave a door or gate ajar for them. This sort of criminal action is especially effective if the criminals can see that the targeted employee is working away from home, which could easily be calculated by monitoring social network messages.

Paedophiles are also very adept at gathering the information and photographs of our children from social networks. While this may not always be a direct threat to the children themselves, the fact that they may be using innocent images in online groups and forums is very unpleasant and can be distressing.

Being Truthful?

When creating social media accounts I would advise not being totally truthful when completing personal details. I must point out that this will most likely breach the service provider’s terms & conditions, but it helps break the breadcrumb trail regarding your identity. You should consider opening an email account specifically for that social media account and not use it for anything else. You may also not want to be totally truthful about your location or birth date. It is reported that Andy Smith, an Internet security chief at the UK Cabinet Office, controversially called the idea of using false information for online accounts “a very sensible thing to do”. Ethically some may question how right or wrong this is, but protecting your identity is crucial. Using the same email address between different accounts can make it very easy to verify the accounts belong to the same person.

Knowing Your Apps

Many social network users use apps that run within their social media accounts. A good example of this is the proliferation of games available to play within Facebook. Very few of us read the terms and conditions for these, though, and we are generally unaware of the information that the apps can access. Some can access our contact information, personal details such as mobile phone number and email, or can post messages on our behalf for our friends to see. Some also have knowledge of our location, which is not something we would necessarily want to share with strangers.

Our concerns about sharing such information may vary, depending on how strongly we value our privacy. Should this information get into the wrong hands, then this is when our problems really begin.

David Benford is managing director of Blackstage Forensics. An internationally renowned security expert, he specialises in criminal risks derived from online social media, Internet, geo-locational data, smart phones and Open Source Intelligence. As well as training law enforcement, government operatives and corporations in this field, David lectures in cybercrime and digital forensics at the University of Derby. He is an experienced digital forensic scientist and a published academic, and has recently delivered specialist training and consultancy to organisations such as NATO, the European Commission, the Council of the European Union, diplomats, intelligence agencies, multiple police agencies globally, as well as several celebrities.