By Joseph Kashi, for the Redoubt Reporter
This week, we’ll consider some insidious and nasty computer security problems.
Not long ago, social networking over the Internet was limited to teens and college students seeking to network with their peers through linked pages that had the appearance of a personal Web site, such as Facebook.
Soon, Facebook became a multibillion dollar rage, spawning even less secure teen sites, like Bebo, and business networking sites such as LinkedIn. These are not your father’s Web sites.
Social networking groups typically obtain all the contact information contained in your e-mail address book and make your personal information available to nearly everyone on this planet, and most nearby stars. Suddenly, everyone listed in your address book, likely including people whom you loathe, is suddenly broadcast to the known universe as your “friends.” Social networking sites then propagate your name and address to thousands of other “friends” as offered links. It’s not something you even have much control over.
When this happens, there are obvious confidentiality issues for professionals such as attorneys, physicians and psychologists. There are also more subtle concerns, for which there are no silver bullet solutions.
In fact, I just received an e-mail from the technology-savvy risk manager of a major legal malpractice insurance company, who told me that he decided to totally avoid any social network media. He’s confident that he’ll have the last laugh on his children, who now tease him for being “so 20th century.” I’ve decided to stay away from it for a few years until security features catch up with popularity.
Because Internet social networking is both widely popular and also immature technologically, it’s a nearly ideal target for fraud and malicious software. Over the past few weeks alone, several major security holes have been exploited in Facebook that resulted in literally millions of problems, including one exploit that sent phony and embarrassing e-mails to “friends.” These e-mails purport to come from the victim’s Facebook account. The newly popular Twitter cell phone text messaging service and many “free” greeting card sites have also experienced similar problems recently.
There’s an old adage that, “On the Internet, no one knows that you’re a dog,” and nowhere is that truer than in social networking. One of the more serious problems is “cyberstalking,” which can take many forms. These are real and serious concerns and they happen far more often on the Kenai Peninsula than most of us would imagine, or like.
Even here in Alaska, it’s common to see yet another news article about someone being arrested for serious crimes that used social networking Web sites as the mechanism to prey upon others. Teens pretend to be adults of consenting age. Adults trawl for children and teens, often pretending to be something, or someone, else. There’s really no easy way for anyone to check behind that cloak of anonymity.
Then again, there are always the traditional anonymous accusations, which are basically a modern update to what used to be called a poison pen letter. With the advent of social networking media, these can be so quickly and broadly dispersed over the Internet that reputations built up over a lifetime can be damaged in the moment of a mouse click.
Middle school students hack into each other’s social media pages and post really nasty, false material about the victim, sometimes to break up cliques or to interfere with other social relationships. In fact, one school administrator related a recent incident where a father broke down into tears when he saw what his daughter had posted on another girl’s Web site.
Beside blatant harassment and threats, cyber-bullying and cyber-stalking can take many forms. Many of us may recall how a 13-year-old girl was led on over social media and then harassed and insulted to the point of suicide. The rise of social media and linked “friends” makes it even easier to obtain quite a bit of personal information about individuals.
I’ve recently seen local instances where adults barred by court order from any direct, unsupervised contact with a teen hired another teen to comb through social networking media, locate the teen’s Bebo page, and then initiate surreptitious contact. Luckily, in this instance, the teen understood that this was in violation, retained hard copies of the contact attempts, and then brought them to the attention of a responsible adult.
Some social networking contacts, usually involving financial data and identity theft attempts, are actually quite convincing and often involve surreptitiously redirected Web site pages. The director of the FBI, whose job description requires a healthy amount of appropriate paranoia, recently discussed how he, too, nearly fell for an apparently legitimate bank contact.
Similarly, the technology director of prominent Internet security vendor AVG wrote only this week about how he nearly fell for an identity theft scheme that claimed his credit card was being used fraudulently by someone else, and then used information about his sister-in-law, gleaned from her Facebook page, to convince him that the inquiry was legitimate. Only at the last minute did he recall that he had never given this information out to anyone as a security verification and that the inquiry had to be a scam.
These were close calls for top security professionals and serve as a strong warning to all of us to be very careful about unsolicited or unexpected Internet contacts.
Social networking sites are full of security holes and have the real potential for nasty “pranks” by persons purporting to be someone else. For these reasons, I prefer to avoid social networking media, even though it’s the current rage for professionals and businesses trying to market themselves inexpensively in a tough economy.
At this point, I still prefer to use a securely hosted Web site and regular e-mail. If I’m not sure that a message is from an already-trusted source, I will find and verify a telephone number through the phone company’s dial-up directory information (NOT a phone number contained in a suspect e-mail!) and place a phone call.
One recent scam that hit Soldotna claimed that the Federal Trade Commission, in reality the U.S. government’s fraud and consumer protection watchdog, was allegedly participating in transporting the winnings of a lottery that the person had never actually entered.
The e-mail had a nice but surreptitiously redirected Web site and phone number claiming to be the FTC and directing the supposed winner to send several thousand dollars to ensure armored car delivery of the alleged cash. For sheer brass, claiming to be the FTC as part of a scam had to be some kind of record. Of course, just calling directory information in Washington, D.C., and getting the published number for the FTC’s consumer protection division would immediately discredit that particular scam, assuming that the “winner” called a verified FTC phone number.
Most of the problems associated with social networking groups are not traditional computer viruses or other malicious software. As a result, they’re usually not caught by traditional anti-virus or other Internet security programs. Rather, these sorts of scams, which seem more common around the holidays and tax time, use “social engineering” to prey upon the basic trust and decency of most people. Remember, if you’re not at least somewhat paranoid about these things, you’re not being careful enough.
There are a few technical precautions you can take. Always use a comprehensive Internet security software suite. Always use both a software firewall on each computer and a hardware firewall in the router that connects your computers to the DSL network. Turn on Micorsoft’s “anti-phishing” filter — it may give you at least some warning about Web sites that hijack Web addresses and secretly redirect users to a fraudulent Web site. Turn on Microsoft’s malicious Web address checking tools in Internet Explorer 8.
If you’re not sure, then be very cautious. Use the phone, verify phone numbers using public directory information and then call back. Don’t give out financial information over the Internet. In fact, recent federal consumer protection rules require that credit card information be carefully protected by legitimate vendors.
Finally, remember what professional economists call the “American rule” in economics: “If it sounds too good to be true, then it probably is.”
Traditional e-mail is not immune to malicious exploits like these. In fact, a number of tacky e-mails purportedly came from my regular ACS Alaska business e-mail account but never got through my own firewall into my computers. Instead, it seems that some automated hacker found my e-mail somewhere, probably on my office Web site, and then just bounced phony e-mails off the ACS server. ACS claimed in several e-mail exchanges that there was little that they could do to prevent that, but e-mail filtering by an ISP is not exactly black magic anymore. In fact, when my ACS e-mails were bounced back by some businesses and nonprofit corporations, I checked with other local and Pacific Northwest Internet Service Providers, who told me that they actually filter out the traffic from ACS e-mail servers as a security measure. Enough said. I suspect that they could do better.
Finally, use common sense and common decency. There are many self-inflicted wounds among social networking users. Typically, these arise as a result of people treating their Facebook or similar page as if it were a very private diary or a padded room within which to vent the most intemperate comments. It’s not private — indeed, the entire universe probably reads it.
Recently, I’ve read of many attorneys and judges who have had major ethical problems as a result of what they’ve published on their social networking pages — negative comments about clients, really nasty statements about judges who have ruled against them, and many other sins of the sort of loose lips that sink ships.
Quite a number of these attorneys and judges have faced ethics inquiries as a result. To avoid further problems, the Florida Supreme Court, in fact, has recently restricted the use of Internet social networking by judges in Florida.
So, although no one may know that you’re a dog on the Internet, they can find out just about everything else about you through your social networking pages and links. Be appropriately paranoid.
Local attorney Joe Kashi received his bachelor’s and master’s degrees from MIT and his law degree from Georgetown University. He has published many articles about computer technology, law practice and digital photography in national media since 1990. Many of his technology and photography articles can be accessed through his Web site, http://www.kashilaw.com.