Cookie stealing, credential harvesting, and social engineering can lead to accounts being compromised. This can happen due to weak passwords, not reviewing privacy settings, and lack of overall security best practice
This article is focused on social media accounts, the risks involved, and security/privacy practices you can use to better protect your data. There are benefits to social media however, there are many risks that one must become aware of.
Is creating a social media profile a good idea?
The answer is yes! Let’s face it, most everyone wants to connect to their peers in one way or another. This is possible but there are considerations to security and privacy. This comes down to device settings, browser settings, and profile settings.
- Device settings-Disable location services, look at the publisher information, reviews, visit the website of the developer, watch out for Chinese and Russian-made applications as these are notorious for utilizing backdoors in their applications for which to insert trojans.
In addition, advanced persistent threat (APT) attacker groups hail from these countries making these applications even more risky. Do your research and don’t blindly download anything.
- Browser settings-Disabling trackers and 3rd party cookies will help to prevent potential intrusions into your account. When an attacker analyzes web traffic and captures cookies, they have a lot of power. The traffic you send to an email server (for example) can be captured and decrypted/analyzed with software such as Sslstrip or Wireshark.
Malicious activities can be executed with your session cookies and device information. Accounts can be logged in to, network traffic captured/replayed for man-in-the-middle attacks, or offline analysis, just to name a few.
Consider using a private browser like DuckDuckGo, which can be used as a browser or browser extension to Google Chrome (for example). This browser/extension doesn’t save trackers, cookies, or personal information, making it a great privacy option. I use it myself!
- Profile settings-Avoid making personal information public as this can make yourself a target. A good example is Linkedin; it is a site primarily made for career networking. However, it is also a watering hole for malicious foreign nationalists.
I can tell you first-hand I have been approached by suspicious-looking individuals who request to be a part of my network. Of course, I promptly blocked them and reviewed my resume and public profile for data that might be chum for the sharks 😉
You can have good control over your profiles but you must remain vigilant and check your settings regularly. Sometimes when the platform is updated, you won’t get a notification to review your security and privacy settings.
These device settings will often reset back to their defaults upon update to the server. Staying proactive and thorough is a good practice for checking your settings.
Social media best practice
Social media is an awesome platform for interacting with your friends and family. There are some well-known applications such as Linkedin that are professional networking sites. Even though social networking is fun to use, there are a plethora of insecurities.
By default, several social media sites don’t have the recommended security controls enabled. Yes, there may be some like recovery email or private profile enabled; but there are several more settings to review to lock down your profile.
Here are some things you can do to secure your social media account:
- Make your profile private not public.
This will ensure strangers can’t visit your page and see information about you that only friends/family should see. This includes but is not limited to likes/shares, photos, and postings.
In addition, an attacker can have more difficulty depending on the social media platform, to social engineer you because of the private profile.
An attacker may be forced to message you directly in which case you would make the sound decision to accept the message or block the user. It is always safe to stay cautious in this situation.
- Refrain from making numbers and addresses public
Don’t post birth dates, phone number, email addresses, or any current job information on the profile unless it is a private profile. This will help make social engineering a more difficult task for attackers.
- Disable Location services
This will help to prevent attackers from seeing your frequently visited locations including your home. Also, this can help to deter targeted ads sent to you which can contain even more malware! Enabling your location unnecessarily will juist give you more of a digital footprint and make you easy to attack.
- Enable two-factor authentication
Enabling 2FA will make it much harder for an attacker to access your account. Getting a hold of your account and authentication device is difficult but not impossible. Unfortunately, there is so much you can do to prevent cyber incidents.
There will always be someone more skilled than you and can, eventually get around the security countermeasures you put in place. You must remain vigilant on your devices and constantly practice good security and privacy to be safe on the net.
What are the risks of insecure social media profiles or devices?
Failing to sanitize your social media profiles can have detrimental effects on your digital footprint, social life, personal life, and possible financial situation.
For example, a malicious user can social engineer your social media page and gather birth dates, phone numbers, email addresses, and liked content like music/video artists or games and movies.
All of this info can be used to create a ‘profile’ of you as a specific target. Spending time researching and engineering a target can ensure success at spear-phishing them or worse.
Anything with numbers, especially birth dates and phone numbers can contribute to an attackers’ word list. These are lists comprised of gathered words specific to a victim or words from the dictionary. The word list is then used alongside a password-cracking tool like Hydra.
Are there risks to mobile devices?
Yes there are absolutely!
Most mobile devices are designed with Linux OS kernels; and with that, almost all attacks can be performed against Linux hosts. So what does that tell you? NO device is 100% safe.
The risks involved are very similar to PC hosts. There are some security risks unique to mobile devices such as applications from app stores. A user shouldn’t download apps from an app store that’s not legit.
This means app stores such as
- Feral apps
are full of malicious downloads that aren’t verified by any trusted application association. That being said, these are among the ‘not-recommended’ application stores.
Opt for the AppStore (for Apple OS) and Google Play store (for Android OS) for maximum safety. In addition, Samsung puts out a decent app store as well. With any of these, however, it is extremely important to note several details BEFORE downloading an application.
- Reading the reviews and star rating-They may indicate app store abuse, virus spreading, or other security concerns
- Reviewing the developer’s contact information and country of origin-This can be helpful in determining the legitimacy of the application. For example, if the app doesn’t have contact information then it probably isn’t; ’t a legitimate app.
- Review the permissions that the app requires or may ask for-The app permissions should match the utility of the app. For example, a calculator app should require hardly any permissions, but if it asks for or requires your camera, location, or contacts, this should be raising flags with you.
Also, be mindful of the app you are wanting to download and why. If you need a wifi analyzer application keep in mind what information you are allowing that app to have access to. You can also deny/allow apps certain permissions in your device settings.
Upon further examination of the application, one should research the developer. Researching the developer of the application can tell you a lot about what the app is about and the country of origin. Like I have mentioned in previous articles, one should avoid downloading apps from China, Iran, Russia, Iran, and North Korean origin.
Applications/developers from these countries pose risks relating to spyware, adware, and other malware propagating on your mobile devices. This poses a risk especially high for users that are employed by the U.S. government.
Examples of apps and developers to avoid are (but not limited to):
- Mobile Legends
- Mafia City
- ByteDance (Developer)
- Cafe Bazaar (Developer)
- TGBS CO. (Developer)
- Kaspersky Internet Security (Developer)
To summarize this article, social media and applications are awesome but there are several security concerns that must not be ignored. The developer information of apps, permissions of apps, browser settings, location data, and data shared on social media.
Exercising and practicing good overall cybersecurity best practices will decrease the risk of attack, make networking safer, and help to minimize account/identity theft. Be sure to constantly check for updates to your devices as well!