Date:11/01/2009 URL: http://www.thehindu.com/2009/01/11/stories/2009011154581000.htm
National

Social networking sites are vulnerable

Sruthi Krishnan

Accessing them through mobile phones can be a double jeopardy

Kiruba: Tomorrow's company outing looks doubtful. The tourist operator still hasn't managed to get diesel yet. Bummer. about 15 hours ago from web.

Kiruba: We woke up at 5.30 a.m. to get diesel only to find a mile-long queue! about 1 hour ago from web.

"Someone told me that a bunk in Kilpauk had diesel," says Kiruba Shankar, CEO of Business Blogging, a firm in Chennai, who is a regular user of Twitter, about the response he got for his 'Tweet.' On Twitter, a micro-blog, updates are answers to the question "What are you doing right now?", kept in check by a 140-character limit.

If Kiruba had checked Barack Obama's Twitter account on January 5, he would have been pleasantly surprised to know that if he participated in a survey on Obama, he would win $500 in gasoline (petrol).

It turned out that Twitter had come under attack. A 'dictionary method,' which tries common English words as passwords, was used to break the password of one of Twitter's staffers. The password "happiness" led an 18-year-old to gain administrative control, Wired magazine's blog reported. Soon, celebrity Twitter-users, including Obama and Britney Spears, found their accounts misbehaving.

As social networking sites such as Twitter are increasingly accessed through mobile phones, there is a double jeopardy, as both the site and your phone are vulnerable.

"Generally, mobile phones are not very secure. Combine that with rushed-to-market social networking services with poor security such as Twitter, and chances of losing data, identity theft, fraud go up exponentially," says Ramakrishnan Sundaram, Managing Director & Director of Operations at MPower Mobile, Inc, which operates a global mobile banking and payments network.

Citing a research paper of Google, '(Under)mining Privacy in Social Networks,' which will be presented at the Web 2.0 Security and Privacy 2009 meeting, Mr. Sundaram points to other vulnerabilities of social networking sites. If someone can merge your business profile details from a site such as LinkedIn and add them to your Orkut profile, they have details which you would not have intended them to know about.

As social networking sites are great repositories of personal information aggregated in one place, they are more attractive to attackers, says Mr. Sundaram, adding that they also tend to be less secure than banking websites. "With increasing e-commerce applications on social networking websites, they are going to be targeted more and more. Also, a big threat is the new aggregation tools that integrate accounts on multiple social networking websites. They allow identity thieves to get more information easily."

Phone security has not made many inroads. "The greater capabilities of today's smart phones are definitely making hacker attacks more possible," says Srinivasan Ramakrishnan, a manager with Google whose research interests include data privacy and security. "Internet access via WiFi is included as standard in recent years in most modern smart phones, and this can be quite a weak spot for attackers if not protected properly," he adds.

Trying to save on data carrier charges, people connect to open WiFi networks, he says, which can be dangerous if the wireless access point has "gone rogue," which means it is controlled by an attacker. Users should understand that "in reality these are not just phones, but small computers without the same level of protective features as larger devices and should be treated with sufficient caution."

There is not yet a huge market for security products on phones, says Mr. Srinivasan Ramakrishnan. "Meanwhile, leaving sensitive data on devices that you have little control over is generally a bad idea," he says. "Further, don't leave Bluetooth turned on to accept anonymous connection requests or leave WiFi turned on to latch on to unknown WiFi access points. The fewer chances there are for unknown people to connect to your device the safer you are. Using a simple phone without a data connection (i.e. GPRS, EDGE, 3G) is a very good way of being safe."

***

Tips for password safety

* Never give out data about yourself in a public forum which can compromise you. Things like your full date of birth, your mother's name, your place of birth and your phone number should ideally never be available in one place.
* Use different passwords for each service you use. Use strong meaningless passwords and use a password utility or even a notebook to note them down.
* Be aware of at least the basic technology of any service that you use.
* Never respond to requests for personal information from people you don't know. Never click on links in email unless you have very strong anti-virus filters. Never follow links in email to any banking or other important website - always enter your website URL yourself in the browser or select it from a bookmark.
