Businesses should ensure employees do not base system passwords on personal information because this is easily...
stolen from social media sites, according to security firm Imperva.
Safeguarding the passwords of privileged users of IT systems is something all businesses need to deal with, said Noa Bar-Yosef, Imperva’s senior security strategist.
"Businesses should not rely on social media sites for security; controls should be at source," she told Computer Weekly.
A study by Imperva revealed that hackers with a variety of different motives have developed a range of techniques for stealing information from social media sites such as Facebook.
"These sites are a treasure trove of valuable information for hackers. The problem is that few people recognise the fact that information should be regarded as sensitive," said Bar-Yosef.
This is illustrated by the fact that hacker Christopher Chaney was able to take advantage of the "forgot password" feature to break into several celebrity social media accounts.
Chaney admitted to authorities that he was able to answer the security questions using publicly accessible data to gain access to his celebrity victims' accounts.
Businesses need to be aware, said Bar-Yosef, that hackers for profit, social and political causes, competitors and nation states are all accessing information in social media and other online services.
This information goes far beyond what is accessible by users, she said, and includes geo-location data and chat logs, providing information about organisational structures and discussion topics.
The data also enables hackers to build detailed profiles of individuals that can be used either for extortion or for crafting highly plausible phishing e-mails or e-mails that carry data-stealing malware.
Imperva's researchers found that the main method hackers use to gain access to social media accounts is getting the password.
Passwords can be acquired using keystroke loggers, phishing e-mails and brute-force attacks in which the attacker uses automated methods to guess passwords.
A less common way of gaining access to social media accounts is to hack into an administrator account at the service provider.
This requires effort and is not as common as stealing passwords, but it is the "holy grail" of attacks as it provides the hacker with all the data that is inaccessible to users, said Bar-Yosef.
Other more sophisticated methods of breaking into social media and other online accounts include "data-slurping" applications and stealing "cookies" containing user credentials.
However, many of these tools are now becoming available on underground forums, lowering the barrier to entry and enabling just about any hacker to access this kind of data, said Bar-Yosef.
Businesses should also note that some hackers listen to Wi-Fi networks, and although Facebook has introduced encryption for all activities such as status updates, this is not enabled by default.
"If businesses allow employees to access social networks, they should ensure that all users enable the secure browsing option under account security settings," said Bar-Yosef.
In the light of these revelations, she said businesses should map all potentially sensitive data by understanding what hackers are looking for and ensure appropriate controls are put in place.
Businesses should also be able to detect malware not only of internal machines, but also on customer and partner machines that may be connecting to their networks, and be able to detect any anomalous activity on their networks to keep sensitive data safe.