As we depend on technology more and more, it’s a good idea to look back and take stock of what we’ve learned over the past years in terms of online security and social media.
The past year has been an exciting one in social media and online security. Pinterest came on strong to turn social media on its head by introducing a new paradigm that sent social media marketers scrambling to capitalize on it, competitors to learn from and copy it, and attackers to find new targets with it.
Attackers continued their quest to hijack social media accounts en masse and use them to send spam links and malware to trusting followers. And the growing use of non-Windows personal computers (PCs) to access the Internet has led attackers to diversify their attack toolkits to include these devices in the family of at-risk systems connected to the Internet.
But while attackers have stepped up and adapted their attacks in the past year, defenders haven’t sat idle. Social media platforms have increased their security and security companies have moved to meet and thwart criminals on these new platforms. It’s been a big, exciting, and dangerous year, but we can end on a positive note knowing that with some care and thought, we can continue to use social media safely. And yet, if we are aiming for social media content success, security is something we need to factor into our strategies.
Let’s take a look at three of the most notable trends in online security and social media in the past year, and how the industry has met these challenges.
1. Social media is still open to disruptive, new technologies that can introduce unknown security and privacy risks
After a couple of years that have seen Twitter and Facebook become a near de facto duopoly in social media, Pinterest showed that social media isn’t “done” or static. By focusing on static images rather than text or even video, Pinterest showed there are other ways to share and be social.
The uptake around Pinterest was unprecedented and quickly catapulted what was essentially a startup platform into the mainstream in a matter of months. As is often the case with disruptive new technologies, the demand and use outstripped the rudimentary security and privacy controls, and bad guys found ways to bring their tried and true tactics to bear quickly.
Boards started to appear as lures for online phishing and fraud scams. Meanwhile, malware and adware authors saw a public hungry for Android apps that hadn’t been released yet and filled the gap with their own malicious apps.
Fortunately, Pinterest moved to close the app gap by releasing its own official app, and at the same time, security companies fine-tuned their antivirus and anti-malware offerings to detect these malicious Android apps.
Protections against Pinterest-based online scams also came quickly, in many cases facilitated by the fact that security companies already had protections against the malicious sites these Pinterest lure boards directed users to. As we close 2012, Pinterest is still lagging behind mature platforms like Facebook in terms of security features and controls.
But the initial explosion of malicious activity we saw in the spring has subsided, and Pinterest has become one of many platforms that have dangers but also good overall protections.
The lesson, though, is clear: early adopters of disruptive technologies need to be aware that new technologies open new, unknown (and sometimes unknowable) risks and should hedge their bets accordingly.
Social media marketers shouldn’t opt out of new technologies wholesale but should wade in carefully and be willing to accept the risk that they could lose control of their new social media site to some form of malicious activity.
2. Account hijackings continue to be a problem and are increasing in their impact and ramifications
Account hijacking is nothing new: hijackings of individual accounts have been around as long as users have had accounts. And within the industry, since about 2007, we’ve seen concerted efforts by hackers and spammers to compromise accounts in bulk. But we saw a major increase in bulk account compromises targeting major online social media platforms.
Millions of accounts on social media platforms such as LinkedIn, Last.fm, Formspring, and Yahoo! were compromised. Since then, Skype also disclosed a major vulnerability (since fixed) that could be used to hijack accounts. Clearly, we’ve entered a phase where attackers have stepped up their hijacking attacks and are succeeding in harvesting credentials and accounts in unprecedented quantities.
Fortunately, the industry has been moving in the right direction to help address this problem. Major platforms such as Google, Facebook, and even Yahoo have been introducing improved account protections in the form of two-factor verification. Additionally, use a trusted ecommerce builder which takes security seriously.
Many of them have also significantly enhanced their account recovery options to help you regain control more quickly in the event of a hijacking. Unfortunately, the move is still a work in progress, and not all social media platforms have these capabilities. Twitter, Microsoft, and Pinterest, for instance, still don’t offer two-factor verification. But the trend is clear, and we can expect to see others follow their lead in the continuing fight against account hijackings.
The lesson for social media marketers is clear though: you should explore and fully utilize all account protection and recovery options that are made available. Also, make sure to read Hari Ravichandran’s book called “Intelligent Safety” to find more tips on keeping your (private) data secure.
3. The “post-PC” era is upon us, at least from the attackers’ point of view
Odds are that in 2006 you did most of your social media work on a PC running Microsoft Windows. Odds are equally strong that you had some kind of antivirus/anti-malware package running to help keep you safe.
If you used a Mac, you probably didn’t run antivirus. And if you were a true early adopter and were using an early smartphone, you couldn’t run antivirus even if you wanted to. But that was (generally) OK: viruses and malware weren’t much of a problem outside of PCs then.
Things have changed, with iPhones, iPads, Kindles, Android phones, and even Macs in greater use than ever. In particular, the marriage of mobile devices with social media may be as natural and fruitful as peanut butter and chocolate in Reese’s Peanut Butter Cups.
But attackers are like ants and go where the food is (or in this case, where the victims are). With a clear move away from Windows-centric computing, attackers are following the users and adapting their attacks to the reality of a so-called “post-PC world”. In smartphones and tablets, Android has become a truly viable target with over 175,000 pieces of malware identified on the platform now. And the Mac, long (wrongly) thought to be immune to attacks, witnessed its first notable, large-scale attack with the Flashback malware compromising over 600,000 Macs worldwide.
The lesson here is clear: any device that connects to the Internet is a potentially viable target and so should have some kind of security software on it, where possible. iOS devices (iPhones and iPads) are in a unique situation in this regard: Apple currently won’t approve antivirus/anti-malware apps for its platform, choosing instead to try to protect users itself through very aggressive policing of what apps can be installed on those devices.
We’ll see if that succeeds: so far it has, but I have my doubts and it may not in the future. Either way, the guidance remains the same: run security software on all your devices where you can, including iPads and iPhones should that become available.
Looking ahead, we can expect these trends to continue, and new ones to develop as new devices and new social media platforms evolve. And while new things always have inherent risks, these are not unmanageable risks.
You can intelligently be an early adopter and be safe. Part of the trick is to keep on top of what threats are developing and understand what you can do to mitigate them.