
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 24 Jun 2009
Facebook

I finally created a Facebook account, but not for any of the conventional reasons folks join social networks.

I worry about impersonation and reputational harm.

Perhaps I've been too long in the security business, but I began to consider how easy it would be for someone with malicious intent to create a social networking account for a targeted identity. For folks with considerable online "visibility", this isn't difficult at all. Let's assume I'm the target. All a miscreant needs is an email account to which the membership confirmation email for "Dave Piscitello" is sent. Once he confirms the account, he can populate it with personal information gathered from other sources: my personal page at SecuritySkeptic.com, bios at Core Competence, ICANN, and the conferences where I've given presentations all provide enough detail for a convincing deception, especially if the deception targets colleagues rather than family. Next, the miscreant begins building a social network. Since social network sites constantly suggest friends to add, this is trivial. As the miscreant grows the friends list, he can use my Facebook wall or the walls of my colleagues, family and friends to post abusive, insulting or libelous comments, lies or misinformation. He can intimate that I'm unhappy with my employer, my wife or my children. He can post photos that might be embarrassing, or, in a truly worst-case scenario, use the account for predatory purposes or to publish porn.

It's quite likely that someone who really knows me will eventually contact me using one of my legitimate email accounts or phone numbers to read me the riot act or fire me. At that point, however, my Facebook situation is no different from any web defacement attack. I've been victimized and I'll have to take action to recover from the incident: contact the social network operator, provide compelling evidence of the impersonation, and get the page removed. And as with all defacement attacks, my reputation is tarnished regardless. Not a pretty picture, is it?

There are too many social networks to join purely for defensive purposes. Perhaps having *one* that is truly mine is somewhat comforting. At the very least, perhaps I will create a social network identity that is sufficiently mine to repudiate claims that an impostor might make on other sites. Or perhaps I should open a chocolate cafe near a local Starbucks and get out of this business before the paranoids come to get me.

Archived at http://www.securityskeptic.com/arc20090601.htm#BlogID733 by Dave Piscitello