Friday, 13 September 2013

Staking a Claim in Social Media

This week I had a call from a lawyer who said that social media accounts in the name of one of their clients had been created and were being used for malicious purposes.  They wanted to know what they could do about it.

When deploying security controls we need to consider prevention, detection and response, and this case is no different.

Prevention.

There are a significant number of people - many of them in very senior roles - who wear as a badge of honour that they don't have any social media accounts.  Saying "I don't understand this new-fangled social media" may sound reasonable today, but 100 years ago the same people would have been saying "I don't understand this new-fangled electricity", and then gone on to sink their fortunes into steam power.

I'm not suggesting that everyone become Facebook addicts.  However, I am definitely recommending that all companies and anyone with a senior role go out and register accounts on all of the major social media sites, as a prevention against anyone else doing it in their name.  There is no validation of who registers an account, and due to an interesting bootstrapping problem it really is impossible for the social media providers to confirm identities.  Twitter's blue tick isn't the answer.

We did this with domain names a decade ago, and we have to do it all over again with social media now.

Detection.

Search for yourself on the search engine of your choice.  While it might be vanity, it also will allow you to determine if anyone else is pretending to be you.  Most of the major search engines allow you to set up alerts on new pages that they find with a given term, and you can use this as a detection mechanism against imposters.

This may be practical if you have a distinctive name, but is going to be quite difficult for the John Smiths of the world.  Even my name isn't unique in my own city, so getting in first and registering early becomes very important.

Response.

If and when someone does register a social media account in your name, there are a limited number of things that can be done about it.  It is always possible that they really do have the same name as you, and you got in late, in which case, unless they are committing fraud by pretending to be you specifically, you have no comeback.  Consult your lawyer on defamation laws in your jurisdiction as your only response.

Just like the domain squatters of the last decade, we now have social media squatters.  They can be dealt with in similar ways: (a) pay them what they ask to get the identity back; (b) raise a complaint with the social media provider; or (c) call the lawyers.  The difference here is that the social media providers are for-profit companies, rather than not-for-profit organisations, and they don't have the same social responsibilities.

Ironic, isn't it?

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com

Friday, 6 September 2013

Political Insecurity

Australia will be going to a national election in early September, and the only security that appears on the platform of any of the major parties is the political security that comes through a populist agenda, rather than a strong stand on securing the intellectual capital of the nation.

The Government’s job should be to set high level policy, and help us help ourselves, rather than try to protect us from every movie plot threat.  This is what I'd like to see on the next government's agenda.

#1.  Include cyber security in the education curriculum.  At the moment the only area of interest is cyber-bullying (“Won’t someone think of the children!”) but this isn’t enough, and is a misdirection of resources.  The problem is much bigger than that.

#2.  Make software vendors liable for the faults in their products.  If a car crashes because it wasn’t designed properly, the manufacturer gets sued.  If you lose your bank account because the software you use wasn’t designed properly, you lose and the manufacturer points to an EULA that says they aren’t liable.

#3.  Engage with the private sector.  We are better at practical and pragmatic security than they are.  So work with us instead of the military industrial complex, who only want to ramp up the cyberwar rhetoric to get even more money from the public purse.

Make your vote count.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com