Three Big Lessons from Social Media and Online Security in 2012


As 2012 draws to a close, it’s a good time to look back and take stock of what we’ve learned over the past year in terms of online security and social media.

The past year has been an exciting one in social media and online security. Pinterest came on strong and turned social media on its head by introducing a new paradigm, one that sent social media marketers scrambling to capitalize on it, competitors to learn from and copy it, and attackers to find new targets with it. Attackers continued their quest to hijack social media accounts en masse and use them to send spam links and malware to trusting followers. And the growing use of non-Windows personal computers (PCs) to access the Internet has led attackers to diversify their attack toolkits to include these devices in the family of at-risk systems connected to the Internet.

But while attackers have stepped up and adapted their attacks in the past year, defenders haven’t sat idle. Social media platforms have increased their security and security companies have moved to meet and thwart criminals on these new platforms. It’s been a big, exciting and dangerous year, but we can end on a positive note knowing that with some care and thought, we can continue to use social media safely.

Let’s take a look at three of the most notable trends in online security and social media in the past year, and how the industry has met these challenges.

1. Social Media is still open to disruptive, new technologies that can introduce unknown security and privacy risks: After a couple of years that have seen Twitter and Facebook become a near de facto duopoly in social media, Pinterest showed that social media isn’t “done” or static. By focusing on static images rather than text or even video, Pinterest showed there are other ways to share and be social. The uptake around Pinterest was unprecedented and quickly catapulted what was essentially a startup platform into the mainstream in a matter of months. As is often the case with disruptive new technologies, the demand and use outstripped the rudimentary security and privacy controls, and bad guys quickly found ways to bring their tried and true tactics to bear. Boards started to appear as lures for online phishing and fraud scams. Meanwhile, malware and adware authors saw a public hungry for Android apps that hadn’t been released yet, and filled the gap with their own malicious apps.

Fortunately, Pinterest moved to close the app gap by releasing their own official app, and at the same time security companies fine-tuned their antivirus and anti-malware offerings to detect these malicious Android apps. Protections against Pinterest-based online scams also came quickly, in many cases facilitated by the fact that security companies already had protections against the malicious sites these Pinterest lure boards directed users to. As we close 2012, Pinterest is still lagging behind mature platforms like Facebook in terms of security features and controls. But the initial explosion of malicious activity we saw in the spring has subsided, and Pinterest has become one of many platforms that have dangers, but also good overall protections.

The lesson, though, is clear: early adopters of disruptive technologies need to be aware that new technologies open new, unknown (and sometimes unknowable) risks and should hedge their bets accordingly. Social media marketers shouldn’t opt out of new technologies wholesale, but should wade in carefully and be willing to accept the risk that they could lose control of their new social media site to some form of malicious activity.

2. Account hijackings continue to be a problem and are increasing in their impact and ramifications: Account hijacking is nothing new: hijackings of individual accounts have been around as long as users have had accounts. And within the industry, since about 2007, we’ve seen concerted efforts by hackers and spammers to compromise accounts in bulk. But 2012 saw a major increase in bulk account compromises targeting major online social media platforms. As I mentioned in my July column, What to Do about Passwords: 5 Tips for Password Management in a Social Media World, millions of accounts on social media platforms such as LinkedIn, Last.fm, Formspring and Yahoo! were compromised. Since then, Skype also disclosed a major vulnerability (since fixed) that could be used to hijack accounts. Clearly, we’ve entered a phase where attackers have stepped up their hijacking attacks and are succeeding in harvesting credentials and accounts in unprecedented quantities.

Fortunately, the industry has been moving in the right direction to help address this problem. Major platforms such as Google, Facebook and even Yahoo have been introducing improved account protections in the form of two-factor verification. Many of them have also significantly enhanced their account recovery options to help you regain control more quickly in the event of a hijacking. Unfortunately, the move is still a work in progress and not all social media platforms have these capabilities. Twitter, Microsoft and Pinterest, for instance, still don’t offer two-factor verification. But the trend is clear, and we can expect to see others follow their lead in the continuing fight against account hijackings.

The lesson for social media marketers is clear though: you should explore and fully utilize all account protection and recovery options that are made available. And, as I outlined in my June column, Recovering from the Worst: What to Do When Your Social Media Channel is Hijacked, you should have a plan in place to recover should this happen to you.

3. The “post-PC” era is upon us, at least from the attackers’ point of view: Odds are that in 2006 you did most of your social media work on a PC running Microsoft Windows. Odds are equally strong that you had some kind of antivirus/anti-malware package running to help keep you safe. If you used a Mac, you probably didn’t run antivirus. And if you were a true early adopter and were using an early smartphone, you couldn’t run antivirus even if you wanted to. But that was (generally) OK: viruses and malware weren’t much of a problem outside of PCs then.

Things have changed in 2012, with iPhones, iPads, Kindles, Android phones and even Macs in greater use than ever. In particular, the marriage of mobile devices with social media may be as natural and fruitful as peanut butter and chocolate in Reese’s Peanut Butter Cups.

But attackers are like ants and go where the food is (or in this case, where the victims are). With a clear move away from Windows-centric computing in 2012, attackers are following the users and adapting their attacks to the reality of a so-called “post-PC world”. In smartphones and tablets, Android has become a truly viable target, with over 175,000 pieces of malware identified on the platform now. And the Mac, long (wrongly) thought to be immune to attacks, witnessed its first notable, large-scale attack, with the Flashback malware compromising over 600,000 Macs worldwide.

The lesson from 2012 here is clear: any device that connects to the Internet is a potentially viable target and so should have some kind of security software on it, where possible. iOS devices (iPhones and iPads) are in a unique situation in this regard: Apple currently won’t approve antivirus/anti-malware apps for their platform, choosing instead to try and protect users themselves through very aggressive policing of what apps can be installed on those devices. We’ll see if that succeeds: so far it has, but I have my doubts and it may not in the future. Either way, the guidance remains the same: run security software on all your devices where you can, including iPads and iPhones should that become available.

Looking ahead to 2013, we can expect these trends to continue, and new ones to develop as new devices and new social media platforms evolve. And while new things always have inherent risk, 2012 shows it’s not unmanageable risk. You can intelligently be an early adopter and be safe. Part of the trick is to keep on top of what threats are developing and understand what you can do to mitigate them. On my end, I’ll continue my work here to help you understand what you can do to be a leading-edge but safe social marketer.

Christopher Budd
This monthly Social Media & Online Security column is contributed by Christopher Budd. Christopher works for Trend Micro, an Internet security company, and is an expert on communications, online security, and privacy. Christopher combines a former career as an Internet security engineer with his current career in communications to help people bridge the gap between the technical and communications realms and “make awful news just bad.” Before Trend Micro, he worked as an independent communications consultant and, prior to that, as a ten-year veteran of the security response group at the Microsoft Corporation.

@ChristopherBudd

Communications professional focused on online security/privacy, technology, social media and crisis communications. Also, volunteer firefighter trainee.

Comments

  1. says

    Excellent points on all counts Christopher. URL shorteners, while valuable as a tracking and split testing tool for us Internet marketers, for users who can’t see what is on the other side until the click, it poses a risk. Since those you fan/follow/circle can get compromised, you can’t trust links from even trusted sources which is where protection comes in as virtually no one is going to stop using these social networks due to security concerns, nor should they as you state. For Apple mobile users, risks can come from more than just apps from the apps store so security software should be used to minimize risks. I have seen a lot of Facebook hacks which can come from a friend of a friend, like a thief in the night. For business profiles, your advice on protection is dead on, and like insurance, sometimes it takes a realized loss from a compromised business account for the value of protection to become apparent, while at that point, the current situation = boat w/no paddle. Thanks for sharing.
