When people talk about hacking and social networks, they're not referring to the common definition of hacking, which is using malicious code or backdoors in computer networks to damage systems or steal proprietary information. Hacking into social networks requires very little technical skill. It's much more of a psychological game -- using information on personal profiles to win a complete stranger's trust.
This second type of hacking is called social engineering. Social engineering uses persuasive psychological techniques to exploit the weakest link in the information security system: people [source: SearchSecurity.com]. Examples of social engineering scams could be:
- Calling a systems administrator posing as an angry executive who forgot his password and needs to access his computer immediately.
- Posing as a bank employee and calling a customer to ask for his credit card number.
- Pretending to lose your key card and kindly asking an employee to let you into the office.
When creating a profile page on a social network, many people fail to consider the possible security risks. The more personal and professional information you include on your public profile, the easier it is for a hacker to exploit that information to gain your trust.
Let's say you're an engineer and you blog about one of your current projects on your Facebook page. A hacker can use that information to pose as an employee from that company. He has your name and your position in the company, so you're liable to trust him. Now he can try to get a password out of you or proprietary information that he can sell to your competitors.
The security advantage of most online social networks is that only your "friends" or members of your network can see your complete profile. That's only effective if you're extremely selective about whom you include in your network. If you accept invitations from absolutely everyone, one of those people may potentially be a hacker.
The problem with online social networks is that they have no built-in authentication system to verify that someone is indeed who they say they are [source: OnLamp.com]. A hacker can create a free profile on a site like LinkedIn, designing his profile to match perfectly with the business interests of his target. If the target accepts the hacker as a connection, then the hacker suddenly has access to information on all of the target's other connections. With all that information, it's possible to construct an elaborate identity theft scam.
To fight back against social engineering, the key is awareness [source: SecurityFocus.com]. If you know that social engineering hackers exist, you'll be more careful about what you post on your online profiles. And if you're familiar with common social engineering scams, you'll recognize a con when it's happening instead of when it's too late.
On the next page, we'll talk about social-networking sites for information technology professionals.