Looking at the specific nature of the attacks, this seems like more than FUD. It is something to be taken seriously, given the deep penetration of these sites in the business world. But don't be spooked by headlines suggesting this threat is something new. It has existed since the day these programs went live.
Social networking is increasingly part of our daily lives. For some, it's as natural as breathing. People post status updates to their Facebook pages from their mobile phones (my dopey but lovable cousin likes to do this while driving to work at rush hour). The line between real business and personal business is mushy and deteriorating. This makes it a tempting target for those who would exploit security holes in the technology. That's especially true when it comes to social engineering attacks -- where the bad guy sends out what appear to be legitimate messages from legitimate contacts, duping people into opening messages and URLs that are laced with malicious code.
My use of these programs shows how the line between the personal and professional has blurred.
I use LinkedIn exclusively for business. I use it to build my base of contacts in the security world and it has become an online Rolodex of sorts. When I'm looking for people to interview for something I'm writing or I want to assign guest columns, I reach out to people on LinkedIn. From there, I set up phone interviews or go back and forth by e-mail for those who are more strapped for time. It has become what the old-fashioned phonebook and Rolodex were to me 15 years ago, when my journalism career began.
I use Twitter to make quick contact with my security sources and to ask general questions of those in my network. But it often becomes a place where we just chat about everyday life, TV shows and the weather. The casual nature of it makes Twitter a particularly easy target, as we saw with the recent Twitter incidents.
Then there's Facebook, the grayest program of all for me. Most of my security contacts are on there and I often use it to get a business-related message out. I also use it to display all the content I create for CSOonline, as do many of my colleagues and industry associates.
But Facebook has mostly become a place to reconnect with former classmates, long-lost friends and family members. One week a bunch of former college-mates came out of the woodwork. Then it was everyone I worked with earlier in my career. Then everyone I went to high school with materialized, followed by people I went to grammar school with. Meantime, one family member after another signed up, and now we connect through Facebook more than we ever did by phone. (That's especially the case for me. I was never particularly good at keeping up with family by phone, but I zip them Facebook messages much more often.)
With all of this cross-activity, I have to stay sharp in case some hacker sends me a message claiming to be an old classmate or a PR person with a security story to pitch. Sometimes we click on URLs without giving it a second thought. But in the virtual world, we can't do that anymore. The dangers are too great.
Some PR folks will see this as an opportunity to barrage me with e-mails whenever there's a way to work Twitter, Facebook or LinkedIn into a scary pitch. They shouldn't bother.
My view is that social networking sites have always been at risk. The recent Twitter headlines make this look like something new but it isn't. So PR pitches on this will likely leave me cold.
That said, social networkers need to take care when wandering around these sites and run away whenever someone on these sites asks for their credit card number or any other personal information.
Think of it this way: The virtual world has more or less fused with the real world. If you are on Facebook, you are visiting real neighborhoods and traveling real highways.
One must be as careful navigating these places as one would be venturing down a dark alley at night.
About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to email@example.com.