Cool as McCumber

July 20, 2010
Anti-social networking

My professional life takes me to some pretty cool places. I've got a great job. Some guys get to consult in Rome, Tokyo and Barcelona - big deal. My patch is the United States, and for some reason, neither techies in Ka'apalua on Maui nor CIOs in Miami seem to need cyber security help. Just this year, I managed to be in Minneapolis for the first arctic freeze and snowstorm of the season. I wandered into in Madison, Wisconsin, in time to marvel at the ice fishing shanties on Lake Monona, and was stuck at O'Hare overnight due to a freak storm. I am now planning my first-ever visit to Deadwood, South Dakota. You jealous yet?

My most recent highlight was a speaking event in Charleston, West Virginia. Lucky me. Hey, I'm not down on West Virginia like those late-night comedians. I grew up in a gritty industrial town, so I always feel at home at the breakfast diner graced by a portrait of Elvis, or the restaurant where bleu cheese dressing is considered exotic. Room service? Forget about it. However, I had been asked to speak on the topic of social networking threats. Apparently this gathering of eastern-state technologists felt this was a timely topic. What would I say to them?

My personal experience with social networking has been lackluster to say the least. Yes, I have a Facebook account, but I limit it to family only. It's bad enough I hear from weirdoes, creepy strangers, and stalkers on LinkedIn. It seems many people enjoy using social networking to give you a voyeur's peephole into their life. It's marvelous to pop open the app on your BlackBerry and find out that a relative feels it's time they got ready for bed, and another saying she's ready for her boyfriend to return from a trip followed by kissy-huggy hearts and lips symbols. Yech. Others feel you need to be aware of their upcoming dentist appointment, or the fact they just changed the oil in their truck.

There are also a variety of games that allow you to send endless overtures to your Facebook homies hoping they'll join in the fun. Unfortunately for them, I'm not fun. Someone once graciously sent me, unbidden, a cute baby calf they found wandering lost on their virtual farm. It was seeking a new home. A week later, I sent them a thank you note saying I had been enjoying veal all week. A macho Facebooker was considerate enough to hook me up with a hit man and a "secret" cache of weapons. I replied that I had taken advantage of the gifts to take out a contract on the stupid cat he always posts about. One generous relative sent me some gold coins to help me get started raising fish. I had my lawyer serve him with Breach of Contract papers when the gold coins in question were determined to be virtual. I'm waiting for him to pay up. I've already been secretly advised not to attend the family reunion this year.

I have recently been reading books about our founding fathers. Benjamin Franklin left his wife behind in Pennsylvania and lived for years at a time in Europe. He had to manage his marriage, home and business interests back in America by written correspondence with a system that would inject months of delay - if the recipient got them at all. In addition, he was engaged in writing evocative pleas for the recognition of a new nation to world leaders. His writing had import. Thomas Jefferson used to create encrypted messages simply as a mind game for his correspondents. One such letter took over two hundred fifty years to decode by trained cryptanalysts. Jefferson made words count; and we tell dozens of people about our underwear purchases. We are such losers.

Am I the only one whose underwhelmed with social networking? Sure, it's a boon to have communication with people who would not normally correspond, but I find it difficult to define the security-relevant issues beneath the overwhelming avalanche of banal minutiae. How can we debate privacy concerns among people who, with apparent relish, feel free to publicly expose the tiniest of life's details? It's best, then, to step back from the actual posts, tweets and blogs and look at the system itself.

The security problems inherent in social networking have more to do with the interconnected system we build that others may wish to exploit. We establish digital relationships and create a community of trust; however, that trust - the cornerstone of security - is what leaves us vulnerable. External actors may endeavor to either exfiltrate data we feel we are sharing only with trusted parties. They can take this information and use it for their gain. Others may choose to infiltrate that network and exploit the implied trust we have among family and friends.

Like digital con artists seeking to use our own trust relationships, these human threats seek to use our social networks for their gain. They may choose to work surreptitiously through hidden programs, or they may seek to hide behind a false identity.

We must be on the alert and use both technology - as it is available - and a keen awareness of the risks of social networking. As a minimum, we should each send a scammer a dozen lost baby calves to tend. That might slow them down.
John McCumber is a security and risk professional, and is the author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].