This is a nice story that’s set the world talking. What about? First, about us living in a small and highly interconnected (virtual) world. Second, about today’s ant hill being tomorrow’s Everest.
For me, this story started not long ago. In March 2011, a piece of news that aimed, at most, to steal a smile off the lips of those concerned with the BIG issues of humanity’s data security sprouted merrily and had its brief moment. This was the story of an Australian MP’s staff member who got approval to use her work computer to play a particular Facebook game, described as her “[…] version of doodling, a mental chewing gum of sorts.”
Funny, right? Believers in the theory of employee empowerment (myself included) will jump for joy at the thought of workers around the world being able to free themselves from the chains of automatic and repetitive work by having some fun now and then (or, at least, by doing something that will ease their strained nerves). You may argue that we’re a very, very far cry from the dreary factory worker’s condition that Simone Weil described in her essay Expérience de la vie d’usine (Marseille, 1941-1942), and that this game-playing request might just be a whim. I grant you that. My interest here is of a different nature: does the employee in question have the knowledge and skills to prevent and counter the data security risks this practice can create?
Before I hear you calling me a “traitor of the hard (over-worked) worker’s cause”, take a look at this other piece of news here. Nothing is “officially” 100% confirmed, but the message is pretty clear: playing social games through the Facebook platform on government or on any other organization’s computers can be dangerous.
The article points to a phishing toolbar as the possible cause of this incident. What else can cause this type of mishap?
Cybercriminals target social networking hubs because of the millions of contacts, e-mail addresses, pictures, and other sensitive data they may contain. When social network members install applications in their accounts, they grant various Permissions which allow the app creators to access parts of their private data.
From that point on, this data can be transferred from the social network’s cloud to a third party’s private cloud, where it can be stolen very easily.
Details such as a user’s list of friends (made available through the “Access my basic info” permission) can be easily exploited by attackers. A potential intruder could gather data on the size of the organization, its hierarchy, employees’ work expertise and IT&C savvy, etc. This information might pinpoint the most vulnerable employee, who could later be tricked into revealing even more sensitive data that provides a backdoor into the organization’s network. Moreover, once a malicious application has been granted permission to access a user’s Newsfeed, the cybercriminals behind the app can monitor what the user does (e.g. which games he/she plays the most) and deliver tricky messages (i.e. various phishing baits) at the right moment. In fact, timing is crucial in such targeted attacks.
In the case of social games, security risks appear when users seek game bonuses or cheats and end up liking unknown pages, sharing and posting messages advertising the fake bonus/cheat granting scheme, and, sometimes, taking a survey or downloading a credits/bonus generator.
Each of these operations has its security price. Liking an unknown page means subscribing to all sorts of e-troubles that may originate from it – malware and phishing included. Sharing the scam ensures its success, as the user’s friends get into the loop as well. Surveys, even when they’re not just a decoy, waste the user’s time. Bonus-themed scams that include a “copy and paste this code into your browser” step are likely to result in session hijacking and in the victim’s account being plastered with automatic messages encouraging others to click and enhance their chances in the game.
In a wilder, riskier scenario, the social game fan starts looking for tips and tricks to improve his or her results outside the platform. In the example below (screenshot of a recent message and link posted on pastebin), the user is supposedly going to find out how to win all Facebook games.
This link actually leads to a fake survey page. Taking these surveys is a waste of time at best. At worst, and not uncommonly, it’s a sure way to other shady sites that help spread malicious code.
This puts things into a whole new perspective, doesn’t it?
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.