Social Media Cyberhealth

We live our entire lives on our devices. They have become an extension of us, and without them life gets noticeably more inconvenient. We keep passwords, banking information, addresses, loved ones’ information, medical information, a sea of information, on these tiny computers. Most people don’t think about what could be done if an attacker gained access to the information on their phones, and the same is true of social media users and their accounts. The past five years have been filled with legal troubles for major social media organizations, ranging from poor data protection and gross misuse to under-secured platforms with limited user protections. Everyone should understand the dangers of having too much information on social media, as it can be used against you in multiple malicious ways.


The most influential media platforms have varying degrees of cybersecurity maturity, but the one currently under the most scrutiny is:


Twitter


Recently, Twitter has had an egregious relationship with cybersecurity. It is publicly known to have little to no separation between confidential user data and the developers and administrators working within the company. With the whistleblowing of Pieter “Mudge” Zatko, several serious security concerns have surfaced, ranging from internal abuse to foreign influence. The list of these issues is as follows:

  • Twitter is riddled with security vulnerabilities stemming from the fact that the company allows employees to work directly on Twitter’s live product and interact with actual user data. Normally, developers must use dummy data for coding and testing, all in specialized sandboxes that do not interact with the main products consumers use.

  • Zatko learned of several incidents where employees had deliberately installed spyware on their computers.

  • The company has approximately one security incident per week.

  • Twitter does not delete users’ data after they cancel their accounts, and it has misled regulators about whether it deletes the data as it is required to do.

  • Twitter does not know how many bots there may be on the platform, and executives choose not to find out because the answer may harm the company’s reputation and valuation.

  • More than half of Twitter’s 500,000 servers run outdated software and lack basic security standards.

  • Twitter is vulnerable to foreign exploitation. Foreign governments that gain access to the company could harm U.S. national security. Zatko alleges that Twitter’s current CEO proposed making concessions to Russia, that the company has taken money from Chinese sources, and that it has shared information that could potentially identify Chinese Twitter users who accessed the platform despite government censorship.

  • Twitter is violating the terms of an 11-year-old settlement with the Federal Trade Commission. Zatko claims Twitter misled regulators about its handling of user data and claimed to have a robust cybersecurity plan.


All of these claims were made in August 2022, while Twitter was battling Elon Musk in court over his attempt to back out of a $44 billion contract to buy the platform. As we all know, he lost and has since assumed control of the platform, but unfortunately this trend of negligence has continued, if not worsened, under his ownership. As recently as this month, the platform has suffered:


  • Multiple top security officials, including the chief security officer, chief privacy officer, chief compliance officer, and head of trust and safety, were dismissed from or left the company. This raises serious questions about the company’s ability to fend off attackers.

  • Musk’s decision to monetize verification led to an uptick in fraudulent user accounts. While many of these accounts were not very influential, there is the fear of malicious actors impersonating vital communication channels such as emergency service or political accounts. One such case was a fake McDonald’s Twitter account created to distribute malware.

  • Enhanced connections (allegedly) with China and Russia, two of the U.S.’s top adversaries, as Musk has relationships with both for sales and production. The concern is whether foreign investors would have access to user data.

  • The intention to open Twitter’s algorithm to the public (exposing code to the world also exposes potential vulnerabilities that could be exploited).


Instagram is a social media app owned and operated by Facebook. Facebook’s CEO and founder, Mark Zuckerberg, was ordered to appear before Congress in 2018 regarding user data privacy issues and allegations of foreign collusion in the 2016 presidential election, a clear attempt by the legislative branch to crack down on tech companies’ freedom.


Since then, both platforms have made a point of providing individuals with plain information on how to secure their accounts, though of course neither platform is perfect (especially given the number of phishing messages most users can say they’ve received).


Instagram


Instagram’s cybersecurity practices are more user-based, as the platform makes a point of informing users of the security practices they can use to protect their accounts from common phishing attacks and stolen credentials. Instagram advises its users to:

  • Pick a strong password. Use a combination of at least six numbers, letters, and special characters, while also avoiding repetition.

  • Change your password regularly, especially if you see a message from Instagram asking you to do so. During automated security checks, Instagram sometimes recovers login information stolen from other sites.

  • Turn on two-factor authentication for additional security.

  • Make sure your email account is secure. Anyone who can read your email can probably also access your Instagram account. Change the passwords for all of your email accounts and make sure that no two are the same.

  • Download your data. You can keep a backup of your data by requesting a copy of everything you’ve shared on Instagram in a machine-readable HTML or JSON format. 

  • Log out of Instagram when you use a computer or phone you share with other people. Do not check the “Remember me” box when logging in from a public computer, as this will keep you logged in even after you close the browser.

  • Never give your password to someone you don’t know and trust.

  • Think about the validity and necessity of any third-party app before authorizing it to access your Instagram account.


Facebook


Facebook has one of the most promising sets of cybersecurity practices covered in this article: it has mapped out every aspect of the steps it takes to make its platform a safe and private place for its users. It implements these safeguards via the following procedures:

  • Physical and Environmental Security: Facebook’s security measures will include controls designed to provide reasonable assurance that physical access to Facebook data centers is limited to authorized persons and that environmental controls are established to detect, prevent, and control destruction due to environmental hazards. The controls will include:

    • Logging and auditing of physical access to the data center by employees and contractors

    • Camera surveillance systems at the data center

    • Systems that monitor and control the temperature and humidity of the computer equipment at the data center

    • Power supply and backup generators at the data center

    • Procedures for secure deletion and disposal of data, subject to the Applicable Product Terms

    • Protocols requiring ID cards for entry to all Facebook facilities for all personnel working on the Applicable Products

  • Personnel

    • Training: Facebook will ensure that all personnel with access to Covered Data undergo security training.

    • Screening and Background Checks: Facebook will have a process for:

      • Verifying the identity of the personnel with access to Covered Data

      • Performing background checks, where legally permissible, on personnel working on or supporting aspects pertaining to the Applicable Products, per Facebook standards.

    • Personnel Security Breach: Facebook will take disciplinary action in the event of unauthorized access to Covered Data by Facebook personnel, including, where legally permissible, punishments up to and including termination.

  • Security Testing: Facebook will perform regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.

  • Access Control

    • Password Management: Facebook has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual and inaccessible to unauthorized persons, including at a minimum:

      • Password provisioning, including procedures designed to verify the identity of the user prior to issuing a new, replacement, or temporary password

      • Cryptographically protecting passwords when stored in computer systems or in transit over the network

      • Altering default passwords from vendors

      • Strong passwords relative to their intended use

      • Education on good password practices

    • Access Management: Facebook will also control and monitor its personnel’s access to its systems using the following:

      • Established procedures for changing and revoking access rights and user IDs, without undue delay

      • Established procedures for reporting and revoking compromised access credentials

      • Maintaining appropriate security logs, including, where applicable, user ID and timestamp

      • Synchronizing clocks with NTP

      • Logging the following minimum user access management events:

        1. Authorization changes

        2. Failed and successful authentication and access attempts

        3. Read and write operations

  • Communications Security

    • Network Security

      • Facebook will employ technology that is consistent with industry standards for network segregation

      • Remote network access to Facebook systems will require encrypted communication via secured protocols and use of multi-factor authentication

    • Protection of Data in Transit

      • Facebook will enforce use of appropriate protocols designed to protect the confidentiality of data in transit over public networks

  • Vulnerability Management: Facebook has instituted and will maintain a vulnerability management program covering the Applicable Products that includes definitions of roles and responsibilities for vulnerability monitoring, vulnerability risk assessment, and patch deployment.

  • Security Incident Management

    • Security Incident Response: Facebook will maintain a security incident response plan for monitoring, detecting, and handling possible security incidents affecting Covered Data. The security incident response plan at least includes definitions of roles and responsibilities, communication, and post-mortem reviews, including root cause analysis and remediation plans.

    • Monitoring: Facebook will monitor for any security breaches and malicious activity affecting Covered Data.

Snapchat


Snapchat poses quite a few worries for the security of its users’ data, even though the entire platform is centered around being a somewhat secretive and private app, with features like “My Eyes Only” and disappearing messages between users. Here are some of the main concerns for the app should a cyber attack come to fruition:

  • The true nature of the “disappearing” messages: According to forensic experts cited by Forbes, these messages can be recovered with the proper reverse engineering tactics, leaving sent and deleted photos, videos, and chats open to unauthorized access even after they have disappeared from the app. Founder Evan Spiegel has been asked about this vulnerability, and his response was essentially, “there will always be ways to reverse engineer technology products, but that spoils the fun!” A very lax response to a potentially catastrophic user privacy issue.

  • There is end-to-end encryption on the network, but it only applies to snaps (picture and video messages), while individual and group chats remain unprotected in that respect.

  • Memories on Snapchat are a place where users can store pictures and videos from their entire Snapchat history, serving as small digital time capsules for those who choose to utilize the feature. Still, because they are stored on Snapchat’s servers, these memories could be exposed in the event of a cyber attack.

  • The use of the Snap Map is a large concern and an issue of personal safety for the user. Allowing your friends and followers to view your location at any time could pose serious problems, especially if you are not aware of who could be watching it. It is recommended to set your profile to Ghost Mode in the app to disable real-time tracking of your location.

Snapchat has implemented quite a few privacy settings to ease users’ minds about the use of the app and to protect the user privacy that must exist for any social media application to thrive. They are as follows:

  • Protection of your phone number: Snapchat settings allow you to toggle whether or not other users can find your Snapchat account using your mobile number. If you are concerned about privacy, you should turn this feature off.

  • Don't Share your Location: this one is self-explanatory, definitely say no to sharing your location with Snap Maps when prompted.

  • Enable Two-Factor Authentication: this requires a piece of information besides your password to log in to your Snapchat account. If you try to log in from a new device, you will receive a code via text message that you use to verify your identity. Adding this additional step of authentication makes it more difficult for someone to access your account if your password is cracked.

  • Use My Eyes Only: If you have certain photos or videos stored in your Memories that you would rather keep private, you can move them to “My Eyes Only.” This requires you to enter a passcode before viewing any of this content.

  • Only Let Friends Contact You: Snapchat lets you control who can contact you, either your friends or everyone. Only allowing your friends to contact you minimizes the potential for things like harassment or cyberbullying by giving you the ability to prevent these people from contacting you.

  • Control Who Can See Your Stories: You can choose to allow everyone, only your friends, or a custom list of people to view your story.

  • Hide Yourself in “Quick Add”: You may show up in another Snapchatter’s Quick Add if you share a mutual friend or another connection. Allowing just anyone to follow you could pose problems, like unsolicited messages or phishing scams.

  • Don’t Add Random Users: If you don’t know who a person is who adds you as a friend, you should not add them. These accounts are often spammers or could send you phishing attacks. If you add these people, they may be able to view your story or your location on the Snap Map.

TikTok


TikTok, the motherlode in the discussion of data privacy and national security, is last on our list, and it raises some of the more recent and pressing issues of which not only users but the United States government have accused the application. The accusations at hand are the collection and sharing of American user data with the CCP (Chinese Communist Party) to surveil American citizens and gain a greater advantage over the United States. We know there has been conflict between China and the U.S. for decades, as Cold War tensions continue to shape the biases and expectations each country holds about the other. This is exacerbated by the Chinese app TikTok becoming one of the most widely used applications in the world; with close to a billion users, it is a minefield for potential illegal use of private data. These are just a few of the issues government officials and cybersecurity professionals are worried about:


  • Collection of PII and User Data: The data TikTok collects from users contains sensitive information and is often taken without the user’s explicit knowledge. This data includes device brand and model, mobile carrier, browsing history, app and file names and types, keystroke patterns or rhythms, wireless connections, and geolocation. Its Privacy Policy also states that it collects age, image, personal contacts, relationship status, preferences, and other data obtained through the single sign-on that lets users sign in to TikTok from other platforms. If you think all of this is intrusive, it gets much deeper.

    • TikTok has faced multiple lawsuits alleging they collect biometric data from users, including facial geometry, iris scans, voice recognition, and fingerprints. Unlike the other data being collected, biometrics represent the physical user and are therefore of high national intelligence value.  

  • Violations of COPPA: TikTok collects data from all age groups and, in doing so, regularly violates the Children’s Online Privacy Protection Rule of 1998. This piece of legislation places responsibility on the developers of child-focused apps and holds them accountable for access to the PII of children under 13 years old without parental consent.

  • Censorship: According to leaked documents, the company instructs its moderators to remove any undesirable content pertaining to topics sensitive to the Chinese Communist Party (CCP).

This is the only social media platform on this list whose concerns do not boil down solely to malicious attackers, but to national security itself. Far too much about the inner workings of TikTok is unknown to decision-makers and cybersecurity officials alike, making TikTok an app many should be wary of using if they have worries about being surveilled.



Sources:

https://www.politico.com/news/2022/11/11/elon-musks-twitter-cybersecurity-hackers-verification-00066502

https://www.securitymagazine.com/articles/98228-twitter-lacks-cybersecurity-and-data-privacy-best-practices-says-ex-security-chief

https://www.facebook.com/legal/terms/data_security_terms

https://www.cnbc.com/2018/04/11/facebook-ceo-mark-zuckerberg-testimony-key-points.html

https://cvgstrategy.com/fbi-expresses-concerns-about-tiktok-user-data/

https://www.cisecurity.org/insights/blog/why-tiktok-is-the-latest-security-threat

http://choosetoencrypt.com/privacy/is-snapchat-privacy-friendly/

https://help.instagram.com/369001149843369

https://www.nbcnews.com/tech/security/safe-use-twitter-security-fears-rise-elon-musk-drives-staff-rcna56864
