Last week I presented a three-hour awareness workshop for a large university. When you live and breathe security on a daily basis, you quickly remember that what you take for granted as common knowledge is not so common. For me, it really hits home when you see the light bulbs click and people begin to realize just how dangerous it can be on the Internet.

One of the key topics we discussed was social networking sites and how to protect your information. When it comes to social networking, I teach people that there is ultimately no privacy, and that they should assume anything they post on a social networking site, regardless of privacy controls, will eventually be public information. Social networking sites are a marvelous tool if you want the world to know something, but terrible for keeping secrets. There are five reasons for this.
  1. Privacy controls can be confusing, especially when you start involving not only individuals but also groups. It is easy for people to make a mistake and accidentally share something they did not want to.
  2. Even if you figure out all the controls, they are probably going to change on you anyway. What you thought was protected or private information may all of a sudden become public.
  3. Most people trust too openly on social networking sites and often 'friend' individuals they have never met in person or barely know.
  4. Even if you know and trust everyone you have friended, what happens if one of their accounts gets hacked? Your privacy now depends on the security of your friends. The more friends you have, the more of an issue this can become.
  5. Third-party apps are a breeding ground for privacy leaks. There is no organization that officially reviews/approves applications. As such, it is possible for apps to have misconfigurations, be designed to aggressively harvest information, or even be designed with malicious intent.
The odds of any one of these events happening are relatively low. But when combined together, the odds increase to the point that what you thought was private may no longer stay private. Do not get me wrong, sites like Facebook are powerful and amazing tools (read how Facebook impacted Tunisia). But people must also understand their limitations and risks, and that is where security awareness training can come in.

NOTE: Added 28 Jan, 2011. Here is another recent development with social networking sites. Lawyers are now mining sites such as Facebook to collect evidence to be used in trials.