In today’s connected world, many of us are members of at least one, if not more, social networking services. The influence and reach of social media enterprises, such as Facebook (more than 600M active users per month) and Twitter (more than 140M active users), is staggering and as communications tools they offer a global reach delivering almost instantaneous communications to huge multinational audiences. Social media is attractive for hacktivists because it is a forum for people on the Internet and where big discussions take place. Hijack a forum like this and you have an effective soapbox to get your message across. Hardly a day passes without news of another high profile breach by hacktivists and social media influencers are in the crosshairs. Are social media and hacktivism two ideas that are made for each other? Let's explore some thoughts and ideas and you can make up your own mind.
Two sides of social media
The ability of social media to spread news quickly is powerful, and obviously, has great potential for positive use but, like many things in life, it also has potential to be abused. In the case of the recent tragic events in Boston, the tweets started almost immediately and helped keep people informed and also warned people away from the area. Many of the tweets came from “citizen journalists” who were actually on the ground as the events unfolded and were able to describe first-hand what they witnessed. Even in the aftermath of that event, social media played a major part in helping to track down the suspects behind the tragic event. Law enforcement issued a general plea for information and the public gladly did what they could by publishing information, pictures, and videos of the event on the public forums provided by social media sites. Law enforcement was able to utilize this information available to put the pieces together.
The downside of this highly visible means of public participation when looking for suspects in a highly charged situation, such as this, is that individuals may be wrongly accused. This is exactly what happened on certain social media sites where, notably, the Reddit service drew the most criticism. On their site users took the role not only of citizen journalist, but as citizen investigator too. Users began to look at the details and photos posted on the site and pieced together their own—and, as it turned out, incorrect—conclusions on the matter. False information and allegations began to circulate and took on a life of their own.
Power of social media
The business of news is all about influencing people and social media provides a large audience to be influenced. Influence is such a fundamental concept in social media that there are even services which attempt to measure how much influence a user has in the social media space. Services, such as Klout, are designed to address how much influence a user has by using algorithms to measure a person’s “clout,” reflected by a number between 1 and 100, with a higher score indicates a higher level of influence.
The news industry has long recognized the power of social media, not only for influencing people but also for gathering information. Today, just about all news outlets have a social media presence to receive and broadcast news to interested audiences. Twitter is the default choice to quickly get information out there. The 140 character limit on tweets forces users to be succinct and focus on main points when communicating. Since many Twitter users use the service on their mobile device and people generally have their mobile device near them all day, information can quickly reach people and be shared again (retweeted) propagating throughout the service's user population (“going viral”).
Indeed, services like Twitter reach mass audiences and in turn hold a strong level of influence. Then when trusted media brands enter the social media space, their power of influence and reach is further magnified. We have seen how big news stories often drive follow-up events. Major disasters or terrorist acts have an immediate impact on stock markets. For example, the stock market crashed immediately following the September 11 attacks in 2001—and that happened before the advent of modern day social media services. Recently it was reckoned that the next market crash will be tweeted and given the role social media now plays in society there is no reason to doubt that. What is to stop criminals from perpetrating "pump and dump" stock market fraud by spreading market-moving rumors in social media which cause wild movements in stock prices? This is particularly true as professional trading systems are now even designed to “read” news headlines and react to news autonomously.
Hacktivism and social media
Hacktivism is a modern-day evolution of traditional activism brought about by a confluence of technology, politics, and people power. While traditional activism still has its place, activist activity is increasingly being conducted online. There are likely a myriad of reasons why this is the case but one thing is for sure, activists have caught on to the powers of social media and the Internet as tools to further their cause. Many of them actively use Twitter to communicate and coordinate worldwide activities.
Ultimately, hacktivists aim to draw attention to their causes which, naturally, makes big influencers their biggest targets. With so much power and influence under the control of trusted brand’s social media accounts it is not too difficult to see that hacktivists would try compromise these accounts and leverage some of the influence for themselves. We have all heard of various celebrity, politician, and corporate social media accounts being hacked, bogus messages being sent, and much of it relatively harmless. But what if a highly influential account is hacked and a plausible but fake message about some disaster or terrorist attack is broadcast to a nation? The possibility for causing panic and disruption is clear. Unfortunately, this type of activity is set to be become an increasingly common phenomenon.
While much of the hacktivists’ attention is focused on the perceived injustices of governments and big business, along with global issues, they also zone in on local issues too.
How are attackers getting in?
In recent months, there has been an increase of hacktivism activity. This activity is largely focused on hacking into legitimate social media service accounts and defacing them or posting false messages. In general, these social media accounts are protected only by password based authentication. The only thing that stands between an attacker and your loyal base of social media followers is a short series of characters. While in some cases, passwords may be guessed due to a bad choice of passwords, there are other ways in which an attacker could get at the password and gain access. It has been proven that people are often the weakest link in many security systems, so it makes sense to exploit this weakness through social engineering. In recent attacks of this type, attackers gained access by sending phishing emails that, at their core, just asked the user for the login details, but disguised the request to make it look legitimate. For example, phishing emails may present users with a link and ask them to log in using the link to verify their account, but in reality their password is being stolen. Attacks of this type have been tried and tested, and found to be effective.
Another way in is to exploit weaknesses in the lost password feature. The feature is not only convenient for users, but also for mischief makers too. There are a plethora of implementations for handling lost user passwords. Some will just ask the user to specify an email address and it will send a new password. Other types will ask a security question, but often times the security questions themselves are insecure, and ask where the user was born or where they went to school. This type of information can be obtained relatively easily on the Internet. Couple this with password reuse and users who do not change their passwords frequently and it is easy to see that there is an opportunity for attack here.
No silver bullet
The Internet and the social media services enabled by it are truly revolutionary, but many of them are built in such a way that enables anonymous and irresponsible messaging. For example, when a person signs up for a social media account, they are asked for personal details during the sign process, but how many people actually provide real names and contact details when signing up for these accounts? There may be legitimate reasons for providing false information, particularly in the light of all the data breaches into large and well known websites in recent times, but the ability to access these services without being traceable makes them ripe for abuse. It’s interesting to consider whether people would be as inclined to carry out malicious activities on the Web if they knew they could be easily traced and held accountable for their actions.
Given the potential influence behind the brands who own social media accounts, the question for legitimate account owners and social media service providers is: shouldn’t the protection of these accounts be of the highest priority? We are all waking up to the risks posed but unfortunately, there is no single silver bullet that can stop all misuse. Responsibility for account protection is a shared one. The social media industry could do more to help protect against misuse and unauthorized access, but at the same time, account owners could do more too.
Social media service provider’s role
Social media sites could ensure that if account login attempts fail repeatedly, further attempts are either delayed by temporary suspensions to slow down brute force attempts or have the account locked and notification sent to the owner. Some services even track the list of IP addresses used to access the service and will notify the owner if a new IP is used to access the service, which could indicate a possible breach of the account.
Social media service providers can help by implementing improved security around authentication and authorization, and more secure storage and handling of personal information. Many websites are increasingly turning to two factor authentication (2FA) to increase account login security. This is a welcome and necessary measure, but they could potentially do more. How about requiring two factor authorization before messages can be sent? This could help prevent unauthorized messages from being sent, even if the main account password was compromised.
Service providers could also introduce tiered accounts with different access levels; this would be particularly useful for business users on social media. Not everybody in a business needs to be able to send messages, so the ability to manage user access controls would be beneficial. HootSuite is an example of a service that offers granular user access controls for managing social media accounts and may be a helpful add-on service for business users. Subscriber and follower management is another feature area that could be explored. Google had an interesting idea with the concept of circles, which allows for selective sharing of information, and goes some way towards addressing this. When you boil it down, the problem is this: accounts in most social networking sites are designed around a person, who is unlikely to need or want different access control levels for their own account, and not a brand or a company. This situation makes the current mapping of requirements between a commercial or brand entity and a personal social media user account a somewhat uncomfortable fit.
Users can help matters by being better educated against social engineering attacks, equipping themselves with good quality protection software, and practicing better security hygiene such as better choice and handling of passwords. For example, according to a recent report by Ofcom (UK communications industry regulator), over half of the adults in the UK use the same password across multiple websites. This statistic is very likely mirrored in other parts of the world and is not encouraging at all from a security standpoint. Users of social media would be well advised to beef up on their security awareness training because technology only represents a small part of the solution to this problem.
As some commentators say, it’s a bit of a wild west in the social media space right now, freedom of speech and civil liberties is hugely important, but so is the responsibility that comes with it. Back to my original question: Are social media and hacktivism made for each other? Of course that is not true, both can exist quite happily without the other. Social media was not created to be a platform for hacktivism and it would be beneficial if hacktivism was not carried out through it. However, social media does amplify the power of hacktivism and because of that, it represents a highly effective and attractive avenue for hacktivists to carry out their activities.