Security and Privacy Issues of Social media apps

Aim

The aim of this advisory is to sensitize personnel on security and privacy issues related to usage of instant messaging and social media applications.

Background

Instant Messaging applications such as Whatsapp, Telegram, Signal, Facebook Messenger, Skype etc. and social media apps such as Facebook, Twitter, Linkedln etc. are being used by all personnel and their family members. However, many a times, advertently or inadvertently, sensitive information gets leaked through these media. Some of the risks associated with these are given in succeeding paragraphs.

Associated Risks

• Instant Messaging Applications : Threat actors have  been  using various methods to stage all sons of phishing attacks. Nowadays, an attacker can send custom SMS/ MMS messages to modify the network and internet settings in the device via clever social engineering campaigns. In recent case involving Whatsapp, the attackers, using cleverly crafted custom message or attachments stole sensitive data and monitored camera/ microphone of the individual (CVE -2019-11931) thereby putting the individual under virtual surveillance device.
• Social Media Applications : Social Media Sites can also pose risks such as exposure to inappropriate or upsetting content like mean, aggressive, violent or sexual comments or images. Moreover, after compromise of an individual’s credentials, the malicious actor can upload inappropriate content such as embarrassing or provocative photos or videos of the individual or his close friends/ relatives, share personal information with strangers, cyber bullying etc. thereby causing much inconvenience/ reputation damage. In a recent case after compromising the social media account.

Guidelines

In order to safeguard personnel from various risks indicated above, following are recommended:-

• Messaging Applications : Secure your messaging application using security and privacy settings in the applications as indicated below:
• Privacy setting : Control your privacy settings to ensure that your personal data is visible only to you selected contacts. Other should not be able to see your information.
• Identify the Sender:  Always request Account Info of the sender of the messages while you receive any messages or attachments. Open all types at attachments after verifying the sender.
• Post Messages as Required: You should have information about all the group members. Only post relevant messages which are applicable to the group members.
• Clear Chats Periodically :  Clear messages inside a chat so that the information is not stored more than the required duration. Make the habit of cleaning messages in a periodic manner.
• Read Receipts : Turn off read receipts to avoid somebody from monitoring your active hours.
• Spams: Delete and repon spam as in general  most spammers also send malwares.
• Join Relevant groups only : Leave the groups if you are added by someone you don’t know. Even if you know the person who added you, monitor the group for some time and quit if the same is not relevant to you.
• Blocking : Block unwanted/ unknown users and ensure that group members are known persons.
• Access Restriction : Enable  two  factor/  multi  factor authentication/ verification like app lock/ OTP etc. to avoid unauthorized access.
• Selection of Application : Use apps which inherently provide better security/ privacy. Comparison of various apps is placed at Appendix.
• Social Media Applications : Following is recommended in order to secure your Social Media Account:-
• Use a strong password : The password must be complex which includes upper case, lower case, symbols and numeric values. The same needs to be sufficiently long. Use different passwords for different applications.
• Set up Security Answers : Set up security questions and answers to recover your account in case of an attack. This option is available on most social media sites.
• Device Security : If you have a social networking applications installed in your phone, protect your device with a strong password.
• Be selective with Friend Requests : You should have a friends list with only the persons who you know personally. If you do not know the person, do not accept their request. It could be a fake account.
• Click Links with Caution : Social Media Accounts are regularly hacked. Look our for the language or content that does not sound like something your friend would post.
• Be careful while sharing data : Do not reveal sensitive personal information i.e, home address, financial information, phone number etc. The more you post, the easier it is to have your identity stolen.
• Anti - Virus Software : Licensed Anti - Virus Software needs to be used to protect your operating system and applications.
• Read the site's Privacy Policy : Read the privacy policy of the site / application and use its privacy and security settings to control who can see your personal information.

Source : Ministry of Defence Cyber Cell