3

Security threats to social media technologies

Abstract:

This chapter begins by discussing what security means. There must be objectives that one wishes to attain and security controls are utilized to realize them. Some public service organizations, such as government departments, are continuously under attack. The chapter outlines the security threats that social media sites are particularly susceptible to, which will enable readers to appreciate the importance of having robust security measures. Social engineering and associated problems such as handling unsolicited messages (opening files, hyperlinks, and problems associated with communicating with strangers) are also described. The topic of “trust” is discussed, and this does not just include trust in one’s communication with strangers. There could be legal and regulatory ramifications of not trying to combat risks. Risks include identity theft, malware, and damage to a public service department’s reputation. All manner of erroneous communication could take place. One also needs to be aware of privacy concerns associated with using web applications within social media sites.

Key words

social media sites

social engineering

unsolicited messages

opening received files

hyperlinks

building up a relationship

web applications within social media sites

Security

Generally, security is considered to be a state of freedom from risk or danger. Computer security deals with risks, threats, and mechanisms in relation to computing systems: “A computer is secure if you can depend on it and its software to behave as you expect” (Garfinkel, Spafford, and Schwartz, 2003). Computer security also involves the measures to preserve a system in a secure state, and was defined by Gollmann (2001) as follows: “Computer security deals with the techniques employed to maintain security within a computer system.” These two definitions of computer security may be suitable for an isolated system, but can fall short of defining a modern computing system. Computing systems are no longer conceived of as having a centralized architecture. Also, a system that is connected to other systems is exposed to many additional security threats. For these reasons, a comprehensive definition of security is required.

What are security objectives?

In this book the topic of what is required of security is divided into two: security objectives and security controls, which are discussed in Chapter 4. Security objectives are high-level goals, while families of security controls specify how the objectives are realized. A security objective can be described as a “statement of an intent to counter identified threats and/or satisfy identified organisation security policies and/or assumptions” (Common Criteria Project, 2009) and computer security is “the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources” (Swanson and Guttman, 1996). Included in this definition are three terms that are generally regarded as the high-level security objectives – integrity, availability, and confidentiality. Firesmith (2003) gives a very comprehensive discussion of the general security of a software application and identifies 11 security “objectives,” three of which are described below:

• “Confidentiality” is associated with the word “privacy” – preventing the unauthorized disclosure of information (Dept of Trade and Industry, 1991), ensuring that information can only be accessed by those authorized to do so. Thus confidentiality “provides protection against the unauthorized notice of stored, processed, or transferred information” (Wolter, Menzel, and Meinel, 2008).

• “Integrity” in the context of social media is “the prevention of the unauthorised modification of information” (Dept of Trade and Industry, 1991); it “requires that only authorized users can alter information in authorized ways” (Ferraiolo, Kuhn, and Chandramouli, 2003). Information that has integrity is proper (intact, correct, and complete) (Wolter, Menzel, and Meinel, 2008), and transferred, processed, or stored data can only be modified with proper rights. If data and communications are trustworthy they have integrity (Firesmith, 2003).

• “Availability” in the context of social media is “the prevention of unauthorised withholding of information or resources” (Dept of Trade and Industry, 1991). This security objective “ensures that data, resources and services, which are needed for the proper functioning of a system, are available at each point in time regarding the requested quality of service” (Wolter, Menzel, and Meinel, 2008).

Trust

Trust is described by Mayer, Davis, and Schoorman (1995) as “the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party.” Privacy is important for successful online interactions, as is trust (Coppola, Hiltz, and Rotter, 2004; Jarvenpaa, and Leidner, 1998; Piccoli and Ives, 2003), as it determines what people are willing to share. Figure 3.1 highlights some of the concerns that users have with social networking sites, which get in the way of what they wish to do, and Figure 3.2 shows some aspects of what constitutes “trust.”

Figure 3.1 Users’ concerns about social networking sites.

Figure 3.2 Some types of trust.

A survey of 117 college students examining their levels of concern about trust and privacy within social networking sites showed that “the existence of trust and the willingness to share information do not automatically translate into new social interaction” (Dwyer, Hiltz, and Passerini, 2007). Research on Facebook has found that individuals made personal information available despite having concerns about privacy (Debatin et al., 2009). Furthermore, a survey about privacy in online social networks in Malaysian universities found that “people show different behaviour in online social networks towards creating new connections” and “people seem to be more open in online social networks and are more willing to share information about themselves than in the real world.” The users “think they know about potential threats, but they still did not use privacy enablers” (Mohtasebi and Borazjani, 2010). Moreover, a survey among 205 college students by Fogel and Nehmad (2009) about risk taking, trust, and privacy concerns in social network communities found the following:

Individuals with profiles on social networking websites have greater risk taking attitudes than those who do not; greater risk taking attitudes exist among men than women. Facebook has a greater sense of trust than MySpace. General privacy concerns and identity information disclosure concerns are of greater concern to women than men. Greater percentages of men than women display their phone numbers and home addresses on social networking websites.

Although one might do one’s best to keep personal information private on a social networking site, there is a non-transparent undercurrent that one is not normally aware of. Figure 3.3 highlights some of the issues.

Figure 3.3 Transparency and opaqueness to the user.

Users of social networking sites need to adhere to the advice “trust, but verify.”

Threats to information systems in the public sector

The public sector is sometimes the target of malicious attacks on its information systems, and government information systems are under constant attack from malicious individuals. In a speech in Canberra on July 19, 2012, Nick Warner, the director-general of the Australian Secret Intelligence Service, listed key threats, one of which is cyber threats.

One source of threats is the international hacking group called Anonymous, which has attacked Chinese government websites, protesting about China’s internet restrictions. Anonymous China has a Twitter account on which its members list the websites it has hacked. China has sometimes denied that the websites were ever hacked. An Associated Press article published widely in early April 2012, see for example Muncaster (2012), said that the message left by Anonymous on the websites read: “Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall… What you are doing today to your Great People, tomorrow will be inflicted to you. With no mercy.” The message also gave instructions to users on how to bypass the internet restrictions. More widely, Anonymous has hacked websites worldwide in an attempt to oppose restrictions on file-sharing sites and WikiLeaks. The motive of Anonymous is not always clear. Sometimes the group can be a force for good. In October 2011 it took down child pornography sites and released the names of 1500 people who used one of the sites (BBC News, 2011).

Examples of other hacking groups include AnonOps, a subgroup of Anonymous, LulzSec, and AntiSec. In 2011, 58 percent of data stolen from corporations was attributed to activist groups (Verizon, 2012). In 2012, four alleged members of LulzSec were accused of conspiring to bring down the websites of the CIA and the UK’s Serious Organised Crime Agency (BBC News, 2012). Ryan Ackroyd, 25, was the last of the four to appear in court on March 16, 2012, and the four were also charged with allegedly being responsible for plotting to hack into other systems, including those of the National Health Service and News International. It was alleged that the four members of LulzSec plotted together and with others to carry out distributed denial-of-service attacks, to flood websites so as to prevent them from functioning (BBC News, 2012). This followed high profile attacks on Sony (Rashid, 2011), the cosmetics group Lush (King and Arthur, 2011), and Stratfor (Williams, 2011). The latter attack was launched by hacktivists linked to Anonymous and occurred on Christmas Eve 2011. The attack compromised more than 50,000 credit card numbers, which were used to make numerous donations to charity.

Such groups with access to large computing power (for example a government) can attack a target persistently in “advanced persistent threats.” China conducts a large amount of information security research and the US government is concerned that this could be put to ill effect (Krekel, Adams, and Bakos, 2012). Such groups can be organized sufficiently well so as to carry out strategies analogous to military ones: reconnoitering, infiltrating, and “establishing a beachhead.” They can find a “backdoor” – a way in that is undetected. They can gain unauthorized access to data, termed “exfiltration.” Journalists have shown us how easy it is to tap into the phones and computers of people in the public eye. Just imagine what a technically able and well-funded hacker could do. Those hacking into computers as a means of protesting about something are said to be “hacktivists.” Some, as above, seek to gain publicity, put a message across, or embarrass the victims while others do not wish their attack to be discovered. Large-scale attacks such as those described above and attacks such as denial-of-service attacks are termed “mass attacks.” Some of them exploit the vulnerabilities present in software. Threats from hacktivism include damage to a public service department’s reputation, disclosure of sensitive information, and the costs associated with dealing with the attack and cleaning up after it.

There are “white hat hackers” and “black hat hackers.” The former are ethical hackers, for example those in the IT department of an organization who are deliberately trying to hack into the organization’s systems to test their security controls. The latter category includes those who wish to hack for malicious reasons.

Hackers have succeeded in stealing passwords from major sites. An article in Computer Fraud & Security in 2012 stated: “The leaking of passwords from three major websites has highlighted the dangers of poor password protection practices. LinkedIn, eHarmony and Last.fm all suffered breaches within a few days of each other, leading some pundits to suggest either common weaknesses or the same attackers, although there’s so far no evidence to support either contention” (“Password Hacks…,” 2012). The article describes attempts to explore how hackers attack social media websites.

There is a variety of security threats to social media technologies; for example, as well as “Password Hacks Show Major Sites Are Vulnerable,” mentioned above, other articles in the June 2012 issue of Computer Fraud & Security were entitled “Dissecting a hacktivist attack,” “Challenges in PII [Professional Indemnity Insurance] Data Protection,” “Disguising the Dangers: Hiding Attacks Behind Modern Masks,” “Cyber Crimes: Preparing to Fight Insider Threats,” and “Interview: Philip Lieberman and the Human Factor.”

Some threats are confidence tricks, whose practitioners are sometimes called “scam artists.” There are also the threats of blackmail, bribery, break-ins, bugging, hacking, viruses, computer worms, and so on. Examples of worms are Stuxnet and Duqu. A small number of technical threats to social media technologies are described in Appendix 3. Another problem is personal information being gathered, analyzed, and sold without an individual’s consent. Worse still, the information can be used in ways that are not in the best interests of the individual.

An individual may use one password for many accounts. This saves effort in memorizing or recording passwords, but if one account is compromised then so are all the others covered by the password in question. The saving grace can be the uniqueness of the user’s ID, but unfortunately some user IDs are simply a person’s email address, and offer no protection.

Threats to social media sites

When the number of people using social networking in a public sector department rises it leads to a rise in security risks for the department. When there is a large number of users there is likely to be a large number of security risks.

When users use a social media site they do not know how vulnerable the site is to security breaches. Although a security standard has recently been developed for web application developers to adhere to, it is difficult to know if a particular site is adhering to it or not. The standard is the Application Security Verification Standard, developed by the Open Web Application Security Project. It specifies four levels of security control provision.

Social engineering

“Social engineering” is the term used when someone acquires confidential personal information from a user fraudulently with the purpose of exploiting it or committing identity theft (Figures 3.4 and 3.5).

Figure 3.4 Online theft

Figure 3.5 A site might appear safe but be vulnerable to exploitation

The types of information that can often be found on social media sites describing an individual include information about:

• the individual:

– photo

– social security number (or part of one)

– full name

– full date of birth

• the individual’s education:

– school attended

• the individual’s employment:

– work address and phone number

• the individual’s family:

– photos

– names of children and family members

• the individual’s home:

– home address and phone number

• the individual’s movements:

– places visited regularly

– dates and details of future outings and vacations, and other times that the user will be away from home.

There is a tendency for users to publish more information than is necessary for maintaining communication with other social media users. Others can copy and make use of this information, including photos, videos and audio files. “Dumpster diving” is the term used for looking for physical or virtual scraps of information to help someone carry out social engineering.

Blagging

The term “blagging” is given to two activities: obtaining personal information without the owner’s consent, and recklessly using personal information.

Phishing or sending unsolicited messages

Social engineering carried out by sending a message via an email or social media site, often indiscriminately, is called “phishing.” It is also possible to target an individual or an identified group of people, which is called “spear phishing,” or “whaling” when the individual or group is powerful.

Phishing by sending unsolicited social media messages raises additional security implications as these messages are not subjected to the checks performed by email systems, which attempt to identify phishing messages and act on them. Furthermore, users can create rules to direct some messages to the junk email or deleted items folders. Most web browsers include a phishing filter, which helps detect suspicious websites by comparing a site against a list of known rogue sites and checking to see whether a website fits the profile of a phishing website.

A message is more likely to be taken seriously if it contains information about the receiver. This could have been found from information that is publicly available, for example on a social media site, or it could have been stolen. The more the message is tailored to the receiver, the easier it is to pass through systems that filter out spam and messages with virus links and attachments, as the messages do not fit the pattern of typical rogue communication.

Spoofing

A message sent from someone pretending to be someone else is known as “spoofing.” A message could appear to come from a particular address yet be sent from another address. Scam artists use graphics in messages to make them seem legitimate. It is very difficult for social media sites to control this sort of malpractice.

Other scams

There are many other scams. For example, email messages may ask the recipient to send money because the sender, who appears to be a friend or acquaintance of the recipient, is stranded somewhere, or may threaten that the recipient’s account will be closed if they do not respond. Cybercriminals often suggest that a user’s security has been compromised, and the message shown in Figure 3.6 is an example of this trick. Some of the features that typify a rogue message are shown. Also note the peculiar capitalisation, word use, and punctuation in the message. Appendix 4 shows examples of unsolicited rogue messages.

Figure 3.6 Anatomy of a rogue message.

A massive “botnet,” referred to as the Grum botnet, which sent out millions of spam emails per day, was shut down in 2012 in a multi-country effort. It made use of infected computers and caused them to send out spam. The bodies responsible for shutting it down are FireEye (a UK computer security company); the Spamhaus Project (international); and CERT-GIB, the Computer Security Incident Response Team of Group-IB, a Russian computer security company.

Threats when opening received files

Files can be attached to email and social media messages which are infected or contain a form of malicious code. Once again, those sending infected files know that recipients are more likely to open them if they know the file’s source or the filename is relevant. For example, if you receive a message with an attachment that looks as though it has come from one of your colleagues, you may well open it without first verifying that it is safe to do so.

Hyperlinks

Clicking a link in a message could cause a malicious web page to be displayed, which installs malware, sending malicious script to the user’s browser in what is called a “drive-by download.” Also, a website might have hyperlinks to an .exe file, which will execute when double clicking the hyperlink. Browsers prevent such hyperlink action from automatically running any downloaded executable without displaying some form of dialog box prompt to the user.

It is possible to get a rough idea of where a link is taking a user by looking at its URL, but note that the link that you see does not necessarily take you to that address. To see where the link is taking you, you have to position the mouse cursor over the link. In the example shown in Figure 3.7, the real web address for the link is revealed, and is written in the box. Notice that the URL link to this fictional company’s website does not direct users to where they believe it will go, but instead takes them to another site. Furthermore, there are services that will take a URL and rename it. This is particularly useful in Twitter tweets where the number of characters is limited.

Figure 3.7 Authenticating a hyperlink.

TinyURL and bit.ly are example URL shortening services, which were developed to replace long URLs with short ones. However, they pose a problem as they can be used by malicious individuals to obscure the actual URL. A short URL could have a hyperlink to anywhere! Examples of social media sites that use short URLs include Facebook, LinkedIn, and Twitter. Even if the website is legitimate it may have been compromised with malicious scripts that will be downloaded to the user’s browser when the web page is displayed.

A phisher could register a domain name that contains a brand name within it. Also, a cybercriminal might own a website whose domain contains some elements similar to the name of a well-known company, but where the company name has been slightly altered. A scam artist could spoof a popular website, perhaps a company’s website. This phony site can be referred to as a “scam site” (Figure 3.8). Messages could have a hyperlink to such a website, which could be directed to a phony pop-up window.

Figure 3.8 Outline of a scam site.
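The link checks described in this section can be automated in a message filter. The following is an added example, not part of the original chapter: it flags links whose visible text names a different site from the real target, links through the two shortening services named above, and domains that embed or slightly alter a brand name. The brand "examplebank", every host and the sample message are constructed for illustration.

```javascript
// Added example: inspects each link in a message for the tricks described above.
// Every host, brand and message below is constructed for illustration.

const SHORTENER_HOSTS = new Set(["tinyurl.com", "bit.ly"]); // the two services named in the text
const BRANDS = { examplebank: "examplebank.com" };          // hypothetical brand -> its genuine domain

// Collect { href, text } for every anchor. A regex is enough for the constructed
// sample; a production filter would use a real HTML parser.
function extractLinks(html) {
  const links = [];
  const re = /<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]*>/g, "").trim() });
  }
  return links;
}

// Host name of an absolute URL or bare domain, lower-cased, without "www.".
function hostOf(value) {
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value) ? value : "http://" + value;
    return new URL(withScheme).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null;
  }
}

// True when the visible link text is itself written as a web address.
function looksLikeUrl(text) {
  return /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(text);
}

// True when host is the domain itself or one of its subdomains.
function within(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Levenshtein distance, used to catch a brand name that was slightly altered.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

function inspectLink({ href, text }) {
  const host = hostOf(href);
  if (host === null) return ["unparseable-href"];
  const findings = [];

  // 1. The address shown to the reader is not the address the link goes to.
  if (looksLikeUrl(text)) {
    const shown = hostOf(text);
    if (shown !== null && !within(host, shown) && !within(shown, host)) {
      findings.push("text-href-mismatch");
    }
  }
  // 2. The real destination is hidden behind a shortening service.
  if (SHORTENER_HOSTS.has(host)) findings.push("shortener");

  // 3. The domain contains a brand name, or a near miss of one, but is not the brand's.
  for (const [brand, domain] of Object.entries(BRANDS)) {
    if (within(host, domain)) continue; // genuine site
    if (host.includes(brand)) {
      findings.push("brand-in-domain");
    } else if (host.split(".").some(label => editDistance(label, brand) <= 2)) {
      findings.push("lookalike-domain");
    }
  }
  return findings;
}

function scanMessage(html) {
  return extractLinks(html).map(link => ({ href: link.href, findings: inspectLink(link) }));
}

// Constructed sample message.
const SAMPLE_MESSAGE = `
  <p>Log in at <a href="http://login.attacker.example/x">www.examplebank.com</a></p>
  <p><a href="https://bit.ly/abc123">Holiday photos</a></p>
  <p><a href="https://examplebank.com.account-check.example/">Verify your account</a></p>
  <p><a href="https://www.examp1ebank.com/">Examplebank</a></p>
  <p><a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>`;

for (const r of scanMessage(SAMPLE_MESSAGE)) {
  console.log(r.href, "->", r.findings.join(", ") || "no findings");
}
```

A flagged shortener link is not necessarily malicious; the finding only records that the destination cannot be judged from the link itself.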

Cross-site scripting

Consider a website that informs you of the weather at a given location – www.dummyweather.com. You receive a message from a social media site with a link to the weather website:

You click on the link. The website looks up the ZIP code in its database and cannot find it so it sends a message to the browser:

No details for 31750

This has echoed back the ZIP code. There is no problem here.

Let us look at another case. This time the link has been sent from a hacker:

Instead of putting in a postcode the hacker has inserted HTML code (possibly including JavaScript). If the website does not check that a valid ZIP code is being specified then it will send to the user’s browser “No details for” and then send the HTML code to the browser. This code will be executed. The hacker could arrange it so that the user’s browser displays a rogue message on the weather web page. Alternatively, the hacker could arrange it so that a cookie on the user’s computer is sent to a website owned by the hacker. This cookie could contain sensitive data, such as credit card details or a password. The cookie was only ever intended to be seen by a certain website (e.g. a bank) but is now being sent to the hacker’s website.

One of the security principles of websites is that any scripting code sent by the website to the user’s browser should originate from the website. In the above example, this principle is being violated, and such cases are given the name “cross-site scripting.”
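The weather-site case above, written out as an added example that is not part of the original chapter: the "before" handler echoes the ZIP code unchanged, and the hardened handler validates it, escapes anything it echoes, and sets response headers that limit the damage if a flaw remains. The links themselves are not reproduced in the text, so the /lookup path, the "zip" parameter and all function names are assumptions, and the inputs are constructed.

```javascript
// Added example, not the weather site's real code. The /lookup path, the "zip"
// parameter and every function name are assumptions; inputs are constructed.

const BENIGN_URL = "http://www.dummyweather.com/lookup?zip=31750";
// Constructed input: harmless markup standing in for whatever a rogue link carries.
const CRAFTED_URL = "http://www.dummyweather.com/lookup?zip=" +
  encodeURIComponent("<b>rogue message</b>");

function zipFrom(url) {
  return new URL(url).searchParams.get("zip");
}

// Before: the value from the link is copied into the page unchanged, so any
// markup in it becomes part of the weather site's own page.
function handleVulnerable(url) {
  return { status: 404, headers: {}, body: "<p>No details for " + zipFrom(url) + "</p>" };
}

// Turn the characters that HTML treats as markup into inert text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// The echoed line, safe for any input.
function echoLine(value) {
  return "<p>No details for " + escapeHtml(value) + "</p>";
}

// Headers sent with every hardened response. The policy tells the browser to
// run script only when it is loaded from the site itself, which is the
// principle stated in the text; inline script injected into a page is refused.
const RESPONSE_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy": "default-src 'self'",
};

// HttpOnly keeps page script from reading the cookie, so an injected script
// cannot send it elsewhere. Secure restricts it to HTTPS, and SameSite=Strict
// stops the browser attaching it to requests started from other sites.
function sessionCookie(id) {
  return "session=" + encodeURIComponent(id) + "; HttpOnly; Secure; SameSite=Strict";
}

// After: reject anything that is not a five-digit ZIP code (assumed format),
// and escape the value even when it passed validation.
function handleHardened(url) {
  const zip = zipFrom(url);
  if (typeof zip !== "string" || !/^\d{5}$/.test(zip)) {
    return {
      status: 400,
      headers: RESPONSE_HEADERS,
      body: "<p>Please enter a five-digit ZIP code.</p>",
    };
  }
  return { status: 404, headers: RESPONSE_HEADERS, body: echoLine(zip) };
}

console.log("vulnerable:", handleVulnerable(CRAFTED_URL).body);
console.log("hardened:  ", handleHardened(CRAFTED_URL).body);
console.log("benign:    ", handleHardened(BENIGN_URL).body);
console.log("cookie:    ", sessionCookie("constructed-session-id"));
```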

Cross-site request forgery

Cross-site request forgery is similar in operation to cross-site scripting but it allows a hacker to send unauthorized messages to the genuine website that is being accessed by the victim. For example, it is possible to send a message to withdraw money from an online bank account and direct this to the hacker.

Threats when building up a relationship

Making new friends online increases privacy and security risks. One form of social engineering occurs when a criminal on a social media site tries to befriend others in order to build up trust and extract confidential private information. The criminal can create a fake Facebook profile or a bogus Twitter account. For example, in Australia an employee of Telstra impersonated a government minister on Twitter (LeMay, 2009). On social media sites there are difficulties in establishing the authenticity of the person with whom one appears to be communicating, and in determining the accuracy of posts. Social media providers sometimes appear weak at detecting compromised accounts and subsequently restoring them. Another ploy for criminals is to try to befriend someone by claiming to have something in common.

Web applications within social media sites

A problem with web-based applications such as social media sites, e.g. Facebook, is the availability of other applications that users can install, which allow users to run third-party applications such as games, and functionality to personalize their page. This grants the application access to all a user’s personal information, irrespective of any privacy setting made in the social media site (Thomas, Grier, and Nicol, 2010). The vast majority of these applications only need basic personal details of a user. Furthermore, anyone can write an application, so some applications have no security controls. Worse still, an application could have been developed by a cyber criminal.

Other social media threats

Abuse of a social media site can occur in other ways:

• During unrest in Iran, Habitat added Twitter tags like “Iran” and “Mousavi” to its messages so that people seeking news of Iran would be directed to this furniture retailer.

• Spammers use social networking.

• Some websites enable users to set up an account quickly using existing log-in information from a social networking site. This is called a “social log-in.”

The impacts of social media malpractice

When social media malpractice is targeted at public sector bodies, private or confidential public sector information can be revealed, perhaps inadvertently. Such information could be used to support an argument, perhaps wrongly, or be misinterpreted. This can lead to embarrassment to the public sector body, damage its reputation, and reduce citizens’ confidence in it, particularly in the relevant department’s online delivery. Overall, malpractice can involve cybercrime, cyber-espionage, hacktivism, terrorism, or cyber-warfare.

Legal and regulatory risks

If a regulatory body has concerns about compliance, there could be a regulatory investigation of a department’s data (including electronic data). Similarly, following legal proceedings, a request could be made for an e-disclosure. This involves e-discovery – looking for electronic data. The risk of malpractice is increasing. It is difficult to control all the data emanating from an organization, and to save it in a form that is searchable for compliance may be prohibitively expensive.

Departments need to change their lax attitude to the use of Web 2.0 involving departmental information. There need to be retention management rules for email, instant messaging, and social media communication, but there are a number of difficulties associated with e-discovery and retention rules when using social media sites: the public service department is not in control of the site; there are different forms of content (text, photos, videos, etc.); the functionality changes frequently; the type of permission required to see an item of data changes frequently; some content (such as a Wikipedia page) is continually being edited; and discourse could be spread across several sites.

There are particular problems with Facebook. This social networking service allows users to set up a “Like page” for a person, organization, idea, etc., best thought of as a fan club where fans can find out about current happenings. Any website can be amended to include code so that information can be passed from the website to Facebook, in what is called a “social plug-in.” An example is a “Like button”; clicking this on a website causes information to be sent from the website to the user’s Facebook account. In August 2011, the Data Protection Commissioner’s Office called on all institutions in the federal state of Schleswig-Holstein, Germany, not to use Facebook “Like pages” or social plug-ins, following concerns over data protection.

Other impacts of social media malpractice

Wrong or negative information could be spread. It could be disseminated deliberately, perhaps by a citizen or an employee who holds a grudge against a public sector department.

Inappropriate or unapproved use of a department’s logo may take place.

Specific threats: examples and applications

Web 2.0 security and schools

Let us look at some of the threats introduced by Web 2.0:

• new forms of bullying students, using forums or social networking sites

• posting “happy slapping” videos taken from mobile phones

• students exposed to privacy and safety threats

• sites pretending to be those of a teacher

• student gossip about teachers being made available.

Cloud computing

In cloud computing the management of much of a public sector department’s IT facilities is transferred to the cloud service provider. The increased use of cloud computing is likely to draw the attention of attackers to the services and the platforms on which they run. Furthermore, a cloud service provider offers considerable resources for those willing to pay for them. Attackers could use these resources, with no doubt stolen funds, for example to tackle encryption.

There is potential confusion over which law applies if the user is located in a different country from the cloud service provider. Example legislation includes the USA Patriot Act and data protection legislation from the European Commission. In specific cases, perhaps a compromise has to be reached. In any case, it might be extremely difficult to prove that personal information has been wrongly accessed.

Law enforcement and intelligence agencies

Facebook has been used to plan offline criminal activity, to boast about it, and to perform illegal online activity, such as cyber-stalking. There is also the problem of “trolling,” where a user posts a message that is designed to disrupt an online discussion, sometimes in a provocative way, and sometimes constituting harassment. Citizens could send messages relating to rumors, or containing errors, misleading information, distortions of the truth, or deliberately deceptive information, which information could be widely circulated. In December 2010, the police in the UK reported that since January 2010 they had received 7545 calls from the public about Facebook (Gill, 2010).

There are possible risks to the use of social media by law enforcement agencies, such as revealing confidential information, naming undercover agents, and risks to reputation when complaints have not been responded to sufficiently. The data collected about citizens might not be held securely and could be accessed by those without permission to do so.

Some social media communication is in the public domain, such as tweets; other types are private and intended to be read only by those decided by the sender, for example direct messages in Twitter. There is a risk that surveillance activity by law enforcement and intelligence agencies could adversely affect the social and economic benefits of the web, for example, by curbing the free exchange of ideas.

Communication during emergencies

The question arises as to whether the content of a tweet contains valid information or is just rumor. Mendoza, Poblete, and Castillo (2010) conducted a study of tweets sent during an earthquake and found that tweets containing rumors were questioned by recipients more than those containing valid information. Sutton, Palen, and Shklovski (2008) also found that backchannel communication is becoming an increasingly accepted source of accurate information, so much so that it is being used by traditional media and emergency managers.

References

BBC News. Hackers Take Down Child Pornography Sites. October 24, available at: http://www.bbc.com/news/technology-15428203, 2011.

BBC News. Lulzsec Hacking Accused Ryan Ackroyd in Court. March 16, available at: http://www. bbc. co. uk/news/uk-england-17399149, 2012.

Common Criteria Project. Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, 2009. [Version 3. 1, Revision 3, Final, CCMB-2009–07–001. ].

Coppola, N. W., Hiltz, S. R., Rotter, N. G. Building Trust in Virtual Teams. IEEE Transactions on Professional Communication. 2004; 47(2):95–104.

Debatin, B., Lovejoy, J. P., Horn, A.-K., Hughes, B. N. Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences. Journal of Computer-Mediated Communication. 2009; 15(1):83–108.

Dept of Trade and Industry. Information Technology Security Evaluation Criteria, Harmonized Criteria of France, Germany, the Netherlands, the United Kingdom. Department of Trade and Industry, London, 1991.

Dwyer, C., Hiltz, R. S., Passerini, K. Trust and Privacy Concern With Social Networking Sites: a Comparison of Facebook and MySpace. In: paper given at the Thirteen Americas Conference on Information Systems. Colorado: Keystone; 2007.

Ferraiolo, D. F., Kuhn, D. R., Chandramouli, R. Role-Based Access Control. Artech House; 2003.

Firesmith, D. G. Engineering Security Requirements. Journal of Object Technology. 2003; 2(1):53–68.

Fogel, J., Nehmad, E. Internet Social Network Communities: Risk Taking, Trust, and Privacy Concerns. Computers in Human Behavior. 2009; 25(1):153–160.

Garfinkel, S., Spafford, G., Schwartz, A. Practical UNIX and Internet Security. O’Reilly Media; 2003.

Gill, C. The Facebook Crimewave Hits 100,000 in the Last Five Years. Daily Mail, December 14, available at: http://www.dailymail.co.uk/news/article-1338223/Facebook-crime-rises-540-cent-3-years-police-chiefs-16-forces-reveal.html, 2010.

Gollmann, D. Computer Security. John Wiley and Sons; 2011.

Jarvenpaa, S. L., Leidner, D. E. Communication and Trust in Global Virtual Teams. Journal of Computer-Mediated Communication. 3(4), 1998.

King, M., Arthur, C. Lush Website Hack Sees Customers Defrauded. Guardian, January 21, available at: http://www.guardian.co.uk/money/2011/jan/21/lush-website-hack-customers-fraud, 2011.

Krekel, B., Adams, P., Bakos, G. Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage. available at: http://www.uscc.gov/Research/occupying-information-high-ground-chinese-capabilities-computer-network-operations-and, 2012.

LeMay, R. Fake Conroy claims Telstra sacking, 2009. [ZDNet, March 25.].

Mayer, R. C., Davis, J. H., Schoorman, F. D. An Integrative Model of Organizational Trust. Academy of Management Review. 1995; 20(3):712.

Mendoza, M., Poblete, B., Castillo, C. “Twitter Under Crisis: Can we trust what we RT?”, First Workshop on Social Media Analysis (SOMA ’10), 2010. [Washington, D.C.].

Mohtasebi, A. and Borazjani, P. N. (2010) “Privacy Concerns in Social Networks and Online Communities”, paper given at the VALA2010 Conference.

Muncaster, P. Anonymous Turns Its Fire on China. The Register, April 5, available at: http://www.theregister.co.uk/2012/04/05/anonymous_china_hacks/, 2012.

“Password Hacks Show Major Sites Are Vulnerable” (2012) Computer Fraud & Security 6:1 and 3.

Piccoli, G., Ives, B. Trust and the Unintended Effects of Behavior Control in Virtual Teams. MIS Quarterly. 2003; 27(3):365–395.

Rashid, F. Y. Sony Data Breach Was Camouflaged by Anonymous DDoS Attack. eWeek. 2011. [May 5].

Sutton, J., Palen, L., Shklovski, I. Backchannels on the Front Lines: Emergent Uses of Social Media in the 2007 Southern California Wildfires. In: Fiedrich F., Van der Walle B., eds. Proceedings of the 5th International ISCRAM Conference, 2008. [Washington, D.C.].

Swanson, M., Guttman, B., Generally Accepted Principles and Practices for Securing Information Technology Systems, 1996. [NIST National Institute of Standards and Technology, US Department of Commerce].

Thomas, K., Grier, C., Nicol, D. M. UnFriendly: Multi-party Privacy Risks in Social Networks. In: Atallah M. J., Hopper N. J., eds. Privacy Enhancing Technologies. Heidelberg and Berlin: Springer, 2010. [Lecture Notes in Computer Science].

Verizon. 2012 Data Breach Investigations Report. available at: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf, 2012.

Williams, C. Anonymous ‘Robin Hood’ Hacking Attack Hits Major Firms. Telegraph, December 28, available at: http://www.telegraph.co.uk/technology/news/8980453/Anonymous-Robin-Hood-hacking-attack-hits-major-firms.html, 2011.

Wolter, C., Menzel, M., Meinel, C. Modelling Security Goals in Business Processes. In: Kuehne T., Reisig W., Steimann F., eds. Modellierung 2008. Gesellschaft fuer Informatik: Bonn, 2008. [Lecture Notes in Informatics].
