“She’s armed with technology”

… but is she security conscious?

I was reading my RSS reader when I came across this blog article from the WSJ: http://blogs.wsj.com/digits/2009/06/26/how-moms-feel-about-social-media/?mod=rss_WSJBlog and it really got me thinking. How many of these sites have been set up securely? How many of these moms are putting up their private details, not thinking about the possible consequences of what happens if the site gets compromised?

Many of these sites are set up by women (and men) with the best of intentions. They either have a bit of tech knowledge or they hire someone with the coding experience to set up the website. They make sure that they have some of the bells and whistles like private messaging, email lists, and message boards. The user interfaces are scrutinized to make sure they are user-friendly and easy to navigate. But how much attention is given to whether there are vulnerabilities in the server that is running the software? Who maintains the server and makes sure it’s patched and has AV on it? Is the software itself buggy and vulnerable to attack? Are they doing enough to protect their users?

Here’s a great example. I’m a member of several mom-centric social networks, one of which was in fact compromised. The servers had been compromised with an SQL injection attack. The hackers then trashed many of the templates for the site (fortunately the site had decent backups and could restore the templates) and stole all the user information, including things like birthdays, usernames, passwords and email addresses. The site sent a broadcast once control of it was regained, but the damage was done. Every user had been compromised and their info was out in the world.

All except mine.

I never give correct personal details (such as birthdays) to websites. While I appreciate that in general such information is collected for demographic stats, there really is no need for specific birthdays, mother’s maiden names, etc. More people should really think about what it is they put on the enrollment forms. With a name, address and birthdate, identities can be stolen.

Security here is two-fold. Not only should the sites be secure, but the people using them should also be wary: staying on the lookout for links from people they may or may not know, not giving out personal details, and using secure passwords that are not the same as their email passwords or banking passwords.