Scammers get better tools for tapping social networks
Exomind was developed to understand social networks' negative impacts on privacy, he said. "In general, by anticipating what bad guys can do and proposing counter-measures we help the larger Internet community."
Hugh Thompson, program committee chairman and a member of the RSA Conference Board, said that the intelligence that such tools can help gather from social and other sites poses an emerging risk for enterprises.
Employees can directly or indirectly disclose a lot of information about their companies on social sites that can compromise company information or security, he said.
For example, an employee suddenly changing social networking relationships, or new relationships between employees of two different companies, could signal an impending partnership between the two companies. A Twitter message from Bentonville, Ark., about a meeting with a company headquartered there could signal a new or blossoming relationship with Wal-Mart, he said.
Similarly, a sudden increase in the number of job seekers from within a company could signal impending layoffs, Thompson said. "If you suddenly see people recommending a number of other people, it could mean they are hoping for some reciprocity, maybe because they are looking for a job," Thompson said.
"If you see this behavior from one person, that doesn't tell you much. But if you see it across five or 10 people who are all in the same group," that could be an indicator of a broader trend, he said.
The availability of such tools highlights the need for individuals to be especially careful about what they disclose on social networking sites.
The tools enable easier discovery -- and correlation of seemingly random bits of data -- to uncover previously undetected relationships and trends, he said. Even if users don't reveal sensitive data outright, they often reveal enough about themselves and their workplaces in different sites to enable a profile to be built, Thompson said.
"Nobody has really understood the risk of data being correlated" from across multiple sites in the manner enabled by tools like Maltego and Exomind, Thompson said. "People tend to put business-related things on LinkedIn but then have this weird mix of personal and business information [on sites such as Facebook]."
Ira Winkler, president of the Internet Security Advisors Group, author of Spies Among Us and a Computerworld columnist, said, "Frankly the tools suck from a protecting-your-privacy perspective."
"These things are inevitable, but they basically lower the bar for performing more advanced attacks like spear phishing and the like," Winkler said.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.

