Friday, November 20, 2009

10 Facebook Don'ts


Facebook is more popular than ever. The site frequently goes through
changes, but how many people use the same schedule of improvements on
their own profile? The new features added to Facebook are opening new
windows for vulnerability. A compromised account is a backdoor to more
serious attacks on email or banking.

Today I will show you 10 things
you should stop doing on Facebook in order to take back your security
and close the open door.

-Stop posting your phone numbers. Last week I explored a Facebook
attack that harvests the phonebook feature. Remember that your number
is exposed to your friends, and therefore you're relying on their
security practices as well as your own to protect you. If a phisher
can spoof your number, they have an extra layer of authenticity in
convincing your friends you are in trouble and need money fast.

-Put down the games. I know the Mafia can't take Cuba without you, but
it's time to stop. The top games on Facebook have been hacked, and
it's just a matter of time before the one you play is next. It's
arguable that the damage is already done with the games and
applications you've already allowed, but don't sign up for any new
ones! Third party apps are not guaranteed to be secure, and you should
not trust them with your credentials.

-Don't trust chat. It shouldn't take Chris Hansen to tell everyone that the person on the other end of your chat session could be anyone. The chat feature on Facebook should be treated as a public conversation. Never give out any private information, even if you're positive you are talking to your friend.

-Refresh your personal info. Take a fresh look at your profile from
the perspective of a social engineer. Does your profile tell a story
about you? What information can you cut out? Many security questions
ask about personal details about primary school and pets. Delete any
photos or profile details that may relate to those kinds of questions.

-Don't use the lazy emails. Facebook will fill your email inbox with
notifications, and the links to easily respond. Instead of following
the links in email, open up a fresh tab and go to facebook.com
directly. Facebook and most social networks are targets for email
spoofing. Otherwise you'll be entering your login password at
facebock.com!

-Don't friend acquaintances. Think of the friends list as a circle of
trust. If you don't know the person well enough to trust their
security savvy, than you're very unlikely to recognize the behavior of
a phisher pretending to be them. 500 friends means 500 possible
inroads to a social engineering or phishing attack. Tone down the
number.

-Don't keep an old password! Changing your password short circuits many trivial forms of attack. Facebook is a high risk target for Identity Theft, especially if you're using applications frequently. How about doing it now!

-Photos are forever. Make it clear to your friends and family that you do not want those pictures of you in your birthday suit on anyone's profile. (As opposed to the one of you in a suit on your birthday!) Pictures give behavioral information to an attacker. Bruce Schneier calls this "incidental data" in his Taxonomy of Social Networking Data. There he makes the assumption that incidental data is information that you did not create about yourself, and therefore do not control. I would add that although much of it is outside your control, there are ways to influence your friend's posting behavior overall. Also, Facebook gives users the ability to "untag" themselves in pictures. While the damage is already done in the short term, you've influenced long term vulnerability.

-Don't forget @mentions. This new feature brings more incidental data. Be respectful of your neighbor's privacy. Ask yourself if having a friend's entire profile pinned to your comment like a big arrow is actually necessary for the joke to be funny.

-Don't trust other websites. Facebook is everywhere now. The same trust rules apply to the Facebook Login feature that is spreading to other websites. If you don't trust the website you're on, then signing in with the Facebook credential does not give you an added layer of protection, but rather hands your password to strangers.

This list may seem counterproductive to the efforts Facebook makes to create a global connected community. While I am interested in being a part of such a community, I go into it with eyes open. Just like wearing a wallet belt when I go to huge tourist destinations, I want to be smart about visiting the hugely popular social networking sites online. It may not be the coolest thing to do, but in the end I found that my friends didn't even notice I had taken these safety precautions. Now the camera bag I stuffed in my shirt... that was a different matter.

9 comments:

Dario said...

Hi Marisa,

I would like to translate this post into Spanish to spread these useful "dont's" because everybody deserve to enjoy Internet and Facebook without black hats around :)

If you want, please, contact me via Twitter (@im_dario).

Jay said...

- phone numbers: So, you also suggest that we explicitly unlist ourselves from all telephone directories, and chase after 123people and all of its ilk to be removed from their databases in which we never asked to be included anyway? impractical. Posting, or not posting, a phone number on a Facebook profile, is a matter of how much convenience the Facebook users wishes to give (privacy settings somewhat controllable) others in contacting them by telephone. It isn't a "hack me" sign stuck to their back.

- games (applications generally): Unless you're saying that the hacks to the games include script injections which can capture your Facebook login credentials, as much as I hate, hide, and block almost all applications so that they a) don't waste my screen space, and b) can't access my Facebook information, I would like to see more detail about how applications would get a Facebook user's actual login credentials?

- chat: Other than the usual, that if you "friend" someone without an offline confirmation that they are who you think they are, and that their account could have been taken over, how is Facebook chat any more public than, say, email?

- refresh your personal data: Good general advice.

- lazy emails: I think this can be simplified to "don't click on links in emails". Good general advice.

- lazy emails, take 2: I don't rely on Facebook's email system. I like to have my emails on my own technology (or at least that technology commercially contracted by me). Then I know I won't have a problem extracting the data at a later time if I wish. (Security risk: Availability). Not to mention that Facebook's email system is rather rudimentary.

- acquaintances: Depends on why you use Facebook. If it is to expand your circle of contacts (I have seen a growing number of people blurring the line between Professional and Social networking sites), then by all means "friend" acquaintances. Just do it - as with all connections - with forethought about what information will be shared.

- passwords: Change passwords regularly, and don't use the same password on several sites. Good general advice. Personal recommendation: a password vault program, such as Lastpass, because we all simply have too many passwords now to remember them, and without a technology crutch we simply are forced to get lazy and re-use passwords and change them too infrequently.

(to be continued)

Jay said...

(continuation of my earlier comment; sorry for the length!)

- photos are forever: I forget who, but someone much better a writer than I recently penned a very nice article regarding how "privacy" is better considered a question of trust than of anonymity. Offline and online, we must manage who are our (real) friends and acquaintances, including setting their expectations of our privacy intentions, such as what photos to take and where to disseminate them. Each person runs the risk, every time s/he does anything which might come back to haunt him/her, in any forum where anyone else is present. Photos on Facebook are not different. Facebook makes it easier, but not conceptually different for them to make the mistake of doing something silly (or worse) among company who can't be *trusted* to maintain the privacy of the act.

@mentions - I have set my Facebook privacy settings to limit all accesses to my information to my own "friends", nothing is set to "friend of friends" (and some are set to "only me"). Refer back to privacy = a trust problem. Nonetheless, the advice is good - again, refer back to privacy = a trust problem: your friends are trusting you to make wise decisions with their privacy!

- other websites: In the sense that I yesterday permitted a Windows Mobile 6.5 application to know my Facebook credentials for easier integration, yes I'm trusting something else to act on my behalf, which could result in the loss of my control over my Facebook account. But I suspect there was something else behind that, please elaborate?

As Marisa said, this is all intentioned more at helping people go in to the Social Networking world with open eyes. My responses here are to acknowledge that our digital houses have some open, unlocked, unlockable, insecurable doors and windows (see the phone number comment), so we also need to avoid creating a usability problem by attempting to secure things which actually buy us very little when taken in the context of our whole digital selves. All balance should be taken in balance :-)

Cheers,
Jay Libove, CISSP, CIPP

Marisa Fagan said...

Jay,

Thanks for the thoughtful response to my 10 Facebook suggestions. It seems you've got a great understanding of what it means to use it "with open eyes." I will try to respond to your questions below.

Phone Numbers: This point came organically from a few conversations about "what 's the worst that could happen with the information Facebook has." It seemed to me that many people did not know how easily their number could be spoofed. The goal of this post is to make people realize they are making a real choice of convenience over vulnerability. For those that choose to keep their number online, my suggestion may help them catch a phisher later by being suspicious. 123People may have phone numbers, but attackers like convenience too, and if there's low-hanging fruit, they will use it. Regarding privacy settings, remember it's not your own practices but your inner circle's as well that matter.

Games: For the most part, the game attack is a phishing game. But there have been instances of spyware downloads. http://www.fortiguard.com/advisory/FGA-2007-16.html

Chat: You've got it exactly that it is the possibility for taking the account over that is my main concern. It is my opinion that Facebook is a higher target for these kinds of attacks than other popular chat clients, and therefore it is less desirable for sensitive information. I also notice that the Chat feature is not explicitly described in Facebook's privacy policy.

Inbox: I don't have any anecdotal evidence about the Facebook Inbox feature, but I generally don't use it either. "Right tool for the job" and such. I don't see the Inbox feature in Facebook's privacy policy either. I would infer though that it's fair game for the harvesting they already do.

Acquaintances: Absolutely, some people do use Facebook to grow a contact list. I think the people most vulnerable are the "line-blurrers" who can provide a link to both personal and professional vectors. That is why I strongly suggest people take a critical look at all the information they provide Facebook, not just the pieces outside their privacy settings. The most common response I hear to this list is "What's the worst that could happen?" and for everyone that answer is slightly different.

Passwords: Thank you for the LastPass recommendation!

Photos: Perhaps here is where this post becomes the most "broad." It is difficult to write suggestions for Facebook users when there are so many different types. Obviously some people are fine with living the life that is photo friendly, and therefore have no worries. But Facebook has a reputation for hosting some really gem-like moments, and I tried to address that, as do they.

Other Websites: I should clarify that up to this point I don't have evidence that the Facebook Connect feature has been compromised. I do think there are trust issues, and the chance to spoof or imitate the feature by password phishers is possible. If a site looks suspicious than the appearance of "Facebook Connect" is NOT a way to login to the site more securely. It is a convenience feature, and should not be mistaken for a security feature.

Thanks again for taking the time to comment on my post, and for giving me the opportunity to elaborate on some points.

Take care,
Marisa

Marisa Fagan said...

As an addition to the "photos" suggestion, recently a woman lost her health insurance benefits because of photos of her on Facebook belying her health condition.

"IBM staffer posts pics on Facebook, loses benefits" by Chris Matyszczyk on CNet News.
http://news.cnet.com/8301-17852_3-10404633-71.html

Split SSystem said...

really good to know, and tell others... congrats to the post, but i want to say something:
you can solve all secure issues with one rule:
don't publishing your [really] personal info in any place...
always work to me =)

and is good to remember, is important give some credit to developers that work hard to give better experience to users, bringing us new features and ideas.

after all, if we do not use resources such as 3rd party connections, how it will become mature?

in any case, very good post!

Anonymous said...

http://bum-zack.blogspot.com/2009/12/missing-facebook-functions.html

Anonymous said...

Well I agree but I think the collection should prepare more info then it has.

Nora said...

I wonder if you realize that your warnings are still in a kind of "techno-speak" that will not relate to the average Facebook user. Most people over the age of 30 don't know what Phishing is. If they don't understand your cautions they are certainly not going to follow them. You need to write a more commonly spoken article on why these things are dangerous.