Comments on Errata Security: 10 Facebook Don'ts
Comments feed (feed author: David Maynor). Nine comments, shown oldest first.

Anonymous (2009-11-21 16:46 -05:00):
Hi Marisa,

I would like to translate this post into Spanish to spread these useful "don'ts" because everybody deserves to enjoy the Internet and Facebook without black hats around :)

If you want, please contact me via Twitter (@im_dario).

Anonymous (2009-11-22 02:25 -05:00):
- phone numbers: So, you also suggest that we explicitly unlist ourselves from all telephone directories, and chase after 123people and all of its ilk to be removed from their databases in which we never asked to be included anyway? Impractical. Posting, or not posting, a phone number on a Facebook profile is a matter of how much convenience the Facebook user wishes to give (privacy settings somewhat controllable) others in contacting them by telephone. It isn't a "hack me" sign stuck to their back.

- games (applications generally): Unless you're saying that the hacks to the games include script injections which can capture your Facebook login credentials, as much as I hate, hide, and block almost all applications so that they a) don't waste my screen space, and b) can't access my Facebook information, I would like to see more detail about how applications would get a Facebook user's actual login credentials?

- chat: Other than the usual, that if you "friend" someone without an offline confirmation that they are who you think they are, and that their account could have been taken over, how is Facebook chat any more public than, say, email?

- refresh your personal data: Good general advice.

- lazy emails: I think this can be simplified to "don't click on links in emails". Good general advice.

- lazy emails, take 2: I don't rely on Facebook's email system. I like to have my emails on my own technology (or at least technology commercially contracted by me). Then I know I won't have a problem extracting the data at a later time if I wish. (Security risk: Availability.) Not to mention that Facebook's email system is rather rudimentary.

- acquaintances: Depends on why you use Facebook. If it is to expand your circle of contacts (I have seen a growing number of people blurring the line between Professional and Social networking sites), then by all means "friend" acquaintances. Just do it - as with all connections - with forethought about what information will be shared.

- passwords: Change passwords regularly, and don't use the same password on several sites. Good general advice. Personal recommendation: a password vault program, such as LastPass, because we all simply have too many passwords now to remember them, and without a technology crutch we are simply forced to get lazy and re-use passwords and change them too infrequently.

(to be continued)

Anonymous (2009-11-22 02:26 -05:00):
(continuation of my earlier comment; sorry for the length!)

- photos are forever: I forget who, but someone who is a much better writer than I recently penned a very nice article regarding how "privacy" is better considered a question of trust than of anonymity. Offline and online, we must manage who our (real) friends and acquaintances are, including setting their expectations of our privacy intentions, such as what photos to take and where to disseminate them. Each person runs the risk, every time s/he does anything which might come back to haunt him/her, in any forum where anyone else is present. Photos on Facebook are not different. Facebook makes it easier, but not conceptually different, for them to make the mistake of doing something silly (or worse) among company who can't be *trusted* to maintain the privacy of the act.

- @mentions: I have set my Facebook privacy settings to limit all accesses to my information to my own "friends"; nothing is set to "friends of friends" (and some are set to "only me"). Refer back to privacy = a trust problem. Nonetheless, the advice is good - again, refer back to privacy = a trust problem: your friends are trusting you to make wise decisions with their privacy!

- other websites: In the sense that I yesterday permitted a Windows Mobile 6.5 application to know my Facebook credentials for easier integration, yes, I'm trusting something else to act on my behalf, which could result in the loss of my control over my Facebook account. But I suspect there was something else behind that; please elaborate?

As Marisa said, this is all intended more at helping people go into the Social Networking world with open eyes. My responses here are to acknowledge that our digital houses have some open, unlocked, unlockable, insecurable doors and windows (see the phone number comment), so we also need to avoid creating a usability problem by attempting to secure things which actually buy us very little when taken in the context of our whole digital selves. All balance should be taken in balance :-)

Cheers,
Jay Libove, CISSP, CIPP

Marisa Fagan (2009-11-23 21:08 -05:00):
Jay,

Thanks for the thoughtful response to my 10 Facebook suggestions. It seems you've got a great understanding of what it means to use it "with open eyes." I will try to respond to your questions below.

Phone Numbers: This point came organically from a few conversations about "what's the worst that could happen with the information Facebook has." It seemed to me that many people did not know how easily their number could be spoofed. The goal of this post is to make people realize they are making a real choice of convenience over vulnerability. For those that choose to keep their number online, my suggestion may help them catch a phisher later by being suspicious. 123People may have phone numbers, but attackers like convenience too, and if there's low-hanging fruit, they will use it. Regarding privacy settings, remember it's not your own practices but your inner circle's as well that matter.

Games: For the most part, the game attack is a phishing game. But there have been instances of spyware downloads. http://www.fortiguard.com/advisory/FGA-2007-16.html

Chat: You've got it exactly that it is the possibility for taking the account over that is my main concern. It is my opinion that Facebook is a higher target for these kinds of attacks than other popular chat clients, and therefore it is less desirable for sensitive information. I also notice that the Chat feature is not explicitly described in Facebook's privacy policy.

Inbox: I don't have any anecdotal evidence about the Facebook Inbox feature, but I generally don't use it either. "Right tool for the job" and such. I don't see the Inbox feature in Facebook's privacy policy either. I would infer though that it's fair game for the harvesting they already do.

Acquaintances: Absolutely, some people do use Facebook to grow a contact list. I think the people most vulnerable are the "line-blurrers" who can provide a link to both personal and professional vectors. That is why I strongly suggest people take a critical look at all the information they provide Facebook, not just the pieces outside their privacy settings. The most common response I hear to this list is "What's the worst that could happen?" and for everyone that answer is slightly different.

Passwords: Thank you for the LastPass recommendation!

Photos: Perhaps here is where this post becomes the most "broad." It is difficult to write suggestions for Facebook users when there are so many different types. Obviously some people are fine with living the life that is photo friendly, and therefore have no worries. But Facebook has a reputation for hosting some really gem-like moments, and I tried to address that, as do they.

Other Websites: I should clarify that up to this point I don't have evidence that the Facebook Connect feature has been compromised. I do think there are trust issues, and the chance to spoof or imitate the feature by password phishers is possible. If a site looks suspicious then the appearance of "Facebook Connect" is NOT a way to log in to the site more securely. It is a convenience feature, and should not be mistaken for a security feature.

Thanks again for taking the time to comment on my post, and for giving me the opportunity to elaborate on some points.

Take care,
Marisa

Marisa Fagan (2009-11-24 21:46 -05:00):
As an addition to the "photos" suggestion, recently a woman lost her health insurance benefits because of photos of her on Facebook belying her health condition.

"IBM staffer posts pics on Facebook, loses benefits" by Chris Matyszczyk on CNet News.
http://news.cnet.com/8301-17852_3-10404633-71.html

sploitMaster (2009-11-27 01:16 -05:00):
Really good to know, and tell others...
Congrats on the post, but I want to say something:
you can solve all security issues with one rule:
don't publish your [really] personal info anywhere...
always works for me =)

And it is good to remember that it is important to give some credit to developers who work hard to give users a better experience, bringing us new features and ideas.

After all, if we do not use resources such as 3rd party connections, how will they become mature?

In any case, very good post!

Anonymous (2009-12-11 16:27 -05:00):
http://bum-zack.blogspot.com/2009/12/missing-facebook-functions.html

Anonymous (2009-12-26 19:25 -05:00):
Well I agree, but I think the collection should prepare more info than it has.

Unknown (2010-05-15 19:45 -04:00):
I wonder if you realize that your warnings are still in a kind of "techno-speak" that will not relate to the average Facebook user. Most people over the age of 30 don't know what phishing is. If they don't understand your cautions they are certainly not going to follow them. You need to write a more commonly spoken article on why these things are dangerous.