The perils of popular Facebook

Malta Info Security

Archives

August 2008
July 2008
June 2008
Recent...
Older...

Quicksearch

Join our Google Group

RE: CISA Instructor

Re: CISA Instructor

CISA Instructor

Need expert advice

Re: June test

Poll box

Are you planning to obtain a security certification in 2008?
Yes
No
Maybe

Archives

Statistics

Last entry: 2008-08-14 21:06
100 entries written
62 comments have been made

Home | Contact Us

REQUEST SECURITY CERTIFICATION INFORMATION

Monday, June 9. 2008

Posted by Donald Tabone in Articles

Comments (4)
Trackbacks (0)
1022 hits

The perils of popular Facebook

An article written for the Sunday Times of Malta - IT Supplement dated 8-6-2008

Often enough, most people tend to have their own way of perceiving how secure they actual are when doing things online. Indeed a lot of people tend to be naive and prefer not to think of what can go wrong right after they post or publish something personal about themselves or even others.

The way we perceive how secure we are, largely depends on past personal experiences. If you ever suffered some sort of data loss due to a virus - you would know exactly what I mean - in that - once bitten twice shy. So worst memory tends to prevail over your decisions and even perceptions of how secure you really are. More over, misconceptions surround us such as "I have antivirus software, so I am secure" or “I have a firewall, so I am safe”. The reality is that to be secure you need to employ a suite of tools (antivirus being one of them) to help you reduce your risk exposure to an acceptable level.

These days there is a lot of talk about Facebook. First off - it is a social networking tool which anybody can freely sign up for and use. So far so good! One of reasons it is so popular with people (in particular with youngsters) is that it allows for virtual social interactivity - therefore somewhat redefining the way people meet, talk and share things with each other. In many ways I feel it has affected our social culture. If you feel shy, then you can look for your soul mate online without having to sweat it out before you pluck up enough courage to go talk to a guy/girl face to face. One facility Facebook offers is the ability to check how compatible you are with different people and linkup to different friends through existing friends to build a spider web of friends. One idea might be - the more friends you accumulate online (say on Facebook) the more popular you are perceived to be. At face value, Facebook sounds cool especially if you are a budding teen. So where's the catch?



Facebook is free. This means that anyone can sign up and disguise
him/her self to be whoever he/she decides to be. The first thing to
realise is that people might not be who they actually say they are. You
might think you are conversing with a certain person age x however in
reality this might not be so. Why would people want to do this? There
are various reasons why – not all of which are good and therefore any
enthusiast of social networking tools (such as Facebook) must be aware
of this. Don't trust who other people say they are - and this goes for
all ages. The bottom line is that it is a fantastic tool for social
engineering which in simplified terms means using the "art of
deception" to obtain what is normally personal privileged information.
Pay attention to who you accept as being your friend.

Next, the issue of privacy comes into play. By uploading pictures of
yourself and friends of yours you are publicly saying that these can be
shared. For obvious reasons your friend might have not wanted to share
some embarrassing photos. Unknowingly you might have even put your
friends reputation at stake. It's easy enough to pull pictures off
Facebook - but let’s remember that the Internet caches pictures and
once uploaded it is difficult to be certain that a previously uploaded
picture indeed cannot be found any longer. Avoid mapping your life or
that of others to Facebook or similar tools and upload stuff that you
feel is safe to share with the world.


Next in line we also ought to be aware that human resources (HR)
departments are now using tools like Maltego from Paterva. Maltego is
one example of a tool which can be used to determine the relationships
and real world links between people and websites (amongst many other
things) and graphically display it. One might have a perfect academic
record, however having personal pictures publicly showing off an
embarrassing side of you could and probably will reflect badly on your
curriculum. So before you 'flame' someone online, remember that if its
on the net and there is your name to it, there is a very good chance
that search engines will pick it up with a simple search. Remember that
it’s becoming common practice for HR departments to cross-reference
people before interviews.

Facebook Applications: I receive a tonne of invitations from various
friends of mine to install particular applications that have all sorts
of bells and whistles attached to them. Some are cool and fun to have -
others claim to let you know things like who viewed your profile -
something which actually goes against the privacy rules of Facebook.
These small applications are third party programs the intention of
which is not always good as they sometimes aim to capture some
information which breaches your privacy and usage policies. The issue
here is that we get so inundated with requests to install applications
that habit gets you accepting them all - the end result being that
you're not really paying attention to what sort of application you've
actually clicked on and installed. Consider these programs as mini
programs which function within Facebook - and there always is a catch -
so read the small print before you install any sort of application. Be
aware that Facebook does in fact prompt you for your consent to share
personal details – so vet them before blindly clicking away.

Last but not least - never share your password with anyone.
Unfortunately passwords alone are a very weak form of security and
there are countless reasons one could give which go beyond the scope of
this article. The last thing you would want is to have someone else
login to your account and change some personal detail of yours to
something embarrassing. Alas passwords depend on human nature and being
complex it has a lot of design flaws/features therefore its good to
keep in mind that passwords can be easily compromised and that they are
certainly not intended to be shared.
It is not my intention to paint a dark picture about Facebook or any
other social networking tool, rather the scope of this article is to
promote awareness of some of the consequences brought about by not
being responsible when posting or replying to people online. If there
is one thing that I'd like you to take away, it would be a typical
mindset such as "When online, responsibility is paramount - respect the
privacy of others and pay attention to who you trust"



Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

I was one of the first Facebook developers here in Malta before it started gaining momentum it has today. From my brief experience developing on Facebook, I think Facebook's APIs restrict spam to a certain extent and protect the user's privacy who install a Facebook application. For instance, I cannot use Facebook's API, to act like a 'virus' - sending invites on its own to all friends of the user who installed the application. Furthermore, if a person who is not a friend of the developer, but installed the application through a second-degree invite, the developer still cannot see the user's photos, or see his profile, if the user's privacy settings are correctly set.

In general, when a user installs a Facebook application, he/she needs to make sure that the checkbox 'allow application to access person information' is unchecked. This results in the application not knowing that the user is online, and therefore if the application needs to push updates (example feeds), the user is not affected. Of course, this makes the application quite useless, but if you're really paranoid, you can use approach.

My other recommendation is that since we often install applications and not use most them after a certain amount of time, we uninstall such dormant applications.

Coincidentally, I am planning another Facebook application very soon :-)
#1 James Attard (Homepage) on 2008-06-30 09:34 (Reply)
More about Facebook privacy:

http://www.zdnet.com.au/news/security/soa/Logged-in-or-out-Facebook-is-watching-you/0,130061744,339284281,00.htm
#2 James Attard (Homepage) on 2008-07-18 11:35 (Reply)
A photo that can steal your Facebook account ! What next?

They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR but omit a few key details to prevent it from being used immediately in any widespread attack.

To the Web server, the file looks exactly like a .gif file. However, a browser's Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim's browser. The browser then treats this malicious applet as though it were written by the Web site's developers.

Follow the link if you;d like to learn how the attack works...

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111298&intsrc=hm_list
#3 Donald (Homepage) on 2008-08-04 08:37 (Reply)
in reply to my previous comment -> here's what's next... Worms spread via spam on Facebook and MySpace - as reported by theregister.co.uk http://www.theregister.co.uk/2008/08/01/myspace_facebook_worm/

Miscreants have created a pair of worms targeting MySpace and Facebook users. Two variants of a new worm - dubbed Koobface - are the first to use social engineering sites to press-gang infected machines into botnets, warns net security firm Kaspersky Lab.

When a user with an infected machine accesses his MySpace account the Koobface-A variant posts links to a malicious website in the commentaries of friends' accounts. Koobface-B, which targets Facebook users, sends spam messages to an infected users' friends through the social networking site.
#4 donald (Homepage) on 2008-08-04 11:16 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

Frontpage - Top level

Calendar

Back August '08 Forward
Mon Tue Wed Thu Fri Sat Sun
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31

Categories


All categories

Quick links

Linkedin public profile

Blog Administration

Open login screen

RSS Feed
Please consider sending us a small donation to keep this site going. Click the PayPal logo below. Thank you!