
Jun 9

An article written for the Sunday Times of Malta - IT Supplement dated 8-6-2008

Most people have their own way of perceiving how secure they actually are when doing things online. Indeed, a lot of people tend to be naive and prefer not to think about what can go wrong after they post or publish something personal about themselves, or even about others.

The way we perceive how secure we are largely depends on past personal experience. If you have ever suffered some sort of data loss due to a virus, you will know exactly what I mean: once bitten, twice shy. The worst memory tends to prevail over your decisions and even over your perception of how secure you really are. Moreover, we are surrounded by misconceptions such as "I have antivirus software, so I am secure" or "I have a firewall, so I am safe". The reality is that to be secure you need to employ a suite of tools (antivirus being one of them) to help you reduce your risk exposure to an acceptable level.

These days there is a lot of talk about Facebook. First off, it is a social networking tool which anybody can freely sign up for and use. So far so good! One of the reasons it is so popular with people (in particular with youngsters) is that it allows for virtual social interactivity, thereby somewhat redefining the way people meet, talk and share things with each other. In many ways I feel it has affected our social culture. If you are shy, you can look for your soul mate online without having to sweat it out before you pluck up enough courage to talk to a guy or girl face to face. One facility Facebook offers is the ability to check how compatible you are with different people and to link up with new friends through existing friends, building a spider web of friends. One idea might be that the more friends you accumulate online (say on Facebook), the more popular you are perceived to be. At face value, Facebook sounds cool, especially if you are a budding teen. So where's the catch?

Facebook is free. This means that anyone can sign up and disguise himself or herself as whoever he or she decides to be. The first thing to realise is that people might not be who they say they are. You might think you are conversing with a certain person of age x, but in reality this might not be so. Why would people want to do this? There are various reasons, not all of them good, and therefore any enthusiast of social networking tools (such as Facebook) must be aware of this. Don't trust who other people say they are, and this goes for all ages. The bottom line is that it is a fantastic tool for social engineering, which in simplified terms means using the "art of deception" to obtain what is normally personal, privileged information. Pay attention to who you accept as your friend.

Next, the issue of privacy comes into play. By uploading pictures of yourself and your friends you are publicly saying that these can be shared. For obvious reasons your friend might not have wanted some embarrassing photos shared. Unknowingly, you might even have put your friend's reputation at stake. It's easy enough to pull pictures off Facebook, but let's remember that the Internet caches pictures, and once a picture has been uploaded it is difficult to be certain that it cannot be found any longer. Avoid mapping your life, or that of others, onto Facebook or similar tools, and only upload material that you feel is safe to share with the world.

Next in line, we also ought to be aware that human resources (HR) departments are now using tools like Maltego from Paterva. Maltego is one example of a tool which can be used to determine the relationships and real-world links between people and websites (amongst many other things) and display them graphically. One might have a perfect academic record, yet having personal pictures publicly showing off an embarrassing side of you could, and probably will, reflect badly on your curriculum vitae. So before you 'flame' someone online, remember that if it's on the net with your name attached to it, there is a very good chance that search engines will pick it up with a simple search. Remember that it is becoming common practice for HR departments to cross-reference people before interviews.

Facebook applications: I receive a tonne of invitations from various friends of mine to install particular applications that have all sorts of bells and whistles attached to them. Some are cool and fun to have; others claim to let you know things like who viewed your profile, something which actually goes against the privacy rules of Facebook. These small applications are third-party programs whose intention is not always good, as they sometimes aim to capture information in breach of your privacy and of Facebook's usage policies. The issue here is that we get so inundated with requests to install applications that habit gets you accepting them all, the end result being that you're not really paying attention to what sort of application you've actually clicked on and installed. Consider these as mini programs which function within Facebook; there is always a catch, so read the small print before you install any sort of application. Be aware that Facebook does in fact prompt you for your consent to share personal details, so vet them before blindly clicking away.

Last but not least: never share your password with anyone. Unfortunately passwords alone are a very weak form of security, for countless reasons which go beyond the scope of this article. The last thing you would want is to have someone else log in to your account and change some personal detail of yours to something embarrassing. Passwords depend on human nature and, human nature being complex, they come with a lot of design flaws (or features); it is therefore good to keep in mind that passwords can be easily compromised and that they are certainly not intended to be shared.
It is not my intention to paint a dark picture of Facebook or any other social networking tool; rather, the scope of this article is to promote awareness of some of the consequences brought about by not being responsible when posting or replying to people online. If there is one thing I'd like you to take away, it would be a mindset such as: "When online, responsibility is paramount - respect the privacy of others and pay attention to who you trust".

Posted by Donald Tabone


4 Comments

  1. James Attard says:

    I was one of the first Facebook developers here in Malta, before it started gaining the momentum it has today. From my brief experience developing on Facebook, I think Facebook's APIs restrict spam to a certain extent and protect the privacy of users who install a Facebook application. For instance, I cannot use Facebook's API to act like a 'virus', sending invites on its own to all friends of the user who installed the application. Furthermore, if a person who is not a friend of the developer installs the application through a second-degree invite, the developer still cannot see the user's photos or profile, if the user's privacy settings are correctly set.

    In general, when a user installs a Facebook application, he/she needs to make sure that the checkbox 'allow application to access personal information' is unchecked. This results in the application not knowing that the user is online, and therefore if the application needs to push updates (for example feeds), the user is not affected. Of course, this makes the application quite useless, but if you're really paranoid, you can use this approach.

    My other recommendation is that, since we often install applications and do not use most of them after a certain amount of time, we uninstall such dormant applications.

    Coincidentally, I am planning another Facebook application very soon :-)

  2. James Attard says:

    More about Facebook privacy:

    http://www.zdnet.com.au/news/security/soa/Logged-in-or-out-Facebook-is-watching-you/0,130061744,339284281,00.htm

  3. Donald says:

    A photo that can steal your Facebook account! What next?

    They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR but omit a few key details to prevent it from being used immediately in any widespread attack.

    To the Web server, the file looks exactly like a .gif file. However, a browser's Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim's browser. The browser then treats this malicious applet as though it were written by the Web site's developers.

    Follow the link if you'd like to learn how the attack works...

    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111298&intsrc=hm_list
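The comment above explains why a GIFAR works: the web server and browser judge the file by its leading bytes (a GIF header), while the Java archive reader locates the archive from the end of the file and ignores whatever precedes it. The following is an added example of the defender's counterpart, a server-side upload check that flags a file which passes as a GIF and would also be accepted by a zip/JAR reader. It is not code from the article, its comments, or the Computerworld piece; it assumes the upload filter otherwise only inspects the leading bytes, and the two sample files (a minimal 1x1 GIF and the same GIF with a one-entry zip archive appended as a fixture) are constructed inline.

```python
import io
import struct
import zipfile

# Added example (not from the article or its comments): a server-side check
# that flags an uploaded "image" which a zip/JAR reader would also accept.
# Java's JAR loader finds the archive via the end-of-central-directory (EOCD)
# record at the END of the file, so a GIF glued in front of it is ignored,
# while a web server that only looks at the leading bytes sees a plain GIF.

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"      # end-of-central-directory signature
EOCD_FIXED_LEN = 22           # fixed part of the EOCD record
MAX_ZIP_COMMENT = 0xFFFF      # EOCD may be followed by a comment up to this long


def looks_like_gif(data: bytes) -> bool:
    """The naive check a web server or upload filter typically performs."""
    return data[:6] in GIF_MAGICS


def find_zip_eocd(data: bytes):
    """Return the offset of a valid EOCD record near the end of data, or None.

    A zip/JAR reader searches backwards over at most EOCD_FIXED_LEN + 65535
    bytes for the signature, then checks that the central directory fits in
    front of it. Bytes before the archive (such as a GIF) are simply ignored,
    which is exactly what lets a polyglot file pass as an image.
    """
    search_from = max(0, len(data) - EOCD_FIXED_LEN - MAX_ZIP_COMMENT)
    idx = data.rfind(EOCD_SIG, search_from)
    while idx != -1:
        if len(data) - idx >= EOCD_FIXED_LEN:
            (_disk, _cd_disk, _n_here, _n_total,
             cd_size, cd_offset, comment_len) = struct.unpack(
                "<HHHHIIH", data[idx + 4:idx + EOCD_FIXED_LEN])
            ends_at_eof = idx + EOCD_FIXED_LEN + comment_len == len(data)
            cd_fits = cd_offset + cd_size <= idx
            if ends_at_eof and cd_fits:
                return idx
        idx = data.rfind(EOCD_SIG, search_from, idx)
    return None


def is_image_archive_polyglot(data: bytes) -> bool:
    """True when the data passes the GIF check AND a zip reader would open it."""
    return looks_like_gif(data) and find_zip_eocd(data) is not None


def build_samples():
    """Constructed test inputs: a minimal 1x1 GIF, and the same GIF with a
    one-entry zip archive appended (the shape of the file described above).
    The appended archive holds a text note, not a real JAR; it is a fixture.
    """
    clean_gif = (
        b"GIF89a"
        + b"\x01\x00\x01\x00\x80\x00\x00"               # 1x1 screen, 2-colour global table
        + b"\x00\x00\x00\xff\xff\xff"                   # palette: black, white
        + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
        + b"\x02\x02\x44\x01\x00"                       # LZW min code size + one sub-block
        + b"\x3b"                                       # GIF trailer
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "placeholder archive entry (constructed)")
    return clean_gif, clean_gif + buf.getvalue()


if __name__ == "__main__":
    clean, polyglot = build_samples()
    for name, sample in (("clean.gif", clean), ("polyglot.gif", polyglot)):
        verdict = ("REJECT: archive hidden in image"
                   if is_image_archive_polyglot(sample) else "ok")
        print(f"{name}: gif={looks_like_gif(sample)} "
              f"eocd={find_zip_eocd(sample)} -> {verdict}")
```

Signature scanning of this kind is a cheap first filter; a stricter upload policy is to re-encode every image server-side (which discards trailing bytes the decoder never needed) and to serve user-uploaded files from a separate domain, so that even a smuggled applet does not run with the main site's origin.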

  4. donald says:

    In reply to my previous comment -> here's what's next... Worms spread via spam on Facebook and MySpace, as reported by theregister.co.uk: http://www.theregister.co.uk/2008/08/01/myspace_facebook_worm/

    Miscreants have created a pair of worms targeting MySpace and Facebook users. Two variants of a new worm - dubbed Koobface - are the first to use social engineering sites to press-gang infected machines into botnets, warns net security firm Kaspersky Lab.

    When a user with an infected machine accesses his MySpace account, the Koobface-A variant posts links to a malicious website in the commentaries of friends' accounts. Koobface-B, which targets Facebook users, sends spam messages to an infected user's friends through the social networking site.
