We’ve Moved!

The Social Media Security Podcast has been recently changed to the Shared Security Podcast.  For details on this move please read this blog post.  Your current podcast subscription should automatically update via iTunes or other podcast player.  Want to listen or subscribe to old Social Media Security Podcast episodes? Check out our archive page. Show descriptions are noted below on this website.

Please follow us on our new Twitter and like us on our updated Facebook page.  Our new website is located at sharedsecurity.net. Thanks for listening to the podcast over the years and we look forward to many more!

-Shared Security Podcast Hosts, Scott Wright and Tom Eston

The New Facebook Graph Search: How to Protect Your Privacy

Over the last several months, Facebook has been making significant design and UI changes. Besides the newsfeed changes announced several weeks ago, Facebook has recently begun rolling out a large change in the way you search for information through the platform. While this feature is still in “beta” status, you can tell if you have the new Graph Search by looking at the top left side of your Facebook profile (Figure 1). You will see a search area called “Search for people, places and things”.

 

facebook_privacy_settings_graph_search

Figure 1 – Location of the Facebook Graph Search on Your Profile Page

 

The Facebook Graph Search is a new implementation of search which retrieves information that comes from Facebook’s Graph. This new feature brings powerful capabilities for finding out more about your friends’ “likes” and activities. It also provides attackers with a more efficient way to glean information for social engineering attacks and other intelligence gathering activities.

What’s the Facebook Graph?

Think of the Facebook Graph as a very large database of personal information from (literally) a billion Facebook users. This information is categorized by what you and your friends like as well as what you’ve posted, what’s in your profile, locations you’ve visited, and tagged pictures. The Facebook Graph has evolved over the years in order to correlate as much information as possible, making it very easy to search.

What’s the Privacy Concern?

The issue is that anything you’ve ever posted publically, “Liked,” or were ever tagged in can be quickly searched. Additionally, other information that you’ve posted in your profile, such as your hometown, relationship status, and employer now become searchable. For example, those party pictures you were tagged in four years ago doing things you would never do anymore can be searched by your friends and possibly the friends of your friends; or worse, anyone with a Facebook account.

The Graph Search opens up lots of new and interesting search possibilities that we’ve yet to see on a social network. Here’s one example: Suppose you are a single male looking for single females. You can simply search for “photos of friends of my friends who are single and female” and find pictures of all the single females that are friends of your friends. Interesting, huh? How about the intelligence gathering aspects of these types of searches? For example, search for “<Insert Company> employees located in <Insert City> and you will have a list of targets for social engineering or more. For some other eye opening searches, I recommend you read this blog which shows some interesting privacy ramifications of creative searches.

How to Protect Your Privacy

First, check out Facebook’s “Activity Log” (Figure 2) which can be found under Privacy Settings and Tools in your Privacy Settings.

 

facebook_privacy_settings_activity_log

Figure 2 – Location of Facebook’s Activity Log

 

Next, if you want to change the privacy settings for all posts you’ve shared with Friends of Friends or with the Public, you can select “Limit Past Posts,” which will automatically change the privacy settings on all past posts (Figure 3).

 

facebook_privacy_settings_activity_log2

Figure 3 – Selecting “Limit Past Posts” changes privacy settings for all posts set to Friends of Friends or Public

 

 

You will also want to make sure you review the following items in your Activity Log (Figure 4): Your Posts (especially those set to Public or Friends of Friends), Posts You’re Tagged In, Posts by Others, and Your Photos. It doesn’t hurt to also review your Likes to make sure there is nothing you liked that you don’t want coming up in a search.

 

facebook_privacy_settings_activity_log_photos_tags

Figure 4 – Items to Review in Your Activity Log

 

Lastly, carefully review your Facebook Privacy settings especially if you haven’t looked at them in a while. The Facebook Graph Search makes these settings more important than ever. Be sure to download SecureState’s recently revised Facebook Privacy & Security Guide which walks you through the recommended privacy settings while still allowing you to be social. The updated guide includes details on Facebook Graph Search and other important privacy settings. I encourage you to share this guide with friends and family.

Looking For More Information on Social Media Privacy?

SecureState has just released a comprehensive whitepaper by Ken Smith of SecureState’s Profiling & Penetration Team entitled “The Problem with Privacy”. I highly recommend you download and read this whitepaper to find out what the latest threats to your privacy are when using Social Media.

Cross-Posted from the SecureState Blog

Social Media Security Website and Podcast Reloaded!

Since 2009, I’ve been maintaining the popular Facebook Privacy & Security Guide that has been used by several universities and government agencies as well as regular users of Facebook.  If you’re not familiar with my guide, it’s a simple two page handout that walks you through recommended privacy and security settings for your Facebook profile.

The guide has been a labor of love but also required frequent updates since Facebook has drastically changed the privacy controls as well as the layout within the Facebook platform over the years.  Needless to say it’s been tough to keep the guide updated and also tough to keep it to a single page so that it can be easily distributed.  Today, I’m happy to announce that my company SecureState is now officially sponsoring the guide so that it can be maintained with frequent updates!  Having said that, I’m announcing today the release of the fourth version of the Facebook Privacy & Security Guide, updated with the latest information on Facebook’s privacy and security settings.  Please download and distribute to friends and family.

Also around the same time I started the guide, I started the Social Media Security website and podcast.  The podcast is still being recorded monthly and co-hosted by myself and Scott Wright.  Today we also released our 30th episode along with a website redesign for socialmediasecurity.com.  I’d like to thank the podcast’s new sponsor SecureState for the new design and support of the podcast.  Special thanks go to DigiP over at Tick Tock Computers for putting together a great site redesign and logo.  I look forward to recording more podcasts and getting the word out on how to safely use social media!

Facebook Privacy and Security Article on ConsumerReports

I wanted to pass along a really good article on Facebook Privacy that was released on ConsumerReports.org.  There are some good quotes from others in the security and privacy community including Kevin Johnson and Ed Skoudis.  Check out the article here:

http://www.consumerreports.org/cro/magazine/2012/06/facebook-your-privacy/index.htm

 

Facebook Privacy & Security Guide Updated to v3.0

I’ve finally updated the Facebook Privacy & Security Guide to version 3.0.  This is a major revision which includes directions on how to set the latest privacy and security controls in Facebook.  Maintaining this guide has been challenging over the last year as Facebook has made major changes multiple times in regards to the way privacy settings are enabled.  Having said that, this is a great time to use my guide and review what your privacy settings are.  Things like enabling secure browsing, login approvals and limiting the audience to what you post are more important then ever.

As always, feel free to distribute this guide to friends and family!  Happy Thanksgiving!

Download v3.0 of the Facebook Privacy & Security Guide here

Social Zombies Gone Wild: Totally Exposed and Uncensored

Kevin Johnson and Tom Eston gave the third and final “Social Zombies” talk at Notacon 8 this weekend.  This talk focused on how social networks are using geolocation and the abuse of location based services.

“Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, its only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.”

Slides are on SlideShare below:

Two New Social Media Security White Papers Released

My employer (SecureState) has released two white papers as part of our Social Media Security Awareness Month.  You can also download some cool wallpaper for this month created by Rob our graphic designer (see the picture on the right).  🙂

First is some research several of my colleagues and I worked on.  The paper is titled: “Profiling User Passwords on Social Networks”.  The paper discusses the password problem that we all know and love as well as how you can determine passwords by what individuals post on their profiles.  We dive into tools from Robin Wood, Mark Baggett and others that can be used to pull keywords from profiles and other sources to create wordlists.  These wordlists can be used for brute force attacks on user accounts.  Next, we look at password complexity of several popular social networks with some research around brute force controls that some of the social networks have implemented, or in some cases haven’t.  Lastly, we discuss some things that users of social networks can do when choosing passwords.  You can download my paper here.

The other paper released is titled: “Security Gaps in Social Media Websites for Children Open Door to Attackers Aiming To Prey On Children” by my colleague Scott White.  In his paper he looks at the security of social media websites specifically designed for children.  This is some very detailed research and sheds some light on how predators are using these sites to target children as well as some issues that are unique to these types of social media websites.  You can download Scott’s paper here.

Speaking of social media…I’ll be presenting “Social Impact: Risks and Rewards of Social Media” at the Information Security Summit this Friday at 10am.  I’ll have the slide deck posted shortly after the conference.

Share and Enjoy


FacebookTwitterDeliciousDiggStumbleUponAdd to favoritesEmailRSS


Hacking Your Location With Facebook Places

I just published a post over on the SecureState blog about how to hack your location using Facebook Places.  The post brings up some interesting questions about how social networks are going to have a problem with fake location check-in’s. In the meantime, it’s a way to have fun with your friends…:-)

Share and Enjoy


FacebookTwitterDeliciousDiggStumbleUponAdd to favoritesEmailRSS


1 2 3 6