Facebooks Proposed Privacy Changes: What You Need to Know

I won’t put together a long post about the recently proposed Facebook Privacy Policy/Statement of Rights and Responsibilities changes.  There are already some very good analysis on the subject.  However, below are links to some of the best blog posts and research to check out.  Note that the comment period ends on April 3, 2010 at 12am PDT.  Make your comments on the Facebook Site Governance document page here.

Links to the proposed changes
Facebook Privacy Policy and Statement of Rights and Responsibilities Updates

Detailed Analysis Worth Reading
Facebook Proposes Broad Updates To Governing Docs — Our Analysis (from Inside Facebook)
How Facebook is Adding an Identity Layer to the Internet (from theharmonyguy)
Yet Again, Facebook Misunderstands Privacy (from MichaelZimmer.org)
Facebook Again to Test Privacy Boundaries (from Fred Stutzman)
Is Facebook Unliking Privacy? (from the ACLU of Northern California)

Also, be sure to check out Social Media Security Podcast Episode 12 which will be released soon!  Scott Wright and I will be talking about these changes with some analysis as well.

Social Media Security Podcast 11 – Google Buzz, Geostalking, Twitter’s Phishing Filter

This is the 11th episode of the Social Media Security Podcast recorded March 15, 2010.  Sorry for the delay on releasing this!  We should be back on our biweekly schedule soon.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Facebook Privacy & Security Guide v2.0: Updated with New Privacy Changes

I have updated and released version 2.0 of the popular Facebook Privacy & Security Guide.  Version 2.0 reflects the recent changes that Facebook made to it’s privacy settings.  In addition, I added a new section titled “Blocking and Creating Friend Lists” and expanded on how your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are now publicly available information.

Download the new version of the Facebook Privacy & Security Guide here.
You can also get to the guide from: socialmediasecurit… and from the top of Socialmediasecurity.com under “Guides”.

Can you remove public access to your friend list?
One tip I didn’t have room for in the guide around these new changes is the following.  You can remove the ability for your “Friend List” to be viewed in public searches by selecting the Edit “pencil” in the Friends box on your profile page and unchecking the box.  Here is a screen shot of this.  Unfortunately, this control is all or nothing but the good news is your Friends can still see your friends list.  You may also want review your application settings so application “boxes” are not showing on your public profile as well.  More information can be found on Facebook’s blog post about these issues (hat tip to @mubix for pointing this out).

Like before please send any feedback on the guide to feedback[ aT ]socialmediasecurity.com.  The companion video is being worked and should be up shortly as well.

Should you use Twitter for Online Banking?

Today, a credit union in St. Louis, MO called Vantage Credit Union announced that they are offering a service through Twitter called tweetMyMoney to conduct online banking.  Banking credentials, PINs and account information are not passed through tweets made via direct message to the @myvcu Twitter account (from the FAQ listed on the bank’s website), only commands to get account balance, recent transactions, etc.

However, there are a few potential security issues/concerns with this type of service.  While it seems that VCU has made this system with good intentions, most of these concerns center around the fact that you are putting in requests for account information and even transferring money to other accounts through Twitter which is a third-party service not owned or managed by the bank.

  • Plain and simple, Twitter is a third-party service.  When you send a direct message (DM) to another Twitter user this message is stored on Twitter’s servers.  Not the banks.  The bank is simply retrieving these messages.  You should never have any expectation of privacy from DMs *at all*.  Sure, they are “private” to you and the user you are sending it to but think about who on Twitter’s end might be able to view these DMs.  Remember, security at Twitter is not very important currently as we have seen several times in very recent history.
  • What about the scenario of a local “man-in-the-middle” attack where someone could be sniffing your network traffic to modify your banking requests?  A simple attack like this could easily compromise the users Twitter account.  Guess what, people like to reuse user id’s and passwords…we all know where that could lead to.  I am not sure if they are using any form of two-factor authentication for their online banking application so you may only need a login id and password to access a compromised online banking account.  Again, not sure this is the case with VCU but yes, some banks are still using single factor authentication!
  • How about the security of the @myvcu Twitter account you send your direct messages to?  Attackers *will* target this account, it’s only a matter of time.  You are trusting that the folks at VCU are properly securing this account and there are no vulnerabilities or exploits on the Twitter site to compromise the account as well.  It also looks like this account is used for communicating with customers…it could be possible that these credentials could be phished and/or compromised through multiple avenues of attack.
  • I question the correspondence authentication codes that they have put in place.  Relying on the user to change these multiple codes is an interesting choice.  I could see this being spoofed quite easily.
  • Lastly, the users of this system could also be targeted if say a user accidentally tweeted something like “#l5d 7” to their followers instead of by DM (known as #dmfail)?  Attackers can easily script a bot to look for these patterns and target these users.

I don’t want to knock the folks at VCU as it seems that they are a very “progressive” bank and it looks like they want to push the envelope of new technology.  My opinion is that it just seems that there are too many points of security “fail” in this system.  Potential failures in the Twitter service, @myvcu account and Twitter users of the VCU system in addition to the third-party privacy concerns all make for something that you shouldn’t be trusting your online banking to.  Social networks are not for online banking in any form…srsly.

Thanks to @rogueclown and @nickhacks for the tweets and comments about this new service.

New Version Released: Facebook Privacy & Security Guide

Facebook has made some changes to the privacy settings for Facebook profiles since the last time I updated the Facebook Privacy & Security Guide which was back on it’s original release (October 2008).  As with all things on the web…we want to keep this guide as current as possible so users of Facebook know how to configure each of the privacy settings in their profile.  Updates in this version (v1.1) include:

  • News Feed and Wall settings have been updated.  Facebook removed settings such as “time and date” and streamlined other settings
  • I have provided more information on how Facebook applications work and how you should configure your application privacy settings based on if your friends install an application
  • Updated information about Facebook Ads, Facebook Connect settings and Beacon websites

Click here to download the new version of the Facebook Privacy & Security Guide (v1.1)
(if you are downloading this to your browser, be sure to clear your browser cache prior to downloading as you may have the old version in your cache.  Better to do a “Save Link As…”)

As usual, please send any feedback about the guide to feedback[aT]socialmediasecurity.com or post a comment below.  As a supplement to this guide, stay tuned for a video walk through which we plan to post on YouTube and also make it available for free download.  If you have any other suggestions for user awareness guides, articles, video’s etc…consider joining our mailing list.

A Closer Look at Twitter’s New Terms of Service

On September 10th Twitter released a new Terms of Service (ToS) that you as a user of Twitter should be aware of.  Some of the changes related to privacy and security are noted below with my comments in bold:

  • The Content you submit, post, or display will be able to be viewed by other users of the Services and through third party services and websites. 
    This should be obvious but by using Twitter you should have no expectation of privacy at all (even with a “private” profile).
  • In consideration for Twitter granting you access to and use of the Services, you agree that Twitter and its third party providers and partners may place such advertising on the Services or in connection with the display of Content or information from the Services whether submitted by you or others. 
    Twitter has to make money somehow so don’t be shocked when you see ad’s being generated based on the content of your tweets.

  • You are responsible for safeguarding the password that you use to access the Services and for any activities or actions under your password. We encourage you to use “strong” passwords (passwords that use a combination of upper and lower case letters, numbers and symbols) with your account. Twitter cannot and will not be liable for any loss or damage arising from your failure to comply with the above requirements. 
    This shouldn’t be a surprise either.  If your password gets owned by a hacker, Twitter is not responsible.  However, I still think that Twitter should require stronger passwords on their end.
  • You understand that by using the Services, you may be exposed to Content that might be offensive, harmful, inaccurate or otherwise inappropriate, or in some cases, postings that have been mislabeled or are otherwise deceptive. 
    Disinformation is a popular tactic on Twitter used by spammers as well as people that want to spread incorrect information about news and other topics.  Twitter is not responsible for this type of behavior.  You don’t believe *everything* you read on Twitter right? :-)
  • By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).
    Sure, the content you post is yours but whatever you post can be modified, retransmitted, etc by Twitter and third-party apps that interact with Twitter.
  • …you have to use the Twitter API if you want to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use the Content or Services. 
    This is the reason that the Twitter API is so open and also the primary reason that spammers and other people with bad intent can take advantage of the service.
  • You may not do any of the following while accessing or using the Services: (i) access, tamper with, or use non-public areas of the Services, Twitter’s computer systems, or the technical delivery systems of Twitter’s providers; (ii) probe, scan, or test the vulnerability of any system or network or breach or circumvent any security or authentication measures…
    This is interesting to me.  So if you are a security researcher you cannot “test” Twitter for vulnerabilities.  That would include fuzzing and/or doing simple tests for XSS.  So if you find a vulnerability on Twitter and disclose it to them can they delete your account, or report you to law enforcement?  Remember kids…don’t test for vulnerabilities without permission first. :-)
  • …or (v) interfere with, or disrupt, (or attempt to do so), the access of any user, host or network, including, without limitation, sending a virus, overloading, flooding, spamming, mail-bombing the Services, or by scripting the creation of Content in such a manner as to interfere with or create an undue burden on the Services.
    The part about flooding and mail-bombing the Services relates to the recent Twitter DD0S I suspect.
  • Twitter will not be responsible or liable for any harm to your computer system, loss of data, or other harm that results from your access to or use of the Services, or any Content. You also agree that Twitter has no responsibility or liability for the deletion of, or the failure to store or to transmit, any Content and other communications maintained by the Services. We make no warranty that the Services will meet your requirements or be available on an uninterrupted, secure, or error-free basis.
    If you use Twitter (or any social network for that matter) don’t assume that it’s “secure”.  They don’t guarantee security an you shouldn’t either.  Also, if you see the Fail Whale…it’s also not guarantee of service availability. :-)

These are the main changes that I picked out related to privacy and security.  However, you should really read the full ToS as it has gotten more detailed then the previous version.  I would suspect more communication from Twitter on future changes to the ToS.

Social Media Security Podcast 1 – Zombies, Bad Facebook Apps, Twitter SPAM

skullThis is the first episode of the Social Media Security Podcast.  This episode was hosted by Scott Wright and Tom Eston.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback[aT]socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  Thanks for listening!

**You can subscribe to the podcast now in iTunes!

ACLU Facebook Quiz Exposes Privacy Issues in Facebook

While we would normally not recommend you take any of those annoying Facebook Quizes, we found one that has some merit and value.

The ACLU has developed a Facebook Quiz about Facebook privacy.  If you didn’t know…Facebook Quizzes are simply Facebook applications.  So by taking any quiz, the quiz developer has access to any of your potentially private information including…your friends information.

Take the quiz to find out more and support the efforts of the ACLU via this petition to help change Facebook’s policy on applications and what they can access.

1 2 3