Users Bamboozled and Policies Eroded – Is Facebook still the valuable tool you thought it was?

Geek level: Very Low. Editorial observations and deep, introspective questions…

I just wanted to give props to some folks who are really getting the impact of the changes to  Facebook privacy policies and settings, and trying to get the message across in different ways.

Facebook privacy settings are getting so complicated, few people seem to know the implications. And as a result, most don’t bother changing them. For those of you who remember what it was like to try to program a VCR back in the 1980’s and 90’s, what goes around comes around. The comparison is scary, as tweeted by Robert Nunez and Tom Watson – “Facebook privacy settings are the new programming your VCR”

(See http://www.preoccupations.org/2010/05/facebook-2010.html )

I heard about this observation while listening to This Week in Google (at http://www.twit.tv), when Jeff Jarvis mentioned it. Leo Laporte then added, “It’s like we’re all on flashing 12:00’s”  (If you don’t remember, it’s sort of like having a digital clock that loses power and forgets what time it is.) For the old VCRs, you had to go in and reset the time, then you had to set the channels and times you want to record. It was so complicated, many people just left them with the flashing 12:00’s. I can relate to that, along with many others I’ve heard from, regarding Facebook’s increasingly convoluted privacy settings.

Facebook just seems to want people to give up on protecting their privacy. To paraphrase Jarvis, it seems strange that instead of leveraging the trust of its 400 million users, and taking the opportunity to establish itself as the “protectors” of our identities on the Net, Facebook is carelessly exploiting that trust to its fullest extent for short term profit. Too bad for them, and for all of us.

Also in that same episode of TWIG, Jeff Jarvis referred to the Electronic Freedom Foundation’s (EFF) timeline of Facebook privacy policies over the years. It’s interesting to see how convoluted it’s become since their first privacy statement in 2005, which read:

No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

(from http://www.eff.org/deeplinks/2010/04/facebook-timeline )

Now, as of April 2010, the policy reads…

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections and any content shared using the Everyone privacy setting. … The default privacy setting for certain types of information you post on Facebook is set to “everyone.” … Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

So, did you know this? Or have you quit Facebook – for good, or in protest – due to these moves? Or will it take one more move toward the cliff?

Not surprisingly, I don’t use Facebook for anything very personal. The stuff I put there is all pretty boring, say my friends. But if you joined a long time ago and have a significant amount of personal information in Facebook, you might want to read today’s Facebook privacy policies and consider how likely it is that what you thought was protected (by the default settings at the time you joined) may inevitably become public at some point.

Today’s trending topics might as well be “Facebook privacy settings changed” and “Facebook privacy policies changed“. So, if you still feel that privacy represents a fundamental personal value, we’d all like to know, “What value does Facebook continue to bring you as a tool, and is it worth the cost?”

Facebooks Proposed Privacy Changes: What You Need to Know

I won’t put together a long post about the recently proposed Facebook Privacy Policy/Statement of Rights and Responsibilities changes.  There are already some very good analysis on the subject.  However, below are links to some of the best blog posts and research to check out.  Note that the comment period ends on April 3, 2010 at 12am PDT.  Make your comments on the Facebook Site Governance document page here.

Links to the proposed changes
Facebook Privacy Policy and Statement of Rights and Responsibilities Updates

Detailed Analysis Worth Reading
Facebook Proposes Broad Updates To Governing Docs — Our Analysis (from Inside Facebook)
How Facebook is Adding an Identity Layer to the Internet (from theharmonyguy)
Yet Again, Facebook Misunderstands Privacy (from MichaelZimmer.org)
Facebook Again to Test Privacy Boundaries (from Fred Stutzman)
Is Facebook Unliking Privacy? (from the ACLU of Northern California)

Also, be sure to check out Social Media Security Podcast Episode 12 which will be released soon!  Scott Wright and I will be talking about these changes with some analysis as well.

Security pros use layered techniques, but so do attackers

For many years security professionals have advocated using layered safeguards to reduce the risk of threats. While many organizations do employ multiple technologies like firewalls, anti-virus and intrusion detection to try to stop hackers, these guys are getting very good at navigating our layers of security. It’s like the old Mario and Donkey Kong video games where you had to jump over land mines, climb ladders, wait for doors to open and avoid swinging obstacles to reach the bonus prizes.

As an example of how many layers they are able to traverse, consider the reported attack on a financial institution’s enterprise network, which started life as a hacked Facebook account. (Click HERE for the full story.)

To make a long story short the attackers did the following:

  1. They captured the Facebook credentials of an individual who worked for a financial institution
  2. They then scanned the user’s Facebook profile to find recent social events involving co-workers on Facebook (finding a company picnic)
  3. They then sent emails to multiple Facebook friends who were co-workers saying, “Hey, have a look at the pictures I took at the company picnic!”
  4. The emails contained links to malicious web pages that attempted to launch a keylogger on the victims’ computers.
  5. They then scanned the keystrokes of an employee whose laptop had become infected with the keylogger and found the authentication credentials for the corporate VPN
  6. They infiltrated the VPN and infected a computer inside the corporate perimeter and performed vulnerability scans around the network to find servers with sensitive information on them.

The attack lasted as long as 2 weeks. If the attackers’ vulnerability scans had not been so “noisy”, they may not have been noticed, and the company could have suffered severe losses in terms of costly data breaches and corrupted databases, as well as system repairs.

So, what will happen now? Will the company add another layer of security to prevent a similar attack in the future? Probably… and these attackers will probably move on to other organizations with a bit less security. The cat and mouse game continues.

What’s interesting in this story is that the initial attack on the employees’ Facebook friends is pretty hard to defend against, since nothing seemed out of the ordinary. There really was a corporate picnic!

What would you do next if you were a security manager at this financial institution?

Social Media Security Podcast 8 – Would You Commit Social Media Suicide?

This is the 8th episode of the Social Media Security Podcast recorded January 8, 2010.  This episode was hosted by Tom Eston, Kevin Johnson and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Fifteen significant social media & security events of 2009

I recently co-authored an article with Jennifer Leggio from ZDNet on the Fifteen significant social media & security events of 2009.  Be sure to check it out as there were *many* high profile attacks on social networks and their users this year.  The article also provides a preview of what we might see in 2010.  Thanks again to Jennifer for putting this article together!

Social Media Security Podcast 4 – Death by Twitter, Open Source Intelligence, Policies, Google Wave

skullThis is the 4th episode of the Social Media Security Podcast recorded November 6, 2009.  This episode was hosted by Scott Wright, Tom Eston and Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • More scams on Twitter including the recent IQ quiz attack.  Disinformation on social networks…someone died example..are you sure they are really dead?
  • Tom talks about his Open Source Intelligence Gathering talk that he recently gave.  How do you find information posted about your company on social networks and why should you look?  Now is probably a good time for your company to create a social media strategy and then develop a Internet postings policy around this strategy.
  • Cisco has a great Internet posting policy to reference when created one for your company.
  • Scott talks about creating a postings policy for your company.  Here is a link to the Forrester book titled “Groundswell” that talks about creating a social media strategy.
  • Kevin talks about Google Wave.  What is it and why would we want to use this?  What are some of the security issues with Google Wave?  Check out the great research that theharmonyguy has been doing on Google Wave.
  • Developers! Please start coding securely from the beginning of the project! ktksbai.
  • Be sure to follow us on Twitter to stay up-to-date on all the latest news in the world of social media security!

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

New Version Released: Facebook Privacy & Security Guide

Facebook has made some changes to the privacy settings for Facebook profiles since the last time I updated the Facebook Privacy & Security Guide which was back on it’s original release (October 2008).  As with all things on the web…we want to keep this guide as current as possible so users of Facebook know how to configure each of the privacy settings in their profile.  Updates in this version (v1.1) include:

  • News Feed and Wall settings have been updated.  Facebook removed settings such as “time and date” and streamlined other settings
  • I have provided more information on how Facebook applications work and how you should configure your application privacy settings based on if your friends install an application
  • Updated information about Facebook Ads, Facebook Connect settings and Beacon websites

Click here to download the new version of the Facebook Privacy & Security Guide (v1.1)
(if you are downloading this to your browser, be sure to clear your browser cache prior to downloading as you may have the old version in your cache.  Better to do a “Save Link As…”)

As usual, please send any feedback about the guide to feedback[aT]socialmediasecurity.com or post a comment below.  As a supplement to this guide, stay tuned for a video walk through which we plan to post on YouTube and also make it available for free download.  If you have any other suggestions for user awareness guides, articles, video’s etc…consider joining our mailing list.

Social Media Security Podcast 1 – Zombies, Bad Facebook Apps, Twitter SPAM

skullThis is the first episode of the Social Media Security Podcast.  This episode was hosted by Scott Wright and Tom Eston.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback[aT]socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  Thanks for listening!

**You can subscribe to the podcast now in iTunes!

1 2 3