Facebook's Proposed Privacy Changes: What You Need to Know

I won’t put together a long post about the recently proposed Facebook Privacy Policy/Statement of Rights and Responsibilities changes.  There is already some very good analysis on the subject.  However, below are links to some of the best blog posts and research to check out.  Note that the comment period ends on April 3, 2010 at 12am PDT.  Make your comments on the Facebook Site Governance document page here.

Links to the proposed changes
Facebook Privacy Policy and Statement of Rights and Responsibilities Updates

Detailed Analysis Worth Reading
Facebook Proposes Broad Updates To Governing Docs — Our Analysis (from Inside Facebook)
How Facebook is Adding an Identity Layer to the Internet (from theharmonyguy)
Yet Again, Facebook Misunderstands Privacy (from MichaelZimmer.org)
Facebook Again to Test Privacy Boundaries (from Fred Stutzman)
Is Facebook Unliking Privacy? (from the ACLU of Northern California)

Also, be sure to check out Social Media Security Podcast Episode 12 which will be released soon!  Scott Wright and I will be talking about these changes with some analysis as well.

Security pros use layered techniques, but so do attackers

For many years security professionals have advocated using layered safeguards to reduce the risk of threats. While many organizations do employ multiple technologies like firewalls, anti-virus and intrusion detection to try to stop hackers, these guys are getting very good at navigating our layers of security. It’s like the old Mario and Donkey Kong video games where you had to jump over land mines, climb ladders, wait for doors to open and avoid swinging obstacles to reach the bonus prizes.

As an example of how many layers they are able to traverse, consider the reported attack on a financial institution’s enterprise network, which started life as a hacked Facebook account. (Click HERE for the full story.)

To make a long story short, the attackers did the following:

  1. They captured the Facebook credentials of an individual who worked for a financial institution
  2. They then scanned the user’s Facebook profile to find recent social events involving co-workers on Facebook (finding a company picnic)
  3. They then sent emails to multiple Facebook friends who were co-workers saying, “Hey, have a look at the pictures I took at the company picnic!”
  4. The emails contained links to malicious web pages that attempted to launch a keylogger on the victims’ computers.
  5. They then scanned the keystrokes of an employee whose laptop had become infected with the keylogger and found the authentication credentials for the corporate VPN
  6. They infiltrated the VPN and infected a computer inside the corporate perimeter and performed vulnerability scans around the network to find servers with sensitive information on them.

The attack lasted as long as 2 weeks. If the attackers’ vulnerability scans had not been so “noisy”, they may not have been noticed, and the company could have suffered severe losses in terms of costly data breaches and corrupted databases, as well as system repairs.

So, what will happen now? Will the company add another layer of security to prevent a similar attack in the future? Probably… and these attackers will probably move on to other organizations with a bit less security. The cat and mouse game continues.

What’s interesting in this story is that the initial attack on the employees’ Facebook friends is pretty hard to defend against, since nothing seemed out of the ordinary. There really was a corporate picnic!

What would you do next if you were a security manager at this financial institution?

Social Media Security Podcast 10 – Shmoocon, Geo-Location, Social Media Policies, CyberStalking

This is the 10th episode of the Social Media Security Podcast recorded February 8, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Social Media Security Podcast 9 – Defensio, Blippy.com, Relationships and Social Media

This is the 9th episode of the Social Media Security Podcast recorded January 26, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:


Social Media Security Podcast 8 – Would You Commit Social Media Suicide?

This is the 8th episode of the Social Media Security Podcast recorded January 8, 2010.  This episode was hosted by Tom Eston, Kevin Johnson and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:


Social Media Security Podcast 7 – New Facebook Privacy Settings, Twitter Lists, FTC and Bloggers

This is the 7th episode of the Social Media Security Podcast recorded December 21, 2009.  This episode was hosted by Scott Wright and Tom Eston.  Below are the show notes, links to articles and news mentioned in the podcast:


Facebook Application Privacy Confusion Continues

Many technology journalists and privacy advocates have criticized aspects of Facebook’s new privacy controls and default settings. But I’ve noticed one aspect to the changes that I find disappointing, and thus far I’ve not seen it noted elsewhere.

You may recall that earlier this year, Facebook came under scrutiny by the Privacy Commissioner of Canada. Several concerns the Commissioner’s office raised related to Facebook applications. Readers of this blog were already quite familiar with privacy issues relating to applications, but the Canadian investigation brought them to the forefront, and Facebook responded by promising sweeping changes to their platform.

When the new privacy controls launched on my own Facebook profile, I took a look at the section for “Applications and Websites.” At first, my feelings were mixed. Facebook had finally made it clear that the checkboxes of various fields you could elect to share applied only to applications your friends used. (The previous setup was far more confusing and led to even major technology sites errantly reporting that the controls applied to applications you used as well.) But Facebook had also removed the option to exempt yourself from the Platform completely.

But then I clicked the button to “Learn More” about what I shared when using applications and web sites. I’ve long talked about the need to educate users, so perhaps this would finally clarify how much access applications have. Instead, I was stunned to read this statement:

When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone (Edit Profile Privacy) as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs.

Excuse me?

At first, I thought this was simply false. The way I read it, authorizing an application gave it access to your PAI and anything visible to “Everyone,” but if the application also wanted, say, your favorite movies, it would ask you first. While Facebook has vowed to eventually roll out such a setup, it has not yet appeared and was not promised to be fully in place until fall of next year.

But then I realized what the paragraph was actually communicating. An application has access to your PAI and anything visible to “Everyone” as soon as you stop by – no authorization necessary. (This may lead to a few surprises and scares in the near future.) That last bit about requesting your permission for any additional information refers to authorizing the application. In other words, if the application needs any more data, it will request authorization – which gives it access to all of your personal data.

Some may counter that the confusion here lies with me alone, and I ought not presume that users will make the same mistake. However, given that users have already been trained to authorize applications before using them at all (not to mention whether users even distinguish applications from the Facebook brand), I’m quite certain this new paragraph will continue to produce the sort of myths I’ve seen published about the old application privacy settings. In any event, Facebook has resorted to language that could at best be described as somewhat vague.

Please correct me if you think I’m wrong, but I find the last sentence of Facebook’s new explanation very misleading. It gives the impression that applications will politely ask users for more personal details if they become particularly necessary, when in fact most people who use a given application have already authorized it and thus already given it full access to personal profile information.

After all of the controversies, studies, confusions, misstatements, and problems that have come about this past year regarding privacy and Facebook applications, and especially in light of the previous pressure from Canada, I would have thought that Facebook would take this opportunity to add a more thorough and clear exposition of what applications can access and do with user information. Perhaps I’m being too hard on their new attempt. But if the past is any indication, I expect user misunderstandings over Facebook applications to persist.


Facebook Privacy & Security Guide Video Released

I finally got around to recording and editing the video walkthrough of the Facebook Privacy & Security Guide.

The video clocks in at about 18 minutes.  I also included information about email/text alerts, how applications work, Facebook Ads, and how to hide your friends list from public searches.  Stay tuned for other guides and videos for MySpace, Twitter and LinkedIn.

Want to help with these guides and videos?  Join the volunteer mailing list or send me an email at feedback [At ] socialmediasecurity.com.
