Social Media Strategy and Implementation


I will be speaking at MITRE’s Social Media Strategy and Implementation Workshop in the Washington, DC area on September 28th. My topic is Attacking Social Networks. The goal of the talk is to show some of the darker aspects of social networking. These will be items and attack vectors that people may not be thinking about. Believe it or not some people are still oblivious to common social network attacks ;) If you are in the DC area stop on by.

New Version Released: Facebook Privacy & Security Guide

Facebook has made some changes to the privacy settings for Facebook profiles since the last time I updated the Facebook Privacy & Security Guide, which was back at its original release (October 2008).  As with all things on the web…we want to keep this guide as current as possible so users of Facebook know how to configure each of the privacy settings in their profile.  Updates in this version (v1.1) include:

  • News Feed and Wall settings have been updated.  Facebook removed settings such as “time and date” and streamlined other settings
  • I have provided more information on how Facebook applications work and how you should configure your application privacy settings based on whether your friends install an application
  • Updated information about Facebook Ads, Facebook Connect settings and Beacon websites

Click here to download the new version of the Facebook Privacy & Security Guide (v1.1)
(if you are downloading this to your browser, be sure to clear your browser cache prior to downloading as you may have the old version in your cache.  Better to do a “Save Link As…”)

As usual, please send any feedback about the guide to feedback[aT]socialmediasecurity.com or post a comment below.  As a supplement to this guide, stay tuned for a video walk-through which we plan to post on YouTube and also make available for free download.  If you have any other suggestions for user awareness guides, articles, videos, etc…consider joining our mailing list.

A Closer Look at Twitter’s New Terms of Service

On September 10th Twitter released a new Terms of Service (ToS) that you as a user of Twitter should be aware of.  Some of the changes related to privacy and security are noted below with my comments in bold:

  • The Content you submit, post, or display will be able to be viewed by other users of the Services and through third party services and websites. 
    This should be obvious but by using Twitter you should have no expectation of privacy at all (even with a “private” profile).
  • In consideration for Twitter granting you access to and use of the Services, you agree that Twitter and its third party providers and partners may place such advertising on the Services or in connection with the display of Content or information from the Services whether submitted by you or others. 
    Twitter has to make money somehow so don’t be shocked when you see ads being generated based on the content of your tweets.

  • You are responsible for safeguarding the password that you use to access the Services and for any activities or actions under your password. We encourage you to use “strong” passwords (passwords that use a combination of upper and lower case letters, numbers and symbols) with your account. Twitter cannot and will not be liable for any loss or damage arising from your failure to comply with the above requirements. 
    This shouldn’t be a surprise either.  If your password gets owned by a hacker, Twitter is not responsible.  However, I still think that Twitter should require stronger passwords on their end.
  • You understand that by using the Services, you may be exposed to Content that might be offensive, harmful, inaccurate or otherwise inappropriate, or in some cases, postings that have been mislabeled or are otherwise deceptive. 
    Disinformation is a popular tactic on Twitter used by spammers as well as people that want to spread incorrect information about news and other topics.  Twitter is not responsible for this type of behavior.  You don’t believe *everything* you read on Twitter right? 🙂
  • By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).
    Sure, the content you post is yours but whatever you post can be modified, retransmitted, etc by Twitter and third-party apps that interact with Twitter.
  • …you have to use the Twitter API if you want to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use the Content or Services. 
    This is the reason that the Twitter API is so open and also the primary reason that spammers and other people with bad intent can take advantage of the service.
  • You may not do any of the following while accessing or using the Services: (i) access, tamper with, or use non-public areas of the Services, Twitter’s computer systems, or the technical delivery systems of Twitter’s providers; (ii) probe, scan, or test the vulnerability of any system or network or breach or circumvent any security or authentication measures…
    This is interesting to me.  So if you are a security researcher you cannot “test” Twitter for vulnerabilities.  That would include fuzzing and/or doing simple tests for XSS.  So if you find a vulnerability on Twitter and disclose it to them can they delete your account, or report you to law enforcement?  Remember kids…don’t test for vulnerabilities without permission first. 🙂
  • …or (v) interfere with, or disrupt, (or attempt to do so), the access of any user, host or network, including, without limitation, sending a virus, overloading, flooding, spamming, mail-bombing the Services, or by scripting the creation of Content in such a manner as to interfere with or create an undue burden on the Services.
    The part about flooding and mail-bombing the Services relates to the recent Twitter DDoS I suspect.
  • Twitter will not be responsible or liable for any harm to your computer system, loss of data, or other harm that results from your access to or use of the Services, or any Content. You also agree that Twitter has no responsibility or liability for the deletion of, or the failure to store or to transmit, any Content and other communications maintained by the Services. We make no warranty that the Services will meet your requirements or be available on an uninterrupted, secure, or error-free basis.
    If you use Twitter (or any social network for that matter) don’t assume that it’s “secure”.  They don’t guarantee security and you shouldn’t either.  Also, if you see the Fail Whale…it’s also not a guarantee of service availability. 🙂

These are the main changes that I picked out related to privacy and security.  However, you should really read the full ToS as it has gotten more detailed than the previous version.  I would suspect more communication from Twitter on future changes to the ToS.

The month of Facebook bugs begins!

As posted previously by theharmonyguy…the month of Facebook bugs has begun!

One of our contributors theharmonyguy will hopefully be posting one Facebook application bug per day for the month of September.  He is going to keep this up for the entire month if he can.  He does need your help though!  If you have a bug you found either in Facebook or in a Facebook application, please send it to theharmonyguy [aT] gmail.  Full credit will be given to you for finding a bug.

Let’s hope this month we raise some awareness of vulnerabilities in Facebook and the Facebook application platform!  Look for the hashtag #FAXX on Twitter for news and alerts on new vulnerabilities found this month.

You can find out more information in this great article over at DarkReading on the month of Facebook bugs.

Social Zombies: Your Friends Want To Eat Your Brains Video from DEFCON Posted

The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo.  If you missed us at DEFCON Kevin and I will be presenting an updated version at OWASP AppSec DC in November.



Vote for Inherent Dangers of Real-Time Social Networking panel at #SXSW

We were happy to see that one of the panels up for selection at the South by Southwest (SXSW) Interactive Festival next year (March 12-16, 2010) is a panel about the security of social networks called “Inherent Dangers of Real-Time Social Networking”.  The way panel selection works at SXSW is that panels are up for open voting, which ends on September 4th.  Basically the voting works like this (from the SXSW site):

“SXSW is a community-driven event. So, knowing what kinds of topics you want to hear at the event next March is extremely important to us. Your voting accounts for about 30% of the decision-making process for any given programming slot.

Also important is the input of the SXSW Advisory Board, which is a group of industry professionals from across the US and around the world. The final part of the panel decision-making equation is the input of the SXSW staff.”

So yes, you have a big part in the selection process!  This panel includes the following participants:

Jennifer Leggio (@mediaphyter), ZDNet
John Adams (@netik), Twitter operations and security incident response team
Damon Cortesi (@dacort), security consultant at Sevicron, founder of TweetStats, Twitter app developer
Mike Murray (@mmurray), CISO of Foreground Security

Awesome, awesome group for this panel.  Here is the description of the panel (from the SXSW PanelPicker site):

“There’s plenty of chatter about social media and security issues, from social engineering to the naïveté of users. This panel of experts will explore how cyber criminals are taking advantage of socnets flaws and lack of user awareness, and what both individuals and companies can do to help protect themselves.”

Since this is one of the biggest media conferences of the year, we highly encourage you to vote for this panel.  This will be one not to miss if selected!  What are you waiting for?  Go vote now!

Old News: Twitter can be used for Botnet Command & Control

Shocking but true…today a researcher discovered that Twitter has been used for command and control of a botnet which may have been used by Brazilian hackers to steal online banking login information.  Kudos to the researcher, Jose Nazario, who found this.  It was an interesting read to say the least.  The bot would basically look for base64-encoded commands on a Twitter account to download malware via RSS feeds with obfuscated (shortened) URLs.  Interesting…sounds a lot like Robin Wood’s tool KreiosC2 which was released at DEFCON 17.  I even did this demo showing what else? Base64-encoded commands.  Ironically, I showed off the first version of this code at Notacon 6 back in April of this year.  Keep in mind, KreiosC2 can be used for legitimate tasks like controlling things at home remotely via Twitter.  I highly recommend you read Robin’s detailed write-up on how KreiosC2 functions.
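The C2 pattern described above (commands published as base64 on an account, pointing at shortened download URLs) is something a defender can hunt for in feed data rather than just read about. The Python below is an added example written for this page; it is not Jose Nazario’s analysis, the bot’s code, or KreiosC2. It parses a constructed RSS feed standing in for a controller account, decodes any well-formed base64 token that yields printable text, and flags decoded payloads whose URLs point at a hypothetical list of shortener hosts. The feed contents and the shortener hosts are constructed for the example.

```python
"""Hunt for base64-encoded C2 commands in a Twitter-style RSS feed.

Added example for this page. The sample feed and the shortener host
list below are constructed; they are not real accounts or services.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical shortener hosts used only to classify the constructed sample.
SHORTENER_HOSTS = {"short.example", "tiny.example"}

# A candidate blob: at least 16 base64-alphabet characters plus optional padding.
# Short blobs are skipped to cut down on false positives from ordinary words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample feed."""
    return base64.b64encode(text.encode()).decode()


# Constructed feed: two "tweets" carry encoded commands, one carries a plain
# URL, one is chatter, and one is a blob that decodes to unprintable bytes.
SAMPLE_RSS = f"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>ctrl_account</title>
<item><title>had a great lunch today, back to work</title></item>
<item><title>{_b64("http://short.example/a1b2c3")}</title></item>
<item><title>{_b64("dl http://tiny.example/x9y8 run")}</title></item>
<item><title>reading http://example.com/news/2009/09</title></item>
<item><title>AAAAAAAAAAAAAAAAAAAAAAAA</title></item>
</channel></rss>"""


def decode_candidate(token: str) -> Optional[str]:
    """Return decoded text if `token` is strictly valid base64 that decodes to
    printable ASCII; otherwise None. Strict validation and the printable check
    reject random alphanumeric runs that merely look like base64."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.strip() or not text.isprintable():
        return None
    return text


def scan_feed(rss_xml: str, shortener_hosts=frozenset(SHORTENER_HOSTS)) -> list:
    """Walk every <item><title> in the feed and report each decodable base64
    blob together with the URLs it contains. Nothing is fetched: the point is
    to surface the channel, not to follow the bot's download links."""
    findings = []
    root = ET.fromstring(rss_xml)
    for item in root.iter("item"):
        title = item.findtext("title") or ""
        for token in B64_TOKEN.findall(title):
            decoded = decode_candidate(token)
            if decoded is None:
                continue
            urls = URL_RE.findall(decoded)
            hosts = {(urlsplit(u).hostname or "").lower() for u in urls}
            findings.append({
                "tweet": title,
                "decoded": decoded,
                "urls": urls,
                "shortened": bool(hosts & set(shortener_hosts)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_feed(SAMPLE_RSS):
        flag = "SHORTENED" if f["shortened"] else "plain"
        print(f"[{flag}] {f['decoded']!r}  urls={f['urls']}")
```

Run as a script it reports the two encoded commands and ignores the chatter, the plain-text URL, and the all-`A` blob (which decodes to NUL bytes and fails the printable check). On real feed data expect some noise from hashes and tokens that happen to decode cleanly; the decoded text plus a shortener hit is the signal worth alerting on, and the scanner deliberately never fetches the URLs it finds.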

What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”.  Well, you can’t say we didn’t warn you.

The point that Robin, I and others were trying to make way back in April was that this is a real threat and the bad guys had probably started to use Twitter for C2 even before Robin put out the code!  We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this).  Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things.  It always takes something bad happening to create change…where have you heard that before? :-)



Sex Offenders in IL Banned from Social Networking Sites

There was an interesting post on Mashable today about a new law that was just passed in Illinois by Governor Pat Quinn.  Basically, it bans sex offenders from using social networking sites.  The problem is that “social networking” is so loosely defined that this could mean any news site or blog.  Think about Facebook Connect or anything that shows a profile picture with media links and/or text.  In addition, how would this stop a sex offender from using an alias and/or fake name on these sites (if you can even define what these sites are)?

There is some interesting conversation brewing around this one especially around the fact that just by peeing in public you are considered a sex offender in 13 states!

Read the entire article on Mashable here.
