Taking over the Facebook Page “buy now” button (Part 1 of 2)

As I have been testing the security settings of companies’ social media strategies, I have consistently noticed two things: marketing is desperately trying to find its ROI, and IT/Security doesn’t even know they have a FB page. I do agree that after a number of months, it is time to show the CFO that spending that insane amount of time on their social media sites is worth the payroll checks. Unfortunately, analytics alone have been a blurry way of making that compelling argument and can be defeated by saying, “If I had put those payroll checks into Google, I could see our ROI in a nice neat report.” This is one of the reasons that marketing is jumping head first into technologies like Shoutlet, Payvment or others (FB e-commerce). Why not sell your items on your FB Page? Your team has worked extremely hard to get thousands of new users to click follow/like. Ultimately, this is going to be the future of pages, but because IT/Security is not involved in the social media process it also opens a HUGE GAPING HOLE in your security policy and procedures. And of course, here is your example:

The policy of company ACME is “no social networking allowed” on internal networks. Sites are being blocked at the firewall with rules and enforced with a content filtering tool. IT/Security has done its job with social media, right? BUT an exception is made for Marketing because they are special people. A FB page was created and an e-commerce app installed without consulting IT/Security. I know this because after taking over the FB page using our friend Cain and Abel, I replaced just one of the “buy now” buttons to redirect it to my site and used analytics to see how many people clicked this button. When I showed this to the Director of IT he replied, “I didn’t even know we had a FB Page.” Part two is coming, but I leave you with this:

Who is in charge of these buttons? Have these tools been tested and approved by IT/Sec before you took the 6 minutes to install them on your Facebook page? What permissions are you giving this solution? HEY! IT/Sec, does your company have a FB page? Have you seen it lately? Is it part of your compliance testing?

Firesheep’s Revenge

No, this is not an article on the new version or even newly added superhero features for Firesheep. #titlefail? Maybe, but please read on and then decide.

I know Firesheep has lost its shiny-coin syndrome with most, but the attack is still working quite well in the field. While the readers/listeners have been doing a good job of enabling secure browsing options in Twitter and Facebook, we still have a long way to go. Please keep spreading the word and keep pleading with social networking sites to enable secure browsing by default. So, why the “Firesheep’s Revenge” title? Well, these last months a couple of us have been testing common social media monitoring (SMM) tools. These tools are generally used by small businesses, internal marketing, or external marketing companies to help update social media accounts without the hassle of logging into every social networking site individually. We have been testing these SMMs and found the following:

They are not using secure browsing by default, allowing us to hijack sessions. What does this mean? Well, by adding your social media accounts into these SMM tools, you are granting the tool permission or full control over those accounts. By gaining control over the tool we are bypassing all the hard work you did by enabling secure browsing in each of your Twitter and Facebook accounts. Try explaining to the VP of Marketing that even though you checked the “defeat Firesheep” box it still works. And not only will it work on Facebook/Twitter, but now LinkedIn, Foursquare, ping.fm and Ning accounts all in one interface. Most of the time we were looking at full access to the corporation’s social media strategy. So, we are right back to where we started, teaching the user that security is usually the last thing on the mind of these rapid-development firms. If you do not see the option of “secure browsing”, then please be careful of where you update your social media accounts. Ask your tool makers where this option is located. If they do not have this option, then maybe you should look for another tool.

James F. Ruffer III
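What the “secure browsing” option above boils down to technically is whether the tool’s session cookie can ever travel over plain HTTP, which is exactly what a passive sniffer like Firesheep feeds on. The following is an added example, not code from the post or from any SMM vendor: a small audit of login-response headers that reports the conditions a defender would want closed. The header samples, the `smm_session` cookie name and the session-name heuristic are all constructed for illustration.

```python
"""Audit login-response headers for the Firesheep exposure described above.

A session cookie is safe from a passive sniffer only if it is marked Secure
(the browser never sends it over http://) and the site itself is served over
HTTPS. HttpOnly is listed too: it does not stop sniffing, but it keeps the
cookie out of reach of injected script. Everything below is constructed
sample data, not output from any real tool.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed heuristic: cookie names that usually carry a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class Cookie:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into name plus the two flags we care about."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.lower() for p in parts[1:]}          # e.g. {"path=/", "secure", "httponly"}
    return Cookie(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(scheme: str, headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for a login response; an empty list means 'secure browsing' holds."""
    findings: list[str] = []
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    cookies = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]

    if scheme != "https":
        findings.append("login response delivered over plain HTTP: the whole exchange is sniffable")
    elif not hsts:
        findings.append("no Strict-Transport-Security header: a later http:// visit is not upgraded")

    for c in cookies:
        if not looks_like_session(c.name):
            continue  # preference cookies are not worth a finding
        if not c.secure:
            findings.append(f"session cookie {c.name!r} lacks Secure: sent in clear on any http:// request")
        if not c.httponly:
            findings.append(f"session cookie {c.name!r} lacks HttpOnly: readable by injected script")
    return findings


# Constructed sample: a tool with no secure-browsing option (login over HTTP, bare cookie).
WEAK_TOOL = ("http", [
    ("Set-Cookie", "smm_session=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
])

# Constructed sample: the same tool with secure browsing done properly.
FIXED_TOOL = ("https", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "smm_session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
])

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_TOOL), ("fixed", FIXED_TOOL)):
        print(label, audit(*sample) or ["OK"])
```

Run it against a real tool by pasting the headers from your own login response into the sample lists; three findings for the weak sample and none for the fixed one is the expected result.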

Social Zombies Gone Wild: Totally Exposed and Uncensored

Kevin Johnson and Tom Eston gave the third and final “Social Zombies” talk at Notacon 8 this weekend.  This talk focused on how social networks are using geolocation and the abuse of location based services.

“Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, it’s only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.”

Slides are on SlideShare below:

Why Should the CSO Care About an Employee’s Personal Social Media Account?

Thank you to Tom for allowing me to participate with social media security dot com. The guys in this community have been great resources in helping me to spread the word on the insecurities with social media. This year, I have been reaching beyond the security space, speaking to many social media clubs, podcampers and O’Reilly conferences only to realize something disheartening. Not enough people hear or are listening to us! I am going to start posting some real experiences to help with the questions of “why should I care about social media security?”

This week at PodCamp Nashville I was able to demo Firesheep, and in 3 minutes and 48 seconds, 64 accounts were in my sidebar waiting for me to double-click. After the demo I had some great questions and, just like that, the session was over. Later a young lady came to me and admitted she was 1 of the 64 in the sidebar. She asked me to show her what I “could” have done with her account. She was not really impressed or scared that I could have updated the profile, chatted with friends or added creepy users. Then fear came very quickly when I switched from the user account to the PAGES she had admin rights to.

She is in charge of the Facebook pages of 12 major medical practices in the area. I have to be honest, she rocked at maintaining these pages. Impressed by her work, I asked how much time she had put into these pages and followers. Time was in the 1000’s of hours and also in the $100,000 range of billable time. My final question to her was: what would she do if all of this time and money came crashing down because of some idiot at a camp running a free Mozilla plug-in? She said she would hunt them down. She was kidding of course, but I was a little scared to be honest. We went over some settings and she is now going to help spread the word. 1 out of 64 down.

Facebook Pages security is basically in the hands of the personal accounts of the admins.  This is one reason why the CSO should care…

Things that make you go HMMMM? <- point to head -Arsenio Hall
Facebook terms and conditions state that you have to have a personal Facebook account to administer your company page. Facebook company pages allow multiple users to have access to share content. Are you monitoring or making sure the people with access are meeting your company security standards? If an employee has left, is Facebook Page access part of the account removal process?

Dispelling The Myths Of Facebook Privacy And Security

There are many misconceptions about the security of Facebook, Facebook applications, and the frequent scams that seem to plague the world’s largest social network.  To help set the record straight, I would like to shed a bit of reality on the most common myths about Facebook security and privacy today. These are real examples of statements that I have encountered regarding Facebook and their privacy controls and security measures.  Some have surprising truth to them and others are completely false and misleading.  I’ve broken these myths into three areas: Facebook applications, privacy, and security myths. 

To Facebook’s credit, Facebook has made considerable strides over the last few years by implementing new security and privacy controls as well as making the Facebook security team more visible. Some of the newer implementations, such as full-site SSL and social authentication, will continue to improve the security of Facebook. Unfortunately, many of these myths will still persist. This is because users will believe what they want to believe despite new controls and efforts being put in place by Facebook.

Facebook Application Myths

Myth: All Facebook applications are created and managed by Facebook.
Facebook applications are not developed or maintained by Facebook.  They are all developed, maintained, and managed by third-party companies.  Facebook simply provides an API (Application Programming Interface) for developers to “interact” with Facebook and its data.  For example, Farmville is created by the company Zynga.  Zynga only uses the Facebook API to interact with Facebook.  One common misconception is that these applications “look and feel” like they are part of Facebook so the applications can be trusted.  This is not true.  The Facebook API is designed to allow seamless integration so it provides users with a more integrated Facebook experience. To make matters worse, Facebook recently announced that they will now allow iframes within page tab applications.  This means that a malicious developer can easily do things like redirect users to malicious web sites or use JavaScript to do a host of other things to the user.

Myth: Facebook reviews all applications for security vulnerabilities, scams, or frauds.
In general it would be very difficult with Facebook’s current application developer model to review the code for all Facebook applications. According to Facebook’s official statistics, people on Facebook install 20 million applications every day, and according to an older statistics page I found, dated November 2010, there were approximately 550,000 active applications. This is an extremely large number of applications to check for security issues. This problem also becomes more challenging when developers release new code or updates to existing applications. How is Facebook currently addressing this issue? Facebook made a statement in a recent InformationWeek article talking about how they review applications. Facebook claimed to have a dedicated security team that “does robust review of all third-party applications, using a risk-based approach.”

“That means that we first look at velocity, number of users, types of data shared, and prioritize,” the statement read. “This ensures that the team is focused on addressing the biggest risks, rather than just doing a cursory review at the time that an app is first launched.”

In other words, they look at applications that fall into specific categories because it would be near impossible to check every single application.  There is also no mention if Facebook conducts a code review of applications selected for review.  The bad news, of course, is that once Facebook shuts down one rogue, malicious application another one is easily right behind it to take its place.

Myth: Facebook applications don’t have typical web security flaws.
Facebook applications can be developed insecurely just like any other web-based application. In fact, in 2009 security researcher theharmonyguy conducted the “Month of Facebook Bugs”, exposing security flaws in many of the popular Facebook applications at the time. These flaws included XSS (Cross-Site Scripting), which can be used to attack the users of applications; SQLi (SQL Injection), which can be used to extract personal or private information from the database of applications; and ClickJacking or LikeJacking, which can be used to initiate actions without the user’s knowledge.

Myth: Facebook is responsible for any information you provide to Facebook or third-party applications.
This is a tricky one.  At the end of the day, you’re responsible for what you post and any information you provide Facebook or third-party applications.  There is no guarantee that Facebook or third-party application developers will not misuse or sell your information.  This has happened in the recent past.

Myth: Facebook allows developers to do whatever they want with their applications and can collect your personal information.
Facebook has certain policies that you can read for yourself about what a developer can or can’t do.  It’s important to note that Facebook used to be more restrictive with these rules in the past.  For example, application developers could only keep personal data collected for 24 hours.  Facebook has now removed this restriction and has relaxed many other policies so it’s easier for developers to integrate with Facebook.  Having said that, it’s hard for Facebook to truly “enforce” these policies unless a malicious application is reviewed by them or it’s reported to the Facebook security team.  It’s a battle that is going to be very hard to win based on the current way Facebook allows applications to be developed.

Facebook Privacy Myths

Myth: Facebook reviews all third-party companies that collect your personal information.
In certain cases like when your friends visit an “Instant Personalization” partner like Yelp and the third party can see your information the Facebook privacy policy states that “we require these websites and applications to go through an approval process, and to enter into separate agreements designed to protect your privacy.”  What that means is up for debate but what we do know is that you should be cautious when using Instant Personalization as you may be revealing information about your friends as well.

Myth: Facebook takes user privacy seriously.
Facebook will try to tell you that they do take your privacy seriously as noted in their privacy policy.  However, Facebook also has a vested interest in collecting your information.  After all, it’s how they make money.  Double edged sword?  It certainly is!  The more information you share the more valuable you are to Facebook.  You should always take your privacy on Facebook seriously as they may not always have your best interest at heart.

Myth: Facebook has very few privacy controls.
This is false.  In fact, Facebook has made great strides over the years in providing its user base with easier to use privacy controls.  I’ve seen this myself while putting together my Facebook Privacy & Security Guide over the years.  The problem has become that many users don’t know where these settings are or how to use them.  Facebook also hasn’t done a great job of communicating changes to privacy settings in the past.  Users of Facebook and computer users in general have become immune to pop-ups and hard to read sign-in notifications.  It’s simply become easier for users to just “click through” so they can get to what they want in Facebook.

Myth: Facebook makes it easy for users to delete their accounts.
The truth is that the process of deleting your Facebook account has gotten only slightly better over the years but still remains a confusing one.  For example, here is one guide that walks you through the procedure.  Facebook still has account “deactivation” as the first step in the account deletion process, which many users still find confusing.  Many users are also confused between “deactivation” and “deletion.”  Others think that by successfully deleting their account all the information including pictures they posted are removed from Facebook forever.  While Facebook may say they remove all of your information, you still can’t stop others from copying it or saving those party pictures of you to their hard drive.  The rule to remember is that once you post something on Facebook, you should always think of it as public information.

Facebook Security Myths

Myth: Facebook scams are mostly variations of the same one over the years.
Many of the Facebook scams found are simple variations of text messaging, promotion giveaways (iPads, iPods [insert latest hot gadget here]), who visited your profile (ProfileSpy), and improvements to existing Facebook services like chat and instant messaging. In fact, one scam I blogged about over a year ago is still being used today. The basic rule to remember is that if something is popular in our culture, such as tech products that everyone wants, it’s most likely going to be used for scams and frauds. Remember the old rule: if it sounds too good to be true, it probably is.

Myth: I can’t get a virus or malware by using Facebook
All it takes is clicking on a malicious link from one of your friends, installing a rogue application, or falling for one of the many scams that offer “free” stuff. Facebook is doing a better job of cleaning up malicious links and other related activity. However, the Koobface worm and associated variants are still a problem and adapt well to attempts by Facebook to rid them from the platform.

Myth: I can trust my friends on Facebook because they would never send me anything malicious.
It’s always nice to trust your friends but this gets complicated on Facebook.  Social Network worms such as Koobface as well as hijacked or stolen accounts are frequently used to social engineer Facebook users to click on a link or send money to foreign countries.  All of these scams exploit the trust relationships that you have with people you know.  It’s a simple and highly effective technique that’s still being used today.

Myth: Facebook does not have a security team or a way to report security issues/SPAM/scams.
Contrary to popular belief, Facebook does have a security team and ways to report security and privacy issues.  In the past, many of these types of requests would have met the infamous “Facebook Blackhole” in which emails or support requests were never answered.  Recently, there have been many improvements to help communicate the presence of this team.  For example, you can “like” the Facebook security page, report a compromised account, learn how to report security vulnerabilities, as well as get good tips on what to do when you see security issues.

Facebook Privacy & Security Guide Updated to v2.3

Just a quick post that I have updated the Facebook Privacy & Security Guide to include information on configuring the privacy settings for Facebook Places.  You can find this on the first page under “Sharing on Facebook”.  Stay tuned for more information on Facebook Places in the next day or so!

Download the updated Facebook Privacy & Security Guide here (pdf download).

Users Bamboozled and Policies Eroded – Is Facebook still the valuable tool you thought it was?

Geek level: Very Low. Editorial observations and deep, introspective questions…

I just wanted to give props to some folks who are really getting the impact of the changes to  Facebook privacy policies and settings, and trying to get the message across in different ways.

Facebook privacy settings are getting so complicated, few people seem to know the implications. And as a result, most don’t bother changing them. For those of you who remember what it was like to try to program a VCR back in the 1980’s and 90’s, what goes around comes around. The comparison is scary, as tweeted by Robert Nunez and Tom Watson – “Facebook privacy settings are the new programming your VCR”

(See http://www.preoccupations.org/2010/05/facebook-2010.html )

I heard about this observation while listening to This Week in Google (at http://www.twit.tv), when Jeff Jarvis mentioned it. Leo Laporte then added, “It’s like we’re all on flashing 12:00’s”  (If you don’t remember, it’s sort of like having a digital clock that loses power and forgets what time it is.) For the old VCRs, you had to go in and reset the time, then you had to set the channels and times you want to record. It was so complicated, many people just left them with the flashing 12:00’s. I can relate to that, along with many others I’ve heard from, regarding Facebook’s increasingly convoluted privacy settings.

Facebook just seems to want people to give up on protecting their privacy. To paraphrase Jarvis, it seems strange that instead of leveraging the trust of its 400 million users, and taking the opportunity to establish itself as the “protectors” of our identities on the Net, Facebook is carelessly exploiting that trust to its fullest extent for short term profit. Too bad for them, and for all of us.

Also in that same episode of TWIG, Jeff Jarvis referred to the Electronic Freedom Foundation’s (EFF) timeline of Facebook privacy policies over the years. It’s interesting to see how convoluted it’s become since their first privacy statement in 2005, which read:

No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

(from http://www.eff.org/deeplinks/2010/04/facebook-timeline )

Now, as of April 2010, the policy reads…

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections and any content shared using the Everyone privacy setting. … The default privacy setting for certain types of information you post on Facebook is set to “everyone.” … Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

So, did you know this? Or have you quit Facebook – for good, or in protest – due to these moves? Or will it take one more move toward the cliff?

Not surprisingly, I don’t use Facebook for anything very personal. The stuff I put there is all pretty boring, say my friends. But if you joined a long time ago and have a significant amount of personal information in Facebook, you might want to read today’s Facebook privacy policies and consider how likely it is that what you thought was protected (by the default settings at the time you joined) may inevitably become public at some point.

Today’s trending topics might as well be “Facebook privacy settings changed” and “Facebook privacy policies changed”. So, if you still feel that privacy represents a fundamental personal value, we’d all like to know, “What value does Facebook continue to bring you as a tool, and is it worth the cost?”

Facebook’s Proposed Privacy Changes: What You Need to Know

I won’t put together a long post about the recently proposed Facebook Privacy Policy/Statement of Rights and Responsibilities changes. There are already some very good analyses on the subject. However, below are links to some of the best blog posts and research to check out. Note that the comment period ends on April 3, 2010 at 12am PDT. Make your comments on the Facebook Site Governance document page here.

Links to the proposed changes
Facebook Privacy Policy and Statement of Rights and Responsibilities Updates

Detailed Analysis Worth Reading
Facebook Proposes Broad Updates To Governing Docs — Our Analysis (from Inside Facebook)
How Facebook is Adding an Identity Layer to the Internet (from theharmonyguy)
Yet Again, Facebook Misunderstands Privacy (from MichaelZimmer.org)
Facebook Again to Test Privacy Boundaries (from Fred Stutzman)
Is Facebook Unliking Privacy? (from the ACLU of Northern California)

Also, be sure to check out Social Media Security Podcast Episode 12 which will be released soon!  Scott Wright and I will be talking about these changes with some analysis as well.
