Social Zombies Gone Wild: Totally Exposed and Uncensored

Kevin Johnson and Tom Eston gave the third and final “Social Zombies” talk at Notacon 8 this weekend.  This talk focused on how social networks are using geolocation and the abuse of location based services.

“Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, it’s only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.”

Slides are on SlideShare below:

Social Media Security Podcast 24 – Personal Social Media Accounts, ProfileSpy, App Privacy

This is the 24th episode of the Social Media Security Podcast recorded April 6, 2011.  This episode was hosted by Tom Eston and Scott Wright with special guest James Ruffer. Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!

Why Should the CSO Care About an Employee’s Personal Social Media Account?

Thank you to Tom for allowing me to participate with social media security dot com. The guys in this community have been great resources in helping me to spread the word on the insecurities with social media. This year, I have been reaching beyond the security space, speaking to many social media clubs, podcampers and O’Reilly conferences only to realize something disheartening. Not enough people hear or are listening to us! I am going to start posting some real experiences to help with the questions of “why should I care about social media security?”

This week at Podcampnashville I was able to demo Firesheep and in 3 mins and 48 secs, 64 accounts were in my sidebar waiting for me to double click. After the demo I had some great questions and just like that the session was over. Later a young lady came to me and admitted she was 1 of the 64 in the sidebar. She asked me to show her what I “could” have done with her account. She was not really impressed or scared that I could have updated her profile, chatted with friends or added creepy users. Then fear came very quickly when I changed from the user account to the PAGES she had admin rights to.

She is in charge of the Facebook pages of 12 major medical practices in the area. I have to be honest, she rocked at maintaining these pages. Impressed by her work, I asked how much time she had put into these pages and followers. Time was in the 1000’s of hours and also in the $100,000 range of billable time. My final question to her was: what would she do if all of this time and money came crashing down by some idiot at a camp running a free Moz plug-in? She said she would hunt them down. She was kidding of course, but I was a little scared to be honest. We went over some settings and she is now going to help spread the word. 1 out of 64 down.

Facebook Pages security is basically in the hands of the personal accounts of the admins.  This is one reason why the CSO should care…

Things that make you go HMMMM? <- point to head -Arsenio Hall
Facebook terms and conditions state that you have to have a personal Facebook account to administrate your company page. Facebook company pages allow multiple users to have access to share content. Are you monitoring or making sure the people with access are meeting your company security standards? If an employee has left, is Facebook Page access part of the account removal process?

Social Media Security Podcast 23 – Recent Changes to Facebook, Enterprise Social Media Tools, Spokeo

This is the 23rd episode of the Social Media Security Podcast recorded February 25th, 2011.  This episode was hosted by Tom Eston and Scott Wright. Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!

Dispelling The Myths Of Facebook Privacy And Security

There are many misconceptions about the security of Facebook, Facebook applications, and the frequent scams that seem to plague the world’s largest social network.  To help set the record straight, I would like to shed a bit of reality on the most common myths about Facebook security and privacy today. These are real examples of statements that I have encountered regarding Facebook and their privacy controls and security measures.  Some have surprising truth to them and others are completely false and misleading.  I’ve broken these myths into three areas: Facebook applications, privacy, and security myths. 

To Facebook’s credit, Facebook has made considerable strides over the last few years by implementing new security and privacy controls as well as making the Facebook security team more visible. Some of the newer implementations, such as full site SSL and social authentication, will continue to improve the security of Facebook. Unfortunately, many of these myths will still persist. This is because users will believe what they want to believe despite new controls and efforts being put in place by Facebook.

Facebook Application Myths

Myth: All Facebook applications are created and managed by Facebook.
Facebook applications are not developed or maintained by Facebook.  They are all developed, maintained, and managed by third-party companies.  Facebook simply provides an API (Application Programming Interface) for developers to “interact” with Facebook and its data.  For example, Farmville is created by the company Zynga.  Zynga only uses the Facebook API to interact with Facebook.  One common misconception is that these applications “look and feel” like they are part of Facebook so the applications can be trusted.  This is not true.  The Facebook API is designed to allow seamless integration so it provides users with a more integrated Facebook experience. To make matters worse, Facebook recently announced that they will now allow iframes within page tab applications.  This means that a malicious developer can easily do things like redirect users to malicious web sites or use JavaScript to do a host of other things to the user.

Myth: Facebook reviews all applications for security vulnerabilities, scams, or frauds.
In general it would be very difficult with Facebook’s current application developer model to review the code for all Facebook applications.  According to Facebook’s official statistics, people on Facebook install 20 million applications every day and according to an older statistics page I found dated November 2010 there were approximately 550,000 active applications.  This is an extremely large amount of applications to check for security issues.  This problem also becomes more challenging when developers release new code or updates to existing applications.  How is Facebook currently addressing this issue?  Facebook made a statement in this recent InformationWeek article talking about how they review applications.  Facebook claimed to have a dedicated security team that “does robust review of all third-party applications, using a risk-based approach.”

“That means that we first look at velocity, number of users, types of data shared, and prioritize,” the statement read. “This ensures that the team is focused on addressing the biggest risks, rather than just doing a cursory review at the time that an app is first launched.”

In other words, they look at applications that fall into specific categories because it would be near impossible to check every single application.  There is also no mention if Facebook conducts a code review of applications selected for review.  The bad news, of course, is that once Facebook shuts down one rogue, malicious application another one is easily right behind it to take its place.

Myth: Facebook applications don’t have typical web security flaws.
Facebook applications can be developed insecurely just like any other web based application. In fact, in 2009 security researcher theharmonyguy conducted the “Month of Facebook Bugs” exposing security flaws in many of the popular Facebook applications at the time. These flaws included XSS (Cross-Site Scripting) which can be used to attack the users of applications, SQLi (SQL Injection) which can be used to extract personal or private information from the database of applications, and ClickJacking or LikeJacking which can be used to initiate actions without the user’s knowledge.

Myth: Facebook is responsible for any information you provide to Facebook or third-party applications.
This is a tricky one.  At the end of the day, you’re responsible for what you post and any information you provide Facebook or third-party applications.  There is no guarantee that Facebook or third-party application developers will not misuse or sell your information.  This has happened in the recent past.

Myth: Facebook allows developers to do whatever they want with their applications and can collect your personal information.
Facebook has certain policies that you can read for yourself about what a developer can or can’t do.  It’s important to note that Facebook used to be more restrictive with these rules in the past.  For example, application developers could only keep personal data collected for 24 hours.  Facebook has now removed this restriction and has relaxed many other policies so it’s easier for developers to integrate with Facebook.  Having said that, it’s hard for Facebook to truly “enforce” these policies unless a malicious application is reviewed by them or it’s reported to the Facebook security team.  It’s a battle that is going to be very hard to win based on the current way Facebook allows applications to be developed.

Facebook Privacy Myths

Myth: Facebook reviews all third-party companies that collect your personal information.
In certain cases, such as when your friends visit an “Instant Personalization” partner like Yelp and the third party can see your information, the Facebook privacy policy states that “we require these websites and applications to go through an approval process, and to enter into separate agreements designed to protect your privacy.” What that means is up for debate, but what we do know is that you should be cautious when using Instant Personalization as you may be revealing information about your friends as well.

Myth: Facebook takes user privacy seriously.
Facebook will try to tell you that they do take your privacy seriously as noted in their privacy policy.  However, Facebook also has a vested interest in collecting your information.  After all, it’s how they make money.  Double edged sword?  It certainly is!  The more information you share the more valuable you are to Facebook.  You should always take your privacy on Facebook seriously as they may not always have your best interest at heart.

Myth: Facebook has very few privacy controls.
This is false.  In fact, Facebook has made great strides over the years in providing its user base with easier to use privacy controls.  I’ve seen this myself while putting together my Facebook Privacy & Security Guide over the years.  The problem has become that many users don’t know where these settings are or how to use them.  Facebook also hasn’t done a great job of communicating changes to privacy settings in the past.  Users of Facebook and computer users in general have become immune to pop-ups and hard to read sign-in notifications.  It’s simply become easier for users to just “click through” so they can get to what they want in Facebook.

Myth: Facebook makes it easy for users to delete their accounts.
The truth is that the process of deleting your Facebook account has gotten only slightly better over the years but still remains a confusing one. For example, here is one guide that walks you through the procedure. Facebook still has account “deactivation” as the first step in the account deletion process, which many users still find confusing. Many users are also confused between “deactivation” and “deletion.” Others think that by successfully deleting their account all the information, including pictures they posted, is removed from Facebook forever. While Facebook may say they remove all of your information, you still can’t stop others from copying it or saving those party pictures of you to their hard drive. The rule to remember is that once you post something on Facebook, you should always think of it as public information.

Facebook Security Myths

Myth: Facebook scams are mostly variations of the same one over the years.
Many of the Facebook scams found are simple variations of text messaging, promotion giveaways (iPads, iPods [insert latest hot gadget here]), who visited your profile (ProfileSpy), and improvements to existing Facebook services like chat and instant messaging. In fact, one scam I blogged about over a year ago is still being used today. The basic rule to remember is that if something is popular in our culture, such as tech products that everyone wants, it’s most likely going to be used for scams and frauds. Remember the old rule: if it sounds too good to be true, it probably is.

Myth: I can’t get a virus or malware by using Facebook.
All it takes is clicking on a malicious link from one of your friends, installing a rogue application, or falling for one of the many scams that offer “free” stuff. Facebook is doing a better job of cleaning up malicious links and other related activity. However, the Koobface worm and associated variants are still a problem and adapt well to attempts by Facebook to rid them from the platform.

Myth: I can trust my friends on Facebook because they would never send me anything malicious.
It’s always nice to trust your friends but this gets complicated on Facebook.  Social Network worms such as Koobface as well as hijacked or stolen accounts are frequently used to social engineer Facebook users to click on a link or send money to foreign countries.  All of these scams exploit the trust relationships that you have with people you know.  It’s a simple and highly effective technique that’s still being used today.

Myth: Facebook does not have a security team or a way to report security issues/SPAM/scams.
Contrary to popular belief, Facebook does have a security team and ways to report security and privacy issues.  In the past, many of these types of requests would have met the infamous “Facebook Blackhole” in which emails or support requests were never answered.  Recently, there have been many improvements to help communicate the presence of this team.  For example, you can “like” the Facebook security page, report a compromised account, learn how to report security vulnerabilities, as well as get good tips on what to do when you see security issues.

Can enterprises use private social media tools for secure collaboration internally?

We know that many organizations are using open source Wiki software and platforms (e.g. MediaWiki) to do collaboration internally without exposing their systems to 600 million other users. But are there any other tools that enterprises can use to mimic the real-time connectivity of social networking sites like Facebook internally?

Why would a business want private social networking tools? Isn’t that an oxymoron?

I believe that enterprises can and will eventually begin to use “internal” or “private” social networks to allow for easier real-time collaboration, while avoiding some of the risks of the “public” social networks – such as social engineering attacks, Koobface attacks, etc. I’d really like to learn more about what the options are for businesses to deploy their own social media tools internally, or in a private cloud. Internal deployments would probably tend to be more secure, with potentially more control over access and authentication of users. But a cloud-based implementation by a trusted service provider might also be quite secure. Either way, the facility would be less of an easy target for attackers.

Have you seen or heard of such a thing? If so, where can I learn more about them? Doing a Google search turns up many hits, but I’d like to hear about some success stories and reviews of these kinds of solutions that could benefit the members of the Streetwise Security Zone as we try to figure out how to leverage the power of social media, in a secure and efficient way.

Also, what are your thoughts? What would it take for enterprises to be able to use social networks and social media tools securely? 

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:

Phone: 1-613-693-0997
Twitter ID:


Social Media Security Podcast 22 – Skype Email, Taxonomy of Socnet Data, Facebook Graph API

This is the 22nd episode of the Social Media Security Podcast recorded January 21, 2011.  This episode was hosted by Tom Eston and Scott Wright. Below are the show notes, links to articles and news mentioned in the podcast:

  • Skype credit email as an apology – a new trend we can expect in 2011 from good guys and bad guys.  Screen shot mentioned in the podcast.
    Scott’s note: I searched for posts about this email before clicking on it, and it was actually legitimate. However, this would be a very compelling phishing attack for any organization that recently suffered a PR setback. Any time you get an unexpected email, even if it looks like the circumstances make sense, you need to check on its authenticity. And any organization issuing such an email should also post an announcement of the campaign on their home page, and issue a press release to make it easy for people to verify the legitimacy of the email.
  • Bruce Schneier’s taxonomy of social network personal data
  • Facebook now tells you about people you know who have found friends using their Friend Finder
    Scott’s note: I always tell people never to enter their email address and password on sites that aren’t their email service. You don’t know what they will do with your password, or if it might be captured. It also exposes your friends to potentially unwanted email messages – e.g. spam.
  • Facebook Lets Developers Ask a User for Their Address, Phone Number in the Graph API
  • Twitter Worm Pushing Rogue Antivirus Scam

Please send any show feedback to feedback [aT] or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!

Social Media Security Podcast 21 – Facebook Trolls, Cookie Monster, Gawker Breach

This is the 20th episode of the Social Media Security Podcast recorded December 17th 2010.  This episode was hosted by Tom Eston and Scott Wright. Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!
