Social Media Security Website and Podcast Reloaded!

Since 2009, I’ve been maintaining the popular Facebook Privacy & Security Guide that has been used by several universities and government agencies as well as regular users of Facebook.  If you’re not familiar with my guide, it’s a simple two page handout that walks you through recommended privacy and security settings for your Facebook profile.

The guide has been a labor of love but also required frequent updates since Facebook has drastically changed the privacy controls as well as the layout within the Facebook platform over the years.  Needless to say it’s been tough to keep the guide updated and also tough to keep it to a single page so that it can be easily distributed.  Today, I’m happy to announce that my company SecureState is now officially sponsoring the guide so that it can be maintained with frequent updates!  Having said that, I’m announcing today the release of the fourth version of the Facebook Privacy & Security Guide, updated with the latest information on Facebook’s privacy and security settings.  Please download and distribute to friends and family.

Also around the same time I started the guide, I started the Social Media Security website and podcast.  The podcast is still being recorded monthly and co-hosted by myself and Scott Wright.  Today we also released our 30th episode along with a website redesign for socialmediasecurity.com.  I’d like to thank the podcast’s new sponsor SecureState for the new design and support of the podcast.  Special thanks go to DigiP over at Tick Tock Computers for putting together a great site redesign and logo.  I look forward to recording more podcasts and getting the word out on how to safely use social media!

Facebook Privacy & Security Guide Updated to v3.0

I’ve finally updated the Facebook Privacy & Security Guide to version 3.0.  This is a major revision which includes directions on how to set the latest privacy and security controls in Facebook.  Maintaining this guide has been challenging over the last year as Facebook has made major changes multiple times in regards to the way privacy settings are enabled.  Having said that, this is a great time to use my guide and review what your privacy settings are.  Things like enabling secure browsing, login approvals and limiting the audience to what you post are more important then ever.

As always, feel free to distribute this guide to friends and family!  Happy Thanksgiving!

Download v3.0 of the Facebook Privacy & Security Guide here

Taking over the Facebook Page “buy now” button (Part 2 of 2)

As I have been testing the security settings of companies social media strategies, I have consistently noticed two things, marketing is desperately trying to find its ROI and IT/Security doesn’t even know they have a FB page.  I do agree that after a number of months, it is time to show the CFO that spending that insame amount of time on their social media sites is worth the payroll checks. Unfortunately, analytics alone have been a blurry way of making that compelling argument and can be defeated by saying, if, I had put those payroll checks into google…I could see our ROI in a nice neat report. This is one of the reasons that marketing is jumping head first into technologies like Shoutlet, payvment or others (FB E-commerce). Why not sell your items on your FB Page?  Your team has worked extremely hard to get thousands of new users to click follow/like. Ultimately, this is going to be the future of pages but because IT/Security is not involved in the social media process it also opens a HUGE GAPPING HOLE in your security policy and procedures. And of course here is your example:

The policy of company ACME is “no social networking allowed” on internal networks.  Sites are being blocked at the firewall with rules and enforced with a content filtering tool. IT/Security has done its job with social media, right? BUT an exception is made for Marketing because they are special people. A FB page was created as well as an E-Commerce app installed without consulting IT/Security. I know this because after taking over the FB page using our friends Cain and Able, I replaced just one of the “buy now” buttons to redirect it my site and used analytics to see how many people clicked this button.  Showing this to Director of IT he replied “I didn’t even know we had a FB Page.”

Part 2

After this meeting we agreed to stop and allow IT/ Security to be a part of the implementation of this new e-com solution and lock down this new site.  After a couple of months we were given the green light that all social media was secure and our attacks would now #fail.  Well they were wrong!  Here is what happened;  Technology constantly changes and therefor we should also be constantly training/testing these changes.  Yes, all https was checked.  Yes, they read www.socialmediasecurity.com on a regular basis.  But they forgot to monitor their social media accounts like they would an email server.  There is still a core failure in my opinion of Facebook pages.  Who?!? owns the data and when is it okay to monitor the admins personal accounts? Because these users of the pages still enjoy using Facebook for personal use. They do not apply the corporate rules to their personal accounts nor should they if that is how they live.  So, we are either forced to create fake accounts or all share one admin account.  Well with our testing we are still targeting the admins of these pages.  There are many many ways to gain access to their accounts and once in, we only have to create our own evil twin account to keep access.  Example: if Bob Alice is the admin of the page just create another Bob Alice and copy the information including the  profile imagine and allow this new user admin rights to the page.  Most common users will just think this is a Facebook glitch and it is showing their profile twice. But in reality it is a way for us to keep a constant admin account to this system.  If you maintain a Facebook page you know that admins just lose their rights to the page all the time out of the blue.  So constantly adding the same person is a regular process.  If the company was monitoring its data it would see these changes or see that there were in fact 2 different accounts attached to this page.  But we are not monitoring these accounts, yet. Social media security can be a full time job depending on the risk and frequency of the sites.   For more information feel free as always to email me.  info@unixbox.ws

Social Zombies Gone Wild: Totally Exposed and Uncensored

Kevin Johnson and Tom Eston gave the third and final “Social Zombies” talk at Notacon 8 this weekend.  This talk focused on how social networks are using geolocation and the abuse of location based services.

“Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, its only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.”

Slides are on SlideShare below:

Facebook Privacy & Security Guide Updated to v2.1

The Facebook Privacy & Security Guide has been updated to version 2.1 to reflect recent changes that Facebook has made.  Updates to the guide include minor changes to the privacy navigation structure and details on the new “Instant Personalization” privacy setting.  Also, I included information on Facebook Ads.  Please print it out for your own use or share with friends and family!  Questions and comments can be posted here or sent to feedback[aT]socialmediasecurity.com.

Download the updated version of the Facebook Privacy & Security Guide

Security pros use layered techniques, but so do attackers

For many years security professionals have advocated using layered safeguards to reduce the risk of threats. While many organizations do employ multiple technologies like firewalls, anti-virus and intrusion detection to try to stop hackers, these guys are getting very good at navigating our layers of security. It’s like the old Mario and Donkey Kong video games where you had to jump over land mines, climb ladders, wait for doors to open and avoid swinging obstacles to reach the bonus prizes.

As an example of how many layers they are able to traverse, consider the reported attack on a financial institution’s enterprise network, which started life as a hacked Facebook account. (Click HERE for the full story.)

To make a long story short the attackers did the following:

  1. They captured the Facebook credentials of an individual who worked for a financial institution
  2. They then scanned the user’s Facebook profile to find recent social events involving co-workers on Facebook (finding a company picnic)
  3. They then sent emails to multiple Facebook friends who were co-workers saying, “Hey, have a look at the pictures I took at the company picnic!”
  4. The emails contained links to malicious web pages that attempted to launch a keylogger on the victims’ computers.
  5. They then scanned the keystrokes of an employee whose laptop had become infected with the keylogger and found the authentication credentials for the corporate VPN
  6. They infiltrated the VPN and infected a computer inside the corporate perimeter and performed vulnerability scans around the network to find servers with sensitive information on them.

The attack lasted as long as 2 weeks. If the attackers’ vulnerability scans had not been so “noisy”, they may not have been noticed, and the company could have suffered severe losses in terms of costly data breaches and corrupted databases, as well as system repairs.

So, what will happen now? Will the company add another layer of security to prevent a similar attack in the future? Probably… and these attackers will probably move on to other organizations with a bit less security. The cat and mouse game continues.

What’s interesting in this story is that the initial attack on the employees’ Facebook friends is pretty hard to defend against, since nothing seemed out of the ordinary. There really was a corporate picnic!

What would you do next if you were a security manager at this financial institution?

Fifteen significant social media & security events of 2009

I recently co-authored an article with Jennifer Leggio from ZDNet on the Fifteen significant social media & security events of 2009.  Be sure to check it out as there were *many* high profile attacks on social networks and their users this year.  The article also provides a preview of what we might see in 2010.  Thanks again to Jennifer for putting this article together!

Facebook Privacy & Security Guide v2.0: Updated with New Privacy Changes

I have updated and released version 2.0 of the popular Facebook Privacy & Security Guide.  Version 2.0 reflects the recent changes that Facebook made to it’s privacy settings.  In addition, I added a new section titled “Blocking and Creating Friend Lists” and expanded on how your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are now publicly available information.

Download the new version of the Facebook Privacy & Security Guide here.
You can also get to the guide from: and from the top of Socialmediasecurity.com under “Guides”.

Can you remove public access to your friend list?
One tip I didn’t have room for in the guide around these new changes is the following.  You can remove the ability for your “Friend List” to be viewed in public searches by selecting the Edit “pencil” in the Friends box on your profile page and unchecking the box.  Here is a screen shot of this.  Unfortunately, this control is all or nothing but the good news is your Friends can still see your friends list.  You may also want review your application settings so application “boxes” are not showing on your public profile as well.  More information can be found on Facebook’s blog post about these issues (hat tip to @mubix for pointing this out).

Like before please send any feedback on the guide to feedback[ aT ]socialmediasecurity.com.  The companion video is being worked and should be up shortly as well.

1 2