Wednesday, August 5, 2009

Secure Your Facebook

Due to the nature of my work, I encounter a lot of things that most people don't. And honestly, many of the problems I'm called upon to fix can be avoided by taking simple steps to practice what I'd like to think of as "common sense" security, with a healthy dose of mild paranoia.

That being said, I'm going to relate to you my top five Facebook security tips, to help you learn some of these common sense techniques while employing that healthy dose of mild paranoia.

Tip #1: Assume that Facebook (or any social network for that matter) is not secure.
I know you read all the social networking articles about how Facebook has upgraded its security, changed its security settings to protect you better, and so on and so forth. However, about as many news articles are posted about how the Facebook security settings didn't work as intended and let everyone view your profile information or your friends list, how some hacker accessed the account information of hundreds (or thousands) of users, exposing login information and other personal data, and the list of flaws could go on.

The point is, as long as there are hackers and identity thieves, there will be flaws in even the most promising security. Assume that nothing is secure.

Tip #2: Don't post anything you would not want a stranger to see.
Just recently, a friend of mine saw that two of his Facebook connections had posted their new cell phone numbers on their walls. When my friend called them out on such behavior, the two replied that only their select friends could see the post, based on the security setting they had used when posting. See Tip #1 above if you believe that information you've posted and set to "friends only" is indeed secure.

Tip #3: Social engineering is the hacker's tool of choice.
Social engineering is the art of becoming friendly with a person and thereby gaining that person's trust. Once trust is established, the hacker can casually get you to disclose your personal information with little effort.

As part of an assignment in my computer security courses, my students are taught how to employ social engineering and are then asked simply to watch for signs that someone is using it. One student took those skills to a cell phone kiosk and, while chatting casually with a woman about the cell phone she was using, learned her 4-digit PIN for locking her phone and that she used the same number for everything, including ATMs. By the end of the conversation, he knew where she worked, her full name, and what she did for a living. He did all this by pretending he wanted to buy the phone she was holding in her hand! He was shocked not only by the fact that he was able to effortlessly get this information out of her, but that he, with little training, was able to accomplish it.

Keep in mind that most hackers don't need complex scripts or tools to betray you. You give them the information freely every day. And if you have any doubt about that, think about how many times you hear people disclosing personal information while on their cell phones near you!

Tip #4: Pay attention to your friends.
The biggest sign that something isn't right is when your friends start behaving in ways that are out of character for them. What I mean by that is, recently one of my Facebook friends messaged me that she was stranded in the U.K. and needed some money to get home. As it turned out, her account had been hacked and this message went to all her friends. I knew she wasn't in the U.K. but had just launched a new solo business. Because I was paying attention to her posts and the way she interacts, I didn't fall for the scam.

Many times, account hacks are not so easily detected. For example, a teen received a link from a friend in Facebook chat. The friend always sends him various links via the chat, so nothing looked unusual. The sad news was that the link was to a malware site that totally destroyed his laptop. This situation leads me to Tip #5 below.

Tip #5: Always err on the side of caution.
This is where the healthy dose of paranoia comes in.

As in the case of the teen given the link in Tip #4 above, the teen should always reply to the friend before clicking the link. If the hacker is on the friend's account, one of two things will happen: either he won't respond to the chat ping at all, or he will not be able to answer a question about the link properly.

Let me explain. Let's say that this teen and his friend normally share links having to do with monster trucks because they both love them. But they hate crossovers and SUVs. The teen could have responded to the chat link with the following message: "Is this another video about that awesome Cadillac Escalade?" A hacker, not knowing that he is being baited, will respond "Yes!", thinking that is the expected answer. If the friend legitimately sent the link, he will immediately ask whether someone else is on the teen's account, because his friend would never respond like that!

The point is, there is a way to test your friends using intimate details about your relationship that only the two of you know and that have not been publicly announced on your Facebook wall. Remember that a hacker who is on your friend's account can also read your friend's old messages, so the detail should not be something the two of you have discussed in that same chat. Obviously, if this teen and his friends bash crossovers and SUVs publicly on their walls, then this particular example might not work. But I think you get the picture.

Remember, security is a process - not an endpoint.
