Thursday, April 28, 2011

Security and privacy matters of social networking sites

Introduction
1. Three examples of Facebook’s vulnerability
2. How carefully do Facebook users consider their online privacy?
3. How to protect yourself online?
4. TripIt Auto Import
5. Facebook Connect
Conclusion

Introduction

On large social networking services, there have been growing concerns about users giving out too much personal information. For the Internet generation, social networking sites have become the preferred forum for social interactions. However, because such forums are relatively easy to access, posted content can be reviewed by anyone with an interest in the users’ personal information.

Privacy on social networking sites can be undermined by many factors. For example, users may disclose personal information, sites may not take adequate steps to protect user privacy, and third parties frequently use information posted on social networks for a variety of purposes. In addition, there is a perceived privacy threat in placing too much personal information in the hands of large corporations or governmental bodies, since it allows a profile of an individual’s behavior to be built on which decisions detrimental to that individual may be taken.

Facebook is a very popular social networking site, but there are a number of security issues with the site that can put you at serious risk if you aren’t careful. The number of Facebook account hackings seems to be on the increase. „While any online account is in danger of being hacked, Facebook has unique features that make this danger even more likely. For one thing, it is very common to post personal information which can be used to steal your identity. But the significant danger is because it is so easy to run malicious programs that can hack your account,“ explains software engineer Bill Pringle on his website. [9]

1. Three examples of Facebook’s vulnerability

The „ethical attack“ by Ron Bowes

In July 2010 security consultant Ron Bowes used a piece of code to scan Facebook profiles and collect data from 100 million of them. The data collected was limited to what users’ privacy settings had left visible. Bowes then published the list online. This list, which has been shared as a downloadable file, contains the URL of every searchable Facebook user’s profile together with their name and unique ID. Bowes said he published the data to highlight privacy issues, but Facebook claimed it was already public information.

„People who use Facebook own their information and have the right to share only what they want, with whom they want, and when they want,“ the statement read. „In this case, information that people have agreed to make public was collected by a single researcher and already exists in Google, Bing, other search engines, as well as on Facebook.“ Facebook has a default privacy setting that makes some user information publicly available. People have to make a conscious choice to opt out of the defaults. „This highlights the argument for a higher level of privacy and proves the case for default nondisclosure,“ said Simon Davies from the watchdog Privacy International to the BBC. [2]

BBC’s picture guide for Facebook privacy can be found here.

The Turkish attack

Also in July 2010, a group of Turkish pranksters decided to abuse Facebook’s translate application and posted a plan online on how to do it. Their actions changed the translation of commonly used words and phrases across the Facebook platform. The word „Like“, for example, was replaced with another word that rhymes with „Luck“ but begins with an F. The familiar notification in Facebook chat „Your message could not be sent because the user is offline“ became „Your message could not be sent because of your tiny penis“.

The attackers abused the official Facebook Translate interface, a crowdsourcing method for improving the linguistic accuracy of the site. The replacement translations apparently went live without passing any human review. It is fortunate that the hole was exposed by a prank in the first instance rather than by something more nefarious. „Any online service, whether it’s translation or reputation services, which solicits user generated content would be well advised to quality check that content before going live with it,“ says Rik Ferguson on Business Computing World. [3]

These misguided translations were reverted and the translate application went offline for many languages. However, it is unknown whether this was related to the Turkish attack.

Likejacking

Facebook’s software has also proven vulnerable to likejacking, a clickjacking attack built on Facebook’s Like button that tricks users into a click which marks a site as one of their Facebook „likes“. [8] Using the wizard provided by Facebook, anyone can create a Like button for any URL and embed it on their own site. „By tricking site visitors into ‚liking‘ something by mistake, spammers could immediately place their links into that person’s News Feed, a feed seen by all of that person’s friends. And since an average Facebook user has 130 friends, even tricking a handful of people into doing this gives the spammer access to hundreds, potentially thousands, more people,“ explains Sarah Perez on Read Write Web. [7]

The term „likejacking“ came from a comment posted by Corey Ballou on another article by Perez, How to „Like“ Anything on the Web (Safely), which is one of the first documented postings explaining the possibility of malicious activity around the Facebook Like button. [6]
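Likejacking is clickjacking: the victim’s click lands on a Like button loaded in an invisible frame over content that looks harmless. For pages you control, the standard defence is to tell browsers who may frame them, with an X-Frame-Options header or the Content-Security-Policy frame-ancestors directive. The audit below is an added example, not code from the original post or from Facebook; it classifies each page’s response headers by how much framing they permit, and every header set in it is a constructed sample. It does not protect the Like button itself, which is built to be embedded in other sites’ pages.

```python
"""Audit HTTP response headers for clickjacking protection. Added example, not code from
the original post or from Facebook; the sample responses below are constructed."""
from __future__ import annotations


def frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list of a CSP header, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: dict[str, str]) -> str:
    """Classify who may embed the page in a frame: 'blocked', 'restricted' or 'unprotected'.

    Browsers that understand CSP frame-ancestors ignore X-Frame-Options when both are
    present, so the CSP directive is judged first and wins.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["'none'"]:   # an empty source list behaves like 'none'
            return "blocked"
        if "*" in sources or any(s.endswith(":") for s in sources):  # '*' or a bare scheme
            return "unprotected"
        return "restricted"   # 'self' and/or named origins only
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN" or xfo.startswith("ALLOW-FROM"):   # ALLOW-FROM is not honoured everywhere
        return "restricted"
    return "unprotected"


def audit(responses: dict[str, dict[str, str]]) -> dict[str, str]:
    """Map each page name to its framing policy; the 'unprotected' pages are the ones to fix."""
    return {name: framing_policy(h) for name, h in responses.items()}


# Constructed sample responses for pages on a site you control.
SAMPLE_RESPONSES = {
    "account_settings": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "blog_post": {"Content-Type": "text/html",
                  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://cdn.example"},
    "legacy_page": {"Content-Type": "text/html"},
    "both_headers": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for page, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{page:17} {verdict}")
```

The verdict for both_headers is deliberately pessimistic: a browser that honours CSP ignores the DENY, so on that browser the page can be framed by anyone.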

2. How carefully do Facebook users consider their online privacy?

The number one social networking site in terms of monthly active users, Facebook, has nearly 700 million user accounts and a reported 700 000 new people joining the network every day. [12] But how carefully do Facebook users consider their online privacy? Not carefully enough, according to a study carried out by Sophos Australia at the end of 2009, for which two fictitious female Australian Facebook users were created, Daisy Feletin (21, single) and Dinette Stonily (56, married). Each sent a friend request to 100 randomly selected contacts in her age group and waited two weeks to see who would respond. [1]

The results were astonishing: 46% of Facebook users accepted friend requests from strangers, 89% of users in their 20s divulged their full birthday, nearly 100% of users posted their email address, and between 30% and 40% of users listed data about their family and friends. Both groups, younger and older, were very liberal with their email addresses and birthdays. This is worrying because these details make an excellent starting point for scammers and social engineers. Nearly half of the youngsters, and nearly one-third of the 50-somethings, also offered up details about friends and family – again, information which scammers and identity fraudsters can exploit to build up an accurate and abusable profile of you and your lifestyle.

Identity thieves can use this information to commit crimes against individuals and their companies. „Ten years ago, getting access to this sort of detail would probably have taken a con-artist or an identity thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate,“ Paul Ducklin, Sophos’s Head of Technology in Asia Pacific, said about the results. [1]

3. How to protect yourself online?

Facebook gives users powerful controls to protect themselves online, but it’s up to individuals to check that appropriate settings are in place. Most social networking services, including Facebook, let the user choose who can view their profile. To edit the information on an account, social networking sites require you to log in with a password, which prevents unauthorized users from adding, changing, or removing personal information, pictures, and other data.

For example, parents who want to access their child’s MySpace or Facebook account have become a big problem for teenagers who do not want their profile seen. By making their profile private, teens can select who may see their page, allowing only people added as „friends“ to view it and preventing unwanted viewing. Whether it’s parents and their children or individuals and governmental bodies, and whether they’re online or offline, everybody should have the right to privacy and to control over their information.

Because it’s much easier to prevent your account from being hacked than to recover from a hacked account, here are some good security practices from software engineer Bill Pringle that should be kept in mind not only for Facebook, but for any other web site account you might have. [9]

  • Use Firefox or Chrome instead of Internet Explorer, as there are a lot of security problems with IE. Other possible browsers are Safari and Opera.
  • Never click on a suspicious link in an e-mail message or IM. The more a message encourages you to click on a link, the more you should not click on it.
  • Use a strong password. Find a balance between a password that is easy for you to remember and one that is hard to guess. It should have at least 6-8 characters and should include letters and digits, or possibly symbols.
  • Don’t give out your password. If you have already given out your email address and password, change your password immediately. If, in the future, you need to enter that information, log in to your email account, change the password to something simple (like „secret“) and then submit that password. Once you have done what you needed to do, go back into your email account and change your password to something strong.

Facebook offers a very sneaky way of getting you to enter your username and password: by offering to help you find your friends on Facebook. Facebook asks you for your email address and password, and then uses this information to access your address book (list of contacts). They then search Facebook for any matches. The problem, of course, is that your email address and password are now stored inside a Facebook database. And, since Facebook doesn’t have a history of keeping your private information very private, you should be very concerned about that. If you want to find friends on Facebook, search for them using their email address.

  • Always log out when you are done. Some websites use cookies to remember who you are so that you don’t have to sign in each time. While this might be convenient when using your desktop at home, it can be disastrous on your laptop, cell phone, or PDA. When you log out, that usually destroys the cookies so that you will have to log in the next time.
  • Change your password fairly often. If you change your password too often, it makes it hard to remember, and you might start writing it down, which would be very dangerous. The idea is to change your password often enough so that by the time somebody figures out your password, you have changed it.
  • Don’t let others use your computer, phone, PDA, etc. They might accidentally download some malicious program, or actually post or send something under your name.
  • Run anti-virus and anti-spyware software. Not only should you run anti-virus software, but make sure you get updates on a regular basis. Most people know about anti-virus, but not as many are aware of anti-spyware software. It works similarly to anti-virus, but it looks for programs that do things like track your web browsing.

Sophos Australia gives the following tips for better security on Facebook to secure your personal data and avoid identity theft. [1]

  • Don’t blindly accept friends. Treat a friend as the dictionary does, namely „someone whom you know, like and trust.“ A friend is not merely a button you click on. You don’t need, and can’t realistically claim to have, 932 true friends.
  • Learn the privacy system of any social networking site you join. Use restrictive settings by default. You can open up to true friends later. Don’t give away too much too soon.
  • Assume that everything you reveal on a social networking site will be visible on the internet forever. Once it has been searched, and indexed, and cached, it may later turn up online no matter what steps you take to delete it.

The Account Settings page holds mostly administrative items with little impact on your privacy, but a few areas warrant caution.

  • Consider whether the „full alternate name“ option, which allows you to add your maiden name or nickname to your profile, is worth using. Keep in mind that some sites use your maiden name (if applicable) as a security question for account access, so weigh this possibility before disclosing it. Avoid a nickname that might give away sensitive information (such as your birth year), and be sure it is different from your bank login username, for example.
  • To avoid likejacking, think carefully before you change settings for Facebook Ads. In the wrong hands, information about ads you liked can be handy for socially engineered attacks. The more entities that have access to your information, the greater your risk. It is best to limit this information whenever possible.
  • It also makes sense to be careful with linked accounts, including Google, MySpace and OpenID – use them with caution to avoid overexposure.

4. TripIt Auto Import

I would like to give one personal – and quite enlightening – example of linked accounts here. As someone who loves to travel often and share these experiences with friends, I’ve been using TripIt – a service that organizes travel plans into an itinerary that has all of your trip details in one place. It is, indeed, a practical tool, especially when you are staying at different hotels, using more than one means of transportation, and need to keep track of your timetable. It can be accessed anytime, either online or from a mobile device. TripIt offers the possibility of signing in with Google and Facebook accounts and allows you to automatically publish when you are planning, departing on and returning from a trip. I was aware of this and had the option to share my trips on Facebook activated, as normally I would start a new trip there myself and know when this information was shared.

However, the last time I booked flights for my upcoming summer adventure on the Ryanair website, I was rather surprised to find out only a moment later that this information was already published among my Facebook wall posts without me even logging in to TripIt. It took me a while to figure out how this connection from Ryanair to Facebook was created. It turned out that TripIt also offers to auto-import travel plans from your inbox, in my case Gmail. And because it recognizes the standard confirmation letters, it auto-imported my Ryanair flight details directly from their confirmation e-mail to my TripIt account, created a trip and automatically shared it on my Facebook account. The annoying thing was that I didn’t remember activating the „Auto Import“ option, or perhaps it was activated by default. In one way or another, I felt like I was suddenly rendered powerless and had lost control of my information.

I think it’s a perfect example of overexposure on social networking sites. To avoid this happening to others, and because this information is rather hard to find on TripIt (you need to dig around in their Help Center), here’s a little more about TripIt Auto Import and its security standards. Auto Import claims to be using secure standards. Nonetheless, it would be wise to consider both the security and privacy risks before activating this or similar applications.

Auto Import (beta) connects your Gmail or Google Apps email inbox with your TripIt account. Once connected, your travel plans are automatically added to your TripIt account. You do not have to remember to forward an email. TripIt will scan your inbox multiple times a day for travel plans, then automatically import them into TripIt. You can choose whether to add plans directly to your plans, or keep plans in your private „Unfiled Items“ area until you place them into Trips.

Security for Auto Import

When you set up your Gmail or Google Apps account, TripIt doesn’t ask for or store your password. It uses OAuth (an open protocol that allows secure API authorization in a simple, standard way from desktop and web applications) to authorize access to travel emails in your Gmail or Google Apps inbox without needing your login credentials. You can revoke OAuth access at any time, either from your TripIt account or directly from Google.

TripIt uses https (secure communication) to scan the headers of your inbox to look for travel plans. If TripIt finds a travel plan, it will parse the contents of the email for trip related information. If you have an existing trip with overlapping dates, TripIt will add the plan to your trip. If the plan is new, TripIt will create a new trip.

Auto Import is opt-in. You can also use TripIt without connecting your email account. If you decide to stop using Auto Import, it can be turned off. [13]
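The difference between the „find your friends“ flow described in section 3, where a site asks for your e-mail password and keeps it, and Auto Import’s OAuth flow is that in the second case the third party only ever holds a token that is limited in scope and can be revoked at the provider. The simulation below is an added example, not TripIt’s or Google’s code; the classes, the scope names mail.headers and mail.full, the client name travelapp and the sample inbox are all constructed. It shows a user consenting at the provider, the app scanning only headers, a body read being refused by scope, and the app’s stored token becoming useless the moment the user revokes it.

```python
"""Delegated, revocable mailbox access without handing over a password. Added
example, not TripIt's or Google's code; classes, scope names and the sample
inbox are constructed for illustration."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

TRAVEL_WORDS = ("itinerary", "booking confirmation", "e-ticket")

@dataclass
class Grant:  # one consent: which client may do what, on whose behalf
    user: str
    client: str
    scope: str
    active: bool = True

class AuthorizationServer:  # the mail provider: checks passwords, issues and revokes tokens
    def __init__(self) -> None:
        self._pw: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, pbkdf2 hash)
        self._grants: dict[str, Grant] = {}            # token -> grant

    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authorize(self, user: str, password: str, client: str, scope: str) -> str:
        # The user logs in at the provider and consents; only the token reaches the client.
        salt, expected = self._pw.get(user, (b"", b""))
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not secrets.compare_digest(got, expected):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(user, client, scope)
        return token

    def introspect(self, token: str) -> Grant | None:
        grant = self._grants.get(token)
        return grant if grant is not None and grant.active else None

    def revoke_client(self, user: str, client: str) -> int:
        # Revoking at the provider kills every live grant held by that client.
        hits = [g for g in self._grants.values() if g.user == user and g.client == client and g.active]
        for g in hits:
            g.active = False
        return len(hits)

class Mailbox:  # the resource server: hands out only what the token's scope allows
    def __init__(self, authz: AuthorizationServer, messages: dict[str, list[dict]]) -> None:
        self._authz, self._messages = authz, messages

    def _check(self, token: str, allowed: set[str]) -> Grant:
        grant = self._authz.introspect(token)
        if grant is None:
            raise PermissionError("token unknown or revoked")
        if grant.scope not in allowed:
            raise PermissionError(f"scope {grant.scope!r} is insufficient")
        return grant

    def headers(self, token: str) -> list[dict]:
        grant = self._check(token, {"mail.headers", "mail.full"})
        return [{"from": m["from"], "subject": m["subject"]} for m in self._messages[grant.user]]

    def body(self, token: str, index: int) -> str:
        grant = self._check(token, {"mail.full"})
        return self._messages[grant.user][index]["body"]

def auto_import(mailbox: Mailbox, token: str) -> list[str]:
    """The third party's scan: it holds only the token and sees only headers."""
    subjects = [h["subject"] for h in mailbox.headers(token)]
    return [s for s in subjects if any(w in s.lower() for w in TRAVEL_WORDS)]

def denied(call) -> bool:  # True if the call is refused with PermissionError
    try:
        call()
    except PermissionError:
        return True
    return False

def walkthrough() -> dict:
    """Run the whole exchange and report each outcome."""
    authz = AuthorizationServer()
    authz.register_user("alice", "correct horse battery staple")
    mailbox = Mailbox(authz, {"alice": [  # constructed sample inbox
        {"from": "noreply@airline.example", "subject": "Booking confirmation DUB-BCN", "body": "..."},
        {"from": "hr@work.example", "subject": "Salary review", "body": "confidential"},
    ]})
    # 1. Alice logs in at the provider and consents to header-only access for the app.
    token = authz.authorize("alice", "correct horse battery staple", "travelapp", "mail.headers")
    return {
        "imported": auto_import(mailbox, token),
        # 2. The scope keeps every message body out of the app's reach.
        "body_denied": denied(lambda: mailbox.body(token, 1)),
        # 3. Alice revokes the app at the provider; the token it stored is now worthless.
        "revoked": authz.revoke_client("alice", "travelapp"),
        "denied_after_revoke": denied(lambda: auto_import(mailbox, token)),
    }
```

The point to notice is what each party ends up storing: the provider keeps a salted password hash and the list of grants, the app keeps only a token, and the user can cut the app off at the provider without changing the password. A site that was handed the password itself, as in the find-your-friends flow, could not be cut off that way.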

5. Facebook Connect

A more authentic Web or loss of privacy?

In August 2006, Facebook introduced the first version of the Facebook API, enabling users to share their information with the third party websites and applications they choose. In May 2007, the company launched Facebook Platform, which allowed third party developers to build rich social applications within Facebook. In May 2008, the next iteration of Facebook Platform, Facebook Connect, was announced to allow users to „connect“ their Facebook identity, friends and privacy to any site. „These are just a few steps Facebook is taking to make the vision of data portability a reality for users worldwide. We believe the next evolution of data portability is about much more than data. It's about giving users the ability to take their identity and friends with them around the Web, while being able to trust that their information is always up to date and always protected by their privacy settings,“ writes Dave Morin on Facebook Developers website. [4]

Although Facebook Connect is just one example of this new trend towards the portability of our social graphs, it has a leg up on both Google’s Friend Connect and MySpace’s implementation of OpenID. With Friend Connect, Google is relying on the power of its brand, but not everyone has a Google account or a friend graph there; you would be creating an account for the sake of having one, which appeals to no one. As for OpenID, a mainstream web user does not know what an OpenID is. But everyone is able to wrap their heads around Facebook Connect. „‚Login with your Facebook ID‘ – that's pretty much as straightforward as it comes,“ says Perez. [5]

Through the seamless Facebook Connect integration, sites can access your Facebook account details and friend graph and move that data back and forth between their site and Facebook. For example, people commenting on a blog using the Movable Type platform will be able to log in via Facebook Connect. Their comment will link to their Facebook profile, and the commenting activity itself will make its way back into their activity feed. On Digg, another site adopting Facebook Connect, you can log in with your Facebook ID and your digging activity is returned to Facebook, too. TripIt, which connects both your Facebook and your e-mail account, is another example of how easily information is shared between one website and another. The fact that some program scans your inbox to look for travel plans feels as revealing as the „naked truth“ body scan at the airport. The difference is that online you’re given the option to decide whether it’s something you allow or not, whereas at the airport you’re not. So it’s up to individuals to get acquainted with their options and to ensure that appropriate security settings are in place.

Facebook has always known that their value – that is, their monetary value – is selling off bits and pieces of your privacy to advertisers. The „real you“ on Facebook is a holy grail for marketers. With the power to spread that to sites across the entire web, everyone using Facebook needs to think where their line is – that is, how much they are willing to expose – and then act accordingly. „The problem is that this time it might not be something as innocuous as the video you rented at Blockbuster that finds its way back to your Facebook profile. As more of the corporate and business-oriented web adopts Friend Connect, the greater the chance for privacy intrusion,“ warns Perez. [5]

In March 2010, Facebook proposed a new privacy policy, Pre-Approved Third-Party Websites and Applications: in other words, the possibility of working with certain partner websites which, once pre-approved, offer a more personalized experience the moment you visit them. [10] Imagine visiting a website and finding that it already knows who you are, where you live, how old you are and who your Facebook friends are, without your ever having given it permission to access that information. How safe do you feel about this? As changes and updates to the Facebook Privacy Policy have become rather frequent, users are encouraged to review the newest proposed changes in their entirety and provide their own thoughts on the Facebook Site Governance Page.

To help ensure online privacy, Google engineer Brian Kennish developed Facebook Disconnect, an extension for the Google Chrome browser, which blocks the transmission of data back to Facebook servers through Facebook Connect on third party websites while still allowing the user to access those sites. The developer says the project was created in his own time and is neither endorsed by nor related to his employer. „In light of Facebook’s highly publicized privacy missteps, some users may be rethinking their relationship with the Web’s most popular social network. If you’re one of them, Facebook Disconnect may be for you,“ advises Catharine Smith on HuffPost Tech. [11]
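The idea behind a blocker of this kind is a per-request decision: stop a page on some other site from sending requests to the social network’s servers, while leaving the network’s own pages untouched so that you can still use it directly. The function below is an added example that illustrates that decision; it is not Facebook Disconnect’s code, and the domain list (only facebook.com, the one domain the post names), the sample page and its requests are constructed. Note the suffix check: matching facebook.com as a plain substring would also catch an unrelated host such as notfacebook.example.

```python
"""Decide which outgoing requests a page may send to a social network: block them from
third-party pages, allow them from the network's own pages. Added example illustrating the
idea behind a Facebook Disconnect-style blocker; it is not the extension's code, and the
domain list and the sample requests are constructed."""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption: the network's domains. Only facebook.com appears in the post; extend as needed.
BLOCKED_DOMAINS = ("facebook.com",)


def host_in_domain(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains, not for look-alikes such as notfacebook.com."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def should_block(page_url: str, request_url: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Block only when the request targets a blocked domain from a page that is not on it,
    so that visiting the network directly keeps working."""
    page_host = urlsplit(page_url).hostname or ""
    request_host = urlsplit(request_url).hostname or ""
    return any(host_in_domain(request_host, d) and not host_in_domain(page_host, d) for d in blocked)


def filter_requests(page_url: str, request_urls: list[str]) -> dict[str, str]:
    """Verdict per outgoing request, as a blocker's request hook would compute it."""
    return {u: ("blocked" if should_block(page_url, u) else "allowed") for u in request_urls}


# Constructed sample: a blog post that embeds a social widget, plus its own assets.
BLOG_PAGE = "https://blog.example/2011/04/privacy-post"
BLOG_REQUESTS = [
    "https://blog.example/static/style.css",
    "https://www.facebook.com/widgets/like?href=https://blog.example/2011/04/privacy-post",
    "https://notfacebook.example/tracker.js",
]

if __name__ == "__main__":
    for url, verdict in filter_requests(BLOG_PAGE, BLOG_REQUESTS).items():
        print(f"{verdict:8} {url}")
```

Only the widget request to the network is blocked; the page’s own stylesheet and the unrelated tracker are left alone, and the same function returns False for a request made from a page on the network itself.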

Conclusion

Associating every action you take online with your real identity is problematic even for people who are less concerned about their privacy. Certainly, the most obvious concern relates to people’s personal safety. It’s already reasonably easy to find out information on most people online, especially if the person is not net savvy enough to take extra steps to make that information harder to find. As more people utilize Facebook to stay connected, more and more people are posting personal information without realizing the information is not always private, and that it could even be shared with third parties without their knowledge.

In one way or another, whether you choose to always stay connected or feel that logging out after every login is a wise step to take, learning the privacy system of any social networking site you join and using restrictive settings by default is in everybody’s best interest – both yours and that of your friends, who you trust and who trust you not to share their personal information. On social networks everybody is connected, and access granted to your profile can easily be used to reach your friends’ profiles as well.

To get started

  1. Learn the Facebook Privacy Policy: www.facebook.com/policy.php
  2. Control how you share: www.facebook.com/privacy/explanation.php
  3. Take the Security Quiz: www.facebook.com/security

References
  1. Ducklin, Paul (December 6, 2009). Sophos Australia Facebook ID probe 2009. Nakedsecurity.sophos.com. Retrieved April 26, 2011.
  2. Emery, Daniel (July 29, 2010). Details of 100m Facebook users collected and published. Bbc.co.uk. Retrieved April 26, 2011.
  3. Ferguson, Rik (July 29, 2010). Facebook Prank, Lost In Translation. Businesscomputingworld.co.uk. Retrieved April 26, 2011.
  4. Morin, Dave (May 9, 2008). Announcing Facebook Connect. Developers.facebook.com. Retrieved April 27, 2011.
  5. Perez, Sarah (July 25, 2008). Facebook Connect Will Be Game-Changing... and Dangerous. Readwriteweb.com. Retrieved April 27, 2011.
  6. Perez, Sarah (April 23, 2010). How to „Like“ Anything on the Web (Safely). Readwriteweb.com. Retrieved April 26, 2011.
  7. Perez, Sarah (April 22, 2010). How to Trick Users into Liking Facebook Pages They’re Not On. Readwriteweb.com. Retrieved April 26, 2011.
  8. Perez, Sarah (June 1, 2010). „Likejacking“ Takes Off on Facebook. Readwriteweb.com. Retrieved April 26, 2011.
  9. Pringle, Bill. Facebook security issues. Billpringle.com. Retrieved April 26, 2011.
  10. Richter, Michael (March 26, 2010). Another Step in Open Site Governance. Blog.facebook.com. Retrieved April 28, 2011.
  11. Smith, Catharine (October 21, 2010). Facebook Disconnect Built By Google Engineer Brian Kennish. Huffingtonpost.com. Retrieved April 28, 2011.
  12. Socialbakers – Heart of Facebook Statistics. Socialbakers.com. Retrieved April 25, 2011.
  13. TripIt Auto Import. Tripit.com. Retrieved April 27, 2011.

2 comments:

  1. There are ways to protect the content you post on Facebook with a simple plugin called uProtect.it -- this unique plugin allows users to encode posts and photo uploads so that only certain selected people can view the protected content. I started using this thing about a week ago, and I haven't worried about anyone stealing any information from me ever since. If you want to try it out, check out uprotect.it/index

  2. I've been using AVG Security for a few years, and I'd recommend this antivirus to all of you.
