1. Friend or Foe?
Steven Hamburg
President & CEO, Eclipsecurity, LLC
facebook@eclipsecurity.com
www.eclipsecurity.com
May 2010
Copyright 2010, Eclipsecurity, LLC
2. So Why Have I Prepared These Materials?
I frequently overhear people I do not know in restaurants and other public settings talking about how they are using Facebook to reconnect with friends and family. Some of the items of discussion I overheard were very alarming to me.
Suspecting I would find the manner in which my friends and family members (e.g., my mother, siblings, nieces and nephews) use Facebook equally alarming, I decided to do some research to determine whether there was enough substance to my observations to warrant preparing these materials.
In no time I gathered enough substance to my observations to warrant preparing these materials.
I soon became the ‘Facebook police’ for my friends and family members, and I continue to notify them frequently when I observe what I consider to be unsafe Facebook usage practices. In each instance, I identify my concern, provide the basis of my concern, and defer to my friends and family members to make their own informed decisions regarding how they apply the insights I have imparted.
I have prepared these materials to expand my capacity; my hope is that those of you I know personally and with whom I have shared these materials will share them with your friends and family members.
My hope is that this will serve as the beginning of a new movement, one in which Facebook users redirect the primary concerns they may have regarding the security of Facebook itself toward thinking about how each Facebook user uses Facebook. As you will see in these materials, what should be of paramount concern is how you are currently using Facebook. While the security of your Facebook profile is important, you need to be aware of whether you are using Facebook in such a way that the contents of your profile could inflict harm upon you, your friends and/or your family members.
3. “Disclaimer” and Purpose
• I do not have a personal vendetta against Facebook
• I am jealous of the brilliant and wealthy individuals who created Facebook
  • Co-Founder & CEO Mark Zuckerberg is 26 years old with a net worth of $4B
• Part of my job description is to be paranoid and to perform counter-intelligence
• The sole objective of this material is to help you understand the risks associated with Facebook use so you may make more informed decisions regarding future use
4. “Disclaimer” and Purpose
• The topic of Facebook use is very controversial, and I recognize that you can do whatever you want to do in life
• I further recognize that you may not agree with some of my perspectives regarding Facebook use, and pointedly, you may strongly disagree with some of my recommendations
• Again, the sole objective of this material is to help you understand the risks associated with Facebook use so you may make more informed decisions regarding future use
5. Facebook Pop Quiz
If you answer “yes” to any of these questions, you have failed this quiz.
1. Do you have photographs of your children on your profile?
2. Do you have the names of your children on your profile?
3. Do you have your birth date (i.e., month and day at a minimum) on your profile?
4. Do you have pictures of your house / where you live on your profile?
5. Do you post your political views on your profile?
6. Do you post information regarding your medical condition on your profile?
7. Do you indicate future travel plans on your profile?
8. Do you allow your children to use Facebook?
6. Facebook – A Global Target
Which is more secure?
[Slide image: Mac (~8% market share) vs. Windows (~90% market share)]
7. A Word about Mac Security vs. Windows Security
[Slide image not reproduced]
8. A Word about Mac Security vs. Windows Security
[Slide image not reproduced: security updates released for the Mac]
9. A Word about Mac Security vs. Windows Security
• Apple has its share of security issues, just as Microsoft does (highlighted on the previous page are security updates that have been released for the Mac)
• “Cyber criminals” are criminals of opportunity
  • If Apple’s total computer market share is approximately 8% and Microsoft’s total computer market share is approximately 90%, who would you target?
• Just because you may own a Mac does not mean you are more secure than you would be if you owned a Microsoft Windows-based computer
• Apple computers are also attacked by viruses
10. Facebook – A Global Target
• More than 400 million active users
  • As of May 15, 2010, the global human population was estimated at 6.821 billion
  • Facebook’s user population is ~6% of the entire human population
  • A recent article in Fortune Magazine indicated Facebook is nearing its 500 millionth user
• 50% of active Facebook users log on to Facebook in any given day
• The average Facebook user has 130 friends
• People spend over 500 billion minutes per month on Facebook
• There are over 160 million objects that people interact with (i.e., pages, groups and events)
  • The average Facebook user is connected to 60 pages, groups and events
  • The average Facebook user creates 70 pieces of content each month
• More than 25 billion pieces of content (e.g., web links, news stories, blog posts, notes and photo albums) are shared each month
• About 70% of Facebook users are located outside the United States
Source: http://www.facebook.com/press/info.php?statistics
11. Facebook – A Global Target
• Remain aware of the statistics provided on the previous page as you continue reviewing these materials
• Think about how many people you do not know may take an interest in your Facebook profile, or in your children’s Facebook profiles, or in your niece’s / nephew’s Facebook profile, etc.
• Think about how many of these people may take an interest in such Facebook profiles with malicious thoughts in mind
• There is a lot to think about!
12. Facebook – A Global Target
Top 10 social networking sites (as of April 2010)
1. Facebook
2. YouTube
3. MySpace
4. Twitter
5. Tagged
6. Yahoo! Answers
7. Yahoo! Profiles
8. myYearbook
9. Windows Live Home
10. Mocospace
Source: http://www.socialnetworkingwatch.com/usa-social-networking-ran.html
13. Facebook – A Global Target
Picture yourself as being the best at something; maybe you are the #1 ranked professional tennis player, maybe you are the President of the United States of America, maybe you are the CEO of Microsoft, maybe you currently manage 500 people in your company, maybe you created the award-winning recipe at the latest Pillsbury Bake-Off® Contest, …
We all know what happens when one is at the top: they become targets. There is always a community of people that want to ‘dethrone’ those at the top; it is our competitive nature.
Facebook is currently the #1 social networking site. What are the threats to your well-being given that you have a Facebook profile?
14. Facebook Threat Landscape
[Slide image: world map of malicious activity, colour scale running from less malicious activity to more malicious activity]
Source: http://www.team-cymru.org/ (May 13, 2010)
15. Facebook Threat Landscape
The visual provided on the previous page, prepared by Team Cymru Research NFP, suggests that extensive malicious activity potentially originates from the eastern United States and from Europe.
Leverage this as an illustration of the potential extent of cyber criminals that exist in our world today. How many of these cyber criminals have their cross-hairs set on Facebook as a target?
Note: What is depicted on the world malicious activity map on the previous page consists solely of approximations. Additionally, the real individuals behind the malicious activity represented could be far away from any of the displayed locations, controlling these compromised systems remotely.
16. Facebook Threat Landscape
Each individual pixel (i.e., small dot) of the full map represents 4096 IP addresses. The coloration of the map is scaled in "heatmap" style - if no IP addresses from the block represented by a given pixel were found in our dataset of malicious activity, it will remain black. If any addresses were found, the pixel will be shaded based on the number, starting with blue, transitioning through purple, green, yellow, orange, red, and, finally, to white for the largest concentrations of malicious activity.
Source: http://www.team-cymru.org/
17. Facebook Threat Landscape
• Referring to the visual on the previous page, an IP (i.e., Internet Protocol) address is essentially a computer’s phone number. Each small blue dot indicates there is at least one IP address (i.e., in simple terms, one computer, although a single address can also front many machines sharing a home or office router) within a block of 4,096 consecutive IP addresses that is engaging in malicious activity. From blue, each dot transitioning to purple, green, yellow, orange, red, and, finally, to white indicates increasing concentrations of malicious activity.
• What is the point of the previous two visualizations? To ensure you understand that there are numerous individuals engaging in malicious activity on the Internet, and that a subset of these individuals are targeting Facebook users.
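The two slides above describe how the Team Cymru map is built: 4096 addresses per pixel (that is 2^12, so one IPv4 /20 block) and a colour ramp from blue to white by count. The following script is an added example, not Team Cymru’s code nor part of the original deck; it aggregates a small constructed feed of "malicious" addresses (RFC 5737 documentation ranges, so no real network is implicated) into /20 blocks and shades each block. The linear colour scaling and the de-duplication of repeated addresses are assumptions; the slides do not say how the real map scales its counts.

```python
import ipaddress
from collections import Counter
from typing import Dict, Tuple

# One map pixel covers 4096 addresses = 2**12, i.e. one IPv4 /20 block.
BLOCK_PREFIX = 20

# Colour steps from the Team Cymru legend, lowest count to highest.
# Blocks with no malicious addresses stay black.
SCALE = ("blue", "purple", "green", "yellow", "orange", "red", "white")

# Constructed sample feed, one address per line. The duplicate entry and the
# junk line are deliberate so the parser's handling of both is exercised.
SAMPLE_FEED = """\
203.0.113.7
203.0.113.250
203.0.114.9
198.51.100.23
198.51.100.23
192.0.2.1
not-an-address
"""


def block_of(ip: str) -> str:
    """Return the /20 block (as 'a.b.c.0/20') that contains ip."""
    net = ipaddress.ip_network(f"{ip}/{BLOCK_PREFIX}", strict=False)
    return str(net)


def count_blocks(feed: str) -> Counter:
    """Count distinct malicious IPv4 addresses per /20 block.

    Each address is counted once even if the feed repeats it; lines that
    are not valid IPv4 addresses are skipped rather than aborting the run.
    """
    seen = set()
    counts: Counter = Counter()
    for line in feed.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addr = ipaddress.IPv4Address(line)
        except ValueError:
            continue
        if addr in seen:
            continue
        seen.add(addr)
        counts[block_of(str(addr))] += 1
    return counts


def colour(count: int, max_count: int) -> str:
    """Map a block's count onto the seven-step scale.

    Assumption: a linear ramp between 1 and the busiest block (the deck does
    not state Team Cymru's actual scaling). A count of zero stays black.
    """
    if count <= 0:
        return "black"
    if max_count <= 1:
        return SCALE[0]
    step = (count - 1) / (max_count - 1) * (len(SCALE) - 1)
    return SCALE[round(step)]


def heatmap(feed: str) -> Dict[str, Tuple[int, str]]:
    """Block -> (distinct malicious addresses, pixel colour) for a feed."""
    counts = count_blocks(feed)
    peak = max(counts.values(), default=0)
    return {block: (n, colour(n, peak)) for block, n in counts.items()}


if __name__ == "__main__":
    for block, (n, shade) in sorted(heatmap(SAMPLE_FEED).items()):
        print(f"{block:<18} {n:>3} address(es) -> {shade}")
```

Note that 203.0.113.7 and 203.0.114.9 land in the same /20 (203.0.112.0/20): two adjacent /24s share a pixel, which is why one bright dot on the map can hide several unrelated networks, and why the slide’s "one dot, one computer" reading is only a simplification.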
18. Internet Threat Landscape
• Viruses, Trojans, and other forms of malicious software
  • “A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.” – How Computers Work by Marshall Brain (http://www.howstuffworks.com/virus.htm)
  • “A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.” – How Computers Work by Marshall Brain (http://www.howstuffworks.com/virus.htm)
• Malicious software: Any computer program that has been specifically designed to inflict harm on a computer or on an individual using a computer (e.g., by stealing confidential information or by causing the loss of critical information on a computer).
19. Internet Threat Landscape
• Now think about the statistics presented earlier under “Facebook – A Global Target”
  • More than 400 million active users
  • Average user has 130 friends
  • People spend over 500 billion minutes per month on Facebook
  • More than 160 million objects Facebook users interact with
  • Average user is connected to 60 pages, groups and events
  • More than 25 billion pieces of content shared each month
• Now ask yourself these questions:
  • How many active users are injecting pieces of Facebook content with malicious software?
  • How does it make you feel that you may have no way of knowing whether a piece of Facebook content contains malicious software that could harm either your computer or important data on your computer?
  • Could your being exposed to malicious software on Facebook cause you to inadvertently spread the virus / Trojan to your Facebook friends? Could this result in your causing your friends’ personal information to be inappropriately disclosed, thereby compromising their safety?
20. Internet Threat Landscape
• Social engineering
  • This is the art of using people’s helpful nature against them for personal gain
  • If someone wants you, a complete stranger, to provide them with something in your possession, what is the key enabler for ensuring their success? Information.
  • What information does your Facebook profile provide that could enable a malicious person to subject you to social engineering?
  • Refer to these real-life examples: http://www.msnbc.msn.com/id/32671543/ns/technology_and_science-security/ and http://socialharbor.com/blog/facebook-money-transfer-scam/
21. Internet Threat Landscape
• Users that are criminals
  • Thieves
  • Malicious brokers (sellers of compiled personal information)
  • Pedophiles and predators
  • Serial killers
  • Egomaniacs (i.e., hacking / malicious activity solely for notoriety)
What information does your Facebook profile provide that could enable a thief, malicious broker, pedophile, predator, serial killer, egomaniac, etc., to achieve their ultimate goals?
22. Internet Threat Landscape
• Cyberbullies
[Slide image: bar chart of cyberbullying survey results; the data compiled for the survey represented in this bar chart was compiled in February 2010]
Source: Cyberbullying Research Center – www.cyberbullying.us
23. Internet Threat Landscape
• Now that you have a better understanding of the types of malicious people that may be targeting Facebook users, are you going to change the way you are currently using Facebook?
• What are you going to tell others you know that are currently using Facebook?
24. How Secure is your Facebook Profile?
[Slide image: screenshot of the author’s Password Safe window, with the total entry count shown in the lower right-hand corner]
Use a very strong and complex password; the password is the only security control within your control that prevents others from accessing and modifying (i.e., as opposed to merely viewing) your Facebook profile.
If you think Facebook profiles do not get hacked, read the article located at: http://redtape.msnbc.com/2009/01/post-1.html.
25. How Secure is your Facebook Profile?
• I use a freely available piece of software called Password Safe. It is available for download at http://passwordsafe.sourceforge.net/.
• As you can see in the lower right-hand corner of the visual provided on the previous page, at the time I prepared these materials I had 445 total entries in my Password Safe. What does this mean? It means I have 445 distinct user accounts, each consisting of, at a minimum, a user name and a password.
• Perhaps you use the same user name and password for all of your accounts, or perhaps you have heard others complain about their inability to commit distinct user names and passwords to memory for multiple user accounts?
• The benefit of using Password Safe or similar software is that you only need to commit a single password to memory. This single password becomes your key to unlock access to all of your remaining user accounts.
• Make sure that the single password you must commit to memory is one that will be virtually impossible for anyone else to guess
26. A Word About Passwords
• Passwords that protect personal items of vital importance / value
  • Examples include an online banking account, anything that contains personal information (e.g., Facebook accounts), and certainly the password required to access the equivalent of a Password Safe
• Make passwords very complex and virtually impossible to guess
  • Passwords should consist of at least 8 to 10 characters mixing letters, digits and special characters; example: Yz6*!13Gh%
  • My passwords are typically a minimum of 15 characters long; every additional character multiplies the number of guesses an attacker must try, so length does more for you than any single special character
  • Using a tool such as Password Safe enables you to use extremely complex passwords and varying user names that need not be committed to memory
• Note: Make sure you are aware of whether the passwords you use to access certain systems are case-sensitive
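To make the “8 to 10 characters with special characters” versus “15 characters” advice above concrete, the following is an added example (not part of the original deck and not Password Safe’s code). It estimates the best-case guessing entropy of a password from its length and the character classes it uses, and generates a random password from the operating system’s CSPRNG the way a password manager would. The character-class pool sizes are those of Python’s `string` module; the entropy figure is an upper bound that assumes every character was chosen uniformly at random, which is exactly what a human-chosen word or pattern is not.

```python
import math
import secrets
import string

# Character classes that contribute to the guessing pool an attacker must cover.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def pool_size(password: str) -> int:
    """Alphabet size an attacker must assume, given which classes appear."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Best-case guessing entropy in bits: length * log2(pool).

    This is an upper bound. It treats every character as an independent
    uniform draw, so a dictionary word or keyboard walk scores far higher
    here than it would actually resist a cracker.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def generate(length: int = 15) -> str:
    """Generate a password with the OS CSPRNG (secrets, never random).

    Rejection sampling guarantees at least one character from every class,
    so the result always scores with the full 94-character pool.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


if __name__ == "__main__":
    # The slide's own example next to a plain word and a generated 15-character one.
    for pw in ("password", "Yz6*!13Gh%", generate(15)):
        print(f"{pw:<20} pool={pool_size(pw):>3} bits={entropy_bits(pw):6.1f}")
```

The slide’s example Yz6*!13Gh% scores roughly 65.5 bits, while a 15-character password drawn from the same four classes scores about 98 bits: five extra characters buy more than a thousand times more guessing work, which is the point of the author’s 15-character habit.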
27. Disconcerting Facebook Usage Scenarios
[Slide image: Facebook profile of a 14 year old girl]
28. Disconcerting Facebook Usage Scenarios
Review the contents of the previous page and consider the following from a predator’s point of view, or perhaps from the perspective of a person (maybe a fellow student) that is obsessed with the 14 year-old girl that has included ‘likes and interests’ in her Facebook profile:
1. “Due to the fact she is in the class of 2014, I know that she is 14 years old.”
2. “I know which high school the girl attends every day school is in session.”
3. “I can use what she has posted regarding her likes and interests to gain her interest in me.”
4. “Reviewing other content provided in her Facebook profile, I will know who her friends are, where she lives, and where she may be in the future.”
5. “I am confident she is vulnerable, but if I am unsuccessful in achieving my objectives with her, I will target one of her friends.”
Something additional to think about: Is there content in your child’s Facebook profile that makes it easy for others to deduce your child’s birth date?
29. Disconcerting Facebook Usage Scenarios
1. Rigorously monitor your children’s Facebook content and Facebook activity
  a. Perhaps make it a condition that if your children are to be permitted to use Facebook, you will be capable of accessing your children’s Facebook profile, and you will be permitted to modify and / or remove any content, at your discretion, from your children’s profile
2. Consider not allowing your children to use Facebook until they reach a certain age
  a. It is important to realize that children and adults alike with many friends are conduits to numerous other children and adults
  b. Then a question comes to mind: Are you potentially doing something that could compromise the safety / well-being of your Facebook friends?
My wife and I currently do not allow our children to use Facebook, and my wife currently does not use Facebook in any capacity.
30. Disconcerting Facebook Usage Scenarios
“My parents are so cool. They let me go to the Hawthorne Shopping Mall on my own, which is where I am now!”
– 12 year old girl’s posting on her Facebook profile
All I have to say about this is that anyone in the vicinity of Hawthorne Shopping Mall knows that a 12 year old girl is all alone. Such people know what this girl looks like, know her interests, and have access to any other information that may assist them in achieving whatever objectives they may have in mind.
I contacted this child’s mother, who happens to be a very close friend of mine, and she accessed her daughter’s Facebook profile and removed this posting immediately.
31. Disconcerting Facebook Usage Scenarios
Refrain from including personal information that could be used to compromise your identity
1. Do not provide your entire birth date in your profile; if you must, provide only your birth month
2. Do not provide your home address; if you must, provide only the state in which you reside
3. Consider not posting photos of your home / neighborhood
4. Consider not becoming a ‘friend’ with your mother if she is still using her maiden name (your mother’s maiden name is a common account-recovery security question)
I am currently following all four recommendations above and I never will provide any information that could compromise my identity
32. A Word about Identity Theft: It Won’t Happen To Me!
• Identity theft is not biased; it affects everyone
• Identity theft is the fastest growing non-violent crime in the U.S.
• 2009 identity theft statistics indicate the following:
  • 11.1 million adults in the U.S. were victims of identity theft in 2009: that’s 21 people victimized each minute!
  • The total fraud amount was $54 billion
  • The average identity theft victim spent 21 hours resolving the crime
  • 4.8% of the U.S. population was a victim of identity fraud in 2009
  • 13% of identity fraud crimes were committed by someone the victim knew
Source: http://www.spendonlife.com/blog/2010-identity-theft-statistics
33. A Word about Identity Theft
• Review the statistics on the previous page again and ask yourself this simple question
  • “Have I included information in my Facebook profile that could potentially be used to compromise my identity?”
• Remember, 13% of identity fraud crimes committed in the U.S. in 2009 were performed by people the victims knew
34. A Word about Identity Theft: What’s an Identity?
Are you really what you eat? You are your personally identifiable information (PII):
• Name
• Number and gender of children
• Birth dates
• Addresses
• Telephone numbers
• Driver’s license
• Marital status
• Mortgage information
• Civil judgments
• Bankruptcies
• Ethnicity
• Religion
• Hobbies
• Purchases
35. A Word about Identity Theft: Personally Identifiable Information
• Personally identifiable information is any information that could be used by someone to identify you as an individual
• Some information about you may not be able to be used in isolation to identify you; however, in combination with other information, it could be used to identify you
• Plain and simple: Protect your PII as you would protect any other valuables (e.g., money)
36. A Word about Identity Theft: Identity Theft Explained
• Two primary types of identity theft economic crimes
  • Account takeover
    • Thief acquires a person’s existing credit account information and uses it to purchase products and services
    • Typically executed in less than two days
    • Perpetrators often transition to another target before anyone notices a crime has occurred
37. A Word about Identity Theft: Identity Theft Explained
• Two primary types of identity theft economic crimes (continued)
  • Identity theft / “true name fraud”
    • Thief uses another person’s Social Security number and other PII to fraudulently open new accounts and obtain financial gain
    • Victims are typically unaware that fraudulent activity has occurred for an extended period of time
    • Thief may continue the activity for months / years
38. A Word about Identity Theft: Notable Identity Theft Incidents Impacting Companies You Know
TJX (TJ Maxx, Marshalls, and others)
• Initial hacking incident occurred
• More than 94M consumers impacted
• More than $250M in fines and court settlements
Gap Inc.
• A laptop containing PII of job applicants was stolen from the offices of an experienced third-party vendor that manages job applicant data
Home Depot
• A laptop computer containing about 10,000 employees’ PII was stolen from a regional manager’s car
Blockbuster
• A Sarasota resident found 400 membership forms and employment applications containing PII in a trash container
United Healthcare
• Posted PII of doctors at Columbia University’s faculty practice on a public Web site
American Red Cross
• Six boxes containing employees’ PII left unattended in a public hallway for more than six hours
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm
39. A Word about Identity Theft: Tally of Identity Theft Incidents
Total number of impacted people???
More than 354 million since January 2005
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm
40. A Word about Identity Theft: An Example of how PII in Your Facebook Profile Could be Used Against You
http://www.pcworld.com/printable/article/id,184522/printable.html
"People aren't just handing over their own life story to criminals," Ducklin commented. "They're betraying people close to them too, by helping those cybercrooks build up a detailed picture of their life and their milieu. This is an identity scammer's dream."
IT security firm Sophos has announced its latest probe into how easy it is to steal identities via Facebook and found that user negligence is worse in 2009. "We assumed things would be better in 2009 but the situation is worse. This really is a wake-up call," said Paul Ducklin, head of technology, Sophos Asia-Pacific (Sydney). Ducklin, who led the Facebook probe, said they created two fictitious users with names based on anagrams of the words "false identity" and "stolen identity." He said 21-year-old "Daisy Felettin" was represented by a picture of a toy rubber duck bought at a US $2 shop; 56-year-old "Dinette Stonily" posted a profile picture of two cats lying on a rug. Each sent out 100 friend requests to randomly-chosen Facebook users in their age group.
Within two weeks, a total of 95 strangers chose to become friends with Daisy or Dinette -- an even higher response rate than when Sophos first performed the experiment two years ago with a plastic frog. Worse still, Ducklin said, in the latest study, eight Facebookers befriended Dinette without even being asked. Ducklin said 89% of the 20-somethings and 57% of the 50-somethings who befriended Daisy and Dinette also gave away their full date of birth. "Nearly all the others suppressed their year of birth, but this is often easy to calculate or to guess from other information given out," he said, adding that even worse, just under half of the 20-ish crowd, and just under a third of the 50-ish crowd, gave away personal information about their friends and family.
41. A Word about Identity Theft: An Example of how PII in your Facebook Profile Could be Used Against You
http://www.pcworld.com/printable/article/id,184522/printable.html (continued)
Sophos is calling on users of social networking sites to think much more strictly about what it means to accept someone as a friend. "We're not trying to be killjoys," Ducklin explained. "We just want you to be much more circumspect about whom you choose to trust online." Graham Cluley, senior technology consultant for Sophos, revealed that 10 years ago it would have taken several weeks for con artists and identity thieves to gather such kind of information about a single person. "Social networks have made it easier for the bad guys to scoop up information about innocent members of the public. Everyone must learn to be more careful about how they share information online, or risk becoming the victims of identity thieves."
Sophos produced the following top tips for users who want to protect themselves from identity thieves on Facebook: Don't blindly accept friends. Treat a friend as the dictionary does, namely "someone whom you know, like and trust." A friend is not merely a button you click on. You don't need, and can't realistically claim to have, 932 true friends. Learn the privacy system of any social networking site you join. Use restrictive settings by default. You can open up to true friends later. Don't give away too much too soon. Assume that everything you reveal on a social networking site will be visible on the internet for ever. Once it has been searched, and indexed, and cached, it may later turn up online no matter what steps you take to delete it.
"Our honeymoon period with social networking sites ought to be over by now -- but many users still have a 'couldn't care less' attitude to their personal data," Ducklin added.
42. Disconcerting Facebook Usage Scenarios
“Burglary: Occurred between 7/31/09 and 8/16/09 on <street name withheld>. Residents returned from vacation to find that someone unknown forced open a rear door and ransacked the house. It is unknown at this time what is missing. The resident did not register for a vacation house watch, there is no alarm on the residence, and the children had posted the whereabouts of the family on FaceBook.”
– Neighborhood police blotter
1. Never announce an impending vacation or impending business travel
2. Consider not announcing funeral arrangements for the passing of a family member or friend
  a. Burglars leverage obituaries and information pertaining to funeral arrangements so they may gain access to vacant homes. You should always have someone stay at your home when attending a family member’s funeral.
I am currently following both recommendations above and wait until after I return from a vacation / business travel before incorporating any relevant information in my profile
43. Disconcerting Facebook Usage Scenarios
Think twice about content in your Facebook profile that could be career-limiting
1. Consider refraining from presenting your political points-of-view
2. Do not post anything that would be perceived as offensive by co-workers, your boss or your employer
3. Do not post anything confidential in nature applying to your employer
4. Do not disclose anything regarding your personal health or the health of your children
5. Never use profanity
6. Do not post content during working hours
I do not leverage Facebook as a platform to vocalize my political views, and I will always practice the remaining recommendations.
You never know who may see your Facebook profile, and once created, it may never cease to exist.
44. Disconcerting Facebook Usage
Scenarios
• With the advent of the Internet, search engines, and social networking sites,
employers are using these evolving resources in support of their recruitment
processes
• Could information regarding your medical condition posted in your Facebook profile
cause a prospective employer to remove you from consideration? Could it
compromise your ability to file an insurance claim or compromise a lawsuit in the
future?
• Discussing politics could become contentious; could posting your political views
gp p gy p
compromise your ability to f find a new job? Could it alienate you f
from your co-
workers?
• Your children will be employees one day. Is there something currently in their
Facebook profiles that could compromise their ability to get a job in the future?
• Is there anything in your Facebook profile that your children and / or friends may
find embarrassing or insulting?
Note: I am not an attorney; however, I am aware that it may be unlawful for
prospective employers and active employers to use this type of information in a
discriminatory way.
45. Disconcerting Facebook Usage Scenarios
Showcasing your family members
1. Re-think posting photos of your children in your Facebook profile
a. Are you aware of others who are posting photos and names of
your children?
2. Re-think including the names of your children in your
Facebook profile
I do not ever plan to include photos of my family members in
my Facebook profile.
46. Disconcerting Facebook Usage Scenarios
It is impossible for you to control what others say about
you, what content they may include about you, what
photos they may have or take of you that they may post
in their Facebook profile, how they may interact with your
Facebook friends, how they may incorporate information
about your children and other family members that are
Facebook users, etc.
It is a worthwhile exercise to reflect upon these aspects
that are not within your control and begin to understand
what existing content in your Facebook profile should be
removed, and the nature of information you should
refrain from including in your Facebook profile in the
future.
47. Disconcerting Facebook Usage Scenarios
“I can not believe <John Doe> fired you; what a <expletive> idiot. These
guys are so stupid, this workplace is a joke. If they didn’t pay me so much
money I’d have been out of here way before you were terminated; the
money is just too good to leave!”
– Employee being groomed to become a Senior Partner at an accounting
firm whose employment was since terminated
Wondering what happened?
A co-worker was fired. The employee quoted above was very close friends
with this co-worker. The co-worker configured her Facebook account to
send all correspondences, updates, etc. to the email account she was
provided by her employer. After the co-worker was fired, her email account
was disabled, and all incoming emails sent to her were received in the
accounting firm’s ‘catchall’ email account. An administrator at the
accounting firm that received all catchall emails retrieved and reviewed
this email from the employee being groomed to become a Senior Partner.
In response to his sentiments, the Senior Partners and Owners of the
firm terminated his employment.
48. Disconcerting Facebook Usage Scenarios
Do not configure Facebook to send any notices /
correspondences to an email account given to you by
your employer; if you must, use only your personal email
account (e.g., Yahoo! and GMail)
While I am self-employed, I still have not configured
Facebook to send notices / correspondences to my
company email account. Further, I have configured
Facebook to not send me any notices / correspondences.
I always log into my Facebook profile in order to view
any updates and correspondences.
49. A Word about Email Security
1. Email, by default, is not secure
2. Send unsecured email with the expectation that it
could be disclosed to anyone in the world
3. The more popular your email service provider,
the more susceptible you are to malicious activity
Examples: Your emails may be more likely to be
intercepted or spoofed (i.e., a malicious person may
send defamatory / offensive and other inappropriate
emails that appear to have been sent by you to both
people you do and do not know – e.g., the “From”
field in the recipient’s email Inbox would contain
yourname@yahoo.com)
50. Disconcerting Facebook Usage Scenarios
Think before you use Facebook applications
You are subject to privacy policies and terms of use that are unique
to each application; a lot to review and monitor on an ongoing basis.
Using Facebook applications may compromise your Facebook friends’
privacy.
51. A Word about Privacy Policies and Terms of Use Provisions
Source: http://nces.ed.gov/naal/kf_demographics.asp
52. A Word about Privacy Policies and Terms of Use Provisions
Some privacy policies and terms of use provisions are
well written and some are not. Some are easy to
interpret and others may require a lawyer’s mindset to
decipher.
As may be seen from the statistics provided on the
previous page, there is a large community of individuals
who, if they took the time to review respective Facebook
application-related privacy policies and terms of use
provisions, would likely lack the literacy required to fully
understand what is being communicated in written
form.
53. Want More Proof Regarding Risks Associated with Facebook Use?
Take the time to review all privacy and security options at your disposal and configure them to
what makes the most sense for you, your family and your friends.
This Account Security option is an acknowledgment by Facebook that its users are being
targeted by malicious people. I have included this to demonstrate one thing: Facebook
itself understands it is a global target, and you need to understand this too!
54. A Word about Facebook’s Privacy Policy and Privacy Settings
Plain and simple, Facebook has received a
substantial amount of bad publicity regarding its
privacy policy and its privacy settings; both are a
moving target. If you decide to post personal
information about yourself, your children, other
family members and friends, I urge you to frequently
review Facebook’s privacy policy and Facebook’s
privacy settings.
Historically, many times when Facebook has created a new
privacy setting, the default it has chosen for that setting has
proved to be risky to its users.
55. Closing Thoughts
1. Just be careful. Think about the reasons why you do not wear an imprint of your social security card
on your shirt, the measures you employ to keep your family safe, why you do not broadcast to the
world how much money you earn annually, etc.
2. Life is complicated these days and no one needs to introduce more complexity and risk into their
lives. If you decide to be conscientious regarding how you use Facebook, it imposes a substantial
burden upon you.
3. It is not just yourself you are potentially subjecting to risk; your Facebook use could be harming your
friends and family members.
4. Reflect upon why you are using Facebook and focus your usage on achieving your Facebook usage
objectives.
a. Consider only becoming ‘friends’ with people you know; many Facebook users connect with anyone in order to maximize the
number of Facebook friends they have
5. For the most part, it is not Facebook that is insecure; it is the manner in which numerous people use
Facebook that makes their personal / professional lives less secure.
6. Share what you have learned with others; increase their awareness. If these materials have been
helpful to you, share these materials with your friends and family members. Making informed
decisions regarding Facebook use requires sufficient awareness.
7. You may not agree with some or most of the content in these materials. You may think everything
outlined in these materials is obvious. However, my observation of my friends’ use of Facebook
has demonstrated a number of instances where the basic principles in these materials are not
being followed, resulting in people introducing unnecessary and undesirable risk into their
lives. If you do not find much value in these materials, do not allow your opinion to prevent
you from sharing these materials with others who likely will benefit from the topics this
material addresses.
8. Together, let’s start a movement. Let’s reduce the unnecessary and undesirable risks
facing Facebook users one person at a time!
56. Contact Me if You Have Questions!
Nevada
West Virginia
Contact Information
Steven Hamburg,
President & CEO, Eclipsecurity, LLC
facebook@eclipsecurity.com