Tuesday, June 19, 2012

Facebook privacy settings

There have been a lot of changes recently to the privacy settings available in Facebook.  I've been asked by a few of my friends which settings they should look at or fix.  Well, here's a quick explanation of the current Facebook privacy settings.

Default privacy setting: This is the audience for which each post will automatically be made available.  This setting can be changed in each individual post as well.
  • "Public".  With this setting, all of your posts will automatically be available to all Facebook users.  Probably not a good idea.
  • "Friends".  Only friends will automatically see your posts.  There may be instances however where friends of friends or others that are tagged in photos may also see those posts.
  • "Custom".  This allows you to more tightly control who automatically sees your posts.  You can create lists of people to see your posts, maybe a subset of your friends, or simply set the default to "Only Me".  If you use the "Only Me" setting, you are the only one ever going to see any of your posts unless you change the settings on each one once you make the post.  There are a few other handy settings in there that allow you to set up lists of specific people to hide your posts from and also a checkbox to hide the posts from friends of people you tagged.
How you connect: There are 3 settings in here that control how you connect with others.

  • Who can look you up using the email address or phone number you provided?  It appears the default setting here is "Everyone".  It would be a good idea to change this to "Friends".  This would actually be a good place for another choice that narrows the audience down even more, or opts out completely of allowing anyone to search on phone number or email address.  Until then, it may be a better idea not to supply a phone number or external email address in the first place.
  • Who can send you friend requests?  Really not many choices here - "Everyone" or "Friends of Friends". Take your pick on whether you want friend requests or not.
  • Who can send you Facebook messages?   Spam and messages with malicious content are all over the place.  While Facebook tries to do the best they can to eliminate those messages, a lot still get through.  This is a setting that you should definitely change from the default of "Everyone" to "Friends".
Timeline and Tagging:  These settings allow you to control your timeline posts and people tagging you.
  • Who can post on your timeline?  You can change this to "No One" if you don't want anyone to post anything to your timeline.  Maybe?  See the next option.
  • Who can see what others post on your timeline?  This one allows you to customize from "Everyone" down to specific lists of individuals.  Not sure how this one actually works if you select "No One" else to post to your timeline.  Not allowing others to post to your timeline would mean there is nothing for anyone else to see.  Regardless, at least change this to "Friends".
  • Review posts friends tag you in before they appear on your timeline?  By turning this on, you have to approve all posts that have you tagged before they are published.
  • Who can see posts you've been tagged in on your timeline?  This one also lets you choose from "Everyone" down to specific lists of individuals.  At a minimum, change this to "Friends".
  • Review tags friends add to your own posts on Facebook?  Turning this on allows you to block tags that others may add to your posts.  This is a good idea to prevent a lot of people you don't really know from gaining access to your posts.  Basically, once somebody is tagged in a post, they have access to it and in most cases friends of that person also gain access.
  • Who sees tag suggestions when photos that look like you are uploaded?  If you haven't noticed, Facebook may suggest tags when you post photos that contain recognizable images of other Facebook users. The default seems to be "Friends", but it's a good idea to change this to "No One".  This helps control photos that can potentially get linked to you.
Ads, Apps and Websites: Settings to see what types of data each installed app supposedly needs.
  • Apps you use.  This displays the apps you currently have installed on Facebook. It's a good idea to check through this list and see if any of the apps are no longer in use.  If that is the case, remove them.  There is an "Edit Settings" button that will allow you to "edit" the settings for each of the apps, but don't get too excited.  Most of the apps simply have this huge list of data they require (really?) and no means to control any of that data except by removing the app itself.
  • How people bring your info into apps they use.  This is a good one to look through.  The default used to be (maybe it still is) that all your info is automatically available to apps your friends may be running.  This is your personal info like your birthday, photos, hometown, etc.  Honestly, I can't think of a good reason to have any of the boxes checked here.
  • Instant personalization.   This allows you to see and share personal Facebook data when going to sites like Yelp, Bing and Zynga.  Since it's not always clear how any external site will use your data, it's a good idea to uncheck the box here.
  • Public search.  This controls whether internet search engines like Google will display your timeline if somebody happens to search on your name.  Removing the check from the box means that your timeline should not appear in internet searches.
  • Ads.  There are two basic settings involved here.  The first is to possibly show your information in third party ads in the future.  While Facebook claims to not provide this info at the current time, it's curious this choice is even available.  Select "No One".  The second setting involves Facebook ads.  Select "No One" here as well.
Limit the audience for past posts:  This will allow you to change the audience for past posts you have previously made from "Friends of friends" or "Everyone" to "Friends".  It's a good way to go back and tighten up who can see your older posts instead of going to each post and changing the audience setting.

Blocked People and Apps:  This allows you to set up ignore lists for invites, apps and other interaction from Facebook users.

There are also a few other settings scattered around that you should look at:
  • Under Account settings, go to Security.   The first setting listed, "Secure Browsing", should be enabled.  This makes the site use https by default, which provides some level of encryption between the browser and the server so the data passed back and forth is not in the clear or easily readable.
  • Control what others see on your timeline/profile.
    • If you really need people to wish you a happy birthday, just list the month and day, not the year.  Your complete birthday is widely used as a means of verification and should never be posted for all to see.
    • If you feel the need to post an email address, use either a Facebook email address or a "throw-away" address that you don't really use anywhere else.
    • Don't post your full address or phone numbers.  It is just safer to not post this stuff where you may not have complete control over who sees it.
    • Please, please, please don't post any information on Facebook or any other public web site that provides clues as to what you might use for passwords or challenge questions.  Don't make it easy for somebody to guess your passwords.
This is by no means an exhaustive list.  Settings and capabilities change from time to time, so be aware of what kind of data you are posting and who may have access to that data.

Wednesday, June 6, 2012

Leaked passwords

Very rarely do you have control over how your password is stored on any web site or external server.  There is always the possibility passwords can be retrieved and then subsequently cracked.  Hopefully most sites take extreme care and perform some sort of encryption, but there are probably still cases where passwords are stored in the clear.  No trick to cracking those.

The latest LinkedIn password leak (see also here or here) sounds like the passwords were retrieved in a simple, unsalted SHA-1 hash format.  While that makes it a little harder to crack, it is far from impossible.  If that is the case, you can run a "known" word through the SHA-1 algorithm and then see if the resulting hashed string matches anything on the leaked list.  While that could take a long time one-by-one, it is simple enough to automate against any dictionary or list of common passwords.  And as has been publicized in numerous reports, most passwords are a) relatively simple to guess and b) reused for multiple accounts.  You almost have to treat each password as single use, changing it often, making it complex enough to avoid casual cracking yet easy enough to use.  Sounds pretty simple, right?
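To make the point concrete, here is a small added example (my own illustration, not code from any of the linked reports, and the word list and "leaked" hashes in it are constructed, not from the LinkedIn data).  It shows the two sides of the argument above: with unsalted SHA-1 the hash of a word is the same for every user on every site, so one precomputed table of hash-to-word answers the question for the whole list at once; with a per-user random salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library, used here as a stand-in for whatever a site should be doing), the same password stored twice looks different, so a table built once is worthless and each guess has to be recomputed per account.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample word list for the illustration (not a real leak).
COMMON_WORDS = ["password", "linkedin", "123456", "letmein"]

# Work factor for the salted scheme; 200k iterations is illustrative.
PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the post: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_table(words) -> dict:
    """Unsalted hashes depend only on the password, so a single table of
    hash -> word can be built once and reused against any site's list."""
    return {unsalted_sha1(w): w for w in words}


def audit_unsalted(leaked_hashes, words) -> dict:
    """What a defender auditing their own unsalted database would find:
    every hash that is a common word falls out instantly via the table."""
    table = lookup_table(words)
    return {h: table[h] for h in leaked_hashes if h in table}


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, slow storage: a fresh 16-byte random salt per user and
    PBKDF2-HMAC-SHA256 with a high iteration count.  The record keeps the
    salt and iteration count so the hash can be recomputed at login."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": dk.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed "leaked" list: one common word, one passphrase not in the list.
    leaked = [unsalted_sha1("password"), unsalted_sha1("correct horse battery")]
    print("unsalted hashes recovered from table:", audit_unsalted(leaked, COMMON_WORDS))

    # Same password, two users: with salts the stored records differ.
    alice = store_password("password")
    bob = store_password("password")
    print("salted records identical?", alice["hash"] == bob["hash"])
    print("login with right password:", verify_password("password", alice))
    print("login with wrong password:", verify_password("passw0rd", alice))
```

The unsalted audit finds the common word immediately and the passphrase not at all, which is exactly why the post's advice to avoid dictionary words matters even on sites that do hash.  The salted records show why a site's choice of scheme matters just as much: the hash of "password" is identical for every LinkedIn user under unsalted SHA-1, but differs per user under the salted scheme, so reuse across accounts no longer gives an attacker all of them for the price of one lookup.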

Monday, June 4, 2012

First Monday in June

Some interesting items from the last week:

Bogus hotel confirmation messages: Email based scam that confirms reservations to a hotel that you did not make.  With more people making summer vacation plans, it is a good time for this scam.  Generally the message looks like almost any confirmation message you would get when booking a hotel, except these tease you with only a hint of the booking information.  To get the "real" information, you need to open the attachment.  The problem is the attachment has embedded malware that infects your machine.  Just resist the urge to click links and read attachments in email.  See more info at Naked Security blog.

New videos they don't want you to see: With all the gruesome headlines over the past few weeks, scammers are taking full advantage and using the lure of "previously unseen footage" to get their marks to click links.  Lots of social networking messages floating around out there.  Resist the temptation to follow any of these links.  I'm beginning to sense a theme here.  Security News Daily article.

Citadel and Reveton ransomware: Apparently this new Citadel malware will direct you to a site that downloads the Reveton ransomware.  Once it is in place, you are told you are in trouble with the U.S. Dept of Justice and you need to pay a $100 fine or the computer stays locked and you will be prosecuted.  Even if you pay the "fine", Citadel stays resident and can be used for bank fraud and other scams.  IC3 published this announcement. More info at ThreatPost.

Roaming around VMware vSphere 5: Researchers have shown it is possible to bust out of an image running on VMware's vSphere 5 and get at some of the host server information.  With this information and some knowledge of the server layout, it seems possible to gain access to the physical drives on the host server and possibly even parse data out of the other images running on the server.  They note this was all done on an ESXi 5 server with all current patches.  More detailed info at the ERNW blog.

More schools tracking kids: A Texas school district has decided to start a pilot program to issue student ID cards with RFID chips.  The claim is the district is missing out on thousands of dollars in funding because of incorrect attendance figures.  The student IDs will allow administrators to track the location of students within the school buildings when taking attendance.  I guess the old fashioned way of taking roll just doesn't cut it nowadays?  So I'm sure attendance will go up using this method, since all you need to do is give your ID card to a friend to carry around.  Article from the San Antonio Express-News has more info.

Flame: I guess I should say something about Flame.  Everyone else has.  Really not sure what to say, because it seems everything possible has been said about it, over and over and over.  Right now it's too hard to figure out what is fact and what is FUD.