
Facebook Apps Leaking Your Information

A report was recently published claiming that nearly 100,000 Facebook apps have been leaking access codes belonging to millions of users’ profiles. Symantec released the report and said that an app security flaw may have given apps and other third parties access to users’ profiles. Facebook maintains that they have no evidence of this occurring.

In their report, Symantec wrote:

We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

These “access tokens” help apps interact with your profile. They are most often used to post updates from the application to your wall. When you add the applications to your profile, you, as the Facebook user, are giving the apps access to your information by accepting their conditions. According to the investigation, these tokens were included in URLs sent to the application host and were then sent to advertisers and analytics platforms. If the recipient recognized the codes (meaning they have to be qualified to read and write HTML code), they could gain access to the user’s wall and profile.
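The mechanism described above (a token sitting in the page URL, which then travels in the Referer header to every advertiser or analytics host the page loads) can be checked for and closed off on the application side. The Python below is an added example, not code from this post or from Symantec’s report: it scans a constructed proxy-log sample for third-party requests whose Referer carries a token, and redacts such parameters from a URL before it is logged or passed on. The parameter name `session_key` and the log shape are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names to treat as secrets. Assumed list: the post names "access tokens";
# "session_key" is added here as a plausible second example, not a name from the post.
SENSITIVE = {"access_token", "session_key"}

def scrub_url(url, sensitive=SENSITIVE):
    """Redact sensitive parameter values so the URL can be logged or passed on safely.
    The fragment is scrubbed too, since some OAuth flows return the token there (assumption)."""
    p = urlsplit(url)
    def scrub(qs):
        pairs = parse_qsl(qs, keep_blank_values=True)
        return urlencode([(k, "REDACTED" if k.lower() in sensitive else v) for k, v in pairs])
    frag = scrub(p.fragment) if "=" in p.fragment else p.fragment
    return urlunsplit((p.scheme, p.netloc, p.path, scrub(p.query), frag))

def find_token_leaks(log_lines, sensitive=SENSITIVE):
    """Flag requests to another host whose Referer carries a sensitive parameter.
    Each line is 'METHOD url referer' (constructed proxy-log shape)."""
    leaks = []
    for line in log_lines:
        _method, url, referer = line.split()
        ref = urlsplit(referer)
        names = {k.lower() for k, _ in parse_qsl(ref.query, keep_blank_values=True)}
        hit = names & sensitive
        if hit and ref.netloc != urlsplit(url).netloc:   # same-host requests are not a leak
            leaks.append((urlsplit(url).netloc, sorted(hit)))
    return leaks

# Constructed sample log: an app page carrying a token in its URL loads third-party assets.
SAMPLE_LOG = [
    "GET https://ads.example/pixel.gif?id=7 https://app.example/canvas?access_token=AAA123&uid=42",
    "GET https://app.example/style.css https://app.example/canvas?access_token=AAA123&uid=42",
    "GET https://analytics.example/collect?v=1 https://app.example/canvas?uid=42&session_key=SSS9",
    "GET https://ads.example/pixel.gif?id=8 https://app.example/home?uid=42",
]

if __name__ == "__main__":
    for host, params in find_token_leaks(SAMPLE_LOG):
        print(f"token leaked to {host} via Referer: {', '.join(params)}")
    print(scrub_url(SAMPLE_LOG[0].split()[2]))
```

The durable fix is to keep tokens out of URLs altogether (a POST body or a server-side session), so there is nothing for the Referer to carry.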

It was announced on Tuesday that the flaw has been fixed by Facebook, but I still recommend that you change your password. And don’t just change it every time Facebook experiences a breach, but every few months. By keeping all of your passwords current and original, you are decreasing the chances that you will be hacked and that your accounts (financial, social, and otherwise) will be compromised.

John Sileo is one of America’s leading Social Networking Security Speakers. You can learn more about Facebook Safety and how to protect yourself online here. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Facebook Nigerian Scam Costs Victim $300,000+

At this point, we are all pretty used to the classic Nigerian Scam. Someone who is recently wealthy needs your help to gain access to the funds. They will let you keep $1 million if you will simply send them your bank account number so they can transfer $30 million to you. It’s a dream come true to most!

What happens when that same scam is used on Facebook by one of your friends, by someone you trust? The results can be disastrous. One woman was scammed out of $366,000 because she felt sorry for the scammer’s sob story. The woman contacted the local authorities after realizing she had been conned by her Facebook “friend”. Police arrested six male suspects in Kepong, all allegedly connected to the Facebook scam: two Nigerians, two Bangladeshis, and two Malaysians. Investigators only managed to recover $5,000 in cash of the victim’s money, although they also seized 18 ATM cards, seven cell phones, and a laptop.

At least in this case the men were apprehended. In most scams of this nature there is no chance of finding the scammers, and the money is long gone. Even when one of your Facebook friends asks you for something (money, help, information), your first reaction should be healthy skepticism. Verify that what they are saying is true (call them before sending money). Oftentimes, a thief will take over a friend’s account or create a false account in order to gain your trust and, eventually, your money.

John Sileo trains organizations on how to keep employees from falling for fraud based on data they have posted on Facebook. His clients include the Department of Defense, Pfizer, Homeland Security, FDIC, FTC, Federal Reserve Bank, Blue Cross Blue Shield and hundreds of corporations and organizations of all sizes. Learn more about his high-content financial speeches.

Geotag, You're It! Disabling GPS Coordinates

Geotagging allows others to track your location without your knowing it.

With the increased use of Internet-enabled mobile devices such as the Blackberry, Droid and iPhone, geotagging has seen a huge increase in popularity. When social media users take a picture or video and upload it to their page, they are probably transmitting far more data than they think. With the ability to quickly add GPS information to media, smartphones make geotagging a simple task.

So What is Geotagging?

Simply put, geotagging is where location or geographical information, such as your GPS coordinates, is embedded in different types of media (.jpg, .mov files, etc.). Invisible to the naked eye and the casual observer, geotags are part of the meta-data, or underlying data about the data, that accompanies each file. Examples of meta-data include when the file was created or modified, by whom, and using what device and software. This data is often loaded onto your computer along with the original file. Browser plug-ins and certain software programs can reveal the location information to anyone who wants to see it.

Twittervision makes great use of geotagging. Twittervision is a web mashup combining Twitter with Google Maps to create a real time display of tweets across a map (see photo above). It also has a 3D mode that displays a globe of the Earth which spins to pinpoint arriving messages from Twitter.

So, who would want to know where you are?

While most of the uses are not fully apparent yet, your real-time location can reveal your home address, work address, places you visit often and at what time of day. It can reveal if you go to the doctor, a lawyer, a court date, or any other type of private meeting. Geotags make it very easy for friends, relatives, bosses, spouses, parents, enemies, law enforcement, stalkers, and thieves to know exactly where you are.

Telling everyone on your Facebook status that you are out for the evening can invite burglars; geotagging can do the same without you updating your status in any way. By taking a picture at the Barry Manilow concert and uploading it to your Twitter account, you are broadcasting the fact that you are probably over 40, away from home and, thanks to the geotag, exactly how far away you are.

If you’ve never seen Minority Report with Tom Cruise (where ads are served up to you on giant screens based on biometrics and your current location as you walk through the city), it’s worth your time. Of course the movie exaggerates reality; that is one of the hallmarks of science fiction. But it does so in order to make you think about the possibilities and future realities. And that is exactly what corporations are doing. Using geotags that you upload into social networks (photos, videos, check-ins), they can see that you enjoy Starbucks and live in a certain neighborhood, so they may purchase a billboard in the area or, more likely, target an ad to you on your Facebook wall. Although this can seem harmless, it will eventually raise larger concerns about consumer privacy.

In this fast paced electronic world, more and more people are using smartphones and therefore we can expect an increased use of geotags in the future. The problem with geotagging is that since it is not visible to the naked eye, most people don’t even realize they are sharing their location data. So what if you don’t want to transmit your location data?

Keeping location data private can be difficult, but here are some places to start:

  • Understand that anytime you take a picture, video or post an update from a networked device (somehow connected to the internet), your location is probably being appended to the file, even though it is hidden from you. As with all things technological, there are advantages and disadvantages to all features. Location based services also allow you to use handy tools like maps; give you Big Brother-like power in tracking your kids’ whereabouts, and allow thieves to burgle you when no one is home using tools like Foursquare and Facebook Places.
  • Disable geotagging application by application on your iPhone 4. In your phone, go to Settings, General, Location Services. Here you can set which applications can access your GPS coordinates, or disable the feature entirely (which could cause you problems using maps, restaurant finders, etc.)
  • Disable geotagging for photos on your BlackBerry. Go into picture-taking mode (HomeScreen, click the Camera icon), press the Menu button and choose “Options”. Set the “Geotagging” setting to “Disabled”. Finally, save the updated settings.
  • Disable geotagging for photos on your Droid. Start the Camera app and open its settings menu (on the left side of the camera application; it slides out from left to right). Select “Store Location” and make sure it is set to “Off”.
  • Although Facebook does remove geotags from uploaded photos, other social networking sites do not. Look into your privacy settings and turn off location sharing. As mentioned above, you can generally turn this feature off in your camera or phone as well.
  • Take particular care if you are uploading photos to a website where strangers will see them — such as Craigslist or Ebay.
  • Consider installing a plug-in on your browser to reveal location data – such as Exif Viewer for Firefox or Opanda IExif for Internet Explorer, so you can see geotagged data for yourself.
  • Take the time to stay informed about geotagging and other types of new technologies. By knowing what is out there, you can ensure the next photo or piece of media you upload won’t share your location with the World Wide Web.
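The list above relies on the phone or a browser plug-in to show and disable geotags. As an added example (not code from this post or any of the tools it names), the Python below does the same job on a JPEG directly: it locates the APP1/EXIF segment, walks the TIFF directory to the GPS IFD, decodes the latitude and longitude, and strips the EXIF segment so the coordinates do not travel with the upload. It builds its own minimal sample JPEG with made-up coordinates, so it runs offline; the layout offsets in the builder are a constructed assumption, while the parser follows the EXIF/TIFF structure generally.

```python
import struct

def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: SOI + APP1/EXIF (little-endian TIFF; IFD0 at 8, GPS IFD at 26) + SOS stub + EOI."""
    rat = lambda dms: b"".join(struct.pack("<II", v, 1) for v in dms)  # deg/min/sec as n/1 RATIONALs
    ifd0 = struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)              # one entry: GPSInfo -> offset 26
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI", 1, 2, 2) + lat_ref.encode() + b"\0\0\0"  # GPSLatitudeRef, ASCII inline
           + struct.pack("<HHII", 2, 5, 3, 80)                             # GPSLatitude: 3 RATIONALs at 80
           + struct.pack("<HHI", 3, 2, 2) + lon_ref.encode() + b"\0\0\0"  # GPSLongitudeRef
           + struct.pack("<HHII", 4, 5, 3, 104) + struct.pack("<I", 0))   # GPSLongitude at 104; no next IFD
    payload = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
            + b"\xff\xda\0\x04\0\0\xff\xd9")                     # SOS stub + EOI stand in for pixel data

def _exif_segment(jpeg):  # (start, end) of the first APP1/EXIF segment before SOS, or None
    i = 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF and jpeg[i + 1] != 0xDA:
        seglen = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        if jpeg[i + 1] == 0xE1 and jpeg[i + 4:i + 10] == b"Exif\0\0":
            return i, i + 2 + seglen
        i += 2 + seglen
    return None

def read_gps(jpeg):
    """Decode the GPS IFD to (lat, lon) in decimal degrees; None when the file carries no geotag."""
    if (seg := _exif_segment(jpeg)) is None:
        return None
    t = jpeg[seg[0] + 10:seg[1]]                        # TIFF block; all IFD offsets are relative to it
    e = "<" if t[:2] == b"II" else ">"                  # byte order declared by the TIFF header
    u16 = lambda o: struct.unpack(e + "H", t[o:o + 2])[0]
    u32 = lambda o: struct.unpack(e + "I", t[o:o + 4])[0]
    entries = lambda ifd: {u16(ifd + 2 + 12 * k): ifd + 2 + 12 * k for k in range(u16(ifd))}
    gps_entry = entries(u32(4)).get(0x8825)             # GPSInfo pointer in IFD0
    g = entries(u32(gps_entry + 8)) if gps_entry is not None else {}   # +8 = entry's value field
    if not {1, 2, 3, 4} <= set(g):                      # need both refs and both coordinates
        return None
    def dms(tag):                                       # three RATIONALs: degrees, minutes, seconds
        off = u32(g[tag] + 8)
        d, m, s = (u32(off + 8 * k) / u32(off + 8 * k + 4) for k in range(3))
        return d + m / 60 + s / 3600
    lat = dms(2) * (-1 if t[g[1] + 8] == ord("S") else 1)
    lon = dms(4) * (-1 if t[g[3] + 8] == ord("W") else 1)
    return lat, lon

def strip_exif(jpeg):
    """Remove every APP1/EXIF segment so the location does not travel with the upload."""
    while (seg := _exif_segment(jpeg)) is not None:
        jpeg = jpeg[:seg[0]] + jpeg[seg[1]:]
    return jpeg
```

Call `read_gps(open(path, "rb").read())` on a real photo to see what a plug-in such as Exif Viewer would show, and write out `strip_exif(...)` before uploading; note that stripping the whole EXIF block also drops camera and date fields, which is usually what you want for a public post.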

John Sileo speaks professionally about social media exposure, identity theft and cyber crime for the Department of Defense, Fortune 1000 companies and any organization that wants to protect the profitability of their private information. Contact him directly on 800.258.8076 or visit his speaker’s website at www.ThinkLikeASpy.com.

Facebook Privacy Breach – Eventually, We'll Lose our Trust

According to a Wall Street Journal investigation, Facebook apps are sharing more about you than you think.

The Journal stated in their article, Facebook in Privacy Breach, that many of the most popular applications on the site are transmitting personal information about you and even your friends to third party advertisers and data companies. Apps such as BumperSticker, Marketplace, or Zynga’s Farmville (with over 50 million users) can be sharing your Facebook User ID with these companies. This can give as little information as your name, or as much as your entire Facebook Profile. In some cases, your data is being shared even if you have set your Facebook privacy settings to disallow this type of sharing.

According to the Journal:

“The most expansive use of Facebook user information uncovered by the Journal involved RapLeaf. The San Francisco company compiles and sells profiles of individuals based in part on their online activities. The Journal found that some LOLapps applications, as well as the Family Tree application, were transmitting user’s Facebook ID numbers to RapLeaf. RapLeaf then linked those ID numbers to dossiers it had previously assembled on those individuals… RapLeaf then embedded that information in an Internet-tracking file known as a cookie.”

RapLeaf in turn transmitted this Facebook ID and user information to a dozen other advertising firms.

Rapleaf has said that it was inadvertent and they are working to fix the data leakage problem. On their website they have posted a response to the article.

“RapLeaf has taken extra steps to strip out identifying information from referrer URLs…When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions. As of last week, no Facebook IDs are being transmitted to ad networks in conjunction with the use of any RapLeaf service”.

This Facebook privacy breach is affecting tens of millions of users and even those that have taken the proper precautions with high privacy settings.

This revelation goes against my latest post Facebook, Cigarettes and Information Control. I used this post to make users aware that although there are privacy issues with Facebook, they have given you the proper controls to protect yourself. The Wall Street Journal investigation clearly shows that Facebook is not doing their part. While you can supposedly better secure your privacy settings after last week, Facebook is clearly not holding their third party applications to the same standard.

Many of these third-party applications have declared that they are not keeping or using this data. Regardless, the transmission of this information violates the Facebook Privacy Policy. Facebook has said that it is the applications that are violating their privacy policy – not them directly. A Facebook spokesperson had this to say:

“Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information.”

Many wonder whether there is anything they can do to prevent this or protect themselves from personal data leakage. The answer, right now, is no. Because many of the most popular applications used on Facebook are transmitting your personal data, it is hard to do much more than adjust your privacy settings to the highest level and realize that you are trading the security and privacy of your personal information in order to connect with your Facebook friends. This is where Facebook needs to step up and deliver on what they promise their users. If you go the extra mile to hide your personal information from third parties, they need to make sure that your information is protected.


Facebook: Press 2 For Law Enforcement

I received an email last night from a well-known TV anchor wanting my input on a new Facebook issue. He’d read that when calling Facebook Headquarters, the automated attendant comes on and gives you options to reach each department, and the second option was to press 2 for “law enforcement.”

It could seem odd to many, but it’s true. If you call the Facebook Headquarters (650-543-4800) and reach the switchboard, the first option is “For customer support, press 1” and the second option is “For Facebook law enforcement, press 2”. Law enforcement comes ahead of business development, marketing, press, and employment verification in the list of options. When you press 2, the next message says: “This message is only for members of law enforcement. Please note that due to a very large volume of incoming calls, the current call back time is two to four business days. For a faster response, please leave your work authorized email address… A member of Facebook’s security team will email in a timely manner.” Which means that Facebook is very busy fielding calls from law enforcement.

The anchor, and the rest of us, want to know why!

Facebook receives all kinds of requests from law enforcement, as it is essentially a diary of each and every user. Don’t confuse it with a typical diary of the pre Web 2.0 era. The modern diary (or dossier, as I more commonly refer to social networking profiles) is a photo journal, video log, friendship org chart, location status, written history and browsing analyzer that is so effective because it can be so addictive. In other words, the Facebook activity of an average user is a digital representation of that user’s identity. So, to net it out, here are several reasons law enforcement officers call Facebook:

  • Tracking listed sex offenders for inappropriate use of the Internet
  • Civil dispute subpoenas (domestic cases, child custody, harassment, etc.)
  • Evidence used in the discovery process (establishing intent, state of mind, relationships, etc.)
  • Cases of libel or defamation
  • Terrorist activity tracking and fundraising
  • Background checks for local, regional and federal governmental positions
  • Background checks on potential jurors (see tomorrow’s story about a juror who was dismissed because of a Facebook post)

This is a fascinating and under-reported aspect of social networks – they are providing an open book on people (for good and evil) that used to take investigators (and scammers) weeks or months to collect. All you really need is a subpoena, or to friend the person on whom you are collecting data.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.