Posts

Facebook Apps Leaking Your Information

A report was recently published claiming that nearly 100,000 Facebook apps have been leaking access codes belonging to millions of users’ profiles. Symantec released the report and said that an app security flaw may have given apps and other third parties access to users’ profiles. Facebook maintains that they have no evidence of this occurring.

In their report, Symantec wrote:

We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

These “access tokens” help apps interact with your profile. They are most often used to post updates from the application to your wall. When you add the applications to your profile, you, as the Facebook user, are giving the apps access to your information by accepting their conditions. According to the investigation, these tokens were included in URLs sent to the application host and were then sent to advertisers and analytics platforms. If the recipient recognized the codes (meaning they have to be qualified to read and write HTML code), they could gain access to the user’s wall and profile.

It was announced on Tuesday that the flaw has been fixed by Facebook, but I still recommend that you change your password. And don’t just change it every time Facebook experiences a breach, but every few months. By keeping all of your passwords current and original, you are decreasing the chances that you will be hacked and that your accounts (financial, social, and otherwise) will be compromised.

John Sileo is one of America’s leading Social Networking Security Speakers. You can learn more about Facebook Safety and how to protect yourself online here. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Facebook Nigerian Scam Costs Victim $300,000+

At this point, we are all pretty used to the classic Nigerian Scam. Someone who is recently wealthy needs your help to gain access to the funds. They will let you keep $1 million if you will simply send them your bank account number so they can transfer $30 million to you. It’s a dream come true to most!

What happens when that same scam is used on Facebook by one of your friends, by someone you trust? The results can be disastrous. One woman was scammed out of $366,000 because she felt sorry for the scammer’s sob story. The woman contacted the local authorities after realizing she had been conned by her Facebook “friend”. Police arrested six male suspects in Kepong, all allegedly connected to the Facebook scam: two Nigerians, two Bangladeshis, and two Malaysians. Investigators only managed to recover $5,000 in cash of the victim’s money, although they also seized 18 ATM cards, seven cell phones, and a laptop.

At least in this case the men were apprehended. In most scams of this nature there is no chance of finding the scammers and the money is long gone. Even when one of your Facebook friends asks you for something (money, help, information), your first reaction should be healthy skepticism. Verify that what they are saying is true (call them before sending money). Oftentimes, a thief will take over a friend’s account or create a false account in order to gain your trust and, eventually, your money.

John Sileo trains organizations on how to keep employees from falling for fraud based on data they have posted on Facebook. His clients include the Department of Defense, Pfizer, Homeland Security, FDIC, FTC, Federal Reserve Bank, Blue Cross Blue Shield and hundreds of corporations and organizations of all sizes. Learn more about his high-content financial speeches.

Geotag, You're It! Disabling GPS Coordinates

Geotagging allows others to track your location even though you don’t know it.

With the increased use of Internet-enabled mobile devices such as the Blackberry, Droid and iPhone, geotagging has seen a huge increase in popularity. When social media users take a picture or video and upload it to their page, they are probably transmitting far more data than they think. With the ability to quickly add GPS information to media, smartphones make geotagging a simple task.

So What is Geotagging?

Simply, geotagging is where location or geographical information, such as your GPS coordinates, is added to and embedded in different types of media (.jpg, .mov files, etc.). Invisible to the naked eye and the casual observer, geotags are part of the meta-data, or underlying data about the data, that accompanies each file. Examples of meta-data include when the file was created or modified, by whom, using what device and software. This data is often loaded on to your computer along with the original file. Browser plug-ins and certain software programs can reveal the location information to anyone who wants to see it.

Twittervision makes great use of geotagging. Twittervision is a web mashup combining Twitter with Google Maps to create a real time display of tweets across a map (see photo above). It also has a 3D mode that displays a globe of the Earth which spins to pinpoint arriving messages from Twitter.

So, who would want to know where you are?

While most of the uses are not fully apparent yet, your real-time location can reveal your home address, work address, places you visit often and at what time of day. It can reveal if you go to the doctor, a lawyer, a court date, or any other type of private meeting. Geotags make it very easy for friends, relatives, bosses, spouses, parents, enemies, law enforcement, stalkers, and thieves to know exactly where you are.

Telling everyone on your Facebook status that you are out for the evening can invite burglars; geotagging can do the same without you updating your status in any way. By taking a picture at the Barry Manilow concert and uploading it to your Twitter account, you are broadcasting the fact that you are probably over 40, away from home and, thanks to the geotag, exactly how far away you are.

If you’ve never seen Minority Report with Tom Cruise (where ads are served up to you on giant screens based on biometrics and your current location as you walk through the city), it’s worth your time. Of course the movie exaggerates reality; that is one of the hallmarks of science fiction. But it does so in order to make you think about the possibilities and future realities. And that is exactly what corporations are doing. Using geotags that you upload into social networks (photos, videos, check-ins), they can see that you enjoy Starbucks and live in a certain neighborhood, so they may purchase a billboard in the area or, more likely, target an ad to you on your Facebook wall. Although this can seem harmless, it will eventually raise larger concerns on consumer privacy.

In this fast paced electronic world, more and more people are using smartphones and therefore we can expect an increased use of geotags in the future. The problem with geotagging is that since it is not visible to the naked eye, most people don’t even realize they are sharing their location data. So what if you don’t want to transmit your location data?

Keeping location data private can be difficult, but here are some places to start:

  • Understand that anytime you take a picture or video, or post an update, from a networked device (somehow connected to the internet), your location is probably being appended to the file, even though it is hidden from you. As with all things technological, there are advantages and disadvantages to all features. Location-based services also allow you to use handy tools like maps, give you Big Brother-like power in tracking your kids’ whereabouts, and allow thieves to burgle you when no one is home using tools like Foursquare and Facebook Places.
  • Disable geotagging application by application on your iPhone 4. In your phone, go to Settings, General, Location Services. Here you can set which applications can access your GPS coordinates, or disable the feature entirely (which could cause you problems using maps, restaurant finders, etc.).
  • Disable geotagging for photos on your BlackBerry. Go into picture-taking mode (HomeScreen, click the Camera icon), press the Menu button and choose “Options”. Set the “Geotagging” setting to “Disabled”. Finally, save the updated settings.
  • Disable geotagging for photos on your Droid. Start the Camera app (this is the menu on the left side of the camera application; it slides out from left to right). Select “Store Location” and make sure it is set to “Off”.
  • Although Facebook does remove geotags from uploaded photos, other social networking sites do not. Look into your privacy settings and turn off location sharing. As mentioned above, you can generally turn this feature off in your camera or phone as well.
  • Take particular care if you are uploading photos to a website where strangers will see them — such as Craigslist or eBay.
  • Consider installing a plug-in on your browser to reveal location data – such as Exif Viewer for Firefox or Opanda IExif for Internet Explorer, so you can see geotagged data for yourself.
  • Take the time to stay informed about geotagging and other types of new technologies. By knowing what is out there, you can ensure the next photo or piece of media you upload won’t share your location with the World Wide Web.
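
To make the hidden meta-data described above visible, here is an added example (not part of the original post) that reads the GPS tags out of a JPEG's Exif block and strips the Exif segment before upload. The sample file and its coordinates are constructed for the demonstration.

```python
import struct

EXIF_ID = b"Exif\x00\x00"

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    pos = 2  # skip the SOI marker (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def find_exif(jpeg):
    """Return the TIFF block inside the Exif APP1 segment, or None."""
    for marker, start, end in segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_ID:
            return jpeg[start + 10:end]
    return None

def read_ifd(tiff, offset, endian):
    """Return {tag: raw 4-byte value field} for one image file directory."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        (tag,) = struct.unpack_from(endian + "H", tiff, base)
        entries[tag] = tiff[base + 8:base + 12]
    return entries

def to_degrees(tiff, value_field, endian):
    """Decode three RATIONALs (degrees, minutes, seconds) into decimal degrees."""
    (offset,) = struct.unpack(endian + "I", value_field)
    n = struct.unpack_from(endian + "6I", tiff, offset)
    return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600

def gps_from_jpeg(jpeg):
    """Return (latitude, longitude) embedded in the file, or None if absent."""
    tiff = find_exif(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    try:
        (ifd0_offset,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0 = read_ifd(tiff, ifd0_offset, endian)
        (gps_offset,) = struct.unpack(endian + "I", ifd0[0x8825])  # GPS IFD pointer
        gps = read_ifd(tiff, gps_offset, endian)
        lat = to_degrees(tiff, gps[2], endian)  # GPSLatitude
        lon = to_degrees(tiff, gps[4], endian)  # GPSLongitude
        if gps[1][:1] == b"S":                  # GPSLatitudeRef
            lat = -lat
        if gps[3][:1] == b"W":                  # GPSLongitudeRef
            lon = -lon
    except (KeyError, struct.error, ZeroDivisionError):
        return None  # no GPS tags, or a truncated/malformed block
    return round(lat, 6), round(lon, 6)

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed (all Exif, not only GPS)."""
    out = bytearray(jpeg)
    for marker, start, end in reversed(list(segments(jpeg))):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_ID:
            del out[start:end]
    return bytes(out)

def build_sample():
    """Constructed test file: a JPEG shell whose Exif block holds 40°30'N, 105°15'W."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                  # TIFF header, IFD0 at 8
    tiff += struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)    # IFD0: pointer to GPS IFD at 26
    tiff += struct.pack("<H", 4)                              # GPS IFD with four entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00")
    tiff += struct.pack("<HHII", 2, 5, 3, 80)
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W\x00\x00\x00")
    tiff += struct.pack("<HHII", 4, 5, 3, 104) + struct.pack("<I", 0)
    tiff += struct.pack("<6I", 40, 1, 30, 1, 0, 1)            # latitude rationals at 80
    tiff += struct.pack("<6I", 105, 1, 15, 1, 0, 1)           # longitude rationals at 104
    payload = EXIF_ID + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

if __name__ == "__main__":
    photo = build_sample()
    print("before:", gps_from_jpeg(photo))
    print("after: ", gps_from_jpeg(strip_exif(photo)))
```

Removing the whole Exif segment also drops the camera model and timestamps, which is usually what you want before posting a photo publicly.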

John Sileo speaks professionally about social media exposure, identity theft and cyber crime for the Department of Defense, Fortune 1000 companies and any organization that wants to protect the profitability of their private information. Contact him directly on 800.258.8076 or visit his speaker’s website at www.ThinkLikeASpy.com.

Facebook Privacy Breach – Eventually, We'll Lose our Trust

According to a Wall Street Journal investigation, Facebook apps are sharing more about you than you think.

The Journal stated in their article, Facebook in Privacy Breach, that many of the most popular applications on the site are transmitting personal information about you and even your friends to third party advertisers and data companies. Apps such as BumperSticker, Marketplace, or Zynga’s Farmville (with over 50 million users) can be sharing your Facebook User ID with these companies. This can give as little information as your name, or as much as your entire Facebook Profile. In some cases, your data is being shared even if you have set your Facebook privacy settings to disallow this type of sharing.

According to the Journal:

“The most expansive use of Facebook user information uncovered by the Journal involved RapLeaf. The San Francisco Company compiles and sells profiles of individuals based in part on their online activities… The Journal found that some LOLapps applications, as well as the Family Tree application, were transmitting users’ Facebook ID numbers to RapLeaf. RapLeaf then linked those ID numbers to dossiers it had previously assembled on those individuals… RapLeaf then embedded that information in an Internet-tracking file known as a cookie.”

RapLeaf in turn transmitted this Facebook ID and user information to a dozen other advertising firms.

RapLeaf has said that it was inadvertent and they are working to fix the data leakage problem. On their website they have posted a response to the article.

“RapLeaf has taken extra steps to strip out identifying information from referrer URLs…When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions. As of last week, no Facebook IDs are being transmitted to ad networks in conjunction with the use of any RapLeaf service.”

This Facebook privacy breach is affecting tens of millions of users and even those that have taken the proper precautions with high privacy settings.

This revelation goes against my latest post Facebook, Cigarettes and Information Control. I used this post to make users aware that although there are privacy issues with Facebook, they have given you the proper controls to protect yourself. The Wall Street Journal investigation clearly shows that Facebook is not doing their part. While you can supposedly better secure your privacy settings after last week, Facebook is clearly not holding their third party applications to the same standard.

Many of these third-party applications have declared that they are not keeping or using this data. Regardless, the transmission of this information violates the Facebook Privacy Policy. Facebook has said that it is the applications that are violating their privacy policy – not them directly. A Facebook spokesperson had this to say:

“Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information.”

Many wonder if there is anything they can do to prevent this or protect themselves from personal data leakage. The answer right now is no. Because many of the most popular applications used on Facebook are transmitting your personal data, it is hard to do much more than adjust your privacy settings to the highest level and realize that you are trading the security and privacy of your personal information in order to connect with your Facebook friends. This is where Facebook needs to step up and deliver on what they promise their users. If you go the extra mile to hide your personal information from third parties, they need to make sure that your information is protected.
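
Both the access-token leak in the Symantec report and the Facebook ID leak described here come down to identifying values riding along in URLs that reach third parties. As an added example (not code from Facebook, Symantec or RapLeaf), the sketch below strips such parameters from a URL and audits a request log for them. The hosts, the log and the user-ID parameter names are constructed assumptions; `access_token` is the standard OAuth 2.0 parameter name.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# "access_token" is the standard OAuth 2.0 parameter name; the two user-ID
# names are assumptions chosen for this example.
SENSITIVE_PARAMS = {"access_token", "uid", "user_id"}

def _scrub(encoded):
    """Drop sensitive key=value pairs from a query string or fragment."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    removed = {k.lower() for k, _ in pairs if k.lower() in SENSITIVE_PARAMS}
    if not removed:
        return encoded, removed  # leave untouched text exactly as it was
    kept = [(k, v) for k, v in pairs if k.lower() not in SENSITIVE_PARAMS]
    return urlencode(kept), removed

def sanitize_url(url):
    """Return (clean_url, sorted names of the parameters that were removed)."""
    parts = urlsplit(url)
    query, from_query = _scrub(parts.query)
    fragment, from_fragment = _scrub(parts.fragment)
    removed = sorted(from_query | from_fragment)
    if not removed:
        return url, removed
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))
    return clean, removed

def find_leaks(requests, first_party_domains):
    """List (third_party_host, field, params) where identifiers left the first party."""
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if any(host == d or host.endswith("." + d) for d in first_party_domains):
            continue  # the app talking to its own servers is not a third-party leak
        for field in ("url", "referer"):
            _, removed = sanitize_url(req.get(field, ""))
            if removed:
                leaks.append((host, field, removed))
    return leaks

# Constructed request log: what a browser sent while a user was on an app page.
SAMPLE_REQUESTS = [
    {"url": "https://ads.example.net/banner.js",
     "referer": "https://apps.example.com/game/?access_token=CONSTRUCTED_TOKEN&level=4"},
    {"url": "https://stats.example.org/collect?page=home&uid=1000001",
     "referer": "https://apps.example.com/home"},
    {"url": "https://api.example.com/me?access_token=CONSTRUCTED_TOKEN",
     "referer": "https://apps.example.com/game/"},
    {"url": "https://cdn.example.net/logo.png",
     "referer": "https://apps.example.com/home#top"},
]

if __name__ == "__main__":
    for host, field, params in find_leaks(SAMPLE_REQUESTS, {"example.com"}):
        print(f"{host}: {', '.join(params)} exposed via {field}")
    print(sanitize_url(SAMPLE_REQUESTS[0]["referer"])[0])
```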

Facebook’s Law Enforcement Phone Option

Facebook: Press 2 For Law Enforcement

I received an email last night from a well-known TV anchor wanting my input on a new Facebook issue. He’d read that when calling Facebook Headquarters, the automated attendant comes on and gives you options to reach each department, and the second option was to press 2 for “law enforcement.”

It could seem odd to many, but it’s true. If you call the Facebook Headquarters (650-543-4800) and reach the switchboard, the 1st option is “For customer support, press 1” and the second option is “For Facebook law enforcement, press 2”. Law enforcement comes ahead of business development, marketing, press, and employment verification in the list of options. When you press 2, the next message says: “This message is only for members of law enforcement. Please note that due to a very large volume of incoming calls, the current call back time is two to four business days. For a faster response, please leave your work authorized email address… A member of Facebook’s security team will email in a timely manner.” Which means that Facebook is very busy fielding calls from law enforcement.

The anchor, and the rest of us, want to know why!

Facebook receives all kinds of requests by law enforcement, as it is essentially a diary of each and every user. Don’t confuse it with a typical diary of the pre-Web 2.0 era. The modern diary (or dossier, as I more commonly refer to social networking profiles) is a photo journal, video log, friendship org chart, location status, written history and browsing analyzer that is so effective because it can be so addictive. In other words, the Facebook activity of an average user is a digital representation of that user’s identity. So, to net it out, here are several reasons law enforcement officers call Facebook:

  • Tracking listed sex offenders for inappropriate use of the Internet
  • Civil dispute subpoenas (domestic cases, child custody, harassment, etc.)
  • Evidence used in the discovery process (establishing intent, state of mind, relationships, etc.)
  • Cases of libel or defamation
  • Terrorist activity tracking and fundraising
  • Background checks for local, regional and federal governmental positions
  • Background checks on potential jurors (see tomorrow’s story about a juror who was dismissed because of a Facebook post)

This is a fascinating and under-reported aspect of social networks – they are providing an open book on people (for good and evil) that used to take investigators (and scammers) weeks or months to collect. All you really need is a subpoena, or to friend the person on whom you are collecting data.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

[youtube http://www.youtube.com/watch?v=VgwQPhpRPd0&rel=0]

How to Disable Facebook Places

Last week Facebook introduced a new location tracking application called Facebook Places. This gives users the ability to check in with Facebook from their mobile device and update their friends (and even tag their friends) on where they are. What many Facebook users don’t realize is that this tool is currently activated by default, and in order to turn it off, users have to go in and adjust their privacy settings. Until you do that, your friends can check you in to different locations (and you may not even be there!).

Here is the step by step process to disable Facebook Places:

1. Log into your Facebook account, and at the top right drop down menu under Account click Privacy Settings. Once you are in Privacy Settings you will see this screen:

2. Click Custom (if that isn’t your selection already) and then click below on Customize Settings.

3. You should see the following screen, where you will need to make 2 changes – first, to Things I share and then to Things others share. Under Things I share, click on the drop-down box next to Places I check in to, click Custom, and choose to make this visible to Only Me.

5. Scroll down on the Customize page to Things others share:

Under Things others share click Disabled to the right of Friends can check me in to Places.

One More Thing…

There is one last step you should take. You need to adjust one last setting that allows third-party applications (such as quizzes and games) used by your friends to access your location data. Facebook makes it difficult by stating that you only need to “uncheck the new box in your Privacy Settings under ‘Applications and Websites.’” Facebook should have specified which box they were talking about, and they should NOT have turned this on by default. Alas, in reality, we’re not working with what Facebook should do, but what we must do to turn off data leakage.

Go back to the main privacy page (above) and, under the heading “Applications and Websites,” click on “Edit your settings.” You should now be looking at a screen similar to the one below. Click on the “Edit Settings” button across from “Info accessible through your friends.”

You should see a pop-up window (like the one below) that lists a variety of identity information from your profile including biography, birthday, hometown, current city, and so forth. Any of these items that are checked off are available to third-party applications used by your friends.

Find the checkbox called “Places I check in to,” and uncheck it (if you don’t want third-party applications that your friends use to harvest your check-in data). While you are here, uncheck any other data that you don’t want your friends sharing with corporate America.

TIP: Third-party applications you use personally can gather your geographic data only if you authorize that application to do so. The downside is that if you don’t want an application to access your location data then you won’t be able to use that application.

These steps will help tighten your security and minimize the amount of location tracking data that is stored and shared. Facebook, however, will always reserve the right to collect and utilize this data internally, but that’s the price you pay for using Facebook. Although this disables Facebook Places now, it is best to stay current on the changes that Facebook is making and always check your privacy settings to make sure that you are protected.

John Sileo became one of America’s leading Social Networking Security Speakers. You can learn more about Facebook Safety and how to protect yourself online here. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Facebook 'Dislike Button' is a Scam!

According to Cnet.com, security firm Sophos has highlighted yet another scam that’s zipping around Facebook in the form of a third-party application, this one spreading in the form of links claiming to be from friends that encourage members to install a Facebook “dislike button.”

Sophos wrote about the scam in a post on Monday, pointing out that a link to it tends to appear in wall posts that appear to be from the user’s friends (“I just got the Dislike button, so now I can dislike all of your dumb posts lol!!”) but which are actually automated messages from friends who have already been duped. The scam’s purpose is to force users to complete a survey contained in the application, a bit of trickery that has already been known to be perpetuated through scam links like “Justin Bieber trying to flirt” and “Anaconda coughs up a hippo,” the two of which presumably would be enticing to rather different demographics of Facebook users.

As Facebook’s surging membership numbers have blazed past 500 million around the world, its channels of fast social connection and messaging have become a prime target for scammers and viruses. This one’s particularly nasty because a “dislike button,” offering some kind of counterpoint to Facebook’s own “like” button is something that many members have been clamoring for.

John Sileo is an information security expert who speaks professionally to organizations that want to protect their profits against identity theft, social media exposure and corporate espionage. His recent clients include the Department of Defense, FDIC, FTC and Pfizer.

Facebook Status Update Leads to Robbery

When you are ‘friends’ with people on Facebook that you are not actually friends with, how do you know whether they have good intentions?

A recent segment on CNN discusses the risks that you may be taking while updating your Facebook status. You don’t know who is looking at your private information because it’s truly not private – it’s public. Keri McMullen found this out the hard way after she posted a simple status message that she was going to see a band with her fiancé. It only took the burglars calling the venue to find out what time the show was to let them know when they could break into her home. The burglars showed up 35 minutes after the McMullens left for the concert.

It is that simple. You post a casual message to your “friends” that could turn into a nightmare where, like Keri, you lose upwards of $11,000 in personal property. They were lucky that they had cameras installed in the home and were able to catch the perpetrators on film. After posting pictures of them on her Facebook page (a good use of social networking), another friend recognized the intruders as Keri’s high school classmates.

Keri’s experience shows other Facebook users that, even though you may have known an individual at one time, if you do not interact with them and know their character now, then how can you trust them? Remember you don’t have to be Facebook friends with everyone you have ever spoken to. By keeping your ‘friends’ limited, you are lessening your risk of becoming a victim. No matter what privacy setting you have on your Facebook profile, your posts are public, permanent and exploitable.

Facebook Hits 500 Million Users: 3rd Largest Country

Facebook has the Population of the Third Largest Country

Wednesday, July 21, 2010 marked a big day for Facebook. CEO and founder Mark Zuckerberg announced in a blog post that the social networking website hit over 500 million users in only 6 years.

If you take a look at the world’s largest countries in terms of population (as of today according to Wikipedia) you find that China is #1 with 1,339,130,000, India is #2 with 1,184,513,000 and #3 is the United States with only 309,944,000. This would mean that if Facebook were a real country with their population of 500,000,000, then it would clearly surpass the USA for the #3 ranking.

Many believe that Facebook will hit a billion users in less than a year by looking at the rapid growth they have encountered since their founding. With their fast expansion, the privacy issues on the website keep mounting as well. Make sure when you are using Facebook you are using it with the best possible protections – your common sense. Click here to learn more on Facebook Safety for users and parents of users.

John Sileo became one of America’s leading Social Networking Speakers & sought after Identity Theft Experts after he lost his business and more than $300,000 to identity theft and data breach. John’s latest book, Privacy Means Profit, hit stands August 9, 2010 and bridges the gap between personal identity theft and corporate data breach. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Why Facebook Privacy Settings Don't Matter

A new article in PC World discusses why the privacy settings on Facebook don’t matter – it instead blames the user for their own data breach. It recommends that those on Facebook should use their common sense and think in the long term. By controlling what you share and only sharing what is responsible, Facebook is no longer in charge of your privacy.

Why Facebook Privacy Settings Don’t Matter

John C. Dvorak – I find it endlessly amusing how so many articles are written about Facebook and its cavalier lack of concern over privacy issues (case in point: Read Dan Costa’s column). A large community is up in arms over the fact that Facebook consistently changes the way it operates and constantly resets the privacy settings of the users to nil, as in NO PRIVACY.

This amuses me because it seems as if the majority of Facebook users don’t even know about or care about the privacy settings. Once in a while some old lady is flabbergasted by the fact that anyone can write on her wall, sure. And once in a blue moon some teenage girl says she “didn’t know” her teachers could see her comments. All the while the users of Facebook are increasing by the millions as the complaints are increasing by the thousands, thus amounting to nothing of consequence.

Now there is a movement to create an open-source version of the social network to address all these concerns, and it may or may not be successful, but it doesn’t matter since most users have so little regard for their own privacy. They’re too busy publishing humiliating pictures of themselves on Facebook, Flickr and elsewhere. It always seems to be a good idea at the time.

And why do Americans continue to do these dumb things? It’s a unique reflection of the short-term thinking that plagues the culture. We always hear about this phenomenon regarding the activities of American corporations, which always seem to be thinking short-term to appease the investors. They do things quarter by quarter instead of thinking toward the long future.

John Sileo is the award-winning author of Stolen Lives, Privacy Means Profit and the Facebook Safety Survival Guide. His professional speaking clients include the Department of Defense, the FTC, FDIC, Pfizer, Prudential and hundreds of other organizations that care about their information privacy. Contact him directly on 800.258.8076.