
Facebook Friend Or Foe



I frequently overhear people I do not know in restaurants and other public settings talking about how they are using Facebook to reconnect with friends and family. Some of the items of discussion I would overhear were very alarming to me. Suspecting I would find the manner in which my friends and family members (e.g., my mother, siblings, nieces and nephews) use Facebook equally alarming, I decided to engage in some research to determine whether there would be enough substance to my observations to warrant the preparation of these materials. In no time I gathered enough substance to my observations to warrant the preparation of these materials.

I have prepared the attached materials to expand my capacity; my hope is those of you I know personally and with whom I have shared these materials will share these materials with your friends and family members. As you will see in these materials, what should be of paramount concern is how you are currently using Facebook. While the security of your Facebook profile is important, you need to be aware if you are using Facebook in such a way where the contents of your profile could inflict harm upon you, your friends and/or your family members.

Published in: Technology, Education



  • 1. Friend or Foe? Steven Hamburg, President & CEO, Eclipsecurity, LLC. May 2010. Copyright 2010, Eclipsecurity, LLC
  • 2. So Why Have I Prepared These Materials? I frequently overhear people I do not know in restaurants and other public settings talking about how they are using Facebook to reconnect with friends and family. Some of the items of discussion I would overhear were very alarming to me. Suspecting I would find the manner in which my friends and family members (e.g., my mother, siblings, nieces and nephews) use Facebook equally alarming, I decided to engage in some research to determine whether there would be enough substance to my observations to warrant the preparation of these materials. In no time I gathered enough substance to my observations to warrant the preparation of these materials. I soon became the ‘Facebook police’ for my friends and family members, where I continue to frequently notify them when I observe what I consider to be unsafe Facebook usage practices. In each instance, I identify my concern, provide the basis of my concern, and defer to my friends and family members to make their own informed decisions regarding how they apply the insights I have imparted. I have prepared these materials to expand my capacity; my hope is those of you I know personally and with whom I have shared these materials will share these materials with your friends and family members. My hope is this will serve as the beginning of a new movement; a movement where Facebook users will redirect primary concerns they may have regarding the security of Facebook itself to thinking about how each Facebook user uses Facebook. As you will see in these materials, what should be of paramount concern is how you are currently using Facebook. While the security of your Facebook profile is important, you need to be aware if you are using Facebook in such a way where the contents of your profile could inflict harm upon you, your friends and/or your family members.
  • 3. “Disclaimer” and Purpose
      • I do not have a personal vendetta against Facebook
      • I am jealous of the brilliant and wealthy individuals who created Facebook
          • Co-Founder & CEO Mark Zuckerberg is 27 years old with net worth of $4B
      • Part of my job description is to be paranoid and to perform counter-intelligence
      • The sole objective of this material is to help you understand the risks associated with Facebook use so you may make more informed decisions regarding future use
  • 4. “Disclaimer” and Purpose
      • The topic of Facebook use is very controversial, and I recognize that you can do whatever you want to do in life
      • I further recognize that you may not agree with some of my perspectives regarding Facebook use, and pointedly, you may strongly disagree with some of my recommendations
      • Again, the sole objective of this material is to help you understand the risks associated with Facebook use so you may make more informed decisions regarding future use
  • 5. Facebook Pop Quiz. If you answer “yes” to any of these questions, you have failed this quiz.
      1. Do you have photographs of your children on your profile?
      2. Do you have names of your children on your profile?
      3. Do you have your birth date (i.e., month and day at a minimum) on your profile?
      4. Do you have pictures of your house / where you live on your profile?
      5. Do you post your political views on your profile?
      6. Do you post information regarding your medical condition on your profile?
      7. Do you indicate future travel plans on your profile?
      8. Do you allow your children to use Facebook?
  • 6. Facebook – A Global Target. Which is more secure? ~8% market share vs. ~90% market share
  • 7. A Word about Mac Security vs. Windows Security
  • 8. A Word about Mac Security vs. Windows Security
  • 9. A Word about Mac Security vs. Windows Security
      • Apple has its share of security issues, just as Microsoft does (highlighted on the previous page are security updates that have been released for the Mac)
      • “Cyber criminals” are employees of opportunity
      • If Apple’s total computer market share is approximately 8% and Microsoft’s total computer market share is approximately 90%, who would you target?
      • Just because you may own a Mac does not mean you are more secure than you would be if you owned a Microsoft Windows-based computer
      • Apple computers are also attacked by viruses
  • 10. Facebook – A Global Target
      • More than 400 million active users
          • As of May 15, 2010, global human population was estimated at 6.821 billion
          • Facebook’s user population is ~6% of the entire human population
          • A recent article in Fortune Magazine indicated Facebook is nearing its 500 millionth user
      • 50% of active Facebook users log on to Facebook in any given day
      • The average Facebook user has 130 friends
      • People spend over 500 billion minutes per month on Facebook
      • There are over 160 million objects that people interact with (i.e., pages, groups and events)
      • Average Facebook user is connected to 60 pages, groups and events
      • Average Facebook user creates 70 pieces of content each month
      • More than 25 billion pieces of content (e.g., web links, news stories, blog posts, notes and photo albums) are shared each month
      • About 70% of Facebook users are located outside the United States
      Source:
  • 11. Facebook – A Global Target
      • Remain aware of the statistics provided on the previous page as you continue reviewing these materials
      • Think about how many people you do not know may take an interest in your Facebook profile, or that may take an interest in your children’s Facebook profile, or that may take an interest in your niece’s / nephew’s Facebook profile, etc…
      • Think about how many of these people may take an interest in such Facebook profiles with malicious thoughts in mind
      • There is a lot to think about!
  • 12. Facebook – A Global Target. Top 10 social networking sites (as of April 2010)
      1. Facebook
      2. Youtube
      3. MySpace
      4. Twitter
      5. Tagged
      6. Yahoo! Answers
      7. Yahoo! Profiles
      8. myYearbook
      9. Windows Live Home
      10. Mocospace
      Source:
  • 13. Facebook – A Global Target. Picture yourself as being the best at something; maybe you are the #1 ranked professional tennis player, maybe you are the President of the United States of America, maybe you are the CEO of Microsoft, maybe you currently manage 500 people in your company, maybe you created the award-winning recipe at the latest Pillsbury Bake-Off® Contest, … We all know what happens when one is at the top; they become targets. There is always a community of people that want to ‘de-throne’ those at the top; it is our competitive nature. Facebook is currently the #1 social networking site. What are the threats to your well-being given that you have a Facebook profile?
  • 14. Facebook Threat Landscape. [World map of malicious activity; legend runs from “Less malicious activity” to “More malicious activity”] Source: (May 13, 2010)
  • 15. Facebook Threat Landscape. The visual provided on the previous page, prepared by Team Cymru Research NFP, suggests that extensive malicious activity potentially originates from the eastern United States and from Europe. Leverage this as an illustration of the potential extent of cyber criminals that exist in our world today. How many of these cyber criminals have their cross-hairs set on Facebook as a target? Note: What is depicted on the world malicious activity map on the previous page consists solely of approximations. Additionally, the real individuals behind the malicious activity represented could be far away from any of the displayed locations, controlling these compromised systems remotely.
  • 16. Facebook Threat Landscape. Each individual pixel (i.e., small dot) of the full map represents 4096 IP addresses. The coloration of the map is scaled in "heatmap" style - if no IP addresses from the block represented by a given pixel were found in our dataset of malicious activity, it will remain black. If any addresses were found, the pixel will be shaded based on the number, starting with blue, transitioning through purple, green, yellow, orange, red, and, finally, to white for the largest concentrations of malicious activity. Source:
  • 17. Facebook Threat Landscape
      • Referring to the visual on the previous page, an IP (i.e., Internet protocol) address is essentially a computer’s phone number. Each small blue dot indicates there is at least one IP address (i.e., in simple terms, one computer) within a range of nearly 4,100 IP addresses (i.e., ~4,100 computers) that is engaging in malicious activity. From blue, each dot transitioning to purple, green, yellow, orange, red, and, finally, to white indicates increasing concentrations of malicious activity.
      • What is the point of the previous two visualizations? To ensure you understand that there are numerous individuals engaging in malicious activity on the Internet, and that a sub-set of these individuals are targeting Facebook users.
  • 18. Internet Threat Landscape
      • Viruses, Trojans, and other forms of malicious software
          • “A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.” – How Computers Work by Marshall Brain
          • “A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.” – How Computers Work by Marshall Brain
          • Malicious software: Any computer program that has been specifically designed to inflict harm on a computer or to inflict harm to an individual using a computer (e.g., by stealing confidential information or by causing the loss of critical information on a computer).
  • 19. Internet Threat Landscape
      • Now think about those statistics presented on page 9
          • More than 400 million active users
          • Average user has 130 friends
          • People spend over 500 billion minutes per month on Facebook
          • More than 160 million objects Facebook users interact with
          • Average user is connected to 60 pages, groups and events
          • More than 25 billion pieces of content shared each month
      • Now ask yourself these questions:
          • How many active users are injecting pieces of Facebook content with malicious software?
          • How does it make you feel that you may have no way of knowing whether a piece of Facebook content contains malicious software that could harm either your computer or important data on your computer?
          • Could your being exposed to malicious software on Facebook cause you to inadvertently spread the virus / Trojan to your Facebook friends? Could this result in your causing your friends’ personal information to be inappropriately disclosed, thereby compromising their safety?
  • 20. Internet Threat Landscape
      • Social engineering
          • This is the art of using people’s helpful nature against them for personal gain
          • If someone wants you, a complete stranger, to provide them with something in your possession, what is the key enabler for ensuring their success? Information.
          • What information does your Facebook profile provide that could enable a malicious person to subject you to social engineering?
          • Refer to these real-life examples: and
  • 21. Internet Threat Landscape
      • Users that are criminals
          • Thieves
          • Malicious brokers (sellers of compiled personal information)
          • Pedophiles and predators
          • Serial killers
          • Egomaniacs (i.e., hacking / malicious activity solely for notoriety)
      What information does your Facebook profile provide that could enable a thief, malicious broker, pedophile, predator, serial killer, egomaniac, etc., to achieve their ultimate goals?
  • 22. Internet Threat Landscape
      • Cyberbullies
      The data compiled for the survey represented in this bar chart was compiled in February 2010. Source: Cyberbullying Research Center –
  • 23. Internet Threat Landscape
      • Now that you have a better understanding of the types of malicious people that may be targeting Facebook users, are you going to change the way you are currently using Facebook?
      • What are you going to tell others you know that are currently using Facebook?
  • 24. How Secure is your Facebook Profile? Use a very strong and complex password; the password is the only security that is within your control that prevents others from accessing and modifying (i.e., vs. viewing) your Facebook profile. If you think Facebook profiles do not get hacked, read the article located at:
  • 25. How Secure is your Facebook Profile?
      • I use a freely available piece of software called Password Safe. It is available for download at http://passwordsafe.sourceforge.net/
      • As you can see in the lower right-hand corner of the visual provided on the previous page, at the time I prepared these materials, I had 445 total entries in my Password Safe. What does this mean? This means I have 445 distinct user accounts consisting of, at a minimum, a user name and a password.
      • Perhaps you use the same user name and password for all of your accounts, or perhaps you have heard others complain about their inability to commit distinct user names and passwords to memory for multiple user accounts?
      • The benefit of using Password Safe or similar software is you only need to commit a single password to memory. This single password becomes your key to unlock access to all of your remaining user accounts.
      • Make sure that single password you must commit to memory is one that will be virtually impossible for anyone else to guess
  • 26. A Word About Passwords
      • Passwords that protect personal items of vital importance / value
          • Examples include an online banking account, anything that contains personal information (e.g., Facebook accounts), and certainly the password required to access the equivalent of a Password Safe
          • Make passwords very complex and virtually impossible to guess
          • Passwords should consist of at least 8 to 10 alphanumeric characters with special characters; example: Yz6*!13Gh%
          • My passwords are typically a minimum of 15 characters long
          • Using a tool, such as Password Safe, enables you to use extremely complex passwords and varying user names that need not be committed to memory
          • Note: Make sure you are aware of whether the passwords you use to access certain systems are case-sensitive
  • 27. Disconcerting Facebook Usage Scenarios. 14 year old girl
  • 28. Disconcerting Facebook Usage Scenarios. Review the contents of the previous page and consider the following from a predator’s point of view, or perhaps from the perspective of a person (maybe a fellow student) that is obsessed with the 14 year-old girl that has included ‘likes and interests’ in her Facebook profile:
      1. “Due to the fact she is in the class of 2014, I know that she is 14 years old.”
      2. “I know which high school the girl attends every day school is in session.”
      3. “I can use what she has posted regarding her likes and interests to gain her interest in me.”
      4. “Reviewing other content provided in her Facebook profile, I will know who her friends are, where she lives, and where she may be in the future.”
      5. “I am confident she is vulnerable, but if I am unsuccessful in achieving my objectives with her, I will target one of her friends.”
      Something additional to think about: Is there content in your child’s Facebook profile that makes it easy for others to deduce your child’s birth date?
  • 29. Disconcerting Facebook Usage Scenarios
      1. Rigorously monitor your children’s Facebook content and Facebook activity
          a. Perhaps make the condition that if your children are to be permitted to use Facebook, you will be capable of accessing your children’s Facebook profile, and you will be permitted to modify and / or remove any content, at your discretion, from your children’s profile
      2. Consider not allowing your children to use Facebook until they reach a certain age
          a. It is important to realize that children and adults alike with many friends are conduits to numerous other children and adults
              a. Then a question comes to mind: Are you potentially doing something that could compromise the safety / well-being of your Facebook friends?
      My wife and I currently do not allow our children to use Facebook, and my wife currently does not use Facebook in any capacity.
  • 30. Disconcerting Facebook Usage Scenarios. “My parents are so cool. They let me go to the Hawthorne Shopping Mall on my own, which is where I am now!” – 12 year old girl’s posting on her Facebook profile. All I have to say about this is anyone in the vicinity of Hawthorne Shopping Mall knows that a 12 year old girl is all alone. Such people know what this girl looks like, know her interests, and have access to any other information that may assist such people in achieving whatever objectives they may have in mind. I contacted this child’s mother, who happens to be a very close friend of mine, and she accessed her daughter’s Facebook profile and removed this posting immediately.
  • 31. Disconcerting Facebook Usage Scenarios. Refrain from including personal information that could be used to compromise your identity
      1. Do not provide your entire birth date in your profile; if you must, provide only your birth month
      2. Do not provide your home address; if you must, provide only the state in which you reside
      3. Consider not posting photos of your home / neighborhood
      4. Consider not becoming a ‘friend’ with your mother if she is still using her maiden name
      I am currently following all four recommendations above and I never will provide any information that could compromise my identity
  • 32. A Word about Identity Theft: It Won’t Happen To Me!
      • Identity theft is not biased; it affects everyone
      • Identity theft is the fastest growing non-violent crime in the U.S.
      • 2009 identity theft statistics indicate the following:
          • 11.1 million adults in the U.S. were victims of identity theft in 2009: That’s 21 people victimized each minute!
          • The total fraud amount was $54 billion
          • The average identity theft victim spent 21 hours resolving the crime
          • 4.8% of the U.S. population was a victim of identity fraud in 2009
          • 13% of identity fraud crimes were committed by someone the victim knew
      Source:
  • 33. A Word about Identity Theft
      • Review the statistics on the previous page again and ask yourself this simple question
          • “Have I included information in my Facebook profile that could potentially be used to compromise my identity?”
      • Remember, 13% of identity fraud crimes committed in the U.S. in 2009 were performed by people the victims knew
  • 34. A Word about Identity Theft: What’s an Identity? Are you really what you eat? You are your personally identifiable information (PII)
      • Name
      • Number and gender of children
      • Birth dates
      • Addresses
      • Telephone numbers
      • Driver’s license
      • Marital status
      • Mortgage information
      • Civil judgments
      • Bankruptcies
      • Ethnicity
      • Religion
      • Hobbies
      • Purchases
  • 35. A Word about Identity Theft: Personally Identifiable Information
      • Personally identifiable information is any information that could be used by someone to identify you as an individual
      • Some information about you may not be able to be used in isolation to identify you; however, in combination with other information, it could be used to identify you
      • Plain and simple: Protect your PII as you would protect any other valuables (e.g., money)
  • 36. A Word about Identity Theft: Identity Theft Explained
      • Two primary types of identity theft economic crimes
          • Account takeover
              • Thief acquires a person's existing credit account information and uses it to purchase products and services
              • Typically executed in less than two days
              • Perpetrators often transition to another target before anyone notices a crime has occurred
  • 37. A Word about Identity Theft: Identity Theft Explained
      • Two primary types of identity theft economic crimes (continued)
          • Identity theft / “true name fraud”
              • Thief uses another person's social security number and other PII to fraudulently open new accounts and obtain financial gain
              • Victims typically unaware that fraudulent activity has occurred for an extended period of time
              • Thief may continue activity for months / years
  • 38. A Word about Identity Theft: Notable Identity Theft Incidents Impacting Companies You Know
      • TJX (TJ Maxx, Marshalls, and others)
          • Initial hacking incident occurred
          • More than 94M consumers impacted
          • More than $250M in fines and court settlements
      • Gap Inc.
          • A laptop containing PII of job applicants was stolen from the offices of an experienced third-party vendor that manages job applicant data
      • Home Depot
          • A laptop computer containing about 10,000 employees' PII was stolen from a regional manager's car
      • Blockbuster
          • A Sarasota resident found 400 membership forms and employment applications containing PII in a trash container
      • United Healthcare
          • Posted PII of doctors at Columbia University’s faculty practice on a public Web site
      • American Red Cross
          • Six boxes containing employees’ PII left unattended in public hallway for more than six hours
      Source:
  • 39. A Word about Identity Theft: Tally of Identity Theft Incidents. Total number of impacted people??? More than 354 Million since January 2005. Source:
  • 40. A Word about Identity Theft: An Example of how PII in Your Facebook Profile Could be Used Against You g,184522/printable.html

    "People aren't just handing over their own life story to criminals," Ducklin commented. "They're betraying people close to them too, by helping those cybercrooks build up a detailed picture of their life and their milieu. This is an identity scammer's dream."

    IT security firm Sophos has announced its latest probe into how easy it is to steal identities via Facebook and found that user negligence is worst in 2009. "We assumed things would be better in 2009 but the situation is worse. This really is a wake-up call," said Paul Ducklin, head of technology, Sophos Asia-Pacific (Sydney). Ducklin, who led the Facebook probe, said they created two fictitious users with names based on anagrams of the words "false identity" and "stolen identity." He said 21-year-old "Daisy Felettin" was represented by a picture of a toy rubber duck bought at a US $2 shop; 56-year-old "Dinette Stonily" posted a profile picture of two cats lying on a rug. Each sent out 100 friend requests to randomly-chosen Facebook users in their age group. Within two weeks, a total of 95 strangers chose to become friends with Daisy or Dinette -- an even higher response rate than when Sophos first performed the experiment two years ago with a plastic frog. Worse still, Ducklin said, in the latest study, eight Facebookers befriended Dinette without even being asked. Ducklin said 89% of the 20-somethings and 57% of the 50-somethings who befriended Daisy and Dinette also gave away their full date of birth. "Nearly all the others suppressed their year of birth, but this is often easy to calculate or to guess from other information given out," he said, adding that even worse, just under half of the 20-ish crowd, and just under a third of the 50-ish crowd, gave away personal information about their friends and family.
  • 41. A Word about Identity Theft: An Example of how PII in your Facebook Profile Could be Used Against You g,184522/printable.html (continued)

    Sophos is calling on users of social networking sites to think much more strictly about what it means to accept someone as a friend. "We're not trying to be killjoys," Ducklin explained. "We just want you to be much more circumspect about whom you choose to trust online." Graham Cluley, senior technology consultant for Sophos, revealed that 10 years ago it would have taken several weeks for con artists and identity thieves to gather such kind of information about a single person. "Social networks have made it easier for the bad guys to scoop up information about innocent members of the public. Everyone must learn to be more careful about how they share information online, or risk becoming the victims of identity thieves."

    Sophos produced the following top tips for users who want to protect themselves from identity thieves on Facebook: Don't blindly accept friends. Treat a friend as the dictionary does, namely "someone whom you know, like and trust." A friend is not merely a button you click on. You don't need, and can't realistically claim to have, 932 true friends. Learn the privacy system of any social networking site you join. Use restrictive settings by default. You can open up to true friends later. Don't give away too much too soon. Assume that everything you reveal on a social networking site will be visible on the internet for ever. Once it has been searched, and indexed, and cached, it may later turn up online no matter what steps you take to delete it.

    "Our honeymoon period with social networking sites ought to be over by now -- but many users still have a 'couldn't care less' attitude to their personal data," Ducklin added.
  • 42. Disconcerting Facebook Usage Scenarios. “Burglary: Occurred between 7/31/09 and 8/16/09 on <street name withheld> Residents returned from vacation to find that someone unknown forced open a rear door and ransacked the house. It is unknown at this time what is missing. The resident did not register for a vacation house watch, there is no alarm on the residence, and the children had posted the whereabouts of the family on FaceBook.” – Neighborhood police blotter
      1. Never announce an impending vacation or impending business travel
      2. Consider not announcing funeral arrangements for the passing of a family member or friend
          a. Burglars leverage obituaries and information pertaining to funeral arrangements so they may gain access to vacant homes. You should always have someone stay at your home when attending a family member’s funeral.
      I am currently following both recommendations above and wait until after I return from a vacation / business travel before incorporating any relevant information in my profile
  • 43. Disconcerting Facebook Usage Scenarios. Think twice about content in your Facebook profile that could be career-limiting
      1. Consider refraining from presenting your political points-of-view
      2. Do not post anything that would be perceived as offensive by co-workers, your boss or your employer
      3. Do not post anything confidential in nature applying to your employer
      4. Do not disclose anything regarding your personal health or the health of your children
      5. Never use profanity
      6. Do not post content during working hours
      I do not leverage Facebook as a platform to vocalize my political views, and I will always practice the remaining recommendations. You never know who may see your Facebook profile, and once created, it may never cease to exist.
  • 44. Disconcerting Facebook Usage Scenarios
      • With the advent of the Internet, search engines, and social networking sites, employers are using these evolving resources in support of their recruitment processes
      • Could information regarding your medical condition posted in your Facebook profile cause a prospective employer to remove you from consideration? Could it compromise your ability to file an insurance claim or compromise a lawsuit in the future?
      • Discussing politics could become contentious; could posting your political views compromise your ability to find a new job? Could it alienate you from your co-workers?
      • Your children will be employees one day. Is there something currently in their Facebook profiles that could compromise their ability to get a job in the future?
      • Is there anything in your Facebook profile that your children and / or friends may find embarrassing or insulting?
      Note: I am not an attorney; however, I am aware that it may be unlawful for prospective employers and active employers to use this type of information in a discriminatory way.
  • 45. Disconcerting Facebook Usage Scenarios: Showcasing your family members. 1. Re-think posting photos of your children in your Facebook profile. a. Are you aware of others who are posting photos and names of your children? 2. Re-think including the names of your children in your Facebook profile. I do not ever plan to include photos of my family members in my Facebook profile.
  • 46. Disconcerting Facebook Usage Scenarios: It is impossible for you to control what others say about you, what content they may include about you, what photos they may have or take of you that they may post in their Facebook profile, how they may interact with your Facebook friends, how they may incorporate information about your children and other family members that are Facebook users, etc. It is a worthwhile exercise to reflect upon these aspects that are not within your control and begin to understand what existing content in your Facebook profile should be removed, and the nature of information you should refrain from including in your Facebook profile in the future.
  • 47. Disconcerting Facebook Usage Scenarios: “I can not believe <John Doe> fired you; what a <expletive> idiot. These guys are so stupid, this workplace is a joke. If they didn’t pay me so much money I’d have been out of here way before you were terminated; the money is just too good to leave!” – Employee being groomed to become a Senior Partner at an accounting firm whose employment was since terminated. Wondering what happened? A co-worker was fired. The employee quoted above was very close friends with this co-worker. The co-worker configured her Facebook account to send all correspondences, updates, etc. to the email account she was provided by her employer. After the co-worker was fired, her email account was disabled, and all incoming emails sent to her were received in the accounting firm’s ‘catchall’ email account. An administrator at the accounting firm that received all catchall emails retrieved and reviewed this email from the employee being groomed to become a Senior Partner. In response to his sentiments, the Senior Partners and Owners of the firm terminated his employment.
  • 48. Disconcerting Facebook Usage Scenarios: Do not configure Facebook to send any notices / correspondences to an email account given to you by your employer; if you must, use only your personal email account (e.g., Yahoo! and GMail). While I am self-employed, I still have not configured Facebook to send notices / correspondences to my company email account. Further, I have configured Facebook to not send me any notices / correspondences. I always log into my Facebook profile in order to view any updates and correspondences.
  • 49. A Word about Email Security: 1. Email, by default, is not secure. 2. Send unsecured email with the expectation that it could be disclosed to anyone in the world. 3. The more popular your email service provider, the more susceptible you are to malicious activity. Examples: Your emails may be more likely to be intercepted or spoofed (i.e., a malicious person may send defamatory / offensive and other inappropriate emails that appear to have been sent by you to both people you do and do not know – e.g., the “From” field in the recipient’s email Inbox would contain
  • 50. Disconcerting Facebook Usage Scenarios: Think before you use Facebook applications. You are subject to privacy policies and terms of use that are unique to each application; a lot to review and monitor on an ongoing basis. Using Facebook applications may compromise your Facebook friends’ privacy.
  • 51. A Word about Privacy Policies and Terms of Use Provisions Source:
  • 52. A Word about Privacy Policies and Terms of Use Provisions: Some privacy policies and terms of use provisions are well written and some are not. Some are easy to interpret and others may require a lawyer’s mindset to decipher. As may be seen from the statistics provided on the previous page, there is a large community of individuals who, if they took the time to review respective Facebook application-related privacy policies and terms of use provisions, would likely lack the literacy required to fully understand what is being communicated in written form.
  • 53. Want More Proof Regarding Risks Associated with Facebook Use? Take the time to review all privacy and security options at your disposal and configure them to what makes the most sense for you, your family and your friends. This Account Security option is an acknowledgment by Facebook that its users are being targeted by malicious people. I have included this to demonstrate one thing: Facebook itself understands it is a global target, and you need to understand this too!
  • 54. A Word about Facebook’s Privacy Policy and Privacy Settings: Plain and simple, Facebook has received a substantial amount of bad publicity regarding its privacy policy and its privacy settings; both are a moving target. If you decide to post personal information about yourself, your children, other family members and friends, I urge you to frequently review Facebook’s privacy policy and Facebook’s privacy settings. Historically, many times when Facebook has created a new privacy setting, Facebook by default has chosen corresponding privacy settings that prove to be risky to its users.
  • 55. Closing Thoughts: 1. Just be careful. Think about the reasons why you do not wear an imprint of your social security card on your shirt, the measures you employ to keep your family safe, why you do not broadcast to the world how much money you earn annually, etc. 2. Life is complicated these days and no one needs to introduce more complexity and risk into their lives. If you decide to be conscientious regarding how you use Facebook, it imposes a substantial burden upon you. 3. It is not just yourself you are potentially subjecting to risk; your Facebook use could be harming your friends and family members. 4. Reflect upon why you are using Facebook and focus your usage on achieving your Facebook usage objectives. a. Consider only becoming ‘friends’ with people you know; many Facebook users connect with anyone in order to maximize the number of Facebook friends they have. 5. For the most part, it is not Facebook that is insecure; it is the manner in which numerous people use Facebook that makes their personal / professional lives less secure. 6. Share what you have learned with others; increase their awareness. If these materials have been helpful to you, share these materials with your friends and family members. Making informed decisions regarding Facebook use requires sufficient awareness. 7. You may not agree with some or most of the content in these materials. You may think everything outlined in these materials is obvious. However, my observation of my friends’ use of Facebook has demonstrated a number of instances where the basic principles in these materials are not being followed, resulting in people introducing unnecessary and undesirable risk into their lives. If you do not find much value in these materials, do not allow your opinion to prevent you from sharing these materials with others who likely will benefit from the topics this material addresses. 8. Together, let’s start a movement.
Let’s reduce the unnecessary and undesirable risks facing Facebook users one person at a time!
  • 56. Contact Me if You Have Questions! Nevada; West Virginia. Contact Information: Steven Hamburg, President & CEO, Eclipsecurity, LLC