Social Network Privacy II
This series of articles gives security tips on how to make social networking more secure on the top social networks. Part II: Twitter.

hakin9.org/hakin9-0812-57-malware/

Basics
Social Network Privacy Guide – II
Hakin9, 08/2012

This series of articles gives security tips on how to make social networking more secure on the top social networks.

What you will learn…
• The most useful ideas and advice on how to use a lot of social networks, mixing fun and business
• What the best-known social networks offer to keep your data private

What you should know…
• Basic knowledge of how to find and set up the security settings on social networks
• A clear understanding of your goal when you start to use a new social network

Social networking services are a kind of online service that focuses on building social relations among people who share information about themselves online. The information they fill into their profiles makes it possible for users to search for and extract the information they need. This means the search analyses only the actual content you want (images, video, text, calendar events). Such a representation is often based on each user profile as a set of social links, interests, public data, and other linked services. For a long time the trend has been growing fast towards unifying the control mechanisms. Each of these social services meets the users' desire to enter less about themselves. That is why you are allowed to sign up or sign in with a Facebook or Twitter button, after which you can start to organize your own network groups by involving other friends via email or a social address book, or by switching your profile into the public zone indexed by search engines like Google, Yahoo or Bing. This is a so-called individual-centred service, whereas online community services are group-centred, based on users' ability to share ideas, activities, events, and interests within their individual networks.

Chapter I. Security beyond the whole picture
Part II. Twitter

Twitter appeared in 2006 as a group of people telling what they were doing right now, as soon as it happened, like "woke up" or "overslept". Now it is a social place to leave messages of up to 140 characters, a kind of SMS message. These messages create your so-called timeline, which can be followed, and the messages can be marked as favorite, retweeted, and replied to. Direct messages are limited to 140 characters too.

Figure 1. Normal Tweets
Figure 2. Mentions
Figure 3. Replies

Some basic terms and definitions

Timeline
A Twitter timeline collects the stream of Tweets, listed in real-time order with the newest updates at the top; it is where you land when you view your homepage.

Types of Tweets
• Normal Tweets look as shown in Figure 1 and represent a message of not more than 140 characters that appears on the sender's page and timeline, and on the timeline of other profiles which are allowed to see the updates according to the privacy settings. Note that it never appears on someone else's profile until it is retweeted.
• Mentions look as shown in Figure 2 and represent the same message including another user's username preceded by "@", placed in the message after at least one word, e.g. "This @yurychemerkin is mention for…". Mentions usually appear on the sender's profile among the public tweets, or on someone's timeline if this person is following the sender. In addition, mentions may be found in the recipient's Mentions and Interactions tabs, which are accessible only by them. As with normal tweets, a mention never appears on someone's profile unless this person wrote the message.
• Replies look as shown in Figure 3 and represent a message similar to mentions except for the position of "@username": now it must be placed at the beginning of the message, e.g. "@yurychemerkin your blog is cool!". Replies appear on the profile page, or on the timeline whose owners are following the sender or both of them. Also, replies may be found in the recipient's Mentions and Interactions tabs and never on anyone's profile page, unless they wrote or sent the message. If your Tweets are private, it means no one is allowed to see any of your tweets unless you have given them the right to follow you. Thus, when you send an @reply or mention, only profiles approved by you will be able to see them; otherwise you have to unprotect your tweets to make them and your account public.
• Direct messages are usually non-public messages sent directly to someone who follows you, or sent directly to you by someone you follow. Other cases are not allowed. A direct message is stored in the direct message folders of the sender and the recipient, as well as on the recipient's mobile device or email if (s)he has turned on this feature (Figure 4).

Figure 4. Direct messages

The common privacy rules
Twitter considers posting another person's private and confidential information a violation of the Twitter Rules. Such information may be:
• credit card information
• social security or other national identity numbers
• addresses or locations that are considered and treated as private
• non-public, personal phone numbers
• non-public, personal email addresses

Anyway, you may report it through the link (https://support.twitter.com/forms/abusive-user).

Twitter's solution for protecting its users from spam and abuse is permanent suspension of anyone engaging in the activities specified below:
• Mass account creation is forbidden for Twitter's users; username squatting and account inactivity for more than 6 are forbidden and such accounts will be removed
• Invitation spam: technically, users are prevented from sending an invitation repeatedly.
• Some of the declared spam techniques:
  • User has followed and unfollowed a large amount of users in a short amount of time, or has done it repeatedly
  • User has fewer followers than he is following, or a large number of users have blocked him
  • User's updates consist mainly of links, especially misleading and malware links
  • User posts too many duplicate data (note, you have to choose a couple of social networks linked with Twitter if these networks are mirrors)
  • User posts unrelated updates to a tag started with #
  • User sends too many duplicated referrals started with @, especially when it looks like spam
  • User adds too many unrelated users to lists with a spam goal
  • User describes false or misleading interests in the interests area
  • "Aggressive following" means a misbalance between the user's followers and followed list. For example, a user cannot follow 10,000 people if only 100 people follow him. When users reach 2000 followed they have to wait until they get more followers in order to resolve the misbalance

Figure 5. Dropdown menu
Figure 6. Account tabs
Figure 7. Tab "Account" Settings
• Some more relate to the technical limits:
  • Updates/Tweets: 1,000 per day, split into semi-hourly intervals; retweets are counted as updates.
  • Changes to Account Email: four per hour.
  • Following (daily): The technical follow limit is 1,000 per day.
  • Following (account-based): Once an account is following 2,000 other users, additional follow attempts are limited by account-specific ratios.
• Pornography is not allowed anywhere (profile, background, etc.)
• Each new account created to replace one previously suspended by Twitter will be suspended too.

Fake Twitter Emails
As Twitter does not send emails with attachments and never requests the user's Twitter password by email, other emails and messages similar to those described above tend to be fake. If you received such an email, you should forward it to [spoof@twitter.com] and then delete this email from your inbox without downloading any attachments from it. Phishing is another way to steal sensitive information: intruders send bulk messages in an attempt to get such information revealed, like a login and password. It often happens through a website that appears legitimate. In the case of spoofed emails, such an email may contain the header string "Twitter/Twitter Support/" while the email address differs from the real "@twitter.com".

Fake Web Sites
The user should always check whether or not a link goes to a fake login page, and that he is at twitter.com before logging in. You should check links in direct messages when clicking on them; be especially careful when clicking on links that were shortened using an external link shortening service. Even if the link came from a friend, it is possible that their account was compromised and the URL was actually sent out by a spammer. To be sure you are on Twitter.com before logging in, take a look at the URL in the address bar of your browser. Twitter domains will always have http://twitter.com/ or https://twitter.com/ as the base domain. Phishing websites will often look just like Twitter's login page, but will actually be a website that is not Twitter. For example, http://twitter.example.com or https://m.twitter.com.up.com.

Twitter Settings
Tabs related to privacy are in "Account Settings". To go to the Account Settings, click on the profile picture and choose "Settings" as shown in Figure 5. In the account section (Figure 6) there are several settings, e.g. email address, GPS location, country, etc. Most of them do not belong to privacy, except some you will see in the obfuscated Figure 7 below:
• Username
• Email and searching via email
• Tweet location
• Tweet Privacy
• Connection type
• Password reset way

Figure 8. Find friends
Figure 9. Delete "Find friends" data

The email address is part of user privacy in the way that someone may import an address book from Gmail, Y!Mail, Windows Live or elsewhere into Twitter and find anyone who uses the same email address
stored in his address book. Therefore, check that the field "Let others find me by my email address" is unchecked. To find someone on Twitter via email address you need to click on "#Discover" and "Find Friends", where five email services are available (Google, Yahoo, Yandex, Hotmail, and AOL). By the way, you need to enter your email login credentials when prompted and agree to share your information with Twitter. However, you can remove imported contact info from Twitter at any time: there is a block of text under the email provider list where there is a link to remove your contacts (Figure 8 and Figure 9).

A username may not be a point of privacy by itself, but when it works against searching via email, you may be interested in hiding a username based on your real name. HTTPS, once a joke, has become a classic in the most popular social networks (Facebook, Twitter, LinkedIn, G+). It improves your account security and protects you if you are using Twitter over an unsecured Internet connection, like a public Wi-Fi network, where someone may be able to eavesdrop on your site activity. If your settings suddenly don't use it, you need to set it to the checked state, for several reasons; one of them is that not every fake web site already uses https, like [hxxp://www.krishnasings.com/], which was found in June even though it looks like Twitter. If you want to change your password you only need to type your current password on the web and retype the new password twice. The way to reset

Table 1. Main Features
• ON: turns ALL your authorized Twitter updates and notifications on.
• OFF: turns ALL phone notifications off.
• ON [username]: turns on notifications for a specific person on your phone (without "@"). Example: ON YuryChemerkin
• OFF [username]: turns off notifications for a specific person on your phone (without "@"). Example: OFF YuryChemerkin
• FOLLOW [username]: allows you to start following a specific user, as well as receive SMS notifications. Example: FOLLOW YuryChemerkin, or f YuryChemerkin
• UNFOLLOW [username]: allows you to stop following a specific user. Example: UNFOLLOW YuryChemerkin
• LEAVE [username]: stops receiving SMS notifications for a specific user without having to unfollow them. Example: LEAVE YuryChemerkin, or l YuryChemerkin
• STOP, QUIT, END, CANCEL or UNSUBSCRIBE: will deactivate your account if you are an SMS-only user.

Table 2. Additional Features
• @[username] + message: shows your Tweet as a reply directed at another person. Example: @YuryChemerkin newpost
• D [username] + message: sends that person a Direct Message that goes to their device, and saves in their web archive.
• RT [username]: sends that user's latest Tweet to your followers (also known as a Retweet).
• SET LOCATION [place name]: updates the location field in your profile. Example: set location Moscow
• SET BIO: edits your Bio information on your Twitter profile. Example: set bio I'm a writer in Hakin9!
• SET LANGUAGE [language name]: selects the language you'd like to receive notifications in. Example: set language Russian
• SET NAME [name here]: sets the name field on your Twitter profile. Example: set name Yury Chemerkin
• SET URL [url here]: sets the URL field on your profile. Example: set url http://re.vu/yury.chemerkin
• WHOIS [username]: retrieves the profile information for any public user on Twitter. Example: whois yurychemerkin or w yurychemerkin
• GET [username]: retrieves the latest Twitter update posted by that person. Example: get yurychemerkin or g yurychemerkin
• FAV [username]: marks that user's last Tweet as one of your favorites. Examples: fav yurychemerkin, or favorite yurychemerkin
• STATS [username]: returns the given user's number of followers, how many people they're following, and their bio information
• SUGGEST: returns a listing of Twitter users' accounts we think you might enjoy following
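The rule from the Fake Web Sites section above (a genuine Twitter URL has twitter.com as its base domain) can be checked mechanically before you type a password. The following Python is an added example and not code from the article; the two look-alike hosts are the article's own, while the userinfo and suffix variants in the sample list are constructed additions.

```python
"""Check whether a login link really points at twitter.com.

Added example, not from the original article. It applies the article's
rule that a real Twitter URL has twitter.com as its base domain and
rejects look-alikes such as twitter.example.com or m.twitter.com.up.com.
"""
from urllib.parse import urlsplit

# The only base domain the article accepts for Twitter's login page.
TRUSTED_BASE = "twitter.com"


def is_twitter_login_url(url: str) -> bool:
    """Return True only if url is served from twitter.com or one of its subdomains.

    The decision is made on the parsed hostname, not on the raw string, so a
    link that merely *contains* "twitter.com" somewhere is still rejected:
    - twitter.example.com              (twitter.com is a prefix, not the base)
    - m.twitter.com.up.com             (twitter.com sits in the middle)
    - https://twitter.com@evil.example (constructed: "twitter.com" is userinfo)
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed URL (e.g. broken IPv6 literal)
        return False
    # Only the two schemes the article names are accepted; no scheme means
    # the browser would guess, so treat that as untrusted too.
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Exact base domain, or a label-aligned subdomain of it (".twitter.com").
    return host == TRUSTED_BASE or host.endswith("." + TRUSTED_BASE)


def classify(urls):
    """Map each URL to 'twitter' or 'not twitter' for a quick review of links in a DM."""
    return {u: ("twitter" if is_twitter_login_url(u) else "not twitter") for u in urls}


# Constructed sample: the article's two phishing look-alikes plus genuine URLs
# and two further constructed tricks.
SAMPLE_LINKS = [
    "https://twitter.com/",
    "http://twitter.com/login",
    "https://mobile.twitter.com/login",
    "http://twitter.example.com",                # from the article
    "https://m.twitter.com.up.com",              # from the article
    "https://twitter.com@evil.example/login",    # constructed userinfo trick
    "https://twitter.com.evil.example/",         # constructed suffix trick
]

if __name__ == "__main__":
    for link, verdict in classify(SAMPLE_LINKS).items():
        print(f"{verdict:12} {link}")
```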
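Table 2's D command and the "Did you know?" note on the next page (a provider may split an SMS longer than 160 characters, so the second part no longer starts with d username and is posted as a normal public Tweet) suggest splitting a long direct message yourself before sending it. The following Python is an added example and not code from the article; the carrier behaviour it models (a plain cut every 160 characters) and the sample message are assumptions.

```python
"""Split a long SMS direct message so no part can leak as a public Tweet.

Added example, not from the original article. It models the failure the
article's "Did you know?" box describes and the defensive fix: give every
SMS segment its own "d username " prefix and keep each within the limits.
"""
import textwrap

SMS_LIMIT = 160   # single-SMS length the article cites
DM_LIMIT = 140    # per-message cap the article gives for direct messages


def dm_prefix(username: str) -> str:
    """The 'd username ' command prefix Twitter expects on an SMS direct message."""
    return f"d {username.lstrip('@')} "


def carrier_split(sms_text: str, limit: int = SMS_LIMIT) -> list:
    """Model a provider that cuts an over-long SMS into fixed-size pieces.

    Assumption: a plain cut every `limit` characters. Real carriers differ,
    but any cut leaves the tail without the command prefix.
    """
    return [sms_text[i:i + limit] for i in range(0, len(sms_text), limit)] or [""]


def leaking_parts(sms_text: str, username: str, limit: int = SMS_LIMIT) -> list:
    """Pieces of a naively sent SMS that Twitter would treat as public Tweets.

    A piece leaks when it no longer begins with the 'd username ' prefix.
    """
    prefix = dm_prefix(username)
    return [p for p in carrier_split(sms_text, limit) if not p.startswith(prefix)]


def split_direct_message(username: str, message: str, limit: int = SMS_LIMIT) -> list:
    """Split `message` so every SMS starts with the DM prefix and fits both limits.

    Each body is capped at DM_LIMIT and at (limit - prefix length), whichever
    is smaller, and wrapped on word boundaries where possible.
    """
    prefix = dm_prefix(username)
    room = min(DM_LIMIT, limit - len(prefix))
    if room <= 0:
        raise ValueError("username too long for a direct message via SMS")
    bodies = textwrap.wrap(message, width=room, break_long_words=True) or [""]
    return [prefix + body for body in bodies]


# Constructed sample: a 199-character message to the username the article uses.
SAMPLE_USER = "yurychemerkin"
SAMPLE_MESSAGE = ("meeting moved to 18:00, bring the signed contract " * 4).strip()

if __name__ == "__main__":
    naive = dm_prefix(SAMPLE_USER) + SAMPLE_MESSAGE
    print("naive send leaks", len(leaking_parts(naive, SAMPLE_USER)), "part(s)")
    for part in split_direct_message(SAMPLE_USER, SAMPLE_MESSAGE):
        print(len(part), part)
```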
your password means the Twitter developers are on the right track. Now you may set up password recovery via phone, which may be more secure than via email. However, as I wrote in the article "The backroom message that stolen your deal" (March 2011) [http://goo.gl/YUzjk], your SMS messages may include SMS-based C&C for Facebook or Twitter. This SMS management is vulnerable and leads to auto-posting anything without asking or notifying you on the social network; additionally, it charges you and extracts all the one-time passwords you need to type to approve actions on public computers. Below I discuss the commands and features of SMS exploitation.

Twitter SMS Commands
They can help you to perform certain actions, like following a user or marking a friend's update as a favorite (see Main Features and Additional Features, Table 1 and Table 2). By the way, Facebook has SMS commands as well, but the set is shorter than Twitter's. You can text Facebook to update your status, message your friends, and receive messages and wall posts from your friends as they happen. All SMS commands are sent to the number "3223" (Table 3).

Adding location to tweets is not in itself vulnerable for users without context. For example, a user posts about his travel with location tracking during several months and then he makes a post when he is at the airport. As you see, his last tweet does not include location data, because the fact that nobody is at home is enough to rob him. The main idea is non-systemic actions, tweets and location separately: then intruders need more time and resources to analyze the dependence; if not, you will be easily caught! If you want to delete location info, you need to know it usually takes around 30 minutes, and Twitter guarantees to delete all location data, but no one guarantees to delete the location data accumulated in third-party apps, such as RSS news readers, as Twitter still allows gaining data for public profiles via RSS.

Twitter Privacy turns your account's publicity on/off and means you need to approve everyone to see your tweets, or never manage it. Public Tweets, the default setting, are visible to anyone, whether or not they have a Twitter account. If you had a public twitter profile at one time, then those tweets will always be public and searchable despite changed settings. Future tweets that you make after you turn on privacy will be protected. This option may often be of interest to control who sees your messages. Moreover, links you made via "t.co" are public, because anyone in the world is able to view the linked content, except in the filtering case. In addition, when privacy is turned on keep in mind that:
• Each follower request has to be approved, as I wrote above
• Your Tweets will only be visible to users you've approved
• Only approved users are able to retweet your tweets
• Protected tweets will not be indexed by Twitter search, Google search or any search engine, and will not appear anywhere
• All @replies users send to user A will not be seen by him if they were not approved before
• You cannot share permanent links to tweets with anyone other than your approved followers. A permanent link is a static URL (except if the tweet was deleted) to the tweet; you'll find it in the browser's address bar when you click on the tweet and then on its details, which often include:
  • The exact time the tweet was posted

Did you know?
Your service provider may split SMS messages greater than 160 characters into multiple messages. In this case, the second message will post as a normal Tweet because it does not begin with d+username, as the first message did.

Table 3. Facebook Commands
• Update status: is at johns party
• Add friend by name (or phone number): add john smith / add 1234567890
• Subscribe to status: subscribe john smith
• Photos help: photos
• Unsubscribe: unsubscribe
• Help: help
• Stop sms: stop
• Start sms: on

Figure 10. Permanent links
  • The service/application used to post the Tweet
  • Users who retweeted the tweet

Tab "Mobile" in the account settings leads you to the phone number management and is represented by text notification and sleep settings, plus a feature that lets others find you by your phone number. It is the same graph extraction as email searching, so you need to decide whether this feature should be checked. Checking all of the text notification fields is a good idea to keep yourself abreast of the news in case your account is hacked. A similar idea applies to the email notification settings, which allow you to control:
• Notification if a direct message, reply or mention is received
• Notification if retweets, following or marking as favorites happened
• Notification regarding weekly stories

If you want to add a mobile number, perform the actions below:
• Follow [https://twitter.com/devices] or
• Log in to twitter.com
• Click on the person icon and select Settings from the drop-down menu.
• Click on the Mobile tab.
• Choose your country and enter your mobile number.
• Click Activate phone to start verifying your phone.
• You need to send the word GO via text message to Twitter 8080
• Text the verification code from your phone to that short code.

Tab "Profile" is mostly up to you, concerning your Name, Location, Web site, and biography, except for linking with Facebook. You should understand that if you want to separate your tweets and Facebook posts, then it's a good idea to create a Facebook Page; else (if you're OK with mixing social updates) it's a good idea to link your Twitter to the Facebook profile only and keep Facebook pages for other content. Your name is a personal or business identifier or real name that is displayed on your profile page and used to identify you to friends, especially if your username is mysterious like @XXX. MakeUseOf wrote an interesting article, "Why You Shouldn't Integrate Facebook, Twitter, & LinkedIn" [http://www.makeuseof.com/tag/integrate-facebook-twitter-linkedin/], which compares the positive and negative aspects of a linked social life stream

Figure 11. Mobile settings
Figure 12. Email settings
Figure 13. Facebook linking
Figure 14. Applications access settings
on Facebook and Twitter. Quoting: on Twitter you may want to gain followers by posting a tweet intentionally designed to get a reaction. While random people will love the snark, the less tech-savvy family members may take it seriously, and business contacts may balk at the controversial nature of it. However, on Facebook you may have some personal news that needs sharing with your nearest and dearest. While friends and family will be keen to hear the news, Twitter people will not care and LinkedIn people may resent what they will undoubtedly consider spam and/or utter gibberish.

Tab "Apps" in the account settings allows you to manage third-party access. Here you will see the app name, the date and time when you granted this application access, and the access type (read, write, direct messages). You can only revoke access or not grant access, while Facebook gives the feature to set the access types you want. Best practice is to check this section from time to time and revoke access for applications you have stopped using. On the other side, you are allowed to control who can see your Tweets (for the Twitter application) in the Facebook Application settings by clicking Edit for the Twitter app. You are still able to change the setting to the "Only for Me" state, when no tweet will be published on Facebook. Note, some applications may ask for Twitter access and never post anything, like Chime.In, because you set up your default Chime.In way of posting. However, Viadeo makes your accounts cross-posted as soon as you link them.

General Activity on Twitter

Delete account
The last feature of the tab "Account" gives the right to deactivate your profile by agreeing to it and entering your password. Your data is going to be kept for one month only before it is deleted. To reactivate your account just log in. When the month is over your account vanishes in a few minutes, your data in a few days, and indexed data may be kept as long as the search engine rules allow, unless you write to the search engine asking it to wipe your data. (An example for Google is at [http://www.google.com/support/webmasters/bin/answer.py?answer=64033&ctx=sibling])

Delete Tweet
How to delete an account via long-term deactivation was described above. You may want to block someone on Twitter as well. In this case, you need to go to the profile page of the person you want to block and click on

Figure 15. Applications access settings
Figure 16. Delete Account
his person icon, whereupon select Block. From then on, blocked accounts cannot add you to their lists, follow you, or see your profile picture in their timeline until you unblock them. In addition, you can unfollow or report this person as spam by selecting "Report @username for spam" in that menu.

To delete a tweet: locate the Tweet you want to delete, hover the mouse over the message and then click Delete. However, you cannot delete several tweets at a time, only manually one by one.

Grabbing twitter's data from your account
To this day this feature is available only for Facebook users, while Twitter gives users access only to the last few thousand posts made to the site. Twitter has been slower to roll out a similar service, although a number of third-party services and developers have cobbled together ways to let people sift through portions of Twitter's vast collection of messages. On July 24th an article in the NY Times was published announcing that Twitter is now working on a tool to let its users export all of their tweets, which means the tweets will be downloaded into a file.

Figure 17. Delete Account
Figure 18. Delete Tweet

Yury Chemerkin
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Researcher since 2009; currently works as a mobile and social infoSecurity researcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and Security Writing as a regular contributor. Now researching Cloud Security and Social Privacy.
Contacts: I have a lot of social contacts, so choose the most suitable way for you on Re.Vu http://re.vu/yury.chemerkin
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: yury.chemerkin@gmail.com
Skype: yury.chemerkin
My other contacts (blogs, IM, social networks) you will find among the http links and social icons before the TimeLine section on Re.Vu