How to protect your data privacy on social networks

Studies have said public speaking makes as many as 3 out of 4 people anxious. But that was before Facebook.

The 650 million people on Facebook suggest that most of us are getting over—or want to get over—that fear of communicating (or at least sharing pictures) in public. In just a few years, Twitter, YouTube and Facebook have given billions of people the chance to connect to an audience they would never had access to before.

But now that you’re becoming comfortable in public, you may begin to wonder: Am I revealing too much? In a world with the NSA, TMZ and Wikileaks, do I have any privacy? Is it possible to be a public person and still protect my information from being misused?

Friday January 28 is Data Privacy Day 2011, an international celebration of the dignity of the individual represented through personal information. Protecting your irreplaceable data is our mission and we take this mission very seriously. (Here is F-Secure’s Privacy Policy.)

The risks

The more visible, attractive or rich you are, the more you’re a target for the haters, the stalkers and online criminals of the 21st century. Heck, if you have a credit card, you’re a target for both the online criminals and unscrupulous marketers of the world.

Sharing personal information in an age where data can travel faster than lightning requires a 21st century view of data privacy. Some think it’s vain to worry about privacy. But don’t think about your ego, think about social engineering.

Wiktionary describes social engineering as “The practice of tricking a user into giving, or giving access to, sensitive information, thereby bypassing most or all protection.” Criminals have discovered that human error is the easiest vulnerability to exploit. If you’re not careful, your private data (or even public data) can be used to fool you into making mistakes that even your award-winning Internet Security can’t prevent.

Ignorance may be bliss, but it’s not an excuse. Once your private data is stolen, you’ll have to deal with the consequences. The good news is that you can do a lot to make your data more secure

My nephew once told me, “Facebook is so easy that even old people can use it.” And by old people, he meant me.

I agree with my nephew. Most people who use social media don’t suffer significant negative consequences for doing so—or there wouldn’t be millions of new people trying it every day. Stories of people being fired or arrested for what they’ve done on Facebook are rare. But they get lots of attention because Facebook is the superstar everyone knows.

Only a small percentage of those on social media fall victim to the worst of identity theft, malware or scams. And that’s still too many people suffering needlessly—especially because most of these scourges are avoidable.

The lessons

If you learned to manage the benefits and risks of email, you can do the same for social media. Here a few things you can do to help keep your private data private.

1. Decide why you’re social networking.
For some, social networking is an extension of your private life. You mostly interact with people you know or would like to know in the real world. The main topics of conversation are personal. Even when you delve into entertainment or politics or sports, it’s about sharing opinions to have fun and connect. Intimacy is the goal so private things are often shared nonchalantly. For instance, you might reveal what you did on a day when you played hooky from school or work.

For others, social networking is like interacting at a conference. You’re seeking out people in your industry or whom you admire. Conversation is like a cocktail party—being interesting and on-topic matters. When you talk about entertainment or politics or sports, it’s a way to network and establish trust. You want people to feel like they know you, but getting too personal too fast raises red flags. For instance, you may reveal what you did on your vacation but only in a way that you wouldn’t mind your boss reading.

For a growing number of people, social network is a chance to build a little fame or fortune. You’re looking for an audience who trusts and enjoys you to the point you might even sell them things. You converse with fellow influencers and friends but you also broadcast for a targeted or general audience. When you talk about entertainment or politics or sports, you’re entertaining or engaging an audience while establishing expertise. You may share extremely private details or never talk about your personal life. Either way, you’re establishing a persona that’s relatable to the audience you’re trying to attract. For instance, you may reveal a joke a well-known person shared with you.

By the time you’re out of college for a few years, most people have tried out some variation of each of these approaches to social media. And your approach definitely affects your data security.

The rule is: the bigger the audience you seek, the more you have to think about the information you share.

All of us have to protect our ID, account and phone numbers, our address and our Mother’s maiden name. But if you’re an aspiring Disney star or class president, you have to think about which pictures you take—since you know they’ll all be posted eventually. And George Clooney probably shouldn’t use Foursquare to share his location unless he wants to spend his day shaking hands or filing restraining orders.

We all need to be cautious about sharing details that can be used to scam us. If you achieve, or accidentally achieve, fame, your privacy will become even more precious. So if you want to be internet famous, you need to be savvy about which information you share online—or you’ll have to hire people who are.

2. Secure your systems
Don’t use the default password for your voicemail or anything. Use strong, unique passwords for all your accounts. Don’t use work email addresses or passwords for social accounts. Put security software on your PC and your mobile device, if possible. Password protect your Wi-Fi networks. Turn on secure browsing on Facebook. Put a remote lock on your mobile phone. Always lock your PC and mobile devices when you aren’t using them. Keep your system and application software updated. (Our free Health Check makes that easy.) Turn off GPS on your phone and pictures if you don’t want strangers to know your location.

3. Choose services you trust
Any store, service or site that has your data, should have a privacy policy. A key feature of a good privacy policy is that your data will not be shared or sold. By 2011, most reputable online businesses have privacy policies that make that basic promise. But in addition to privacy also have to trust that any organization you trust with your data had security that won’t be compromised. Quality can have a price. If privacy is more important to you than cost, you can buy dedicated email services that won’t serve you ads. Regardless if they charge or not, you should only use reputable online services you trust. Before you enter any data into any website, think, “Do I trust this organization?” If there’s any doubt, ask others what they think.

4. On a social network, your information could be shared with everyone– no matter what your privacy settings are.
Twitter is simple. There are two privacy settings: everyone or “Protect my tweets”. But even if you go with the protected option, your approved followers can still retweet your information to everyone. Facebook’s privacy settings are much more complex. They’re so complex that it almost feels like you should get college credits for really using them. Going with “Friends Only” is a good start, then you have to decide if you want your page on Google (if you don’t want your Facebook page to show up on Google, go to Account > Privacy Settings > Apps and Websites: Edit your settings > Public Search: Edit Settings > Uncheck Enable public search)  and if you want to automatically share your information with other websites.

The safest rule is: get your settings right and still assume that what you post could go public so only share information you wouldn’t mind a future boss (or fan) seeing. NEVER share information that could be used to crack your passwords. Also keep in mind that the information you’re sharing that could be used by identity thieves and social engineers.

5. Be available or don’t
There is a difference between following and friending people. You can follow a lot of people but our brains can only handle around 130 friends. Rejecting or ignoring friend requests can be emotionally difficult, but your privacy is more important than others’ feelings. I say follow anyone on Twitter but on Facebook I’d recommend only befriending people you know or trust. And realize that the person is your friend, not their links. If anyone begins to spam you, let them know the problem. If they keep spamming, unfriend them. If anyone harasses you at all, block their communication. If you’re threatened, contact law enforcement.

You have the right to keep your private data secure while living your digital life to the fullest. All you have to do is respect your own data privacy and do your best to make sure that the people and businesses you interact with do the same.

Cheers,
Jason

CC image by Sudhamshu Hebbar

More posts from this topic

crime scene

Help! I lost my wallet, phone and everything! I need 1000 €!

“Sorry for the inconvenience, I'm in Limassol, Cyprus. I am here for a week and I just lost my bag containing all my important items, phone and money at the bus station. I need some help from you. Thanks” Many of you have seen these messages and some of you already know what the name of the game is. Yes, it’s another type of Internet scam, an imposter scam variant. I got this message last week from a photo club acquaintance. Or to be precise, the message was in bad Swedish from Google translate. Here’s what happened. First I got the mail. Needless to say, I never suspected that he was in trouble in Limassol. Instead I called him to check if he was aware of the scam. He was, I wasn’t the first to react. Several others had contacted him before me and some were posting warnings to his friends on Facebook. These scams start by someone breaking in to the victim’s web mail, which was Gmail in this case. This can happen because of a bad password, a phishing attack, malware in the computer or a breach in some other system. Then the scammer checks the settings and correspondence to find out what language the victim is using. The next step is to send a message like the above to all the victim’s contacts. The victim had reacted correctly and changed the Gmail password ASAP. But I wanted to verify and replied to the scam mail anyway, asking what I can do to help. One hour later I got this: “Thanks, I need to borrow about 1000 euros, will pay you back as soon as I get home. Western Union Money Transfer is the fastest option to wire funds to me. All you need to do is find the nearest Western Union shop and the money will be sent in minutes. See details needed WU transfer below. Name: (Redacted) Address: Limassol, Cyprus you must email me the reference number provided on the payment slip as soon as you make the transfer so I can receive money here. Thank you,” Now it should be obvious for everyone how this kind of scam works. Once the scammers get the reference number they just go to Western Union to cash in. Most recipients will not fall for this, but the scammers will get a nice profit if even one or two contacts send money. But wait. To pull this off, the scammers need to retain control over the mail account. They need to send the second mail and receive the reference number. How can this work if the victim had changed his password? This works by utilizing human’s inability to notice tiny details. The scammers will register a new mail account with an address that is almost identical to the victim’s. The first mail comes from the victim’s account, but directs replies to the new account. So the conversation can continue with the new account that people believe belongs to the victim. The new address may have a misspelled name or use a different separator between the first and last names. Or be in a different domain that is almost the same as the real one. The two addresses are totally different for computers, but a human need to pay close attention to notice the difference. How many of you would notice if a mail address changes from say Bill.Gates@gmail.com to BiII_Gates@mail.com? (How many differences do you notice, right answer at the end?) To be honest, I was sloppy too in this case and didn’t at first see the tiny difference. In theory it is also possible that webmail servers may leave active sessions open and let the scammers keep using the hacked account for a while after the password has been changed. I just tested this on Gmail. They close old sessions automatically pretty quickly, but it is anyway a good idea to use the security settings and manually terminate any connection the scammers may have open. I exchanged a couple of mails with this person the day after. He told that the scammers had changed the webmail user interface to Arabic, which probably is a hint about where they are from. I was just about to press send when I remembered to check the mail address. Bummer, the scammer’s address was still there so my reply would not have reached him unless I had typed the address manually. The account’s reply-to was still set to the scammer’s fake account. OK, let’s collect a checklist that helps identifying these scams. If someone asks for urgent help by mail, assume it’s a scam. These scams are a far more common than real requests for help. We are of course all ready to help friends, but are YOU really the one that the victim would contact in this situation? Are you close enough? How likely is it that you are close enough, but still had no clue he was travelling in Cyprus? Creating urgency is a very basic tool for scammers. Something must be done NOW so that people haven't got time to think or talk to others. The scammers may or may not be able to write correct English, but other languages are most likely hilarious Google-translations. Bad grammar is a strong warning sign. Requesting money using Western Union is another red flag. Wire transfer of money provides pretty much zero security for the sender, and scammers like that. Many scammers in this category try to fake an embarrassing situation and ask the recipient to not tell anyone else, to reduce the risk that someone else sees through it. These messages often state that the phone is lost to prevent the recipient from calling to check. But that is exactly what you should do anyway. Next checklist, how to deal with a situation where your account has been hijacked and used for scams. Act promptly. Change the mail account’s passwords. Check the webmail settings and especially the reply-to address. Correct any changed settings. Check for a function in the web mail that terminates open sessions from other devices. Gmail has a “Secure your account” -wizard under the account’s security settings. It’s a good idea to go through it. Inform your friends. A fast Facebook update may reach them before they see the scammer’s mail and prevent someone from falling for it. It also helps raising awareness. And finally, how to not be a victim in the first place. This is really about account security basics. Make sure you use a decent password. It’s easier to maintain good password habits with a password manager. Activate two-factor authentication on your important accounts. I think anyone’s main mail account is important enough for it. Learn to recognize phishing scams as they are a very common way to break into accounts. Maintain proper malware protection on all your devices. Spyware is a common way to steal account passwords. The last checklist is primarily about protecting your account. But that’s not the full picture. Imagine one of your friends falls for the scam and loses 1000 € when your account is hacked. It is kind of nice that someone cares that much about you, but losing money for it is not nice. Yes, the criminal scammer is naturally the primarily responsible. And yes, people who fall for the scam can to some extent blame themselves. But the one with the hacked account carries a piece of responsibility too. He or she could have avoided the whole incident with the tools described above. Caring about your account security is caring about your friends too! And last but not least. Knowledge is as usual the strongest weapon against scams. They work only as long as there are people who don’t recognize the scam pattern. Help fighting scam by spreading the word!   Safe surfing, Micke   PS. The two mail addresses above have 3 significant differences. 1. The name separator has changed from a dot to an underscore. 2. The domain name is mail.com instead of gmail.com. 3. The two lower case Ls in Bill has been replaced with capital I. Each of these changes is enough to make it a totally separate mail address.   Image by Yumi Kimura

Dec 8, 2014
BY 
IMG_3395

5 ways to get ready to ask Mikko anything

It's like a press conference anyone can join from anywhere. And even if you don't have a question, you can upvote the ones you don't like and downvote the ones you do. President Obama did one. Snoop Dogg/Snoop Lion did one. An astronaut did one from outer space. And our Mikko Hypponen will sit down for his second Reddit AMA on December 2 at 8 AM ET. If you have something you've wanted to ask him about online security, great. If not, here are five resources that document some of Mikko's more than two decades in the security industry to prod you or prepare you. 1. Check out this 2004 profile of his work from Vanity Fair. 2. Watch his 3 talks that have been featured on TED.com. [protected-iframe id="7579bbf790267cc081ac7d92d951262c-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="fdf818f4afa2f7dcb179c5516c44918c-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="54be2fe9bce28ae991becbe3d4291e56-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] 3. Check out his first AMA, which took place just after his first talk at TEDglobal was published. 4. Take a trip to Pakistan with Mikko to meet the creators of the first PC virus. [protected-iframe id="8c0605f62076aa901ed165dbd3f4fcd7-10874323-9129869" info="//www.youtube-nocookie.com/v/lnedOWfPKT0?version=3&hl=en_US&rel=0" width="640" height="360"] 5. To get a sense of what he's been thinking about recently, watch his most recent talk at Black Hat "Governments as Malware Creators". [protected-iframe id="54b24406f022e81b15ad6dadf2adfc93-10874323-9129869" info="//www.youtube-nocookie.com/v/txknsq5Z5-8?hl=en_US&version=3&rel=0" width="640" height="360"] BONUS: Make sure you follow him on Twitter to get a constant stream of insight about online security, privacy and classic arcade games. Cheers, Sandra

Nov 14, 2014
bash

Shellshock only concerns server admins – WRONG

Yet another high-profile vulnerability in the headlines, Shellshock. This one could be a big issue. The crap could really hit the fan big time if someone creates a worm that infects servers, and that is possible. But the situation seems to be brighter for us ordinary users. The affected component is the Unix/Linux command shell Bash, which is only used by nerdy admins. It is present in Macs as well, but they seem to be unaffected. Linux-based Android does not use Bash and Windows is a totally different world. So we ordinary users can relax and forget about this one. We are not affected. Right? WRONG! Where is your cloud content stored? What kind of software is used to protect your login and password, credit card number, your mail correspondence, your social media updates and all other personal info you store in web-based systems? Exactly. A significant part of that may be on systems that are vulnerable to Shellshock, and that makes you vulnerable. The best protection against vulnerabilities on your own devices is to make sure the automatic update services are enabled and working. That is like outsourcing the worries to professionals, they will create and distribute fixes when vulnerabilities are found. But what about the servers? You have no way to affect how they are managed, and you don’t even know if the services you use are affected. Is there anything you can do? Yes, but only indirectly. This issue is an excellent reminder of some very basic security principles. We have repeated them over and over, but they deserve to be repeated once again now. You can’t control how your web service providers manage their servers, but you can choose which providers you trust. Prefer services that are managed professionally. Remember that you always can, and should, demand more from services you pay for. Never reuse your password on different services. This will not prevent intrusions, but it will limit the damage when someone breaks into the system. You may still be hurt by a Shellshock-based intrusion even if you do this, but the risk should be small and the damage limited. Anyway, you know you have done your part, and its bad luck if an incident hurts you despite that. Safe surfing, Micke   PS. The best way to evaluate a service provider’s security practices is to see how they deal with security incidents. It tells a lot about their attitude, which is crucial in all security work. An incident is bad, but a swift, accurate and open response is very good.   Addition on September 30th. Contrary to what's stated above, Mac computers seem to be affected and Apple has released a patch. It's of course important to keep your device patched, but this does not really affect the main point of this article. Your cloud content is valuable and part of that may be on vulnerable servers.  

Sep 26, 2014
BY