Are you sharing your telephone number on Facebook?
You might be and not even realize it.
A few months ago I signed up for Facebook’s Login Approvals, which required my mobile number. Instantly my number was added and set at my default setting.
If my general privacy setting were “Public”, my number could be one of the 2.5 million phone numbers that Brandon Copley recently harvested from Facebook using the site’s new Open Graph Search.
The app developer from Texas admits that users can use privacy settings to hide their number but still believes this is a violation of users’ trust.
“Facebook is denying its users the right to privacy by allowing our phone numbers to be publicly searchable as the default setting,” Copley told TechCrunch. “This means that anyone with my number knows my Facebook contact information. I may have not told my future employer about my Facebook account, but if I called them on my cell phone they can now know how to find me on Facebook.”
To make sure your phone number isn’t public, go to your profile and click on “Update Info”. Click “Edit” next to your “Contact Information”, then click on the audience icon and select the level of sharing you want. I chose “Only Me”.

This isn’t the only privacy surprise you should expect as Facebook’s Open Graph Search begins rolling out to the site’s one billion users.
The simplest way to make sure you’re only sharing what you want to share is to use our new Safe Profile Beta app, which scans your profile and lets you know how much you’re sharing and how to lock down your profile. But keep reading for more information about the search and how to prepare yourself.
Open Graph Search will definitely change the way people look at Facebook. You can sign up for the waiting list here: http://www.facebook.com/about/graphsearch
Your friends and their friends will be able to search your information in ways you may not expect. And this tool will likely become the “Google” of social—meaning people will go to it first to discover people based on interests and location, which could get a bit “creepy.”
Some suggest this tool will make it easier for criminals to find information for phishing attacks or repressive governments to crack down on dissidents. You can see some examples of how married people who “like” prostitutes and government employees who “like” racism here: http://actualfacebookgraphsearches.tumblr.com/
However, the good news is that it’s restricted by your privacy settings. And most of your friends use Facebook pretty sanely, right?
“90% of users get the basics right and the other 10% are hopeless,” F-Secure Security Advisor Sean Sullivan told me. “When the 90% meets the 10%, de-friend the boneheads. Because soon they will reflect on you.”
Since you will not be able to opt out of Open Graph Search, you might want to take a few more steps to make sure you don’t end up on the bad end of a disturbing search made by a friend, family member or potential employer.
Here’s what to do now:
(If you’re one of the 90% of the Facebook users who gets how to use the site, you can skip to step three for tips that relate specifically to Graph Search.)
1. First of all, never post anything you wouldn’t want to end up in your mom’s newsfeed.
This will save you from most embarrassment. This means no pictures, videos or status updates you wouldn’t want to see on the cover of your hometown newspaper. If you do this, you’ll avoid most, but not all, of the trouble that could result from being on Facebook or in its search.
2. Check your privacy settings and unfriend anyone who doesn’t seem to use the site responsibly
You can get fancy and restrict certain things to certain people, but Facebook’s basic privacy settings are “public” or “friends.” We recommend friends, unless you want to open your profile to end up in the search results of anyone in the world.
Find the lock near the upper right hand corner, click on it and select “See more settings” at the bottom of the menu that pops up.
For every option under “Who can see my stuff?” and “Who can look me up?”, pick “friends”.
3. Scrub your history
You can (and should) limit all of your old posts to just your friends. Once you do this, you cannot undo it in bulk, but you can go back and adjust each post individually.
Click at the top right of any Facebook page and select Privacy Settings. Find “Limit the audience for posts I’ve shared with friends of friends or Public?” and click Limit Past Posts. Then click “Limit Old Posts”.
4. Check your likes!
This is where Graph Search gets “creepy.” Let’s say you liked a band three years ago, or your competitor at work, or a boy band as a joke. Graph Search doesn’t get the joke. What you’ve liked on Facebook is now much more important. So, just as you unfriend anyone who worries you, go through your likes and unlike any page you don’t want to be associated with. Unfortunately you need to do this page by page.
Go to your profile, click on “Likes.”
They’re organized chronologically, so go back in time and unlike away.
5. Turn on “tag review” and take control of your wall.
The most annoying thing about Facebook is that people can tag you in photos you don’t want to be associated with. You can turn on “tag review” and prevent the photos from showing up to your friends but the tag will still be on the photo unless you “report/remove tag.”
Here’s how to turn on “tag review” so photos you don’t approve don’t show up on your profile.
Click on the wheel in the right-hand corner, click on your privacy settings and then click on Timeline and Tagging on the left menu.
Most people want to allow friends to post on their wall, but if protecting your images is your priority, you may want to make it available only to you. Either way, it’s a good idea to select “friends” for “Who can see what others post on your timeline?” This will prevent strangers, or even potential mates or employers, from happening to catch your page right as a friend posted some hilariously sick image on your timeline.
We recommend you turn on “Review posts friends tag you in before they appear on your timeline?” This won’t stop your friends from tagging you in something embarrassing but it will stop it from showing up on your wall if they do.
We definitely recommend you enable “Review tags people add to your own posts before the tags appear on Facebook?” This so-called tag review will keep you from being in ridiculous tagged pictures or posts that show up in search results. Instead of just popping up on your wall, the posts will show up in your activity log, where you can approve a tag or ask for it to be removed. To get to your “Activity Log” to approve your tags, go to your profile by clicking on your name in the top navigation. Then click on “Activity Log”.
Here’s a Facebook video on how to “report/remove” photos or videos you don’t want to be tagged in.
6. If you want to prevent your friends and family from being associated with you, hide them.
On your profile/timeline page, click “Friends”. In the new screen you’ll see an edit button.
Select “Only Me”.
To hide your family, click “About” below your name, work, school and hometown on your timeline. Under “Relationships and Family” select “Edit” and select “Only Me.”
7. If this is too much work, consider moving somewhere you’ll have lots of privacy—Google+.
[Photo by Milica Sekulic]
Collision is coming to a close today, and what a week it’s been. F-Secure’s Chief Research Officer Mikko Hyppönen was there earlier in the week, and gave a compelling talk on the evolution of cyber crime. He also gave a quick post-talk interview, so check out this Quickfire article to learn who Mikko thinks deserves a slap in the face.

F-Secure also ran a basic Wi-Fi experiment at Collision*, similar to ones conducted in 2014 and 2015. While the experiment conducted at Collision had a smaller scope than our previous investigations, it does prove that people are still pretty promiscuous when it comes to connecting to public Wi-Fi hotspots without the proper protection, such as a VPN. In the first two days of Collision, we observed nearly one hundred people connecting to a phony Wi-Fi hotspot. And none of them were encrypting their traffic.

Connecting to a phony Wi-Fi hotspot can open the door to all kinds of problems. Hackers have been known to use similar setups to help them “sniff” people’s Internet traffic, allowing them to do things like read personal messages, log the websites people visit, and even steal passwords and other sensitive information.

So if you make a habit of using public Wi-Fi hotspots – whether you’re at a tech conference, an airport, a café, or a hotel – you should give Freedome a try to keep you and your private data safe and secure.

[Image by Erin Pettigrew | Flickr]
Finland is home to the freest news media in the world, according to Reporters Without Borders. It's fitting, then, that the annual UNESCO World Press Freedom Day conference will be held in Helsinki this year, May 2-4.

Freedom of information is a topic that's close to our heart. We were fighting for digital freedom before it was cool - yes, before Edward Snowden.

A free press is foundational to a free and open society. A free press keeps leaders and authorities accountable, informs the citizenry about what's happening in their society, and gives a voice to those who wouldn't otherwise have one. Journalists shed light on issues the powers that be would much rather be left in the dark. They ask the tough questions. They tell stories that need to be told. In a nutshell, they provide all of us with the info we need to make the best decisions about our lives, our communities, our societies and our governments, as the American Press Institute puts it.

That's a pretty important purpose. But it can also be a dangerous one. Journalists working on controversial stories are often subject to intimidation and harassment, and sometimes imprisonment. Sometimes doing their job means risking their lives. According to the Committee to Protect Journalists, 1189 journalists have been killed worldwide in work-related situations since 1992, when they began counting. 786 of those were murdered.

Freedom of the press and digital technology are inextricably intertwined. Journalists' tools and means of communication are digital - so to protect themselves, their stories and their sources, they also need digital tools that enable them to work in privacy. Encrypted email and messaging apps. Secure, private file storage. A password manager to protect their accounts. A VPN to hide their Internet traffic and to access the content they need while they're on assignment abroad.

F-Secure at World Press Freedom Day

It's because press freedom and technology are so intertwined that it's our honor to participate in this year's World Press Freedom Day conference. Here's how we'll be participating in the program:

Mikko Hypponen, Chief Research Officer at F-Secure, will keynote about protecting your rights. Tuesday May 3, 14:00 to 15:45

Erka Koivunen, our Cyber Security Advisor, will participate in a pop-up panel debate on digital security and freedom of speech in practice. Tuesday May 3, 15:45 – 16:15

Sean Sullivan, our Security Advisor, will be on hand to answer journalists' questions about opsec tools and tips.

One of our lab researchers, Daavid, will be inspecting visitors' mobile devices for malware.

We'll feature our VPN, Freedome.

Check out our Twitter feed on May 3 for a livestream of Mikko's and Erka's stage time.

Banner photo: Getty Images
An employee opens an attachment from someone who claims to be a colleague in a different department. The attachment turns out to be malicious. The company network? Breached.

If you follow the constant news about data breaches, you read this stuff all the time. But do you ever wonder how hackers get otherwise smart, professional people to fall for their tricks? How do they know who to email? What to say to get their victim to fall prey? Where do they get the information that gives them a foothold into an organization?

The answer is so simple, and just makes too much sense: LinkedIn.

Recon made easy

The first phase of any targeted hacking scheme is the reconnaissance phase - where the hacker gathers information about the company, employees, their job titles, email addresses, etc. What better place to start than LinkedIn?

"LinkedIn is a treasure trove of easily accessible personal information and company IT data," writes penetration tester Trevor Christiansen. "Unbeknownst to most of the employees who post their information on LinkedIn, any hacker looking to wreak havoc on a company’s highly sensitive, business-critical data could find his or her point of entry using this ubiquitous business networking forum."

White hat hackers (the good guys) like Christiansen use LinkedIn to gather information too, albeit with a different end purpose in mind - to test and improve an organization's security. F-Secure CEO Christian Fredrikson described two such exercises performed by F-Secure's ethical hacking team in his recent keynote at CeBIT. In one exercise, the hackers targeted employees who mentioned mainframe-related info in their profiles. In the other, they targeted source code developers.

So, exactly how do hackers, good and bad, use LinkedIn to gain a foothold into a company they intend to hack? Our own white hat hacker, Knud in F-Secure's Cyber Security Services team, describes a common scenario.

"You just search for employees working at a target company via the standard LinkedIn interface," he says. "Now, armed with a list of names, you can start Googling them until you find a company email address." Now, he says, you have the email format used in the company. For example, email@example.com.

"Shoot off an email to a few random employees asking something stupid like 'Bob, is that you? Long time no see,'" he continues. "With a bit of luck, someone will reply and you'll have the corporate signature. With the corporate signature, plus names, positions and job descriptions people helpfully put on LinkedIn, you can start spoofing internal emails."

Building rapport for social engineering

Knud points out that the more information people share in their profiles, the easier it is to build rapport. "For example, someone lists their graphic design skills. So you send an email that reads, 'Due to your experience with icon design and great layout skills, I wonder if you have time to take a quick look at something we are working on in <other department>; see attached (malicious) document and get back to me.'"

To gain even more information, a hacker can create a fake profile and then connect with the employee. This gives them greater access to contact details and the person's network. Combined with information gleaned from Facebook or other social networks, such as interests and hobbies, hackers can get a pretty full picture of the employee they intend to target, enabling them to sharpen their spear even more.

The best defense

So what's an employee to do, scrub your profile of all but the most basic info? Decline to list your employer? Such suggestions would seem to defeat the purpose of LinkedIn, where profile information can hopefully lead to networking opportunities. Companies in turn appreciate the promotion they get via their employees on LinkedIn. Luckily, F-Secure Security Advisor Sean Sullivan doesn't believe self-censorship is the answer.

"It's not really the problem of the employee to limit what they write on LinkedIn," he says. "A security-minded organization should have a policy that states that employees should be mindful."

Indeed, the best weapon against these types of attacks is employee awareness. Your information may be available on LinkedIn, but if you're aware of the ways hackers exploit that info, you'll be less likely to fall for tricks. Employer-sponsored education on social engineering tactics would help employees learn to be suspicious of any communication that seems even the slightest bit off.

Hackers may love LinkedIn, but only as long as it gets them where they want to be. To head them off, awareness is key.

Image courtesy of Mambembe Arts & Crafts, flickr.com
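Awareness is the human layer; the mail gateway can back it up with a few mechanical checks on exactly the kind of spoofed "internal" email Knud describes. The script below is an added example written for this post, not F-Secure's code or any product feature. It assumes a placeholder corporate domain (example.com) and four constructed sets of message headers: it flags mail whose From address claims the corporate domain while the Return-Path points elsewhere, a Reply-To that silently redirects replies to another domain, typosquat or look-alike sender domains, and spf/dkim/dmarc failures reported in the Authentication-Results header (RFC 8601).

```python
import re
from email.utils import parseaddr

# Placeholder corporate domain, constructed for this example.
CORPORATE_DOMAIN = "example.com"


def sender_domain(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so a plain DP row is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, corporate):
    """True for typosquats one edit away (examp1e.com) and for domains that
    embed the corporate name under another registrable domain
    (example.com.evil.net, example-com.net)."""
    if not domain or domain == corporate:
        return False
    if edit_distance(domain, corporate) == 1:
        return True
    label = corporate.split(".")[0]
    return label in domain.replace("-", ".").split(".")


def auth_failures(header_value):
    """Collect failing spf/dkim/dmarc verdicts from an Authentication-Results header."""
    found = []
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I):
        if result.lower() in ("fail", "softfail", "permerror", "temperror"):
            found.append(f"{method.lower()}-{result.lower()}")
    return found


def check_message(headers):
    """Return finding tags for one message, given a dict of its headers."""
    findings = []
    from_dom = sender_domain(headers.get("From"))
    path_dom = sender_domain(headers.get("Return-Path"))
    reply_dom = sender_domain(headers.get("Reply-To"))

    # Claims to be a colleague, but the bounce address is not ours.
    if from_dom == CORPORATE_DOMAIN and path_dom and path_dom != CORPORATE_DOMAIN:
        findings.append("internal-from-external-return-path")
    # Replies would leave the company even though From looks internal.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    if is_lookalike(from_dom, CORPORATE_DOMAIN):
        findings.append("lookalike-sender-domain")
    findings.extend(auth_failures(headers.get("Authentication-Results")))
    return findings


def triage(messages):
    """Run check_message over a {message_id: headers} mapping."""
    return {mid: check_message(h) for mid, h in messages.items()}


# Constructed sample headers (not real mail); .invalid domains are reserved.
PASS = ("mx.example.com; spf=pass smtp.mailfrom=example.com; "
        "dkim=pass header.d=example.com; dmarc=pass header.from=example.com")
SAMPLE_MESSAGES = {
    "legit": {
        "From": "Bob Smith <bob.smith@example.com>",
        "Return-Path": "<bob.smith@example.com>",
        "Authentication-Results": PASS,
    },
    "spoofed_internal": {
        "From": "Bob Smith <bob.smith@example.com>",
        "Return-Path": "<bounce@bulk-sender.invalid>",
        "Authentication-Results": ("mx.example.com; spf=fail smtp.mailfrom=bulk-sender.invalid; "
                                   "dkim=none; dmarc=fail header.from=example.com"),
    },
    "lookalike": {
        "From": "Bob Smith <bob.smith@examp1e.com>",
        "Return-Path": "<bob.smith@examp1e.com>",
        "Authentication-Results": PASS.replace("example.com", "examp1e.com"),
    },
    "reply_to_swap": {
        "From": "Bob Smith <bob.smith@example.com>",
        "Reply-To": "Bob Smith <bob.smith.design@webmail.invalid>",
        "Return-Path": "<bob.smith@example.com>",
        "Authentication-Results": PASS,
    },
}

if __name__ == "__main__":
    for mid, findings in triage(SAMPLE_MESSAGES).items():
        print(f"{mid:18s} {'clean' if not findings else ', '.join(findings)}")
```

None of these checks understands the "I wonder if you have time to take a quick look" pretext itself; that still needs a wary reader. What they do is make sure the obvious header-level tells are surfaced (for example as a banner on the message) before the employee decides whether to open the attachment, so policy and awareness training have something concrete to lean on.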