More like, how you will ruin your day with Facebook.
Actually, this isn’t about Facebook. It’s really about you and your entire identity online. For most of us, that means Facebook, LinkedIn, Twitter, and other “social media” web sites. I think most of us underestimate, if not completely fail to imagine, the real risk of our online blabbering (speaking of… add “Blogs” to that list of social media web sites). The event that ruins your day isn’t going to happen when you update your status message to say, “Just got to Cancun, suckaaaaas!! Looking forward to three weeks on the beach!” Actually, never mind, maybe you will get robbed as a result of that status update. Face it, your 300 Facebook friends aren’t really your friends. In fact, at least a handful have probably become straight-up criminals in this economy. But no, that isn’t what I had in mind. This vulnerability has been around since the beginning of social media. It’s a vulnerability in Facebook, it’s a vulnerability in MySpace, it was a vulnerability in Friendster, and it’ll be a vulnerability in the systems that are being launched tomorrow. Come to think of it, that isn’t quite accurate either. The vulnerability isn’t in any of those systems, it’s in you. The vulnerability that I’m talking about is plain old gullibility, and the exploit is made possible with social engineering, using all of the information you offer up with Facebook and the rest of your social media identity.
Social Engineering
I’m talking about your online identity being used by criminals as a tool for social engineering. If you aren’t familiar with social engineering, here’s the definition from Wikipedia: “Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques…” Can you imagine how the information in your Facebook profile (and your friends’ profiles, wall posts, photo comments, your blog, your web site, your Gmail, and the rest of your online identity) might be used by a persistent group of individuals to trick you into divulging sensitive information? Let me paint a picture for you. A well-funded group of criminals in Russia (yep, still picking on the Russians) is looking to steal your money or your identity. They have a large group of people who are scouring the social web for potential targets. Once a target is identified (you), they create a fictitious Facebook profile for a smokin’ hot young Russian girl who is “Looking for: Love in America, Religion: none.” You arrive at work in the morning, not wanting to focus on work yet, and receive a friend request from her. You figure, what harm could it do? You accept the friend request and you are handed off to the gang’s research team. The research team gathers as much information about you as they possibly can. They look at all of the pictures of you on Facebook, sorted by captions so they can get straight to the good stuff. They look at the events you’ve attended recently. They look at the schools you went to. They look at your looong history of wall posts and the conversations that go on in the comments. They have all they need. But wait, before you start unfriending all of the hot Russians, a friend request isn’t the only way they can gain access to your profile information. There are actually many ways, and the list is ever-expanding, for people to gain access to your information on Facebook.
For example, all they have to do is get one of your friends to start playing their obnoxious Facebook game, or get you to play it, and when you click that “Allow” button, you are giving up all of your information, and your friends’ information, to the developers of that game. So anyway, now that the research team has all of the information they need, it is handed off to their team in the US. Your phone rings, and you answer it. “Good afternoon, can I speak with Joe please? Joe, I’m terribly sorry to bother you this afternoon, but I just got off the phone with your friends Rick Fields and Chris Anderson (Joe’s long-time friends from the high school marching band) and both of them said you would be a good person for me to talk to. I’m working with Jeff Fossilheimer (the band director) to raise money to send the marching band to San Diego this year for an international competition. Have you heard the band this year? You should, they’re incredible. Anyway, the boosters spent a lot of money on new football uniforms and exercise equipment this year, I mean a lot of money, and an unfortunate accounting error means there isn’t enough money left in the budget to send the band to the competition now. The really sad part is that, up until very recently, the kids thought they were going to the competition. Their dreams have been crushed by a bunch of expensive elliptical machines. So, Rick and Chris both contributed $20 and said that you could afford a contribution too. So, how about it, can you spare $20 to help these kids win their dreams back from the football team and represent your high school to the world in San Diego?” From Joe’s profile, they could tell that he was a member of the marching band in high school. They could tell that he loved it. They could tell that he and other fellow band-mates still keep in touch and speak fondly of the times they shared there. They could tell that he hated the football team.
Once Joe hands over the credit card info, or worse, the debit card info, he’s getting flowers from the Russian mafia. What would you have done? In this very rudimentary, and probably not realistic, case, the goal was simply getting money, but a more likely goal of an attack would be identity theft. Depending on how valuable a target is, the social engineering may persist, and once they have a credit card number, they can call pretending to be the fraud-prevention department from your credit card company. To verify YOUR identity so that they can help you, you’ll have to give them the last four digits of your Social Security number and possibly confirm other information. Have you ever gotten one of those calls? Did you give up sensitive information? You would be wise to challenge anyone who calls you with a request for sensitive information. Make them prove to you who THEY are before you prove to them who YOU are. If you get a call from “fraud prevention,” hang up and call the number on the back of your credit card. They will route you to the real fraud prevention department to take care of any issues. If you find out that they didn’t try to contact you in the first place, it’s time to start changing passwords, closing credit cards, and seriously considering closing bank accounts. The identity thieves will keep hitting you from different directions, across all of your online services, one piece at a time, until they have all of the information they need to open a credit card in your name.
Strong Passwords
Finally, one of the most important things you can do to protect yourself from a potentially devastating attack on your identity is to make sure you are using strong passwords. You’ve heard this a thousand times, but why are you still using your dog’s name for your password? Dictionary attacks are a brute force technique that hackers use to get into your accounts to ruin your day, and simple passwords make a dictionary attack very, very easy to execute. In a nutshell, a dictionary attack is one where a hacker simply writes a script that will try to log into your accounts using every word in a long list of potential passwords. When it succeeds, you’re screwed. With cloud computing infrastructures like Amazon’s EC2, hackers have access to an incredible amount of computing power for very little money, and the only way to protect yourself is to take the time to come up with a secure password. Here are some tips:
Use passwords that include more than one word
Each word you add to your password exponentially increases the number of possibilities a hacker will have to dream up to guess your password. If there were only 10 words in our lexicon, a two-word password would mean that a hacker would have to check 100 possibilities instead of just 10. Three words would mean 1,000 possibilities.
Use symbols
Most sites allow certain symbols in your password. If a site doesn’t, consider not using it. Symbols, or better yet a sequence of symbols, will greatly increase the randomness of your password while still remaining somewhat easy to remember. Insert a sequence like “#$%” into your password to increase its strength.
Use upper and lowercase letters
Upper and lowercase letters are another simple and easy-to-remember way to increase the strength of your password. Avoid using a pattern, like ThIsOnE, and instead stick to a moReRandOm sequence of capitalization.
Use a phrase that is completely unrelated to your life
If you’re a stock broker, don’t use StockbROker as your password. Don’t use any nouns unless they are part of a phrase like StockbROkerPickleFencEbreaKER. Better yet, make it St0ckbROker!!!$&$PickleFenc3breaKERyoyoyo. That’s a strong password, and if you try, you can actually remember it. Just don’t use that password if you’re a stock broker who blogs about how rich you are and how much you love to break pickle fences.
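The arithmetic behind the tips above, carried a bit further than the ten-word lexicon in the post, as an added example (this is not code from the original post). It multiplies out how many candidates a guessing script has to try for a password of a given shape and turns that into a worst-case time at two guess rates. The word-list size, symbol alphabet and the two guess rates are assumptions chosen for the example: a Diceware-style list of 7776 words, 32 printable symbols, a throttled login page at 10 guesses a second, and a leaked password hash attacked on rented cloud hardware at a billion guesses a second.

```python
import math

# Constructed assumptions for this example (not figures from the post):
DICEWARE_WORDS = 7776      # size of a Diceware-style word list
SYMBOL_ALPHABET = 32       # printable ASCII symbols a guessing script would try
ONLINE_RATE = 10           # guesses/s against a site that throttles logins
OFFLINE_RATE = 1e9         # guesses/s against a leaked hash on rented GPUs


def guess_space(n_words, lexicon=DICEWARE_WORDS, n_symbols=0,
                symbols=SYMBOL_ALPHABET, cased_letters=0):
    """Candidates an attacker who already knows the password's *shape*
    (how many words, how many symbols, which letters had their case chosen
    at random) must try in the worst case.

    Each word multiplies the space by the lexicon size, each symbol by the
    symbol alphabet, and each randomly cased letter by 2.  With a lexicon of
    10 this gives the 10 -> 100 -> 1000 progression from the post."""
    if n_words < 0 or n_symbols < 0 or cased_letters < 0:
        raise ValueError("counts must be non-negative")
    return (lexicon ** n_words) * (symbols ** n_symbols) * (2 ** cased_letters)


def entropy_bits(space):
    """Guess space expressed in bits; every extra bit doubles the work."""
    return math.log2(space)


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate.
    On average the attacker succeeds after about half of this."""
    return space / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(label, **shape):
    """One table row: label, bits, worst-case online time, offline time."""
    space = guess_space(**shape)
    return (label, entropy_bits(space),
            human_time(seconds_to_exhaust(space, ONLINE_RATE)),
            human_time(seconds_to_exhaust(space, OFFLINE_RATE)))


if __name__ == "__main__":
    rows = [
        compare("1 dictionary word (the dog's name)", n_words=1),
        compare("2 words", n_words=2),
        compare("3 words", n_words=3),
        compare("3 words + 3 symbols", n_words=3, n_symbols=3),
        compare("3 words + 3 symbols + 6 random caps",
                n_words=3, n_symbols=3, cased_letters=6),
    ]
    print(f"{'password shape':40} {'bits':>6} {'online':>16} {'offline':>16}")
    for label, bits, online, offline in rows:
        print(f"{label:40} {bits:6.1f} {online:>16} {offline:>16}")
```

Two things the table makes visible that the tips alone do not: a single dictionary word falls in minutes even against a throttled login page, and three plain words that would take a throttled attacker centuries fall in minutes once the attacker has a copy of the password hash and cheap compute, which is where the symbols and random capitalization earn their keep. The estimate is generous to the defender, since it assumes the attacker has to try the whole space rather than starting with the most common words.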
Read more at Wikipedia
So, how important is it to have a strong password? Let me paint another picture… this time it isn’t hypothetical. It happened last weekend. My parents got an email from a close family friend (pun intended) simply stating that he and his wife were traveling in London and were robbed. They asked if anyone could help them with some emergency cash. My Dad replied to ask what had happened, and for details on how he could help. He waited for a reply, but before it came he got a phone call from the friend who had been robbed. The conversation went something like this:
Friend: “Did you send any money yet?”
Dad: “No.”
Friend: “OK, good. Don’t. We aren’t in London and we didn’t get robbed. Our AOL email account was hacked.”
Dad: “Yikes!”
Friend: “Yikes indeed. I’m calling everyone I can think of who might have been in the address book in our AOL account to tell them not to send money. Thank God someone called me, or I never would have known that this was going on. I’ve already stopped two people who were in the process of wiring money and I have no idea who else might be trying to send money now.”
Dad: “Can’t you send everyone an email?”
Friend: “No, the hackers changed my password on me.”
Dad: “Damn. Did you call AOL?”
Friend: “Yes, but this all happened on a Friday afternoon, and AOL’s fraud department is closed on the weekends.”
Dad: “Ouch. You shouldn’t have used your kid’s name as your password. Didn’t you ever see War Games?”
So, which passwords are you going to change first?