
Using Facebook and Twitter safely

Share a lot? Here's a guide to the security and privacy problems that users of Facebook and Twitter encounter, and what they can do about them.

Elinor Mills, Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.

A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone numbers and addresses--private information strangers shouldn't have.

The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.

Here's a look at some of the specific threats users of the sites face and what they can do about them.

FACEBOOK

A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users. (Credit: Trend Micro)

Problems: Malware, account hijacking, phishing, and social engineering

The biggest malware risk is Koobface (an anagram of Facebook), a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, the worm hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.

Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.

Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.

Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for the operating system and other software. Use software like AVG LinkScanner or McAfee SiteAdvisor to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware, you should reset your password and notify friends who may have been affected.

Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
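The advice above to confirm that a log-in page really sits on the Facebook.com domain can be made mechanical. The following is an added example, not part of the original article: the function name, the sample URLs (all constructed, using the reserved `.example` domain) and the HTTPS requirement are assumptions made for illustration.

```javascript
// Added example: does a link really point at a facebook.com log-in page?
// The WHATWG URL parser lowercases the host and converts international
// names to punycode, so lookalike characters surface as "xn--" labels.
const TRUSTED_DOMAIN = "facebook.com";

function checkLoginUrl(rawUrl, trusted = TRUSTED_DOMAIN) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  // Assumption added here: a log-in page should be served over HTTPS.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // "https://www.facebook.com@other.example/" puts the trusted name in the
  // user-info part; the real host is whatever follows the "@".
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "user-info before the host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "internationalized lookalike host" };
  }
  // Match the registered domain itself or a true subdomain. The leading
  // dot matters: without it "notfacebook.com" would pass an endsWith test.
  if (host !== trusted && !host.endsWith("." + trusted)) {
    return { ok: false, reason: "host is outside " + trusted };
  }
  return { ok: true, reason: "host is " + host };
}

// Constructed sample links; only the first is a genuine facebook.com host.
const SAMPLES = [
  "https://www.facebook.com/login.php",
  "https://facebook.com.login.example/login.php",
  "https://www.facebook.com@login.example/",
  "https://faceb\u043eok.com/login.php", // Cyrillic "o" in the name
  "https://notfacebook.com/login.php",
  "http://www.facebook.com/login.php",
];

for (const link of SAMPLES) {
  const verdict = checkLoginUrl(link);
  console.log((verdict.ok ? "OK    " : "REJECT") + " " + link + " (" + verdict.reason + ")");
}
```

The part of the address that counts is the end of the host name, read right to left from the first single slash; a familiar name appearing anywhere else in the link proves nothing.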

Problem: Rogue applications

Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.

Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?

Problem: Privacy leaks due to user error

Because people control who they are friends with on Facebook, it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users (like using weak passwords), and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.

Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.

These instructions explain how to keep most people from viewing your friends list on Facebook. (Credit: CNET)

Problem: Privacy leaks due to design or implementation issues

Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which make the data visible to the Web, rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed in this photo gallery.

Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.

Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.

Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.

Problem: Privacy leaks related to marketing

The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.

Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.

Problem: Information used to suppress dissent and target political activists

As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.

"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.

Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.

TWITTER

This screen shot shows a Koobface attack message on a Twitter page. (Credit: Trend Micro)

Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy. But that makes life easy for spammers.

Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."

Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up and accessible in the face of an attack than it does on security risks to users.

Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.

Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.

Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.

Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week 32 million passwords stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other sites affiliated with the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.