
Create your Facebook and MySpace accounts before a hacker does it for you

I’ve blogged before about the importance of managing your online identity. This week, hackers at the Black Hat conference in Las Vegas set out to prove just how important that can be.

At the event, some hackers participated in an experiment in which they created Facebook and MySpace profiles for prominent individuals who had none, using data that was easily available online to build the phony profiles. They then used the spoofed accounts to send friend invitations to others. Surprise: the invitations were quickly approved by people who should have known better, some of them prominent security analysts.

So what is the moral of this story? Actually, there are several best practices that we all should consider.

1. If you don’t have a Facebook or MySpace account, set one up now. You should have one on both sites, if only to ensure that someone else does not set one up in your name to impersonate you.

2. Don’t include too much detail in your Facebook or MySpace profiles. Some people broadcast an incredible amount of detail about their personal lives, including their home address, their cell and home phone numbers, and photos that may be a problem later, for example if they ever need a security clearance. As computer security specialist Shawn Moyer puts it, “Don’t put anything there [on Facebook or MySpace] that you don’t consider public.” And whatever you put on your profile can easily be copied to other computers, so it exists long after you have deleted it, because you have no control over other people’s servers.

3. Don’t accept friend requests from someone you don’t know. For example, as Esther Dyson states on her Facebook profile: “I don’t respond to friend requests that don’t have a personal message proving I’m not just another entry in someone’s address book. I’m just trying to uphold the Facebook credo that you should actually know your FB friends.” She describes this practice of guarding one’s online presence as “online grooming.”

4. Don’t install third-party applications for Facebook and MySpace just because a friend of yours has invited you to, warn computer security specialists Nathan Hamiel and Shawn Moyer, speaking at the Black Hat conference in Las Vegas. “People are going nuts adding applications they don’t need. . . People know if they go on a computer and download a program they could get a virus. . . They don’t have the same view of how dangerous that can be on a social networking site.”

“Social networks really don’t care if you get pawned or not,” Hamiel said, using slang for a computer user being dominated and humiliated by hackers. Manage your own online presence, and your online identity can be a boon, not a bust, to your career and your lifestyle.

As a final note, I searched Facebook for Nathan Hamiel and Shawn Moyer and could not find an account for either gentleman.

  1. August 11, 2008 at 7:17 pm

    First of all, thank you for getting it 😉 People assume that since they don’t have a social network presence that their privacy maintains a higher level of integrity, that is obviously not the case.

    Another item a lot of people don’t understand is that by adding applications to their social network pages they are “friending” the application. This gives the application access to everything friends would have access to on your social network page. It also may appear to your friends that the application is “safe” because you use it.

    Some of these applications can have hooks in to the visitors of your profile as well, so you don’t even have to be a friend of the person with an application installed to have some data sent to an application that you don’t even have installed.

    The information collected from these installed applications is often stored on someone else’s systems not belonging to MySpace, Facebook, or any of the other social networking sites. Removing the application doesn’t necessarily (and often doesn’t) remove the information from these 3rd party systems. This information remains persistent for a possibly indefinite period.

    MySpace, Facebook, and other social networks make use of privacy settings that can help protect your information, to a certain extent, from some of these attacks. These settings are not enabled by default, but can very easily (and should) be turned on. I think the ultimate moral of the story (from a privacy perspective) is don’t put anything on a social network that you don’t want everyone to know, even with privacy settings set.

    Of course all of this is moot if the attacker’s goal is something far deeper like attacking your environment, getting you to install malware, or some other nefarious action instead of just attacking your information. A very helpful step is using Firefox with NoScript and AdBlockPlus. Use these to block domains you don’t consider safe. You should be whitelisting domains for scripts in your browser anyway.

    I have a MySpace and Facebook account, I assure you. It is under my real name as well and it was used in our presentation. Both my profiles are very easy to find.

    On a final note, the term is pwnd, not pawned. I think someone was pwnd by their spellchecker 😉 Hopefully our presentation was informative and that everyone was able to get some useful information out of it. That was our ultimate goal.

  2. August 11, 2008 at 10:51 pm

    I think it’s a bit of an overreaction. There will be more social networks that arrive in the future and it seems a bit over the top to go and join each one of them. If someone really wants to steal your identity there is a great deal more they can do besides set up a MySpace profile on you. There are already tons of fake profiles on MySpace and Facebook.
