Category Archives: Infosec Communicator


On the Eve of the Latest Facebook Privacy Fix

Category:Facebook,Information Security,Infosec Communicator,Internet Safety,Privacy,Risk,Social Networking

Facebook is releasing its latest privacy fix on Wednesday, May 26. I don’t have high expectations for the new controls as Facebook has not shown any ability to make the controls user friendly, or really understand what their users want for privacy.

A much bigger issue is that we seem to have abrogated OUR responsibility to protect our private information.

Fundamentally, information security is about managing risk. ANY involvement in social networking increases the risk of something negative happening–whether it’s loss of privacy, cyberstalking, identity theft, embarrassment, etc. It’s up to us to manage the risk. We should not expect the same amount of privacy protection from a free service that we would get from a credit card company, hospital, etc.

Although Facebook, Google, and LinkedIn are all provided “free” to us, that freedom comes with a price–reduced privacy and some tracking of our web habits.

It’s up to us what we choose to share on social networking sites. We agree to EULAs (end user license agreements) that we click through to get to the “good stuff.” We blithely provide requested personal details and install apps that ask for even more and that tell us up front that they may share our information. Do you have to publish your date of birth? Hometown? 20 favorite things? (I’m just waiting for the next Facebook posting asking us, “What’s your mother’s maiden name?” and urging us to send the posting to all of our friends!)

Yes, Facebook, Google, and the other social networking applications have a responsibility to protect our information. However, WE have the responsibility to share ONLY the information we choose.



Safe(r) Use of Social Media: Facebook, Blogging, and Online Privacy

Category:Facebook,Infosec Communicator,Internet Safety,Privacy,Social Networking,Uncategorized

Concerns over Facebook privacy settings have increased steadily, with more and more mainstream media running stories about the issues. Although it is possible to more or less “lock down” your privacy settings, Facebook makes frequent changes that may require you to review these settings on a regular basis. CNET recently discussed the controversy and suggested two tools to help determine and lock down your current privacy settings. These tools include SaveFace (a browser helper tool) and a privacy scanning tool from ReclaimPrivacy.org.

I thought it would be useful to share some “safe practices” we created to help Rochester Institute of Technology students practice safe(r) social networking. (It’s never going to be completely Safe.)

Ben

Protecting Your Information: Safe Practices

Keeping your information out of the wrong hands can be fairly easy if you adopt a cautious attitude. Here are some tips to make sure your private information stays private.

Don’t Post Personal Information Online!
It’s the easiest way to keep your information private. Don’t post your full birth date, your address, phone numbers, etc. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts either.

Use Built-In Privacy Settings
Most social networking sites offer various ways in which you can restrict public access to your profile, such as only allowing your “friends” to view your profile. Of course, this only works if you only allow a few people to see your postings; if you have 10,000 “friends,” your privacy won’t be very well protected. Your best bet is to disable all the extra options, and re-enable only the ones you know you’ll use. These best practices can be applied to any social networking or blogging website.

Be Wary of Others
Research by Sophos (2007) found that 41% of Facebook users were willing to befriend a plastic green frog named Freddi Staur (an anagram of ID Fraudster), subsequently revealing their personal information. Most sites do not have a rigorous process to verify the identity of members, so always be cautious when dealing with unfamiliar people online.

Search for Yourself
Find out what information other people have easy access to. Put your name into Google (make sure to use quotes around your name). Try searching for your nicknames, phone numbers, and addresses as well; you might be surprised at what you find. If you don’t want your content publicly searchable, many blogging sites have instructions on how to exclude your posts from appearing in search engine results using something called a “robots text file.”

What Happens on the Web, Stays on the Web

Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So be safe and think twice about anything you post online.



Protect Yourself Online–Anti-Phishing Toolbar

Category:Infosec Communicator,Internet Safety,Social Networking

Today I received an Alert from Google that my name had appeared online. (Being in information security breeds paranoia, so I’d set up a Google Alert for occurrences of my name online–and for the rest of my family as well!)

The Phishing Attempt

Here’s the Google Alert I received:

Ben Woelk (bwoelk) on Twitter
Infosec Communicator, Trainer and Policy Analyst at RIT. STC Rochester VP. Educause A&T co-chair. Community builder applying Web 2.0 to security awareness.
retwite-dot-appspot-dot-com/bwoelk

Curious to find out where my name had appeared and thinking that Google had alerted me about Twitter, I clicked on the link. (And yes, I really should know better!) Clicking on that link brought me to a site that looked exactly like my Twitter page, a potential phishing site. Or I should say, “almost brought me” to the site?

How did I know it was a phishing site and why didn’t I arrive there?

One indication that it’s a possible phishing site is the URL, which clearly is not Twitter.
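The URL check described above, written out as an added example (not code from the original post): it takes the host a browser would actually contact and tests whether it is the expected domain or a true subdomain of it. The expected-domain list and every sample link except retwite.appspot.com are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains the reader expects for the service; an assumption for this example.
EXPECTED_DOMAINS = ("twitter.com",)
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def link_host(url):
    """Return the lowercase host a browser would contact, or None if unparsable."""
    if not _SCHEME.match(url):
        url = "http://" + url  # alerts and e-mails often show links without a scheme
    try:
        host = urlsplit(url).hostname  # drops any "user@" prefix and the port
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def check_link(url, expected=EXPECTED_DOMAINS):
    """Return (is_expected_site, reason) for a link that claims to be the service."""
    host = link_host(url)
    if host is None:
        return False, "no usable hostname"
    for domain in expected:
        # Match the domain itself or a true subdomain. A plain substring test
        # would wrongly accept "twitter.com.login.example" or "nottwitter.com".
        if host == domain or host.endswith("." + domain):
            return True, f"{host} belongs to {domain}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"{host} uses punycode and is not an expected domain"
    return False, f"{host} is not an expected domain"


# Constructed sample links; only retwite.appspot.com comes from the post.
SAMPLES = [
    "https://twitter.com/bwoelk",
    "https://mobile.twitter.com/bwoelk",
    "retwite.appspot.com/bwoelk",
    "https://twitter.com.login.example/bwoelk",
    "https://twitter.com@phish.example/bwoelk",
    "http://nottwitter.com/bwoelk",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print(f"{'OK   ' if ok else 'CHECK'} {link}: {reason}")
```
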

The other indication was that my Netcraft Toolbar plugin on Firefox blocked access to the site and asked me to confirm that I wanted to go there. Here’s what the Netcraft Toolbar showed me when I tried to go to the site:

Netcraft warning message

After I chose “No,” my browser window showed:

Netcraft blocked site confirmation message

Netcraft Toolbar Features

The toolbar also provided some information about the site itself. The diagram below (captured and edited with TechSmith Snagit 9.x) shows the information the toolbar provides:

Netcraft Toolbar at Twitter Homepage

Netcraft and Me

I’ve been using the Netcraft Toolbar for several years and have been pleased with its performance. It blocks known phishing sites and also provides you the opportunity to submit suspect sites to them for verification. If Netcraft decides that it is indeed a phishing site, it serves as a neighborhood watch group and blocks all Netcraft Toolbar users from reaching the site. Netcraft provides versions for both Internet Explorer and Firefox.

Highly recommended!

NOTE: There seems to be a good deal of discussion about whether retwite.appspot.com is really a phishing site or a proxy. Either way, the toolbar works in the same manner to protect from other reported phishing sites.

You may also want to visit the RIT Information Security Safe Practices webpage for more information about protecting yourself and others.



Twitter Use at #STC10 Summit

Category:Infosec Communicator,STC,Summit

One of the more surprising things to me at the STC Summit conference this year was the frequent use of Twitter. It was used for arranging informal and “official” Tweetups and for summarizing the content of various sessions. It seemed like there were a lot of different people tweeting, but I wasn’t sure how many people were involved and exactly what they were tweeting about. Although I didn’t conduct a rigorous analysis, I think the results are interesting.

Methodology and results

I set up an RSS feed in Google Reader prior to the conference so I wouldn’t “miss anything.” Google Reader provided the following Twitter frequency graph. (The orange bar is the number of tweets I had read.)

Graph of Twitter use during and immediately after Summit STC10

After manually exporting the tweets from the Google Reader RSS feed to a notepad file and removing the hash tags “#stc10” and “#stc11,” I produced the Wordle below. (And yes, I’m sure there was a better way to do this!)

Wordle of the tweets containing #stc10 or #stc11 from 4/30 through 5/6/10

Using the online word frequency analyzer and phrase analyzer at https://www.writewords.org.uk, I was able to get a sense of whose Twitter handles appeared most frequently at Summit.

Top Ten Eleven Twitter Handles (Occurrences)

125 techcom
108 afox98
85 bwoelk
83 whitneyhess
80 willsansbury
79 techcommdood
68 suredoc
65 stc_org
63 debdebtig
63 sushiblu + jgillenwater87
58 ninety7

Selected Keywords (Occurrences)

434 stc
339 rt
121 great
106 sig
95 dallas
89 summit
69 content
67 session
67 good
64 conference
43 tweetup
41 community
31 dinner

Negative Words (Occurrences)

10 bad
3 terrible
1 sucks
1 suffering

Contrary to some expectations, “beer” was not the most commonly used word in the tweets, appearing only 13 times. (I’m not sure if there’s any correlation, but “karaoke” also appeared 13 times.)

Conclusions

In my opinion, Twitter provided a sense of community and a “conference within a conference.” Most tweets were positive, implying that many of the Twitter users enjoyed the conference. Very few of the tweets were negative, and usually referred to specific sessions or problems with the site for the Tweetup. Personally, I found that using Twitter enabled me to make connections that I never would have attempted had they started face to face.

Prior to Summit, I had not been a heavy Twitter user, although I had tied postings from two Facebook Pages I administer, RIT Information Security and STC Rochester, to Twitter accounts. I look forward to using it at future conferences and seeing what new connections it enables.

The “raw” data is available upon request.

