SOCIAL NETWORKING Keith Watson, CISSP-ISSAP, CISA Information Assurance Research Engineer, CERIAS...

Date post: 01-Apr-2015

SOCIAL NETWORKING

Keith Watson, CISSP-ISSAP, CISA
Information Assurance Research Engineer, CERIAS

SECURITY AND PRIVACY

Find Me Online

• ikawnoclast.com
• facebook.com/ikawnoclast
• twitter.com/ikawnoclast
• linkedin.com/in/keithwatson

• Please tweet as we go with #puaware

Overview

• Own Your Space
• Definitions and Terms
• Questions
• Passwords, Systems, Networks
• Things to Keep in Mind
• Service Specific Configuration Options

Own Your Space

A Guide to Facebook Security

• A guide to risks and security features of Facebook

• Available in English since August 2011
• Translated into seven languages
• Arabic version available in mid February 2012
• http://ow.ly/8EYsb (guide)
• http://ownyourspace.net/

Terms

CC-licensed photos by Dr Noah Lott, bnanative on flickr

Types of Services

• Networking
  – Facebook, Google+, LinkedIn, Twitter
• Content Sharing
  – Pinterest, Facebook, Dropbox, Google Drive
• Location-based Services
  – foursquare, Google Latitude, Facebook, Gowalla

Types of Protection

• Security
  – Prevention of malicious action to systems, info
• Safety
  – Prevention from physical or mental harm
• Privacy
  – Prevention of exposing sensitive or private info

Default Privacy Modes

• “Mostly open”
  – The default sharing mode is public
  – You must choose to keep content private
• “Mostly closed”
  – The default sharing mode is private
  – You must choose to share content

Questions

CC-licensed photos by Colin_K, Mario Belluci, Horia Varian on flickr

Why is it free?

• If a service does not charge you money, then you are paying in other ways
  – Marketing and Advertising
  – Privacy
• Facebook has 1 Billion monthly active users
  – Revenues for Q2’12: $1.18 Billion, 84% from ads
• LinkedIn Marketing Solutions: $63.1 Million
• Twitter uses Promoted Tweets based on you

What are the risks?

• Privacy
• Reputation
• Data
• Access
• Control
• Employment
• Legal Proceedings

What should I do?

• Realize that social networking is not free
• Review the security/privacy settings of sites you use periodically
• Stop using it!?
• Deactivate or delete your accounts!?
• Extract your data
• Assume the worst case scenario is possible
  – Prepare for it

Your Memory and System Have Issues

CC-licensed photos by ecastro, allaboutgeorge, TounuTouji on flickr

Passwords and Password Tools

• Weak/short passwords can be discovered
  – Brute-force password breaking is cheaper today
• Strong passwords are needed, everywhere
• You have too many passwords to remember!
• Use a password tool to manage passwords
  – 1Password, LastPass, PasswordSafe, RoboForm
  – Browser integration, mobile platforms
• Use one-time password systems

System Security

• Stay up to date with software
  – Especially Flash Player, Java, web browsers
• Upgrade your OS!
  – XP is now 11 years old; support ended in 2009
• Remove internet software you do not use
• Install anti-malware software
  – If it’s a Purdue system, this software is free!
  – Make sure it’s updating
• Your regular account should not be an admin

Network Security

• Avoid using open WiFi connections
  – A WPA2 connection with public password is safer
• Use a virtual private network (VPN)
  – Purdue’s VPN available to Career Account users
• Enable your OS or anti-malware firewall
• Enable your home router’s firewall for devices
• Disconnect your system from the network when not needed

Things to Keep in Mind

CC-licensed photo by joguldi on flickr

Content Sharing Privacy

• Before you post, ask the following:
  – Will this post/picture cause a problem for me?
  – Can I say this in front of my mother?
• Divide your Friends into groups, lists, or circles
• Limit the number of people that see it
• Share public information with the public
• Share inner thoughts and personal feelings with close friends

Networking Privacy

• Do not Friend or Connect with people that you have not met in person or do not know well
• Reject Friend requests and Connections
• Having a lot of Friends can work against you
  – Facebook may ask you to identify your Friends
• Limit your visibility on services

Location Privacy and Safety

• Limit your check-in information to friends only
• Never check in at your home, school, work
• A mayorship is a public “office”
• Avoid public lists for a location
• Do not let friends check you in
• Review posts you are tagged in

Service Specific Configuration Options

Google Security and Privacy

• Enable 2-step verification
  – Use Google Authenticator or text-based codes
  – Applies to (almost) all Google services
• Create Google+ circles based on sharing needs
• Turn off geo location data in photos
• Turn off “find my face” in photos and videos
• Manage your Dashboard data

Facebook Security Tools

• Enable
  – Secure Browsing
  – Login Notifications (text and email)
  – Login Approvals (text and mobile Code Generator)
• Select your Trusted Friends
• Review and Monitor
  – Recognized Devices
  – Active Sessions
• Delete old and unused Apps

Facebook Privacy Tools

• Limit App access to your data
• Set your default audience to Friends
• Customize your timeline content settings
  – Who can post, tag you, tag reviews
  – Disable tag suggestions for photos uploaded
• Limit search engine inclusion
• Limit third-party and social ads
• Limit info that can be included by others in apps

Dropbox Security and Privacy

• Enable two-step verification
• Disable LAN sync on laptops
• Do not put sensitive data into Dropbox
• Encrypt files if needed
• Unlink old devices
• Review Apps linked to your account
• Turn on email for new devices and apps added
• Review your shared folders periodically

Twitter Security and Privacy

• Enable Protect My Tweets
• Enable HTTPS
• Require personal information for password reset
• Disable location data for tweets
  – Delete old location data too

LinkedIn Privacy

• Turn off data sharing with third-party apps and sites
• Consider changing your photo visibility, activity broadcasts
• Remove Twitter access
• Disable ads from third-party sites
• Enable full-time SSL connections

Foursquare Privacy

• Do not include yourself in lists of people checked into a location
• Do not earn mayorships
• Do not let friends check you into places
• Do not let venue managers see you

Stay Safe

• Stay up to date on software and settings
• Be selective when choosing friends
• Use your thinkin’ before you’re tweetin’!
• Be mysterious

