Facebook Hacking, Security, and Privacy Concerns

Thursday, November 11, 2010

Bozidar Spirovski


Article by Alexis Bonari

It’s not hacking if users’ privacy settings are searchable, right? It depends on who you ask. Current Facebook privacy settings come with a recommendation that urges users to leave their pages searchable to everyone.

The logic behind this is as follows: “If you’re visible to fewer people, it may prevent you from connecting with your real world friends.”

But staying searchable has led to the harvesting and publication of information that includes names and profile URLs for over 100 million Facebook users.

Skull Security and Information Distribution

Ron Bowes of Skull Security did some simple reconnaissance on Facebook for some hard data to use in his research on how people choose passwords. Ron is working to figure out how many usernames are based on people’s given names (jsmith is a popular choice).

By proving that usernames and passwords can be easily extracted from basic information, Ron hopes to teach people how to make their accounts more secure.

In the Facebook incident, he collected only names (which could be actual names or usernames) and URLs of all searchable profiles (about 1/5 of Facebook users), then posted the information as a 3GB file that could be downloaded by anyone with Internet access.

Facebook spokesman Andrew Noyes has said that this information could be collected from any phone book, but the URLs collected couldn’t be extracted from the White Pages.

Finding these URLs could be a frustrating trial-and-error process based only on names from a phone book, but thanks to Ron, they’re now accessible to anyone who’d like a neatly packaged list of searchable Facebook users.

The Problem with Being Searchable

Contrary to Facebook’s recommendations, users might consider changing their privacy settings to “unsearchable.” Here’s the minimum amount of information that can be gathered from a profile: name, profile picture, gender, and networks.

Facebook reserves the right to keep this information visible on every account, and accessibility can only be limited through the “searchable/unsearchable” setting. So with a URL provided by Skull Security, anyone can now view this information unless these accounts’ users make them unsearchable.

The problem with this is that advertisers are extremely interested in what seems like basic information because they can make surprising inferences based on the simplest data.

The best-case scenario, then, is more targeted advertising. The degree of potential damage depends on searchable accounts’ other privacy settings.

For example, if you can be searched and you’ve made your list of friends accessible to anyone, your friends’ information is now accessible even if they’ve made their accounts unsearchable.

Deciding on Your Privacy Settings

If you’re on Facebook, go to “Account” and “Privacy Settings” to edit your preferences. If you click on “View settings” under “Basic Directory Information,” you can preview your profile to see how it looks to someone who isn’t on your friends list.

You might be surprised at the amount of information that’s accessible.

Change your “Basic Directory Information” to control how searchable you are, who can send you friend requests and messages, and who can see your friend list, education, work, current city, hometown, interests, and other pages (choices are Everyone, Friends and Networks, Friends of Friends, or Friends Only).

Under “Sharing on Facebook,” you can customize the rest of your settings, which are organized under the topics “Things I share,” “Things others share,” and “Contact information.”

Even if you’re not concerned about your own information, it’s courteous to protect friends and family by selecting “Friends Only” for accessibility to your friends list, family, relationships, and everything under “Things others share.”

At the very least, accept Facebook’s loose minimum recommendation for privacy settings. You can select “Recommended” under “Sharing on Facebook” to do this.

This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.

adil majeed: For this very reason I stopped logging into my Facebook account about a year ago.
adil majeed: However, the real question is how much an individual user wants to be known to others. This is where the searchable option is recommended, and mostly people go for this.
Paul Gillin: Great post, and very useful advice on how to identify what people can learn about you. One mounting security threat on Facebook is phishing attacks, which occur when people are too promiscuous about whom they friend and then end up clicking on a link they shouldn't. Interesting article from one of IBM's top security experts on this: http://www.theinfoboom.com/articles/jack-danahy-gone-phishing-with-the-lures-of-social-networking/
Chard Charles: I realized that issue on Facebook from day one and made my profile not searchable and only allowed friends to have access to profile information. I've also started recommending family and friends to do the same...
em vee: This one's a no-brainer: stay away from Facebook.

It has absolutely no real value, and will never be secure.

Just say no to Facebook.

Focus on reality instead.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.