DEFENSE
Social Network Privacy Guide
This series of articles gives security tips on how to make your use of the top social networks more secure.
What you will learn…
• The most useful ideas and advice on how to use many social networks, mixing fun and business
• What the best-known social networks offer to keep your data private
What you should know…
• Basic knowledge of how to find and set up the security settings on social networks
• A clear understanding of your goal when you start to use a new social network
Social networking services are online services that focus on building social relations among people who share information about themselves. The information users fill into their profiles makes it possible to search for and extract what is needed: the search analyzes only the actual content you want (images, video, text, calendar events). Such a representation is usually based on each user's profile as a set of social links, interests, public data, and other linked services. The current trend has long been towards unifying the control mechanisms. Each of these services meets the user's wish to type in as little about themselves as possible, which is why you can sign up or sign in with a Facebook or Twitter button and then start organizing your own network of groups by inviting friends via email or a social address book, or by switching your profile into the public zone indexed by search engines like Google, Yahoo or Bing. This is the so-called individual-centered service, whereas online community services are group-centered, based on users' ability to share ideas, activities, events, and interests within their individual networks.
Web-based social networking services make it possible to connect people who share interests and activities across political, economic, and geographic borders. Through e-mail and instant messaging, online communities are created in which a gift economy and reciprocal altruism are encouraged through cooperation. Information is particularly suited to a gift economy, as information is a nonrival good and can be gifted at practically no cost (Figure 1).
Social networking services share a variety of technical features. The most basic of these are visible profiles with a list of "friends" who are also users of the site. A profile is generated from fields filled in by users, such as age, location, interests, etc. Many sites allow users to post blog entries, search for others with similar interests, create groups around shared interests, and upload or stream live videos. Real-time features allow users to contribute content that is broadcast much like live radio or television. Companies have begun to merge business technologies and solutions with new interactive communities that connect individuals based on shared business needs or experiences, sometimes by providing additional tools and applications, like LinkedIn. Social networks are becoming one of the most popular tools to build your own brand image, whether you are an enterprise or an individual specialist. Moreover, you can learn about new technologies and competitors. It's a powerful way for students and workers to get involved with professionals in their field for internship and job opportunities.
Figure 1. Reciprocal altruism
04/2012
The easiest way to understand social networking
is to think of it like high school. You had friends in
school, and you knew quite a few people even if you
weren’t friends with all of them, but it’s likely that you
didn’t know everyone. If you’ve ever moved to a new
school – or if you can imagine moving to a new school
– you start out with no friends. After attending classes,
you start meeting people, and as you meet them, you
begin associating with those that have similar interests.
Getting started with social networking is much the same
as starting at a new school. At first, you don’t have
any friends. But as you join groups, you begin to meet
people, and you build a friends list of those with similar
interests.
Social networking is based on a certain structure that allows people both to express their individuality and to meet people with similar interests. The profile is the main checklist for becoming part of each social network: it describes you with typical records like where you live, what your hometown is, how old you are, who your favorite actor or singer is, what your favorite book or song is, and so on.
• Friends are the common type of trusted member of the site who are allowed to post comments on your profile or send you private messages, according to your social IT policy. It varies from one social network to another; e.g. LinkedIn refers to them as connections, without the ability to create lists of your friends the way Facebook does.
• Groups help you find people with similar interests or meet up in discussions on specific topics.
• Discussions build interaction between users by means of discussion boards and polls.
• Media are features for posting pictures, music, video clips and other things related to your interests.
• Notes extend the social profile; you place them as short commentaries or drafts.
• Blogs are another feature of some social networks, based on the ability to create your own blog entries. It's also different for each service: for example, it has the same name on MySpace, while it is named Pages on Facebook. Many social services allow cross-posting into your blog, Facebook pages, wall/feed, etc.
• Applications are a popular kind of widget, usually found on an application market (Figures 2-6).
Figure 2. Social Networks used
Social networks have privacy issues like any technology, especially an emerging one. Privacy concerns with social networking services have raised growing worry amongst users about the dangers of giving out too much personal information that can leak into the hands of large corporations or governmental bodies, allowing a profile of an individual's behavior to be produced on which decisions detrimental to that individual may be taken. Privacy on social networks can be too complex to build and maintain for many reasons, such as inadequate protection mechanisms, and third parties frequently nullify your IT policy because their applications and services post information on social networks, mainly publicly, for a variety of purposes. Many social networking services, such as Facebook, give the user a choice of who can view their profile, which prevents unauthorized users from accessing their information.
Figure 3. Problems experienced on social networks
Figure 4. The social networks are least blocked on workplaces
www.hakin9.org/en
Users disclose identity-relevant information to others via their profile. This information is either referential, directly referring to a person, or attributive, describing attributes of the data subject. Although most laws and regulations restrict access to referential information, attributive information is not protected as such; however, the aggregation of large amounts of attributive information poses new privacy risks. Information spreads faster through a social network than through a real-life network, and it might be disclosed to a group of people unexpectedly, because digital information is easily copied, can be stored indefinitely and is searchable. Most of these websites are free to use, so social networks have to make money by generating revenue from the relevant information of their users. The most common way to achieve this is to create marketing profiles of users and serve them targeted ads. Social network sites track the activity of their users on their own websites and on those of their marketing partners, and are able to gather unprecedented amounts of secondary personal information about their users, sometimes without the users' informed consent. The information on these websites can easily be used to damage someone's reputation. Of course, these points don't affect every social network user, but they affect most of them. The architecture of vulnerability emerges when personal data becomes public, after which no legal document grants it protection. That is true under American law, it is also true under Russian law, and I suppose it's true for most countries in the world, because it is hard to prove that facts are private when a user posts them on a public profile, and the monetary damage is in this case difficult to measure. The main privacy risk for social users is that the social network doesn't give you any control over your relevant information by default. Moreover, others, like friends, can post information about the user, which can only be deleted after the fact, if at all.
Figure 5. % who feel unsafe on the social networks
Security behind default setting
For example, despite being insecure by default, Facebook has extremely detailed settings that let you set up the desired privacy aspects. However, these settings change often; you may think you know everything there is about them, only to be greeted with a completely different layout and a bunch of new options the next time you visit the dreaded Facebook Privacy Settings page. Nowadays there are several good write-ups on Facebook privacy, such as the MakeUseOf guide, one of the most detailed whitepapers. Unfortunately, no such whitepaper exists for the period after Facebook Timeline was introduced, which completely redesigned privacy management compared with the way it was before. That's why this issue is hot right now. I'm also going to cover not only Facebook but Twitter, LinkedIn, MySpace, Windows Live, Google, YouTube, Viadeo, etc. I'll discuss social privacy policy as well as smart web services that help everyone keep their social network cleaner and inform them about some kinds of harmful events.
Before I present the details of social privacy I'd like to highlight the general ideas of privacy and their justification. As you know, each network has a trusted-member relationship, often named Friends, Connections or something in that manner. Some social networks, like Facebook, let you distinguish between your social friends; this feature is known as Friend Lists. The first point is to avoid naming any list "Friends"; if you really want to name it that, then name it something like Fr-i-e-n-d-s, so that you can tell the heading of your list apart from the term in general use.
Figure 6. Displeasure with privacy controls in social networks
Your lists may overlap, and that is normal: with "Security Friends", "Security Blog Readers" and "Non-Security Blog Readers", the "Security Friends" and "Security Blog Readers" lists can overlap, while "Blog Readers" may include both security and non-security readers, or your publishing team's friends. Some posts you make won't be appropriate for the intersection of two lists. In that case you can add a "black list" of people who won't see your posts, that is, select people to exclude from seeing a post, or select people as a white list. Each case is different, so there's no single solution: you may have a lot of "black list" people who are hard to exclude one by one, and vice versa you may have a lot of friends on the white list. However, each group (friend list) can have its own privacy setting.
The next insecurity point is about removing yourself from Facebook or from search engine results. Again it's unique to each case, and you mustn't think about privacy within a single network only. A simple example: you have a Facebook account protected so that you can't be found on the web or on Facebook. You also have a public LinkedIn account, where you may have placed information about your Facebook account, or a job-seeker account like HeadHunter. So it's obviously not enough to remove yourself from only one social network if you want to be totally anonymous in the sense of this concept. As you can see, there are a lot of side attack vectors that reveal your Facebook account. Another example: you have a friend on Facebook who has a public friends list, and his friends have public lists in turn. You can't bring yourself to hide your friends list; sometimes that alone is enough to find out information about you. Moreover, you can be tagged in photos; however, the privacy settings let you require moderation, in which case you'll receive a request on your timeline to decide whether to agree with the tag or not. So, somewhere, your social contact or a reference to it will be found in the course of time.
Photo tagging is one of the most discussed insecurity points. Everyone is quick to say: don't tag your photos, not even your profile picture. It's quite justified, because a blog picture can be indexed by a search engine, and Google avatars are indexed. That means you already have at least a minimum of indexed photos, but it doesn't mean you should tag everything everywhere and everybody. You may tag your friends, but you must be sure they don't have some kind of public profile that puts your photos on the web. Some of your friends don't want to live public lives, so it can only be a recommendation for everyone to hide their friends list; within the scope of Facebook's legal documents you may only ask your friend to follow this idea, while another of his friends can ask him to show it. This reminds me of my first article about BlackBerry, where I discussed keystroke emulation and the ability to screenshot a password when it's shown free of asterisks (Hakin9 2011 #2, Is data secure on the password protected BlackBerry device). As an administrator you can disable the password unmasking feature. If you do, you'll get a user device that is totally wiped when the user has spent all password attempts. That is why you shouldn't do that, and should instead check installed programs as well as installed modules on your BlackBerry device and track malicious activity on the GUI side.
Your birthday, relationship status and other sensitive information should be hidden from view unless you have a strong reason not to. It should be hidden for one reason: there's no legal document granting protection of your private data once it's easily available on the web or in a search engine, and it doesn't much matter whether we're talking about Facebook's legal documents or a country's laws. Other sensitive information like your IM handles or your emails should be exposed only to a minimum, because this is not just a service that helps you remember them. On the other hand, there's no need to hide it if your public blog already offers the same number of ways for anyone to contact you.
Applications often bring useful features like filtering or other extensions of your social profile. Unfortunately, few of them give you non-posting behaviour by default, while the others tend to tell all of Facebook about the actions you take. Sometimes you have a window of time between installing an application and the moment it starts reposting your actions; that is the time to correctly set up all notifications from such programs. The most appropriate notification setting is "only for me", because I know of few cases when I have to tell anyone about it. No application breaks your privacy policy by itself; you only have to realize that you must re-create a new level of privacy for it, because an application only asks you for access to social data and possible actions, and applications are not covered by the base policy.
A typical social privacy policy declares: "We allow you to choose the information you provide to friends and networks through our social network. Our network architecture and your privacy settings allow you to make informed choices about who has access to your information. We do not provide contact information to third party marketers without your permission." It varies from one service to another, while the essence is that a settings feature is provided where you should set out your privacy vision. The main reason any service is subjected to criticism is that the default account settings allow anyone in a shared network to view a user's entire profile. That's right: your default account should restrict any actions, even for you. Even if a Privacy Wizard appears on a social service after your first login, such a wizard makes no difference, because you still have to set privacy for all your social flows. Facebook sometimes comes in for criticism because of that, despite its security feature that switches the visibility of your profile to "only for you".
The police are always behind any security trick and tip, because they might legitimately ask for access to your friend's data, exposing your actions in a public court case if you shared something private with him.
Chapter I. Security beyond the whole picture
Part I. Facebook
Profile
Before we start talking about security options we need to examine what our profile looks like after Timeline is accepted. Each profile has the following parts:
• Basic Info
• About You
• Contact Info
• Favorite Quotations
• Work and Education
• History by Year
• Pages
• Relationships and Family
• Living
Figure 7. “About you” section
The best Facebook privacy rules [Figure 46]
Most sharing cases are covered by the following audience settings, which are enough to keep your privacy:
• Public: includes people who are not your friends on Facebook and people who are not in your school or work networks.
• Friends of friends: available for minors only, as the maximum audience they can share with. It allows minors to share with friends and their friends.
• Friends: lets you post stuff to your friends on Facebook. If anyone else is tagged in a post, the audience becomes an extended Friends audience, because it expands to also include the tagged person and their friends.
• Friends except Acquaintances: all friends except the Acquaintances list.
• Only Me: lets only you see something. Most useful when you don't want to share your birthday but need to fill it in to pass the social network's agreement.
• Custom: lets you specify who is and is not able to view the content you share. When you choose Custom a pop-up box appears; from it you can choose to share with or exclude specific networks, friends, and Friend Lists. In other words, you can make content visible to specific people or to work or school networks that you belong to, hide content from specific people, or hide content from everyone so that only you can see it.
• Friends List: the different friend lists you made, including lists auto-created by city tag or company tag.
The top public data on Facebook (according to MakeUseOf)
• Things that are always public include questions, comments on Facebook help pages, comments on application help pages, showing up as an attendee at a public event, your name and current profile picture, your gender and your networks.
• Things that most people think are private (but are public by default) include Google search results, letting applications your friends use know your information, pages you "like", allowing websites and applications you use to know your information, instant personalization by Facebook partner sites, the ability to add you as a friend, the ability to send you a message, status updates, bio & favorite quotes, current location, hometown, interests, relationships and family.
Did you know?
To see what your public profile looks like, follow Home -> Account Settings -> Subscribers -> "Want to know what subscribers can see? View your public timeline".
Figure 8. „Basic info” section
The About Me section [Figure 7] stores all information you want to put in this section. It can be made available not only to the public, your friends or only you; you can choose exactly which lists or specific persons can or can't see this part.
The Basic Info section [Figure 8] stores information that can be used to fill in other non-Facebook profiles by clicking a sign-up button; each social application also tends to use this part. Basic info includes your sex, birth date, current relationship status, languages, political views and more. All records except your sex are controlled in the same way as the previous section, by choosing who can see them. Your birthday record has two controls, of which the first is stronger: the first is choosing who can see it; the second is choosing whether or not to publish it on the timeline [Figure 9].
Figure 9. „Birthday” (Basic info) on timeline
Figure 10. „Contact info” section
The Contact Info section [Figure 10] stores your email accounts, mobile/work/home phone numbers, your IMs, your address and web site. Each email can be set public or private for anyone or for selected persons. The best idea is to set your Facebook email to public, because if somebody doesn't have a Facebook account (s)he can always send you a message via traditional email, even if it's a Facebook email address. Other emails should be set to "Friends" or "Only Me"; the last state is most appropriate if you keep your IMs as public information. Each of your phone numbers can be controlled separately too, regardless of its group tag such as work, mobile, fax, home, etc. Your address, city and zip are controlled as one unit, so you must decide whether Facebook is like an eBay account where you fill in as many details as they ask for, or not. The web site record often refers to a public blog, a live journal or your own web site. As for me, I place here the link to the http://re.vu/yury.chemerkin site, which stores all my social accounts in one place. It means I can hide all of my social contacts on Facebook except the re.vu link. It's completely up to you whether Facebook is more private than re.vu, if you start to receive a lot of spam or not.
Figure 11. „Live” section
Figure 12. „Relationships and Family” section
Figure 13. „Pages” section
The Favorite Quotations section works the same way as the About Me section, so I skip it.
The Living section [Figure 11] stores two pieces of information: your current city and your hometown. Both are easily controlled separately. If you want to be easily found by these fields, as when someone wants to reconnect with old friends, you should set them to public and make sure that your profile is searchable on Facebook but not on the whole internet.
The Relationships and Family section [Figure 12] stores your current relationship, which can also be controlled precisely down to a specific person, and your family relations, such as your uncles, wife, children, etc. It's a good idea to make family relations visible only to the persons involved, to avoid any embarrassment, unless you have another reason to merge this list with another friend list, for example to build a genealogical tree.
The Pages section [Figure 13] provides one way of controlling your pages: showing them or not. Pages are for organizations, businesses, celebrities, and bands to broadcast information in an official, public manner to people who choose to connect with them. Similar to profiles (timelines), Pages can be enhanced with applications that help the entity communicate and engage with its audience, and capture new audiences virally through friend recommendations, News Feed stories, Facebook events, and beyond. On the Manage Permissions tab you can set country and age restrictions to control who is able to search for and like your Page, as well as control posting preferences and manage your moderation blocklist. If you're logged in to Facebook and visit a website with the Like button or another social plugin, your browser sends Facebook information about your visit: since the Like button is a little piece of Facebook embedded on another website, your browser is sending information about the request to load Facebook content on that page. Facebook records some of this information, like your user ID, the website you're visiting, the date and time, and other browser-related information. If you're not logged in to Facebook, Facebook still receives the web page you're visiting, the date and time, and other browser-related information. Facebook states that it deletes or anonymizes the information it receives within 90 days.
The Work and Education section [Figure 14] provides three categories, each separately controlled by the user: the places you've worked, your universities and your high schools. You're allowed to fill these in with position, city, position description, time period, and your projects with their description, time period and the persons involved, if they're on Facebook and have approved this information. Adding your employer to the Education and Work section of your profile (timeline) will not automatically add you to your work network; you have to join manually.
The History by Year section is built from the previous ones and is not editable. It's a part of your public timeline, visible to anyone, friends or specific persons. You can't hide the whole history, but you can hide parts of it through the privacy settings of the individual items or by deleting items from your profile/timeline.
Your profile also provides notes, likes (as a kind of interests), your mapped places, photo albums, and the visibility of your friends to others.
Figure 14. „Work and Education” section
Figure 15. „Notes” section
The Notes section [Figure 15] stores your draft notes and published notes. Draft notes are private by default, while published notes are public by default, so you need to check the visibility you want for them.
The Favorites section (or likes, or interests) [Figure 16] stores your interests in music, books, movies, television, games, sports teams, your activities, other interests and other pages you once liked. Each of these sections is separately controlled too. All your likes are built into a likes timeline by date and time.
The Maps section is also known as places mapped via photos. Besides that, it includes your work and education cities and countries, which you can't control by choosing a specific person or group, while your photos can be restricted to selected persons or lists. With the new sharing tool, you and others can create posts and add a location; in other words, anyone who can see a post can see a tag of you in that post, including posts with location, unless you remove these tags.
Figure 16. „Favourites” section
Figure 17. „Reporting/Blocking” section
The Photo Albums section lets you choose the privacy of photos by controlling friend lists, Album Name, Place, Date (Year, Month and Day are set completely separately) and Description. The privacy setting for your Cover Photos album is always public. You can't change the privacy of individual photos; for a specific photo you can choose tags, location, description, the persons involved, and comments. If you share a high resolution photo or album with someone, that person will be able to download those photos. If you tag someone in a photo, the Friends audience for that photo becomes an extended Friends audience: it expands to include the friends of anyone who is tagged in that photo. Anyone who can see a photo can also like or comment on it. If you want to share a specific album with people who are not on Facebook, find the "public link" at the bottom of the page; sending this link to friends or posting it on a website will allow everyone who clicks on it to view that album. Notice that this link will always work, even if you add photos or change your album privacy settings. Note that videos work almost the same way as photos.
Figure 18. „News feed customization” section
Figure 21. „Events” section
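To make the audience rules concrete, here is an added example written for this article (not Facebook's code) that models in Python how a post's audience setting, the author's friend lists and the tags on the post resolve to the set of people who can see it. It serves both the Friend List "black list"/"white list" discussion earlier and the tag expansion described for photos here. The social graph, the friend lists and the account names are constructed; two behaviours are assumptions rather than anything the page documents: that an exclusion in a Custom audience always wins over inclusions and over tag expansion, and that an Only Me post is never widened by a tag.

```python
"""Audience resolution for a single post, modelled on the sharing
settings described in this guide (Public, Friends, Friends except
Acquaintances, Only Me, Custom with include/exclude lists) and on the
rule that tagging expands the Friends audience to the tagged people
and their friends.

Added illustration for this article, not Facebook's code. Assumed (not
stated on the page): a Custom audience with no include list starts from
Friends, exclusions override inclusions and tag expansion, and Only Me
is never widened by tags.
"""
from dataclasses import dataclass, field

# Constructed sample graph of friendships (symmetric, invented accounts).
FRIENDS = {
    "alice":   {"bob", "carol", "dave"},
    "bob":     {"alice", "mallory"},
    "carol":   {"alice"},
    "dave":    {"alice", "eve"},
    "mallory": {"bob"},
    "eve":     {"dave"},
}

# alice's friend lists; "Acquaintances" is the list Facebook creates itself.
FRIEND_LISTS = {
    "Acquaintances":    {"dave"},
    "Security Friends": {"bob", "carol"},
}


@dataclass
class Audience:
    setting: str                                # public | friends | friends_except | only_me | custom
    include: set = field(default_factory=set)   # Custom: user ids or list names shown
    exclude: set = field(default_factory=set)   # Custom: user ids or list names hidden


def expand(names):
    """Resolve a mix of user ids and friend-list names to a set of user ids."""
    people = set()
    for name in names:
        people |= FRIEND_LISTS.get(name, {name})
    return people


def viewers(author, audience, tagged=()):
    """Return the set of user ids who can see the post."""
    friends = FRIENDS[author]
    if audience.setting == "public":
        return set(FRIENDS)                     # everyone; tags change nothing
    if audience.setting == "only_me":
        return {author}                         # assumption: tags never widen this
    if audience.setting == "friends":
        allowed = set(friends)
    elif audience.setting == "friends_except":
        allowed = friends - FRIEND_LISTS["Acquaintances"]
    elif audience.setting == "custom":
        allowed = expand(audience.include) if audience.include else set(friends)
    else:
        raise ValueError(f"unknown audience setting: {audience.setting}")
    # A tag extends the audience to each tagged person and their own friends;
    # this is how a non-friend such as mallory gets to see alice's post.
    for person in tagged:
        allowed |= {person} | FRIENDS[person]
    # Assumption: the "black list" wins over every inclusion, tags included.
    allowed -= expand(audience.exclude)
    return allowed | {author}


if __name__ == "__main__":
    print(sorted(viewers("alice", Audience("friends"))))
    print(sorted(viewers("alice", Audience("friends"), tagged=["bob"])))
    print(sorted(viewers("alice",
                         Audience("custom", include={"Security Friends"},
                                  exclude={"carol"}),
                         tagged=["bob"])))
```

Running the block prints three scenarios. The second shows a plain Friends post reaching mallory, who is not alice's friend, purely because bob was tagged; the third shows that a Custom audience built from the "Security Friends" list still leaks to bob's friends through the tag, while carol stays hidden because the exclusion list is applied last.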
The Friends section indicates who can see your list of friends. From here [Figure 17] the user can build friend lists, unfriend someone or block a specific person. To block a person, choose the report/block feature on the friend's page to open the reporting wizard. I skip several options like fake timeline and inappropriate photos and only mention the feature "My friend is annoying me". It covers subscription to news from your friends: you can minimize the news feed [Figure 18] for a specific person, and you can also unsubscribe from all of a friend's updates by choosing the option "Unsubscribe from …". If you want to unfriend somebody, you should know that public news subscriptions are still kept, while blocking a person stops any interaction between the two profiles. If you want to build a friend list, check your existing lists [Figure 19] first, because if anyone on Facebook adds a place of work and education or a city, (s)he is automatically added to your list named "City area" or "Family list". You're allowed to create lists that overlap with each other; for instance your work lists can overlap with a Security list, a Writing list or a Reader list.
The News Feed section [Figure 20] stores content visible only to you, except when you share it with others. You can sort news by clicking "Most Recent" to see stories in the order they were posted, or "Top Stories" to see the most interesting stories at the top of your News Feed. You can also filter by friend lists or subscriber lists.
The Events section [Figure 21] stores your upcoming events first, then declined, past and suggested events and birthdays, with the ability to export all events as a whole calendar to Outlook, Google, Yahoo, etc. When you create an event [Figure 22] you can make it public, meaning anyone can join and be added to the event guest list without receiving an invitation or being approved by an admin, or invite-only, meaning the event can only be seen by people who have received invitations and cannot be found in public search results. Both types can hide the invite list. If you join a public event, information about that will appear on your timeline. Public events created by others will appear in your news feed, but if you are invited, all invitations are stored in the Events section.
The Messages section stores absolutely private messages you've received and sent. By default, anyone on Facebook can send you a message, and if you set up a Facebook email address, anyone outside Facebook can send you email too. Emails from friends and their friends go directly to your main Messages folder, and everything else goes to the "Other" folder within your Messages. You can modify who can send you Facebook messages and email using the "How You Connect" settings discussed further on. Only emails from people that fall within the message privacy setting you choose will be delivered to your Facebook Messages; all messages sent from outside Facebook to your @facebook.com address still appear in your inbox folder. You can also report messages as spam.
Figure 20. „News feed” section
Figure 22. „Create event” section
Figure 19. „Friends List” section
Figure 23. Facebook settings
The Chat section extends the previous one but lets you control your privacy when you go online. If you manage friend lists on chat, you may see some of your friends listed as "offline." To appear online to any friend, update your privacy settings or click on their names to start chatting. You can hide yourself from all or some friends by:
• Going offline to all friends by selecting Go Offline.
• Going offline to some friends, but staying online (available) for others, by selecting Advanced Settings.
• Going offline to one person by clicking at the top of your chat window with that person and selecting Go Offline to X.
Facebook's Advanced Settings provide a few different visibility options:
• Stay online (available) to most friends and go offline (unavailable) to specific friends or friend lists.
• Stay offline (unavailable) to most friends and go online (available) to specific friends or friend lists.
• Go offline (unavailable) to all friends.
The Groups section extends pages by allowing anyone (or any member) to post in the group. Depending on the group's administration, you will find open, closed and secret groups. Anyone on Facebook can see an open group and join it: the group appears in search results and all content that members post is visible to anyone viewing the group. Members of a closed group can see posts in the group, but non-members cannot unless they are added to the closed group by another member and their request is approved. Secret groups cannot be found in searches, and non-members can't see anything about the group, including its name and member list. The name of a secret group is not displayed on the profiles (timelines) of its members. To join a secret group, you need to be added by a member of the group. However, if non-friends are in the same group as you, this does not mean they can see any more of your profile (timeline) information than your privacy settings allow.
The Invite Friends section helps you find friends who have already joined the social network by matching the email addresses stored in your Google, Yahoo, AOL or other address book. Note that Facebook stores all your contacts once you upload a .csv file or grant it an email address plus password pair. If your email service offers one-time or application-specific passwords, as Google does, you can type such a password and then revoke it on the Google side afterwards; if not, change your password before you grant Facebook access to your address book and change it again after you've finished adding friends. You can also remove all stored contacts from the invite history by clicking "Manage imported contacts" and then removing all contacts via the link https://www.facebook.com/contact_importer/remove_uploads.php.
Settings
Let's move on to the final Facebook security features. Please keep in mind that some features may depend on your country. You can use your Facebook account as a primary profile as well as a profile page [Figure 23]. Two setting groups are available for your primary profile, with their subgroups (keeping Facebook's own Settings notation):

Account settings [Figure 24]
• General
• Security
• Notifications
• Subscribers
• Apps
• Mobile
• Payments
• Facebook Ads

Privacy settings [Figure 45]
• Default Privacy
• How You Connect
• How Tags Work
• Apps and Websites
• Limit the Audience for Past Posts
• Blocked People and Apps
Figure 24. General account settings
Account settings show a brief overview of your common settings, such as the interface language, your password, email account, name, linked accounts, mobile management features and other typical settings.
www.hakin9.org/en
Figure 25. Name setting
Figure 26. Username settings
Figure 29. Facebook email verification
Figure 30. Linked accounts' settings
On the General tab, the Name record [Figure 25] lets you type your full name as well as a language-specific name, which helps your friends see your name in the way that is most natural for them if they use Facebook in the same language as your language-specific name. Unlike on some social networks such as LinkedIn, you can't obfuscate your last name, for example as "Yury C.", when showing it to the public or to friends of friends. Your Username record [Figure 26] is your identity and determines how easily anyone can find you. You may keep the numeric ID to stay more private, or put random characters in this field, but you can change it only once. Your Email record [Figure 27] shows your primary email, your Facebook email and whether your email address is stored for your friends when they download their own copy of their Facebook information. The set of primary emails lets you sign in with an "email address" plus "password" pair, where the email address may be on Hotmail or Yahoo. To add a new email, click "Add another email", type the new email address and your current password, and save the changes. For example, I type "[email protected]" and I need to verify it [Figure 28] by following the link in the received email message [Figure 29]. By agreeing to share your email address with an app, you give the app permission to send email to your primary Facebook email address, even if you change it later. Your Facebook email is a good way to keep your privacy, because you can make it public so that anyone can send you email at "[email protected]" as well as "[email protected]" while your real email address stays secret. The Password record is obviously where you type and re-type a password; Facebook also reminds you how long it has been since you last changed it, e.g. 7 months ago. Linked accounts let you sign in to Facebook easily, but that's not a good idea if you use a shared PC in a café. Note that this is not the same as cross-posting news to several social networks. Its practical value is very disputable. The link [Figure 31] named "Download your Facebook Information" is a good way to check how much information Facebook's data centers store about you, an important part of controlling what you share. In addition, this copy may be very useful if you lose a mobile phone that contained many photos. When you download, there is no way to select only the data you want. The entire zip file you download covers the following data types, according to the latest Facebook news:

Figure 27. Email settings
Figure 28. Email confirmation settings
Figure 31. Linked accounts' settings
Figure 32. Secure browsing settings
Figure 33. Login notification settings
Figure 34. Login approvals' settings
• Your profile or timeline information (such as your contact information, interests and groups)
• Wall or timeline posts and content that you and your friends have posted to your profile (timeline)
• Photos and videos that you have uploaded to your account
• Your friend list
• Your friends' names and some of their email addresses (if they've allowed this in their account settings)
• Notes you have created
• Events to which you have
• Your sent and received messages
• Any comments that you and your friends have made on your Wall or timeline posts, photos, and other profile or timeline content

This file excludes other friends' information that is not related to your profile, even comments you've made on their posts and photos. When the file is ready you receive an email notification with a download link; a typical wait is around 5 hours. When you download your information, Facebook requires you to confirm your identity before you can complete the process. First, Facebook sends an email to the email addresses listed on your Facebook account to ensure that you initiated the process. Once you receive the email, you have to re-enter your password. If you are using a public computer or one you do not use regularly, you may also have to solve a friend-photo captcha or an SMS captcha via your mobile phone.
On the Security tab, Facebook shows basic security settings for controlling your identity when you try to log in and while you browse Facebook. Secure Browsing [Figure 32] is easy to understand and must be set to "https". However, some applications can't cope with this setting, such as FBRSS. So, when you need to extract new RSS links for your friends or fan pages, you have to switch it off, open the application and then switch the setting back on. Login Notifications [Figure 33] is a very useful feature for being informed whenever anyone logs in successfully, so that you can kick the intruder out and change your password or your "email plus password" pair. A recent addition is text notification if you provide Facebook with your mobile phone number, which is worthwhile even if, like a BlackBerry user, you are online 24 hours a day and already get the emails. Login Approvals [Figure 34] is a very strong feature to use, because it extends the previous setting and gives you two-factor authentication by verifying every unrecognized attempt to log in to your Facebook account. Login Approvals use text message (SMS) confirmations: you have to enter a security code that Facebook texts to your mobile phone. If you lose your phone, you can always log in from a recognized computer. App Passwords are useful so that you don't have to save your real Facebook password anywhere. The set of Recognized Devices [Figure 36] grows each time you verify a new "device" after a successful login. Each record stores the date of last use, so if you haven't used a device for two months you can remove it with an easy conscience. The Active Sessions [Figure 37] are a kind of recognized devices in that they list all your sessions that have not been signed out. Some of them may be mobile, such as Wikitude, or sessions you forgot on a shared PC or a work PC. You can also deactivate your account [Figure 38] for a reason, for example because you already have another account holding more relevant information, or you created this one only for testing. As you can see in Figure 38, if you have developed applications or Facebook pages, you have to choose whether to close them or keep them in a non-editable state; you are also allowed to assign new admins for your groups.

Figure 35. Facebook one-time password's settings
Figure 36. Recognized devices settings
Figure 37. Active sessions settings
Figure 38. Facebook account deactivation settings
Figure 40. Subscribers' settings
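The login-approval flow described above (an unrecognized device must confirm an SMS code, a recognized device may log in without the phone, and recognized devices idle for two months should be removed), as an added Python model. This is example code, not code from the article or from Facebook; the class and function names, the 60-day idle limit, the 10-minute code lifetime and the three-attempt budget are assumptions chosen for illustration.

```python
"""Added example, not code from the article or from Facebook: a minimal model of
Login Approvals backed by a Recognized Devices ledger. The 60-day idle limit,
10-minute code lifetime, 3-attempt budget and the 6-digit SMS code are all
assumptions chosen for illustration."""
import hmac
import secrets

IDLE_LIMIT = 60 * 86400   # assumption: the article's "two months", in seconds
CODE_TTL = 10 * 60        # assumption: seconds an SMS code stays valid
MAX_ATTEMPTS = 3          # assumption: wrong codes tolerated per challenge


class Account:
    def __init__(self, password, phone, login_approvals=True):
        self.password = password          # plaintext only for the demo; store a hash in practice
        self.phone = phone
        self.login_approvals = login_approvals
        self.devices = {}                 # device_id -> last-used timestamp (seconds)
        self.pending = {}                 # device_id -> [code, expiry, wrong attempts]
        self.sent_sms = []                # stand-in for the SMS gateway: (phone, code)


def start_login(acct, password, device_id, now):
    """First factor. Returns 'denied', 'ok' (recognized device, no code needed)
    or 'code_required' (unrecognized device: a code was texted to the phone)."""
    if not hmac.compare_digest(acct.password, password):
        return "denied"
    if device_id in acct.devices:
        acct.devices[device_id] = now     # refresh the last-used date
        return "ok"
    if not acct.login_approvals:
        return "ok"
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[device_id] = [code, now + CODE_TTL, 0]
    acct.sent_sms.append((acct.phone, code))
    return "code_required"


def finish_login(acct, device_id, code, now):
    """Second factor. A correct, unexpired code makes the device recognized.
    Expired or over-budget challenges are discarded so a code cannot be brute-forced."""
    entry = acct.pending.get(device_id)
    if entry is None:
        return False
    expected, expiry, _ = entry
    if now > expiry:
        del acct.pending[device_id]
        return False
    if not hmac.compare_digest(expected, code):
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del acct.pending[device_id]
        return False
    del acct.pending[device_id]
    acct.devices[device_id] = now
    return True


def prune_devices(acct, now):
    """Housekeeping the article recommends: forget devices idle longer than IDLE_LIMIT."""
    stale = sorted(d for d, last in acct.devices.items() if now - last > IDLE_LIMIT)
    for d in stale:
        del acct.devices[d]
    return stale
```

The `sent_sms` list stands in for the SMS gateway so the flow runs offline. A real deployment would additionally rate-limit `start_login`, store a password hash rather than the plaintext, and bind the device identifier to something harder to forge than a bare cookie.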
Figure 39. Noti�cation settings
The Facebook Notifications tab [Figure 39] gives you control over being informed about any event that happens, by selecting all or only the desired events. This feature is more about security control than simple notification, because you'll know when you are tagged in somebody's photos, apart from the strange trend of posting scenic wallpaper photos in which a crowd of friends is tagged. To avoid a flood, you can choose to receive only important news daily, with a summary at the weekend. This isn't a powerful way to avoid scams or to get the most important updates on Facebook; some more useful web services and tools will be discussed in the second chapter of this article.
The Facebook Subscribers tab [Figure 40] shows summary settings for your public posts. If this feature is enabled, anyone who wants to get news from you is allowed to subscribe and read your public posts without being added as a friend. It's useful for famous people, magazines and journalists. Here you should decide who can comment on your public posts: your friends, friends of friends, or anyone including subscribers. Facebook extends the publishing features of your account by linking to Twitter as a one-way interaction, from Facebook to Twitter or from your Facebook pages to Twitter. To build the backward link you have to set it up in your Twitter account. In that respect the YouTube or MySpace account features are more powerful, because they let you select the right notification path inside the account itself. From this tab you can also see which of your posts are currently public by viewing the public part of your timeline.
Figure 41. Applications’ settings – 1
Figure 42. Applications’ settings – 2
The Apps tab is the first tab that is serious about security management. As I wrote before, a social application knows nothing about your profile privacy settings and builds its own privacy on top of them. Applications start out as a very useful way to inform your friends across several networks, e.g. MySpace [Figure 41], by reposting your updates from MySpace to Facebook, until the number of duplicates exceeds any reasonable limit. Given that any technical part of a social network can be rebuilt, such social applications for automatic cross-posting aren't a good way to keep privacy: you forget which social networks are linked, or your "like" on a YouTube video ends up (by accident or not) in a professional group on LinkedIn or Viadeo. In any case, you set up privacy settings for each application to control which of your friends can be notified about your activity. The causes of these settings are part of Facebook's Account Privacy Settings, which I discuss further below. Comparing Figure 41 and Figure 42 shows that an application asks you for required and additional permissions. Thus, my "Paper.li" application has an additional permission to post to Facebook in my name. If you don't want to give such a permission, you are allowed to remove it. Each application also has a static set of permissions, the data set [Figure 43] you granted. Such data is often used to extract your basic information. This is discussed further below, but you should note that the basic information often includes your public part at the time the application is installed. Finally, an application like NutshellMail should be set to "Only Me" visibility, because its whole point is to extend your social notifications for you alone. It's a good way of being informed about, and interacting with, the top social networks by email.

Figure 43. Data requesting per application
The Facebook Mobile tab extends interaction by receiving and sending SMS; there are no security tips here except the one I mentioned in my third article, "The Backroom Message That's Stolen Your Deal" (April 2011). The idea was based on misleading text messages that look exactly like Facebook or Twitter messages in order to attack your account.
The Facebook Payments tab is much the same as the previous tab, because it only enhances your social account with online payment methods. The security idea here is that you must not link your real credit card. Instead of a real card you should use a "virtual card" or a dedicated card holding a limited amount of money. As far as I am concerned, I use a Virtual QIWI card (http://qiwi.com/en/) for all online payments. It's very easy to destroy a virtual card and create a new one when, for instance, the Steam Community is hacked and your banking data may be published.
The Facebook Ads tab [Figure 44] lets you control the use of your likes in any advertisements you see on Facebook. Facebook strives to show relevant and interesting advertisements to you and your friends. The content of a Facebook Ad is sometimes paired with news about social actions (e.g., liking a Page) that your friends have taken. Likewise, your friends might see news about the social actions you have taken in Facebook Ads. This news is only shown to your confirmed friends and adheres to the applicable privacy settings for your account. If a photo is used, it is your profile photo and not one from your photo albums. There are not many options for controlling this, so the most suitable setting is "No One" rather than "Only my friends", because you can't choose a list of friends who are allowed to see it.
Figure 44. Facebook advertisement settings
Figure 45. Facebook general privacy settings
Figure 47. Custom Privacy Setting
Privacy Settings
The most powerful window to manage is shown in Figure 46 and includes the following items:

• Public
  Public includes people who are not your friends on Facebook and people who are not in your school or work networks.
• Friends of Friends
  The Friends of Friends option is available for minors only, as the maximum audience they can share with. It allows minors to share with friends and their friends.
• Friends
  This option lets you post to your friends on Facebook. If anyone else is tagged in a post, it becomes a kind of extended Friends, because the audience expands to also include the tagged person and their friends.
• Friends except Acquaintances
  All friends except those on the Acquaintances list.
• Only Me
  This option makes something visible only to you. It is most interesting when you don't want to share your birthday but you have to fill it in to pass the social network's agreement.
• Custom
  The Custom privacy setting lets you specify who is and is not able to view the content you share. When you choose Custom, a pop-up box appears. From the box, you can choose to share with or exclude specific networks, friends and Friend Lists. In other words, you can make content visible to specific people or to work or school networks that you belong to, hide content from specific people, or hide content from everyone so that only you can see it.
• Friends Lists
  The different friends lists you have made, including lists created automatically by city or company tag.

Figure 46. The best Facebook privacy rules
Most of them are obvious, but the first section, "Default Privacy", is the most important, because a wrong default is the top reason private information becomes public. While the "Public" and "Friends" options are clear, the "Custom" option corresponds to "Friends" by default. You have to set up the Custom section, because if you use an application that doesn't give you full control when posting news or photos, these three options are always what any application offers. The Custom privacy settings [Figure 47] include a white list of people to whom your posts are visible, a black list of people who do not see your updates, and a third list of tagged friends. The white list covers friends of friends, friends, only me and specific people and lists, while the black list covers only specific people and lists. Moreover, you have to input the black list manually, though with suggestions if you remember how exactly the person or list is named.

Figure 48. How you connect settings
Figure 49. Received email outside Facebook
The How You Connect section [Figure 48] stores security records about five parts:

• Who can look up your timeline by name or contact info?
  Restricted via options limited to Everyone, Friends of Friends and Friends.
• Who can send you friend requests?
  Restricted via options limited to Everyone and Friends of Friends.
• Who can send you Facebook messages?
  Restricted via options limited to Everyone, Friends of Friends and Friends. However, don't forget the [email protected] email address you set public to receive emails [Figure 49]: even if you restrict the "Everyone" option here, you continue to receive email messages sent directly to your @facebook.com address.
• Who can post on your timeline?
  Restricted via options limited to Friends and Only Me. Moreover, applications count the same as you here (depending on your application settings). You can also control what your friends post on your timeline in the "How Tags Work" section.
• Who can see posts by others on your timeline?
  Restricted via options limited to Public, Friends of Friends, Friends, Friends except Acquaintances, Only Me, Custom and Friends Lists.
The How Tags Work section [Figure 50] stores security records linking all Facebook entities that can be linked. A tag links a person, page or place to something you post, like a status update or a photo. For example, you can tag a photo to say who's in the photo, or post a status update and say who you're with. Tagging people, pages and places in your posts lets others know more about who you're with, what's on your mind and where you are. When you tag someone, they'll be notified. When someone adds a tag of you to a post, your friends may see what you're tagged in on Facebook. The tagged post also goes on your profile (timeline). If you'd like, you can turn on Profile (Timeline) Review to review and approve each tagged post before it goes on your profile (timeline), or exclude some people from seeing tagged posts of you on your Wall (timeline). Tagging works the same way wherever you post, even in private groups. However, when you post to a group you can only tag other group members. So, when you tag someone, the audience you selected for your post can see it, as well as friends of the person you tagged (if the audience is set to Friends or wider).

• Timeline Review of posts friends tag you in before they go on your timeline
  Restricted via only two options (enable and disable), controlling whether you have to approve posts you are tagged in before they go on your timeline.
• Tag Review of tags that friends want to add to your posts
  Restricted via only two options (enable and disable), controlling whether tags that your friends add to your content must be approved before they appear on Facebook.
• Tag Suggestions when friends upload photos that look like you
  Restricted via options limited to Friends and No One (Only Me), controlling who is offered a suggestion to tag you while a photo is being uploaded.
• Friends Can Check You Into Places using the mobile Places app
  Restricted via only two options (enable and disable), controlling whether map places can appear on your timeline via mobile applications. It is strongly recommended to turn on Timeline Review to cover as many cases as possible where you are tagged and mapped, so that you receive a notification when you're tagged in a post, including those with a location. Anyone can tag you in their posts, including when they also add a location. But if someone you're not friends with tags you, you'll receive a request to approve the tag before it appears on your profile (timeline). If you want to block someone from tagging you, you'll be surprised, because there is no feature for doing that; instead, you have to turn on Profile (Timeline) Review to approve all tags before they show up on your profile (timeline) and/or remove tags from location stories that you don't want to be included in.

Figure 50. How tags work
Figure 51. Application and web-site settings
Figure 53. Limitation for old posts
The Apps and Websites section [Figure 51] stores security records about four parts:

• Apps you use
  Application security settings were discussed under Account settings and are exactly the same. When you grant a permission, apps can store the information they receive, but they are not allowed to transfer your information without your consent or use your information for advertisements. Deleting an app from your profile (timeline) simply means that it will no longer have access to any new information that you share. If you would like a developer to permanently delete all of your information, you will need to contact the developer directly.
• How people bring your info to apps they use [Figure 52]
  This part covers all records of your basic information, your media links, education and work, your interests (likes) including application activities, your website and online status. It applies only to applications your friends use, not to the previous privacy settings. Therefore the most rational items you may leave checked are Bio (About you), your website, your links, notes and interests, your current city and work and education. On one hand this brings some promotion, on the other hand you may minimize this list or uncheck everything.
• Instant personalization
  Instant personalization covers cases when you use several social services like Bing, Pandora, TripAdvisor, Yelp or Docs, by providing them the information you have made public. If you don't want to provide this information, uncheck this feature. Moreover, it's a two-sided affair: if you uncheck it, you can't see your friends' activities when they use these websites, and no one can see your activities either, because you don't share the information. Instant personalization tends to extract mostly public information, including your name, profile picture, gender, networks, friend list, and any information you choose to share as Public. To access any non-public information, these websites must ask for explicit permission.
• Public search
  Public search controls the visibility of your profile to search engines via this checkbox. However, almost all search engines cache information, so your timeline information may remain available for a period of time after you turn public search off. Everyone not logged on to Facebook can see your name, profile picture, gender and networks as basic information that is always visible to everyone; also your friend list and your likes, activities and interests, if they were set up as public information.

Figure 52. Public data for friends' application
The Limit the Audience for Past Posts section [Figure 53] stores a security record that narrows your content's visibility from public to friends only, except for tagged people. If you're concerned about who can see your past posts, there's a privacy tool to limit the audience for anything you've shared with more than your friends, public posts included; however:

• You can't undo this action.
• This may result in people losing access to things that they previously commented on.
• People who are tagged and their friends can always see those posts as well.
• The tool limits the visibility of past posts that were available to more than friends on your Wall (timeline); it doesn't make any posts that had a more private or custom setting open to Friends.
• You also have the option to individually change the audience of your posts. Just go to the post you want to change and choose a different audience.

Figure 54. Facebook blocking
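The audience options from the Privacy Settings section (Public, Friends of Friends, Friends, Friends except Acquaintances, Only Me, Custom white and black lists, Friends Lists), the tag-expansion rule from How Tags Work (the selected audience plus friends of the tagged person when the audience is Friends or wider) and the one-way past-posts tool described just above, as one added Python model. This is example code, not the article's or Facebook's own; the social graph and posts are constructed sample data, and the precedence of the black list over the white list and over tag expansion (while a tagged person always sees the post) is an assumption.

```python
"""Added example, not code from the article or from Facebook: a resolver for
the audience options described in the Privacy Settings section, the expansion
to tagged people and their friends, and the "Limit the Audience for Past Posts"
rewrite. The social graph and posts are constructed sample data; the exact
precedence between lists is an assumption and is marked in comments."""

# Audience tokens that mean "Friends or more" for the purpose of tag expansion.
WIDE = ("friends", "friends_except_acquaintances", "friends_of_friends", "public")


class Graph:
    """Undirected friendship graph plus the owner's Acquaintances and Friends Lists."""

    def __init__(self, owner, friendships, acquaintances=(), friend_lists=None):
        self.owner = owner
        self.adj = {}
        for a, b in friendships:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.acquaintances = set(acquaintances)
        self.friend_lists = {k: set(v) for k, v in (friend_lists or {}).items()}

    def friends(self, who):
        return set(self.adj.get(who, ()))

    def friends_of_friends(self, who):
        out = self.friends(who)
        for f in list(out):
            out |= self.friends(f)
        out.discard(who)
        return out


def expand(graph, token):
    """Concrete set of people for one white/black-list token; None means everybody."""
    me = graph.owner
    if token == "public":
        return None
    if token == "friends_of_friends":
        return graph.friends_of_friends(me)
    if token == "friends":
        return graph.friends(me)
    if token == "friends_except_acquaintances":
        return graph.friends(me) - graph.acquaintances
    if token == "only_me":
        return set()
    if token in graph.friend_lists:
        return graph.friend_lists[token]
    return {token}                     # a specific person named in the list


def lists_of(post):
    """Normalise a post's audience into (allow, deny) token lists."""
    spec = post.get("audience", "friends")
    if isinstance(spec, dict):
        return list(spec.get("allow", [])), list(spec.get("deny", []))
    return [spec], []


def can_view(graph, post, viewer):
    """Decide whether `viewer` sees `post` under the owner's audience rules."""
    if viewer == graph.owner:
        return True
    allow, deny = lists_of(post)
    tagged = set(post.get("tagged", ()))
    if viewer in tagged:               # tagged people always see the post
        return True
    for tok in deny:                   # assumption: the black list beats the white list
        s = expand(graph, tok)
        if s is not None and viewer in s:
            return False
    for tok in allow:
        s = expand(graph, tok)
        if s is None or viewer in s:
            return True
    # Friends of a tagged person join the audience only when it is Friends or wider.
    if any(tok in WIDE for tok in allow):
        return any(viewer in graph.friends(t) for t in tagged)
    return False


def limit_past_posts(posts):
    """The one-way 'Limit the Audience for Past Posts' tool: Public and Friends of
    Friends posts become Friends; Only Me and Custom posts are left untouched.
    Returns the ids of the posts that were changed. The old audience is not kept,
    which is why the article warns the action cannot be undone."""
    changed = []
    for post in posts:
        if post.get("audience") in ("public", "friends_of_friends"):
            post["audience"] = "friends"
            changed.append(post["id"])
    return changed
```

Running `can_view` over every post for a given viewer is the check the article suggests doing by eye via the public part of your timeline; after `limit_past_posts`, a stranger loses access to a formerly public post while the tagged person and their friends keep it, exactly the caveats listed above.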
The Blocked People and Apps section [Figure 54] stores records such as users blocked by name or email, blocked application and event invites by name, and blocked applications. Restricting the privacy setting for Profile Visibility only limits other people's ability to view your tagged photos via your profile (timeline); it does not limit their ability to view these photos elsewhere on the site. Please keep in mind that the person who uploaded a photo chooses the audience for that photo. If other people are able to view photos you are tagged in, it is most likely because the owner of the photos has set the privacy of the photo album so that everyone can see it. While there is an option to block people from viewing the "Photos of" section on your own profile (timeline), there is no way to restrict the visibility of a photo that you didn't upload.
YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information security researcher since 2009, currently working as a mobile and social infosecurity researcher in Moscow. Experienced in reverse engineering, software programming, cyber and mobile security research, documentation and security writing as a regular contributor. Now researching cloud security and social privacy.
Contacts: I have a lot of social contacts, so you can choose the way most suitable for you.
Regular blog: http://security-through-obscurity.blogspot.com
Regular email: [email protected]
Skype: yury.chemerkin
My other contacts (blogs, IM, social networks) can be found among the http links and social icons before the TimeLine section on Re.Vu: http://re.vu/yury.chemerkin