Safer Social Networking - Phoenix, Arizona

Safer Social Networking Information Security & Privacy Office


Post on 25-Apr-2020




Agenda

• About social networking

• Risks

– Things you can’t control

• Malware, privacy policies

– Things you can control – TMI and over sharing

• Reputation and lifestyle, personal safety, burglary risk

• Protecting your family

– TMI, “the talk”, cyber bullying


Why Social Networking

• To connect

• To share

• To keep in contact


Mind-Boggling Facebook Stats

• Almost 600 million active users

• 50% of active users log on to Facebook in any given day

• Average user has 130 friends

• People spend over 700 billion minutes per month on Facebook


Twitter Stats

• Twitter has over 175 million users

• Twitter users tweet 95 million times per day

• People read about 3 billion tweets daily


Social Networking Is Here To Stay

• Americans spend nearly 25% of their time online on social networking sites and blogs

– Up from 15.8 percent just a year ago (43 percent increase)


Pop Quiz

• Why do thieves rob banks?

• That’s where the money is!

– Willie Sutton


Pop Quiz

• Why do bad guys attack Facebook and Twitter?

• That’s where the people are!


What Do Bad Guys Want?

• Money

– From ID theft / fraud

– From sending spam

– From selling ads or info about you to marketers


What Do Bad Guys Need?

• For ID theft / fraud

– Your personal info

– Your account credentials

– Your money (by tricking you into giving)

• For sending spam

– Your email account / credentials

– Control of your PC

• For ads and marketing

– Info about you – demographics, likes, hobbies, friends, location


How Do Bad Guys Get It?

• Your personal info and/or account credentials

– Keystroke loggers

– Phishing scams

• We lost your password, please give it to us

– Hack attack / password crack

• Control of your PC

– Virus / worm

• Your money

– Scam

• I’m stuck in Canada, please wire money

• I’m a Nigerian prince, help me get money out of my country

• Info about you

– Spyware

– Info you provide (posts, mail lists, location)

– Info collected (sites visited, items purchased)


Passwords

• 75% of individuals use the same password for social networking and email

• What’s the risk?

– Social networking sites are notorious for being hacked (passwords stolen)

• Use one password only for social networking

– Learn more: attend Password Cracking 101, Friday 10/22


Bad Guys Using Social Nets

• Abusing features

– Like using bogus accounts to send massive amounts of friend requests

• Creating malicious apps

– Like ones that send spam in your name

• Example: January 2010, bad guys set up a Facebook group protesting a rumor that Facebook was going to begin charging for its services

– Group appeared to be a legitimate forum for users unhappy with the proposal, but was actually a vehicle for spreading malware


It’s Not Just Facebook

• October 2010 – LinkedIn fake contact requests

– Email appears to be a contact request sent from LinkedIn – “click to view the request”

– Users who click on the link are routed to an intermediary website with the notification “Please wait ... 4 seconds”

– Then users are redirected to Google

– Malware Bugat is downloaded to PC in the 4 seconds

• Bugat harvests info during online banking sessions


Twitter Hack – Sept 21, 2010

• A flaw allowed pop-ups and third-party websites to open just by mousing over a link

• The Twitter page of Sarah Brown, wife of the former British Prime Minister, attempted to redirect visitors to a Japanese hardcore porn site


How Are Social Nets Using Your Info?


Facebook Privacy Policy – Verbatims

• Facebook is designed to make it easy for you to find and connect with others. For this reason, your name and profile picture do not have privacy settings. If you are uncomfortable with sharing your profile picture, you should delete it (or not add one).

• Some of the content you share and the actions you take will show up on your friends’ home pages and other pages they visit.

• Information set to “everyone” is publicly available information, just like your name, profile picture, and connections. Such information may, for example, be accessed by everyone on the Internet (including people not logged into Facebook), be indexed by third party search engines, and be imported, exported, distributed, and redistributed by us and others without privacy limitations. Such information may also be associated with you, including your name and profile picture, even outside of Facebook, such as on public search engines and when you visit other sites on the internet. The default privacy setting for certain types of information you post on Facebook is set to “everyone.”


Oops!

• A 14-year-old from Hertfordshire, UK invited 15 Facebook friends to her birthday party

– She included her address on the Facebook invitation

• She got 21,000 RSVPs from Facebook users around the globe

• Teen forgot to mark the Facebook event as private

• Mom canceled the party, revoked the girl’s Internet privileges, and called the police in case strangers decided to show up

• If you plan to use Facebook to invite friends, uncheck the little box next to the “anyone can view and RSVP” setting before clicking the “Create Event” button


Facebook Privacy Policy – Ilene’s Opinions

• Facebook’s privacy policies are confusing

• Facebook’s privacy settings are confusing

• Facebook changes its privacy policies without warning (and has been known to reset some settings to “everyone”)

• Facebook shares info about you with its partners

• You cannot control privacy policies – but you can control what info you provide

– Just consider everything you post available to the world


Late Breaking News – 10/7/2010


Things You Can Control


Reputation and Lifestyle

• Millersville University refused to give Stacy Snyder a teaching credential

– Stacy was weeks away from graduating

• School officials saw Stacy’s photo on MySpace

– Labeled “drunken pirate”

– School accused her of promoting underage drinking


Reputation and Lifestyle

• CA company, Social Intelligence, searches social networks to help companies decide if they want to hire you

– Systematically trolls social networks for evidence of bad character

– Looks for racy photos, comments about drugs and alcohol…

• Evaluates you in categories

– Poor judgment, gangs, drugs and drug lingo, demonstrating potentially violent behavior…


Reputation and Lifestyle

• On Facebook, wife learns of husband’s 2nd wedding


Think Before You Post


Pop Quiz

• What key piece of info do these folks want to know about you?

– Stalkers

– Potential dates

– Bullies

– Curious

– Predators

– Muggers

– Marketers

• Location


So, where are you?

• I’m on vacation!

• This concert’s amazing!


So, where aren’t you?


Yes – It Really Happens

• Nashua, NH: 50 home burglaries in August 2010

• Suspects used social networking sites to identify victims who posted online that they would not be home at a certain time

• Police recovered between $100,000 and $200,000 worth of stolen property


Think Before You Post


Kids’ Pictures Online

• 80% of children under the age of two have their pictures online via sites like Facebook

• 33% have their photos online at just a few weeks of age

• Risk?

– Privacy, reputation, ID theft, predator, and pedophilia concerns

• Imagine: Kids today have an online presence by the time they are two years old – a presence that will be built on throughout their whole lives


Protecting Your Family

• Only 9% of 16–24 year olds are concerned about security

• 92% of parents are concerned that their kids share too much information online


Definition: Internet Meme

• Concept that spreads rapidly via the Internet (goes viral)


Memes and Internet Cruelty

• Tweens post rumors online about 11-year-old Jessi’s sexual activities

• Jessi posts a video response to refute the rumors and threatens to kill her online tormentors

• Furor builds – people begin playing pranks on Jessi and causing her parents to become aware of the problem

– Receive phone calls that are recorded and posted to the Internet

– Parents film an “emotional” response and post it on YouTube

• Goes viral – people create spoof videos, fake photos…

• State police investigate the alleged bullying and insist Jessi be sent to a mental health facility because they believe she might be suicidal

• Jessi and parents are interviewed on CBS

• July 10–22, 2010, Florida


Sexting

• Sexting: Texting a racy photo of yourself (or just a body part) from your cell phone to another phone, emailing it to a friend, or posting it to your online profile page

• Percentage of teens who have posted nude or semi-nude pictures or videos of themselves:

– 20% of teens overall

– 22% of teen girls

– 18% of teen boys

– 11% of young teen girls 13-16


Sexting: It’s not just for kids

Tiger Woods Brett Favre


Serious Consequences: Internet Cruelty Kills

• 13-year-old Hope sexted a photo of her breasts to her boyfriend

• A girl from school got her hands on the photo and sent it to students at six different schools in the area

• Before Hope could do anything to stop it, the photo went viral

• The school alerted Hope’s parents

• 11-, 12-, and 13-year-olds bullied Hope and wrote horrible things about her on a MySpace page called the “Shields Middle School Burn Book” and started a “Hope Hater Page”

– Burn book: Like a diary, but you write mean things about people who are supposed to be your friends (from movie “Mean Girls”)

• Hope used her favorite scarves to hang herself from her canopy bed


Cyber Bullying

• Definition – Using Internet email, instant messaging, chat rooms, pagers, cell phones, or other technologies to deliberately and repeatedly hurt, taunt, ridicule, threaten or intimidate someone

• Nearly half of American tweens and teens are being impacted by it

• Seven in 10 teens surveyed who have experienced cyber bullying don’t tell parents about it


Responding to Cyber Bullying

• Don’t delete (may need evidence)

• Don’t escalate – don’t respond

• Do tell parents, school, and/or authorities

• Use email filters to block messages from bullies

• Set firm limits on cell phone and internet use

• Outline your expectations and have consequences


#1 Technical Control (Protection Strategy)

Put the family PC in the middle of the living room


#1 Soft Control – The “Talk”

• Have “The Talk” with kids (and spouse!)

– Make it a conversation, not a lecture

• Key points

– Online actions have real-world consequences

– Be careful when posting – you can’t take it back

• They can’t hide behind what they post

– Trust their gut if they’re suspicious

• Predators are out there

– Some info should stay private

• Full name, address, picture, location…

• Never meet an online contact alone and without your knowledge


Warn Family about Scams

• Example: iTunes Phish

– You get email that says you made expensive iTunes purchase

– “Click here” to see or dispute the purchase

– Malware is loaded to your device (usually to steal banking info / credentials)


#2 Take Inventory

• Review all gadgets that can take / store photos or videos

– Cell phones, webcams, video consoles (XBox, Wii), iPods, mp3 players...

• View saved images

– Promise you won’t hit the roof if you find something bad

• Watch what you buy

– Don’t purchase devices that can take or send messages

– Drop texting and/or image-sending capability from cell service

• Consider blocking/monitoring/parental control software


#3 Teach Family

Think Before You Post


Fed Protection: COPPA

• Children’s Online Privacy Protection Act

• Commercial websites that collect information from kids under 13 must get “Verifiable Parental Consent”


Summary

• Be vigilant online and be skeptical about giving up personal info

• Talk to family about good online safety and security habits, including protecting their personal information and their reputation

– Know what sites your family visits online

• Make sure your family knows they can come to you if something online makes them uncomfortable, including what others are posting about them, unwanted contacts, and questions they have about staying safe online

• Verify privacy settings and don’t over share


Resources

• Wired Safety

– http://www.wiredsafety.org/index.html

• FTC’s OnGuard Online

– http://www.onguardonline.gov/

• Kamaron Institute Cyber Bullying Solutions

– http://kamaron.org/Bullying-Solutions

• Microsoft’s Page on Online Predators (with link to Parental Controls)

– http://www.microsoft.com/protect/parents/social/predators.aspx

• PC Magazine’s review of parental control software

– http://www.pcmag.com/article2/0,2817,2346997,00.asp

• Electronic Privacy Information Center (EPIC)

– http://epic.org/