Security Experts:

"OMG I Can't Believe That was You on Facebook!"

The inevitable has happened. Pornographic and violent images, many including gore and abuse, some even photo shopped to look like your friends, appeared on users’ profile pages on Facebook last Monday. While the true numbers and how it happened probably won’t be known for some time, experts in the field of Internet security are calling it a “widespread” spam attack and one of the worst security breaches in social media to date.

It definitely is raising concerns about Facebook vulnerabilities to hackers. It appears good old social engineering was used to trick users into copying and pasting malicious code into their browser bars. From there, hackers gained access to profiles and were able to post anything. Then, any of the user’s Facebook friends could see the images.

Facebook Security TipsFacebook issued this statement: "Protecting the people who use Facebook from spam and malicious content is a top priority for us and we are always working to improve our systems to isolate and remove material that violates our terms. We have recently experienced an increase in reports and we are investigating and addressing the issue."

In some instances, the promise of free or “awesome” discounts on vacations or products prompted users to make the “click” and then they were doomed. There may be more to this hack than meets the eye.

That’s just the beginning. Victims don't see the images on their own news feeds, because the graphic pictures only appear to the users' friends. Before you know it, friends are sending you emails with question marks – that is, until people figure out what is going on.

Hackers could be sending false messages to family and friends asking about private information, and this should cause even greater alarm because information is out there, in the hands of… well, anyone. Now that it is known how to hack Facebook, they could have a widespread copycat hack problem on our hands.

How is this happening? People are being tagged in photos, and because people are curious by nature and the first instinct is to see who tagged them and what photo was tagged.

It doesn’t get any better. Facebook is in the middle of settling complaints with the U.S. government over charges that it misled users about its use of their personal information. Facebook would need to obtain users' consent before making changes" to its privacy policies, which in the past it has not. Secondary to that complaint is the way Facebook stores and uses data.

Facebook would need to obtain users' consent before making changes to its privacy policies, which in the past it has not. Secondary to that complaint is the way Facebook stores and uses data.

I believe the recent Facebook hack is more than gruesome pictures and pornography. There may be a large “footprinting” element at work. It seems easy to breach Facebook, but the underlying modus operatis here may be to get through company security, in search of sensitive, lucrative data.

Not all companies ban social media in the workplace. When it is banned, employees have been known to download software that will seek out and destroy firewalls, and any other preventative measures aimed at curbing social media use in the workplace. In such a scenario, IT will not be aware of such gaps, at least not right away. As we know, and as we have written in the past, hackers will go around the globe just to exploit that one hole. Companies who allow employees to use social media at work are saying, “Walk right in.”

Companies that allow social media, and want to be protected, should require a sound security education program, and take the open approach of, “you can knock at the door but no one will answer” because, to the educated worker, OMG I saw you on that YouTube video, will raise antennas.

But that is for workplace users. How do we educate the 700-million Facebook users, who, for the most part have no experience with Internet security? We can start by going back to some basic security measures.

Change your Facebook password.

It is a simple, yet proven protection.

Hackers are clever and more than Internet savvy; they can create fake websites that looks like Facebook and trick you into logging in. They are phishing with one goal in mind – to get your password.

Facebook, a company that hopes to reach the 1-billion user mark by 2013, is becoming a great place for social engineering. It is reported by Facebook that 30 percent of people use the same password for all of their accounts.

I always recommend that you change your password often and make them complicated. . I like to use phrases for my password and substitute some letters for number such as Im0fft0tewaterc00ler. This same set or rule applies to all your passwords for all other user accounts.

Those Facebook apps

Straight to the point! Get rid of apps you no longer use, or apps you see on Facebook that you don’t remember you downloaded, or was tricked into downloading.

It’s been known for some time that Facebook apps require permissions, and these permissions can be changed, but not all apps can be changed. Contact your friends because if you have any rogue apps, then it is possible the same apps were unknowingly transferred to their Facebook account.

Don’t “like” anyone

So Facebook users really enjoy being social to the point of liking everything that is posted. Facebook makes it easy for people to click and provides a “like” button, called “like jacking”, another form of social engineering. Briefly, behind the “like” button could be hiding embedded images, which could turn on a malware program and unknowingly spin in coding with no good intent.

Facebook ‘s "like" button is one commonly used route for hackers. IT is one of those don’t blame me, says the hacker, because Facebook makes it so easy, and quite frankly, it has been called “user self-inflicted”. That would mean that every time someone clicks on anything, anywhere, in any media, it is self-inflicted, which is rubbish.

There is a way to prevent it. Here is a benign script that pops up a test alert in your browser, enter this into your URL bar: javascript:alert('test'); You can find more information from Zscaler on this here.

Apparently, Facebook has determined who hacked them, but are unwillingly to go public for legal reasons.

Nevertheless , Like many companies who have been hacked, Facebook could be facing a loss of reputation and a decline in users. Facebook user accounts are hacked 600,000 times a day, for 0.006 percent of its users.

The website has 800 million members who spend more than a total of 700 billion minutes on the site per month.

If users click off Facebook in large numbers it won’t be good for the bottom line, or the mega website’s reputation.

A small endnote to this story: the hacktivist collective, Anonymous, created some commotion in August by saying that on November 5, 2011 they would take down Facebook. Anonymous is known for targeting the likes of Fortune 500 companies like HBGary Federal, Law Enforcemnet Agencies, Bank of America and others. While there is no evidence that Facebook was hacked by Anonymous, it’s a possibility in the future.

Related Reading: Facebook vs. Privacy - What You Can do to Protect Your Privacy

Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal and serves as the company's Chief Technology Officer and Certified Ethical Hacker. Prior to joining Digital Locksmiths, he was a Premium Support Engineer for Novell in Canada where he analyzed network vulnerabilities and transitioned security technologies into production. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker, and security consultant, Terry has appeared in numerous national television and radio programs and is very active on the conference circuit. Follow Terry on Twitter at @TerryPCutler