SecurityWeek

Privacy

“OMG I Can’t Believe That was You on Facebook!”

The inevitable has happened. Pornographic and violent images, many including gore and abuse, some even Photoshopped to look like your friends, appeared on users’ profile pages on Facebook last Monday. While the true numbers and how it happened probably won’t be known for some time, experts in the field of Internet security are calling it a “widespread” spam attack and one of the worst security breaches in social media to date.

It is definitely raising concerns about Facebook’s vulnerability to hackers. It appears good old social engineering was used to trick users into copying and pasting malicious code into their browser address bars. From there, the hackers gained access to profiles and were able to post anything, and any of the user’s Facebook friends could then see the images.

Facebook issued this statement: “Protecting the people who use Facebook from spam and malicious content is a top priority for us and we are always working to improve our systems to isolate and remove material that violates our terms. We have recently experienced an increase in reports and we are investigating and addressing the issue.”

In some instances, the promise of free or “awesome” discounts on vacations or products prompted users to make the “click” and then they were doomed. There may be more to this hack than meets the eye.

That’s just the beginning. Victims don’t see the images on their own news feeds, because the graphic pictures only appear to the users’ friends. Before you know it, friends are sending you emails with question marks – that is, until people figure out what is going on.

Hackers could be sending false messages to family and friends asking for private information, and this should cause even greater alarm, because that information is then out there, in the hands of… well, anyone. Now that it is known how to hack Facebook, we could have a widespread copycat problem on our hands.

How is this happening? People are being tagged in photos, and because people are curious by nature, their first instinct is to see who tagged them and in which photo.

It doesn’t get any better. Facebook is in the middle of settling complaints with the U.S. government over charges that it misled users about its use of their personal information. Facebook would need to obtain users’ consent before making changes to its privacy policies, which in the past it has not. Secondary to that complaint is the way Facebook stores and uses data.


I believe the recent Facebook hack is about more than gruesome pictures and pornography. There may be a large “footprinting” element at work. It seems easy to breach Facebook, but the underlying modus operandi here may be to get through company security in search of sensitive, lucrative data.

Not all companies ban social media in the workplace. When it is banned, employees have been known to download software that will seek out and destroy firewalls and any other preventative measures aimed at curbing social media use in the workplace. In such a scenario, IT will not be aware of the gaps, at least not right away. As we know, and as we have written in the past, hackers will go around the globe just to exploit that one hole. Companies that allow employees to use social media at work are saying, “Walk right in.”

Companies that allow social media, and want to be protected, should require a sound security education program and take the open approach of “you can knock at the door but no one will answer,” because, to the educated worker, “OMG I saw you on that YouTube video” will raise antennas.

But that is for workplace users. How do we educate the 700 million Facebook users who, for the most part, have no experience with Internet security? We can start by going back to some basic security measures.

Change your Facebook password.

It is a simple, yet proven protection.

Hackers are clever and more than Internet savvy; they can create fake websites that look like Facebook and trick you into logging in. They are phishing with one goal in mind – to get your password.

Facebook, a company that hopes to reach the 1-billion user mark by 2013, is becoming a great place for social engineering. Facebook reports that 30 percent of people use the same password for all of their accounts.

I always recommend that you change your passwords often and make them complicated. I like to use phrases for my password and substitute numbers for some letters, such as Im0fft0tewaterc00ler. This same set of rules applies to the passwords for all your other user accounts.

Those Facebook apps

Straight to the point! Get rid of apps you no longer use, apps you see on Facebook that you don’t remember downloading, or apps you were tricked into downloading.

It’s been known for some time that Facebook apps require permissions, and these permissions can be changed, but not for all apps. Contact your friends, because if you have any rogue apps, it is possible the same apps were unknowingly transferred to their Facebook accounts.

Don’t “like” anyone

Facebook users really enjoy being social, to the point of liking everything that is posted. Facebook makes it easy for people to click by providing a “like” button, and this has given rise to “likejacking”, another form of social engineering. Briefly, hidden behind the “like” button could be embedded images or code that quietly launches a malware program with no good intent.

Facebook’s “like” button is one route commonly used by hackers. It is one of those “don’t blame me,” says the hacker, because Facebook makes it so easy, and quite frankly, it has been called “user self-inflicted”. That would mean that every time someone clicks on anything, anywhere, in any media, it is self-inflicted, which is rubbish.

There is a way to prevent it. Here is a benign script that pops up a test alert in your browser; enter this into your URL bar: javascript:alert('test'); It demonstrates that whatever follows “javascript:” in the address bar is executed by the browser in the context of the page you are on, which is exactly what the malicious copy-and-paste instructions relied on. You can find more information on this from Zscaler.
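As an added example (not from the article or from Facebook), here is a small Node.js filter that flags messages carrying the copy-this-into-your-address-bar lure described above, the kind of check a site could run over wall posts or messages before they are shown to friends. The sample messages are constructed for illustration.

```javascript
// Added example: detect the self-XSS lure ("paste this into your address bar")
// in user-generated text. Sample messages below are constructed, not real posts.

// A javascript: scheme immediately followed by code-like text (no space after
// the colon, then a call or assignment). "I'm learning javascript: it is fun"
// must not match, so a space after the colon breaks the match.
const JS_SCHEME = /javascript:[^\s]*[(=]/i;
// An instruction to paste/copy/type something into the browser's address bar.
const PASTE_INSTRUCTION = /\b(paste|copy|enter|type)\b[^.\n]{0,60}\b(address|url|location)\s*bar\b/i;
// Curiosity or freebie bait typical of the lure.
const BAIT = /\b(omg|can'?t believe|who (viewed|visited) your profile|see who|free|awesome)\b/i;

function classifyLure(text) {
  const reasons = [];
  if (JS_SCHEME.test(text)) reasons.push('javascript: scheme with code');
  if (PASTE_INSTRUCTION.test(text)) reasons.push('paste-into-address-bar instruction');
  if (BAIT.test(text)) reasons.push('curiosity bait');
  // The scheme alone is enough; a paste instruction needs bait alongside it.
  // Bait alone (a friend simply writing "omg") is not flagged.
  const suspicious =
    reasons.includes('javascript: scheme with code') ||
    (reasons.includes('paste-into-address-bar instruction') &&
      reasons.includes('curiosity bait'));
  return { suspicious, reasons };
}

// Constructed sample messages: two lures, two benign.
const SAMPLES = [
  "OMG I can't believe that was you! To see the video copy this into your address bar: javascript:alert('test');",
  "omg that concert was great, see you at the water cooler",
  "I'm learning javascript: it is fun",
  "Free vacation! Just paste the code below into your URL bar and refresh",
];

// Returns one verdict per message, in order.
function scan(messages) {
  return messages.map((m) => classifyLure(m).suspicious);
}

console.log(scan(SAMPLES)); // [true, false, false, true]
```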

Apparently, Facebook has determined who hacked it, but is unwilling to go public for legal reasons.

Nevertheless, like many companies that have been hacked, Facebook could be facing a loss of reputation and a decline in users. Facebook user accounts are hacked 600,000 times a day, affecting 0.006 percent of its users.

The website has 800 million members who spend more than a total of 700 billion minutes on the site per month.

If users click off Facebook in large numbers it won’t be good for the bottom line, or the mega website’s reputation.

A small endnote to this story: the hacktivist collective Anonymous created some commotion in August by saying that on November 5, 2011 it would take down Facebook. Anonymous is known for targeting the likes of Fortune 500 companies such as HBGary Federal, law enforcement agencies, Bank of America and others. While there is no evidence that Facebook was hacked by Anonymous, it’s a possibility in the future.

Related Reading: Facebook vs. Privacy – What You Can do to Protect Your Privacy
