Site blog

by Bob Gilmore - Monday, 16 July 2018, 11:30 AM

Protecting your privacy on social media



The internet has opened our eyes to a whole world of new opportunities, from business to our personal lives. But take a look at any news programme and you’ll likely hear stories of privacy breaches and information sharing scams. This happens across the internet and social media platforms, but one of the biggest ones creating headlines today is Facebook.

Facebook privacy and security is back in the news again with bugs sharing user content to the world and breaches of security exposing user data. Facebook is an extremely useful tool, so going cold turkey is not an option for many people. The question then becomes, what can I do to protect myself?

But why does this happen?

The Internet is full of free stuff. The stuff stays free because the creators are selling advertising to their customers. The more data about you they have, the better value the advertising becomes; they can more accurately target you with ads you might actually click on.

Almost every game, quiz or survey wants to hook into Facebook these days. Play on-line with your friends or let them know just how awesome you are at 70's music trivia. These things can be fun, however they are often intended as data gathering tools, designed to find out information about you.

Linking the results of a fun quiz to Facebook is a win for both Facebook and the quiz maker. Both sides get more information about you than they had before. That you're interested in taking a quiz on 70's music not only indicates the type of music you like, but it can also reveal information about your personality type, political interests and more.

And it's not always about advertising and selling you stuff. Scammers and hackers can use this information for a variety of reasons.

The Cambridge Analytica breach made use of surveys that attempt to determine your OCEAN score: how you rate according to the big five psychological traits of Openness, Conscientiousness, Extraversion, Agreeableness and Neuroticism. On top of this, they get the information Facebook already knows. This depends on exactly what you've shared with Facebook, but usually includes gender, age, likes and more. Even worse, against Facebook's own rules, they then gathered information about the friends of those who completed the surveys.

For Cambridge Analytica, it then became relatively easy to target specific Facebook users and attempt to stir up specific emotions with the intention of exerting pressure on the outcome of the 2017 US elections.

The thing is, we like to play games and do fun quizzes, so what can we do to protect ourselves while still enjoying the free stuff? There are also good reasons to use Facebook's connection features beyond entertainment. Security is hard and getting it wrong is potentially a huge embarrassment, as anyone caught up in the Ashley Madison breach will tell you.

At least Facebook, Google and Microsoft (the big three security providers) have dedicated security teams. Using their security to access apps and websites makes sense. It also means you do not have accounts scattered and forgotten across the Internet which could become a problem later.

Facebook privacy and security settings

This document was written in July 2018. Facebook regularly changes what settings are available and where they are located, so if you can't find a setting mentioned here, use the Google search engine to track it down.

All the images were taken on a desktop PC. You may have to hunt around a little to find these settings on the mobile apps available from the Apple Store or Google Play, but they are all there. Again, Google is your friend when tracking these down.

What can others see?

It's sometimes useful to see what your Facebook page looks like publicly or to specific friends.

  • Click your profile button, then click the button on your cover image and choose View as.


Profile information

Your profile contains information like your gender, date of birth and more. Most people like getting birthday greetings and advertising which schools they went to or where they work. You can, however, selectively hide any of this from your timeline. That way people can wish you a happy birthday, without knowing how old you actually are!

  • Click your profile button then click About.

There are lots of settings in here. The settings are grouped into categories, for example the Contact and basic info category shown below. From here you can add or edit details and choose who can see those details.

  • Choose a category to view or edit.
  • To add information, click the appropriate + Add button, for example to add a mobile phone.
  • To edit information, hover the mouse over it. A new Edit option will appear, with an icon indicating the current privacy setting. Clicking edit will let you change the information and also who is allowed to see it.

You should always hide your primary Facebook email address or phone number: the one you use to log in with. If this information is public, then you've given away half of what a hijacker needs to gain access to your account.

Privacy

Several other core privacy features are not in the About page; instead, they are located in the Privacy Settings page.

  • Click the Facebook menu button and choose Settings.

  • Click the Privacy group of settings.


  • Each setting has an Edit button where you can control who sees specific information.
  • By far one of the most important controls is "Who can see your friends list?" This should be set to Friends or Only me. This one setting is used by so many malicious apps and scammers to spread around their wares. With this setting locked down, you are significantly less likely to be a target and less likely to accidentally spread problems if you are targeted. It's not foolproof; if your friends don't also lock down this setting then some information, such as Mutual Friends, sneaks through.
  • You should probably also set your email and phone to Friends and turn off search, unless you're using Facebook for publicity.

Security

Facebook can be deeply personal to a lot of people, containing memories, favourite photos, friends come and gone. Making sure you are never locked out of your account and that it is secure is therefore something most people should consider. Unfortunately, these options are often quite technical, so just a quick overview of them follows.

  • As with privacy, the security features are in the Facebook menu under Settings, then Security and login.

Hrm, that's a worry, I haven't been to Blackball recently! The location can be doubtful sometimes, especially on the West Coast and even more so if you're like me and never turn location services on.

  • This is where you change your Facebook password.
  • App passwords is a useful feature. With this setting activated, logging into your Facebook account from another site or app will use a different password from your normal Facebook password. This makes it less likely malicious sites or apps can gain access to your account.

  • Most of the time, you can reset your password if you have the same phone or email you signed up with. Choosing friends to help when you're locked out is an extra layer of safety if you are ever unable to access your account. This might be because you have forgotten your details or perhaps lost the phone you sign in with. You'll need three to five friends or family members you trust to set up this feature.

Apps and websites

This last set of privacy and security settings gives you control over which apps you have linked to your Facebook account, allowing you to see and remove them.

It's worth reviewing this page regularly to check what has access and if you really want that access to continue.

Conclusion

Facebook privacy and security is a big topic and there is lots happening! The settings outlined above are a sample of the most important ones to consider. There are still going to be bugs in the software that cause issues and there will still be security breaches. However, armed with these tools you can make a start protecting your own data from the most common threats.

Finding the balance between security and convenience has been an area of concern for as long as we've tried to lock stuff away. Taking the time to look over your Facebook page and its settings helps you find the balance that is right for you and also for your friends. You can't break anything, so get in there and have a look!

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

https://www.xkcd.com/936/

[ Modified: Wednesday, 18 July 2018, 4:42 PM ]
 

Since the news broke of the vulnerability in OpenSSL's implementation of the Heartbeat protocols, dubbed Heartbleed, a lot of websites have been scrambling to get patches installed. For the most part, this is proceeding quickly and successfully, at least for the big sites.

OpenSSL is the open source SSL/TLS implementation used by, basically, everybody to secure communications between server and client computers: websites, instant messaging, VPNs, wait staff in restaurants, you name it. The bug appears to have been introduced in 2011 and has been known about since 2012, at least in the wild, which means a lot of people could potentially have been affected.

The bug exposes a small 64KB chunk of memory in the client or server which can, if the attacker is lucky, reveal just about any secured information: passwords, credit cards, security keys, etc.
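To show why a heartbeat reply can carry memory it should not, here is a toy model added to this post (not OpenSSL's code): the responder trusts the length the sender claims instead of the length actually received, and the corrected version checks it. The arena layout, function names and the sample secret are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model: one flat arena stands in for process memory. The heartbeat
 * record sits at offset 0; a constructed sample "secret" follows it. */
#define ARENA_SIZE 128
#define HDR_LEN 3   /* type (1 byte) + 16-bit payload length */
#define PAD_LEN 16  /* minimum padding in a heartbeat message (RFC 6520) */
static uint8_t arena[ARENA_SIZE];

/* Store a request that claims `claimed` payload bytes but carries only
 * `actual`, then the secret. Returns the real record length. */
static size_t setup(uint16_t claimed, const char *payload, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                         /* heartbeat request */
    arena[1] = (uint8_t)(claimed >> 8);   /* 16-bit field: at most 65535, */
    arena[2] = (uint8_t)(claimed & 0xff); /* hence ~64KB per request */
    memcpy(arena + HDR_LEN, payload, actual);
    size_t rec_len = HDR_LEN + actual + PAD_LEN;
    memcpy(arena + rec_len, "password=hunter2", 16);
    return rec_len;
}

/* Flawed responder: echoes as many bytes as the sender claims. */
static size_t respond_vulnerable(size_t rec_len, uint8_t *out) {
    (void)rec_len;                        /* real length never consulted */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (claimed > ARENA_SIZE - HDR_LEN)   /* keep the toy inside its arena */
        claimed = ARENA_SIZE - HDR_LEN;
    memcpy(out, arena + HDR_LEN, claimed);
    return claimed;
}

/* Corrected responder: drop the request if the claim exceeds the record. */
static size_t respond_fixed(size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (HDR_LEN + claimed + PAD_LEN > rec_len)
        return 0;
    memcpy(out, arena + HDR_LEN, claimed);
    return claimed;
}

int main(void) {
    uint8_t out[ARENA_SIZE];
    size_t rec = setup(40, "ping", 4);    /* claims 40 bytes, sends 4 */
    printf("vulnerable: %zu bytes, fixed: %zu bytes\n",
           respond_vulnerable(rec, out), respond_fixed(rec, out));
    return 0;
}
```

With the flawed responder the 40-byte reply runs past the 4-byte payload and its padding into the neighbouring data; the corrected one returns nothing for the same request.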

Here is the official announcement: https://heartbleed.com/. Laughably, the page is secured by a certificate that is not issued by a major security provider, so the page generates a certificate error when visited.

Slashdot, as usual, provides a good summary and lots of links: http://it.slashdot.org/story/14/04/09/235217/heartbleed-openssl-vulnerability-a-technical-remediation

However, this blog post is not about all the official news. It's about how it can affect a regular consumer:

  • Almost all home (A)DSL routers are based on one version or another of the Linux kernel.
  • They almost all implement some form of remote administration so support staff can access your router if there are any problems.
  • This remote administration is often enabled by default if your router was supplied by your Internet Service Provider.
  • The remote administration almost certainly uses OpenSSL for security, although you can't easily find out.
  • If your router was manufactured after mid-2011, or has had a firmware update since then, it is very likely it will have this bug.
  • If you have ever used the Internet to enter a password, credit card number or other detail, it is possible that you could be at risk.

Disable your ADSL router's remote access.

Without wanting to stir up any more concern, this is a potentially serious risk and one that is going to be with us for a very long time because the manufacturers of these devices are notoriously slow to provide software updates to them, especially if they are no longer sold.

So, my advice to any user of broadband internet: find the remote administration of your ADSL router and disable it.

[ Modified: Friday, 11 April 2014, 8:08 AM ]