CounterMeasures - A Security Blog � Facebook

It’s International Change Your Password Day!

Rik Ferguson — Wed, 01 Feb 2012 14:01:41 +0000

under Creative Commons from Arenamontanus' Flickr

Treat your password like your toothbrush, don’t let anyone else use it and change it every six months. (Clifford Stoll)

What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals may well already have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple process to achieving this.

First, what NOT to do

- Do not use a word from a dictionary

- Do not use names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

- Do not use the same password for multiple different purposes.

- Do not share you passwords with anyone else, ever.

Brute forcing tools use dictionary attacks and hybrid dictionary attacks (where dictionary words are automatically modified using the common number/special character substitutions). So it is not sufficient to take a dictionary word and just change a few letters to numbers (Password into P455w0rd! for example) these sorts of password can be cracked in a matter of minutes

Here’s how you do it.

1- Think of a phrase you can easily remember, for example:

“Mötley Crüe and Adam and the Ants were the soundtrack of my youth.”

2- Take the initial letter of each of those words:

MCAAATAWTSOMY

This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !£$&+ for example, let’s change cases first:

MCaAatAwtSomY

Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY

As a special point of interest, a great character to include in passwords (if you have a UK keyboard) is the £ symbol, as it is overlooked by many of the mainstream password brute forcing tools, so maybe we could end up with:

Mc+A&tAwTs0mY£

Now you have a secure password, you need to devise a way to differentiate it for each site you use. For example you could put the first and last letters of the web site name at the beginning and end of your complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember!

Guess, I’d better go and change my passwords…

The mobile threat: FUD or MUD

Rik Ferguson — Mon, 21 Nov 2011 13:38:21 +0000

Preface: This blog is not about open source vs closed, it’s also not about Android vs iOS or any other mobile operating system. It’s about criminals vs people, it’s about hype and reality and it’s about knee-jerk self-preservation vs openness and consideration.

Last Wednesday, Chris DiBona (Open Source Programs Manager at Google Inc.) made a post on his Google+ profile hitting out at claims about “open source being inherently insecure’ and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market“.

While Chris does make some reasonable points regarding the comparative resilience and security of open source code, I can’t help but feel that he is wilfully missing the point when it comes to the current threat landscape that confronts smartphone users today. I’ll deal with the points I disagree with in the same sequence that Chris raises them:

1 – “All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets.”

Yes Chris, the major vendors all distribute apps based on the Marketplace or App Store model. One or more rogue or plain malicious apps have been discovered in most of those distribution channels and some of them get removed. Some of them even get removed in a timely fashion. Perhaps this is where some of the criticism based on “openness” has been misunderstood. As far as I am concerned, the problem pertinent to Android is not that the OS itself is open source, like I said you made some valid points about that, but that the app distribution mechanism is entirely open. Android embraces the concept of multiple third party marketplaces in addition to the “official” marketplace, even in the “official” marketplace there is no upfront vetting of code or functionality. Couple that with the undeniable and deserved popularity of the platform, it is no surprise that criminals are already actively exploiting an opportunity here. It’s not the open source, it’s the openness of the source.

2 – “Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.”

Well now, this seems to be plainly stating that there is no malware problem for the popular mobile platforms. The weight of evidence (not to mention criminal intent) would seem to be heavily against you here Chris and Android itself seems to be the target of choice. TrendLabs for example have documented a 1410% increase in Android malware in the period January to July 2011. Let me be very clear. I am well aware that this rate of increase is starting from a low base, those four figure increases are not as shocking as they may at first appear. In raw numbers the total amount of malware is of course orders of magnitude lower than for example the Wintel platform. However the more important figure is not the total number of malware, but the rate of increase of that malware quarter on quarter and year on year. That demonstrates current, active and sustained criminal interest in the mobile platform. It’s not complicated, criminals follow consumers; always have, always will.

3 – “If you read an analyst report about ‘viruses’ infecting ios, android or rim, you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence. If you read a report from a vendor that trys to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans. ”

I think the figures referenced above and the litany of mobile woe researched and documented by TrendLabs here speak for themselves. This clinging desperately to the term “virus” in a last ditch attempt to demonstrate that a platform is free of malware is exactly the same language I have heard from MacOS enthusiasts (I am one before you flame me) who have been historically unwilling to admit that now the criminals are after them as well. It may well be that there are no viruses in the strictest definition of the term Chris, where do you stand on criminal malware for mobile devices?

4 – “Please note: Policy engines, and those tools that manage devices from an corporate IT department are not the same thing at all, but sometimes marketers in companies that sell such things sometimes tack on ‘virus’ protection. That part is a lie, tell your vendor to cut it out.”

So we agree that security of mobile devices extends far beyond the threat from malware. Of course there is loss, theft, inappropriate access, device tracking, web-based threats through social networking or phishing for example and many other areas to consider (by the way this is important for the consumer too) but advising your users to request that vendors remove functionality designed to detect malicious software? Well I guess that’s one way to make a platform appear malware free…

Am I ashamed of myself? Not at all. I’d prefer to offer protection against a growing threat to personal and business security than to bury my head in the sand and defend my stance with wild accusation.

Your post very much accuses security vendors of FUD, sowing Fear, Uncertainty and Doubt. I hope I have demonstrated that is very much not the case. Maybe your outburst was more a case of MUD? Myopic Unalloyed Denial.

The mystery of the “hacked” Facebook accounts

Rik Ferguson — Wed, 19 Oct 2011 14:30:36 +0000

After a day of investigation it seems that “Team SwaStika” may be attempting to take credit for compromising account details that they really had nothing to do with.

The two lists of hacked accounts (Part 1 and Part 2) have both been circulated online before the Pastebin posts were made by Team SwaStika. The list entitled Part 1 appears to have been doing the rounds on various underground forums for the better part of a year. The second list entitled Part 2 by Team SwaStika is much more recent. The first evidence I can find of the accounts listed in Part 2 is only 19 days old.

A list with content exactly matching this second Pastebin post by Team SwaStika was uploaded to a compromised website by the better known group of hackers Group Hp-Hack. Group Hp-Hack is a Saudi Arabian hacker group that has previously gained notoriety in August of this year for defacing the websites of Joomla Canada and ethicalhackingcourses.com (which remains defaced to this day).

The html list of alleged Facebook logins uploaded to a compromised web server was created in Microsoft Word and has a creation date of 1st October 2011 but was posted with the claim (in Arabic) that the list only represents 10% of the 7 million accounts that were breached by Group Hp-Hack.

Group Hp-Hack defacement

I have informed the owners of the compromised server and advised them to remove the content and once again passed this information to Facebook’s security team

Over 10,000 Facebook account details hacked and published

Rik Ferguson — Tue, 18 Oct 2011 12:02:51 +0000

An update to this investigation is available here.
_____________________________________________________________________________________________________
A hacking group calling themselves “Team Swastika” have published what they claim to be the usernames and passwords for over ten thousand Facebook accounts on Pastebin, an online service for sharing large quantities of text data online. It should be noted that the PR agency for Facebook in the UK gave me the following statement, “This does not represent a hack of Facebook or anyone’s Facebook profiles. Our security experts have reviewed this data and found it to be a set of e-mail and password combinations that are not associated with any live Facebook accounts“.

Team Swastika are a new arrival on the hacking scene, having announced their “launch” only six days ago. although they have only one tweet to their name they have already caused concern by publishing database tables and user credentials stolen from the websites of the Indian Embassy in Nepal and the Government of Bhutan, apparently by SQL injection attack.

This latest publication of what they claim to be more than ten thousand Facebook user credentials is without context and with no indication of the means by which they were stolen. The posts themselves have already been removed by Pastebin but I managed to get a look at them before this happened…

Stolen credentials for Facebook accounts

The compromised user accounts come from all over the globe, and a quick glance through the list of associated passwords shows that the majority of affected users are not using complex passwords, with many being simply a derivation of the user name, a favourite football club or a short numerical password.

The ongoing effect of such a large scale compromise can be disastrous for affected users, particularly if the password is shared for multiple accounts. It can lead to compromise of the victim’s email account which can act as the skeleton key for many other online services, as any password reset procedure will normally pass through the account owner’s email inbox for verification. regaining control of a compromised account can be a costly and time consuming process, as this recent victim explains.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to achieve this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

I have not verified if the credentials as posted are legitimate, for reasons of privacy, but have passed the full list of affected accounts on to Facebook security so that they can warn and protect their users.

Making the most of Facebook privacy – Part III

Rik Ferguson — Tue, 11 Oct 2011 12:04:07 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part of this series can be found here, and part two here.

Lists – Control privacy when you post

Use the Facebook lists feature to divide your friends into lists. This is a great feature for protecting your privacy because it allows you to select an individual audience for each one of your status updates or wall posts, be aware though it is not possible to individualise the audience for your “Likes”.

Facebook offers three default lists; Close Friends, Acquaintances and Restricted. Dividing friends between “Close friends” and “Acquaintances” will influence how much or how little they show up in your news feed. Adding a friend to the “Restricted” list means they will only be able to see content that you make “Public”. Facebook has also introduced the concept of Smart Lists, these could be related to where you live, where you work, or where you went to school for example.

If you add a friend to any of the “Close Friends”, “Acquaintances” or “Restricted” lists, they will not be informed. However, be aware that if you add a friend to a Smart List that is related to a place of work or college for example, they will receive a notification that you have done so and will be able to approve that information for posting to their own timeline. You can also create custom lists and again your friends will not be notified if they are added to these lists. It is worth noting that when you share content with a specific list of friends, your friends will not see the name of the list you have shared it with, but they will see that you have chosen a restricted audience for your post and they will be able to see every individual name in that group.

Subscriptions

Subscriptions is a new Facebook feature that allows you to follow the public activity of people on Facebook, without having to add them as a friend. Of course this means that the possibility exists for people to follow your content, without you having accepted them as a friend as well. It’s one more reason to tightly control your privacy on Facebook. For example, default behaviour on Facebook if you defriend someone is that they will remain subscribed to you and able to see any public content and perhaps content that is shared by mutual friends too, unless you do something about it. If you want to enable or disable the permission for other users to subscribe to your content, go to your timeline and click the arrow to expand the view of your “favourites boxes”. You will see the subscriptions box, click the box and you will be able either to click the “Allow subscribers” box or, more advisedly a “Settings” button where you will be able to turn it off.

Events

Any “Public” event you have responded to will feature on your timeline and will be shared with the public, meaning that anyone viewing your Facebook profile will be able to see these events. To hide these events from your timeline, view your timeline, click “View Activity” and select “Events” from the activity type drop down menu that appears on the right. You may then hide any events you wish from being displayed on your timeline.

Check yourself out!

If you want to check how the changes you have made have affected the information you share you can view your own timeline as another Facebook user would see it, or as it is visible to the general public. To do this, select the downward pointing arrow just to the right of “View Activity”, select “View As…” and type the name of the friend whose view of your profile you wish to preview, or click the “public” link. This is a great way of identifying those last few pesky events, photos, videos or stories that may still be publicly visible. You can then find each unique event in your Activity Log and refine the audience to whom it is visible or remove it entirely from your timeline.

Five rules to remember…

1. If you post on someone’s wall then you cannot control the privacy of your post . The visibility of the comment is defined by the original post which may be less restricitve than you want, for example, “Friends of Friends”.

2. If you restrict the audience of a post in order that certain friends cannot see it that restriction should not be considered final. If someone later posts a comment that tags a Facebook user who was not a part of the original audience, then the entire thread and original post will be visible to that person. Be careful what you post.

3. If you post on, or respond to an invitation to a public event or a public page; you cannot control the privacy of your post. You can only hide it from your timeline after the post has been made.

4. If you post on a friends wall where their privacy setting is “friends of friends”, then any of your friends who are on your Restricted list will be able to see that post, because they are your friends.

5. This means that anything you post which is “Public” or “Friends of friends” (either by your own settings or those of the recipient) may show up in the ticker of people you do not necessarily know, have restricted or have defriended.

Making the most of Facebook privacy – Part II

Rik Ferguson — Tue, 11 Oct 2011 11:40:14 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part in this series of posts can be found here.

Now it gets more granular… Let’s look at “Privacy Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook privacy settings

How you connect:

Change the setting for “Who can look up your timeline by name or contact info”, “Who can post on your timeline” and “Who can see posts by others on your timeline” to Friends. The default setting is Everyone except for “Who can see posts by others” which defaults to Friends of Friends, this setting is the cause of much of the noise in the ticker that so upset everyone when it was introduced.

The settings for “Who can send you messages” and “Who can send you friend requests” are just a question of how contactable you want to be, personal preference, again the default is Everyone.

How tags work:

Set Timeline Review to On. This does not stop you from being tagged in posts and those posts and tags will still appear in others’ feeds if they are connected to the originator or to someone else tagged in the photo, but they won’t appear on your wall/Timeline until you approve them. By default this is turned off.

Set Tag Review to On. When someone tags your content, you must review before it is posted. This is useful because once a person is tagged in a picture, post or comment, both that person and their own friends can see the content. Content you may not have wanted to share more widely. By default this is turned off.

Set Maximum Timeline Visibility to Friends. This controls the maximum extent of who can view posts to your *own* timeline. Don’t forget this content may have initially been posted on someone else’s wall and you cannot restrict the visibility of the original post. By default this is set to Friends of Friends.

Set Tag Suggestions to Off. This feature will suggest your name when someone uploads a picture that Facebook thinks looks like you. By default this is turned on.

Set Friends can check you into Places to Off – that way, you’re not going to get checked in to somewhere you would rather have kept secret, or even somewhere you never were. By default this is turned on.

Apps and websites

The Information accessible through your friends section controls what information about you can be accessed by Apps that your friends may have installed. Deselect every check box in this section. You will find that by default they are almost all allowed.

Instant personalisation shares Facebook data with certain partner websites. If the option is available, uncheck the box to turn it off. If it is greyed out it means that Instant personalisation is not yet available to your account. Note that it is turned on by default, so try to remember to keep an eye on it because you are not able to disable until the feature is already turned on…

Public Search, if you’ve been following the recommendations so far, this feature should already be off because you changed Who can look up your timeline to Friends only.

Limit the audience for past posts. Click Manage past post visibility and then click Limit old posts. This will ensure that any posts you have made in the previous years on Facebook will have their privacy restricted to Friends only. Unfortunately there is no indicator that tells you whether you have previously done this, so if you’re unsure, just do it again.

Part three of this series is available here.

Making the most of Facebook privacy – Part I

Rik Ferguson — Tue, 11 Oct 2011 11:07:29 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

Since the long list of new features recently unveiled has begun to be rolled out for all Facebook users; I have been receiving ever-increasing amounts of questions from friends, colleagues and Countermeasures readers concerned with how their online privacy may be affected. So I have put together this guide to Making the Most of Facebook Privacy in 2011. I refer to the forthcoming Facebook feature “Timeline” a lot in this post, but don’t be fooled these settings are available right now, even if you haven’t enabled Timeline yet.

Don’t Get Facejaked

So initially, let’s get to the recommended settings for locking down your Facebook security without having a negative effect on your enjoyment of the social network. Follow the three steps in this earlier blog article to help protect your account from unauthorised access, so-called “facejacking”.

Lock Out Leakage

With that out of the way, let’s go on to tweak your account and privacy setting to better protect the content you share and control the audience with whom you share it. Let’s look at “Account Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook Account Settings

App & Adverts

In this menu you should review the individual permissions that you have allowed the Apps that you have installed. Have a first pass through this list and remove any apps you no longer use. Then review individual permissions by clicking the Edit link next to each remaining App. Some permissions are required for an App to work but many optional permissions can be revoked here. At the same time, ensure that the App itself is not giving out too much information by changing the setting “Who can see posts and activity from this app” to “Friends” unless you have specific Apps that you wish to grant greater visibility.

Finally, in the Facebook Adverts section, change the Third party advert settings and Edit Social Advert settings to No one. The default setting here is Friends.

Protect Your Privacy

The changes to Facebook have radically changed the ways in which we can share content with our friends, friends of friends and the general public. There are two main ways to configure this privacy; when you post through the Facebook interface or when you post through a device or App that doesn’t allow per post privacy settings. To configure these settings select Privacy Settings which is accessed through the same drop down menu as above.

Facebook Privacy

The Default Privacy setting only applies to posts made through an interface or App that doesn’t support inline sharing controls. I recommend setting this to Friends, the default setting again is Public.

In the next part of this blog series, I detail some of the more specific settings for controlling how you share information and perhaps more importantly, how information is shared about you.

Part two of this series is available here.

It ain’t the Timeline, it’s the Ticker, Doc.

Rik Ferguson — Fri, 23 Sep 2011 22:38:12 +0000

Ever since the forthcoming Facebook profile changes announced earlier this week at the f8 Facebook Developer Conference, there has been a lot of talk online about how the new Timeline layout of your user profile will affect your privacy.

Essentially Facebook is taking all of the information that you have already entered into the social network, your profile, your photos, your posts, comments and other’s comments about you and presenting it in clickable chronological order. This has given some commentators cause for concern. Not I.

I’ll admit that when I first read about the changes I was a little worried, even to the point where I messaged my girlfriend to express my concern (I know, geek). So I thought to myself, “Ferguson, don’t be so negative, at least check it out first before going off the deep end.”

So I logged into Facebook and enabled the new Timeline view (it’s not publicly released yet, but here’s how you can get it in advance) and to be honest I loved what I saw. It’s pretty, it’s intuitive and it certainly says a lot more about me (it’s a profile after all) than the previous layout.

Enough of the aesthetics though, what of the security concerns? The thing that led me to write this blog was an article by Gregg Keizer which featured commentary from Sophos’ Chet Wisniewski. Chet is of the opinion that the new layout simplifies the procedure of data mining any given individual, he says “Timeline makes it a heck of a lot easier [for attackers] to collect information on people“. He’s right too, If I had previously wanted to look at everything someone had ever done on Facebook , it would mean a aeons of clicking to load older posts. Now it’s all presented in a scrollable timeline, much more simple. So why do I disagree?

Timeline certainly makes it easier for anyone who has access to my profile to find out about my Facebook past, but my profile is set to private. Not only that I am also very selective about who I add as a friend on Facebook. In all honesty I really don’t mind my friends data-mining me if they have nothing better to do on a rainy afternoon. I’d have to wonder why, but hey, whatever turns your crank… Incidentally, Timeline also let’s you work out who has “unfriended” you.

Of course if my profile was configured to be viewable to the general public, or if I added just anyone as a friend, then timeline would indeed add a whole new set of concerns. To be honest though, if your Facebook profile is publicly viewable or your an inveterate befriender of stranger, you have far bigger concerns already… None of you do that, do you?

There has to be something that worries me in the new Facebook though, and as my fellow Tweeter Kurt Wismer agreed, it’s the Ticker. You’ve seen the Ticker, right? It’s the new scrolling display of updates int he top right corner of your Facebook page. Why do I worry about the Ticker? It publishes all your activities, including check-ins, in real time to all your friends, including your interactions with people and groups those friends don’t know (if that content is public). This is very much a stalker enabler. Now not only can I watch what you are doing on Facebook with people I know, I can also see when you comment, post or like something I have no connection to whatsoever, this is A Bad Thing.

For now, there’s not not you can do about this other than appeal for Facebook to reconfigure this functionality and apply the same kind of discretion any normal person applies in real-life. There is current a groundswell of people posting the following status and for now it’s the only option you have…

Here’s the text in case you want to copy/paste.

“Please do me a favour: please hover over my name here, wait for the box to load and then hover over the “Subscribe” link. Then uncheck the “Comments and likes” choice. I would rather my comments on friends’ posts not be republished. Thanks** Then repost if you don’t want your EVERY MOVE posted on the right for everyone to see! :) i’ll do the same for you if you want. just click “like.”

Anonymous vows to attack Facebook?

Rik Ferguson — Wed, 10 Aug 2011 12:25:50 +0000

In a new video, Anonymous or at least an element of the “loose online collective” (how much am I growing to despise that term?) has announced plans for a coordinated attack on Facebook to be launched on the auspicious date (at least here in the UK) of the 5th of November. The video calls for volunteers to join the assault but does not give any details on planned activity. The video should for now be treated with suspicion. It was posted almost a month ago and yet has not been widely publicised, or publicised at all, on the usual Anonymous channels. The Twitter profiles that appear to be associated are inactive, and in a masterstroke of irony, there’s even a Facebook page for it

According to the video, Facebook deserves to be “killed” for a number of reasons

1 – They store personal information and do not delete it – “even if you “delete” your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more “private” is also a delusion. Facebook knows more about you than your family“.

2 – They sell rights of access to your data to external agencies - “Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria”

Having set out their reasons, they sign off with the message “We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.”

Let’s examine these accusations. Firstly data retention; according to Facebook’s own Privacy Policy “When you delete an account, it is permanently deleted from Facebook.” which seems pretty clear cut. There is a later caveat in a section dealing with backup copies of data that states, “Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others.” Of course if you have chosen to share information on Facebook and that information has been further shared by your friends or contacts, then you must consider it has passed beyond your control. This is the primary reason why caution should always be uppermost in your mind when posting anything online. On the face of it, point 1 of the Anonymous gripe seems invalid.

Secondly, Facebook sells information to third parties? Again a squint at the Privacy Policy tells us Facebook’s approach to this matter; “We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.”

So, without getting into a debate about the rights and wrongs of specific governments around the globe, Facebook is certainly open that they will share information in response to requests from both US and “foreign” jurisdictions under the laws applicable in that jurisdiction. What is the lesson to take from this? If you are a Facebook user and you consider that your local government or law enforcement may take unwanted interest in your social networking activities then pay very close attention to the information that you disclose, both on your personal profile and in your activities on the website. If you are engaging in activity which your government would rather you didn’t, be aware that a legal or civil request to this social networking provider may well be honoured.

The biggest and most important point though is this. Facebook is voluntary. You join Facebook because you want to. You provide information of your own volition and essentially at your own risk. If Facebook does know more about you than your own family, it is only because you told them. Conversely, while the social networking provider does provide relatively granular controls over how and who you share your data with, it is certainly my opinion that the default settings on an account are still too open, and the mechanisms for controlling sharing too complex.

Posting information anywhere online is similar to pasting up a notice in a global meeting hall and should be treated in that way. Even if you restrict access to your information to only your friends, you cannot control how that information is further shared by people within your circle of trust. If you aren’t happy to stand in a crowded shopping centre and repeatedly shout out your telephone number, you shouldn’t be making it available online, anywhere.

However, the thing that bothers me most in the Anonymous announcement is the phrase “One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you“. Joseph Goebbels once said something very similar, “It is the absolute right of the State [the rulers of the internet?] to supervise the formation of public opinion.“.

“For your own good is a persuasive argument that will eventually make a man agree to his own destruction.” – Janet Frame.

The Facebook kidnap & robbery

Rik Ferguson — Fri, 29 Jul 2011 10:05:38 +0000

In what appears to be a well-planned and pre-meditated crime the safe in a Carrefour supermarket was emptied by criminals with the help of a Facebook friendship.

At the beginning of February, the manager of the supermarket made an interesting new friend on Facebook, a girl by the name of Katrien Van Loo. The relationship blossomed and pretty soon, the victim was invited over for a cosy dinner for two, presumably to further his acquaintance with his new-found friend. This was on the 15th of February this year. Police are now releasing images in an appeal for witnesses. The Belgian Police report is here.

When the victim arrived at ten-thirty that evening, he discovered that he had in fact been lured to an empty building with the bait set by this fake Facebook profile. He was quickly overpowered by two men who gagged and blindfolded him and forced him to hand over the keys to his own apartment.

While one of the criminals stayed with the victim, the other took the stolen keys and visited the unfortunate supermarket manager’s home. He found the keys to the supermarket and left the building and while doing so was filmed on closed-circuit cameras in the building.

Suspect in Belgian burglary from CCTV footage

Shortly after midnight, the vault of the store was emptied by a third accomplice, he was also caught on camera. The suspects can be seen in video footage prepared by the Belgian police. Suspect in Belgian Facebook burglary. It is worthy of note that both suspects are left-handed.

If you recognise these suspects, or have any information regarding this crime, the Belgian authorities would love to hear from you. You can call the local toll-free number 0800 / 30.30.0 or use this online form.

If you are a Facebook user, remember, anyone can be anyone online. Never admit unknown people to your circle of trust; you jeopardise your own safety and privacy as well as that of the friends who may be posting on your wall. If you ever decide to meet a stranger, don’t repeat this guy’s mistakes. Do it first in a public place and do not go alone. Trust should be earned, not given.

If you receive a friend request from someone you don’t recognise there are a few things you can check. Do you have any friends in common? If you do not, this should raise a suspicion flag. If you can see any info on the person do you have anything else such as schools or workplaces in common? Does the profile have a photo and if so is it one that you recognise? If you cannot see any info, mutual friends or photo, it’s a definite no-no.

Even if this stuff all checks out and you are still suspicious, begin by simply sending a message to the person, asking how they know you or how they found you on Facebook. If it turns out to be a speculative friend request, my recommendation would be to ignore it and go out for a beer instead.