Hi all...
I just don't seem to write as many posts as I'd like, but I don't want this space to go to waste. If you have some topics you'd like to write about, please let me know. I'd love to add some new authors to this blog.
Let me know at matt @ binint.com or DM on Twitter @_remnant_.
Matt's Twitter
Facebook is rolling out the new Privacy options today. There are a couple good things and a couple bad things. I suggest reading this article by the EFF for a good breakdown on the new changes. Sadly, your friends still have some bearing over how your information is used. In my opinion, Applications still get way too much leeway on what personal information they are able to see, collect, and use.
To maximize your privacy, I suggest the following changes. This guide should walk you through each screen and make sure you don't miss anything important.
The basic Privacy Settings screen looks like this:
Start with the first group, Profile Information. There are several settings to update and every choice within this group should be set to "Friends Only". You'll have to click the Edit Settings button for Photo Albums and set each album to "Friends Only" as well.
The next group is Contact Information. This is how my settings look, but you may want to adjust for your own tastes.
The next group is Applications and Websites. The options here are:
For "What you share", click on Learn More and you'll see an info screen. Click the link in the very last sentence or just go here.
Click on "Edit Settings" for each application. Change the options to "Friends Only". You might want to look at the "Additional Permissions" to see if the application can post to your stream.
Also, on the top right of this screen there is the drop down box labeled "Show". Make sure you go through all of those screens so that you don't miss any applications.
A quick note about Applications... make sure you delete any Applications you aren't using. Every application has access to your personal information and this really isn't a good thing. Take it straight from the creator of Mafia Wars.
The next group within Applications and Websites is "What Your Friends Can Share About You". Uncheck everything and then click Save Changes.
The last two sections, "Blocked Applications" and "Ignore Application Invites" probably don't need to be edited.
The fourth main section is Search. In this section you will need to Uncheck "Allow Indexing" and set "Appear in Search Results" to "Friends of Friends" or "Friends Only". This section will help restrict the general public from finding your profile. Again, the point of this article and the settings presented is to protect your privacy.
The last main section is Block List and probably doesn't need to be edited at this time.
Now we've walked through the main sections to protect your privacy. This is a great first step, but as the EFF article points out
Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI."To help minimize what you're sharing with the public, you'll have to change some of this info as well.
To begin, click on "Edit My Profile" underneath your profile picture. Uncheck "Show my sex in my profile" and make sure the dropdown box underneath your birthday is set to "Don't show my birthday in my profile".
Next find the box on the lefthand pane that shows your friends. Click on the pencil and uncheck the box that says "Show my friends on my profile".
Your profile picture is displayed publicly despite your Photo Album settings. If you're not comfortable showing your picture to the world, change it to something else.
The final pieces of information will have to be removed entirely if you don't want them publicly displayed. Current City, Networks, Recent Activity, and Fan Pages are all publicly available. I deleted everything (although I really didn't have much to begin with).
To see how your new Profile looks to the public, click on Privacy Settings, Profile Information, and then Preview Profile. If there is any information displayed that you don't want, go back through the settings and remove it. Again, some things must be manually deleted.
After following these steps, the only information I have publicly displayed is my name, my fake profile picture, and one Fan Page.
Good luck changing your settings. If there was something I missed, please let me know in the comments. If you have trouble changing a setting, let me know that as well and I'll try to help you out.
Here is a news story that Jim and I participated in on Facebook and securing your private information.
http://www.wowt.com/home/headlines/67332677.html
Another article came along regarding Facebook security and hijacked applications. What I found most interesting was this quote:
On top of all these security issues, in August many Facebook users were surprised to discover the vast amounts of personal information they were revealing by their use of Facebook quizzes. Even if you limit access to your profile through privacy settings, Facebook quiz applications can see everything on your profile page when you take a quiz...or even when your friend takes one. To make matters worse, Facebook does not screen developers for trustworthiness nor do they require developers to comply with a privacy policy."...or even when your friend takes one." I've always thought that it's kind of shady that quizzes and applications can access my friends' personal data. I shy away from the apps and quizzes for this specific reason. But, are my friends providing me the same courtesy? By being on Facebook, am I putting my personal information security in my friends' hands? Facebook has done better with increased privacy settings, and hopefully users have changed those settings to be more restrictive.
If I was a malicious user, I would absolutely create as many quizzes as I could that would take advantage of the automatic data mining capabilities of Facebook.
It seems like a recurring theme on this blog lately, but be careful of what you post online.
Wow. We all know that social networking can be "bad". Here are a few recent articles.
- Exclusive: U.S. Spies Buy Stake in Firm That Monitors Blogs, Tweets
- How Social Networking Can Hurt You
- How Hackers Find Your Weak Spots
- Opinion: Twitter, Facebook Security Depends on Vigilant Developers, Sensible Users
- Researcher: Hackers Hijack Some Facebook Apps
- Facebook, Twitter users beware: Crooks are a mouse click away
- Does your social class determine your online social network?
Stan B. Walters is well known as "The Lie Guy". He gets a fair amount of press and I've attended his Kinesic Interview and Interrogation course. Stan often uses current events to illustrate his techniques and talking points. In his most recent blog post, he takes on the "Balloon Boy" family.
We now know that the balloon stunt was a hoax. Stan mentions that "it all came down to the verbal and nonverbal cues of deception generated by the Heenes." Unfortunately, he doesn't go into any detail on what he thinks those cues were. However, there are a few listed in the CNN article linked above.
Stan talks about narrative based interviews as a way of gathering information. You can learn a lot from just listening to someone talk and watching their body language. He also mentions that the interviewer needs to be aware of what signals they are giving back to the interviewee. These are a lot of the same points I tried to make in the Social Engineering Podcast and Stan's post is a good read.
I've been waiting for an Android phone to hit Verizon for a while, so I've been following some mobile phone blogs. This post from Boy Genius Report was interesting to me on the cell phone forensics front.
One of Cellebrite's selling points for forensic use is that they often get previews of new devices in order to get their units up to speed for use in the carrier's stores. The photos in the BGR post (if real) certainly give some credibility to that statement. I wonder if other cell forensic suites get similar updates.
I mentioned a few posts back that I've been helping contribute content over at Social-Engineer.org. Today they released their first podcast and I was lucky enough to be the interview guest. The podcast builds on this post I did a while back about interviewing techniques.
I think the podcast presents some useful information. Even though the topic is interrogation, pieces of the conversation should be useful in everyday interaction.
Give it a listen and let me know what you think. If you RSS and don't want to come back here to leave comments, hit me up on Twitter @_remnant_ .
Thanks to everyone over at Social-Engineer.org for making a great site and some fun times.
For those forensic folk that may have not have seen this, I did a review of FTK3 for the good folks over at Forensic 4Cast. Check it out here, http://4cast.whitfields.org/?p=438.
Also, follow the 4Cast guys on Twitter at @Schizophreud and @englishgit.
It's not hard to look around and see that people are posting way too much personal information online. There are tons of articles about it and now we can even find out if you're gay or straight.
Most of the information seems harmless and a lot of people don't care if others know about their personal lives. But how much trouble can it get you in to? One couple thinks their Twitter posts led to their burglary.
Is it that easy?! Let's find out...
Chirpcity.com let's you search tweets by location. I chose a random city from the list and then searched for all tweets mentioning "vacation".
How lucky that the first result includes a potential victim. I don't want to get a real person in trouble here and create a ready-made victim, so I'm blocking out all identifying information. Plus, I don't think this person is actually going to be gone for five weeks during the school year as their Twitter feed also says they're a student. See how quickly we can learn about someone?
Ok, so let's go look at Twitter profile.
Now we're getting somewhere. Our second webpage gave us their last name and website address. If we wanted to learn more we could check out their webpage to hopefully see what kind of stuff they might have we could steal. Now we just need to find out where they live. Cue Zabasearch.com!
This was the most recent entry was for this person. I blacked out all the personal info so it doesn't look like much, but I now have a middle initial and possible address. I guess I could double check with other people searching sites. For a low monthly fee I could even subscribe to a data mining site and have instant information that includes much more than this!
Using free resources and five minutes of my time I located a potential victim and her address. I suppose it would be worth it to spend another 30 minutes and drive by the address to scope it out. Of course, if I really was a criminal I would have found multiple victims to go check out.
I guess it really is that easy. Be careful everybody!
What does everyone use for instant messaging and VOIP? Skype is such a great product but has been plagued lately by some bad press.
It's EULA has been plaguing people for a while and the new trojan causes worries as well. With all the lawsuits, will Skype even be around in two years?
Right now there seem to be more benefits than pitfalls, as communications are encrypted and it's one of the most recognizable IM/VOIP platforms.
But for the future, are there any other good programs I should check out?
It looks like it's been a few months since the last post. Both Jim and I have been busy with work and other outside projects. I plan to start posting more often and get the site back on track.
One of the side projects Jim and I have been involved with is www.social-engineer.org. We've both contributed content to the framework and plan on being active there as well.
More soon...
As we talked previously on here before about PS3 forensics, I thought I would do a quick followup. There has been some advancement in the area of decrypting PS3s, though the process is not currently in a state that it could be considered a first stop for the average investigation.
The process requires a couple drives, the original PS3, and an amount of time. I will not be testing it out myself, but if anyone wants to try please leave a comment on how it works for you. You can see all the details up here.
Up at the Offensive Security blog, we put up a little introduction to the forensic additions to Backtrack in this new version.
I have been really enjoying the new BT, a very well put together OS. (And to think, I used to be a BSD head.) The forensic additions to it are really simple, but do the job. I tested them out quite a bit, and everything came back clean. As it is a new forensic tool, I don't suggest anyone use it until they test it out.
Any problems with the forensic side are on me. Let me know if anything comes up, but I am confident that it is going to be very useful. The offsec and remote-exploit crew really put together something special here.
Informer subscribers have access to the Pre-Final version of BT4!
With this install, all future updates will be released though a simple apt-get upgrade. So if you don't have a subscription to Informer already, do so now then not have to DL an updated version again.New version has an installer, forensic boot mode, etc etc. I have been using it for a bit here, and it is a great update to the older versions. There are a ton of videos on how to interact with it up at the Offensive-Security blog.
Subscribe to:
Posts (Atom)