1. A top cyber security expert tells you how to be safe on social networks

    David Gewirtz

    Events of the last few weeks have shown the world how important social media can be. Most of the news about events in Iran has come from Facebook pages and Twitter. Some are even calling the events in Iran a social media revolution. We can only imagine how vital these links are to those in that besieged country at this time.

    But there’s a dark side to social networking too. As Facebook and Twitter become more popular, there are those who would use them to scam, rob, and do worse. There have been reports of criminals using Twitter and Facebook to track people’s movements in order to rob, stalk, and assault them. Even now, cyber criminals are at work on new ways to exploit social networking.
    Social networks are a fun and exciting way to reach out to friends and family, but they are also a potentially dangerous place. Learn to protect yourself. Don’t miss a word of this interview with David Gewirtz.
    David Gewirtz is the Cyberterrorism Advisor for the International Association for Counterterrorism & Security Professionals and a columnist for The Journal of Counterterrorism and Homeland Security. He is a member of the FBI’s InfraGard program, the security partnership between the FBI and industry.
    He is also author of the book, Where Have All The Emails Gone? How Something as Seemingly Benign as White House Email Can Have Freaky National Security Consequences, which explores the controversy from a technical perspective.
    DD: What are the dangers of social networking on Facebook and how can you protect yourself?
    DG: I’ve broken it out into four categories: employment, reputation, malware, and physical risk.

    On the employment side, saying the wrong thing online can lead to career suicide, especially since employers and prospective employers are likely to see what you say. There are also liability issues if you say something about an employer; someone who might be in litigation with your company could use your statements against them.

    On the reputation side, something you say now could haunt you for years into the future. People have been known to post the most inappropriate things, which then stick with them for years. Imagine dating someone and having them do a Google search and the first thing they find is the day you got dumped, and so you posted about how much you hate the opposite sex. Or something you did that was borderline illegal. If you want a big job, sometime in the future, these posts could keep you out of the game.

    Malware, phishing and identity scams can cause you serious financial loss. Posting personally-identifiable information helps criminals build a profile about you, and enough awareness about your friends, interests, habits that they can pose as someone you know and con you out of way too much money.

    In the case of physical security and stalking, social networks give stalkers and other scary people an almost minute-by-minute update on your habits and haunts. Even thinking about that is scary.

    There are two rules to protecting yourself: think before you post and don’t post personally-identifiable information, such as addresses, phone numbers, and especially birthdates.

    DD: In a recent article you mentioned new scams that involved online banking. Can you describe how these scams work and what should we watch out for?
    DG: Oh, they are legion, changing constantly, and highly creative. One of the most common is called phishing, where a criminal organization tries to fool you into thinking you’re on your bank’s Web site when, in fact, you’re on a clone that looks identical, typing everything they need to suck you dry. There’s a form of phishing called spear phishing, where criminals target specific individuals by gathering lots of detailed information and using that in the scam.

    What to watch out for: don’t give out personally-identifiable information and don’t go to your bank’s web site from an email or Facebook posting.

    DD: Recently, I received emails claiming to be from one of my email providers, saying they were going to delete all of my email if "I did not take action” and they needed my user name and password. I’m a little paranoid, so I deleted it and checked that my Norton was on. Is this a new type of scam?
    DG: Yes, it’s a scam. Even if it weren’t, which would be worse? Losing all your email or letting some criminal have access to your email identity and then do things like retrieve passwords to your banking system? But it’s a scam. No legitimate provider will ever, ever, ever ask you for your user name and password. Ever.

    DD: How can malware enter your computer if you use good security software such as Norton or similar, and keep it updated? Are you still vulnerable to attack?
    DG: Yes it can, and that’s something very scary. Much of the security source code for our anti-virus and anti-malware products has been provided to nation states such as China as a condition of being allowed to sell into their country. Of course, those countries are often the ones that do the online scamming and penetration, so it’s kind of like hanging your house key on a ribbon on your front door.

    The best answer is to keep updating virus definitions and keep paying attention to the security space as more and more information is known. This is an arms race and as the good guys develop protections, the bad guys develop penetrations and on and on and on. I know it’s scary. I wish it weren’t.

    DD: There are obviously some vitally important news applications for Twitter, but it seems very unwise to broadcast one’s movements on an open network. Have there been security problems resulting from these practices? And are there precautions that people should take when using Twitter to avoid being victimized?
    DG: Yes. I strongly recommend being somewhat circumspect with your movements. If you want to tell people you’re going to a restaurant, it’s perfectly fine to tweet "I’m going to a restaurant". But don’t specify which one. But, really, there’s no good reason to be that public about your movements. Remember, Twitter and Facebook aren’t relations just between you and your friends. Everyone can see what you say.

    DD: I make it a practice to post events on Facebook only after they have happened. I also follow this practice in my column. I am not worried about my friends’ behavior, but I have no way of controlling who they allow to see their pages. Am I being paranoid?
    DG: As much as we’d like to say there’s no risk, imagine if you’ve got a jilted boyfriend or someone who’s been stalking you. Back before I was married, I dated my share of wackos and had one or two scary stalking situations. Now, I’m a big guy and can handle just about anything, but if you’re not able to protect yourself, letting someone who’s out to do you harm know exactly where you are is dangerous.

    Even letting people know where you’ve been can be an issue if a habit profile can be derived. Better safe than sorry. Besides, how many people really need to know what you had for lunch today? Really?

    DD: What aspects of social networking seem the most benign, but are actually the most dangerous?
    DG: I think the term "friend" in Facebook is a real problem because somewhere, deep down in our animal brain, once we hear "friend", we think the people on the list are people to trust. I would far prefer Facebook use the term "contact" or "connection" or even "people I know". Also, now that people "friend" me, I have to think about which of these people I want to have it known are my friends.

    I wrote in FrontLine Security that I don’t use Facebook all that much, but generally have allowed fans to "friend" me because it just seemed polite to honor their enthusiasm for my work. But when I looked at one fan who asked to friend me who happened to be from Europe, I noticed his Facebook page said he was a member of the Communist party. Now, I work with homeland security, law enforcement, and am part of a special FBI program and the last thing I wanted was a so-called friend who was a Communist.

    I had another instance of a fan who I’d allowed to friend me who suddenly sent me an invite to attend his birthday party, where (and this was obviously a joke) "turning 27 means party hats, heroin, and dead hookers". Even in jest, I can’t have someone who says stuff like that as a friend or even a "friend".

    In both cases, I didn’t know these people.

    There are a bunch of other risk areas, but I really think the questions asked like "What’s on your mind?" and "What are you doing?" can be the most risky. Speaking personally, it’s never, ever a good idea for me to share what’s actually on my mind! Although, sadly, if you really were able to look inside my head, you’d probably see a mix of images of my wife, big, juicy steaks, chocolate, and the latest Playstation games.

    DD: Finally, how can we interact, do business, keep in touch, and be safe? Is it too much to ask?
    DG: It’s really pretty simple. Be smart. If you wouldn’t run naked through your local town hall or library with your whoo-hah showing, you probably shouldn’t do the verbal equivalent online. Be a little paranoid. If you wouldn’t give your car keys to every stranger you encounter, don’t give your passwords out to every email you get. If you wouldn’t bring someone’s can full of rotting garbage into your home just because they asked, don’t open attachments or run programs just because someone asks you.

    As Ronald Reagan once said, "trust, but verify". Interpreting what he meant for today’s world: keep an open mind, but don’t let an open mind also be an open wallet or open computer.

    For more information about David Gewirtz or security related issues, visit http://www.davidgewirtz.com