
There are a lot of things that I encounter that most people don’t due to the nature of my work.  And honestly, many of the problems I’m called upon to fix can be avoided by taking simple steps to practice what I’d like to think is “common sense” security with a healthy dose of mild paranoia.

That being said, here are my top 5 Facebook security tips, to help you learn some of these common sense techniques while employing that healthy dose of mild paranoia.

Tip #1: Assume that Facebook (or any social network for that matter) is not secure.

I know you read all the social networking articles about how Facebook has upgraded its security, changed its security settings to protect you better, and so on and so forth.  However, about the same number of news articles report how the Facebook security settings didn’t work as intended and let everyone view your profile information or your friends list, how some hacker accessed the account information of hundreds or thousands of users, exposing login credentials and other personal data, and the list of flaws goes on.

The point is, as long as there are hackers and identity thieves, there will be flaws in even the most promising security. Assume that nothing is secure.

Tip #2: Don’t post anything you would not want a stranger to see.

Just recently, a friend of mine saw that two of his Facebook connections had posted their new cell phone number on their wall. When my friend decided to call them out on such behavior, the two friends replied that only their select friends could see the post based on the security setting used when posting.  See Tip #1 above if you believe that the information you’ve posted and set to secure is indeed secure.

Tip #3: Social engineering is the hacker’s tool of choice.

Social engineering is the art of becoming friendly with a person and thereby gaining their trust. Once trust is established, the attacker can casually get the target to disclose personal information, easily and effortlessly.

As part of their assignment in my computer security courses, my students are taught how to employ social engineering and are then assigned to simply watch for signs that someone is using it. One student took those skills to a cell phone kiosk and, while chatting casually with a woman about the cell phone she was using, learned her 4-digit PIN for locking her phone and that she used that number for everything, including ATMs.  By the end of the conversation, he knew where she worked, her full name, and what she did for a living. He did all this by pretending he wanted to buy the phone she was holding in her hand! He was shocked not only that he was able to get this information out of her effortlessly, but that he, with little training, was able to accomplish it.

Keep in mind that most hackers don’t need complex scripts or tools to betray you. You give them the information freely every day.  And if you have any doubt about that, think about how many times you hear people disclosing personal information while on their cell phones near you!

Tip #4: Pay attention to your friends.

The biggest sign that something isn’t right is when your friends start behaving in ways that are not common for them to behave. What I mean by that is, recently, I had one of my Facebook friends inbox me that she was in the U.K. stranded and needed some money to get home.  As it turned out, her account was hacked and this message went to all her friends.  I knew she wasn’t in the U.K. but had just launched a new solo business. Because I was paying attention to her posts and the way she interacts, I didn’t fall for the scam.

Many times, account hacks are not so easily detected. For example, a teen received a link from a friend in Facebook chat. The friend always sends various links to him via the chat. The sad news was that the link was to a malware site that totally destroyed his laptop.  This situation leads me to Tip # 5 below.

Tip #5: Always err on the side of caution.

This is where the healthy dose of paranoia comes in.

As in the case of the teen given the link in Tip #4 above, the teen should always reply to the friend before clicking the link.  If the hacker is on the friend’s account, one of two things will happen: either he/she won’t respond to the chat ping, or they will not be able to answer a question about the link properly.

Let me explain.  Let’s say that this teen and his friend normally share links having to do with monster trucks because they both love them, but they hate crossovers and SUVs.  The teen could have responded to the chat link with the message, “Is this another video about that awesome Cadillac Escalade?”  A hacker, not knowing that they’re being baited, will respond “Yes!”, thinking that is the appropriate response. If the friend legitimately sent the link, the friend will immediately ask whether a hacker is on the account, because his friend would never respond like that!

The point is, there is a way to test your friends using intimate details about your relationship that only the two of you know and that have not been publicly announced on your Facebook wall. Obviously, if this teen and his friends bash crossovers or SUVs in public, then this example might not work. But I think you get the picture.

Remember, security is a process – not an endpoint.


I have to admire what Google has done to try to stay on top of security issues. Kudos to Google for recording my IP address and alerting me when I sign in that another IP address has accessed my account. Thank you Google.

But! I about had a heart attack this morning!

I use my gmail account for a ton of reasons – mainly, I am too involved on the web to open my Thunderbird – which I now hate since upgrading to the 3.0 version. But that’s another story for another blog post.

Anyway, I log in this morning to check out the last minute details about the radio show this morning (which was AWESOME I might add!), and they notify me that my account has been accessed by another IP address. YIKES!

Did I get compromised by corresponding with a certain individual who has had his network taken over by the hacking underground? Did I tick off someone with an article, a blog post? WTF?

What is important to note in this post is that I remembered what I did the day before which helped me track down the culprit. And this is what I want you to learn from this. Don’t panic!

Gmail advised me to change my password. I’m using 344 bit encryption in my password. It’s over 30 characters long! How could anyone have hacked that?

So I copied the IP address that they said was the one that accessed my email account. The culprit came from 209.18.68.125.  Ok, good! I have an IP address of the lousy hacker.

I do a search on WhatIsMyIp.com and find this:

[Image: What Is My IP lookup result for the reported address]

That still tells me nothing! As far as I know, I haven’t ticked off any hackers in New Jersey!  But it’s also a corporate network, which adds to my suspicion that this isn’t a hack at all. Hackers wouldn’t use a corporate network! At least not REAL hackers!

Okay, so then whom might that be?

That’s when my thoughts raced back to what I did yesterday.  I did allow a new website to access my Gmail contacts so I could tell them that I was now on a new social networking site.  What the heck was the name of it? Oh yes! IMfaceplate.com! (If you want to see my profile, it’s here: DebbieMahler)

So, now I do a “Whois” lookup for IMfaceplate.com!  And in the image below you’ll see where I put a red box around the Name Servers for the website:

[Image: whois lookup for IMfaceplate.com, with the Name Servers boxed in red]

Now, look between the first graphic of my WhatIs look up of the IP address and the second graphic of the WhoIs look up. See how easy that was!

So, when I allowed the site access to my Gmail account so I could grab my contacts list, it actually logged into my account and Gmail recorded the IP address! Pretty cool security feature, I must say! But also a huge panic attack on my part this morning!

The take-away from this post is, don’t panic if you get the notice from Gmail that you’ve been hacked. Do a simple look up like I have and see if it jogs your memory about what you were doing the day of or before the alleged hack attack.
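The correlation step above (does the alert IP fall inside the netblock of a service I authorized yesterday?) can be done without eyeballing two screenshots. The following is an added example, not code from the original post: the whois records and the list of authorized services are constructed (documentation address ranges and fictional organization names), and in real use you would paste in the output of `whois <ip>` and the netblocks of the services you remember granting access to.

```python
"""Correlate an account-activity alert IP with a service the owner authorized.

Added example (not from the original post). All whois text and service
netblocks below are constructed; replace them with real `whois` output.
"""
import ipaddress
import re

# Constructed: what an ARIN-style `whois` answer for the alert IP roughly looks like.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-HOSTING
OrgName:        Example Hosting LLC
StateProv:      NJ
"""

# Constructed: a whois answer for an address nobody remembers authorizing.
UNKNOWN_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Unrelated Colo Inc
"""

# Constructed: services the owner granted access to, with the netblocks that
# their web hosts / name servers resolved to (the second lookup in the post).
AUTHORIZED_SERVICES = {
    "contact importer authorized yesterday": ["203.0.113.0/24"],
    "home broadband connection": ["198.51.100.0/24"],
}


def parse_cidrs(whois_text):
    """Pull every CIDR line out of a whois record (some registries list several)."""
    cidrs = []
    for line in whois_text.splitlines():
        m = re.match(r"^CIDR:\s*(.+)$", line.strip())
        if m:
            for token in m.group(1).split(","):
                cidrs.append(ipaddress.ip_network(token.strip(), strict=False))
    return cidrs


def parse_field(whois_text, field):
    """Return the first value of a whois field such as OrgName, or None."""
    for line in whois_text.splitlines():
        if line.startswith(field + ":"):
            return line.split(":", 1)[1].strip()
    return None


def explain_login(ip, whois_text, authorized=AUTHORIZED_SERVICES):
    """Return (service_name, org) if the login IP is explained by an authorized
    service, or (None, org) if it is not, in which case change the password
    and sign out other sessions rather than shrugging it off."""
    addr = ipaddress.ip_address(ip)
    org = parse_field(whois_text, "OrgName")
    whois_blocks = parse_cidrs(whois_text)
    for service, blocks in authorized.items():
        for block in blocks:
            net = ipaddress.ip_network(block, strict=False)
            # Match either the alert IP itself, or the whole netblock that whois
            # attributes to it (the alert IP need not be the name server's IP).
            if addr in net or any(wb.subnet_of(net) for wb in whois_blocks):
                return service, org
    return None, org


if __name__ == "__main__":
    print(explain_login("203.0.113.77", SAMPLE_WHOIS))
    print(explain_login("192.0.2.10", UNKNOWN_WHOIS))
```

The negative branch matters as much as the positive one: an IP that matches nothing you authorized is exactly the case where "don't panic" stops applying and the password change is not optional.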

If you still can’t find the culprit, change your password. I’m not going to preach about passwords in this post because I’ve written articles about how to create a secure password until I’m blue in the face!  But if you must have a refresher course, here’s an easy read.

That being said, I was not hacked, but I did change my 30+ character password anyway!

Now, I would be remiss in commenting about this IMFaceplate.com while I’m on the subject. I don’t know if it’s going to catch on.  It’s simple enough to sign up for an account but do we really need another social networking site? I mean really?

That aside, I met the owner on my twitter account. I kind of got spammed – so to speak – but that’s another post too! Suffice it to say that after getting off to a rather shaky start, he’s really a good guy trying to promote his business.  Luke Risley, (@BIGtime222) is really a nice person and a great new twitter friend.

Now, whether I need a new social network or not, I’m supporting him in his endeavor and signed up! Ya never know, it might be the next big thing! You just can’t tell these days!


In the last edition of the Technical Tidbits™ Newsletter, I promised to explain why my blog structure suddenly appeared exposed prompting readers to ask me, “Was your blog hacked?”

First of all, no, my blog was not hacked. Although I must tell you that many have tried and continue to try!

As my students have learned, exposing the structure of a website – as in what happened to my blog recently – is a big security hazard. That’s why I’m really upset with how it happened and more notably, who did it!

When you host your domain on a shared hosting server, the terms of your paid service limit how much of the server’s resources (CPU, memory, bandwidth) your site may consume. If your site exceeds the demand the hosting company thinks you should be placing on it for a sustained period, they will do whatever they need to do to stop the drain.

In LunarPages’ defense, and that of any web hosting company, it is unfair for one person to drain the resources of a server and cause everyone else sharing that server to suffer.

What I take exception to in this case is that LunarPages didn’t warn me; they just disabled the front page of my blog, the index.php page, by renaming it to something else to stop the draw. With no index file left in the document root and directory indexing enabled on the server, the web server answered requests for my front page with an automatically generated directory listing, which exposed my entire blog installation, folders, files and all, to the public.

Why is this bad?

The short version is, if a hacker or person with malicious intent can see the structure of the installation, they can read off the software in use: the directory names reveal that it is WordPress and which plugins and themes are installed, and a directory listing often carries the web server’s version banner in its footer, which in turn hints at the operating system. Once that’s determined, the person can look for a known vulnerability in any of those components to use as a method of attack.

Seeing my folder structure also marks the site as insecure, which prompts a malicious user to search even harder for a way in.
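To make concrete what an attacker reads off such a listing, here is an added example (not the post’s script, and not anything LunarPages provides) that recognizes an Apache-style directory listing and pulls out the exposed component names and the server banner. The HTML is a constructed imitation of an autoindex page for a WordPress plugins directory; the plugin names other than akismet are made up.

```python
"""Spot an exposed directory listing and show what it leaks.

Added example, not from the original post. SAMPLE_LISTING is a constructed
imitation of an Apache autoindex page; feed real page bodies to the functions.
"""
from html.parser import HTMLParser

# Constructed sample: plugin directory names and the server banner are fictional.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<pre><a href="?C=N;O=D">Name</a>
<a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>                  2010-04-01 10:12    -
<a href="example-connect/">example-connect/</a>  2010-05-02 09:30    -
<a href="example-rating/">example-rating/</a>    2010-05-02 09:31    -
<a href="hello.php">hello.php</a>                2010-01-15 08:00   2.1K
</pre><address>Apache/2.2.14 (Unix) Server at example.com Port 80</address>
</body></html>"""


class _AutoindexParser(HTMLParser):
    """Collects the title, every link target, and the <address> footer."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self.address = ""
        self._in_title = False
        self._in_address = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "address":
            self._in_address = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "address":
            self._in_address = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_address:
            self.address += data


def parse_listing(html):
    parser = _AutoindexParser()
    parser.feed(html)
    parser.close()
    return parser


def is_directory_listing(html):
    """Apache's autoindex module titles its pages 'Index of /path'."""
    return parse_listing(html).title.strip().startswith("Index of ")


def exposed_components(html):
    """Names an attacker reads straight off the listing: plugin/theme
    directories and loose files. Sort links ('?C=...') and the parent
    directory link (absolute path) are navigation, not content."""
    entries = []
    for href in parse_listing(html).hrefs:
        if href.startswith("?") or href.startswith("/") or href == "../":
            continue
        entries.append(href.rstrip("/"))
    return entries


def server_banner(html):
    """The version string Apache appends when ServerSignature is on, or None."""
    return parse_listing(html).address.strip() or None


if __name__ == "__main__":
    if is_directory_listing(SAMPLE_LISTING):
        print("exposed:", exposed_components(SAMPLE_LISTING))
        print("banner:", server_banner(SAMPLE_LISTING))
```

Run against your own site by fetching `/wp-content/plugins/` and `/wp-content/themes/` and passing the body in; a result of `True` from `is_directory_listing` is the condition described in this post, and each name returned is a component whose version an attacker can go look up.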

As soon as I found that my front page (index.php) had been disabled, I discovered that something on my front page was pulling too many resources from the server prompting the shut down of my blogs front page.

Two plug-ins could have possibly been the culprit and I disabled them immediately and put the page back in place. The two extremely active plug-ins that day were the Facebook Connect, and GDI Star Rating plug-ins.

So, I confirmed with the LunarPages engineers that my site was no longer drawing excess resources, they monitored it for three days to make sure it had stopped, and all is back to normal.

Now, notice I said the “engineers” were monitoring my site? Herein lies the problem with this event. Engineers are very good at what they do but they had no clue why I was so upset about the disabling of my front page. They did not understand the security risk they had put me in!
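The one-line guard that would have turned this incident into a harmless error page instead of an exposed installation, as an added example (my own configuration, not the post’s or LunarPages’), assuming an Apache host that honors `Options` and `DirectoryIndex` in `.htaccess`:

```apache
# .htaccess in the WordPress document root (added example, not from the post).
# Assumes Apache with AllowOverride permitting Options and Indexes here.

# Never fall back to an auto-generated listing when the index file is missing
# or has been renamed out of the way.
Options -Indexes

# If index.php is ever removed, serve a plain placeholder index.html (keep one
# in place) rather than a listing or an error.
DirectoryIndex index.php index.html

# Drop the version footer from any listing or error page that does get served.
ServerSignature Off

# ServerTokens Prod cannot be set in .htaccess; put it in httpd.conf to trim
# the Server header to just "Apache".
```

WordPress itself ships an empty `index.php` inside `wp-content/`, `wp-content/plugins/` and `wp-content/themes/` for exactly this reason; the root `index.php` is the one that has no such backstop unless you give it one.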

In turn, I vowed that this would NOT happen again so in order to monitor what activity was taking place on and within my blog I installed a special little script. This script actually surprised me with how well it worked! I have over 3000 lines of information with some very interesting data! But I will explain that in an upcoming newsletter. I want my newsletter subscribers to hear about this first!

This also prompted me to think about how many of you are running WP blog sites and are clueless, or nearly so, about your WP security.

So, I decided to create a Mother’s Day offer, or sale, if you will. For one week only from May 9, 2010 (Mother’s Day) through 11:59:59 PM CDT on Saturday, May 15, 2010, I will secure your WordPress Blog for $50. And that will include installing my nifty new script and I’ll tell you how to read the results if needed.

What does it include?

  • Removal of your default admin account, if you have it, and replacement with a proper, secure login.
  • Check out the security settings within your site and your database and make adjustments as needed.
  • Install the basic security plugins that you should have installed.
  • Check your users for a hidden admin account.
  • Check your database for malware code.
  • Install my script and accompanying file to monitor all activity on your site.
  • Teach you how to read the results – if necessary.
  • And if you require upgrading at all, I will back-up everything and install your upgrades.

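Two of the items above, the hidden admin check and the database malware check, come down to queries anyone with phpMyAdmin access can run themselves. The following is an added example, not the script or procedure the post sells; it assumes a stock WordPress schema with the default `wp_` table prefix (adjust the prefix, including the one embedded in the `wp_capabilities` meta key, if yours differs).

```sql
-- Added example, not the post's own script. Assumes the default wp_ prefix.

-- 1. Every account holding the administrator role, whatever it calls itself.
--    Roles live in usermeta, so an admin inserted directly into the database
--    shows up here even if it never appears in the dashboard user list.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

-- 2. The stock 'admin' login that the offer above replaces.
SELECT ID, user_login FROM wp_users WHERE user_login = 'admin';

-- 3. Injected markup and obfuscated PHP most often land in post content
--    and in options (widgets, theme settings). Review hits by hand: a
--    legitimate video embed also contains <iframe.
SELECT ID, post_title, post_type, post_modified
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%eval(%'
   OR post_content LIKE '%base64_decode(%';

SELECT option_id, option_name, LEFT(option_value, 80) AS preview
FROM wp_options
WHERE option_value LIKE '%<script%'
   OR option_value LIKE '%eval(%'
   OR option_value LIKE '%base64_decode(%';
```

The capabilities query is the important one: a second administrator with an innocuous login and no posts is the usual leftover of a compromise, and it survives a password change on the account you know about.
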
Now if that’s not an offer you can’t refuse, I don’t know what is!  I normally charge $99 just to secure a site and it doesn’t include all these extras. So, if you’ve been thinking you need to do something about your security, now’s the time to do it!

Once I’ve received your payment, I will contact you to get your site information. Do not send any identifying blog logins or passwords into the payment order form or on this site! I will get them from you securely.

Make your choice of paying by Paypal or Google Checkout and get peace of mind today!
