An IT/business magazine called Information Age, apparently aimed at executives with interest and responsibilities in IT, hit my letterbox this morning. That’s an actual magazine with real paper pages: remember those? Seeing as it’s Saturday, I took it back to bed with me to look through while I had the first coffee of the day, and found an interesting opinion piece called Trapped in the Matrix (you can read it online here, if you’re interested).
The anonymous author tells how her Facebook account was hacked, she thinks by a "technically savvy, vindictive ex-boyfriend". Not an uncommon scenario, unfortunately: it’s a recurring theme on a "security clinic" page to which I contribute.
In this case, the victim’s page was "awash with libellous material" causing her to worry about her job, friends and reputation. Not nice for her, but equally disquieting is the inadequacy of the responses she reports receiving from Facebook:
She also cites an article in the New York Times by Maria Aspan, called "How Sticky is Facebook Membership? Just Try Breaking Free", so I looked for that too. Fascinating. And possibly useful: it includes a couple of resources for people who are determined to get their Facebook accounts deleted, a task that seems to be on a par with jelly-herding and nailing cats to the wall. Or something like that.
Apparently one Magnus Wallin of Stockholm has founded a Facebook group, “How to permanently delete your facebook account” which at the time the article was written (about a year ago) was close to reaching 4,300 members. While I’m having a hard time getting my head round the idea of a Facebook group about deleting Facebook accounts – is that something like a prison camp escape committee? – the size of that group certainly tells us something about the size of the problem.
The "Matrix" author also claims that if you google "hacked Facebook account" you’ll get "not a list of sites committed to helping victims, but a list of sites teaching people how to hack into accounts". Actually, I’d expect to get both types of hit to that search term, plus requests from hacked Facebook account holders asking for help: and when I tried it, that’s pretty much what I got. Looking at some of those links in detail, I found an interesting mixture:
In general, the most successful Facebook attack is probably phishing via Facebook messaging or other messaging systems, including standard email. Typically, this is designed either to trick people into sharing their passwords directly, or to persuade them to run malicious programs like Koobface by passing them off as patches, videos and so on. One particularly feeble-minded attack is to pass round snippets of JavaScript and suggest to the potential victim that he should paste them into his address bar and "see what happens". Not recommended…
Security companies are well aware of the general problems with social network sites, but sometimes threats are difficult to track, due to the proprietary nature of the network. So while you should certainly have and maintain security software such as antimalware (I can recommend a good scanner if you don’t have one!!!) you shouldn’t rely on it to save you from thinking about your own security. It never ceases to amuse me that so many users of social networking sites want to be my friend. The thing to be aware of is that on the Internet, not everyone who seems friendly has benevolent intentions.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence