Back in January of this year, I wrote about Facebook’s impending Graph Search feature (“Facebook Graph Search Cutting Bait for Phishers”) which was set to greatly improve its existing feeble search engine as well as outrage privacy watchdogs. Based upon the feedback the developers received from the small test group to which it was originally released, Facebook went back to the drawing board, and has now decided that Graph Search is ready for its debut.
Unlike the search engine we all know and use, Facebook’s new search engine will rely heavily on the various layers of data that it has accumulated on its millions of users, allowing you to perform searches that list “friends who like trucks and football” or “single women in Los Angeles who like Ethiopian food”. Obviously, the results are heavily dependent upon how much information everyone shares about themselves on Facebook, but Facebook is confident that the results will be eye-opening.
What this means for you:
If you haven’t heard me mention it before, there’s no better time than the present to log into your Facebook account and check your privacy settings, even if you don’t use it often, or you haven’t updated your profile since you created the account oh so many years ago. If you haven’t logged into Facebook in the past year, they have made a lot of changes to settings and security that will probably bewilder the savviest of users. I linked a guide written by the EFF on Facebook’s privacy settings here: “Tighten Up Your Facebook Security”, and Facebook is also taking a more proactive approach by warning you when you log in that Graph Search is coming and providing you a link to your privacy settings.
Yesterday I posted about the real possibility of cybercriminals and spammers using Facebook’s upcoming “Graph Search” as a means to easily sort out and research potential targets. The Electronic Frontier Foundation, ever on the lookout for our privacy (even when we won’t do it ourselves), has put together an excellent guide on all the settings you should review in Facebook to make sure the data you want to be hidden from the general public stays that way.
What this means for you:
If you’ve ever taken a stroll (or even a dedicated walkthrough) of Facebook’s privacy settings, you probably gave it up for being unnecessary and complicated. Hopefully my previous article made you reconsider the “unnecessary” stance, and now EFF gives you a step-by-step guide to setting the privacy settings to what you want them to be. The only thing better would be having me sitting with you personally to go through each step and doing it for you. I could totally do that if you like, but while I was doing it, I’d be giving you a (possibly boring) lecture on why you should be learning how to do this for yourself, etc. Your privacy and security are important enough that you should understand exactly how Facebook shares your personal information. We are entering a period of time where getting duped by hackers is moving from nuisance to an actual threat to your livelihood and possibly even your personal safety, and the best defense is knowledge and preparedness.
Remember the announcement of Facebook’s new “Graph Search” feature? No? I don’t blame you. Until most folks can get their hands on it and see what it can do with data from people they know, it’s hard to envision how Facebook’s “innovation” is important. Security analysts, of course, eat and breathe this stuff, and as they are trained (and expected) to do, they have extrapolated how this powerful social media search tool could be put to nefarious use. Christopher Hadnagy (Social-Engineer.org) put it succinctly:
Usually, a phisher or spammer collects a couple hundred email addresses and they’re hoping 10 percent of those who get it have an interest in what the email is about. With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests.
In case you aren’t aware how “phishing” works, the core conceit is focused on fooling the reader into clicking on links and providing confidential information to a counterfeit website. Phishing is most effective when the target gets an email that seems legitimate, e.g. using graphics and a fake address from a bank with which they already do business. Instead of having to rely on statistical probability, phishers can now target with ruthless efficiency any data available through Facebook’s Graph Search.
What this means for you:
If you are an avid user of Facebook with a tendency to openly share just about everything through social media, your data is already out there and viewable. If you are a casual Facebook user, but haven’t taken the time to adjust your privacy settings, your data is already out there and viewable. Nothing has changed in that regard. However, up until now, you had a very, very thin layer of protection through the concept of “security through obscurity”. In other words, the sheer, overwhelming amount of data that is available greatly reduces your chances of being randomly identified and targeted. Think of it as wandering into the Library of Congress where the only way to find something was to know exactly what it was called and where it was located physically in the building.
Facebook’s Graph Search gives anyone the ability to search for anything in Facebook using a natural language query like, “Show me all the books on 19th century bridges built in the US with wood.” If those books are in the library and are viewable to the public, then they would be delivered in a tidy page that could be reloaded and refreshed whenever the search was needed. Here’s the key: the data is viewable only by those to whom you’ve granted permission to view. If you allow the public to see your contact information and “Likes”, that data will be viewable by not only your friends, but the internet, including the aforementioned phishers. If you haven’t reviewed the privacy and security permissions on your Facebook account, now is a good time to do so.