Facebook: A Hacker's Point of View

Hacking a Needle in a Haystack
Face Facebook with the mind of a hacker
FBPS

Source: Mid Rivers Magazine

By: Mary Anne O'Toole Holley
Date: March 2010


There are more than 300 million active users on Facebook, and the fastest-growing demographic is users aged 35 and up. It’s the top-ranking social networking site in the world, and about half of those users log on every day.

We may be older and wiser, but we’re also more likely than teens to want to reconnect with old friends. We want to get in on the fun.

You may be one in a million who use Facebook, or make that one in 300 million. You may also count yourself among the safest of the safe Internet users. You have anti-spyware, firewalls and every security update imaginable on your computer. But don’t get a false sense of security. You may not be able to win the lottery, but you can get picked as the hackee du jour on Facebook.

Your Facebook postings, messages, photographs and even personal chats are never safe from hackers, and what’s worse, hackers can use the Facebook doorway to delve so deep into your life that there’ll be no turning back.

It was early morning when the telephone started ringing. Friends, officially “Facebook Friends,” were calling to see if I was in trouble.

My “friends” on Facebook had received a Facebook message saying I was stranded in London after being beaten and robbed of all my money and identification. The message said I needed money immediately to fly home, and that the Embassy was trying to help me.

“I knew you weren’t in London, but the odd thing was, it appeared that you were available online to chat,” said Patty Apo of St. Peters. “I was chatting with someone who claimed to be you. The hacker had the nerve to chat with me online, telling me to send money through Western Union.”

Luckily, my “Facebook Friends” all laughed at the message. First, because they knew I wasn’t in London, and second, they knew that I knew they certainly didn’t have any money.

A Cape Girardeau woman wasn’t as fortunate. She made the news after she was duped out of $2,500 by the same scam message, sent through Facebook by someone posing as her real-life friend and claiming to be stuck in England in need of emergency funds.

It began when Grace Parry realized she could not access her Facebook account. Police said someone hacked into the account, posed as Parry and sent out messages saying she and her husband were being detained in London and needed money.

A friend of Parry’s got several of those messages, as well as a call from a man with a British accent who claimed to be an immigration official.

Cape Girardeau police spokesman Sgt. Jason Selzer said, “She sent three different wire transfers to London.”

Selzer said there’s probably no good way for the woman who was scammed to get her money back, and that there’s no 100 percent guaranteed way to protect yourself online. He encouraged people to change their passwords often and to be careful about posting personal information on Facebook.

In other cases, Trojans are picked up on Facebook, and that’s what you really have to worry about. In one case, hackers stole a woman’s Facebook account and started sending pornographic photos to her Facebook friends. The cases go on and on. Police can’t help, and trying to reach a Facebook “human” is next to impossible.

Hacking tips from a “hacker for hire”

Cyber crime is rapidly spreading on Facebook. Fraudsters prey on users who think the world's top social networking site is a safe haven on the Internet.

Dave Chronister owns Parameter Security of O’Fallon, an “ethical hacking” company, with his wife, Renee. He says that in order to beat a hacker, you have to think like one.

“The real danger lies in not getting hacked on Facebook, but the information you put on Facebook,” says Chronister. “Just because there are 300 million people using Facebook, most people think it’s safe. But you gotta ask yourself, ‘Why is New York more dangerous than O’Fallon?’ Because there are more people and more criminals.”

Chronister adds, “There are a lot of computer illiterate people on Facebook, and it’s a treasure trove for criminals, especially with Facebook’s idea of not locking down their system. I can put an application out there on Facebook and take control of 10,000 machines. Then, pull the application and get off, and they’d never find me.”

Run a search for “Facebook hacking” and you’ll get 730,000 results offering free Facebook hacking software downloads, along with instructions on how to lift passwords.

Cyber crime is spreading fast on Facebook because such scams target and exploit those naive to the dark side of social networking, Chronister said.

“Facebook is the social network du jour. Attackers go where the people go. Always,” said Mary Landesman, a senior researcher at Web security company ScanSafe.

In the cases cited here, the hackers knew how to get passwords. They then changed the contact email address on the account to a new one in the victim’s name, set up on a public webmail service such as MSN Live or Google Mail, and went about their hacking business.

Getting that fraudulent email account deleted, so other scams aren’t perpetrated in your name, is another story and a long, hard road.

Facebook Applications: “Danger Will Robinson”

If the cyber criminals want to get someone’s personal information, they can easily do it through social networking sites, Chronister said.

“Facebook is a cesspool when it comes to malware,” said Chronister. “It comes down to the Facebook applications—the simple, innocent-looking applications that ask things like, ‘How many children will I have, or who would you want to be stranded on an island with.’ The applications are created by other companies, and there are a lot of applications that Facebook doesn’t test.”

Chronister said cyber criminals have started embedding malicious code in these applications so they can steal your password. When you use an application, you give it permission to grab information from your account.

“I found one application had a Trojan embedded that would get on your system and have full access to your computer,” Chronister said. “They can watch your keystrokes, see your financial data, turn on your webcam and watch you, and do pretty much anything on your computer they want to do.”

Facebook says the applications are third-party programs and not its problem, Chronister said.

“If you’ve gotten on to an application and there is malware, chances are that it could already have attacked your system,” Chronister said. “Trojans and viruses can be caught with an antivirus program, but most hackers know how to make something undetectable. Antivirus software will create a definition, matching the pattern of it, then hackers will change the makeup of the virus. I’m not a programmer, but I can make a Trojan in about 15 minutes.”

He adds, “If the guy is good enough to create a program for Facebook, he’s good enough to create a Trojan. They aren’t very sophisticated and if you’re running the application on your local computer, even if it’s on Facebook, it’s running on your system. If there is malware on it, it can have full access to your system. If your antivirus software can’t find it, the only way to get rid of it is to reformat your system. Trojans scare me to death. If I think I have them, I reformat. When you reformat, you lose everything on your system, but it’s the only way you can get rid of them.”

Hacking happens to the best

Chronister is hired by companies to test their networks. When a company comes to him, he’s often asked to look at the people who work there and the vulnerabilities they may have on their computers.

“I become the bad guy for this engagement, and I become a hacker. The big difference is that once I am able to get in, I tell them this is how I was able to get in and how you can strengthen your network,” said Chronister, who works with numerous financial institutions, healthcare companies and companies that take credit card information. “They have to trust me. I look at Facebook, MySpace, Twitter, and I can find out a lot about a person. If I’m able to link a person who works at the company and know they’re a big Corvette fan, I start to email info on Corvettes. They’ll click on it. It gives me a peek into their life and makes it easy to send them to phishing websites that will be successful.”

Chronister cited the case last year in which Alaska Gov. Sarah Palin had her email hacked. Most of the time, changing your password involves answering three questions: where were you born, what is your birth date, who was your high school sweetheart. Everybody knows she married her high school sweetheart, Chronister said. That’s how a guy got in and hacked her email, he said.

“When you look on Facebook, most of the information to answer change of password questions is found on social networking sites. Sending that information out can be very, very dangerous,” Chronister said. “You may say OK, ‘I’m just sharing it with friends, and it’s not extremely harmful,’ but if I can get nuggets of information about you on Facebook and other places, it becomes very dangerous and leaves the Facebook realm. Maybe the info you put on Facebook is the info I need to reset your banking information.”

Use it, but don’t lose it

“If I have info out there, I realize anything I put out is public domain,” Chronister said. “If it comes back to me in an email, or someone trying to get hold of me because of that info, I do my counter efforts. I don’t put my birthday, my phone number, and even when they ask your mother’s maiden name, I lie. They don’t care, it’s just wording. I use another word. What’s your favorite color? Cat. They don’t care. All in all, the social networking phenomenon is a hacker's dream—being able to get all of that information all at once. And it really comes down to assuming it’s safe.”

Chronister recommends using two or three Google or Yahoo email accounts when you have to sign up for something, and treating them as spam accounts.

Nigerian scammers spider the Internet looking for information and email addresses. Facebook is a good place to start; Twitter is another, Chronister said.

“It’s kind of a template in how they work. It’s always the exact same information. The reason they keep using that is that it’s successful,” Chronister said. “You throw a net in and see how many fish will sit there. They do it because it works.”
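Chronister’s point that the scam is a template is also what makes it detectable. The following is an added example, not code from the article, Parameter Security or Facebook: it scores a message by how many of the template’s ingredients appear together (a distress story, a request for money, a transfer channel, urgency, an official body, and a reason you can’t simply phone the person), so that a lone mention of London or money does not trigger it. The three sample messages are constructed for this example; the first paraphrases the London message the article describes, and the threshold of three ingredients is an assumption.

```python
"""Score a message against the 'stranded traveler' scam template.

Added example, not code from the article, Parameter Security or Facebook.
The ingredient list follows the article's description of the London messages;
the sample messages and the FLAG_THRESHOLD value are constructed assumptions.
"""
import re

# One pattern per ingredient of the template.  A single hit means little
# (plenty of honest mail mentions London or money); the scam is the
# combination, so the verdict counts distinct ingredients, not keywords.
INDICATORS = {
    "distress": r"\b(stranded|stuck|detained|mugged|robbed|beaten"
                r"|lost\s+(my|our)\s+(passport|wallet|bag))\b",
    "money_request": r"\b(need|send|wire|transfer|loan|lend)\b.{0,40}"
                     r"(\bmoney\b|\bcash\b|\bfunds\b|\$\s?\d[\d,]*)",
    "transfer_channel": r"\b(western\s+union|money\s*gram|wire\s+transfer|wired)\b",
    "urgency": r"\b(immediately|asap|right\s+away|urgent(ly)?"
               r"|as\s+soon\s+as\s+possible|today)\b",
    "authority": r"\b(embassy|consulate|immigration)\b",
    "contact_switch": r"\b(phone\s+(was|got)\s+stolen|can'?t\s+be\s+reached\s+by\s+phone"
                      r"|reply\s+to\s+this\s+(email|message))\b",
}
FLAG_THRESHOLD = 3  # assumption: three independent ingredients at once

_COMPILED = {name: re.compile(pat, re.IGNORECASE | re.DOTALL)
             for name, pat in INDICATORS.items()}


def score_message(text):
    """Return which ingredients the text contains and whether it crosses the
    threshold.  Hits are category names so a user can be told *why* the
    message looks like the scam rather than just 'blocked'."""
    hits = sorted(name for name, rx in _COMPILED.items() if rx.search(text))
    return {"hits": hits, "score": len(hits), "flagged": len(hits) >= FLAG_THRESHOLD}


# --- constructed samples (paraphrasing the article's London messages) ------
SCAM_LONDON = """Hi, I'm writing this with tears in my eyes. I'm stranded in London, I was
beaten and robbed of all my money and identification. The embassy is trying to
help but I need money immediately to fly home. Please send it through Western
Union. My phone was stolen too, so just reply to this message."""

SCAM_DETAINED = """My husband and I are being detained in London by immigration over a
problem with our papers. We need funds wired today to settle it before they
will let us fly home."""

BENIGN_LONDON = """Just landed in London for the conference, the embassy district is gorgeous.
Let's catch up when I'm back, and remind me to send you the money I owe you
for dinner."""

if __name__ == "__main__":
    for label, text in [("scam 1", SCAM_LONDON), ("scam 2", SCAM_DETAINED),
                        ("benign", BENIGN_LONDON)]:
        print(label, score_message(text))
```

The benign message mentions both an embassy and sending money, which is exactly why single keywords make a poor filter; it scores two ingredients and is left alone, while both scam variants score five or more.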

Chronister said he was recently “attacking a company,” and one of the things he was looking for at this very non-technical company was employee email addresses. He found one employee who did genealogy, so he started searching the Internet for the man’s email address. It turned up on a genealogy site, where the man was looking for a family in a county in Tennessee.

“I got Google maps, figured out the county next to it, went on the genealogy site, and changed the last name of all the people in the list. Embedded a Trojan and emailed him as a person on that board. I can make my email look like anybody else’s,” Chronister said. “Within 30 minutes, I was in his work computer and had full access to his entire network. I went over my findings and the president of the company said he didn’t think there was any harm in it. The guy said he did it on his break at lunch, and on his way out, he said in 20 years (of searching genealogy records) he realized he was wrong. One email was able to convince him he had been wrong for 20 years.”
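“I can make my email look like anybody else’s” is worth checking rather than taking on faith. The following is an added example, not code from the article or from Parameter Security: it reads the Authentication-Results header that the receiving mail server wrote and asks whether SPF or DKIM actually vouches for the domain shown in From:, the alignment test DMARC makes. The authserv-id mx.example.net and the three messages are assumptions and constructed samples, and a header written by any other server is deliberately ignored, because a sender can add one of those to the message too.

```python
"""Does the address in From: hold up against our mail server's own
authentication results?  Added example, not code from the article or from
Parameter Security; standard library only.  OUR_AUTHSERV_ID and the sample
messages are constructed assumptions for this example."""
import email
import re
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.example.net"  # assumed id that our receiving MTA writes


def _domain(addr):
    """'"Betty Hale" <bhale@example.org>' -> 'example.org' ('' if absent)."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def _aligned(dom, from_dom):
    """Relaxed alignment: same domain or a subdomain of it.  A real DMARC
    check uses the public suffix list to find the organizational domain."""
    return bool(dom) and bool(from_dom) and (
        dom == from_dom or dom.endswith("." + from_dom) or from_dom.endswith("." + dom))


def _auth_results(msg, authserv_id):
    """Parse only the Authentication-Results headers *our* server wrote.
    Anyone can put such a header on outgoing mail, so one carrying a
    different authserv-id is no evidence at all."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", " ", value)  # drop comments like (2048-bit key)
        fields = [f.strip() for f in value.split(";")]
        if not fields[0] or fields[0].split()[0] != authserv_id:
            continue
        for field in fields[1:]:
            tokens = field.split()
            if not tokens:
                continue
            method, _, result = tokens[0].partition("=")      # e.g. spf=pass
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results[method.lower()] = (result.lower(), props)  # smtp.mailfrom=, header.d=
    return results


def check_sender(raw, authserv_id=OUR_AUTHSERV_ID):
    """Verdict on whether SPF or DKIM vouches for the From: domain."""
    msg = email.message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    ar = _auth_results(msg, authserv_id)
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    spf_dom = spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_dom = dkim_props.get("header.d", "").lower()
    spf_ok = spf_result == "pass" and _aligned(spf_dom, from_dom)
    dkim_ok = dkim_result == "pass" and _aligned(dkim_dom, from_dom)
    reasons = []
    if not spf_ok:
        reasons.append(f"SPF {spf_result} for {spf_dom or '(none)'}, From is {from_dom}")
    if not dkim_ok:
        reasons.append(f"DKIM {dkim_result} for d={dkim_dom or '(none)'}, From is {from_dom}")
    return {"from_domain": from_dom,
            "return_path_domain": _domain(msg.get("Return-Path")),
            "authenticated": spf_ok or dkim_ok,
            "reasons": reasons}


# --- constructed samples ----------------------------------------------------
LEGIT = """\
Return-Path: <bhale@genealogy-board.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=genealogy-board.example;
 dkim=pass (2048-bit key) header.d=genealogy-board.example header.s=sel1
From: "Betty Hale" <bhale@genealogy-board.example>
To: researcher@company.example
Subject: Re: Hale family records

Found the record you were after.
"""
# From: forged; the envelope sender and SPF pass belong to the attacker's domain
SPOOFED = """\
Return-Path: <bounce@mail.attacker.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.attacker.example; dkim=none
From: "Betty Hale" <bhale@genealogy-board.example>
To: researcher@company.example
Subject: Re: Hale family records

Found the record you were after, see attached.
"""
# Same forgery, plus a fake Authentication-Results header the attacker added
INJECTED = """\
Return-Path: <bounce@mail.attacker.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=genealogy-board.example; dkim=none
Authentication-Results: mx.attacker.example; spf=pass smtp.mailfrom=genealogy-board.example; dkim=pass header.d=genealogy-board.example
From: "Betty Hale" <bhale@genealogy-board.example>
To: researcher@company.example
Subject: Re: Hale family records

Found the record you were after, see attached.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoofed", SPOOFED), ("injected", INJECTED)]:
        print(label, check_sender(raw))
```

The spoofed message passes SPF, which is why "SPF pass" alone is no reassurance: it passes for the attacker’s envelope domain, not for the domain the reader sees. The injected message shows why the check trusts only the header our own server wrote; trusting the forged header’s authserv-id instead would turn the verdict around.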

No one is safe

“If this was a war, we would be losing big time,” Chronister said. “It’s basically the bad guys have control of everything, while we say we’re safe, we’re safe, we’re safe.”

Chronister said that during a recent “think tank” meeting on infiltrating the underground economy, he found that you can go on certain channels where people are selling bank accounts, and first-class plane tickets to anywhere for $100.

“If you think about it, the hacker has to have full access to some major airline or travel agency computers. It’s scary. I’ve worked with things before and Trojans are on the systems dealing with bank accounts. Hackers just sit there and watch customer information. If there’s a mentality that it won’t happen to me, you’re wrong. That is one of the main reasons we’re losing the war. It gets scary.”

Another computer security company, which asked not to be identified “for security reasons,” said it bans the use of Facebook at the companies it serves.

“No, I don’t use Facebook,” said the company owner. “Generally, however, we tell customers that whatever application you are using, use the vendors’ suggested security measures.”

Will Facebook help?

If you read the fine print, which most of us don’t, Facebook says it can’t guarantee Web security. Ultimately, Facebook says, members are responsible for their own security.

“We do our best to keep Facebook safe, but we cannot guarantee it,” Facebook says in a warning in a section of the site on the terms and conditions of use, which members might not bother to read. (http://www.facebook.com/terms.php)

In defense of Facebook, when criminal activity is detected on one account, Facebook quickly looks for similar patterns in others and either deletes bad emails or resets passwords to compromised accounts. Facebook does have a fraud investigator and a fraud analyst, according to the careers section of its website.

But, according to that fine print, “You own all of the content and information you post on Facebook and you can control how it is shared through your privacy and application settings.”

When you publish content or information using the "everyone" setting, it means that everyone, including people off of Facebook, will have access to that information and Facebook has no control over what they do with it.

When you add an application and use Platform, your content and information is shared with the application. Facebook requires applications to respect your privacy settings, but when it comes to “safety” regulations, it’s an “on-your-honor” issue, with rules such as “You will not use Facebook to do anything unlawful, misleading, malicious or discriminatory.”

The list of “you will nots” goes on and on.

Remember that although using fake names is a violation of the Facebook Terms of Use, people are not always who they say they are.

According to Facebook security warnings, you should always be careful when sending friend requests to, or accepting friend requests from people you do not know in the real world. It is always risky to meet anyone in person whom you don't know through real world friends.

Always follow these important safety tips when using Facebook:

  • Never share your password with anyone, and change your password often.
  • Adjust your privacy settings to match your level of comfort, and review them often.
  • Be cautious about posting and sharing personal information, especially information that could be used to identify you or locate you offline, such as your address or telephone number.
  • Block and report anyone that sends you unwanted or inappropriate communications.

The first thing to remember when you get a Facebook friend request is to ask yourself how you know whether it is a real request or a fake one.

Click on “View Friends” and you’ll see a list of friends connected to that individual. A criminal can use this publicly available information too: note the names, save the profile picture to disk for later use, and then, with the friends’ information collected, set up a new Facebook account in that person’s name, which Facebook’s user-friendliness makes possible in 60 seconds or less.

The first way to deal with this is to set up a limited profile so that only friends can see your profile. Second, add people to the blocked list if you don’t want to share your entire profile with them.

Set a rule to add friends only, don’t add strangers.

Look at the name and picture carefully. Also click on the name to see the complete profile. If the profile has few details, chances are it could be a fictitious account.

Look for the “You have no friends in common” line. If this person is really a friend of yours, there should be some connections. If the person inviting you is a brand-new Facebook user with no friends, reject the request. Better to be careful than sorry.

Many people tend to have so many friend requests to deal with that they simply look at the name and picture only, and then click the “Confirm” button. Don’t be one of these people. Always be careful.