Monday, August 27, 2012

Viewpoints on Social Networking Websites from Security Risks Standpoint

Social Networking Websites (SNWs) such as Facebook, Twitter, and LinkedIn have become integral parts of the daily online ecosystem. They are crucially instrumental in personal and professional networking, invaluable as sales and marketing tools, and in keeping society informed of daily incidents in several walks of life. SNWs are interesting for at least two key features: a huge number of users and a high degree of trust among users.

However, apart from the vulnerabilities SNWs share with any other software, the personal details exposed on these sites and the lack of secure defaults, coupled with exploitation by miscreants, pose a huge security threat to users of SNWs. In fact, there is no single countermeasure that fits all to protect innocent users from such security risks when using SNWs. Alongside mainstream security gadgets, such as antivirus software, firewalls, intrusion detection systems, and organizational policies and procedures, it is worth asking ourselves the following seemingly simple but critical questions before we render ourselves digitally naked on the online stage, where anyone can 'see' us from anywhere, anytime.

Do you really know who you are going to be friends with?
For some people, amazingly though, being on a SNW means just swelling the number of friends, especially on professional SNWs like LinkedIn, where more connections are mistakenly taken as an indicator of a shiny professional profile. When the only variable is just the number of friends, we obviously risk connecting to fake identities, real kidnappers, real identity thieves, or even terrorists. A useful piece of advice in this regard is to think a bit before deciding to confirm a friend request. Do you know that person? Why do you have to confirm that friend request? Just to add one more 'person' to your network? Wouldn't it make sense to have 100 friends that you know and trust well rather than 1000 friends you neither know well nor trust much?

Do you know how others may use what you post?
Imagine that you are on Facebook and you update your status. Most people just breathe out their emotions without thinking twice about the implications and consequences. One may claim that "whatever my status update says, I am sharing it with my friends". Unfortunately, a significant number of users on SNWs have friends they don't know at all or have never met in person (ask yourself "Do I really know all my friends?" and I am sure you will find a couple of them you never knew or met at all). Given this situation, a status update like "Going for summer vacation to Miami Beach for 3 weeks from tomorrow" could mean "please go and rob my house before I come back" to one of your friends on Facebook whom you never knew or met but who is actually a burglar. Of course, I am deliberately exaggerating the scenario here, as more information is needed to go to your house (like your address), but that is not difficult to find from profile information or prior information you posted somewhere in this small digital world.

So you think everything a friend shares (recommends) is safe?
A friend may, out of good will, share with you a web link to something (news, picture, video) that he stumbled upon or got from other friends. Imagine a current topic that is likely to catch your (and your friends') attention. The moment you log in to your Facebook account, you see a link to a video on that topic and you can't wait to click on the link and watch the video. Unfortunately, the moment you click the link, malware downloads to your computer (or phone) and steals your login information (such as your online banking credentials). Just to be specific here, if you end up with something on your Facebook wall like "OMG! Did you see this picture of you?", "Secret details about XYZ's death!", "I am trapped in Heaven. Please send me money", or "Are you more brilliant than Albert Einstein? Test your IQ", it is an indication of spam. So, ask yourself "Do I really have to click on this?". If you do, the most likely consequence is that your device is infected with malware or your account is hijacked to impersonate you and infect your friends the same way. On a different occasion, you may end up with recommendations from a friend to add another friend, invitations to join a group, or invitations to like some website. Just as there are legitimate and honest recommendations and invitations, there are also illegitimate and totally fake ones crafted by cyber-criminals who exploit the prior trust built between you and your friends. This gets terrible especially when the recommending friend is someone you know little about. In some cases, your friend's account might be compromised, and the cyber-criminal may impersonate your friend and share, recommend, or invite on their behalf.

You still think applications or games are benign?
It is a common fact that there are useful and harmless applications on SNWs (e.g., birthday reminders, games, card sending apps). But, what is overlooked by most users and is well exploited by cyber-criminals is the rich set of permissions granted by innocent users to such applications. In most cases, users do not notice the kind of personal details they are giving away when installing such applications. To say the least, giving away your birth date, relationship status, email, phone, and the like will be a gold mine for targeted spam campaigns and identity theft. The risk is not only limited to harvesting private information which could be sold to other cyber-criminals. Often times, the applications are packaged with malware that steals your credentials for email, banks, and other critical online services. Even worse, if a malicious app/game is installed on your mobile phone, it may erase your data or impersonate you. Therefore, the general advice in this context is to keep an open eye on the permissions asked by these applications and to refrain from installing them when too much of your personal detail is asked in exchange.

Do you really separate personal life from professional life?
The people, the content, the rules, and the norms are different by design when you communicate and share with your family (and friends) and with your colleagues. It is important to cluster your community so that you can customize what you share to the appropriate profile of the community. Or even better, you may have separate accounts (although this is not that easy when there is an overlap of people from different groups in your network). Needless to mention, you don't want to share with your boss a half-naked and terribly drunk photo of you. Some companies check out your social network profile before they decide to offer you a position, and some have even asked job candidates for their credentials to check their details on SNWs (although candidates are now protected from this by law in some countries, as it is clearly against privacy).

Do you really control your share-meter?
It is okay to get wild once in a while and share success (excitement) stories about yourself and your company. But if, in doing so, you leak private and/or confidential information that may whet the appetite of cyber-criminals, you obviously are suffering from hyper-sharing syndrome. Some companies have enforced policies on what their employees can share publicly (including on SNWs) about the company. If your company has such policies, get the policies right before you find yourself in a court hearing.


Thursday, August 2, 2012

Everyday Best Practices to Stay Safe Online

As more and more people get connected to and undertake critical daily activities on the Internet, a lot more risks are emerging that threaten the sensitive and private information we manage online. In the online security chain, however cutting-edge the security gadgets we deploy at different layers, a seemingly benign interaction on the Web could lead to devastating outcomes such as losing our critical credentials and picking up malware that compromises our devices.

The most difficult vulnerability in the online security arena is the human vulnerability which is easily exploited by attackers. By sticking to simple measures and staying 'reasonably paranoid' we can significantly raise the bar against attackers and stay more vigilant against manipulations. Although impractical to absolutely quantify, it is repeatedly suggested that most of the attacks can be avoided if people consistently adhere to the following simple but effective measures:

Think Before You Click
Be cautious whenever you click a link on any page, pop-up dialog, email text, or social media application. The risk is that after a click you have lost control, and because of that single click you might end up with malware downloaded on your device that steals your credentials, you might get redirected to another page with more dangerous attacks, or the link you clicked might be automatically shared with your friends on a social network without you noticing it, propagating the infection to your friends, friends of friends, and so on. Opening email attachments also requires careful examination even if the email is from someone you know and trust, because the antivirus software of the mail provider may not thwart all attacks (especially the new ones).

Stay Up-to-Date
On a daily basis (if not hourly), the must-update list includes antivirus software, the operating system, the web browser, and browser extensions (e.g., video player, PDF renderer). Most current providers allow doing the updates online, and some (e.g., the Google Chrome browser) even update silently without bothering you as a user.

Have Strong Password Policy
Passwords should be complex enough to challenge password cracking techniques yet memorable for the owner. A commonly suggested mix requires letters (uppercase and lowercase), digits, and special characters (e.g., ?, $, &, !), and the length should be eight characters or more. Never imagine using a dictionary word as a password, because it is just a piece of cake for password cracker software. Be sure not to use a password that people who know you can guess (e.g., your lover's name, phone number). Studies show that many people are still using the same (and very obvious) password across multiple websites. The disaster with this is obvious: once you lose your password, you risk giving away a master key that opens all the doors you have locked. Under no circumstances should you write down your password somewhere or tell it to any other person. There is one more thing that keeps your passwords more robust: change your passwords with reasonable frequency and whenever you suspect that your password might have been compromised. There is an analogy about passwords and pants which humorously conveys most of the message: "Passwords are like pants. You shouldn't leave them out where people can see them. You should change them regularly. And you shouldn't loan them out to strangers."
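The rules in the paragraph above, written as a check that can be run on a candidate password. This is an added example, not code from the original post; the tiny word list, the rule names, and the function and parameter names are assumptions made for illustration.

```python
import string

# Constructed stand-in for a real dictionary word list (assumption of this example).
WORDLIST = {"password", "welcome", "sunshine", "dragon", "football"}

# The four character classes the post asks for.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def _alnum(text):
    """Lower-case and keep only letters and digits, so '555-0100' matches '5550100'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def check_password(candidate, personal_facts=(), used_elsewhere=()):
    """Return the set of rules from the post that the candidate breaks."""
    broken = set()
    if len(candidate) < 8:
        broken.add("too_short")
    for name, chars in CLASSES.items():
        if not any(ch in chars for ch in candidate):
            broken.add("no_" + name)
    # A dictionary word is still a dictionary word after digits or
    # punctuation are appended, so compare the letters only.
    letters = "".join(ch for ch in candidate.lower() if ch.isalpha())
    if letters in WORDLIST:
        broken.add("dictionary_word")
    # Anything people who know the owner could guess: names, phone numbers.
    flat = _alnum(candidate)
    for fact in personal_facts:
        fact = _alnum(fact)
        if len(fact) >= 3 and fact in flat:
            broken.add("guessable_personal_info")
    # The same password on several sites is the "master key" problem.
    if candidate in used_elsewhere:
        broken.add("reused_across_sites")
    return broken


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("Sunshine1!"))
    print(check_password("Maria#5550100", personal_facts=["Maria", "555-0100"]))
```

A candidate such as "Sunshine1!" meets the length and character-mix rules and still fails, because it is a dictionary word with decoration.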


Be Cautious of What You Publicize about Yourself
The rule of thumb is that you have to limit the amount of personal information you make publicly available on the Internet, especially via social networks. You never know: your basic information (e.g., email address, phone number, location) may be harvested and used in malicious activities such as spam campaigns and phishing scams. Never disclose any confidential, personal, or financial information unless and until you can confirm that the request for such information is legitimate. Review your bank, credit card, and credit information frequently for irregularities and report immediately to your bank in case you observe suspicious activities. Avoid banking or shopping online from public computers (e.g., Internet cafes), which are likely to be compromised with malware and may have a wrongly configured or unencrypted Wi-Fi connection. Use HTTPS when connecting via Wi-Fi networks to your email, social media, and sharing websites. Check the settings and preferences of the applications and websites you are using. Look for the green browser address bar, HTTPS, and recognizable trust marks when you visit websites where you are required to log in or share any personal information.


Tuesday, July 31, 2012

Simple Diagnosis of Your Website using Google Safe Browsing

As an admin, webmaster, or owner of a website, one might need to do a quick check of the well-being of a website. A handy way to do so is to use the Google Safe Browsing Diagnostic page. It is as simple as sending an HTTP request of the form: http://www.google.com/safebrowsing/diagnostic?site=http://pausethenreflect.blogspot.com. In this request, we are asking the Google Safe Browsing API what it knows about the safety of the website http://pausethenreflect.blogspot.com over the last 90 days. The diagnostic page (see below) shows up with a couple of details about the site. In the diagnosis result, four important questions are answered by the Google Safe Browsing Service.

[Figure: Diagnostic page for http://pausethenreflect.blogspot.com]

Suspicious?
First, whether the site (or part of it, e.g., a page or a subdomain) is currently listed as suspicious. If it is, the diagnostics also include how many times in the last 90 days the site (or part of it) appeared to be suspicious.

Infections?
Secondly, if Google has analyzed the website over the past 90 days, it shows the number of pages analyzed and how many of the pages were found to allow download (and installation) of malicious software without the user noticing it. It also includes the last time the site was visited by Google and the last time malicious content or activity was detected. In addition to the timing, the type and number of actual attack payloads (e.g., trojans, exploits), hosting of malware, and the networks on which the site is hosted are shown.

Malware Bridge?
The third diagnostic result tells whether the site has acted as an intermediary for malware distribution over the last 90 days. If so, the results indicate the number and type of malware distribution and the malware hosting target sites.

Malware Host?
The fourth part of the diagnosis tells whether the site is hosting (has hosted) malware over the past 90 days.

The diagnostic page is based on large-scale daily analysis of millions of websites for malicious activities. The diagnostic result may not be so impressive if the website has not already been crawled and indexed by Google. But once the website is analyzed, Google repeats the analysis frequently to give up-to-date diagnostic results.

Although not absolutely bullet-proof, using the Google Diagnostic Page is a free, simple, quick, and insightful first step in understanding the well-being of a website, before trying more advanced analysis techniques.

Sunday, July 15, 2012

Blacklists of Known (Suspected) Malicious URLs, Domain Names, and IP Addresses

In an attempt to consolidate pointers to blacklists of malicious or suspected URLs, domains, and IPs, I thought of sharing this list I compiled. The lists vary in data format, freshness, usage restrictions, and collection methodology. I personally use such lists as starters for collecting potentially malicious targets on the Web. So, before using these lists for serious experiments, it is obviously important to independently verify whether the entries are really linked to, and indeed initiate, some malicious activity. One method is to use a honeyclient such as HoneyC or Capture-HPC.

I hope to update this list every month as new blacklists may be born, some blacklists may perish, some may become too old to be useful, or some turn to commercial. 

Useful Blacklists:


Note: This list is by no means exhaustive.
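Because the lists vary in data format, a first step before any verification is to bring their entries into one de-duplicated form. The sketch below is an added example, not code from the original post: the feed lines are constructed (reserved example domains and documentation IP ranges), and the function names and the set of layouts handled are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in layouts blacklists commonly use (not real indicators).
SAMPLE_FEED = """\
# hosts-file style: sinkhole address, then the listed host
127.0.0.1 bad-host.example
0.0.0.0   tracker.example.net
http://Malware.Example.org/dl/setup.exe
198.51.100.23
203.0.113.0/24 ; inline comment
"2012-07-15","hxxp://phish.example.com/login","phishing"
bad-host.example
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(token):
    """Return (kind, normalized value) for one field, or None if it is not an indicator."""
    token = token.strip().strip('"').replace("[.]", ".")
    if token[:4].lower() == "hxxp":            # undo common "defanging"
        token = "http" + token[4:]
    if "://" in token:
        try:
            parts = urlsplit(token)
            host, port = parts.hostname, parts.port
        except ValueError:                     # malformed netloc or port
            return None
        if not host:
            return None
        netloc = host + (f":{port}" if port else "")
        query = f"?{parts.query}" if parts.query else ""
        return "url", f"{parts.scheme.lower()}://{netloc}{parts.path or '/'}{query}"
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        net = None
    if net is not None:
        addr = net.network_address
        if addr.is_loopback or addr.is_unspecified:
            return None                        # sinkhole placeholder, not a target
        return ("ip", str(addr)) if net.num_addresses == 1 else ("cidr", str(net))
    name = token.lower().rstrip(".")
    return ("domain", name) if DOMAIN_RE.match(name) else None


def normalize_feed(text):
    """Parse mixed-format blacklist text into de-duplicated indicators grouped by kind."""
    found = defaultdict(set)
    for line in text.splitlines():
        line = line.split(" ;")[0].strip()     # drop inline comments
        if not line or line.startswith("#"):
            continue
        fields = line.replace(",", " ").split()  # assumes no commas inside URLs
        if len(fields) > 1 and fields[0] in SINKHOLES:
            fields = fields[1:]                # hosts-file: keep only the listed host
        for field in fields:
            hit = classify(field)
            if hit:
                found[hit[0]].add(hit[1])
    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    for kind, values in normalize_feed(SAMPLE_FEED).items():
        print(kind, values)
```

The output is only a candidate set; each entry still needs the independent verification described above before it is used in an experiment.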

Wednesday, June 13, 2012

Remarks on note-worthy thoughts

From my random chatting with people from different walks of life, I just thought of making a few remarks about a few thoughts: in particular, how we deal with critics, perceiving one's own self, curiosity, doing one's best, originality, and skin color. Here follow my naive reflections about these thoughts, partly based on Things We Forget. I understand that we might have heard all these thoughts on a number of occasions, but for me it is easier said than done (myself included!).

One's Self: accept yourself. If you are in a fight against yourself to accept yourself the way you are, there is no rationale in accepting others unless you are officially declaring yourself a lifetime pretender. Be yourself or you risk spending your life living someone else's life. There is no double self. There is only one oneself. So, focus on the only one self, which is yourself. There is no better competitor for you than yourself. So, compete only with yourself and collaborate more with others. The sweetest and the most meaningful victory is one that you achieve over yourself, as it takes a great deal of guts to first accept your weaknesses, second deal with your weaknesses, and third transform your weaknesses into opportunities to improve yourself. You are what you are, not what you say you are.

Stay curious. The world is full of unanswered questions, and quite often these questions are embedded within the answers we gave to prior questions. On top of imagination, curiosity demands nothing more than passion and endurance. Be ready to go the extra mile it takes to embrace new ideas and analyze them so as to see the merits and demerits and make wise arguments. Change what you can and accept what you can't change. When possible, find a way. When not, make one yourself.

Doing One's Best: Do your best, as there is a big difference between failing without trying and failing while trying your best. Dare to fail and confront embarrassment by first dreaming and then doing. Trying your best doesn't just mean sweating on one strategy. Rather, it means breaking the routine and challenging the status quo to approach a problem from many different directions and, in doing so, caring about the means as much as you care about the end. In fact, expect the best outcome but also be equally prepared for the worst. Do what you love and love what you do, and remember to keep an attentive eye out to spot and celebrate success (no matter how small it might be). Start small, see the big picture in small achievements, and aim high.

Originality: Be original, don't imitate or copy others. Every individual has something that every other individual doesn't have.

Voice for the Voiceless: Not all people are lucky enough to have their voices heard. Be the voice for those who don't have one.


Critics: on any occasion, fearlessly welcome and be grateful for criticism, as it is a rare opportunity people offer you, and only people who care about you criticize you. In fact, they could have kept quiet and let you live with your weaknesses.

Amazingness: Be amazing. Being alive and sensing that you are alive by itself is amazing.

Skin Color: For you can't and didn't decide the color of your skin, be comfortable with it. Another skin color is just another color. A rose is always a rose by any name or color. Color is about appearance, not about substance.

Monday, May 28, 2012

Practical Wisdom: Lessons from Barry Schwartz




In February 2009, Barry Schwartz (an American psychologist) gave a talk on "Practical Wisdom" at TED. It has been quite a while since I listened to his great talk, but a recent encounter with a highly educated friend of mine proudly selling his morals for what he calls "privilege and successful life" triggered my memory.

Barry's major thesis focuses on the gradual degradation of wisdom in modern American society. However, I think that almost all the arguments he made hold mostly true elsewhere in the world. Citing what Aristotle told us about practical wisdom, "Practical wisdom is the combination of moral will and moral skill", Barry emphasizes that wisdom is usually measured by how often and how well we do the right thing as compared to what is expected, required, or profitable.

This mysterious world is full of rules and procedures in different walks of life. Rules often impair our imagination and our potential to think outside the box. For the world to operate in an orderly manner and to deal with the chaos we invented ourselves, the importance of rules is of course undebatable. But, for a person to do the right thing, following rules may not always lead to the right outcomes. Sometimes, by completely disregarding rules, one can rightly use his moral skills to do the right thing under the cloud of ill-thought rules for the sake of serving his fellows.

The question of being wise comes when one has to make the right exceptions to the right rules under the right circumstances for the right aim and in pursuit of serving the right people. This requires and depends on experience, compassion, selflessness, failures and the ability to invest on our stupidity to learn from failures and protect others from repeating the mistakes we made. As the saying goes "A wise person is made not born".

So, if we are wondering whether being brilliant implies being wise, there is more to wisdom than just brilliance. Of course, we need to have both the theoretical grasp and the practical exposure of a subject to be of some help to the people we serve. Brilliance is just one ingredient to cook wisdom. The bottom line, in my view, is that it is one thing to be brilliant, rich, or even famous, but all these gadgets are of no meaning if they are not firmly wrapped with wisdom. A wise person is like a jazz musician, using the notes on the page but dancing around them, inventing combinations to suit the situation and the people at hand. A wise person knows how and when to improvise. The TED talk is here.