Lately, phishers and scammers and spammers have been at it again — luring unsuspecting users to divulge their credentials on popular social networks and (for some) installing malicious software on their computer. So far, I haven’t really seen any identity theft of the offline variety with it, but nothing precludes unscrupulous souls from accessing your email, perusing your personal information and using your reputation to spread their scams to your friends. And when I say you, I mean you as the first person and not the third-person omniscient use.
We’ve experienced it on AOL and AIM. We’ve seen it with PayPal and eBay. We’ve survived through it with banks and even the IRS and DHS. “It” is phishing, and it has been around for us for quite some time; enough time for us to begin to accept that not everything on the Web is exactly how it appears. But with the addictiveness, virility and social equity housed on Facebook and Twitter, it’s bound to leak out through exploits…
…Exploits on human trust. We trust each other — generally speaking at least — and when someone has a funny video or a cool new site to check out, we click and click and click and obliterate any barriers to premium content by typing in our username and password. No matter how many times AOL OpsSec, PayPal/eBay Security, Facebook Security or Twitter @Spam attempt to mitigate abuse, they’re helpless. Only as helpless as the users on the network who tend to experience lapses in better judgment when clicking links.
You’d think that after the wide-spread, known phishing attack against MySpace affecting at least 34,000 accounts, we’d know that we don’t need to login twice to the same Website that we already have an active session on. Especially not to see pictures, videos or other “live-cams.”
The trend is that networks need to educate users about how their social networks operate, limit the mystique and make their content easy to access. The biggest move MySpace made in the war against phishing was to redirect all third-party URLs through their own filtering system (msplinks), which could be used to identify suspicious sites (e.g. shady referring URL data, unusual spikes, etc.) and to quickly disable unsafe links. At the same time, users hit a gateway page warning them not to log in on the next site they click. I think that was probably one of the most risky but much-needed moves their security team made to preserve their network integrity.
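To make the msplinks idea concrete, here is an added example (my own sketch, not MySpace’s code) of an outbound-link wrapper: third-party URLs are rewritten through the network’s own redirect endpoint, the wrapped URL is signed so the endpoint cannot be abused as an open redirector, and the handler either blocks a known-bad host or sends the user to the “don’t log in on the next site” gateway. The hostnames, secret and blocklist are constructed for the demo.

```python
import hmac
import hashlib
from typing import Optional, Tuple
from urllib.parse import urlparse, urlencode, parse_qs

# Constructed demo values; a real deployment keeps the key in a secret store
# and feeds the blocklist from abuse reports and referrer/spike analysis.
SECRET_KEY = b"demo-secret-do-not-use-in-production"
OWN_HOSTS = {"example-social.test", "www.example-social.test"}
BLOCKED_HOSTS = {"goldbase.be", "areps.at"}
REDIRECT_ENDPOINT = "https://example-social.test/links/out"


def _sign(url: str) -> str:
    """HMAC over the target URL so only links we wrapped are honoured."""
    return hmac.new(SECRET_KEY, url.encode(), hashlib.sha256).hexdigest()


def wrap_link(url: str) -> str:
    """Rewrite a third-party link through the redirect endpoint.
    Links to the network's own hosts are returned untouched."""
    host = (urlparse(url).hostname or "").lower()
    if host in OWN_HOSTS:
        return url
    return REDIRECT_ENDPOINT + "?" + urlencode({"u": url, "sig": _sign(url)})


def resolve_redirect(wrapped: str) -> Tuple[str, Optional[str]]:
    """Server-side handler for the redirect endpoint.
    Returns ('warn', target)  -> show the gateway page, then redirect;
            ('blocked', host) -> link disabled by the blocklist;
            ('reject', None)  -> bad signature or unsafe scheme."""
    qs = parse_qs(urlparse(wrapped).query)
    url = qs.get("u", [None])[0]
    sig = qs.get("sig", [""])[0]
    # A missing or forged signature means we never wrapped this URL:
    # refuse rather than act as an open redirector for phishers.
    if url is None or not hmac.compare_digest(sig, _sign(url)):
        return ("reject", None)
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return ("reject", None)  # no javascript:, data: or similar targets
    host = (parsed.hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return ("blocked", host)
    return ("warn", url)
```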
I only noticed Facebook’s Security presence about two months ago. At that, I had to opt-in and become a fan to receive timely updates. On Twitter, they rarely disclose current phishing exploits evident across the network, until it affects a large segment of their users. Even then, their own employees aren’t secured behind the firewall to access empowered admin tools. On MySpace, I notice the usual “Tom” messages advising to be cautious — so I’m assuming user behavior hasn’t changed on that social network. (Despite this, my relic of a blog entry on how to recover from a MySpace phishing attack still rakes hundreds of hits daily.)
Yes, I know Twitter has [mostly] secured their network by now. I’m pointing out how susceptible employee accounts are to abuse, brute force or by guessing “happiness” as the admin password. It’s embarrassing to say the least, especially after all the abuse of empowered AOL accounts (Guides/HOSTs/CLs/RNGRs) back when they were as hot as cracking the @goldman account. Why isn’t Twitter using RSA SecurIDs? Clearly, they need it.
In the interest of helping you and anyone else who doesn’t want their Facebook, Twitter, MySpace, AOL, bank, workstation or other social presences hacked, I’ve put together a comprehensive, yet sensible and understandable list of tips to secure accounts. All my advice comes from real experience — I’ve helped others recover their accounts, I’ve worked closely helping people secure their computers from malware and I’ve even had stripes of black on my hat. (Don’t worry, I don’t meddle in that crap anymore.)
Real-world Tips on How to Stay Secure in Social Media
- Don’t use the same password across social networks, email accounts or other Websites. While a tough rule to follow, if you invest a few hours on Saturday morning, you can accomplish this. Likewise, don’t use the same “recovery” questions such as your favorite restaurant (we all know you love Red Lobster, Applebee’s or Olive Garden). This will significantly help you contain the vulnerability to one specific network when you get hacked. Otherwise, if you like to panic about changing your passwords on 15 different networks and 5 different email addresses, be my guest.
- Don’t use memorable or cognitive patterns when using numbers in passwords. It’s no longer cute to use “69” or “666” or “321” in passwords; it’s gullible at best. Be smart and choose truly random numbers. Make the numbers have no relation to you or what you do. While most drive-by phishing attacks won’t relate to this, it will limit attacks where the attacker has some knowledge about you. Don’t use pet names, either.
- Be smart when clicking links. How reputable is “be.at” or “goldbase.be” or “areps.at”? You’ve got to look at multiple factors: the hyperlink itself, what’s being linked and who it’s from. Here are several factors I consider on every link I click:
- Do I know this person?
- Have they posted relevant links before?
- What is the call to action here… to watch a video, download something or what?
- How tech-savvy is the person?
- What country does the TLD reside in, do I trust them?
- Was this message to me automated or did they send it themselves?
- Never enter your password twice on a Website. (Except if you’re an AOL user: the proxies drop your IP sessions, so go get a real browser.) Because of cookies, you don’t need to enter your credentials twice on a site as long as you stay logged in. While some might claim it’s a privacy matter, staying logged in is a simple way to blunt simple phishing attacks: a second login prompt on a site you already have a session with is a red flag.
- Use a real Web browser that is current with “phishing protection” enabled. Great candidates for the “good” browser are Mozilla Firefox 3, Google Chrome (self-updating) or Microsoft Internet Explorer 8. Updated browsers such as these will improve Web performance, usability, security and will auto block phishing sites through cooperation from Google and other commercial anti-phishing solutions (that Microsoft has partnered with).
- Be cautious of any unusual online activity from your friends. Does your boss usually send links about getting kicked in the groin, or does your girlfriend typically send links to getting $500 gift cards? Take the legitimate reputation of someone and hold it up against what they send online. Now, if you have an accountant who is sharing tax tips — that’s more than likely legitimate, but always consider the above factors.
- For Twitter users: Never give your Twitter ID and password to a site that promises followers or some type of elevated status. Twitter staff is in the midst of limiting abusive uses of the Twitter API (which is how these sites work). While the activity itself isn’t harmful, do you really want your reputation and endorsements in the hands of another entity? Use your best judgment. Besides, why would you need to utilize mass follow/unfollow services if you are Tweeting content that people enjoy?
- Never open any executables (.exe or .pif) or permit any ‘video plugins’. Malicious software usually comes in the form of trojans and rootkits. While an innocuous installation of that video plugin or that cute game seems convenient, consider that you are giving the Russians permission to use your computer to engage in click fraud, or effectively turning your PC into a spammer’s safe haven. If you want to watch videos, even pirated ones, the best video player is VLC Player.
- Use current, updated and reputable anti-virus software. No two geeks will agree on which anti-virus software to use, but if you use any of the top four recommended solutions, you’ll be fine. AVG, Avast!, BitDefender and Avira are very good security suites to consider. As usual, only use one anti-virus product at a time. If you want to compare the current top anti-virus software, swing by AV-Comparatives for an independent and scientific head-to-head comparison. For home/non-commercial use, you don’t need to pay for them.
- If you spread a lot of link love, do everyone a favor and use a security toolbar. My favorite ones are Web of Trust (MyWOT) or McAfee Site Advisor to be sure you’re not sending people to known malicious Websites. These sites offer a simple understanding as to how safe or potentially dangerous Websites are with Red/Yellow/Green ratings as well as reviews from users.
- Be smart and ask around about companies and applications before you use them. Don’t install something just because someone said it’s fricken sweet. Do your research and make an informed decision before installing that next cool application. Usually people (incl. developers) who are passionate about a topic watch specific terms like “TweetDeck” or “Facebook”, look out for each other and will warn you of risks.
Understand my reasoning for laying this advice out. I’ve helped thousands of users over the years and I’ve seen a lot of patterns. People just don’t know and I can’t blame them. I spend all day on the Web so they don’t have to. It’s very noble of me to go out and be a source of information for users to ask. While these 11 tips won’t totally secure you from any attack, it sure as heck will keep you a lot safer and more aware of your ‘responsibilities’ in keeping your account secure.
While we’re on related topics, I recommend you read my other articles about safety and security in social media and networking:
- Social Networking Safety Tips (for Parents)
- Social Media Frustrations: Trolls, Psychos and Haters
- Street Fight Videos (and other Abuses in Social Media)
- Facebook Spam: You’ve Got to be Kidding, Right?
Feel welcome to share this post with anyone you feel should read it. I’m interested in your thoughts on this entry in the comments below, especially if you have additional tips to provide.