Facebook, pr0n and privacy

No small amount of controversy has been raised about Facebook apparently tracking and making public the purchases users make online while logged into the Facebook site (even if they aren't doing it explicitly through Facebook). Without going into much repetition of what has been said elsewhere about the controversy (or repeating what I've said in another article I've written on the subject) or the specifics of tracking users in general, the interesting part of the controversy is that it was entirely preventable. When users add applications in Facebook, it asks them if they want messages put in their profile and so forth and allows users to block feeds from being entered by other third-party sites, and there are additional privacy settings that would hide the feed regardless. Instead of being responsible, users mindlessly clicked forth, not bothering to think of the implications of what they were doing, put information out there that some didn't want out there, and now complain that someone didn't protect them from doing silly things. What you say and do online can and will be used against you (OK, maybe I'm just a tad cynical there), and when push comes to shove, the only person who can protect their personal data is the person themselves. And it's not just Facebook you have to worry about.

There are malicious porn sites out there being tracked by McAfee that use pop-ups to extort money from perusers of free porn, and many also sell the personal information of their clientele. I recall an incident investigation I did some years ago that pointed back to a porn site in Mexico that happily charged people for their wares, and then turned around and sold the credit card information legitimately given to them. And it's not just unsavory websites that happily take user information quietly and use it for commercial purposes; big companies do it too (i.e. Google).

The moral of the story is that consumers need to be wary of how, when and to whom they give their personal information online. For the more privacy-conscious, check out the Firefox extensions TrackMeNot and AdBlock Plus to cut down on the information you put online.

UPDATE 2011 UTC: Facebook has made some modifications to the tracking service (Beacon) so that users have even more of an opportunity to restrict that information.

UPDATE 2302 UTC: ISC Reader Ken pointed us to a nice writeup on using the Blocksite Firefox plugin to block the Facebook Beacon messages from working.

--
John Bambenek / bambenek (at) gmail [dot] com
University of Illinois

Responding to attempted attacks from renting, good [Iframe] examples (http://www.belch.com/blog/2007/11/27/pay-your-porn-bill/) the botnet of supervised release:seqref'. for the first American botnet controller, or herder, and other companies that work on network security coded to have specific access privileges to limit the kinds of Web sites and information employees can access. Succeeded in by companies that work on network security. RBN network using multiple-iframing as an attack vector. The botnet actually is attacking computers that are trying to weed it out. _alert, warning colleges and universities that their networks could come under heavy attack_. Quoting excerpts or pasting from their own posts if they were blocked as some have blocked responses as commentary (http://www.theregister.co.uk/2007/11/08/forensic_forum_hack/) on "dual-use" as too controversial in wild type virus-virus (bio-science) and capacitative epi-static sensor linkage (as well?) exploits etc. 'It would be up to your anonymous discretion' to read into that what we have observed. In [[ftp6667 (http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1278377,00.html)]]. Credits will be an extra added to the normal vulnerability payment (check the DACP scheme: http://www.digitalarmaments.com/challanges_archive.html).
Anonymous
