“Clickjacking” and “Likejacking” – Be Aware!

None of us wants to be part of a scam that forwards links as if they came from a friend, invading their privacy and endangering their sensitive information. It is not always easy to avoid bad sites, but simply being aware of the problem makes you more adept at spotting it. The following article is a summary of an original post by Rob Spiegel, E-Commerce Times.

Facebook and the state of Washington filed federal lawsuits on Thursday against Adscend Media for “clickjacking,” a form of spamming that fools users into visiting advertising sites and divulging personal information. Both suits cite violations of the CAN-SPAM Act, which prohibits the sending of misleading electronic communications. The suit is part of Facebook’s on-going effort to mitigate spam activity. “We’re hopeful that this kind of pressure will deter large scale spammers and scammers,” said Facebook spokesperson Andrew Noyes.

“Likejacking” is similar; victims are tricked into using Facebook’s Like button to spread spam. Users believe links to spam sites are being sent to them by friends, and the advertiser collects money from clients for every user misdirected. A prominent example is the indictment in California of self-proclaimed “spam king” Sanford Wallace in August, Noyes said. “Two years ago, Facebook sued him, and a U.S. court ordered him to pay a (US)$711 million judgment. Now he faces serious jail time for this illegal conduct.” Facebook also secured a $360.5 million judgment against spammer Philip Porembski, said Noyes, which “followed an $873 million spam judgment in 2008 against Adam Guerbuez and Atlantis Blue Capital for sending sleazy messages to our users.” The Guerbuez judgment was the largest award ever under the CAN-SPAM Act, he noted.

Clickjacking, also referred to as “UI redressing,” is a technique in which an attacker’s page loads the target site in an invisible frame and positions it over a seemingly innocent button. The visitor clicks what looks like the decoy, but the click lands on a control inside the hidden frame, and because the browser sends the victim’s own cookies with that frame, the action is taken in the victim’s name. Likejacking is the same trick with Facebook’s Like button as the hidden control: the victim unknowingly “likes” the scammer’s page and advertises it to their friends. Clickjacking is “quite well understood,” Roger Kay, founder and principal of Endpoint Technologies, told the E-Commerce Times. “It is used by both legit and illegit programs.”
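To make the overlay concrete and to show the check a site owner would run against their own pages, here is an added example (written for this summary, not code from the original article or from Facebook). The first function builds the attacker’s page as a string; the second inspects a response’s headers the way a browser would to decide whether a foreign origin can frame the page at all. All URLs and header values are constructed samples.

```javascript
'use strict';
// Added example, not from the original post. The attacker side shows why the
// trick works; the defender side is the header check that stops it.

// Attacker side: the decoy button is what the victim sees. The target page is
// loaded in a fully transparent iframe stacked above it and positioned so the
// real control (e.g. a Like button) sits exactly over the decoy. The offsets
// are placeholders; a real attack tunes them to the target's layout.
function buildClickjackPage(targetUrl, decoyLabel) {
  return [
    '<!doctype html><html><body>',
    '<style>',
    '  #decoy  { position:absolute; top:120px; left:100px; width:140px; height:40px; }',
    '  #victim { position:absolute; top:80px;  left:60px;  width:800px; height:600px;',
    '            opacity:0; z-index:2; border:0; }',
    '</style>',
    `<button id="decoy">${decoyLabel}</button>`,
    `<iframe id="victim" src="${targetUrl}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Defender side: a page can only be overlaid if the browser agrees to render it
// inside a frame on another origin. Two response headers control that. The
// logic below mirrors browser behaviour: a Content-Security-Policy
// frame-ancestors directive wins when present; otherwise X-Frame-Options
// DENY/SAMEORIGIN block framing, and any other XFO value (including the
// obsolete ALLOW-FROM) is ignored by current browsers, i.e. offers no protection.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns the source list of frame-ancestors, or null if the directive is absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// exposed === true means an arbitrary third-party page can frame this response.
function assessFrameProtection(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);

  const csp = h['content-security-policy'];
  if (csp !== undefined) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      // '*' or a bare scheme lets any origin on that scheme frame the page;
      // 'none', 'self' or named hosts restrict it. An empty list matches nothing.
      const open = sources.some((s) => s === '*' || s === 'http:' || s === 'https:');
      return { exposed: open, mechanism: 'csp', detail: `frame-ancestors ${sources.join(' ') || '(empty)'}` };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo !== undefined) {
    const value = xfo.toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { exposed: false, mechanism: 'xfo', detail: value };
    }
    return { exposed: true, mechanism: 'xfo', detail: `${value} (not enforced by current browsers)` };
  }

  return { exposed: true, mechanism: 'none', detail: 'no anti-framing header' };
}

// Run the check over a set of named responses and return the verdicts.
function auditResponses(responses) {
  const verdicts = {};
  for (const [name, headers] of Object.entries(responses)) {
    verdicts[name] = assessFrameProtection(headers);
  }
  return verdicts;
}

// Constructed sample responses, one per common configuration.
const SAMPLE_RESPONSES = {
  unprotected: {},
  legacy: { 'X-Frame-Options': 'SAMEORIGIN' },
  modern: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  misconfigured: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
};

for (const [name, r] of Object.entries(auditResponses(SAMPLE_RESPONSES))) {
  console.log(`${name.padEnd(14)} exposed=${r.exposed} via ${r.mechanism}: ${r.detail}`);
}
```

Note that the check only reads enforced headers: a `Content-Security-Policy-Report-Only` header reports framing but does not block it, and JavaScript “frame-busting” inside the page is not considered, since an attacker can sandbox the frame to neutralise it. The headers are the control to rely on.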

“When someone browsing clicks on a site, the site can execute arbitrary code in the browser,” said Kay. “It can set a cookie, say, for Amazon (Nasdaq: AMZN), or do more nefarious things, like inject malware designed to call other malware later.” Clickjacking has been prevalent for years, and likejacking has become similarly entrenched. Many users of Facebook have likely experienced it in the form of a product-related message that seemed to be from a friend. “The use of the technique is widespread,” said Kay. “Consumers need to use better judgment about which links they click on.”

Links can be forwarded as if from friends, and some come-ons are pitched just right to get around the user’s suspicions, he noted. “If you’re the target of a spear phish, then the attack is tailored to you,” said Kay. “So, avoiding bad sites becomes a kind of ninja art everyone must learn.”

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Are Your Kids Safe Online?

As a parent you are often worried about what your kids are being exposed to on the Internet. Apparently so are Facebook and the PTA. They have teamed up to teach parents and children about responsible Internet use. They plan to cover cyber-bullying, internet safety and security and “citizenship online,” according to a news release.

“Nothing is more important to us than the well-being of the people, especially the many teenagers, who use Facebook,” said Sheryl Sandberg, Facebook’s chief operating officer.

Facebook is the number one social media site with over 500 million users and a minimum age requirement of 13. Even that requirement can be easily fudged because Facebook has no way of verifying a user’s age besides asking for their birth date when they register. Parents are having trouble deciding whether to let their children join Facebook prematurely and what they should be cautious of if they do so.

Learn more on Protecting Your Children Online.

It is important to be educated when dealing with any form of social media or social networking website. Social networking is immensely powerful and is here for the long run, but we must learn to harness and control it. You should know the ins and outs, pros and cons, risks and rewards to using these online tools. Because teens and children don’t necessarily have the life experiences to recognize the risks, parents must educate themselves and pass that knowledge on with open and honest discussions on Facebook and Online Safety.

John Sileo became one of America’s leading Social Networking Speakers & sought after Identity Theft Experts after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Facebook Safety Survival Guide

Introducing the newest guide to protecting your and your family’s identity:

Facebook Safety
Survival Guide

Includes the

Parents’ Guide to Online Safety

Order your copy today to get our special introductory pricing of $12.95, or order the ebook below for only $9.95!

There is no final word on how to use Facebook safely. Here’s why: social networking and the web change too quickly. The social network you use today is not the same one you will use tomorrow or next month. The privacy settings, functionality, connectability and features are constantly evolving, which means that almost no one has a handle on every aspect of this topic. Those who tell you that they have the final answer are probably selling you something you shouldn’t buy.

This Survival Guide is an evolving document that I started writing for my young daughters and my employees, and is an attempt to give you a snapshot of some of the safety and privacy issues as they exist right now. Social networking, texting, instant messaging, video messaging, blogging – these are all amazing tools that our kids and employees use natively, as part of their everyday lives. In fact, they probably understand social networking better than most adults and executives. But they don’t necessarily have the life experiences to recognize the risks. I’d like to make their online vigilance and discretion just as native, so that they learn to protect the personal information they put on the web before it becomes a problem. Social networking is immensely powerful and is here for the long run, but we must learn to harness and control it.

So whether you are reading this to help protect your own online presence, or the reputation and sensitive data inside of your business, or to bulletproof your kids from some of the harmful forces on the web, the Facebook Safety Survival Guide should get you started.

This Facebook Safety Guide includes:

  • Action Item Checklist for Facebook Safety
  • Action Item Checklist for Parents’ Guide to Online Safety

Part I: Facebook Safety Survival Guide

  • Protecting People We Care About
  • Social Networking’s Secret Weapon: Trust
  • Fifteen Hazards of Social Networking
  • Fifteen Steps to Safer Facebooking
  • 10 Types of Information to Keep Private
  • Customize Your Privacy Settings: Control Who Can See Your Personal Information & A Tool to Test Your Facebook Privacy
  • How Do I Delete My Facebook Account?
  • How To Deactivate Your Facebook Account
  • How To Delete Your Facebook Account

Part II: Parents’ Guide to Online Safety

  • Socializing Online: Sexting & Cyberbullying
  • Communicating Online & Phishing
  • Mobile Phones: Socializing and Communicating on the Go & Texting
  • Protect Your Computers: P2P File Sharing & Parental Controls

© Copyright 2010 John D. Sileo All Rights Reserved

Using the iPhone 4 to Spy on Competitors

Steve Jobs unveiled Apple’s new iPhone 4 on June 7 in San Francisco. While the new features keep the iPhone at the forefront of technology, they also cause some privacy concerns.

One concern that carries over from previous iPhone models is always-on iPhone apps that track your every move through the phone’s GPS. Back in April, Apple announced that location-tracking applications would be allowed to run in the background. So, for example, companies like FourSquare, Yelp, and Facebook can continuously track your location and, if you allow them, automatically notify your friends when you are less than half a mile away from them.

For example, I just had a highly confidential client meeting at the client’s corporate headquarters. To anyone who knows what I do, that means the company I was visiting is probably having data theft issues (and has brought me in to help). If the media finds out about those issues before the company has had a chance to start the damage control process, its stock will drop far faster than if it had prepared for the news to go public. If Facebook or FourSquare is broadcasting my whereabouts, my followers already know which company is having the problem, its competitors know it (if they are following my GPS broadcasts), and the media sits and waits for me to enter the building. Luckily, I’m not well known enough for anyone to care, but just in case, I don’t broadcast my whereabouts. Other, far more influential people do so without thinking twice about it. This goes to show that there are ways to use all of the cool new technology without letting it control you: with the right knowledge, you can take control of how your information is used.

Apple does recognize the privacy concerns with location tracking and gives users a way to control how much information is shared. While an app is using your location, the status bar shows a small arrow icon indicating location awareness, and a settings screen lets you toggle location permission on and off for each app. Regardless, this means that more companies will have access to your location than before, and the default for any app you grant is continuous access until you revoke it.

High-definition video is a second tool that data spies will use. What could be easier for an identity thief than to pretend to be on the phone while actually filming you type in your ATM PIN? Why does the iPhone 4 change the game? Because higher resolution means they can stand further away and still capture video sharp enough to read your keystrokes. A quick sweep of an office desk or an open client file with high-definition video captures every document needed to learn about your company. Think of it as a spy camera that takes thousands of frames a minute, hidden inside the most ubiquitous device on the planet: a cell phone. It is a powerful tool both for good and for bad.

There is no silver bullet solution to the new problems posed by GPS and Hi-Def video. As we teach in our Privacy Survival Boot Camps, what is required is an integrated privacy plan that implements some of the following steps:

  • Social Networking and GPS proper usage guidelines to make users aware of the consequences of their actions using these tools
  • Classification systems and clean-desk policies (so that a confidential document isn’t left out on the desktop to be filmed in the first place)
  • Access privileges (to keep non-authorized personnel from accessing sensitive areas)
  • Employee fraud training (to make everyone in the company aware of these issues and give them more detailed tools to protect themselves and the company)

The iPhone 4 is a wonderful business tool that will drastically increase the productivity and connectivity of the workforce. But like any powerful tool, it can be used for dishonest purposes. The first step is to educate yourself and your staff on how these tools can be used, for good or evil.

John Sileo is the award-winning author of Stolen Lives and Privacy Means Profit (Wiley, August 2010), a professional Financial Speaker and America’s leading identity theft expert. His clients include the Department of Defense, FTC, FDIC and Pfizer; his recent media appearances include 60 Minutes. Contact him on 800.258.8076.

Identity Theft Threat from Copiers

Your business-class photocopier is essentially a computer that can be hacked. It has a hard drive and saves an image of everything you copy: customer data, invoices, employee records, intellectual capital, personal identity. This is not new information; we have been writing about it for years. But the press is finally beginning to pay attention, because reporters have seen for themselves the kind of data that can be extracted from a corporation simply by purchasing its used copiers, as CBS News showed when it bought used machines and recovered the stored images from their drives.

If you’ve attended one of my Privacy Survival Boot Camps or seen me speak for your organization, you will recognize the approach used below for evaluating privacy risks. Here is a brief primer to get you started on protecting your business from this threat:

Stopping Photo Copier Information Leakage

  1. Verify whether your existing copier has a hard drive; the business that sold or leases it to you can tell you. If it does, ask whether the drive is password protected and encrypted (unless you paid extra for that feature when you bought it, it probably is not).
  2. Ask how you can take control of the stored data. Can the drive be configured to overwrite each job’s image as soon as the job finishes, rather than retaining it? Can it be securely wiped on demand, and will the vendor wipe or remove the drive when the machine is returned at the end of a lease or sold?
  3. What are your options? Can you add an encryption feature that blocks unauthorized access to the stored images? If the copier is on your local network, is it reachable from outside, and is its administrative interface protected by something stronger than the factory default password?
  4. Stop using public photocopiers (Kinkos, CopyMax, the library, etc.) to copy private materials, since you have no idea how they store or dispose of the images containing your sensitive data.
  5. Stop using your hard-drive-based photocopier to copy sensitive documents. A small, inexpensive copier that does not store images (an HP, for example) costs more per page, especially if it uses ink instead of toner, but it avoids the long-term cost of storing data you never meant to keep. Remember, your data is just like money to a data thief.

If you are serious about protecting your business, start with the items above and then bring an information privacy professional to your organization to help you with this and the handful of other data security issues that face your organization.