facebook

A class action lawsuit has been filed against Facebook over changes that the social networking site made to its privacy settings last November and December.

• you, your networks,
  
• your whereabouts,
  
• interests,
  
• religion,
  
• political views,
  
• who you know,
  
• who you communicate with most,
  
• how you communicate,
  
• what you say
• to whom you say it
• and so forth...
  

According to Simon Dumenco over at Wired, Facebook is too creepy to offer business value. I certainly agree that there are aspects of Facebook that might be creepy, but I do not think that alone is the main reason to not use Facebook in a business environment.

A couple of his comments are good, though:

"The ease with which Facebook can be used to broadcast your whereabouts adds a particularly disturbing dimension for executives who would surround themselves with security in real life but are lulled into complacency by Facebook's tidy veneer. Last year, the British military sent a directive to its army units to avoid revealing their service connections online—"Be particularly careful if you are on Facebook, MySpace, or Friends Reunited"—fearing that, yes, Al Qaeda could use them to track prey. Your business competitors might not be terrorists per se, but Facebook can be useful for anyone trying to poach your M.V.P.’s."

I think this point is valuable to Twitter, Plaxo and LinkedIn too - they all love the Status update these days.

Another point, made by David Weinberger is particularly interesting:

"Younger people violate older people's idea of proper behavior when it comes to privacy,"

Now, is this a challenge for the younger people, or for the older ones? Who needs to adopt? The Young? The Old? The Wise? Or heaven forbid - me?

----

More on Facebook:

• Facebook open to ID-theft
• Howto use Facebook to gather Intelligence, Part 1
• Howto use Facebook to gather intelligence, part 2
• Facebook exploited

In the previous part, we saw how you could use Facebook to collect e-mail addresses by offering something of perceived value to your victims. And you built a list of minimum 10 000 e-mails with only 5 minutes work.

This is part two of the How-to about collecting information of potential victims from sites like Facebook. This part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – I tell you how you can build a full profile of your victim!

Warning: This work is tedious, and requires attention to detail and long-term persistency.

BONUS: Build a complete victims profile, not only e-mails and names!

1. Make people add themselves to your group

Now, go to your group setting page on the Facebook Group you added in Part 1 of this How-to. Make sure that you set it up to Group Type: Open group. This will ensure that everybody can join the group, and then invite their friends to do the same.

Why do you want this? Simply by making your victims advertising the great offer you give, so more people will show up and give you their e-mails.

2. Start investigating your group members

This is easy. Just browse the list of members. When you see something pretty (as in potentially easily exploitable), take a look at the profile. If the profile is not available, take a look at their friends. Most people think that showing off their friends cannot give away anything about themselves, so it is safe. You know better, right? You will, read on!

Here we have a list of friends of a potential victim. We can see that this person is either very popular (618 friends), or is playing a game like yours – collecting!

Note the location of the friends, usually you will see that they tend to gather in one or only a few geographical areas. Also note the profile pictures, pictures can tell you a lot about the person. Look at dress code, location, styling and other clues as to who this person is.

3. Invite and collect

If you decide that you like the person (or you decide that he/she is a nice victim), you may invite him/her to be your friend. Say something like “Hi, I am the group manager of…I’d like to add you as a friend…” Most will say yes. Particularly if you hint that she/he is very close to get the prize, and you only need to confirm some info…Be creative!

Now you have full access to all the stuff this person shares with friends.

4. Harvest info

With full access, start to add to your database the following data:

• interests
• books read / enjoyed
• favourite quotes
• marriage status, birthday, age
• friends, and particularly those who communicate using Wall and similar applications

If you follow your victim for some time, you will start notice that you can start to know this person very well – only by viewing the information posted on the profile.

5. Use the info

You still in there, are you?

Why would you want this kind of information about someone you do not know?

These are some of the reasons we know others use when they do this kind of exercise:

• Looking for “easy” offers for sex or violence. Just read the newspapers.
• Finding out when you leave your home (vacation, work hours), and pay you a visit when you are not there. This is not a house calling, but a house clearing.
• Selling the information (spammers, criminals)
• ID-theft – the more I know, the easier it is to learn more about you
• Intelligence – companies, criminals and countries collect information that might be useful in the future
• Research (my excuse) – see how much you can learn without warning the victim

One example, found on the Register today, is lax control in banks and financial institutions:

“Merchant Securities Group Limited also failed to verify the identities of customers that contacted the firm by telephone. Instead, the firm relied on being able to recognise customers' voices and talking with them informally about personal matters such as holidays or hobbies. Personal account numbers which could be used with a customer's name to access account information were included in routine letters.”

See where I am getting? The more I know, the more I get. Now I got your money too!

Warning: Keep in mind that in some countries, what you are doing may be considered illegal.

Note: You do know what YOU share on your profile, right?

This how-to describes in detail how to collect live, real email addresses from live, real people around the world. Most importantly, it will show you how you can collect 10 000 e-mails in less than 5 minutes work!

In addition, this How-to will help you collect additional information about your target: like photo; full name; list of friends; and potentially also mail address; phone numbers and list their favourite books.

So let’s get on with it!

1. Set up an email box on Yahoo, Google or similar tool

This is easy. Just pop on over to; Yahoo Mail; Google Mail; or any other free web based e-mail services out there. I know you are able to set up the account without my help.

Get back here and move to step two when you are done!

Set the e-mail to automatically forward all e-mails to a different account, preferably on a system you can control – either directly, or by POP/IMAP. You want to do this to save you some work later one!

You do not want to use your own name, though, but you knew that, right?

2. Get a Facebook (or pick any other social networking site) account

Just register with a plausible name (Jim Johnson, Donna James or similar). This is free, and typically available to anyone, and this is where you will meet your victims. Consider using the same name as in step one, this adds to credibility.

TIP: You may consider using a western name, preferably a woman name, as it sounds less daunting and more secure.

Now, it is out of the scope of this How-to to discuss how to set up your account. So, I just skip on to the next part, and you do too as soon as your Facebook account is up and running!

3. Set up a group on Facebook

And yes, you guessed it; how to set up the group is out of the scope of this group. But believe you me, it is plenty easy!!

Give it a winning title - Free gift! Or: Free trip to Dubai!

Why you need it? This is where you will plant your seeds of seduction – where you will promote your give-away, and where your victims will understand why it is so important to give you their e-mail address for free – no strings attached!

So, now you got a group on Facebook. Time to use it!

4. Add a prize!

When you want something, you should always offer something. The bigger, and more realistic, the prize, the better it is! Here is one example:

Yes, I noted more realistic above, I know…But – the purpose is to offer something that is realistic to your victims – and they are not as smart as you are, obviously. Thus, this one count as realistic.

And, unless you really want to do so, there is no need to actually give away the prize. I would strongly suggest you do NOT give it away, and use it yourself instead. Or spend your cash on something else. Your victims will never know they did not win.

Period.

5. Ask for something simple/cheap compared to the prize

By asking for something that is perceived as not dangerous to give you – like an e-mail address – you are more likely to succeed. But we do now that most anyone will be happy to share their favourite password if you give them a chocolate, so do as you like. On the other side, when you get the e-mail, you got plenty of opportunity to ask for more later on too.

So go ahead and ask for it! Make sure you add your collecting e-mail box where they can send their request for the prize, giving away their name and e-mail. Put it out there – like this:

And voila – now you got a large amount of e-mail addresses available. Addresses you can use to send nice offers of pills, travels and other stuff your customers pay you to offer to your list!

6. Collect and use

Now you have a large amount of e-mails on your account, it is time to download and put them to work. By installing any kind of e-mail harvesting tool on your e-mail client (many available, find your favourit), you are now able to take the e-mail addresses and their corresponding names from your in-box, and into a database tool.

And as e-mails keeps coming in, your database grows. High quality e-mails with real people on the other side. A great value to spammers.

So start selling it to the highest bidder!

And if someone complains about getting spam? Well, that is not what you are doing, of course. You only provide your customers with fresh e-mail addresses with real people on the receiving side!

The emails are collected, and you may now use them to send out outrages offers of pills, lottery winners and other nice-to-have stuff. But, why stop there?

Get back tomorrow to read about how to build a complete profile of your targets! That part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – where I tell you how you can build a full profile of your victim!

Facebook (and a number of other platforms in the Social Networking revolution) enables great minds to do great things. Many of us uses these services on a regular basis (daily, hourly, or even every moment of the waking hours). 

I for one is a huge fan of networking, and using networking sites enables me to communicate and stay in touch with old and new contacts easily. On the other hand, I recognize the security challenges - namely the ID-theft and the social engineering (SE) possibilities that is enabled through such services. 

One of the messages I try to convey in speeches and trainings is the threat that Facebook Apps may be. Granting an application access to your profile, automatically enables that application to harvest a huge amount of data about you and your friends. Now, most applications are "for real" - thus doing only the thing it claims to do. Still, imagine a business manager sitting on 10s of thousands of users and their data, in need for money. It would be extremely easy to use the data already harvested,  as well as rewrite the application to be more aggressive in it's harvesting. 

The other scenario is malicious apps appearing cool and fun and a "must have". These apps would offer you a service (chocolate) as a killer app - something you just have to have. And you would invite all your friends to use it too. By offering the coolest, it will become popular, and thus the road is open to harvest and use information. Information that you normally only would share with friends only.   

---

In enters the Social Engineer. Uses the information about you, collates it with other info shared on other sites, creating a complete profile of you, your interests, your family, friends, co-workers, neighbors and so forth. 

Perhaps one day he bumps in to you at the local mall. Or calls you because "someone said that you could be interested in ..." 

Having a complete profile of you, he (she) would know all the answers, and thrill you into doing anything. Given enough time, and a valuable target, there are no limits to what can be achieved. 

---

Given this outlook - perhaps it is best to continue as before - in ignorance. Hoping that "it will never happen to me".  

---

I gotta run.

Just got this incredible, almost unbelievable, opportunity! This complete stranger called me out of nowhere!

See you in a bit!  

---

Ka-zing. 

---

(Thanks to Liquidmatrix / Dave Lewis. And man, do I love that cartoon!)

Except – this particular post was written in English, by a Norwegian. Further, the message pointed to a service I had a very hard time imagining that my contact would be promoting.

Yes, yes, I know, I am a bit too paranoid!

Anyway, I contacted my friend, and as I suspected, she had not posted this – or the 150 other messages posted to her contacts. I started to poke around a bit, and pretty soon she admitted that she had experienced other strange episodes lately.

One of the other signs where that when on MSN, MSN would disconnect her, stating that she where being loged on using a different computer. Unlike some of us, she only had one computer she used for this.

I started to suspect that a key logger or other spyware had infected her computer, and made sure that she changed her log on details (username and passwords) on all the services she uses – and that she did so from a different computer.

The next step now is to reformat and reinstall the OS and applications – just to make sure that any software that may have been hidden is gone for good. Did I mention I am paranoid?

I also told her to go to the police – not because I think they can do anything about this event – but to make sure the event ends up in the statistics.

She may have picked up the key logger while browsing the net. She might have got it through a download – or by an email from a friend. Or by a large number of other means available to hackers. She might also have left her credentials while using her friends computer.

It does not really matter in this case. What does matter is her statement when I started to ask about the spam message on Facebook:

“I received reactions from my other contacts too – and I told them I had not done it. I thought it was just a system error, and wasted no more time considering it”.

(Emphasized by me)

And here we have the base of the challenge – normal users are not able to tell a threat from an error. Heck, sometimes us pro’s have problems with the very same challenge! And as threats evolve, and gets better at hiding, the harder it gets to know for sure.

I remember reading about this a while back – how all the errors in IT-systems have taught users that when unexpected things happen, it is just an error. Just restart and get on with it. (Please provide link if you know the story – I am unable to find it…).

And the result today is that when you do not understand what is going on with the computer, you just write it off as a “system error”, and get’s back on to what you where doing.

We spend a large amount of time to teach users how to deal with security. But if we are not able to teach them the difference between a system error and a plain security threat – how can we ever expect to succeed?

The interest children (of all ages) put forward sometimes also turns in a bad direction. Children use Facebook and similar services to ditch out negative comments of classmates and friends. Comments like “You look like shit on that picture” may easily be perceived just a negative as a blow in the stomach out in the courtyard.

The question arises – what can we as parents do to avoid this? Three things come to mind:

1. Avoid all exposure to the ‘net and computers. Doable? Probably, but will be tough. Smart? Sure, if you want your kids to be left outside. Desirable? Not unless you enjoy sticking your head in the sand.
2. Leave the kids do whateva. Doable? Sure, just look the other way. Smart? Sure – just don’t act surprises when the police, child molesters and other visitors knocks on your front door. Desirable? Not if you care.
3. Be an active part of the experience. Doable? Might be hard, but absolutely! Smart? Obviously – it will require some investment in time on your part, but you will learn a lot of computers and the ‘net in general, you will learn a lot about your kid(s), and you may be able to share your opinions and common sense. Desirable? Well, if you need ME to answer for you, you may want to review the two other options…

So how can you take active part in the experience? In the workshops I run for parents, I make the parents come up a few simple rules. Usually these rules follow these lines:

1. Take active part – by asking questions and being interested. Try to follow the use of technology – even though it seems abstract and difficult. Some possible means:
1. weekly/monthly meeting to discuss what is going on
2. Contracts – kids love contracts – add some control, and make sure you include incentives!
2. Dare to ask questions if you do not understand what is going on. Also involve other parents.
1. “Do you know the real names of your friends on MSN?” This question gives you an idea if your kid chats with friends, and may help you determine that “Jon” really is a 45-year old child molester in your neighboring county.
2. How do you use “x” (insert Facebook, MSN, MySpace, or whatever you wonder about)? This question may help you understand what is going on, and how these tools are used – in positive and negative ways.
3. Do you know if anyone at your school/class/group has received any negative comments/mails/threats? This question may help you determine if harassment is taking place.
3. Take control. Make sure you and your kid understand that there are some rules, and that those rules are to be followed.
4. Allow for privacy. Make sure your kid (and yourself) realizes that although you need to have a certain control, he/she has rights to privacy. Thus, build a relationship based on trust. (See point 1.b above).
5. Encourage your kids to actively use the technology. Even if you do not understand it all (I know I don’t), you may still help your kid get the most of the ‘net by encouraging the use. Learn a few basic rules, like source control (i.e. the higher the number of sources on the ‘net, the higher the likeliness of the accuracy of the information), and that nothing is certain even if it says so on the Internet.
6. Be aware of privacy rights, copyright notices and user licenses. Many services are free in monetary terms, but you have to give up some rights (information, use of images etc).
7. Not only Gold is glimmering. Particularly true for younger kids – but the ads gets better every day. The point is to teach your kid to be critical, and not click on everything that seems cool/nice/shiny etc. Many security threats are installed simply by a click.
8. Keep updated. Make sure that your computer, your software and yourself is updated at regular intervals. Your computer and software have patches – very often automatic updates that you only need to enable. To update yourself, take active part. Spend some time every week to read and study the technology, discuss with other parents and teachers.
9. Use the technology – make sure to install and use the security software necessary. Firewalls, Antivirus, Antispam and similar tools are the bare minimum.
10. Enjoy! Have fun! This may seem opposite to the other rules – but if you are not having fun, what is the point?

Please contact the author with your comments – and feel free to add your own ideas and rules.

Dear anonymous (I would much rather prefer to say Dear John),

First - I post this as a blogpost instead of a reply to your comment on my post about Jamparii. 

Thank you for your input. As I know you are not only claiming to do what you say, but actually are trying to build your own tool for business networking, I would much rather that you did enter your own name, John.

However, what you are pointing at is true in all new ventures. It does take capital to build success. And there are several different paths to choose from. Jim has chosen one path, and John, you took another path.

My experience tells me that the path of money alone is not enough. To build a successful networking site, you need quality. You need content. You need active users. And you need a value proposition to your users.

Linkedin, Xing and Facebook are three successful networking tools, but they are very different. Ecademy and Viadeo are others. Myspace and Orcut are there too. Just to name a few of your competitors. They offer value. Distinctive value. And they have success. 

You need to present a clear value to me before I will even consider your new tool. No matter how you choose to finance you venture. Scam or not.

This is about risk as well. Do you have what it takes to break the bank? Did you consider all options? Have you done your homework, so you know how to position yourself?

What if you fail? What if it takes twice the time to break even? Or three times the time? What if you only secure half the funds you need? What if only one tenth of the required users actually signs up? 

So the question to you two competitors - do you have the BUZZ?