Hand-out: Security and Privacy online: Social Media
University of Oxford Information Security: http://www.it.ox.ac.uk/infosec/

Social media is a target for “social engineering attacks”. But you can:
1. Set up two-factor authentication to keep attackers out of your accounts
2. Set your privacy settings (but don’t expect anonymity)
3. Be cautious about apps, friends and connections, and posts (don’t overshare)
4. Set up Trusted Contacts in Facebook
5. Set Admin Roles for your work’s page in Facebook
6. Moderate your blog and set your blog’s security and other settings
7. Attend the Security and Engage social media courses and activities

What is “social engineering”?
Read www.sans.org/reading_room/whitepapers/privacy/disney-princess-you_33328 [PDF]

In security, this has a very different meaning from the political or economic term. Social engineering is a way of fooling you into disclosing information. It’s nothing new, but with social media sites like Facebook it has become easier than ever to harvest personal information from unsuspecting targets. By obtaining personal information from your account - simple details like your birthday, your phone number or your location - hackers might be able to unlock the “account recovery” features of your other online accounts. This might eventually lead to your credit card information or your identity: a “ladder of access” can be put together.

It’s common sense, but the information you should never give out in social media games or quizzes includes:
- Mother’s maiden name
- Personal banking details
- Password
- Other Personally Identifiable Information (PII): where you live, social security or phone number

Ask yourself: “If someone was out to get me, my family, or my department, could any of this information help them?”

What can go wrong? Hacked!
Mat Honan, WIRED: “How Apple and Amazon security flaws led to my epic hacking”
www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

Set up 2-step verification for Google
When you’re signed in to Gmail > Gear wheel > Settings > Accounts and Import > Change account settings > Other Google Account settings > Security [left hand menu] > 2-step verification > Settings > Go through the process of having a six-digit verification code sent to you via text or an automated phone call.

Education Enhancement team in Academic IT Services, Information Security, IT Services, Nov 2013, p1

Set up login approval for Facebook
When you’re logged in to Facebook > Gear wheel [top right corner] > Account Settings > Security [left hand menu] > Login Approvals > Edit > Check the box “Require a security code to access my account from unknown browsers” [an unknown browser is a computer or phone you haven’t used before] > Follow the instructions, e.g. identify devices or your mobile number > Enter the 6-digit PIN texted to you.

Set up a verification code for Twitter
When signed in to Twitter > Settings > Account security > Require a verification code when I sign in. [You need to add a phone to your Twitter account to enable this.]
And / Or > Settings > Account security > Require personal information to reset my password

What can go wrong?
Privacy
www.nytimes.com/2009/07/06/world/europe/06britain.html

Set my privacy settings in LinkedIn
Move your cursor over your name (top right of any LinkedIn page) and select the Settings option, or go to https://www.linkedin.com/settings
- Manage the ads I see: Settings > Account > Privacy Controls > Manage Advert Preferences
- Sharing my data with third party apps: Settings > Account > Groups, Companies and Applications > Privacy Controls > Manage Advertising Preferences >
  o Turn on/off data sharing with 3rd party applications
  o Manage settings for LinkedIn plugins on third-party sites
- Mail from third parties: Settings > Account > Email Preferences > Turn on/off partner InMail
- Visibility of my connections: Settings > Account > Profile > Select who can see connections
- Visibility of my “Profile” picture: Settings > Account > Profile > Change your profile photo & visibility
- Visibility of my “Profile” content: Settings > Account > Profile > Select what others see when you've viewed their profile
- Visibility of my “Profile” content: Settings > Account > Profile > Edit your public profile

Set my privacy settings in Facebook
- Who can see my future posts? Public / Friends / Friends of Friends. Change this setting every time I post or add a photo. E.g.: Logged in to Facebook > Click the privacy settings [padlock icon, top-right corner of the page] > Who can see my stuff? > Use Activity Log.
- Use Activity Log: to review all my Facebook posts and what I'm tagged in
- What do other people see on my Timeline?
- Whose messages do I want filtered into my Inbox?
- Who can send me friend requests?
- How do I stop someone from bothering me?

Other Privacy Settings and Tools in Facebook
Click the Padlock icon in the top right of Facebook > Privacy Settings >
o Who can see my stuff? > Scroll down to the bottom > See More Settings > To limit the audience for old posts on my timeline
o Who can look me up using the email address or phone number I provided? Do I want other search engines to link to my Timeline?
o How my account interacts with ads: Gear icon > Privacy Settings > Adverts (left hand margin) >
  - Facebook Adverts: Third Party Sites > Edit > If we allow [apps or networks to use your name or picture in adverts] in the future, show my information to = No-one
  - Ads & Friends > Edit > Pair my social actions with adverts for = No-one
o Who can see who I’m friends with in Facebook?
  - On my Profile page > Friends > Edit > Who can see your friend list?
  - On my Profile page > Update info > scroll down to > Relationship/Family
o What info am I sharing with Facebook apps: Gear icon > Privacy Settings > Apps [left]

Review what else I am sharing on Facebook
o Verify the audience settings when you: “Like” a page; change links and details on “About Me” (religious and political views, relationship status and location); Post.

Be careful what you post, where you post, and when
- Don’t over share, e.g. on holidays, and beware of shoulder surfing etc.
- Use https, always, and be careful of public wi-fi hotspots
- Beware of social media hoaxes; read www.snopes.com, www.facecrooks.com and other guides. The worst of these hoaxes are attempts to gain access to your data.
  o E.g. “How to Lockdown Your Facebook Account For Maximum Privacy and Security” http://facecrooks.com/Internet-Safety-Privacy/how-to-lockdown-your-facebook-accountfor-maximum-privacy-and-security.html and “Facebook Graph App Privacy” www.snopes.com/computer/facebook/graphapp.asp
- Be careful when responding to “trolls”
- IT Services courses and advice: “Social Engage” and Security and safety online

Beware of shortened URLs
Shortening of URLs is essential (e.g. Twitter’s 140 characters), but we’ve lost the human / automated check of the Web address. So before you click:
- Search for the information using a search engine
- Do you trust the source that sends the shortened link? Is it really from your friend? Ask them.
- Is it provoking an emotional response, or exciting / sensational? Is it too good to be true?
- Examine the target address by using a link expanding service, like www.longURL.org
- In Twitter, hover your cursor over shortened links to see the full address
- Install a plug-in (add-on, extension) to expand shortened links on any website
- Read email in plain text (before viewing the HTML version), and don’t automatically download pictures

Be selective of friends and connections: “On the Internet nobody knows you’re a dog!” http://en.wikipedia.org/wiki/File:Internet_dog.jpg
- Don’t auto-follow on Twitter
- Be cautious of Apps. Read e.g. “The Socialbot network: when bots socialize for fame and money”, 2012, University of British Columbia, http://lersse-dl.ece.ubc.ca/record/264/files/ACSAC_2011.pdf. A solution is to ensure that you use the "Friends" or "Custom Settings" to restrict who can view your postings, and ask your Friends to do the same. The problem seems to arise when people use the "Friends of Friends" or "Public" settings.

What can go wrong? Hung-over!?
“What Happens At Mardi Gras Parties…” 12 Feb 2013 by Sarah Downey on the Abine blog “Online Privacy”: www.abine.com/blog/2013/what-happens-at-mardi-gras-parties-ends-up-on-facebook/

Other important Facebook privacy settings you can change:
- Who can post on your timeline and who can see what others post there
- Review posts that friends tag you in before they appear on your timeline
- Who can see [face recognition] suggestions when photos that “look like you” are uploaded

What can go wrong? Compromise your future career! E.g. 1OneMinuteNews on YouTube: http://youtu.be/s-QIN0rsb5I

Shoulder surfing! Also be careful when using public Wi-Fi spots and public computers (hotel foyer etc.)
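The shortened-URL advice above says to examine the target address with a link expanding service before clicking. As an added example (not code from the hand-out, and not longURL.org’s own service), this small Python expander walks a shortened link’s redirect chain with HEAD requests, so the destination page itself is never fetched, and flags a plain-http destination; the shortener, tracker and destination hosts are constructed sample data.

```python
# Added example, not from the hand-out: a stand-in for a link expanding
# service. It follows a shortened link's redirect chain hop by hop with
# HEAD requests and reports every hop plus simple warnings. fetch_head is
# injectable: the demo runs offline against the constructed responses below.
import http.client
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}
# Constructed sample responses: url -> (status, Location header or None).
SAMPLE_RESPONSES = {
    "http://sho.rt/a1b2": (301, "https://track.example/r?u=4"),
    "https://track.example/r?u=4": (302, "/go/4"),             # relative Location
    "https://track.example/go/4": (302, "http://dest.example/page"),
    "http://dest.example/page": (200, None),                   # plain-http landing page
    "http://sho.rt/loop": (302, "http://sho.rt/loop"),         # redirect loop
}

def offline_head(url):
    """Offline fetcher returning the constructed responses above."""
    return SAMPLE_RESPONSES.get(url, (404, None))

def live_head(url, timeout=5):
    """Real HEAD request that deliberately does not follow the redirect."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def expand_url(url, fetch_head=offline_head, max_hops=5):
    """Return (chain, warnings): every URL on the way and what to check before clicking."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch_head(chain[-1])
        if status not in REDIRECTS or not location:
            break                           # landed: no further redirect
        nxt = urljoin(chain[-1], location)  # resolve relative Location headers
        if nxt in seen:
            return chain, ["redirect loop"]
        seen.add(nxt)
        chain.append(nxt)
    else:
        return chain, ["more than %d hops" % max_hops]
    warnings = []
    if urlparse(chain[-1]).scheme != "https":
        warnings.append("final page is not https")
    if len(chain) > 2:
        warnings.append("%d intermediate redirects" % (len(chain) - 2))
    return chain, warnings
```

To inspect a real link, call expand_url(url, fetch_head=live_head) and read the chain before deciding whether to visit the final address.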
Use secure Web connections (“S” in https = “always-on SSL” (Secure Sockets Layer)):
o LinkedIn: Settings > Account > Manage security settings
o Twitter: Settings > HTTPS Only
o Gmail: Gear wheel > Settings > Browser connection > Always use https

Set up Trusted Contacts in Facebook
This lets your friends help you if you’re having trouble logging into your account - maybe you forgot your password or, worse, you’ve been hacked - it’s an account recovery feature: https://www.facebook.com/notes/facebook-security/introducing-trusted-contacts/10151362774980766
Choose 3-5 people:
- who use Facebook frequently;
- you trust, like friends you’d give a spare key to your house;
- who are not likely to lock you out of your account for a joke!
- you can reach without using Facebook, ideally over the phone or in person, since you’ll need to contact them when you can’t log in.
The more friends you choose, the more people who can help you when you need it.

Set Admin Roles for your work’s page in Facebook
If anyone has their Facebook account compromised, then pages under their control are in jeopardy:
- Assign different roles to staff when they contribute to the Facebook page of your department or project, see https://www.facebook.com/help/583181978367528;
- Require all admins to have Login Approvals enabled on their Facebook account. This requires users to enter a code they receive via text message if Facebook doesn’t recognize the device they are logging in from. So, even if a hacker obtains their password, they still wouldn’t be able to access their Facebook account (and your page) without the code;
- Have more than one trusted person as a page admin. If the primary admin changes job or is otherwise unavailable, you will still want to have access to the page.

Take responsibility for your blog and for others’ comments
- Don't post anything online that you wouldn't say in person
- Be selective about posting about your on-going research, although social media is an excellent way to share “prototypes”
- Be cautious about posting photos or the names of other people if you are involved in a sensitive issue
- Do take responsibility not just for your own words, but for the comments you allow:
  o Don’t bulk approve comments; be careful when approving via emails (NB plain text)
  o When is it acceptable to delete comments from a blog post? Label your tolerance level for abusive comments; accommodate negative responses and respond if appropriate; delete comments because of “content” or spam. See “Deleting Principles” on ‘Talking Philosophy: The Philosophers' Magazine Blog’, blog.talkingphilosophy.com/?p=2174
- Social Media guidance from IT Services: Engage Social Media http://blogs.it.ox.ac.uk/engage/, “Oxford 23 things”, Engage podcasts

What can go wrong? Trolls
Dr Melissa Terras, UCL, on “Is blogging and tweeting about research papers worth it?”: podcasts.ox.ac.uk/search?terms=Is+blogging+and+tweeting+about+research+papers+worth+it

What can go wrong? Online bullying and sexual harassment
“Put yourself out there, but you’re on your own with the cybercreeps” (Times Higher Education, 21 November 2013) - a study by a scholar who was harassed online finds that academics are vulnerable (Dr Sara Perry, lecturer, University of York): www.timeshighereducation.co.uk/news/academics-face-the-cybercreeps-alone/2009183.article

What if I think I’m being harassed or bullied (in any way)?
o Follow the University’s advice www.admin.ox.ac.uk/eop/harassmentadvice/ and “What if I am being harassed on social media?”
o “Block” that person’s account, and follow the site’s procedure to report this www.admin.ox.ac.uk/ouss/psafety/

Make a social media response guide
Based on your Unit’s culture: the University; research organisation; funding body; College.
- “The US Air Force Blog Assessment” chart as featured in www.globalnerdy.com/2008/12/30/the-air-forces-rules-of-engagement-for-blogging/
- “Online Social Networking” by UK government authorities ESG & CPNI www.cpni.gov.uk/documents/publications/2010/2010032-gpg_online_social_networking.pdf

The moderator’s responsibilities
- Check the comments settings for your blog, e.g. “Blogger Commenting Options” from eHow www.ehow.com/info_10013556_blogger-commenting-options.html
- Check the security settings of your blog, e.g. “Essential WordPress Security Tips” www.tipsandtricks-hq.com/essential-wordpress-security-tips-is-your-blog-protected-987

What if:
- I entered my password on the wrong site?
  o You MUST immediately go to a different trusted computer and change your account's password, and you MUST contact your IT helpdesk. Also contact e.g. phishing@it.ox.ac.uk, who want to know about attempts to hack University accounts.
- My Twitter account has been hacked:
  o If your account has been compromised but you're still able to log in: https://support.twitter.com/articles/31796-my-account-has-been-compromised#
  o If you think you've been hacked and you're unable to log in with your username and password: https://support.twitter.com/articles/185703-my-account-has-been-hacked#
- My Facebook account has been hacked:
  o Use your ‘Trusted Contacts’ https://www.facebook.com/notes/facebooksecurity/introducing-trusted-contacts/10151362774980766 and http://www.facebook.com/hacked
- I think someone else’s account in the University has been hacked?
  o Contact them direct & their local IT support, and e.g. phishing@it.ox.ac.uk

Be safe and secure online – courses and advice
Safe surfing; Spotting phishing scams; Cloud document security; Social media; Secure passwords; Data protection; Secure your PC or Mac; and an Overview.
Advice on the InfoSec pages, e.g. “Protect Yourself” www.it.ox.ac.uk/infosec/, the University’s Information Security Policy, and the team’s Toolkit.
ASK! The Education Enhancement team in Academic IT Services http://blogs.it.ox.ac.uk/eet/

Licence
Hand-out: "Security and Privacy online: Social Media" by the InfoSec team, University of Oxford, is licensed under Creative Commons Attribution-Non-Commercial-Share Alike 2.0 UK: England & Wales (http://creativecommons.org/licenses/by-nc-sa/2.0/uk/)