Social Media - IT Services Help Site

Hand-out: Security and Privacy online: Social Media
University of Oxford Information Security: http://www.it.ox.ac.uk/infosec/
Social media is a target for “social engineering attacks”. But you can:
1. Set up two-factor authentication to keep attackers out of your accounts
2. Set your privacy settings (but don’t expect anonymity)
3. Be cautious about apps, friends and connections, and posts (don’t overshare)
4. Set up Trusted Contacts in Facebook
5. Set Admin Roles for your work’s page in Facebook
6. Moderate your blog and set your blog’s security and other settings
7. Attend the Security and Engage social media courses and activities
What is “social engineering”?
Read www.sans.org/reading_room/whitepapers/privacy/disney-princess-you_33328 [PDF]
In security, this has a very different meaning from the political or economic term. Social engineering is a way of fooling you into disclosing information. It’s nothing new, but with social media sites like Facebook, it has become easier than ever to harvest personal information from unsuspecting targets.
By obtaining personal information from your account - simple details like your birthday, your phone number, or your location - hackers might be able to unlock the “account recovery” features of your other online accounts. This might eventually lead to your credit card information or your identity: a “ladder of access” can be put together. It’s common sense, but the information you should never give out in social media games or quizzes includes:
 Mother’s maiden name
 Personal banking details
 Password
 Other Personally Identifiable Information (PII): where you live, social security or phone number
Ask yourself “If someone was out to get me, my family, or my department, could any of this
information help them?”
What can go wrong? Hacked!
Mat Honan, WIRED: “How Apple and Amazon security flaws led to my epic hacking”
www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
Set up 2-step verification for Google
When you’re signed in to Gmail > Gear wheel > Settings > Accounts and Import > Change account settings > Other Google Account settings > Security [left hand menu] > 2-step verification > Settings > Go through the process of having a six-digit verification code sent to you via text or an automated phone call.
Education Enhancement team in Academic IT Services
Information Security, IT Services
Nov 2013, p1
Set up login approval for Facebook
When you’re logged in to Facebook > Gear wheel [top right corner] > Account Settings > Security [left hand menu] > Login Approvals > Edit > Check the box “Require a security code to access my account from unknown browsers” [“An unknown browser is a computer or phone you haven’t used before”] > Follow the instructions, e.g. identify devices or your mobile number > and enter the 6-digit PIN texted to you.
Set up a verification code for Twitter
When signed in to Twitter > Settings > Account security > Require a verification code when I sign in.
[You need to add a phone to your Twitter account to enable this.]
And / Or > Settings > Account security > Require personal information to reset my password
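The three walkthroughs above (Google, Facebook, Twitter) all switch on the same mechanism: a browser or phone the account has never seen must present a short-lived six-digit code on top of the password, and a device that has done so once is remembered and skips the code next time. The following Python model is an added example written for this hand-out; it is not code from the hand-out, Google, Facebook or Twitter, and it imitates the behaviour described rather than any site’s real implementation. The five-minute code lifetime, the five-attempt limit and the names LoginApprovals, begin_login, complete_login and forget_devices are assumptions.

```python
"""Model of the 'login approvals' / 2-step verification setting.

Added example, not code from the hand-out or from any social media site:
an unknown device must present a short-lived six-digit code (the one the
site would text you); a device that has done so once is remembered."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a texted code stays valid for five minutes
MAX_ATTEMPTS = 5         # assumption: at most five guesses per code


class LoginApprovals:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._trusted = {}       # user -> set of hashed device tokens ("known browsers")
        self._pending = {}       # user -> [hashed code, expires_at, attempts]

    @staticmethod
    def _digest(value):
        # Only hashes are stored: a copy of this table yields neither codes nor tokens
        return hashlib.sha256(value.encode()).hexdigest()

    def begin_login(self, user, device_token):
        """Called after the password has been checked.

        Returns None when the device is already trusted (no code needed), or the
        six-digit code that would be sent by text when it is not."""
        known = self._trusted.get(user, set())
        if device_token is not None and self._digest(device_token) in known:
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"   # uniformly random, leading zeros kept
        self._pending[user] = [self._digest(code), self._now() + CODE_TTL_SECONDS, 0]
        return code

    def complete_login(self, user, code):
        """Check the code. On success, mint and remember a device token for this
        browser (the caller would keep it in a long-lived cookie) and return it.
        Returns None if the code is wrong, expired, or has been tried too often."""
        entry = self._pending.get(user)
        if entry is None:
            return None
        hashed, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]   # one code, one window: a fresh code must be requested
            return None
        entry[2] += 1
        if not hmac.compare_digest(hashed, self._digest(code)):
            return None               # wrong guess; the code stays live until expiry or the limit
        del self._pending[user]
        token = secrets.token_urlsafe(32)
        self._trusted.setdefault(user, set()).add(self._digest(token))
        return token

    def forget_devices(self, user):
        """Drop every remembered device, e.g. after a suspected compromise,
        so that the next login from anywhere needs a code again."""
        self._trusted.pop(user, None)


if __name__ == "__main__":
    approvals = LoginApprovals()
    code = approvals.begin_login("alice", None)       # first login from a new browser
    print("code that would be texted:", code)
    token = approvals.complete_login("alice", code)
    print("device remembered:", approvals.begin_login("alice", token) is None)
```

The point the hand-out makes is visible in the model: a stolen password only gets an attacker as far as begin_login, which hands the code to the account holder’s phone, not to the attacker. The code is compared with hmac.compare_digest and capped at a few attempts because a six-digit value is guessable if tried without limit; forget_devices is the step to take after a compromise, since any browser remembered before the password change would otherwise stay trusted.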
What can go wrong? Privacy
www.nytimes.com/2009/07/06/world/europe/06britain.html
Set my privacy settings in LinkedIn
Move your cursor over your name (top right of any LinkedIn page) and select the Settings option, or go to https://www.linkedin.com/settings
 Manage the ads I see: Settings > Account > Privacy Controls > Manage Advert Preferences
 Sharing my data with third party apps: Settings > Account > Groups, Companies and Applications > Privacy Controls > Manage Advertising Preferences >
o Turn on/off data sharing with 3rd party applications
o Manage settings for LinkedIn plugins on third-party sites
 Mail from third parties: Settings > Account > Email Preferences > Turn on/off partner InMail
 Visibility of my connections: Settings > Account > Profile > Select who can see connections
 Visibility of my “Profile” picture: Settings > Account > Profile > Change your profile photo & visibility
 Visibility of my “Profile” content: Settings > Account > Profile > Select what others see when you've viewed their profile
 Visibility of my public profile: Settings > Account > Profile > Edit your public profile
Set my privacy settings in Facebook
Who can see my future posts? Public / Friends / Friends of Friends: Change this setting every time I post or add a photo. E.g.:
Logged in to Facebook > Click the privacy settings [padlock icon top-right corner of the page] > Who can see my stuff? > Use Activity Log.
 Use Activity Log: To review all my Facebook posts and what I'm tagged in
 What do other people see on my Timeline?
 Whose messages do I want filtered into my Inbox?
 Who can send me friend requests?
 How do I stop someone from bothering me?
Other Privacy Settings and Tools in Facebook
 Click the Padlock icon in the top right of Facebook > Privacy Settings >
o Who can see my stuff? > Scroll down to the bottom > See More Settings > To limit the Audience for old posts on my timeline
o Who can look me up using the email address or phone number I provided? Do I want other search engines to link to my Timeline?
o How my account interacts with ads: Gear icon > Privacy Settings > Adverts (left hand margin) > Facebook Adverts:
 Third Party Sites > Edit > If we allow [apps or networks to use your name or picture in adverts] in the future, show my information to = No-one
 Ads & Friends > Edit > Pair my social actions with adverts for = No-one
o Who can see who I’m friends with in Facebook? On my Profile page >
 Friends > Edit > Who can see your friend list?
 On my Profile page > Update info > scroll down to > Relationship/Family
o What info am I sharing with Facebook apps: Gear icon > Privacy Settings > Apps [left]
 Review what else I am sharing on Facebook
o Verify the audience settings when you: “Like” a page; change links and details on “About Me” (religious and political views, relationship status and location); Post.
Be careful what you post, where you post, and when:
 Don’t overshare, e.g. on holidays, and beware of shoulder surfing etc.
 Use https, always, and be careful of public wi-fi hotspots
 Beware of social media hoaxes; read www.snopes.com, www.facecrooks.com and other guides. The worst of these hoaxes are attempts to gain access to your data.
o E.g. How to Lockdown Your Facebook Account For Maximum Privacy and Security http://facecrooks.com/Internet-Safety-Privacy/how-to-lockdown-your-facebook-accountfor-maximum-privacy-and-security.html and Facebook Graph App Privacy www.snopes.com/computer/facebook/graphapp.asp
 Be careful when responding to “trolls”
 IT Services courses and advice: “Social Engage” and Security and safety online
Beware of shortened URLs
Shortening of URLs is essential (e.g. Twitter’s 140-character limit), but we’ve lost the human / automated check of the Web address. So before you click:
 search for the information using a search engine
 do you trust the source that sends the shortened link? Is it really from your friend? Ask them
 is it provoking an emotional response, or exciting / sensational? Is it too good to be true?
 examine the target address by using a link-expanding service, like www.longURL.org
 in Twitter, hover your cursor over shortened links to see the full address
 install a plug-in (add-on, extension) to expand shortened links on any website
 read email in plain text (before viewing the HTML version), and don’t automatically download pictures
Be selective of friends and connections:
 “On the Internet nobody knows you’re a dog!” http://en.wikipedia.org/wiki/File:Internet_dog.jpg
 Don’t auto-follow on Twitter
 Be cautious of Apps
 Read e.g. “The Socialbot network: when bots socialize for fame and money” 2012, University
of British Columbia http://lersse-dl.ece.ubc.ca/record/264/files/ACSAC_2011.pdf
 A solution is to ensure that you use the "Friends" or "Custom Settings" to restrict who can
view your postings, and ask your Friends to do the same. The problem seems to arise when
people use the "Friends of Friends" or "Public" settings.
What can go wrong? Hung-over!?
“What Happens At Mardi Gras Parties…” 12 Feb 2013 by Sarah Downey on Abine blog “Online Privacy” www.abine.com/blog/2013/what-happens-at-mardi-gras-parties-ends-up-on-facebook/
Other important Facebook privacy settings you can change:
 Who can post on your timeline and who can see what others post there
 Review posts that friends tag you in before they appear on your timeline
 Who can see [face recognition] when photos that “look like you” are uploaded
What can go wrong? Compromise your future career!
E.g. 1OneMinuteNews on YouTube: http://youtu.be/s-QIN0rsb5I
Shoulder surfing!
 Also be careful when using public Wi-Fi spots and public computers (hotel foyer etc.)
 Use secure Web connections (“S” in https = “always-on SSL” (Secure Sockets Layer)):
o LinkedIn: Settings > Account > Manage security settings
o Twitter: Settings > HTTPS Only
o Gmail: Gear wheel > Settings > Browser connection: > Always use https
Set up Trusted Contacts in Facebook
This lets your friends help you if you’re having trouble logging into your account - maybe you forgot
your password or worse you’ve been hacked - it’s an account recovery feature:
https://www.facebook.com/notes/facebook-security/introducing-trusted-contacts/10151362774980766
Choose 3-5 people:
 who use Facebook frequently;
 you trust, like friends you’d give a spare key to your house;
 who are not likely to lock you out of your account for a joke!
 you can reach without using Facebook, ideally over the phone or in person, since you’ll need to contact them when you can’t log in.
The more friends you choose, the more people who can help you when you need it.
Set Admin Roles for your work’s page in Facebook
If anyone has their Facebook account compromised, then pages under their control are in jeopardy:
 Assign different roles to staff when they contribute to the Facebook page of your department or project; see https://www.facebook.com/help/583181978367528;
 Require all admins to have Login Approvals enabled on their Facebook account. This requires users to enter a code they receive via text message if Facebook doesn’t recognize the device they are logging in from. So, even if a hacker obtains their password, they still wouldn’t be able to access their Facebook account (and your page) without the code;
 Have more than one trusted person as a page admin. If the primary admin changes job or is otherwise unavailable, you will still want to have access to the page.
Take responsibility for your blog and for others’ comments
 Don't post anything online that you wouldn't say in person
 Be selective about posting about your on-going research, although social media is an excellent way to share “prototypes”
 Be cautious about posting photos or the names of other people if you are involved in a sensitive issue
 Do take responsibility not just for your own words, but for the comments you allow:
o Don’t bulk approve comments; be careful when approving via emails (NB plain text)
o When is it acceptable to delete comments from a blog post?
 Label your tolerance level for abusive comments
 Accommodate negative responses and respond if appropriate
 Delete comments because of “content” or spam
 “Deleting Principles” on ‘Talking Philosophy: The Philosophers' Magazine Blog’ blog.talkingphilosophy.com/?p=2174
Social Media guidance from IT Services
Engage Social Media http://blogs.it.ox.ac.uk/engage/, “Oxford 23 things”, Engage podcasts
What can go wrong? Trolls
Dr Melissa Terras, UCL on “Is blogging and tweeting about research papers worth it?”:
podcasts.ox.ac.uk/search?terms=Is+blogging+and+tweeting+about+research+papers+worth+it
What can go wrong? Online bullying and sexual harassment
“Put yourself out there, but you’re on your own with the cybercreeps” (Times Higher Education 21
November 2013) - a study by scholar who was harassed online finds that academics are vulnerable
(Dr Sara Perry, lecturer, University of York):
www.timeshighereducation.co.uk/news/academics-face-the-cybercreeps-alone/2009183.article
 What if I think I’m being harassed or bullied (in any way)?
o Follow the University’s advice www.admin.ox.ac.uk/eop/harassmentadvice/ and
 What if I am being harassed on social media?
o “Block” that person’s account, and follow the site’s procedure to report this www.admin.ox.ac.uk/ouss/psafety/
Make a social media response guide
 Based on your Unit’s culture: The University; Research organisation; Funding body; College.
 “The US Air Force Blog Assessment” chart as featured in www.globalnerdy.com/2008/12/30/the-air-forces-rules-of-engagement-for-blogging/
 “Online Social Networking” by UK government authorities ESG & CPNI www.cpni.gov.uk/documents/publications/2010/2010032-gpg_online_social_networking.pdf
The moderator’s responsibilities
 Check the comments settings for your blog, e.g. “Blogger Commenting Options” from eHow www.ehow.com/info_10013556_blogger-commenting-options.html
 Check the security settings of your blog, e.g. “Essential WordPress Security Tips” www.tipsandtricks-hq.com/essential-wordpress-security-tips-is-your-blog-protected-987
What if:
 I entered my password on the wrong site?
o You MUST immediately go to a different, trusted computer and change your account's password, and you MUST contact your IT helpdesk. Also contact e.g. phishing@it.ox.ac.uk, who want to know about attempts to hack University accounts.
 My Twitter account has been hacked:
o If your account has been compromised but you're still able to log in: https://support.twitter.com/articles/31796-my-account-has-been-compromised#
o If you think you've been hacked and you're unable to log in with your username and password: https://support.twitter.com/articles/185703-my-account-has-been-hacked#
 My Facebook account has been hacked:
o Use your ‘Trusted Contacts’ https://www.facebook.com/notes/facebook-security/introducing-trusted-contacts/10151362774980766 and http://www.facebook.com/hacked
 I think someone else’s account in the University has been hacked?
o Contact them direct & their local IT support, and e.g. phishing@it.ox.ac.uk
Be safe and secure online – courses and advice
 Safe surfing; Spotting phishing scams; Cloud document security; Social media; Secure passwords; Data protection; Secure your PC or Mac; and an Overview
 Advice on InfoSec pages e.g. “Protect Yourself” www.it.ox.ac.uk/infosec/ and the University’s Information Security Policy, and the team’s Toolkit.
ASK!
The Education Enhancement team in Academic IT Services http://blogs.it.ox.ac.uk/eet/
Licence
Hand-out: "Security and Privacy online: Social Media" by the InfoSec team,
University of Oxford, is licensed as Creative Commons Attribution-Non-Commercial-Share Alike 2.0
UK: England & Wales (http://creativecommons.org/licenses/by-nc-sa/2.0/uk/)