Friday, July 30, 2010

Facebook Security

How collection of Facebook data affects you

The Facebook Data Torrent Debacle: Q&A

Security concerns over Facebook have been raised yet again after a security consultant collected the names and profile URLs for 171 million Facebook accounts from publicly available information. The consultant, Ron Bowes, then uploaded the data as a torrent file allowing anyone with a computer connection to download the data.


Simon Davies a representative of the U.K.-based privacy watchdog Privacy International accused Facebook of negligence over the data mining technique, according to the BBC. Facebook, however, told the British news service that Bowes actions haven't exposed anything new since all the information Bowes collected was already public.

So what are the security risks? Should you be concerned? Let's take a look.

What data was collected?

Ron Bowes, a security consultant and blogger at Skull Security, used a piece of computer script to scan Facebook profiles listed in Facebook's public profile directory. Using the script Bowes collected the names and profile URLs for every publicly searchable Facebook profile. All together, Bowes said he was able to collect names and Web addresses for 171 million Facebook users. That's a little more than a third Facebook's 500 million users. (Click image above to zoom)

What did he do with the data?

Bowes compiled this list of text into a file and made it available online as a downloadable torrent.

How many people have downloaded the torrent?

The Pirate Bay lists 2923 seeds and 9473 leechers for the torrent file at the time of this writing. Seeds are people who have downloaded the entire file and are uploading to others. Leechers are actively downloading the file.

Is this a big deal?

That depends on who you ask. Facebook points out that some of the data Bowes collected was already available through search engines like Google and Bing. The entire data set is also available to any user signed into Facebook. So the data was already publicly available, and nobody's private Facebook data has been compromised. Nevertheless, this is the first time that 171 million Facebook profile names have been collected into one set of files that can be easily analyzed and searched by anyone.

What could a malicious hacker use the data for?

As Bowes pointed out in a blog post, someone could use this data as a starting point to find other publicly available user data on Facebook. After all, you have to wonder how many of these 171 million Facebook users have publicly exposed e-mail addresses, phone numbers and other information on their profiles?

It has been proven time and again that the more a bad guy knows about you the greater your security risk is. Collecting personal data allowed a French hacker to steal confidential corporate documents at Twitter. Researchers were alarmed when Netflix wanted to release anonymous user data including age, gender and ZIP code for the Netflix Prize 2. Security researchers said the data dump by Netflix was irresponsible since it is possible to narrow down a person's identity just by knowing their age and ZIP code. The contest was eventually canceled. One Carnegie-Mellon study also found a flaw in the social security numbering system that could allow a sophisticated hacker using data mining techniques to uncover up to 47 social security numbers a minute.

How do I know if my name was caught in the data dump?

From your Facebook profile dashboard click on 'Account' in the upper right hand side of your dashboard. Select 'Privacy Settings,' and then on the next page under 'Basic Directory Information' click on 'View Settings.' You should see a page similar to the image above. If the first listing called "Search for me on Facebook" is set to "Everyone." Then chances are, your name and profile URL are in the torrent file. (Click image to zoom)

You should also check to see if external search engines like Google and Bing are indexing your profile. To do this go back to your main privacy settings page, and at the bottom click on the "Edit Settings" button next to "Public Search." On the next page, if the "Enable public search" check box is ticked then search engines are indexing your profile. To stop this just uncheck the box and then click on "Back to Applications."

My name is not in the public directory should I be concerned?

If you were not in the public directory Bowes says your name is not in the torrent file. However, you could be exposed to similar data mining techniques in the future. Bowes says that if any of your Facebook connections have made their friends lists public then your profile could easily be found through data mining your friends' profiles.

What can I do to keep my information private?

The biggest concern isn't so much about your name and profile URL being exposed. The greater concern, for you anyway, is the publicly available information contained on your profile page.

To protect yourself, you may want to reconsider your current privacy settings. To do that visit your Facebook profile's Basic Directory Information page by following the steps listed above or just click here.

On the top right of the page you should see a button that says "Preview My Profile." Clicking that button will show you all the information you make public on Facebook. Data you may want to consider hiding includes your hometown, birth date, age, phone number, current city and e-mail address.

So what do you say? Is Bowes' data dump making your rethink your Facebook profile settings or are you not concerned?

No comments: