Hand-out:do:Nothing (social media security settings with Facebook used in examples)




University of Oxford Information Security
infosec@it.ox.ac.uk: www.it.ox.ac.uk/infosec/protectyourself/socialmedia/

Social engineering is a way of fooling you into disclosing information. It's nothing new, but with social media sites like Facebook, it has become easier than ever to harvest personal information from unsuspecting targets. By obtaining personal information from your account - simple details like your birthday, your phone number, or your location - hackers might be able to unlock the account recovery features of your other online accounts. This might eventually lead to your credit card information or your identity. A ladder of access can be put together.

It's common sense but the information you should never give out on social media games or quizzes includes:
- Mother's maiden name
- Personal banking details
- Password
- Other Personally Identifiable Info (PII): where you live, social security or phone number.

Ask yourself: "If someone was out to get me, my family, or my department, could any of this information help them?"

Social Media is a target for social engineering attacks. But you can:
1. Set up Login Approval to keep attackers out of your account
   Use a strong and unique passphrase
   Set up Trusted Contacts to help you when you get hacked
2. Use secure Web connections https://
3. Secure your privacy settings (and don't overshare, and don't expect anonymity)
4. follow social media guidelines to protect other staff and readers
5. know what to do if hacked!

1. The examples in this hand-out use Facebook, the principles are the same for blogs, YouTube, Twitter, Google+ and Gmail, etc.
Go to an Internet browser on the computer and enter www.facebook.com/ in the Web address bar. Login to Facebook.

Education Enhancement team in Academic IT Services; Information Security, IT Services. Feb 2015

1a. Set up login approval for Facebook
Login Approvals is Facebook's two-factor authentication feature (an added layer of security that requires a code to be entered to complete the login process if Facebook doesn't recognise this device).
When you're logged in to Facebook:
- CLICK Down arrow [top right corner]
- CLICK Settings [near the bottom of the menu]
- CLICK Security [left hand menu] >> main menu: Login Approvals >> CLICK Edit

Then check box "Require a security code to access my account from unknown browsers" [An unknown browser is a computer or phone you haven't used before]
Follow the instructions, e.g. identify devices or your mobile number. And to enter the 6-digit PIN texted to you.

And if you also have Facebook as an app on your tablet or phone, instead of texting you the secret code the Facebook app will generate a code for you to use. To do this, from the Security settings screen: CLICK Edit next to Code Generator.

And you can print a list of codes. Click on the Get Codes link in the Login Approvals section. A printed list will be helpful if:
- you know that you aren't going to have access to your phone
- mobile signal is poor
- you are traveling
- your phone dies a lot

And to get notified when it looks like someone else is trying to access your account CLICK Edit next to Login notifications.

You should set-up two-factor authentication on any sites that offer it: including Twitter, Google/Gmail, LinkedIn, etc. This means a hacker has to have not only your username and password, but to also have access to your mobile device.

Use a dedicated email address for Facebook
If you use an email account that you also use for banking or other sensitive information, then all of these are at risk if your Facebook account is ever hacked. Change to a new email address from one of the free email providers like gmail.

Use a strong and unique passphrase on Facebook
Don't use the same passphrase on any other account - you MUST not use your Oxford passphrase! For help in choosing a strong passphrase see http://www.it.ox.ac.uk/infosec/protectyourself/passwords/

1b. Set up Trusted Contacts in Facebook
This lets your friends help you if you're having trouble logging into your account - maybe you forgot your passphrase or worse you've been hacked - it's an account recovery feature. Choose 3-5 people:
- who use Facebook frequently;
- you trust, like friends you'd give a spare key to your house;
- who are not likely to lock you out of your account for a joke!
- you can reach without using Facebook, ideally over the phone or in person, since you'll need to contact them when you can't log in.
The more friends you choose, the more people who can help you when you need it.

Go to the Security menu (find out how in 1a. above) i.e.:

- CLICK Down arrow [top right corner]
- CLICK Settings [near the bottom of the menu]
- CLICK Security [left hand menu] >> main menu: Trusted Contacts >> CLICK Edit

2. Use secure Web connections https://
Be careful when using public Wi-Fi spots and public computers (hotel foyer etc.). Pay close attention when asked to sign in online. Most importantly, check to see if the Web address begins with https:// The s means that your connection to the website is encrypted and more resistant to snooping. Facebook uses https by default. So if https does not display in the Web address or a padlock is not visible (in some Internet browsers this could be on the left or the right of the address) then logout.

3. Be more mysterious and secure your privacy settings

3a. Be careful what you post, where you post, and when:
- Don't over share, e.g. on holidays
- Think about your children's safety (and their future digital identity)
- Beware of shoulder-surfing (when someone watches you and can see you enter your password etc.)

3b. Reputation
E.g. 1OneMinuteNews on YouTube: http://youtu.be/s-qin0rsb5i

3c. Can you spot a social media hoax?
Beware of social media hoaxes. The worst of these hoaxes are attempts to gain access to your data. Your Facebook could get hacked or your account could be used to trick your friends. Be suspicious of everything on Facebook and surf the Internet defensively.
- Don't click a link which says "Hey is this really a picture of you?"
- Spot key phrases used in scams like sentences that begin with "Did you know...?" and "Can you believe...?" These phrases entice you to click when you probably shouldn't.
- Never enter your password.
- On Facebook follow www.facebook.com/facecrooks and www.facebook.com/snopes/
- Check if a post is a hoax or a scam e.g. by entering some of the text in a search engine, or www.snopes.com or www.facecrooks.com and other guides.

3d. Future posts and posting now
3d. i. When you post or change your About on Facebook you should check that the audience setting is set to Friends or something more restrictive. (Exceptions will be when you're using Facebook as an engagement channel for work.)
3d. ii. To change who can see your future posts to Friends - When you're logged in to Facebook:
CLICK Padlock [top right corner] >> CLICK "Who can see my stuff?"

CLICK Friends at "Who can see my future posts?"
3d. iii. To see what your timeline looks like to a specific friend:
- Click "What do other people see on my Timeline?" This lets you see what your timeline looks like to the Public
- And you can type in the name of a specific friend over the words "View as Specific Person"

3e. Set other Privacy settings
3e. i. When you're logged in to Facebook:
- CLICK Padlock [top right corner]
- CLICK "Who can contact me?"
- Set who can send you friend requests. If you want people from your past to be able to locate you, then you'll have to set this to Everyone.
- Select if you want Basic or Strict filtering for your inbox.
- Learn how do you stop someone from bothering you?
3e. ii. Then CLICK See More Settings: (screenshot overleaf)
- Set Friends for "Who can look you up using the email address you provided?"
- Set Friends for "Who can look you up using the phone number you provided?"
- Set No for "Do you want other search engines to link to your Timeline?"

[Screenshot: BLOCKING MENU]

3e. iii. Then CLICK Blocking in the left hand menu (screenshot above):
- Set the Restricted List for friends that you only want to share public items with.
- Set the App blocking options to restrict invites from annoying applications and friends.
- Block users to stop someone from seeing your posts, from tagging you, inviting you, & chat.
3e. iv. Then CLICK Adverts in the left hand menu
- Edit these settings to No one
- Click Opt out on the section about "Adverts Based on Your Use of Websites or Apps Outside of Facebook"

3f. Review your past
Use Activity Log to view your posts, what you've been tagged in, photos etc.
- You can edit, or delete individual items
- You can look at ALL photos for example, and change the audience settings for all
- When you delete remember that if something has been online for only a little while copies may exist somewhere else

3g. & 3h. Change in your privacy settings how you want friends to tag you or post on your timeline
CLICK Timeline and Tagging in the left hand menu
- Edit "Who can add things to my timeline?"
- Edit "Who can post on your timeline?"
- Edit if you want to "Review posts that friends tag you in before they appear on your Timeline?"
- Edit "Who can see things on my timeline?"
Manage tags people add and tagging suggestions:
- Edit "Review tags people add to your own posts before the tags appear on Facebook?"
- Edit "When you're tagged in a post, who do you want to add to the audience if they aren't already in it?"
- Edit [may be unavailable] "Who sees tag suggestions when photos that look like you are uploaded?" (this is something like facial recognition)

3i. Set your friend list visibility to Only Me
When cyber criminals hijack a Facebook account they extract as much data as possible for identity theft, and fraud, and to search for more victims. E.g. they could create cloned profiles of your account and then target everyone on your friends list. Similarly, you protect yourself a bit more when a friend's account is hacked.
- Go to your timeline
- CLICK Friends (below your cover image)
- CLICK the pen icon to Manage your friend list
- CLICK Edit Privacy
- CLICK Only Me

3j. Manage your apps
- Go to the Settings menu
- CLICK Apps in the left hand menu

- Move your mouse over an app
- CLICK the pen icon next to the app to Edit Settings
For every app:
- Toggle through the detailed settings
- E.g. what apps you're using outside of Facebook
- E.g. control the personal information that other apps can obtain
- E.g. review the privacy settings on posts made with older versions of Facebook's mobile apps
- Delete any app which appears too invasive
- Delete any app you don't use anymore
If you use Facebook on a phone or a tablet consider the permissions and terms of use that the app Facebook Messenger requires, e.g. see http://facecrooks.com/ and search for messenger

3k. Install an ad-blocker on your Internet browser
E.g. in the Google Chrome browser go to the settings icon (like a menu with multiple horizontal lines). Scroll down to Settings. Click Extensions in the left menu. Click Get more extensions and search ad-blocker. Try AdBlock Plus or one of the others.

4. Social media policies and response guides
There are guidelines about social media:
- Online Social Networking by UK government authorities ESG and CPNI http://www.cpni.gov.uk/documents/publications/2010/2010032-gpg_online_social_networking.pdf
- Social Media for Staff Policy Template by Jisc Legal http://jiscleg.al/smediaplicy
There are social media guidelines in preparation by HR policy writers at the University of Oxford, and by UCISA.

IT Services offers advice on engaging online with your audiences. For example you can adapt the suggestions about moderating comments in your blog and protecting your readers from spam and worse to most social media platforms:
- Creating a WordPress Site - securing your blog: https://creatingawordpresssite.wordpress.com/category/security/
- e.g. Set roles for the team, with more than one trusted person as admin (and all admins should enable 2-factor authentication): https://creatingawordpresssite.wordpress.com/2015/01/30/assign-different-roles-to-people-who-contribute-to-your-blog/
- and moderate comments and label tolerance level for negative responses: https://creatingawordpresssite.wordpress.com/2014/06/09/protect-your-blog/
- Ideas for how to cope with trolls, online bullying and sexual harassment, including "Creating a better Internet together!" in the Education Enhancement Team Blog: https://blogs.it.ox.ac.uk/eet/2014/02/13/creating-a-better-internet-together/

5. What if you're hacked?
The Information Security team are beginning to gather advice on our website, as well as providing some guidance for social media use in work: http://help.it.ox.ac.uk/service/information-security

If you entered your social media password on the wrong site, there is help out there! Immediately you MUST go to a different trusted computer and change your account's password, and you MUST contact your local IT support.
- Twitter:
  https://support.twitter.com/articles/185703-my-account-has-been-hacked
  https://support.twitter.com/articles/31796-my-account-has-been-compromised
- Facebook: to report your account has been hacked https://www.facebook.com/hacked
- Facebook help centre https://www.facebook.com/help/131719720300233/
- and Facecrooks guides include:
  - Four Things You Need To Do If Your Facebook Account Gets Hacked http://facecrooks.com/safety-center/four-things-you-need-to-do-if-your-facebook-account-gets-hacked.html/
  - How a Friend's Hacked Facebook Account Can Compromise Your Privacy and Security http://facecrooks.com/internet-safety-privacy/how-a-friends-hacked-facebook-account-can-compromise-your-privacy-and-security.html
  - Fake Facebook Profiles and Pages the Tools of Scammers, Bullies and Thieves http://facecrooks.com/scam-watch/fake-facebook-profiles-and-pages-the-tools-of-scammers-bullies-and-thieves.html

Your Oxford username and passwords: If your Oxford email password or your single sign-on (SSO) has been given away contact IT Services, e.g. phishing@it.ox.ac.uk Do the same if you think someone else in the University has had their account hacked.

Licence
Hand-out: "do: social media security settings" by the Information Security team, University of Oxford, is licensed as Creative Commons Attribution-Non-Commercial-Share Alike 2.0 UK: England & Wales ( http://creativecommons.org/licenses/by-nc-sa/2.0/uk/ )