Is one of your facebook friends a criminal?

or

Is teaching non-geeks and especially 16-30yr old non-geeks about online safety/security futile?

Note: Names, dates, timescales and details have been changed to protect the innocent and the guilty.

Over the last couple of days a “friend” of mine, let’s call him Peter, has been assisting a police force (not Hampshire police) in using facebook to gather some publicly available information regarding someone… let’s call him/her “Penelope”. “Penelope” is involved in crime; in fact “Penelope” is involved in more serious crime than perhaps she even knows. “Penelope” is a pawn in a scam which I’ll blog about some other day. The scam that she’s involved with is one of many scams (419s, romance scams etc) originating from the same place. It’s organized crime for sure; proper, nasty, organized crime.

So why should you care? 

Well, you or your son/daughter may well be facebook-friends with “Penelope”, or another “Penelope”.  “Penelope” is a criminal, and “Penelope” is almost certainly facebook-friends with more serious criminals, and so on, and you/your son/daughter are sharing all sorts of useful information with “Penelope” and her friends.

Still don’t get it?

Peter,  the one who was helping the police, was shocked by what he found out while surfing publicly available information on facebook.  This shouldn’t have been a surprise to him, but it was. This is what shocked him…

  • People will “facebook-friend” just about anyone, often having many hundreds, if not thousands, of “friends”. Essentially they’re promiscuous social networkers, collecting “friends” like they’re in some kind of race to have the most facebook-friends.
  • People post all sorts of personal information: real DoB, telephone numbers, email addresses etc.
  • They also post when they’re going on holiday and, arguably more useful, when the entire family are going on holiday, where they’re going and for how long.
  • Their photos depict their houses (where keys hang), flat screen TVs, games consoles, laptops etc.

and finally…

  • Somewhat revealing/saucy/provocative pictures of themselves. Not just regular pictures, but provocative – not a great idea really. This is especially concerning if this is your daughter (I’m guessing boys are less of a target). Do all those hundreds of “friends” have your daughter’s best interests at heart….? Maybe, but maybe not.

Your personal information + criminals = potentially very bad news

I must stress that the criminals we looked at are linked to other, more serious criminals and so on. I wouldn’t rely on some honor-between-thieves mentality.

How easily do you or your kids compromise your Security/Privacy?

Peter decided he wanted to see just how easy it would be to make some new friends and essentially be invited into their homes (well, their facebook wall, info and photos).

Peter set up an account on facebook a few days ago; it was linked to an account on gmail that he’d also set up a couple of days ago. Had it not been Peter’s real name, he’d have been breaking facebook’s Terms of Service (thought I’d point that out).

Armed with his account, he uploaded a profile photo and some basic information.

Now let’s assume “Penelope”’s facebook wall wasn’t open to everyone (for argument’s sake) and that Peter wanted to see what “Penelope” was up to. Fortunately for Peter, he could facebook search for “Penelope” using her email address (he found her email address on another social network via a regular google search). From here, Peter was able to see “Penelope”’s friends, all 804 of them (maybe a few more or less). FWIW, if you don’t have the email address, you could just find your mark’s friends on another social network site/google, and search for your mark via their friends list. Peter tells me that works just fine.

Peter wasn’t able to see “Penelope”’s Wall or Photos, so he decided to make friends with some of “Penelope”’s friends (after all, she has over 800, what does another matter?). Why? Well, “Penelope”’s settings were obviously not set to allow “Everyone”, so maybe they were set to allow “Friends of Friends”.

Armed with this thought, Peter figured he’d pick the friends of “Penelope” who had more than 1000 friends (Yes, 1000! WTF? You’d be forever attending birthday parties) and “friend” them. Sure, some would say “who are you? go away”, but Peter only needed one “friend” to test his theory, pretty good odds.

5 minutes later and Peter was friends with one of “Penelope”’s friends. Bingo! “Penelope”’s Photos! Yes! Peter continued “friending” a few more of “Penelope”’s friends. A few (fewer than 5) of them had some vetting questions that went a little like this via facebook chat.

“Penelope”’s friend #1: Hey, do I know you?

Peter: You know my friend “Penelope” in Basildon. Forgive me, I’m just getting started on fb

“Penelope”’s friend #1: “Penelope”? nah it’s ok?

“Penelope”’s friend #2: Hey, do I know you?

Peter: I’m a friend of “Penelope”’s, just getting started and that. I added a few people and might have added too many.

“Penelope”’s friend #2: eh man cool, well “Penelope”’s my sister lol

Within a couple of hours, Peter had 14 new friends. Not bad. He also had photos of “Penelope” at an event and the dates of the event, so he figured he’d try to facebook-friend “Penelope”. “Penelope” was a little more suspicious than her friends; here’s roughly how that chat went…

“Penelope”: Hey, do I know you?

Peter: Hey, yeah. We were at <event> a few weeks ago. You and some other people suggested I should get on facebook.

“Penelope”: I don’t remember you, lol are you sure?

Peter: yeah, it was <date>, you were talking about your new dog. I could sure use some help getting started with facebook.

“Penelope”: Well you know a lot of my friends so you must be cool

That was it… friends. I hope these people don’t get jobs with airport security. Can you imagine?

Airport security: Have you got anything to declare?

Bad guy: No

Airport security: OK, thanks, have a safe flight

Peter didn’t find anyone not friending him. In fact, in two days Peter had 50 “friends” including “Penelope” and her sister.

What’s the point?

If you and/or your kids have hundreds and hundreds of “friends”, do you know if one of them is involved in crime? And *if* they’re involved in crime, how interested do you think they’ll be when you/your child announces that you’re going on holiday for a week… somewhere hot? How interested do you think they’ll be that you’ve got a new flat-screen TV? How easy do you think it would be for a criminal/burglar to invent a very plausible story to satisfy your neighbours?

“Oh, I’m looking after the house while X & Y are on holiday, their daughter XYZ is friends with my daughter ABC… Looks like someone’s broken the window so I’m just boarding it up.”

If they’re an altogether different criminal (there are some sick people out there), how interested do you think they’d be that your daughter is going to XYZ party? They might be especially interested if your daughter has posted picture after picture after picture of herself wearing arguably provocative outfits…

…I’m not suggesting your kids shouldn’t dress up (fancy dress is fun after all), but maybe you or they don’t really want those types of pictures plastered all over the Internet, together with their location, address, phone number.

I’m also not suggesting to avoid social networks altogether, after all, they’re great fun and a great way to keep in contact with people.

What can you do to protect yourself a little bit better?

1. Lock down your facebook privacy settings.

Here’s an article you might find useful. Let me know if you find other useful articles. http://thenetwork.typepad.com/architectureofideas/2010/02/from-private-to-public-building-a-teenagers-capacity-to-network-pt-1.html

The following two screen shots show “bad” versus “good” privacy options.

Image: Bad (or at least open) privacy settings

Image: Better facebook privacy choices

2. Don’t accept invites from friends you don’t know (and know to be them) or set up two accounts… no wait, that breaks the facebook Terms of Service. You could use one social media platform (say, Twitter) for broad public stuff and lock down the other platform (say, facebook) to friends you really know.

3. Don’t put your phone number, home address or your primary email address on facebook. There’s no need.

4. You might consider using an alias, a different name or nickname (although, I guess most people aren’t that paranoid).

5. Don’t advertise when you’re going on holiday, especially if the whole family are going along and your house is empty. MrsSuggmeister also suggests that you don’t tell people when you’re in the pub (good tip).

6. Easy on the saucy/provocative pictures.

7. Posting pics of your kids? Just bear in mind those pics could result in some playground teasing if your photos are open to the world.

Of course, there’s an unwritten caveat with all digital content. Just because something is private today doesn’t mean that it will be private tomorrow, i.e. if you really want to keep something under wraps, don’t put it on a social media site, don’t email it, don’t put it on the web.
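The difference between the “Friends” and “Friends of Friends” settings described in this post, as an added example that is not part of the original post: a short Python sketch that works out who can see your content under each setting and which of your friends lets in the most strangers. The friend graph, account names and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed friend graph (undirected); every name here is made up.
EDGES = [
    ("you", "alice"), ("you", "bob"), ("you", "collector"),
    ("alice", "bob"), ("bob", "carol"),
    # "collector" accepts requests from anyone, including a days-old account
    ("collector", "stranger_1"), ("collector", "stranger_2"),
    ("collector", "new_account"),
]

def build_graph(edges):
    """Turn a list of friendships into an adjacency map."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def audience(graph, owner, setting):
    """Accounts that can view owner's content under the given setting."""
    friends = set(graph[owner])
    if setting == "friends":
        return friends
    if setting == "friends_of_friends":
        reach = set(friends)
        for friend in friends:
            reach |= graph[friend]
        reach.discard(owner)
        return reach
    raise ValueError(f"unknown setting: {setting}")

def strangers_via(graph, owner):
    """Per friend: non-friends who reach owner's content only through them."""
    friends = set(graph[owner])
    result = {}
    for friend in friends:
        via_others = set()
        for other in friends - {friend}:
            via_others |= graph[other]
        result[friend] = graph[friend] - friends - via_others - {owner}
    return result

if __name__ == "__main__":
    g = build_graph(EDGES)
    for setting in ("friends", "friends_of_friends"):
        print(setting, sorted(audience(g, "you", setting)))
    ranked = sorted(strangers_via(g, "you").items(), key=lambda kv: -len(kv[1]))
    for friend, extra in ranked:
        print(friend, "lets in", sorted(extra))
```

With “Friends of Friends”, the size of your audience is set by your least selective friend rather than by you.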

Conclusion

I asked the question “Is teaching non-geeks and especially 18-30yr old non-geeks about online safety/security futile?”

Well, there are always going to be some deaf ears, and for the current batch of 16-30 year olds, it’s probably a little late to radically change behaviours, but that doesn’t mean we should give up.

I also have a vague recollection that Bruce Potter commented “Privacy is dead, just get over it”, although I could be wrong about that and if I am… sorry Bruce. In any case, it’s pretty true. As a society we walked headlong into this non-private state. Just because privacy is arguably dead doesn’t mean we should broadcast every detail of our lives in a Truman Show-esque manner.

Back to answering the question. Based on Peter’s observations, I’d suggest that internet safety should be incorporated in the school curriculum in the same way that the following are:

  • road safety
  • sex education
  • anti smoking / anti drug awareness
  • and in some places… cooking (food technology or whatever it’s called these days)

So NO, it’s not futile, but we do have to teach this stuff and drive it home, just like we have for the above.

If people are educated to be able to make an informed choice to flaunt their privacy, that’s for them/their parents to decide, but they have to understand it’s probably irreversible.

Bonus material for Maltego geeks

Peter provided this view on “Penelope” and her links to really bad guys (maybe they are linked to really, really bad guys). He used @singe’s Facebook transforms for Maltego… and they worked a dream. The image below shows you (or your son/daughter), “Penelope” and then her direct link to a really bad guy (you don’t want to mess with really bad guys).

That’s how close you might be to really serious nasty business.

Image: Maltego graphic of facebook friends. Degrees of separation between you (your son/daughter) and really nasty criminals

Maltego just gets better and better, doesn’t it ;-)

Oh, final thought… if you need to scrape information for something like facebook (performing repeated clicks to display “older posts”), head over to iOpus and check out iMacros.