Friday, 7 September 2007

Facebook: Welcome to the World of Google Hacking

To be completely honest, sites like Facebook have the same appeal to me as reality TV, which is almost zero! Anyway, a friend of mine bullied me into setting up an account on Facebook a couple of months back. But being a typical paranoid security guy, I didn’t upload any photos or post any personal information other than my name and a fake date of birth. I guess it’s the most boring Facebook page on the whole site!

The way I understood it, Facebook was supposed to be a private network, where you add links and share your personal information, including work and educational history, with friends, work colleagues, former classmates and so on. Significantly, you either had to accept an invite or have your own invite accepted by another party before your information was shared.

But here’s the big scary change: Facebook are now allowing members’ personal information to be accessible by everyone, even non-members. We are not just talking about private pictures either, but information such as people’s date of birth, which is often used as a typical security question, especially when you are asked to prove who you are or asked to reset a password.

Within the next few weeks, Facebook profiles will be indexed and be fully searchable by search engines like Google and Yahoo. The art of “Google Hacking” is about searching for information about a target (person). For example, a fraudster may have already obtained some of your private details elsewhere; they will then use a search engine like Google to fill in all the blanks, building the full picture and completing the profile. This is especially commonplace when you are talking about identity theft, which is on the rise in the UK.

You might be really surprised what’s searchable on Google about you; just give it a go. When demonstrating Google hacking in the past, I have actually found people’s mobile phone numbers and even full home addresses.

Apparently there is a way to prevent your Facebook profile details from going into search engines like Google, but a friend of mine, who is an avid Facebook user, couldn't find the option to do it.

7 comments:

Tyler Reguly said...

Can you say FUD?

Have you read, or even looked at what is available to the public, or did you just see 'Profile' and 'Search Engine' and come to your own conclusion?

Facebook will be making LIMITED profiles available, these profiles contain even less information than is contained in Facebook's current search results.

Addresses, Dates of Birth, Messages, Contact Info, Pictures (other than your profile thumbnail) will NOT be available unless you go into your privacy settings and purposely make them available.

So your name and potentially a picture of you will be available... Big Deal.. I'm sure I could find that anywhere.. Hell WhitePages.com gives me at least your name and full address and even guesses at your age (within a 5 year range) and Progressive will tell me which cars you own.

So I really don't see how this bothers you.. It's your name.. you are misrepresenting what is available and spreading FUD... You label yourself the IT Security Expert but what you are doing here is disgraceful... you're attempting to frighten people with no reason (other than your hatred of social network sites).

Mike Gates said...

This comment has been removed by a blog administrator.

Dave Whitelegg CISSP said...

Sorry, on reflection I had to delete the comments in response to the original comment on this blog entry. PLEASE DO NOT MAKE PERSONAL INSULTING COMMENTS, it's not clever and doesn't serve the point of this blog, although I really value opinions and different points of view.

Mike Gates said...

Tyler can you say Naive?

Clearly you don't know the first thing about privacy and internet security, have you any idea what you are talking about and Facebook's track record?

I think you are well out of your depth here, I suggest you start reading up on the subject, try http://privacy.cs.cmu.edu/courses/dp1/refs/facebook/FaceBook.pdf rather than immaturely posting comments on subjects you know little about. If there is something you disagree with in a blog, go ahead and make your point, you really must be insecure if you feel you need to try and character assassinate while making your feeble points. Just wake up and smell the coffee well ya.

Dave I'm disappointed, how come you removed my comments yesterday and left this kid's insulting comments up? That Love / hate with Google mate, I can relate ;)

Dave Whitelegg CISSP said...

Thank you for your comments Mike, I think you know which words forced me to reject your original post; I'm glad you found time to reword and repost, you are right Facebook has had its privacy issues in the past.

That link you posted about Facebook was slightly dated but still a very interesting read and a good reminder to those not fully in the know, it covers most of the reasons why I don't encourage (I don't hate) social networking sites, just to correct your link (you missed the .pdf off) http://privacy.cs.cmu.edu/courses/dp1/refs/facebook/FaceBook.pdf

I'm not going to waste my time responding to the original comments, as I plan to do a post on the ills of social networking sites and "Google Hacking Techniques" later in the month. As for personal digs against me, when you have been in Information Security as long as I have, you become really thick skinned, it's water off my back, but many thanks for your support.

I will say this on social network sites: I often go into schools to educate the children (and indirectly their parents) about the dangers of the internet, it is part of my volunteer work as a CISSP. The number of parents who are completely oblivious to what their kids are posting online is really frightening, and then there's the really bad stuff I have come across, like kids videoing bullying (by just attacking the victim for the sake of it) with their mobile phones and uploading it...I'm rambling on again aren't I...

Anonymous said...

ok people it is not about privacy settings we aren't morons we do that shit but the problem is that people get our passwords from programs and hack in our account pretending to be us... yes this has happened to me and i don't want to know some idiot advice that u have to keep ur password hidden cause i do very much so the issue is what can we do to stop them from doing that not seeing our stuff but by talking to our friends and saying mean stuff pretending to be us

Syarifbajaber said...

you can h*ck facebook, google, gmail and more.
with java script left behind h*cking with html basic properties.
how?
simple, just create new email yahoo and 30 hour old ago. you have verification from new mail.
javascript with html just basic pro h*cking all for email, banking and security provider big work.
thanks for all your info..