To share or not to share… that is the question

   Let me just throw this out there: The safest and most secure social networking profile is the one that doesn’t exist.  In a recent conversation I had with Martin Roesch, author of Snort and CTO of Sourcefire, he sad that “If you want to minimize your risks, then talking to anyone and sharing any information about yourself that has value is a bad idea but then, getting on a social network probably isn’t for you”.  You’re probably reading this article because you’d like to continue enjoying social networking site, we’ll move right along.

Passwords?  NO, Passphrases!

   I’ll spare you the greater passphrase lecture for later, but for now trust me that passphrases are more secure than passwords.  Instead of something like “Br549!” as a password, use something like “I like my cat his name is Bill.”  The idea is that by using a sentence the passphrase will inherently be longer, and thus harder to crack and harder to steal.  It also makes it easier to remember, so you’ll be less likely to write it down.  Here’s the problem though, only Facebook really supports them (good job guys).  MySpace limits your password to a maximum of 10 characters (come on, really?) and Twitter won’t let you use spaces in your passphrase.  So why have this conversation to begin with?  Well, for now at least you can make your Facebook password REALLY secure.  For the others, you’ll have to resort to good old fashioned complex passwords using upper and lower case letters, numbers, and special characters (Yeah, I know.. that’s a big giant fail whale).

To change your password in Facebook, hover over the Settings link in the upper right hand corner and choose Account Settings.  From there click the Change link out from the Password heading

Change your MySpace password by clicking the My Account button and choosing the Password link.  You’ll need to enter your current password, the new password, and then type out the Captcha letters in the image it shows.

To change your password on Twitter, click the Settings link and choose the Password tab.  You’ll again need to enter your current and new passwords.

You’re how old again?

   In my mind, the next step to protecting your identity online is totally removing your birth date from your profiles.  Publishing this information seems like a good idea because it lets your friends and family track your birthday better and it further identifies you to your friends. The problem is it further identifies you to your friends!  If we think about it, our birthday is used quite frequently as a means to authenticate us.  The last time you visited your doctor’s office they undoubtedly asked you your name and date of birth as soon as you walked through the door.  In addition to this, researchers at Carnegie-Mellon University recently discovered that they could guess your social security number simply by knowing the town you were born in (another common piece of information we share about ourselves) and the date you were born (click here for the full article).  You really don’t need further reasoning than that.  Just get rid of it. 

On Facebook, your birthday can be listed two different places.  One is the information panel on the side

…and the other is on the info page of your profile, under Basic Information 

You can actually make it disappear from both places simply by clicking the Edit Information button on the Info page and then choosing Don’t show my birthday in my profile from the dropdown listing.

While you’re at it, go ahead and change the birthday listed to something other than your real birthday.  This may seem like a bit of overkill, however a recent Facebook hack which allowed people who weren’t your friends to view your personal info (click here for the full article) reminds us that it’s best just to not have that information listed at all (yes, you may be surprised to find out that I wasn’t really born on Independence Day).

On MySpace this same operation is done by clicking the triangle next to the profile listing and then choosing Edit Profile.

Once there, click the Basic Info and edit away (this is done the same way regardless of if you’re using the original profile tool or the new Profile 2.0 setup).

Both Facebook and MySpace require that you’re at least 13 years of age for your profiles to be publically searchable (parents take note; it’s a common practice for children to say they’re older than they really are so it’s easier for their friends to find them online… it also makes it easier for “you know who” to find them as well) so keep that in mind when you’re making up a new birthday.

Twitter doesn’t even ask you to provide this information.

Yo Momma!

   Another feature of Facebook is the ability to list your family members.  This is can be done by either using the Family Members section of your Basic Info page or through add-on apps like the Family Tree App (more on these apps in a second).

As harmless as this may seem, it is a common practice for women to list their maiden name in their profiles.  By associating your children with yourself and listing your maiden name, we’ve given away a critical security question answer commonly used by credit card companies and home security companies.  You’ll note that more established online family tree websites, like ancestry.com, will hide all pertinent information about your relatives that are still living for this very reason.  Again, just get rid of it!  This is done by again editing your Info page and clicking “cancel relationship”.

Even if your children are not old enough to own credit cards yet, I’d still recommend doing this.  At this point it’s really hard to tell how long this information could possibly hang around (potentially forever), and at the end of the day it’s just not necessary for the social networking experience.  

Ummm… I’m sorry sir, but you’re not on the list.

   The next recommendation I’d make is that you consider making your profiles private.  This is somewhat of a site culture thing, so I won’t harp on this one too much.  The culture on Facebook is to have your profiles limited to only your friends.  MySpace is kind of in the middle with some people protecting their profiles and some people not, and your age really almost defines which of those camps you fall into.  Twitter on the other hand is arguably useless if you lock your profiles down, although I’ll add that with the influx of spam accounts people are slowly migrating in that direction.  With this in mind I would offer that if you choose to leave your profiles open for public viewing, remember that your profile is open for public viewing! Stating that you’re going to be out of town for the next two weeks probably isn’t the best idea (click here for an article on man who found this out the hard way).  It’s easy enough to use sites like anywho.com to combine your name and current city to come up with your street address.  Oh, and saying that you hate your boss is probably not a good idea either.  Employers are watching (click here for the full article). 

   If your profile is currently public and you’d like to make it private, here’s how it’s done.  In Facebook, hover over the Settings link in the upper right-hand corner and choose Privacy Settings.

On the next page, click the Profile link and you’ll be taken to a page that allows you to edit who can see your Basic and Contact Information.  On both of those pages, ensure that all are set to Only Friends.

Facebook has recently announced that it will be adding more granularity to its security settings in the near future.  This translates to potentially more confusion on how to keep your updates and posts private.  Check back to this site for updated information as soon as the changes are made.

   On MySpace this is accomplished by clicking the My Account button in the upper right hand corner and then clicking the Privacy link.  If you’re using the original profile type you’ll select Only My Friends Can View My Profile, however if you’re using the new Profile 2.0, you’ll need to select that for each category listed.

   On Twitter, click the Settings link in the upper right hand corner.  Scroll to the bottom of the Account tab and you’ll notice a check box that says Protect My Updates.  This will make your updates viewable only to those people who are following you, and will ask you to approve any new followers.

In addition to the note given about the fact that some of your previous updates could still be searchable, also take note that you’ll need to go through your current followers and block those that you don’t want to see your posts. 

It’s all about the apps man!

   The last thing I’ll mention is concerning Facebook apps.  I can’t tell you how many times I’ve been invited to join Mafia Wars on Facebook, and quite simply I’m just not interested.  What does this have to do with security?  We just don’t know who wrote these applications, and they all want direct access to your personal information.  To my knowledge nothing catastrophic has happened because of installed apps yet, but it seems to like an accident waiting to happen.  My advice: ignore the requests and don’t install add-ons.  If you’ve got a burning desire to install them, at the very least stick to the more widely known ones that have been around for a while.  For good measure, look at your current list of installed applications and see if there are some you can get rid of.  To accomplish this, click the Applications button in the bottom left hand corner of your Facebook page and choose Edit Applications.

From the Show dropdown box, choose Authorized

This will now present you with a page that lists all the applications that are authorized in your profile.  You may be surprised what you find.  To remove an application from your profile, click the X out from the application.  It will prompt you with a message asking if you’re sure, click Remove.

   So there you have it… at the very least a good start to protecting your identity while using social networking sites.  The ultimate goal is that you at least consider what it is you’re sharing with the greater internet community… and hopefully think twice before telling the world everything.

Be careful out there guys! =)

– Dan Thompson