Google+ Gets a “+1” for Browser Security | The Barracuda Labs Internet Security Blog

Barracuda compares Google+ and Facebook with respect to their use of SSL and secure headers. Google+ wins.

Lenny Zeltser on Information Security — Why There Are Fewer LinkedIn Scams and Malware Than Facebook Ones

Lenny Zeltser received some very good answers as to why there are fewer scams on LinkedIn than Facebook.

I think this is the best answer:

People’s LinkedIn interactions have a professional perspective. This frame of mind doesn’t generate the same social/emotional response as Facebook, which makes them more resistant to being tricked, suggested @adamshostack. In addition, @marypcbuk pointed out that people tend to pay more attention to their LinkedIn interactions, because they police their professional activities more carefully than personal ones.

Facebook interactions are much more free-flowing and emotional, while LinkedIn interactions, being professionally oriented, are more thoughtful. On LinkedIn people are more cautious because they are more concerned with their reputations.

The other answers definitely have merit as well.

Facebook scam: Guy that lives on my street killed his girlfriend today

Social Engineering creativity knows no bounds.

This one has been spreading for a couple of days, posing as a news story from one of your Facebook friends that someone who lives in their street has killed his girlfriend.

If you have been hit by scams like this on Facebook, and are struggling to clean up your profile, here’s a YouTube video I made which describes what steps you need to take.

Schneier on Security: Risk Reduction Strategies on Social Networking Sites

Two good ways to reduce security risks on social networking sites:

  • super-logoff – deactivate and log off
  • wall-scrubbing – delete wall messages and status updates

Thoreau Would Have Wanted You to Block Access to Facebook

John Pescatore harks back 59 years to the first direct-dial transcontinental telephone call, and 100 years before that to when the telegraph was spreading throughout the U.S., and compares that to Facebook.

Same thing going on in security today – next generation firewalls and secure web gateways are way less about blocking and way more about securely enabling connectivity of people and applications – applications like social networking…

Here are Cymbel’s links to next generation firewalls and secure web gateways.

Microsoft responds to Firesheep cookie-jacking tool – The H Security: News and Features

It’s hard to believe that Firesheep is only two weeks old. In response to Firesheep, Microsoft said it will convert its Hotmail / Windows Live email service to SSL. Google did this for Gmail some time ago, well before Firesheep.

Facebook says it will also address the issue in the coming months.

So there is no doubt that more and more web traffic will be SSL encrypted and hidden from corporate control. I wrote about this last week in Easy fix for Firesheep creates a problem for enterprises.

Easy fix for Firesheep creates a problem for enterprises

Using SSL encryption to connect to social networks like Facebook and Twitter mitigates the risk of your credentials being stolen when you are using public WiFi networks to connect to the Internet. But it creates a problem for enterprises attempting to control the use of social networking because most firewalls and Intrusion Prevention Systems are blind to SSL traffic.

The recent publication of Firesheep, and the subsequent download of over 104,000 copies of the Firefox plug-in in the last 24 hours, highlights this well-understood security flaw in the way social networking sites communicate with their users. Firesheep sniffs the WiFi network traffic to capture your user name and the established session ID for any of 26 sites including Facebook, Twitter, Amazon, and the NYTimes. This allows the Firesheep user to access any of these sites as you! This will not only reveal your personal information to the Firesheep user, but also allow them to impersonate you.

This article, Firefox Add-on Firesheep Brings Hacking to the Masses, provides a very good detailed explanation of how Firesheep works. The article also describes several readily available tools which enable or force the use of SSL for all traffic to sites that accept SSL. In other words, rather than just encrypting the exchange of identification and password credentials, all traffic is encrypted.

There is no doubt that using SSL is a good privacy protection control. However, SSL encrypted sessions will make it more difficult for enterprises to control the use of social networking because most firewalls and IPSs are not capable of decrypting SSL traffic. In other words, most firewalls and IPSs are blind to SSL traffic. An exception is Palo Alto Networks, the industry-leading Next Generation Firewall.
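A defender-side check for the mitigation discussed above, written here as an added example (it is not code from the original post or from any of the cited articles): it parses a server’s Set-Cookie and Strict-Transport-Security headers and flags session cookies that would still be sent in the clear over plain HTTP, which is exactly what a sniffer on an open WiFi network captures. The header samples are constructed, and the SESSION_HINTS list is an assumption about which cookie names carry a session.

```python
"""Audit HTTP response headers for the defences that blunt Firesheep-style
session hijacking: session cookies marked Secure (never sent over plain
HTTP) and an HSTS header so the browser refuses to fall back to HTTP.
Sample headers are constructed below; no network access is needed."""
import re

# Assumption: cookie names containing these fragments carry a session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_set_cookie(header):
    """Return (name, {attr_lower: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")  # flag attrs like Secure have no value
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit_headers(headers):
    """headers: list of (name, value) tuples as the server sent them.
    Returns a list of findings; an empty list means nothing to report."""
    findings = []
    hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            hsts = bool(m) and int(m.group(1)) > 0
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if not any(h in cname.lower() for h in SESSION_HINTS):
                continue  # only session-bearing cookies matter here
            if "secure" not in attrs:
                findings.append(f"{cname}: no Secure flag, sent in clear over HTTP")
            if "httponly" not in attrs:
                findings.append(f"{cname}: no HttpOnly flag, readable by script")
    if not hsts:
        findings.append("no Strict-Transport-Security: browser may fall back to HTTP")
    return findings

# Constructed samples: a Firesheep-era site next to a hardened one.
WEAK_HEADERS = [("Set-Cookie", "sessionid=abc123; Path=/"), ("Set-Cookie", "lang=en; Path=/")]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    print(audit_headers(WEAK_HEADERS), audit_headers(HARDENED_HEADERS))
```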

Facebook Insecurity as a Microcosm of All The World’s Security Problems

Gartner’s John Pescatore weighs in on the latest chapter in the ongoing Facebook privacy controversy.

Basically, what you see is Facebook taking several steps to protect its customers – advertisers. If they were trying to protect Facebook users, they would have taken very different steps. Because what you don’t see is any real attention to actually addressing the real vulnerabilities.

So, the key takeaway: make sure that you are the actual customer when you trust your data or your customers’ data to a social network or cloud service provider, or any other third party for that matter. A cloud provider can claim they are better at running a data center than you are, but if they are focusing on protecting their advertising revenue, not your data, that claim is meaningless.

Facebook Advertisers Can Glean Private Data – NYTimes.com

Privacy vulnerabilities continue to be revealed on social networking sites like Facebook and MySpace, reports the NYTimes. The Times describes two research papers which discuss how unethical advertisers can game social networks to determine people’s private profile information, such as sexual orientation.

Facebook counters that it has tools in place to prevent unethical advertiser behavior. However, Facebook realizes it needs to do more. In fact, Facebook announced that it is proposing to encrypt user IDs as a way to prevent the sharing of IDs with data brokers. But Facebook admits this will only “address the inadvertent sharing of this information on Facebook.”

Mashable weighs in with the obvious question, “Frankly, we think that encrypting the UID parameters within an iFrame is a good idea and a good first step towards accountability. Our big question is: Why is this only happening now?”

If you are looking for a clearer technical explanation of what the fuss is all about and of the limited step Facebook is proposing, read Ars Technica’s Facebook touts encryption as solution to security flaw.

Inside Facebook security, and how to better protect your account | Graham Cluley’s blog

Improve your Facebook account security by changing the default setting under “Account Security” for “Would you like to receive notifications for logins from new devices?”

The default is no. Change it to yes.

If I understand this correctly, you will get notified when any third party application logs in to post a message.

There is a caveat though:

Of course, one thing to beware is that it would be easy for hackers to fake an email to appear as though it were one of the messages from Facebook, warning you that your account had been accessed. And if in a blind panic you clicked on a link in that bogus email, you might be taken to a phishing site.

Or worse.