Cell Phone Pictures are Risky Business

I’ve spoken (but not yet written) on this and think it’s worth posting here to read:

Check Your Settings: Cell Phone Pictures Are Risky Business – Yahoo! News

Answer this question and paste the answer in your facebook status!!!

Let me repeat.  No.

No. No. No. No. No. No. No.

Why all the negativity you ask?

EXAMPLE: Where were you born?  Paste this question into your Facebook status (along with the answer) and tell all your friends where you were born.  Ask them to do the same!

Anyone want to guess what one of the most common questions people use for the password reset function on their bank accounts, credit card websites, or email is?  If you post this information, along with your email address, it gives someone most of the critical pieces of information needed to compromise an account.

What about this?

Answer these 10 questions and paste to your status.  Tell your friends to do the same and see how much you have in common:

  1. Where were you born?
  2. What is your sign?
  3. What is your favorite color?
  4. What is your favorite food?
  5. What do you do?
  6. What is your favorite movie?
  7. Are you a (insert a sports team name here) fan?
  8. Mac or PC?
  9. Dog or Cat?
  10. If you could go anywhere in the world where would you go?

I attended a presentation lately where this was said “if these people are REALLY your friends, they already know all this”.  So please don’t use that as a reason/excuse why you are publicising this information on your Facebook profile.  Most people may have technically “friended” you, but are loose social connections at best.

Given the number of changes to Facebook’s security settings, and the fact that most people don’t have them set correctly, you can quickly see how these types of posts give entirely too much information to someone who shares a group with you or is a friend of a friend.

Since your profile already provides your location, possibly your birthday, school, email address, etc., one can approximate enough information to figure out where you are and how old you are.  In most locations there are probably only 2-3 major banks in the area, too.  So, someone has enough information to target your online banking account and/or your email account.  They aren’t going to have to guess or break your password.  They’re going to use all the information they’ve gathered about you to reset your password.

Anyone recall the issue with Sarah Palin’s email being “hacked”?  Well, “hacked” is giving the guy a bit too much credit.  Socially engineered is more appropriate.  He simply went to her email service (which was known to be Yahoo), clicked on the password reset function, and it prompted him:

  1. “What is your birthday?”
  2. “Where did you meet your husband?”
  3. “What is your zipcode?”

If you were to have gone to the governor’s website at the time, it proudly displayed two interesting pieces of information: she met her husband Todd in high school and she spent her entire life in Wasilla.  Since Wasilla only had two zip codes, it was easy to guess.  A simple Wiki search will tell you her birthday.

So since we are not all high-profile public figures with a ton of information about us on the Internet (though if you are, thanks for reading my post!), it’s probably best that we don’t voluntarily put this information out there for anyone to snag.

Here’s my litmus test: Would this be something you’d feel comfortable telling a stranger on the street?  Probably not.

Just say no! BlackBerry + Facebook = Security FAIL

Point 1:

I’m not the biggest fan of any RIM device, though I do utilize one for my job.

Point 2:

I support the development of applications for mobile devices.  Applications are key to driving the adoption and growth of many of the new “smart” (and I use that term loosely) phones on the market.

Point 3:

Applications, regardless of what platform they are developed for, should all be done securely and efficiently.  And in that order.

What the heck does all this have to do with the BlackBerry and Facebook????

Here: http://www.spylogic.net/2010/02/facebook-spam-on-blackberry-devices/

Thanks to the guys that really spend a lot of time reviewing social media stuff (especially Tom Eston and Kevin Johnson), who have noted that specifically crafted SPAM messages will show up as a Facebook notification in your Facebook for BlackBerry application.

What makes this troublesome from an information protection standpoint is that the Facebook application is actively scanning your email inbox.  In the case of many, many BlackBerry users, this is not your personal email, but your corporate email.  Of the 13,934,752 monthly active users (according to facebook.com), I’m sure you all read the EULA when you installed the app, right?  That’s another post…

To be fair, this is how the application is presented to the end user: “Facebook for BlackBerry smartphones allows BlackBerry smartphone users to connect their friends’ profile pictures, Facebook names, and company names to existing BlackBerry smartphone contacts in the Contacts application. Facebook for BlackBerry smartphones updates the caller ID pictures of your synchronized friends with their latest profile pictures.”

So in order to do this, the application has full access to your contact names.  So if you’re on a corporate BES, the information contained therein is your corporate email directory?  Uh, yeah.  So corporate BlackBerry users with the Facebook app are willingly providing a valid contact list for their entire company.  My understanding of SPAM and capitalism is that this is quite valuable information and can be sold to email distribution list providers quite readily.  Can someone please point me to the data management policy that protects this information from disclosure?  I’d be ecstatic if it existed.

To all the BlackBerry users:

Rather than send out 14,000,000 apologies, I put it out there now.  Sorry.  But if you have this app installed on your BlackBerry, uninstall it.  NOW! Do not finish reading this post; uninstall the app and come back to finish the post.

I trust (which is always a bad thing) that when you provide a signed application, you have performed a review of how the application behaves on your device and that it doesn’t do anything we don’t expect.  Like skim our emails and contact information.  Much like an application requests permission to utilize your GPS coordinates (which is another bad thing), why would you not have the same request when an application wants access to your personal information and email?

Let me check here… Options – Security Options – Application Permissions -….  hmmm I’m sure the app is on here, let me look again…

Options – Security Options – Application Permissions -… nothing.  So, when I install Facebook for BlackBerry devices, it doesn’t ask me for any permissions?  NONE?!?  FAIL!

But wait, during the setup there is an option to “allow” access to your messages, calendar, and contacts.  First, the statement that it will send a copy of your contacts to the Facebook site should be alarming enough.  But worse yet, it seems that turning all of these off during the setup did not affect a SPAMmer’s ability to inject a properly crafted email.  I infer from this that it still reads emails from your message list.  So can I expect it will also send contacts even if I ask it not to?

To all BES admins (you know who you are):  (updated May2010)

It appears that RIM may be slightly at odds with the application developers here.  In the 5.0 release of BES, the settings that allow an end user to do this are set to FALSE by default, which is what I would expect those settings to be.  It is my hope at this point that you are running BES 5.0.  If so, please make certain the IT policy Disable Organizer Data Access for Social Networking Applications is used.  I also understand that this is backwards compatible with BES 4.x installs, so everyone has the opportunity to enable this policy.