Sophos Labs has a great post about the Facebook attack they are calling “likejacking”. The way it works, in brief, is that an enticing item shows up on your wall or, even a bit more disturbingly, on any website. Hidden underneath that item is an invisible Facebook Like button (the trick is plain old clickjacking), so when you click it you have actually “liked” the page, it gets recommended to all of your friends, and the attacker cleverly gets you to infect yourself with malware.

One of the key defenses you can take against such attacks, other than to never click any links ever, is to be logged out of Facebook when you visit other websites. The hidden Like button lives in a frame loaded from facebook.com, and it can only act as you if your browser sends your Facebook session cookie along with that frame; logged out, there is no session for the button to use. You can read a bit more on some of the risks involved with Facebook’s interaction with other websites in this earlier post, and, of course, I always recommend you read my post on how to increase the security of your Facebook activity.

Bombing Facebook For Profit

The Atlantic’s Nicholas Jackson on the recent rash of Facebook spam links

From the article:

As soon as you click on any of the videos, you’re taken to FouTube, YoTube, FbVideo or another site where, once you take a second to look around, you’ll probably notice something is amiss and close your browser’s window. But by then it’s too late: The video has already been posted to your own Facebook wall as if you wanted to recommend it to all of your friends and, because we all spend too much time on the site, several have probably seen it.

But they tell you the solution, too (other than not clicking on the link in the first place):

To clean up your trail, visit your own wall and delete the shared post immediately.

And one security company, Sophos, chimes in:

if your phone number is shared on your wall, you might want to keep an eye on the bill.

If you followed my advice and tightened up your profile, you probably have nothing to fear.

Facebook Snitch Spy Bitches

Damn, this party turned ugly.

You may not have noticed, but Facebook is stalking you across thousands upon thousands of websites. The idea is that they are “helping” you by extending your numbly bumble “social graph” across these websites. They call this the Facebook Social Plugin, and I plan to do a little research into exactly *how* it works.

As far as you’re concerned, you did everything right. You followed my advice on how to set up your profile. You disabled social ads. You disabled every frivolous and narc-level plugin you could find. 

You may not have even cared. Even though you disabled Instant Personalization, you noticed that, from time to time, you would see your contacts’ activities prominently featured on, say,

This is seriously uncool, and you probably don’t want to allow this to continue to happen to you. Here’s why:

Despite the fact that Facebook pledges never to share your information with the websites that enable Social Plugins, the fact is that there is no way Facebook isn’t tracking your activity on all of these sites. Every Like button or activity box is a frame loaded straight from facebook.com, and your browser sends your Facebook cookie, along with the address of the page you are reading, with every one of those loads, whether or not the site itself ever learns who you are. What’s the big deal with that, you say? Well, sit for a spell.

Facebook is proud of its developer-driven culture. What this means is that features are added to Facebook and the product is constantly modified without any real “product” people guiding it. I’m not saying that’s a bad approach, nor am I saying Facebook makes bad products, but what I’m saying is that you are placing a lot of trust in people who may not be thinking of anything other than delivering something that they think is cool, without regard for impact.

Put another way, imagine the worst case developer caricature. He’s got a healthy dose of geek ego. He thinks he’s smarter than you. He thinks he knows what you want. Yes, he’s a he, and he has a lot of issues. But he’s feeling like he’s on top of the world. He makes good money for being so young. He’s at a company with a valuation that seems to climb by about a billion a month. He’s full of himself, and he’s in a competitive, chauvinistic culture. 

Would such a person care if he were to, say, implement a feature that you couldn’t turn off that might creep you out with its tracking abilities? Would he do it without warning you it was coming? Would such a guy be capable of implementing something even more creepy and weird or even defective and potentially dangerous?

This is what you’re dealing with, so just exercise a bit of caution and keep partying. He’ll probably try to impress you at the party, but you’ll notice his halitosis and lack of ability to make eye contact right away. Ignore him and have a beer.


My initial tests have shown that in-private mode helps a lot, but can be a pain. So your best bet, for now, is to install the excellent Ghostery plugin or add-on for your browser.

So here are your options:

  1. Use the “private browsing” feature of your browser at all times
  2. Use a dedicated browser for Facebook only. Use another for all of your other web surfing.
  3. Use Ghostery to block tracking on all sorts of sites (I recommend this no matter if you’re bugged by Facebook’s spy behavior or not).
  4. Disable access to the Facebook platform across the board, which will break all of your Facebook and application integration.
  5. Always log out of Facebook after each use and don’t visit any other sites while you’re logged into Facebook. This is Facebook’s official guidance if you do not want to see Social Plugin results.
  6. Quit Facebook. Delete your account. Leave the party and die in the gutter.
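To make the tracking concrete, here is an added example (my own illustration, not code from Facebook or from the original post) that models what a plugin endpoint sees when other sites embed it. It covers both the Social Plugin tracking above and the logged-out defense against likejacking from the first post: the cookie format `sess=<userId>:<token>`, the page URLs, the user id `u123` and the IP address are all constructed, and the server is a stand-in for the real plugin backend. It compares one logged-in browser, the same browser after logging out, and the dedicated-browser setup from option 2.

```javascript
// Added example, not code from the original post or from Facebook: a simplified
// model of what a third-party "social plugin" endpoint learns when other sites
// embed it. Every URL, cookie value, user id and IP address here is constructed.

const PLUGIN_ORIGIN = 'https://www.facebook.com'; // origin of the embedded Like frame

// Session cookie format is an assumption for the example: "sess=<userId>:<token>".
function parseSessionCookie(cookieHeader) {
  const m = /(?:^|;\s*)sess=([^:;]+):/.exec(cookieHeader || '');
  return m ? m[1] : null;
}

// What the browser sends when the page at `pageUrl` embeds a frame from
// PLUGIN_ORIGIN. The frame is a request to the plugin's own origin, so the cookies
// stored for that origin ride along, and the Referer (plus the href parameter the
// plugin markup carries) tells the plugin which page you are on.
function buildPluginRequest(pageUrl, cookieJar) {
  const host = new URL(PLUGIN_ORIGIN).hostname;
  const headers = { Referer: pageUrl };
  if (cookieJar[host]) headers.Cookie = cookieJar[host];
  return {
    url: `${PLUGIN_ORIGIN}/plugins/like.php?href=${encodeURIComponent(pageUrl)}`,
    headers,
  };
}

// A click inside the framed Like button only becomes a Like on your account if the
// session cookie arrived with the frame. That is why a Like button hidden under an
// enticing link (likejacking) does nothing useful for the attacker when you are
// logged out. Returns the user credited with the Like, or null.
function likeFromClick(req) {
  return parseSessionCookie(req.headers.Cookie);
}

// The plugin server's view: every frame load is a log line, and any load that
// carries a session cookie is tied to a known account.
class PluginServer {
  constructor() { this.log = []; }
  handle(req, clientIp) {
    this.log.push({ userId: parseSessionCookie(req.headers.Cookie), clientIp, page: req.headers.Referer });
  }
  // Pages the server can attribute to a specific logged-in user.
  historyFor(userId) {
    return this.log.filter(e => e.userId === userId).map(e => e.page);
  }
  // Pages it can only tie to an address: still recorded, just not to an account.
  unattributedFor(clientIp) {
    return this.log.filter(e => e.userId === null && e.clientIp === clientIp).map(e => e.page);
  }
}

// Three constructed browsing sessions over the same third-party pages, all from one IP.
const PAGES = ['https://news.example/health/story', 'https://shop.example/cart', 'https://forum.example/t/42'];
const IP = '203.0.113.7';

function runScenarios() {
  const results = {};

  // 1. One browser, logged in to Facebook: every plugin load carries the session.
  let server = new PluginServer();
  const loggedIn = { 'www.facebook.com': 'sess=u123:abc' };
  for (const p of PAGES) server.handle(buildPluginRequest(p, loggedIn), IP);
  results.loggedIn = { attributed: server.historyFor('u123'), unattributed: server.unattributedFor(IP) };

  // 2. Same browser after logging out (cookie gone): nothing links the visits to u123.
  server = new PluginServer();
  const loggedOut = {};
  for (const p of PAGES) server.handle(buildPluginRequest(p, loggedOut), IP);
  results.loggedOut = { attributed: server.historyFor('u123'), unattributed: server.unattributedFor(IP) };

  // 3. Dedicated Facebook browser plus a separate surfing browser: the Facebook
  //    session only ever goes to facebook.com itself.
  server = new PluginServer();
  const fbBrowser = { 'www.facebook.com': 'sess=u123:abc' };
  const surfBrowser = {};
  server.handle(buildPluginRequest('https://www.facebook.com/home.php', fbBrowser), IP);
  for (const p of PAGES) server.handle(buildPluginRequest(p, surfBrowser), IP);
  results.twoBrowsers = { attributed: server.historyFor('u123'), unattributed: server.unattributedFor(IP) };

  return results;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Note that the logged-out and two-browser cases still leave the plugin with a per-address record of the visits; what they take away is the link to your account, which is the part that feeds your "social graph". A private-browsing window or Ghostery-style blocking removes the cookie or the frame load respectively, which maps onto the same two rows of the model.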

Facebook: Worry Less, Have More Fun

Facebook Is One Hell of A Good Party

Facebook is one of the funnest parties on the Internet. It’s the first social network where, truly, just about *everybody* has joined. This fact leads to all sorts of goodness. You can use Facebook to connect with long-lost friends, meet interesting new people, keep up with family, spread your love, and see if your former flame got justice in the end.

But the problem with Facebook is that the default settings leave what is likely more information than you’d like exposed to the Internet. 

I will show you a way to help keep your information a bit safer while allowing you to be a full-on Facebook swinger.

I imagine most information security people — at least the ones who are fun enough to party on Facebook — have already configured their Facebook this way. But this little how-to is aimed at people who don’t (and don’t want to) sit around thinking about security and privacy all the time.

Before we get down to the step-by-step and the clicky-clicky of configuring your Facebook, let’s talk about security theory. I promise, this is just lightweight stuff, and actually mildly interesting.

Deny All

Deny All is not just a killer Bettie Serveert tune, it’s also a security mindset. It has an opposite, which is often phrased as Permit Any.

This is the language of network security and it’s also a behavior. Ultimately, it’s behind the way a lot of the stuff on your computer works.

Antivirus software works on a Permit Any principle — or at least it has traditionally. What that means is that the software watches what you’re doing and allows pretty much anything to happen unless it sees something it can identify as “BAD”, such as a piece of malicious code. 

The way it typically works is that the security software has a definition of bad things inside of it. When the software sees something bad, it squashes it. 

The problem is that all sorts of bad things can happen, and these bad things may have not yet been added to your security software’s definition of bad things. Which means you are totally unprotected from bummers of the unknown type.

There are entire product lines, companies and even industries based on this model. Typically called “pattern matching” or signature detection, these products are squashing threats all over the map. They sell something that helps a lot, but if you scratch your head and give it a think, you’ll see that there’s a giant flaw in the logic: they can only squash what somebody has already seen and written a signature for.

The opposite end of the spectrum is to allow basically nothing to happen, and only allow things which you think are good.

Of course, the hard part is figuring out what is good in the first place — especially in a very complicated environment. This is why, for now, this is not very common.

I’ll write more about this later, but the “Default Deny” or “Deny All” or “Anomaly Detection” or whatever form it takes is probably the future of a lot of network and information security efforts.

Fortunately, it’s a lot easier to determine what (and who) is good on Facebook. So we can implement what is basically the cutting edge security thinking of the future — today!

Tighten That Face

The first step to tightening up your Facebook is to create a list. This list will be used to contain the people you want to see your information. 

You can get fancy here. You could make a “Family” list, or a “Coworkers” list. Think about what you share on Facebook and who you would like to see it. You can make it as complicated as you want. Just remember that you’ll have to manage what you set up and, in general, complexity is the enemy of security.

You start to create a list by finding the “Friends” link on the left side.


You’ll see a big “Create a list” link. Go ahead and give it a click and a layer of Facebook will pop up over what you were doing.


Click in the upper left corner to give it a name. You can type the name once you have clicked.

In our case, we’re just making one list. We’ll call it “Secure List” for illustrative purposes. But like I said, you can call it anything you want and you can make as many as you want. Remember, though, that these are not Groups. You are creating a List. Be sure to add at least one person to the list and save the changes.

You can now use your list in the privacy settings of Facebook. Click on Account, then Privacy Settings. You’ll get something like this:


Facebook deserves kudos for radically simplifying and clarifying this section of the site. But the problem persists: any accepted friend request, or any “like” of a page, automatically makes it so the person or entity behind that action can now see your information and activity. Fortunately, we’re here to tighten that up.

On this page, you’ll see several groupings of information and activities. Decide who you want to see each type, and then assign the list you have created to the appropriate grouping. Below, I’m changing who can see my education and work experience.


Here is where we undo the “Permit Any” and make it a “Deny All”. Click “Customize” and then, when shown the Custom privacy settings, select “Specific People” and enter your list (or lists) name in the resulting box.


If you’re really getting fancy, you can also maintain an “evil people” list and add them in the “Hide this from” area, but I’d argue that you should probably just unfriend any buzzkills or agents of evil.

Don’t forget to do the complicated part. There’s a hard-to-see link which allows you to also customize the privacy settings for the items that actually matter. I highlighted the link in this screenshot:


It will take a few minutes, but be sure to go through each of these and limit the audience to what you can accept.

As a bonus, you can now use the list to control access to individually posted items or photo albums (this is when a “Family” list comes in handy if you have little chitlins running around the house and want to show off their photos with some degree of privacy).

Pour Another Drink

The last task is to decide who should be in your “cool kids” (thx Elliott) list. Go back to your “Friends” section and edit the list you made in the first step. Depending on how many Friends you have, this will take a bit of time. You can now accept friend requests and Like pages while not worrying too much about accidentally disclosing information. Until you *explicitly* add somebody to your list, they shouldn’t be able to see your information. This is handy if you have the Facebook for iPhone app, which doesn’t allow you to accept a friend request and simultaneously assign the friend to a list.
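Here is an added example (my own illustration, not Facebook’s code or anything from the original post) that models both the Deny All idea from above and the list-based setup just described. Names, list names and field labels are constructed, and the rule shapes (`'Everyone'`, `'Friends'`, and a custom `{ specific, hideFrom }` object standing in for the Customize dialog) are my simplification of the settings page. It shows the permissive defaults next to the tightened profile, and why a freshly accepted friend sees nothing until you put them on the list.

```javascript
// Added example, not code from Facebook or from the original post: a model of
// audience rules with the "Permit Any" defaults next to the list-based "Deny All"
// setup. Names, lists and field labels are constructed.

// A field's audience rule is one of:
//   'Everyone' | 'Friends'                          the permissive defaults
//   { specific: [lists or names], hideFrom: [lists or names] }   the Customize dialog
function canSee(profile, viewer, field) {
  const rule = profile.fields[field];
  if (viewer === profile.owner) return true;
  if (rule === 'Everyone') return true;
  if (rule === 'Friends') return profile.friends.has(viewer);
  // Custom rule: default deny. "Hide this from" wins over "Specific People".
  if (inAny(profile, viewer, rule.hideFrom || [])) return false;
  return inAny(profile, viewer, rule.specific || []);
}

// A member entry may name a list or an individual.
function inAny(profile, viewer, members) {
  return members.some(m => (profile.lists[m] ? profile.lists[m].has(viewer) : m === viewer));
}

// The "Tighten That Face" procedure: point every field at the secure list,
// optionally hiding it from an "evil people" list as well.
function tighten(profile, listName, hideFrom = []) {
  for (const field of Object.keys(profile.fields)) {
    profile.fields[field] = { specific: [listName], hideFrom };
  }
  return profile;
}

// Accepting a request only grows the friends set; it never touches the lists.
function acceptFriend(profile, who) { profile.friends.add(who); return profile; }
function addToList(profile, listName, who) { profile.lists[listName].add(who); return profile; }

// Which of the given principals can see a field.
function audience(profile, field, principals) {
  return principals.filter(p => canSee(profile, p, field));
}

function makeProfile() {
  return {
    owner: 'me',
    friends: new Set(['alice', 'bob', 'carol', 'newguy']), // every accepted request so far
    lists: {
      'Secure List': new Set(['alice', 'bob', 'carol']),
      'Evil People': new Set(['carol']),                   // on the list, but a buzzkill
    },
    fields: {                                               // defaults before tightening
      'education and work': 'Everyone',
      'phone number': 'Friends',
      'photos of the kids': 'Friends',
    },
  };
}

// Includes a non-friend and a page you might have liked, which are not friends at all.
const PRINCIPALS = ['alice', 'bob', 'carol', 'newguy', 'stranger', 'acme-page'];

function compare() {
  const before = makeProfile();
  const after = tighten(makeProfile(), 'Secure List', ['Evil People']);
  const report = {};
  for (const field of Object.keys(before.fields)) {
    report[field] = {
      permitAny: audience(before, field, PRINCIPALS),
      denyAll: audience(after, field, PRINCIPALS),
    };
  }
  return report;
}

console.log(JSON.stringify(compare(), null, 2));
```

The only way a new name gets past the tightened rule is `addToList`, which is the step you do by hand; `acceptFriend` on its own changes nothing, which is exactly the property you want when accepting requests from a phone app that cannot assign a list.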

Play around with lists a bit. Facebook has made some nifty default filters, such as “recently added”, which is handy for assessing who gets into the party or not.

Once everything is complete, you have greatly reduced your exposure to Facebook privacy and hacking threats.

And that means you can keep partying.

Just stop installing all those f*****g Facebook apps.

A Final Note

I recommend that you treat everything you do on Facebook as public. What you did above helped to keep certain information from unwanted attention. However, no matter how you set the thing up, you’re relying on the implementation to work. The tools at your disposal are only as good as the developers and processes that created them. There will be bugs. There can be misconfiguration or drunken and drugged out system administrators.

You never know.

Don’t post anything on Facebook which you would truly want to keep secret.