Facebook, the most popular social networking site just implemented a bunch of new privacy settings for its users. The new privacy settings are being promoted by Facebook as making it easier for its users to control their information and consolidating the number of pages and privacy options. I have previously published an indepth Privacy Settings for Facebook. This guide reproduces most of the privacy settings shared earlier and more to match Facebook’s new privacy controls.

Facebook gives its users options around privacy and security where you can configure privacy settings to restrict access to your Facebook profile information. So whether you are an established Facebook user or a new user getting your feet wet in the world of social networking, here are the top privacy settings for Facebook you should follow to help protect your profile including photos and your personal information.

1. Create friends lists: This is the most important task you need to perform on your way to enforce better Facebook privacy. In order to create a new friends list on Facebook, log into Facebook and at the top right, under Account, click on Edit Friends. Once on this page, you see a list in the left side/column of the page. Click on Friends at the top and in the new page, click on the Create New List at the top of the page.

2. Control your Basic Directory Information

This section lets you customize your Facebook directory information, which is the information that people searching for you, whether on Facebook or on a search engine might use to find you. You can customize this using the lists you created earlier. Facebook recommends that you share all of this information to everyone but this is not necessary.

• Search for me on Facebook: This lets people find you on Facebook. I would recommend you choose everyone here.
• Send me friend requests: This option lets people send you friend requests. Again, I would recommend you choose everyone here.
• Send me messages: This lets people you haven’t connected with yet send you a message before adding you as a friend. Again, I would recommend you choose everyone here.
• See my friends list: I would highly recommend you customize this option.
• Similarly, customize the remaining options on who can see your education history, work information, your current city and hometown and any other interests and fan pages. It is important you customize them, because say you become a fan of a controversial page, it will most likely show up when someone searches for you on Google or other search engine. Watch what you share with the world.

3. Customize your Facebook privacy settings

Don’t let this be YOU

4. Applications, Games and Websites

5. Block Lists on Facebook

This section lets you block people from interacting with you or seeing your information on Facebook. You can also specify friends you want to ignore application invites from, and see a list of the specific applications that you’ve blocked from accessing your information and contacting you. For example, do you hate seeing Farmville and Mafia Wars requests from your friends or seeing their Farmville updates on your wall?

6. Block Facebook Ads

Ads shown within Facebook recently caused a lot of controversy with the usage of your photos in ads. Facebook came out and countered that these rumors were related to third party applications, and not ads shown by Facebook. If in doubt check out what happens if you happened to use the “Have Sex!” application (warning: clicking on link will take you to this application) and could result in potential embarrassment by such feeds being published on your profile.

Have Sex ! application posting on your Facebook wall

Facebook also said that those ads violated their policies by misusing profile photos and did not give third party applications or ad networks the right to use your name or picture in ads. In either case, if this is allowed in the future, this setting will govern the usage of your information.

• Under Account -> Account Settings, click on the Facebook Ads on extreme right tab.
• In the option under Allow ads on platform pages to show my information to, select No one and Save Changes. At the bottom of the page, under show my social actions in Facebook Ads to No one.
• Follow the Set Application security Facebook privacy settings below.

Facebook third party ad privacy settings

TrueCrypt is a free open source disk encryption software that works on both Windows and Linux platforms. Data stored on an encrypted volume cannot be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. TrueCrypt does this by creating a virtual hard drive that will read and write encrypted files on the fly. The advantage of using TrueCrypt is that you need not download it everywhere. All you need are the files truecrypt.exe, truecrypt.sys and the volume file you create which you can carry on your flash drive.

Step by Step Tutorial on how to encrypt your hard disk or data or message using TrueCrypt

Step # 1: Download and install TrueCrypt

Step # 2: Once you Launch TrueCrypt, Click on “Create Volume” button. This launches the Volume Creation wizard that prepares the encryped drive location. Next, choose ” Create a Standard TrueCrypt Volume” and hit Next. Next, click on “Select File” button. Browse to a place where you want to store your encryped files. For example, let me create secret stuff. Note: This is not the file you want to encrypt. Think of this as a Folder Name which in turn would contain the files you want to encrypt later on. Hit Next

Step # 3: Next, you need to choose your Encryption Algorithm. The default AES is the accepted industry standard and pretty much sets the current bar on encryption. Select AES. Hit Next. If you want more information about the Encryption options, TrueCrypt has some information on Encryption Algorithms and Hash Algorithms.

Step # 4: Now, choose the size of the virtual drive. If you have an external hard drive or a flash drive which you want encrypted, then choose “Select Device” in the step above and put in the limit you want to set.

In this example, I want to create a single file which is confidential to me. So I choose a size of 100 MB.

Step # 5: Now choose your Volume Password. This is the most important step. TrueCrypt wants you to punch in like 20 something characters for a strong password. Although there is no minimum limit, the max limit is 64 characters. For 20 something characters, choose a passphrase instead of coming up with a strong password and then copying and pasting the password somewhere else in plain text.

Step # 6: Format the volume now. TrueCrypt gathers random information from your system including the location of your mouse pointer and uses this information to format the location you selected earlier. Note: When you hit the “format” button, you are not formatting or erasing your hard drive. You are ONLY formatting the drive location file which in this case would be the askstudent.secrets file I created earlier. Congratulations, you now have an encrypted volume location.

Step # 7: Now that you have an encrypted volume, how do you access or store files in that drive. In TrueCrypt, choose “Select File” and browse to the file, in this case secret stuff which you created earlier. TrueCrypt lists a list of drive letters available on your computer. I choose Z: Now, select the “Mount” button after which you have to enter the master password you created earlier.

Step # 8: Your virtual drive is now created. Go to My Computer and there will be a new one listed as “Local Disk Z:”. This is now like any other drive, only encryped. So you can drag and drop or use “save as” and save your files to this drive. Once you are done, in TrueCrypt, select the mounted drive(Z:) and then select the “dismount” button. Once you do this, all you are left with is secret stuff which you can then burn or zip it or email it or store it in your thumb drive.

This morning, I was prompted by Firefox that it had disabled the .NET Framework Assistant and the Windows Presentation Foundation addons. The popup concluded with the message that these addons have been known to cause stability or security issues with Firefox.

This is very interesting with vendors taking a proactive approach with kill switch functionality with known security vulnerabilities. To Microsoft’s credit, they are letting Mozilla block the addon until users go and patch. According to http://blogs.technet.com/srd/archive/2009/10/12/ms09-054.aspx Firefox users are “safe” from beeing exploited via the security issue, after having KB974455 (the Cumulative Security Update for Internet Explorer) installed.

Here is Mozilla security blog entry announcing this block, which Mozilla is implementing using its blocking mechanism.

If you are one of those people who wish to get their hands dirty, you can nuke it with regedit.

• For x86 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Mozilla > Firefox > Extensions
• For x64 machines, Go to the folder HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Mozilla > Firefox > Extensions
• Delete key name ‘{20a82645-c095-46ed-80e3-08825760534b}’

The plugin is hiding in C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (and C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll if you have the .NET 4.0 beta).

• Remove HKEY_LOCAL_MACHINE>SOFTWARE>MozillaPlugins>@microsoft.com>WPF,version=3.5
• And HKEY_LOCAL_MACHINE>SOFTWARE>MozillaPlugins>@microsoft.com>WPF, version=4.0 if you have the 4.0 beta

This article is part # 3 in the series on Penetration Testing. The first in this series talks about Penetration testing as a profession and a general introduction. The second introduces you to some critical keywords and security tips you need to be aware of before proceeding through the rest of this series.  

When you are performing the role of a security/pen tester, sometimes just having the right tools and skills is not enough. Either they are not enough or there are easier ways to get the management to understand how easy it is for someone to walk in and walk out with the keys to their “fort”.

One of the first things I want to share with you is what my Professor of a Security Class I took while I was an Undergrad at Florida Tech shared with us. So, he was performing a penetration test at a company and he was negotiating the price for which he is willing to perform the pen test of the company’s network. Apparantly, the company was driving a hard bargain. Finally, it reached an ultimatum situation and so the company asks… “why should we pay you so many X dollars more? Are you that Good?” or something on those lines. So my professor excuses himself from the meeting room on the pretext of using the rest room. He walks around the floor on which the meeting was set up. Here is what he finds. He finds passwords on Employees monitors, including in front of an employee who had an “Emergency Response Team” sign sitting outside his cube. As he is walking past he sees the Project Manager’s laptop bag with disks and flash drives in it, sitting outside near the receptionist or an employee’s desk. He just informs the lady that he was told to bring the bag inside, takes out the flash drive. He logs into one of the terminals, grabs some credentials stored on the flash drive, makes printouts of some confidential documents and brings it back to the meeting room, all within a time frame of around 5-10 minutes. No one asked any questions. My professor got the price he asked for and more and the company had an excellent pen test analysis done.

So what is the moral of this story: No matter how strong your filters are set or firewall configured. You must always take caution against the insider attack. You are only as strong as your weakest link. In this business, sometimes, we need to employ tactics such as social engineering amongst others to get our job done. In this article, I will talk about some of these tactics.

1. Using a Keylogger:  Keystroke logging (often called keylogging) is a diagnostic used in software development that captures the user’s keystrokes. It can be useful to determine sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. A simple google search on download keyloggers gives you plenty of results. You might want to use a professional keylogger tool such as KeyKatcher or KeyGhost. While you are performing a security test on a system, keyloggers can be a helpful tool. However, please make sure that you have permission from the company to do something like this.

2. The ability to pick locks: Okay, this is one skill I don’t have too but if you are performing the role of a pen tester, remember that if something was stolen or picked from the company, it rather be you than some attacker. When performing a test, know the kinds of locks used by the company to secure its prime assets such as server rooms etc. While most companies these days are using card access, you might be in luck if they are using the traditional lock. An excellent paper highlighting the need for physical security is the “MIT Guide to Lock Picking” by an author who calls himself Ted the Tool. If you are going in this direction, contact your nearest law enforcement agency, fill out the necessary forms and get certified. The ability to pick the lock of a server room could be a valuable asset while performing a security test at a company. Again, please make sure you have permission from the company to do something like this.

Related Articles:

1. Introduction to Ethical Hacking and Penetration Testing

2. Important Computer Security Definitions and Terminologies

An Introduction to Ethical hacking through the eyes of a pen tester and hopefully helps anyone reading this blog on how to protect and secure a network by understanding how a Hacker operates and understanding their tools and methodologies.

Why would I want to publish such a series of articles; because, I did not want to be part of the problem anymore. The need to know and understand Computer Security has passed the realm of just security professionals. The web is an ugly place out there with hackers and crackers lurking at every corner selling their Trojans and the rest of their goods in the malicious code dept, trying to install Botnets and seeking to profit from your mistakes or rather lack of security awareness.
Every other day, you see articles on the newspaper and on the web on identity theft or credit card numbers being stolen from compromised database servers. The need for security professions who know networks and understand how Hackers operate is growing every day which companies utilizing such security professionals to test and break into their network before the bad guys do and patch up their security infrastructure. It is here that we, the “security tester” or “penetration tester” come in.

So what will you learn in this series on Penetration Testing?
I will try to offer you a structured approach to security and penetration testing. I will also try to explain in-depth some of the tools which hackers typically use. Remember you are trying to be the Ethical hacker and you need to know how to use and implement the tools of the trade.

A network is only as secure as its weakest link. You are trying to discover vulnerabilities within a network and find that weak link before the bad guys.

Disclaimer: You will learn about some tools and methodologies which are not meant to be used for Hacking purposes. Hacking or compromising a computer or a network is illegal in many parts of the world. Please use them to further understand how computer security works.  If you are trying to take up the role as a penetration tester for a company, make sure you have a contract signed with the client and what you can and cannot do clearly defined. Also, make sure you read your ISP’s contract and their acceptable use policy defining any scanning software such as port scanners. Anytime you run something that denies a user access to a system or a network resource is illegal.