Your Facebook is a GOLD MINE for hackers

Here's what you can do to protect yourself

Every now and then I see a bunch of my Facebook friends copy/paste a post to their profile that allows them to share some nostalgia. Here's the latest:

While it can be fun to participate, it's wise to be careful and ever-vigilant with the information you're sharing in a post like this.

Why? What's the harm here?

Here's what happens.

It doesn't matter who started the very first post, whether they had ulterior motives, or whether they did it just for fun.

But here's what DOES matter. Try searching Facebook for “a reunion of friends”. Here's a generic search link to make it easy for you.

Scroll down to the “Public Posts” section and take a look at all of the results. Here's what my search looked like (and I don't know or follow ANY of these people):

[Screenshot: Facebook “Public Posts” search results]

The search results went on and on, giving me dozens of posts to look through.

Another way to get all these results is to simply click the hashtag found in most of the posts: #AReunionOfFriends

You might think, “So what? It's just a bunch of people having fun.” Well, yes, obviously that's true (otherwise nobody would engage).

But, here's the thing. You've got 2 types of data miners: marketers and hackers.

Marketers want to learn more about you so that they can educate or convince you to buy their products.

Hackers want to learn more about you so they can exploit you and your sensitive account information.

What can they DO with this information?

They harvest it. They do some further research on you, find out your birthday, your spouse's name, your pet's name, where you went on your honeymoon, your addresses and phone numbers (current and previous), kids' names, and anything else they can find.

All this information goes into a text file and is processed by a password cracking utility that runs through millions of password combinations in just a few minutes.

“My password is complex – they'll never guess it.”

Here's how many people create a password. They'll start with something like a friend's name or a pet's name. Let's use “Fido”.

Then they'll mix in some 4-digit number, like their street address. Let's say the address is “4846”. But they want to be clever, so they put the address backwards: “6484”.

And maybe they need a special character. So they put “!” at the end.

So here's the password they come up with: “Fido6484!”

Seems complex enough, right?

The problem is that the dog's name and the street address are incredibly easy to figure out. The hacker simply dumps that information (along with all the rest of the seemingly meaningless data they've gathered on you) into a program that sifts through all of the possible passwords until it finds the match.

And for the sake of completeness, I'll point out that they don't even need to be entering these passwords directly into the Facebook server or any live server. It's easy enough to gather network packets and password hashes (one-way scrambled forms of the password) and crack the hash offline, which is essentially the same as entering the password into the server and getting an “invalid password, try again” response, several million times.

“But who would really go through the effort of hacking ME?”

I don't BLAME anyone for this mindset, because it really comes down to awareness. We're just not that aware of what's going on. I've painted this scenario from the perspective of one hacker sitting in a dimly-lit room late at night in a basement.

Here's the reality. It's not always people that are directly carrying out these attacks. It's programs written by people that crawl through the Internet and social media, gathering and correlating data on you and everyone you know, as well as password hashes from network sniffing and packet captures.

When was the last time you connected to an open wifi network? Are you connected to one right now? All of your network packets are visible to everyone else on the network. Sure, your Facebook activity is “protected” through TLS, the encryption behind https. All that means is that your password and activity are encrypted to a known standard. It's a GOOD standard, but it's only as good as your password, and how well you protect your personal information.

Back to the point of effort. If this were some guy in a dark hoodie trying to “hack” you, you'd probably be right in thinking that you're not a worthy target. Most people aren't.

But check out this video, “The Anatomy of An Attack” by Cisco. It's a simple social engineering tactic. That video doesn't talk about cracking passwords, but rather exploiting people's trust in order to deploy ransomware on a “protected” network.

Here's What You Can Do To Protect Yourself

I'm all for the enjoyment we can have by participating in fun social shares and maintaining relationships through Facebook and Twitter. It's really amazing what we have now that we didn't 10 years ago.

The good news is that it's not terribly difficult to keep yourself safe from being hacked – but it does require some vigilance. Here are a few tips to help you become a difficult target.

1. Use a good password management application

I use 1Password. There's also LastPass and others, but I've been using 1Password since 2012 and it's fantastic.

The point of a good password management app is that it's more secure than keeping your passwords in a spreadsheet or written down somewhere. It also makes it very easy to generate incredibly strong passwords. The benefit is that you just need to remember a single password to access the app and decrypt the database. I love 1Password because nothing is stored on their servers, so I'm not relying on 1Password servers to keep my passwords safe.

2. Use a completely random password that isn't made up of anything to do with you

Don't use “Fido6484!” as I mentioned above. Eventually, some automated program could gather enough information about you and process all the permutations of “Fido”, “4846”, and “!” in the perfect order. “Fido6484!” is just as vulnerable as “fiDo6484!” or “F6i4!d8o4”. It's all about the ability to process large numbers of passwords in all their possible permutations. If you have a password like “Fido6484!”, you might as well just use “123456Seven”. (Don't.)

Use something like “mrL3LQvoTnruys9QYfjCwJR” or “concept-ewer-wooer-confound”. Both of those were randomly generated by 1Password just as I wrote this paragraph.
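The checker below is an added example, not code from the original post or from 1Password. It shows the defender's side of the “Fido6484!” story: a password audit that folds case and separates letters from digits, so that “Fido6484!”, “fiDo6484!” and “F6i4!d8o4” are all rejected as built from personal tokens (a pet name and a reversed street number), while a randomly generated string or passphrase passes. The personal tokens and the tiny word list are constructed sample data.

```python
import secrets

# Constructed sample of details a profile or a nostalgia post could reveal.
# In a real checker these come from the user's own account fields.
PERSONAL_TOKENS = ["Fido", "4846", "Jane", "Maple"]

# Constructed mini word list; a real one has thousands of words.
WORDS = ["concept", "ewer", "wooer", "confound", "lantern", "gravel"]


def projections(password):
    """Return (letters, digits), lower-cased, ignoring punctuation.
    This defeats case games ('fiDo') and interleaving ('F6i4!d8o4')."""
    letters = "".join(ch for ch in password if ch.isalpha()).lower()
    digits = "".join(ch for ch in password if ch.isdigit())
    return letters, digits


def variants(token):
    """The cheapest manglings a rule set tries: as-is and reversed."""
    t = token.lower()
    return {t, t[::-1]}


def derived_from_personal_info(password, tokens):
    """True when every letter and digit of the password is explained by
    a personal token (or its reversal); punctuation is ignored."""
    letters, digits = projections(password)
    if not letters and not digits:
        return False  # nothing but punctuation: weak, but not 'personal'
    known = set()
    for tok in tokens:
        known |= variants(tok)

    def explained(part):
        # Greedily peel known tokens off the front until nothing remains.
        if not part:
            return True
        return any(part.startswith(k) and explained(part[len(k):])
                   for k in known)

    return explained(letters) and explained(digits)


def random_passphrase(words, count=4, sep="-"):
    """A replacement built from the OS CSPRNG, unrelated to the user."""
    return sep.join(secrets.choice(words) for _ in range(count))
```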


3. Never use the same password more than once

My 1Password database has almost 600 logins. Not a single one of them is the same. Well, maybe a few of them are – and I'm working on that. But more than 90% of them are strong passwords that I don't actually know off the top of my head.

The reality is that there are very few passwords that we actually need to remember, as long as we have a good password management app like 1Password. I really just need to remember 2 passwords: my computer password, and my 1Password password. With that, I can access my entire password database.

The other benefit of keeping a different password for everything is that eventually web sites get hacked, and companies lose their databases. Search your email history for “data breach”, “security notice”, or the word “compromise”. You'll probably find some emails similar to this one from LinkedIn:


4. Change your passwords regularly

It's good practice to change your passwords every few months. The reason for this is that even if you do have a relatively strong password, a hacker can steal a database (like LinkedIn's or Sony's) and run it through a hash cracker. It takes an incredible amount of CPU power and time, unless they're a nation with a lot of resources and a bunch of FPGAs dedicated to cracking hashes (*ahem*, Russia? China?). Normally it would take many, many months or years to crack through the hashes. If you change your password before they crack the hashes in the stolen database, you're safe.

5. Avoid public wifi networks (whaaaaaat???) [Okay, just be careful and use a VPN…]

They're free, and they're great. Except when they're not. And they're not great when attackers are on the same wifi network capturing packets that they can process later.

Worse, it's easy for an attacker to spoof a public network and cause a man-in-the-middle attack. This happens when you inadvertently connect to an attacker's wifi hotspot, instead of the legitimate one hanging off the ceiling in your favourite coffee shop. In this situation, ALL of your traffic is passing through an attacker's equipment, and can be saved for analysis later.

Use your 3G/LTE connection, or use a trusted VPN service.

A new, healthier mindset? (It's not about being paranoid!)

Ok, so now you've got a few tips and hopefully a new mindset toward your activity and password integrity. The point here is to get you thinking a bit more vigilantly about how to protect your information, and how to keep your passwords strong so you don't get hacked. Sometimes people get hacked and their email account is used to send out spam to try to social-engineer their friends and families into clicking a link. Sometimes people get hacked and become victims of identity theft.

But with the right mindset, you can enjoy all of the lovely modern technologies we have like social media and ubiquitous wifi.

You don't have to be paranoid. Just be vigilant.

Question: Did you have any ‘light bulb' or ‘a-ha' moments from reading this? What would you like to know more about?
