Start-to-finish SSL encryption is a very good thing when it works. And it usually does. Google has offered always-on encryption for more than two years on the GMail platform. Now Microsoft’s Hotmail features the same thing, almost. Here’s what I got when I tried to set it up (emphasis added):

Connect with HTTPS

• Account Connect with HTTPS

Using HTTPS will help keep your account secure from hackers-especially if you commonly use public computers or unsecure wireless connections.

Important note: Turning on HTTPS will work for Hotmail over the web, but it will cause errors if you try to access Hotmail through programs like:

• Outlook Hotmail Connector
• Windows Live Mail
• The Windows Live application for Windows Mobile and Nokia

If you only need a temporary HTTPS connection, enter “https” in front of the web address instead of “http”.

The page then gives you the option to use HTTPS automatically or manually, citing the important note above. I don’t use Outlook or Windows Live Mail, so I opted for automatic.

I’m sure they’ll get this resolved as they are aware of the issues according to this blog post. Here’s an excerpt:

To enable HTTPS for your Hotmail inbox, calendar, and contacts, go to https://account.live.com/ManageSSL. Once you enable this feature, all of your future connections to Hotmail will be delivered over SSL.

Some connections to Hotmail won’t be available if you turn on HTTPS, including:

• Outlook Hotmail Connector
• Windows Live Mail
• The Windows Live application for Windows Mobile (version 6.5 and earlier) and Symbian

We’re constantly working to continue providing great security for our customers, so stay tuned.

Still, watered down or not, it’s much more secure than it was.

. . . you have sent us lots of feedback. We’ve listened carefully in order to figure out the best next steps. We recognize that we made a lot of changes, so we really wanted to take the time to understand your feedback and make sure we address your concerns.

The number one thing we’ve heard is that there just needs to be a simpler way to control your information. We’ve always offered a lot of controls, but if you find them too hard to use then you won’t feel like you have control. Unless you feel in control, then you won’t be comfortable sharing and our service will be less useful for you. We agree we need to improve this.

Today we’re starting to roll out some changes that will make all of these controls a lot simpler. We’ve focused on three things: a single control for your content, more powerful controls for your basic information and an easy control to turn off all applications.

What do you think?

The tool is called “Reclaim Privacy” and I want to acknowledge Gizmo’s Best-ever Freeware for sending me the alert. Here’s the scoop:

Reclaim Privacy is written in Javascript.  It’s free and open source, so anyone who has concerns over its motives can easily check to see that it isn’t doing anything that it shouldn’t.

To use it, go to www.reclaimprivacy.org and add the utility to your browser favorites.  Then log into Facebook and go to your security settings page (there’s a link on the reclaimprivacy site to help you).  Then run the Reclaim Privacy script by selecting it from your bookmarked favorites, and the analysis of your security exposure will be ready in just a second or 2.

Here’s what it looks like:

This reminds me of Secunia’s PSI vulnerability scanner that I’ve written about on numerous occasions; the difference is that Reclaim Privacy is application-specific.

I never did arrive a perfect “secure” score on all things, but the “caution” items don’t bother me – I’ve set my Facebook account privacy settings to a level that I’m comfortable with.

If you use Facebook, give this tool a try and let me know what you think.

Consider this (based on an actual incident): You’re employed by a financial firm; you have a Facebook page; you’re the coordinator for the annual company picnic; and, many of your co-workers also have Facebook pages and are in your group of friends. Sounds OK, right? Just a gathering of co-workers on a social network.

Well, think again. The cyber-criminals had a field day with it.

The crooks noticed this social circle, noting that they all worked for a firm that might be a good target. Attempts to hack the Facebook accounts were rewarded with a successful attempt against the person I mentioned above. The criminals now were able to impersonate the victim. The crooks sent messages out to the victim’s friends with a subject similar to “Look who I caught on camera at the company picnic.” The messages contained what looked like a link to some photos, but was really a link to a malicious site that contained malware in the form of a keylogger program.

You’re a friend of the victim, and you get a message from them. No problem, they’re your friend on Facebook and a co-worker whom you trust. Naturally, you think it’s safe, so you open the email and click on the link. You’re infected with a keylogger program. On your company laptop. That you use to access the corporate VPN at home and on the road.

Tonight, you have a report that’s due and you’ve just finished it, so you log into the VPN, access the secure data repository and upload your file. The bad guys have a complete recording of everything you just did…

The criminals managed to log in to the corporate VPN and spent the better part of two weeks mapping the network to see what they could steal. The good news is that the slime bags were discovered, but not before they had already compromised two of the central database servers and had taken full control of them.

Trust no one and never click links until you are sure where they lead.

That’s a real world example, but the scam also happens in cyberspace. In fact, here is an actual notice I got from the administrator of a social network that I happen to be a member of:

I am posting this as a warning… not from this site itself, but as a caution about other members and all sites in general.

It has been brought to my attention that a member of this site has been
befriending other members, asking for their emails and pics of them …
and subsequently getting to the point of asking the member to invite
them to their home (by filling out a request and visa for them to come
to the states).

Any complaints of such on any of my sites will warrant immediate suspension… no warning.

THIS IS NOT appropriate behavior or etiquette for internet sites anywhere at any time.  Please do not give out your emails unless you are doing business with someone or you know them WELL ENOUGH to do so.
You are encouraged to use very wise judgment on doing anything that could
jeopardize your being.  Please be cautious of such requests.

Sincerely, [name not revealed for security purposes]

Does this sound familiar to you? Please warn anyone you know who is being scammed in this way.

To pull off a spear phishing attack, for example, all an attacker has to do is search for Company A’s employees on a social networking site and then pose as someone within the organization — such as the head of human resources — and email the employee addresses he finds, for example. A phony HR spear phish could look something like this, Sophos’s Cluley says: “Dear Fred Jones, Congratulations on joining XYZ Company. Click on this link to access our HR Intranet and then log in with your regular network username and password so we can update our files.”

A newbie to the company could easily fall for the ploy and hand over access to the corporate network, he says.

How can you prevent such a thing? It’s difficult at best; probably close to impossible because you have to educate your employees to never post your company name in personal profiles. It only takes one scrap of information to cause problems and the bad guys aren’t far away:

…the “six degrees of separation” rule applies on most social networks: You’re only a few hops away from a bad guy. “We know that there are bad people on these networks using them to steal information,” Cluley says. “You may be only a half a dozen hops from an identity thief if we’re all connected.”

The solution to having good security is, always has been, and always will be increasing the security awareness of everyone in the company from the janitor to the CEO. It requires a continuous educational process to instill a security mindset into people; it requires eternal vigilance on the part of those responsible for managing security. It’s not easy. When it comes right down to it, security uber-expert Bruce Schneier sums it up best:

“The user’s going to pick dancing pigs over security every time.”

Some people are very free with their personal information, even going so far as to provide their phone number, email address, full street address, etc. Not really a good idea, but what can you do about it?

For starters, don’t answer all of the questions in a social networking profile and for sure, don’t give your real birthday. Who will know? If you have family and close friends who know your real numbers, you can explain that it’s a security precaution–they certainly won’t care. And what difference does it make if your profile says your birthday is 07/24/73 when it’s really 08/16/75?

We’re social creatures and tend to be trusting, but there’s no need to be at risk. A little misdirection when posting your personal information is something you’ll probably never have reason to regret.

The openness of Web 2.0 sites in general makes these complicated attacks virtually unnecessary, but it is possible using CSRF to utilize a hacked MySpace account to jump across to Facebook and wreak havoc. One security specialist noted that as long as users are allowed to use code in one form or another in profiles and comments–especially with links to external content–there are going to be security problems.

That seems to be the real issue here. XSS and CSRF, while possible, probably aren’t even necessary for hackers to compromise accounts; they’re already open enough to be vulnerable.

Nothing is private on the socials; you have to consider everything public. What you write in posts on your own wall, others’ walls, comments, your tweets if you have them linked to your Facebook, is out there just like a 20-foot high billboard on a busy expressway. And the consequences of revealing things that are better kept private can range from mildly embarrassing to loss of professional reputation and employment. Employers often access the socials to conduct a pre-check on a prospective employee to find out how they function away from the work environment.

What to do? Here’s some advice:

1. If you’d be embarrassed if someone found out about it, don’t post a photo or talk about it.
2. If you hate your job, find a better one; don’t whine online. See “How To Lose a Job Via Facebook In 140 Characters or Less.”
3. On Facebook, use the new privacy settings to be very choosy about who can see what.
4. Be aware of the connections you have in common on both personal and professional networks.

A rogue application called “Secret Crush” was circulating around Facebook earlier this year, spreading spyware instead of love. (See ‘Secret Crush’ Spreads Spyware, Not Love.) It sent victims an invitation to find out who has a secret “crush” on him or her, and lured them into installing and running the Secret Crush app, which spread spyware via an iFrame. The attack got more advanced and worm-like when it required the victim to invite at least five friends before learning who their “crush” was.

This is an example of an application deliberately written as a weapon of attack, but as we all know even the best applications have security holes. Considering the social sites are under constant attack by crackers, those security holes can be exploited to compromise your profile, your pages, even your PC. So the next time someone wants to send you a virtual hug,  heart or handshake, don’t just blindly accept it.