Friends know that I’m about as close to Web secure as you can get without being flat-out paranoid. I’ve hardly ever gotten a virus, despite doing a lot of exploration. I have effective email filters set up, and I’m adept at spotting those emails that appear to come from people are know, but really aren’t, i.e., spoofed.

Nevertheless, the only thing that never changes is that things change. I’m being tested right now via Facebook. I’m pointing to this post from there, in fact, as a fuller explanation for my FB friends, and also as a general warning to everyone else. Here’s the background, and the potential benefit to readers.

First, I got an “email” from a friend inside FB with a subject line “You are veryy goood at posiing to a spy cameraa!” That should have been a dead giveaway, and had I gotten that in regular email I would have deleted it without reading it. But I haven’t seen stuff like this inside FB, and my friend sometimes has an interesting sense of humor, so I opened it. The message consisted only of “HA-HA-HA” and a link. Yep, folks, I clicked the link. The page contained only gibberish, and I quickly closed the browser.

The speed at which I closed the browser matters not. Computers are fast. It was just an instinct. Still, I think I am safe, and I’ll tell you why in a moment.

It’s probably worth mentioning that, unless I’m mistaken, my friend isn’t very geeky, doesn’t mess with computers a lot except at work. On the one hand, that may mean she’s more likely to get taken in by a phishing email. On the other hand, it also may mean that she’s less likely to be surfing into unfamiliar Web sites, which is where a lot of this stuff comes from. I suspect my unexamined assumptions leaned toward the latter.

A couple of days later, I got a Wall-to-Wall post from another friend who is geeky. (I hope both of them realize I mean no insult to either.) Flip the assumptions above to their exact opposite. Add in the “I’ve never seen phishing stuff inside FB” factor. Stir in a pinch of “he doesn’t post much, and this seems spelled correctly.” Yep, I clicked.

The resulting page even looked like a real page, but I couldn’t see that it had anything to do with me. So I emailed him.

Nope. Didn’t come from him. He confesses (and I don’t mind putting this out there since I haven’t identified him) that he had clicked on such a link himself. He hardly ever uses FB, so at the moment he is deleting his account and will start over. I haven’t asked him yet (and I will update this post after I find out) whether he could see “his” own post on the Wall-to-Wall. If so, that’s an easy way to check if you’ve been compromised–just look at your Inbox and your Wall postings. If there are things there that purport to come from you and you don’t remember them, either you’ve been phished or you are developing dementia.

What worries me is the possibility that friends can see these things and the supposed sender can’t. So I’ll ask him to see what his experience was.

[UPDATE: Haven’t heard back from him, so I don’t know for sure. I’m hoping a Russian virus didn’t kill him or something.]

So I’m doing two things with this post. First, I’m alerting my FB friends so they can watch for any suspicious posts from me. I very seldom do Wall postings or Wall-to-Wall, and when I do it is almost always in reply to one. If you get a weird message (well, weirder than usual) from me, check with me before clicking anything. If you can see it and I can’t, then it is truly something to be worried about. And in that case, the only way to find out is to ask. On the other hand, if you alert me to something and I can see it, then at least we’ll learn the necessity of checking your own postings.

And if nothing happens then we’ll know that the security measures I take actually do work. [UPDATE: So far, no one has indicated getting any spam that appears to come from me, so I think it must have worked.]

Which leads me to the second thing I’m doing with this post: talking a little about my security.

  • I use a Mac. I know that this is not guaranteed protection. IMHO, Mac users in general may be overconfident. I can see phishing scams as being particularly problematic to the overconfident, since they can work because of social engineering as opposed to straight hacking. Why? Because you’re already logged into your computer. If you click something that grants a permission, then the nasty has all the access it needs. Still, this is quite a bit of protection since there are a lot more nasties writing code that only runs on Windows than for Mac or Linux. You’re probably not going to run out and pop a couple thousand dollars on a Mac when your $400 Windows machine gets you around. I am not trying to engage in computer snobbery here, but I will tell you that I have found the Macbook I’m using to be worth it for a number of reasons. Regardless, it may be one of the reasons I’ve dodged this bullet, if in fact I have.
  • I use Firefox. While Firefox is certainly not invulnerable, it has a better security record (in my relatively unsophisticated estimation) than Internet Explorer, and it has different vulnerabilities. Since IE still has the bulk of the browser market, most code designed to exploit a vulnerability targets IE.
  • Firefox is very cool partly because of the availability of add-ons. I have a number of them that help protect me. One of my favorites is Noscript. As its name implies, it prevents scripts (e.g., javascript) from running on a page unless you grant permission, and it works on a site-by-site basis unless you foolishly grant blanket permission. Why would you do that if you went to the trouble of installing the thing? It has tremendous options for each page, so that you can allow only certain scripts, revoke permissions, temporarily grant permission on a script-by-script basis, etc. Since I had never been to either of the problem pages before, I’m certain that no scripts were able to run. This may, ultimately, have been what protected me, if such is actually the case.

If my friends don’t get spammed from me in the next few days, then I will figure I dodged the bullet, and that this security works. I would recommend Firefox and the Noscript add-on regardless. If I’ve dodged the bullet, I’ll get positively evangelistic about it.

Share this, please!