Securing Your Social Media Accounts
In a world of social engineering and continuous attacks against your social media profiles, come learn about simple methods to secure your social media accounts and make sure any possible attacker will have a hard time "getting in". Presented by Val Vesa, Community Manager at Cloudflare.
Hello, everyone, and welcome to Cloudflare TV. I've been waiting to say that for a long time.
Although the title of this segment is securing your social media profiles, this doesn't mean that social media is all bad and also does not mean that it needs to be secured because it's bad.
Just checking with my colleagues to see if I'm actually live.
Hope I am. I'll go on. So as you have heard just before this segment.
Yes, so we are live. So as you have heard just before this segment, if you watched live, not everything on social media is bad.
But still, the title of my presentation today is securing social media profiles.
Not how to use them, not how to have fun on social media, but about security.
And this is because they combine security and social media, which are two of my favorite subjects to talk about.
I'll try to go slow. I'll try to fill the 30 minutes we have today. But I want to make sure that you know that next week I'll come back with a very deep step by step tutorial on how to do this yourself.
But first, just wanted to let you know that we are live from multiple locations across the world.
And myself, I'm streaming now from Cluj, that's in the center of legendary Transylvania, famous historic region of Romania.
Before going into any of the contents of today's segment, please email livestudio at Cloudflare.tv.
I'm going to say it again, livestudio at Cloudflare.tv.
And let me know, where did you find out about my segment today?
Was it on Facebook? Was it on Twitter? Was it on LinkedIn? Was it on any other social platform?
Please let me know. My colleagues in the green room will receive all of your questions and will let me know.
I just want to see how many of you are here because you find out about the segment from social media and which platform.
Okay, going on. Also, for the entire duration of this segment, if you have any questions at all, please email the same email address, livestudio at Cloudflare.tv.
And one of my colleagues in the green room, thank you, Sylvia, Dane, and whoever else is with you there helping us, will send it to my phone.
If you see me looking at my left, your right, it's because I'm checking my phone to see both time so we don't go over.
And also, if you have any questions that are being sent to me.
And also, please be aware, I'm just being notified as they say, they told me right now that all of the sessions are being recorded.
So most likely you are going to be, you know, to be checking them later if you can watch this live, that's okay.
So again, you can send any of your questions live at livestudio at Cloudflare.tv.
Even if you watch this after it's live, you can still email the same email address and the questions will get to me, passed on by my colleagues.
Now, I just want to take a moment here and do an introduction.
It's a real story, something that actually happened to me.
We were on vacation in Greece with my wife and our children a few years ago.
And it was about 6 a.m. maybe where, you know, some of you who are very familiar with using social media actually start recognizing the specific sounds made by each of the platforms sending their notifications to you, right?
You know exactly what WhatsApp sounds like.
You know exactly what Facebook Messenger sounds like.
And also, you know specifically what Twitter sounds like, don't you? So exactly 6 a.m., something about that, it's like, boom, hundreds of messages on my phone.
All of them from concerned friends and family members asking about a particular adult post I supposedly just made an hour before when, of course, I was in Greece in a bed sleeping.
Imagine the stress, the shock, the anger. And as I go on, think about yourself.
If you have ever been in a situation like that, I'm sure you've been stressed, angry.
You know, I just woke up instantly, couldn't sleep. I took my phone and I started browsing my Facebook account, trying to locate the content first.
Of course, I deleted it. And then two very important questions came to my mind.
How did this happen? That was number one. And what should I do to never let it happen again?
How did this happen? After some searching, I found out that actually it was an app.
It was loaded from a third-party website where, of course, I was too lazy to properly register for whatever service they were providing.
And I chose the famous go with, you know, log in with Facebook option instead of going with first name, last name, email, password.
You know the drill. And I'm sure you've done it many times before because it's easier, right?
It's faster to just go log in with Facebook.
You are already logged on in another tab or another browser with Facebook.
So why not just go? So what should I do to never let this happen again?
This brings us to the topic of our live segment today.
So I will walk you through the steps that I took to secure my own personal social media profiles.
And I started with the hacked one that morning, which was Facebook.
And then I invite you to do the same thing afterwards.
So when the segment is over, try to verify and go through the steps that I'm going to say here.
And see if you find any issues with your own social profiles.
And again, like I said, please email any of the questions you have during the segment to livestudio at Cloudflare.tv.
And I will have a few minutes at the end of this presentation to try to answer your questions.
But if I can't get to all of the questions, or if you're maybe not very comfortable with sending the questions live, you can please email that email address and all of the questions will get to me privately.
And I will respond to each one of you via email. Okay, so all of your private information, all of the questions that you're asking, they're not going to be posted anywhere else, only between me and you.
So let's go on. What steps did I take after finding out that I was hacked?
Basically, that's the word. My Facebook account was hacked.
Just give me a second. Of course, the first thing that I did was change the Facebook password, right?
The first thing that occurred to my mind was, oh, most likely they have my Facebook password.
Password, sorry. So I have to change it.
And while doing so, I employed something that I didn't do before, because my initial password was something, well, I'm not going to tell you my password, but it was very easy to guess. It was something that was very personal to me, and most likely a very generic phrase you all use a lot, and it involved "I love you".
What I did was I installed LastPass, and I strongly recommend that if you check any of your social profiles right now and you find out that your password is so easy to remember, so easy to just say it in a word or two words or something like that, make sure you do this first.
Regenerate and change your Facebook password or any other social media profile password, and make sure you use a password manager.
I use LastPass, but there's also 1Password and so many others that you can use.
By the way, you can send me an email and let me know what password managers you're using.
And then the second thing that I did was change that password, the same password that I had on Facebook, everywhere else where I was using it.
Because to my shame, because I should have known better working in security, I have used the same password that I used on Facebook on another site.
And the first thing that I did was make sure to go there and change that password again, even if that account was not hacked, even if it wasn't, you know, there was no suspicious activity in the account.
I just wanted to be sure. So this is one major thing that I want you guys to take with you home.
Password reuse is a huge mistake.
If you have a password for a service, make sure that password, like I said, unique, a very strong password generated by a password manager is only used for that profile, for that service.
Never reuse it. Number three, first step. I reviewed all of the apps that had access to my account.
In our case, again, we're talking about my Facebook profile, but this is valid for any social media platform.
You have a tremendous number of apps, which throughout your online activity and history, most likely you have granted access to your Twitter profile, Facebook profile, LinkedIn profile, Gmail, you know, Pinterest, so many others.
And you forgot about it.
And they still have access to your account. They can do various things there.
They can read your posts. They can read your friends list. They can see who you are talking to.
They can see where you're checking in and so on.
So review all of your apps and make sure only the ones you're safe with remain, maybe even the ones issued by your employer or the company you work for or, you know, anybody else that you feel is safe.
And you can also do this, by the way. I don't have this in my notes, but I'm just thinking about it now.
If you need for a specific moment of the day or for an hour or so on, if you need to have a specific app access your social media profile, that's fine.
Guess what? You can remove access afterwards.
So if that app is no longer doing anything to help you, you know, achieve whatever goal you needed on your social profile, just go and disable access.
And by the way, now with Facebook, it's even easier to do that. So review all your apps, all of the apps that have access to your social profile, and make sure you only allow the ones who actually need to be there.
Step four, review pending friend invites.
I'm sure if you check your phone right now, you have a list of maybe one, ten, hundred, thousands for, you know, those of you who are famous.
Check that list. See who they are. Reject anyone you don't know or you don't want to have as a friend on social media.
And why? Because there's a very big chance that some of those are fake, are bots, or fake profiles who are only there to lure you into accepting their friendship so that then they can, let's say, deploy various attack methods, which we will talk about next week, in trying to gain access or even to hack your account and hack others from your account.
Because imagine if John Doe, who is actually not a person, asks for a friend connection with you on Facebook, and you allow it, and they're not real, they're just a bot, they're just a system, they're just a software somebody's using to hack your account.
From your account, he or she will be able to send more invitations to others from your friends list, to which now guess what?
He has access. So, of course, more of your friends will most likely be hacked as well.
Step four. Step five, sorry. I'm watching my phone also just to make sure I don't go over time.
Enable two-factor authentication.
2FA, as most of you maybe say, but two-factor authentication. This means that every time you log in to your Facebook, to your Twitter, to your LinkedIn account, you'll also need to enter a unique code sent on your phone by the social media website.
Time consuming? Maybe. But I will not risk it. I would rather never do the step that I did some years ago, when I took the easy, short, apparently more comfortable method of just logging in with Facebook, instead of creating an actual account.
So, again, enabling 2FA may limit the speed by which you will log into your social media profile, but I can guarantee you it will make your account so much more safe and secure.
Step six. Review privacy levels. What this means, and now, again, going back to Facebook, if you go to Menu, Settings, Privacy, and simply pick what you feel comfortable with.
If you want all of your social media profile posts from now on to only be shown to you alone, you know, me only, maybe you want to just keep notes for yourself from a trip you're taking or from a place you're visiting, and you don't want to post that instant that you're there, let's say Greece, if we started with Greece, you can set that.
You can have that as a default setting.
Everything I post is going to be shown only to me.
It's only going to be shown to my friends, or it's going to be public. You can choose that.
Also, step seven, review who is allowed to tag you. I wanted to make sure, in my case, that I am notified of any upcoming tags and approve them by each, you know, one by one, myself, manually.
So if you set that in your Facebook profile, you know, for the sake of this example, that means that every time somebody tags you, so somebody posts an image, a video, a message somewhere saying, I was with Val in Bucharest, but they've never been with me.
They've never been in the same building or in the same country with me, but they can see that on social media.
Guess what? With this setting applied, every time they do that, I get a notification saying, hey, were you with John Doe in Bucharest two hours ago?
No, I wasn't even in Bucharest in months because, hey, we're in lockdown. Well, this is not a happy setting, but I'm just saying I wasn't in Bucharest because I'm in lockdown.
Checking the phone again, 15 minutes to go. Step eight, this is a very important one, and I wrote down some words that I want to say to you.
Beware of social media engineering, or social engineering as they call it, and phishing.
Well, social media engineering is done many times through the method of using phishing.
But what this is, social engineering is the manipulation of people into performing actions or divulging confidential information.
Criminals will use social engineering tactics because it's, guess what, easier to trick an individual than to exploit the software.
It's very difficult to crack or to hack or to, you know, force someone into giving you secrets, but it's much easier if you trick them.
So that's how social engineering is used. Social engineering can be done through emails.
You know, like I said, they send you a phishing email. It looks like Facebook just notified you, you know, welcome to Facebook.
By the way, your password is going to expire in two days.
Please click here to reset your password. And that's not an email from Facebook.
So if you're not aware and you click, most likely you're going to actually give away your real Facebook password, even if it's a very good password, even if it's a, you know, password manager generated password.
If you're giving it out to them, they'll have it.
They will log into your account. And guess what?
They will go through the same steps. What if this guy used the same password that he's using on Facebook, on his Gmail account, on his corporate account, on his so many other accounts.
So be aware of that. These attackers often use a sense of urgency.
So they will tell you, like I said, you only have two days. If you don't click this two days, your Facebook account is gone.
Or they do the same thing with banks.
You know, this is your bank. If you don't click this link to change your password, your online banking will be shut down in 48 hours.
Again, be aware.
And all these malicious links will most likely be impersonating a trusted individual.
Now we have been seeing a lot of LinkedIn activities lately.
For example, people who claim to be working with you, you know, in the same company, but actually not colleagues.
And if you work for an employer that has a large number of employees, like hundreds, maybe thousands, that's going to be so much easier for somebody to try to snoop in and trick you into accepting a so-called colleague on LinkedIn.
And I'm talking about LinkedIn because this is actually happening.
We have seen this staggering amount of growing attacks on social media, specifically for LinkedIn.
So please be aware if you're using LinkedIn, always check twice.
If you have an internal tool, which most likely you have, that actually lists all of your colleagues, who they are, what's their title, what team they work in, so on, who's their manager, maybe they're new.
And it's not a shame to say, you know, sorry if somebody is asking you to connect with them on LinkedIn today, and you're only going to do that tomorrow or in three days, because guess what?
You wanted to check and make sure that's not going to be a problem.
You know, your manager, your company, your employer, they'll never say, why didn't you approve them immediately?
Most likely, hopefully, which I strongly suggest you to do, they will applaud you and say, thank you for using a very wise method of making sure that this person actually exists and is belonging to the team that they say they are belonging to.
And again, people join companies all the time.
You're not expected to know everyone by heart and just say, oh, you know, John Doe just joined the marketing team two days ago, and he's asking you to approve his friend request on LinkedIn.
You don't have to do it just because his name and his title and his company sounds like he's working for your company.
Again, be aware. Step number nine, which is something that I have to say, I am guilty of a lot of the times, and this is maybe because I actually manage social media professionally.
So I have to be logged on to all of these accounts, but use the logout option.
Use it. It's there for that purpose. If you use Facebook, if you use Twitter, if you use LinkedIn, if you use Pinterest, any of the social platforms today for an hour, for five hours, three days in a row, when you close your laptop, you know, before you actually log off of your computer, go and click that button that says log out from your Facebook, from your Twitter, from LinkedIn.
It's safe. It's recommended.
I'll explain next week in more detail why exactly that is so important.
Step 10, or the last step in our list is before posting. So before you post anything on social media, again, I'm referring here to Facebook specifically, but it can be on any other social platform.
How long are we on time? Oh, 10 more minutes.
Okay. Sylvia, if we have any questions, please start putting them in the chat, just so I'm aware, so I can gauge my time correctly.
So before posting check, is this a public, friends only, specific people targeted post?
So if you want to post anything that is available and is intended to be available for everybody, you know, publicly to see and experience, that's fine.
But check, make an informed, conscious choice of checking.
If you want just friends only to see that maybe you're with family and with kids and you want just your friends, your actual friends on Facebook to see the photo of your minor child, taking a bath or, you know, swimming in the sea or whatever you guys are doing, having fun, make sure you check.
Is it friends only before you post? Also, you can do specific people. So if you only want your wife, your friends, your family members, whoever to see a specific post, make sure you check that before you click the post button.
Again, I know it may slow down. Maybe you see something very interesting and you forget and you post it publicly.
That could happen. But then you have another choice.
You can go back to the post, click edit privacy options. And guess what?
Mark it as friends only or specific people and so on. So there's always a choice, but it's much better.
And it's much safer if you check before posting.
Okay. Just give me a second. Okay.
Before posting also check. Do I want this location tag allowed in here? So if you're in a specific location, you're posting a photo.
Do you really want people to know that you are in that theater house or at the zoo or, you know, whatever else, maybe you don't want them to know.
Maybe you want to keep your location safe. Maybe you want your friends and the general audience not to know that you're not at home right now.
And then your house is, you know, uninhabited. So anybody can go in and possibly steal stuff.
It could happen. Also, if you check in on specific locations, so let's say you want that location tag.
Okay, fine. You decided, do you really want that recommended hotel or resort or whatever the place you're at to be showing up there?
Because Facebook, for example, does that if you check in and in a specific resort, you'll have that information bar under your post saying, would you like to recommend X, Y, Z location?
You can choose before posting if you want to allow that or not.
Also think about this. Does the photo or the video include any private or sensitive details?
Now, this is very important. Remember all those posts you see on maybe Twitter most, but also on Facebook of people getting their new, you know, gold Amex card and they're holding it to the camera and say, oh my God, I'm so happy.
No, I finally got it. Or a new passport. You finally got your passport.
This is very common news in Europe. I mean, getting a passport, that's just such a big deal, but I know for a fact, and, you know, speaking with so many of the US citizens, that when they get a passport, that's really an event.
The family has an event that the person feels that this is a special thing when actually got the passport.
Most of them, guess what? We'll do the same thing. This is my passport.
Oh my God, I don't have a passport. Private details in plain sight. Anybody can see your first name, last name, some other details.
Think about it. Do you want that out?
Also, maybe you have private details captured on a laptop screen.
So maybe you do a selfie and you're in front of your computer and some information that is maybe from work or maybe some other private information, maybe medical details, maybe who, I mean, so many things that could appear in the frame of a photo.
I'm a huge passionate photographer and I always understand the possibility that before you post anything in a photo, you should check, you know, look in the corners, look on the right side, look on the left side.
Do I have anything in here that might become an issue for me?
And if yes, don't post it. Easy.
Also, do you have any minors in the frame? You know, maybe you're some at some public place and you want to take a photo of, I don't know, just think about it.
Niagara Falls, right? So many people that crowded or other famous locations in the world.
Like, you know, you go to the Eiffel Tower in Paris, or you go to the Fontana di Trevi in Italy.
So many people are around you. When you take those photos, you might be getting some minors in there.
Do you really want them in there?
Think about it. Again, if you have any questions during today's segment, I will check my phone, but if there's no questions, we only have five minutes to go.
And I just wanted to say this out as an invitation.
If you recently had your social media profiles hacked, or if you had any issues, any of the issues that I've explained above, please reach out.
You can send an email to the same email address, livestudio at Cloudflare.tv.
They will be passed on to me. And I will try as much as I can, as much as I have time, to personally reach out to you and try to help you audit your social media profile and see if everything is in good standing.
If you don't know exactly how to perform the privacy settings I've explained here, again, I will be back next week with a session specifically for this.
We'll go with a screen share.
We, you know, we choose a social media profile that I will maybe invent, or we'll see how we can, I'm not going to be able to share my own, but we'll go through real life accounts so you can see how we can, you can do that.
I have tremendous respect for anybody asking questions.
And that's not because it's, it's a shame to ask a question.
I think it's an act of courage. I think allowing yourself to be educated and to hear somebody explaining to you something that maybe you're not very aware of or very familiar with.
I think that's very good.
I do it all the time. And if you're somebody that knows me, you know, that I ask a lot of questions and I'm not afraid to ask questions.
And I think that's how we learn.
And before I go, I just want to say that for those of you speaking French, I'm happy to say that the next segment is going to be completely in French and is entitled, let me see if I can read this right.
Comment déployer son blog sur Cloudflare, which means more or less how to deploy your blog on Cloudflare.
So I will meet you tomorrow, the same time to talk about how to secure your registrar account so that all of your domains are safe and goodbye.
I think my colleagues will take it away and most likely you're going to go into the French presentation again.
Don't forget to email livestudio at Cloudflare.tv with any questions and I'll be happy to answer.
Thank you for your time. Bye.
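As an added, stand-alone example that is not part of Val's talk or of any Cloudflare tooling: steps one and two above (change the guessable password, then hunt down every other site where the same password was reused) can be checked mechanically against a password-manager export. The script below assumes a generic CSV export with the columns name,url,username,password, which is a format most managers can produce; the five rows in it are constructed for illustration and the passwords are deliberately bad.

```python
"""Audit a password-manager CSV export for reused and guessable passwords.

Added example; assumes a name,url,username,password export and uses
constructed sample rows. Run it, then replace SAMPLE_EXPORT with the
contents of your own export (and delete that file afterwards).
"""
import csv
import io
import math
from collections import defaultdict

# Constructed sample export. "ILoveYou2015" mirrors the kind of personal,
# dictionary-based password the talk describes, reused on two sites.
SAMPLE_EXPORT = """name,url,username,password
Facebook,https://www.facebook.com,val@example.com,ILoveYou2015
Twitter,https://twitter.com,val@example.com,ILoveYou2015
LinkedIn,https://www.linkedin.com,val@example.com,correct-horse-battery
Gmail,https://mail.google.com,val@example.com,iloveyou
Bank,https://bank.example,val,Vk9#p2mL!x8QwRz4tB
"""

# A tiny stand-in for a real breached-password list (assumption: in practice
# you would load a large wordlist here).
COMMON_WORDS = {"password", "iloveyou", "123456", "qwerty", "welcome"}


def load_entries(export_text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(export_text)))


def estimate_entropy_bits(pw):
    """Charset-based entropy estimate: length * log2(size of character pool).

    This is an optimistic upper bound, not a cracking model; it exists only
    to catch short or single-class passwords.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def find_reuse(entries):
    """Return {password: [entry names]} for every password used more than once."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def find_weak(entries, min_bits=60):
    """Return {entry name: [reasons]} for passwords that are guessable.

    A password is flagged if, lower-cased and with trailing digits stripped,
    it is a common word, or if its entropy estimate is below min_bits.
    """
    weak = {}
    for entry in entries:
        pw = entry["password"]
        base = pw.lower().rstrip("0123456789")
        reasons = []
        if base in COMMON_WORDS:
            reasons.append("common word")
        bits = estimate_entropy_bits(pw)
        if bits < min_bits:
            reasons.append("low entropy (%.0f bits)" % bits)
        if reasons:
            weak[entry["name"]] = reasons
    return weak


def audit(export_text):
    """Run both checks and return them together."""
    entries = load_entries(export_text)
    return {"reused": find_reuse(entries), "weak": find_weak(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for pw, names in report["reused"].items():
        print("REUSED on %s: change it everywhere, not just on one site" % ", ".join(names))
    for name, reasons in report["weak"].items():
        print("WEAK   %s: %s" % (name, "; ".join(reasons)))
```

The reuse check is the one that matters most after an incident: once a password is known to an attacker, every site in that list has to be treated as compromised, which is exactly the "change it everywhere else too" step the talk describes. The common-word check strips trailing digits before matching so that "ILoveYou2015" is still caught even though its raw entropy estimate looks acceptable.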
What is a bot?
A bot is a software application that operates on a network. Bots are programmed to automatically perform certain tasks.
Bots can be good or bad.
Good bots conduct useful tasks like indexing content for search engines, detecting copyright infringement and providing customer service.
Bad bots conduct malicious tasks like generating fraudulent clicks, scraping content, spreading spam and carrying out cyber attacks.
Whether they're helpful or harmful, most bots are automated to imitate and perform simple human behavior on the web at a much faster rate than an actual human user.
For example, search engines use bots to constantly crawl web pages and index content for search, a process that would take an astronomical amount of time for any human user to execute.