The Hidden Face of Facebook Security

Facebook actually does have some exceptionally talented security professionals. They have almost no depth in privacy, but they have real security talent. A part of the problem is that the Facebook culture is anti-security and that is a very tough obstacle for their security professionals.

Facebook security is by marketing design. Take a look at www.facebook.com. Do you see the word security anywhere? No, it isn’t there. At the bottom of the page there is the word “Privacy”, but that’s marketing. You really have to dig to find security information at Facebook, or else know where to find it.

So, since no decision maker at Facebook has had the common sense to put links to Facebook's security information anywhere a normal person could and would actually find them, I’ll share with you the few places I do know to find it.

You can go to www.facebook.com/security and get some information there. This should be a prominent link on their landing page, but it is not there. Another thing you can do is go to the Facebook blog at blog.facebook.com. Not all of the blog posts are about security, but some are. A recent post tells of a change that will make Facebook safer to use on unsecured Wi-Fi connections. The truth is, I have not yet been able to find the setting, and the feature is improperly implemented, if it does exist at all. There should be a very visible option at the time you log in to use https for the whole session, and it should be an opt-out feature. That is to say, you should have to choose not to use https, or else you will get a secure connection. The blog post about this new feature, which is undoubtedly a reaction to Firesheep, is at http://blog.facebook.com/blog.php?post=486790652130.

Another blog post from last year told of the ability to use one-time passwords. This is something you should do if you are going to log onto Facebook from a public computer, live in the US, and have a mobile phone. That blog post is at http://blog.facebook.com/blog.php?post=436800707130. The idea is that if the computer has a keystroke logger on it, at least your primary password will not be compromised.

I’m not sure if Facebook tries very hard to conceal their security information from the masses or simply makes no attempt at all to show it. It really isn’t fair to the security professionals there, but it is important for you to know where to find the information and read it.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC


  • John

    You have temporarily turned off secure browsing in order to access an unsupported application. To enable secure browsing again, please logout and login again.

    That's what I found upon checking this setting again.

  • amy

    I found out my Facebook account was hacked. My boyfriend had someone who works for Facebook do this. I want to report it but there doesn't seem to be a way. Also, I tried to do a secure feature which asked me to change my password; now that I did it, it won't let me back into Facebook. What do I do?

    • David Harley

      Amy, you need to check out the Account Security section at the Facebook Help Centre (under facebook.com/help/security).

  • binish

    Hi, I want to remove my security question on Facebook. Please tell me how?

    • David Harley

      Binish, I don’t think you’re supposed to be able to change or delete it, but Facebook support could presumably tell you definitively.

27 Jan 2011