As the sun is setting and I breathe some of the night time air I am inspired to write about Facebook. Yes, *the* Facebook, the third largest country if it were a physical place with boundaries under a common rule of law and government. When many people use a service such as this, it bears attention and especially when it comes to knowing about security and privacy (and our team at the Cyber Threat Analysis Center have written about Facebook plenty [tags + categories]). Chances are a person has an account with Facebook.com and chances are a person has studied and understood the various controls that Facebook provides to turn the dials on privacy and security settings for maximum comfort and desirability.
All bets aside, my goal is to step through those dials in this article. Feel free to comment and help make improvements, as has been done in my recent article on “No Chocolates for my Passwords Please!” Also, please click on any images which appear small to render the full size. Similarly, I have a blog on LinkedIn Privacy readers may peruse.
Once logged into your account on Facebook, we visit from the upper right hand screen under "Account", the "Privacy Settings". Subsequent images and text are based around a framework or technique to activate if one's goals are to have pretty tight security and privacy (as much as can be) when keeping an account with Facebook. Use as a guide or model, and execute your own technique — hence your own mileage may vary (see free will). Be sure to check out "Controlling how you share", a resource at Facebook.
Notice that there are canned options to elect along the left hand side. These are common to Facebook and are found in almost all settings across the board. Better enumerated as:
"Recommended" is not part of the "across the board" values. In the image above, "Custom" has been selected and to replicate it, simply click the link that reads "Customize Settings" and observe the following image.
This brings you to the "Things I Share" and other Sharing sections to be witnessed momentarily. Pay particular attention to "Posts by me", as Facebook announces your selection here is considered the "Default" behavior for Privacy when posting including status updates and photos.
Here, two groups are referenced called "Family" and "Family – Extended". Reference them as examples as a person may define their own. This is an exercise to show a person how settings may be customized.
Next we move to "Things Others Share" and "Contact Information".
Omitted from this screen are Email Address and Phone Number. However, such settings may look like thus:
Next we quickly look at "Posts by Me" to see what the typical "across the board" enumeration looks like for a selection options:
See? Yielding to "Custom", one may better control their privacy requirements. Delving into "Custom" we see the following screens (I broke them up just for this article):
Options to Display, and Options to Hide.
Here is a sample image of Places and Checking in, and the option to have a person be included. Pictures above has this disabled and is shown under "Things I Shared > Include me in 'People Here Now' after I check in".
Further information on this feature may be explored here.
To learn more about this feature, click here. Notice, the option to disable is activated.
Places? OK for more reading at Facebook on this topic, click here.
If you have albums or photos, they may be grouped into a gallery display at this point. Simply adjust your settings as shown below, for Profile Pictures.
Now let us go Back to the Privacy Settings page and explore Applications and websites settings.
If a person has options displaying here for particular applications or games, one will see the kind of information such selections have access to on one's account.
Notice in this example the only option a person has is to "Remove" the "Posts to my Wall" selection. The others are required. "Access my basic information" shares everything one has made publicly available with the application.
Some extra options for applcations:
Visually, this is what that looks like:
Here are some further options for this section:
One to explore is "Info accessible through your friends" and the various options that provides are shown below:
Now we move onto "Instant Personalization", more information available here.
Notice, the option to "Enable" is on the bottom. Prior to entering this screen Facebook displays the next image which may be explored in further detail here.
Next we check out "Public Search". Again, the option to "Enable" is on the bottom.
Facebook provides folks the ability to block users, application invites, and event invites. Screen shown below:
Then there is "Connecting on Facebook" settings, a quick overview in one place. Here is an example. Note, "Send you friend requests" cannot be further closed down from "Friends of Friends".
We are complete with what Facebook considers "Privacy Settings". Next we check out "Account Settings".
One section worth highlighting is "enable login approvals" in this section. If a person has not previously enabled it, here is what may be expected:
"Next" prompts a person to confirm a phone:
As has been written by CTAC's own Randy Abrams earlier this year, I bring it up again as this option does enable Facebook surfing encryption to help prevent attacks from applications like Firesheep. Facebook has a roadmap that ensures applications will migrate to HTTPS mode and I wrote about it here, for your pleasure.
Further below on this Facebook page one will notice tracking of account activity. A person may spot any potential malicious activity.
Breaches can and do occur, and the only way to truly protect one's information is to not have it online. However, that does sort of defeat the purpose of social networking. Still, if a person wants to deactivate their account from Facebook, on the same page simply click "deactivate".
David Harley, a CTAC Senior Fellow also wrote about Facebook Ads here. I explore this with some images.
There exist two settings to potentially adjust:
Plus, here is some additional reading as reference:
Notice the option is on the bottm. If enabled, advertisements will serve up your name as having "liked" something. If a person does not want their names showing up in ads, simple disable this entry.
To learn more:
I like tooling around with passwords, and how they may be used. Here is where Facebook has its password management system.
Notice the little "?" on the "New Password" line? Click it to reveal suggestions for a strong password:
Checking into the Basic Information page, it is a person's choice to fill this data in or not. For maximum privacy, the recommendation is to keep it blank. Do you want other companies (or Facebook) to have enhanced information on you?
Similarly, the contact information (email addresses and websites are not depicted in this snapshot):
Recall the default post setting earlier in this article? Here is where it comes into play on your new feed.
The lock icon next to Share shows the same common information referred to earlier. Reviewing:
Yes, that default setting has pretty large implications on your posting activity.
And if a person does not want to remain private or be found on Facebook, simply visit this setting.
Search Engines will find you on Facebook's open directory, and other aggregation sites. Your information will be publicly available on these third party sites with no Facebook affiliation. Such sites run their own advertisements. One to take note of is Facepinch.com.
Another thing to be mindful of if a person has someone from their past making them feel uncomfortable, keeping your profile public and switching your privacy settings to "Everyone" may not be such a good thing. Our CEO Andrew Lee explores a particular scam under the title "Is your ‘stalker ex’ still creeping your Facebook page?"
Although not a feature directly available on www.Facebook.com, the Outlook Social Connector (OSC) for Facebook enables a person to tap into their social network from the site and view friend updates, posts, photos in a secured manner. The following image from the Office Blog shows how a person can tap into their social community right from Microsoft Outlook.
It also serves as a reminder that information you store online may be shared virtually anywhere and without your knowledge. Thus the purpose for this article to spread awareness and education.
Notice how "Michael" posted photos and they are made available right in the OSC. One can make application level adjustments on your Facebook settings referenced earlier under the Apps, Games and Websites section. For more information on the Outlook Social Connector privacy and security, read this article. Last year I enabled surveillance on my computer while testing the Outlook Social Connector and can confirm communications were secure. Perhaps in a future blog we shall explore the technical side of this.
This has been a walk through of lots of information. Some at a high level, and some diving a little deeper. In future articles (as in past), CTAC explores a knob here and a dial there to varying degrees on depth. It is my hope this blog article served its purpose as a model and a framework for having an account on Facebook. For further reading, please see:
Use HTTPS! https://www.facebook.com/about/login/
Following the same methods, I will next publish a blog focused on LinkedIn. In the meantime, feel free to jump to a new article by Randy on "LinkedIn Security and The Rapture".
Finally as I always inquire, a call out to folks who want to share your framework or models is sent. Please feel free to comment and help improve the community.
From your friendly neighborhood Cyber Threat Analysis Center. Cheers!
Paul Laudanski, Director of Cyber Threat Analysis Center
Author ESET Research, ESET