As the sun is setting and I breathe some of the night-time air, I am inspired to write about Facebook.  Yes, *the* Facebook, which would be the third largest country if it were a physical place with boundaries under a common rule of law and government.  When this many people use a service, it bears attention, especially when it comes to knowing about security and privacy (and our team at the Cyber Threat Analysis Center has written about Facebook plenty).  Chances are a person has an account with Facebook, and chances are a person has studied and understood the various controls that Facebook provides to turn the dials on privacy and security settings for maximum comfort and desirability.

All bets aside, my goal is to step through those dials in this article.  Feel free to comment and help make improvements, as has been done in my recent article “No Chocolates for my Passwords Please!”  Also, please click on any images which appear small to render the full size.  Similarly, I have a blog on LinkedIn Privacy that readers may peruse.

Facebook Country

Privacy Settings

Once logged into your Facebook account, open the "Account" menu in the upper right-hand corner of the screen and choose "Privacy Settings".  The images and text that follow are built around a framework, or technique, to apply if one's goal is to have pretty tight security and privacy (as much as can be) while keeping an account with Facebook.  Use it as a guide or model and execute your own technique; hence your own mileage may vary (see free will).  Be sure to check out "Controlling how you share", a resource at Facebook.

Account > Privacy Settings


Facebook Privacy Settings

Notice that there are canned options to choose from along the left-hand side.  These are common to Facebook and are found in almost all settings across the board.  Enumerated, they are:

  1. Everyone
  2. Friends of Friends
  3. Friends Only
  4. Recommended
  5. Custom

"Recommended" is not part of the "across the board" values.  In the image above, "Custom" has been selected and to replicate it, simply click the link that reads "Customize Settings" and observe the following image.

Account > Privacy Settings > Customize Settings > Things I Share


Facebook Customize Settings

This brings you to the "Things I Share" section and the other sharing sections covered shortly.  Pay particular attention to "Posts by me", as Facebook notes that your selection here becomes the "Default" privacy behavior when posting, including status updates and photos.

Here, two groups are referenced, called "Family" and "Family - Extended".  Treat them as examples, as a person may define their own groups.  This is an exercise to show how settings may be customized.

Next we move to "Things Others Share" and "Contact Information".

Account > Privacy Settings > Customize Settings > (Things Others Share and Contact Information)


Facebook "Things Others Share" and "Contact Information"

Omitted from this screen are Email Address and Phone Number.  However, such settings may look like this:

Facebook Privacy Settings for Email and Contact Info

Account > Privacy Settings > Customize Settings > Things I Share > Posts by Me

Next we quickly look at "Posts by Me" to see what the typical "across the board" enumeration looks like for the selection options:

Facebook Settings Enumerated

See?  By choosing "Custom", one may better control one's privacy requirements.  Delving into "Custom" we see the following screens (I broke them up just for this article):

Facebook Customize Granular

Facebook Customize Granular

Options to Display, and Options to Hide.

Account > Privacy Settings > Customize Settings > Things I Share > Include me in "People Here Now" after I check in

Here is a sample image of Places and checking in, and the option to have a person be included.  The picture above has this disabled; the setting is found under "Things I Share > Include me in 'People Here Now' after I check in".

Facebook Places

Account > Privacy Settings > Customize Settings > Things Others Share > Photos and videos you're tagged in


Facebook Photos and videos you're tagged in

Further information on this feature may be explored here.

Account > Privacy Settings > Customize Settings > Things Others Share > Suggest photos of me to friends


Facebook Suggest photos of me to friends

To learn more about this feature, click here.  Notice, the option to disable is activated.

Account > Privacy Settings > Customize Settings > Things Others Share > Friends can check me in to Places

Places?  For more reading at Facebook on this topic, click here.

Facebook Places


Facebook Friends can check me in to Places

Account > Privacy Settings > Customize Settings > Things I Share > Edit privacy settings for existing photo albums and videos

If you have albums or photos, they may be grouped into a gallery display at this point.  Simply adjust your settings as shown below, for Profile Pictures.

Facebook Profile Pictures Setting

Now let us go back to the Privacy Settings page and explore the Applications and websites settings.

Account > Privacy Settings > Apps, Games and Websites


Facebook Apps Games and Websites

If a person has particular applications or games listed here, selecting one shows the kind of information that application has access to on one's account.

Facebook Applications, Games and Websites Access

Notice in this example the only option a person has is to "Remove" the "Posts to my Wall" selection.  The others are required.  "Access my basic information" shares everything one has made publicly available with the application.

Some extra options for applications:

  1. Remove the application
  2. Turn off all applications (link disabled)

Visually, this is what that looks like:

Facebook Application Options

Here are some further options for this section:

Facebook Apps, Games and Websites Further Settings

Account > Privacy Settings > Apps, Games and Websites > Info accessible through your friends

One to explore is "Info accessible through your friends"; the various options it provides are shown below:

Facebook info accessible through your friends

Account > Privacy Settings > Apps, Games and Websites > Instant Personalization

Now we move on to "Instant Personalization"; more information is available here.

Facebook Instant Personalization

Notice, the option to "Enable" is on the bottom.  Prior to entering this screen Facebook displays the next image which may be explored in further detail here.

Facebook Understanding Instant Personalization


Account > Privacy Settings > Apps, Games and Websites > Public Search

Next we check out "Public Search".  Again, the option to "Enable" is on the bottom.

Facebook Public Search

Account > Privacy Settings > Block Lists

Facebook provides folks the ability to block users, application invites, and event invites.  The screen is shown below:

Facebook Block Lists

Account > Privacy Settings > Connecting on Facebook

Then there are the "Connecting on Facebook" settings, a quick overview in one place.  Here is an example.  Note that "Send you friend requests" cannot be closed down any further than "Friends of Friends".

Connecting on Facebook

Account > Account Settings

That completes what Facebook considers "Privacy Settings".  Next we check out "Account Settings".

Account > Account Settings > Account Security

One item worth highlighting in this section is "enable login approvals".  If a person has not previously enabled it, here is what may be expected:

Facebook turn on login approvals

"Next" prompts a person to confirm a phone:

Facebook confirm your phone

As CTAC's own Randy Abrams wrote earlier this year, I bring it up again because this option enables encrypted (HTTPS) browsing of Facebook, which helps prevent attacks from tools like Firesheep.  Facebook has a roadmap that ensures applications will migrate to HTTPS mode, and I wrote about it here, for your pleasure.

Facebook Account Security

Further below on this Facebook page one will notice tracking of account activity.  This is where a person may spot potentially malicious activity.

Facebook Recognized Devices

Facebook Account Activity

Breaches can and do occur, and the only way to truly protect one's information is to not have it online.  However, that does sort of defeat the purpose of social networking.  Still, if a person wants to deactivate their Facebook account, simply click "deactivate" on the same page.

Facebook deactivate account

David Harley, a CTAC Senior Fellow, also wrote about Facebook Ads here.  I explore this with some images.

Account > Account Settings > Facebook Ads


Facebook Ads

There exist two settings to potentially adjust:

  1. Edit third party ad settings
  2. Edit social ads setting

Plus, here is some additional reading as reference:

Account > Account Settings > Facebook Ads > Ads shown by third parties


Facebook Ads shown by third parties

Account > Account Settings > Facebook Ads > Edit social ads setting

Notice the option is on the bottom.  If enabled, advertisements will show your name as having "liked" something.  If a person does not want their name showing up in ads, simply disable this entry.

Facebook social ads settings

To learn more:

Account > Account Settings

I like tooling around with passwords and how they may be used.  Here is where Facebook has its password management system.

Facebook Password

Notice the little "?" on the "New Password" line?  Click it to reveal suggestions for a strong password:

Facebook Create a Strong Password

Edit my Profile

Checking into the Basic Information page, it is a person's choice whether to fill this data in or not.  For maximum privacy, the recommendation is to keep it blank.  Do you want other companies (or Facebook) to have enhanced information on you?

Facebook Edit my Profile Basic Information

Similarly, the contact information (email addresses and websites are not depicted in this snapshot):

Facebook contact information

My Wall

Recall the default post setting earlier in this article?  Here is where it comes into play on your News Feed.

Facebook News Feed - Your wall

The lock icon next to Share shows the same common information referred to earlier.  Reviewing:

Facebook Status Update Share Customization

Yes, that default setting has pretty large implications on your posting activity.

Facebook default posts

Public Directory

And if a person does not want to be found on Facebook (or, conversely, wants to be), this is the setting to visit.

Search for you on Facebook

Search engines will find you in Facebook's open directory, as will other aggregation sites.  Your information will be publicly available on these third-party sites, which have no Facebook affiliation and run their own advertisements.  One to take note of is

Another thing to be mindful of: if a person has someone from their past making them feel uncomfortable, keeping their profile public and switching their privacy settings to "Everyone" may not be such a good thing.  Our CEO Andrew Lee explores a particular scam under the title "Is your ‘stalker ex’ still creeping your Facebook page?"

Outlook Social Connector for Facebook

Although not a feature directly available on Facebook, the Outlook Social Connector (OSC) for Facebook enables a person to tap into their social network from within Outlook and view friend updates, posts, and photos in a secured manner.  The following image from the Office Blog shows how a person can tap into their social community right from Microsoft Outlook.

It also serves as a reminder that information you store online may be shared virtually anywhere, and without your knowledge.  Hence the purpose of this article: to spread awareness and education.

Facebook Outlook Social Connector

Notice how "Michael" posted photos and they are made available right in the OSC.  Application-level adjustments can be made in the Facebook settings referenced earlier under the Apps, Games and Websites section.  For more information on Outlook Social Connector privacy and security, read this article.  Last year I enabled surveillance on my computer while testing the Outlook Social Connector and can confirm communications were secure.  Perhaps in a future blog we shall explore the technical side of this.

Additional Reading

This has been a walk through lots of information, some at a high level and some diving a little deeper.  In future articles (as in past ones), CTAC explores a knob here and a dial there to varying degrees of depth.  It is my hope this blog article served its purpose as a model and a framework for having an account on Facebook.  For further reading, please see:

Sign in & Surf Safely


Following the same methods, I will next publish a blog focused on LinkedIn.  In the meantime, feel free to jump to a new article by Randy on "LinkedIn Security and The Rapture".

Finally, as I always do, I call out to folks who want to share their own framework or models.  Please feel free to comment and help improve the community.

From your friendly neighborhood Cyber Threat Analysis Center.  Cheers!



Paul Laudanski, Director of Cyber Threat Analysis Center