Experts renew call for greater Facebook security

While the world's most popular social networking site continues to face threats daily and users remain unfazed, industry players urge the Facebook team to re-examine security from the user's perspective.
Written by Tyler Thia, Contributor

With security threats continuing to plague Facebook, such as the recent abuse of CEO Mark Zuckerberg's fan page, experts have renewed calls for the social networking site to step up user protection and education.

Zuckerberg was not the only prominent personality to suffer from a Facebook page hack last month--French President Nicolas Sarkozy was also a victim, according to the Huffington Post. The two high-profile incidents happened in the same week.

Yet Facebook, according to these security observers, remains extremely popular despite these incidents and other threats such as rogue apps.

On one hand, Facebook wants compelling applications to attract new subscribers and increase the amount of time users spend on the site. However, there are less than stringent controls on developers.

"Anyone can sign up and create a bogus Facebook application," said Chester Wisniewski, senior security advisor at Sophos, in an e-mail interview, adding that users who are affected can be redirected to malicious URLs without being prompted.

This, he explained, happened with the Koobface worm, which prompted users to download a "FacebookPhotos###.exe" file even before requesting permission for data access.

Wisniewski added that this form of "clickjacking" still occurs, but Facebook claims it is a "browser problem".

In an earlier report published by ZDNet Asia's sister site CNET, Facebook's chief security officer Joe Sullivan was quoted as saying the team does not practice the "gatekeeper approach" when it comes to vetting apps. Instead, it "devotes its energy to the ones that could cause the most damage if they were bad".

Measures taken, but more can be done
To its credit, Facebook has activated "advanced security controls" to protect at-risk accounts. According to the CNET report, when an account is detected as having an unusually large number of posts, or posting dubious links, the "roadblocks" devised by the team will direct the user to a McAfee cleanup tool that can be used immediately.

The team, which includes staff dedicated to incident response, has also just rolled out the HTTPS (hypertext transfer protocol secure) encryption feature for all activities, not just password entry.

Still, the approach was challenged by Wisniewski, who claimed that security should be adopted from "inside out", such as configuring the firewall, and not the other way round. To that end, Facebook should make HTTPS a default, not something for the user to opt into, he argued.

"Facebook has taken the opposite approach and I feel [its] users will pay the price in privacy and security until it chooses to implement stronger privacy controls in reaction to these incidents," said Wisniewski.

Randy Abrams, ESET's director of technical education, also agreed Facebook can do more for its users. "Facebook doesn't consider security to be enough of a priority to even mention the word on the log-in screen.

"Facebook can and should do a lot more to promote security education with their users."

Users an 'unsolved vulnerability'
Likening Facebook to an "operating system" such as Microsoft Windows, Abrams said it will be subject to security breaches and not be able to protect everyone.

"An operating system is designed to run programs, but it can't know if the program is good or bad," he explained.

While Facebook is far from facing a security crisis, Abrams said its users remain "the biggest unsolved vulnerability which Facebook falls flat on its face".

Sophos' Wisniewski concurred, noting that users "simply don't care" about security.

Users, he pointed out, do not seem to be aware of the security issues associated with Facebook; security breaches have also not stopped those concerned and worried about their profiles from logging in and sharing their lives on the site.

Other sites beware
Other social media sites are equally at risk, even though their user base may be smaller, warned both experts.

According to Abrams, apart from the user base, there are risk factors such as ease of attack and an attacker's own motivations. "Other social media sites are equally susceptible but may not get as much attention from the criminal element," he said, adding that criminals are always on the lookout for vulnerabilities.

No matter how secure a Web site is, users cannot prevent their profiles from getting hacked, said Abrams and Wisniewski. One important way of staying safe is to limit the information that is made public, they noted.

In addition, users should set strong passwords that are not recycled for other sites, and enable the HTTPS option when it is available in the profile.

"Ultimately if a social media site is hacked badly enough then your profile and all of its information is owned by someone else. The risk is rather small, but it is there, so think carefully about what information you put online anywhere," Abrams warned.
