
July 19 2011

7 Things Facebook Should Do To Increase Security [OPINION]


This post reflects the opinions of the author and not necessarily those of Mashable as a publication.

Eugene Kaspersky is CEO of Kaspersky Lab, the company he co-founded in 1997, which is now the world’s largest, privately-held anti-malware company. You can follow him on Twitter @e_kaspersky and his blog at eugene.kaspersky.com.

For the past seven years we have seen how Facebook has dramatically changed the way people communicate while it has formed a new culture of online socializing.

For most people, Facebook has been about keeping in touch with friends and family in a totally new way. But for security researchers, such as myself, it has led to seven years of new challenges for the security industry. The main issue with social networking and security is that social networks are, well, social, and when the human mind gets involved, vulnerabilities can be exploited. I’m talking about human vulnerabilities, those against which it’s hard to defend.

Many Facebook users lack knowledge and experience about how to protect themselves in the social networking environment, which has made the situation worse. Facebook appeals to new Internet users who often lack the computer savvy to identify online threats, and the most vulnerable segment of the audience — kids — have little life experience required to make reasonable decisions.

Because of this, I believe Facebook needs to enhance the security and privacy features of its site so the problems don’t escalate out of control. With the help of my colleagues, here are seven key recommendations I believe will make Facebook a safer place:


1. Enforce Full HTTPS Browsing


This way, all users can make sure no one is snooping into their conversations, even if they’re browsing Facebook through an untrusted Internet connection. Additionally, it will render attack tools such as Firesheep completely useless.

I admire the fact that Facebook has enabled optional HTTPS browsing in its recent security features roll-out. However, I don’t think the option is clearly marked enough for most users to find and utilize it. Therefore, I feel that this feature should be made mandatory for everyone.


2. Implement Two-Factor Authentication


Banks are offering e-tokens to their customers to safely access their online banking accounts; but in a world where social networking sites are becoming more and more important to what we do online, users should also have the same technology available for protecting their Facebook accounts.

This option should be enforced and mandatory, otherwise it may easily be lost in the depth of account settings. Following Facebook’s initiative to send verification codes via SMS, I suggest the company develop a mobile application that will generate a one-time password in addition to the master password. This way, an attacker would have to compromise not one, but two devices to access a Facebook account. This is not an easy task even for an experienced hacker.


3. Make Clear Which Facebook Apps Are Trusted


Malicious Facebook apps are being analyzed and reported by researchers on a daily basis. Facebook needs to perform a thorough security check and approve all incoming applications to make sure no malicious app makes its way onto a user’s profile.

At the very least, Facebook should allow users to add a list of trusted/approved applications to their profile. If a person wants to use an application that is not trusted, they should be able to run it in some sort of “profile sandbox,” so that any malicious activity would not affect their friends and family.


4. Tighten the “Recommended” Privacy Controls


Currently, Facebook’s recommended privacy settings easily allow for an attacker to become the friend of a friend of a target, and consequently to access data needed to reset a password for an email account, or to misuse other personal information. Why does Facebook allow “everyone” to access status, photos, posts, bio, favorite quotes and family and relationships by default?

In the security market we follow a simple rule that works: “Disable everything, then enable the things you really need.” If Facebook wants to take steps to actually make its site safer, the default setting should make personal information visible only to friends. Allow the users to decide later whether they want to change their data exposure.


5. Allow Permanent Deletion of Facebook Accounts


Permanently deleting a Facebook account should … permanently delete the account. Respect the user’s will to entirely wipe out his presence on Facebook, without worrying that some materials have been left available on the Internet, and make permanent account deletion a simpler process that doesn’t require a special request to Facebook customer support.


6. Commit to Parental Controls


Allow parents to set up limited-access accounts for their children, as sub-accounts under their own Facebook presences. The limited sub-accounts could automatically be turned into full-access accounts once children reach the age of consent.

My colleagues and I support initiatives to protect users under 18, as expressed in California’s SB242, which extends the opportunities for parents to control their children’s social media accounts.


7. Better Educate Users


I value Facebook’s commitment to educate users about security and privacy in social networks, including the initiative to set up dedicated Pages to these topics (Facebook Safety, Facebook Security and Facebook Privacy). However, no matter what sort of protection surrounds Facebook users, those privacy features will remain useless should users lack the awareness.

For this reason, I recommend extending the practice by introducing more opportunities for user education. A good example would be to launch daily webinars that cover the most important aspects of Facebook security in the clearest and simplest way possible for the general public.

It is also the belief of my colleagues and myself that closer interaction with security vendors will assist in building a stronger community to bolster critical Facebook initiatives and allow for more informed decisions. An advisory board consisting of the most authoritative experts in the security community, and regular summits to review past and future initiatives, could bring additional value to the development of a safer Facebook.

These are seven realistic, doable and actionable steps that can dramatically increase the safety and privacy of Facebook’s users. Of course, no technology can guarantee 100% security as long as the human factor is involved. Still, Facebook can and should do everything it can to protect its users and keep them safe.

Image courtesy of iStockphoto, malerapaso



April 20 2010

10 Nations Send Open Letter to Google: Protect Our Privacy

In a letter addressed to Google CEO Eric Schmidt, the Commissioner of Canada Jennifer Stoddart and the heads of the data protection authorities in France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom have expressed their concern about various privacy issues connected to some of Google’s services.

Two of these services are highlighted in the letter: Google Buzz and Street View. “We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws,” the letter says. It then highlights Google’s biggest error when it comes to Buzz: “In essence, you took Google Mail (Gmail), a private, one-to-one web-based e-mail service, and converted it into a social networking service, raising concern among users that their personal information was being disclosed.”

This is quite an accurate description of the privacy problems with Buzz. Google did promptly react, which is also mentioned in the letter: “To your credit, Google apologized and moved quickly to stem the damage.”

“Unfortunately,” the letter continues, “Google Buzz is not an isolated case.” The letter goes on to describe the issues that arose from Google Street View service, which has caused numerous privacy complaints since it was launched. “In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured,” the letter claims.

Finally, the letter asks for a response from Google, and lists some broad principles that Google should incorporate in its online services:

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected, and
  • giving people simple procedures for deleting their accounts and honoring their requests in a timely way.

Since Google often highlights its commitment to preserving user privacy, it probably won’t be pleased to see such a stern reaction from the representatives of 10 countries. However, the privacy blunder that was Buzz and the numerous complaints about Street View will probably continue to fuel the sentiment that privacy is not exactly Google’s primary concern.

The full text of the letter is available here.




