1. Enforce Full HTTPS Browsing
This way, all users can make sure no one is snooping into their conversations, even if they’re browsing Facebook through an untrusted Internet connection. Additionally, it will render attack tools such as Firesheepcompletely useless.
I admire the fact that Facebook has enabled optional HTTPS browsing in its recent security features roll-out. However, I don’t think t
This way, all users can make sure no one is snooping into their conversations, even if they’re browsing Facebook through an untrusted Internet connection. Additionally, it will render attack tools such as Firesheepcompletely useless.
I admire the fact that Facebook has enabled optional HTTPS browsing in its recent security features roll-out. However, I don’t think t
he
option is clearly marked enough for most users to find and utilize it.
Therefore, I feel that this feature should be made mandatory for
everyone.
2. Implement Two-Factor Authentication
Banks are offering e-tokens to their customers to safely access their online banking accounts; but in a world where social networking sites are becoming more and more important to what we do online, users should also have the same technology available for protecting their Facebook accounts.
This option should be enforced and mandatory, otherwise it may easily be lost in the depth of account settings. Following Facebook’s initiative to send verification codes via SMS, I suggest the company develop a mobile application that will generate a one-time password in addition to the master password. This way, an attacker would have to compromise not one, but two devices to access a Facebook account. This is not an easy task even for an experienced hacker.
3. Make Clear Which Facebook Apps Are Trusted
Malicious Facebook apps are being analyzed and reported by researchers on a daily basis. Facebook needs to perform a thorough security check and approve all incoming applications to make sure no malicious app makes its way onto a user’s profile.
At the very least, allow users to add a list of trusted/approved applications to his or her profile. If the person wants to use an application that is not trusted, they should be able to run it in some sort of “profile sandbox,” so that any malicious activity would not affect their friends and family.
4. Tighten the “Recommended” Privacy Controls
Currently, Facebook’s recommended privacy settings easily allow for an attacker to become the friend of a friend of a target, and consequently to access data needed to reset a password for an email account, or to misuse other personal information. Why does Facebook allow “everyone” to access status, photos, posts, bio, favorite quotes and family and relationships by default?
In the security market we follow a simple rule that works: “Disable everything, then enable the things you really need.” If Facebooks wants to take steps to actually make its site safer, the default setting should make personal information visible only to friends. Allow the users to decide later whether they want to change their data exposure.
2. Implement Two-Factor Authentication
Banks are offering e-tokens to their customers to safely access their online banking accounts; but in a world where social networking sites are becoming more and more important to what we do online, users should also have the same technology available for protecting their Facebook accounts.
This option should be enforced and mandatory, otherwise it may easily be lost in the depth of account settings. Following Facebook’s initiative to send verification codes via SMS, I suggest the company develop a mobile application that will generate a one-time password in addition to the master password. This way, an attacker would have to compromise not one, but two devices to access a Facebook account. This is not an easy task even for an experienced hacker.
3. Make Clear Which Facebook Apps Are Trusted
Malicious Facebook apps are being analyzed and reported by researchers on a daily basis. Facebook needs to perform a thorough security check and approve all incoming applications to make sure no malicious app makes its way onto a user’s profile.
At the very least, allow users to add a list of trusted/approved applications to his or her profile. If the person wants to use an application that is not trusted, they should be able to run it in some sort of “profile sandbox,” so that any malicious activity would not affect their friends and family.
4. Tighten the “Recommended” Privacy Controls
Currently, Facebook’s recommended privacy settings easily allow for an attacker to become the friend of a friend of a target, and consequently to access data needed to reset a password for an email account, or to misuse other personal information. Why does Facebook allow “everyone” to access status, photos, posts, bio, favorite quotes and family and relationships by default?
In the security market we follow a simple rule that works: “Disable everything, then enable the things you really need.” If Facebooks wants to take steps to actually make its site safer, the default setting should make personal information visible only to friends. Allow the users to decide later whether they want to change their data exposure.
No comments:
Post a Comment