The state of Facebook security

Filed Under: Facebook, Malware, Phishing, Rogue applications, Social networks, Spam

The Register
There's an in-depth piece published today by John Leyden, The Register's security correspondent, describing the different opinions of Facebook and Sophos when it comes to security on the world's most popular social network.

In a nutshell, Facebook disputes the findings of our recent Security Threat Report, which found that an increasing proportion of Facebook users say they have encountered spam, malware and phishing attacks on the social network.

One thing is certain, and is unlikely to be news that's welcomed at Facebook HQ. There is a growing perception out there that Facebook isn't the safest of places to be.

Take, for instance, the 'Social Security' poll results we released earlier this week, asking the opinion of over 1200 computer users. We asked them which social network they felt posed the biggest security risk, and Facebook won by a country mile with 82%.

Facebook considered the biggest security risk

That's a significant rise from the 60% who felt Facebook was the riskiest when we first asked the question a year ago.

Whichever side you take on whether cybercriminals are exploiting the network more than ever before, The Register's article is recommended reading.

In particular, pay attention to the second part of The Register's article, where I am reported describing some of the steps that Facebook could take to make it much harder for rogue applications to cause problems for their users.

I also believe that Facebook should be more proactive about warning its users about outbreaks - rather like we do on the Sophos Facebook page.


Sophos Facebook page

Facebook's official security page has over 3.6 million fans - just imagine how well they could help stamp out a fast-spreading scam or new malware attack if they were told what to look out for.

Rogue apps are a real problem on the site: they spread virally, and they earn the bad guys money.

I know that the guys at Facebook Security are well-intentioned and understand the issues, but because the company's bosses have chosen to allow anyone to write apps for the Facebook platform there is a huge amount of abuse. Facebook Security is effectively playing whack-a-mole, hammering the latest rogue app whenever they happen to spot it, and hoping that not too many accounts were compromised in the meantime.

Unfortunately, quite often Facebook Security don't seem to spot the scams until they have spread far and wide.

As The Register reports:

Facebook may talk a good game but a quick search (viewable only if logged into Facebook and safe providing you don't click on the links) shows hundreds of victims have installed a rogue app that falsely promises the ability to "see who has viewed your profile".

Rogue application posts

Please be careful not to click on those search result links, as they are pointing to rogue apps like the ones we have described in many of our articles before... and they've been spreading quite happily all week long.
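The posts in those search results follow a small number of templates: the "see who has viewed your profile" lure quoted above, and the "My profile views are : N ... Check yours at [LINK]" text that one commenter below pasted in. As an added example (not code from the original post or from Sophos or Facebook), here is the kind of lightweight scoring a moderation pipeline could run over wall posts to catch that family early. The sample posts are constructed for the example, the rule weights and threshold are assumptions, and the links use the reserved `example.invalid` domain so nothing here points at a live app.

```python
import re

# Constructed sample wall posts (not real data). They follow the lure text
# quoted on this page ("see who has viewed your profile") and the
# "My profile views are : N" template pasted in the comments.
SAMPLE_POSTS = [
    "My profile views are : 82649\nGirls Views : 32981\nBoys Views : 49668\n"
    "Check yours at http://example.invalid/views",
    "OMG see who has viewed your profile!! http://example.invalid/app",
    "Lunch with the team today, photos later.",
    "Check out my profile pic from the weekend: http://example.invalid/photo",
    "WOW I can finally see who viewed my profile! Try it -> http://example.invalid/viewer",
    "New profile-views counter in the mobile app, nice.",  # mentions views: no link, no lure
]

# Each rule is (name, compiled regex, weight). The weights are assumptions for
# this example; a real deployment would tune them against labelled posts.
RULES = [
    # The core lure: "see who (has) viewed your/my profile"
    ("viewer_lure", re.compile(
        r"\bsee\s+who(?:'?s|\s+has)?\s+viewed\s+(?:your|my)\s+profile\b", re.I), 3),
    # Fake statistics: "profile views are : 82649", "Girls Views : 32981"
    ("view_counter", re.compile(
        r"\b(?:profile\s+views|girls\s+views|boys\s+views)\s*(?:are\s*)?:\s*\d+", re.I), 2),
    # Call to action that precedes the link in the pasted template
    ("check_yours", re.compile(r"\bcheck\s+yours\s+at\b", re.I), 1),
    # The rogue app needs a click-through, so an outbound link is part of the pattern
    ("has_link", re.compile(r"https?://\S+", re.I), 1),
    # Excitement markers common to the lures (case-sensitive on purpose)
    ("shouting", re.compile(r"\b(?:OMG|WOW)\b|!{2,}"), 1),
]

THRESHOLD = 4  # assumed cut-off: a bare link or a bare "views" mention is not enough


def score_post(text):
    """Return (score, [names of rules that fired]) for one post."""
    score, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def flag_scam_posts(posts, threshold=THRESHOLD):
    """Return the indices of posts whose score reaches the threshold."""
    return [i for i, post in enumerate(posts) if score_post(post)[0] >= threshold]


if __name__ == "__main__":
    for i, post in enumerate(SAMPLE_POSTS):
        score, hits = score_post(post)
        verdict = "SCAM?" if score >= THRESHOLD else "ok"
        print(f"[{verdict:5}] score={score} hits={hits} :: {post.splitlines()[0][:60]}")
```

Run against the constructed posts, the first, second and fifth are flagged; the post that merely links to a profile picture scores one point for the link and passes, as does the one that mentions a views counter with no link. The point is not the regexes themselves, which any scam author can rephrase, but that a scoring layer like this is cheap to run on every post at submission time, which is where it stops the viral spread rather than after a search turns up hundreds of victims.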

My hope is that Facebook will treat both security and privacy as a higher priority in 2011, and do more to prevent incidents happening in the first place rather than trying to clean up the mess afterwards.

If they don't, then an ever-growing proportion of internet users is going to have to learn to take a much greater level of care with their personal information and social networking accounts in the future.

And as more and more companies allow their users to access the sites from the workplace (which is the correct approach in my opinion) the repercussions could also be felt in the business world.

Check out The Register's article now.


13 Responses to The state of Facebook security

  1. Bill Nelson · 1317 days ago

    Monday afternoon, 01/17/2010, I started getting inquiries from some of my friends about an e-mail from me that I soon realised I had never sent. Puzzled, I checked my "Sent" folder: Nothing! Pretty soon, two "Failure Notice" messages from something called "MAILER-DAEMON" appeared in my Spam folder. It had stolen my Yahoo Contacts list (My Address Book) and sent no message, just a link to a Canadian Pharmaceuticals Company (Viagra and Cialis), to a random list of entities on my Contacts List. Bother!
    I have spent the last few days and nights telling my friends and corporate correspondents that IT WASN'T ME! If anyone in Internet Security is interested, I have saved all related correspondence, and I devoutly wish that somebody who knows what to do will do something about Mailer-Daemon and get it banished, and, if possible, punished.
    Yours Very Truly, Bill Nelson

  2. my FB neighbor keeps posting this: (what does it mean)???
    My profile views are : 82649
    Girls Views : 32981
    Boys Views : 49668
    Check yours at [LINK]

  3. Randy Knobloch · 1316 days ago

    Your plug-in-like APIs prevent this site from loading as fast as it could.
    Social API plug-ins are the bane of the Internet, since no one can defend against them.

    They datamine any Browser available.

    Other than that, the article by the Reg was a good one.

  4. Mrs. W · 1316 days ago

    But Graham, Facebook _does_ have a whitelist of ad providers. Too bad their whitelisting appears to be just about meaningless:
    http://www.insidefacebook.com/2011/01/21/facebook...

    “These providers are not approved by nor affiliated with Facebook and, therefore, it is your responsibility as the developer to ensure compliance with Facebook’s Advertising Guidelines even though the companies on this list have agreed to the policies as well.”

    Delegation of security responsibility to everyone else is not the same as being secure.

  5. FB has given my computer a virus 3 times in the last 6 months.... cube crusher has been the source once or twice

  6. I am sad to say that I have seen many accounts taken over recently by those who either aren't listening to the warnings or refuse to believe that the risk is great until it is too late. I myself was a victim and, even though I write a Mafia Wars blog, have found it necessary to add a whole different section to it addressing the security of the accounts of my readers and others. Obviously Facebook is not doing the job; just stop by the help section and look at the pleas of members needing their help with security issues and never getting a response. That is sad.

  7. John Dee · 1315 days ago

    Well, all 'good' things must come to an end. So long Facebook. Too bad you got so big you forgot how to be intimate with your users.
    Reading all this stuff about how you don't seem to be willing to take care of these issues reinforces the awful truth; Too Big To Fail.

  8. teejuu · 1314 days ago

    "And as more and more companies allow their users to access the sites from the workplace (which is the correct approach in my opinion) the repercussions could also be felt in the business world."

    I'd be interested in knowing why you feel this is the correct approach, as we are in the process of banning FB in the workplace. Mainly because of productivity, and while I agree that there should be a process in place for handling this, our organisation does little about processes, believing that technology is the solution for rectifying bad behaviour.

    • A few things colour my view on this.

      One is that social networks are here to stay - whether you like them or not - and they will become an ever more important method for companies to communicate with their customers. Yes, there are security concerns - but you can also argue that there are security concerns with email and web. If email and the web were invented today then there would no doubt be many sysadmins who would argue for them to be banned in the enterprise because of security and productivity concerns - but we all recognise the positive things they can bring too.

      If you're not engaged on social networks then you'll be at a competitive disadvantage to your rivals who are on them. As more and more young people use social networks as their primary method of communication (for many, email is becoming largely irrelevant) it's going to be important that your staff are able to take advantage of it too.

      If you do a blanket ban on social networks - can you be confident that that's going to fix the problem? Your users will be just as able to access them via their smartphones and other devices, waltzing past any corporate security you may have in place on your regular network.

      A few years ago we saw many companies blocking access to social networks, but that number is reducing all the time. More and more we see firms trying to *control* and *secure* social network usage - making it safer for them to be used in the workplace.

      Of course, there may be productivity issues with some users utterly addicted to sites like Facebook - but that's really no different to people being addicted to sports websites or playing scrabble online.

      Of course, each company to their own and we recognise that there are some departments in some firms where it may be less acceptable to access social networks than others.. but don't doubt that they are here to stay, and are going to become more and more important for both consumers and businesses alike.

      Hope that helps explain my thinking.

    • Mrs. W · 1314 days ago

      Some have found that Twitter and Facebook are good for productivity.
      http://www.itproportal.com/2009/4/2/surfing-faceb...

      And I agree. I used to work as an editor, proofreader, and style guide enforcer, and it was brain-numbing. I took plenty of browse and Facebook breaks. It also helped morale -- most of the team was on Facebook, so we were more connected with each other as a result.

      You have to have a fundamental trust in people. If they're not productive, banning a particular service won't solve that. You either hired the wrong person (or hired them for the wrong position), or your environment is structured in such a way that they're no longer passionate about what they do or feel a duty to you and their colleagues to do it.

  9. Richard Wall · 1314 days ago

    In order for there really to be a security risk involved you have to give that site confidential information, or authorise dodgy dealings. One way or another it really comes to a behaviour and education issue. People are using the internet without having any idea of what to avoid or how to deal with the potential risks.

    If everyone was careful, sensible and educated then there wouldn't really be a problem.

    Mind you, in the same respect, if Facebook would actually get away from this stupid opt-out system and didn't allow apps to post anything or get anything without manual consent, perhaps the viral spread would be made far more difficult and that would act as more of a deterrent.
    Don't allow any app any information unless the user explicitly allows it, and control those apps more closely. Realistically, a "Social Network" doesn't need to work with apps the way Facebook does. Integrating 3rd parties into people's personal information is dangerous, and this has proved that. They should be segregating that personal information away from 3rd parties as much as possible. If someone then chooses to purchase something from that vendor, they give their details at their own risk, as with any other financial transaction.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.