Post from mashable authored by Eugene Kaspersky
Eugene Kaspersky is CEO of Kaspersky Lab, the company he co-founded in 1997, which is now the world’s largest, privately-held anti-malware company. You can follow him on Twitter @e_kaspersky and his blog at eugene.kaspersky.com.
For the past seven years we have seen how Facebook has dramatically changed the way people communicate while it has formed a new culture of online socializing.
For most people, Facebook has been about keeping in touch with friends and family in a totally new way. But for security researchers, such as myself, it has led to seven years of new challenges for the security industry. The main issue with social networking and security is that social networks are, well, social, and when the human mind gets involved, vulnerabilities can be exploited. I’m talking about human vulnerabilities, those against which it’s hard to defend.
Many Facebook users lack knowledge and experience about how to protect themselves in the social networking environment, which has made the situation worse. Facebook appeals to new Internet users who often lack the computer savvy to identify online threats, and the most vulnerable segment of the audience — kids — have little life experience required to make reasonable decisions.
Because of this, I believe Facebook needs to enhance the security and privacy features of its site so the problems don’t escalate out of control. With the help of my colleagues, here are seven key recommendations I believe will make Facebook a safer place:
1. Enforce Full HTTPS Browsing
This way, all users can make sure no one is snooping into their conversations, even if they’re browsing Facebook through an untrusted Internet connection. Additionally, it will render attack tools such as Firesheep completely useless.
I admire the fact that Facebook has enabled optional HTTPS browsing in its recent security features roll-out. However, I don’t think the option is clearly marked enough for most users to find and utilize it. Therefore, I feel that this feature should be made mandatory for everyone.
2. Implement Two-Factor Authentication
Banks are offering e-tokens to their customers to safely access their online banking accounts, but in a world where social networking sites are becoming more and more important to what we do online, users should also have the same technology available for protecting their Facebook accounts.
This option should be enforced and mandatory, otherwise it may easily be lost in the depth of account settings. Following Facebook’s initiative to send verification codes via SMS, I suggest the company develop a mobile application that will generate a one-time password in addition to the master password. This way, an attacker would have to compromise not one, but two devices to access a Facebook account. This is not an easy task even for an experienced hacker.
3. Make Clear Which Facebook Apps Are Trusted
Malicious Facebook apps are being analyzed and reported by researchers on a daily basis. Facebook needs to perform a thorough security check and approve all incoming applications to make sure no malicious app makes its way onto a user’s profile.
At the very least, allow users to add a list of trusted/approved applications to their profile. If a person wants to use an application that is not trusted, they should be able to run it in some sort of “profile sandbox,” so that any malicious activity would not affect their friends and family.
4. Tighten the “Recommended” Privacy Controls
Currently, Facebook’s recommended privacy settings easily allow for an attacker to become the friend of a friend of a target, and consequently to access data needed to reset a password for an email account, or to misuse other personal information. Why does Facebook allow “everyone” to access status, photos, posts, bio, favorite quotes and family and relationships by default?
In the security market we follow a simple rule that works: “Disable everything, then enable the things you really need.” If Facebook wants to take steps to actually make its site safer, the default setting should make personal information visible only to friends. Allow the users to decide later whether they want to change their data exposure.
5. Make Permanent Account Deletion Easier
Permanently deleting a Facebook account should … permanently delete the account. Respect the user’s will to entirely wipe out his presence on Facebook, without worrying that some materials have been left available on the Internet, and make permanent account deletion a simpler process that doesn’t require a special request to Facebook customer support.
6. Commit to Parental Controls
Allow parents to set up limited-access accounts for their children, as sub-accounts under their own Facebook presences. The limited sub-accounts could automatically be turned into full-access accounts once children reach the age of consent.
My colleagues and I support initiatives to protect users under 18, as expressed in California’s SB242, which extends the opportunities for parents to control their children’s social media accounts.
7. Better Educate Users
I value Facebook’s commitment to educate users about security and privacy in social networks, including the initiative to set up dedicated Pages to these topics (Facebook Safety, Facebook Security and Facebook Privacy). However, no matter what sort of protection surrounds Facebook users, those privacy features will remain useless should users lack the awareness.
For this reason, I recommend extending the practice by introducing more opportunities for user education. A good example would be to launch daily webinars that cover the most important aspects of Facebook security in the clearest and simplest way possible for the general public.
My colleagues and I also believe that closer interaction with security vendors will assist in building a stronger community to bolster critical Facebook initiatives and allow for more informed decisions. An advisory board consisting of the most authoritative experts in the security community, and regular summits to review past and future initiatives, could bring additional value to the development of a safer Facebook.
These are seven realistic, doable and actionable steps that can dramatically increase the safety and privacy of Facebook’s users. Of course, no technology can guarantee 100% security as long as the human factor is involved. Still, Facebook can and should do everything it can to protect its users and keep them safe.