Facebook: No ‘Likes’ for Security and Privacy?

Matt Williams discusses recent changes to Facebook:

Facebook announced on Tuesday that only 660,000 of its 1 billion users responded to proposals by the site to allow changes to be made to the governing of the social networking giant. The primary modifications included: increasing the sharing of data between its services, relaxing the rules on who can message users, and removing the voting system. These apply to every version of Facebook, including the mobile application.

On the face of it, a turnout of 0.06% is a very small figure. And considering that most of the proposals concern security and privacy, it raises the immediate question: do Facebook users really care about their account security?

As a young person who has been studying for a security-related degree, security and privacy on social networking sites is something I think about regularly. Who is able to contact me? What details am I giving out? And are my embarrassing photos only visible to a limited number of people, or are they being made public?

So why didn’t I answer? I’ve had a Facebook account for a while now. But my allegiances to social networking sites have now switched. Twitter, the growing threat to Facebook, now occupies most of my networking time, so it seems I’ve deemed Facebook to be second in importance in this department. And with a reduction in its value to me, Facebook’s changes to my account fall to the bottom of my ‘to-do list’.

Speaking to my friends about it, they said much the same. For many of them, Twitter is their new top social networking site, so they are now more interested in the security of that than of Facebook. Other reasons given were that it was too time-consuming, and that they would have responded if more time had been allowed. Some simply didn’t care.

But although the impression given by the response to the poll is that the changes are not important to users, approximately 90% of the respondents were against the planned changes. So does this actually mean the opposite? If people do care about security, why are they so against the changes? A 0.06% response rate might appear small at first, but considering Facebook’s global popularity, it is in fact a sizeable number of people. After all, online petitions to the UK government are gated at only 100,000 respondents.

In my opinion, people are fed up with data sharing to third parties becoming such a prominent feature of Facebook. Details put on the site by users are in the majority of cases for their friends and only for their friends, not for Facebook and the extended services offered, such as advertising. It could also be that there’s a growing element of mistrust between the users and the online giant. Some feel that they cannot trust the social network and may think the changes are one too many. Users are so worn down that they feel their voices won’t be heard anyway, so just resign themselves in apathy, in the hope that they’ll be able to one day export their photos and friends and finally get out.

Daily Mail violates privacy of dead babies

A couple of weeks ago I spoke at the London event of the International Association of Privacy Professionals (IAPP). During my panel, I outlined a few scenarios where there were problems with privacy. The first one was about a person who was very open and didn’t have many privacy requirements. This person was murdered and the media descended on their open data, putting their photos in the paper to the extreme distress of the family.

A very real example of this happened last week. In a very sad case, a father discovered his two babies dead at home. The Daily Mail subsequently took pictures from Facebook of the father, the mother and both babies and printed them in this article. How is this acceptable? Even if their Facebook settings were such that the pictures were not private, I fail to see how it is in the public interest to post the pictures of the babies. This can only have compounded the sorrow for a devastated family.

Faceniff – sniffing Facebook accounts with Android Phones

I’ve been meaning to have a look at ‘Faceniff’ for a while. I came across a good video today which demonstrates it (and has some nice music). It is basically Firesheep for Android: it sniffs the session cookies of people using Facebook over plain HTTP on the same WiFi network. I’ll let the video do the talking, but my advice to people is to go to Facebook, select “Account” (at the top right of the page), choose “Account Settings” and then go over to the left and choose “Security”. Go over to “Secure browsing” and choose the option for “Browse Facebook on a secure connection (https) whenever possible”. This blocks the Faceniff attack. Google changed this to be a default setting a long time ago with Gmail. There are plenty of other threats out there when connecting to WiFi access points, so try to be safe.
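The user-side setting above has a server-side counterpart: a session cookie that carries the Secure attribute is never attached to a plaintext http:// request, so there is nothing for a sniffer on the WiFi to capture, and an HSTS header stops the browser ever making that plaintext request. The audit below is an added example (not code from the original post or from Facebook) that checks a server's response headers for exactly that property; the cookie names and header values are constructed for illustration.

```python
# Added example: audit Set-Cookie and HSTS headers for the property that
# defeats Firesheep/Faceniff-style session sniffing, namely that the session
# cookie can never travel over plaintext HTTP. Cookie names are hypothetical.
from http.cookies import SimpleCookie

SESSION_COOKIE_NAMES = {"sessionid", "auth_token"}  # constructed, not a real site's names

# Constructed responses: one as a site might send before "secure browsing",
# one with the hardening in place.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
]


def audit_session_cookies(response_headers, session_names=SESSION_COOKIE_NAMES):
    """Return one finding per session cookie found in a list of
    (header-name, header-value) pairs as a server would emit them."""
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in response_headers)
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if cookie_name.lower() not in session_names:
                continue
            secure = bool(morsel["secure"])      # "" when the flag is absent
            httponly = bool(morsel["httponly"])
            findings.append({
                "cookie": cookie_name,
                "secure": secure,
                "httponly": httponly,
                "hsts": has_hsts,
                # A browser attaches a non-Secure cookie to any http:// request,
                # which is what a passive sniffer on open WiFi is waiting for.
                "sniffable_over_http": not secure,
            })
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for finding in audit_session_cookies(headers):
            print(label, finding)
```

The Secure flag is what makes "browse on https whenever possible" robust: without it, a single image or link fetched over http:// is enough to leak the cookie even if the login itself happened over TLS.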

The problem with facebook one-time passwords

I popped onto facebook this morning to see a former colleague @basexperience post the following:

#Facebook facerapers! Grab your friends’ phone and text “otp” to 32665 to get a password for their Facebook account for 20 mins!

Clearly, I was interested. I hadn’t really given much thought to the announcement made by facebook, but I assumed, given the recent pressure on Facebook, that they would have thought about it a bit more.

There are obvious issues to do with the fact that most people will already be logged into facebook because their password has been ‘remembered’ (in both mobile and desktop browsers), and let’s not forget that if you’ve got a facebook app on your phone you’re probably logged in too. Let’s put those to one side for a second.

So what facebook have basically done is create a mechanism for anyone to get into a facebook account by (in authentication terms) “having something you have”. That’s all. One-factor authentication. If they added, say, a PIN – “something you know” – to the SMS you send to the short code to get the one-time password, that would at least prevent random people getting into your account if you leave your phone on your desk. I won’t go into some of the other issues about exactly how they’re identifying you – by your MSISDN (phone number)?…
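To make the one-factor point concrete, here is an added example (not Facebook’s code) that models the SMS-to-short-code flow twice: once as described in the post, where the short code issues a 20 minute password to whoever texts “otp” from the linked number, and once with the PIN the post suggests, so that possession of the handset alone is not enough. The account, phone number and PIN are constructed; the OTP is single use and expires after the 20 minute window.

```python
# Added example (not Facebook's code): a toy SMS one-time-password issuer in its
# "something you have" only form beside a form that also demands a PIN
# ("something you know"). All names, numbers and PINs are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 20 * 60  # the 20 minute validity window described in the post
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    user_id: str
    msisdn: str      # the phone number linked to the account
    pin_salt: bytes
    pin_hash: bytes  # PBKDF2 of the PIN chosen at enrolment, never the PIN itself


def make_account(user_id: str, msisdn: str, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return Account(user_id, msisdn, salt, digest)


def pin_matches(account: Account, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), account.pin_salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, account.pin_hash)


class OtpService:
    """Receives the SMS sent to the short code and hands back a temporary password."""

    def __init__(self, accounts, require_pin: bool):
        self.by_msisdn = {a.msisdn: a for a in accounts}
        self.require_pin = require_pin
        self.issued = {}  # otp -> (user_id, expiry timestamp)

    def handle_sms(self, sender_msisdn: str, body: str, now: float):
        """Model of the inbound SMS handler: returns the OTP to text back, or None."""
        parts = body.strip().split()
        if not parts or parts[0].lower() != "otp":
            return None
        account = self.by_msisdn.get(sender_msisdn)
        if account is None:
            return None  # unknown number: nothing to issue
        if self.require_pin:
            # Second factor: the sender must also supply the enrolled PIN, so a
            # phone left on a desk does not by itself unlock the account.
            if len(parts) != 2 or not pin_matches(account, parts[1]):
                return None
        otp = secrets.token_hex(4)
        self.issued[otp] = (account.user_id, now + OTP_TTL_SECONDS)
        return otp

    def login(self, user_id: str, otp: str, now: float) -> bool:
        """Accept the OTP once, for the right account, within its 20 minute window."""
        entry = self.issued.pop(otp, None)  # single use
        if entry is None:
            return False
        owner, expiry = entry
        return owner == user_id and now <= expiry


def demo():
    """Run both variants against one constructed account and report the outcomes."""
    alice = make_account("alice", "+447700900123", "4821")  # constructed values
    t0 = 1_700_000_000.0
    weak = OtpService([alice], require_pin=False)
    strong = OtpService([alice], require_pin=True)
    results = {
        # whoever holds the handset gets a password with a bare "otp"
        "weak_bare_otp_issued": weak.handle_sms(alice.msisdn, "otp", t0) is not None,
        "strong_bare_otp_refused": strong.handle_sms(alice.msisdn, "otp", t0) is None,
        "strong_wrong_pin_refused": strong.handle_sms(alice.msisdn, "otp 0000", t0) is None,
        "unknown_number_refused": strong.handle_sms("+447700900999", "otp 4821", t0) is None,
    }
    otp = strong.handle_sms(alice.msisdn, "otp 4821", t0)
    results["strong_correct_pin_issued"] = otp is not None
    results["login_within_window"] = strong.login("alice", otp, t0 + 60)
    results["otp_single_use"] = not strong.login("alice", otp, t0 + 61)
    late = strong.handle_sms(alice.msisdn, "otp 4821", t0)
    results["login_after_window_rejected"] = not strong.login("alice", late, t0 + OTP_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The PIN is stored only as a salted PBKDF2 hash and compared with a constant-time check; the service still identifies the sender by MSISDN, which is the other question the post raises and which this example does not address.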

The more annoying thing for me about this is that it has happened before. In America. To a celebrity. To Paris Hilton no less (Register readers delight): http://www.theregister.co.uk/2005/02/21/paris_hacked/ . In that case, the password provided was a reminder to access the backed-up photos and numbers etc. on the Sidekick servers.

Coming back briefly to the ‘remembered’ passwords: to launch my attack today, this helped me, as when you first go in you have to enable mobile access for that device by linking the MSISDN to the facebook account.

Thanks to my mate @basexperience for the post.