Facebook


Source: http://www.sophos.com/en-us/security-news-trends/best-practices/facebook.aspx (by Sophos Ltd)

Facebook Best Practices as advised by Sophos Ltd

Introduction

ID fraudsters target Facebook and other social networking sites to harvest information about you. Here's how we recommend you set your Facebook privacy options to protect against online identity theft.

How to adjust your settings

This guide walks you through recommended privacy settings in Facebook, and shows you how to set more secure levels of privacy and reduce the chance of becoming a victim of online identity theft.

General security tips for Facebook

Adjust Facebook privacy settings to help protect your identity

Unlike some other social networking sites, Facebook provides some powerful options to protect you online — but it's up to you to use them!

Read the Facebook Guide to Privacy

At the very bottom of every page on Facebook, there's a "Privacy" link. The linked page is "A guide to privacy on Facebook," which contains the latest privacy functions and policies.

When in doubt, use the "Preview my profile" button on any privacy settings page to check how your information appears to others.

Think carefully about who you allow to become your friend

Once you have accepted someone as your friend they will be able to access any information about you (including photographs) that you have marked as viewable by your friends. You can remove friends at any time should you change your mind about someone.

Show "acquaintances" a slimmed-down version of your profile

You can choose to make people 'acquaintances' who only have access to a slimmed-down version of your profile if you wish. This can be useful if you have associates who you do not wish to give close friend status to, or feel uncomfortable sharing personal information with.

Disable options, then open them one by one

Think about how you want to use Facebook. If it's only to keep in touch with people and be able to contact them then maybe it's better to turn off the bells and whistles. It makes a lot of sense to disable an option until you have decided you do want and need it, rather than start with everything accessible.

Facebook gives users powerful controls to protect themselves online, but it's up to individuals to check and ensure that appropriate settings are in place.

Account settings holds mostly administrative items with little impact on your privacy, but there are a few areas — highlighted below — that warrant caution.

My account: Settings

Name: Full alternate name (shown when you click "edit" next to name)
  Sophos recommends: Be careful
  Why? People often use this information to be found by their maiden name or nickname, making them easier to find. Keep in mind that some sites use your maiden name (if applicable) as a security question for account access, so weigh this possibility before disclosing it.

Username
  Sophos recommends: Be careful
  Why? Don't use a nickname that will link you to other accounts you might wish to keep private, and avoid a nickname that might give away sensitive information (for example, your birth year). Be sure it is different from your bank login username, for example.

Linked accounts
  Sophos recommends: Be careful
  Why? Use with caution to avoid overexposure.

My account: Facebook Ads

Allow ads on platform pages to show my information to:
Show my social actions in Facebook Ads to:
  Sophos recommends: Be careful (for both options)
  Why? In the wrong hands, information about ads you liked can be handy for socially engineered attacks. The more entities that have access to your information, the greater your risk. It's best to limit this information whenever possible.

 

Facebook allows you to add extra third party applications to your profile. These have a wide array of uses including giving you a weather forecast, allowing you to doodle graffiti on another person's wall, or telling people who your top friends are.

Users should exercise care over which applications they add to their profile as information can be shared with the application's author. Facebook has published terms of service to inform developers of what is and is not acceptable behavior, but there is always the danger that people will abuse the ability.

There are 7 ways to display applications that have access to your profile in the main drop-down menu—it is worth going through these options and clicking "edit settings" for each application to see their permissions.

Application settings

Events, Gifts, Groups, Links, Notes, Photos, Video—and all other applications
  Sophos recommends: Privacy: "Only Friends"
  Why? As a minimum, we recommend that the information posted by these applications is only shared with friends. Always consider that material you post on the internet may end up in someone else's hands: if the material is likely to compromise your security or embarrass you later, think twice about posting it online!

 

Facebook provides users with powerful controls to protect themselves online, but it's up to you to check that appropriate settings are in place. Facebook makes a point in its guide to privacy that they "do not give — and have never given — anyone's data or personally identifiable information to advertisers."

Facebook does, however, allow third-party applications to access information that you make public. And any information you share with friends can be shared to applications as well—if you allow it. As noted below, we recommend that you do not.

Privacy settings: Applications, games and websites

What you're using
  Sophos recommends: Remove any applications you're no longer using or are unfamiliar with
  Why? Facebook gives you an easy way to remove applications from your profile, and remember that applications range from games to quizzes to website giveaways. You'd be surprised how quickly the list of applications you're using can grow! Remove any that don't look familiar or that you're no longer using. Any application you use can access your information and provides a way for it to be leaked or stolen. Reduce this risk by reducing the number of applications you use.

Game and application activity
  Sophos recommends: "Friends Only" at a minimum; consider making a custom group
  Why? This option is more of an etiquette issue than anything else. If you have a group of friends that you play games with, consider creating a custom group just for them so only they can see your game-related posts and requests.

Info accessible through your friends
  Sophos recommends: Uncheck everything
  Why? Checking any option on this list allows an application that a friend uses — one that you might not even use — to access that information about you. In general, the less you have under your control, the more vulnerable your information.

Instant personalization
  Sophos recommends: Make sure it is unchecked
  Why? This is an opt-in option to have Facebook partner websites (like Yelp, Pandora and Microsoft Docs) pull your Facebook information and enable greater customization and sharing options. Though these sites are 'trusted partners' of Facebook, they add a layer of risk to your information. Double-check this page and ensure instant personalization is not checked.

Public search
  Sophos recommends: Make sure it is unchecked
  Why? We recommend you disable this option. If it is enabled, search engines can index your information in addition to letting people find you on Facebook using an external search engine. There's no benefit to this, as you will only be linking up with people who are on Facebook. And remember, once your profile has been indexed by a search engine, you lose control over that information and how long it can be seen.

 

Only confirmed friends can contact you through Facebook chat; however, we do recommend staying offline from chat unless there is a legitimate reason why someone would need to know you are online.

Be advised that there are several examples of scams which run through Facebook chat — a seemingly innocuous message from a friend in trouble could come from a hacker who has compromised your friend's account in hopes of exploiting it for large sums of cash.

Facebook presents a number of pre-set options for privacy settings: Everyone, Friends of Friends, Friends Only, Recommended and Custom. We do not recommend using Facebook's Recommended setting, which presents a large amount of sensitive information as public. Instead, choose the Custom option and click the "Customize settings" option in the menu.

Once in the Customize Settings menu, in many cases the option to not show information to anyone — to select "Only Me," in other words — is not plainly visible. To make something visible to "Only Me," you have to select "Customize" from the drop-down menu and then choose "Only Me" from the pop-up window that appears.

Privacy settings: Sharing on Facebook — customize settings

Things I share

Posts by me (default setting)
  Sophos recommends: "Only Friends"
  Why? Personal information can be published on your wall by yourself and others, therefore it is unwise for it to be viewable by the wider Facebook community. For this reason, you should not allow networks to view your wall. Posts you make to your wall can now vary in security on a post-by-post basis (see the "Status updates and posted items" section), but we recommend you set the default option to "Only Friends."

Family
Relationships
Interested in and looking for
Bio and favorite quotations
  Sophos recommends: "Friends Only" (for all four options)
  Why? With information you choose to disclose on Facebook, even if you lock down your profile entirely to Friends Only, you have to remember that there's always a chance that one of your friends may have their account compromised. Information about your family, relationships and interests is a rich target for someone socially engineering an attack against you.

Website
  Sophos recommends: "Only Friends" (at most)
  Why? Publishing your personal website address is less of a privacy risk than revealing other contact information, provided other private information is not listed on the personal website itself.

Religious and political views
  Sophos recommends: "Only Friends"
  Why? This information may be sensitive, depending on what you posted. Unless you want a potential employer knowing this information, be careful what you post and who you allow to see it.

Birthday
  Sophos recommends: "Only Me"—though it's best not to enter this information at all
  Why? As this is key information in identifying you, not only should you not show your birthday, you should not enter your birth date into Facebook at all. Should your account be compromised—or worse, should there be a Facebook data breach—you do not want this information falling into the wrong hands.

Edit album privacy for existing photos
  Sophos recommends: "Friends only" for all albums
  Why? Your privacy settings for "Photos and videos I'm tagged in" and your photo albums are not linked, meaning you need to set your album privacy separately from your general photo settings. Just as with your photo and video tags, don't share your albums with anyone outside of your friends.

Things others share

Photos and Videos of Me
Can comment on posts (includes status updates, friends' Wall posts, and photos)
Friends can post on my Wall
Can see Wall posts by friends
  Sophos recommends: "Only Friends" (at most)
  Why? Photos, videos, posts and comments should only be shared with friends, not with wider networks on Facebook. If pictures or posts may be posted that you think may be embarrassing to you in the future, then set this option so that only you can view them, and ask yourself what can be done to prevent such material being uploaded onto the Internet in future. If you are not comfortable with material appearing on your resume or job application, don't post it online.
  If a friend's account is compromised and you have wall postings enabled for friends, this leaves you open to a potential phishing attack. Most people enjoy the interactivity that friend wall posts provide, but always be wary of any links friends may post to your wall (especially if the message doesn't sound like something they'd normally write).

 

Keep in mind that with the changes rolled out by Facebook in December 2009, certain information about you is now "Publicly Available Information" (PAI), meaning this information is public to any visitor to your profile.

Facebook makes everyone disclose:

  • Full name
  • Profile picture
  • Gender
  • Networks

You can reduce the visibility of this information by opting out of Facebook Search results; however, there is no way to completely opt out of disclosing this information.

Users particularly worried about their security might choose to sanitize the information they disclose — changing the networks you join, for example.

Privacy Settings: Basic Directory Information

Search for me on Facebook
  Sophos recommends: Be careful
  Why? The extremely paranoid may choose to set this option to "Friends only," though this setting makes search effectively useless. "Friends of Friends" or "Friends and Networks" are slightly more useful — though still locked-down — options.

Send me friend requests
  Sophos recommends: "Friends of Friends"
  Why? As soon as you accept a friend request, your new friend has access to a wealth of information about you that they could potentially exploit. Make sure the people you add as friends are trustworthy and that you can verify their identity.

Send me a message
  Sophos recommends: "Only Friends"
  Why? Accepting a message from someone you do not know or trust leaves you vulnerable to socially engineered scams as well as basic phishing. Don't leave yourself open to this kind of attack: disable messages from people you don't already know.

See my friend list
  Sophos recommends: "Only Friends"
  Why? Knowing who your friends are could really help an identity thief, so we suggest making this friends-only at a minimum. Remember that it's not just your own security at stake — if a friend's account is compromised, a cybercriminal accessing their account can see your friend list. If this is a concern, set your friend list visibility to "Only Me."

See my education and work
  Sophos recommends: "Only Friends" (at most)
  Why? It may seem innocuous to call out your alma mater or where you grew up, but disclosing education and work information can be very valuable to someone trying to socially engineer a manipulative attack against you.

See my current city and hometown
  Sophos recommends: "Only Me"—though it's best not to enter this information at all

See my interests and other Pages
  Sophos recommends: "Only Friends" (at most)
  Why? These are pages that you "like" or fill-in content areas where most people add personality to their profiles; however, they are rife with opportunity to disclose valuable personal information that can assist identity thieves. Additionally, many of these pages can be of a religious, political or personal nature that you might not want to disclose universally. If you are not comfortable with a potential future employer knowing this information, keep it locked down to a friend level or even set to "Only Me." Be careful about what you reveal here.

 

What are rogue applications?

Rogue applications are rife on Facebook. They use social engineering tricks to fool you into giving them permission to access your Facebook profile and the ability to post a link to a rogue application to your page.

Online scammers use rogue Facebook applications to drive traffic to revenue-generating survey scams.

How do survey scams work?

A typical scam works like this:

You see a Facebook message from a friend that promises to show you, say, a shocking picture or video of a Hollywood star.

If you click on the link, you will be taken to the application's Permissions page. This is where Facebook asks you whether you want to allow this application to access your profile.

If you click "Allow", you will briefly be flashed a video, but overlaid will be a survey that you need to complete before you are allowed to see the video.

At the same time, the rogue application will post the message on your Facebook page to share itself with all your Facebook friends and family. Your friends are then encouraged to click on the link and share it with their friends, and so on. This dramatically increases the number of people who ultimately take the online survey.

Surveys like this not only scoop up your personal information, but also earn commission for the scammers. In the worst cases, the survey asks you for your phone number and signs you up for expensive premium rate services. It's time Facebook users got wise to this trick and refused to play ball.

What if I've been infected?

If you've been hit by a scam like this, you should remove references to it from your News Feed, revoke the right of rogue applications to access your profile through "Account/Privacy Settings/Applications and Websites" and edit your profile to remove any unauthorized pages from your Likes and Interests.

If that sounds complicated, why not watch our video on how to clean up after a rogue application has tricked its way onto your Facebook profile.

With the changes to Facebook's privacy policy — specifically the advent of "Publicly Available Information" (PAI), which includes your name, location and gender — one way to mitigate the risk of PAI misuse is to remove yourself from search entirely.

Privacy Settings: Search

Facebook Search Results
  Sophos recommends: Be careful
  Why? Facebook's "Publicly Available Information" (PAI) setting means anyone who finds you in a search can see this information. While certainly one of the points of social media is to network with people you have lost touch with, opening your profile to be seen by absolutely anyone puts your PAI at risk of exploitation.

Public Search Results
  Sophos recommends: Uncheck "allow"
  Why? Sophos recommends that you disable this option. If it is enabled, it allows search engines to index your PAI in addition to letting people find you on Facebook using an external search engine. There is no benefit to this, as you will only be linking up with people who are on Facebook. And remember, once your profile has been indexed by a search engine, you lose control over that information and over how long it can be seen.

 

Facebook now allows you to vary the privacy of what you post to your profile, item-by-item. This added flexibility means you can even restrict visibility of what you post to specific sub-groups of friends.

The default security option for anything you post to your wall — status updates, wall photos, videos, or shared links for example — is set in your Profile Information privacy page under "Posts by me." If you choose to change the setting of a posted item, all you need to do is click the lock icon and select the new security option you'd like to use.

Note that Facebook will notify you that your selection is different from your default option — but only the first time. After that point, be careful that the items you post to your profile are only visible to the right people!