Facebook actually does have some exceptionally talented security professionals. They have almost no depth in privacy, but they have real security talent. A part of the problem is that the Facebook culture is anti-security and that is a very tough obstacle for their security professionals.
Facebook security is by marketing design. Take a look at www.facebook.com. Do you see the word security anywhere? No, it isn’t there. At the bottom of the page there is the word “Privacy”, but that’s marketing. You really have to dig to find security information at Facebook, or else know where to find it.
So, since no decision maker at Facebook has had the common sense to put links to its security information anywhere a normal person could and would actually find them, I'll share the few places I do know to find it.
You can go to www.facebook.com/security and get some information there. This should be a prominent link on their landing page, but it is not there. Another thing you can do is read the Facebook blog at blog.facebook.com. Not all of the blog posts are about security, but some are. A recent post tells of a change that will make Facebook safer to use on unsecured Wi-Fi connections. The truth is, I have not yet been able to find the setting, and the feature is improperly implemented, if it exists at all. There should be a very visible option at the time you log in to use https for the whole session, and it should be an opt-out feature. That is to say, you should have to choose not to use https; otherwise you get a secure connection. The blog post about this new feature, which is undoubtedly a reaction to Firesheep, is at http://blog.facebook.com/blog.php?post=486790652130.
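What "https for the whole session" has to mean in practice is that no request, and in particular no session cookie, ever travels over plain HTTP where a Firesheep-style sniffer on the same Wi-Fi can read it. The following is an added example, not code from this post, from ESET or from Facebook: a small offline audit of HTTP response headers that flags the three things a whole-session HTTPS setup must get right (redirect plain-HTTP requests to https, send Strict-Transport-Security, and mark session cookies Secure and HttpOnly). The sample responses are constructed for the example; the hostname example.test is a placeholder.

```python
"""Audit captured HTTP responses for whole-session HTTPS hygiene.

A response is described as (scheme, status, headers) where scheme is the
scheme the request was made with and headers is a list of (name, value)
pairs, repeated names allowed (Set-Cookie is typically repeated).
"""

REDIRECT_STATUSES = (301, 302, 307, 308)


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (cookie_name, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attributes such as Secure, HttpOnly
    return name, attrs


def audit_response(scheme: str, status: int, headers):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    lowered = [(k.lower(), v) for k, v in headers]

    if scheme == "http":
        # Plain-HTTP requests must bounce to https, never be served with content.
        location = next((v for k, v in lowered if k == "location"), "")
        if not (status in REDIRECT_STATUSES and location.lower().startswith("https://")):
            findings.append("plain-HTTP request served instead of redirected to https")
    else:
        # Without HSTS a browser will still follow the next http:// link it sees.
        if not any(k == "strict-transport-security" for k, _ in lowered):
            findings.append("no Strict-Transport-Security header")

    for k, v in lowered:
        if k != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: browser will send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
])
REDIRECT_RESPONSE = ("http", 301, [
    ("Location", "https://example.test/"),
])
HARDENED_RESPONSE = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("redirect", REDIRECT_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(*resp) or "ok")
```

The weak response is exactly the situation the post describes: a logged-in page served over plain HTTP with a session cookie that is not marked Secure, so the cookie is visible to anyone sniffing the wireless network. The hardened response shows the combination that actually delivers a whole-session secure connection.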
Another blog post from last year told of the ability to use one-time passwords. This is something you should do if you are going to log on to Facebook from a public computer, live in the US, and have a mobile phone. That blog post is at http://blog.facebook.com/blog.php?post=436800707130. The idea is that if the computer has a keystroke logger on it, at least your primary password will not be compromised.
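The reason a one-time password defeats a keystroke logger is that a captured code is worthless once it has been used. The post does not describe how Facebook generates its codes (they arrive by text message), so the following is an added example, not Facebook's or ESET's code, using the standard counter-based HOTP algorithm from RFC 4226 to show the general mechanism: the server and the phone share a secret, each code is derived from a counter, and the verifier refuses to accept the same code twice. The shared secret below is the RFC 4226 test-vector key, used here so the codes can be checked against the published values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side verifier. Accepts a code only once; the counter never moves backwards,
    so a code captured by a keylogger cannot be replayed after the real user has used it."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0        # next counter value the server expects
        self.window = window    # how many unused codes ahead we tolerate (phone got ahead)

    def verify(self, submitted: str) -> bool:
        for offset in range(self.window):
            candidate = self.counter + offset
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                # Consume this code and every earlier one.
                self.counter = candidate + 1
                return True
        return False


# RFC 4226 test-vector secret (20 ASCII digits); a real deployment uses a random key.
SHARED_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    phone_counter = 0
    server = OtpVerifier(SHARED_SECRET)
    code = hotp(SHARED_SECRET, phone_counter)      # "755224"
    print("first use:", server.verify(code))        # True
    print("replay by keylogger:", server.verify(code))  # False
```

In the usage at the bottom the legitimate login succeeds, and a second submission of the very same code (what a keystroke logger would have recorded) is rejected, which is the property the post relies on. Note that the primary password is never typed on the untrusted machine at all in this scheme.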
I’m not sure if Facebook tries very hard to conceal their security information from the masses or simply makes no attempt at all to show it. It really isn’t fair to the security professionals there, but it is important for you to know where to find the information and read it.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC