INFO SECURITY: Facebook Privacy 101

My self-worth is based on how many FB farm friends I have

When you sign up for Facebook, they tend to want you to fill in as much information about yourself as possible.  They will then take that information and make it available basically to anyone who wants it.

There are 2 ways around letting Facebook just give your information away.

•    Don’t sign up for FB
•    Control your account

The first way is obviously the easiest and best, but then how would you be able to stay in touch with all of those high school plebes that used to pick on you and now want to be your friends?

After you set up your FB account, you’ll want to head on over to the account section.

Once there, you will have a number of options to choose from as far as privacy is concerned.  Someone did a chart of all of the privacy options and I am presenting it here for your review.  It was published by The New York Times and it’s a pretty decent representation of their privacy issues.  It also includes some eye opening statistics on their policy.

Facebook Privacy options (source: NYT)

I’m going to take you through each of these individually.

Main FB Account Page

Facebook Ads Tab

This one is easy.  Where it asks whether to allow ads on platform pages to show your information, select No One.

Even if you select the other option (friends), information will still pass through.  Nobody needs to know which ads are being targeted at you.  Choosing No One helps reduce the amount of information someone can collect about you: they won’t be able to tell your political affiliation, what games you’re playing, etc.

Settings Tab

Name – your choice what you put in here, but remember anyone can see it.

Username – again, your choice, but again anyone can see it.

E-Mail – This one is fairly straightforward.  I suggest, however, that you get a ‘disposable’ e-mail address to use for something like Facebook.

Password – This one should be a very strong password.  It should follow these simple rules:

•    15 Characters (if possible)
•    At least 3 upper case letters
•    At least 3 lower case letters
•    At least 3 numbers
•    At least 3 special characters (!@#$%^&*)
•    No recognizable names, places, or personally identifiable information.
•    An example of a good password would be:
o    F@ao4w8#Y5&vNP!
•    And remember: NEVER share your password with ANYONE.  Not your kids, your spouse, your co-workers, NO ONE.  Think of it as a mortal sin.
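As an added example (not code from the original article), here is a small Python checker that encodes the rules above so you can test a candidate password locally before using it.  The thresholds (15 characters, three of each class, no recognizable personal details) come from the list above; the leetspeak folding table, the function names and the sample list of personal terms are my own assumptions.

```python
# Added example, not from the original article. Encodes the article's rules:
# 15 characters, at least 3 upper, 3 lower, 3 digits, 3 specials, and no
# recognizable names, places or personal details.
# The leetspeak table and the sample personal terms are constructed assumptions.

SPECIALS = set("!@#$%^&*")

# Common substitutions people use to disguise a word ("P@ssw0rd").
# Folding them back makes the personal-term check harder to sidestep.
LEET_TABLE = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(pw):
    """Lower-case the password and undo common letter/symbol substitutions."""
    return pw.lower().translate(LEET_TABLE)


def check_password(pw, personal_terms=()):
    """Return a list of rule violations; an empty list means the password passes.

    personal_terms: names, places, dates or other details tied to the user
    (constructed for this example; in practice the user supplies their own).
    """
    problems = []
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    if sum(c.isupper() for c in pw) < 3:
        problems.append("fewer than 3 upper case letters")
    if sum(c.islower() for c in pw) < 3:
        problems.append("fewer than 3 lower case letters")
    if sum(c.isdigit() for c in pw) < 3:
        problems.append("fewer than 3 digits")
    if sum(c in SPECIALS for c in pw) < 3:
        problems.append("fewer than 3 special characters (!@#$%^&*)")

    raw = pw.lower()
    folded = normalize(pw)
    for term in personal_terms:
        term_l = term.lower()
        # Check the raw password (so a year like 1975 is caught) and the
        # folded one (so N0rm is caught). Ignore very short terms as noise.
        if len(term_l) >= 3 and (term_l in raw or term_l in folded):
            problems.append(f"contains recognizable term {term!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample terms standing in for a user's own details.
    terms = ["Norm", "Facebook", "1975"]
    for candidate in ["F@ao4w8#Y5&vNP!", "N0rmF@ceb00k!!!", "short"]:
        result = check_password(candidate, terms)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

The article's own example password passes every rule, while a disguised name such as N0rmF@ceb00k!!! is rejected on two counts: only two upper case letters, and it still spells out a name and a site once the digit-for-letter substitutions are folded back.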

Linked Accounts – These are other accounts you can use to log in, other than your primary account.  I advise against this, as it makes it easier to ‘break into’ your account.

Privacy – We’ll come back to this one

Account Security – I suggest you enable this one.

It tells you if your account is accessed from a device that you haven’t used before.  It’s not a bad idea, even if you use multiple public computers to log in.  You’ll be able to track when/where a login has taken place.

Deactivate Account – kind of self explanatory.

Networks Tab

Many people associate themselves with different networks within Facebook.  I find this an invasion of my privacy and refuse to ‘join a network’.
What networks do is allow people to track what you do, where you live, where you went to school, a LOT of social engineering stuff.

Using the networks from Facebook, I am able to glean a large amount of information on someone and use it to get into their ‘inner circle’ of online friends, and could really strip them of whatever information I see fit.

Personal opinion, stay away from associating yourself with networks.

Notifications Tab

This one here is more of an annoyance/notification issue than anything.  Basically, what do you want to be notified of that is happening on Facebook?  Do you want an e-mail every time someone comments on something, or posts something?  It can get overwhelming and fill up your inbox pretty quickly.

Mobile Tab

Again, this is more of an annoyance/notification issue.  Basically you set up your mobile phone so that FB can send it text messages.  Be careful with this one if you don’t have unlimited text messaging, as it can rack up SERIOUS cash.

Language Tab

Self Explanatory

Payments Tab

This one here is a DANGEROUS tab.  NEVER NEVER NEVER NEVER enter your credit card into Facebook for ANYTHING.  There is nothing on Facebook worth paying for.  NOTHING.

If you are dumb enough to enter your credit card, you can buy credits to play games (oooo, you can get that mansion on a hill in farm town), buy gifts for people (ooo, you can send someone that virtual dozen of roses) and other miscellaneous FB BS. Please make sure you keep your eyes on your statement and monitor it DAILY.

Enough said.

Applications Page

The applications page of the settings box is pretty much there to let you see what has access and who has access.  You can remove or modify portions of it.  The basics are:

•    Events
•    Gifts
•    Groups
•    Links
•    Notes
•    Photos
•    Video

The Edit Settings link will take you to the security portion of FB, so that will be covered a little later.

The ones listed are the only ones that cannot be removed.  They’re basically needed to use FB in its most minimal state.

All of the settings have multiple options for who can see them.

•    Friends Only (my favorite)
•    Everyone (my least favorite)
•    Friends of Friends (dangerous)
•    Customize (not recommended, easy to make a mistake)

Now the first section we’re going to discuss is the Privacy Settings.  This is probably one of the most important sections in the account area.

Personal Information and Posts

Bio and Favorite Quotations

Personal suggestion is to have this set at Friends Only.  You can set it to one of the others, but remember, no matter what you set it to, do you REALLY know everyone on your FB Friends list personally as well as all of their friends?

Please be careful of this one.  It allows people to see your bio, your posts and your photo albums.  Also, the photo albums each have their own individual “who can see it” settings.


Who do you want to know your birthday information?

Interested and looking for

Are you looking for men, women, friends, dates, etc.?  It’s kind of like the dating-site portion.

Religious and political views

Dangerous slope here.  Who do you want to know whether you’re a Republican, Democrat, Muslim, Christian, Jew, Independent, etc.?  Be careful what you put in here.

Photo Albums

Here’s where you can individually set who is able to see your pictures.  This one is dangerous because, by default, it reverts to your primary ‘who can see this’ setting.

Posts by me

Basically, who can see what you post: your links, your videos, your photos.  You can leave it as everyone, friends, etc., but if you’re pimping out your website (like I do) or are a website page (like DVM), I’d leave it as everyone.  (Remember, you can choose who sees the photos and videos independently.)

Allow friends to post on my wall

This allows people to post comments on your wall directly without responding to a post you put there.  It’s either a yes or no answer; I personally allow it, as you can remove posts if necessary.

Posts by friends

This one allows you to control who sees posts on your page made by your friends.  If your friends regularly post on your wall and you don’t like people seeing what they post, then tone it down.  If you don’t care who sees it, leave it open.  But remember, you don’t know how your friends have their own posting settings, so usually treat it as “everyone can see everything I post” and be careful what you say online.

Comments on Posts

Pretty much who sees the comments on posts that you create.  Everyone?  Friends only?  Depending on what you post on your site, you may want everyone to see it, you may not.

Contact Information

This is where you really want to clamp down on who sees what.  It’s a great source of social engineering information.

Each of them is pretty self-explanatory, and I just warn you about:

•    What you put in there
•    Who you allow to see it

Friends, Tags and Connections

Again, this is an area you want to clamp down on.  And remember to keep in mind:

•    What you put in there
•    Who you allow to see it


This section defines how people find you on Facebook.

The search results setting allows friends, friends of friends, everyone, etc. to find you.  Who do you want to know that you are on Facebook?

You are also able to allow public search results.  It lets you see a preview of what people will see before you select Allow.  I personally suggest not ‘allowing’ public search results.

Applications and Websites

This is an interesting section.  It allows you to adjust the application settings, activity settings, what you share, what your friends can share about you, etc.  It’s a page that should REALLY be looked at closely and managed wisely.

What you share

This is more of an informational section than anything; you should really take a deep look at it and ask questions if you have any.

What your friends can share about you

This controls what your friends can share with their friends, applications, etc.  Manage wisely what you allow.  You can allow the following:

•    Status updates
•    Online presence
•    Website
•    Family and relationship status *
•    Relationship details (significant other, looking for, etc.)
•    My videos
•    My links
•    My notes
•    My photos
•    Photos and videos I’m tagged in *
•    About me
•    My birthday
•    My religious and political views

This is where you can really trip yourself up.  If you allow only friends to see your notes, links, photos and videos and then turn around and let your friends share them, you’re basically allowing everyone to see them to begin with.  Again, be careful with this one.

Blocked Applications

This allows you to block apps and friends without having to get rid of them or respond to them.  It allows you to block those annoying “I just won a million bucks using this app, here’s a gift for you to get started playing this game too” notices that show up on your page from your friends.

It also blocks stuff like “I need help in mafia wars, join my crew”.  When I blocked all of those, some people in my friends list disappeared, because all they do all day long is play games.  It cleared up my feed quite nicely.

Ignore application invites

If you’re like me and HATE FB apps, you’re going to love this one.  It’ll stop applications from inviting you to play them, as well as stop all requests from friends inviting you to play with them.

Activity on applications and games dashboards

Yeah, you may like to play mahjong or mafia wars, or even pretty little pony princess.  But do you really want your friends, boss or co-workers to know you enjoy the thrill of dressing up your little pony princess and prancing around the magical kingdom?

Didn’t think so…

Instant personalization pilot program

THIS one is interesting.  It sets how FB partners can personalize their features with your public information.  Basically it tells FB what info they can give to their partners without you knowing about it.

By default, it’s ON.  This should be turned OFF.  Never let someone share your information without you knowing about it or consenting.

Partners of theirs are currently Microsoft, Pandora and Yelp.  But I’m sure they’ve got their grubby paws out to draw more in.  Microsoft currently has more information on me than I want them to have; they don’t need any more.

Block List

This is basically where you have a list of people that you specifically want blocked from your FB page.  Pretty self-explanatory, but remember, they can always create a new profile or get a new e-mail address, so it’s not foolproof.

I know this is a lot to digest and, looking back, I’m not so sure that I want to keep my FB page.  I keep stripping things off of it, so it’s turning into my personal web site fan page.  Which overall isn’t that bad a thing.

With all of the changes that FB is making to their privacy policy it has gone from 1,004 words in 2005 to currently more words than the Constitution.

Do you really want to sit down and read something like that?  I mean yeah, I’ll read the Constitution (I have many times), but just so my friends, family etc can keep in touch?  No, not really.

Remember some of this when you’re on your FB page and now that you’ve read some of it, don’t be afraid to go out and make sure you have your settings marked correctly.

If you have ANY questions on any of these settings, please don’t hesitate to drop a line and give me your questions.

I can probably tell you what my answer is going to be, right now (don’t allow anyone but friends to see your stuff and don’t allow friends to publish anything), but I’ll try and tailor it to your specific situation.

So, do you use FB?

How do you use it, is it just to keep in touch, something to follow events?

What are your thoughts on the privacy issues concerning FB and their privacy statements?

Till next time.

Editor’s Note: If you still want to use Facebook for keeping in touch with folks or for seeing what’s going on out there, then just set one up with a fake name.


~Norm W.
Information Security Correspondent

Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.


  1. Nice. Well written. Going to post on my FB page for my friends to see! (oh the irony).

  2. Great to hear Chris. Glad I could help out.

  3. I quit FB and deactivated my account. I like my privacy and I’d rather not let everyone from work and other associates into my personal network of close friends and family. I’m on linkedin and that is good enough for me.

  4. Linked in is pretty nice, I’ve kept in contact with a few associates that aren’t on FB that way. They also take their security a little more seriously.

  5. Very good article as usual norm. Very comprehensive. I pretty much have my account on lock down. It is under a pseudonym and even with that name you can’t click on it to set up a friend request. A person has to know one of my emails and ask me there.

    I have my friends compartmentalized so that only people in that group that know each other can see what the people in that group can see, etc. I do wish however that they had an approval system to approve what people post before it goes onto your wall, because I am not on it 24/7 to delete something that I don’t like.

    But I am always one step away from deleting the account. Between emails and texts I am not sure a social networking account is needed. I think it is more akin to gossip then actually connecting to anyone. But that is just my opinion.

    Thanks Norm.

  6. But I am always one step away from deleting the account.

    Heh…I know what you mean, I’ve been sitting on the deactivate page with my finger over the mouse button many times.

  7. Consider any information on facebook compromised

  8. You know fellas, I had not considered using a pseudonym, it’s an idea. I’ll give it some thought.

  9. This is a message sent to me on the DVM Facebook page from one of our readers who asked we repost it here:

    “Got an add on for you, Another surprise from Facebook : As of today, there is a NEW PRIVACY setting called “Instant Personalization”that shares data with non-Facebook websites and it is automatically set to “Allow.”

    Go to Account > Privacy Settings > Applications and Websites > Instant Personalization, and uncheck “Allow”. BTW, if your friends don’t do this, they will be sharing information about you.”

  10. I think you nailed it right here:

    “Don’t sign up for FB”

  11. Heh…I know what you mean, I’ve been sitting on the deactivate page with my finger over the mouse button many times.  

    It is like a lot of things. It is good in theory, I have friends strewn about all over the world and something like this makes it easy to keep in touch. But when it all boils down, stuff like this is for lazy people that don’t want to email. I do wish their privacy settings were a bit more straightforward and just an easy box to check that says don’t share my crap with anyone.

    Then you have the people that are really into it and post whatever random idiotic thought in their head or where they are going. For me as someone that takes my privacy seriously I just don’t get the allure of letting the whole world know what you are up to. Like Twatting, (my name for twitter) that thing boggles my mind as to why in the hell anyone would want to do something like that.

    Also, I do like the picture of Kyle from South Park specifically from the facebook episode. Great episode.

  12. Just posted on the Financial Times – FB is looking at privacy changes.

  13. Sorry James, delete this.

    The link is going into a registered site. Linked through Drudgereport

    Just posted on the Financial Times – FB is looking at privacy changes.

  14. I’m not trying to be disrespectful to anyone, but I feel that Facebook is more trouble than it’s worth and will end up like MySpace in a few years if that.

    I’m never surprised that a free networking service makes all their revenue by selling a small amount of advertisement space.

  15. Sam,
    It’s never disrespectful to tell the truth, especially in instances like this.

    I agree with you, Facebook is becoming more hassle than it’s worth. As I mentioned above, I’m rarely on it anymore other than shooting links up to a new site posting.

    • It’s never disrespectful to tell the truth now, eh? Then this is how I really feel about FaceBook…


  16. So yeah norm, I got a high school teacher to start an info security unit just based on this article in a far off Canadian town. It’s a great article BTW

  17. “But do you really want your friends, boss or co-workers to know you enjoy the thrill of dressing up your little pony princess and prancing around the magical kingdom?”

    LMFAO!!!! That was priceless!!

    I’m probably the only teenage girl I know that doesn’t do myspace, facebook, or twitter. If you can’t call me or send an email, don’t bother wasting my time. I hate the people around me who spend more time reading twats or FB updates than actually talking with the people beside them. I mean, do people really think they’re so important that they have to tweet to the world that they finished the appetizer and are going to the bathroom?

    *sighs* Seems like I have to dig into a history book to find the good old days when people actually talked to each other at lunch or in the hallway instead of thumbing their iPhones. (and that’s bad coming from a 17 year old)

    • DUDE, SAME HERE, it’s fucking ridiculous how much time they spend looking at a screen than what’s going on around them, guess when they drive into the tree on the side of the road that will give them a darwin award for being stupid right?

  18. “I hate the people around me who spend more time reading [i][b]twats[/b][/i] or FB updates than actually talking with the people beside them.”

    Twat lol Yeah, you definitely come from a family with a military background.

  19. Twat lol Yeah, you definitely come from a family with a military background.

    Yep. Mom says my first word was FUBAR, but dad says it was something else but he won’t say what. lol

    Anyway, yeah, dad’s on something like his 8th trip or more over there and I just found this site a few days ago and am having a great time reading the article.

  20. Imagine all that time people are wasting on FaceBook when they could be reading an article written Norm or James?

    DUDE, SAME HERE, it’s fucking ridiculous how much time they spend looking at a screen than what’s going on around them, guess when they drive into the tree on the side of the road that will give them a darwin award for being stupid right?

