Facebook users love announcing to the world that they’ve checked in at Disneyland, uploading hashtag-filled selfies and writing public posts with a little too much information. On more than any other social platform, it seems that Facebook users are most willing to hand Mark Zuckerberg and company their intimate details, such as hometown, college, employer, who they’re dating and birthdate.
But when 4,000 U.S. users were asked if they trust Facebook with their personal data, the answer was a resounding “No.”
A new study by online identity manager MyLife shows that 82.9 percent of those polled said they did not trust Facebook with their personal information.
Facebook is working to make the Internet a more secure place. The company announced Thursday at the USENIX Security Symposium in San Diego the creation of the Internet Defense Prize — an award recognizing superior quality research that combines a working prototype with great contributions to securing the Internet.
Facebook and USENIX crowned the first winners today. Johannes Dahse and Thorsten Holz, two researchers from Ruhr-Universität Bochum in Germany, were awarded $50,000 for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications.”
Though Facebook has moved to HTTPS, that doesn’t mean the site is completely safe. There’s a general attack on HTTPS sites called BREACH, which interacts with the very mechanism that usually shields against a different attack, cross-site request forgery (CSRF).
CSRF is used against sites with user accounts, such as Facebook. According to Facebook, the attacker convinces the user’s browser to send plausible web requests to the target website. It’s masked as a common request, so it doesn’t raise any red flags within the browser.
If that works, then the attacker can pose as their victim, sending spam or stealing information.
Facebook detailed in a security blog post how the company protects against these kinds of attacks.
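As an added illustration (not Facebook’s code or the exact scheme from its blog post), the Python below sketches a CSRF token check that also masks the token differently on every response, so that a compression side channel such as BREACH cannot recover the fixed secret by watching compressed page sizes. The server key, session ids and origin values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for the example; a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LEN = 32  # SHA-256 digest length


def session_csrf_token(session_id: str) -> bytes:
    """Derive one stable per-session CSRF token from the server key (hypothetical scheme)."""
    return hmac.new(SERVER_KEY, b"csrf:" + session_id.encode(), hashlib.sha256).digest()


def mask_token(token: bytes) -> str:
    """Render the token for one response as hex(pad || pad XOR token).

    Because the pad is fresh per response, the bytes embedded in the page differ
    every time, which denies a compression side channel a fixed string to guess.
    """
    pad = secrets.token_bytes(len(token))
    masked = bytes(p ^ t for p, t in zip(pad, token))
    return (pad + masked).hex()


def unmask_token(field: str) -> Optional[bytes]:
    """Reverse mask_token; return None for anything malformed rather than raising."""
    try:
        raw = bytes.fromhex(field)
    except ValueError:
        return None
    if len(raw) != 2 * TOKEN_LEN:
        return None
    pad, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return bytes(p ^ m for p, m in zip(pad, masked))


def verify_request(session_id: str, submitted: str,
                   origin: Optional[str], allowed_origin: str) -> bool:
    """Accept a state-changing request only if the Origin header (when sent) matches
    and the unmasked token equals the session's token, compared in constant time."""
    if origin is not None and origin != allowed_origin:
        return False
    token = unmask_token(submitted)
    if token is None:
        return False
    return hmac.compare_digest(token, session_csrf_token(session_id))
```

A forged cross-site request fails because the attacker’s page cannot read the victim’s token to submit it, while the browser-supplied Origin header adds a second, independent check.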
When Facebook sends out emails about notifications — such as a tagged photo or a friend request — the email is usually encrypted in transit using STARTTLS, an extension that upgrades a plain-text mail connection to an encrypted one. The standard has been around for 15 years, but Facebook heard it wasn’t widely deployed. The company wanted to test its own email systems to see how many notification emails were encrypted with STARTTLS.
Facebook found that 76 percent of unique MX hostnames that receive email notifications (which can number in the billions per day) support STARTTLS, and 58 percent of notification emails are successfully encrypted. Certificate validation passes for roughly half of encrypted email; the other half is opportunistically encrypted. Facebook pointed out that 74 percent of hosts that support STARTTLS also provide Perfect Forward Secrecy.
Facebook CEO Mark Zuckerberg’s new mantra of “Move fast with stable infra” might not be as sexy as “Move fast and break things,” but it reflects Facebook’s shift in ideology. Now that Facebook is 10 years old and a publicly traded company, it is past the risky startup stage and is in a position to give developers, advertisers and users more stability and security.
Moving away from breaking things, Facebook is putting more control over app permissions and login into the users’ hands. Zuckerberg announced at f8 that users will have more granular controls over what data is shared with apps. Additionally, users wary of the “Login with Facebook” button now have a way to sign into an app without sharing any Facebook information at all.
As Zuckerberg emphasized that Facebook is putting people first, he described the new controls:
Over the years, one of the things we’ve heard just over and over again is that people want more control over how they share their information, especially with apps, and they want more say and control over how apps use their data. … We take this really seriously. If people don’t have the tools they need to feel comfortable using your apps, then that’s bad for them and it’s bad for you. It will prevent people from having good personalized experiences and trying out new things, but it also might hurt you and prevent you from getting some new potential customers.
The new Facebook Login flow should be available in the coming weeks, while anonymous login is in beta with a few developers with a wider rollout planned in the next few months.
Facebook rewards white hat researchers who find errors and holes in the social network’s code, but don’t exploit them. In a look ahead at Facebook’s bug bounty program in 2014, Security Engineer Collin Greene examined what the program did in 2013.
Last year, Facebook received 14,763 submissions from researchers — a 246 percent increase from 2012. Of those submissions, 687 were valid and eligible to receive a reward. Six percent of the eligible bugs were categorized as high severity, and Facebook’s median response time to those was about 6 hours.
Facebook paid out $1.5 million to 330 researchers around the world, with the average reward being $2,204. Most bugs were discovered in non-core properties, such as websites operated by companies acquired by Facebook.
Facebook on Monday released data showing how many requests for data the company has received from the National Security Agency — at least, the range of these requests. From January through June 2013, Facebook received fewer than 1,000 requests for user content data from the NSA, regarding 5,000 to 5,999 accounts.
The newly announced Facebook privacy settings for new teen accounts may have some positives, but one expert warns that they may not only prove ineffective against cyberbullying but also keep parents from monitoring their own children’s online activity.
Facebook’s privacy settings for new teenagers joining the site will at first allow only those the teen has friended to see his or her posts. If users aged 13-17 so choose, they can elect to have their posts public, but the automatic setting is friends-only.
However, will this help keep teens safer on Facebook? Steve Woda, CEO of uKnow.com — a firm that provides social media monitoring of kids’ accounts — doesn’t think these changes will help much.
Last year, Facebook started removing the privacy-checking feature called “Who can look up your timeline by name?” The company announced Thursday that it is officially ending this feature, prompting users to take better control of their individual privacy settings.
Facebook released a minor update to its Android app Wednesday, bringing the structured status updates to more users and giving Android users more access to privacy information.
Now, as with the privacy education on the desktop site, Android users can easily tap through to learn how to control privacy settings on posts and how to block or report harassing users.