Application Security

5/14/2010
11:00 AM

Facebook Adds Two Privacy Tools

Both tools have to do with stopping unknown devices from logging in to a user's Facebook account.

Following Thursday's quickly convened meeting to discuss user privacy concerns, Facebook has unveiled two tools designed to help protect account-holders from scammers and alert users to suspicious activity.

With one tool, users can elect to approve the devices they typically use to log in and receive e-mail or text notifications. This feature would serve as an alert if another, unselected device is used to access the account.

"For example, you can save your home computer, your school or work computer, and your mobile phone. Once you've done this, whenever someone logs in to your account from a device not on this list, we'll ask the person to name the device," wrote Lev Popov, a software engineer on Facebook's site integrity team, in a company blog.

The opt-in feature is available under the Account Settings page. Users may click the link next to "Account Security," and select the option to receive notifications for log-ins from new devices. The first time users access their Facebook accounts, they must name and save the devices they use to log onto Facebook.

To block suspicious log-ins, the Facebook system determines whether someone is trying to access an account from an unknown device and asks the individual to answer a verification question to prove their identity. Identifiers could include date of birth, identifying a friend in a photograph, or answering a previously provided security question, Popov wrote.

"These questions are designed to be easy for you, and hard for a bad guy, and we've already seen some great results," he said. "Once you've confirmed your identity, you'll have the opportunity to review recent logins on your account and reset your password if you see logins that you don't recognize."

These tools -- which Popov said have been under development for several weeks -- do not, however, address Facebook's policies towards user information and privacy. The European Union's Article 29 Working Party, part of the EU's Justice and Home Affairs' Data Protection division, added its voice to those cautioning Facebook about its approach to user privacy.

Earlier this week, the division wrote to Facebook, stating its dissatisfaction with the site's changes to its privacy settings.

"It is unacceptable that the company fundamentally changed the default settings on its social-networking platform to the detriment of a user," said a statement from the Working Party. "Facebook made the change only days after the company and other social networking sites providers participated at a hearing during the Article 29 Working Party’s plenary meeting in November 2009."

In the U.S., four Senate Democrats have asked the Federal Trade Commission to develop guidelines governing the way social networking sites can use information submitted by users. Privacy groups have told the Federal Trade Commission and Congress that the social network is violating consumer protection laws.

This month, Facebook hired former U.S. Federal Trade Commission chairman Timothy Muris to help defend the popular Web site's privacy practices in Washington, D.C.
