Application Security
5/14/2010
11:00 AM
Connect Directly
RSS
E-Mail
50%
50%

Facebook Adds Two Privacy Tools

Both tools have to do with stopping unknown devices from logging in to a user's Facebook account.

Following Thursday's quickly convened meeting to discuss user privacy concerns, Facebook has unveiled two tools designed to help protect account-holders from scammers and alert users to suspicious activity.

With one tool, users can elect to approve the devices they typically use to log-in and receive e-mail or text notifications. This feature would serve as an alert if another, unselected device is used to access the account.

"For example, you can save your home computer, your school or work computer, and your mobile phone. Once you've done this, whenever someone logs in to your account from a device not on this list, we'll ask the person to name the device," wrote Lev Popov, a software engineer on Facebook's site integrity team, in a company blog.

The opt-in feature is available under the Account Settings page. Users may click the link next to "Account Security," and select the option to receive notifications for log-ins from new devices. The first time users access their Facebook accounts, they must name and save the devices they use to log onto Facebook.

To block suspicious log-ins, if the Facebook system determines if someone is trying to access an account from an unknown device and asks the individual to answer a verification question to prove their identity. Identifiers could include date of birth, identifying a friend in a photograph or answering a previously-provided security question, Popov wrote.

"These questions are designed to be easy for you, and hard for a bad guy, and we've already seen some great results," he said. "Once you've confirmed your identity, you'll have the opportunity to review recent logins on your account and reset your password if you see logins that you don't recognize."

These tools -- which Popov said have been under development for several weeks -- do not, however, address Facebook's policies towards user information and privacy. The European Union's Article 29 Working Party, part of the EU's Justice and Home Affairs' Data Protection division, added its voice to those cautioning Facebook about its approach to user privacy.

Earlier this week, the division wrote to Facebook, stating its dissatisfaction with the site's changes to its privacy settings.

"It is unacceptable that the company fundamentally changed the default settings on its social-networking platform to the detriment of a user," said a statement from the Working Party. "Facebook made the change only days after the company and other social networking sites providers participated at a hearing during the Article 29 Working Party’s plenary meeting in November 2009."

In the U.S., four Senate Democrats have asked the Federal Trade Commission to develop guidelines governing the way social networking sites can use information submitted by users. Privacy groups the Federal Trade Commission and Congress that the social network is violating consumer protection laws.

Facebook hired this month former U.S. Federal Trade Commission chairman Timothy Muris to help defend the popular Web site's privacy practices in Washington, D.C.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
DevOpsí Impact on Application Security
DevOpsí Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, itís a ďdevelopers are from Mars, systems engineers are from VenusĒ situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3090
Published: 2014-09-23
IBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3101
Published: 2014-09-23
The login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2014-3103
Published: 2014-09-23
The Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http...

CVE-2014-3104
Published: 2014-09-23
IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3105
Published: 2014-09-23
The OSLC integration feature in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account n...

Best of the Web
Dark Reading Radio