Application Security
5/14/2010
11:00 AM
Facebook Adds Two Privacy Tools

Both tools have to do with stopping unknown devices from logging in to a user's Facebook account.

Following Thursday's quickly convened meeting to discuss user privacy concerns, Facebook has unveiled two tools designed to help protect account-holders from scammers and alert users to suspicious activity.

With one tool, users can elect to approve the devices they typically use to log in and receive e-mail or text notifications. The feature serves as an alert whenever a device not on that approved list is used to access the account.

"For example, you can save your home computer, your school or work computer, and your mobile phone. Once you've done this, whenever someone logs in to your account from a device not on this list, we'll ask the person to name the device," wrote Lev Popov, a software engineer on Facebook's site integrity team, in a company blog.

The opt-in feature is available under the Account Settings page. Users may click the link next to "Account Security" and select the option to receive notifications for log-ins from new devices. The first time users access their Facebook accounts, they must name and save the devices they use to log onto Facebook.

To block suspicious log-ins, when the Facebook system determines that someone is trying to access an account from an unknown device, it asks that person to answer a verification question to prove their identity. Verification methods could include date of birth, identifying a friend in a photograph, or answering a previously provided security question, Popov wrote.

"These questions are designed to be easy for you, and hard for a bad guy, and we've already seen some great results," he said. "Once you've confirmed your identity, you'll have the opportunity to review recent logins on your account and reset your password if you see logins that you don't recognize."
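The device-approval flow described above, as an added Python sketch that is not Facebook's code: a login from a saved device passes, an unknown device must first answer the identity question, the user is notified, and the user can then review logins from devices not on the list and name the ones that are theirs. The device fingerprint strings, the `answer_challenge` callback and the data structures are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LoginRecord:
    device_id: str                  # assumed device fingerprint (constructed)
    device_name: Optional[str]      # None until the user names the device
    verified: bool                  # passed the step-up identity question

@dataclass
class Account:
    # device fingerprint -> user-chosen name ("home computer", "mobile phone", ...)
    trusted_devices: dict = field(default_factory=dict)
    recent_logins: list = field(default_factory=list)
    notifications: list = field(default_factory=list)  # stand-in for e-mail/SMS alerts
    notify_on_new_device: bool = True                    # the opt-in setting

def process_login(account, device_id, answer_challenge):
    """Post-password step. `answer_challenge` is a hypothetical callable that
    returns True only when the person answers the identity question correctly."""
    if device_id in account.trusted_devices:
        name = account.trusted_devices[device_id]
        account.recent_logins.append(LoginRecord(device_id, name, True))
        return "allowed"
    # Unknown device: require the verification question before granting a session.
    if not answer_challenge():
        account.notifications.append(f"Blocked login from unrecognized device {device_id}")
        return "blocked"
    account.recent_logins.append(LoginRecord(device_id, None, True))
    if account.notify_on_new_device:
        account.notifications.append(f"New device {device_id} logged in; please name it")
    return "allowed_unrecognized"

def name_device(account, device_id, name):
    """Save a device to the approved list and label its existing login records."""
    account.trusted_devices[device_id] = name
    for rec in account.recent_logins:
        if rec.device_id == device_id:
            rec.device_name = name

def unrecognized_logins(account):
    """What the user reviews after verifying: logins from devices not on the saved list."""
    return [r for r in account.recent_logins if r.device_id not in account.trusted_devices]
```

A login record with no device name is the signal for the user to either name the device or reset the password.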

These tools -- which Popov said have been under development for several weeks -- do not, however, address Facebook's policies towards user information and privacy. The European Union's Article 29 Working Party, part of the EU's Justice and Home Affairs' Data Protection division, added its voice to those cautioning Facebook about its approach to user privacy.

Earlier this week, the division wrote to Facebook, stating its dissatisfaction with the site's changes to its privacy settings.

"It is unacceptable that the company fundamentally changed the default settings on its social-networking platform to the detriment of a user," said a statement from the Working Party. "Facebook made the change only days after the company and other social networking sites providers participated at a hearing during the Article 29 Working Party’s plenary meeting in November 2009."

In the U.S., four Senate Democrats have asked the Federal Trade Commission to develop guidelines governing the way social networking sites can use information submitted by users. Privacy groups have told the Federal Trade Commission and Congress that the social network is violating consumer protection laws.

This month, Facebook hired former U.S. Federal Trade Commission chairman Timothy Muris to help defend the popular Web site's privacy practices in Washington, D.C.
