Michael Argast, a security analyst at Sophos, conceded, "Facebook does a reasonably good job of providing privacy controls."
Nonetheless, he insisted that Facebook needs to do a better job making its privacy controls clear to its users. He said that, as with privacy policies on Web sites, most people don't understand privacy settings. "People end up leaking more information than they intended," he said.
While privacy issues tend to be difficult to assess, because a loss of privacy often presents only a theoretical risk rather than an actual loss, security issues present a clearer threat to Facebook and its users.
Fortinet, another security company, on Tuesday identified a Facebook worm that uses Google Reader and Picasa to dupe Facebook users into watching a malicious video file. The worm travels as a Facebook message and prompts recipients to watch an online video. In an attempt to appear more credible, the worm points to a video embedded in a Google Reader or Picasa page rather than linking directly to the malicious site.
"It appears that cyber criminals behind the Facebook worms registered Google Reader accounts (either manually, or automatically via phishing operations or automated captcha solvers) for the sole purpose of loading them with links to malicious sites," said Fortinet researcher Guillaume Lovet in a blog post. "Indeed, upon clicking on the tempting video frame seen in the News Reader..., the victim is redirected to a classic fake-codec (W32/Zlob.NKX!tr.dldr), Trojan-enabled site."
Schnitt said that Facebook was aware of this particular worm and is working to remediate it. He said that only a small percentage of users have been affected. He characterized security issues as "an ongoing battle," and pointed to some of Facebook's security practices. There's automated monitoring and industry cooperation, of course. In cases where user posts appear to be suspicious, Facebook will add a CAPTCHA test that must be passed before the post is published, he explained.
"The bad guys go where the users are," said Schnitt.
And where bad guys go, security companies are sure to follow.
This article was edited on 10/30 to correct the spelling of Michael Argast's name.