2007-08-14

A guide to Facebook's security settings, aka Facebook Security for the Uninitiated!

Firstly, a disclaimer: in my opinion there is no such thing as complete security; there is only ever a best-practice solution, and what that looks like is limited by the online application itself.

The developers at Facebook have implemented some of the best privacy settings I have seen in a social networking tool. These can be found in the "privacy" menu at the top right of a profile page. Here are my proposed default settings:

Profile

  • Profile: "Only my friends" (allows only your added friends to view your profile details.) HIGHEST LEVEL AVAILABLE
  • Status Updates: "Only my friends" (allows only your added friends to view your status updates.) HIGHEST LEVEL AVAILABLE
  • Videos Tagged of You: "Only my friends" (allows only your added friends to view videos of you, can also be set to "only me".)
  • Photos Tagged of You: "Only my friends" (allows only your added friends to view photos of you, can also be set to "only me".)
  • Online Status: "Only my friends" (allows only your added friends to view your online status, can also be set to "only me" or "no one".)
  • Friends: "Only my friends" (allows only your added friends to view your friends list) HIGHEST LEVEL AVAILABLE
  • Wall: "Only my friends" (allows only your added friends to view or add to your wall, can also be set to "only me" or "no one")

Contact Information

  • IM Screen Name: "Only my friends" (allows only your added friends to view your IM screen name.) HIGHEST LEVEL AVAILABLE
  • Mobile Phone: "Only my friends" (allows only your added friends to view your mobile phone details.) HIGHEST LEVEL AVAILABLE
  • Land Phone: "Only my friends" (allows only your added friends to view your landline telephone details.) HIGHEST LEVEL AVAILABLE
  • Current Address: "Only my friends" (allows only your added friends to view your contact address details.) HIGHEST LEVEL AVAILABLE
  • Website: "Only my friends" (allows only your added friends to view your website details.) HIGHEST LEVEL AVAILABLE

Contact emails

  • Personal email addresses: "Only my friends" (allows only your added friends to view your personal email addresses, can also be set to "no one") Facebook also obscures this by displaying it as a graphical image rather than plain text so that automated email address harvesters cannot grab it for spam purposes.
  • Work or organisational email addresses: "No one" (Does not allow anyone to see your work or organisational email address. Ultimately, work and organisational email addresses are for that purpose only. If others can see that email address, they can use it for purposes outside of your control, such as sending pornographic material, viral code, phishing emails, etc. Organisations have been known to take legal action against individuals who publish work email addresses, because they give attackers an insight into the organisation's email address structure, etc. Additionally, it is in your best interest to use a personal email address rather than one affiliated with somewhere you might not even be at a year from now!) HIGHEST LEVEL AVAILABLE

Applications in your Profile

These should be set on a case-by-case basis; I have set all my applications to either "no one" or "only my friends". Why on earth would you want your posted items to be viewable by everyone in your country-level network, for example? Simple answer: there isn't one.

Search

  • Who can find me in a search: "Everyone" (Allows all Facebook users to view your public profile; more about your public profile in a minute. This is a good example of applying security only where it is needed: if you were to lock this setting down to "no one" there would be no point using Facebook! In order for a social network website to work you need to be able to network! However, we can control what the Facebook population can view in a search; more details below.)
  • Allow anyone to see my public search listing: YES (This allows public search engines to view your profile.)
  • Allow my public search listing to be indexed by external search engines: NO (This means that search data cannot be cached by search engines; if you change your name, for example, you won't be found from a previously indexed search.)
What Can People Do With My Search Results:
  • See your picture: NO (Why? Isn't a name good enough, let them send you a message first so you can see if you want them to view your picture. People can use photographs for social engineering purposes.) HIGHEST LEVEL AVAILABLE
  • Send you a message: YES (No harm in messages)
  • Poke you: YES (No harm in "poking" :-D )
  • Add you as a friend: YES (People can add you as a friend. Of course, this is a reciprocal two-step process: someone can only be your friend if both people add each other as friends and thus confirm the relationship.)
  • View your friend list: NO (Why should an otherwise complete stranger be able to see who you are friends with? Take this example: someone you do not wish to be affiliated with wants to confirm which one of five profiles returned by a search is you. By viewing your friends list they may be able to confirm which one is you, and then use your friend list as information to target a social engineering attack.) HIGHEST LEVEL AVAILABLE

News Feed and Mini-Feed

Changing your profile can trigger news alerts regarding those changes to your friends. Whilst your friends are ... well ... your friends, they might not always be your best friends. Certain events you may not wish to advertise to colleagues, co-workers or friends in general. This is my list:
  • Remove Profile Info: NO
  • Write a Wall Post: NO
  • Comment on a Note: NO
  • Comment on a Photo: YES
  • Comment on a Video: YES
  • Comment on a Posted Item: YES
  • Post on a Discussion Board: YES
  • Add a Friend: NO
  • Remove my Relationship Status: NO
  • Leave a Group: NO
  • Leave a Network: NO
  • Show times in my Mini-Feed: NO (Because these times can show when you are online.)

Poke, Message and Friend Request Settings

When you poke, message or add someone as a friend you allow them to see your profile. Whilst this is useful, you may wish to limit some of the information you allow others to view. These are my settings:
  • Basic Info: NO
  • Contact Info: NO
  • Personal Info: YES
  • Education Info: NO
  • Work Info: NO
  • Wall: NO
  • Photos Tagged of Me: YES
  • Videos Tagged of Me: NO
  • Online Status: NO
  • Status Updates: NO
  • Friends: NO
  • Posted Items: NO
  • Notes: NO
  • Groups: NO

Essentially, if someone wants to know who I am they should only need the most basic of personal information and a photo or two. From there people can then add you as a friend to have access to more information. Any supplemental information such as work, telephone, networks, etc. is purely open to abuse from a social engineer.

Applications

A little note about Applications: they are written by third parties. Do you really want the writer of an add-in application to see your religious or political views? Or what sex you're interested in? Probably not. Be sure to uncheck all available options under the "What Other Users Can See via the Facebook Platform" setting.

Block People

Does exactly what it says: this stops the specified users from accessing your profile or even seeing it in a Facebook search. Useful, huh? It even blocks unwanted communications from that user within the Facebook tool.

Limited Profile List

This little option allows you to limit your profile to a level specified by you for certain added friends. Useful if you wish to have two different levels of profile: one for friends and one for work colleagues, for example.