The whipped cream is out of the can. Now what can we do about it?
Like so many millions of others, I’ve found Facebook and Twitter in the last few months, in addition to the more traditional professional networking sites I’ve used for years, like LinkedIn. But what started as idle curiosity soon grew into addiction.
Yes, my name is Ken and I’m addicted to…
But gosh darn it, they’re fun! I’ve re-connected with many old friends, and I like knowing what they’ve done with their lives. OK, we’re not likely to become best friends again, but I still value that connection we’ve made again.
So, how secure are these sites?
I’ve experienced several classic Web security issues in each of the sites I frequent, and without a doubt there remain many vulnerabilities to be discovered. But that hasn’t stopped me from using them.
Like any decision involving risk, I’ve studied the issues, minimized my own exposure, and I’m getting on with what I care to do.
Let’s start by looking at the issues briefly.
Well, for starters, they are Web applications, and as such they’re potentially vulnerable to a plethora of issues, from the OWASP Top-10 and beyond – and yes, there are far more than 10.
And don’t think for a moment that all web application vulnerabilities solely place the application at risk. Many also put the app’s users at risk: cross-site scripting (XSS), cross-site request forgery (CSRF), and others can be used to attack the users quite easily.
As a user of a social networking site, you’re placing your (and your employer’s) data at risk.
Long-time readers of this column (hi Mom!) have heard me talk about the dangers of active content many times.
Javascript, Java applets, Flash, ActiveX, and many others are all examples of active content. And guess what? Every popular social networking site in existence – or at least with a significant population of users – absolutely requires active content in order for the site to function.
The bottom line: by allowing active content into your browser, you are trusting someone else’s code to run on your computer safely. Well, what’s the big deal? We do that all the time. Well, now the code is dynamic and maintained somewhere else, and you’re trusting it every time. Gulp!
Some of the HTML, Javascript, etc., that arrives in your browser comes from (say) Facebook. Fair enough, if you’re going to use Facebook, you’ll need to trust that content.
But your browser isn’t so discerning. Some of the stuff that comes into it while you’re on Facebook might be provided by someone else: another Facebook user; an attacker; a third party application on Facebook. If your browser trusts Facebook, chances are it’s also going to trust that code. This extends the active content exposure pretty substantially.
Users put all sorts of content into their own profiles. URLs pointing to cool sites, photos, etc. If they link to something dangerous—perhaps inadvertently—and you click on it… Well, you get the drift.
Most of the popular social networking sites have a third-party application interface for companies to generate their own content. Most of it is pretty innocuous and in the spirit of good clean fun, like a little app that lets you “throw” a virtual snowball at someone else. But, again, it extends that trust boundary in ways you might not want.
All of these things come with levels of risk. The “double whammy” that I see is the active content combined with the expanded domain of trust. There’s a cross-site scripting launch pad in that combination if ever there were one.
When I’ve written about browser security (as in this comparison of IE vs. Safari vs. Firefox), I’ve advocated browser plug-ins like NoScript to give the user a level of control over active content. The problem is that it only provides a partial solution on social networking sites.
For example, if I tell my NoScript to allow scripts to run from Facebook, I’m allowing all Javascript coming at me from facebook.com to run. As I said, that may or may not be actual Facebook content.
NoScript either trusts a domain or it doesn’t. Clearly, it’s not granular enough for all issues.
So, what can we do to protect ourselves? Here are a few tips to consider:
They’re far from obsolete!
Easier said than done, but at a minimum, I suggest only accepting friend connections from people you directly know. Of course, they’ll come with varying levels of technology “cluelessness,” but it’s still not a good idea to be friends with anyone who figures out how to send a request to you.
If you have the ability to decide what apps you run and allow within your social network’s site, be choosy. Do you really need every cutesy app that comes along?
Wait for a couple days to see what people (and the media) say about an app before deciding to dive in. If the app has problems, often it’s the early adopters who will find them.
Turn up the privacy controls: Pretty much all the social networking sites allow you to tune your own privacy controls. Turn those up to “high.” Only allow people in your ring of accepted friends to view your information.
When friends send you links to sites, apps, etc., don’t just click on them. Hover your mouse over the link, look at it in its entirety, see what data is going to be passed to it, and then decide. You might even cut-and-paste the URL into another browser and go there separately.
To the extent possible and feasible, don’t run other Web apps while you’re on your social networking site. Shut down your browser completely, re-start it, do your social networking for the day, and then log out. There are good and valid reasons for this that I’ll cover in a future column, but for now, trust me on this.
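The “hover and read the whole link” tip, carried out in code as an added example that is not part of the original column: given the text a link displays and the href it actually carries, the function reports the real host, the data in the query string, and the points a reader should weigh before clicking. The trusted-host list, the sample links and the hostnames in them are constructed for the example.

```javascript
// Added example, not part of the original column: the "hover and read the
// whole link" tip done programmatically. Given the text a link displays and
// the href it actually carries, report the real host, the query-string data
// that will be passed along, and anything a reader should weigh first.
function inspectLink(displayText, href, trustedHosts) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, host: null, path: null, params: {},
             warnings: ["href is not a parseable absolute URL"] };
  }
  const warnings = [];
  const host = url.hostname.toLowerCase();
  const sameSite = (a, b) => a === b || a.endsWith("." + b);
  // 1. Is the real destination one of the sites you decided to trust?
  if (!trustedHosts.some((t) => sameSite(host, t.toLowerCase()))) {
    warnings.push(`host ${host} is not on your trusted list`);
  }
  // 2. Does the visible text name a different host than the href goes to?
  const shown = displayText.match(/([a-z0-9-]+\.)+[a-z]{2,}/i);
  if (shown) {
    const shownHost = shown[0].toLowerCase();
    if (!sameSite(host, shownHost) && !sameSite(shownHost, host)) {
      warnings.push(`link text shows ${shownHost} but points at ${host}`);
    }
  }
  // 3. Transport and embedded-credential checks.
  if (url.protocol !== "https:") warnings.push("not HTTPS");
  if (url.username || url.password) warnings.push("credentials embedded in URL");
  // 4. The query string is the data handed to the destination: list it and
  //    flag parameters that look like session material or a redirect target.
  const params = Object.fromEntries(url.searchParams.entries());
  for (const [key, value] of Object.entries(params)) {
    if (/^(token|session|sid|auth|pass)/i.test(key)) {
      warnings.push(`query parameter '${key}' looks like a credential`);
    }
    if (/^https?:\/\//i.test(value)) {
      warnings.push(`query parameter '${key}' carries another URL (redirect?)`);
    }
  }
  return { ok: warnings.length === 0, host, path: url.pathname, params, warnings };
}
// Constructed sample links; the hosts are made up for this example.
const safe = inspectLink("facebook.com photo album",
  "https://www.facebook.com/photo?id=123", ["facebook.com"]);
const sketchy = inspectLink("facebook.com",
  "http://facebook.com.example.net/login?next=https://facebook.com&sid=abc", ["facebook.com"]);
console.log(safe.ok, sketchy.warnings);
```

The second sample shows why reading the link “in its entirety” matters: the visible text names one site, the host is a lookalike, and the query string carries both a redirect target and a session-looking value.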
So that should arm you with a few tips to consider. There’s still risk involved with using these sites, and there always will be. You need to decide for yourself if the risks are worth whatever value you perceive in using the sites.
As for me, I sure wouldn’t give up my Facebook account without a fight.