Once again, Facebook founder Mark Zuckerberg was hacked.
Earlier this week, 14 private photos of Zuckerberg were leaked to photo-sharing site Imgur under the headline, “It’s time to fix those security flaws Facebook.” The social network later confirmed that the flaw was the result of a recent code push and was live “for a limited period of time”–affecting not just Zuckerberg’s account, but also an undetermined number of others.
This latest security problem comes one week after Facebook agreed to settle the charges with the FTC that it deceived consumers by telling them they could keep their information on Facebook private, then allowed it to be shared and made public.
Unfortunate timing for Facebook, no doubt. But, according to Mike Geide, senior security researcher at Zscaler ThreatLabZ, a cloud security company, Facebook has stepped up its security measures in the last year, though “there’s certainly room for improvement,” he says.
“Hackers are getting more and more sophisticated with their attacks,” Geide says. “Facebook credentials that are stolen and sold underground are a huge commodity–kind of like email addresses are for spammers.”
As hackers up the ante with attacks, Facebook users need to take extra precautions and exercise better judgment to ensure their accounts–and their personal information–stay safe. Here are four ways to do so.
1. Enable SSL Encryption
In the past, Facebook used HTTPS–Hypertext Transfer Protocol Secure–only when you entered your password. If you’ve shopped or banked online, you might also notice this amped-up security feature, denoted by a small lock icon that appears in your address bar, or just a green address bar. Facebook now applies SSL encryption to all browsing done on the site, and it is strongly recommended if you use public computers or access points, such as at coffee shops, airports or libraries.
To enable this security feature, visit your Account Settings page, then choose “Security” from the options on the left side of the screen. Here, you’ll be able to see whether this option, “Secure Browsing,” is enabled or disabled. Click “Edit” to enable it.
Do note that encrypted pages take longer to load in this mode and that not all third-party apps may support it.
2. Be Wary of Information You Share
The information you share in your profile may seem harmless, but particular pieces are popular “ins” with hackers. Take, for example, your birthday. This piece of data, Geide says, is sometimes used in security questions. Disclosing it at will could put you at risk.
Geide also recommends opting out of the feature that lets you–and your friends–check you into places.
Here’s how to find this setting:
Navigate to your Privacy Settings page and click “Edit Settings” next to “How Tags Work.” Then, turn it off.
Geide says that hackers use your location data not just for physical-world attacks such as stalking and robbery, but for social-engineering attacks, too. One example of this: messaging you to say, “Hey, I met you at XYZ conference last week,” in order to obtain more information or promote a malicious link.
3. Use Applications and Games Sparingly
In the past, rogue Facebook apps have spammed users and hijacked accounts. Facebook has since put a number of safety protocols, such as App Passwords, in place to better vet their apps and ensure security.
App passwords are one-time passwords you use to log into your apps, without needing to enter your Facebook password. To get an app password, go to your Account Settings, then select the Security tab. Click “Edit” next to App Passwords, then follow the prompts.
Geide also recommends carefully reviewing the permissions granted to Facebook apps before you install and use them.
“Applications may use a number of permissions. Because of this, it is best to limit your applications to those that you actually use and have a level of trust for,” he says.
Specifically, Geide recommends paying careful attention to which applications have the ability to write on your wall or message friends, as this could be used to propagate something malicious. Also, check to see what information the application is able to access about you and what content it can read–for example your wall, posts and photos.
“Think about the actual expected behavior of the application,” he says. “And if the level of access that it is requesting doesn’t seem needed for its functionality, the chances are that it’s doing something in addition to what it is advertising.”
4. Log Out of Facebook When You’re Done
When you’re finished browsing Facebook, be sure you log out, Geide says. “This will prevent threats, such as ‘Likejacking,’ that leverage logged-in sessions to Facebook,” he says.
Likejacking is a form of clickjacking, or the malicious technique of tricking users into posting a status update for a site they did not intentionally mean to “like.”
One example of this: In June 2010, hundreds of thousands of users fell victim to likejacking after clicking links that read, “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE,” and, “This man takes a picture of himself EVERYDAY for 8 years!!”
After clicking the link, users were asked to “click here to continue.” The following page contained a clickjacking worm that posted content to the users’ walls.
If you have forgotten to log out of Facebook from a computer or mobile device, you can do so remotely. From your Account Settings page, click the “Security” tab on the left. Select “Edit” next to Active Sessions.
The following information will show you where you’re logged in on other devices, when you last accessed it and the device. To log out of any of the sessions, just click “End Activity.”
Kristin Burnham covers consumer technology, social networking and Web 2.0 for CIO.com. Follow Kristin on Twitter @kmburnham. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Kristin at [email protected].
