
Facebook HTTPS: False sense of security?

The social network's new encryption setting doesn't work with games and other apps, and it won't protect against the increasing number of malware attacks targeting Facebook users.

Dennis O'Reilly Former CNET contributor
Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.

The rollout of Facebook's new Hypertext Transfer Protocol Secure (HTTPS) encryption option is nearly complete. (Elinor Mills described the feature in a post on her InSecurity Complex blog last week.) While encryption is a welcome addition to the social network, it is far from a Facebook security panacea: it protects the traffic between your browser and Facebook from eavesdroppers, and nothing else.

To enable encryption in Facebook, click Account in the top-right corner and choose Account Settings. Select Change next to Account Security to view your current settings. Check the box under Secure Browsing (https). You may also want to check "Send me an email" under "When a new computer or mobile device logs into this account" to be alerted to possible unauthorized access to your account.

[Screenshot: Facebook Account Security settings] Enable Facebook's encryption setting via the Account Security option on your Account Settings page. Screenshot by Dennis O'Reilly/CNET

It's great that Facebook is taking steps to protect its customers from scammers and ID thieves, but there's only so much that company or any Web service can do to thwart snoops and malware purveyors. In Facebook's case, the weak link may be games and other applications that remain unencrypted. Using one of them drops your session back to plain HTTP, and on that connection your requests, the pages you load, and the cookies that identify your session travel across the network in the clear, exactly as they did before the setting existed.
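The following is an added illustration of the general mechanism behind that fallback, not code from the article or from Facebook, and it makes no claim about how Facebook's own cookies are flagged. It uses Python's standard cookie jar to show that a session cookie set over HTTPS without the Secure attribute is attached to any later plain-HTTP request to the same host, while a cookie carrying Secure stays on HTTPS. The host name and cookie names are hypothetical.

```python
import urllib.request
from http.cookiejar import CookieJar
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only
    needs .info() to return the response headers."""

    def __init__(self, set_cookie_lines):
        self._headers = Message()
        for line in set_cookie_lines:
            # Message.__setitem__ appends, so repeated Set-Cookie headers survive
            self._headers["Set-Cookie"] = line

    def info(self):
        return self._headers


# Constructed sample: two cookies a site might set after an HTTPS login.
# Hypothetical host and cookie names, not a real site's.
LOGIN_URL = "https://www.example-social.test/login"
SET_COOKIES = [
    "session=abc123; Path=/",                 # no Secure attribute
    "session_secure=def456; Path=/; Secure",  # Secure attribute present
]


def jar_after_login(origin=LOGIN_URL, set_cookie_lines=SET_COOKIES):
    """Return a CookieJar holding the cookies that an HTTPS response
    to `origin` set."""
    jar = CookieJar()
    req = urllib.request.Request(origin)
    jar.extract_cookies(_FakeResponse(set_cookie_lines), req)
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for `url`,
    sorted. This is what an eavesdropper on the path would see if the
    request went over plain HTTP."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)           # applies the default policy
    header = req.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0] for p in header.split("; ") if p)


if __name__ == "__main__":
    jar = jar_after_login()
    for url in (
        "https://www.example-social.test/home",      # encrypted page
        "http://www.example-social.test/apps/game",  # unencrypted app page
        "http://apps.example-social.test/game",      # different host
    ):
        print(url, "->", cookies_sent_to(jar, url))
```

The unencrypted app page receives the plain `session` cookie but not `session_secure`; that is why sites that mix HTTP and HTTPS need the Secure attribute on the session cookie, and why a user whose session silently falls back to HTTP gains nothing from having switched encryption on.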

Earlier this week Sophos security researcher Graham Cluley wrote in his Naked Security blog about a Facebook flaw discovered by two students. According to Cluley, malware can impersonate an app that you have already granted permission to access your data and post to your wall, and use that access to launch phishing attacks and spread viruses and Trojans.

The researcher was initially unable to reproduce the attack because his Facebook security settings were "pretty rigid," but after lowering them the scam app was able to gain access to his account.

In August 2009 I described how to change the default Facebook security settings to make the service safer. The privacy options have changed somewhat since that time, but the steps for strengthening your Facebook security are about the same. Facebook's own Controlling How You Share page goes into greater detail on the service's security options.

Cluley reports that the students notified Facebook security officials of the flaw and it has been patched. But as the Sophos researcher points out, a complex system such as Facebook is sure to contain other flaws, some of which may be exploited by bad guys.

Facebook users targeted by phishers
As you might expect, Facebook's success has made it a favorite target of Internet scammers. Security vendor Panda Security recently reported on two new malware attacks that try to trick Facebook users into opening a bogus e-mail attachment and into clicking a link in an instant message, respectively.

The e-mail warns users that their Facebook account is being used to send spam and that their password has been changed. They are instructed to open the message's attachment, which bears a Microsoft Word icon, to find their new password, and then to log in and change the password. The attachment opens Word to make users think it's legitimate, but according to PandaLabs researchers it also opens network ports on the system and connects to mail services in an attempt to send spam.

The link in the fake IM downloads a worm that takes over the person's Facebook account and locks them out, displaying a message when they try to log in stating that the account has been suspended. To reactivate the account, the message instructs them to complete a questionnaire and even promises prizes for doing so.

The questionnaire even asks for the person's cell phone number, supposedly to receive "data download credits," and for a new password to be used to reactivate the account. Falling for this would break several of the cardinal rules of safe computing:

• Don't click links in e-mails or IMs, even if you think you trust the sender. Phishers may have compromised the sender's account for use in their nefarious schemes.

• Don't open e-mail attachments you're not expecting without verifying them with the sender beforehand.

• Don't volunteer personal information to any site you don't trust or that doesn't use encryption. Look for "https:" at the start of the URL and the lock icon, either near the address at the top of the screen or in the status bar at the bottom of the screen, depending on your browser. Remember that the lock only means the connection is encrypted to whoever runs that site; a phishing site can use HTTPS too, so also check that the domain in the address bar is really facebook.com and not a lookalike.
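An added example of that check in code, not from the article: a small Python function that accepts a link only if it uses HTTPS and its host is a trusted domain or a subdomain of it, and rejects the usual phishing tricks (a trusted name buried in the user-info part before "@", a trusted name used as a prefix of a longer host, non-ASCII lookalike letters). The trusted host list and the sample links are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hosts this check trusts (assumed for the example; adjust to the service you use).
TRUSTED_HOSTS = ("facebook.com",)


def is_safe_login_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return True only if `url` is HTTPS and its host is a trusted domain
    or a subdomain of one. Anything unusual fails closed."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme != "https":          # urlsplit lowercases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        # "https://facebook.com@evil.example/" puts the trusted name in userinfo;
        # the real host is what follows the "@".
        return False
    host = parts.hostname                 # lowercased, port stripped
    if not host or not host.isascii():
        # Non-ASCII letters (e.g. Cyrillic "а") never equal the ASCII names.
        return False
    host = host.rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


# Constructed sample links, labelled with the trick each one tries.
SAMPLE_LINKS = {
    "https://www.facebook.com/login.php": "genuine",
    "http://www.facebook.com/": "plain HTTP",
    "https://www.facebook.com.evil.example/": "trusted name as prefix",
    "https://facebook.com@evil.example/": "trusted name in userinfo",
    "https://evilfacebook.com/": "trusted name as suffix without dot",
    "https://f\u0430cebook.com/": "Cyrillic lookalike letter",
}

if __name__ == "__main__":
    for link, trick in SAMPLE_LINKS.items():
        print(f"{is_safe_login_url(link)!s:5}  {link}  ({trick})")
```

Only the first link passes. Browsers apply the same kind of reasoning when they highlight the registrable domain in the address bar; the point of the function is that "contains facebook.com" and "starts with https" are each necessary but neither is sufficient.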

There will certainly be new, craftier attempts to trick Facebook users into giving thieves and snoops access to their accounts. Protecting against them is every Facebook user's responsibility. It starts by knowing the bad guys are out there waiting for us to drop our guard.