New Facebook Features Focus on Privacy and Malware


This week, Facebook has introduced two new privacy and security measures. The first is a new feature that attempts to detect malware on infected devices as they log in to Facebook. The second is a more complete and easy-to-use set of features designed to ensure post privacy.

“Making malware cleanup easier”

On May 20th, 2014, Facebook announced that it will be partnering with two antivirus vendors to implement a new security feature that attempts to detect malware on infected devices during Facebook login and then offers a free antivirus scanner download to identify and remove the infection. Download will be entirely optional, and Facebook states that after the chosen scanner runs to completion it will remove itself from the device.

While it sounds nice enough, and while it may indeed make the world a little bit more malware-free, this new feature assumes malware infection. That is to say, it’s meant to clean up malware after the mess has been made. In addition, these scanners will only remove a malware infection if they are able to recognize the malware in question through signature-based means. If a device is infected with a new strain of malware that is not yet registered on one of these scanners, the device will remain infected.

One of the main reasons Emsisoft Anti-Malware is a pay-for-use product is that it provides proactive malware prevention. It does this by combining the scanning power of two engines with heuristic “Behavior Blocking” technology that recognizes and prevents unregistered malware threats. Even better, you don’t need to log in to Facebook for it to work. Emsisoft Anti-Malware runs in the background of your computer continuously, and it is automatically updated several times per day.

“Making it easier to share with who you want”

Facebook’s second new measure announced this week concerns user privacy. Namely, new Facebook users who are posting for the very first time will be set by default to only share that post with Friends. This is a marked change in Facebook’s policy, as since 2009 the default share setting for all new users was to share with Public. No doubt because the social media megalith boasts an average 1 billion active monthly users, this shift has already garnered a lot of attention from writers all over the web – specifically the New York Times.

Facebook product manager Mike Nowak is quoted in that article, stating: “It’s not fun when you share something, and someone you didn’t expect to be able to see it can see it.” Nowak also points to a continual stream of customer complaints – displayed on a real time, big screen monitor at FB headquarters – as impetus for the privacy policy shift. The article also features commentary from Pam Dixon, an advocate from the World Privacy Forum. Dixon states that she “would really like to see some kind of permanent tool that would let people do a privacy checkup anytime they want.”

Facebook’s upcoming “Privacy Checkup” feature might give her just that.

In addition to changing new users’ default share setting to Friends, Facebook writes that it will soon be implementing a “Privacy Checkup” feature for established users. This feature will apparently attempt to consolidate what some have called a convoluted set of privacy features. No specific details about this feature have been released, but according to the initial announcement “checkup” will be initiated by a pop-up window, designed to remind users of how they are sharing their information. Should users click on the window, the checkup will then guide them through their account’s privacy settings.

Facebook, Malware, Privacy, and You

Making announcements of new security features in a week that’s seen an FBI crackdown on BlackShades RAT users, U.S. cyber espionage allegations against China, a data breach at eBay affecting 145 million users, and an IE 8 zero day public disclosure is more than just good PR for Facebook – it’s also a well-intentioned reaction to a world of cyber threats.

With roughly 1 billion active monthly users and a gold mine of personal information, Facebook is prime territory for malware authors and identity thieves. Most common among these are silly scams, like early May’s Hack Your Friend’s Facebook, which implicated infected users in Like fraud. Perhaps even more ridiculous (but also more malicious) was the Naked Videos of Your Facebook Friends scam we spotted in March, which had the ability to connect users to a fraudulent webpage where they could download a Trojan repair kit for Adobe Flash.

Facebook malware isn’t always so tongue-in-cheek, though. In fact, that’s far from the case with the iBanking Rogue, which we first spotted in April. iBanking leverages the general public’s increasing concern over Facebook security to create a powerful malware that combines social engineering with multi-device interaction, all aimed at infecting Androids with malware that can monitor everything you do with your smartphone, including banking. As it turns out, iBanking has since grown so popular with cybercriminals it is now selling for around $5000 a pop.

All of these malware developments reflect the fact that Facebook is a massive watering hole, and they don’t even begin to scrape the surface of how a website people use to contain their online identities can be used to stalk, steal, and commit fraud – no malware coding experience required. At the same time, this wealth of easily accessible information is what makes Facebook most powerful as a business, as the social media network’s growth has seen its simultaneous transformation into every online marketer’s favorite tool. It is this trend in particular that will pretty much guarantee that in the years to come the best approach to Facebook privacy will be a “use at your own risk” mindset.

Lastly, it is important to consider that in the world of cyber security, each new measure of protection usually provokes a new, malicious response. As we have seen the iBanking rogue pose as a legitimate security solution for wary users, Facebook’s antivirus scanner push might inspire the creation of more rogue security apps. The upcoming change in Facebook’s privacy policy could similarly spawn phishing emails across the board. Moving forward, probably the best approach to Facebook security will therefore be informed and educated usage. That means a solid password, caution when confronted with requests for action, and no selfies past midnight.

And remember, if you’re running Emsisoft, we’ve got your back.

Have a Great (Malware-Free) Day!

  • Legend

    It’s nice that Facebook take steps towards better security and privacy. But to truly boost their efforts, to give the user better Privacy features, they should give back the user’s right to completely delete their account and content. That is for me the ultimate privacy.

  • Legend

    The endless struggle, between security and malware creators, is an endless creative loop. Which is following Newton’s third law (like many things in life): For every action there is an equal and opposite reaction.