CraginS
Defender I

Why Would You Ever Trust Facebook???

And the evidence keeps mounting! The Daily Beast reported that Facebook was telling users they had to provide the passwords to their external e-mail account to validate their FB accounts and keep using them:

‘Beyond Sketchy’: Facebook Demanding Some New Users’ Email Passwords

YHGTBKM!

Once FB got caught (er, asked about the practice), they responded as follows:

"In a statement emailed to The Daily Beast after this story published, Facebook reiterated its claim it doesn't store the email passwords. But the company also announced it will end the practice altogether.

"We understand the password verification option isn't the best way to go about this, so we are going to stop offering it," Facebook wrote."

Yeah, riiiiight!

Please read the full article linked above to be reminded of just how egregiously FB has acted just in the recent past.

Hmmm, I wonder if FB has any CISSPs working for them?

If so, I wonder if working for FB constitutes a violation of the (ISC)2 ethical guidelines?

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
8 Replies
Chuxing
Community Champion

Face what?

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Chuxing
Community Champion

"Hmmm, I wonder if FB has any CISSPs working for them?"

Oh, yeah, they have, here's the proof:

[image attachment: Untitled.png]

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Shannon
Community Champion

Wow, I almost couldn't believe that until I read several news articles online.

It's like someone planning a heist, while already standing trial for burglary...

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Shannon
Community Champion

This was one of the articles. A closing statement from a Facebook spokesperson went like this: -

'That said, we understand the password verification option isn't the best way to go about this, so we are going to stop offering it.'

What they've conveniently refrained from saying is: -

'Those who have already provided passwords are strongly advised to change them, as Facebook won't accept responsibility for any compromise that may result directly / indirectly from this.'

Anyone who thought Facebook couldn't sink any lower has seriously underestimated them...

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
kevinkidder
Newcomer III

I almost couldn't believe this until I read the article. Over the past few years, I have had several conversations with the proverbial "family member of a friend" who was hacked through social engineering by being asked to confirm their email address, password, SSN, phone number, date of birth, astrology sign, blood type, credit card information, VIN of their car, mother's maiden name, etc. to confirm their FB identity. Of course, when I hear these stories, I sadly shake my head at the lack of security awareness available to the public. How does a busy mother of 3 who is trying to check in on Facebook ever realize that she is in danger? Who is going to tell her? Who is responsible?

Those of us in the security realm would recognize these requests immediately as phishing and dismiss them. In this case, though, FB seems to have taken a page from their scammers and is asking for information from their users that they have no right to ask for.

Aside from the obvious, that FB is one of the least secure ways to ever store/share information, how is the public to know? Whether or not FB tightens their security before their eventual demise is yet to be seen, but in the meantime, perhaps there should be a FB Security Awareness community providing security outreach services to the public to inform them?

Shannon
Community Champion

@kevinkidder wrote:

How does a busy mother of 3 who is trying to check in on Facebook ever realize that she is in danger? Who is going to tell her? Who is responsible?


There are multiple parties, each falling into a role with its own responsibility:

  1. Regulatory Authority: Usually appointed by a government, it should adopt adequate standards & enact laws / enforce regulations to ensure that service users aren't at risk. If the government itself is an avid fan or chooses to remain ignorant / oblivious, there won't be any regulation.
  2. Service Provider: It should assess its services and ensure that they're compliant with regulations as applicable to it. If there aren't regulations, it probably won't prioritize security, so long as its business isn't affected.
  3. Service User: Users should show diligence and ensure that using a service won't have unjustified risks. If users lack adequate awareness, little / no caution is going to be exercised by them.

As a Service User, I'd want to ensure that I'm careful about what I avail of, since my primary concern is the impact this will have on me, and not the other parties.

Whether or not FB tightens their security before their eventual demise is yet to be seen, but in the meantime, perhaps there should be a FB Security Awareness community providing security outreach services to the public to inform them?

Awareness is obviously the key here, although imparting it can be challenging. A campaign shouldn't be focused on Facebook itself --- else people might assume it's biased --- but on IT Security risks and their impacts, with references to Facebook.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Chuxing
Community Champion

WTF - Welcome to Facebook

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
JoePete
Advocate I


@CraginS wrote:

Facebook was telling users they had to provide the passwords to their external e-mail account to validate their FB accounts and keep using them:


This incident reminds me of a situation about a decade ago involving a hosting provider. I had started using this provider about five years earlier. They were great, of course, then they ended up getting bought up by a competitor who hadn't a clue, but plenty of money. I forget the exact situation, but they had some sort of breach and ended up locking out all the accounts with "weak" passwords. So when I called them up, I asked, "Well, how do you know what my password is?" and the guy proceeded to tell me that he had a form in which he typed my username and it spat back my password. So needless to say, they became my former hosting provider the next day.

Here's the thing: there is nothing proprietary to the value Facebook might offer its users. There are dozens of ways we can stay in touch with people we care about, most of them probably more substantive and personal than FB. Hence, what FB and the folks who have sunk billions into it are counting on for their survival is how it can leverage that user base. While we can dress it up however we want, the FB business plan inherently exploits its user base.
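The "form that spits back my password" in the story above is only possible when a provider stores passwords in a recoverable form. As an added example (editor's code, not from the post, the hosting provider, or Facebook), the block below puts that anti-pattern next to salted one-way hashing with Python's standard library. The point it makes is that the provider can still verify a login and still flag a weak password, but it does so from the plaintext the user submits at login time, never from what sits in storage. The usernames, the sample password, the short denylist and the iteration count are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# --- Anti-pattern from the story: the provider can look up and return the password. ---
# Constructed sample data; in real life this would be a database column.
PLAINTEXT_STORE = {"joe": "hunter2"}


def recover_password_insecure(username: str) -> str | None:
    """The 'form that spits back my password': only possible because the password
    itself (or something reversible to it) is what was stored."""
    return PLAINTEXT_STORE.get(username)


# --- Replacement: store a salt and a one-way hash, verify by recomputing. ---
ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor in line with OWASP guidance


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Return the record the provider should store. The password cannot be read back
    from it; an explicit salt is accepted only to make results reproducible in tests."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for the submitted password and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def is_weak(password: str) -> bool:
    """Minimal weakness check. It needs the plaintext, which the provider only has at
    signup or login time, so that is where the check belongs, not in a stored-password sweep."""
    denylist = {"password", "123456", "qwerty", "letmein"}  # constructed, illustrative only
    return len(password) < 12 or password.lower() in denylist


def login(record: dict, candidate: str) -> tuple[bool, bool]:
    """Return (authenticated, must_reset). Accounts with weak passwords get flagged at
    the moment the user proves the password, without the provider ever storing it."""
    ok = verify_password(record, candidate)
    return ok, ok and is_weak(candidate)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)  # salt + hash, no password
    print(login(rec, "correct horse battery staple"))  # (True, False)
    print(login(hash_password("hunter2"), "hunter2"))  # (True, True): authenticated, but must reset
```

The salt ensures that two users with the same password produce different records, `hmac.compare_digest` avoids leaking the match position through timing, and nothing in the stored record lets a support form hand the password back. A provider that needs to lock out weak passwords after a breach can do it the way `login` does: wait for the next successful login, judge the submitted plaintext, and force a reset then.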