Education
Facebook Survey
by Alex on Dec.08, 2009, under Education, Facebook, Web App Sec
Facebook Application Security For the User:
A Brief Introduction
Alex Fernandez-Gatti
Eastern Michigan University
College of Technology
Information Assurance Department
Ypsilanti, Mich
Disclaimer:
This document is intended to be a brief introduction to Facebook application security as it relates to user data and the confidentiality of said data. It does not cover all aspects of Facebook security, or Facebook applications. Please do not take it as such.
This document has been written as part of a research study for Eastern Michigan University. All content is the property of the author of the study, who must be contacted prior to use in other mediums.
Author Information:
Alex Fernandez-Gatti
(248)232-3377
afernan4@emich.edu
Facebook has become the unequivocally dominant container of information volunteered by users of its service like you and me. Status updates, e-mail addresses, phone numbers, birthdays, pets’ names, siblings, favorite colors, interests, and significant others are broadcast on one’s personal space, which is maintained by the individual it describes. We shout this information to the world and never stop to think what we are telling people about ourselves. Whether it is our friends, an advertiser, an insurance agency, or a potential employer, this information is available to the public if one does not take the proper precautions to protect it. A majority of us have heard this speech before and have taken the proper precautions of locking down certain albums from Mom and Dad, blocking our ex-boyfriends and ex-girlfriends, and sharing only what we think isn’t personally damaging in the here and now. But there’s something more that most of us haven’t taken a look at before, and that’s what the applications we use can do with our information.
In August of 2009 the ACLU (American Civil Liberties Union) created a Facebook quiz application that asked users a series of questions about their knowledge of privacy regarding Facebook applications; over 8,000 participants volunteered to take it. Contained within the quiz were various bits of information that were pulled from the user’s account, whether it was marked as private or not. The methodology for doing this is quite simple, and the developer of the application simply stores the data for use in whatever way they desire. A developer may want to store this information to get a picture of who his audience is so he can charge a higher price to advertisers for the space, or advertisers may collect this data and use it to advertise other products. There is unlimited potential for the gathered information to be used in ways that were originally unintended. The consequence of this information leak is that control over the information is lost.
The results of this research helped fuel a program within Facebook to change the default privacy settings and allow users to control their information more effectively. As it stands, though, if the user is using any application built on the Facebook application platform that does any data collection, the user is not able to totally opt out of sharing information through the Facebook Platform. The only method to totally opt out is to remove all applications from one’s profile and then complete the opt-out process. While not perfect, this is a vast improvement from where it was.
Facebook hosts a plethora of information on each of its users, all of it volunteered. Facebook does not, however, ask users to change their privacy settings on a consistent basis. And while it is not uncommon knowledge that privacy settings by default are not very private, a good exercise for any Facebook user would be to verify that their account has the level of privacy they desire.
Privacy Settings Location:
1. When logged into your Facebook account, hover your mouse over the word “settings” at the top of the page.
2. Select the word “Privacy”.
3. Click on the fourth selection “Applications”
4. Select the “settings” tab above the text displayed on your screen.
5. Verify that the privacy options are as you would like them.
Click here for the 2 question Survey! Please take this, it’s only 2 questions and will help me graduate! Your support is greatly appreciated!
Woot!
by Alex on Nov.15, 2009, under Education, Security
It’s official! I’m teaching NITA 379 – Ethical hacking at Eastern Michigan University in the winter semester of 2010!

Masters Degree?
by Alex on Aug.27, 2009, under Education
A few days ago I was given an offer to get my masters degree for free essentially if I teach a few classes while I’m doing it. The pay would not be good by any stretch of the imagination so I would most certainly have to get a good job to go along with this, which is not a big deal at all. With the contacts I have I’m sure I could get something that will make me happy and financially stable while I do the masters program. Both teaching and getting a masters degree are pretty attractive to me at this point in my life, but I would be sacrificing some very good job opportunities that could lead to a few great careers so I’m stuck and having trouble figuring out what the hell I’m going to do…
Masters of Science in Information Assurance @EMU Pros:
1. A Masters degree of any form is a damn good thing on a resume in a time where BS’s and BA’s are becoming commonplace.
2. To get the masters degree I wouldn’t have to take all that many more classes, maybe a year and a half at most.
3. I will have the support of an educational facility to continue my research.
4. I am already familiar with the faculty members and have an easier time getting things done than if I were to go to another university like Indiana U or Purdue.
5. EMU’s IA program has a lot of very useful and nice connections that are very interesting.
6. I have helped build EMU’s IA program, influenced it, watched it evolve, and grow from a tiny 40 student program to over 200 students now. Currently I’m helping to design and build the new lab, and frankly I want to see my baby grow. It would be very intrinsically rewarding to see new students come in, teach them, watch how they utilize the lab, and see the creativity flow.
7. I already know that I will be a lifelong student, this new development seems to be a chance to both get paid, and further my education to a higher level degree at the same time while doing something that I love.
Masters of Science in Information Assurance @EMU Cons:
1. Finances may be rough, teachers do not make much, and while I know I can find a good job, masters work is pretty intense.
2. Opportunity knocks once, if I pass up a kick ass job today will I have that same opportunity after the masters program?
3. Will the state of cyber security be the same in the future or is Obama’s cyber security initiative a bunch of PR bullshit?
The pros are pretty powerful, but I have to admit that in this economy passing up a kick ass job scares the bejesus out of me. I’ve been told that it will work out, and yes I feel that is true, I just wonder how it will work out.
I’d appreciate any comments from anyone on this.