Sophos slams Facebook over security measures

Security vendor Sophos has taken social networking giant Facebook to task over the rise of cyber crime on the site.

In a blog posting this week, the company's senior technology consultant, Graham Cluley, pointed to continued failings by the security team at Facebook to implement improved measures, despite continued discussions between the companies.

"Every day, victims report to us numerous incidents of crime and fraud on Facebook," he wrote. "They have been personally affected and are desperate for advice on how to deal with the consequences."

While Cluley welcomed the recent implementation of a hypertext transfer protocol secure (HTTPS) version of the website, he said it was turned off by default.

"Facebook only commits to provide a secure connection 'whenever possible'. It should enforce a secure connection all the time, by default."

The network, which attracts more than 500 million active users, has previously been criticised for not offering the secure HTTP feature by default.

Without this protection, he said, users would be at risk of losing personal information to hackers.

Users should also be offered privacy by default.

"Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on," he wrote.

In addition, Cluley said it was "far too easy" to become a developer on Facebook, increasing the risk of rogue or malware-ridden applications on the network. Instead, he suggested an approval process that would vet third-party developers and block potentially harmful ones from publishing to the site.

The comments come in the wake of fake game applications spreading quickly to take advantage of cultural phenomena like the Twilight movie franchise across Facebook. Recent spates of malware on the site also include automatic tagging of users in nude pictures.

At the time of the Twilight-based scam, Sophos Asia Pacific head of technology, Paul Ducklin, warned that cyber criminals could come back later with the application and mine the user's account or post information to their friends.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU


Copyright © 2011 IDG Communications, Inc.
