Social Media security

Keeping yourself secure on the internet remains a very important component of our daily lives seeing as internet access is so ingrained in day-to-day activities. Think ride sharing, online banking, retail shopping, email and so on.

Social media specifically remains a prime attack vector for malicious activity, affecting many internet users’ security. Yet the majority of social media users either don’t know about the security controls available to protect their accounts or just don’t take an interest in this aspect of their online activities.

This will be a living blog post detailing security controls available to users from various social media services focussing on:

  • password management – password strength, uniqueness and rotation remain a critical component of online services
  • privacy – the controls available to users to specify what information can be shared, what can be seen by whom, and how to report issues
  • MFA – multi-factor authentication adds a second factor on top of the password, so that a compromised password alone is no longer enough to log in

We’ll start off by defining the above 3 aspects and then move into configuring specific social media services, beginning with Facebook.

Password Management

This is a general section that applies to any online service.

Password management (PM) remains one of the most critical aspects of any online service because the password is the main access method for all services. If your password is compromised, and you have no alternate factor, then the attacker will have access to your service profile and any information located there. Chaos ensues …

There are a number of issues with PM as practiced by most online service users:

  • strength – most passwords are of poor quality: short and lacking special characters or other complexity
  • uniqueness – many passwords are re-used across multiple services; if a password is compromised on one service, then the attacker has access to all other services that use the same password
  • rotation – passwords are kept in use indefinitely; compromised passwords will then continue to work for long periods of time
  • protection – passwords are not adequately secured resulting in potential compromise
  • password protection – although many services include controls to lock accounts based on incorrect login attempts and other aspects of the login process, these controls are very seldom used
  • password and MFA access – although most services have MFA capability, most users do not enable this function

Passwords are a pain in the arse – they are difficult to remember (if sufficiently strong/complex) and it’s almost impossible to remember multiple passwords (e.g. one per service). So how do we go about making PM easy? We use a password manager. Among other features, a password manager will:

  • generate strong passwords and maintain consistent password strength
  • generate a unique password for each service
  • securely store your passwords
  • make your password database available across multiple devices/systems
  • fill credentials automatically (e.g. auto-type)
  • store additional information securely (e.g. banking details)
  • securely share password access with others (e.g. family, business)
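To make the first two features concrete, here is an added example (not code from the original post, and not from KeePassXC or any other manager) of what a password manager does under the hood: it draws each password from a cryptographically secure random source, gives every service its own password, and can tell you how many bits of entropy a password of a given length carries. The service names and the 20-character default length are constructed assumptions for the example.

```python
import math
import secrets
import string

# Character set a manager would typically draw from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw `length` characters uniformly at random using the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    predictable PRNG and unsuitable for credentials.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def strength_label(password: str, alphabet: str = ALPHABET) -> str:
    """Coarse strength label based on entropy alone (assumes a random password).

    Thresholds are an assumption for this example, not a published standard.
    """
    bits = entropy_bits(len(password), len(alphabet))
    if bits < 40:
        return "weak"
    if bits < 80:
        return "adequate"
    return "strong"


def build_vault(services, length: int = 20) -> dict:
    """Return {service: password} with an independent password per service."""
    return {svc: generate_password(length) for svc in services}


def find_reused(vault: dict) -> dict:
    """Return {password: [services]} for any password used by more than one service.

    This is the 'uniqueness' check a manager runs over its own database.
    """
    by_password = {}
    for svc, pw in vault.items():
        by_password.setdefault(pw, []).append(svc)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


if __name__ == "__main__":
    # Constructed example services.
    vault = build_vault(["facebook", "online-bank", "email"])
    for svc, pw in vault.items():
        print(f"{svc:12s} {pw}  ({strength_label(pw)}, "
              f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    print("reused:", find_reused(vault) or "none")
```

Note that the entropy figure only applies to passwords generated this way; a human-chosen 20-character phrase has far less entropy than the formula suggests, which is exactly why the generation step is left to the manager.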

My recommendation for a password manager is KeePassXC, an offline manager. Note it can still be shared and made available online, but its ‘offline’ nature means that the manager itself can’t be compromised in the way an online password manager service could.

Typically, you will protect the manager access with one strong/complex master password, and then the manager will control all other service passwords. Only having to remember 1 strong password improves on password usability and management in a big way.

There are also a number of commercial online password management services available including 1Password, BitWarden and LastPass. YMMV so it’s up to you to decide which service suits your requirements.

Privacy

Another very important aspect of online security is privacy controls. These controls (specific to each service) generally provide you with methods of restricting how your information is managed within the service, including sharing, visibility and retention.

By restricting and controlling your information, you inherently improve your security posture.

MFA/Multi-Factor Authentication

MFA, also known as 2FA, provides a second component (the password is the first) to the login process. This second component is typically a short-lived code (a one-time password, OTP) that is generated on a device/system that only you have access to (e.g. a mobile device).

MFA significantly increases the security of the login process making it very difficult for attackers to compromise.

You will typically install an MFA app on your device, then register the 2FA/MFA profile for each online service. When you log in to a specific service, you consult the MFA app for the code for that service – if the code is valid, your login proceeds.

Facebook

The service we all love to hate. But Facebook do have a lot of controls to improve your security and privacy.

Your profile

The more information you provide in your profile, the more is available to attackers so try to limit what information you provide.

  • Select your name in the top right corner of the Facebook page
  • Select “Edit Profile” to the right of your name
  • Selectively add information (or remove as required)

Privacy controls

  • Select the down arrow in the top right corner
  • Select Settings & Privacy
  • Select Privacy Checkup
  • Select each of the Privacy Checkup guides in turn and update the settings as required

Security

  • Select the down arrow in the top right corner
  • Select Settings & Privacy
  • Select Settings
  • Select Security & Login from the left menu

Security – Password

  • Select ‘Login -> Change password’ if you want to set a new strong/complex password (remember to save your new password in your password manager)
  • Select ‘Login -> Save your login information’ and choose whether to stay logged into Facebook on specific devices

Security – MFA/2FA

  • Select ‘Two-factor authentication -> use two-factor authentication’ if you want to setup MFA for Facebook
  • Select ‘Two-factor authentication -> Authorised logins’ to review which devices you have logged into Facebook on – remove unused devices from the list

Security – additional

  • Select ‘Setting up extra security -> Get alerts about unrecognised logins’ and choose how to receive alerts

3rd party websites/apps

  • Select ‘Apps and websites’ from the left menu
  • Review (and remove) logins on sites that you no longer use

By using considered settings in the above, you can significantly improve your security posture for Facebook.

I’ll continue this blog post with additional online services at a later date so check back often.