VAR: Sophos Criticism Of Facebook Security 'Misses The Point'

Facebook's often-criticized lack of security and privacy has finally compelled a security company to call it out to fix it. But one security solution provider argues that demanding the social network lock down its own network "misses the point."

In an open letter to Facebook on Monday, Graham Cluley, senior technology consultant at Sophos, gave it to the social networking giant straight. He said its security and privacy leave a lot to be desired and it's up to the company to make it better.

"Every day victims report to us numerous incidents of crime and fraud on Facebook," wrote Cluley in his letter. "They have been personally affected and are desperate for advice on how to deal with the consequences."

But Cluley didn't appear eager to criticize without suggesting possible solutions, recommending three major changes Facebook could implement to further enhance its security posture and protect its users from the risk of malware and phishing attacks.

For starters, Sophos strongly recommended that Facebook quit sharing users' information without their explicit consent. They could do this by creating an opt-in feature allowing users to consciously and willingly share their information as opposed to an opt-out feature, Cluley said.

"Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on," Cluley said.

Another preventative measure Facebook could take is to more closely scrutinize its developers, Cluley said, insisting that only thoroughly vetted and approved third-party developers be allowed to publish apps on a platform shared by more than half a billion users.

"With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams," Cluley said.

Finally, Cluley suggested that Facebook further ensure its users' security by making HTTPS the default option.

"Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?" Cluley said.

However, not everyone agrees with Cluley's recommendations. Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based solution provider, says that, "Cluley makes good points, but also misses the point. Security needs to understand the business model, before it can start lecturing about improvements."

Next: Facebook Business Model Inherently Not Secure, VARs Say

Plato said that Cluley, like many security researchers, often makes the mistake of imposing a rigid security paradigm on organizations without considering their business model -- often rendering moot many of the subsequent demands related to security.

"It's been clear since the day it was founded that Facebok uses a viral model for growth," Plato said. "In other words, the site grows by spreading from one person to another via their connections. To walk in and say 'that's a bad thing to do, stop it so people can be secure' is tantamount to telling everybody in a church that their religion is wrong. They are not going to respect that."

To enhance Facebook security, Plato instead suggested that the social networking giant make security controls simple and usable and impose better policing on developers by "allowing anyone to be a developer, but if they violate a simple set of privacy rules, bounce them out and delete all their apps and data."

For his own customers suffering from Facebook issues, Plato says that he presents them with basic security guidelines for use, but is also realistic about their ultimate implementation.

"The reality that probably most companies face is that they do absolutely nothing about Facebook usage until there is a serious breach," he said. "Develop some acceptable usage rules and disseminate them to users before there is an issue."