Important security settings on Facebook

Information security is important. Remember that: Without security there is no privacy!Today, E-Crime Expert presents several security measures Facebook has in place for securing your private data and account.

1. Change your password (Frequently)

i. Log on your Facebook Account, go to (click) “Settings” (1)and then click on “Account settings” (2) from the fold down menu(Fig.1).

Fig. 1

ii. Go to and select the “General Settings” menu on the left and then click on the “Edit” tab from the Password field (on the right side of the page). See Fig.2.

Fig. 2

iii. Now, you have to follow the three steps bellow:
-type your current password (for security reasons);
-type your new password (check this blog post here on how to have a strong password);
-type your new password again.
Click “Change password” and your password will be changed. (Fig.3).

Fig.3.

iv. In order to be sure your password is effectively changed on all your devices, select the “Log me out of other devices” box, click on the “Submit” button from the displayed message that appears after you changed your password. That will enable you to sign out from all the devices you are automaticaley logged on. In this way, once you use them again, you will be prompted to type your new password. This is an extra security measure which enables you to protect your information if one of your devices got lost or stollen or when it is shared with other people (Fig. 4).

Fig. 4.

2. Check your active sessions

i. You can also check from where you logged on your account lately.
Click on the “Security settings” tab (see pictures above for how to get there) on the left and then go to the right-bottom of the page and select “Edit” from the “Active sessions” menu (Fig.5)

Fig.5

ii. Now, you can check from where you are logged on during the current session (top of the page) and also, you can check bellow from where you were logged on in your previous sessions.
*Note: if you notice that you appeared logged on from countries you never been or you have not been lately or from devices you do not use that means someone else logged on your account without authorization (Fig.6).
**If you notice any unfamiliar devices or locations, click ‘End Activity’ to end the session and automatically log out someone who’s using your account fraudulently.
Change your password immediately as explained under section 1 of this Blog post!

Fig.6

3. Secure browsing.

i. Go to “Security settings“, as explained above, find the “Login Notifications” menu and click “Edit“. (Fig.7)

Fig.7

ii. Then you can select either “Email” or “Text message“. Or you can always select both! Click “Save changes“.
This will enable you to be notified via email or text message when your Facebook account is accessed from a device that you do not recognize (Fig.8).

Fig.8

iii. Furthermore, you could set up a Log in approval used when login into your account from unknown devices.
Go to “Security settings” (see above) and from there to “Login approvals” (bellow to “Login Notifications”). Click “Edit” and then select the box that reads: “Require a security code to access my account from unknown browsers“. Don’t forget to click “Save changes“. Now you are set for receiving notifications or be prompted a code (that will be delivered via your email or text message as a one-time token) before logging into your Facebook account, from unknown devices (Fig.9).
In order to learn what an unknown or unrecognized device means, keep reading this post bellow.

Fig.9

4. Recognized devices.

You can always set up the devices of your choice when using Facebook.
Go to “Security Settings” (as explained above), click “Edit” on the “Recognized Devices” menu and see which your recognized devices are. Devices will be assigned to your account as recognized when you will first time log on your Facebook account (using a new password) from a certain device (You will be prompted with a message whether you would like to save a certain devices as a recognized device or not). Be careful; do not select as a “Recognized Devices” a computer from school, work, public library or hotel. For this reason and in order to check which are your recognized devices check that menu and see if the devices listed there are the one you trust. If not, you just simply click “Remove” on the right side of a particular device (for example when there is listed a device you used once in a library).
Don’t forget to click “Save changes” as usually (Fig.10).

Fig.10

5. Trusted friends

i. To get set up, visit your “Security Settings” (as explained above), where you can select three to five friends to be your trusted contacts.
Find “Trusted contacts” and click on “Edit” and then on “Chose trusted contacts“(Fig. 11).

Fig.11

ii. Type the names of 3-5 of your trusted friends. You can select them one by one.
Don’t forget to click “Confirm” (Fig.12).

To select good trusted contacts:

– Choose people you trust, like friends you’d give a spare key to your house.
– Choose people you can reach without using Facebook, ideally over the phone or in person, since you’ll need to contact them when you can’t log in.
– Choose more people to help you. The more friends you choose, the more people who can help you when you need it.

Fig.12

iii. As a security measures you’ll be prompted to introduce your account password (even if you are already logged on). Click “Submit” after you are done ( Fig. 13).

Fig. 13

iv. Immediately after, your trusted friends will appear under “Trusted Contacts“. You can now use them all, remove one or all if not pleased with your choice (Fig.14).

Fig.14

v. In order to make sure you are the one who made the selection of your trusted friends, Facebook sends you a message (check your mailbox linked to your Facebook account) confirming you added trusted friends (Fig.15).

If you did not do it, then someone most likely hacked into your account. Change your password immediately!

Fig.15

vi. Using Trusted Contacts

Once you’ve set up your trusted contacts, if you ever have trouble logging in, you’ll have your trusted contacts as an option to help. You just need to call your trusted contacts and let them know you need their help to regain access to your account. Each of them can get a security code for you with instructions on how to help you. Once you get three security codes from your trusted contacts, you can enter them into Facebook to recover your account.

With trusted contacts, there’s no need to worry about remembering the answer to your security question or filling out long web forms to prove who you are. You can recover your account with help from your friends.

***Note: If you have set up your secure browsing, login notifications and chose your recognized devices and you receive an email from Facebook notifying you that someone tried to log on your account on X day from Y location using Z device (and none of those are related to you), then Change your password immediately (as explained under section 1 of this Blog post), because definitely someone tried or succeeded to fraudulently log into your account! (See example in Fig.16).

Fig.16

Any questions can be submitted to: dan@e-crimeexpert.com
Additional information can be found at: http://www.e-crimeexppert.com
To find out more about Dan Manolescu, visit his LinkedIn page here.
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog

Beyond Data Protection – published today!

Dan Manolescu is glad to announce his contribution to the Beyond Data Protection book, published by Springer and available to the public from today, January 31, 2013. You could find Dan’s contribution under the “Data Protection Enforcement: The European Experience – Case Law” chapter.

 This book provides practical approach to address data protection issues in businesses and daily life. It also compares, contrasts and substantiates the different principles and approaches in Asia, Europe and America  and recommends leading best practices to practitioners and stakeholders based on divergent of technologies involved.

​I strongly recommend you to purchase this book considering the excellent material and contribution of several top scholars in the privacy and data protection fields.

You could find  more info about this book here.

This great opportunity would not have been possible without the tremendous work of Noriswadi Ismail, an excellent data protection and privacy scholar and practitioner. He is also the Mastermind behind Quotient Consulting, a boutique firm, which focuses on array of data protection and privacy consulting services such as: Data Diagnosis, Privacy Impact Assessment, Data Protection & Privacy Strategy, Training, Data Protection & Privacy Certification, Public & Private Consultations

In addition, Philipp Fischer’s contribution to this book is remarkable. Philipp is also an outstanding data protection and privacy scholar and professional and he is the CEO of SuiGeneris Consulting, which provides privacy and data security practice, data-use business models and how data flows generate profits. He has extensive underlying subject matter experience at the interface between information security requirements, data protection & – privacy law and economics; especially in information security, quality management, consumer protection, intellectual property, software programming and risk assessment. That enables him to provide strategic business consulting on all aspects of information policy, including privacy, information security and records management.

Last but not least, E-Crime Expert signed  strategic partnerships with Quotient Consulting (with subsidiary in London, UK), and withSuiGeneris Consulting (based in Munich, Germany).

 If you have additional questions, please contact us: dan@e-crimeexpert.com

Password Authentication security: using HASH and SALT

E-Crime Expert presented sometime ago, a video tutorial (click here) on how to create strong passwords. That material it was addressed to regular users.

Today, E-Crime Expert  tries to help regular users understand (not the  information security professionals), how HASH and SALT help protect their passwords in a database (e.g. online stores, web applications, email-service providers, online service providers, etc). 

I. HASH

The HASH value is common for password authentication and security that stores only a “hashed” form of the plaintext password. When a user types in a password on a such system, the password handling software runs through a cryptographic hash (e.g. readable data like a name, transformed into a fixed-size bit string like a combination of random letters and numbers) algorithm, and if the hash value generated from the user’s entry matches the hash stored in the password database, the user is permitted access.

The password itself is not stored in a database but just the hash. Once the user enters the password in a database, the authentication software compares the user’s corresponding hash (for his password) to the exiting hash in the database. If they match, the user is granted access.

Example:

                                    Password:        Dan

Cryptographic hash function:       ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4

The above hash is the corespondent for the user’s password (which is never stored into the database)

Note: the hash string provided above is pure illustrative.

This information security technique is useful for staying protected against dictionary attacks (dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying likely possibilities, such as words in a dictionary).

II.    SALT

When using cryptography for authentication purpose, SALT consists of random bits (random sequence of numbers and letters), creating one of the inputs to a one-way function (this function makes easy for an authentication software to recognize the legitimated sequence of numbers and letters attached to a password but hard for a hacker to guess these bits by inverting the letter and numbers string). The other input is usually a password or passphrase (which is hashed).

Usually the simple SALT comes before the HASH but when double SALTING there will be one SALT before the HASH (password transformed in a bit string) and another after the HASH.

 Example:

          Password:    Dan

              HASH :      ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4

Adding…SALT:     (SALT) aB1cD2eF3G + (HASH) ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4  =  aB1cD2eF3G ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4

Double SALTING:   (SALT) aB1cD2eF3G + (HASH) ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4  +(Different SALT) Ba23Dg54R9G = aB1cD2eF3G ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4   Ba23Dg54R9G

Note: the HASH string and SALT provided above are pure illustrative

Without a SALT, a successful SQL injection (it is a code injection technique that exploits a security vulnerability in a website’s software to retrieve the database contents to the attacker) attack may yield easily crackable passwords. Because many users re-use passwords for multiple sites, the use of a salt is an important component of overall web application security. The benefit provided by using a salted password is also making a lookup table assisted dictionary attack against the stored values impractical.

SALT also makes brute-force attacks (the technique for checking all possible keys until the correct key is found in a database) for cracking large numbers of passwords much slower. Without salts, an attacker who is cracking many passwords at the same time only needs to hash (the random bit string) each password guess once, and compare it to all the hashes. Using SALT, each password will likely have a different bit; so each guess would have to be hashed separately for each SALT, which is much slower since hashing is generally computationally expensive.

Note: This Article is not intended to offer advice to information security professionals but to help regular readers/users understand how their passwords are protected when using online stores, online services, web-based applications, etc, by presenting a basic and general concept of these key features used for authentication security).

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog

Data protection glossary (part 3)

This is the last post of a series brought you by E-Crime Expert, that aims to make the readers and data subject familiar to the most common terminology in order to better understand and protect their personal data and privacy.

You could read the first post here and the second post here.

(R) Reliability (Information Security)

Reliability is the property of consistent intended behavior and results.

Residual Risk (Information Security)

Residual risks are the risks that remain after risk treatment or, in other words, after protective measures were introduced.

Right of rectification

Anyone can have incorrect data relating to him rectified free of charge, and have other data erased if they are irrelevant, incomplete or prohibited, or have the use of those data prohibited. If the controller does not react, the data subject may address the Commission, which will attempt to mediate. The data subject may also submit a complaint to the judicial police.

Right to object

You may always object to the use of your data, provided that you have serious reasons for this. You cannot object to a data processing operation that is required by a law or a regulatory provision, or that is necessary to perform a contract you have entered into. However, you always have the right to object to the illegitimate use of your data and can always object free of charge and without justification if your data are processed for direct marketing purposes.

To object you have to send a dated and signed request, including a document proving your identity (for example a copy of your identity card) to the controller by letter or by fax (a request by e-mail is only accepted with an electronic signature). The request can also be submitted on the spot. The controller then has one month to reply. If he fails to do so or if his reply is not convincing, you can address the Commission, which will try to mediate. You can also take your case to court.

Risk (Information Security)

A risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (for example a virus deleting a file). It is measured in terms of a combination of the probability of an event and its consequence.

A risk is characterized by two factors: the probability that an incident will occur and the gravity of the potential direct consequences and the indirect impact.

The risk can also depend on time: the situation can become worse after an incident if adjusting measures are not taken in time (for instance a software glitch infecting a database, spyware retrieving passwords, encrypted codes or pin numbers). That way, an innocent incident can have disastrous consequences.

Risk Management (Information Security)

Risk management identifies the most important risks and distinguishes between the risks that have to be taken care of and acceptable risks. It uses security resources that deal with the dangers for personal data according to a scale of priorities. The risk management process constitutes a cycle that is repeated depending on the particular characteristics of the systems and the identified risks. Risk management results in final processes and an updated security policy, and often also in adaptations to the organization and its procedures in order to better take into account possible new risks, as well as the measures that have been taken.

(S) Safe Harbor Principles

In consultation with the European Commission, the American Department of Commerce elaborated the Safe Harbor Principles, intended to facilitate the transfer of personal data from the European Union to theUnited States. If companies make a statement to the American Department of Commerce agreeing with these principles and declaring they are prepared to respect them (meaning, among other things, that the American Federal Trade Commission can check whether theyr respect these principles), they are considered as companies ensuring adequate safeguards for data protection.

Security measures (Information Security)

Security measures, also called “protective measures” or “security controls”, are procedures or decisions that limit risks. Security measures can be effective in several ways: by lessening possible dangers, correcting vulnerabilities or limiting the possible direct consequences or indirect impact. It is also possible to work with time: if incidents are traced better and sooner, action can be taken before the situation gets any worse.

Sensitive data

Certain personal data are more sensitive than others. An individual’s name and address are rather innocent data, but this does not hold true for his political opinions, sexual preferences or judicial past. The Privacy Law regulates registration and use of those sensitive data more strictly in comparison with other personal data.

Sensitive data relate to race, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, suspicions, persecutions and criminal or administrative convictions. In principle, processing such data is prohibited.

Standard Contractual Clauses

For persons wishing to transfer data outside the European Community, the European Commission has elaborated standard contractual clauses, which allow for a data transfer meeting the European legal conditions for data protection (article 25 ff of Directive 95/46/EC). In other words, the parties signing these contracts are considered as parties ensuring adequate safeguards for the protection of privacy.

(T) Threat (Information Security)

A threat is any unexpected event that can damage one of the enterprise’s assets and therefore prejudice personal data protection.

There are environmental threats (fire), technical threats (system failures) or human threats.
Human threats can be accidental (mistakes, forgetfulness, unadapted procedures) or intentional (harmful intent, intrusion, theft), internal (dissemination of information) or external (espionage).

(U) Unambiguous, free and informed consent

Consent is understood:

• to have been freely given. In other words, the data subject was not pressurised to say “yes”;
• to be specific, meaning that the consent relates to a well-defined processing operation;
• to be informed. The data subject has received all useful information about the planned processing.

It is not necessary for the consent to be given in writing, but oral consent does create problems with the burden of proof in case of difficulties.

(V) Vulnerability (Information Security)

Vulnerability is the weakest link of an asset or a group of assets that can be exploited by one or more imminent dangers (developer’s mistake, wrong installation). In most cases vulnerability is due to the fact that an asset is not sufficiently protected, rather than to the asset itself.

Vulnerability in itself is not harmful to the organization. Only when an imminent danger can accidentally use the vulnerability and possible special circumstances, a damaging incident can occur.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Are you used to this terminology? Do you find it useful?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.