Tips to secure Http Headers

Information you share on social media. Typical examples of information people share on social media:

Personal Information
  • Email.
  • Phone number.
  • Relationship status.
  • Photographs.
  • When and where you holidayed.
  • Who you know and have associated with.
Work Information
  • Previous and current work status.
  • Comments, opinions and other information regarding work colleagues and clients.
Recommendation

It is recommended that you are careful about the amount of information you share about yourself and with whom you share it. Without strict privacy settings anyone can see your Facebook profile information. In particular, check that your telephone number is not viewable by the public. Your address should also not be on Facebook; this information is already known to friends and family. All users should read and implement the Facebook settings shown in the following sections.

These sections outline where these settings are located and the main areas where security settings should be applied.


1.1 Facebook - Settings Menu

The main settings menu for Facebook is located in the top left of the screen. This is where you will access all the security related settings for your account.

Settings Menu

Recommendation

It is recommended that users access the “Settings” screen and begin a security audit of their account.


1.2. General Account Settings – Name

In the first section we can change the name associated with the account. This can be any name and does not have to be your real name.

General Account Setting

Recommendation

It is recommended that you choose a nickname that people who know you call you in real life.


1.3 General Account Settings – User name

When posting comments in public forums online, people sometimes choose to remain anonymous and use an online “alias” or pseudonym. This same strategy can be used on social media. Only those close to the person may be aware of the name used as an alias.

This is the name that appears on your timeline, for example:

  • https://www.facebook.com/joh.doe

This makes it easy to find an account belonging to someone if they are using their real name as their Facebook user name.

In “General Account Settings” the “user name” of the account can be changed to be different from the Name, for example:

  • https://www.facebook.com/nick.name

General Account Setting

Recommendation

It is recommended that you choose a name that people who know you are familiar with.


1.4 General User Account Settings – Passwords

This screen allows setting or updating the Facebook password.

A strong password should be at least 8 characters using numbers, letters and symbols. It should not contain common dictionary words such as “password” or keyboard sequences like “qwerty” or “abcd1234”.

It is good practice to use a different password for each social media account and email account. If the same or a similar password is used for all accounts, then if one account is compromised all the others can be accessed as well.
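The password rules stated above (at least 8 characters, letters plus numbers plus symbols, no common dictionary words such as “password”, no keyboard sequences such as “qwerty” or “abcd1234”) written out as a checker. This is an added example, not code from the original page or from Facebook; the small word list and keyboard rows are constructed for the example, and the sequence check is generalised to any run of four adjacent keys, forwards or backwards, on a row or in the alphabet or digit order.

```python
import string

# Rules from the page: at least 8 characters, a mix of letters, digits and
# symbols, no common dictionary words and no keyboard sequences.
# The word list and keyboard rows are constructed for this example.
COMMON_WORDS = {"password", "letmein", "welcome", "facebook", "admin"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "abcdefghijklmnopqrstuvwxyz", "0123456789"]
MIN_LENGTH = 8
SEQ_LENGTH = 4  # a run of 4+ adjacent keys counts as a keyboard sequence


def contains_sequence(pw: str) -> bool:
    """True if pw contains SEQ_LENGTH adjacent keys, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - SEQ_LENGTH + 1):
            run = row[start:start + SEQ_LENGTH]
            if run in low or run[::-1] in low:
                return True
    return False


def check_password(pw: str) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    low = pw.lower()
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    if contains_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, including the page's own bad examples.
    for candidate in ["password", "qwerty12!", "abcd1234", "Tr0ub4dor&3x"]:
        print(candidate, "->", check_password(candidate) or "OK")
```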

Passwords

Recommendation

It is recommended that you set a strong password, change it on a regular basis and do not reuse passwords from other sites.

It is also important that this password is kept in a secure location and is not shared with a third-party.


1.5 Signing out of social media / email

It is important to log out of social media. A third-party could gain access to your social media / email account if you have left your account open and the computer is accessible to others.

When you use a computer to sign-in to social media you will stay logged in to that account until the browser is closed.

If you do not log out of facebook.com, or you let your browser remember your password for social media, anybody with access to your PC can then access your Facebook page simply by typing facebook.com.

Recommendation

On a third-party or work computer:

  • Always sign out of social media / email accounts before closing the browser.
  • Make sure the browser is closed before leaving the computer.
  • Use a screen saver with a password.
  • If leaving the computer for a few minutes, lock the screen.

To lock the screen press the ‘Windows key’ and L.

Personal computer

  • The above points should be followed for a personal PC / tablet.
  • Always turn off your personal PC / tablet.
  • Know who has access to your personal PC / tablet.
  • Use a password on the PC / tablet.

1.6 Facebook - How to log out

Facebook will keep you logged in to a browser until you actively log out. This is due to small files called “cookies” which websites place in your browser to help them identify you.

What this means on a site like Facebook is that anybody with access to your PC will connect directly to your Facebook account when they launch the web browser and type in Facebook.


Recommendation

There are a number of methods to ensure your Facebook account does not stay logged in after you close the browser.

Method 1 - Log out of Facebook every time you have finished browsing. To do this click “Settings, Log Out”.

facebook logout

Method 2 - Use private browsing options.

This will stop the browser storing your login information and cookies. This is also the recommended way to access Facebook when using a third-party PC such as a friend's or work PC.

Private browsing in the Firefox browser is accessed with the browser menu option New Private Window.


1.7 General Account Settings – Contact

This setting allows you to choose your primary contact. This can be a phone number or an email. There is also an option to allow friends to include your email address in their download information.

facebook contact setting

Recommendation

It is recommended that you unselect “Allow friends to include my email address in Download Your Information”.


1.8 Security Setting – Login Alerts

Login Alerts

Select this option to get a text to your device when your account has been accessed from an unknown device.

facebook login alert

Recommendation

It is recommended that you choose to get notifications when your account has been accessed from an unknown location and that the notifications are sent to your mobile. It is important to check that the mobile number is your current daily mobile number.


1.9 Security Settings – Login Approvals - Setup Two Factor Authentication - 2FA

Facebook allows you to enable “Login Approvals”. This is commonly known as Two Factor Authentication. It is also known as 2 Step Authentication. It is used as a second layer of authentication.

What this means is that after entering your usual Facebook password from a new browser or device you will also be asked for a second code.

There are generally 3 options when using 2FA:

  • Receive a text message to your phone.
  • Use an app on your phone that will generate a new code each time.
  • Use a pre-generated list of codes.
Pre-generated code

Recommendation

It is recommended to enable “Login Approvals”. The option to receive a text to your phone is the easiest method for most people to setup.


1.10 Security Settings – Recognized Devices

Facebook has a setting for recognised devices. You won't get notified or have to confirm your identity when logging in from these devices. Typically, your mobile phone is in this list.

Recognized Devices

Recommendation

It is recommended that you review the “Recognised Devices” panel and make sure that any old mobile phones, tablets or PCs are not in the list.


1.11. Security Settings – Where You’re Logged in – Remotely Signing out of Facebook

It is possible to review which devices you are currently logged in on. Facebook has a setting to remotely log out of Facebook on these devices by selecting End Activity. This screen also shows previous logins on other devices, together with the location of the login device. In this case, the Facebook user is logged in in both the USA and Ireland.

To access this screen, select Security Settings, Where You’re Logged in.

Recognized Devices

Recommendation

It is recommended that you review the “Where you’re logged in” screen on a regular basis. Select “End Activity” for all devices that you do not own or use. You would typically be logged in on a phone and also on the PC from which you are accessing this screen.

Take note of the locations where the account was accessed and review whether they are locations you are familiar with; an unfamiliar location could indicate that a third-party has accessed your account.


1.12. Security Settings – Profile Picture Login

It is possible to use your profile picture to log in to Facebook on your current PC and browser. This option is intended for a shared, trusted PC. If this option is selected, anyone with access to your PC and browser could access your Facebook account by clicking the profile picture in the browser. It is best to disable this option.

Recent login

Recommendation

It is recommended that you turn off profile picture login on your account. This is accessed through Security Settings, Profile Picture Login.

Recent list

1.13. Privacy - Settings and Tools

Who can see my stuff

  • Who can see your posts.
  • Review all the posts and things you’re tagged in.
  • Limit the audience for posts you’ve shared with friends of friends and the public.

Who can contact me

  • Who can send you friend requests.

Who can look me up

  • Who can look you up using the email or phone number you provided.
  • Do you want search engines outside of Facebook to link to your profile.

Settings and Tools

Recommendation

It is recommended that you review each of the settings in “Privacy and Settings” and make sure that “Friends” is selected as the default option. In particular, check that your telephone number is not viewable by the public.


1.14. Privacy Settings and Tools – Who can Look me up

Your name could appear in a Google search as a result of information you have made public on Facebook. This feature is more appropriate for a special Facebook page created for an event. It is best not to enable this feature for a normal user.

Privacy Settings and Tools

Recommendation

It is recommended that you turn off the feature that allows search engines outside of Facebook to link to your profile. This setting is in “Settings, Privacy”.


1.15. Timeline and Tagging

By default in Facebook, friends and family can share information about you. This can include personal photographs, photographs you are ‘tagged’ in and personal information such as relationship status.

Friends and family can ‘tag’ you in their personal photographs. This can personally identify you to third-parties with access to social media pages of your friends and family.

This menu screen allows you to edit settings related to your Timeline and being “tagged” in photographs.

  • Who can add things to my timeline
    • Who can post on your timeline.
    • Review posts friends tag you in before they appear in your timeline.
  • Who can see things on my timeline
    • Review what other people see on your timeline.
    • Who can see posts you’ve been tagged in on your timeline.
  • How can I manage tags people add and tagging suggestions
    • Review tags people add to your own posts before the tags appear on Facebook.
    • Who sees tag suggestions when photos that look like you are uploaded.
Timeline and Tagging

Recommendation

It is recommended that you review the Timeline and Tagging options. The least-privilege option should always be chosen: either “Only me” or “Friends”.

The options for “Review post friends tag you in before they appear on your Timeline” and “Review tags people add to your own posts before the tags appear on Facebook” should be enabled.


1.16. Blocking

With the Blocking menu, there is a list of options to restrict or block access to your posts.

  • Restricted List – A friends list with restricted access to your posts etc.
  • Block Users – Allows you to block a user.
  • Block messages, app invites, event invites, apps, pages.

Blocking

Recommendation

It is recommended that the blocking feature is used for any contacts who have contacted you but whom you do not know. The person will not know that they have been blocked.


1.17. Mobile Settings - Lost Your Phone

There is a feature on this screen to remotely logout of the Facebook app on your phone if it is lost. This protects your account from unauthorized access.

Mobile setting

1.18. Mobile Settings – PIN

There is a setting for using a PIN when accessing Facebook on a mobile. If you enable this feature, you need to prefix every status-changing and friend-adding text message you send to Facebook with your selected PIN. This is to make sure that others cannot access your account by spoofing your phone number or borrowing your phone.

Mobile setting

Recommendation

It is recommended that this “Mobile PIN” feature is turned on. The PIN should be at least 4 digits in length.


1.19. App Settings

People who can see your information can bring it with them when they use apps. This information includes whether you are online, posts on your timeline, etc.

App setting

Recommendation

It is recommended that the categories of information shared are limited to the least privilege allowed. In Settings, Apps, Apps Others Use, users can select which categories of information are shared.