web analytics

Group Therapy – security and privacy in Facebook groups – Source: securityboulevard.com

group-therapy-–-security-and-privacy-in-facebook-groups-–-source:-securityboulevard.com
Rate this post

Source: securityboulevard.com – Author: David Harley

Having found myself roped into assisting as co-administrator a couple of Facebook groups with security/privacy issues, I thought I should, perhaps, share what little I know about defending your group against scam and spam posts and comments by tightening up group settings.

Caveat: I’ve never really wanted to spend a lot of time administering Facebook groups – in fact I’ve only created one myself that is still active, and I’ll tell you why later – and I haven’t made a lifetime study of the subject. Not even Facebook’s lifetime, let alone my own, which at present is many times longer than Facebook’s. It’s possible, therefore, that I’m not always accurate in my assumptions, and also that an assumption that was accurate when I wrote this was rendered false by changes made by Facebook the day after. But I’ll be as painstakingly accurate as I can. As usual.

Facebook tends to assume that your main ambition and purpose in life is to grow your group at all costs, and preferably devote several hours a day to that task. In fact, there are two main types of groups: private and public.

https://www.facebook.com/help/220336891328465/

Private Groups

A private group is one where only members of the group can see posted content and who are the admins. Furthermore, a private group can be hidden (secret) so that (hopefully) no one can see the group unless they’re already members, or are invited to join. This gives the administrator(s) something close to absolute control over who posts and what is posted, and is particularly appropriate for groups where sensitive information is exchanged. The more tightly controlled the group is, the harder it is for fake profiles to join.

That said, it’s a good idea to remember that Facebook sees everything (or can if it wants to), and is not always scrupulous when it comes to maintaining your privacy: even if/when that’s the company’s intention, it can make mistakes, and its policies and algorithms are generally opaque.

https://www.facebook.com/help/220336891328465/

The trade-off with a private group is that if you’re intending to grow your group, it’s harder for someone who might be interested and an appropriate potential member to happen across it and apply to join.

If you’re attracted by the privacy advantages of a private group and are considering making your public group private, bear in mind that once you’ve gone that route, you can’t revert it to a public group, because that constitutes a breach of the group members’ privacy.

https://www.facebook.com/help/286027304749263?helpref=faq_content

Formerly, this restriction only applied to groups with over 5,000 members, but now applies wholesale.

I don’t administer any private groups, so I shan’t risk any hostages to fortune by considering their privacy settings in detail. It’s worth noting, though, that while even Facebook’s own help pages sometimes contradict each other, it does seem as though there are other restrictions on large (5,000+) groups, such as how often and how many privacy changes can be made.

If this page – https://www.facebook.com/help/214260548594688/ – is still accurate, the settings you can change include enforcing membership approval by an admin or moderator for each subscription request. You can also require the requester to answer one or more questions and base your decision on whether or how the question(s) is or are answered.

Public Groups

Fortunately, since I was first pressganged into helping administer a group, some of the privacy settings formerly unique (as far as I know) to private groups are now available to public groups. While the enforced changes caused some confusion and consternation at first, they seem to me to be an improvement, on the whole. (Gosh, am I saying something positive about Facebook???) Since public groups are, by definition, easier to find, join and share than closed or secret groups, even the most open-by-intent group needs to think about its privacy settings if it’s to avoid some of the unpleasant spam/scam material that may be posted to a group if settings allow. Such material includes, but is certainly not limited to the following, more often than not posted from fake or cloned profiles:

  • Sympathy scams like the posts described here: https://chainmailcheck.wordpress.com/2023/05/13/abusing-communities/
  • Pornographic images, often masquerading as videos, that may attract group members to unhealthy links. These may be intended to trick you into giving away sensitive information, but they may also be intended to upload malware to your device.
  • Fake news about dead or disabled celebrities, again leading to dangerous links.
  • Posts about alleged offers by retailers such as supermarkets giving away coupons or even cash.
  • Recommendations for product links that are at best irrelevant, possibly malicious.

And much more, but I’m not making a special effort to track all these: the above examples are just items that have crossed my radar recently.

When I actually created a group – at any rate, one that is still active – it was in order to replace a page that was becoming increasingly frustrating to administer due to changes introduced by Meta that were overcomplicated, bug-ridden, and based on the assumption that I was running it as a commercial enterprise and constantly needed reminding to take actions that would increase my visibility and non-existent profits (usually by paying Meta for a service I didn’t want). Fortunately, I discovered that I could maintain some visibility (in fact, a public group is required to be visible, not secret) and still get most of the control I wanted. Sorry, but if you want more information on maintaining the security and privacy of Facebook pages, you’ll have to look elsewhere. (Life’s too short: well, mine is probably going to be, and there are other things I want to write about.)

Here’s a selection of the most relevant settings.

  • Participant Approval – if this is off, anyone on Facebook can post or comment, and group members can join chats. (One of the issues I’ve seen kill a group recently was fake profiles posting porn/scam links to chats linked to the group.) If it’s on, however, members and visitors must be approved to post or comment, and only (approved) members can participate in chats.
  • You can also allow both profiles and pages to contribute, or else just profiles. Since some scams are driven by pages masquerading as profiles (only an admin can post to a page, so it’s difficult to flag a scam actually posted on the page), there’s something to be said for not allowing pages. But profiles can, of course, be fake.
  • You can ask up to three questions and invite anyone requesting approval as a member or visitor to answer them: if they don’t answer or answer inappropriately, you can decline to approve them, if Participant Approval is on.
  • You can choose whether or not to allow anonymous posts and edits. My guess is that this will be more desirable in some groups than others: sometimes it’s fair to be reluctant to be identified, but sometimes that privilege can be abused.
  • You can require an administrator or moderator to approve all posts. Clearly, this could be a lot of work in a popular group, but allows control of obviously malicious posts.
  • You can set it so that potential spam posts and comments are held for your approval as an admin.
  • You can set it so that edits to posts must be approved: this helps to address cases where an approved post is edited maliciously by changing a link from something innocuous to something harmful.
  • You can set it so only admins and moderators create chats, or you can set it so that approved members can also create chats.
  • You can allow or disallow whether events, tag events, polls or GIFs can be posted.

NB: the more relaxed your settings, the more you’ll need to set your notifications so that you get to see everything incoming and remove as necessary. Irritating if you happen to have a life outside Facebook, but there it is.

Note also that you can also notify Facebook in many cases for them to run a review: however, if their algorithms are not up-to-scratch (impossible, do I hear you say?) you may find that the thing pops up again and you get a message telling you that the post or comment didn’t contravene their community standards. Sigh…

David Harley


Reluctant FB Group Administrator

*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2023/12/23/group-therapy-security-and-privacy-in-facebook-groups/

Original Post URL: https://securityboulevard.com/2023/12/group-therapy-security-and-privacy-in-facebook-groups/

Category & Tags: SBN News,Security Bloggers Network,David Harley,facebook,Scams – SBN News,Security Bloggers Network,David Harley,facebook,Scams

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Apress
Jump-start Your SOC Analyst Career – A Roadmap to Cybersecurity Success by Apress
Jump-start Your SOC Analyst Career...
FIRE EYE
The Cyber Risk Playbook – What boards of directors and executives should know about Cyber Risk by FireEye.
The Cyber Risk Playbook –...
Unbound Security
The Cybersecurity Acronym Book
The Cybersecurity Acronym Book
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
Marcos Jaimovich
Presentación “ModoSOC in Real Life” por Marcos Jaimovich en SEGURINFO Chile 2022.
Presentación “ModoSOC in Real Life”...
IBM Security
How much does a data breach cost in 2022? IBM Cost of a Data Breach 2022 Report by IBM Security
How much does a data...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...
Forrester - Allie Mellen
Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR – EDR Is Dead, Long Live XDR by Allie Mellen – Forrester
Adapt Or Die: XDR Is...
CYBER LEADERSHIP INTITUTE
CISO PLAYBOOK: FIRST 100 DAYS Setting the CISO up for success
CISO PLAYBOOK: FIRST 100 DAYS...

LASTEST PUBLISHED POSTS

National Security Agency
CSI Cloud Top10 Key Management
CSI Cloud Top10 Key Management
CSA Cloud Security Alliance
Defining the Zero TrustProtect Surface
Defining the Zero TrustProtect Surface
HANIM EKEN
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CNIL
PRACTICE GUIDE GDPR – SECURITY OF PERSONAL DATA Version 2024
PRACTICE GUIDE GDPR – SECURITY...
PWNED LABS
Cloud Security Engineer Roadmap
Cloud Security Engineer Roadmap
tutorialspoint.com
Cloud Computing Tutorial Simply Easy Learning
Cloud Computing Tutorial Simply Easy...
SMITHA SRIHARSHA
CISSP Preparation Notes
CISSP Preparation Notes
CISSP Mind Map: All Domains
CISSP Mind Map: All Domains
Lansweeper
CIS 18 CRITICAL SECURITY CONTROLS CHECKLIST
CIS 18 CRITICAL SECURITY CONTROLS...
Semaphore
CI-CD with Docker and Kubernetes
CI-CD with Docker and Kubernetes
EC-MSP
BUSINESS CONTINUITY PLAN & DISASTER RECOVERY PLAN TEMPLATE
BUSINESS CONTINUITY PLAN & DISASTER...
PWC
Building a risk-resilient organisation
Building a risk-resilient organisation

More Latest Published Posts

40 under 40
40 under 40 in CyberSecurity 2024
40 under 40 in CyberSecurity 2024
HADESS
40 Days in DeepDark Web About Crypto Scam
40 Days in DeepDark Web About Crypto Scam
Everbridge
8 Principles of Supply Chain Risk Management
8 Principles of Supply Chain Risk Management
CHAOSSEARCH
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
ENDGAME
The Hunters Handbook Endgame’s Guide to Adversary Hunting
The Hunters Handbook Endgame’s Guide to Adversary Hunting
THE EU’S MOST THREATENING by EUROPOL
THE EU’S MOST THREATENING by EUROPOL
National Cyber Security Centre
Responding to a cyber incident – a guide for CEOs
Responding to a cyber incident – a guide for CEOs
IGNITE Technologies
CREDENTIAL DUMPING
CREDENTIAL DUMPING
HADESS
Pwning the Domain Lateral Movement
Pwning the Domain Lateral Movement
Jorgen Lanesskog
PING Basic IP Network Troubleshooting
PING Basic IP Network Troubleshooting
TELESOFT
Layer 7 Visibility What are the Benefits?
Layer 7 Visibility What are the Benefits?
TIGERA
Introduction to Kubernetes Networking and Security
Introduction to Kubernetes Networking and Security
Department of Defense's (DoD)
Defense Industrial Base Cybersecurity Strategy 2024
Defense Industrial Base Cybersecurity Strategy 2024
Dummies
Zero Trust Access for Dummies Fortinet
Zero Trust Access for Dummies Fortinet
Homeland Security
Zero Trust Implementation Strategy
Zero Trust Implementation Strategy
National Australia Bank Limited
Your Business and Cyber Security
Your Business and Cyber Security
CYFIRMA
Xeno RAT- A New Remote Access Trojan
Xeno RAT- A New Remote Access Trojan
IGNITE Technologies
Windows Persistence COM Hijacking MITRE T1546 015
Windows Persistence COM Hijacking MITRE T1546 015
IGNITE Technologies
Windows Exploitation Rundll32
Windows Exploitation Rundll32
IGNITE Technologies
Windows Exploitation Msbuild
Windows Exploitation Msbuild
HADESS
Web LLM Attacks
Web LLM Attacks
HADESS
Trended Protocols for Security Stuff
Trended Protocols for Security Stuff
Red Iberoamericana de Protección de Datos
Transferencia Internacional de Datos Personales – Guia de Implementación
Transferencia Internacional de Datos Personales – Guia de Implementación
CYFIRMA
TRACKING RANSOMWARE January 2024
TRACKING RANSOMWARE January 2024
https://www.linkedin.com/in/harunseker/
TOP Cyber Attacks Detected by SIEM Solutions
TOP Cyber Attacks Detected by SIEM Solutions
TRAVARSA
Top 100 Cyber Threats and Solutions 2024
Top 100 Cyber Threats and Solutions 2024
Top 50 Cybersecurity Threats
Top 50 Cybersecurity Threats
OWASP
Top 10 Considerations for Incident Response
Top 10 Considerations for Incident Response