Perimeter
1/5/2010
08:00 PM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Facebook's Security Team Frustrates Cybercriminals

Though Facebook is one of the potentially most virulent platforms on the Internet, its security team is very talented, which makes life for cybercriminals all the more difficult.

Though Facebook is one of the potentially most virulent platforms on the Internet, its security team is very talented, which makes life for cybercriminals all the more difficult.A few nights ago, I received a message from a Facebook friend. Much like other scams I have blogged about (here and here) in the past, it wasn't really her.

In this particular case, it wasn't strictly a worm that had infected her account, but rather a Facebook spam operation. Malware stole her user credentials (username and password), and then in a separate operation used Amazon's EC2 to send a spam message to her friends by the use of Facebook Mobile.

Facebook has control of its systems, which are all owned by the social networking firm. On the surface, its security team should have the tools to combat cybercrime that the rest of us could only dream of. They can, in theory, have a complete view of what's going on, as well as the power to act on it.

When it comes to email, DNS, and other Internet services, incident response requires forensic investigation with access to many resources, and then an uphill battle to mitigate the threat. While Facebook has concerns about protecting legitimate users, commercial interests, and privacy concerns, all it needs to do (at least in theory) is have the right tools and the mandate to act.

How you distinguish between legitimate and malicious users is not always clear-cut. In the spam I received, the link was obfuscated. I had to reconstruct it myself in order to go to the spam site. How do you filter against links that are not clickable? Facebook will find a way; the very fact that spammers now use unclickable links demonstrates that Facebook's security team is doing a good job.

On top of building systems and scripts to make sense of the endless ocean of data and trying to stay ahead of criminals with every reason to misuse and abuse Facebook and its users, Facebook's security team is also proactive. They are open to new ideas. They run with them and create innovative solutions in what, at least from the outside, appears to be in record time. They engage the community and form relationships, which every day proves beneficial for mitigating threats. For a giant, they are surprisingly open and friendly.

The team seems to operate almost like a startup, while maintaining a long-term strategy: When called, they create immediate tactical solutions, like a special forces team. When responding to one of the first Koobface infections in 2007, they coded a solution overnight and removed malicious messages from millions of inboxes. I had the honor to coordinate the global incident response in that particular incident. Everyone involved, from antivirus vendors to ISPs, were happy with Facebook's responsiveness.

Unlike most security departments for large corporations, the Facebook security team is one of the first in the industry outside of service providers to bring the field of security operations to fruition. While many organizations have IDS experts and incident response personnel, their departments' main goal is usually risk analysis and policy. At Facebook, while these issues interest them, they are also much more technical.

They combine the security research team often found at security vendors, trying to research vulnerabilities and malware, with the security operations team often found at large network providers, performing incident response, correlating data, mitigating attacks, and communicating with others around the world.

I am not very pleased with Facebook itself for various reasons, ranging from its horrid privacy policy to the commercial gain it makes by turning a blind eye to applications making commercial use of what is otherwise private user information. But that does not change the fact that its security team is top-notch. I don't often write such glowing reviews of any organization, let alone one with so many security incidents, but I decided that for the new year, the people at Facebook security need to be recognized.

Let's not kid ourselves, though. With 350 million users and 1 million application developers, Facebook is an attractive target. And it's not a secure system, but its talented security team is having an impact. In the coming year, we can expect Facebook attackers to start making more use of applications to scam and infect users, as well as attacking Facebook via other infection vectors, such as email and other Websites.

Facebook, by its nature, is one of the worst security menaces ever created, but unlike other examples from history where sources of new technologies were oblivious to the problems, Facebook's security team is on the job (with special appreciation to Facebook security team members Ryan McGeehan and Alex Rice).

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.