Perimeter
1/5/2010
08:00 PM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Facebook's Security Team Frustrates Cybercriminals

Though Facebook is one of the potentially most virulent platforms on the Internet, its security team is very talented, which makes life for cybercriminals all the more difficult.

Though Facebook is one of the potentially most virulent platforms on the Internet, its security team is very talented, which makes life for cybercriminals all the more difficult.A few nights ago, I received a message from a Facebook friend. Much like other scams I have blogged about (here and here) in the past, it wasn't really her.

In this particular case, it wasn't strictly a worm that had infected her account, but rather a Facebook spam operation. Malware stole her user credentials (username and password), and then in a separate operation used Amazon's EC2 to send a spam message to her friends by the use of Facebook Mobile.

Facebook has control of its systems, which are all owned by the social networking firm. On the surface, its security team should have the tools to combat cybercrime that the rest of us could only dream of. They can, in theory, have a complete view of what's going on, as well as the power to act on it.

When it comes to email, DNS, and other Internet services, incident response requires forensic investigation with access to many resources, and then an uphill battle to mitigate the threat. While Facebook has concerns about protecting legitimate users, commercial interests, and privacy concerns, all it needs to do (at least in theory) is have the right tools and the mandate to act.

How you distinguish between legitimate and malicious users is not always clear-cut. In the spam I received, the link was obfuscated. I had to reconstruct it myself in order to go to the spam site. How do you filter against links that are not clickable? Facebook will find a way; the very fact that spammers now use unclickable links demonstrates that Facebook's security team is doing a good job.

On top of building systems and scripts to make sense of the endless ocean of data and trying to stay ahead of criminals with every reason to misuse and abuse Facebook and its users, Facebook's security team is also proactive. They are open to new ideas. They run with them and create innovative solutions in what, at least from the outside, appears to be in record time. They engage the community and form relationships, which every day proves beneficial for mitigating threats. For a giant, they are surprisingly open and friendly.

The team seems to operate almost like a startup, while maintaining a long-term strategy: When called, they create immediate tactical solutions, like a special forces team. When responding to one of the first Koobface infections in 2007, they coded a solution overnight and removed malicious messages from millions of inboxes. I had the honor to coordinate the global incident response in that particular incident. Everyone involved, from antivirus vendors to ISPs, were happy with Facebook's responsiveness.

Unlike most security departments for large corporations, the Facebook security team is one of the first in the industry outside of service providers to bring the field of security operations to fruition. While many organizations have IDS experts and incident response personnel, their departments' main goal is usually risk analysis and policy. At Facebook, while these issues interest them, they are also much more technical.

They combine the security research team often found at security vendors, trying to research vulnerabilities and malware, with the security operations team often found at large network providers, performing incident response, correlating data, mitigating attacks, and communicating with others around the world.

I am not very pleased with Facebook itself for various reasons, ranging from its horrid privacy policy to the commercial gain it makes by turning a blind eye to applications making commercial use of what is otherwise private user information. But that does not change the fact that its security team is top-notch. I don't often write such glowing reviews of any organization, let alone one with so many security incidents, but I decided that for the new year, the people at Facebook security need to be recognized.

Let's not kid ourselves, though. With 350 million users and 1 million application developers, Facebook is an attractive target. And it's not a secure system, but its talented security team is having an impact. In the coming year, we can expect Facebook attackers to start making more use of applications to scam and infect users, as well as attacking Facebook via other infection vectors, such as email and other Websites.

Facebook, by its nature, is one of the worst security menaces ever created, but unlike other examples from history where sources of new technologies were oblivious to the problems, Facebook's security team is on the job (with special appreciation to Facebook security team members Ryan McGeehan and Alex Rice).

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Title Partners Role in Perimeter Security
Title Partners Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.