Perimeter
1/5/2010
08:00 PM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Facebook's Security Team Frustrates Cybercriminals

Though Facebook is one of the potentially most virulent platforms on the Internet, its security team is very talented, which makes life for cybercriminals all the more difficult.

Though Facebook is one of the potentially most virulent platforms on the Internet, its security team is very talented, which makes life for cybercriminals all the more difficult.A few nights ago, I received a message from a Facebook friend. Much like other scams I have blogged about (here and here) in the past, it wasn't really her.

In this particular case, it wasn't strictly a worm that had infected her account, but rather a Facebook spam operation. Malware stole her user credentials (username and password), and then in a separate operation used Amazon's EC2 to send a spam message to her friends by the use of Facebook Mobile.

Facebook has control of its systems, which are all owned by the social networking firm. On the surface, its security team should have the tools to combat cybercrime that the rest of us could only dream of. They can, in theory, have a complete view of what's going on, as well as the power to act on it.

When it comes to email, DNS, and other Internet services, incident response requires forensic investigation with access to many resources, and then an uphill battle to mitigate the threat. While Facebook has concerns about protecting legitimate users, commercial interests, and privacy concerns, all it needs to do (at least in theory) is have the right tools and the mandate to act.

How you distinguish between legitimate and malicious users is not always clear-cut. In the spam I received, the link was obfuscated. I had to reconstruct it myself in order to go to the spam site. How do you filter against links that are not clickable? Facebook will find a way; the very fact that spammers now use unclickable links demonstrates that Facebook's security team is doing a good job.

On top of building systems and scripts to make sense of the endless ocean of data and trying to stay ahead of criminals with every reason to misuse and abuse Facebook and its users, Facebook's security team is also proactive. They are open to new ideas. They run with them and create innovative solutions in what, at least from the outside, appears to be in record time. They engage the community and form relationships, which every day proves beneficial for mitigating threats. For a giant, they are surprisingly open and friendly.

The team seems to operate almost like a startup, while maintaining a long-term strategy: When called, they create immediate tactical solutions, like a special forces team. When responding to one of the first Koobface infections in 2007, they coded a solution overnight and removed malicious messages from millions of inboxes. I had the honor to coordinate the global incident response in that particular incident. Everyone involved, from antivirus vendors to ISPs, were happy with Facebook's responsiveness.

Unlike most security departments for large corporations, the Facebook security team is one of the first in the industry outside of service providers to bring the field of security operations to fruition. While many organizations have IDS experts and incident response personnel, their departments' main goal is usually risk analysis and policy. At Facebook, while these issues interest them, they are also much more technical.

They combine the security research team often found at security vendors, trying to research vulnerabilities and malware, with the security operations team often found at large network providers, performing incident response, correlating data, mitigating attacks, and communicating with others around the world.

I am not very pleased with Facebook itself for various reasons, ranging from its horrid privacy policy to the commercial gain it makes by turning a blind eye to applications making commercial use of what is otherwise private user information. But that does not change the fact that its security team is top-notch. I don't often write such glowing reviews of any organization, let alone one with so many security incidents, but I decided that for the new year, the people at Facebook security need to be recognized.

Let's not kid ourselves, though. With 350 million users and 1 million application developers, Facebook is an attractive target. And it's not a secure system, but its talented security team is having an impact. In the coming year, we can expect Facebook attackers to start making more use of applications to scam and infect users, as well as attacking Facebook via other infection vectors, such as email and other Websites.

Facebook, by its nature, is one of the worst security menaces ever created, but unlike other examples from history where sources of new technologies were oblivious to the problems, Facebook's security team is on the job (with special appreciation to Facebook security team members Ryan McGeehan and Alex Rice).

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web