7/26/2017 12:00 PM

Facebook Offers $1 Million for New Security Defenses

The social media giant has increased the size of its Internet Defense Prize program in order to spur more research into ways to defend users against the more prevalent and common methods of attack.

BLACK HAT USA – Las Vegas – Facebook is dramatically upping its efforts to entice security researchers to come up with new ways to secure and defend the Internet.

The social media titan is increasing the size of its Internet Defense Prize to $1 million to be doled out in a series of prizes throughout 2018, said Alex Stamos, Facebook's chief security officer, who will deliver the keynote address here today at Black Hat. Facebook last year awarded $100,000 in Internet Defense Prizes, and a total of $250,000 since starting the awards recognition program along with USENIX in 2014.

Facebook's goal is to encourage researchers to develop new ways to defend Internet users against vulnerabilities, and minimize the success rate of attacks, especially those that involve the re-use of the same password on multiple accounts, or duping a newbie Internet user into sharing personal and financial information during the creation of their Internet account.  

It is simpler day-to-day attacks like these, rather than ultra-complex and rare 0-day attacks, that at least half of security research should focus on, Stamos said in an interview with Dark Reading. By his estimate, offensive research accounts for something like 99% of the work being performed, with only 1% devoted to defensive security research.

[Image source: Dawn Kawamoto, Dark Reading]

As part of the Internet Defense Prize competitions, researchers will be given a variety of topics where Facebook would ideally like to see more research, Stamos said.

While a lot of defense researchers are focusing on authentication or new ways to authenticate oneself, Stamos noted that account lifecycle management is also an area of interest.

"What we see less from the research community is understanding that the entire lifecycle of somebody's relationship with an online service has actually security issues throughout it," Stamos said. "There's the creation of the account, what do you do when someone loses their phone, loses their password. These are issues that the bad guys are actually exploiting … so research into the real world would be a great thing to happen."

Facebook is also interested in seeing more research surrounding the worldwide mobile device ecosystem, he said.

"There is a lot of research into the new flaws or ways to exploit fully patched or very expensive devices. But that is not reflective of a huge percentage of the world population," Stamos said.

A large portion of the global population cannot afford smartphones that cost upwards of $600 or $700, but rather use less expensive Android devices that may cost $50 to $100 and are loaded with an older version of the operating system, he noted.

"There is a huge focus on finding 0-Days on iPhones, and while that is a great thing to do, there is almost no research into the real mobile phone ecosystem and what it looks like and how we can keep people safe if we are shipping hundreds and millions of these phones," observed Stamos.

Empathy in Security

Twenty years ago the security industry was fighting for respect and for companies to understand that vulnerabilities needed to be patched, Stamos recalled. Now the security industry has won that fight, he said, but the question of "what do we do now" looms.

Security researchers can improve their defense tactics by developing more empathy for users who are in a lower socioeconomic bracket. For example, a youth living in an underserved community may purchase an older version of a smartphone that is running an operating system that does not have the latest updates. "What would their security experience be like?" Stamos said.

By walking in those users' shoes and developing an empathy for how they may behave when it comes to security, a defensive researcher can catch more things that could potentially go wrong, he noted.

Greater empathy may also come by way of a more diverse workforce. Facebook also announced today it hopes to expand diversity in the security workforce. The company is teaming up with CodePath to develop online and in-classroom cybersecurity courses for Virginia Tech, California State University San Bernardino, Mississippi State University, Merritt College, Hofstra University, and The City College of New York. The classes will be offered starting this academic school year, with students potentially landing an internship at Facebook, Stamos said.

In addition to developing empathy for users, security researchers can also benefit by extending empathy, at a micro level, to software developers and other members inside and outside their tech team, Stamos said. For example, a dismissive attitude toward finding vulnerabilities in another person's code may make a researcher feel smarter, but it does little to effect real change in the security community, Stamos noted.

Security researchers with an empathic nature are also needed at a macro level, which includes working with politicians and law enforcement when events throw them together, he said, as in the aftermath of the San Bernardino terrorist attack, when government officials were trying to unlock a terrorist's iPhone. A more recent example is the questions that have emerged about Russia's involvement in the US elections and elections in Europe.

Facebook also announced today that it will be a founding sponsor of the Defending Digital Democracy Project. This initiative will focus on improving the security around elections and the democratic process. Facebook will provide financial and technical support to Harvard University's Belfer Center, Stamos said.

Stamos said he has already seen some signs of a movement toward more empathy in security: "We have started to see some security people in our community start to think this way," he said. "I figure we'll do better this time than it taking the next 20 years."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments

LisaB845, User Rank: Apprentice
8/24/2017 | 4:45:26 AM
professional logo design
This is sad, hackers from the darknet are taking control. What are the authorities doing?

SEO expert, User Rank: Apprentice
8/23/2017 | 11:53:33 PM
FB security is a must!
When dealing with a giant like Facebook, security is paramount! Its users and their information are being found, sold, and utilized in ways that most people can't even comprehend. Any defense and strategies to tighten security are necessary as this powerhouse company continues to grow.