
7/26/2017
12:00 PM

Facebook Offers $1 Million for New Security Defenses

The social media giant has increased the size of its Internet Defense Prize program in order to spur more research into ways to defend users against the more prevalent and common methods of attack.

BLACK HAT USA – Las Vegas – Facebook is dramatically upping its efforts to entice security researchers to come up with new ways to secure and defend the Internet.

The social media titan is increasing the size of its Internet Defense Prize to $1 million to be doled out in a series of prizes throughout 2018, said Alex Stamos, Facebook's chief security officer, who will deliver the keynote address here today at Black Hat. Facebook last year awarded $100,000 in Internet Defense Prizes, and a total of $250,000 since starting the awards recognition program along with USENIX in 2014.

Facebook's goal is to encourage researchers to develop new ways to defend Internet users against vulnerabilities, and minimize the success rate of attacks, especially those that involve the re-use of the same password on multiple accounts, or duping a newbie Internet user into sharing personal and financial information during the creation of their Internet account.  

It's the simpler day-to-day attacks like these, rather than the ultra-complex and rare 0-day attacks, where at least half of security research should be focusing, Stamos said in an interview with Dark Reading. By his estimate, offensive research accounts for something like 99% of the work being performed, with only 1% devoted to defensive security research.

[Source: Dawn Kawamoto, Dark Reading]

As part of the Internet Defense Prize competitions, researchers will be given a variety of topics where Facebook would ideally like to see more research, Stamos said.

While a lot of defense researchers are focusing on authentication or new ways to authenticate oneself, Stamos noted that account lifecycle management is also an area of interest.

"What we see less from the research community is understanding that the entire lifecycle of somebody's relationship with an online service has actually security issues throughout it," Stamos said. "There's the creation of the account, what do you do when someone loses their phone, loses their password. These are issues that the bad guys are actually exploiting … so research into the real world would be a great thing to happen."

Facebook is also interested in seeing more research surrounding the worldwide mobile device ecosystem, he said.

"There is a lot of research into the new flaws or ways to exploit fully patched or very expensive devices. But that is not reflective of a huge percentage of the world population," Stamos said.

A large portion of the global population cannot afford smartphones that cost upwards of $600 or $700, but rather use less expensive Android devices that may cost $50 to $100 and are loaded with an older version of the operating system, he noted.

"There is a huge focus on finding 0-Days on iPhones, and while that is a great thing to do, there is almost no research into the real mobile phone ecosystem and what it looks like and how we can keep people safe if we are shipping hundreds and millions of these phones," observed Stamos.

Empathy in Security

Twenty years ago the security industry was fighting for respect and to have companies understand that vulnerabilities needed to be patched, Stamos recalled. Now, however, the security industry has won that fight, but the question of "what do we do now" looms, he said.

Security researchers can improve their defense tactics by developing more empathy for users who are in a lower socioeconomic bracket. For example, a youth living in an underserved community may purchase an older version of a smartphone that is running an operating system that does not have the latest updates. "What would their security experience be like?" Stamos said.

By walking in those users' shoes and developing an empathy for how they may behave when it comes to security, a defensive researcher can catch more things that could potentially go wrong, he noted.

Greater empathy may also come by way of a more diverse workforce. Facebook also announced today it hopes to expand diversity in the security workforce. The company is teaming up with CodePath to develop online and in-classroom cybersecurity courses for Virginia Tech, California State University San Bernardino, Mississippi State University, Merritt College, Hofstra University, and The City College of New York. The classes will be offered starting this academic school year, with students potentially landing an internship at Facebook, Stamos said.

In addition to developing empathy for users, security researchers can also benefit by extending empathy to software developers and other members inside and outside of their tech team at a micro level, Stamos said. For example, a dismissive attitude about finding vulnerabilities in another person's code may make a researcher feel smarter, but it does little to effect real change in the security community, Stamos noted.

Security researchers with an empathic nature are also needed at a macro level, which includes working with politicians and law enforcement when they find themselves thrown together, he said, such as after the San Bernardino terrorist attack, when government officials were trying to unlock a terrorist's iPhone. Another more recent example relates to the questions that have emerged about Russia's involvement in the US elections and elections in Europe.

Facebook also announced today it will be a founding sponsor of the Defending Digital Democracy Project. This initiative will focus on improving the security around elections and the democratic process. Facebook will provide financial and technical support to Harvard University's Belfer Center, Stamos said.

Stamos said he has already seen some signs of a movement toward more empathy in security: "We have started to see some security people in our community start to think this way," he said. "I figure we'll do better this time than it taking the next 20 years."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
LisaB845, User Rank: Apprentice, 8/24/2017 | 4:45:26 AM
professional logo design
this is sad, hackers from darknet are taking control. what are authorities doing?

SEO expert, User Rank: Apprentice, 8/23/2017 | 11:53:33 PM
FB security is a must!
When dealing with a giant like Facebook, security is paramount! Its users and their information are being found, sold and utilized in ways that most people can't even comprehend. Any defenses and strategies to tighten security are necessary as this powerhouse company continues to grow.