
Social Networks Fight Back

How major social networks MySpace and Facebook are building up security -- and where their weakest links remain
But Hamiel says social networking firms are conflicted about cracking down on securing their APIs for competitive reasons. "The main draw is functionality," he says. "They don't want to lose any market share to competitors. So they are probably going to be a bit gun-shy about who they turn away from developing apps."

MySpace has also turned outside for some of its security. Earlier this year, the social network began rolling out Cloudmark's Authority service, which detects and filters spam and harmful content in MySpace messages and posts.

"MySpace is different -- most other social networks aren't deploying third-party commercial security services. Others are using their own technology to do it and have developed [the tools] inside the social network," says Jamie de Guerre, chief technology officer at Cloudmark.

De Guerre says the Cloudmark service scans inside MySpace, and then Cloudmark works with MySpace to add elements to the user interface to help report any malicious activity. It also detects suspicious activity, such as a profile making lots of friend requests but not being requested by other users. "Any spam or abuse [reports] come back to our threat network, and we use that data for email or mobile operators to automatically discover new threats quickly," he says.
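The one-sided friend-request signal described above can be expressed as a ratio check over request events. The following is an added example, not Cloudmark's or MySpace's code; the event format, account names and thresholds (`min_sent`, `max_inbound_ratio`) are assumptions chosen for illustration.

```python
# Constructed sample events, one per line: "<timestamp> <sender> <recipient>".
# Timestamps are placeholder tokens; none of this is real data.
SAMPLE_EVENTS = "\n".join(
    [f"t{i} promo_77 user{i}" for i in range(8)]   # 8 requests sent, none received
    + [f"t{i} alice user{i}" for i in range(6)]    # alice sends 6 ...
    + [f"t{i} user{i} alice" for i in range(4)]    # ... and is requested by 4 users
    + ["t9 bob alice", "malformed line here extra", "t9 bob bob"]
)


def parse_events(text):
    """Yield (sender, recipient) pairs, skipping malformed lines and self-requests."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, sender, recipient = parts
        if sender != recipient:
            yield sender, recipient


def flag_one_sided_requesters(events, min_sent=5, max_inbound_ratio=0.1):
    """Return (account, sent, received) for accounts that request many
    distinct users but are rarely requested themselves."""
    sent, received = {}, {}
    for sender, recipient in events:
        # Sets count distinct peers, so repeated requests to one user don't inflate totals.
        sent.setdefault(sender, set()).add(recipient)
        received.setdefault(recipient, set()).add(sender)

    flagged = []
    for account, targets in sent.items():
        out_count = len(targets)
        in_count = len(received.get(account, ()))
        # Volume gate first, so low-activity accounts are never flagged on ratio alone.
        if out_count >= min_sent and in_count / out_count <= max_inbound_ratio:
            flagged.append((account, out_count, in_count))
    return sorted(flagged, key=lambda f: -f[1])


if __name__ == "__main__":
    for account, out_count, in_count in flag_one_sided_requesters(parse_events(SAMPLE_EVENTS)):
        print(f"review {account}: sent={out_count} received={in_count}")
```

A flag from this check is a reason to review an account, not proof of abuse: a newly registered legitimate user also sends requests before receiving any.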

MySpace's Nigam says Cloudmark's service augments its in-house security measures, such as its homegrown Bloodhound tool that identifies imposter profiles used for spamming purposes, and Watchdogs, a set of tools that track spam content and block or remove it. He says MySpace takes a holistic approach to security.

"We added them to the arsenal of things we're doing to stop bad guys from hurting our users," Nigam says. "Cloudmark's [service] didn't replace anything. We added it to what we're already doing."

MySpace has also stepped up education and awareness among its users, he says, as well as forged partnerships with Microsoft and the Anti-Phishing Working Group to help report and quell phishing attacks. It also hired law enforcement specialists to help with civil lawsuits and criminal reporting of malicious activity spotted on MySpace.

"You have your head in the sand if you don't realize at the end of the day, even with the greatest technology and education, there are going to be times when something bad is going to happen," says Nigam, who is a former federal prosecutor.

Facebook, meanwhile, handles its security operations and development in-house. It filters malicious URLs and keeps a "greylist" of URLs that haven't yet been verified, according to Facebook's spokesperson. "If a user clicks on one of these, we show an interstitial page with a warning letting the person know that he or she is leaving Facebook and should be careful," he says.

The social network also has built its own automated systems to detect Facebook accounts that are likely to be malicious or compromised, such as those that contain messages with malicious links. "Because Facebook is a closed system, we have a tremendous advantage over email. That is, once we detect a phony message, we can delete that message in all inboxes across the site," the Facebook spokesperson says.

And Facebook has been able to slow Koobface infections, he reports. "On the malware front, we've mostly been fighting...Koobface. We've worked with Microsoft to push a solution to Koobface on user machines through Windows Update. By all accounts, our continuing security measures on Facebook combined with Microsoft's measures at the operating system level have been very effective in slowing the spread of the virus," he says. Facebook has slowed the spread of Koobface "to a crawl" with its partnership with Microsoft, he says.

Meanwhile, the weakest links for MySpace and Facebook lie in their third-party applications and in the users of the social networks themselves, experts say. While it's unclear just what more they will do -- either locking down elements of their APIs or more aggressively vetting third-party applications -- the careless or clueless user is still their biggest challenge.

And the social networks are well aware of that: "To combat threats, we need users' help, too," Facebook's spokesperson says. Says MySpace's Nigam: "It's their behavior you want to change. We want them to approach the Net in much the same way they approach their lives in the physical world" when it comes to security, he says.

While there are ways to beef up defenses to DDoS attacks, there's no way to really stop them. "There is always a DDoS threat with anything, social networks or not," Hamiel says. "DDoS attacks can't be completely stopped. They can only be mitigated."
