In this particular case, it wasn't strictly a worm that had infected her account, but rather a Facebook spam operation. Malware stole her user credentials (username and password), and then in a separate operation used Amazon's EC2 to send a spam message to her friends by the use of Facebook Mobile.
Facebook has control of its systems, which are all owned by the social networking firm. On the surface, its security team should have the tools to combat cybercrime that the rest of us could only dream of. They can, in theory, have a complete view of what's going on, as well as the power to act on it.
When it comes to email, DNS, and other Internet services, incident response requires forensic investigation with access to many resources, and then an uphill battle to mitigate the threat. While Facebook has concerns about protecting legitimate users, commercial interests, and privacy concerns, all it needs to do (at least in theory) is have the right tools and the mandate to act.
How you distinguish between legitimate and malicious users is not always clear-cut. In the spam I received, the link was obfuscated. I had to reconstruct it myself in order to go to the spam site. How do you filter against links that are not clickable? Facebook will find a way; the very fact that spammers now use unclickable links demonstrates that Facebook's security team is doing a good job.
On top of building systems and scripts to make sense of the endless ocean of data and trying to stay ahead of criminals with every reason to misuse and abuse Facebook and its users, Facebook's security team is also proactive. They are open to new ideas. They run with them and create innovative solutions in what, at least from the outside, appears to be in record time. They engage the community and form relationships, which every day proves beneficial for mitigating threats. For a giant, they are surprisingly open and friendly.
The team seems to operate almost like a startup, while maintaining a long-term strategy: When called, they create immediate tactical solutions, like a special forces team. When responding to one of the first Koobface infections in 2007, they coded a solution overnight and removed malicious messages from millions of inboxes. I had the honor to coordinate the global incident response in that particular incident. Everyone involved, from antivirus vendors to ISPs, were happy with Facebook's responsiveness.
Unlike most security departments for large corporations, the Facebook security team is one of the first in the industry outside of service providers to bring the field of security operations to fruition. While many organizations have IDS experts and incident response personnel, their departments' main goal is usually risk analysis and policy. At Facebook, while these issues interest them, they are also much more technical.
They combine the security research team often found at security vendors, trying to research vulnerabilities and malware, with the security operations team often found at large network providers, performing incident response, correlating data, mitigating attacks, and communicating with others around the world.
Let's not kid ourselves, though. With 350 million users and 1 million application developers, Facebook is an attractive target. And it's not a secure system, but its talented security team is having an impact. In the coming year, we can expect Facebook attackers to start making more use of applications to scam and infect users, as well as attacking Facebook via other infection vectors, such as email and other Websites.
Facebook, by its nature, is one of the worst security menaces ever created, but unlike other examples from history where sources of new technologies were oblivious to the problems, Facebook's security team is on the job (with special appreciation to Facebook security team members Ryan McGeehan and Alex Rice).
Follow Gadi Evron on Twitter: http://twitter.com/gadievron
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.