Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12:20 PM
Connect Directly

Facebook Aims To Shape Stronger Security Practices

Facebook is among social platforms focusing on security as social media poses a growing risk to individuals and businesses.

Social media poses a silent but deadly risk to organizations as users adopt a generally relaxed approach to sharing personal and corporate data. IT pros are challenged to secure the constant flood of social activity on business networks.

"It's one of those necessary evils," says Dr. Amelia Estwick, program manager for the National Cybersecurity Institute at Excelsior College, of social networking. "Now, we can't imagine our lives without it."

But social media firms such as Facebook also are raising the bar with security, a move that could ultimately help promote better security practices on its platform. Take Facebook's announcement last month that it now supports physical keys based on the FIDO U2F security standard for stronger and more secure authentication of user accounts. Users can register keys to their Facebook accounts so when they log in, they tap a device plugged into their computer's USB port.

Brad Hill, security engineer at Facebook, acknowledges the need for stronger security on social networks and explains the company's recent efforts to drive change in the industry, specifically for login security and account recovery.

"Security is on everyone's mind right now, on social media, email, etc.," he says. "Everyone is looking for ways they can feel more secure in their online identities and the things they do online. We want to continue making security easier."

Social media's rampant growth, including that of Facebook, has basically opened the door for malware distribution, social engineering, data mining, and a flood of other security threats. 

Evan Blair, co-founder and chief business officer at social media security firm ZeroFOX, explains how hackers are starting to take advantage: "That fundamental scale has created an interesting opportunity for cybercriminals because they can target or exploit virtually any individual, at any organization around the world," he continues. "Everyone is available; everyone is accessible on social media."

People place more trust in their social accounts than they do in email, Blair continues. We're taught to be wary of emailed links, even from those we trust, but we're quick to share personally identifiable information or click links on Facebook, Twitter, and Instagram.

"Because we have no baseline security, we're highly vulnerable to social engineering and spearphishing campaigns," he says, noting how the human interaction on social media drives users' trust in platforms. "The amount of information we share makes us a ripe target."

Companies like Facebook are recognizing the immediate threat to consumers and businesses and launching new initiatives to mitigate risk.

Facebook is a particularly appealing target for threat actors given the scope of its platform, explains Dr. Estwick. "The reason I see Facebook as a bigger problem is the amount of services it provides now," she says. "On Twitter, you send a tweet. On Facebook, you have Facebook Live, Instagram … I don't think users understand what they're getting themselves into when they create a Facebook account."

Facebook Fights Back

On January 26, Facebook announced its support for physical keys for authentication. Facebook's Hill explains how the physical keys make accounts "immune to phishing" because users don’t have to enter a code and the hardware provides cryptographic proof that it's plugged in. While users won't be required to install them, the keys are an obvious choice for people using social media for businesses.

"There's no way you can make a mistake," he says. "Attackers can't compromise it, you can't accidentally give your credentials away."

Further, users can employ the same key for several accounts including Google, Salesforce, Dropbox, and GitHub. Hill hopes by jumping in on this trend, Facebook will encourage users to adopt stronger security measures.

Shortly after it announced U2F security key support, Facebook shared a project with GitHub focused on account recovery. GitHub users can use their Facebook accounts for authentication as part of the GitHub account recovery process.

The idea is to give users an easier and more secure option to recover their accounts. Common methods like recovery emails, SMS messages, and security questions are viewed as both inconvenient and risky as more people go online, Hill says.

Users can set this up by saving an encrypted recovery token with their Facebook account. If they need to recover a GitHub account, they can re-authenticate to Facebook and the token is sent back to GitHub for verification.

"People will always forget their passwords or lose their phones, and we want to make sure they have ways to get into their accounts," says Hill. "Interconnecting networks offers a better option than centralizing things around one account or security questions. We know that stuff isn't secure."

Meantime, social media will continue to be a big target of attackers, ZeroFOX's Blair says.

"We will see more targeted attacks across social media," he says. "We already see a ton making headlines, but we're going to see more hackers targeting employees to gain access to corporate systems. That will continue to become a problem."

On the enterprise side, collaboration apps like Slack will pose a threat despite their intent to drive productivity. Organizations lack control over critical functions: what information is requested of them, which customers and partners join the app, how they engage.

Each social network will tackle the problem differently. Facebook has already started to ramp up its security game and anticipates other platforms will follow suit, experts say.

"We definitely have a huge audience; everybody uses Facebook," says Hill. "I think we're also a player other people in the industry watch. Security-key technology is something the whole industry should be adopting."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-06
The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.
PUBLISHED: 2020-07-06
PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.
PUBLISHED: 2020-07-06
It's possible to inject JavaScript code via the html method.
PUBLISHED: 2020-07-06
It's possible to use <<script>script> in order to go over the filtering regex.
PUBLISHED: 2020-07-06
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.