Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/8/2017
12:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Facebook Aims To Shape Stronger Security Practices

Facebook is among social platforms focusing on security as social media poses a growing risk to individuals and businesses.

Social media poses a silent but deadly risk to organizations as users adopt a generally relaxed approach to sharing personal and corporate data. IT pros are challenged to secure the constant flood of social activity on business networks.

"It's one of those necessary evils," says Dr. Amelia Estwick, program manager for the National Cybersecurity Institute at Excelsior College, of social networking. "Now, we can't imagine our lives without it."

But social media firms such as Facebook also are raising the bar with security, a move that could ultimately help promote better security practices on its platform. Take Facebook's announcement last month that it now supports physical keys based on the FIDO U2F security standard for stronger and more secure authentication of user accounts. Users can register keys to their Facebook accounts so when they log in, they tap a device plugged into their computer's USB port.

Brad Hill, security engineer at Facebook, acknowledges the need for stronger security on social networks and explains the company's recent efforts to drive change in the industry, specifically for login security and account recovery.

"Security is on everyone's mind right now, on social media, email, etc.," he says. "Everyone is looking for ways they can feel more secure in their online identities and the things they do online. We want to continue making security easier."

Social media's rampant growth, including that of Facebook, has basically opened the door for malware distribution, social engineering, data mining, and a flood of other security threats. 

Evan Blair, co-founder and chief business officer at social media security firm ZeroFOX, explains how hackers are starting to take advantage: "That fundamental scale has created an interesting opportunity for cybercriminals because they can target or exploit virtually any individual, at any organization around the world," he continues. "Everyone is available; everyone is accessible on social media."

People place more trust in their social accounts than they do in email, Blair continues. We're taught to be wary of emailed links, even from those we trust, but we're quick to share personally identifiable information or click links on Facebook, Twitter, and Instagram.

"Because we have no baseline security, we're highly vulnerable to social engineering and spearphishing campaigns," he says, noting how the human interaction on social media drives users' trust in platforms. "The amount of information we share makes us a ripe target."

Companies like Facebook are recognizing the immediate threat to consumers and businesses and launching new initiatives to mitigate risk.

Facebook is a particularly appealing target for threat actors given the scope of its platform, explains Dr. Estwick. "The reason I see Facebook as a bigger problem is the amount of services it provides now," she says. "On Twitter, you send a tweet. On Facebook, you have Facebook Live, Instagram … I don't think users understand what they're getting themselves into when they create a Facebook account."

Facebook Fights Back

On January 26, Facebook announced its support for physical keys for authentication. Facebook's Hill explains how the physical keys make accounts "immune to phishing" because users don’t have to enter a code and the hardware provides cryptographic proof that it's plugged in. While users won't be required to install them, the keys are an obvious choice for people using social media for businesses.

"There's no way you can make a mistake," he says. "Attackers can't compromise it, you can't accidentally give your credentials away."

Further, users can employ the same key for several accounts including Google, Salesforce, Dropbox, and GitHub. Hill hopes by jumping in on this trend, Facebook will encourage users to adopt stronger security measures.

Shortly after it announced U2F security key support, Facebook shared a project with GitHub focused on account recovery. GitHub users can use their Facebook accounts for authentication as part of the GitHub account recovery process.

The idea is to give users an easier and more secure option to recover their accounts. Common methods like recovery emails, SMS messages, and security questions are viewed as both inconvenient and risky as more people go online, Hill says.

Users can set this up by saving an encrypted recovery token with their Facebook account. If they need to recover a GitHub account, they can re-authenticate to Facebook and the token is sent back to GitHub for verification.

"People will always forget their passwords or lose their phones, and we want to make sure they have ways to get into their accounts," says Hill. "Interconnecting networks offers a better option than centralizing things around one account or security questions. We know that stuff isn't secure."

Meantime, social media will continue to be a big target of attackers, ZeroFOX's Blair says.

"We will see more targeted attacks across social media," he says. "We already see a ton making headlines, but we're going to see more hackers targeting employees to gain access to corporate systems. That will continue to become a problem."

On the enterprise side, collaboration apps like Slack will pose a threat despite their intent to drive productivity. Organizations lack control over critical functions: what information is requested of them, which customers and partners join the app, how they engage.

Each social network will tackle the problem differently. Facebook has already started to ramp up its security game and anticipates other platforms will follow suit, experts say.

"We definitely have a huge audience; everybody uses Facebook," says Hill. "I think we're also a player other people in the industry watch. Security-key technology is something the whole industry should be adopting."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26788
PUBLISHED: 2021-03-08
Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthentic...
CVE-2021-23351
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.