Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/8/2017
12:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Facebook Aims To Shape Stronger Security Practices

Facebook is among social platforms focusing on security as social media poses a growing risk to individuals and businesses.

Social media poses a silent but deadly risk to organizations as users adopt a generally relaxed approach to sharing personal and corporate data. IT pros are challenged to secure the constant flood of social activity on business networks.

"It's one of those necessary evils," says Dr. Amelia Estwick, program manager for the National Cybersecurity Institute at Excelsior College, of social networking. "Now, we can't imagine our lives without it."

But social media firms such as Facebook also are raising the bar with security, a move that could ultimately help promote better security practices on its platform. Take Facebook's announcement last month that it now supports physical keys based on the FIDO U2F security standard for stronger and more secure authentication of user accounts. Users can register keys to their Facebook accounts so when they log in, they tap a device plugged into their computer's USB port.

Brad Hill, security engineer at Facebook, acknowledges the need for stronger security on social networks and explains the company's recent efforts to drive change in the industry, specifically for login security and account recovery.

"Security is on everyone's mind right now, on social media, email, etc.," he says. "Everyone is looking for ways they can feel more secure in their online identities and the things they do online. We want to continue making security easier."

Social media's rampant growth, including that of Facebook, has basically opened the door for malware distribution, social engineering, data mining, and a flood of other security threats. 

Evan Blair, co-founder and chief business officer at social media security firm ZeroFOX, explains how hackers are starting to take advantage: "That fundamental scale has created an interesting opportunity for cybercriminals because they can target or exploit virtually any individual, at any organization around the world," he continues. "Everyone is available; everyone is accessible on social media."

People place more trust in their social accounts than they do in email, Blair continues. We're taught to be wary of emailed links, even from those we trust, but we're quick to share personally identifiable information or click links on Facebook, Twitter, and Instagram.

"Because we have no baseline security, we're highly vulnerable to social engineering and spearphishing campaigns," he says, noting how the human interaction on social media drives users' trust in platforms. "The amount of information we share makes us a ripe target."

Companies like Facebook are recognizing the immediate threat to consumers and businesses and launching new initiatives to mitigate risk.

Facebook is a particularly appealing target for threat actors given the scope of its platform, explains Dr. Estwick. "The reason I see Facebook as a bigger problem is the amount of services it provides now," she says. "On Twitter, you send a tweet. On Facebook, you have Facebook Live, Instagram … I don't think users understand what they're getting themselves into when they create a Facebook account."

Facebook Fights Back

On January 26, Facebook announced its support for physical keys for authentication. Facebook's Hill explains how the physical keys make accounts "immune to phishing" because users don’t have to enter a code and the hardware provides cryptographic proof that it's plugged in. While users won't be required to install them, the keys are an obvious choice for people using social media for businesses.

"There's no way you can make a mistake," he says. "Attackers can't compromise it, you can't accidentally give your credentials away."

Further, users can employ the same key for several accounts including Google, Salesforce, Dropbox, and GitHub. Hill hopes by jumping in on this trend, Facebook will encourage users to adopt stronger security measures.

Shortly after it announced U2F security key support, Facebook shared a project with GitHub focused on account recovery. GitHub users can use their Facebook accounts for authentication as part of the GitHub account recovery process.

The idea is to give users an easier and more secure option to recover their accounts. Common methods like recovery emails, SMS messages, and security questions are viewed as both inconvenient and risky as more people go online, Hill says.

Users can set this up by saving an encrypted recovery token with their Facebook account. If they need to recover a GitHub account, they can re-authenticate to Facebook and the token is sent back to GitHub for verification.

"People will always forget their passwords or lose their phones, and we want to make sure they have ways to get into their accounts," says Hill. "Interconnecting networks offers a better option than centralizing things around one account or security questions. We know that stuff isn't secure."

Meantime, social media will continue to be a big target of attackers, ZeroFOX's Blair says.

"We will see more targeted attacks across social media," he says. "We already see a ton making headlines, but we're going to see more hackers targeting employees to gain access to corporate systems. That will continue to become a problem."

On the enterprise side, collaboration apps like Slack will pose a threat despite their intent to drive productivity. Organizations lack control over critical functions: what information is requested of them, which customers and partners join the app, how they engage.

Each social network will tackle the problem differently. Facebook has already started to ramp up its security game and anticipates other platforms will follow suit, experts say.

"We definitely have a huge audience; everybody uses Facebook," says Hill. "I think we're also a player other people in the industry watch. Security-key technology is something the whole industry should be adopting."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16246
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
CVE-2019-17358
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
CVE-2019-17428
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
CVE-2019-18345
PUBLISHED: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...
CVE-2019-19198
PUBLISHED: 2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.