BLACK HAT USA – Las Vegas – Facebook is dramatically upping its efforts to entice security researchers to come up with new ways to secure and defend the Internet.
The social media titan is increasing the size of its Internet Defense Prize to $1 million to be doled out in a series of prizes throughout 2018, said Alex Stamos, Facebook's chief security officer, who will deliver the keynote address here today at Black Hat. Facebook last year awarded $100,000 in Internet Defense Prizes, and a total of $250,000 since starting the awards recognition program along with USENIX in 2014.
Facebook's goal is to encourage researchers to develop new ways to defend Internet users against vulnerabilities, and minimize the success rate of attacks, especially those that involve the re-use of the same password on multiple accounts, or duping a newbie Internet user into sharing personal and financial information during the creation of their Internet account.
It's the simpler day-to-day attacks like these, rather than the ultra-complex and rare 0-day attacks, where at least half of security research should be focusing, Stamos said in an interview with Dark Reading. By his estimate, offensive research feels like it accounts for 99% of the work being performed, with only 1% devoted to defensive security research.
[Source: Dawn Kawamoto, Dark Reading]
As part of the Internet Defense Prize competitions, researchers will be given a variety of topics where Facebook would ideally like to see more research, Stamos said.
While a lot of defense researchers are focusing on authentication or new ways to authenticate oneself, Stamos noted that account lifecycle management is also an area of interest.
"What we see less from the research community is understanding that the entire lifecycle of somebody's relationship with an online service has actually security issues throughout it," Stamos said. "There's the creation of the account, what do you do when someone loses their phone, loses their password. These are issues that the bad guys are actually exploiting … so research into the real world would be a great thing to happen."
Facebook is also interested in seeing more research surrounding the worldwide mobile device ecosystem, he said.
"There is a lot of research into the new flaws or ways to exploit fully patched or very expensive devices. But that is not reflective of a huge percentage of the world population," Stamos said.
A large portion of the global population cannot afford smartphones that cost upwards of $600 or $700, but rather use less expensive Android devices that may cost $50 to $100 and are loaded with an older version of the operating system, he noted.
"There is a huge focus on finding 0-Days on iPhones, and while that is a great thing to do, there is almost no research into the real mobile phone ecosystem and what it looks like and how we can keep people safe if we are shipping hundreds and millions of these phones," observed Stamos.
Empathy in Security
Twenty years ago the security industry was fighting for respect and to have companies understand that vulnerabilities needed to be patched, Stamos recalled. Now, however, the security industry has won that fight, but the question of "what do we do now" looms, he said.
Security researchers can improve their defense tactics by developing more empathy for users who are in a lower socioeconomic bracket. For example, a youth living in an underserved community may purchase an older version of a smartphone that is running an operating system that does not have the latest updates. "What would their security experience be like?" Stamos said.
By walking in those users' shoes and developing an empathy for how they may behave when it comes to security, a defensive researcher can catch more things that could potentially go wrong, he noted.
Greater empathy may also come by way of a more diverse workforce. Facebook also announced today it hopes to expand diversity in the security workforce. The company is teaming up with CodePath to develop online and in-classroom cybersecurity courses for Virginia Tech, California State University San Bernardino, Mississippi State University, Merritt College, Hofstra University, and The City College of New York. The classes will be offered starting this academic school year, with students potentially landing an internship at Facebook, Stamos said.
In addition to developing empathy for users, security researchers can also benefit by extending empathy to software developers and other members inside and outside of their tech team at a micro level, Stamos said. For example, a dismissive attitude toward vulnerabilities found in another person's code may make a researcher feel smarter, but it does little to effect real change in the security community, Stamos noted.
Security researchers with an empathic nature are also needed at a macro level, he said, which includes working with politicians and law enforcement when the two sides find themselves thrown together, as in the San Bernardino terrorist attack, when government officials were trying to unlock a terrorist's iPhone. Another more recent example relates to the questions that have emerged about Russia's involvement in the US elections and elections in Europe.
Facebook also announced today it will be a founding sponsor of the Defending Digital Democracy Project. This initiative will focus on improving the security around elections and the Democratic process. Facebook will provide financial and technical support to Harvard University's Belfer Center, Stamos said.
Stamos said he has already seen some signs of a movement toward more empathy in security: "We have started to see some security people in our community start to think this way," he said. "I figure we'll do better this time than it taking the next 20 years."