Vulnerabilities / Threats
12:20 PM
Connect Directly

Facebook Aims To Shape Stronger Security Practices

Facebook is among social platforms focusing on security as social media poses a growing risk to individuals and businesses.

Social media poses a silent but deadly risk to organizations as users adopt a generally relaxed approach to sharing personal and corporate data. IT pros are challenged to secure the constant flood of social activity on business networks.

"It's one of those necessary evils," says Dr. Amelia Estwick, program manager for the National Cybersecurity Institute at Excelsior College, of social networking. "Now, we can't imagine our lives without it."

But social media firms such as Facebook also are raising the bar with security, a move that could ultimately help promote better security practices on its platform. Take Facebook's announcement last month that it now supports physical keys based on the FIDO U2F security standard for stronger and more secure authentication of user accounts. Users can register keys to their Facebook accounts so when they log in, they tap a device plugged into their computer's USB port.

Brad Hill, security engineer at Facebook, acknowledges the need for stronger security on social networks and explains the company's recent efforts to drive change in the industry, specifically for login security and account recovery.

"Security is on everyone's mind right now, on social media, email, etc.," he says. "Everyone is looking for ways they can feel more secure in their online identities and the things they do online. We want to continue making security easier."

Social media's rampant growth, including that of Facebook, has basically opened the door for malware distribution, social engineering, data mining, and a flood of other security threats. 

Evan Blair, co-founder and chief business officer at social media security firm ZeroFOX, explains how hackers are starting to take advantage: "That fundamental scale has created an interesting opportunity for cybercriminals because they can target or exploit virtually any individual, at any organization around the world," he continues. "Everyone is available; everyone is accessible on social media."

People place more trust in their social accounts than they do in email, Blair continues. We're taught to be wary of emailed links, even from those we trust, but we're quick to share personally identifiable information or click links on Facebook, Twitter, and Instagram.

"Because we have no baseline security, we're highly vulnerable to social engineering and spearphishing campaigns," he says, noting how the human interaction on social media drives users' trust in platforms. "The amount of information we share makes us a ripe target."

Companies like Facebook are recognizing the immediate threat to consumers and businesses and launching new initiatives to mitigate risk.

Facebook is a particularly appealing target for threat actors given the scope of its platform, explains Dr. Estwick. "The reason I see Facebook as a bigger problem is the amount of services it provides now," she says. "On Twitter, you send a tweet. On Facebook, you have Facebook Live, Instagram … I don't think users understand what they're getting themselves into when they create a Facebook account."

Facebook Fights Back

On January 26, Facebook announced its support for physical keys for authentication. Facebook's Hill explains how the physical keys make accounts "immune to phishing" because users don’t have to enter a code and the hardware provides cryptographic proof that it's plugged in. While users won't be required to install them, the keys are an obvious choice for people using social media for businesses.

"There's no way you can make a mistake," he says. "Attackers can't compromise it, you can't accidentally give your credentials away."

Further, users can employ the same key for several accounts including Google, Salesforce, Dropbox, and GitHub. Hill hopes by jumping in on this trend, Facebook will encourage users to adopt stronger security measures.

Shortly after it announced U2F security key support, Facebook shared a project with GitHub focused on account recovery. GitHub users can use their Facebook accounts for authentication as part of the GitHub account recovery process.

The idea is to give users an easier and more secure option to recover their accounts. Common methods like recovery emails, SMS messages, and security questions are viewed as both inconvenient and risky as more people go online, Hill says.

Users can set this up by saving an encrypted recovery token with their Facebook account. If they need to recover a GitHub account, they can re-authenticate to Facebook and the token is sent back to GitHub for verification.

"People will always forget their passwords or lose their phones, and we want to make sure they have ways to get into their accounts," says Hill. "Interconnecting networks offers a better option than centralizing things around one account or security questions. We know that stuff isn't secure."

Meantime, social media will continue to be a big target of attackers, ZeroFOX's Blair says.

"We will see more targeted attacks across social media," he says. "We already see a ton making headlines, but we're going to see more hackers targeting employees to gain access to corporate systems. That will continue to become a problem."

On the enterprise side, collaboration apps like Slack will pose a threat despite their intent to drive productivity. Organizations lack control over critical functions: what information is requested of them, which customers and partners join the app, how they engage.

Each social network will tackle the problem differently. Facebook has already started to ramp up its security game and anticipates other platforms will follow suit, experts say.

"We definitely have a huge audience; everybody uses Facebook," says Hill. "I think we're also a player other people in the industry watch. Security-key technology is something the whole industry should be adopting."

Related Content:

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.