Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

1/5/2010
08:00 PM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Facebook's Security Team Frustrates Cybercriminals

Though Facebook is one of the potentially most virulent platforms on the Internet, its security team is very talented, which makes life for cybercriminals all the more difficult.

Though Facebook is one of the potentially most virulent platforms on the Internet, its security team is very talented, which makes life for cybercriminals all the more difficult.A few nights ago, I received a message from a Facebook friend. Much like other scams I have blogged about (here and here) in the past, it wasn't really her.

In this particular case, it wasn't strictly a worm that had infected her account, but rather a Facebook spam operation. Malware stole her user credentials (username and password), and then in a separate operation used Amazon's EC2 to send a spam message to her friends by the use of Facebook Mobile.

Facebook has control of its systems, which are all owned by the social networking firm. On the surface, its security team should have the tools to combat cybercrime that the rest of us could only dream of. They can, in theory, have a complete view of what's going on, as well as the power to act on it.

When it comes to email, DNS, and other Internet services, incident response requires forensic investigation with access to many resources, and then an uphill battle to mitigate the threat. While Facebook has concerns about protecting legitimate users, commercial interests, and privacy concerns, all it needs to do (at least in theory) is have the right tools and the mandate to act.

How you distinguish between legitimate and malicious users is not always clear-cut. In the spam I received, the link was obfuscated. I had to reconstruct it myself in order to go to the spam site. How do you filter against links that are not clickable? Facebook will find a way; the very fact that spammers now use unclickable links demonstrates that Facebook's security team is doing a good job.

On top of building systems and scripts to make sense of the endless ocean of data and trying to stay ahead of criminals with every reason to misuse and abuse Facebook and its users, Facebook's security team is also proactive. They are open to new ideas. They run with them and create innovative solutions in what, at least from the outside, appears to be in record time. They engage the community and form relationships, which every day proves beneficial for mitigating threats. For a giant, they are surprisingly open and friendly.

The team seems to operate almost like a startup, while maintaining a long-term strategy: When called, they create immediate tactical solutions, like a special forces team. When responding to one of the first Koobface infections in 2007, they coded a solution overnight and removed malicious messages from millions of inboxes. I had the honor to coordinate the global incident response in that particular incident. Everyone involved, from antivirus vendors to ISPs, were happy with Facebook's responsiveness.

Unlike most security departments for large corporations, the Facebook security team is one of the first in the industry outside of service providers to bring the field of security operations to fruition. While many organizations have IDS experts and incident response personnel, their departments' main goal is usually risk analysis and policy. At Facebook, while these issues interest them, they are also much more technical.

They combine the security research team often found at security vendors, trying to research vulnerabilities and malware, with the security operations team often found at large network providers, performing incident response, correlating data, mitigating attacks, and communicating with others around the world.

I am not very pleased with Facebook itself for various reasons, ranging from its horrid privacy policy to the commercial gain it makes by turning a blind eye to applications making commercial use of what is otherwise private user information. But that does not change the fact that its security team is top-notch. I don't often write such glowing reviews of any organization, let alone one with so many security incidents, but I decided that for the new year, the people at Facebook security need to be recognized.

Let's not kid ourselves, though. With 350 million users and 1 million application developers, Facebook is an attractive target. And it's not a secure system, but its talented security team is having an impact. In the coming year, we can expect Facebook attackers to start making more use of applications to scam and infect users, as well as attacking Facebook via other infection vectors, such as email and other Websites.

Facebook, by its nature, is one of the worst security menaces ever created, but unlike other examples from history where sources of new technologies were oblivious to the problems, Facebook's security team is on the job (with special appreciation to Facebook security team members Ryan McGeehan and Alex Rice).

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.