Securing Facebook

This month, a photo of spammer Sanford Wallace joined dozens others on a wall inside Facebook's security office, under a banner that reads "scalps".

The self-styled 'Spam King' turned himself in to US police on 4 August, after an indictment (pdf) was sought against him on 11 charges relating to electronic crime.

He was accused of using 500,000 compromised Facebook accounts to post some 27 million spam messages. Such a finding could place Wallace in contempt of court for breaching an order not to access Facebook.

And according to Facebook security manager for investigations and incident Ryan 'Magoo' McGeehan, "once you are on the radar for attacking our users, you never, ever leave".

Facebook was unforgiving to those that exploited its service or attacked 750 million users.

The Spam King's reign may be over, but there was always someone else trying to break into Facebook -- a social network to some and an identity theft White Pages to others.

Some within the online activist group Anonymous threatened to attack Facebook on November 5, Guy Fawkes Day, but Facebook was not particularly troubled.

It was just another threat that would be handled with the same immediacy as every other hacking, spam and social engineering attack against the site, McGeehan said.

McGeehan headed up an incident response team of ten, which chased down spammers and hackers and was part of Facebook’s 300-strong security team.

He said security staff needed to think like black hat hackers, be in a constant state of high alert and assume they were constantly being hacked.

“You need to know your enemy, understand the trends, and the goals [of attackers] from a threat perspective,” he said. “You need to put on your black hat.”

McGeehan said threats had become more sophisticated and financially-motivated during his five years at Facebook, but was not surprised, given its 75-fold growth from 10 million users in that time.

”I’ve seen the evolution of threats from the primordial ooze of security, like 419 scams, fake accounts, to sophisticated threats that we are now dealing with,” he said.

Social security 

Facebook last week launched a 14-page security guide for users, covering everything from phishing and clickjacking, to how to recover a hacked account.

The report highlighted the role of users in securing the website, noting that Facebook scams tended to be harder to identify than email tricks.

"Just as a city paints sidewalks, and pedestrians look both ways before crossing the street, security on Facebook is a responsibility shared between Facebook and the people who use its platform," the site wrote.

In defending Facebook, McGeehan drew heavily on his volunteer work as a member of the HoneyNet Project, for which he worked on web-based and client-side honeynetting.

Facebook also offered bug bounties to security researchers who found vulnerabilities in Facebook’s services.

It has been deluged since revising vulnerability disclosure policies to satisfy the Electronic Frontier Foundation, and regularly paid above minimum advertised amounts.

Earlier this month, one researcher bagged $5000 for a critical vulnerability and was helping Facebook to resolve the flaw.

“The bug bounties are like simulating attacks, all the time,” McGeehan said. “We have had a fantastic response.”

Copyright © SC Magazine, Australia