

IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 1, 2014


Facebook CSO Joe Sullivan on protecting a billion people from spam, malware and hackers

It is said that if Facebook were a country, it would be the world's third largest. Consider some more facts: Facebook has 1.11 billion users, 665 million of whom visit the site daily. Developers have created more than 10 million apps on Facebook, and a mammoth 4.75 billion items are shared by users every day. Joe Sullivan, Chief Security Officer at Facebook, shares how the social networking giant carries out the challenging task of maintaining the security and privacy of its users. Some edited excerpts:

As one of the world’s most visited websites, what are the biggest threats for you as a CSO?

Facebook has always been about trust, and when people log onto the site they need to feel secure throughout their experience. If users have a bad experience, they are much less likely to use the site or meaningfully engage. As such, security must be a priority and we need to invest heavily to provide the most trustworthy and secure experience possible. One of the threats that worries me the most is the risk of a compromised account that can hijack the implicit trust of any person’s network. No matter whether it’s a high-profile individual, major corporation or simply a person who shares family photos, whenever someone loses access to his account, everyone on that person’s network becomes aware of that fact. This undoubtedly undermines trust in the service.

This is why we have built self-service remediation tools like www.facebook.com/hacked and have hundreds of people across the company who work on security.

Can you give us a brief overview of the volume and complexity of threats you handle every day at Facebook?

One metric that illustrates our scale, while it dates from 2011, is the fact that six hundred thousand times a day, someone tries to log into accounts using stolen credentials, but we catch these attempts and block them. However, we try to expect and anticipate every possible attack on any given day. Due to our size, we face the same threats as seen everywhere else on the web, but we have developed partnerships, backend systems, and protocols to confront the full range of security challenges we face.

How have threats changed over the years, and how has Facebook responded to these threats?

We are constantly seeing the threatscape change and adapt to our security efforts. For example, during 2011 and through part of 2012, there was a wave of Self-XSS spam circulating on the site, where users would be tricked into copying and pasting JavaScript into their browsers, which would cause spam to spread on their page. However, after we made several improvements to our internal systems and browser vendors instituted changes to their default configurations, these threats have faded from the site. Now malicious browser extensions, which were absent a couple of years ago, are becoming an emerging threat.

In your view, what are some of the most common mistakes users make on Facebook that lead to their accounts being compromised?

Never ever enter your password unless you are on the Facebook login page and have validated the URL in the address bar. Users all too often enter their password into a phishing site, e-mail or scam, which nullifies many of our security protocols, since it's harder to distinguish the account holder from a scammer if the scammer has the correct password. Never copy and paste code or scripts you do not understand, whether it's Self-XSS or access token stealing. All too often we see people executing malicious code or sending hackers secret tokens simply because they believe that they can access special features or win a prize, without understanding what they're doing to their account. As a good rule of thumb, if it seems too good to be true, it probably is. Never use the same password for more than one site. One of the first things a hacker tries when he has someone's password from another site is to try those credentials on Facebook, as we have over 1 billion users and many people reuse their password. If you're reusing a password across multiple sites, you are as vulnerable as the weakest site's security. Don't fall victim, and be sure to use strong, unique passwords for every site.
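The two answers above, on the six hundred thousand daily logins with stolen credentials and on password reuse, describe credential stuffing: credentials leaked from one site replayed against accounts here. As an added example that is not from the interview or from Facebook, here is the kind of detection logic a site runs over its own login log to spot a stuffing source (one IP, many distinct accounts, mostly failures) and to list the accounts it actually got into, which need a forced password reset rather than just a block. The log format, IP addresses, usernames, window and thresholds are all constructed for this example.

```python
"""Flag credential-stuffing sources in a login log (added example, not Facebook code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: one attacker IP (203.0.113.7) replays credentials leaked from
# another site against many different accounts and gets into one of them ("grace").
# The other two IPs are ordinary users. Format: timestamp ip username OK|FAIL
SAMPLE_LOG = """\
2013-05-01T10:00:01Z 203.0.113.7 alice FAIL
2013-05-01T10:00:02Z 203.0.113.7 bob FAIL
2013-05-01T10:00:03Z 203.0.113.7 carol FAIL
2013-05-01T10:00:04Z 203.0.113.7 dave FAIL
2013-05-01T10:00:05Z 203.0.113.7 erin FAIL
2013-05-01T10:00:06Z 203.0.113.7 frank FAIL
2013-05-01T10:00:07Z 203.0.113.7 grace OK
2013-05-01T10:05:00Z 198.51.100.20 alice FAIL
2013-05-01T10:05:30Z 198.51.100.20 alice OK
2013-05-01T11:00:00Z 192.0.2.44 bob OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format above into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_s, ip, user, result = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, ip, user, result == "OK"))
    return events


def find_stuffing_sources(
    events: list[LoginEvent],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> dict[str, tuple[int, float]]:
    """Return {ip: (distinct_users, fail_ratio)} for IPs that, within some sliding window,
    tried at least `min_users` different accounts with a mostly-failing result.

    That combination is the stuffing signature: a real user who mistypes hits one
    account, and a brute-force guesser hits one account many times. The thresholds are
    assumptions for this example, not production values.
    """
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged: dict[str, tuple[int, float]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, last in enumerate(evs):
            win = [e for e in evs[: i + 1] if e.ts >= last.ts - window]
            users = {e.user for e in win}
            fail_ratio = sum(not e.ok for e in win) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                # Keep the widest qualifying window seen for this IP.
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), round(fail_ratio, 2))
    return flagged


def compromised_accounts(events: list[LoginEvent], flagged_ips) -> list[str]:
    """Accounts a flagged source logged into successfully: that password is now known to
    be both leaked and valid here, so the account needs a forced reset, not just a block."""
    return sorted({e.user for e in events if e.ok and e.ip in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    print("stuffing sources:", sources)
    print("accounts to reset:", compromised_accounts(evs, sources))
```

On the constructed log, the attacker IP is flagged with 7 distinct accounts and a failure ratio of 0.86, while the user who mistyped once and then logged in is not, because the distinct-account count is the discriminating feature. In practice the same logic is usually run per subnet or per ASN as well, since stuffing tools rotate source addresses, and the success list feeds the account remediation flow rather than the IP blocklist.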

How much does Facebook rely on algorithms to weed out fake spam accounts or malware? How successful are algorithms? Where do algorithms stop and where do humans come in?

We encourage people to report anyone they think is doing this, either through the report links we provide on the site or through the contact forms in our help center. We process these reports through our User Operations Team, and this information helps inform our site integrity systems. These technical systems also flag and block potential fake accounts based on name and anomalous site activity. These technical systems parallel the work of our dedicated user operations team, investigating reports and taking action as necessary. We will take varying responses on accounts depending on our level of suspicion. This can span from Social Captcha, to asking for a phone number, to finally asking for a government ID.

We use a combination of machine learning and anomaly detection to identify fake accounts. We can train new classifiers in hours and push new rules in minutes. This self-iterating automated infrastructure uses hundreds of features to classify accounts, content and activity with varying levels of confidence. We then use these statistics to present challenges to these users if we believe they may be suspicious. Our site integrity infrastructure combines information from across all involved areas to analyze both short- and long-term reputations, combine disparate information into one place, and review known malicious feature sets (for example, posting a malicious URL to a stranger). Facebook's SI infrastructure is robust enough to provide multiple functions, including storage of SI data, detection, monitoring, alerting, investigation, ML classifiers, a training pipeline, and read-time filtering.

Beyond these short-term measures, our long-term goal is to continually increase the difficulty of creating inauthentic accounts that are used for abusive purposes, infecting people with malware, and compromising user accounts.
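The answer above describes graduated responses (Social Captcha, then a phone number, then government ID) chosen from a suspicion level that combines classifier output, rules that can be pushed in minutes, and short- and long-term reputation. The following is an added example and not Facebook's site integrity code: a small risk scorer with hypothetical features, weights and tier cut-offs; a rule layer that sets a floor on the challenge regardless of score; and an exponentially weighted long-term reputation that decays past behaviour instead of forgetting it. Every feature name, weight, threshold and sample account here is an assumption made for the example.

```python
"""Graduated account challenges from a suspicion score (added example, not Facebook code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AccountSignals:
    """Short-term activity features plus a long-term reputation. All hypothetical."""
    account_age_days: int
    reports_received_24h: int        # user reports filed against this account
    strangers_messaged_24h: int      # messages or posts to people outside the account's network
    malicious_urls_posted_24h: int   # posted URLs that matched a malicious-URL feed
    long_term_reputation: float = 0.0  # -1.0 (repeat offender) .. +1.0 (trusted)


# Responses in order of increasing friction; the list index is the tier.
CHALLENGES = ["none", "social_captcha", "phone_number", "government_id"]
# Score needed to reach each tier (assumed cut-offs for this example).
TIER_THRESHOLDS = [0.0, 2.0, 5.0, 9.0]


def suspicion_score(s: AccountSignals) -> float:
    """Linear stand-in for a trained classifier. The weights are assumptions."""
    score = 3.0 * s.malicious_urls_posted_24h
    score += 1.0 * s.reports_received_24h
    score += 0.2 * s.strangers_messaged_24h
    if s.account_age_days < 7:
        score += 2.0                       # brand-new accounts get less benefit of the doubt
    score -= 4.0 * s.long_term_reputation  # a good history buys tolerance, a bad one removes it
    return max(score, 0.0)


def rule_floor(s: AccountSignals) -> int:
    """Hand-written rules of the kind that can be pushed in minutes. Each sets a minimum
    tier the score-based decision cannot lower, so a trusted account that starts posting
    malicious links to strangers is still challenged despite its good reputation."""
    floor = 0
    if s.malicious_urls_posted_24h > 0 and s.strangers_messaged_24h > 0:
        floor = max(floor, CHALLENGES.index("phone_number"))
    if s.malicious_urls_posted_24h >= 3:
        floor = max(floor, CHALLENGES.index("government_id"))
    return floor


def choose_challenge(s: AccountSignals) -> str:
    """Highest tier whose threshold the score reaches, raised to the rule floor."""
    score = suspicion_score(s)
    tier = max(i for i, t in enumerate(TIER_THRESHOLDS) if score >= t)
    return CHALLENGES[max(tier, rule_floor(s))]


def update_reputation(old: float, passed_challenge: bool, alpha: float = 0.25) -> float:
    """Exponentially weighted reputation: each outcome moves it a fraction `alpha` of the
    way toward +1 (challenge passed) or -1 (failed or abandoned), so a single old incident
    fades while a pattern of them does not."""
    target = 1.0 if passed_challenge else -1.0
    return (1.0 - alpha) * old + alpha * target


# Constructed cases, not real accounts.
LONG_STANDING = AccountSignals(2000, 0, 3, 0, long_term_reputation=0.5)
NEW_AND_NOISY = AccountSignals(1, 2, 20, 0)
TRUSTED_BUT_SPAMMING = AccountSignals(400, 0, 1, 1, long_term_reputation=0.8)
BOTLIKE = AccountSignals(3, 5, 50, 4)

if __name__ == "__main__":
    cases = [("long-standing", LONG_STANDING), ("new-and-noisy", NEW_AND_NOISY),
             ("trusted-but-spamming", TRUSTED_BUT_SPAMMING), ("bot-like", BOTLIKE)]
    for name, sig in cases:
        print(f"{name:22s} score={suspicion_score(sig):5.1f} -> {choose_challenge(sig)}")
```

The trusted-but-spamming case is the one worth noticing: its good reputation cancels the score from the single malicious URL, so the classifier alone would do nothing, but the rule layer still forces a phone-number challenge. That is the reason for keeping fast rules beside slower-to-retrain classifiers, and the reputation update keeps a failed challenge from disappearing the next day.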

Can you give us some examples where you have successfully taken down hackers or cybercriminals, such as the group behind the Koobface worm?

Late last year, the FBI announced the arrests of 10 individuals located throughout Eastern Europe, South America, New Zealand, the UK and US linked to the Yahos malware and the Butterfly botnet that infected more than 11 million computer systems and accounted for USD 850 million worldwide. While we had visibility on only a fraction of those 11 million systems, we were able to provide assistance to law enforcement to help identify the malware, and those responsible. From 2010 to October 2012, our security systems were detecting and remediating affected accounts, which gave us invaluable insights into the root cause that we were able to later share with the FBI.

How do you see the role of crowdsourcing in enhancing security? How effective is an initiative like the Facebook Bug Bounty program?

We launched the Bug Bounty program with the goal of finding people around the world who can help improve Facebook’s security. We are glad that there are people in the community who participate in these programs and contribute to everyone’s security. No matter the calibre and number of people we hire here at Facebook Security to help secure our product, we are constantly aware of the fact that there will always be more people out in the community who will be poking at our system anyway. As such, it makes perfect sense to incentivize these people to research constructively and responsibly.

Your advice to CSOs. What must be their approach to tackle security on a day-to-day basis?

I would tell any CSO to focus on being proactive and not simply look at the current threatscape. Truly great security involves building out the capability to not just respond to today’s attacks, but to prepare for tomorrow’s.
