X

To stop next spam king, Facebook program helps firms share security info

The company's ThreatExchange program hopes to break longstanding barriers to companies talking about the cybersecurity threats they face. Early indications show they're willing to play along.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
4 min read

Last week, a hacker pleaded guilty to his crimes. The self-described "spam king," Sanford Wallace of Las Vegas, acknowledged in court his history of breaking in to Facebook accounts and sending millions of unwanted messages to other users over a period of three months.

Thankfully, the spamming was all he did. A more nefarious hacker, like those who broke in to Sony in November or Ashley Madison this summer, could have done much more damage.

Facebook believes it's come up with a way to stop the next spam king before he even starts. It's called ThreatExchange, and it's a program where companies around the world pool their collective knowledge about hacking attacks to help warn one another of the various methods being used by bad guys. Think of it like Facebook, but for catching hackers.

"We want to be able to disrupt these things more frequently," said Mark Hammell, who manages Facebook's Threat Infrastructure team.

corbis-42-45168912.jpg

Facebook is reporting early success with its ThreatExchange program, which could help Internet companies bring down the hackers targeting them all.

John Fedele/Blend Images/Corbis

If the program is successful, the Internet could become a better place for everyone. The information ThreatExchange could share between companies would not only identify particular hacking attacks, but also find out what they have in common, painting a picture of where hackers are based and what tactics they tend to use.

So why hasn't someone tried this sooner?

Other efforts do exist, including a partnership called Soltra that provides a free repository of threat information for financial service companies. Hewlett-Packard offers a subscription-based service called Threat Central for sharing and analyzing cyberthreat information. Then there's the government. In an executive order this February, President Barack Obama urged more information sharing. And such cooperation may soon be required if the Senate passes a cybersecurity bill in September.

Nonetheless, there are longstanding barriers that have kept more companies from sharing information about hacking attacks. They're often shy to divulge these details for a variety of reasons, including fears of cyberespionage to concerns over customer lawsuits and even the possibility they'd be handing over a competitive advantage.

That attitude is starting to change as hacking becomes more prevalent and high profile, said Alex Rice, an executive at security company HackerOne, who used to work for Facebook. "Pragmatism is breaking through that," he said.

Facebook believes it can encourage this trend by acting as a neutral meeting ground for these companies.

The program works through special software Facebook gives each participating company, which draws the information about cybersecurity threats from the companies' own computers. Employees don't see much more than the same programs they always use to monitor the healthy functioning of their company's technology. But Facebook is watching in the background, and to ensure privacy the company lets users choose what to share and who can see it.

Facebook also isn't charging participants for the service, a key difference that had hobbled past attempts to combine company information in the past.

Early success

Since Facebook announced the program in February, 11,000 organizations have applied to join, Hammell said. So far 90 groups have been selected from across seven industries. That includes big-name Internet companies like PayPal, Yahoo, Pinterest, Tumblr and Microsoft as well as financial institutions, colleges and universities, and defense contractors.

The most notable group not involved is the government, which Facebook says it's not planning to include. Not only could government agencies be subject to public records requests about information they submit, but Facebook is not interested in giving ThreatExchange information to law enforcement, Hammell said.

In all, participants have submitted data and queried the program about 30 million times per month on average, and most are searching out information on malicious software and signs that something that seems dodgy is actually a threat.

Andy Steingruebl, who directs a cybersecurity department at PayPal, said the program works in part because it allows companies to decide whose take on a given threat is worth listening to.

Hackers are always coming up with new ways to disguise their activities, forcing companies to make a judgment call about who's using their websites for legitimate purposes and who's trying to break in. That isn't always easy, Steingruebl said. "People have a hard time agreeing what's bad on the Internet and why it's bad," he said.

As a result, Facebook doesn't analyze the quality of the data companies send, but rather tries to give it context by showing how a range of participants viewed a given potential attack.

Connecting the dots

ThreatExchange isn't focused on one piece of tricky software, like a virus. Instead, it compiles information on where that software is coming from and where it's sending information to. That lets companies know not just to distrust the software, but the sender as well.

"ThreatExchange is really valuable for telling you who's trying to exploit something," Steingruebl said.

Despite that information's value, experts such as Rice say a program like this wouldn't be effective if it wasn't free.

It might sound strange that Facebook -- a company known for selling companies on the ability to send targeted ads to its users -- would collect a trove of sought-after information and simply pass it on for free to its partners. But Facebook has been much more giving toward its peers, letting them see the code it's built for many of its internal systems, among other things.

And the benefit of giving the information away could easily outweigh the cost of putting the program together. It all comes back to the spam king, and the abuse of Facebook that he represents. Increasing communication about spammers and hackers like him could eventually make Facebook a nicer place to hang out, because the whole Internet will be better.

"It was really about making the Internet a safer place in general, for us and everyone else who uses our products," Hammell said.