At Facebook, defense is offense

Led by a former federal high-tech crimes prosecutor, the Facebook security team outsmarts foreign technical attacks, thwarts account hijackers and gets spammers to pay.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
9 min read
Ryan McGeehan, security manager for incident response at Facebook, and Joe Sullivan, Facebook's chief security officer, stand in front of the wall of scalps of spam judgments, actions against child predators, and other wins for the company's security team.
Ryan McGeehan (left), security manager for incident response at Facebook, and Chief Security Officer Joe Sullivan stand in front of the wall of scalps of spam judgments, actions against child predators, and other wins for the company's security team. James Martin/CNET

PALO ALTO, Calif.--The nerve center for Facebook's security team is a room tucked away on the lower level of the company's main building here. The word scalps is painted in big blue stenciled letters on the back wall, which serves as a kind of scrapbook of legal and other wins for the social-networking company.

Taped to the wall are photos of spammers getting served notices of lawsuits, copies of checks defendants have used to settle suits filed by Facebook, mug shots of child predators who were kicked off the site and face criminal charges, cease and desist letters sent to fraudsters who sold fake Facebook accounts, and a letter from a former spam-happy teenager that starts "I appreciate that you spoke to my mom."

The wall of scalps is a source of pride for Facebook's security team and is representative of the company's aggressive, no-holds-barred approach to keeping fraudsters and thieves away from its more than 500 million users.

"We've built an offensive capability," says Joe Sullivan, chief security officer at Facebook. "Filing civil lawsuits is not a PR statement; it's very impactful. We monitor underground forums and the spammers discuss the judgments. It has a deterrent effect."

Indeed, settlement judgments--including the $873 million record judgment in one Facebook case--aren't something to sniff at if you're in it for the money.

Facebook's litigiousness should come as no surprise given Sullivan's background. He joined Facebook in 2008 after working in various security and legal roles at PayPal and eBay for six years and at the U.S. Department of Justice for eight years. He was the first federal prosecutor in a U.S. Attorneys' office working full-time on high-tech crime cases and was a founding member of the Computer Hacking and Intellectual Property Unit in Silicon Valley. Recently, he joined the board of the National Cyber Security Alliance.

"The philosophy predates me, but it's one I'm excited to be a part of," Sullivan told CNET in a recent interview. "You can't just build walls. You have to create incentives for people to not want to cause trouble."

Tunisian passwords
Lately, in addition to trying to keep the bad guys off of Facebook, Sullivan and his team have had to thwart outside attempts to keep some users from the site.

On Christmas Day, the security staff started hearing complaints from political activists in Tunisia--who had been protesting against the government since December--that their Facebook accounts were being compromised. It turned out that Internet Service Providers in that country were injecting malicious code into the Facebook log-in pages that was hijacking users' passwords as they tried to get onto the site, Sullivan said.

"We had to figure out how we could stop this technical attack quickly without breaking the Web site for everyone," he said. "This is the fun part of our job. We get to react to things that no one has dealt with before. Nobody freaked out."

After conferring with tech-savvy representatives from nongovernmental organizations, the U.S. government, and others, Facebook came up with a solution to fix the problem and began rolling it out to users in Tunisia over the next week. After that, the site saw a 15 percent jump in traffic from that country, according to Sullivan.

"We're not getting involved in geopolitical debates," he said. "We're just protecting our users."

That's not the only time the popular social-networking site has found itself in the crossfire between people using the Internet to plan protests and spread information and governments that want to stop them.

Last week, the site reported service disruptions and a drop in traffic from Egypt, where protesters were demanding an end to the 30-year reign of President Hosni Mubarak. And in 2009, Iranians relied on Facebook (and Twitter and YouTube) during antigovernment street protests amid a text messaging and cell phone blackout.

A few months ago, Facebook found itself dealing with another politically sensitive matter when an ISP in a South Asian country that Sullivan declined to name appeared to be doing something fishy. Random pages were popping up on the site for people accessing Facebook from that country.

"One of the largest ISPS in that country was clearly using filtering software directed by the government," Sullivan said. "It broke the Facebook experience by caching the wrong information."

So, Facebook blocked that ISP and told the company it wouldn't allow access to the site until the problem was fixed. "You hear of countries blocking sites like Facebook. Well, sometimes we block them too," Sullivan said.

"We make a judgment call on how to best protect our users. We're not thinking of it from a political standpoint," he said. "We do get lawful government data requests and work with our lawyers on those. But where there is a risk of exposure of (customer) information outside that process, we want to prevent that."

A CNET reporter talks to spokesman Simon Axten, McGeehan and Sullivan in a conference room with a Super Mario video game theme at Facebook headquarters.
A CNET reporter talks to spokesman Simon Axten, McGeehan and Sullivan in a conference room with a Super Mario video game theme at Facebook headquarters. James Martin/CNET
Malware and phishing road blocks
The cases involving governments are few and far between, however. Ninety percent of the time the Facebook security engineers are just trying to prevent financially motivated scammers from taking over user accounts and distributing spam. Overseeing the technical end of that effort for Facebook is Ryan McGeehan, security manager for incident response.

McGeehan, who used to work on Web security for the Federal Reserve Bank and volunteers for the Honeynet Project security research nonprofit, tries to understand the mindset of attackers and anticipate what tricks they might try next.

As a result of his work with the Honeynet Project he is able to predict threats. For example, his team took advantage of a period when the Koobface worm was dormant to research antiphishing techniques before the malware starting attacking again, he said.

"Our detection (technology) had to change," McGeehan said. "We took older technologies and applied them to the malware."

Because account hijacking is so much of a problem due to increasingly clever phishing efforts, Facebook has advanced security features any user can enable and is turning to novel authentication methods for protecting at-risk accounts.

People can have Facebook notify them if their account is being accessed by a device the site does not recognize as being one they normally use. Users also have the option to see all the active sessions associated with their account and close ones they don't want open, from forgetting to log off at an Internet cafe, for example. People can ask the site to send them a onetime password for use on computers they don't trust. And last week, Facebook began rolling out a feature that lets people use HTTPS (Hypertext Transfer Protocol Secure) encryption technology for all of their activity on Facebook, not just when they are typing in the password.

McGeehan's team has devised what it calls "roadblocks" when it detects anomalous activity that would indicate a possible malware infection on the computer or that someone other than the authorized account owner is trying to access the site. For example, if the system notices that an account is sending a large number of messages or making a lot of posts and posting dubious links--activities that could indicate a malware infection--the computer will direct the user to a free browser-based McAfee Clean and Repair tool that can be used immediately.

The company also is using "social authentication" to keep hijackers out of accounts even when they have the password. If the system doesn't recognize the device being used by a particular account to log in, or the location is new, it will force whoever is trying to access an account to prove he or she is the authorized account owner. If the account owner has provided Facebook with a mobile phone number, the system may send a code via text message that can be used to access the account. The person attempting to log in also may have to prove they are the owner of the account by matching names of Facebook friends with their photos as they are presented randomly.

"How do we recognize that the person logging in isn't you? Behind the scenes we have built a robust process to detect that, and we put the person through a flow that only the account owner" could navigate, said McGeehan, who has some patents pending related to the use of the "social graph."

Despite all the efforts, problems are bound to happen as they do at any big Internet Web site. Last week, Facebook reported that a bug in an API (Application Programming Interface) allowed someone who was unauthorized to post to the Fan pages of company CEO Mark Zuckerberg and a couple of other unidentified high-profile accounts, which may or may not have included French President Nicolas Sarkozy's page.

"We have a history of being quick to act on any vulnerability we find," McGeehan said when asked to comment on the glitch. "This is something that separates us from other Web sites."

Privacy matters
A few security professionals who follow Facebook closely concurred with McGeehan's boast and, in general, praised the company's security efforts with regard to attacks on users or data from outside the site. However, several of them voiced concerns about privacy issues related to Facebook's policies and practices for data used for advertising and by third-party apps.

"Their track record has been good on internal security. There have been surprisingly few hacks on their system given the amount of attention they get," said Chester Wisniewski, senior security advisor at antivirus vendor Sophos. "The bigger picture of security at Facebook is how they're handling people targeting the users" by way of malicious or misleading apps distributed by fraudulent developers.

"They seem to be doing a reasonably good job of shutting these things down once they pop up, but what are they doing to prevent fraudulent apps from being created?" he said.

Facebook Chief Security Officer Joe Sullivan
Facebook Chief Security Officer Joe Sullivan James Martin/CNET

Asked whether and how Facebook vets the apps, Sullivan said: "We have a dedicated team and dedicated processes. What people sometimes misinterpret is that it is not an upfront gatekeeper (approach). It's a risk-based approach." Facebook's platform operations team doesn't scrutinize every single app, rather it devotes its energy to the ones that could cause the most damage if they were bad, he said.

"We look at and regularly review apps that are being used," Sullivan said. "Not ones that reached critical mass, but if they show any type of velocity. And velocity can be defined by sheer volume of users, publishing, (if they have) access to more than basic information, complaints."

Facebook also has reined in the ability of apps that formerly were unrestrained in the amount of information they had access to. Now, in order for an app to get access to data beyond what Facebook considers basic information needed for people to search for others on the site, the app must get explicit permission from the user. But Wisniewski said users should have the ability to pick and choose the access rights they want any particular app to have to their data.

"When it comes to privacy stuff they make you opt out, but when it comes to security you have to opt in," he said.

Asked to comment on the privacy concerns, Sullivan said there was a lot of misinformation about Facebook's marketing practices and that, for example, the company does not turn over user information to advertisers.

"Our objective is to give users choice and make sure that choice is transparent, and if a developer wants to say I need these 10 pieces of information for my application, you don't want to force the developer to change their product," he said. "We want to help the user make an informed decision about whether they want to share that information."

Ultimately, the debate centers on what trade-offs Facebook chooses to make to be able to keep growing the platform by attracting developers and ad revenue, and whether users are willing to accept those business decisions.

"Fundamentally, their business is advertising and targeted advertising based on your interest and your profile. Whatever data you upload to their site is grist for the mill so they can sell advertising," said Andrew Walls, a research director at research firm Gartner's security, risk, and privacy group. "They're doing a fair job of exploring the space between privacy expectations of consumers, the business needs of Facebook, and what society at large wants to see happen down the road."