Facebook CSO (Max Kelly)
Axiom 11: That feature can be used in a way that you didn’t think of. Try and find out what it is.
Facebook key security values
- We will diligently pursue attackers of any type
  - This could mean taking them to court, but also offering them a job
- We will use all legal means available to identify attackers and their motives
- We will use all legal resources, civil and criminal, to protect our users, protect ourselves, and preclude further attacks
- In line with Facebook corporate values: we will respect the trust our users place in us, we will move fast and leverage our actions to high-order problems
- We will work with the security community and will support and embrace white-hat efforts to assist us as we assist them
Axiom 23: Intelligence is king. Make every user interaction give you some sort of intel. Then build the tools to analyze it, and act on it.
Axiom 12: Compliance isn’t security. Put it off as long as you can. If you’re doing things right, it won’t be hard to codify. But, if you’re spending time on compliance too early, you’re getting pwned.
Vulnerabilities -> Threats -> Attacks -> Actors
“Without attacks, threats and vulnerabilities are fine” Max Kelly
- Ignore the threats
  - Know about threats, but be realistic
  - Are those internal firewalls really necessary?
- Spend your time watching attacks
  - They will tell you everything
- Target the actors
  - Destroy their ability to make money
Axiom 31: Ask your users for help. They want to.
- Classic spam (text, URLs)
- Friend requests
- Chain letters
SPAM Defense (automated defenses in real-time)
- Rate Limiting
- User Reports
- Anomaly detection
- String blocking
- Account deletion
- Machine learning
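Three of the listed controls (rate limiting, user reports, string blocking) combined into one real-time triage step, as an added example that is not from the talk or from Facebook; the limits, thresholds, blocked strings and event stream are assumed or constructed:

```python
from collections import defaultdict, deque

RATE_LIMIT = 3          # max friend requests per account per window (assumed value)
WINDOW_SECS = 60        # sliding window length in seconds (assumed value)
REPORT_THRESHOLD = 2    # distinct reporters needed before acting (assumed value)
BLOCKED_STRINGS = ("free-iphone.example", "cheap-meds.example")  # constructed list

def rate_limited(events, limit=RATE_LIMIT, window=WINDOW_SECS):
    """Sliding-window counter per account; returns accounts that exceeded it."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, account, kind, _ in sorted(events):
        if kind != "friend_request":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > limit:
            flagged.add(account)
    return flagged

def string_blocked(events, blocked=BLOCKED_STRINGS):
    """Accounts whose messages contain a known-bad URL or string."""
    return {acct for _, acct, kind, text in events
            if kind == "message" and any(b in text for b in blocked)}

def reported(reports, threshold=REPORT_THRESHOLD):
    """Accounts reported by at least `threshold` distinct users."""
    reporters = defaultdict(set)
    for reporter, target in reports:
        reporters[target].add(reporter)
    return {t for t, r in reporters.items() if len(r) >= threshold}

def triage(events, reports):
    """Two or more independent signals -> delete; a single signal -> throttle."""
    signals = defaultdict(set)
    sources = {"rate": rate_limited(events), "string": string_blocked(events),
               "report": reported(reports)}
    for name, hits in sources.items():
        for account in hits:
            signals[account].add(name)
    return {a: ("delete" if len(s) >= 2 else "throttle") for a, s in signals.items()}

# Constructed sample stream: (timestamp, account, kind, text)
EVENTS = [(0, "bot1", "friend_request", ""), (5, "bot1", "friend_request", ""),
          (10, "bot1", "friend_request", ""), (12, "bot1", "friend_request", ""),
          (20, "bot1", "message", "get a free-iphone.example now"),
          (30, "alice", "message", "see you at lunch"),
          (40, "bot2", "message", "visit cheap-meds.example")]
REPORTS = [("alice", "bot1"), ("bob", "bot1"), ("carol", "bot2")]  # (reporter, target)
```

Requiring two independent signals before deletion keeps a single noisy control (or a burst of malicious reports against a legitimate user) from deleting accounts on its own.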
Typical Spam Attack on Facebook
The first stage is for an attacker to identify a possible attack vector. Next, the attacker begins to collect accounts (either by hijacking accounts, by phishing, or by friending the people they want to spam). They then program or purchase scripting software to spam users, and begin spamming. Follow the money!
Facebook responds to this by finding where and how the attacker plans to make money. Where are they forwarding the user to? What is the end goal (malware, advertising, phishing, ...)?
Facebook actively attempts to disrupt attacks by seeding false phishing lists and tracking who uses the honey-accounts.
Facebook has a number of lawsuits lined up that they are pursuing “at their leisure”.
Axiom 66: Sometimes, ignore the rules. The bad guys do all the time.
For more information please see the Blackhat Europe website