Facebook security chief: We're not encrypting everything between our data centers just yet

Sullivan on HTTPS, NSA and paranoia

A couple of weeks ago Facebook scheduled a press powwow with its chief security officer Joe Sullivan to discuss defenses for the social network and its users. Then, a week later, Sullivan's boss made an angry call to the White House to complain about intelligence agents using Facebook as a conduit for spying on people.

"I don’t think anyone who focusses on security has been surprised by the specific things that we've seen," Sullivan told us today about reports stemming from documents leaked by NSA whistleblower Ed Snowden. Those documents suggested US intelligence systems were impersonating the Facebook website so as to silently infect victims' PCs with snooping malware.

"As security people, we're paranoid, so we assume all of these things are happening, but when you actually see concrete evidence of an implementation, that moves it from paranoia to professional security advice."

In a way it was better for Facebook that news of the NSA's man-in-the-middle attacks had come out now rather than when the company was much smaller, he said. The social network had been able to hire enough security talent to allow it to work on protecting itself against government-grade operations while maintaining a focus on guarding its users against more run-of-the-mill criminal hackers.

Facebook doesn’t have one security team per se, Sullivan said, but has different units spread around the company watching for attacks on the network's servers as well as on its visitors. Three years ago the company also started challenging its security team to hack its own staff during the tenth month of the year, in an exercise dubbed Hacktober.

Hacktober was started because the usual training videos and classroom sessions weren't effective, Sullivan said. Instead the security team originally set up a wall of shame, similar to that used at the Defcon security conference, which listed employees who had let their defenses slip.

But that wasn't very effective either, the team found. Staff resented being listed on the wall, and so the approach was changed from stick to carrot. Now, if staff spot a hacking attempt and report it, they get a Hacktober T-shirt. Sullivan said this proved a strong incentive and fostered an internal competition to beat the security testers.

Facebook also hires in outside firms for penetration testing, Sullivan explained. In some cases the attackers were given access to a small part of Facebook's internal network and asked to escalate their privileges. The internal security team would then pick up on a series of clues until the intrusion was detected and dealt with.

'If data is going through a building or a cable that someone else controls we need to assume the worst'

Recruiting the wider security community, via Facebook's bug bounty program, was also a highly effective technique. In the last three years Facebook has paid out more than two million dollars for reports of vulnerabilities in its software, and has hired three researchers who proved particularly adept at finding flaws in its defenses.

The storm caused by the Snowden leaks has had a silver lining for the industry, Sullivan said, in that it had brought erstwhile competing companies together to work on common security issues.

He detailed one case where another company warned Facebook of a dodgy server that was attempting to install malware on PCs used by the social network's employees. Facebook checked whether any of its own staff had visited the site, found they had not, but saw that the server had tried to infect workers at 50 other tech firms, too. All were warned as well.

In the meantime Facebook is ramping up its security efforts after it turned out US and UK intelligence agencies were tapping into the connections between web giants' data centers to snoop on netizens.

Yet, Facebook is still not encrypting all internal traffic between its off-site data centers: Sullivan blamed weaknesses in encrypting chunks of data flowing through his company's interconnects. Instead, his team had identified key data streams that needed protecting from eavesdroppers, and is locking them off one by one with their own encrypted channels.

Joe Sullivan

All company staff have to turn on two-factor authentication before logging on to Facebook, and Sullivan said he was heartened by how many Facebook users also wanted to use the extra security. About a third of the user base activated two-factor authentication shortly after the security team added it in 2011.

In 2013 the company doubled the length of its encryption keys to 2,048 bits and has augmented HTTPS with perfect forward secrecy. “With SSL, there’s going to be a single key that opens every car on the highway, and with perfect forward there’s now a different key for each car,” Sullivan said.
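The car-key analogy maps onto a concrete configuration check. With static RSA key exchange, whoever later obtains the server's long-term private key can decrypt every recorded session; with ephemeral (EC)DHE suites, each session derives its own key and the long-term key only signs. The following is an added example, not Facebook's code or anything from the article: it uses Python's standard `ssl` module to list which suites in a given OpenSSL-style cipher string would still be readable under a long-term key compromise. Both cipher strings are constructed for illustration.

```python
import ssl

# Constructed cipher strings for illustration (not Facebook's configuration).
# The first mixes static-RSA suites with one ECDHE suite; the second permits
# only ephemeral (EC)DHE key exchange and excludes anonymous/null suites.
LEGACY_CIPHERS = "AES256-GCM-SHA384:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"
FORWARD_SECRET_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def is_forward_secret(cipher):
    """Return True if a suite (a dict as yielded by SSLContext.get_ciphers())
    derives a fresh session key per connection, so a later compromise of the
    server's long-term private key does not unlock recorded traffic."""
    if cipher["protocol"] == "TLSv1.3":
        return True  # TLS 1.3 only defines ephemeral (EC)DHE key exchange
    # In OpenSSL naming, TLS 1.2 suites with ephemeral key exchange carry
    # "ECDHE" or "DHE"; plain "AES128-SHA"-style names use static RSA.
    return "DHE" in cipher["name"]


def non_forward_secret_suites(cipher_string):
    """Suites enabled by cipher_string whose sessions are all recoverable
    with the long-term key: the 'single key that opens every car'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # replaces the context's cipher list
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if not is_forward_secret(c))


def main():
    for label, spec in (("legacy", LEGACY_CIPHERS),
                        ("forward-secret", FORWARD_SECRET_CIPHERS)):
        weak = non_forward_secret_suites(spec)
        print(f"{label}: {len(weak)} suite(s) without forward secrecy: {weak}")


if __name__ == "__main__":
    main()
```

Run against a server's actual cipher string, the function reports exactly the suites whose recorded traffic a later key theft would expose; an empty list is the state the article describes Facebook moving to. The TLS 1.3 short-circuit is there because TLS 1.3 suite names (TLS_AES_128_GCM_SHA256 and friends) omit the key-exchange method entirely, as the protocol no longer allows static RSA.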

For mobile users the company has developed Conceal for Android, a set of Java APIs that encrypts large files using cryptographic algorithms from OpenSSL. The company is also investigating third-party apps and checking the security of the companies that provide it with leased lines to make sure there are no data leaks – at least, as far as possible.

"We're looking at literally every point in the movement of data and analyzing the risks. If data is going through a building or a cable that someone else controls we need to assume the worst, in the same way that we assume the worst about every one of our employees," Sullivan said.

"I trust everyone I work with, but also assume that they can get malware on their laptop or they might have their spouse held hostage. Everything can go wrong and it's not about trusting people, it's about removing the risk." ®
