Facebook: Hey guys, come share all your securo-blunders with us!
Serial privacy philanderer launches social network for infosec vulns
Facebook is teaming up with other big names on the interwebs to create a security information sharing portal, dubbed ThreatExchange*, which went live on Wednesday.
ThreatExchange is billed as a platform that enables security professionals to “share threat information more easily, learn from each other's discoveries, and make their own systems safer”.
Facebook said that it has built a set of privacy controls into the platform so that “participants can help protect any sensitive data by specifying who can see the threat information they contribute.”
Threats like malware, spam and phishing typically go after multiple targets. Sharing threat intelligence improves collective defence against the bad guys, who are already collaborating, the argument goes.
The US Cyber Intelligence Sharing and Protection Act (CISPA), which allows private companies to share customer information with the NSA and others in the name of cybersecurity, has repeatedly failed to clear legislative hurdles.
Under the latest attempt to revive the proposed law, announced by President Obama last month, corporations and government would be obliged to share information about possible computer security vulnerabilities in order to make everyone more secure. The idea sounds like a winner, but the problem is that organisations taking part will also pass on customer information to law enforcement, after taking "reasonable" steps to anonymise it. In return, they get threat intelligence from the Feds about the attack landscape.
Privacy activists are dead against the idea, partly because experience has shown it’s very difficult to anonymise data in practice, as well as because of more general fears that information sharing represents another way for the NSA to hoover up yet more data into its vast data centre.
Groups like the Electronic Frontier Foundation advocate the use of information sharing hubs as an alternative. Facebook’s social network for threat sharing fits into that mould, when viewed from a charitable perspective. On the other hand, Facebook has a long history of shifting its privacy goalposts, at least with information supplied by consumers – and this makes the social network a mite difficult to trust.
Head honcho Mark Zuckerberg famously labelled early Facebookers "dumb fucks" for sharing their personal info on his network – which, let’s not forget, exists to allow its customers (i.e. advertisers) to sling better-targeted adverts at consumers.
Maybe Facebook is coming at ThreatExchange from a different angle. In fairness, other web 2.0 firms have already been convinced to collaborate with Facebook on ThreatExchange.
Early partners for ThreatExchange include Bit.ly, Dropbox, Pinterest, Tumblr, Twitter, and Yahoo. Facebook said that it expects new partners to jump on board as the platform grows. Information sharing has been going on on an ad-hoc basis in certain industries, particularly banking, for many years. Yet sharing via e-mail and spreadsheets is too ad-hoc and inconsistent: it’s difficult to verify threats, to standardise formats, and for each company to protect its sensitive data. Commercial options can be expensive and many open standards require additional infrastructure, according to Facebook.
Facebook aims to plug the gap in existing approaches by building on its internal ThreatData system to create a social platform designed for sharing indicators such as bad URLs and domains. Facebook is at pains to emphasise that it's really serious about privacy, at least when it comes to the operation of ThreatExchange.
“We are committed to protecting people's privacy, and we built controls into the platform to help people share with only their intended group every time,” Facebook promises. “Participants choose from a defined set of data types that exclude categories of sensitive data, and a number of safeguards help ensure that threat data isn't accidentally shared broadly.”
“This approach makes it easier for an organisation that may want to share data that needs to be handled with extra sensitivity—for example, a company might want to share specific information only with another company they know to be experiencing the same attack,” it adds.
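The three controls Facebook describes above (a fixed set of shareable data types, exclusion of sensitive categories, and per-record audiences so that data is only seen by the intended partners) can be modelled in a few dozen lines. The following is an added example written for this article; it is not ThreatExchange's own code or API, and the type allowlist, the list of sensitive field names and the partner organisation names are assumptions chosen for illustration. The one design choice worth noting is that a submission with no audience defaults to owner-only visibility, which is the "fail closed" behaviour that stops threat data being shared broadly by accident.

```python
# Added example (not ThreatExchange's own code or API): a minimal in-memory
# indicator exchange that models the controls the article describes.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Shareable indicator types. Assumption: the article only names URLs and domains;
# IPs and file hashes are added here as typical indicator types.
ALLOWED_TYPES = frozenset({"url", "domain", "ip", "hash"})
# Field names treated as "sensitive categories" and never accepted (assumption).
SENSITIVE_KEYS = frozenset({"email", "username", "user_id", "name", "address"})


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    owner: str
    audience: FrozenSet[str]   # organisations permitted to read this record
    note: str = ""


def validate(ioc_type: str, extra: Dict[str, str]) -> List[str]:
    """Return the reasons a submission would be rejected (empty list = acceptable)."""
    problems: List[str] = []
    if ioc_type not in ALLOWED_TYPES:
        problems.append(f"unsupported type: {ioc_type}")
    leaked = sorted(SENSITIVE_KEYS.intersection(extra))
    if leaked:
        problems.append("sensitive fields not permitted: " + ", ".join(leaked))
    return problems


class Exchange:
    def __init__(self) -> None:
        self._records: List[Indicator] = []

    def submit(self, owner: str, ioc_type: str, value: str,
               audience: Optional[Iterable[str]] = None, note: str = "",
               **extra: str) -> Indicator:
        problems = validate(ioc_type, extra)
        if problems:
            raise ValueError("; ".join(problems))
        normalised = value.strip()
        if ioc_type == "domain":
            normalised = normalised.lower().rstrip(".")
        # Fail closed: with no audience given, only the owner can read the record.
        readers = frozenset(audience or ()) | {owner}
        record = Indicator(ioc_type, normalised, owner, readers, note)
        self._records.append(record)
        return record

    def query(self, requester: str, ioc_type: Optional[str] = None) -> List[Indicator]:
        """Only records whose audience includes the requester are ever returned."""
        return [r for r in self._records
                if requester in r.audience
                and (ioc_type is None or r.ioc_type == ioc_type)]


def demo() -> Dict[str, List[str]]:
    """Constructed sample submissions (not real indicators) from hypothetical partners."""
    ex = Exchange()
    ex.submit("facebook", "domain", "Phish.Example.", audience={"dropbox", "twitter"},
              note="credential phishing campaign")
    ex.submit("dropbox", "url", "http://drop.example/login", audience={"facebook"})
    ex.submit("twitter", "hash", "d41d8cd98f00b204e9800998ecf8427e")  # no audience: owner-only
    return {org: [r.value for r in ex.query(org)]
            for org in ("facebook", "dropbox", "twitter", "yahoo")}


if __name__ == "__main__":
    for org, values in demo().items():
        print(f"{org}: {values}")
```

Running the block shows that each partner sees only the records addressed to it, a non-participant such as "yahoo" sees nothing, and `validate` reports why a submission carrying, say, an `email` field would be refused before it is stored.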
The social network said that it’s open to refining the structure and implementation of ThreatExchange as the project develops. ®
* An earlier link to the ThreatExchange website included its HTTPS address. This URL, while valid, appeared at the time of editing to be using an invalid HTTPS certificate.