IDG News Service - Facebook is employing aggressive legal means in combination with technical measures in order to stop hackers from abusing its social-networking site, according to its chief security officer, Max Kelly.
The company is constantly under fire from hackers trying to spam its 400 million registered users, harvest their data or run other scams.
Facebook's security team started off with just a few people, said Kelly, who began working at Facebook in 2005 after a stint as an FBI computer forensic analyst. He gave a keynote presentation at the Black Hat security conference on Tuesday.
As many as 10% of Facebook's 1,200 employees are involved in security-related functions for the site, Kelly said. Its core security team consists of 20 people, a site integrity team of around 15 people and 200 others who are part of a user operations team that monitors illegal activity.
With the right data, it is relatively easy to identity where the attacks are coming from, even if a specific individual can't be identified. If an attack is under way, it's important to understand the person's motivation, Kelly said.
"We diligently go after attackers on this site," Kelly said. "We want to know what people are attacking us and why."
Facebook has integrated its security incident response team with its law enforcement team, which allows both groups to use some of the same tools in order to respond to a security incident, Kelly said.
On the technical side, Facebook has automated systems that detect when someone is using the site in a way that is different from the normal user. Those systems can then employ countermeasures, such as limiting the number of messages a user can send, employing CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) and disabling accounts, Kelly said.
Facebook's security teams tends to worry less about vulnerabilities, focusing instead on the actual attacks, Kelly said. It allows Facebook to focus on the individuals behind the attacks and trying to frustrate those attackers.
The site is also rewarding individuals who responsibly disclose security problems by giving them credit on its security page. "If it's a really good hack, we'll probably end up hiring you," Kelly said.
Facebook has pursued a variety of criminal and civil penalties against those who abuse the site, using laws such as the U.S. CAN-SPAM act, which levies penalties of as much as $100 per spam message, Kelly said. Facebook has "dozens" of lawsuits in the works, he said.
The company has had some notable successes with this strategy.
In November 2008, it was awarded one of the largest judgments ever, winning statutory damages of $1.3 billion (later reduced to $873 million). That suit charged Adam Guerbuez of Canada, Atlantis Blue Capital and 25 other unnamed people for falsely obtaining login information for Facebook users and then sending spam to those users' friends. Although the individuals charged are in Canada, Facebook could still pursue the money. Even if it doesn't, the judgment still has an impact, Kelly said.
"It means that any asset that goes through the United States, we have a claim," Kelly said. "It makes the cost of doing business in the U.S. much more prohibitive."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts