Facebook’s Search and Destroy

An article came out yesterday from Clement Genzmer who is a security engineer at Facebook.  His tagline is "searching and destroying malicious links".  Those of us in the business of digital security and safety can certainly identify with that, especially the part where we aim to identify the criminals and work with law enforcement to have them brought to justice.  Truthfully, what I'm really in it for is the constructive aspect — an innate feeling and desire to build something new and offer positive "things" to society.  And that is what brought my attention to the article about Facebook's evolution in security and safety in the hopes of protecting consumers.

Facebook announced the following security measures in a bid to keep their ecosystem free and clear to enable its users to visit and share their lives without fear of infection.  I like having security "just doing its thing" and doing it well.  That involves security engineers and researchers to be vigilant and ever testing new products and services.  Testing to see that we are ahead of cybercriminals and that our proactive and reactive measures are constantly working.

• Malicious Links
  • Facebook in addition to their own systems has partnered with Web of Trust to obtain more information to help its ecosystem.  It is good to see industry working together.
• Clickjacking
  • Measures have been stepped up at Facebook to help detect and block rogue URLs.
• Self-XSS Protection
  • Working with browser providers, Facebook has also increased its own routines to catch potentially virulent URLs being pasted into this framework.

• Login Approvals
  • And not new, although re-announced, this is Facebook's own "multi-factor authentication" system.  In order for it to work, when logging into your profile, Facebook will send a code to your mobile phone.  Input that code, and you are logged in.

Might there be a way for miscreants to circumvent these?  Sure, and that is why security requires vigilance and a certain amount of passion by its practitioners.  Make no doubt about it, as we must pay taxes, so do online thieves (as the physical plane ones) will attempt to steal our information. 

I applaud Facebook for working diligently to help bolster its safety and security architecture for what technically can be defined as a world's third largest country.  When first responders or Emergency Medical Technicians (EMTs) arrive on a medical scene, the first thing taught in training is to make sure the environement is safe and secure and to ultimately ensure that no further damage is done.  Facebook is attempting just that, to ensure that consumers are not damaged by malicious links or account hijackings.  Keep up the good efforts and destroy those malicious links!

On Tuesday, Facebook had blogged they are moving to a more secure API platform.  A roadmap is provided, and it is a good thing because this is yet another tool from their toolbox to assist in making consumer experience more secure:

• July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
• September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
• October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.

This means that the applications folks like to use on Facebook must support secure URL migrating from HTTP to HTTPS.  Hopefully this will permit for users to have a fully secure browsing session with Facebook limiting session sniffing (for example strangers in your immediate vicinity on a public WiFi using Firesheep).  Watch out for the tell tale sign that you are in HTTPS mode:

Involving industry and security experts to assist in safety and security is key.  Together, we win.