Facebook and other social networks, in response to constant bombardment from phishers, spammers and other cybercriminals, are beefing up security teams and deploying new cyberdefenses.
The security investments represent a concerted effort by social networks to fight back against attackers, who are hell-bent on exploiting these popular platforms to peddle porn and pharmaceuticals, spread malware or simply extract the potentially lucrative user data contained in them.
Among the key new technologies being deployed by social networks are network traffic anomaly systems, which monitor out-of-control Web applications, and other security tools that scan user-generated pages for malicious content.
"Most of these defenses are invisible to users, and while malicious actors are constantly attacking the site, what you see is actually a very small percentage of what's attempted," said Facebook spokesperson Simon Axten. "We've built numerous defenses to combat phishing and malware, including complex automated systems that work behind the scenes to detect and flag Facebook accounts that are likely to be compromised."
Axten said Facebook has focused its resources on monitoring user-generated content and detecting traffic spikes from Web applications tied into its framework. He said the popular social network now has the ability to take action if its systems detect an unusual surge in messages sent in a short period of time, or messages with links that could potentially send users to attack websites.
Facebook attacks and security issues mirror those of the popular microblogging platform Twitter, which dealt with a number of high-profile security incidents in 2009. The year started with the hijacking of some of Twitter's most popular user accounts. A hacker used a brute-force attack to hijack the accounts of then-President-elect Barack Obama and CNN anchor Rick Sanchez, and even posted obscene messages to the followers of Britney Spears using her hijacked account.
Tweets are being constantly monitored for social networking phishing attacks using shortened URLs. But the resource-intensive nature of scanning millions of user-generated 140-character Tweets was highlighted late in the year when Twitter's engineering team was tipped off by security researchers that specially coded messages were being used by savvy botnet operators. The cybercriminals set up legitimate accounts to use the platform as a command-and-control message center to run their zombie army of machines.
Twitter did not respond to a request for an interview on how it was shaping its security strategy to combat the rising threats.
"The sad fact is that when you look at site providers, it's really about driving as much real estate as possible," said Bradley Anstis, who leads a team of security researchers at Orange, Calif.-based security vendor M86 Security. "In the beginning, development dollars were being poured into features that attract more users, and now security is an afterthought."
The biggest problem has been scalability, said noted application security expert Herbert "Hugh" Thompson, founder and chief security strategist at New York-based security education firm People Security and program committee chair of the 2010 RSA Conference. Thompson said social networks have been struggling to keep up with the explosive growth of user-generated content -- the lifeblood of their websites.
"These sites need to do a better job of educating consumers to the risks of posting," Thompson wrote in an email message. "The Web is sticky; once something gets posted, it is cached, syndicated, duplicated, etc., and is probably archived and remains searchable forever."
Until now, there haven't been many incentives for social networks to beef up security systems to defend against social networking attacks, Thompson said. Users only care about security when they feel pain personally, he said, and so far the only user pain is when a site like Twitter experiences an outage and is inaccessible. But if social networks want to take a step forward, Thompson said, account hijacking and impersonation is a problem that should be addressed quickly.
"Taking steps to prevent hijacking is particularly important as more businesses establish a presence on these sites and use it as a trusted communications vehicle for their customers," he said.
Another issue is striking a balance between implementing effective security measures and maintaining an easy-to-use, consistent user experience. Facebook, Twitter and other networks don't want to strangle users by complicating the process of uploading photos and interacting with their connections on their platforms. Their business models depend on sustaining the rich level of content provided by users.
Facebook last year was forced to take action against phishing attacks by suspending thousands of user accounts, many of them legitimate, in the process of weeding out spammers, Axten said. Although the number of suspended accounts is a small percentage of Facebook's user base, the social network thought long and hard about how to suspend the accounts with as little user pain as possible. An account suspension remediation process was designed so users can quickly reset their password and regain control of their account data. It includes a verification process to confirm that the user is a legitimate owner of the account, followed by an automated password setup system that helps users pick a strong password.
"We need users' help too," Axten said. "We work hard to educate users on how to be safe through our blog and the Facebook and Facebook security pages."