In the wake of two recent worm attacks on Facebook, the popular social networking site responded last night with a statement about its security practices. Regarding the attacks, Max Kelly, head of security at Facebook, wrote this in a blog post:
...we spent most of last night working on a fix for a worm, which was targeting people on Facebook and placing messages on Walls urging users to view a video that pretends to be hosted on a Google or YouTube website. We've identified and blocked the ability to link to the malicious websites from anywhere on Facebook.
Have they now? Kelly writes that he and his team are soon headed to Defcon 16 this weekend in Las Vegas to learn how to make the site safer. Perhaps he and his team plan to attend "Satan Is On My Friends List" about securing social networks. But, really, is there a solution for Facebook waiting at Defcon? Probably not, and here's why:
- Making a social network secure is darn near impossible. As fast as Facebook (or any other social network) blocks the known malicious sites, hackers will come up with new ones. There's no "patch" or "fix" for these issues.
- Why? The major flaw with social networks comes down to user awareness and user responsibility. Kelly correctly states that many people use the Internet without any knowledge of security threats posed by hackers. Which makes these users...
- ...primary targets for online social engineering scams, similar to what was presented with the "Court Jester" malware attack. If users are unaware of the threats posed by clicking on outside links, they are easily going to be spoofed. Facebook cannot keep its users from clicking off the site and downloading files.
"If a site allows any kind of links at all, then what a user does after they follow that link is really out of control of the social networking site," said Wesley McGrew, who operates McGrew Security. "They can keep blocking the links to malicious sites as they pop up and they can try to educate their user base but that's about it. Facebook is likely at the mercy of the security of each user's home computer."
If a user's home PC gets owned, the malware can navigate the social network much in the same way that a legitimate user can. That could be tough for the Facebook security team to detect, as the malware would have the same attributes as the user. While attacks on Facebook applications are not new, the hackers' ability to penetrate the Facebook Wall is a big deal -- and it's these types of attacks that had a terribly negative effect on MySpace's perceived viability when its pages began to get compromised on a regular basis.
"As a security geek, you can observe the malware's behavior and maybe figure out how it differs from a legit user and block it, but that's an arms race that'll get tougher and tougher," McGrew said. "A lot of this falls on the individual's responsibility. This same kind of worm could happen with any site that allows people to link off to other sites, which is a pretty core feature for any social networking hub."
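The detection problem McGrew describes, that a compromised PC posts with the user's own credentials, so only its behaviour gives it away, can be illustrated with a small behavioural check. The following is an added example, not code from the article or from Facebook's security team: it runs over a constructed log of Wall posts, flags an account that pastes one external link onto many friends' Walls in a short window, and raises the severity when the link's hostname merely contains a video brand name without actually being on that brand's domain, the trick the worm in Kelly's post relied on. The URLs, account names, timestamps and the thresholds (five Walls in five minutes) are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class WallPost:
    ts: int             # seconds since epoch (constructed values below)
    author: str         # account that wrote the post
    wall_owner: str     # whose Wall it landed on
    url: Optional[str]  # external link in the post, if any


@dataclass
class Alert:
    author: str
    url: str
    walls_hit: int
    lookalike: bool
    severity: str


# The brands the worm pretended to be hosted on (per the article) and their real domains.
TRUSTED_VIDEO_HOSTS = {"youtube.com", "google.com"}
VIDEO_BRANDS = ("youtube", "google")


def is_lookalike_video_host(url: str) -> bool:
    """True when the hostname carries a video brand name but is not that brand's real domain."""
    host = (urlparse(url).hostname or "").lower()
    for trusted in TRUSTED_VIDEO_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return False  # genuinely hosted on the real site
    return any(brand in host for brand in VIDEO_BRANDS)


def detect_worm_bursts(posts: List[WallPost], window: int = 300, min_walls: int = 5) -> List[Alert]:
    """Flag an account that pushes one external URL onto many distinct Walls inside `window` seconds.

    The posts carry the victim's own session, so identity checks see nothing wrong; the
    observable difference is behaviour. A lookalike video host raises the severity, a
    plain burst of a legitimate link is only "medium" (the arms race McGrew mentions).
    """
    by_key = defaultdict(list)
    for p in posts:
        if p.url:
            by_key[(p.author, p.url)].append(p)

    alerts = []
    for (author, url), group in by_key.items():
        group.sort(key=lambda p: p.ts)
        peak, lo = 0, 0
        for hi in range(len(group)):
            # slide the window start forward until it spans at most `window` seconds
            while group[hi].ts - group[lo].ts > window:
                lo += 1
            peak = max(peak, len({p.wall_owner for p in group[lo:hi + 1]}))
        if peak >= min_walls:
            lookalike = is_lookalike_video_host(url)
            alerts.append(Alert(author, url, peak, lookalike, "high" if lookalike else "medium"))
    return alerts


# Constructed sample data; the lookalike host is invented for the example and is not a real site.
WORM_URL = "http://youtube.video-clip.example/watch"
REAL_URL = "http://www.youtube.com/watch?v=constructed"

SAMPLE_POSTS = [
    # alice's browser is compromised: the same lookalike link lands on six friends' Walls in two minutes
    *[WallPost(1_217_800_000 + 20 * i, "alice", f"friend{i}", WORM_URL) for i in range(6)],
    # bob shares a real YouTube link with two friends, hours apart
    WallPost(1_217_800_000, "bob", "dave", REAL_URL),
    WallPost(1_217_810_000, "bob", "erin", REAL_URL),
    # carol posts text without any link
    WallPost(1_217_800_100, "carol", "alice", None),
]

if __name__ == "__main__":
    for alert in detect_worm_bursts(SAMPLE_POSTS):
        print(alert)
```

Only alice's burst is reported, and because the link's host only pretends to be YouTube it comes out as high severity; bob's two real links spread over hours stay below the threshold. The same heuristic would flag a real user who enthusiastically pastes one genuine video link onto five Walls in five minutes, which is exactly why a behavioural rule on its own is an arms race and needs the lookalike check, blocklists and user reports alongside it.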
The same not-so-tech-savvy users who get fooled by these types of hacker traps are the same ones who are going to put the blame on Facebook for not protecting them. This will compromise user trust. To Facebook's credit, part of the blog post does aim to educate these types of users by listing some steps they can take to protect themselves and better communicate suspicious activity to the security team.
But the site -- and other social networks -- needs to do more. Rather than just passively post security notices to the blog, proactively send these notes to all users. Perhaps host some Webinars that teach its users about how to safely navigate around the site. Produce research beyond the blogs. Be more open about the vulnerabilities and acknowledge them when they occur (without providing exploitable details, of course). Maybe Facebook should take the lead and develop a "Secure Social Network Consortium" and partner with other sites and even security companies to boost user awareness.
In the meantime, Facebook can spend some time at Defcon (maybe view how attacks are carried out or recruit folks with an adversarial mindset) and learn how they can improve their own application security, protect against cross-site scripting, request forgery, and so on. But user education needs to come first.