Interview with Joe Sullivan, CSO at Facebook
by Zeljka Zorz - Monday, 27 February 2012.
As the number of Facebook users grows seemingly exponentially, does your security team as well? What security-related problems currently give you the biggest headaches?

We do continue to grow in size, but we are also constantly challenging ourselves to develop in such a way that every employee focused on security has a greater individual impact tomorrow than that person did today. We can do that both by continuing to innovate on our approaches to security and investing in system and infrastructure.

We know that we will always be out-numbered by the bad guys, but we can overcome that by making sure that our systems are up to the challenge. An example of how things change and new headaches arise the sudden increase in what we call self-XSS during last year. Self-XSS attacks used social engineering to trick users into copying-and-pasting malicious javascript into their browser, thereby self-propagating the spam and evading our detection systems. Before the attacks increased dramatically most experts would have doubted that a social engineering scheme could work at such scale.

Fortunately, we reacted quickly and have had success beating it back. In addition to improving internal detection mechanisms, we have worked with browser vendors to make it harder for spammers to take advantage of this vulnerability in the browser, and we have partnered with external companies to make our malicious link detection system more robust. We are still battling this but thankfully it is much less of a headache than it use to be.

I can't remember the last time I saw a bogus or information-collecting app being pushed onto users by third party developers, and I recall them being plentiful at one point in time. How did you solve that particular problem?

We have several different teams that work closely together to ensure people have a great experience when connecting with applications that leverage our platform. Major props go to the platform integrity engineers who have been constantly iterating on the automated systems that we put in place to secure our Platform. Of particular note were the changes we made last July which made significant improvement to the enforcement systems so we can identify and disable apps that violate our policies as quickly as possible.

These changes instituted granular enforcement which selectively disables an app's ability to propagate through Facebook based on the amount of negative user feedback - so that an app that has been reported for abusing chat will have this feature disabled until the developers have made substantial changes. In the future, we are moving to more sophisticated ranking models where the amount of distribution will be a function to the app's quality. Good content will be seen by more people, while lower quality or spammy apps will be seen by fewer people or no one. We believe this will reward apps that provide great experiences while minimizing the negative impact of poor quality apps.

Spotlight

Android Fake ID bug allows malware to impersonate trusted apps

Posted on 29 July 2014.  |  Bluebox Security researchers unearthed a critical Android vulnerability which can be used by malicious applications to impersonate specially recognized trusted apps - and get all the privileges they have - without the user being none the wiser.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Jul 29th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //