
BlackHatEU : Keynote

By Max Kelly – CSO of Facebook

Black hat Europe

Max Kelly moved from running a forensics lab to being the Chief Security Officer of Facebook.

His title slide reads “Security – The facebook way”.

Axiom 10: “That feature can be used in a way that you didn’t think of. Try and find out what it is.”

This rule came into existence when they set up their new service, friend finder, which allows you to upload your address list and check whether those people are on facebook. It turned out that this service was using a lot of CPU because spammers used it to validate the existence of email addresses and make their spam lists more valuable.

Rules
In order to cope with attackers facebook uses the following “rules”:
•    We will diligently pursue attackers of any type
•    We will use all legal means available to identify attackers
•    We will use all legal resources to protect facebook and our users and prevent future attacks
•    Users expect us to handle security incidents for them and we do.
•    If you find a security hole in facebook and tell us, we won’t take action against you.

Axiom 23: Intelligence is king.

Keep your friends close, keep your enemies closer and don’t tell them who they are.

About the facebook security organization.
Both the Legal Enforcement team and the Security Incident Response team report directly to the CSO. The legal team does not report to the CEO.

Axiom 12: Compliance isn’t security.
Put compliance off as long as you can. If you are doing things right, compliance should be hard to implement. But any time spent on compliance before you absolutely have to is wasted effort.

Return on investment
There are four elements to security.
•    Vulnerabilities are infinite, trying to catch them has a very low return on investment
•    Threats, the ability to use a vulnerability, has a little higher return on investment, but “without attacks, threats and vulnerabilities are fine”
•    Attacks, going after the attack is an efficient way, but
•    Actors. The attacks are used by people for a gain. If you go after the actors, you have the best return on investment.

For example: trying to take the gain out of spamming is better than trying to remove all possibilities to spam.

Axiom 31: ask your users for help. They want to.
Ultimately, facebook and its users have the same vested interests. Users can be helpful in detecting precursors to security incidents and are, in a certain way, the eyes and ears of the facebook security team.

Spam defenses
Max disclosed some of the anti-spam measures used by facebook:
•    Rate limiting
•    User reports
•    Anomaly detection
•    Classifiers:
o    String blocking
o    Account deleting
o    Machine learning
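A sketch of how the rate limiting and anomaly detection listed above apply to the friend-finder abuse described under Axiom 10: an address-book lookup endpoint that is capped per account and flagged when its usage looks like address validation rather than finding friends. This is an added example, not facebook's code or anything shown in the talk; the log shape, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of contact-import lookups as (account, email, found_on_site).
# Hypothetical log shape; the talk does not describe facebook's real telemetry.
SAMPLE_LOOKUPS = [
    ("alice", "bob@example.org", True),
    ("alice", "carol@example.org", True),
    ("alice", "dave@example.org", False),
    # A harvested list fed through the feature: mostly unknown addresses.
    *[("mallory", f"lead{i}@example.net", i % 10 == 0) for i in range(100)],
    # Sheer volume, far beyond any real address book.
    *[("spammer1", f"user{i}@example.net", i % 7 == 0) for i in range(600)],
]


@dataclass
class ImportStats:
    total: int = 0
    unknown: int = 0


def analyse(lookups, max_lookups=500, max_unknown_ratio=0.5, min_sample=50):
    """Return a verdict per account: 'ok', 'rate_limited' or 'enumeration_suspected'.

    Two of the listed defenses are combined: a hard per-account cap on lookups
    (rate limiting), and an anomaly check on the share of uploaded addresses
    that are not members at all. A genuine address book is mostly people the
    user knows, so a very high miss ratio over a decent sample suggests the
    feature is being used to validate a purchased or scraped list.
    Thresholds are illustrative assumptions, not facebook's values.
    """
    stats = defaultdict(ImportStats)
    for account, _email, found in lookups:
        s = stats[account]
        s.total += 1
        if not found:
            s.unknown += 1

    verdicts = {}
    for account, s in stats.items():
        if s.total > max_lookups:
            verdicts[account] = "rate_limited"
        elif s.total >= min_sample and s.unknown / s.total > max_unknown_ratio:
            verdicts[account] = "enumeration_suspected"
        else:
            verdicts[account] = "ok"
    return verdicts
```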

A typical spam attack
Spam attacks have a typical MO, Max explains. First the attacker needs to identify the attack. Then the attacker starts to collect accounts. The attack then needs to be scripted, so the software needs to be written or purchased.
These previous phases may go unnoticed. The attacker will then send out messages, direct users outside facebook and try to make a profit.

“Fleshing out” an attack, to make it work, may leave traces. Also the data from honey pots is useful in early identification of (new) attacks.

Account gathering can sometimes be detected because facebook has spread some marked fake account lists in the underground economy.

Attack software is classified by the facebook security team by the bugs in the attack software.

Directing users offsite is the point where facebook can really make a difference, reporting malware to AV vendors, taking down sites, etc. The goal is to reduce the window between the user seeing the message and being able to click on the link and go to the site.

Using the CAN-SPAM Act, facebook can get money from the sites being marketed, ultimately getting their cooperation to find the people really responsible for the spam.

Claims against foreign entities are still useful because it enables facebook to seize all assets flowing through the US.

In summary
Going after actors and attacks is more useful than going after threats and vulnerabilities.

Most useful lessons:
•    Gather intelligence
•    Know and use the law
•    Keep out of the compliance mindset
•    Identify and disrupt attacks
•    Use your users

Axiom 66: sometimes, ignore the rules. Bad guys do it all the time.