LISBON, PORTUGAL: Safety, rather than hard-coded security, is a challenge Facebook is tackling with new initiatives and tools — but it is up to governments worldwide to “set a good example” in keeping citizens safe both online and in the real world.
Speaking to attendees at the Web Summit 2016 technology conference in Lisbon, Portugal on Wednesday, Facebook chief security officer Alex Stamos said that over 1.3 billion people use Facebook every day, and keeping them safe is a mammoth task.
Facebook’s main goal is to make the world more “open and connected,” but according to the executive, it is the right moral path to also make sure that if the world is going to be connected, it needs to become so “safely.”
According to the executive, there is an important difference between security and safety in Facebook’s dictionary. While security focuses on the creation of strong, attack-proof software with few or no vulnerabilities for attackers to exploit, the social media giant is also intent on making sure the network is safe to use.
Today, popular software, such as Adobe Flash, Oracle solutions and the Microsoft Windows operating system, as well as various browsers, is a hot target for cyberattackers looking for vulnerabilities to find and exploit.
As noted by Stamos, today's threat landscape means that vendors can no longer release software into the wild, step back and simply wait to see how users interact with it.
Instead, to prevent vulnerabilities and bugs from being exploited, Stamos says that Facebook now follows a "safety-orientated building culture" that builds safety in from the earliest stages rather than adding it as an afterthought.
To that end, the first element of user security Facebook is tackling is username-and-password authentication. The executive said that this system, first introduced in the 1970s, was "not built for 2016 when we have supercomputers in our pockets," and as such the company is turning to two-factor authentication options to try to shore up this age-old system.
Facebook also runs Social Graph algorithms over a small subset of a user's data in order to detect when a login attempt may be fraudulent.
The social media giant is also trying to address account recovery options beyond the usual password-reset link sent to an email account, which may itself have been compromised by an attacker. If users lose their password and access to their Facebook account, the company wants to use social connections to verify their identity before unlocking the account.
Instead of email, Facebook will contact some of the user's closest connections to provide the information used for verification.
“We need to keep innovating even for people using the most basic authentication,” Stamos says.
Facebook also revealed that it works with a number of partners to "obtain" password file dumps that are leaked online. Stamos calls password reuse the "number one source of harm" online, and with this in mind Facebook checks these dumps against its own user base. If reused passwords are discovered, the affected users are alerted that their accounts may be at risk.
Over the past year, Facebook has tested over one billion passwords and warned “tens of millions” of users that their credentials are being traded on the black market.
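One way a leaked-dump check like the one Stamos describes can be run against a credential store that holds only salted hashes, as an added example that is not Facebook's code: the user records, the dump lines and the PBKDF2 parameters below are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed hashing parameters: the site stores only a per-user random salt
# and a PBKDF2-SHA256 hash of each password, never the plaintext.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


# Constructed user base, keyed by normalised e-mail address.
USERS = {
    u["email"]: u
    for u in (
        make_user("alice@example.com", "correct horse battery staple"),
        make_user("bob@example.com", "B0b-unique-pw!"),
    )
}

# Constructed third-party dump in the common "email:password" layout.
# Alice reused her site password elsewhere; Bob's leaked password differs;
# carol has no account here; the last line is malformed.
LEAKED_DUMP = """\
Alice@Example.com:correct horse battery staple
bob@example.com:password123
carol@example.com:letmein
not-a-credential-line
"""


def find_reused_credentials(users: dict, dump_text: str) -> list:
    """Return e-mails of users whose current site password appears in the dump.

    Only entries whose e-mail matches a known user are hashed (PBKDF2 is slow
    by design), and each leaked plaintext is re-hashed with that user's own
    salt, so the check needs no plaintext copy of the site's passwords.
    """
    at_risk = []
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # malformed entry, skip it
        email, leaked_pw = line.split(":", 1)
        user = users.get(email.strip().lower())
        if user is None:
            continue  # not one of our users
        if hmac.compare_digest(hash_password(leaked_pw, user["salt"]), user["hash"]):
            at_risk.append(user["email"])
    return sorted(set(at_risk))


if __name__ == "__main__":
    print(find_reused_credentials(USERS, LEAKED_DUMP))  # ['alice@example.com']
```

Users returned by find_reused_credentials are the ones to notify and force through a password reset; the dump itself can be discarded once the check has run.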
Facebook’s Threat Exchange is another project launched with user safety in mind.
The machine learning (ML) platform detects patterns and suspicious activity on the social network and beyond, then shares threat data, ranging from the average spammer to advanced persistent threats (APTs), with other companies.
So far, over 450 companies are participating in the scheme.
“We firmly believe threat-based defense is the future and you cannot keep a system safe unless you know what your adversaries are doing,” the executive noted.
The company also runs the open-source osquery project. The software runs on Facebook's corporate systems and is used to send rapid-fire SQL queries across the full Facebook infrastructure, both to hunt threat actors and to respond instantly so that attackers cannot damage the network.
Facebook has begun rolling out end-to-end encryption for both Facebook Messenger and WhatsApp to protect user communications from attacks including man-in-the-middle (MITM) interception and spying, and also runs a Tor-based .onion alternative to the standard Facebook domain, in particular for users living under government censorship and blocking regimes.
In addition, Facebook has relaunched its Safety Center, a resource designed to give users a basic understanding of the privacy and security settings the social network offers, alongside online safety as a whole.
Stamos says that if online users are going to maintain a fair level of security and safety over the next few years, more software vendors need to "think about security from day one." However, governments, including the EU Commission and the US, also need to rethink their attitudes to security processes, including encryption.
Over the past few years we have seen a number of battles between tech giants and government bodies, as well as law enforcement, when it comes to encryption. While encryption itself can protect the communications of citizens worldwide from cyberattack and surveillance, government agencies have pushed vendors to supply everything from intentional backdoors to encryption-breaking software, whether for surveillance or to gain access to mobile devices.
“We need to help make the case that we need to build safe, secure and trustworthy software for citizens,” Stamos says. “[But] we also need the EU and US governments to set a good example not for surveillance and censorship, but openness and transparency to keep people safe in the real world.”
Disclaimer: The trip to Lisbon, Portugal was sponsored by Web Summit 2016.