May 24, 2011 08:15 GMT
Facebook Chief Security Officer, Joe Sullivan, presenting at Hack in the Box Amsterdam 2011

Softpedia recently attended the Hack in the Box Amsterdam 2011 security conference where we caught up with Mr. Joe Sullivan, Facebook's chief security officer.

Mr. Sullivan, who, prior to taking up the CSO role, served as the company's associate general counsel, was at the conference to discuss Facebook's product security standards and innovations.

We jumped at the occasion to ask him a few questions of our own and he was kind enough to answer them. We hope you'll enjoy reading the interview.

Softpedia: Regardless of their method of propagation, be it rogue apps, clickjacking or simply encouraging people to paste rogue code inside their browser, survey scams are a very common occurrence on Facebook. Can you estimate how fast the company's security team responds to these attacks on average?

Joe Sullivan: We've gotten very good over time at reacting quickly to these scams. At their core, these scams are trying to do distribution. So, we try to look at the distribution curve and stop it very quickly.

I showed a slide today, an example of how we were able to turn around a very fast growing self-XSS situation [pasting code inside the browser's address bar] by adapting our machine learning to trigger on this new pattern.

What you'll typically see is that distribution starts very slowly and looks like normal behavior, but as soon as it spikes, it stands out as anomalous. That's when we have to look at it and see what is the slight variation that allows this one to get through our technical mechanisms.

Softpedia: But in terms of time, can you make an estimate?

Joe Sullivan: It varies dramatically. Most of the time, if it’s just an iteration of an existing type of attack, it will take us a couple of hours at most. But, every so often you see these major shifts, like the self-XSS.

The idea that a person would actually copy and paste a malicious URL into their own browser as opposed to clicking on it was something new. We had to change the educational messaging. We had to do a bunch of changes. So, whereas typically we would respond within an hour to a spike, we were looking at more like 24 hours.

Softpedia: So, is your approach primarily reactive or do you also employ proactive measures?

Joe Sullivan: It is like a chess match in that you have a plan of attack of your own and you expect certain things from the other side, but every so often there is going to be a move that you didn't expect and then you have to step back and adapt to it.

We try and prepare for those situations. We know that those attacks are coming. That means we need to have malware specialists and large teams of engineers who are not working on something else, but who are working on this and know that they're going to have to adapt our code and our messaging. So, we're ready for it when it happens.

Softpedia: You recently introduced a clickjacking mitigation mechanism where users are prompted to confirm a Like action if it looks suspicious. From the outside, it didn't seem to have had much effect, because there were many successful clickjacking attacks after the filter was introduced. How about from your standpoint? Did you see any impact on the frequency of attacks?

Joe Sullivan: I don't have the exact statistics in front of me, but the new features had an immediate impact. But, then, once again, the people issuing those attacks changed their behavior. The slide that I showed today, depicting growing attacks and our ability to respond, was actually about the second round of attacks. [The slide showed a spike in attacks and an immediate decrease once Facebook's features kicked in]

Softpedia: You also introduced a new self-XSS filter recently and again, there's been a surge of attacks right after the announcement where it didn't make much of a difference. Does the filter use any heuristics or is it signature-based?

If a new attack comes along, does the filter have the capability to detect it generically, like antivirus products do malware, or does it require a signature being created specifically for that attack?

Joe Sullivan: It's a little bit of both, but I don't want to talk about any of the details because the more we talk about specific defenses, the more we end up having to build additional ones.

Softpedia: For the past year, major online service providers have been pushing towards full-session HTTPS. Facebook has had some problems with implementing this because of all the third-party content integrated into the website via applications, but that is slowly being worked out. Is HTTPS by default, like Gmail has it, a goal for Facebook and, if it is, when do you estimate it will be ready?

Joe Sullivan: Yes, that has been a goal from the start, but I don't think we've given a specific timeline. My hope is that we'll get there by the end of the year, but it depends on a lot of different factors. As you mentioned, rolling out HTTPS is much more complex in an environment like Facebook than probably any other environment where it's been rolled out.

We have a global user base of over 500 million people and each of them has a completely custom page. Your Facebook experience is completely different than mine and is pulling completely different types of content; you're using completely different types of applications. We started out focusing on whether we could get to the point of offering that opt-in experience and, as I mentioned earlier, we already have 30 million people who opted in.

So, right now we're running an HTTPS service for 30 million people around the world and that has been a great learning experience for us. We're seeing where the breakdowns take place, in the handoff to third-party applications, and we're working with developers on how to create that smooth transition.

It's easy to make a single site HTTPS, but in our case we're talking about hundreds of thousands of developers all over the world re-examining their products.

Softpedia: You've recently mandated that all Facebook developers should update their apps to be HTTPS-compatible by October 1st. If and after that happens, do you plan to roll out HTTPS by default for everyone?

Joe Sullivan: At a time after that, we will. There are lots of little technical things that we're going through, but that's the goal.

Softpedia: Like any major Internet company, Facebook must be working with security researchers a lot. Are you looking into setting up a vulnerability reward program like Mozilla and Google already have?

Joe Sullivan: Yes. We're testing a program right now and we hope to launch it pretty soon.

Softpedia: Last year, Facebook announced, at a separate security conference, that it knows the identity of the people behind the notorious Koobface worm. Has any progress been made in pursuing them legally?

Joe Sullivan: There is an ongoing criminal investigation and we get updates on it regularly, but as a matter of policy we don't talk about ongoing investigations, partially because, if someone hasn't been charged with a crime, we don't want to suggest that they are a criminal and also because we don't want to say something that will hurt the investigation. But, we are optimistic that the investigation is going to be successful.

Softpedia: On the same subject, malware researchers recently pointed out that Koobface activity on Facebook has come to a halt. The worm is still actively used for malware distribution, but it's not spamming on the social network anymore. Can you confirm that, and if yes, what do you think might be the reason for this change?

Joe Sullivan: It's true and I've talked a little during my presentation [opening keynote at HITB2011AMS] about that. We try to exert pressure from a number of different angles. I think that Koobface is an example of a situation where the security community has come together very well and there's been a great deal of information sharing.

We've had a great partnership with McAfee where we've been able to get the signatures into their scanner very quickly. We have had a good dialog with law enforcement and they're building a significant case. We've also seen a number of technical takedowns happen.

I can't get into the minds of the people behind Koobface, but our hope is that, through all of these different efforts we're involved in, we can make it so that Facebook is an economically undesirable environment for them.

Softpedia: But the Koobface gang has always displayed a high degree of innovation in their techniques. Do you think this halt might be more about them hiding due to the legal pressure than their campaigns being blocked too fast?

Joe Sullivan: I don't know. Maybe both or maybe something else altogether. Maybe they found a more lucrative environment. It might be that they're scared or it might be that they're doing something else. From our standpoint, we're just happy that our efforts have worked.

Softpedia: You've recently announced a partnership with Web of Trust (WOT), a community-based URL reputation service. Do you have any other partnerships like this in mind, for example with Phishtank or other similar services?

Joe Sullivan: Yes. We do have plans to roll out this approach with other partners, but we're not ready to announce any of them yet.

Softpedia: Do you already have partnerships in addition to those with Web of Trust and McAfee? Like with anti-spam vendors?

Joe Sullivan: Quite a few, but none that we promote publicly.

Softpedia: Does Facebook make use of Google's open Safe Browsing service which seems to be the most up-to-date blacklist-based one? If not, why not?

Joe Sullivan: We do work closely with Google on security issues, but I don't have anything to announce today about that.

(interview transcribed from audio)

Softpedia.com was an official media partner at HITBSecConf 2011 Amsterdam.
