Defending Facebook
The talks at the monthly Defcon London are often too abstruse for the "geek adjacent". Not so this week, when Chris Palow, Facebook's engineering manager, site integrity London, outlined the site's efforts to defend itself against attackers.
This is no small thing: the law of truly large numbers means that a tiny percentage of a billion users is still a lot of abusers. And Palow has had to scale up very quickly: when he joined five years ago, the company had 30 million users. Today, that's just a little more than a third of the site's *fake* accounts, based on the 83 million the company claimed in its last quarterly SEC filing.
As became rapidly apparent, there are fakes and there are fakes. Most of those 83 million are relatively benign: accounts for people's dogs, public/private variants, duplicate accounts created when a password is lost, and so on. The rest, about 1.5 percent - which is still 14 million - are the troublemakers, spreading spam and malicious links such as the Koobface worm. Eliminating these is important; there is little more damaging to a social network than rampant malware that leverages the social graph to put users in danger in a space they use because they believe it is safe.
This is not an entirely new problem, but none of the prior solutions are really available to Facebook. Prehistoric commercial social environments like CompuServe and AOL, because people paid to use them, could check credit cards. (Yes, the irony was that in the window between sign-up and credit card verification lay a golden opportunity for abusers to harass the rest of the Net from throwaway email accounts.) Usenet and other free services were defenseless against malicious posters, and despite volunteer community efforts most of the audience fled as a result. As a free service whose business model requires scale, Facebook can't require a credit card or heavyweight authentication, and its ad-supported business model means it can't afford to lose any of its audience, so it's damned in all directions. It's also safe to say that the online criminal underground is hugely more developed and expert now.
Fake accounts are the entry points for all sorts of attacks; besides the usual issues of phishing attacks and botnet recruitment, the more fun exploit is using those links to vacuum up people's passwords in order to exploit them on all the other sites across the Web where those same people have used those same passwords.
So a lot of Palow's efforts are directed at making sure those accounts don't get opened in the first place. Detection is a key element; among other techniques is a lightweight captcha-style request to identify a picture.
"It's still easy for one user to have three or four accounts," he said, "but we can catch anyone registering 1 million fakes. Most attacks need scale."
For the small-scale 16-year-old in the bedroom, he joked that the most effective remedy is found in the site's social graph: their moms are on Facebook. In a more complicated case from the Philippines, which used cheap human labor to open 500 accounts a day in order to spam links selling counterfeit athletic shoes, the miscreants talked about their efforts *on* Facebook.
Another key is preventing, or finding and fixing, bugs in the code that runs the site. Among the strategies Palow listed for this, which included general improvements to coding practice such as better testing, regular reviews, and static and dynamic analysis, is befriending the community of people who find and report bugs.
Once accounts have been created, spotting the spammers involves looking for patterns that sound very much like the ones that characterize Usenet spam: are the same URLs being posted across a range of accounts, do those accounts show other signs of malware infection, are they posted excessively on a single channel, and so on.
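Two of the patterns listed above (one URL posted from many accounts, and one account posting heavily to a single channel) can be counted directly from post events. The sketch below is an added example, not Facebook's code; the event tuples, thresholds and URL normalization are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample events: (account, channel, posted URL). Not real data.
POSTS = [
    ("acct_a", "wall:1", "http://shoes.example/deal?id=1"),
    ("acct_b", "wall:2", "http://SHOES.example/deal?id=2"),
    ("acct_c", "wall:3", "http://shoes.example/deal/"),
    ("acct_d", "group:9", "http://news.example/tennis"),
    ("acct_e", "group:9", "http://blog.example/post1"),
    ("acct_e", "group:9", "http://blog.example/post2"),
    ("acct_e", "group:9", "http://blog.example/post3"),
    ("acct_e", "group:9", "http://blog.example/post4"),
]

def normalize(url):
    """Collapse trivial variations (case, query string, trailing slash)."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path.rstrip("/").lower()

def shared_urls(posts, min_accounts=3):
    """URLs posted by at least min_accounts distinct accounts."""
    accounts_by_url = defaultdict(set)
    for account, _channel, url in posts:
        accounts_by_url[normalize(url)].add(account)
    return {u: sorted(a) for u, a in accounts_by_url.items()
            if len(a) >= min_accounts}

def channel_flooders(posts, max_posts=3):
    """(account, channel) pairs with more than max_posts posts."""
    counts = Counter((account, channel) for account, channel, _ in posts)
    return {pair: n for pair, n in counts.items() if n > max_posts}

def suspects(posts, min_accounts=3, max_posts=3):
    """Map each flagged account to the reasons it was flagged."""
    reasons = defaultdict(list)
    for url, accounts in shared_urls(posts, min_accounts).items():
        for account in accounts:
            reasons[account].append("shared_url:" + url)
    for (account, channel), n in channel_flooders(posts, max_posts).items():
        reasons[account].append(f"flooding:{channel}:{n}")
    return dict(reasons)

if __name__ == "__main__":
    for account, why in sorted(suspects(POSTS).items()):
        print(account, why)
```

Normalizing before counting matters because the same landing page is easily posted with a different query string per account; comparing raw URLs would miss the first cluster entirely.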
Other more complex historical attacks include the Tunisian government's effort to steal passwords. Palow also didn't have much nice to say about ad-replacement schemes such as the now-defunct Phorm.
The current hot issue is what Palow calls "toolbars" and I would call browser extensions. Many of these perform valuable functions from the user's point of view, but the price, which most users don't see until it's too late, is that they operate across all open windows, from your insecure reading of the tennis headlines to your banking session. This particular issue is beginning to be locked down by browser vendors, who are implementing content security policies, essentially the equivalent of the Android and iOS curated app stores. As this work is progressing at different rates, in some cases Facebook can leverage the browsers' varying blocking patterns to identify malware.
More complex responses involve partnerships with software and anti-virus vendors. There will be more of this: the latest trend is stealing tokens on Facebook (such as the iPhone Facebook app's token) to enable spamming off-site.
A fellow audience member commented that sometimes it's more effective long-term to let the miscreants ride for a month while you formulate a really heavy response and then drop the anvil. Perhaps: but this is the law of truly large numbers again. When you have a billion users the problem is that during that month a really shocking number of people can be damaged. Palow's life, therefore, is likely to continue to be patch, patch, patch.
Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series.