Inside Facebook’s Efforts To Fortify Security In A Post-Snowden World

At Facebook, the security team isn’t holed up in some basement wearing tinfoil hats. It’s embedded across the company so any department dealing with sensitive data or access has security researchers inside it. Hinting at protecting against government surveillance, Facebook’s chief security officer Joe Sullivan said today that he’s confident enough in the company’s technical security that “Everyone should be coming in the front door with legal process and not coming in any other way.”

Nine months after Edward Snowden revealed just how insecure the Internet is due to secret spying programs by various governments, Sullivan says Facebook hasn’t changed what it’s doing, it’s just being more public about it. For example, today Facebook invited a group of reporters to its Menlo Park headquarters to learn more about its protocols. There Sullivan said “We’re continuing to work on the same things we worked on before [the Snowden revelations].”

Still, the presentation he gave implied security has become a great focus for the social network. Facebook’s CEO Mark Zuckerberg has been speaking out against unauthorized government surveillance, saying the United Stats “blew it” on the NSA scandal. He even posted about calling Obama directly to express his frustration. The company asked the government to let it be more transparent around government data requests, and eventually was able to release a more detailed but still vague report.

That doesn’t mean Facebook doesn’t cooperate with the authorities when necessary or advantageous. Sullivan says that when Facebook encounters big security attacks “Sometimes we do work with law enforcement. We know just playing defence and whack-a-mole and removing those accounts over and over doesn’t make the problem go away, so in that context we’ll build investigations and our own proactive referrals to law enforcement.”

Faccebook Security Architecture

Along with Google and the sensitive info inside Gmail, Facebook is one of the companies with the most to lose if hacked. Its business model hinges on people being comfortable sharing deeply personal information. A security fiasco could shake that confidence, reducing the content shared, which in turn could reduce the time people spend on the site seeing ads.

That’s why inside the company, Facebook has actually tried to make security fun. It’s dubbed October “Hacktober,” and for the last three years it’s spent the month having security teams try everything they can to hack Facebook while the rest of the company tries to stop them. Sullivan says “we’re using gamification. We encouraged [employees] to catch us and started giving out prizes.” The “Hack-o-lantern” t-shirts awarded for thwarting one of these pretend intrusions have become prestigious commodities at the 1 Hacker Way campus. Ars Technica offered a great, deep look at Facebook’s security “war games” last year.

And while security isn’t the sexiest topic, Facebook says its users do care. Sullivan relays that before Facebook made SSL HTTPS encryption of traffic mandatory, over one-third of users voluntarily enabled it.

photo (9)

On the technical side, Facebook is constantly adding new security improvements. Along with adding SSL/HTTPS to encrypt traffic in 2011 and making it the default in 2013, Facebook now uses Perfect Forward Secrecy to strengthen SSL. “With SSL, there’s going to be a single key that opens every car on the highway, and with perfect forward there’s a different key for each car,” Sullivan explains.

Facebook has also bumped up its encryption key size from 1024-bit to 2048-bit RSA keys at the end of 2013. And it’s working to better encrypt the links between its data centers. Facebook is also trying to solve security issues for others by open sourcing systems like Conceal, which helps other Android developers encrypt data they have stored outside their apps and instead in a phone’s SD card.

“You can’t expect security to be perfect,” Sullivan admitted. “On the Internet, the state of security is in a constant sate of improvement.”

Facebook has had its share of troubles. A sophisticated zero-day attack that installed malware on the computers of Facebook employees who visited a compromised iOS SDK site. Facebook said it quarantined and scrubbed the affected devices and worked with police on an investigation. And Facebook got a bit of a black eye when it ignored a security researcher’s tip about a bug that would let anyone post on anyone’s wall. The researcher resorted to proving the exploit by posting to Zuckerberg’s wall.

“I think as a company we’ve matured a lot, we’ve been learning a lot,” Sullivan said of those experiences. He tried not to take a firm stand on the morality of Snowden’s leaks, but Sullivan did conclude, “it’s hard to deal with the constant stops and spurts of stories, and to figure out what’s really going on, but a world more concerned with security and things like encryption…that’s the silver lining on this.”

[Image Credit: WeAreSocialMedia]