Facebook security chief: We're not encrypting everything between our data centers just yet

Sullivan on HTTPS, NSA and paranoia


A couple of weeks ago Facebook scheduled a press powwow with its chief security officer Joe Sullivan to discuss defenses for the social network and its users. Then, a week later, Sullivan's boss made an angry call to the White House to complain about intelligence agents using Facebook as a conduit for spying on people.

"I don’t think anyone who focusses on security has been surprised by the specific things that we've seen," Sullivan told us today about reports stemming from document leaked by NSA whistleblower Ed Snowden. Those documents suggested US intelligence systems were impersonating the Facebook website so as to silently infect victims' PCs with snooping malware.

"As security people, we're paranoid, so we assume all of these things are happening, but when you actually see concrete evidence of an implementation, that moves it from paranoia to professional security advice."

In a way it was better for Facebook that news of the NSA's man-in-the-middle attacks had come out now rather than when the company was much smaller, he said. The social network had been able to hire enough security talent to allow it to work on protecting itself against government-grade operations while maintaining a focus on guarding its users against more run-of-the-mill criminal hackers.

Facebook doesn’t have one security team per se, Sullivan said, but had different units spread around the company watching for attacks on the network's servers as well as on its visitors. Three years ago the company also started challenging its security team to hack its own staff on the tenth month of the year, dubbed Hacktober.

Hacktober was started because the usual training videos and classroom sessions weren't effective, Sullivan said. Instead the security team originally set up a wall of shame, similar to that used at the Defcon security conference, which listed employees who had let their defenses slip.

But that wasn't very effective either, the team found. Staff resented the wall listing, and so the approach was changed from stick to carrot. Now, if staff spot a hacking attempt and reported it, they get a Hacktober t-shirt. Sullivan reported this proved a strong incentive and fostered an inter-company competition to beat the security testers.

Facebook also hires in outside firms for penetration testing, Sullivan explained. In some case the attackers were given access to s small part of Facebook's internal network and asked to escalate their privileges. The internal security team would then pick up on a series of clues until the intrusion was detected and dealt with.

'If data is going through a building or a cable that someone else controls we need to assume the worst'

Recruiting the wider security community, via Facebook's big bounty program, was also a highly effective technique. In the last three years Facebook has paid out more than two million dollars for reports of vulnerabilities in its software, and has hired three researchers who proved particularly adept at finding flaws in its defenses.

The storm caused by the Snowden leaks has had a silver lining for the industry, Sullivan said, in that it had brought erstwhile competing companies together to work on common security issues.

He detailed one case where another company warned Facebook of a dodgy server that was attempting to install malware on PCs used by the social network's employees. Facebook checked to see none of its own staff had visited the site, and found they had not, but saw that the server had tried to infect workers at 50 other tech firms, too. All were warned as well.

In the meantime Facebook is ramping up its security efforts after it turned out US and UK intelligence agencies were tapping into the connections between web giants' data centers to snoop on netizens.

Yet, Facebook is still not encrypting all internal traffic between its off-site data centers: Sullivan blamed weaknesses in encrypting chunks of data flowing through his company's interconnects. Instead, his team had identified key data streams that needed protecting from eavesdroppers, and is locking them off one by one with their own encrypted channels.

Joe Sullivan

Joe Sullivan

All company staff have to turn on two-factor authentication before logging on to Facebook, and Sullivan said he was heartened by how many Facebook users also wanted to use the extra security. About a third of the user base activated two-factor authentication shortly after the security team added it in 2011.

In 2013 the company doubled its encryption key strength to 2,048-bit and has augmented HTTPS with perfect forward secrecy. “With SSL, there’s going to be a single key that opens every car on the highway, and with perfect forward there’s now a different key for each car,” Sullivan said.

For mobile users the company has developed Conceal for Android, a set of Java APIs that encodes large files using cryptographic algorithms from OpenSSL. The company is also investigating third party apps and checking the security of companies that provide it with leased lines to check there are no data leaks – at least, as far as possible.

"We're looking at literally every point in the movement of data and analyzing the risks. If data is going through a building or a cable that someone else controls we need to assume the worst, in the same way that we assume the worst about every one of our employees," Sullivan said.

"I trust everyone I work with, but also assume that they can get malware on their laptop or they might have their spouse held hostage. Everything can go wrong and it's not about trusting people, it's about removing the risk." ®

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021