Facebook vs. Hackers: Win One, Lose One
By Sean Michael Kerner | Posted 2013-08-19
NEWS ANALYSIS: Two incidents late last week illustrate what Facebook is doing right and what it is doing wrong to secure its hundreds of millions of users.
As it turns out, there is some angst in the security research community about the speed with which Facebook actually deals with security researchers overall.
Matt Bergin, senior security consultant and project manager at CORE Security, told eWEEK that Facebook is notoriously slow when processing payments for its bug-bounty program. He added, though, that in the Shreateh case Facebook did act in accordance with its own stated disclosure policies.
"Many companies that offer bug-bounty programs incentivize researchers monetarily, but proper procedures must be executed by both the researcher and the vulnerable company involved," Bergin said. "Researchers who participate in these programs have the obligation to follow these guidelines if they expect to be paid for their efforts."
In addition to bug reports that researchers like Shreateh make to Facebook, the social networking giant also has a number of automated-scanning technologies in place. Last week, one of those automated-scanning technologies detected a malicious pattern in some Facebook Apps, which resulted in thousands of apps being shut down.
While automated scanning can be a good thing, in this case there were a lot of false positives.
"We started with a broad pattern that correctly matched many thousands of malicious apps but, unfortunately, also matched many of your high-quality apps," Facebook engineer Eugene Zarakhovsky wrote. "When we detected this error, we immediately stopped the process and began work to restore access."
As is the case with the bug-reporting system, security researchers have different viewpoints on the effectiveness of Facebook's automated-scanning technologies. WhiteHat's Grossman said the technologies are "necessary but not sufficient."
Tim Erlin, director of security and IT risk strategy at Tripwire, told eWEEK that, in this case, it sounds like Facebook took the right actions to address the problem as soon as the company found it. "Their automated-scanning efforts are a requirement to run the application business they have," Erlin said. "In cases where an error occurs, transparency is the right policy."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.