Cyber security is back in the public lexicon. And no, it's not because it's 'national stay smart online week'.
Hacks and security breaches appear to be increasing in intensity, and as we all saw a couple of weeks ago not even high profile web firms -- like eBay -- are immune. In this new dynamic, ongoing attacks are forcing consumers to clue up on cyber security. And in response, companies are keen to show that they are putting their best foot forward on the topic.
This is perhaps why Facebook's Australian office opened its doors, inviting its hoodie-wearing US-based head of infrastructure security Gregg Stefanick to brief local journalists on its efforts. Chances are, if you are one of Facebook’s 13 million active Australian users, you may have some interest in learning what it’s doing to keep its platform safe.
1. It’s placing (extra) security in the hands of its users.
According to Stefanick, Facebook prides itself on giving its users the ability to add optional extra layers of security to their profile. Many wouldn’t check the security tab in Facebook’s settings, but if you do it would come up with a menu like this.
During the talk it became evident that most of Facebook’s existing security started as add-ons and then, as more and more users gained the ability to implement them, were rolled into mainstream features.
Stefanick expects this to happen with two-factor authentication. Currently, Facebook users can choose to verify their account using both a password and a text message. He wouldn’t say when this feature would become a must for the platform, but said it would happen when the social media giant felt most of its users would be able to adopt it.
2. It’s paying off hackers for tips
Facebook is funding hackers, but not in a way you might expect. The social media giant frequently hires red teams -- external security experts -- to attempt to break into its systems and report their findings. This technique is pretty common across many high profile tech companies.
One difference that Stefanick points out is that Facebook’s security team takes these findings and presents them to the entire company rather than keeping them inside the security team. The idea, he explains, is to get all staff working on the platform involved in securing it.
Facebook also runs what's known as a ‘White Hat’ security program, where it pays anyone who finds a vulnerability in its systems a bounty for reporting it to the company.
“The industry in general was throwing people in jail and threatening them with lawsuits instead of embracing them,” he said. “Over the past couple of years it’s gone from ‘hey, we’re going to give you a T-shirt’ to ‘hey, we’re going to pay you money’.”
The company has paid over $2 million to would-be hackers through its White Hat program, and had over 700 actionable submissions in 2013. Yet apparently, Australians aren’t too good at breaking Facebook, as we’ve only received $20,000 of that overall total.
3. It’s trying (where possible) to encrypt everything
Despite the fact it's “hard to deploy,” has “performance implications” and “compatibility issues with devices,” Stefanick says encryption is now well and truly “worth investing in”.
If you’re unfamiliar with encryption, it basically scrambles data into a form that can only be read by someone holding the right key. The point is that only those who are supposed to have access to the data have access to the key. Stefanick’s confidence in encryption as a security measure comes from the Edward Snowden saga, which indicated the NSA was monitoring data on these open channels.
“Snowden validated a lot of things we knew that we needed to protect against,” Stefanick said. “We all had our tin foil hats on because we knew we had to encrypt links between data centres, because we knew someone could do this.”
This being said, not all information at Facebook is encrypted.
“We’ve prioritised encrypting the traffic that is most sensitive at Facebook,” Stefanick said. “We’re moving to a point where all traffic between data centres is encrypted.”
But the practice is spreading. For instance, just last year the company completed a service that encrypts all traffic between mobile devices and Facebook. Just like other security features, this was at first an optional add-on for users and has now been rolled out to encompass all traffic between devices and Facebook.
Why is this important?
Aside from just saving face, security is set to play a much broader role for Facebook going into the future. Trawling across the web, you may have noticed that more and more sites are asking you to verify your identity through a Facebook login rather than forcing you to remember another password. This is a growing trend on the web.
Facebook estimates upwards of 30 per cent of all logins harness this system. At the moment, it’s being used as a means to access websites and third-party services, but there is no telling where it may lead. For instance, in the US net infrastructure firm Cisco is experimenting with using Facebook logins as a way to bypass the expected -- but always annoying -- free Wi-Fi sign-in wall.
Facebook’s mission appears to revolve around abolishing those pages that force you to enter a username and password. And in the process, giving the nearly 5 billion people left in the world without an active Facebook account yet another reason to sign up and use its service.
Harrison Polites travelled to Sydney as a guest of Facebook to attend its security briefing.