VANCOUVER – Working as Facebook’s resident malware researcher is a lonely job, for now. But Nick Bilogorskiy doesn’t expect it to stay that way. In fact, Facebook’s biggest security challenge will be building up its capabilities to identify and tamp down malware infections like the 2009 Koobface worm.

Speaking at the annual Virus Bulletin Conference here, Bilogorskiy said that the company, which has doubled in size in the last year, has made progress in fighting malware and malicious hackers, including the Koobface gang. But the challenges to the burgeoning network are enormous, as users begin to share more content and transact business using Facebook.

Bilogorskiy joined Facebook in March and is the fast-growing company’s first full-time malware researcher. With more than 500 million users, Facebook is now the largest U.S. Web site and faces security challenges on a number of fronts, he said in an interview with

Facebook’s security team, which has also doubled in the last year, must respond to law enforcement subpoenas for information on users or network activity associated with crimes, monitor profiles for evidence of malicious activity or hijacking, police an application ecosystem 500,000 applications strong and address the complaints of users.

The 10-person Security Incident Response (SIR) team, of which he is a part, monitors the network for attacks, responds to victims of attacks to restore their account access and works with law enforcement agencies on security matters, he said.

Bilogorskiy said that so far the company is keeping pace with attackers. While he declined to provide hard numbers about the rate of malicious traffic, Bilogorskiy points out that Facebook’s user population has doubled but attacks have not, and that “less than one percent” of all Facebook users have experienced a security incident while using the site.

Facebook has also taken steps to help users affected by cyber crime to recover. They include new countermeasures for accounts affected by malware. The Roadblock feature, for example, provides a multi-step process by which users can restore account access after being compromised, including education about social media attacks, endpoint scanning and password reset.

A separate social authentication feature allows users who have been locked out of their account to reset passwords after they have correctly identified the pictures of friends in their network.

However, challenges remain. Bilogorskiy notes that social authentication can be problematic for avid Facebookers, who often can’t identify their “friends” in a photograph. Challenges face the company as it looks to grow its application ecosystem as well, where Facebook has to balance security with the desire to provide an open and flexible platform for application developers, he said.

While Facebook is considering adding features like stronger, multi-factor authentication, Bilogorskiy said that the company is wary of adding too much “friction” into the user experience.

“When we err, it’s on the side of letting the user be in control,” he said. “Security is a top priority, and needs to be balanced with usability and convenience. We want to make the site as easy to use as possible.”

Facebook’s Platform Operations team reviews applications created for the social network and uses monitoring and user reports to identify and disable malicious programs, but Bilogorskiy said that detailed vetting of application code for Facebook applications prior to their publication was unlikely.

“We don’t want the platform to be closed. We want it to be open – to make it easy for people to create and use applications,” he said.

That’s especially true as Facebook continues its transition from a social network to an e-commerce platform with storefronts and its own currency – Facebook credits – used to purchase real world and virtual goods. However, he said that transition will also bring more attacks targeting Facebook’s 500 million users.

Bilogorskiy notes that Facebook takes credit card data and must comply with Payment Card Industry (PCI) standards. In addition, the company has already seen gray market Web sites targeting demand for Facebook credits used in popular games.

“So far, we’ve been successful at keeping up with threats and making it difficult for malware writers to make much money on our platform,” he said.
