Facebook open-sourced security tool osquery late last month, allowing engineers to write SQL-based queries efficiently and easily to explore operating systems and monitor their infrastructure. In a note on the Protect the Graph page, security engineer Ted Reed offered a look at how osquery can be used to detect suspicious activity within infrastructure.
Protect the Graph
Facebook is experimenting with ways for security-conscious users to access the social network via Tor, and Alec Muffett, a software engineer for security infrastructure in the company’s London office, described the process in a note on the Protect the Graph page.
When Yahoo announced last year that it would allow user names that had been inactive to be claimed by new users, how did Facebook ensure that accounts on the social network that were tied to recycled Yahoo email addresses remained secure? Software engineer Murray Kucherawy detailed the process in a note on the Protect the Graph page.
Facebook continued to mark National Cyber Security Awareness Month with content aimed at explaining the measures it takes to keep its users safe, and the latest addition is a note on the Protect the Graph page from security engineer Chris Long explaining how the social network reacts to the sharing of stolen passwords on public sites.
Facebook continued its focus on security with two announcements Wednesday related to its white-hat program: The social network is doubling the bounties that it will pay out to researchers who discover white-hat bugs in its ads code, and it released a “Bounty Hunter’s Guide” containing detailed instructions on how to submit those bugs.
Facebook teamed up with computer-industry association USENIX to launch the Internet Defense Prize, aimed at highlighting research that could significantly improve the security of the Web, and the inaugural winners, Johannes Dahse and Thorsten Holz, researchers from Ruhr-Universität Bochum in Germany, were awarded $50,000 for a paper titled, “Static Detection of Second-Order Vulnerabilities in Web Applications.”
Facebook offered an update on the state of the deployment of the STARTTLS encryption standard, which it originally wrote about in May, saying that 95 percent of its notification emails are now successfully encrypted with both Perfect Forward Secrecy and strict certificate validation.
How does Facebook protect its users against BREACH attacks on HTTPS traffic, as well as cross-site request forgery attacks? Chad Parry, a London-based member of the social network’s security infrastructure team, and Christophe Van Gysel, who contributed to the mitigation of BREACH at Facebook as an intern, answered those questions in detail in a note on the Protect the Graph page.
In a study of one day’s worth of Facebook’s notification email logs, the social network found that 76 percent of unique MX host names that receive its emails support the STARTTLS encryption standard, meaning that 58 percent of its emails were successfully encrypted.
Facebook offered some statistics about its bug bounty program in a note on its Protect the Graph page, saying that it received 14,763 submissions in 2013, up 246 percent from the previous year, and 687 of those submissions qualified for awards.