Saturday, July 31, 2010

The new Facebook issue is the same old Facebook issue, yet again


The Facebook Data Torrent Debacle

Security researcher Ron Bowes did a couple of notable things. He programmatically gathered, or harvested, the names and profile links of 171 million Facebook users. This was publicly available information, so he did not have to break into anything to do it: he simply wrote a script that walked Facebook's public profile directory and collected everything it found there. He then packaged the collected data and published it as a torrent so that anyone could download it.

The media (I guess me too at this point) latched on to this and started talking about it. While this is interesting data, the fact of the matter is that it shouldn't be that surprising. If you've made your data public, people will be able to see it, and a script can read it just as easily as a person can. The fact that only about a third of all Facebook users appear in the directory should tell you that many people have already changed their settings to keep themselves out of it. If you don't want people to see your information, change your privacy settings so they can't. Bear in mind that this only helps going forward: a copy that has already been downloaded does not disappear when you change a setting. Or, as always, stay off social networking sites altogether if you don't want to be discoverable online.

My last thoughts on this are from a core information security operations perspective. It would seem that Facebook has nothing in place to detect large-scale probing, scanning or harvesting of data from its sites. There doesn't seem to be any sort of traffic analysis or monitoring of their Internet property that would notice when one client is working its way through every page it can find. A client that requests directory pages one after another, in sequence, around the clock, looks nothing like a person browsing, and that difference is exactly what such monitoring exists to catch. Facebook seems to have faith that the code they're publishing to the Internet is solid and secure, and that the information they intend to share is the only information they are actually sharing. Because of this, I guess they wouldn't necessarily need this level of visibility or awareness, but when was the last time any developer or company was 100% sure of its Internet-facing applications and the vulnerabilities they have? Could they have prevented this? Should they have prevented this?
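As an added example of the kind of traffic analysis the paragraph above is asking for (this is not Facebook's tooling and not Ron Bowes' script), here is a sliding-window detector that reads web-server access logs in Combined Log Format and flags any client that, within one minute, fetches a large number of distinct pages under the public directory prefix. The log lines, the IP addresses, the `/directory/people/...` paths and the thresholds are all constructed for the example. The ratio of distinct paths to total requests is the part worth noting: raw volume alone would also flag someone hammering reload on a single page, while a harvester is distinguished by breadth, every request landing on a page it has not seen before.

```python
"""Added example: a sliding-window detector for directory enumeration.
Not Facebook's code and not Ron Bowes' harvester; log lines, addresses,
paths and thresholds below are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return (ip, datetime, path, status, ua) or None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"],
            int(m["status"]), m["ua"])


def detect_enumeration(lines, prefix="/directory/", window=timedelta(seconds=60),
                       min_hits=30, min_distinct_ratio=0.9):
    """Flag each client whose requests under `prefix` within any `window` reach
    `min_hits` with at least `min_distinct_ratio` of them being distinct paths.

    Volume alone would also flag someone reloading one page; the distinct-path
    ratio is what singles out a client walking through every page it can find.
    One alert per client, raised the first time the thresholds are crossed."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, path) inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip unparseable lines rather than crash the detector
        ip, ts, path, status, ua = rec
        if not path.startswith(prefix):
            continue
        q = recent[ip]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()             # drop requests that have fallen out of the window
        if ip in alerts or len(q) < min_hits:
            continue
        distinct = len({p for _, p in q})
        if distinct / len(q) >= min_distinct_ratio:
            alerts[ip] = {"ip": ip, "ua": ua, "first": q[0][0], "last": ts,
                          "hits": len(q), "distinct": distinct}
    return list(alerts.values())


def _log_line(ip, ts, path, ua, status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 4096 "-" "{ua}"'


def build_sample_log():
    """Constructed traffic (not real logs): one client walking the directory one
    page per second, one user reloading a single directory page, one casual browser."""
    t0 = datetime(2010, 7, 31, 10, 0, 0, tzinfo=timezone.utc)
    crawler_ua = "Mozilla/5.0 (compatible; harvester/0.1)"
    browser_ua = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100722 Firefox/3.6.8"
    entries = []
    for i in range(45):   # enumerator: 45 distinct directory pages in 45 seconds
        entries.append((t0 + timedelta(seconds=i),
                        _log_line("198.51.100.7", t0 + timedelta(seconds=i),
                                  f"/directory/people/A-{i + 1}", crawler_ua)))
    for i in range(40):   # reloader: high volume on one page, must not alert
        entries.append((t0 + timedelta(seconds=i),
                        _log_line("203.0.113.5", t0 + timedelta(seconds=i),
                                  "/directory/people/B-3", browser_ua)))
    for i, p in enumerate(["/directory/people/C-1", "/profile.php?id=1001", "/home.php"]):
        entries.append((t0 + timedelta(seconds=10 * i),
                        _log_line("192.0.2.9", t0 + timedelta(seconds=10 * i), p, browser_ua)))
    entries.sort(key=lambda e: e[0])   # interleave by time, as a real log would be
    return [line for _, line in entries]


if __name__ == "__main__":
    for a in detect_enumeration(build_sample_log()):
        print(f"{a['ip']}: {a['hits']} directory pages ({a['distinct']} distinct) "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}, UA {a['ua']!r}")
```

Run against the constructed log, only 198.51.100.7 is reported, on its thirtieth consecutive distinct page; the client reloading `/directory/people/B-3` forty times never crosses the distinct-path ratio. In production the thresholds would be tuned against real baseline traffic, and the same per-client breadth measure applies to any enumerable resource, not just a people directory.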

Chris
LABrat.com