To secure Facebook and its 750 million users, it helps to be a spook.
You need to think like a black hat hacker, be in a constant state of high alert and assume you're constantly being hacked.
It's a rational state of mind when you consider Facebook had become a veritable White Pages for identity theft.
And it's one that Ryan ‘Magoo’ McGeehan - the man responsible for incident response at Facebook - has maintained for five years.
McGeehan is Facebook’s chief security technical boffin. His incident response unit of 10 staff chases down spammers and hackers and is part of the company’s 300-strong security team.
“You need to know your enemy, understand the trends, and the goals [of attackers] from a threat perspective,” McGeehan said. “You need to put on your black hat.”
Spam king's reign over
Facebook was unforgiving to those that exploited its service or attacked users.
Two weeks ago, notorious spammer Sanford Wallace, aka “the spam king”, turned himself in to police after an indictment (pdf) was sought against him on 11 charges relating to electronic crime.
He was accused of using 500,000 compromised Facebook accounts to post some 27 million spam messages.
Such a finding could place Wallace in contempt of court for breaching an order not to access Facebook.
“Once you are on the radar for attacking our users, you never, ever leave,” McGeehan said.
Wallace’s face was now the latest of dozens plastered on a wall inside Facebook’s security office, under a banner that reads “scalps”.
But there was always someone else trying to break into Facebook and swindle its users.
Recently, some within the online activist group Anonymous declared war on Facebook.
It is not known what, if any, action will be taken on November 5, Guy Fawkes Day, but Facebook isn’t particularly troubled.
It's just another threat that would be handled with the same immediacy as every other hacking, spam and social engineering attack against the site, McGeehan said.
Threats had become more sophisticated and financially-motivated in the five years since McGeehan joined Facebook, but that’s not surprising, given that the site’s user base has grown from 10 million to a staggering 750 million over the same period.
”I’ve seen the evolution of threats from the primordial ooze of security, like 419 scams, fake accounts, to sophisticated threats that we are now dealing with,” McGeehan said.
Defensive armoury
In defending Facebook, McGeehan draws heavily on his volunteer work as a member of the HoneyNet Project in which he works in web-based and client-side honeynetting.
Facebook also offers bug bounties to security researchers who find vulnerabilities in Facebook’s services.
It has been deluged since revising vulnerability disclosure policies to satisfy the Electronic Frontier Foundation, and has regularly paid above the minimum payment.
Last week, one researcher bagged $5000 for a critical vulnerability and is helping Facebook to resolve the flaw.
“The bug bounties are like simulating attacks, all the time,” McGeehan said. “We have had a fantastic response.”