Facebook defends social networking security

Refutes "social engineering gold mine" tag

Social networking giant Facebook has defended its security and privacy controls in the face of criticism from industry experts, at this year's Infosecurity Europe show in London.

In a keynote at the event, Martyn Croft, head of corporate systems at the Salvation Army, argued that the concerns over corporate use of social networking sites, including lost productivity and malware infection, are "very real".

"It's a social engineering gold mine – a haven for finding out valuable information and it's an easy distribution platform for malware," he added. "For us, brand value is paramount and if we lose it we lose revenue very quickly."

But Max Kelly, chief security officer at Facebook, argued that the firm has gradually improved its security controls over time, to the point where users can now have control over who views any part of their profile on the site. "It is an educational challenge though," he admitted. "Users have top create a privacy model for themselves and that has been an ongoing challenge."

Kelly added that the firm has built up a "strong security team" to deal with issues at the network and application layers, and to investigate potential phishing and spamming attacks using data harvested from users of the site.

"It was in about January time that we became noticed by threatening elements who began to come after us," he said.

Jeremiah Grossman, chief technology officer at web app security firm WhiteHat Security, argued that social networking sites are prime targets for malicious Java script to be uploaded onto them. "It's an easy and effective way to effect the enterprise and because it's all purpose built, it's difficult to protect against; we need a whole new set of solutions," he said.

He suggested that Facebook is reluctant to restrict security too much on the site because it will affect its business model. "It will take risks with security because [ultimately] it's the users getting hacked not Facebook.