Even after many high-profile hacking and phishing attacks on social networking accounts, and constant messages urging people to be vigilant, the biggest problem with web security is still weak passwords.
Speaking at South by South West Interactive (SXSWi), an industry panel of security engineering managers from Twitter, Facebook and Microsoft discussed the approaches they use to secure their web services.
Del Harvey is Director of Trust and Safety at Twitter. "I have a team of 20 folks, which given that the team at Twitter is about 160, is a very large team and we deal with ensuring the user expectations for privacy are there, and when bad things happen we work to fix them."
Harvey says education is an ongoing problem: "The current biggest thing that is crucial to our security programme is trying to get users educated about security. Everyone knows at least one person who says 'I use the same password on every site – but it's a really good one', or 'I use different passwords on every site – I take the first letter of the site and the last letter of the site and then I put my birth year in the middle.'
"It's this big wave right now of almost identity theft-based attempts at hacking, not just on Twitter but also on Facebook and on email sites and messenger sites. There's a big push towards not necessarily brute force [attacks] but more specialised. Obviously we still have brute force issues where we deal with, OK they've tried to log into x number of accounts in y amount of time with z combinations of passwords. And then we have rounds of phishing, straight out 'haha this you?' links."
Ryan McGeehan, Security Manager for Incident Response at Facebook, says: "Awareness is a major thing for us, too. The number of individuals who use the same password across multiple sites is astounding.
"So, for instance, if some obscure web forum that you are a part of gets compromised and the database gets leaked, and the passwords are stored in clear text, then when the person who stole that database decides to try all of those usernames and passwords on other sites, the success rate is astounding.
"It's an awareness issue; it's a security issue for any site that is dealing with usernames and passwords."
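The two patterns the panel describes, a leaked list replayed across many accounts (McGeehan) and "x number of accounts in y amount of time with z combinations of passwords" (Harvey), as an added detection example; this is not code from the panel or from Twitter, Facebook or Microsoft, and the log format, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample login log (not real data): timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2010-03-13T10:00:01 10.0.0.5 alice FAIL
2010-03-13T10:00:03 10.0.0.5 bob FAIL
2010-03-13T10:00:04 10.0.0.5 carol FAIL
2010-03-13T10:00:06 10.0.0.5 dave OK
2010-03-13T10:00:10 192.0.2.9 frank FAIL
2010-03-13T10:00:20 192.0.2.9 frank FAIL
2010-03-13T10:00:30 192.0.2.9 frank FAIL
2010-03-13T10:00:40 192.0.2.9 frank FAIL
2010-03-13T10:00:50 192.0.2.9 frank FAIL
2010-03-13T10:02:00 198.51.100.7 grace OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Parse lines into (timestamp, ip, account, outcome); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, account, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return sorted(events, key=lambda e: e[0])

def detect(events, window=timedelta(minutes=1), max_accounts=3, max_failures=4):
    """Sliding window per source IP. 'stuffing': one IP touches more than max_accounts
    distinct accounts in the window (leaked-list replay, successes count too).
    'bruteforce': one IP fails more than max_failures times on a single account."""
    recent = {}   # ip -> deque of that IP's events still inside the window
    alerts = {}   # (ip, kind) -> distinct-account count, or the account under attack
    for ev in events:
        ts, ip, account, outcome = ev
        q = recent.setdefault(ip, deque())
        q.append(ev)
        while q and ts - q[0][0] > window:
            q.popleft()               # drop attempts older than the window
        accounts = {e[2] for e in q}
        if len(accounts) > max_accounts:
            alerts[(ip, "stuffing")] = len(accounts)
        failures = sum(1 for e in q if e[2] == account and e[3] == "FAIL")
        if failures > max_failures:
            alerts[(ip, "bruteforce")] = account
    return alerts
```

The thresholds are deliberately low so the constructed sample trips both rules; in production they would be tuned against the site's normal login rate.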

AWARENESS ISSUE: Facebook's Ryan McGeehan
Deepak Manohar looks after security on Windows Live products, which include Hotmail, Live Messenger and Windows Live Photo Gallery. "It's my job to work with our developers to ensure we don't have security and privacy issues with our products and to protect your identity from being stolen," he explains.
User awareness is a major concern and a major part of the Windows Live security program, says Manohar.
"The way we break up our security programme is into proactive and reactive security. Proactive security is what we do up front in the developer life cycle, and we break that up into training – every developer at Microsoft goes through at least an hour of security training every year.
"We try to cover the most important security threats in that hour of training. So developers learn how these threats are exploited, how these methods are used by attackers to spread malware and perform phishing attacks."
"For our reactive process, we have an incident monitoring team who scour the internet and search for potential issues that people are talking about regarding our sites, so even if they don't properly disclose it to us, we become aware of it and we take reactive steps to mitigate this."
Your comments (4)
tech89
March 14th 2010
4. Why not have a password, and then have a selection of buttons with shapes on them.
A password and one click on a shape to get in would make it hard for phishing scams to work.
Security needs to involve something that we don't put into forms on the internet or anything that a computer can compute.
Maybe a general knowledge question before and after you enter your password?
Or some kind of simple mathematics sum that is worked out by using mouse actions (clicks).
Or putting in place a selection of shapes: when a user signs up, they're designated a shape which they have to click on after or before they enter their password.
Or question on spotting the error in a sentence (grammar, spelling, pronunciation).
Anything to make the game harder for hackers. Security needs to involve information we do not enter on the internet or pc.
Also different security for different sites and purposes should be implemented. Online shopping and online banking have gone the right way of doing things at the moment.
A password, a pin, and a piece of memorable info works for online banking.
Perhaps social sites could implement time expired passwords like universities do with students. A new password every 6 months or so.
By implementing some of the measures above, this still allows the user to use one password for most situations.
What do you think?
bradavon
March 13th 2010
3. I've always thought it the wrong approach that Windows so subtly tells you you have no Anti-Malware or Firewall installed/enabled. Sure we don't want loads of Windows popups so generally Microsoft's stance is correct but when it comes to these it should be a big regular popup on the screen until the user resolves it.
The number of PCs I use where the user simply ignores the Red (or White in Win7) Security Center warning in the system tray. If people get bugged enough they will install something, especially when there are very good free options out there.
bradavon
March 13th 2010
2. Many sites are to blame though for having way too lax password rules. Why is any site ever allowing passwords such as 'password', the same password as their username or the same password as what's in the first name/last name fields?
bradavon
March 13th 2010
1. The thing is, the average web user signs up to multiple websites, forums, online stores. It's simply not practical to have a different password for each.
I use 3-4 different passwords, which at least limits the possible damage.