Facebook Spars with Sophos over Security

Sophos and Facebook argue about the extent of the malware threat on the social network.

Facebook is sparring with security firm Sophos over a threat report touching on malware on social networks.

In a report (PDF) looking back on 2010, Sophos reported that a survey of 1,273 people in December 2010 found that 40 percent had been sent malware via social networks, up from 36 percent in December 2009. Additionally, 43 percent admitted being sent phishing attacks, while 67 percent said they had received spam. Both of these numbers were up from December 2009 as well, with previous figures of 30 percent and 57 percent, respectively.

"This isn't just a problem for home users," noted Graham Cluley, senior technology consultant at Sophos. "Many people check their social networking accounts from the workplace, making the sites a potential vector for attacks against businesses."

"There's no doubt that cybercriminals are showing a much higher level of interest in the social networks than ever before, with Facebook being the site they are targeting the most," he added.

Though Facebook acknowledged the challenge posed by security threats, the company took issue with the idea that the social network is a malware minefield. On the contrary, a Facebook spokesperson told eWEEK, the company's data shows that malware, spam and other attacks have decreased in their effectiveness, and it is "much more important to measure effectiveness than it is to measure volume."

"If your spam filter catches all the spam, does it matter that your filter caught 10 percent more?" the spokesperson asked.

Facebook contends it has built more controls into the site to allow users to limit the data that applications are allowed access to, providing a defense against rogue applications by forcing disclosure and user consent to access. The site also works to quickly sanction or remove applications found to be malicious, the spokesperson said.

"We have a dedicated team that does robust review of all third-party applications, using a risk-based approach," the spokesperson told eWEEK. "That means that we first look at velocity/number of users/types of data shared, and then we prioritize. This ensures that the team is focused on addressing the biggest risks, rather than just doing a cursory review at the time that an app is first launched."

Still, Sophos is not the only security company sounding the alarm about attacks on social networks. In November, researchers at BitDefender reported that 22.4 percent of the users of its Safego application were exposed to malicious posts on Facebook.

"I see two possibilities," blogged Cluley. "Either Facebook simply doesn't get security and privacy. Or it just (doesn't) care. I really hope it's the former."

On Jan. 16, Cluley criticized Facebook for allowing applications to access users' mobile phone numbers and address information, a decision the company rescinded Tuesday after privacy concerns were raised. Despite the controversies regarding security, Facebook said it continues to educate users through the Facebook Security Page, as well as through the remediation and education process users are put through if their account is found to have been compromised.

"We wholeheartedly agree that education and awareness is the key to combating online security threats and that this issue is something we need to tackle together as an industry," the Facebook spokesperson said. "For our part, we have launched numerous education initiatives and continue to invest heavily in developing complex and innovative systems to protect the people who use Facebook."