Facebook to Give $1 Million in Prize Money to Security Researchers
The social media giant hopes the money will spur more research into ways to defend Internet users against the more prevalent and common methods of attack.
BLACK HAT USA – Las Vegas – Facebook is dramatically upping its bet on a strong security defense, rather than offense.
The social media titan is increasing the size of its Internet Defense Prize to $1 million to be doled out in a series of prizes throughout 2018, said Alex Stamos, Facebook’s chief security officer, who serves as a keynote speaker today at Black Hat. Facebook awarded $100,000 in Internet Defense Prizes last year and a total of $250,000 since starting the awards recognition program with USENIX in 2014.
Facebook’s goal is to entice researchers to develop new ways to defend Internet users against vulnerabilities and to minimize the success rate of attacks, especially those that are common and prevalent, such as the reuse of the same password across multiple accounts, or duping a new Internet user into sharing personal and financial information while creating an account.
It’s the simpler day-to-day attacks like these, rather than the ultra-complex and rare 0-day attacks, where at least half of security research should be focusing, Stamos said. But by his estimate, offensive research accounts for something like 99% of the work being performed, with only 1% devoted to defensive security research.
As part of the Internet Defense Prize competitions, researchers will be given a variety of topics where Facebook would ideally like to see more research, Stamos said.
While a lot of defense researchers are focusing on authentication or new ways to authenticate oneself, Stamos noted that account lifecycle management is also an area of interest.
“What we see less from the research community is understanding that the entire lifecycle of somebody’s relationship with an online service has actually security issues throughout it,” Stamos said. “There’s the creation of the account, what do you do when someone loses their phone, loses their password. These are issues that the bad guys are actually exploiting … so research into the real world would be a great thing to happen.”
Facebook is also interested in seeing more research surrounding the worldwide mobile device ecosystem, said Stamos.
“There is a lot of research into the new flaws or ways to exploit fully patched or very expensive devices. But that is not reflective of a huge percentage of the world population,” Stamos said.
He explained that a large portion of the world cannot afford smartphones that cost upwards of $600 or $700, but rather use less expensive Android devices that may cost $50 to $100 and are loaded with an older version of the operating system.
“There is a huge focus on finding 0-days on iPhones and while that is a great thing to do, there is almost no research into the real mobile phone ecosystem and what it looks like and how we can keep people safe if we are shipping hundreds of millions of these phones,” observed Stamos.
Twenty years ago the security industry was fighting for respect and to have companies understand that vulnerabilities needed to be patched, Stamos recalled. Now, however, the security industry has won that fight, but the question of “what do we do now?” looms, he said.
Security researchers can improve their defense tactics by developing more empathy for users in a lower socioeconomic bracket. For example, a youth living in an underserved community may purchase an older smartphone running an operating system that does not have the latest updates. “What would their security experience be like?” Stamos asked.
By walking in the users’ shoes and developing an empathy for how they may behave when it comes to security, a defensive researcher can catch more things that could potentially go wrong, he noted.
Greater empathy may also come by way of a more diverse workforce. Facebook also announced today that it hopes to expand diversity in the security workforce. The company is teaming up with CodePath to develop online and in-classroom cybersecurity courses for Virginia Tech, California State University San Bernardino, Mississippi State University, Merritt College, Hofstra University, and The City College of New York. The classes will be offered starting this academic year, with students potentially landing an internship at Facebook, Stamos said.
In addition to developing empathy for users, security researchers can also benefit by extending empathy to software developers and other members inside and outside of their tech team at a micro level, Stamos said. For example, a dismissive attitude toward the people whose code they find vulnerabilities in may make researchers feel smarter, but it does little to effect real change in the security community, Stamos noted.
He added that security researchers with an empathic nature are also needed at a macro level, which includes working with politicians and law enforcement when they find themselves thrown together, as during the San Bernardino terrorist attack, when government officials were trying to unlock a terrorist’s iPhone. Another, more recent example relates to the questions that have emerged about Russia’s involvement in the US elections and elections in Europe.
Facebook also announced today it will be a founding sponsor of the Defending Digital Democracy Project. This initiative will focus on improving the security around elections and the Democratic process. Facebook will provide financial and technical support to Harvard University’s Belfer Center, Stamos said.
While some may view bringing about such a cultural change, an empathic security industry, as asking for a sea change, Stamos said he has already seen improvements: “We have started to see some security people in our community start to think this way,” he said. “I figure we’ll do better this time than it taking the next 20 years.”
Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …