Weak passwords and lack of AV a major issue in social network security

Twitter, Facebook and Microsoft warn of dangers

Twitter s Del Harvey

Even after many high-profile hacking and phishing attacks on social networking accounts, and constant messages urging people to be vigilant, the biggest problem with web security is still weak passwords.

Speaking at South by South West Interactive (SXSWi), an industry panel of security engineering managers from Twitter, Facebook and Microsoft discussed the approaches they use to secure their web services.

Del Harvey is Director of Trust and Safety at Twitter. "I have a team of 20 folks, which given that the team at Twitter is about 160, is a very large team and we deal with ensuring the user expectations for privacy are there, and when bad things happen we work to fix them."

Harvey says education is an on-going problem: "The current biggest thing that is crucial to our security programme is trying to get users educated about security. Everyone knows at least one person who says 'I use the same password on every site – but it's a really good one', or 'I use different passwords on every site – I take the first letter of the site and the last letter of the site and then I put my birth year in the middle.'

"It's this big wave right now of almost identity theft-based attempts at hacking, not just on Twitter but also on Facebook and on email sites and messenger sites. There's a big push towards not necessarily brute force [attacks] but more specialised. Obviously we still have brute force issues where we deal with, OK they've tried to log into x number of accounts in y amount of time with z combinations of passwords. And then we have rounds of phishing, straight out 'haha this you?' links."

Ryan McGeehan, Security Manager for Incident Response at Facebook, says: "Awareness is a major thing for us, too. The number of individuals who use the same password across multiple sites is astounding.

"So, for instance, if some obscure web forum that you are a part of gets compromised and the database gets leaked, and the passwords are stored in clear text, then the person who stole that database decides to try all of those usernames and passwords on other sites the success rate is astounding.

"It's an awareness issue; it's a security issue for any site that is dealing with usernames and passwords."

Ryan mcgeehan

AWARENESS ISSUE: Facebook's Ryan McGeehan

Deepak Manohar looks after security on Windows Live products, which include Hotmail, Live Messenger and Windows Live Photo Gallery. "It's my job to work with our developers to ensure we don't have security and privacy issues with our products and to protect your identity from being stolen," he explains.

User awareness is a major concern and a major part of the Windows Live security program, says Manohar.

"The way we break up our security programme is into proactive and reactive security. Proactive security is what we do up front in the developer life cycle, and we break that up into training – every developer at Microsoft goes through at least an hour of security training every year.

"We try to cover the most important security threats in that hour of training. So developers learn how these threats are exploited, how these methods are used by attackers to spread malware and perform phishing attacks."

"For our reactive process, we have an incident monitoring team who scour the internet and search for potential issues that people are talking about regarding our sites, so even if they don't properly disclose it to us, we become aware of it and we take reactive steps to mitigate this."