A few decades ago, some genius had this outrageous idea: "Let's put everything online." Everything. Measureless reams of information all piled up on the World Wide Web. The audacity of this concept should not go unappreciated.
Cool idea, yes. But how will we FIND anything in this bottomless haystack?
That's what search engines are for. They are built on spiders that crawl and index the Web continuously, and they run on algorithms that rank everything according to its pertinence and influence on any given topic. (Also read Why security pros should master Google.)
Right now, social networking sites are a critical factor in deciding what's influential in search. If a page is frequently shared and liked on Facebook, that page is likely to rise in Google's search results.
Search engine optimization pros, who—like traditional hackers—span a spectrum from white hat to black, noticed this. The darker sorts created a set of tools to help them game the system: XRumer, SEnuke, Hrefer, ScrapeBox, Ignite SEO.
These tools automate two key processes: spamming blogs and forums with comments and links, and creating fake social media profiles that let them share, like or +1 their own sites and pages in massive numbers.
And of course the traditional black-hat hackers have noticed this too. (Colleague Scott Berinato examined this effect with his usual prescience back in 2008.)
If they can build a Web page that includes links to a malicious site or that delivers a drive-by download of a keylogger, and then get that page to rank high in Google results for some apparently innocuous search term, that's a great tool for cybercrime. So they employ XRumer and so forth to build fake profiles on Facebook and elsewhere.
And that's just one of about a million headaches, or opportunities, that Facebook CSO Joe Sullivan has to confront on a daily basis.
Facebook has something like 800 million members—I'm sure it will be higher by the time this issue lands. Both the exploitations of and the potential solutions for modern Web security problems involve not just Facebook, but also Google and Microsoft and indeed the entire Web ecosystem. How can Sullivan help combat a problem of such magnitude? Machine learning, cooperation with search engines, civil lawsuits, user education—pretty much every tool in the security arsenal, and then some. Enjoy his Q&A with freelancer Lauren Gibbons Paul.
It's a job I don't envy, though I'm certainly glad somebody's doing it.