Facebook noticed the attack first. But Mark Hammell and his team couldn’t stop it without help from Tumblr, Pinterest, and others.
This was about a year ago, and basically, a new botnet was using various social networking services—including Facebook, Tumblr, and Pinterest—to push malicious software onto machines across the net. “It was using a variety of web properties to propagate or host content—or just to obfuscate the nature of the attack,” remembers Hammell, who oversees Facebook’s threat infrastructure team, a team dedicated to identifying and suppressing malicious attacks.
So, somewhere in Silicon Valley, Hammell and his team sat down with their counterparts from Tumblr, Pinterest, and other online companies, trading notes on what the attack looked like, how it operated, and how to stop it. “All of us came together in the same room,” Hammell says. “We had to work together for the thing to truly go away—in perpetuity.”
This face-to-face gathering served its purpose, but Hammell and his team also realized that in the long run, they couldn’t arrange a meeting for every botnet that came along. And eventually, they resolved to automate this sort of security powwow. “We needed a way to share this information in real time, so that our systems could actually talk together, rather than putting humans together or sending emails or sending spreadsheets,” Hammell says.
The result is ThreatExchange, a set of application programming interfaces, or APIs, that let disparate companies trade information about the latest online attacks. Built atop the Facebook Platform—the standard set of tools for coding applications atop the company’s worldwide social network—ThreatExchange is already used by Facebook and a handful of other companies, including Tumblr, Pinterest, Twitter, and Yahoo. And though access to the service is strictly controlled, Hammell hopes to include other companies as time goes on.
“We’ve seen this work, and we want to expand it more widely,” he says. And according to a Facebook spokesperson, the service has already signed up two new companies: Dropbox and Bitly.
The tool is a conspicuous example of a recent shift in the world of information security. In the past, online companies were loath to share their security work with the outside world, worrying they would tip their hand to attackers. But increasingly, these companies are now realizing that sharing certain software, data, and techniques can significantly improve security.
Google and Facebook are at the forefront of this movement, and others aren’t far behind. This fall, Facebook open sourced a new tool built to protect its online empire, sharing the code with the world at large. And with their “bug bounty” programs, both Google and Facebook now encourage outside researchers to locate and identify security holes in their systems—something that companies rarely did in years past.
For Rich Mogull, a security analyst and consultant with a company called Securiosis, ThreatExchange is a “great idea.” Though anti-virus companies keep track of malware aimed at individual machines and other security vendors, including Norse Corp., sell access to information about large threats to online businesses, Mogull says, there’s not really a way for companies to rapidly share data with each other.
That’s a much needed thing. But Mogull also warns that its success depends on the details. The trick lies in determining who should have access to the system and who shouldn’t. Open the tool up too far, and miscreants could game the system. Keep the pool of users too small, and you limit the tool’s effectiveness.
Facebook’s Hammell says much the same thing. But like so many others, he’ll tell you that at least some sharing is better than none. “The beauty of sharing is that as one of us gets better at dealing with an attack,” he says, “all of us get better.”