The Stack Archive

Why has Facebook acquired security start-up PrivateCore?

Mon 18 Aug 2014

Facebook is keeping tight-lipped about the terms of the deal, but one only needs to look back a year to see why the social networking company has decided to acquire security start-up PrivateCore to up its game in protecting subscribers. Reuters reported on 21st June 2013 that Facebook had admitted to a year-long data breach that affected 6 million out of 1.2 billion users worldwide. This led to Facebook users downloading contact data or their list of friends, allowing them to obtain information they were not meant to receive.

Fortunately, this privacy breach had a limited impact on its users, and once Facebook was notified of the security breach the bug causing it was fixed within a 24-hour period. The social networking giant commented in a statement that this security breach was an embarrassment, and promised to work harder to make sure that it never happened again. Yet Brazilian computer engineer Reginaldo Silva found another bug in September 2013 relating to OpenID, an authentication system that permits users to access their accounts across more than one online service.

Security pay-out

After Facebook promised to pay anyone who found a million-dollar bug, Silva set about the task and, upon finding it, immediately reported the glitch to the company, enabling the issue to be fixed within the space of three and a half hours. As promised by the firm, Silva was paid for his endeavours and received $33,500 for his work. Facebook realised that user data could have once more been compromised if this bug had fallen into the wrong hands, leading to reputational damage.

Facebook wants to protect its users against BREACH and Cross Site Request Forgery (CSRF) attacks, and it says the latter convinces the “victim’s web browser to send plausible web requests to the target website…the browser is then fooled because cross-domain requests are commonplace and they have many legitimate uses.” This allows the attacker to impersonate the victim, send spam to that person or steal information from one of their online accounts. The attack can have a particularly significant impact if it manages to figure out the user’s encrypted CSRF token.

Warning users

In November 2013, following a breach at Adobe which caused a data leak, Facebook took action to warn its users and to help them to secure their accounts. Users of the social network who used the same passwords and user names for both Adobe and Facebook were asked to change their passwords and they were required to answer some additional security questions. So it’s clear that the purchase of PrivateCore is about taking measures to prevent hacking incidents, but the social network may still have to fix other software bugs and security glitches in the future.

Facebook’s Chief Security Officer comments on his timeline that PrivateCore’s “vCage technology protects servers from persistent malware, unauthorised physical access and malicious hardware devices, making it safer to run any application in outsourced, hosted and cloud environments.” He added praise to the equation, declaring that PrivateCore’s security team are top-notch security veterans with a significant amount of experience.

Integrating PrivateCore

PrivateCore’s founders, Oded Horovitz and Steve Weiss, gained their experience with the IDF, Google and VMware, and as a result of the deal they are joining Facebook. The companies say they share a vision of a more connected and secure world. To achieve this ambition, they plan to deploy PrivateCore’s “ground-breaking technology” into Facebook’s server stack to protect its users from future security breaches. Both companies declined to make any further comments about the deal.

By Graham Jarvis

