Imperva CTO has harsh opinions on social networking protections
by Steve Ragan - Mar 18 2010, 17:45
Amichai Shulman, chief technology officer with security firm Imperva, takes a harsh stance on a recent SXSW panel talk and says that social networking sites need to mandate the use of strong passwords, instead of blaming the weak passwords chosen by users for many of the problems the social portals face.
Shulman’s comments come after a panel at SXSW that included representatives from Twitter, Facebook, and Microsoft – each of them given a mandate to focus on security for their respective employers. Shulman said that the panel of experts failed to take into account that people can - and frequently do - choose bad passwords.
“[These social networking sites] should seriously acknowledge their responsibility to these security issues rather than simply throw them back at their users.”
The comments seem to stem from remarks made during the panel talk, which included a common theme centered on poor personal password policy.
“Everyone knows at least one person who says 'I use the same password on every site – but it's a really good one', or 'I use different passwords on every site – I take the first letter of the site and the last letter of the site and then I put my birth year in the middle',” said Del Harvey, Director of Trust and Safety at Twitter.
Facebook sees the same thing. “Awareness is a major thing for us, too. The number of individuals who use the same password across multiple sites is astounding,” added Facebook’s Security Manager for Incident Response, Ryan McGeehan.
However, Microsoft’s representative takes a slightly different stance.
“Many people don't have anti-virus software on their computer - that is the biggest vector, that's affecting us quite a bit. About 60% of legitimate websites have had some security vulnerability in the last year. And these vulnerabilities are used to spread malware to your computer. So my first suggestion is: get anti-virus on your computer and that will help solve the problem,” commented Deepak Manohar, who works with developers at Microsoft to ensure privacy protection for Hotmail and Windows Live Messenger.
According to Shulman, none of these sites should tell users what kind of software to install on their computers. These companies should start to take ownership of the user security issue, and act accordingly.
Software aside, the Imperva CTO’s issue is password enforcement. “…the fact that users of these sites often don't use any IT security software and can be quite gullible at times, it's down to the operators of these sites to mandate the use of strong passwords,” Shulman said.
“Education as to the reasons why strong passwords are required is also useful, but far from essential. Internet history has shown that, if you mandate users to do something in return for a free service, they will do what you want,” he added.
The truth is, Shulman’s remarks seem harsh.
Each of the panelists lives and breathes to offer security and privacy for their social network users. Twitter’s Harvey, for example, has a demonstrated passion for supporting Twitter’s user base and protecting them. You can see it in any one of her micro-blogging posts. Sure, Harvey is a public front for Twitter’s security and privacy measures, but to be effective you have to care in the first place, and it’s clear she does.
McGeehan’s comments that the use of the same password on multiple sites was “astounding” are spot on. This, by far, is the largest problem many users online face, and many of them knowingly choose this risk. This frustrates many security operators, and there’s nothing to be done about it, not really.
Security is a fine balance, and if a site forces its users to use stronger passwords, then the users will have issues remembering them. If this happens, then out of frustration alone, a site like Twitter or Facebook risks losing that user.
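What a server-side mandate of the kind Shulman describes actually looks like is worth spelling out, since the panel's examples (one password everywhere, or a site-derived "first letter, birth year, last letter" scheme) are exactly the choices a site can refuse at registration time. The following is an added example written for this page; it is not code from the article, Imperva, Twitter, Facebook or Microsoft. The denylist, the site and user names, and the policy thresholds are constructed sample values.

```python
"""Server-side password policy check (added example, not from the article).

Enforces a minimum length, rejects a denylist of common passwords, rejects
passwords containing the site or account name, and specifically detects the
'first letter of the site + birth year + last letter' scheme quoted in the
article. Thresholds and the denylist are constructed assumptions.
"""
import re
import unicodedata

MIN_LENGTH = 12          # assumption: policy minimum chosen for this example
MIN_DISTINCT_CHARS = 4   # rejects 'aaaaaaaaaaaa'-style padding

# Constructed sample denylist; a real site would load a large list of
# breached and commonly chosen passwords here.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

_YEAR = r"(?:19\d\d|20[0-2]\d)"
# letters, then a four-digit year, then letters: the 't2010r' shape
_SITE_YEAR_PATTERN = re.compile(rf"^([a-z]+)({_YEAR})([a-z]+)$")


def _normalize(text: str) -> str:
    """Fold case and Unicode form so 'Password' and 'PASSWORD' compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def looks_like_site_pattern(password: str, site_name: str) -> bool:
    """True if the password is some leading letters of the site name, a
    four-digit year, then some trailing letters of the site name."""
    pw, site = _normalize(password), _normalize(site_name)
    m = _SITE_YEAR_PATTERN.match(pw)
    if not m:
        return False
    head, _year, tail = m.groups()
    return site.startswith(head) and site.endswith(tail)


def check_password(password: str, site_name: str, username: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    reasons = []
    pw = _normalize(password)
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    # Compare against the denylist with and without trailing digits, so
    # 'Password1234' is caught as a dressed-up 'password'.
    stripped = re.sub(r"\d+$", "", pw)
    if pw in COMMON_PASSWORDS or (stripped and stripped in COMMON_PASSWORDS):
        reasons.append("common_password")
    if _normalize(site_name) in pw or (username and _normalize(username) in pw):
        reasons.append("contains_site_or_username")
    if looks_like_site_pattern(password, site_name):
        reasons.append("site_derived_pattern")
    if len(set(pw)) < MIN_DISTINCT_CHARS:
        reasons.append("low_variety")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical site and user names).
    for candidate in ["t2010r", "Password1234", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, "Twitter", "alice") or "accepted")
```

The check returns every violated rule rather than stopping at the first one, so the registration form can tell the user what to change; only the length and denylist rules carry a user-facing cost, which is the balance the next paragraphs discuss.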
It’s a risk the social networks do not want to take, because each user adds to their bottom line one way or another. Like it or not, social networking is a business, and you need people to make money.
At the same time, Twitter, Microsoft, and Facebook all are working to discover the invisible line that balances security and user experience.
There’s no perfect formula, which is why you see the same passwords used all over the place and why there are security problems related to account hijacking: social networks simply cannot control the user’s actions and choices. Users can help themselves by understanding the risks and knowing what the consequences are for assuming them.
By now, every user knows layered security: anti-virus protection on a computer is a must. However, the other layers are needed as well, including passwords that keep important online functions, such as banking, separate from social networking.
The reality is, if your social networking profile is hijacked, that will suck and it will cause some minor pain, but it is nothing compared to having your bank account credentials stolen.
Security has always been a team effort; any IT department staffer can tell you this. When it comes to personal security online, it’s no different. Help the social networking sites help you, by keeping your passwords easy to remember, long and separated, while maintaining solid system security (anti-virus and software patches). On their end, the various social networking sites will develop and enforce account controls that make it harder for criminals to target you.