Facebook hacks its workers into Hacktober smithereens

It was October! The month when slimy worms slither through Facebook! On those cold, dark days when grisly green hands tend to smash through monitors, hungrily grasping at click-happy employees!

At least, that’s what one of Facebook’s posters implied to its employees last month.

This, Facebook told Mashable, was the second year that the company celebrated its annual Hacktober: a month-long event wherein its engineers brewed up simulations of security threats that they then unleashed on staff computers.

After setting the traps, they sat back and waited to see which employees would fall for them, and which would be good-security doobies and report the fishiness, thereby netting themselves some Facebook-emblazoned swag.

Those who ratted out the engineering crew’s phishing scam or other security threats – which were sprinkled throughout the site or sent to company email addresses – got themselves a Facebook-branded shirt, bandana or sticker.

Those damnable souls who were lured into clicking on the booby-traps got sent to hell, aka “further training”.

Terror works well in the corporate culture, Ryan McGeehan, a director on Facebook’s security team, told Mashable:

"Webinars don’t exactly fit in well here, so we wanted to do something unique in line with our hacking culture to teach employees about cybersecurity... We took the theme of October, fear and pranks and created something that is both fun and educational."

He said it was also part of a larger effort to celebrate National Cyber Security Awareness month.

Threats were targeted at groups based on what they might realistically come across in the course of doing their jobs. Afterward, the hack was revealed, along with an explanation of how to prevent such exploits outside of the safety of the simulated environment.

Mashable provided one example of a worm hiding as a fake Facebook news story to demonstrate the speed in which spam spreads across the social network.

The worm was a huge success, McGeehan said, both in terms of employee responsiveness and as a way to test and refine the tools and policy systems Facebook uses for reporting suspicious activity:

"We launched a worm to simulate some of the spam campaigns we see on Facebook and other sites, and this was our grand finale. Within minutes, we were overwhelmed with reports from employees, and it was a wild success."

Jenn Lesser, an operations manager on Facebook’s security team who worked with the internal events and design on the project, said that the company faces the same security lethargy that most businesses deal with: namely, staff don’t care until there’s a problem.

But by then, it’s too late.

There are good lessons here regarding proactive security training – as in, security training that comes alive, vs. the typical quick quiz that fails to engage people on a long-term basis.

Pen-testing your own peeps a la Facebook is a great idea, and you don’t necessarily have to throw any software development resources at it.

Kevin Young, who’s on Adobe’s Information Security Team and has done a good deal of security training with both Utah Valley University College of Technology and Computing students as well as nontechnical people at Risk Management conferences, told me about some of his demos that make security concepts easy to grasp:

• Weak passwords: Young sets up his laptop running the John the Ripper password cracker in a command window. He minimises the PowerPoint presentation so the audience can see the password cracking window on the side. As he works through the slides, he lets the passwords pop up and scroll off the screen. They get the idea pretty quickly, he says.
• Social engineering: Young brings an empty Cisco box to a class and pretends to struggle at the door. A student will almost always open it for him, without checking his credentials.
• Identity theft: Young shows people spoofcard.com, which allows users to call people while displaying a fake name.
• Silly password tricks: Young shows photos of keyboard undersides displaying supposedly unbreakable passwords.
• Take photos: Young takes them for a walk around an organisation and discretely takes a few photographs. He shows them any unattended doorways, for example.

If you’ve got other ways to terrorise your employees into cybersecurity awareness, please share them in the comments section below.

And please, no links to that Facebook meme-of-the-day Brazilian stunt with the fake elevator and the little demon child who popped out of a panel and scared people to the brink of cardiac arrest.

That was just plain creepy.

If you’re on Facebook, consider joining our Facebook page, where you can keep up-to-date on the latest privacy and security issues, and learn about the rogue applications, scams and malware attacks threatening Facebook users.

_{Hacktober poster, courtesy of Mashable}

_{Facebook grim reaper, courtesy of Shutterstock}