
Facebook Rolled Its Own 0Day For Red Team Exercise

Unknown Lamer posted about a year and a half ago | from the and-yet-they-were-hacked dept.


chicksdaddy writes "Threatpost has the story of the extreme — even hair-raising — lengths that Facebook's incident response team has gone to in order to prepare the company's staff to be hacked. Among the methods described at the CanSecWest Conference: 'Operation Loopback' in 2012, which was designed to mimic an APT-style attack from China and used what appears to be an internally developed exploit for an internally discovered 0day. From the article: 'McGeehan and his team this time identified a likely attacker — China — and decided to impersonate its tactics. For this one, they recruited an internal engineer as an accomplice. They wanted to get a backdoor into Facebook's production code, so they sent a spear-phishing email containing exploit code for a live zero-day vulnerability to the engineer. He dutifully clicked the link and his machine was promptly compromised. (McGeehan would not identify which product the vulnerability affected, nor how the Facebook team came into possession of it, but said that they disclosed it to the affected vendor before the Loopback exercise and used it before the patch was publicly available.)' Ouch!"


They then fired the engineer (0)

Anonymous Coward | about a year and a half ago | (#43128195)

For falling for their elaborate socially engineered social engineering in the guise of testing their system.

Re:They then fired the engineer (-1)

Anonymous Coward | about a year and a half ago | (#43128293)

Fucking morons like you should not be allowed to access the Intertubes.

Way too much time on their hands (0)

oztiks (921504) | about a year and a half ago | (#43128567)

Aren't they supposed to be trying to mobilise their systems so they can knock Google into irrelevance to gratify their stockholders' delusions?

No wait, that's never gonna happen. Might as well fish out some crappy POC from SecurityFocus, code it up and see if their dumb ass hipster engineers will accidentally click on it while thinking it was supposed to be a link to a cute kitty pix. I reckon for their next trick they should start filming their own version of Jackass in the HQ office ... Mark Zuckkerballs taking a blowtorch to his scrotum, who wouldn't pay to see that?

FaceBook doesn't really need to do this; there are dozens of security firms out there that can show them how to hold a secure infrastructure. This seems like just a total waste of time for some reason, pretending to be a "l33t hax0r" or something. I can't figure out what's the method to the madness here ....

Re:Way too much time on their hands (0)

Anonymous Coward | about a year and a half ago | (#43131713)

Aren't they supposed to be trying to mobilise their systems so they can knock Google into irrelevance to gratify their stockholders' delusions?

In what world is Facebook competing with Google?

Oh, right, they've got those ten Google+ users. LOOK OUT, ZUCKSTER.

Competing for advertising revenue (1)

DragonWriter (970822) | about a year and a half ago | (#43131945)

In what world is Facebook competing with Google?

In the world where, despite their different core competencies in terms of engineering ways to attract non-paying users to whom their customers can advertise, both of them actually make the vast majority of their revenue selling online advertising.

Oh, right, they've got those ten Google+ users.

Google+ isn't where Google competes with Facebook directly for money. Social network users aren't either company's paying customers.

Re:Way too much time on their hands (1)

oztiks (921504) | about a year and a half ago | (#43134401)

In what world is Facebook competing with Google?

Advertising revenue genius.

Re:They then fired the engineer (0)

Anonymous Coward | about a year and a half ago | (#43129101)

I hope so. Even secretaries know enough not to click crap. Engineers should be reading email in alpine. No links to click.

Of course It had to be China (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43128265)

I mean, with the Soviets gone, Saddam gone, Bin Laden gone, SOMEONE has to step up to be the stereotype arch-enemy of the US. So let's build this image because hey, we just have to learn and be prejudiced with 1 and a half billion people. After all, what good are the Chinese for? We don't need them, right?

Re:Of course It had to be China (2)

MightyYar (622222) | about a year and a half ago | (#43128299)

They made my computer...

Re:Of course It had to be China (2, Informative)

Anonymous Coward | about a year and a half ago | (#43128331)

It's not about racial prejudice, it's about probability.

Re:Of course It had to be China (1)

davester666 (731373) | about a year and a half ago | (#43128651)

They are probably racist?

Re:Of course It had to be China (1)

fustakrakich (1673220) | about a year and a half ago | (#43128871)

Maybe...

Re:Of course It had to be China (3, Funny)

Anonymous Coward | about a year and a half ago | (#43128391)

If China would rid the world of Facebook, they would be heroes, not the enemy.

Re:Of course It had to be China (0)

Anonymous Coward | about a year and a half ago | (#43134321)

Because we all know the Chinese live in huts or on junks and don't know how to use computers. I mean, it's not like we've ever heard or read about Chinese hackers.

http://www.philly.com/philly/news/nation_world/20130310_For_Chinese_hackers__it_s_all_in_a_workday.html

http://www.washingtonpost.com/blogs/wonkblog/wp/2013/02/25/what-chinas-hackers-get-wrong-about-washington/

http://www.huffingtonpost.com/2013/02/25/chinese-hackers_n_2756914.html

http://www.nytimes.com/2013/03/04/us/us-weighs-risks-and-motives-of-hacking-by-china-or-iran.html?pagewanted=all&_r=0

http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all

Sounds like Facebook handled it correctly (5, Insightful)

excursive (2823185) | about a year and a half ago | (#43128325)

More companies should do that kind of testing. If only they would spend that much effort on building a reliable user interface...

Re:Sounds like Facebook handled it correctly (0)

Anonymous Coward | about a year and a half ago | (#43128497)

More companies should do that kind of testing.

If only they would spend that much effort on building a reliable user interface...

You seem to have forgotten that you are not FB's customer.

You are their PRODUCT.

They're going to spend as little on their product as they can, and sell it for as much as they can.

Re:Sounds like Facebook handled it correctly (1)

datavirtue (1104259) | about a year and a half ago | (#43128631)

"I hate facebook" is the general consensus among the users; however, they always offer the caveat that it is the only way they can keep in contact with people. FB is a miserable experience, there is no doubt about that.

Re:Sounds like Facebook handled it correctly (1)

excursive (2823185) | about a year and a half ago | (#43128667)

Yes, we're their product, but without product they won't be able to sell ads.

Re:Sounds like Facebook handled it correctly (1)

DuckDodgers (541817) | about a year and a half ago | (#43130419)

As opposed to companies like Verizon, Comcast, AT&T, and Microsoft, where in theory you are the customer, but they treat you just as badly as Facebook does anyway.

Re:Sounds like Facebook handled it correctly (1)

datavirtue (1104259) | about a year and a half ago | (#43128625)

Let me join the rest of world in a big fucking yawn........

Re:Sounds like Facebook handled it correctly (0)

Anonymous Coward | about a year and a half ago | (#43128889)

Yeah, something more like Slashdot's flawless design, like a Zippo lighter it is...

Re:Sounds like Facebook handled it correctly (0)

Anonymous Coward | about a year and a half ago | (#43129329)

Agreed. This falls into modern I.T. best practices just as backups do.

The best jumping-off source for teaching this kind of Network Security Monitoring is http://taosecurity.blogspot.com, i.e. it is not a question of if we'll get hacked, but what our response and containment strategy will be. Often, the best immediate response is to do nothing aside from monitoring while doing packet captures.

Re:Sounds like Facebook handled it correctly (0)

Anonymous Coward | about a year and a half ago | (#43131061)

Very much so.
Doing penetration tests is a very good thing and companies should do it more often if they have their stuff connected to the internet and depend on it working.
Not that it matters on Facebook since people happily post their information all over it.
But at least securing against rogue apps and stuff is a good thing.

Also agreed on the other part. Why can't they just make an easy-to-use interface?
Why is everything hidden behind a trillion clicks?
Where the hell do UI heads find these people?
UIs in general have gotten far worse in recent years for Facebook and so so many other sites and programs. (don't get me started on Microsoft, I think they hired children to help design interfaces for anything Windows Vista onwards. And I'm actually being serious. Worst interfaces I've ever seen, most obtuse functionality ever, and most ass-backwards design in general)
Slashdot itself isn't even an exception to this. The design itself is fine, it is the trillion sub-domain specific quirks that are annoying as hell.
And what the hell is with that horribly broken "article" only view? Is that supposed to be the mobile view? Why the hell does it never work on any sub-domain ever?
And why does it ever show when I am obviously not using a mobile? (I'm still assuming it actually is a mobile view admittedly)

not really a zeroday exploit... (1)

D-Fly (7665) | about a year and a half ago | (#43128385)

Correct me if I'm wrong but it's not really a zero day 'sploit if it's internally known, the attack is internal penetration testing, and the exploit gets closed before it's known.

Re:not really a zeroday exploit... (1)

DarthBart (640519) | about a year and a half ago | (#43128435)

This is Slashdot, where every exploit is a zero-day exploit. I could release a patch to TRS-DOS 1.3 that makes it ignore passwords and someone here would post it as a zero-day.

But I believe that patch already exists.

Re: not really a zeroday exploit... (0)

Anonymous Coward | about a year and a half ago | (#43128441)

It was an exploit they discovered in software from another vendor; it was in fact 0day up until they notified said vendor.

Re:not really a zeroday exploit... (1)

WizADSL (839896) | about a year and a half ago | (#43128505)

I imagine the team(s) that responded to the security threat didn't know it was a drill. I think the idea was to create the situation using a real security hole but with the cooperation of an engineer that was playing the part of a "tricked" employee to allow the vulnerability to be exploited in a realistic way. I ASSUME that the team members responsible for the creation of the exploit program were not part of the team(s) that responded to the incident.

Re:not really a zeroday exploit... (0)

Anonymous Coward | about a year and a half ago | (#43131627)

Sounds like a great way to exploit... pretend to be doing a training exercise.

Re:not really a zeroday exploit... (0)

Anonymous Coward | about a year and a half ago | (#43128509)

In this case it was a 0day because the exploit was not in FB's codebase; it was in one of their vendors' (Microsoft, Adobe, Oracle, etc.). So it was a 0Day because it got used (by FB against FB) before there was a patch available. It does indeed fit the definition. If it had been in FB's codebase then it would not fit.

Re:not really a zeroday exploit... (1)

datavirtue (1104259) | about a year and a half ago | (#43128649)

Agreed, if it was a 0-day then they would have appointed a team to conduct the exercise in secret. Failing to do this, and truly attack the network, is an academic exercise.

Re:not really a zeroday exploit... (0)

Anonymous Coward | about a year and a half ago | (#43128693)

Correct me if I'm wrong but it's not really a zero day 'sploit if ... the exploit gets closed before it's known.

TFS: "used it before the patch was publicly available"

Re:not really a zeroday exploit... (0)

Anonymous Coward | about a year and a half ago | (#43128839)

And it's not necessarily a "0day" anyhow. From the description, it sounds like it could as easily have been an obvious executable emailed to the target as an approximation of a 0day. It could even have been "hey, run the command line netcat..."

useless attempt (0)

Anonymous Coward | about a year and a half ago | (#43128387)

Lame ass attempt at hacking prevention.
We know they have succeeded when the headline is "Zuckerberg doubles down and loses!"

Coverup (0)

Anonymous Coward | about a year and a half ago | (#43128403)

This is all bullshit.

On Feb 10th, Ars Technica released the following story: http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/ [arstechnica.com]

On Feb 19th, The Register released this: http://www.theregister.co.uk/2013/02/19/apple_hacked/ [theregister.co.uk]

On Feb 20th, CNN released this: http://www.cnn.com/2013/02/20/tech/web/hacked-apple-facebook-twitter [cnn.com]

On the 10th I said they got pwned for real in #misec on freenode, and 9 days later I was proven right. This is nothing more than a publicly traded company trying to save face.... or something. But the "wargame" and actual hacking are NOT coincidences.

- ShadowHatesYou

Re:Coverup (0)

Anonymous Coward | about a year and a half ago | (#43128867)

PS: The same company they used for the "wargame" also offers compliance auditing.

My guess is Trustwave (claimed to have done the pentest on the 10th) is also facebook's PCI compliance auditor (for their game microtransactions), and they rubber stamp:

https://www.trustwave.com/pci-dss-compliance.php [trustwave.com]
https://www.trustwave.com/sas.php [trustwave.com]
https://www.trustwave.com/sox.php [trustwave.com]

-ShadowHatesYou

In 1972.... (0)

Anonymous Coward | about a year and a half ago | (#43128531)

In 1972 an APT commando unit was sent to facebook by an internal engineer for a crime they didn't commit. These men promptly wrote a spear-phishing e-mail from a maximum security stockade to the China underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a zero-day exploit, if no one else can help, and if you can find them, maybe you can hire the APT-Team.

Amateur hour (0)

Anonymous Coward | about a year and a half ago | (#43128539)

Seriously?

When the extortion email arrived, the members of the response team began checking their bank accounts and personal webmail accounts to see whether they had been compromised, as well.

So that's a joke. The fact that they had an accomplice click their "spear phish" intentionally is also a joke, as you can just start with a remote attack platform locally and call it the same. Where were their engagement rules? Oh, there were none? Yeah, let's fuck off on our prod environment playing APT!

"We got onto the developer's system and then put a change into his PHP code and pushed it live," McGeehan said. "That affects a billion users, but the backdoor was designed not to run."

Irresponsible idiots.

Re:Amateur hour (1)

equex (747231) | about a year and a half ago | (#43129635)

hah yeah, they are fucking stone cold

what is this facebook... (0)

Anonymous Coward | about a year and a half ago | (#43129695)

That you speak of?

Re:what is this facebook... (1)

folderol (1965326) | about a year and a half ago | (#43129817)

Bugrit! You beat me to it :)