Slashdot Mirror


Facebook Rolled Its Own 0Day For Red Team Exercise

chicksdaddy writes "Threatpost has the story of the extreme — even hair-raising — lengths that Facebook's incident response team has gone to in order to prepare the company's staff to be hacked. Among the methods described at the CanSecWest Conference: 'Operation Loopback' in 2012, which was designed to mimic an APT-style attack from China and used what appears to be an internally developed exploit for an internally discovered 0day. From the article: 'McGeehan and his team this time identified a likely attacker — China — and decided to impersonate its tactics. For this one, they recruited an internal engineer as an accomplice. They wanted to get a backdoor into Facebook's production code, so they sent a spear-phishing email containing exploit code for a live zero-day vulnerability to the engineer. He dutifully clicked the link and his machine was promptly compromised. (McGeehan would not identify which product the vulnerability affected, nor how the Facebook team came into possession of it, but said that they disclosed it to the affected vendor before the Loopback exercise and used it before the patch was publicly available.)' Ouch!"

40 comments

  1. They then fired the engineer by Anonymous Coward · · Score: 0

    For falling for their elaborate socially engineered social engineering in the guise of testing their system.

    1. Re:They then fired the engineer by Anonymous Coward · · Score: 0

      I hope so. Even secretaries know enough not to click crap. Engineers should be reading email in alpine. No links to click.

  2. Ofcourse It had to be China by Anonymous Coward · · Score: 2, Insightful

    I mean, with the Soviets gone, Saddam gone, Bin Laden gone, SOMEONE has to step up to be the stereotype arch-enemy of the US. So let's build this image because hey, we just have to learn and be prejudiced with 1 and a half billion people. After all, what good are the Chinese for? We don't need them right?

    1. Re:Ofcourse It had to be China by MightyYar · · Score: 2

      They made my computer...

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.

    2. Re:Ofcourse It had to be China by Anonymous Coward · · Score: 2, Informative

      It's not about racial prejudice, it's about probability.

    3. Re:Ofcourse It had to be China by Anonymous Coward · · Score: 3, Funny

      If China would rid the world of Facebook, they would be heroes, not the enemy.

    4. Re:Ofcourse It had to be China by davester666 · · Score: 1

      They are probably racist?

      --
      Sleep your way to a whiter smile...date a dentist!

    5. Re:Ofcourse It had to be China by fustakrakich · · Score: 1

      Maybe...

      --
      “He’s not deformed, he’s just drunk!”

    6. Re:Ofcourse It had to be China by Anonymous Coward · · Score: 0

      Because we all know the Chinese live in huts or on junks and don't know how to use computers. I mean, it's not like we've ever heard or read about Chinese hackers.

      http://www.philly.com/philly/news/nation_world/20130310_For_Chinese_hackers__it_s_all_in_a_workday.html

      http://www.washingtonpost.com/blogs/wonkblog/wp/2013/02/25/what-chinas-hackers-get-wrong-about-washington/

      http://www.huffingtonpost.com/2013/02/25/chinese-hackers_n_2756914.html

      http://www.nytimes.com/2013/03/04/us/us-weighs-risks-and-motives-of-hacking-by-china-or-iran.html?pagewanted=all&_r=0

      http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all

  3. Sounds like Facebook handled it correctly by excursive · · Score: 5, Insightful

    More companies should do that kind of testing. If only they would spend that much effort on building a reliable user interface...

    1. Re:Sounds like Facebook handled it correctly by Anonymous Coward · · Score: 0

      More companies should do that kind of testing.

      If only they would spend that much effort on building a reliable user interface...

      You seem to have forgotten that you are not FB's customer.

      You are their PRODUCT.

      They're going to spend as little on their product as they can, and sell it for as much as they can.

    2. Re:Sounds like Facebook handled it correctly by datavirtue · · Score: 1

      Let me join the rest of world in a big fucking yawn........

      --
      I object to power without constructive purpose. --Spock

    3. Re:Sounds like Facebook handled it correctly by datavirtue · · Score: 1

      "I hate facebook" is the general consensus among the users, however, they always offer the caveat that it is the only way they can keep in contact with people. FB is a miserable experience, there is no doubt about that.

      --
      I object to power without constructive purpose. --Spock

    4. Re:Sounds like Facebook handled it correctly by excursive · · Score: 1

      Yes, we're their product, but without product they won't be able to sell ads.

    5. Re:Sounds like Facebook handled it correctly by Anonymous Coward · · Score: 0

      Yeah, something more like Slashdot's flawless design, like a Zippo lighter it is...

    6. Re:Sounds like Facebook handled it correctly by Anonymous Coward · · Score: 0

      Agreed. This falls into modern I.T. best practices just as backups do.

      The best jumping-off source for teaching this kind of Network Security Monitoring is http://taosecurity.blogspot.com. i.e. it is not a question of if we'll get hacked, but what our response and containment strategy will be. Often, the best immediate response is to do nothing aside from monitoring while doing packet captures.

    7. Re:Sounds like Facebook handled it correctly by DuckDodgers · · Score: 1

      As opposed to companies like Verizon, Comcast, AT&T, and Microsoft, where in theory you are the customer, but they treat you just as badly as Facebook does anyway.

    8. Re:Sounds like Facebook handled it correctly by Anonymous Coward · · Score: 0

      Very much so.
      Doing penetration tests is a very good thing and companies should do it more often if they have their stuff connected to the internet and depend on it working.
      Not that it matters on Facebook since people happily post their information all over it.
      But at least securing against rogue apps and stuff is a good thing.

      Also agreed on the other part. Why can't they just make an easy to use interface?
      Why is everything hidden behind a trillion clicks?
      Where the hell do UI heads find these people?
      UIs in general have gotten far worse in recent years for Facebook and so so many other sites and programs. (don't get me started on Microsoft, I think they hired children to help design interfaces for anything Windows Vista onwards. And I'm actually being serious. Worst interfaces I've ever seen, most obtuse functionality ever, and most ass-backwards design in general)
      Slashdot itself isn't even an exception to this. The design itself is fine, it is the trillion sub-domain specific quirks that are annoying as hell.
      And what the hell is with that horribly broken "article" only view? Is that supposed to be the mobile view? Why the hell does it never work on any sub-domain ever?
      And why does it ever show when I am obviously not using a mobile? (I'm still assuming it actually is a mobile view admittedly)

  4. not really a zeroday exploit... by D-Fly · · Score: 1

    Correct me if I'm wrong but it's not really a zero day 'sploit if it's internally known, the attack is internal penetration testing, and the exploit gets closed before it's known.

    --
    \

    1. Re:not really a zeroday exploit... by DarthBart · · Score: 1

      This is Slashdot, where every exploit is a zero-day exploit. I could release a patch to TRS-DOS 1.3 that makes it ignore passwords and someone here would post it as a zero-day.

      But I believe that patch already exists.

    2. Re: not really a zeroday exploit... by Anonymous Coward · · Score: 0

      It was an exploit they discovered in software from another vendor; it was in fact 0day up until they notified said vendor.

    3. Re:not really a zeroday exploit... by WizADSL · · Score: 1

      I imagine the team(s) that responded to the security threat didn't know it was a drill. I think the idea was to create the situation using a real security hole but with the cooperation of an engineer that was playing the part of a "tricked" employee to allow the vulnerability to be exploited in a realistic way. I ASSUME that the team members responsible for the creation of the exploit program were not part of the team(s) that responded to the incident.

    4. Re:not really a zeroday exploit... by Anonymous Coward · · Score: 0

      In this case it was a 0day because the exploit was not in FB's codebase; it was in one of their vendors' (Microsoft, Adobe, Oracle, etc.). So it was a 0Day because it got used (by FB against FB) before there was a patch available. It does indeed fit the definition. If it had been in FB's codebase then it would not fit.

    5. Re:not really a zeroday exploit... by datavirtue · · Score: 1

      Agreed, if it was a 0-day then they would have appointed a team to conduct the exercise in secret. Failing to do this, and truly attack the network, is an academic exercise.

      --
      I object to power without constructive purpose. --Spock

    6. Re:not really a zeroday exploit... by Anonymous Coward · · Score: 0

      Correct me if I'm wrong but it's not really a zero day 'sploit if ... the exploit gets closed before it's known.

      TFS: "used it before the patch was publicly available"

    7. Re:not really a zeroday exploit... by Anonymous Coward · · Score: 0

      And it's not necessarily a "0day" anyhow. From the description, it sounds like it could as easily have been an obvious executable emailed to the target as an approximation of a 0day. It could even have been "hey, run the command line netcat..."

    8. Re:not really a zeroday exploit... by Anonymous Coward · · Score: 0

      Sounds like a great way to exploit... pretend to be doing a training exercise.

  5. useless attempt by Anonymous Coward · · Score: 0

    Lame ass attempt at hacking prevention.
    We know they have succeeded when the headline is "Zuckerberg doubles down and loses!"

  6. Coverup by Anonymous Coward · · Score: 0

    This is all bullshit.

    On Feb 10th, Ars Technica released the following story: http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/

    On Feb 19th, The Register released this: http://www.theregister.co.uk/2013/02/19/apple_hacked/

    On Feb 20th, CNN released this: http://www.cnn.com/2013/02/20/tech/web/hacked-apple-facebook-twitter

    On the 10th I said they got pwned for real in #misec on freenode, and 9 days later I was proven right. This is nothing more than a publicly traded company trying to save face.... or something. But the "wargame" and actual hacking are NOT coincidences.

    - ShadowHatesYou

    1. Re:Coverup by Anonymous Coward · · Score: 0

      PS: The same company they used for the "wargame" also offers compliance auditing.

      My guess is Trustwave (claimed to have done the pentest on the 10th) is also Facebook's PCI compliance auditor (for their game microtransactions), and they rubber stamp:

      https://www.trustwave.com/pci-dss-compliance.php
      https://www.trustwave.com/sas.php
      https://www.trustwave.com/sox.php

      -ShadowHatesYou

  7. In 1972.... by Anonymous Coward · · Score: 0

    In 1972 an APT commando unit was sent to Facebook by an internal engineer for a crime they didn't commit. These men promptly wrote a spear-phishing e-mail from a maximum security stockade to the China underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a zero-day exploit, if no one else can help, and if you can find them, maybe you can hire the APT-Team.

  8. Amateur hour by Anonymous Coward · · Score: 0

    Seriously?

    When the extortion email arrived, the members of the response team began checking their bank accounts and personal webmail accounts to see whether they had been compromised, as well.

    So that's a joke. The fact that they had an accomplice click their "spear phish" intentionally is also a joke, as you can just start with a remote attack platform locally and call it the same. Where were their engagement rules? Oh, there were none? Yeah, let's fuck off on our prod environment playing APT!

    "We got onto the developer's system and then put a change into his PHP code and pushed it live," McGeehan said. "That affects a billion users, but the backdoor was designed not to run."

    Irresponsible idiots.

    1. Re:Amateur hour by equex · · Score: 1

      hah yeah, they are fucking stone cold

      --
      Can I light a sig ?

  9. Way too much time on their hands by oztiks · · Score: 0

    Aren't they supposed to be trying to mobilise their systems so they can knock Google into irrelevance to gratify their stockholders' delusions?

    No wait, that's never gonna happen. Might as well fish out some crappy POC from SecurityFocus, code it up and see if their dumb ass hipster engineers will accidentally click on it while thinking it was supposed to be a link to a cute kitty pix. I reckon for their next trick they should start filming their own version of Jackass in the HQ office ... Mark Zuckkerballs taking a blowtorch to his scrotum, who wouldn't pay to see that?

    FaceBook doesn't really need to do this, there are dozens of security firms out there that can show them how to hold a secure infrastructure. This seems like just a total waste of time for some reason as to pretend to be a "l33t hax0r" or something. I can't figure what's the method to the madness here ....

    1. Re:Way too much time on their hands by Anonymous Coward · · Score: 0

      Aren't they supposed to be trying to mobilise their systems so they can knock Google into irrelevance to gratify their stockholders' delusions?

      In what world is Facebook competing with Google?

      Oh, right, they've got those ten Google+ users. LOOK OUT, ZUCKSTER.

    2. Re:Way too much time on their hands by oztiks · · Score: 1

      In what world is Facebook competing with Google?

      Advertising revenue genius.

  10. what is this facebook... by Anonymous Coward · · Score: 0

    That you speak of?

    1. Re:what is this facebook... by folderol · · Score: 1

      Bugrit! You beat me to it :)

  11. Competing for advertising revenue by DragonWriter · · Score: 1

    In what world is Facebook competing with Google?

    In the world where, despite their different core competencies in terms of engineering ways to attract non-paying users to whom their customers can advertise, both of them actually make the vast majority of their revenue selling online advertising.

    Oh, right, they've got those ten Google+ users.

    Google+ isn't where Google competes with Facebook directly for money. Social network users aren't either company's paying customers.