Slashdot Mirror


Facebook Rolled Its Own 0Day For Red Team Exercise

chicksdaddy writes "Threatpost has the story of the extreme — even hair-raising — lengths that Facebook's incident response team has gone to in order to prepare the company's staff to be hacked. Among the methods described at the CanSecWest Conference: 'Operation Loopback' in 2012, which was designed to mimic an APT-style attack from China and used what appears to be an internally developed exploit for an internally discovered 0day. From the article: 'McGeehan and his team this time identified a likely attacker — China — and decided to impersonate its tactics. For this one, they recruited an internal engineer as an accomplice. They wanted to get a backdoor into Facebook's production code, so they sent a spear-phishing email containing exploit code for a live zero-day vulnerability to the engineer. He dutifully clicked the link and his machine was promptly compromised. (McGeehan would not identify which product the vulnerability affected, nor how the Facebook team came into possession of it, but said that they disclosed it to the affected vendor before the Loopback exercise and used it before the patch was publicly available.)' Ouch!"

19 of 40 comments

  1. Of course It had to be China by Anonymous Coward · · Score: 2, Insightful

    I mean, with the Soviets gone, Saddam gone, Bin Laden gone, SOMEONE has to step up to be the stereotype arch-enemy of the US. So let's build this image because hey, we just have to learn and be prejudiced with 1 and a half billion people. After all, what good are the Chinese for? We don't need them, right?

    1. Re:Of course It had to be China by MightyYar · · Score: 2

      They made my computer...

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Of course It had to be China by Anonymous Coward · · Score: 2, Informative

      It's not about racial prejudice, it's about probability.

    3. Re:Of course It had to be China by Anonymous Coward · · Score: 3, Funny

      If China would rid the world of Facebook, they would be heroes, not the enemy.

    4. Re:Of course It had to be China by davester666 · · Score: 1

      They are probably racist?

      --
      Sleep your way to a whiter smile...date a dentist!
    5. Re:Of course It had to be China by fustakrakich · · Score: 1

      Maybe...

      --
      “He’s not deformed, he’s just drunk!”
  2. Sounds like Facebook handled it correctly by excursive · · Score: 5, Insightful

    More companies should do that kind of testing. If only they would spend that much effort on building a reliable user interface...

    1. Re:Sounds like Facebook handled it correctly by datavirtue · · Score: 1

      Let me join the rest of the world in a big fucking yawn........

      --
      I object to power without constructive purpose. --Spock
    2. Re:Sounds like Facebook handled it correctly by datavirtue · · Score: 1

      "I hate Facebook" is the general consensus among the users, however, they always offer the caveat that it is the only way they can keep in contact with people. FB is a miserable experience, there is no doubt about that.

      --
      I object to power without constructive purpose. --Spock
    3. Re:Sounds like Facebook handled it correctly by excursive · · Score: 1

      Yes, we're their product, but without product they won't be able to sell ads.

    4. Re:Sounds like Facebook handled it correctly by DuckDodgers · · Score: 1

      As opposed to companies like Verizon, Comcast, AT&T, and Microsoft, where in theory you are the customer, but they treat you just as badly as Facebook does anyway.

  3. not really a zeroday exploit... by D-Fly · · Score: 1

    Correct me if I'm wrong but it's not really a zero day 'sploit if it's internally known, the attack is internal penetration testing, and the exploit gets closed before it's known.

    1. Re:not really a zeroday exploit... by DarthBart · · Score: 1

      This is Slashdot, where every exploit is a zero-day exploit. I could release a patch to TRS-DOS 1.3 that makes it ignore passwords and someone here would post it as a zero-day.

      But I believe that patch already exists.

    2. Re:not really a zeroday exploit... by WizADSL · · Score: 1

      I imagine the team(s) that responded to the security threat didn't know it was a drill. I think the idea was to create the situation using a real security hole but with the cooperation of an engineer that was playing the part of a "tricked" employee to allow the vulnerability to be exploited in a realistic way. I ASSUME that the team members responsible for the creation of the exploit program were not part of the team(s) that responded to the incident.

    3. Re:not really a zeroday exploit... by datavirtue · · Score: 1

      Agreed, if it was a 0-day then they would have appointed a team to conduct the exercise in secret. Failing to do this, and truly attack the network, is an academic exercise.

      --
      I object to power without constructive purpose. --Spock
  4. Re:Amateur hour by equex · · Score: 1

    hah yeah, they are fucking stone cold

    --
    Can I light a sig ?
  5. Re:what is this facebook... by folderol · · Score: 1

    Bugrit! You beat me to it :)

  6. Competing for advertising revenue by DragonWriter · · Score: 1

    In what world is Facebook competing with Google?

    In the world where, despite their different core competencies in terms of engineering ways to attract non-paying users to whom their customers can advertise, both of them actually make the vast majority of their revenue selling online advertising.

    Oh, right, they've got those ten Google+ users.

    Google+ isn't where Google competes with Facebook directly for money. Social network users aren't either company's paying customers.

  7. Re:Way too much time on their hands by oztiks · · Score: 1

    In what world is Facebook competing with Google?

    Advertising revenue, genius.