Facebook has reported that an attack on its computer network exposed information from nearly 50 million of its users. The company discovered the breach earlier this week, finding that attackers had exploited a feature in Facebook’s code that allowed them to take over user accounts. Facebook has fixed the vulnerability and notified law enforcement officials.
More than 90 million of Facebook’s users were forced to log out of their accounts Friday morning, a common safety measure for compromised accounts. Facebook said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack. The company is in the beginning stages of its investigation.
Please see below for commentary from cybersecurity experts.
Tim Mackey, senior technical evangelist at Synopsys:
Gary McGraw, Vice President of Security Technology at Synopsys:
“Getting software security right is difficult, but not impossible. This breach emphasizes just how important software security is, and how subtle solid security engineering can be. When a feature like “View As” can be turned on its head into an exploit, it indicates a design problem that led to an unanticipated security vulnerability. Design flaws like this lurk in the mind-boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built.”
Sam Curry, Chief Security Officer at Cybereason:
Paul Bischoff, Privacy Advocate at Comparitech.com:
“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team. I would be interested to know how long this flaw existed before it was discovered and exploited.”
Rachel Aldighieri, MD at DMA:
“We would encourage any concerned users of Facebook to contact the website through its official channels and also follow the updates that they are likely to provide over the next few days. It is important to remain vigilant in checking your account and bank statements to ensure there’s nothing unusual. There’s no need to panic or cancel cards, but if you do see any suspicious activity we recommend contacting your bank immediately.
It is encouraging to see that Facebook have reported the attack promptly and have already begun their investigation into how the breach occurred. It isn’t yet clear how many EU citizens’ data has been affected, but should it come to light that these citizens are among those whose data was breached, Facebook would be subject to hefty fines under GDPR. It appears that the breach was the result of a cyber-attack and not due to negligence; if this is the case, then any fines will be proportionate and will take this into account.
However, fines are just one of the risks to organisations like Facebook. We believe the long-term effects on customer trust, share price and public perception could have more lasting damage.
Facebook now has the challenge of rebuilding the trust of its customer base, a job that might be difficult given the events involving Cambridge Analytica earlier this year. To do this, it’s vital that the organisation focuses its efforts around two of the core principles of the GDPR – accountability and transparency. They need to show that they have done everything possible to ensure such a breach won’t happen again.”
Adam Levin, Founder of CyberScout and author of “Swiped”:
Mark Weiner, CMO at Balbix:
“Even hyper-scale cloud and Internet providers like Facebook, which serves over one-third of the world’s connected users, are prone to vulnerabilities. In this case, their own software for access tokens had the vulnerability, not a third-party component. This latest breach highlights the critical need to continuously and in real time monitor your entire IT infrastructure — not just packaged or cloud apps, but every IT asset and application that touches the network — to ensure vulnerabilities are proactively managed and prioritized by their business risk.”
Jacob Serpa, Product Marketing Manager at Bitglass:
Zohar Alon, Co-founder and CEO at Dome9:
“User data is an organization’s most valuable asset and customers trust companies to protect it. Facebook and other organizations must have continuous visibility into their infrastructure so vulnerabilities can be quickly remediated. They must also add more layers of defense to their cybersecurity strategy to prevent login credentials from being compromised in the first place.”
Jeannie Warner, Security Manager at WhiteHat Security:
“How it was detected is also interesting – user logins increased dramatically last December. Companies looking to assemble evidence of attack or compromise can look at user behavior and traffic patterns changing as evidence of ‘something different’ that requires investigation. The OWASP Top 10 Web Application Security Risks was updated a month before the traffic pattern was noticed last December 2017, adding a new item: A10 Insufficient Logging and Monitoring. This attack and the length of time it went undetected and verified represents the truth of that rating and inclusion as a major risk.”
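The detection idea in the comment above, treating an abrupt change in login volume as a signal that needs investigation, as an added worked example. It is not from the article or from WhiteHat Security; the log line format, the per-day totals and the median-based threshold are all assumptions constructed for this demonstration.

```python
"""Flag abnormal daily login volume from web login log lines.

Added example, not from the article or WhiteHat Security. The log format,
the sample days and the median-based threshold are assumptions made here."""
from collections import Counter
from datetime import datetime
import statistics

# Constructed per-day successful-login totals: a quiet baseline followed by
# one day with a four-fold jump, standing in for the spike the quote mentions.
CONSTRUCTED_DAILY = {
    "2017-11-27": 4, "2017-11-28": 5, "2017-11-29": 4,
    "2017-11-30": 5, "2017-12-01": 20,
}


def constructed_log_lines():
    """Expand the constructed totals into log lines of the assumed format:
    '<ISO-8601 UTC timestamp> <user> <event> <source IP>'."""
    lines = []
    for day, total in CONSTRUCTED_DAILY.items():
        for i in range(total):
            lines.append(f"{day}T{8 + i % 12:02d}:{(i * 7) % 60:02d}:00Z "
                         f"user{i:03d} login_success 203.0.113.{i % 200 + 1}")
        # One failed attempt per day as noise; it must not be counted.
        lines.append(f"{day}T12:00:00Z user999 login_failure 198.51.100.7")
    return lines


def daily_login_counts(lines):
    """Count successful logins per calendar day; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "login_success":
            continue
        try:
            day = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue
        counts[day.isoformat()] += 1
    return dict(counts)


def flag_spikes(counts, baseline_days=3, factor=3.0):
    """Return (day, count, baseline) for each day whose count exceeds
    `factor` times the median of the preceding `baseline_days` days.
    The median is used so that one earlier spike cannot mask a later one."""
    days = sorted(counts)
    flagged = []
    for i in range(baseline_days, len(days)):
        baseline = statistics.median(counts[d] for d in days[i - baseline_days:i])
        if baseline > 0 and counts[days[i]] > factor * baseline:
            flagged.append((days[i], counts[days[i]], baseline))
    return flagged


if __name__ == "__main__":
    per_day = daily_login_counts(constructed_log_lines())
    for day, count, baseline in flag_spikes(per_day):
        print(f"{day}: {count} logins vs baseline {baseline}, investigate")
```

The same comparison can be run per source network or per user agent rather than on the global total; a rolling median baseline keeps one earlier spike from raising the threshold enough to hide the next.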
Eric Sheridan, chief scientist at WhiteHat Security:
Greg Annette, Technology Evangelist at Barracuda Networks:
“Every new breach further proves that the public needs to preserve and protect their own cloud data, because the providers are not. Free services like Facebook are even less likely to care about user data protection, so the public must take ownership in protecting and preserving data. With Account Takeover attacks on the rise, successful protection requires proactive measures, not a reactive panic. According to recent data, 78% of account takeover incidents result in a phishing email, with the goal of infecting additional accounts, via user impersonation. In order to protect themselves, the public should implement a few baseline proactive measures, including:
- Back up data in a controlled environment. This will allow you to recover any deleted or compromised items.
- Use unique passwords for all services, and where appropriate, use a password manager.
- Enable multi-factor (MFA) or two-factor authentication (2FA) for any and all cloud-based accounts. While you should take personal steps to enable MFA and 2FA, you should also demand these authentication protocols from your vendor if it’s not automatically provided.”
Bill Conner, CEO at SonicWall:
Dan Pitman, Principal Security Architect at Alert Logic:
“Facebook has identified this was a vulnerability in its website code that allowed the attacker to gain authenticated access, which then allowed them to get effective access permissions for a huge number of users, giving the attacker the ability to access those users’ accounts as if they were the user themselves. Forcing a logout on the users changed the access keys to help ensure no use of them remained.
They will be working to establish if any of these accounts were actually accessed and what personal data may have been lost, especially in the case of high-profile users.
New features increase the risk that vulnerabilities like this can become part of the live application, and Facebook is known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.
This ‘continuous delivery’ of new features, combined with the modular nature of that delivery, increases the risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge. The applications are made up of components built by different developers at different times working based on older best practices; all of this means that vulnerabilities are an inevitability. In Facebook’s case, there will be people working hard to identify flaws in both trenches and this time the attackers got there first.”
Pravin Kothari, CEO at CipherCloud:
“The real $50 million dollar question is who did this impact, exactly? Do any of those 50 million customers impacted reside in the European Community? If so, will this fall under GDPR and how will it be treated? Enforcement of GDPR will come from the Information Commissioner’s Office (ICO). What will their reaction be? Given the horrendous publicity from the Cambridge Analytica data exposures, the EU reaction is not easily predicted. Not knowing all of the detail of when the breach was discovered, who, exactly was impacted, who was responsible, etc., the possible outcomes may be worse than we know today. We’ll have to see what Facebook discloses about potential liability if any exists. The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.”
Ameya Talwalkar, Chief Product Officer and Co-founder at Stealth Security:
“Since the investigation is still ongoing, we are waiting for more details. But given the scale of this attack, it is quite possible that this was orchestrated by bots abusing APIs. First generation bot mitigation technologies, which use JScript and Mobile SDK based device fingerprinting, fail to stop such bot attacks that use APIs.”
Satya Gupta, Chief Technology Officer and Co-founder at Virsec:
“These problems could easily have been avoided and services that prioritize security, like banks, hospitals and even airlines rarely make these basic mistakes. It’s a bad idea to let users stay logged on indefinitely while there is no activity. Many people will open a Facebook browser tab and not close it for hours or days while doing other things. If you’re logged into your banking site and are inactive for more than a few minutes you are automatically logged off and need to re-authenticate. This is a small burden for users and a no-brainer for security. There are also solutions that provide continuous authentication requiring users to confirm their identity if there is any unusual behavior.”
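Two of the controls discussed in the comments above, the forced logout that invalidates every existing access key (Alert Logic’s comment) and the inactivity timeout that banking sites enforce (Virsec’s comment), as one added example in Python. It is not Facebook’s code or anything from the quoted companies; the session store, the token format and the injectable clock are assumptions made for this demonstration.

```python
"""Session lifecycle with an idle timeout and a bulk forced logout.

Added example, not Facebook's code or anything from the quoted companies.
The session store, token format and injectable clock are assumptions made
here for the demonstration."""
import secrets
import time


class FakeClock:
    """Controllable clock so the timeout logic can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Maps opaque session tokens to users, dropping sessions idle too long.

    idle_timeout_s=None reproduces the 'stay logged in indefinitely' behaviour
    the quote criticises; a bank-style store would use a few minutes."""

    def __init__(self, idle_timeout_s, clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user):
        """Issue a fresh, unguessable token; every login gets a new one."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def authenticate(self, token):
        """Return the user for a live token, or None. A session that has been
        idle longer than the timeout is removed and no longer accepted."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if (self.idle_timeout_s is not None
                and now - session["last_seen"] > self.idle_timeout_s):
            del self._sessions[token]
            return None
        session["last_seen"] = now  # activity extends the session
        return session["user"]

    def force_logout(self, users=None):
        """Invalidate every session, or only those belonging to `users`.
        Existing tokens stop working; affected users must log in again and
        receive new tokens. Returns the number of sessions invalidated."""
        doomed = [t for t, s in self._sessions.items()
                  if users is None or s["user"] in users]
        for token in doomed:
            del self._sessions[token]
        return len(doomed)

    def live_session_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock()
    bank = SessionStore(idle_timeout_s=300, clock=clock)   # 5-minute idle limit
    token = bank.login("alice")
    clock.advance(301)
    print("after 5 min idle:", bank.authenticate(token))  # None: must re-authenticate
```

Because the tokens are random and looked up server-side, invalidating a session is a single deletion, and a bulk `force_logout()` after an incident is cheap; a user who logs in again receives a different token, so any copy of the old one an attacker holds is worthless.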
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.