
An Update on the Security Issue - minimaxir
https://newsroom.fb.com/news/2018/10/update-on-security-issue/
======
ilovecaching
What I've taken away from the last few years of watching large companies deal
with bad actors is that cyberwarfare is here. The public is yet unaware that
we technologists have become front line soldiers battling against nation state
actors and brigands, and not just for their child's birthday address. I've
listened to plenty of OWASP/Black Hat talks about critical pieces of
infrastructure ("air gapped" power grids for example) hacked by red teams. This
is scary stuff. We all need to start treating this like the hidden war it is
and start planning for the worst. Cyberwarfare is no longer the warfare of the
future; it is the now.

~~~
scoggs
I definitely agree. I'm very worried about the potential for a World War 3
scenario where not only is the warfare technology in combat (the weaponry and
ammunition, the missiles and bombs and such) becoming a more precise and deadly
component of war, but beyond that the parties involved have the added digital
technology, imaging technology, unmanned aircraft vehicle technology, and all
the rest of the warfare-related tech that's cropped up over the last decade
plus added to their arsenal.

In an all out war scenario we don't really know the extent this new technology
will ultimately play. Is it going to be the type of scenario like the first
two World Wars where rifling, tank, and air combat technology is going to be
one of the deciding factors? Is it going to be something more akin to World
War 2 where Alan Turing's work on deciphering of the Enigma Machines / Nazis'
communication codes is going to play an integral role in preparation, troop
movement decisions, and gaining the edge on the enemy?

I get the feeling, personally, that it's going to be a combination of
everything above and more. Those individual militaries' capability of
incorporating all of the tech at their fingertips and applying the knowledge /
inferences gleaned while also making the best use of their cyber, hard, and
soft military tactics is going to be a major deciding factor since the war
will probably be staged on many fronts (physical and digital) between many
allied nations versus many other allied nations.

The ability to communicate and execute will be as important as it always was
(e.g. maximum importance, as usual) and I strongly feel that history will
reveal the more technologically advanced and more wisely dependent nations of
those technologies will write history as they become the winning nation(s) /
powers.

~~~
ilovecaching
Fixed

~~~
scoggs
Thank ya! I edited my comment as well to be more involved in the conversation,
since my comment asking you about the spelling is a moot point.

------
denzil_correa
> For 15 million people, attackers accessed two sets of information – name and
> contact details (phone number, email, or both, depending on what people had
> on their profiles). For 14 million people, the attackers accessed the same
> two sets of information, as well as other details people had on their
> profiles. This included username, gender, locale/language, relationship
> status, religion, hometown, self-reported current city, birthdate, device
> types used to access Facebook, education, work, the last 10 places they
> checked into or were tagged in, website, people or Pages they follow, and
> the 15 most recent searches.

Another reason to not use your phone number as a unique identifier.

~~~
hw
It's also a good idea to just not use Facebook, or at least scrub all profile
details and any personal information including pictures.

On a more serious note, the unusual activity started Sept 14, it then took 11
days before actually determining that it was an exploit, and then 2 days
after that to actually fix the issue. 2 days might not seem like a long time,
but with automation, the hackers could have gone through a lot more accounts
in that time frame.

------
testplzignore
> Within two days, we closed the vulnerability

That is very slow for a server-side vulnerability. Was the fix so
complicated that it could not be safely deployed within minutes or hours? Or
did the FB management not take the issue seriously?

~~~
pcanahuati
I lead Security and Privacy Engineering at Facebook and wanted to chime in on
this thread.

As soon as we found the vulnerability, our first priority was to determine how
we could protect people most effectively. If we had closed the vulnerability
immediately, the attackers could have escalated their attack to modify
information or post as someone else by using the access tokens they had
already acquired before we reset them. Instead, we determined all the
potentially affected accounts and reset their access tokens in a coordinated
way to prevent further misuse of the vulnerability.

We haven't reset 90M accounts all at once before. Identifying the attackers,
defining our remediation, validating that it would work, and closing the
vulnerability while simultaneously ensuring all accounts were secure is
complex to do at scale.
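
As an added illustration of the ordering described in the comment above (first determine which accounts are affected and kill the access tokens the attacker already holds, then let the hole be closed), here is a small Python model; it is not Facebook's code, and the HMAC-signed token format, the per-account "not before" watermark and the constructed issuance log are assumptions:

```python
import hashlib
import hmac
SECRET = b"constructed-demo-signing-key"  # assumption: HMAC-signed bearer tokens

def issue_token(account_id: str, issued_at: int) -> str:
    """Mint a bearer token of the form account|issued_at|HMAC-SHA256."""
    payload = f"{account_id}|{issued_at}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

class TokenStore:
    """Per-account revocation watermark: tokens issued before it are dead."""
    def __init__(self):
        self.not_before = {}  # account_id -> earliest still-valid issued_at

    def validate(self, token: str):
        parts = token.split("|")
        if len(parts) != 3:
            return None
        account_id, issued_str, mac = parts
        expected = hmac.new(SECRET, f"{account_id}|{issued_str}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # forged or corrupted
        if int(issued_str) < self.not_before.get(account_id, 0):
            return None  # killed by a coordinated reset
        return account_id

    def coordinated_reset(self, affected, now: int) -> int:
        """Invalidate every token the affected accounts hold, in one pass."""
        for account_id in affected:
            self.not_before[account_id] = now
        return len(affected)

def affected_accounts(issuance_log, window_start: int, window_end: int):
    """Accounts whose tokens were minted via the flawed path in the window."""
    return {acct for acct, at, path in issuance_log
            if path == "suspect_path" and window_start <= at <= window_end}

def simulate_incident():
    # Constructed issuance log: (account, issued_at, code path that minted it).
    log = [("alice", 100, "login"), ("bob", 150, "suspect_path"),
           ("carol", 160, "suspect_path"), ("dave", 170, "login")]
    store, tokens = TokenStore(), {a: issue_token(a, t) for a, t, _ in log}
    before = store.validate(tokens["bob"]) == "bob"  # attacker still holds it
    store.coordinated_reset(affected_accounts(log, 140, 180), now=200)
    return {"stolen_valid_before": before,
            "stolen_dead_after": store.validate(tokens["bob"]) is None,
            "unaffected_untouched": store.validate(tokens["dave"]) == "dave",
            "fresh_login_works": store.validate(issue_token("bob", 201)) == "bob"}
```

Accounts that only ever minted tokens through the normal login path stay untouched, which is why scoping the affected set matters as much as the reset itself.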

~~~
trevyn
> _our first priority was to determine how we could protect people most
> effectively._

You could have taken the site down until it was fixed.

So protecting people was your second priority.

~~~
shawn
When you respond like this, you discourage comments like the parent from being
posted to HN.

It would be fine if your point was reasonable. But it's not. It's little more
than an excuse to hate on Facebook.

~~~
ric2b
He's just tearing down the PR speak.

------
techntoke
The amount of information leaked in this is so statistically significant that
Facebook should be shutdown while they do an investigation. I currently get
approx. 3 robocalls a day even though I'm in the Do Not Call Registry, and
they are always from different numbers. They even know my name and address
even though I don't publish it.

Having your information leaked like this has real consequences. After the
issue with Cambridge Analytica, you are simply becoming a lab rat peasant for
the oligarchy. Any autonomy that you may have had will soon fade away.

~~~
CydeWeys
Oh god, maybe _this_ is why I've started getting a ridiculous number of spam
phone calls every day over the past month. Shame on me for giving them my
phone number for account security/verification way back ... turns out it
wasn't worth it.

~~~
jerf
I'm not on Facebook at all, and my spam call rate has shot up too. I think
it's just an increase in spam calls, not a result of Facebook hackery. Phone
numbers are dense enough that if you know area codes and exchanges (readily
available information), you can just dial through the remaining 10000 numbers
pretty easily and get enough hits to be worth it, plus you only have to do
that once per phone # to have a good idea of whether that's a hit.

For me, it's mostly been about student loans, which I have not had for several
years now. It's not even targeted. It's just spam. Though anecdotally I've
heard other people say they tend to get different calls, none of which seem
particularly well targeted, so perhaps it's merely very very _poorly_
targeted.

~~~
gaius
_I'm not on Facebook at all, and my spam call rate has shot up too. I think
it's just an increase in spam calls, not a result of Facebook hackery._

If anyone you know is on FB the chances are FB slurped up all your details
from their address book.

~~~
jerf
Part of my point is that you don't need to "hack Facebook" to get basically
every phone number. If you intend to indiscriminately spam everybody, you can
just _do_ that, you don't first have to "hack" anything. It's part of why
robocalls are such a problem. The tech to do it is decades old; VOIP and later
innovation certainly make it easier, but it's been _possible_ and not that
expensive for decades.

You only have to hack Facebook to improve your targeting or something, but as
I said, I've seen at best no evidence, and really negative evidence, that the
recent spate of calls is well-targeted.

------
minimaxir
> Also, can I point out the irony of ironies that the attackers used the "View
> As" feature, which is ostensibly a PRIVACY check tool, to gain access to all
> this private information?

[https://twitter.com/alplicable/status/1050819857351098370](https://twitter.com/alplicable/status/1050819857351098370)

------
vthallam
This is crazy. It shows how the social graph is so brittle.

My girlfriend's account was one of the affected ones and since then she keeps
getting these random messages from profiles that look like ex-military. No idea
how they even find her profile, because she actually disabled search on FB for
her name/profile.

For Facebook, this is just yet another security incident, but for millions of
ordinary people whose contact details are exposed, many of whom are women, it
is a continuous threat.

------
samspenc
> We saw an unusual spike of activity that began on September 14, 2018, and we
> started an investigation. On September 25, we determined this was actually
> an attack and identified the vulnerability.

I'm unclear why it took 11-12 days to uncover this?

~~~
jtokoph
Possible scenario:

Someone noticed a spike on Sep 14th which was a Friday. Person A probably sent
an email to Person B asking for information. Person B finally replied to ask
person C on Monday. Person C gets looped in Tuesday and assigns Person D to
take a look at it. Person D is finishing up a task and starts looking on
Friday. Everyone thinks this is fine as the issue is probably just a front-end
bug that's causing looped requests. It's not considered a security issue yet.

They make a little progress on Friday, but are out of town in Tahoe for the
weekend. Monday the 24th rolls around and they finally figure out that it
might be an attack and report back up the chain, a process which took 24
hours. Now it's the 25th, which is 11 days later.

~~~
Ibethewalrus
Possible scenario 2:

1-Mark opens calculator

2-gets how much $$$$$$$$ he'll lose if FB shuts down for a couple of hours

3-lets hack continue

4-profits

Joke aside, I'd estimate they have in the ballpark of over 200 security
engineers that have alerts for when something like unusual activity happens

------
shanemlk
I happily deleted my Facebook yesterday. It's scheduled to be deleted
permanently in 30 days. I can no longer criticize a company while using their
product.

~~~
ngngngng
Anyone have any ideas on how someone outside the EU can get Facebook to follow
the right to be forgotten thing? I don't believe deleting my account will
delete any of my data, although I've already deactivated and plan to delete
permanently soon.

~~~
fossuser
I think I read recently that deletion does now delete your data post GDPR.

------
deegles
Serious question... how does any smaller, less tech-focused company have a
chance of keeping data secure if not even Facebook can do it?

~~~
ilovecaching
You just do the best you can. Totally secure is a myth. As a smaller company,
however, you have an advantage that your footprint is much smaller and easier
to reason about. The larger you become, the more software you have to run, the
more you have to manage, the more lucrative an attack on your systems will be
for the attackers.

That's why in security we don't play the blame game when someone gets hacked.
We know it could happen to any of us, might already have happened, and we're
all doing the best we can with the resources we have.

~~~
ams6110
> The larger you become, the more software you have to run, the more you have
> to manage, the more lucrative an attack on your systems will be for the
> attackers.

Also the more _people_ you have who might be compromised. It's almost a
certainty that there are people with access inside Facebook who are or have
been corrupted. That can happen in a small company too, but the risk/reward is
usually lower and there are many fewer people who can be targeted.

One person with a thumb drive can exfiltrate a highly damaging amount of data.

~~~
mynameisvlad
It's not even just corruption, there's plenty of phishing attempts targeted at
employees and it only takes one to potentially gain access to a lot of data
depending on how systems are set up.

------
donalhunt
Got an account? Check if you are affected here:
[https://www.facebook.com/help/securitynotice](https://www.facebook.com/help/securitynotice)

------
mehrdadn
Technical question: Does anyone know if there are any common legitimate
reasons to allow an authentication system to automatically generate access
tokens for a client in response to something other than an actual user login?

The thought of it sounds horrifying to me so I'm wondering if I'm missing
something and how/why they might have approved such a design.

~~~
techntoke
When you want to gather people's personal and private information and pretend
it was a breach.

~~~
jazzyjackson
Conspiratorial but I like it.

------
jorblumesea
When are we going to wake up and understand Western companies need state help
to deal with state actors? This isn't script kiddie stuff, it's other
countries with billions of dollars in backing, built to tear apart our
infrastructure, steal IP and gain a competitive global advantage.

The idea that FB or any Western company can stand against tens of thousands of
Chinese engineers with almost unlimited budget is absurd. As much as the
government and government interference is maligned in tech, we need to start
considering a serious public/private cybersecurity partnership.

~~~
komali2
I am of the opinion that our ruling class is simply too old to comprehend the
importance of this issue.

This is ageism, but I can't think my way around it. The questions the
Legislative body were asking the tech companies were _so bad_, and that's
presumably after they'd been briefed by whatever experts worked for them.

Executive branch: "As far as the cyber, I agree to parts of what Secretary
Clinton said."

FCC: "The thousands of dead people responding to our public request for
comment is fake news. Also, it was a hack. But we weren't hacked."

Justice Samuel Alito on how cell phones can have huge storage capacity: "What
if the person had on his person a compact disk?"

Justice Anthony Kennedy on what happens when you get a text, while sending
one: "Does it say: 'Your call is important to us, and we will get back to
you?'"

------
simonlebo
On the 28th of September I got charged $900+ for Facebook ads that I never
ran. I reported it as fraud to my credit card and let Facebook know. I would
recommend that everyone who has the PayPal integration check their bank
statement for unusual activity around that date.

------
switch007
I got part way through their stupid verification (I think I gave my phone
number, but then they wanted photo ID). So I need to give them a scan of my
passport to see if they failed to protect my other personal data...?

------
joe_hoyle
The post seems to suggest the number to be concerned about is 30 million users
who had access tokens stolen. Seems to downplay the 400 million users who had
their profiles leaked.

"They used an automated technique to move from account to account so they
could steal the access tokens of those friends, and for friends of those
friends, and so on, totaling about 400,000 people. In the process, however,
this technique automatically loaded those accounts’ Facebook profiles,
mirroring what these 400,000 people would have seen when looking at their own
profiles."

Seems a lot more like this has leaked the privacy of 400 million users, but
Facebook are trying to focus on the smaller 30 million (though granted, those
are more seriously affected.)

~~~
ilovecaching
400,000 not 400,000,000

~~~
joe_hoyle
:facepalm:

------
sorokod
The relation between Facebook, its users and attackers is the same as between
cattle ranchers, their sheep and sheep rustlers.

~~~
908087
Most farmers I know have far more respect for their livestock than FB do for
their "users".

~~~
sorokod
Meh... sheep or FB users, they all get monetized in the end.

------
theabacus
Don’t worry, Facebook. I was affected by this (even though my account has been
disabled for 2 years) and realized I should leave finally. So I did. And
nothing will bring me back to any service you have since you’ve only
demonstrated CYA and uncaringness. If you really cared, you’d compensate me
monetarily for my loss due to your negligence.

