Another Loss of Customer Trust in Facebook?

And The Rise of the 24x7 Security Operations Centre

The Rise of IDS, SOCs and Incident Response

On Friday morning, I lectured to my students on the power of intrusion detection systems (IDSs), and on how security operations centres (SOCs) are becoming a core part of detecting the early phases of an attack. By the afternoon, my phone started buzzing with news agencies calling about the Facebook hack.

From what I can see, the power of the SOC and of speedy incident response came into force here, with relatively fast detection of a major vulnerability and patching of the Facebook infrastructure. The reporting, too, was fast and fairly well pitched. While this is no excuse for the poor design, we can at least see an improvement in the way that companies respond to security incidents.

The ID Token Hack

As GDPR (General Data Protection Regulation) continues its roll-out, the days of companies hiding a hack for a while are gone: they must now report within 72 hours. And so, after taking a battering around the Cambridge Analytica scandal, Facebook is back in the news again with another weakness identified in their infrastructure. The words “may” and “could” feature highly in the incident report for the actual loss of data, but it looks likely that the scope of the attack has been contained, with the resetting of the passwords on the accounts which have been affected.

On the back of the announcement, Facebook’s shares fell by over 2.5%:

On the back of the Ticketmaster and British Airways hacks, it can be seen that attackers may be turning to sophisticated Web hacks, in which weaknesses in the construction of the Web infrastructure are compromised. For Facebook it is the “View As” feature, and the attack was identified through a spike in activity around 16 September 2018:

This feature allows a user to view what their profile looks like to other users on the Facebook platform. Unfortunately, the code contained bugs which allowed users to obtain access tokens that could be used to access the accounts of other users. It is thought that around 50 million of these access tokens could have been compromised, and Facebook has since reset these. Along with this, another 40 million tokens of those people who have used the “View As” feature have also been reset.

A token is a useful method of granting users access for a given amount of time and with certain defined rights. This allows the back-end system to authenticate the user as they move through the system without having to re-enter their user credentials. Increasingly, though, these tokens are being attacked, as they can be copied and then used to gain access to services without requiring a username and password.

Accessing the Facebook ID token without actually visiting the Facebook Web site has been well known for a while, and it can easily be scripted to gather information on the tokens:

Federated ID and OAuth2

Facebook, as with many other major Cloud Service Providers, including Google, uses the OAuth2 authentication protocol for providing an ID token to a user. The token itself does not contain the password, but just the fact that the user has identified themselves and has rights on the system for a given amount of time. This token can also be trusted on other sites — with a federated identity. Thus if you use Facebook to log into Spotify, Facebook proves your identity and then passes an OAuth2 token back to you to give to Spotify. The scope of the breach could thus involve other external services which use Facebook as an identity provider.

While OAuth2 solves many problems in logging into systems and in traversing across trusted systems, many security experts criticize its usage, as the tokens can be captured, and long periods of access can be granted on a single proof of a user identity.
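To make the token properties above concrete (subject, audience, rights, expiry, no password inside) and the “View As” bug class from the previous section (a preview feature minting a token for the wrong subject), here is an added toy example. It is not Facebook’s code or token format; the HMAC layout, the `facebook`/`spotify` audience names and the scope strings are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed toy format: base64url(JSON claims) "." base64url(HMAC-SHA256).
# Assumption: the signing key lives only server-side and never enters the token.
SECRET = b"example-signing-key-not-real"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(sub: str, aud: str, scope: str, ttl: int, now: Optional[int] = None) -> str:
    """Mint a token: who it acts as (sub), which service may accept it (aud),
    what rights it carries (scope) and when it dies (exp). No password is stored."""
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "aud": aud, "scope": scope, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token: str, aud: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if signature, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):          # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["aud"] != aud or claims["exp"] <= now:    # a copied token stops working at exp
        return None
    return claims

def view_as_buggy(viewer: str, target: str, now: Optional[int] = None) -> str:
    """Bug class: the preview renders 'as' the target, so the code mints a token whose
    subject IS the target with full rights. Anyone holding it can act as the target."""
    return issue_token(sub=target, aud="facebook", scope="full", ttl=3600, now=now)

def view_as_fixed(viewer: str, target: str, now: Optional[int] = None) -> str:
    """Fix: the token stays bound to the real viewer, carries only a narrow preview
    right that names the target, and is short-lived."""
    return issue_token(sub=viewer, aud="facebook", scope=f"preview:{target}", ttl=300, now=now)

def can_act_as(token: str, user: str, aud: str = "facebook", now: Optional[int] = None) -> bool:
    """Back-end authorisation check: full rights on `user` need sub == user and scope 'full'."""
    claims = verify_token(token, aud, now)
    return claims is not None and claims["sub"] == user and claims["scope"] == "full"
```

The audience check is what limits federated blast radius: a token minted for one service is rejected by another, even with a valid signature.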

A recent article on Medium stated that OAuth 2 was the gatekeeper of the growing API industry, but also its Achilles heel:

Its simplicity in its operation allows developers to quickly authenticate the user, and then allow them to gain the required rights. But it has major flaws.

The response

Facebook has yet to report on whether user data was stolen, but they did identify that the Facebook APIs had been probed by the stolen tokens. There have not been any reports of customers having their passwords changed at the current time.

The shock of losing customer trust has, in part, caused Facebook to ramp up its security provision considerably; it is boosting its security-related workforce from around 10,000 to 20,000. Many of these will be involved in analysing the security of the existing infrastructure, in detecting a possible incident, and in responding to it.

Detecting and responding

With 2.23 billion active users on Facebook, the task of providing new features for users while keeping the infrastructure secure is an ever-increasing problem for Facebook.

There are several things that are different in this hack compared with the British Airways and Ticketmaster ones. The core difference is the speed of detection of the problem. With the British Airways and Ticketmaster compromises, there was a significant delay in detection (and both were detected by an external party), which gave the attackers an opportunity to move to a profit phase. The Facebook compromise seems to have been detected at a relatively early phase and contained. This is the power of 24x7 monitoring within Security Operations Centres, where anomalies can be quickly identified and the hack stopped before it gets to the point of profit.

For Intrusion Detection Systems, we aim to detect a hack at an early stage, before it gets to profit. In the Facebook case, the intruders found an exploit, which they possibly then aimed to use to create a foothold in the system:

If Facebook’s SOC and intrusion detection systems worked correctly, they would have been able to stop the intruders before they gained a foothold on the system. A key factor in this is the fast resolution of the exploit and containment of the scope of the hack.
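The post credits a spike in “View As” activity with tipping off the SOC. As an added illustration of that kind of detection, the code below (not Facebook’s tooling; the log format, the user ids and the thresholds are constructed for the example) buckets token-issuance events per hour, flags an hour that jumps well above the median of the preceding hours, and then checks whether one actor is driving the burst, which is what turns a volume anomaly into an incident worth paging on.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample log: one line per "View As" token issuance (ISO time, event, actor, target).
# Hours 00-10 carry three events each from assorted users; hour 11 is a burst from one actor.
SAMPLE_LOG = "\n".join(
    [f"2018-09-16T{h:02d}:{m:02d}:00 view_as actor=u{h*7+m} target=u{h*11+m}"
     for h in range(0, 11) for m in (5, 20, 35)]
    + [f"2018-09-16T11:{m:02d}:00 view_as actor=u9001 target=u{1000+m}" for m in range(0, 60, 2)]
)

def _hour_of(ts: str) -> datetime:
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)

def hourly_counts(log_text: str):
    """Count view_as events per hour; returns [(hour_start, count), ...] in time order."""
    counts = Counter()
    for line in log_text.splitlines():
        ts, event, *_ = line.split()
        if event == "view_as":
            counts[_hour_of(ts)] += 1
    return sorted(counts.items())

def spikes(series, window: int = 6, factor: float = 4.0, min_events: int = 10):
    """Flag an hour whose count exceeds `factor` x the median of the previous `window` hours
    (and at least `min_events`). Median, not mean, so a ramp-up cannot quietly lift the baseline."""
    flagged = []
    for i, (hour, count) in enumerate(series):
        prior = [c for _, c in series[max(0, i - window):i]]
        if len(prior) < 3:            # not enough history to judge
            continue
        baseline = median(prior)
        if count >= min_events and count > factor * baseline:
            flagged.append((hour, count, baseline))
    return flagged

def dominant_actor_share(log_text: str, hour: datetime) -> float:
    """Fraction of the hour's view_as events issued by its single busiest actor.
    Close to 1.0 means one account is behind the burst rather than organic traffic."""
    actors = Counter()
    for line in log_text.splitlines():
        ts, event, actor, _target = line.split()
        if event == "view_as" and _hour_of(ts) == hour:
            actors[actor.split("=", 1)[1]] += 1
    if not actors:
        return 0.0
    return actors.most_common(1)[0][1] / sum(actors.values())
```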

Conclusions

If you are a large data provider like Facebook, it is not an easy task to make sure that every single part of the infrastructure is secure, so continual monitoring of access is required, along with a rapid response. For BA and Ticketmaster, the response was slow, but in this case there was rapid detection of the problem, and the door was quickly closed. We do, though, need to spend more time understanding the design of our systems and testing them properly, and that involves considerable investment in time and money.

For a company like Facebook, identity is the core of their business model, and that is where they make the money. The provision of access tokens should thus be at the core of their business, and they must now focus on the security of these.

The recovery of the share price before the stock market closed may be a pointer that many think the breach was contained before it actually leaked sensitive customer data.

We do need to move to better ways of proving identity and rights, and OAuth 2 is flawed. We need to move to a world in which citizens take more control of their world, and the Facebook hack shows how flawed our current digital world is. We are patching a leaky dam, but it’s going to crumble soon, so we’d better start thinking about designing it properly, and giving users their identity and rights back.