
Facebook is the latest media company to admit it was hacked

18 February 2013

On Friday Facebook admitted to being just another hacked media company, joining the New York Times, Washington Post, Wall Street Journal and Twitter in admitting a recent breach – although Facebook claims that no user data was lost.

“Last month,” noted the company, “Facebook Security discovered that our systems had been targeted in a sophisticated attack.” It was a watering-hole attack aimed at mobile developers. “This attack occurred when a handful of employees visited a mobile developer website that was compromised.” The exploit hosted on the developer site was a Java zero-day (patched by Oracle on 1 February), and it is likely that mobile developers from other companies would have been similarly compromised.

Facebook discovered the breach when it “flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop.” Examination of the laptop found it to be compromised, and a wider search discovered several other compromised laptops. Examination of the developer website “found it was using a ‘zero-day’ (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware.”

The infected laptops, says the company, “were fully-patched and running up-to-date anti-virus software.” Since the exploit was a zero-day Java exploit, it is understandable that the anti-virus failed to stop it. However, in a separate interview with Ars Technica, Facebook’s CSO Joe Sullivan said the company recognized the malware that was deposited. “Facebook's security team has a dedicated malware researcher, Sullivan said, who was able to identify the malware,” reports Ars. “After analyzing it, the Facebook security team shared signature and forensic data from the malware with law enforcement and other companies.”
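The detection Facebook describes (a suspicious domain flagged in corporate DNS logs, tracked back to the laptops that resolved it) is the kind of check an organization receiving the shared indicator data could run on its own logs. The following is an added example, not Facebook's tooling: it assumes an older BIND-style query log layout and uses constructed log lines and placeholder indicator domains.

```python
import re
from collections import defaultdict

# Constructed sample of corporate DNS resolver log lines (older BIND query-log layout assumed).
SAMPLE_DNS_LOG = """\
14-Feb-2013 09:12:01.123 client 10.20.30.41#53211: query: www.example-devforum.test IN A + (10.0.0.53)
14-Feb-2013 09:12:03.447 client 10.20.30.41#53212: query: cdn.example-devforum.test IN A + (10.0.0.53)
14-Feb-2013 09:12:07.902 client 10.20.30.41#53214: query: update.c2-placeholder.test IN A + (10.0.0.53)
14-Feb-2013 09:40:15.010 client 10.20.30.77#49876: query: mail.corp.test IN A + (10.0.0.53)
14-Feb-2013 10:02:44.330 client 10.20.30.90#50001: query: update.c2-placeholder.test IN A + (10.0.0.53)
14-Feb-2013 10:05:51.781 client 10.20.30.90#50002: query: beacon.c2-placeholder.test IN TXT + (10.0.0.53)
"""

# Placeholder indicator domains, standing in for a shared list of malware callback names (constructed).
WATCHLIST_DOMAINS = {"update.c2-placeholder.test", "beacon.c2-placeholder.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_dns_log(text):
    """Yield (timestamp, client_ip, qname) for each parseable line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("client"), m.group("qname").lower().rstrip(".")

def in_watchlist(qname, watchlist):
    """Match the exact name or any parent domain, so subdomains of a listed domain also hit."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))

def find_affected_hosts(log_text, watchlist, context=3):
    """Map each client that resolved a watchlisted name to its first hit, the names hit,
    and the few names it resolved just before: candidates for the delivery site."""
    per_client = defaultdict(list)
    for ts, client, qname in parse_dns_log(log_text):
        per_client[client].append((ts, qname))
    affected = {}
    for client, queries in per_client.items():
        hits = [i for i, (_, q) in enumerate(queries) if in_watchlist(q, watchlist)]
        if not hits:
            continue
        first = hits[0]
        affected[client] = {
            "first_hit": queries[first][0],
            "hit_names": sorted({queries[i][1] for i in hits}),
            "preceding": [q for _, q in queries[max(0, first - context):first]],
        }
    return affected
```

Grouping hits by client turns one flagged domain into the scope of the incident (every host that called out), and the queries immediately before the first hit point at the site the host visited just beforehand.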

This raises some questions about the anti-virus being used by Facebook. Although it would be easy enough for the attackers to tweak the malware to defeat currently known signatures, if the malware was recognizable to Facebook staff then its behavior should also be known to the AV companies. The question then is whether the AV’s behavioral analysis should have detected its presence.

Facebook is adamant that no user data was compromised. “We have found no evidence that Facebook user data was compromised,” it says. Sullivan told Ars Technica that the attackers “were trying to move laterally into our production environment,” and that although they gained some visibility, they did not succeed in exfiltrating any data. “However, some of the information on the laptops themselves – ‘what you typically find on an engineer's laptop,’ Sullivan said – was harvested by the hackers, including corporate data, e-mail, and some software code.”

This latest breach confirms current advice. Do not use Java, or have Java plug-ins enabled in browsers, unless absolutely necessary. “I'd be very surprised,” comments Sophos’ Paul Ducklin, “if the mobile developer website alluded to above actually required Java, so there would have been no reason to have Java turned on for that site.” It also demonstrates that while up-to-date AV and patching remain essential, they are not enough. Ducklin suggests an intrusion prevention system (IPS) would help discover intruders and prevent exfiltration. Rob Kraus, director of research at the Solutionary Security Engineering Research Team (SERT), recommends increased intelligence. “To fully combat threats, organizations have to start knowing what the bad guys know – that is the only way to have a fighting chance.”
