White Hat Hacking with TDL | Facebook loses the keys to the Kingdom



Website attacks on the rise

Organisations with their own web presence may have considered how often pot-shots are taken at their websites from malicious sources. DarkReading has reported that the average number of attack attempts on websites has risen lately: based on data analysed from 6 million customer websites for the second quarter of 2018, SiteLock found that a website, on average, suffers 58 attack attempts per day, or one every 25 minutes, an increase of 16% since the first quarter of this year. That jump comes after a dip in attack attempts from the fourth quarter of 2017 (63 attempts each day) to Q1 of this year (50 per day). With these statistics, the view that "we are just a small (insert business here), why would anyone want to attack us?" needs reconsideration.


To improve access to their latest findings and recommendations, the Australian Signals Directorate (ASD) launched a new website (https://cyber.gov.au) in late August to consolidate cyber-security content and alerts for individuals and organisations into one hub. This is a great resource for process, technology and risk management materials. It will replace the Australian Cyber Security Centre site in time.

Supermicro supply-chain attack

In what sounds like something out of a spy movie, Bloomberg Businessweek has reported that nearly 30 US companies, including a major bank, government contractors and Apple, may have been victims of a hardware supply-chain attack against Supermicro. The report claims that chips – some smaller than the tip of a sharpened pencil – had been inserted into Supermicro motherboard designs, in order to allow nation-state-sponsored adversaries access to high-value corporate secrets and sensitive government networks.

[Image: Figure 1: The scale of the chip, compared to a US penny]

While there is debate in the InfoSec community around the claims, the article certainly makes for interesting reading and leads to some key take-aways:

  1. Supply-chain attacks, both hardware- and software-based, are possible. We need to exercise due diligence when selecting suppliers of any componentry that we choose to integrate into our networks.
  2. Visibility and understanding of what is "normal" is key. Only by understanding the "normal" can we detect the "abnormal" and investigate. This does not have to apply only to low-level component analysis; it can deliver valuable security outcomes when looking at user behaviour, network traffic and other indicative metrics.

Facebook loses 50 million keys to the Kingdom

As reported by many newswires in October, Facebook announced a massive breach of nearly 50 million accounts when attackers exploited a series of bugs in the implementation of the "View As" feature, which allows a user to view their own profile as it would appear to another user. In exploiting the vulnerability, Facebook would cough up an access token which an attacker could use to access the user's account. If the user had registered for access to third-party apps and sites using the "Log in with Facebook" feature, it is possible that the attacker could then pivot from the user's Facebook account into their other associated accounts; however, Facebook has said that there is no evidence so far that third-party apps or sites have been accessed in this way. When the initial breach was detected, Facebook took steps to revoke the tokens for the 50 million affected users, along with another 40 million potentially impacted users, forcing 90 million users to provide their credentials and log in to Facebook again on next access.

While inconvenient for the 90 million users, this breach could prove to be quite inconvenient for Facebook, as EU regulators have opened an investigation, which could lead to fines of up to $1.6 billion.

For a full run down and analysis, please refer to the Dark Reading article here.

Take-aways? While "Log in with Facebook", "Log in with Google" and other such options provide a level of convenience, that convenience comes with risk and associated cost. If your primary account is compromised, attackers end up with the keys not just to your castle, but to the whole Kingdom.

Contact Us today to find out how Thomas Duryea Logicalis can support you with your organisation's security concerns and posture.
