Latest news
Their security team has not only been the first to discover the presence of the malware in its networks and to identify it, but has also discovered the source of the infection and the C&C server that the malware was sending information to.
After having sinkholed the server and analyzed the incoming traffic, they discovered that other companies have been affected, too, and they proceeded to notify them. In the end, it turned out that Apple, Twitter and Microsoft were among these companies.
But what allowed Facebook to react so well to the breach?
At the CanSecWest Conference held this week in Vancouver, Ryan McGeehan, security manager for incident response at Facebook, and Chad Greene, manager of the Facebook CERT, shared details about how Facebook prepares its security teams for incidents such as that one.
The first, dubbed "Vampire", was a simulation of a full breach in which actors that pretended to be affiliated with the Koobface gang had apparently owned a number of laptops across the company (including a few of those belonging to members of the security teams), installed backdoors, had root access to the server, were actively disrupting the security teams' log searches, and ultimately sent an email containing screenshots proving the "ownage" and blackmailing the company.
As they prepared to completely rebuild the domain in order to assure that the attackers are booted out, the news came that it was all just a drill.
While the "attack" was unfolding, the incident response team kept an eye on all people involved in the defense, evaluating their reactions and their interactions. As McGeehan pointed out, there is no other way to prepare effectively for incidents such as these apart from mounting this type of exercises - first-hand experience is crucial.
The second "attack", dubbed "Loopback" and executed at the end of 2012, was more similar to the real one that hit the company at the beginning of this year, Threatpost reports.
With the help of an in-house developer who was instructed to let malware in by clicking on a link in a spear-phishing email that exploited a zero-day vulnerability, the "attackers" established control of the system and used it to push out altered PHP code that created a backdoor in Facebook's production code.
This change would have affected all Facebook users, were it not for the fact that the backdoor was not designed to run.
Follow @zeljkazorz
Spotlight
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
