[kictanet] Facebook Security Breach

Gichuki John Chuksjonia chuksjonia at gmail.com
Sun Sep 30 02:35:25 EAT 2018


No one is able to defend against an advanced intruder who has the
resources, the patience, the budget and a boss who is demanding
results. The way they figured out the “View As” code had an issue was a simple
vulnerability, but actually finding it meant they had several operators
following each part of the code deployment inside Facebook.

On Sun, 30 Sep 2018 at 02:29, Harry Delano via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> Ebele,
>
> Many thanks for this feedback, will definitely take a look at the
> resources you have provided, which I also believe
> many on this forum interested in this area might find useful for honing
> their skills, and can get rewarded for it at
> the same time.
>
> Regards,
> Harry
>
> On Sat, Sep 29, 2018 at 6:24 PM Ebele Okobi <ebeleokobi at fb.com> wrote:
>
>> Hi!
>> I don’t think the issue is the rigor of FB tech or security teams, so I
>> appreciate the questions, but I can say that we are fortunate, given the
>> profile of the company, to be able to hire many of the best engineers and
>> security teams. We are always, however, eager to learn and looking for
>> others to test our vulnerabilities, so if you would like to assist us with
>> your expertise, here’s information about our white hat program. Please do
>> review; we’d be grateful for your technical insights, so get involved!
>>
>> https://m.facebook.com/whitehat
>>
>> https://www.wired.com/story/facebook-bug-bounty-third-party-apps/
>>
>>
>> Ebele Okobi | Public Policy Director, Africa
>>
>>
>>
>>
>>
>> On Sep 29, 2018, at 2:46 PM, Harry Delano <harry26001 at gmail.com> wrote:
>>
>> Hey Ebele,
>>
>> I suppose I simply followed your cue, specifically here: "We continue
>> to investigate and learn more, but please do let me know any specific
>> questions", prior to fully interacting with the security page
>> information updates. It's got some of the info I needed to know.
>>
>> But I have a couple of questions below; feel free to escalate as you had
>> suggested. We are all learning/helping each other get better as a tech
>> community:
>>
>> - How rigorous were the source code security vulnerability tests that the
>> 'upload video' feature, which supposedly triggered the "user access tokens"
>> stolen by "3rd" parties as indicated by Pedro in your security update,
>> was subjected to before it went live?
>> - Beyond the routine in-house system analysis/audits/testing that
>> probably missed this vulnerability, was this feature subjected to bug
>> bounty hunting (external audit resources)? Was it given a "clean bill
>> of health"?
>>
>> Thanks
>> Harry
>>
>>
>>
>>
>> On Sat, Sep 29, 2018 at 1:12 PM Ebele Okobi <ebeleokobi at fb.com> wrote:
>>
>>> Hi!
>>> Are you asking for a representation of the specific line or lines of
>>> code, of the multiple millions of lines of code that make up the FB code base?
>>> If so, I don’t have that, and it’s not the kind of information any company
>>> has ever released after a breach. But do correct me if I’m wrong. I’m also
>>> not sure how helpful that would be, but grateful for insight there.
>>>
>>> That said-Facebook knows that our platform is one of the most attractive
>>> platforms in the known world for virtually every bad actor in the world. So
>>> we have multiple teams constantly assessing vulnerabilities, running
>>> scenarios, doing everything possible to harden us as a target. And to the
>>> second question, the teams have to try to anticipate and foresee any and
>>> every possible risk.
>>>
>>> Ebele Okobi | Public Policy Director, Africa
>>>
>>>
>>>
>>> On Sep 29, 2018, at 9:50 AM, Harry Delano <harry26001 at gmail.com> wrote:
>>>
>>> Hey Ebele,
>>>
>>> What specific code that was breached had the vulnerability on the
>>> platform, and just how difficult was this breach to foresee and
>>> forestall?
>>>
>>> Harry
>>>
>>>
>>>
>>> On Sat, Sep 29, 2018, 10:36 Ebele Okobi via kictanet <
>>> kictanet at lists.kictanet.or.ke> wrote:
>>>
>>>> Hello, All-
>>>>
>>>> Just making sure you have all seen this. We continue to investigate and
>>>> learn more, but please do let me know any specific questions. I may not yet
>>>> know the answers, but it would be very helpful for me to escalate.
>>>>
>>>> https://newsroom.fb.com/news/2018/09/security-update/
>>>>
>>>> Ebele Okobi | Public Policy Director, Africa
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> kictanet mailing list
>>>> kictanet at lists.kictanet.or.ke
>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>> Twitter: http://twitter.com/kictanet
>>>> Facebook: https://www.facebook.com/KICTANet/
>>>> Domain Registration sponsored by www.eacdirectory.co.ke
>>>>
>>>> Unsubscribe or change your options at
>>>> https://lists.kictanet.or.ke/mailman/options/kictanet/harry26001%40gmail.com
>>>>
>>>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>>>> for people and institutions interested and involved in ICT policy and
>>>> regulation. The network aims to act as a catalyst for reform in the ICT
>>>> sector in support of the national aim of ICT enabled growth and development.
>>>>
>>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>>> online that you follow in real life: respect people's times and bandwidth,
>>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>>> not spam, do not market your wares or qualifications.
>>>>
-- 
Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com

{FORUM}http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/