Security Bits Logo

Security Bits – Facebook Token Hack, Bloomberg Amazon & Apple Servers & China, Facebook Uses 2FA Numbers for Advertising

Security Bits – 5 October 2018

Followups

Security Medium 1 — The Facebook Hack

Facebook surprised 90 million users by logging them out of Facebook completely as part of their response to a security vulnerability. Facebook didn’t just log people out of the web, they logged people out of connected devices and apps too. How? By disabling all active tokens for the affected users.

Why did Facebook do this? Because they became aware of a vulnerability that would allow an attacker to generate a valid token for any Facebook user of their choice, and, that the vulnerability had definitely been used against 50 million accounts, and possibly used against another 40million!

It’s hard to over-estimate the seriousness of this vulnerability — it effectively allowed attackers to become any Facebook users they wished! Data leaks only contain important accounts by accident, this vulnerability allowed attackers to pick and choose their victims at will.

Facebook have patched the vulnerability, and have gone back through their logs to find those who were affected, or who may have been affected, and then invalidated all tokens for those accounts.

Because Facebook is an OAuth identity provider (i.e. because the Login with your Facebook Account feature exists), attackers could theoretically user this vulnerability to access 3rd-party apps and sites too, but Facebook say they’ve found no evidence of this having happened.

Links

Security Medium 2 – Chinese Government Hardware Hack?

Bloomberg published a story this week they have been working on for over a year — it describes a disturbing world, one where the Chinese government managed to sneak spying hardware the size of a grain of rice onto the motherboards of servers built by the company Supermicro and sent to foreign customers including 30 US companies, some of which had US government contracts. The reports doesn’t name most of the companies, but it does refer to “a major bank”, and it does name Apple and Amazon specifically.

When it comes to Apple, the report cites “Three senior insiders at Apple” who told Bloomberg that Apple had found spying hardware in servers from Supermicro in 2015. The report further states that Apple ended their relationship with Supermicro a year later, and cite Apple as saying it was for unrelated reasons. Apple has strongly contradicted the report, saying very plainly that it is factually incorrect, that Apple did not find a spying chip on any servers in 2015. They did find one issue with a driver on Supermicro server in 2016, but that was fully investigated and found to be a mistake rather than a targeted attack against Apple. Apple assume Bloomberg’s reporters are conflating that incident with hardware boobytrapping of servers in their data centres which Apple explicitly and clearly deny ever having discovered.

With regards to Amazon the story focuses in on Amazon’s purchase of the company Elemental. Servers from elemental were installed into US Government data centres by Amazon. The report claims Amazon discovered the hardware hacks during investigations as part of their due diligence for the acquisition. Amazon deny they found any hardware issues during these investigations.

When it comes to Amazon’s AWS server farms the sourcing is noticeably less strong IMO “people inside AWS”, note the absence of the word senior this time. Like Apple, Amazon have strongly and clearly disputed the facts as put forward by the story.

To throw more confusion on the whole thing, Bloomberg also cite “six current and former senior national security officials” as having described US government investigations into these hacks to them, but there is no official confirmation that these investigations exist, let alone that they found evidence of 30 companies being hacked. It’s also interesting to note that Bloomberg explicitly say that only four of the six named Apple. Finally, they say they have a total of 17 sources for their story.

Here’s the core of Amazon’s rebuttal:

It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware

The pre-acquisition audit described four issues with a web application (not hardware or chips) that SuperMicro provides for management of their motherboards. All these findings were fully addressed before we acquired Elemental.

And here’s the core of Apple’s rebuttal:

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple

The UK’s GCHQ (similar to the NSA in the US) has cast doubt on the report:

We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS (Amazon Web Services) and Apple.

The WSJ is also reporting that their sources within the US intelligence community are casting doubts on the story.

Bloomberg are no fly-by-night operation, so it’s hard to imagine they do not believe their sources. Similarly, Apple and Amazon are being so clear in their denials with so little wiggle-room that they too must surely believe what they are saying. It seems to me that either the sources are honestly mistaken, or someone is lying to Bloomberg.

There is just no way for any of us to know what’s going on here, it just comes down to who we trust. For what it’s worth, I’m inclined to believe Apple, but you’ll have to make up your own minds.

Links

Notable Security Updates

Notable News

  • Facebook admit that they use cellphone numbers used for 2FA to target ads at users (Editorial by Bart: given the inherent insecurity of SMS, now seems like a good time to switch your Facebook account from SMS-based 2FA to authenticator-based 2FA) — gizmodo.com/…
  • Security researchers find that password managers on Android can be tricked into auto-filling passwords into malicious apps (Editorial by Bart: bottom line, be careful what you download on Android) — nakedsecurity.sophos.com/…
  • Apple’s added security and privacy features show some cracks that are in need of patching. Thankfully at their worst these problems reduce the new OSes to the level of security that existed in the previous versions:
  • A lock screen bypass has also been discovered for iOS 12, but it’s a particularly difficult one to pull off, the real-world threat is not high — nakedsecurity.sophos.com/…
  • The next version of WiFi has been announced and devices are expected to start shipping next year. The big changes are more speed and the introduction a whole new naming-scheme — no more hard-to-remember letters, just simple numbers. The next version of WiFi will be WiFi 6, and WiFi AC has been retro-actively named WiFi 5, and WiFi N has been retro-actively named WiFi 4 — www.theverge.com/…
  • 🇺🇸 News outlets are reporting that Police in the US forced a suspect to unlock their phone with FaceID (Editorial by Bart: other than click-bait, I’m not sure why this made the news. We’ve known for years that biometrics are not protect by the 5th amendment because they are something you are not testimony. This was true for TouchID, and has been true for FaceID since day-1) — nakedsecurity.sophos.com/…
  • Legal experts point out that if Apple Watch’s fall detection feature summons emergency services to you because it detects a fall and you fail to reply to the repeated requests for confirmation that you’re OK, police can enter your home without a warrant (Editorial by Bart: some people are trying to spin this as some kind of problem or scandal, but it seems to me this is very much a feature rather than a bug — the whole point of the feature is to get help!) — arstechnica.com/…
  • Facebook has made it just a little harder to close your Facebook account by forcing it to continue to exist for an extra 16 days. Facebook has never allowed you to instantly delete your account, they’ve always made you wait for a 14-day cooling-off period, but now they’ve extended that to 30 days — nakedsecurity.sophos.com/…
  • A French police officer has been charged with using police data as the basis for a phone tracking service he sold on the dark web (Editorial by Bart: just one more piece of evidence proving that point that a backdoor for the good guys can never be contained) — nakedsecurity.sophos.com/…
  • Mozilla has published a new site to help you leverage the have I been pwned database – FireFox Monitor (monitor.firefox.com/…) lets you check if an address belongs to a compromised account, and register for alerts should the address be found in a future compromise — nakedsecurity.sophos.com/…
  • Microsoft is killing passwords one announcement at a time — nakedsecurity.sophos.com/…

Suggested Reading

Palate Cleansers

1 thought on “Security Bits – Facebook Token Hack, Bloomberg Amazon & Apple Servers & China, Facebook Uses 2FA Numbers for Advertising

  1. Mike P - October 9, 2018

    Loved the show as always…..just wanted to chime in on the FB cellphone thing. When this news crossed my desk, I had a look at my profile. I was currently setup to use the TOTP 2FA, but my cell number was also on the profile….and used to be used as the 2FA some time ago. When I removed my cell from my profile, I then received an email from FB that 2FA was DISABLED !! So, I needed to re-setup the TOTP and generate a new set of backup codes. 😐

Leave a Reply

Your email address will not be published.

Scroll to top