The massive Facebook data loss: early thoughts


3 April 2021 – If you are in the cybersecurity industry, you have been pinged all weekend on the Facebook data loss. The *technicals* behind it are not complex but require some work-throughs. Ars Technica and The Verge and a few other “go to sites” will have some good, detailed pieces out shortly. So in brief:

* More than 540 million records about Facebook users were publicly exposed on Amazon’s cloud computing service. A report out by UpGuard said two third-party Facebook app developers posted the records in plain sight, causing yet another major data breach for the world’s biggest social network.

* According to UpGuard, a Mexico-based media company called Cultura Colectiva was responsible for the biggest leak. It exposed 146 gigabytes of Facebook user data, including account names, IDs and details about comments and reactions to posts.

* Separately, an app called At the Pool exposed databases that appeared to include data about user IDs, friends, photos and location check-ins, as well as unprotected Facebook passwords for 22,000 users. The app — which was meant to help people meet up for offline activities — shut down in 2014.

* It’s unclear how many individual users had data exposed, but some of that data is already up on the Dark Net.

* UpGuard said it alerted Cultura Colectiva and Amazon about the breaches from Cultura Colectiva in January, but no action was taken until Wednesday morning. After Bloomberg reached out to Facebook for a comment about that breach, an Amazon “storage bucket” with the data from Cultura Colectiva was secured.

* The data from At the Pool went offline before UpGuard reached out about it.

As we all well know, Facebook is under federal criminal investigation for deals it struck with electronics manufacturers to access user data, and it has been hit by a series of security breaches over the past year. The British analytics firm Cambridge Analytica, which worked with the Trump campaign in the 2016 election, got access to data from more than 87 million users; and Facebook last September said that an attack on its networks exposed information from nearly 50 million users. Facebook said it has more than 2.3 billion active monthly users worldwide.

When something like this happens I always turn to Steve King, who is the Director of Cybersecurity Advisory Services at CyberTheory, a full-service cybersecurity marketing advisory firm that provides storying, branding, advertising, marketing, content, digital strategy, messaging, positioning … oh, the list goes on. Go to the link. Steve is very much a “Big Picture” guy, able to look at all the connecting threads from 10,000 feet up. His work as a security practitioner goes back years … across all industries and regions … and his contact base is to die for.

I was able to get through to him (I have the secret number to his bat cave) to get his read and he had this to say:

Do I think Zuck should step down? Do I think FB engineers are both stupid AND arrogant? Why do people offer up all their personal information to FB anyway? As I have said many, many times before: cybersecurity is hard. I’ve been doing it a long time and it’s the hardest job on the planet. No excuses for the FB engineers, but a stroll down memory lane might not hurt.

Now, Microsoft engineers are quite smart. Long ago, back in 2016, they were giddy about the release of Tay, the first AI/ML chatbot designed to learn from human interaction. It was programmed to recognize and respond to patterns of conversational input it received. What could possibly go wrong?

Initially, Tay looked like a smashing success. Within 2 hours it was talking smack. And within the first day it was reeling off the most racist, xenophobic slurs you could imagine. Within 24 hours, Tay was taken down. Experiment over.

While we are really quite good at technology, we are even better at being human. Timnit Gebru’s departure from Google tells us all we need to know about AI/ML and the inherent confirmation biases that govern everything we do.

Until we solve for the human element, we will continue to circle back to where we started. And, the Zucks will keep doing what they want.

We veered off onto the technical aspects of the Facebook data loss but then Steve went back to his view from 10,000 feet which is what he does best:

You want some scale on all this? Then back up a bit. More records were compromised in 2020 than in the past 15 years combined. Reported ransomware (representing a fraction of actual cases) is up 60% compared to 2019.

We switched entire workforces to WFH almost overnight, from 31 million before the pandemic, to just under 500 million today. That exodus was at the expense of cybersecurity and bypassed policies, leaving most exposed to exploitation, as home offices are a snake pit of vulnerabilities calling out for attention.

But COVID-19 only accelerated a pattern that was already in play as compromised data in 2019 had increased by 200% compared to the previous year. Data lakes are getting larger, and we are collecting increasingly sensitive information about our customers, as part of our digital transformation process and to personalize products and services.

At the same time, threat actors have become more sophisticated, using automated bots to leverage attack vectors more broadly. Does anyone think that this is going away anytime soon, or after the threat of COVID-19 passes?

Those of us in the community have been warning about the inevitability for years. Last year was the year to invest in education, training, staffing and technologies. This year, it is likely too late.

It also pings against something I wrote about last week: the cloud attack you won’t see coming. If stealth hacking hasn’t already come to your cloud computing operation, it will shortly. There is a rising tide of cyberattacks that are more sneaky than ever before. It’s called “stealth hacking”, subtle attacks that try to see your data and processes without alerting anyone that this is occurring.

In the world of consumer computing, this may manifest as keystroke-monitoring malware that installs from a malicious download. The hacker hopes to remain undiscovered and gather as much data as possible until the jig is up, or perhaps never be discovered at all. 

In the business/enterprise world it is much scarier. As my team noted in our analysis of the Accellion breaches, law firms are especially susceptible to these attacks. David Linthicum, an internationally recognized cybersecurity expert, used these examples:

The damage that a non-stealth hack can do is easy to define as to risk and cost. According to RiskIQ, in 2019, “Every minute, $2,900,000 is lost to cybercrime, and top companies pay $25 per minute due to cybersecurity breaches.” However, if you don’t know that you’re being monitored, the damages could be 10 times that of an instantaneous attack. Since many stealth hacks go undiscovered, there is no good data on the damages that actually occur. On the top of the list: (1) Insider trading of stock, getting access to sales and other accounting data pre-earnings announcements, (2) Pre-audit movement of cash from company accounts, (3) Litigation analysis on top player cases, and (4) Blackmail due to access to HR records.

The assumption is that this kind of hacking targets on-premises systems which often are being neglected now with the focus on cloud computing. But this problem is likely to move to public clouds as well, if it hasn’t already.

Although many would say the public cloud providers are responsible to better protect their customers’ data, the reality is that it’s a “shared responsibility model.” This means the cloud vendor provides you with the tools and procedures to be secure, and it’s up to you to implement them correctly. For instance, if you misconfigure the security for storage buckets in the public cloud and data is accessed, that’s on you. But enterprises really need a holistic security strategy that’s systemic to all systems and all points of monitoring. Although these are not easy to set up and are costly to run, the price of dealing with a hack – either stealth or not – is at least 50 times more.

But as Steve King has noted many times, enterprises are not turning that page. The beat goes on.
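To make the “misconfigured storage bucket” point concrete, here is an added example (my own, not code from UpGuard, Facebook, Amazon or any of the firms named above) that audits an S3 bucket’s configuration for public exposure offline. It checks the three places where a bucket becomes world-readable: a bucket policy that grants to the wildcard principal, an ACL grant to the AllUsers or AuthenticatedUsers groups, and a Block Public Access configuration that is not fully enabled. The two sample buckets are constructed, and the bucket name, account ID and role name in them are placeholders; the dictionaries follow the shape returned by the real AWS `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` calls, so the same functions can be pointed at live output.

```python
"""Offline audit of S3 bucket configuration for public exposure (added example)."""
import json

# Canned grantee URIs that make an S3 ACL readable by anyone (or any AWS account).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access flags; all should be True on a private bucket.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_anyone(principal) -> bool:
    """True when the policy principal is the wildcard (anonymous) principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_policy_statements(policy: dict) -> list:
    """Sids of unconditional Allow statements granted to everyone."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        # A Condition (e.g. aws:SourceVpce, aws:SourceIp) may scope the grant;
        # only an unconditional wildcard grant is flagged as public here.
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found

def public_acl_grants(acl: dict) -> list:
    """(group name, permission) for every grant to AllUsers / AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits

def public_access_block_gaps(cfg: dict) -> list:
    """Block Public Access flags that are missing or not True."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not cfg.get(k, False)]

def audit_bucket(bucket: dict) -> dict:
    """Combine the three checks into one finding set for a bucket."""
    findings = {
        "policy": public_policy_statements(bucket.get("Policy", {})),
        "acl": public_acl_grants(bucket.get("Acl", {})),
        "block_gaps": public_access_block_gaps(bucket.get("PublicAccessBlock", {})),
    }
    findings["public"] = bool(findings["policy"] or findings["acl"])
    return findings

# Constructed sample: a world-readable bucket next to its hardened counterpart.
LEAKY_BUCKET = {
    "Name": "example-app-export",  # placeholder bucket name
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-export/*"}]},
    "Acl": {"Grants": [{
        "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
        "Permission": "READ"}]},
    "PublicAccessBlock": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS},
}
HARDENED_BUCKET = {
    "Name": "example-app-export",
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        # placeholder account ID and role name
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-export-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-export/*"}]},
    "Acl": {"Grants": [{
        "Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
        "Permission": "FULL_CONTROL"}]},
    "PublicAccessBlock": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
}

if __name__ == "__main__":
    for b in (LEAKY_BUCKET, HARDENED_BUCKET):
        print(b["Name"], json.dumps(audit_bucket(b), indent=2))
```

The leaky sample is reported as public on both the policy and the ACL, with all four Block Public Access flags missing; the hardened one grants only to a named role, keeps the ACL owner-only and has every flag set. Conditional wildcard statements are deliberately skipped rather than flagged, so a bucket that relies on a Condition for its scoping still deserves a manual look.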

Digital technology is treated as a force of nature, without an agenda, inevitable and unstoppable. The past that has survived in the minds of the current generation is one that reflects what has happened rather than what is possible. Society is often treated as an object, which digital technology does things to, rather than a community of people with agency and a collective desire to shape the future. “All our invention and progress seem to result in endowing material forces with intellectual life, and in stultifying human life into a material force,” declared Karl Marx. Nowhere in our current society is this observation more relevant than our personal and political and social engagement with digital technology.

The phrase “digital revolution” captures something of the transformative nature of the time we find ourselves in. Technology is revolutionizing how we organize production, reproduction and consumption. But every day shows we live in an age steeped in pessimism … due to that wondrous “digital revolution”.

Oh, yes. I know. Loss of Facebook data is immaterial when we look at phenomena like climate change that threatens the lives of billions, inequality grows unchecked, and right-wing populism peddles fear and bigotry. I get it. That FB data loss is insignificant.

But today we live, breathe and die on “the digital”. And this Facebook data loss only further emphasizes we live in a world where wealth and privilege prefers our slothful stasis. While capitalism appears to be a constant, we have prioritized selfishness at an immense human cost of greed, and squandered the potential of the digital age.
