Facebook Rolled Its Own 0Day For Red Team Exercise 40
chicksdaddy writes "Threatpost has the story of the extreme — even hair-raising — lengths that Facebook's incident response team has gone to in order to prepare the company's staff to be hacked. Among the methods described at the CanSecWest Conference: 'Operation Loopback' in 2012, which was designed to mimic an APT-style attack from China and used what appears to be an internally developed exploit for an internally discovered 0day. From the article: 'McGeehan and his team this time identified a likely attacker — China — and decided to impersonate its tactics. For this one, they recruited an internal engineer as an accomplice. They wanted to get a backdoor into Facebook's production code, so they sent a spear-phishing email containing exploit code for a live zero-day vulnerability to the engineer. He dutifully clicked the link and his machine was promptly compromised. (McGeehan would not identify which product the vulnerability affected, nor how the Facebook team came into possession of it, but said that they disclosed it to the affected vendor before the Loopback exercise and used it before the patch was publicly available.)' Ouch!"
Way to much time on their hands (Score:1)
Aren't they supposed to be trying to mobilise their systems so they can knock Google in to irrelevance to gratify their stockholders delusions?
No wait, that's never gonna happen. Might as well fish out some crappy POC from SecurityFocus code it up and and see if their dumb ass hipster engineers will accidentally click on it while thinking it was supposed to be a link to a cute kitty pix. I reckon for their next trick they should start filming their own version of Jackass in the HQ office ... Mark Zuckkerbal
Competing for advertising revenue (Score:2)
In the world where, despite their different core competencies in terms of engineering ways to attract non-paying users to whom their customers can advertise, both of them actually make the vast majority of their revenue selling online advertising.
Google+ isn't where Google competes with Facebook directly for money. Social network users aren't either company's paying customers.
Re: (Score:2)
In what world is Facebook competing with Google?
Advertising revenue genius.
Ofcourse It had to be China (Score:2, Insightful)
I mean, with the soviets gone, Sadam gone, Bin Laden gone, SOMEONE has to step up to be the stereotype arch-enemy of the US. So let's build this image because hey, we just have to learn and be prejudiced with 1 and a half billion people. After all, what good are the chinese for? We don't need them right?
Re: (Score:3)
They made my computer...
Re: (Score:2, Informative)
It's not about racial prejudice, it's about probability.
Re: (Score:1)
They are probably racist?
Re: (Score:1)
Maybe...
Re: (Score:3, Funny)
If China would rid the world of Facebook, they would be heroes, not the enemy.
Sounds like Facebook handled it correctly (Score:5, Insightful)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
not really a zeroday exploit... (Score:2)
Correct me if I'm wrong but it's not really a zero day 'sploit if it's internally known, the attack is internal penetration testing, and the exploit gets closed before it's known.
Re: (Score:2)
This is Slashdot, where every exploit is a zero-day exploit. I could release a patch to TRS-DOS 1.3 that makes it ignore passwords and someone here would post it as a zero-day.
But I believe that patch already exists.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)