The Division of Information Technology (DIT)
Morgan State University

Presentation Classified as: Public
NCSAM: National Cyber Security Awareness Month
Facebook Hack and Security
What happened? Numbers
https://newsroom.fb.com/news/2018/10/update-on-security-issue/
§ Originally reported as 50 Million
§ Refined to 30 Million
  § 15 Mil – Name and contact information (phone, email or both)
  § 14 Mil – Same, plus username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
  § 1 Mil – Tokens were taken, but no data was accessed
§ Between September 14 and 27, 2018
What happened? Definitions
https://newsroom.fb.com/news/2018/10/update-on-security-issue/
§ Token:
  § Like a digital key you are given when you log in.
  § Heavily used in all organizations to allow access to data and systems.
  § Like getting your key once you buy your house. The key is now in your possession to get into the home without having to sign for a new one every time you want to get in.
§ “View As…”
  § Allows a user to see what his or her account looks like to others.
  § Rob is my friend. If I want to see what my profile looks like to Rob, I can “View As” Rob.
What happened? Attack
https://newsroom.fb.com/news/2018/10/update-on-security-issue/
§ Attackers started with accounts that had friends.
§ The following steps were automated and exploited a vulnerability:
§ Attackers did a “View As” for those friends and took the tokens issued for them.
§ Attackers then used the stolen tokens to perform a “View As” of those accounts' friends and took their tokens.
§ (Rinse and) Repeat until the attackers had 400,000 stolen tokens, which they used to “View As” 30 million users.
§ (Yes, it seems Fb exposed the secure tokens.)
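To make the chain on this slide concrete, here is an added Python model (not Facebook's code, and not part of the slides) of a toy site whose “View As” mints and leaks a full token for the viewed account, beside the fixed behaviour where the preview is rendered under the caller's own session and no token for the viewed account ever leaves the server. The friend graph, account names and the SocialSite class are constructed for the demo; blast_radius measures how many accounts one leaked token could be chained into, which drops to zero once the fix is in place.

```python
import secrets

# Constructed, symmetric friend graph for the demo; not real accounts.
FRIENDS = {
    "mallory": {"alice"},
    "alice": {"mallory", "bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob"},
    "dave": set(),
}

class SocialSite:
    """Toy server. self.tokens maps an opaque token to (account, scope)."""
    def __init__(self, vulnerable):
        self.vulnerable = vulnerable
        self.tokens = {}
    def login(self, account):
        tok = secrets.token_hex(8)            # the "digital key" from the slides
        self.tokens[tok] = (account, "full")
        return tok
    def view_as(self, token, friend):
        """Render the caller's profile as `friend` sees it; return any token the page leaks."""
        caller, scope = self.tokens[token]
        if scope != "full" or friend not in FRIENDS[caller]:
            raise PermissionError("View As requires a full session and a friend relationship")
        if self.vulnerable:
            # The bug in miniature: the preview minted a full-scope token for the
            # VIEWED account and handed it to the caller's browser.
            leaked = secrets.token_hex(8)
            self.tokens[leaked] = (friend, "full")
            return leaked
        # Fixed: the preview is built server-side under the caller's own session;
        # no credential belonging to the viewed account is returned.
        return None

def blast_radius(site, token):
    """Accounts whose tokens a single token could be chained into via View As (exposure analysis)."""
    start = site.tokens[token][0]
    seen, frontier = {start}, [token]
    while frontier:
        tok = frontier.pop()
        for friend in FRIENDS[site.tokens[tok][0]]:
            if friend in seen:
                continue
            leaked = site.view_as(tok, friend)
            if leaked is None:
                continue                       # fixed site: chain stops immediately
            seen.add(friend)
            frontier.append(leaked)            # vulnerable site: keep walking the graph
    return seen - {start}
```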
What does it mean to me?
§ Facebook has 2.7 billion users.
§ 30 million is about 1% of total users.
§ Odds are you are not impacted.
§ FB will let you know if you were.
§ You can check out the Fb site on the subject at https://www.facebook.com/help/securitynotice
§ It will tell you if you were one of them.
§ But, alas, there was nothing a user could have done to prevent their token from being stolen.
§ “View As” is disabled and the vulnerability has been patched.
Remember
§ Facebook is FREE!
§ Just because they respect your privacy doesn’t mean it is guaranteed.
§ Read the EULA.
§ Who owns the data you put there?
§ Read the EULA.
§ News reports say Fb is looking to purchase a security firm to beef up security.
Security Tips Overload!
Here are some suggestions
Tip 1: Password/2FA
§ Change your password if you are concerned.
§ Don’t save it in your browser.
§ Turn on Two-Factor Authentication (2FA/MFA).
Tip 2: Monitor Your Devices
§ Check where you are logged in (a.k.a. a device audit).
§ Log out from any devices you don’t recognize.
  § And redo Tip 1.
Tip 3: Set Up Alerts
§ Login alerts are available from:
  § The Facebook app on your phone
  § Messenger
  § Email
Tip 4: Post Privacy
§ Set who can view your posts:
  § Public (NO NO NO)
  § Friends
  § Friends Except …
  § Specific Friends
  § Only Me
  § Custom
Tip 5: Availability to Find
§ Review “How do people find or contact you?”
Tip 6: Apps
§ Did you know apps linked to Fb can see everything you do?
§ Remove unwanted apps.
Tip 7: Hide Your About!
§ About contains a lot of info about you. See how much you are sharing, like your cell phone number!!
Tip 8: Hide Your About!
§ No, not a mistake. Just another reminder to hide your About!
§ What does your bank use to ID you over the phone?
Helpful Links
§ https://www.facebook.com/help/security/security_features
§ https://www.facebook.com/help/securitynotice
§ https://www.wired.com/story/facebook-privacy-apps-ads-friends-delete-account/
Thank you!

Ronald King
Chief Information Security Officer (CISO)
ciso@morgan.edu