The Division of Information Technology DIT Morgan State University Presentation Classified as Public
What happened? Numbers
https://newsroom.fb.com/news/2018/10/update-on-security-issue/
§ Originally reported as 50 million
§ Refined to 30 million
  § 15 million: name and contact details (phone, email or both)
  § 14 million: the same, plus username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches
  § 1 million: no data was accessed
§ Between September 14 and 27, 2018

What happened? Definitions
https://newsroom.fb.com/news/2018/10/update-on-security-issue/
§ Token:
  § Like a digital key you are given when you log in.
  § Heavily used in all organizations to allow access to data and systems.
  § Like getting your key once you buy your house: the key is now in your possession and lets you into the home without having to sign for a new one every time you want to get in.
§ “View As…”:
  § Allows a user to see what his or her account looks like to others.
  § Rob is my friend. If I want to see what my profile looks like to Rob, I can “View As” Rob.

What happened? Attack
https://newsroom.fb.com/news/2018/10/update-on-security-issue/
§ Attackers had accounts with friends.
§ The following steps were automated and exploited a vulnerability:
  § Attackers did a “View As” for those friends and took the tokens for them.
  § Attackers then used the stolen tokens to perform a “View As” of their friends and took their tokens.
  § (Rinse and) repeat until the attackers had 400,000 stolen tokens to “View As” 30 million users.
§ (Yes, it seems Fb exposed the secure tokens.)
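To show why the chain above could spread so far, here is an added toy model (example code written for this page, not Facebook's code): a “View As” that hands the session a full token minted for the impersonated friend can be chained friend-to-friend across the whole graph, while a preview token that stays bound to the logged-in account cannot be chained at all. The friend graph and token fields are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Toy model for this page (not Facebook's code); constructed friend graph.
FRIENDS: Dict[str, Set[str]] = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob", "dave"},
    "dave": {"carol"},
}

@dataclass(frozen=True)
class Token:
    owner: str      # account the token can act as (the "digital key")
    audience: str   # whose perspective the profile is rendered from
    preview: bool   # True: read-only preview, cannot be chained further

def login(user: str) -> Token:
    return Token(owner=user, audience=user, preview=False)

def view_as_vulnerable(tok: Token, friend: str) -> Token:
    """Flawed design: the preview is rendered with a full token minted
    for the friend, so whoever holds this session now holds the friend's key."""
    if friend not in FRIENDS[tok.owner]:
        raise PermissionError("View As is limited to friends")
    return Token(owner=friend, audience=friend, preview=False)

def view_as_hardened(tok: Token, friend: str) -> Token:
    """Fixed design: the token stays bound to the authenticated owner;
    only the rendering perspective changes, and the result is not chainable."""
    if tok.preview or friend not in FRIENDS[tok.owner]:
        raise PermissionError("View As refused")
    return Token(owner=tok.owner, audience=friend, preview=True)

def blast_radius(view_as: Callable[[Token, str], Token], start: str) -> Set[str]:
    """Accounts whose full tokens a holder of `start`'s session could collect
    by repeatedly calling View As on every friend of each token it obtains."""
    seized, queue = {start}, deque([login(start)])
    while queue:
        tok = queue.popleft()
        for friend in FRIENDS[tok.owner]:
            try:
                got = view_as(tok, friend)
            except PermissionError:
                continue
            if not got.preview and got.owner not in seized:
                seized.add(got.owner)
                queue.append(got)
    return seized
```

With the flawed design one session reaches every account in the connected graph; with the bound preview token it reaches only itself, which is the property a defender wants to verify when reviewing any impersonation or “preview as” feature.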
What does it mean to me?
§ Facebook has 2.7 billion users.
§ 30 million is about 1% of total users.
§ Odds are you are not impacted.
§ FB will let you know if you were.
§ You can check the Fb page on the subject at https://www.facebook.com/help/securitynotice
  § It will tell you if you were one of them.
§ But, alas, there is nothing anyone could have done to prevent the token from being stolen.
§ “View As” is disabled and the vulnerability patched.

Remember
§ Facebook is FREE!
§ Just because they respect your privacy doesn’t mean it is guaranteed.
§ Read the EULA.
§ Who owns the data you put there?
§ Read the EULA.
§ News reports say Fb is looking to purchase a security firm to beef up security.

Tip 1: Password/2FA
§ Change it if you are concerned.
§ Don’t save it in your browser.
§ Enable Two-Factor Authentication (2FA/MFA).

Tip 2: Monitor Your Devices
§ Check where you are logged in (AKA Device Audit).
§ Log out from the devices you don’t recognize.
§ Then redo Tip 1.

Tip 3: Set Up Alerts
§ Alerts are available from:
  § Facebook app on your phone
  § Messenger
  § Email

Tip 4: Post Privacy
§ Set who can view your posts:
  § Public (NO NO NO)
  § Friends
  § Friends except …
  § Specific friends
  § Only me
  § Custom

Tip 5: Availability to Find
§ How do people find or contact you?

Tip 6: Apps
§ Did you know apps linked to Fb can see everything you do?
§ Remove unwanted apps.

Tip 7: Hide your About!
§ About contains a lot of info about you. See how much you are sharing, like your cell phone number!!

Tip 8: Hide your About!
§ No, not a mistake. Just another reminder to hide your About!
§ What does your bank use to ID you over the phone?

Helpful Links
§ https://www.facebook.com/help/security/security_features
§ https://www.facebook.com/help/securitynotice
§ https://www.wired.com/story/facebook-privacy-apps-ads-friends-delete-account/

Thank you!
Ronald King, Chief Information Security Officer (CISO)
ciso@morgan.edu