Facebook is just the distraction from the real threat

The “Facebook problem” is real and it’s bad.  Whatever else you get from this, I’m not trying to play down the impact and continuing risk of data custodians who betray our trust.

It’s just that in the greater scheme of things, account takeover is much more dangerous, much easier to implement, verified to be ubiquitous on the web today, and yet is almost completely unreported.  We should address this and the Facebook problem but if we can do only one it should be this one.  This post explains why, and how I’ve tried to address it over time.

July 2017

My blog post “All Your Accounts Are Belong To Us” last July described how the presence of 3rd party scripts on account creation, login, recovery, and maintenance pages allows complete account takeover.  To the extent that people reuse passwords this potentially enables takeover of multiple secondary accounts.  If this includes the victim’s email account the adversary can potentially take over all their accounts using the email-based account recovery process.

I wrote the post out of exasperation after trying unsuccessfully for months to interest the FBI in the national security aspects of the problem.  What I told the FBI but that isn’t prominent in my blog post is that I used Built With to scan the top 100k sites on the Internet looking for sites which loaded 3rd party scripts from Yandex, the Russian Google and a hacking arm of the FSB.

There were plenty of sites using Yandex scripts and of those I found about 30 that loaded those scripts on the account creation page.  This means that Russian state hackers can effectively look over the shoulders of tens of millions of users as they create their account, fill in their profile, and transact business on the site.  At a minimum it gives away the users’ ID and password, credit card info if the site needs that, account recovery Q&A, all profile data, and transactional data.  Since the scripts run on sites like Porn Hub and adult payment gateways, they also give Russia detailed info on the users’ kinks, including if the user searches for illegal things like child porn.
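The check behind that scan, as an added example that is not from the original post: flag every script loaded from a host other than the page’s own, but only on pages that actually collect a password. The HTML and the hostnames (shop.example, tagvendor.example, replay.example) are constructed for the example.

```python
"""Flag cross-origin scripts on pages that collect a password (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AccountPageScan(HTMLParser):
    """Collect external script sources and note whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True


def third_party_scripts(html, page_url):
    """Return script URLs whose host differs from the page's own host.

    Only pages with a password field count: a script running there has the same
    DOM access as the site's own code and can read the ID and password as typed.
    Relative paths (no host) are first-party; every other host is flagged, the
    site's own subdomains included, so the result errs toward reporting.
    """
    scan = _AccountPageScan()
    scan.feed(html)
    if not scan.has_password_field:
        return []
    own_host = urlparse(page_url).hostname
    return [src for src in scan.script_srcs
            if urlparse(src).hostname not in (None, own_host)]


# Constructed login page: one relative script, one same-host script, and two
# foreign scripts (a tag loader and a protocol-relative session-replay loader).
SAMPLE_LOGIN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.shop.example/static/forms.js"></script>
<script src="https://cdn.tagvendor.example/tag.js"></script>
<script src="//replay.example/watch.js"></script>
</head><body><form method="post" action="/login">
<input name="user" type="text"><input name="pass" type="password">
</form></body></html>"""
```

Calling `third_party_scripts(SAMPLE_LOGIN_PAGE, "https://www.shop.example/login")` returns the two foreign script URLs; the same page with the password field changed to a text field returns nothing, since the check is specific to credential pages.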

Why might this be a problem?  Well, for example, unless we believe Trump is sophisticated enough and determined enough to use NoScript everywhere, there’s a good chance the FSB could tell us for certain whether he really is into golden showers and, if so, provide an inventory rated by number of views of his top 100 favorite fetish videos. That would actually explain a lot.

For another example, if the effort of hacking into servers that control critical infrastructure is like climbing a mountain, then arranging for the administrators of those systems to unwittingly hand over their login credentials is like taking the ski lift to the top.  The sites on which I found Yandex scripts included gamer sites, car enthusiasts and racing sites, tech manual repositories, porn, retail, lyrics, poetry, and more.

There are plenty of Sysadmins in the pool of users represented by these sites.  In fact, with tens of millions of compromised users, the probability of some of them being high value targets is 100%.   If a compromised high value user is smart enough to use different passwords they might be convinced to give up their password to a power plant or political party’s email server if their bank accounts are drained and they are bribed with their own money, or they are extorted with their sexual fetish secrets laid out in excruciating detail.

Screen shot released by US DHS showing the level of access hackers gained to power plant operations controls

 

November 2017

When I wrote the All Your Accounts blog post the presence and capabilities of 3rd party scripts on sensitive pages was verified but the possibility they are used specifically for data exfiltration was speculation on my part.  In November 2017, researchers at Princeton published the first of their No Boundaries series confirming the data exfiltration aspects I had been warning about.  Although any script is capable of doing this, Princeton has focused specifically on session replay scripts – those whose stated purpose is logging the user’s session.  Even if we accept the premise that only scripts that admit they exfiltrate data will actually exfiltrate data, the Yandex scripts include session replay functionality and fall into this category.

Not that there’s anything unique about Yandex.  The Alibaba Group out of China has their own suite of scripts with the same capabilities.  Nobody is reporting that China tried to hack our elections so my research focused on the Russian scripts.

After Princeton published the first No Boundaries article I began contacting news desks and tech journalists, pointing them at the Princeton articles and inviting them to contact me for the National Security implications that Princeton does not cover.  After scores of contacts with no replies, I started telling a small group of friends who I figure are technical enough to use NoScript.  Those included Doc and Joyce Searls who advised me to write it up.

I declined at the time because I was hoping a) for further confirmation from a security researcher with more visibility and reputation; and b) some idea of how it might be mitigated since we can’t ask the world to run NoScript.  I was also concerned that if the NatSec implications were widely reported it would make them less valuable to our cyber adversaries and thus trigger wide-scale use of them.  This is similar to how once a 0-day vulnerability is known, anyone holding it in reserve has to use it or lose it.

 

March 2018

Since talking with Doc and Joyce, the Facebook/Cambridge Analytica news broke large and now there’s lots of talk of regulating data custodians.  I’ve redoubled my awareness campaign efforts since then, contacting dozens more journalists and even revealing publicly the #NatSec implications because it apparently doesn’t make any difference what I say, nobody seems to take it seriously.

So hear this:

THERE IS ZERO BENEFIT IN REGULATING FACEBOOK AND OTHER DATA CUSTODIANS IF 3RD PARTY SCRIPTS THAT DIRECTLY COMPROMISE MILLIONS OF USERS ARE NOT ALSO ADDRESSED.

If an adversary can log directly into your Facebook account it doesn’t matter how much Facebook is regulated.  As long as data custodians plant 3rd party scripts on their protected pages the real threat isn’t even a data custody issue.

 

Feasibility

But how possible is that, really?

According to Statista about 70% of US adults reuse passwords on at least some sites. More concerning though are the 28% who reuse passwords across most or all web sites.

In other words, the FSB may be holding in reserve weaponized access to the complete online identities of…

  • 28% of US Wargaming.net users
  • 28% of US Motor1 users
  • 26% of US Poem Hunter users
  • 28% of US Lyrics Mode users
  • 28% of US Songsterr users
  • 28% of US ManualsLib users
  • 28% of US Mr. Porter users
  • 28% of US Pissed Consumer users
  • 28% of US DailyNews.com users
  • 28% of US PronTV.org users
  • 28% of US Porn Hub users
  • 28% of US DepositPhotos.com users

…to name a few I was able to find and manually verify that they embed Yandex scripts on their account creation pages.  All of these are among the top sites on the Internet so that’s a lot of compromised users. Perhaps tens of millions of them, and I didn’t spend the $300 to get a complete report from Built With of sites using Yandex so this is just a tiny sample.

Note that this excludes the 42% of users who reuse “some” passwords.  Because some portion of those people will also be completely compromised, the 28% estimate is conservative.  The real number is almost certainly greater.

 

Skepticism

The few people I’ve cornered long enough to make them listen while I describe this have responded along the lines of “you don’t really know Russia is doing any of this.”  That’s true.  What I have seen working in IT Security for 25 years is that known security vulnerabilities are almost always used, usually by relatively unsophisticated insiders who just want to work around what they see as intrusive company security measures.

So I could assume that a hostile nation currently engaged in active and highly sophisticated cyberwarfare against us has somehow completely overlooked these vulnerabilities that were verified by Princeton, or I could assume that the FSB is aware of the exposure but too ethical to exploit it…or I could be realistic and assume a whole lot of us are royally screwed.

Again, I’ve focused on Russia because they are openly engaged in cyberwarfare against us.  The greater problem is *any* 3rd party scripts on protected pages of a web site and this includes other adversarial nations like China, as well as a ton of US companies. In fact there’s a possibility my reports to the FBI were ignored because the US versions of these scripts have been weaponized by our own government.

 

Why reveal this publicly now?

There’s an opportunity cost to regulating data custodians like Facebook.  Following through with the narrow and ineffective focus on data custodians will make it harder to organize and drive new regulation to mitigate 3rd party script risks. Any regulation we undertake today should include elimination of 3rd party scripts on protected pages as the primary priority because we might not get a second chance to dip into the regulation well.

There’s also an order of magnitude difference in the risk presented by data sharing by custodians, versus bypassing the data custodian to effect direct account takeover at Internet scale.  “The Facebook problem” focuses on what is by far the least of these threats while the real possibility of bulk account takeover of the online accounts and identities of tens of millions of US adults by hostile foreign powers goes unaddressed.

And because, as I said earlier, this doesn’t seem to have any gravitas coming from me.  I can’t get even the people reporting on “the Facebook problem” at any level from local to national to respond to my queries.  Either my autistic pattern recognition is amped up way too high and there’s nothing here, or else it’s almost impossible for anything I say to trigger a cascade in which all the weaponized accounts are used before mitigation can be applied.  I make my living applying autistic pattern recognition to IT security problems so I hope it’s not the former.

In any case, I’ve tried for more than a year to do some form of responsible, discreet disclosure.  This is all I have left.

 

The ask

I challenge anyone reading this to provide a technically plausible refutation of any of these claims and scenarios.  Bear in mind while making any such refutation that the Princeton security researchers have verified the technical details on which I rely, and the only speculative part as far as I can see is that I give the FSB and the NSA credit for figuring this out before I did and weaponizing it.

Absent a plausible refutation, perhaps you will ask your favorite news desk or tech journo why this is not being covered.  Or, more to the point, ask your Congress critters why the regulation being considered doesn’t take this into account. In their post “Website operators are in the dark” the Princeton researchers provide a list of things that might help mitigate this risk.  It’s not much but it’s a start.

Either way, let me know, yeah?  Contrary to what you might think, I would actually LOVE to find out I’d overlooked something that makes this all more of a Sci-Fi plot than reality.  At least then I’d sleep a little better.

You can protect yourself by running NoScript to block 3rd party keylogger scripts, and by using 2-factor authentication to reduce the chance of someone logging in with your ID and password.  As always, get a password manager if you don’t already have one and use it to generate a long, random password that is different for every web site or app.  Make sure your account recovery email account uses a unique password and 2-factor authentication.
