Episode 114: Complexity at Root of Facebook Breach and LoJax is a RAT You Can’t Kill

In this week’s podcast: Facebook revealed that a breach affected 50 million accounts and as many as 90 million users. Is complexity at the root of the social media giant’s troubles? We speak with Gary McGraw of the firm Synopsys about it. Also: BIOS-based malware has been demonstrated at security conferences for years. Last week, the security firm ESET warned that it had identified a sample in the wild. Even worse: the Russian hacking group Fancy Bear was believed to be responsible. We’ll talk to firmware security expert Giovanni Vigna of the firm Lastline about the truth and hype around LoJax and other firmware-based attacks.

The movie The Social Network brought the heady tale of Facebook’s founding to the Big Screen, including dramatic scenes like that one, the famed “coding shots party” where contestants competed for a position as interns on Facebook’s development team. If that scene gives you pause, as a Facebook user, about the quality of some of the social network’s underlying code, nobody will blame you.

Facebook’s Biggest Adversary: Complexity

But today, more than 10 years later, Facebook sports a $469 billion market capitalization and 2.23 billion active monthly users. More importantly: the company can afford, and has built, one of the top security teams in Silicon Valley. And yet, last week saw Facebook forcibly logging out some 50 million users following a security breach that allowed unnamed attackers to steal session tokens, which they could then use to take over Facebook users’ accounts.

[See also: Veeam mishandles Own Data, exposes 440M Customer E-mails]

[Image: Mark Zuckerberg, Facebook CEO. Caption: Facebook said a breach affected some 50 million account holders. Is complexity the problem?]

How did one of the software industry’s best security teams miss a hole large enough to expose tens of millions of accounts?

Our first guest in this week’s podcast, Gary McGraw of the firm Synopsys, says that whopping security holes like this one may be inevitable: a byproduct of the frothy web application development space, which has prioritized rapid and agile development and DevOps at the cost of thoughtful planning and design. In this conversation, Gary and I talk about the Facebook breach and why others like it may be lurking out there on fast-growing web-based platforms.

Gary McGraw is the Vice President of Security Technology at the firm Synopsys and the best-selling author of Software Security and 11 other books.

LoJax: the RAT You Can’t Kill

Malicious software like remote access tools and ransomware can be very challenging to remove from infected systems.

But when all else fails, the support desk is likely to tell you to just reinstall the operating system on the machine to get rid of what ails it. But what if even that step wasn’t enough? What if there was a piece of malicious software that could survive even that radical measure?

The security firm ESET reported finding just such a beast last week: a rootkit dubbed LoJax that targets UEFI, the Unified Extensible Firmware Interface. UEFI is the software that operates at the lowest levels of modern computing devices, connecting the operating system to the firmware that runs the underlying hardware, such as hard drives, communications ports and network adapters. The malware, LoJax, is thought to be a tool of a Russian, state-sponsored hacking group known as Fancy Bear. And yes, that’s the same Fancy Bear that broke into the Hillary Clinton campaign back in 2016.

What does the discovery mean for companies and individuals worried about persistent malware infections? Probably nothing, says Giovanni Vigna of the firm Lastline.

An expert in the security of firmware, Vigna said that there are lots of reasons that UEFI malware won’t ever be an attacker’s first choice. Still, for organizations and individuals worried about targeted attacks by sophisticated actors, UEFI malware may be something to be mindful of, he says.
