Facebook Security Breach
Hello, All-
Just making sure you have all seen this. We continue to investigate and learn more, but please do let me know any specific questions. I may not yet know the answers, but it would be very helpful for me to escalate.
https://newsroom.fb.com/news/2018/09/security-update/
Ebele Okobi | Public Policy Director, Africa
Hey Ebele,
What specific code that was breached had the vulnerability on the platform, and just how difficult would this breach have been to foresee and forestall?
Harry
On Sat, Sep 29, 2018, 10:36 Ebele Okobi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Hello, All-
Just making sure you have all seen this. We continue to investigate and learn more, but please do let me know any specific questions. I may not yet know the answers, but it would be very helpful for me to escalate.
https://newsroom.fb.com/news/2018/09/security-update/
Ebele Okobi | Public Policy Director, Africa
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Domain Registration sponsored by www.eacdirectory.co.ke
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/harry26001%40gmail.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
Hi! Are you asking for a representation of the specific line or lines of code, of the multiple millions of lines of code that make up the FB code base? If so, I don’t have that, and it’s not the kind of information any company has ever released after a breach. But do correct me if I’m wrong? I’m also not sure how helpful that would be, but grateful for insight there.
That said, Facebook knows that our platform is one of the most attractive platforms in the known world for virtually every bad actor in the world. So we have multiple teams constantly assessing vulnerabilities, running scenarios, doing everything possible to harden us as a target. And to the second question, the teams have to try to anticipate and foresee any and every possible risk.
Ebele Okobi | Public Policy Director, Africa
On Sep 29, 2018, at 9:50 AM, Harry Delano <harry26001@gmail.com> wrote:
Hey Ebele,
What specific code that was breached had the vulnerability on the platform, and just how difficult would this breach have been to foresee and forestall?
Harry
Ebele,
Thanks for being forthright with this. Indeed, no one is today immune to cyber attacks. Not even the Pentagon. What is important is to ensure that we mitigate those risks and, once we fall to such bad actors, how to react. One of the most critical issues to deal with is how one communicates the breach and assures all what they are doing to minimize damage. Keep up the comms, Ebele.
Regards
Ali Hussein
+254 0713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
Blog: www.alyhussein.com
"Discovery consists in seeing what everyone else has seen and thinking what no one else has thought". ~ Albert Szent-Györgyi
Sent from my iPad
On 29 Sep 2018, at 1:11 PM, Ebele Okobi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Hi! Are you asking for a representation of the specific line or lines of code, of the multiple millions of lines of code that make up FB code base? If so, I don’t have that, and it’s not the kind of information any company has ever released after a breach. But do correct me if I’m wrong? I’m also not sure how helpful that would be, but grateful for insight there.
That said, Facebook knows that our platform is one of the most attractive platforms in the known world for virtually every bad actor in the world. So we have multiple teams constantly assessing vulnerabilities, running scenarios, doing everything possible to harden us as a target. And to the second question, the teams have to try to anticipate and foresee any and every possible risk.
Ebele Okobi | Public Policy Director, Africa
Hey Ebele,
I suppose I simply followed your cue, specifically here ==> "We continue to investigate and learn more, but please do let me know any specific questions", prior to fully interacting with the security page information updates. It's got some of the info I needed to know.
But I have a couple of questions below; feel free to escalate as you had suggested. We are all learning/helping each other get better as a tech community:
- How rigorous were the source code security vulnerability tests that the 'upload video' feature, which supposedly triggered the "user access tokens" stolen by "3rd" parties as indicated by Pedro in your security update, was subjected to before it went live?
- Beyond the routine in-house system analysis/audits/testing that probably missed this vulnerability, was this feature subjected to bug bounty hunting (external audit resources)? Was it given a "clean bill of health"?
Thanks
Harry
On Sat, Sep 29, 2018 at 1:12 PM Ebele Okobi <ebeleokobi@fb.com> wrote:
Hi! Are you asking for a representation of the specific line or lines of code, of the multiple millions of lines of code that make up FB code base? If so, I don’t have that, and it’s not the kind of information any company has ever released after a breach. But do correct me if I’m wrong? I’m also not sure how helpful that would be, but grateful for insight there.
That said, Facebook knows that our platform is one of the most attractive platforms in the known world for virtually every bad actor in the world. So we have multiple teams constantly assessing vulnerabilities, running scenarios, doing everything possible to harden us as a target. And to the second question, the teams have to try to anticipate and foresee any and every possible risk.
Ebele Okobi | Public Policy Director, Africa
Hi! I don’t think the issue is the rigor of FB tech or security teams, so I appreciate the questions, but I can say that we are fortunate, given the profile of the company, to be able to hire many of the best engineers and security teams. We are always, however, eager to learn and looking for others to test our vulnerabilities, so if you would like to assist us with your expertise, here’s information about our white hat program. Please do review; we’d be grateful for your technical insights, so get involved!
https://m.facebook.com/whitehat
https://www.wired.com/story/facebook-bug-bounty-third-party-apps/
Ebele Okobi | Public Policy Director, Africa
On Sep 29, 2018, at 2:46 PM, Harry Delano <harry26001@gmail.com> wrote:
Hey Ebele,
I suppose I simply followed your cue, specifically here ==> "We continue to investigate and learn more, but please do let me know any specific questions", prior to fully interacting with the security page information updates. It's got some of the info I needed to know.
But I have a couple of questions below; feel free to escalate as you had suggested. We are all learning/helping each other get better as a tech community:
- How rigorous were the source code security vulnerability tests that the 'upload video' feature, which supposedly triggered the "user access tokens" stolen by "3rd" parties as indicated by Pedro in your security update, was subjected to before it went live?
- Beyond the routine in-house system analysis/audits/testing that probably missed this vulnerability, was this feature subjected to bug bounty hunting (external audit resources)? Was it given a "clean bill of health"?
Thanks
Harry
Ebele,
Many thanks for this feedback, will definitely take a look at the resources you have provided, which I also believe many on this forum interested in this area might find resourceful to hone their skills, and can get rewarded for it at the same time.
Regards,
Harry
On Sat, Sep 29, 2018 at 6:24 PM Ebele Okobi <ebeleokobi@fb.com> wrote:
Hi! I don’t think the issue is the rigor of FB tech or security teams, so I appreciate the questions, but I can say that we are fortunate, given the profile of the company, to be able to hire many of the best engineers and security teams. We are always, however, eager to learn and looking for others to test our vulnerabilities, so if you would like to assist us with your expertise, here’s information about our white hat program. Please do review; we’d be grateful for your technical insights, so get involved!
https://m.facebook.com/whitehat
https://www.wired.com/story/facebook-bug-bounty-third-party-apps/
Ebele Okobi | Public Policy Director, Africa
No one is able to defend against an advanced intruder who has the resources, the patience, the budget and a boss who is demanding results. The way they figured out the "View As" code had an issue was a simple vulnerability, but actually finding it meant they had several operators following each part of the deployment of code inside Facebook.
On Sun, 30 Sep 2018 at 02:29, Harry Delano via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Ebele,
Many thanks for this feedback, will definitely take a look at the resources you have provided, which I also believe many on this forum interested in this area might find resourceful to hone their skills, and can get rewarded for it at the same time.
Regards, Harry
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/
participants (4)
- Admin CampusCiti
- Ebele Okobi
- Gichuki John Chuksjonia
- Harry Delano