LightBlog

Thursday, March 16, 2017

Facebook Buys Stolen Accounts Off the Darknet to Keep Their Users Safe

Keeping Facebook safe and keeping Facebook secure are two different tasks, Facebook’s Chief Security Officer Alex Stamos said at a recent conference. Security, he explained to the crowd, is building walls of defense to keep threats out. But “safety is bigger than that.”

Stamos explained that the “bigger” form of safety was making use of stolen password dumps on the darknet. Instead of simply comparing the password hashes of Facebook users with those made publicly available, Facebook buys the account dumps hidden on the darknet markets (DNMs).

Database breaches containing electronic healthcare records have routinely popped up on marketplaces like TheRealDeal. Social media has been regularly exploited too. Earlier this year, 65 million Tumblr accounts surfaced for a surprisingly low price.

After the Adobe breach, we learned that the social media giant mined the Adobe data to find anyone who shared passwords between Facebook and Adobe. The accounts that used the same username (email) and password were “concealed” and received a message with instructions to update their password.

“Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places,” the Facebook message said.

Stamos explained that the social media giant hunted the darknet for account and/or server dumps to buy. The team then used a “computationally heavy” method to cross-reference the passwords found in the dumps with Facebook users’ password hashes.

Facebook sandboxed the users after matches were found, keeping the possibly-compromised accounts from the public eye—until the account owner changed the password.

“The reuse of passwords is the No. 1 cause of harm on the internet,” Cnet quoted Stamos on stage. He continued, “Even though we provide these options, it is our responsibility to think about those people that choose not to use them.”

Facebook’s ability to cross-reference passwords found in data breaches against those of its own users raised several questions. People wanted to know how Facebook could possibly check their credentials against those found online without storing their login data in plain text. The suspicion that Facebook stored account information in plain text, or in a similarly recoverable encrypted form, was not held by a lone conspiracy theorist.

Chris Long, a security incident response manager at Facebook, explained the process after the 2013 Adobe breach. This was his reply to a commenter on krebsonsecurity.

We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time. Like Brian’s story indicates, we’re proactive about finding sources of compromised passwords on the internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts.

“It can do that because passwords can be used to create hashes, but the reverse isn’t true: hashes can’t be used to recreate the passwords that made them,” Naked Security wrote.

Stamos explained, “When somebody logs into Facebook, the password they hand over is passed through a one-way hashing function. If the result matches what Facebook has on record, that user is allowed in.”

Facebook looks for stolen passwords that are able to pass through Facebook’s hashing algorithm. If a password passes and matches the hash on record for a particular user, “Facebook knows it has hit on a reuser,” Stamos said.
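The check described above, as an added illustration that is not Facebook's code: the defender never needs plaintext passwords on file, only the same one-way function the login path uses. It assumes a per-user salt with PBKDF2-HMAC-SHA256 as a stand-in for whatever hashing scheme Facebook actually uses, which the page does not specify, and the user records and leaked dump below are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed hashing scheme (stand-in; the real one is not described on the page).
# Each user record holds a random salt and a one-way hash, never the password.
ITERATIONS = 100_000

def make_record(password: str, salt: bytes = b"") -> dict:
    """Store a password the way a login system should: salted, one-way hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def check_password(record: dict, candidate: str) -> bool:
    """The same check the login path runs: rehash the candidate, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def find_reusers(user_db: dict, leaked_dump: list) -> set:
    """Run each leaked (email, plaintext password) pair through the login check.
    Returns the accounts whose stored hash matches, i.e. password reusers to sandbox
    until they reset. Every candidate costs a full PBKDF2 run, which is why the
    cross-reference is computationally heavy."""
    flagged = set()
    for email, leaked_pw in leaked_dump:
        record = user_db.get(email)
        if record is not None and check_password(record, leaked_pw):
            flagged.add(email)
    return flagged

# Constructed sample data: three local accounts and a dump leaked from another site.
USER_DB = {
    "alice@example.com": make_record("correct horse battery"),
    "bob@example.com": make_record("hunter2"),
    "carol@example.com": make_record("uniqueAndLong!42"),
}
LEAKED_DUMP = [
    ("alice@example.com", "correct horse battery"),  # same password reused -> flagged
    ("bob@example.com", "hunter3"),                  # different password -> ignored
    ("dave@example.com", "hunter2"),                 # not a local user -> ignored
]

if __name__ == "__main__":
    print("accounts to sandbox and force a reset:", sorted(find_reusers(USER_DB, LEAKED_DUMP)))
```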