TechBizWebTechBizWeb

    Subscribe to Updates

    Get the latest news about Technology and Business from all around the web..

    What's Hot

    Missile strikes rekindle fear among Kyivans as Moscow renews attacks

    July 2, 2022

    FTX agrees deal with option to buy BlockFi for up to $240mn

    July 2, 2022

    The end of the frictionless life

    July 2, 2022
    Facebook Twitter Instagram
    • About Us
    • Privacy Policy
    • Guest Post
    • Terms
    • Contact
    Facebook Twitter Instagram
    TechBizWebTechBizWeb
    Subscribe
    • Home
    • Technology

      Twitch is testing channel surfing

      July 2, 2022

      You can now play the “all your base are belong to us” game on your Switch

      July 2, 2022

      There’s a better way to bypass Windows 11 install restrictions

      July 2, 2022

      What is the best controller for Xbox consoles?

      July 1, 2022

      The GPU shortage is over

      July 1, 2022
    • Business
    • Cyber Security

      Tips to bolster cybersecurity, incident response this 4th of July weekend

      July 1, 2022

      Jon Raper named CISO at Costco

      July 1, 2022

      2022 RSAC takeaways: Risk management vs compliance

      July 1, 2022

      3 security lessons we haven’t learned from the Kaseya breach

      July 1, 2022

      Auston Davis named CISO at Versant Health

      June 30, 2022
    • Blockchain
    • Vulnerabilities
    • Social Engineering
    • Malware
    • Cyber Security Alerts
    TechBizWebTechBizWeb
    Home»Social Engineering»Meta, Apple emergency data request scam holds lessons for CISOs
    Social Engineering

    Meta, Apple emergency data request scam holds lessons for CISOs

    April 11, 2022Updated:April 11, 2022No Comments5 Mins Read
    Facebook Twitter Pinterest LinkedIn Tumblr WhatsApp
    Share
    Facebook Twitter LinkedIn Pinterest Email

    A recent Bloomberg piece highlighted how Meta Platforms, Inc., (parent company of Facebook) and Apple, Inc., had been successfully socially engineered into providing customer data in response to “emergency data requests” to individuals who they believed to be representing the U.S. government. If your entity is collecting customer data, it is possible you’ll receive a lawful request for the data from a government entity. This may take the form of a warrant, subpoena or national security letter. Do you have a process for handling these requests?

    How these miscreants manipulated these conglomerates into providing data may have been made possible due to the heavy volume of requests received each day and the lack of checks and balances within the processes. Both Meta and Apple have published guidelines to be used by government entities to engage their companies to request information. Both rely on the use of online forms or email. Direct human interaction does not happen when requests are originated.

    Let’s look at the processes for the two entities.

    Meta/Facebook emergency data request process

    The Meta/Facebook guidelines cover a variety of scenarios, ranging from the U.S. legal process requirements to international requirements, to authenticity and account preservation, as well as child safety matters, data retention, format, user consent and notification of individuals, and the “emergency request.”

    For the emergency request, which was the means by which the organization was manipulated, the online request form carries warning notices on who may use it and how unauthorized requests are subject to prosecution. That said, the online request form is straightforward:

    We disclose account records solely in accordance with our terms of service and applicable law.

    If you are a law enforcement agent or emergency responder who is authorized to gather evidence in connection with an official investigation or in order to investigate an emergency involving the danger of serious physical injury or death, you may request records from Facebook through this system.

    I am an authorized law enforcement agent or government employee investigating an emergency, and this is an official request

    Check the box and move on to the next step.

    Provide “The name of the issuing authority and agent, email address from a law-enforcement domain, and direct contact phone number.

    The email address, phone number (+XXXXXXXXXX), user ID number (http://www.facebook.com/profile.php?id=1000000XXXXXXXX) or username (http://www.facebook.com/username) of the Facebook profile.

    Apple emergency data request process

    Apple takes a different approach, issuing Guideline for Law Enforcement Requests in PDF. The guide is no less comprehensive than Meta/Facebook and in many instances more so. The section on emergency request is, however, more comprehensive. Apple uses a separate PDF form “Emergency Government/Law Enforcement Information Request” in which the requestor attests that the emergency involves circumstances or serious threats to “life/safety of individuals, the security of a State, or the security of critical infrastructure/installations.” The requestor then emails the request to a designated email address, with the subject line: “Emergency Request.”

    Social engineering emergency data requests

    All who study social engineering know, you give the target what they are looking for and you add a sense of urgency for the provision of information or taking an action. In both companies, the process was similar, each requiring provision of the rationale for the request, identifying information, and point of contact.

    “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement provided to Bloomberg. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

    So how could the events have transpired?

    It could have found its point of origin with the compromised email accounts associated with law enforcement. When law enforcement entities learn that an email account has been compromised, do they change the email? Remove the email from every pre-authorization engagement? Send out notices disavowing any legitimacy to an email originating from the compromised email?

    Probably not. With a compromised email in hand and a ready template provided by the target, the creation of the fake request is possible as easy as filling in the blanks. But what of the validation/verification aspect? When the requesting party is providing all the contact data, they can control the engagement.

    Review emergency data request processes

    CISOs will be well served to review their processes with legal and HR to ensure that their entity isn’t the next to be successfully targeted. Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, on processes, she observes, “Companies will be well served by having a ‘business security officer’.” That is an individual within the business operations element who is responsible for the security of the business element and supported by the information security team.

    She continued how infrequently those who are doing internal threat monitoring include input from those who understand best how business is conducted. That is to say, those on the shop floor may be best positioned to provide input on how the current system bracketed by policy and procedures can be defeated.

    Plaggemier’s advice is spot-on. Those who handle the requests day in and day out are best positioned to advise on how a third party may game the processes. Perhaps it is as simple as requiring pre-registration and third-party verification of authenticity before accepting a request from a given entity. What is required, however, is that each company must be able to independently verify the efficacy and credibility of the request.

    Copyright © 2022 IDG Communications, Inc.

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

    Related Posts

    5 social engineering assumptions that are wrong

    June 24, 2022 Social Engineering

    Threat actors becoming more creative exploiting the human factor

    June 13, 2022 Social Engineering

    PIXM releases new computer vision solution for mobile phishing

    May 25, 2022 Social Engineering

    New RAT malware uses sophisticated evasion techniques, leverages COVID-19 messaging

    May 11, 2022 Social Engineering

    Musk’s Twitterverse and the future of misinformation

    May 6, 2022 Social Engineering

    Chinese APT group Mustang Panda targets European and Russian organizations

    May 5, 2022 Social Engineering
    Editors Picks

    FTX agrees deal with option to buy BlockFi for up to $240mn

    July 2, 2022

    The end of the frictionless life

    July 2, 2022

    Twitch is testing channel surfing

    July 2, 2022

    You don’t need a crowd for a communal moment

    July 2, 2022
    Trending Now

    Klarna valuation crashes to $6.5bn from $46bn

    By techbizweb

    The GPU shortage is over

    By techbizweb

    Google closes data loophole amid privacy fears over abortion ruling

    By techbizweb

    https://www.nationalsportsacademy.com

    slot gacor hari ini

    http://www.inadesfo.org/

    http://www.eueomgbissau.org/

    http://www.congo-mai-mai.net/

    http://www.angelesdelafrontera.org/

    http://fifaworldcup2018schedule.com/

    http://tony4gtrmcr.co.uk/

    http://www.standrewsagreement.org/

    http://www.bob-russell.co.uk/

    http://davidmulholland.co.uk/

    http://railwayhotelenniskillen.com/

    http://www.fantasysportstrades.com/

    http://www.rainleaf-flooring.com

    http://mothersagainstguns.org/

    http://ma-coc.org/

    slot online

    http://www.paradoxmag.com/situs-judi-slot-online-gampang-menang-2021/

    http://www.paradoxmag.com/situs-judi-slot-online-terbaru-2021/

    http://slot-terbaru.net/

    Slot Gacor

    Slot Online

    Situs Slot Gacor

    http://www.appdexterity.com/

    https://cars4kids-deutschland.de/

    https://www.stretchingculture.com/

    https://www.b-123-hp.com/slot-gacor/

    https://denzstaffing.nl/

    https://ezbbqcooking.com/slot-gacor/

    https://www.mbahelp24.com/slot-gacor

    https://minhtanstore.com/slot-jackpot-terbesar/

    https://njbpusupplierdiversity.com/slot-gacor-gampang-menang/

    https://www.floridaspecialtycropfoundation.org/slot-gampang-menang/

    https://childrenscornerpreschool.org/slot-gacor-gampang-menang/

    https://cryptoquoter.com/slot-online-terbaik/

    https://alorkantho24.com/slot-gacor/

    https://ellas.xyz/slot-gacor/

    https://it.dougamatome.xyz/slot-online/

    https://www.daltercume.com/slot-gacor/

    https://josi-ana.dougamatome.xyz/slot88/

    https://josi-ana.dougamatome.xyz/slot-gacor/

    https://fastobserver.com/slot-jackpot-terbesar/

    https://www.planetexperts.com/slot-gacor/

    https://bfsolution.group/slot-bet-kecil/

    https://rustleva.co/slot/

    https://bfsolution.group/slot-bet-kecil/

    https://www.hotelcalimareal.com/togel-online/

    https://anime-game.dougamatome.xyz/slot-gacor-gampang-menang/

    https://anime-game.dougamatome.xyz/togel-online/

    https://bourbonbarrelfoods.com/slot/

    http://suneo39.wp.xdomain.jp/slot/

    https://techbizweb.com/slot-gacor/

    https://www.generalcatalyst.com/18-daftar-slot-gacor-terbaik-gampang-menang-jackpot-hari-ini/

    https://www.hotelcalimareal.com/slot-online/

    https://www.blockgates.io/slot-gacor/

    https://l12.com.br/slot-gacor/

    slot paling gacor

    https://www.donalds-hobby.com/slot-online/

    https://thecryptodirt.com/slot-gacor-hari-ini/

    http://iseta.edu.ar/aulavirtual/app/upload/users/1/1205/my_files/sbobet.html

    http://escuelavirtual.mincit.gov.co/app/upload/users/1/194/my_files/slot.html

    https://www.dev.medecinesfax.org/courses/JUDICASINO/document/slot.html

    http://www.e-archivos.org/cursos/courses/JUDICASINO/document/slot-gacor.html

    http://iesma.com.br/ead/main/upload/users/4/447/my_files/slot.html

    https://www.fundacoop.org/chamilo/app/upload/users/1/1185/my_files/slot.html

    https://fata-aatf.org/eskola/main/upload/users/3/31/my_files/slot.html

    https://uancv.edu.pe/ofinvestigacion/app/upload/users/3/328/my_files/slot-terlengkap.html

    https://micost.edu.my/EL/app/upload/users/2/209/my_files/slot-gacor.html

    https://www.academiacoderdojo.ro/elearningdev/app/upload/users/2/2442/my_files/slot-online.html

    http://campus-cidci.ulg.ac.be/courses/JUDICASINO/document/slot-termurah.html

    https://www.escueladerobotica.misiones.gob.ar/aula-ste/courses/LIVECASINO/document/slot-tergacor.html

    http://ccdipeepccqqfar.usac.edu.gt/chamilo/app/upload/users/3/358/my_files/slot-online.html

    https://cunori.edu.gt/campus/app/upload/users/7/7334/my_files/slot-online.html

    http://u-rus.com.ar/aula/app/upload/users/1/1322/my_files/slot.html

    http://icrodarisoveria.edu.it/chamilo/app/upload/users/1/1855/my_files/slot.html

    https://iestpliliagutierrez.edu.pe/clarolgm/courses/CASINO/document/slot.html

    http://pva.cobach.edu.mx/app/upload/users/7/7379/my_files/slot.html

    http://www.imb-pc-online.edu.gt/PL/app/upload/users/3/373/my_files/slot.html

    http://avcs.upeu.edu.pe/main/upload/users/3333/my_files/slot.html

    https://chamilo.fca.uas.edu.mx/app/upload/users/1/11186/my_files/slot-online/

    TechBizWeb
    Facebook Twitter Instagram Pinterest Vimeo YouTube
    • Home
    • Guest Post
    • About Us
    • Privacy Policy
    • Our Authors
    • Terms and Conditions
    • Contact
    © 2022 Tech Biz Web. Developed by Sawah Dev.

    Type above and press Enter to search. Press Esc to cancel.