Meta, Apple emergency data request scam holds lessons for CISOs

Fake requests from law enforcement gave cybercriminals access to sensitive customer data. It's a signal for CISOs to work with business to review and update processes for these requests.

A recent Bloomberg piece highlighted how Meta Platforms, Inc. (parent company of Facebook) and Apple, Inc. had been successfully socially engineered into providing customer data in response to “emergency data requests” from individuals they believed to be representing the U.S. government. If your entity is collecting customer data, it is possible you’ll receive a lawful request for the data from a government entity. This may take the form of a warrant, subpoena or national security letter. Do you have a process for handling these requests?

The miscreants’ success in manipulating these conglomerates into providing data may have been made possible by the heavy volume of requests received each day and the lack of checks and balances within the processes. Both Meta and Apple have published guidelines for government entities to use when engaging their companies to request information. Both rely on online forms or email. No direct human interaction takes place when a request is originated.

Let’s look at the processes for the two entities.

Meta/Facebook emergency data request process

The Meta/Facebook guidelines cover a variety of scenarios, ranging from the U.S. legal process requirements to international requirements, to authenticity and account preservation, as well as child safety matters, data retention, format, user consent and notification of individuals, and the “emergency request.”

For the emergency request, which was the means by which the organization was manipulated, the online request form carries warning notices on who may use it and how unauthorized requests are subject to prosecution. That said, the online request form is straightforward:

We disclose account records solely in accordance with our terms of service and applicable law.
If you are a law enforcement agent or emergency responder who is authorized to gather evidence in connection with an official investigation or in order to investigate an emergency involving the danger of serious physical injury or death, you may request records from Facebook through this system.
I am an authorized law enforcement agent or government employee investigating an emergency, and this is an official request

Check the box and move on to the next step.

Provide “The name of the issuing authority and agent, email address from a law-enforcement domain, and direct contact phone number.”
Provide “The email address, phone number (+XXXXXXXXXX), user ID number (http://www.facebook.com/profile.php?id=1000000XXXXXXXX) or username (http://www.facebook.com/username) of the Facebook profile.”

Apple emergency data request process

Apple takes a different approach, issuing its Guideline for Law Enforcement Requests as a PDF. The guide is no less comprehensive than Meta/Facebook’s, and in many instances more so; the section on emergency requests in particular is more thorough. Apple uses a separate PDF form, “Emergency Government/Law Enforcement Information Request,” in which the requestor attests that the emergency involves circumstances or serious threats to “life/safety of individuals, the security of a State, or the security of critical infrastructure/installations.” The requestor then emails the form to a designated email address with the subject line “Emergency Request.”

Social engineering emergency data requests

As anyone who studies social engineering knows, you give the target what they are looking for and add a sense of urgency to the provision of information or the taking of an action. In both companies, the process was similar, each requiring the rationale for the request, identifying information, and a point of contact.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement provided to Bloomberg. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

So how could the events have transpired?

The point of origin could have been the compromised email accounts associated with law enforcement. When law enforcement entities learn that an email account has been compromised, do they change the email? Remove the email from every pre-authorization engagement? Send out notices disavowing any legitimacy to an email originating from the compromised account?

Probably not. With a compromised email in hand and a ready template provided by the target, creating a fake request is as easy as filling in the blanks. But what of the validation/verification aspect? When the requesting party provides all the contact data, they control the engagement.

Review emergency data request processes

CISOs will be well served to review their processes with legal and HR to ensure that their entity isn’t the next to be successfully targeted. Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, observes of such processes, “Companies will be well served by having a ‘business security officer’.” That is an individual within the business operations element who is responsible for the security of that business element and is supported by the information security team.

She went on to note how infrequently those doing internal threat monitoring include input from those who understand best how business is conducted. That is to say, those on the shop floor may be best positioned to advise on how the current system, bracketed by policy and procedures, can be defeated.

Plaggemier’s advice is spot-on. Those who handle the requests day in and day out are best positioned to advise on how a third party may game the processes. Perhaps it is as simple as requiring pre-registration and third-party verification of authenticity before accepting a request from a given entity. What is required, however, is that each company be able to independently verify the authenticity and credibility of the request.
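To make the two points above concrete (a requester who supplies all the contact data controls the engagement, and pre-registration plus independent verification closes that gap), here is an added example of an intake check for emergency data requests. It is not Meta’s or Apple’s code. It assumes a constructed internal registry of pre-registered agencies, each with vetted sender domains and a callback number captured at enrolment, plus a constructed list of agency mailboxes reported as compromised. The design rule it demonstrates is that nothing the requester typed in is ever used to reach back to them; the only contact detail that drives the next step comes from the registry.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample registry populated through pre-registration (assumption):
# agency name -> approved sender domains and the callback number vetted at enrolment.
REGISTRY = {
    "Example County Sheriff": {
        "domains": {"sheriff.example-county.gov"},
        "callback": "+1-555-0100",
    },
}

# Constructed sample: mailboxes the agency has reported as compromised.
COMPROMISED_MAILBOXES = {"deputy.smith@sheriff.example-county.gov"}


@dataclass
class EmergencyRequest:
    agency: str
    agent_email: str
    contact_phone: str      # typed in by the requester; treated as untrusted
    target_identifier: str  # e.g. a username or user ID on the platform
    rationale: str


@dataclass
class Decision:
    status: str                      # "rejected" or "callback_required"
    reasons: list = field(default_factory=list)
    callback: Optional[str] = None   # always the registry's number, never the request's


def validate_request(req: EmergencyRequest) -> Decision:
    """Screen an emergency data request against pre-registered data only.

    The submitted phone number is never dialled. If the request passes the
    screen, the reviewer must confirm it by calling the registry's number
    before any data is released.
    """
    entry = REGISTRY.get(req.agency)
    if entry is None:
        return Decision("rejected", ["agency not pre-registered"])

    reasons = []
    domain = req.agent_email.rsplit("@", 1)[-1].lower()
    if domain not in entry["domains"]:
        reasons.append(f"sender domain {domain!r} not registered for agency")
    if req.agent_email.lower() in COMPROMISED_MAILBOXES:
        reasons.append("sender mailbox reported compromised")
    if not req.rationale.strip() or not req.target_identifier.strip():
        reasons.append("rationale or target identifier missing")
    if reasons:
        return Decision("rejected", reasons, entry["callback"])

    # A mismatched phone number is logged for the reviewer but does not change
    # which number gets called: that is fixed by the registry.
    if req.contact_phone != entry["callback"]:
        reasons.append("submitted phone differs from vetted callback; submitted number ignored")
    return Decision("callback_required", reasons, entry["callback"])


if __name__ == "__main__":
    # Constructed sample: a request from a mailbox the agency has reported compromised.
    sample = EmergencyRequest(
        agency="Example County Sheriff",
        agent_email="deputy.smith@sheriff.example-county.gov",
        contact_phone="+1-555-9999",
        target_identifier="username",
        rationale="imminent threat to life",
    )
    print(validate_request(sample))
```

Note that a request that passes every check still ends in `callback_required`, not release: the registry number, not the one on the form, is what the reviewer dials, which is precisely the control the fake requests in the Bloomberg story exploited the absence of.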

Copyright © 2022 IDG Communications, Inc.
