Fake requests from law enforcement gave cybercriminals access to sensitive customer data. It's a signal for CISOs to work with the business to review and update processes for handling these requests.

A recent Bloomberg piece highlighted how Meta Platforms, Inc. (parent company of Facebook) and Apple, Inc. had been socially engineered into providing customer data in response to “emergency data requests” submitted by individuals they believed to be representing U.S. law enforcement. If your entity collects customer data, you may well receive a lawful request for that data from a government entity. It may take the form of a warrant, a subpoena or a national security letter. Do you have a process for handling these requests?

The manipulation of these two conglomerates may have been made possible by the heavy volume of requests they receive each day and by a lack of checks and balances within the intake process. Both Meta and Apple publish guidelines for government entities that wish to request information. Both rely on online forms or email; no direct human interaction takes place when a request is originated. Let’s look at the processes for the two entities.

Meta/Facebook emergency data request process

The Meta/Facebook guidelines cover a variety of scenarios, ranging from U.S. legal process requirements to international requirements, authenticity and account preservation, child safety matters, data retention, format, user consent and notification of individuals, and the “emergency request.” For the emergency request, which was the means by which the organization was manipulated, the online request form carries warning notices on who may use it and states that unauthorized requests are subject to prosecution.
That said, the online request form is straightforward:

“We disclose account records solely in accordance with our terms of service and applicable law. If you are a law enforcement agent or emergency responder who is authorized to gather evidence in connection with an official investigation or in order to investigate an emergency involving the danger of serious physical injury or death, you may request records from Facebook through this system.”

“I am an authorized law enforcement agent or government employee investigating an emergency, and this is an official request.”

Check the box and move on to the next step, which asks the requester to provide “The name of the issuing authority and agent, email address from a law-enforcement domain, and direct contact phone number” and “The email address, phone number (+XXXXXXXXXX), user ID number (http://www.facebook.com/profile.php?id=1000000XXXXXXXX) or username (http://www.facebook.com/username) of the Facebook profile.” Note that every piece of contact information used to reach the requester comes from the requester.

Apple emergency data request process

Apple takes a different approach, issuing its Guideline for Law Enforcement Requests as a PDF. The guide is no less comprehensive than Meta/Facebook’s and in many instances more so; its section on emergency requests in particular is more detailed. Apple uses a separate PDF form, “Emergency Government/Law Enforcement Information Request,” in which the requester attests that the emergency involves circumstances or serious threats to the “life/safety of individuals, the security of a State, or the security of critical infrastructure/installations.” The requester then emails the completed form to a designated email address with the subject line “Emergency Request.”

Social engineering emergency data requests

Anyone who studies social engineering knows the recipe: give the target what it expects to see, and add a sense of urgency to the request for information or action.
At both companies the process is similar: each requires the rationale for the request, identifying information and a point of contact.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement provided to Bloomberg. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

So how could the events have transpired?

The likely point of origin is compromised email accounts belonging to law enforcement. When a law enforcement entity learns that one of its email accounts has been compromised, does it retire the address? Remove it from every pre-authorization arrangement? Send out notices disavowing the legitimacy of any email originating from the compromised account? Probably not. With a compromised mailbox in hand and a ready-made template supplied by the target, creating a fake request is as easy as filling in the blanks.

But what of the validation and verification step? When the requesting party supplies all of the contact data, the requesting party controls the engagement: any callback or confirmation email goes to a phone number or mailbox the attacker chose.

Review emergency data request processes

CISOs will be well served to review these processes with legal and HR to ensure that their entity isn’t the next to be successfully targeted. Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, observes on the subject of processes: “Companies will be well served by having a ‘business security officer’.” That is an individual within the business operations element who is responsible for the security of that business element and is supported by the information security team. She went on to note how infrequently those doing internal threat monitoring include input from the people who best understand how the business is actually conducted.
That is to say, those on the shop floor may be best positioned to explain how the current system, bracketed by policy and procedures, can be defeated.

Plaggemier’s advice is spot-on. Those who handle the requests day in and day out are best positioned to advise on how a third party might game the process. Perhaps it is as simple as requiring pre-registration of requesting agencies and third-party verification of authenticity before accepting a request from a given entity. Whatever the mechanism, each company must be able to verify the authenticity and credibility of a request independently of the contact details the requester supplies.
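The point made above about the requester controlling the engagement is easiest to see in code. The following is an added example, not code from the article, Meta or Apple: it contrasts an intake check that trusts the contact fields typed into the form with one that verifies only against a pre-registered agency directory and a list of mailboxes reported as compromised. All agency names, domains, phone numbers, mailboxes and requests are constructed for illustration.

```python
"""Added example (not the article's, Meta's or Apple's code): emergency data
request intake, naive versus hardened. Every agency, domain, phone number,
mailbox and request below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed directory of pre-registered agencies. The callback number is
# the one the agency registered in advance, never the one typed into a form.
AGENCY_REGISTRY = {
    "example-pd.gov": {"agency": "Example City Police", "callback": "+15555550100"},
    "example-sheriff.gov": {"agency": "Example County Sheriff", "callback": "+15555550200"},
}

# Constructed: agency mailboxes reported as compromised. Requests from these
# are rejected no matter how plausible the rest of the form looks.
KNOWN_COMPROMISED = {"detective.jones@example-pd.gov"}


@dataclass
class EmergencyRequest:
    agent_name: str
    agent_email: str
    contact_phone: str      # supplied by the requester
    justification: str
    target_account: str


@dataclass
class Decision:
    action: str             # "release", "callback" or "reject"
    reasons: list = field(default_factory=list)


def naive_validate(req):
    """The pattern that gets gamed: trust the form's own fields. A plausible
    domain plus a phone number to 'verify' against is enough to release."""
    domain = req.agent_email.rsplit("@", 1)[-1].lower()
    if domain.endswith(".gov") and req.contact_phone:
        return Decision("release", ["domain looks official", "contact phone supplied"])
    return Decision("reject", ["unrecognized domain"])


def hardened_validate(req, registry=AGENCY_REGISTRY, compromised=KNOWN_COMPROMISED):
    """Verify only against data the requester does not control, and never
    release on the strength of the form alone."""
    if "@" not in req.agent_email:
        return Decision("reject", ["malformed email address"])
    domain = req.agent_email.rsplit("@", 1)[-1].lower()
    entry = registry.get(domain)
    if entry is None:
        return Decision("reject", [f"domain {domain} is not pre-registered"])
    if req.agent_email.lower() in compromised:
        return Decision("reject", [f"{req.agent_email} has been reported compromised"])
    reasons = []
    if req.contact_phone != entry["callback"]:
        reasons.append(f"submitted phone {req.contact_phone} differs from the "
                       "registered callback number and is ignored")
    # The disclosure decision is made by a human after calling the registered number.
    reasons.append(f"call back {entry['agency']} at {entry['callback']} before any disclosure")
    return Decision("callback", reasons)


# Constructed sample requests.
LEGIT = EmergencyRequest("Det. A. Smith", "a.smith@example-pd.gov", "+15555550100",
                         "missing child, last seen online", "user:1000000XXXXXXXX")
# Attacker using a compromised agency mailbox and a phone they control.
SPOOFED = EmergencyRequest("Det. R. Jones", "detective.jones@example-pd.gov", "+15555559999",
                           "imminent threat to life", "user:1000000XXXXXXXX")
# Attacker using a real, uncompromised domain but steering the callback to their own phone.
ATTACKER_PHONE = EmergencyRequest("Dep. B. Lee", "b.lee@example-sheriff.gov", "+15555559999",
                                  "imminent threat to life", "user:1000000XXXXXXXX")
# Look-alike domain that was never registered.
UNKNOWN = EmergencyRequest("Agent C. Doe", "agent@example-police.gov", "+15555558888",
                           "imminent threat to life", "user:1000000XXXXXXXX")


if __name__ == "__main__":
    for label, req in [("legit", LEGIT), ("spoofed", SPOOFED),
                       ("attacker phone", ATTACKER_PHONE), ("unknown", UNKNOWN)]:
        print(f"{label:14} naive={naive_validate(req).action:8} "
              f"hardened={hardened_validate(req).action:8} "
              f"{'; '.join(hardened_validate(req).reasons)}")
```

The naive check releases data for every request that carries a .gov address and a phone number, including the one sent from a compromised mailbox and the one that redirects the callback to the attacker's phone. The hardened check never releases from the form alone: it rejects unregistered domains and known-compromised mailboxes, discards the submitted phone number, and routes everything else to a human who calls the number the agency registered in advance.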