>> The engineer's computer was compromised using a real zero-day exploit targeting...
Why so complicated? Zero-day exploit? After all, Facebook is not Iran's nuclear facility. And in case of large software companies social engineering is generally easier and more effective than zero-day exploits.
I'd suggest simulating more realistic attack by anonymous, with attempts to social-engineer facebook employees out of their pa.. laptops.
Facebook is probably more of a target than Iran's nuclear facilities. Having an omniscient view of Facebook's users would be extraordinarily valuable to anyone in power, not to mention the ability to spearfish.
Spear phishing is a specifically targeted phishing attack that appear to come from a legitimate source... often one of authority within the targeted organization.[1]
The vast majority of these sorts of exploits are delivered via spearfishing, which is a form of social exploit in that a human being is fooled into clicking a link or opening a file that contains malicious code. The article doesn't specify, but I would bet that was the vector in this case too.
Also, Anonymous is far from the most sophisticated attacks a company like Facebook will see. They tend to stick to DDOS and easy SQL injections.
While FB may not be a nuclear facility, I can pretty much guarantee you that people who use nuclear facilities (or their equivalent) have FB accounts. And that hacking those accounts and/or the computers that are used to access them would probably be a not good thing.
Facebook has on the order of a billion users. That's a huge cache of interesting content and access no matter how you slice it.
Why so complicated? Zero-day exploit? After all, Facebook is not Iran's nuclear facility. And in case of large software companies social engineering is generally easier and more effective than zero-day exploits.
I'd suggest simulating more realistic attack by anonymous, with attempts to social-engineer facebook employees out of their pa.. laptops.