How Facebook Responded To Tunisian Hacks
jamie writes "Facebook's security team opens up, shedding light on a revolution that could become a parable for Internet activism. Quoting: 'After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on. The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast. Though Sullivan said Facebook has encountered a wide variety of security problems and been involved in various political situations, they'd never seen anything like what was happening in Tunisia.'"
How badly does Facebook's password encryption suck if a man-in-the-middle attack can easily steal everybody's password?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Really is annoying that Facebook defaults to http
When Facebook does something right, they should be commended. They easily could have shrugged their shoulders and said, "Not our problem!"
Gamingmuseum.com: Give your 3D accelerator a rest.
makes you wonder why a country is able to steal its Facebook users' passwords.
If they are doing it, I would be surprised if lots of others aren't too.
Build your own energy sources from scratch. http://otherpower.com/
Could someone post the executive summary for this?
The author doesn't get to the fucking point, and I'm not going to read all that garbage to learn how Facebook's authentication sucks wrt security (assuming that's even mentioned in the article).
The second technical solution they implemented was a "roadblock" for anyone who had logged out and then back in during the time when the malicious code was running. Like Facebook's version of a "mother's maiden name" question to get access to your old password, it asks you to identify your friends in photos to complete an account login.
Hmm, you're trying to log in... Please help us identify your friends first.
This is going to be a great new fake verification for a future authoritarian government.
Article Summary: They switched facebook to use https in Tunisia.
I wish facebook would consider just switching all traffic to https.
Er, Facebook is willing to give up pretty much all your personal details to any third party that asks, so I don't see why this is that much different. I'm surprised they didn't release some lame statement along the lines of 'Oh, this is so you can log in much easier, just let your local government official do it for you and he can do all your shopping and check your Farmville while you are in prison.' FUCK ZUCKERBERG!
So Facebook's sales guy called the President of Tunisia and said "Dude, you have to pay for all that user data just like everyone else does. What makes you think you're special?"
The article is a little light on details, but am I right in thinking that people's session cookies were being sidejacked? AFAIK, despite FB not sending everything over https, the password is sent over https. So I don't see how a keylogger like approach would work to intercept the pw, unless the Tunisian government was smart enough to run something like Moxie Marlinspike's sslstrip where they did a MITM attack and sent unencrypted http traffic to the user and then stole their password. I doubt this was the case because a) they don't seem smart enough and b) no security measure would circumvent this unless people knew not to log in over http.
So now we just wait until the government uses sslstrip...
P.S. - It's unbelievable that in this day and age FB doesn't encrypt the whole session given how trivial session-jacking is.
Now, that's a story..
The real revolution-causing leak will be the naked pics leaks.
Facebook doesn't want anyone accessing their customers' personal information unless Facebook is being compensated.
#DeleteChrome
Every time I see the words "very, very bad" I get a flashback of this:
Babu: You bad man! You very, very bad man!
With his finger saying "uh-uh", going left and right.
Just to find out that they rerouted to https and used the ability to recognize friends' faces to determine if someone was a legitimate account holder.
Facebook doesn't have encryption past the server because they don't use HTTPS with an SSL certificate... they use HTTP, which simply exposes all information that passes to their server. It's only encrypted after it reaches their server.
Everyone knows it's insecure lol. It's the easiest site to hack because it uses client side coding...
At least, I guess they must not...unlike most every other government in the world... If they did, they could still pretend to be Facebook, even when facebook uses https!
Quote from TFA:
Though Sullivan is the unflappable type, the Tunisian situation seemed to force him into a bit of reflection. "When you step back and think about how Internet traffic is routed around the world, an astonishing amount is susceptible to government access," he noted.
Indeed. It happened in Tunisia today, but just remember that there is absolutely no technical reason why it couldn't happen here. Your ISP could do it, your government could do it, and every single last router along the way could do it.
In fact, we pretty much know it IS being done (remember those secret NSA rooms they found at AT&T and all that?); it's just done in a more professional fashion, and the government's not going to tip their hand easily (so if you have something to hide, you're probably safe: they'll know, but they won't act in a way that would give away that they know).
Why again isn't https standard? And why again doesn't Slashdot support https?
Why do you need a country-level solution? Why not a global solution, which implements ALL your country solutions at once?
I want to delete my account but Slashdot doesn't allow it.
Want to have HTTPS on Facebook as default? Show your support in favor of HTTPS. Join the Facebook page. :p
Once again, our friends at the EFF are ahead of the curve. Their HTTPS Everywhere extension, released a few months ago, probably would have beaten this attack by Tunisian security services, or at least made their jobs much harder.
Here's the extension: https://www.eff.org/https-everywhere
Work that donate button a little while you're there.
The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast.
Please tell me that they turned on https for logins by default. Because that is what they should have done.
yeah, the solution is easy: encrypt fucking everything.
As big a fan as I am of HTTPS, it's not only slower than HTTP for the end user, but costs a bunch more in bandwidth and compute (caching problems).
I'd say only HTTP is also more along the lines of Zuckerberg's infamous opinion of his users... in his view they get what they deserve.
Make sure everyone's vote counts: Verified Voting
SSL3/TLS will only protect against MITM attacks if BOTH the client AND the server mutually authenticate. This would require the issuance of a signed certificate to the client, not something that any garden variety retail grade web service does. On the other hand it is quite possible that just using HTTPS would have thwarted the attack simply because it puts a rather higher technical barrier in place and makes it necessary to use more intrusive measures. In any case the point is a good one, HTTPS should be universal for any kind of authentication for a whole raft of reasons.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
... means what you think it does:
a revolution that could become a parable...
Bzzt. wrong
Currently hooked on AMP
Yes, https increases CPU and bandwidth, but if you also include the benefits: reduction in staff, support, bandwidth, cpu, etc currently wasted trying to fix the resulting stolen/hijacked accounts, it would come out ahead, probably way ahead.
Tm
Support TBI Research: http://www.raisinhope.org
I absolutely despise this statement FTFA:
"Facebook needs to own its position as a part of The Way the World Works and provide protections for political speech and actors."
Why is it that activists of all persuasions tend to think that Company X should apply some sort of political guidelines to their business? Facebook is a business, plain and simple. If Facebook as a business takes sides in some sort of political/religious/ethical issue, then the opposing side will stop using the company's services, hurting revenue and damaging or potentially destroying the tool in the first place. Facebook in my mind did the absolute right thing in this situation: they established a set of rules for the use of their service (real identities, no pseudonyms or impersonation of other people, and no hacking other people's accounts), and allow access to whomever wants to partake as long as they follow those rules. When one party attempted to circumvent those rules, Facebook responded in line with their policies and blocked the circumvention. Part of this article appears to imply that Facebook alters its profile to protect political free speech, but its value is far greater as a tool to allow speech of all forms and allow all access to all parties. Political changes belong in the cultural/political arenas of society; the economic arena should be left out of it.
The only thing that matters in a secure system is trust. A better method is for Facebook to exploit the user's and Facebook's mutual knowledge of a shared password to establish a secure channel and prove to each other common knowledge of the password. This way the user knows they are talking to Facebook and Facebook knows they are talking to the user.
Layering plaintext authentication on top of https is better than nothing, but how much better? Given the ridiculous expanse of trusted third parties, any of which has the capability to compromise or sublet the compromise of the entire global system, it is not particularly reassuring, especially when a government is your adversary.
Secure solutions for password authentication without the usual offline attack vectors, such as RFC 5054 (TLS extension), have been around for several years, yet I fear they may never be implemented due to lack of user demand, conspiracy theories regarding the potential for negative impact on the SSL market (good riddance, I say) and questionable patent issues (relevant ones having only recently expired).
If facebook really cares about security they will push browser vendors to implement RFC 5054 (Code or patches are already available for all of the major SSL toolkits)
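The exchange the comment above describes is a password-authenticated key exchange; RFC 5054 carries SRP-6a inside TLS. Below is an added example, written for this thread and not code from RFC 5054, Facebook or the commenter, of the SRP-6a arithmetic run between a client and a server. It assumes a toy group (the prime 2**255 - 19 with g = 2) and SHA-256 without the zero-padding RFC 5054 prescribes; RFC 5054 uses its own 1024- to 8192-bit safe-prime groups and SHA-1, and a real deployment would use those. The point it shows is the one the comment makes: a logging ISP sees the salt, the two ephemerals and the client proof, none of which yields the password, and a server that does not hold the verifier cannot complete the exchange.

```python
import hashlib
import hmac
import secrets

# Toy group (an assumption for this example): 2**255 - 19 is prime, g = 2.
# RFC 5054 specifies its own safe-prime groups, SHA-1 and padded encodings;
# a real deployment uses those, not this toy group.
N = 2**255 - 19
g = 2


def to_bytes(n: int) -> bytes:
    """Big-endian encoding of a non-negative integer."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def H(*parts: bytes) -> int:
    """Hash-to-integer used for k, x and u (SHA-256 here; RFC 5054 uses SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier


def private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str) -> tuple:
    """Registration: the server stores (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


class SrpClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)  # public ephemeral, sent in the clear

    def finish(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:  # reject a degenerate server value (SRP-6a rule)
            raise ValueError("bad server ephemeral")
        u = H(to_bytes(self.A), to_bytes(B))
        x = private_x(salt, self.username, self.password)
        # (B - k*g^x) mod N equals g^b, so S == g^(b*(a + u*x))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(to_bytes(S)).digest()
        # client proof M1: binds the derived key to both ephemerals
        return hashlib.sha256(to_bytes(self.A) + to_bytes(B) + self.K).digest()


class SrpServer:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier

    def challenge(self, A: int) -> tuple:
        if A % N == 0:  # reject a degenerate client value
            raise ValueError("bad client ephemeral")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def verify(self, M1: bytes) -> bool:
        u = H(to_bytes(self.A), to_bytes(self.B))
        # (A * v^u)^b == g^(b*(a + u*x)): the same S, computed without x
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        K = hashlib.sha256(to_bytes(S)).digest()
        expected = hashlib.sha256(to_bytes(self.A) + to_bytes(self.B) + K).digest()
        return hmac.compare_digest(expected, M1)


def run_login(username: str, enrolled_password: str, typed_password: str) -> bool:
    """Full exchange; a passive observer sees only salt, A, B and M1."""
    salt, v = enroll(username, enrolled_password)
    server = SrpServer(salt, v)
    client = SrpClient(username, typed_password)
    salt, B = server.challenge(client.A)
    return server.verify(client.finish(salt, B))


if __name__ == "__main__":
    print(run_login("alice", "correct horse", "correct horse"))  # True
    print(run_login("alice", "correct horse", "wrong horse"))    # False
```

The `% N` checks on `A` and `B` are the SRP-6a rule against a party forcing the shared secret to zero; the client proof is compared with `hmac.compare_digest` so a server does not leak the expected value through timing.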
'Nuff said.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
Agreed, but this part of the article had me intrigued:
I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?
It's called SSL Stripping... It's an old issue, but a recent tool has made it a bit more mainstream. There's a presentation here: http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf. And a tool here: http://www.thoughtcrime.org/software/sslstrip/
The slides are worth looking through. At the root it's a very simple concept: people do not type https into the browser, they usually get to https through a redirect from http. A MiTM can tamper with that and continue talking http with the client... or he can talk https with both client and server (two different connections), but then he needs to play some tricks to get a signed certificate for a domain that looks to the user like facebook.com.
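The comment above locates the attack at the http-to-https redirect, and the browser-side defence that closes that gap (HSTS, later standardized as RFC 6797) only works when a site sends it over https with a long max-age. The following is an added example, not code from the thread, from Facebook or from sslstrip, of the checks a defender would run over captured login-page responses to see whether a site is exposed to exactly that redirect tampering: content served over plain http, an https page redirecting back to http, missing or short HSTS, and session cookies without the Secure flag (the sidejacking case raised elsewhere in the thread). The `Response` type, the one-year threshold and the sample responses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

ONE_YEAR = 31536000  # seconds; the usual floor for a meaningful HSTS max-age
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    scheme: str                      # "http" or "https": how the client reached the server
    status: int
    headers: List[Tuple[str, str]]   # a list so repeated Set-Cookie headers survive


def header_values(resp: Response, name: str) -> List[str]:
    return [v for k, v in resp.headers if k.lower() == name.lower()]


def parse_hsts(value: str):
    """Return (max_age, includeSubDomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                max_age = None
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(resp: Response) -> List[str]:
    """List the weaknesses an on-path party could exploit in this response."""
    findings = []
    location = header_values(resp, "Location")
    redirect_to = location[0].lower() if resp.status in REDIRECTS and location else ""

    if resp.scheme == "http":
        if not redirect_to.startswith("https://"):
            findings.append("plain-http request answered with content instead of a redirect "
                            "to https; the page and any login form in it can be rewritten in transit")
        if header_values(resp, "Strict-Transport-Security"):
            findings.append("HSTS header sent over http is ignored by browsers; it only counts over https")
    else:
        if redirect_to.startswith("http://"):
            findings.append("https response redirects back to plain http: downgrade")
        hsts = header_values(resp, "Strict-Transport-Security")
        if not hsts:
            findings.append("no HSTS: the user's next http:// visit reaches the redirect unprotected")
        else:
            max_age, include_sub = parse_hsts(hsts[0])
            if max_age is None or max_age < ONE_YEAR:
                findings.append(f"HSTS max-age {max_age} is below one year")
            if not include_sub:
                findings.append("HSTS lacks includeSubDomains: subdomains stay unprotected")

    for cookie in header_values(resp, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: the browser will send it over plain http")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HOME = Response("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
])
GOOD_HOME = Response("http", 301, [("Location", "https://example.test/")])
GOOD_TLS = Response("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
])
DOWNGRADE = Response("https", 302, [("Location", "http://example.test/login")])

if __name__ == "__main__":
    for label, r in [("weak", WEAK_HOME), ("redirect", GOOD_HOME),
                     ("tls", GOOD_TLS), ("downgrade", DOWNGRADE)]:
        print(label, audit(r))
```

`WEAK_HOME` is the 2011-era default the thread complains about and yields three findings; `GOOD_HOME` plus `GOOD_TLS` is the pattern that leaves an on-path party nothing to rewrite after the first visit, and `DOWNGRADE` is the https-to-http redirect another poster reports seeing on a carrier site.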
but Sullivan said that Facebook had not seen that happen.
How would they know? the MiTM could easily talk https with facebook.
Most security certificates only specify the domain name of the host. A reverse proxy and a DNS record giving the proxy as the address of the server on the certificate is the basis of the pharming attack. https/ssh/etc. require that you have a trustworthy translation from name to IP address. A corrupt ISP defeats it.
Atlas stands on the earth and carries the celestial sphere on his shoulders.
Ironically, the thing that concerns me the most about this article is not that ISPs were key-logging, but that a journalist refers to the Internet as 'the Cloud'.
Have a muse as to why those in power would love us to think that the Internet has now been replaced by 'the cloud' and maybe you'll share my concern.
Someone else eating their lunch not their problem?
* Those are MY bitches, playa!
* Using and abusing our users is OUR job!
* If someone is going to fuck them in the ass IT'S going to be ME. ... things that might be overheard in Facebook control.
Am I the only one who noticed that the article mentions that the consultant they interviewed, one Ms. Rim Abida, didn't want her full name published, yet they repeatedly do so? Even in the same paragraph.
Unless, of course, that is a fake last name. But it doesn't mention that anywhere.
"Sarcasm is for *winners*, Alan." - Charlie Harper (Two and a Half Men)
> Anyone who logged in during the period of time where passwords were being captured was presented with photos and asked to pick the ones featuring their friends. Then they were asked to choose a new password.
I don't use facebook, but where did FB get those pics? And wouldn't that mean that a determined attacker could successfully bypass this in most/all cases?
Facebook is AOL all over again - stupid users.
Just because something is popular, doesn't mean you should use it. Tweeter falls into this group too.
It's not just social networking sites that have this problem. Verizon's web site makes it really hard to log in with SSL. If you enter the URL https://www.verizon.com/ yourself, it redirects you to the non-SSL page. My favorite trick is to enter dummy username and password values, and click "Log in". Usually, the "login failed, please try again" page uses SSL. Not Verizon's. I eventually found some combination that got me an SSL connection before entering my info, but I don't remember what it was.
I think this is a result of their newly reimplemented web site. They sent out an email saying that customers' web accounts had all been changed, and urging us to click on a link in the email to enter new ones. You know, just like all the phishing attacks. But this one is real: Verizon's web site even has a message saying that those email messages were legit. Most companies repeatedly warn their customers that they should never trust emails that claim to be from the company and ask for your login information (and rightly so). Not Verizon. I hope they fix this before too many of their customers have their info stolen.