Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Facebook Responded To Tunisian Hacks

Posted by Soulskill on from the occupying-the-town-of-zuckerberg dept.

jamie writes "Facebook's security team opens up, shedding light on a revolution that could become a parable for Internet activism. Quoting: 'After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on. The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast. Though Sullivan said Facebook has encountered a wide variety of security problems and been involved in various political situations, they'd never seen anything like what was happening in Tunisia.'"

38 of 227 comments (clear)

  1. Require HTTPS for all connections... by Cryect · · Score: 5, Insightful

    Really is annoying that Facebook defaults to http

    1. Re:Require HTTPS for all connections... by Pojut · · Score: 4, Insightful

      I'd say baffling is more appropriate...as huge as the website is, and with as much personal information being slung around, you'd think they would make it ONLY https at this point...

      --
      Living With a Nerd
    2. Re:Require HTTPS for all connections... by Anonymous Coward · · Score: 4, Insightful

      you lose chat, you lose push notifications and profile editing.

      Awesome! HTTPS actually makes the application less annoying?!?!

    3. Re:Require HTTPS for all connections... by I8TheWorm · · Score: 2

      Erm, embarassing moment... someone already has.

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  2. Kudos to facebook by operagost · · Score: 5, Insightful

    When Facebook does something right, they should be commended. They easily could have shrugged their shoulders and said, "Not our problem!"

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
    1. Re:Kudos to facebook by gparent · · Score: 2

      When they prevent HTTP login and switch to HTTPs, they'll have done something right. This is just PR. Their shitty security allowed this in the first place.

  3. so who's to blame for this one? by lagi · · Score: 2

    makes you wonder why a country is able to steal it's Facebook user's passwords.

  4. HTTPS by gambino21 · · Score: 5, Insightful

    Article Summary: They switched facebook to use https in Tunisia.

    I wish facebook would consider just switching all traffic to https.

    1. Re:HTTPS by jschmitz · · Score: 2

      They are already raking in the bucks - you aren't the customer you are the product

    2. Re:HTTPS by LWATCDR · · Score: 3, Insightful

      Wow $20 a year? You and five other people. They rake in more than that in ad revenue from each "prime" user. Also most people just don't care enough to pay for this service.

      What I find amazing is not that Facebook isn't secure but people expect it to be. This is a place where you "publish" information on the internet. It is not now and never should have been considered a secure communication channel.
      Why doesn't facebook default to https:? My guess is cost. It takes resources to encrypt data and for face book moving everything to https probably would cost a few million dollars in resources.
      And nothing stops you from using https://facebook.com/ does it?

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    3. Re:HTTPS by heypete · · Score: 5, Informative

      Hardware costs would soar if they switched entirely to HTTPS. There is an entire industry making crypto co-processors to handle the load that millions of concurrent HTTPS connections place on an infrastructure.

      SSL accelerators are useful for offloading the CPU-heavy part of the SSL transaction: the RSA key-exchange part. The rest of the secured connection is quite light, particularly when using a fast cipher like RC4. The RSA part can be sped up by using shorter keys (e.g. a 1024-bit key, rather than 2048 or 4096-bits), while still providing modest security (anything is better than nothing).

      That this guy, a Google employee, said the following about SSL:

      In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

      If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.

    4. Re:HTTPS by MattskEE · · Score: 3, Informative

      And nothing stops you from using https://facebook.com/ [facebook.com] does it?

      If you go to https://facebook.com/ you do view an encrypted home page. But all of the links to everything are just non-encrypted http. Unless you copy each link, paste it into the address bar, and prepend 'https://' to it (or write a browser script to do the same) then most of your facebook session will not be secured.

    5. Re:HTTPS by heypete · · Score: 2

      Forgive my second reply, but I failed to mention something in my previous post that is relevant: since Facebook already handles password logins over HTTPS, the heavy lifting (i.e. the RSA key exchange) is already taking place for every user. They can clearly handle that load. It's just that they're wasting those cycles by switching back to an insecure connection afterward.

      Leaving the connection secure with a lightweight cipher like RC4 uses minimal additional resources, is extremely fast, and would be trivial to turn on.

  5. Pay Up by Anonymous Coward · · Score: 5, Insightful

    So Facebook's sales guy called the President of Tunisia and said "Dude, you have to pay for all that user data just like everyone else does. What makes you think you're special?"

  6. Re:Duh by Anonymous Coward · · Score: 5, Informative

    I believe the ISP changed the facebook login page to execute additional javascript to grab the entered password before it was sent off, encrypted, to the fb server. But then again I didn't RTFA...

  7. Light on details by sat1308 · · Score: 3, Insightful

    The article is a little light on details, but am I right in thinking that people's session cookies were being sidejacked? AFAIK, despite FB not sending everything over https, the password is sent over https. So I don't see how a keylogger like approach would work to intercept the pw, unless the Tunisian government was smart enough to run something like Moxie Marlinspike's sslstrip where they did a MITM attack and sent unencrypted http traffic to the user and then stole their password. I doubt this was the case because a) they don't seem smart enough and b) no security measure would circumvent this unless people knew not to log in over http.

    So now we just wait until the government uses sslstrip...

    P.S. - It's unbelievable that in this day and age FB doesn't encrypt the whole session given how trivial session-jacking is.

    1. Re:Light on details by mlts · · Score: 2

      There are a lot of places other than FB which don't encrypt their traffic other than the initial username/password. Mainly because it is cheap to do so (plain http connections after authentication can be cached, no need to set up and tear down encrypted sockets, etc.)

      However what was par for security even last year before widespread sidejacking tools like FireSheep became available is now considered a wide open security risk. Just like how companies have to firewall their networks with the expense involved in having network security, separating departments, and such, companies will have to move to SSL for the entire transaction with their visitors or customers.

    2. Re:Light on details by Nemesisghost · · Score: 2

      In TFA, it states that the only ones susceptible to this attack were those who logged in/out during the attack. If you kept yourself logged in then the attack failed. They were effectively running a keylogger type script.

  8. Executive summary by 93+Escort+Wagon · · Score: 5, Funny

    Facebook doesn't want anyone accessing their customers' personal information unless Facebook is being compensated.

    --
    #DeleteChrome
  9. Re:Duh by reaper · · Score: 3, Insightful

    As bad as every other site that doesn't require https:// for login.

    --
    - Dan
  10. Re:Duh by Yvan256 · · Score: 3, Funny

    Add the character "2" at the end of all current passwords?

  11. Re:Duh by whoever57 · · Score: 2

    How badly does Facebook's password encryption suck if a man-in-the-middle attack can easily steal everybody's password?

    The attack may have been a little more sophisticated. Most pages are loaded over a non-encrypted connection. Just the pasword may be sent over an https connection. However, the use of unencrypted pages for everything else allows man in the middle attacks that insert a javascript keylogger into the reply that logs keystrokes directly from the source PC, not from packets as they cross the wire.

    That's why FB's response was to respond to all requests from Tunisia using https. That's why GMAIL now defaults to 100% https.

    --
    The real "Libtards" are the Libertarians!
  12. Re:Duh by Locke2005 · · Score: 4, Insightful

    A valid point -- end-to-end encryption in both directions is required. Meaning the calls to always use https actually make sense.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  13. Re:Duh by Anonymous Coward · · Score: 4, Interesting

    Anyone who logged in during the period of time where passwords were being captured was presented with photos and asked to pick the ones featuring their friends. Then they were asked to choose a new password.

  14. Re:Duh by kalaudio · · Score: 2
    It looks to me the attack either wasn't that pervasive, or the solution wasn't that thorough:

    Sullivan's team rapidly coded a two-step response to the problem. First, all Tunisian requests for Facebook were routed to an https server. The Https protocol encrypts the information you send across it, so it's not susceptible to the keylogging strategy employed by the Tunisian ISPs.

    Https would still be suceptible to keylogging. I won't detail how the attack would be laid out (wouldn't want to inspire potential attackers ;) ), but https won't protect from a keylogging javascript being attached to the login page by an ISP. Do your research on MIM attacks if anyone wants to find out. So, either the solution won't work, or the attack wasn't as cleverly implemented. And let me say which one it is: both. I've just inspected facebook's login page, and it transmits passwords in the clear (in a POST request), protected only by a MIM-vulnerable https implementation. Yet, the article says facebook reports that their workaround "seems to work". It would only work if the attack was poorly implemented.

  15. Re:Duh by MichaelSmith · · Score: 3, Interesting

    The ISP can run a proxy which pretends to be the user from the point of view of facebook and pretends to be facebook from the point of view of the user. It can run an https connection to facebook and forward it to the user as a plain http connection. That way it can record or change anything in the facebook session and the user probably won't be aware that the proxy is there.

    The proxy could also run an https connection between the proxy and the user but that is more difficult because encryption software in the browser would alert the user that the proxy is not facebook. However if the browser has been fiddled with its game over for the user on many levels. Lots of people in the third world access the internet from internet cafes. One place I used in Malaysia has a single windows image which is booted across the LAN when a workstation is started. If the Government got their own software on to the server with that image, or changed the template for all the internet cafes then it would be impossible to guarantee security.

    --
    http://michaelsmith.id.au
  16. Re:Duh by jdogalt · · Score: 2

    Agreed, but this part of the article had me intrigued:

    It wasn't a totally perfect solution. Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.

    I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?

    Not like I've RTFA or anything, or even an expert, but my guess is simply the issue of- facebook _allows_ http logins, so all a nefarious government/network need do is break https for the site. I.e. the solution is to not have an unencrypted option, such that if a gov/net breaks https, instead of falling back to an insecure login, people get pissed that they can't use the site at all, and thus it becomes a high profile news story, etc.

  17. HTTPS Everywhere by metrometro · · Score: 4, Informative

    Once again, our friends at the EFF are ahead of the curve. Their HTTPS Everywhere extension, released a few months ago, probably would have beaten this attack by Tunisian security services, or at least made their jobs much harder.

    Here's the extension: https://www.eff.org/https-everywhere

    Work that donate button a little while you're there.

  18. Https as commonly employed isn't enough by Giant+Electronic+Bra · · Score: 2

    SSL3/TLS will only protect against MITM attacks if BOTH the client AND the server mutually authenticate. This would require the issuance of a signed certificate to the client, not something that any garden variety retail grade web service does. On the other hand it is quite possible that just using HTTPS would have thwarted the attack simply because it puts a rather higher technical barrier in place and makes it necessary to use more intrusive measures. In any case the point is a good one, HTTPS should be universal for any kind of authentication for a whole raft of reasons.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    1. Re:Https as commonly employed isn't enough by Mysteray · · Score: 4, Insightful

      In theory, only one end needs to authenticate the other.

      In practice, the website depends on the client to do a good job of this. So if you're running MS Windows, the Tunisan government can put a trusted root certificate in your computer with the endorsement of Microsoft. So even running https everywhere will not save Facebook from Microsoft.

      Try it yourself. If you have access to a Windows machine, visit http://bit.ly/eWYRbA in IE then check your personal cert store for Agence Nationale de Certification Electronique.

      If you think this is a big deal, retweet it or spread the word in other ways. I'm at a loss to explain why people aren't realizing the magnitude of this.

      Of course, what's even better is that it's a CODE SIGNING cert. ;-) Now that's what I call pwned!

    2. Re:Https as commonly employed isn't enough by BBTaeKwonDo · · Score: 4, Informative

      FWIW, since Chrome on Windows re-uses some (maybe all?) of IE's networking layer, you can use Chrome instead of IE to reproduce this. There is a caveat - you need the "Update Root Certificates" program which was included in Windows XP SP2.

      This page has a nice writeup of the problem and mentions that Vista or higher behave differently (not really better, just differently).

    3. Re:Https as commonly employed isn't enough by Mysteray · · Score: 2

      No, only one party needs a certificate (call them party S for server). The other party (C for client) picks a random symmetric key and encrypts it to the public key of S. S decrypts it and the two ends can exchange data.

      This is a (greatly oversimplified) overview of how SSL usually works, without client certificates. The CA is necessary because the client doesn't know the server's cert in advance. It does have the limitation that S cannot prove the absence of a man-in-the-middle, but C can. In practice, S relies on C to do a good job of this. If C trusts a corrupt CA, then all bets are off.

      SSL was originally designed to make people feel comfortable typing their credit card numbers into web forms on the internet. So it didn't originally provide any way for the server to prove the security of the connection (hey as long as the card goes through, right?)

      Apparently Mozilla doesn't accept Tunisia as a trusted CA at this time. I blogged about this issue regarding CNNIC.

  19. No Kudos to facebook by Tmack · · Score: 2
    Like others have said, this is easily preventable. HTTPS. Make the http login page redirect to https, and make pages default to https and no more login stealing-by-snooping (firesheep) will work. As is, you can login via https, but all the links on the page are http. VERY annoying.

    Yes, https increases CPU and bandwidth, but if you also include the benefits: reduction in staff, support, bandwidth, cpu, etc currently wasted trying to fix the resulting stolen/hijacked accounts, it would come out ahead, probably way ahead.

    Tm

    --
    Support TBI Research: http://www.raisinhope.org
  20. Re:Duh by TheMidget · · Score: 3, Interesting

    Meaning the calls to always use https actually make sense.

    Indeed. Most (all?) those online services, whether it be yahoo, facebook or myspace have their login box accessible from their main (non https) page. Even though login itself may be encrypted, the user is not supposed to enter the https himself, but he is instead redirected to a https page once he clicks login.

    ... which makes it easy to hijack this first step, and unless the user doublechecks the URL just before login for https, he will fall for it.

    It's scary how easy this is (I once did it for a friend who wanted to spy on his estranged wife), and you don't even need any funny javascript. Just have a proxy that substitutes https://login.service.com/ with http://login.service.com/ and you're set.

    This also makes those obnoxiously scary "bad certificate" warnings so pointless: the smart man-in-the-middle will avoid the certificate issue entirely, and just redirect everything to non-encrypted http.

    The only solution to this is to make the user aware of the process. Make it explicit that in order to login, you need to go to https://www.facebook.com/ or https://yahoo.com/ . That way, the user is forced to "do the right thing" if he wants to log in, and an interloper will have much more trouble intercepting. Instead of just hacking up a quick proxy perl script, he'll actually have to ask TunisCert to issue a fake certificate...

  21. Re:Duh by DavidRawling · · Score: 3, Insightful

    It *is* possible to encrypt the password for real before the password gets passed to the server, by means of using some javascript with a one-way encryption (think pgp) and a public key, but that would require disclosing the public key as well as the encryption algorithm being used, which isn't very good mojo.

    WTF? There's nothing wrong with disclosing the public key (hint: it's right there in the name. You can encrypt with the public key, publish the key on websites, in newspapers, hell broadcast it on national radio - it doesn't matter. That's the point. Just don't publish the private key.

  22. Facebook ... Security ... by Kittenman · · Score: 2

    'Nuff said.

    --
    "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
  23. SSL Strip by js_sebastian · · Score: 2

    Agreed, but this part of the article had me intrigued:

    It wasn't a totally perfect solution. Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.

    I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?

    It's called SSL Stripping... It's an old issue, but a recent tool has made it a bit more mainstream. There's a presentation here: http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf. And a tool here: http://www.thoughtcrime.org/software/sslstrip/

    The slides are worth looking through. At the root it's a very simple concept: people do not type https into the browser, they usually get to https through a redirect from http. A MiTM can tamper with that and continue talking http with the client... or he can talk https with both client and server (two different connections), but then he needs to play some tricks to get a signed certificate for a domain that looks to the user like facebook.com.

    but Sullivan said that Facebook had not seen that happen.

    How would they know? the MiTM could easily talk https with facebook.

  24. Re:Duh by petermgreen · · Score: 4, Informative

    Or just find a CA that is either sympathetic to your cause or subject to your coercion.

    read and weep. A list this long and spread through so many different countries is not the way to run a tight ship security wise.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register