Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Facebook Responded To Tunisian Hacks

Posted by Soulskill on from the occupying-the-town-of-zuckerberg dept.

jamie writes "Facebook's security team opens up, shedding light on a revolution that could become a parable for Internet activism. Quoting: 'After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on. The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast. Though Sullivan said Facebook has encountered a wide variety of security problems and been involved in various political situations, they'd never seen anything like what was happening in Tunisia.'"

15 of 227 comments (clear)

  1. Require HTTPS for all connections... by Cryect · · Score: 5, Insightful

    Really is annoying that Facebook defaults to http

    1. Re:Require HTTPS for all connections... by Pojut · · Score: 4, Insightful

      I'd say baffling is more appropriate...as huge as the website is, and with as much personal information being slung around, you'd think they would make it ONLY https at this point...

      --
      Living With a Nerd
    2. Re:Require HTTPS for all connections... by Anonymous Coward · · Score: 4, Insightful

      you lose chat, you lose push notifications and profile editing.

      Awesome! HTTPS actually makes the application less annoying?!?!

  2. Kudos to facebook by operagost · · Score: 5, Insightful

    When Facebook does something right, they should be commended. They easily could have shrugged their shoulders and said, "Not our problem!"

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  3. HTTPS by gambino21 · · Score: 5, Insightful

    Article Summary: They switched facebook to use https in Tunisia.

    I wish facebook would consider just switching all traffic to https.

    1. Re:HTTPS by heypete · · Score: 5, Informative

      Hardware costs would soar if they switched entirely to HTTPS. There is an entire industry making crypto co-processors to handle the load that millions of concurrent HTTPS connections place on an infrastructure.

      SSL accelerators are useful for offloading the CPU-heavy part of the SSL transaction: the RSA key-exchange part. The rest of the secured connection is quite light, particularly when using a fast cipher like RC4. The RSA part can be sped up by using shorter keys (e.g. a 1024-bit key, rather than 2048 or 4096-bits), while still providing modest security (anything is better than nothing).

      That this guy, a Google employee, said the following about SSL:

      In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

      If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.

  4. Pay Up by Anonymous Coward · · Score: 5, Insightful

    So Facebook's sales guy called the President of Tunisia and said "Dude, you have to pay for all that user data just like everyone else does. What makes you think you're special?"

  5. Re:Duh by Anonymous Coward · · Score: 5, Informative

    I believe the ISP changed the facebook login page to execute additional javascript to grab the entered password before it was sent off, encrypted, to the fb server. But then again I didn't RTFA...

  6. Executive summary by 93+Escort+Wagon · · Score: 5, Funny

    Facebook doesn't want anyone accessing their customers' personal information unless Facebook is being compensated.

    --
    #DeleteChrome
  7. Re:Duh by Locke2005 · · Score: 4, Insightful

    A valid point -- end-to-end encryption in both directions is required. Meaning the calls to always use https actually make sense.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  8. Re:Duh by Anonymous Coward · · Score: 4, Interesting

    Anyone who logged in during the period of time where passwords were being captured was presented with photos and asked to pick the ones featuring their friends. Then they were asked to choose a new password.

  9. HTTPS Everywhere by metrometro · · Score: 4, Informative

    Once again, our friends at the EFF are ahead of the curve. Their HTTPS Everywhere extension, released a few months ago, probably would have beaten this attack by Tunisian security services, or at least made their jobs much harder.

    Here's the extension: https://www.eff.org/https-everywhere

    Work that donate button a little while you're there.

  10. Re:Https as commonly employed isn't enough by Mysteray · · Score: 4, Insightful

    In theory, only one end needs to authenticate the other.

    In practice, the website depends on the client to do a good job of this. So if you're running MS Windows, the Tunisan government can put a trusted root certificate in your computer with the endorsement of Microsoft. So even running https everywhere will not save Facebook from Microsoft.

    Try it yourself. If you have access to a Windows machine, visit http://bit.ly/eWYRbA in IE then check your personal cert store for Agence Nationale de Certification Electronique.

    If you think this is a big deal, retweet it or spread the word in other ways. I'm at a loss to explain why people aren't realizing the magnitude of this.

    Of course, what's even better is that it's a CODE SIGNING cert. ;-) Now that's what I call pwned!

  11. Re:Duh by petermgreen · · Score: 4, Informative

    Or just find a CA that is either sympathetic to your cause or subject to your coercion.

    read and weep. A list this long and spread through so many different countries is not the way to run a tight ship security wise.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  12. Re:Https as commonly employed isn't enough by BBTaeKwonDo · · Score: 4, Informative

    FWIW, since Chrome on Windows re-uses some (maybe all?) of IE's networking layer, you can use Chrome instead of IE to reproduce this. There is a caveat - you need the "Update Root Certificates" program which was included in Windows XP SP2.

    This page has a nice writeup of the problem and mentions that Vista or higher behave differently (not really better, just differently).