Slashdot Mirror


Facebook Employees' Laptops Compromised; User Data Believed Safe

Trailrunner7 writes "Laptops belonging to several Facebook employees were compromised recently and infected with malware that the company said was installed through the use of a Java zero-day exploit that bypassed the software's sandbox. Facebook claims that no user data was affected by the attack and says that it has been working with law enforcement to investigate the attack, which also affected other unnamed companies. Facebook officials did not identify the specific kind of malware that the attackers installed on the compromised laptops, but said that the employee's machines were infected when they visited a mobile developer Web site that was hosting the Java exploit. When the employees visited the site, the exploit attacked a zero-day vulnerability in Java that was able to bypass the software's sandbox and enable the attackers to install malware. The company said it reported the vulnerability to Oracle, which then patched the Java bug on Feb. 1."


  1. thats what happens when by Anonymous Coward · · Score: 2, Insightful

    you use windows as your dev environment

    1. Re:thats what happens when by Anonymous Coward · · Score: 1

      or perhaps it's because the comment was trolling?

    2. Re:thats what happens when by drankr · · Score: 1, Insightful

      How was it trolling? Why doesn't the article state what OS those laptops were running? Hmm? Because it's the most insecure OS known to mankind, Windows, and it doesn't even have to be said any longer? Or because the writers are pathetically unprofessional and are deliberately withholding the facts here? Either way, I don't know.

    3. Re: thats what happens when by cyber-vandal · · Score: 3, Informative

      It's "would have" you ignorant moron.

    4. Re: thats what happens when by Anonymous Coward · · Score: 2, Funny

      What's a "beehive asshole"?

    5. Re: thats what happens when by cyber-vandal · · Score: 1

      It's a common piece of UK English fuckwittery from semi-literate fuckwits who don't know their own language.

    6. Re: thats what happens when by greenfruitsalad · · Score: 1

      English IS his first language. Nobody who learned English as their second language would write "would of". This is similar to the "they're, their, there" type of mistake. Only native speakers have a problem with this.
      First time I came across "would of", I had to look it up on Google.

  2. It's good they'll protect your data from thieves.. by Anonymous Coward · · Score: 4, Insightful

    but who's gonna protect people's data from Facebook itself?

  3. Safe? by DoofusOfDeath · · Score: 5, Insightful

    Given Facebook's MO, users should assume that anything Facebook, Inc. had access to is already in the hands of people you can't trust.

    Them being hacked is pretty irrelevant.

    1. Re:Safe? by elucido · · Score: 1

      Are you accusing Mark Zuckerberg of being a hacker?

    2. Re:Safe? by KiloByte · · Score: 5, Funny

      Are you accusing Mark Zuckerberg of being a hacker?

      No, most hackers can be expected to have some basic integrity.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

    3. Re:Safe? by bjwest · · Score: 1

      Please tell me where in that statement you got the idea he was implying Zuckerberg is a hacker. Even using the popular, but incorrect, definition of hacker does not apply here as Mark Zuckerberg owns Facebook and I'm sure he has no need to "hack" into the system to get at any information he wants.

      --

      --- Keep the choice with the user..

    4. Re:Safe? by oztiks · · Score: 1

      What's more disconcerting is the incident being made public now. Why a month after the incident occurred? Are they afraid of an Anonymous hacktivism-style attack? Are they trying to spare embarrassment over critical systems that may have been impacted?

      They did speak of source code snippets and internal emails being on these particular laptops, TBH, that's worse than what Sally did on the weekend IMHO.

      And the blame China point, another case of "here we go again", what is inferred by bringing this up?

    5. Re:Safe? by oztiks · · Score: 1

      Hacker Way, Hacker-Freakin-Way ...

      He just made real hackers around the world cringe after he did that.

    6. Re:Safe? by History's+Coming+To · · Score: 1

      "Owns" != "Has a right to the data". If the CEO of a major bank wanted to see every purchase his ex-wife makes he can't just call the data up, any sensible company will have need-to-know policies in place to prevent abuse and afford some deniability, regardless of how high up the request comes from. I don't doubt a bank CEO could get access to his ex-wife's data, but I'd be very surprised if any company would admit that policy is simply to hand over any data to the bloke in charge without any control or oversight.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.

    7. Re:Safe? by Runaway1956 · · Score: 2

      Zuckerberg has successfully social-engineered about half the people in the US. Social engineering is a hacker skill, isn't it? People fall all over themselves to provide Zuck with their personal details.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    8. Re:Safe? by bjwest · · Score: 1

      "Not having a right to the data but still having access to it" != "hacking", any more than a janitor of a building is a lockpicker if he has a master key and goes into a room he's been told to stay out of. It may get him in trouble, but he did not break into the room.

      --

      --- Keep the choice with the user..

    9. Re:Safe? by bjwest · · Score: 1

      Interesting way to look at it and something I didn't consider. However, even though that would apply to the overall picture of FaceBook, going back to the OC, it doesn't apply to my original question.

      --

      --- Keep the choice with the user..

    10. Re:Safe? by History's+Coming+To · · Score: 1

      Yeah, it all comes down to your definition of hacking, which as you point out, isn't well defined.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.

    11. Re:Safe? by tlhIngan · · Score: 1

      Well, if you meant to keep it private, why did you post it online for the world to see?

      Oh, right, so-called "privacy" controls. Which are a brilliant social engineering hack meant to extract more information from users who wouldn't otherwise readily give it up. Unless you can control all your friends, anything they can see, the world can see. All it takes is someone to re-post it, or mention it or something and the beans are spilled.

      Truth is, anything you post online is public. As someone's very famous sister found out when one of her "friends" re-posted a family photo and put it up on Twitter as well.

      Sorry, the old adage is still true - don't put online stuff that you want to remain private. And stuff that ends up on the internet, stays on the internet.

  4. Wait, this increased security? by squiggleslash · · Score: 2

    Facebook's users finally have privacy because someone got in and hacked into Facebook's laptops? What did they do, disable the graph API?

    --
    You are not alone. This is not normal. None of this is normal.

    1. Re:Wait, this increased security? by oztiks · · Score: 2

      The word on the street is that they tied FB profile authentication in with their lobby entrance security systems, so unless you have a FB profile you can't enter the building.

    2. Re:Wait, this increased security? by History's+Coming+To · · Score: 1

      True or a snarky comment about the ubiquity of "login with facebook"? I honestly can't tell any more.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.

  5. No user data was compromised by 2phar · · Score: 5, Funny

    Well, that's good to know. I'd hate to think of all that sensitive personal data falling into the hands of some evil corporation that would exploit it to make money with no concern for the privacy of the people involved.

    1. Re:No user data was compromised by Barsteward · · Score: 1

      I want to know how they can say for sure that none of the data was lifted off the computers.

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)

    2. Re:No user data was compromised by Nidi62 · · Score: 1

      The data might be safer with hackers than it is with the corporations Facebook sells it to

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil

    3. Re:No user data was compromised by History's+Coming+To · · Score: 1

      Or, if they've got any sense, they use dummy data for dev work like everybody else in the world.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.

  6. User data should never be decrypted. by elucido · · Score: 2, Interesting

    I don't see why it would be so difficult to keep user data safe. Keep it encrypted, use a VPN, stream the data to memory but never store any of it unencrypted.

    1. Re:User data should never be decrypted. by History's+Coming+To · · Score: 1

      Exposing user data is what Facebook's business is, just in a controlled manner depending on how much info or money you give them. Clients (e.g. advertisers), well, that's a different matter, but this was user data, not client data.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.

    2. Re:User data should never be decrypted. by phantomfive · · Score: 1

      Is there any company in the world that encrypts more than passwords/CC numbers? I don't think many companies do that...

      --
      "First they came for the slanderers and i said nothing."

    3. Re:User data should never be decrypted. by elucido · · Score: 1

      Yes, there's...ways to improve on this, partial tables, encrypted tables with some info, nega-databases, and homomorphic encrypted operations. I'm sure every single one of your developers has a PhD and is intimately familiar with zero knowledge proofs and protocols? No...? Well then, shaddup. No, you can't even train them or give them the papers to read -- they'll implement it wrong.

      But that is the direction we should be going. If it's implemented wrong then the buggy code will be fixed and eventually it will be implemented right. It should be done and the only excuse you have not to do it is that it would cost too much in CPU resources or be too hard. What is more important than user data? The user is most important and the user data is sacred. That has to be protected and it's Facebook with their goddamn lax policies that help destroy the foundation of the internet itself.

      But the bottom line is most encryption only protects data at rest. Stone cold rest in a drive that's powered off. Anything else -- we can get to. I don't mean hackers. I mean remotely competent sysadmins, devs, devops -- even management with a properly written disaster recovery document.

      Encryption protects data in transmission over the internet all the time. When you transmit your credit card information it's encrypted via https/ssl. Asymmetric encryption also protects data fairly well. Fully homomorphic encryption is new but a company like Facebook has enough resources to start work on a practical implementation. The problem right now is it's incredibly slow and not very optimized but that could change.

      Your argument is that you can't train people to understand certain things or that there aren't programmers who can implement it? That is complete and utter bs. Facebook has the money and can hire whoever they want to hire and if you pay someone 100k a year to study and program it then I'm certain they could. It's complicated but it's not so complicated that you couldn't study it and be trained. So I say why not study it? Oh yeah, because Facebook doesn't seem to care about privacy, about user data security, about encryption, when they released they weren't even using https!

      Btw, yes, I have written programs and I know about the client-server relationship. I also know enough about encryption to know that you actually CAN secure a laptop. If the data is stored elsewhere, such as in the cloud, and connected to via VPN, and that connection is closed off and encrypted, that would be a start, but the best solution is not to give employees access to user data from their laptop. Go to the office, where we can monitor every employee on every computer and where we can at least filter stuff like Java and other malware so it does not contaminate the environment. Letting anyone connect their laptop to the network, then take it home, and then on top of that allowing Java to run on it? Just plain stupid. They should have removed Java and everything not absolutely required for the task.

  7. Useless articles by Anonymous Coward · · Score: 4, Insightful

    What's the point of these articles that announce that so-and-so company's systems have been hacked? They never contain any forensic information about the exploits other than to loosely identify the vulnerable software the bad guys used to get into the system. No identification of the malware installed, no identification of the OSes the laptops were running, no identification of any antivirus products that turned out to be completely useless in stopping the attacks. IOW, no goddamn information that would be useful to anyone who wanted to protect themselves from attack, or at least detect whether their systems were already compromised.

    The lack of forensic details about the attack provided by Facebook or any of the other companies hit with the Java exploit causes great doubt about their claims that no user data was accessed.

  8. In other news by houghi · · Score: 1

    A man gave way to a car and no accident happened.

    Are we in such a bad shape that NOT compromising personal data has become the news worthy factor?

    --
    Don't fight for your country, if your country does not fight for you.

  9. "zero day" is as bad as l337 speak by Anonymous Coward · · Score: 3, Interesting

    Can we all stop saying zero day? It's just an attempt to sound cool and hackish and it means nothing. It's a vulnerability, and it has an exploit and no patch is available, as opposed to unpatched.

    If they release new software that they brag is secure, and you have an exploit that already compromises a vuln, ok, you have a zero day because that's day one of something. Then it makes sense. Otherwise, it's false street cred and bravado.

    1. Re:"zero day" is as bad as l337 speak by Anonymous Coward · · Score: 1

      You might not be old enough, but "zero day" originally meant that software was cracked and distributed via BBS on the same day it was released. That is what zero day meant. Zero-day warez was the status groups like Quartex and Fairlight aspired to achieve.

      THAT is what zero day meant.

  10. How about embedded devices by Anonymous Coward · · Score: 1

    Ok, Java is hosed, most of Adobe is hosed etc...

    But has anybody ever considered the dangers of embedded Linux devices in a company? Some of these things are pretty powerful with the right ARM socket and shady firmware, and make the perfect backdoor into whatever corporate infrastructure. It's not that everybody is equipped with the latest firewall, the latest IDS, or the latest Layer 7 proxy or DPI on SSL, and even then, DPI on SSL or Layer 7 proxies can be performance hogs in a time when end users want to have a webpage loaded in 0.0000001 seconds. /conspiracy-theory: Make some overhyped BIG Ltd with cheap embedded solutions, send demo units to the whole world and your backdoor/botnet is in place. Don't put a real backdoor in it, just make it 'vulnerable' and if someone would find an exploit, patch it, like the good guys, and introduce another one.

  11. How's your fancy pants coding parties now? by Anonymous Coward · · Score: 1

    Turns out Facebook employees don't know what the fuck they're doing. Keep drinking the beer, at least that'll give you good memories later in life.

  12. Re:It's good they'll protect your data from thieve by oztiks · · Score: 1

    A photo of the hacker planting the malware can be found here.

  13. oh the irony by milkmage · · Score: 1

    http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/

    "The FBI e-mail, zero-day exploit, and backdoor code, it turns out, were part of an elaborate drill Facebook executives devised to test the company's defenses and incident responders. The goal: to create a realistic security disaster to see how well employees fared at unraveling and repelling it. While the attack was simulated, it contained as many real elements as possible."

  14. Who cares? by ilsaloving · · Score: 2

    Your data was spread across the 4 winds as soon as you started using Facebook.

    The only "problem" here is that your data has now been around the globe without Facebook getting to monetize the transaction.

  15. "User Data Safe" by Mark+Rawls · · Score: 3, Insightful

    I think that's the first time that the phrases "user data believed safe" and "Facebook" have been uttered in the same sentence.