Forgot your password?
typodupeerror
Facebook Security Social Networks The Internet IT Politics

How Facebook Responded To Tunisian Hacks 227

Posted by Soulskill
from the occupying-the-town-of-zuckerberg dept.
jamie writes "Facebook's security team opens up, shedding light on a revolution that could become a parable for Internet activism. Quoting: 'After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on. The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast. Though Sullivan said Facebook has encountered a wide variety of security problems and been involved in various political situations, they'd never seen anything like what was happening in Tunisia.'"
This discussion has been archived. No new comments can be posted.

How Facebook Responded To Tunisian Hacks

Comments Filter:
  • by Locke2005 (849178)
    How badly does Facebook's password encryption suck if a man-in-the-middle attack can easily steal everybody's password?
    • Re:Duh (Score:5, Informative)

      by Anonymous Coward on Monday January 24, 2011 @05:01PM (#34986272)

      I believe the ISP changed the facebook login page to execute additional javascript to grab the entered password before it was sent off, encrypted, to the fb server. But then again I didn't RTFA...

      • Re:Duh (Score:5, Insightful)

        by Locke2005 (849178) on Monday January 24, 2011 @05:12PM (#34986460)
        A valid point -- end-to-end encryption in both directions is required. Meaning the calls to always use https actually make sense.
        • SSL3/TLS will only protect against MITM attacks if BOTH the client AND the server mutually authenticate. This would require the issuance of a signed certificate to the client, not something that any garden variety retail grade web service does. On the other hand it is quite possible that just using HTTPS would have thwarted the attack simply because it puts a rather higher technical barrier in place and makes it necessary to use more intrusive measures. In any case the point is a good one, HTTPS should be
          • by Mysteray (713473) on Monday January 24, 2011 @07:16PM (#34988134) Homepage

            In theory, only one end needs to authenticate the other.

            In practice, the website depends on the client to do a good job of this. So if you're running MS Windows, the Tunisan government can put a trusted root certificate in your computer with the endorsement of Microsoft. So even running https everywhere will not save Facebook from Microsoft.

            Try it yourself. If you have access to a Windows machine, visit http://bit.ly/eWYRbA [bit.ly] in IE then check your personal cert store for Agence Nationale de Certification Electronique.

            If you think this is a big deal, retweet it [twitter.com] or spread the word in other ways. I'm at a loss to explain why people aren't realizing the magnitude of this.

            Of course, what's even better is that it's a CODE SIGNING cert. ;-) Now that's what I call pwned!

            • by BBTaeKwonDo (1540945) on Monday January 24, 2011 @08:21PM (#34988840)
              FWIW, since Chrome on Windows re-uses some (maybe all?) of IE's networking layer, you can use Chrome instead of IE to reproduce this. There is a caveat - you need the "Update Root Certificates" program which was included in Windows XP SP2.

              This page has a nice writeup of the problem [proper.com] and mentions that Vista or higher behave differently (not really better, just differently).
        • Re: (Score:3, Interesting)

          by TheMidget (512188)

          Meaning the calls to always use https actually make sense.

          Indeed. Most (all?) those online services, whether it be yahoo, facebook or myspace have their login box accessible from their main (non https) page. Even though login itself may be encrypted, the user is not supposed to enter the https himself, but he is instead redirected to a https page once he clicks login.

          ... which makes it easy to hijack this first step, and unless the user doublechecks the URL just before login for https, he will fall for it.

          It's scary how easy this is (I once did it for a friend w

      • by kalaudio (1968112)
        It looks to me the attack either wasn't that pervasive, or the solution wasn't that thorough:

        Sullivan's team rapidly coded a two-step response to the problem. First, all Tunisian requests for Facebook were routed to an https server. The Https protocol encrypts the information you send across it, so it's not susceptible to the keylogging strategy employed by the Tunisian ISPs.

        Https would still be suceptible to keylogging. I won't detail how the attack would be laid out (wouldn't want to inspire potential attackers ;) ), but https won't protect from a keylogging javascript being attached to the login page by an ISP. Do your research on MIM attacks if anyone wants to find out. So, either the solution won't work, or the attack wasn't as cleverly implemented. And let me say which one it is

        • by icebike (68054)

          https won't protect from a keylogging javascript being attached to the login page by an ISP.

          It would protect if there was no http login page. You have to get the javascript installed before you launch https because you can't get it installed later.

          With most browsers, simply having the http page remap to the https page leaves the keylogger free to continue to run. But if you start your session with https you are reasonably safe from key loggers done in javascript.

    • by h00manist (800926)
      I wonder how they're going to fix it now that the passwords are all stolen already.
    • Re:Duh (Score:4, Insightful)

      by reaper (10065) on Monday January 24, 2011 @05:06PM (#34986370) Homepage Journal

      As bad as every other site that doesn't require https:// for login.

      • Agreed, but this part of the article had me intrigued:

        It wasn't a totally perfect solution. Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.

        I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?

        • They may just mean that an ISP can modify the HTML delivered to the user so that the form submit action is set to the http address vs https.
        • by Jahava (946858)

          Agreed, but this part of the article had me intrigued:

          It wasn't a totally perfect solution. Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.

          I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?

          I think it's simple: Facebook allows HTTP logins, but defaults to HTTPS. The ISP could respond to the initial HTTPS request with a redirect to the regular HTTP version.

        • Re:Duh (Score:4, Interesting)

          by MichaelSmith (789609) on Monday January 24, 2011 @05:28PM (#34986702) Homepage Journal

          The ISP can run a proxy which pretends to be the user from the point of view of facebook and pretends to be facebook from the point of view of the user. It can run an https connection to facebook and forward it to the user as a plain http connection. That way it can record or change anything in the facebook session and the user probably won't be aware that the proxy is there.

          The proxy could also run an https connection between the proxy and the user but that is more difficult because encryption software in the browser would alert the user that the proxy is not facebook. However if the browser has been fiddled with its game over for the user on many levels. Lots of people in the third world access the internet from internet cafes. One place I used in Malaysia has a single windows image which is booted across the LAN when a workstation is started. If the Government got their own software on to the server with that image, or changed the template for all the internet cafes then it would be impossible to guarantee security.

        • by jdogalt (961241)

          Agreed, but this part of the article had me intrigued:

          It wasn't a totally perfect solution. Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.

          I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?

          Not like I've RTFA or anything, or even an expert, but my guess is simply the issue of- facebook _allows_ http logins, so all a nefarious government/network need do is break https for the site. I.e. the solution is to not have an unencrypted option, such that if a gov/net breaks https, instead of falling back to an insecure login, people get pissed that they can't use the site at all, and thus it becomes a high profile news story, etc.

        • by jonbryce (703250)

          The conncection from home computer to ISP proxy server is by http. The connction from ISP proxy server to Facebook is by https. The proxy server can then modify the page before sending it unsecured to the home computer.

        • Agreed, but this part of the article had me intrigued:

          It wasn't a totally perfect solution. Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.

          I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?

          It's called SSL Stripping... It's an old issue, but a recent tool has made it a bit more mainstream. There's a presentation here: http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf [blackhat.com]. And a tool here: http://www.thoughtcrime.org/software/sslstrip/ [thoughtcrime.org]

          The slides are worth looking through. At the root it's a very simple concept: people do not type https into the browser, they usually get to https through a redirect from http. A MiTM can tamper with that and conti

    • by whoever57 (658626)

      How badly does Facebook's password encryption suck if a man-in-the-middle attack can easily steal everybody's password?

      The attack may have been a little more sophisticated. Most pages are loaded over a non-encrypted connection. Just the pasword may be sent over an https connection. However, the use of unencrypted pages for everything else allows man in the middle attacks that insert a javascript keylogger into the reply that logs keystrokes directly from the source PC, not from packets as they cross the

    • How badly does Facebook's password encryption suck if a man-in-the-middle attack can easily steal everybody's password?

      How exactly was Facebook supposed to encrypt the users' passwords before receiving them? If you know how to do this then I'll write you a check right now.

      • I think I can help a little here. If you aren't using https for logins, then you can do some password hashing tricks to make things much more secure. I developed a similar solution for this at my last job. I checked some other sites to see if they used it when I developed my solution and found that yahoo email did pretty much exactly the same thing when they were using http (non-secure) logins.

        Basically the idea is something like this:

        *) Server sends a random long string along with form. This string has a t

        • and without a client key, you can spoof the login page (redirect to http if you like), add some JS that hands you the password, and you're done. Not sure what you expect to do with the token.
          • Good point. The solution I mentioned only works when ISP or middleman isn't injecting things. Sorry about the unnecessary reply.

    • I could have stolen innumerable facebook passwords when I was in college. When you register your computer for the campus network, you can choose your hostname, which would then be a FQDN -- <myhost>.<university name>.edu . So I registered the "facebook" hostname, and any time someone on the campus network typed in "facebook" (without the .com), it would resolve to me. I ran a redirect to my profile page on facebook.com, just for the hell of it (I eventually got, um, told that I should find bette
      • Feel lucky you didn't end up in front of a judge.
      • Good evening Mr By I represent the Government of Tunisia. A new future awaits you as an employee of the fastest growing security establishment in Africa...

    • by rwven (663186)

      Facebook doesnt use an SSL login page.... It was totally unencrypted.

    • I guess Facebook needs to hire another 500 engineers. [slashdot.org]
  • by Cryect (603197) on Monday January 24, 2011 @04:57PM (#34986198)
    Really is annoying that Facebook defaults to http
    • by Pojut (1027544) on Monday January 24, 2011 @05:03PM (#34986304) Homepage

      I'd say baffling is more appropriate...as huge as the website is, and with as much personal information being slung around, you'd think they would make it ONLY https at this point...

      • by tkprit (8581)
        I use https and FB just doesn't work well with it: not only do you lose chat, you lose push notifications and profile editing.
      • by sustik (90111)

        So some websites (still?) send login and password info as cleartext?

        Why do we enable incompetent people to get rich?

        • by Darinbob (1142669)
          Heck, Windows does this too somewhere. Ie, at work a third party training site send me email about my account and password. And the password they included in the email was my corporate password (one behind the current one at the time, but very recognizable). I have never given this password to anything but Mac OS and Windows remote desktop. Yet somehow it shows up in clear text at a third party...

          My only guess is that someone in IT sniffed some passwords, or else active directory (or whatever windows us
    • by choongiri (840652)

      Precisely. This attack should have been impossible.

      • by rjstanford (69735)

        Except that all the interceptor need do is force an HTTP connection to themselves, then make the HTTPS connection outbound. How many people would actually check for an HTTPS connection before logging in to Facebook?

    • The real revolution-causing leak will be the naked pics leaks.
    • As big a fan as I am of HTTPS, it's not only slower than HTTP for the end user, but costs a bunch more in bandwidth and compute (cacheing problems).

      I'd say only HTTP is also more along the lines of Zuckerberg's infamous opinion [theregister.co.uk] of his users... in his view they get what they deserve.

    • by Darinbob (1142669)
      It's facebook though. Who would be dumb enough to put vital information there? You shouldn't need high security when the stuff you're protecting is trivial.

      That's the theory anyway. Turns out users are dumb; the put important info on public sites that they don't want anyone to see, they use the same password for multiple sites, they have auto login, etc. So it does make sense to have https, in hindsight. So all the fluff sites should beef things up.
  • Kudos to facebook (Score:5, Insightful)

    by operagost (62405) on Monday January 24, 2011 @04:58PM (#34986208) Homepage Journal
    When Facebook does something right, they should be commended. They easily could have shrugged their shoulders and said, "Not our problem!"
    • by gparent (1242548)

      When they prevent HTTP login and switch to HTTPs, they'll have done something right. This is just PR. Their shitty security allowed this in the first place.

    • Like others have said, this is easily preventable. HTTPS. Make the http login page redirect to https, and make pages default to https and no more login stealing-by-snooping (firesheep) will work. As is, you can login via https, but all the links on the page are http. VERY annoying.

      Yes, https increases CPU and bandwidth, but if you also include the benefits: reduction in staff, support, bandwidth, cpu, etc currently wasted trying to fix the resulting stolen/hijacked accounts, it would come out ahead, probabl

  • makes you wonder why a country is able to steal it's Facebook user's passwords.

  • If they are doing it, I would be surprised if lots of others aren't too.
  • HTTPS (Score:5, Insightful)

    by gambino21 (809810) on Monday January 24, 2011 @05:00PM (#34986244)

    Article Summary: They switched facebook to use https in Tunisia.

    I wish facebook would consider just switching all traffic to https.

    • by mlts (1038732) *

      +1. I know FB would rake in the bucks if they offered a premium service that had https by default, no ads, and the ability to use a VASCO or SecurID keyfob (with OATH certification when logging from PCs, and for non-PCs, the FB app has the ability to set a PIN.)

      I'd pay the usual $20 a year for this easily, mainly because FB is a good tool for keeping track of band and other events going on locally.

      • by jschmitz (607083)
        They are already raking in the bucks - you aren't the customer you are the product
      • Re:HTTPS (Score:4, Insightful)

        by LWATCDR (28044) on Monday January 24, 2011 @05:20PM (#34986584) Homepage Journal

        Wow $20 a year? You and five other people. They rake in more than that in ad revenue from each "prime" user. Also most people just don't care enough to pay for this service.

        What I find amazing is not that Facebook isn't secure but people expect it to be. This is a place where you "publish" information on the internet. It is not now and never should have been considered a secure communication channel.
        Why doesn't facebook default to https [slashdot.org]:? My guess is cost. It takes resources to encrypt data and for face book moving everything to https probably would cost a few million dollars in resources.
        And nothing stops you from using https://facebook.com/ [facebook.com] does it?

        • by vlm (69642)

          What I find amazing is not that Facebook isn't secure but people expect it to be. This is a place where you "publish" information on the internet. It is not now and never should have been considered a secure communication channel.

          I deleted my facebook acct about a year ago, so excuse my terminology.

          Imagine the scenario of a profile picture being changed to goatse.

          You are correct that it is "published" to the internet and is not secret-secure.

          Where you are wrong, is thinking that it is authorized-secure.

          Much like this post was written by VLM. Or, was it? As if you'd know...

          • by LWATCDR (28044)

            It would be at most annoying but not harmful. The people that know me would think that someone else did it. AKA that I was hacked. The risk to benifit ratio of me being on facebook is worth it time. I get to see when friends are expecting babies, get married, and or get new jobs. I guess if someone really wanted to make the effort they could hack my account but as I said it would be mildly annoying and not much else.

            Big deal. But you deleted your profile so I guess you realize that facebook isn't secure or

        • Re:HTTPS (Score:4, Informative)

          by MattskEE (925706) on Monday January 24, 2011 @06:54PM (#34987908)

          And nothing stops you from using https://facebook.com/ [facebook.com] [facebook.com] does it?

          If you go to https://facebook.com/ [facebook.com] you do view an encrypted home page. But all of the links to everything are just non-encrypted http. Unless you copy each link, paste it into the address bar, and prepend 'https://' to it (or write a browser script to do the same) then most of your facebook session will not be secured.

    • The ISP could still proxy the connection though. Proxy to FB and Proxy to client would still be encrypted but the proxy would get the username and password. The client may have to click through a warning about a mismatched certificate but I reckon most would.

      • Most browsers give you a very big and mean looking error message when certs mismatch. The kind that make people unversed in security call their computer geek friends before doing anything; I suspect that this won't be too huge a problem.
        • by MBCook (132727)
          They don't have to play Man-In-The-Middle. They can just make sure that HTTPS doesn't work (return error codes, drop packets, etc) such that it becomes unusable and people's only choice (if they want to keep accessing FB) is to use standard HTTP.
        • True but say the user in Tunisia is using IE from Windows. Maybe the government looks the other way when people steal the version of windows with the "right" binaries. Or he's running firefox but Tunisia has a special localised version which you automatically get when you download it from one of their ISPs.

      • by BitterOak (537666)

        The ISP could still proxy the connection though. Proxy to FB and Proxy to client would still be encrypted but the proxy would get the username and password. The client may have to click through a warning about a mismatched certificate but I reckon most would.

        Probably not even necessary. How hard would it be for the Tunisian government to get a CA in Tunisia to sign a fake Facebook cert? Then there'd be no warnings at all. I mean SSL only works if you trust every CA whose root cert is in your browser, and really, why the hell should anyone do that?

        • The ISP could still proxy the connection though. Proxy to FB and Proxy to client would still be encrypted but the proxy would get the username and password. The client may have to click through a warning about a mismatched certificate but I reckon most would.

          Probably not even necessary. How hard would it be for the Tunisian government to get a CA in Tunisia to sign a fake Facebook cert? Then there'd be no warnings at all. I mean SSL only works if you trust every CA whose root cert is in your browser, and really, why the hell should anyone do that?

          Yes.

    • I wish facebook would consider just switching all traffic to https.
      Because typing in the "s" would confuse the majority of the userbase.

  • Pay Up (Score:5, Insightful)

    by Anonymous Coward on Monday January 24, 2011 @05:01PM (#34986270)
    So Facebook's sales guy called the President of Tunisia and said "Dude, you have to pay for all that user data just like everyone else does. What makes you think you're special?"
  • Light on details (Score:3, Insightful)

    by sat1308 (784251) on Monday January 24, 2011 @05:03PM (#34986294)

    The article is a little light on details, but am I right in thinking that people's session cookies were being sidejacked? AFAIK, despite FB not sending everything over https, the password is sent over https. So I don't see how a keylogger like approach would work to intercept the pw, unless the Tunisian government was smart enough to run something like Moxie Marlinspike's sslstrip where they did a MITM attack and sent unencrypted http traffic to the user and then stole their password. I doubt this was the case because a) they don't seem smart enough and b) no security measure would circumvent this unless people knew not to log in over http.

    So now we just wait until the government uses sslstrip...

    P.S. - It's unbelievable that in this day and age FB doesn't encrypt the whole session given how trivial session-jacking is.

    • by mlts (1038732) *

      There are a lot of places other than FB which don't encrypt their traffic other than the initial username/password. Mainly because it is cheap to do so (plain http connections after authentication can be cached, no need to set up and tear down encrypted sockets, etc.)

      However what was par for security even last year before widespread sidejacking tools like FireSheep became available is now considered a wide open security risk. Just like how companies have to firewall their networks with the expense involve

    • In TFA, it states that the only ones susceptible to this attack were those who logged in/out during the attack. If you kept yourself logged in then the attack failed. They were effectively running a keylogger type script.
  • by 93 Escort Wagon (326346) on Monday January 24, 2011 @05:05PM (#34986352)

    Facebook doesn't want anyone accessing their customers' personal information unless Facebook is being compensated.

  • At least, I guess they must not...unlike most every other government in the world... If they did, they could still pretend to be Facebook, even when facebook uses https!

  • Why do you need a country-level solution? Why not a global solution, which implements ALL your country solutions at once?

    • by tnk1 (899206)

      Why do you need a country-level solution? Why not a global solution, which implements ALL your country solutions at once?

      Because:

      a) Tunisia is in the news for the first time since the Punic Wars, so its topical. That gives positive PR value.
      b) Tunisia is a small country that doesn't have the number of users as, let's say, the US, and so forcing https down their throat is not going to be a big deal
      c) If this fails, people will forget about it as soon as people forget about Tunisia again. (About 2-4 weeks from now)

      and....

      d) "Holy shit, look at what's going on in Tunisia! Hey, wouldn't it be funny if we had Tunisians as cust

  • HTTPS Everywhere (Score:5, Informative)

    by metrometro (1092237) on Monday January 24, 2011 @05:36PM (#34986834)

    Once again, our friends at the EFF are ahead of the curve. Their HTTPS Everywhere extension, released a few months ago, probably would have beaten this attack by Tunisian security services, or at least made their jobs much harder.

    Here's the extension: https://www.eff.org/https-everywhere [eff.org]

    Work that donate button a little while you're there.

  • The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast.

    Please tell me that they turned on https for logins by default. Because that is what they should have done.

  • ... means what you think it does:

    a revolution that could become a parable...

    Bzzt. wrong

  • by Kittenman (971447) on Monday January 24, 2011 @06:40PM (#34987742)
    'Nuff said.

It is the quality rather than the quantity that matters. - Lucius Annaeus Seneca (4 B.C. - A.D. 65)

Working...