How Facebook Dealt With The Tunisian Government Trying To Steal Every User's Passwords
from the security-in-action dept
If you haven't yet read it, you owe it to yourself to read Alexis Madrigal's fascinating piece at The Atlantic about how Facebook responded to what apparently was a government-run, country-wide hack attack on Facebook (prior to the recent regime change) designed to capture every Tunisian user's Facebook password. As the article notes, for all the talk of how much Twitter was used to communicate during the Tunisian protests and eventual ouster of the old government, Facebook may have played an even bigger role.

However, Facebook's security staff had been hearing anecdotal stories from people in Tunisia claiming their accounts had been hacked, along with some indications that something odd was going on. Eventually, they realized that the Tunisian ISPs appeared to be running a giant man-in-the-middle keylogger system that would record a user's password any time they logged into Facebook.

So how do you respond to that if you're Facebook? A two-step approach: first, force all traffic from Tunisia over https to encrypt the passwords and prevent this from happening; then, when people logged in, ask them to identify a friend in order to prove it was really them. Of course, all of this makes me wonder why Facebook doesn't always use https, but that's another question for another day.
While the solution wasn't perfect, it appears to mostly do the job, even if it came a bit later in the process. But just from an outsider's perspective, it is a fascinating story of how various internet tools are playing into world politics, and how that leads to some totally unexpected situations.
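As an added illustration of the first step described above (this is example code written for this page, not Facebook's implementation), here is a minimal WSGI middleware that redirects plain-HTTP requests to HTTPS, either for every client or only for clients whose region is in a forced set, and on HTTPS responses adds an HSTS header and marks session cookies Secure and HttpOnly so that a session issued over HTTPS cannot leak back over plain HTTP or be read by injected script. The region lookup, the `X-Demo-Region` header, the `example.test` host and the stand-in login handler are all constructed for the demo; a real deployment would resolve the region from the client address.

```python
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ):
    """True when the request arrived over TLS. X-Forwarded-Proto is honoured
    for the TLS-terminating-proxy case (a deployment assumption, not something
    the article states); the proxy must overwrite that header so clients
    cannot spoof it."""
    proto = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
    return proto.split(",")[0].strip().lower() == "https"


def https_location(environ):
    """Rebuild the request URL with the https scheme for the redirect."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def harden_cookie(value):
    """Add Secure (never sent over plain HTTP) and HttpOnly (not readable by
    page script) to a Set-Cookie value if they are missing."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.lower() for a in attrs}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


class ForceHttps:
    """Redirect plain-HTTP requests to HTTPS for clients in `regions` (or for
    everyone when regions is None); add HSTS and harden cookies on HTTPS."""

    def __init__(self, app, region_of, regions=None):
        self.app = app
        self.region_of = region_of  # caller-supplied: environ -> region code
        self.regions = regions

    def _forced(self, environ):
        return self.regions is None or self.region_of(environ) in self.regions

    def __call__(self, environ, start_response):
        if not is_https(environ):
            if self._forced(environ):
                start_response("301 Moved Permanently",
                               [("Location", https_location(environ)),
                                ("Content-Length", "0")])
                return [b""]
            return self.app(environ, start_response)

        def hardened_start_response(status, headers, exc_info=None):
            new_headers = [(n, harden_cookie(v) if n.lower() == "set-cookie" else v)
                           for n, v in headers]
            new_headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, new_headers, exc_info)

        return self.app(environ, hardened_start_response)


def login_app(environ, start_response):
    """Stand-in login handler (constructed): issues a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"logged in"]


def demo_environ(scheme, region, path="/login"):
    """Constructed request; the region travels in a made-up header so the
    example runs offline (a real deployment would use a GeoIP lookup)."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": "example.test",
            "REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": "",
            "HTTP_X_DEMO_REGION": region}


def call(app, environ):
    """Run a WSGI app and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


forced_tn = ForceHttps(login_app, region_of=lambda e: e.get("HTTP_X_DEMO_REGION"),
                       regions={"TN"})
forced_all = ForceHttps(login_app, region_of=lambda e: None)

if __name__ == "__main__":
    for env in (demo_environ("http", "TN"), demo_environ("http", "US"),
                demo_environ("https", "TN")):
        print(call(forced_tn, env))
```

The region-scoped variant mirrors what the post describes; `forced_all` is the configuration most of the comments below argue for, and the cookie hardening matters either way, because forcing the login over HTTPS while leaving the session cookie sendable over plain HTTP simply moves the interception point from the password to the session.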
Reader Comments
Why doesn't TechDirt always use https???
I once had a Pot whose best friend was a Kettle.
Re: Re: Why doesn't TechDirt always use https???
"Hepcat (or whatever you name)"
It's pronounced {huh-fes'-tuhs}
HTTPS all the time
Your wish is granted.
http://it.slashdot.org/story/11/01/26/1926211/Facebook-Launches-Social-Login-and-HTTPS
All Sites Should Be Doing This For Passwords
The CPU load is negligible compared to having your bank account drained.
This has been a known problem for years. I'm surprised Facebook isn't doing this for all accounts as they should.
Re: All Sites Should Be Doing This For Passwords
Experience is a harsh school, but some will learn in none other.
Re: All Sites Should Be Doing This For Passwords
Not if that bank account belongs to someone else, like the person logging in, as opposed to the person paying for the server. The person paying for the server just wants to save every penny they can. (Like Techdirt here. That's why they don't even offer HTTPS connections.) See how that works? And people will still log-in and send their passwords in the clear over the internet, anyway. For example, you did, here, didn't you?
Re: All Sites Should Be Doing This For Passwords
How does an unencrypted wifi reveal the password to your https protected bank login?
You might give up where you bank but not much else.
Re: Re: All Sites Should Be Doing This For Passwords
To maintain the connection one needs session cookies and those can be hijacked if transferred in non encrypted channels, meaning anyone can use that cookie to say it was you.
Re:
The site isn't though.
Re:
The keyword in Mike's statement was "ALWAYS"
Re: Re:
Here at techdirt the whole point is to allow everyone to see every post and comment. Signing in gives you some extra benefits but is not required.
Face will soon have the option to always use HTTPS
http://blog.facebook.com/blog.php?post=486790652130
I can't turn it on yet for my account though.
I wish all sites would use HTTPS at least for logins no matter how innocuous the site but I know that may not be feasible.
Re: Face will soon have the option to always use HTTPS
Most noticeably, their chat widget doesn't work under HTTPS.
https = Hephaestus Tries, Totally Proven Stupid
"...running a giant man-in-the-middle keylogger system, that would record a user's password any time they logged into Facebook."
You shouldn't need Mike to restate every part of the post in every paragraph. When was the last time you used Facebook and entered your password somewhere other than the login page? Or Techdirt?
Pot, Kettle and Black would all enjoy a hearty laugh when they met and discussed Hephaestus' posts.
Re: https = Hephaestus Tries, Totally Proven Stupid
I will give you a clue, since you so need it. "Perfect Citizen" is an NSA project that allows for network monitoring. It is so well known it showed up in Popular Science, Wired, I could go on, but I have been proven totally stupid by you.
Here is some stuff from the EFF and government monitoring of social networks.
The government gives incentives (Contracts) if you comply with their requests to monitor network traffic. They also remove incentives (don't give you contracts and stop doing business with you) if you don't comply.
It's not like the US government is monitoring computer networks, social networks, what you are searching for, or has given pardons to ATT and other communications providers for illegally wiretapping entire networks, or anything like that.
I truly love being proven wrong, so I agree I have been proven totally stupid.
Re: https = Hephaestus Tries, Totally Proven Stupid
XSS+Session Cookie=Account Hijack.
So?
keylogging != unencrypted packet reading
Sorry if this sounds pedantic, but you (and the source) should make the distinction between keylogging (a local action) and the packet reading of unencrypted HTTP traffic to find clear text passwords. These two methods are quite different and constitute very different levels of intrusion. These two methods also take two very different approaches to guard against.
p.s. Keep up the great work Mike; I truly appreciate all the work you put into Techdirt!
I think we could say that Facebook actually learned from the Tunisian revolution as well.
The attack on Facebook *was* a man-in-the-middle attack, not just keystroke logging. Like many sites - including stores and even banks - Facebook encrypted the password (and probably the username) that you sent. You'll see sites that do that show a little "why is this secure?" help box to assure you that, no, the page itself doesn't show a lock indicator (because it isn't https) but your credentials are perfectly safe because they are sent "using 128-bit encryption".
But they are not at all safe because you have no idea who you are actually talking to. It could be Facebook/the store/your bank; or it could be someone who mocked up a page that looks like Facebook's/your store's/your bank's, complete with a nice, encrypted username/password mechanism, sending your username/password right to them. The Tunisian attack was a slight variation in that they modified the real page on the fly to inject this attack, rather than making up a fake site - but the end result was the same.
If you're going to put your stuff in a safe-deposit box handed to you by a bank official - make sure you're really at a bank, and that it's a real bank official handing you the box! Relying on a "secure username/password" field on an unauthenticated page is like accepting an offer of a safety deposit box from some guy on the street outside the bank. Sure, the box is solid steel and the lock is high quality - but who else has the key?
If a site you deal with offers "security" by encrypting just the login information - complain to them. You'll almost certainly be unable to get a message to anyone who actually understands the issue - but if you follow up by closing your accounts, eventually they'll get a clue.
-- Jerry
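To make the point in the comment above checkable, here is an added Python script (written for this page; it is not Jerry's code or any site's) that audits a login page statically: it flags password forms on pages that were not themselves delivered over HTTPS, regardless of where the form posts or what the page says about encryption, and separately flags HTTPS pages that post credentials to a plain-HTTP action. The sample page and the `example.test` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form = {"action": attrs.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.actions.append(self._form["action"])
            self._form = None


def audit_login_page(page_url, html):
    """Return findings for one page. The rule is the one the comment argues:
    a form is only as trustworthy as the page that delivered it. If the page
    came over plain HTTP, anyone on the path could have rewritten the form
    and its 'encrypting' script before it reached the browser, so an HTTPS
    action (or a field encrypted by script) does not help. An HTTPS page that
    posts to plain HTTP is the second, more obvious failure."""
    finder = LoginFormFinder()
    finder.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action in finder.actions:
        target = urljoin(page_url, action)  # empty action posts back to the page
        if page_scheme != "https":
            findings.append(f"{page_url}: login form delivered over {page_scheme}; "
                            f"the page is unauthenticated even though it posts to {target}")
        elif urlsplit(target).scheme.lower() != "https":
            findings.append(f"{page_url}: login form posts credentials to {target} "
                            f"over plain HTTP")
    return findings


# Constructed sample: the pattern the comment describes, an HTTP page whose
# form posts to an HTTPS endpoint and reassures the user about encryption.
SAMPLE_HTTP_PAGE = """<html><body>
<form action="https://login.example.test/auth" method="post">
  <input name="email"> <input type="password" name="pw">
  <p>Why is this secure? Your password is sent using 128-bit encryption.</p>
</form>
</body></html>"""

if __name__ == "__main__":
    for line in audit_login_page("http://www.example.test/", SAMPLE_HTTP_PAGE):
        print(line)
```

The check deliberately ignores any script on the page: the comment's point is that an attacker who controls the unauthenticated page also controls the script, so nothing the page does client-side can be relied on as evidence of protection.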