Forgot your password?
typodupeerror
Facebook Security Social Networks IT

Facebook Employees' Laptops Compromised; User Data Believed Safe 75

Posted by timothy
from the safely-exploited-by-facebook dept.
Trailrunner7 writes "Laptops belonging to several Facebook employees were compromised recently and infected with malware that the company said was installed through the use of a Java zero-day exploit that bypassed the software's sandbox. Facebook claims that no user data was affected by the attack and says that it has been working with law enforcement to investigate the attack, which also affected other unnamed companies. Facebook officials did not identify the specific kind of malware that the attackers installed on the compromised laptops, but said that the employee's machines were infected when they visited a mobile developer Web site that was hosting the Java exploit. When the employees visited the site, the exploit attacked a zero-day vulnerability in Java that was able to bypass the software's sandbox and enable the attackers to install malware. The company said it reported the vulnerability to Oracle, which then patched the Java bug on Feb. 1."
This discussion has been archived. No new comments can be posted.

Facebook Employees' Laptops Compromised; User Data Believed Safe

Comments Filter:
  • by Anonymous Coward

    you use windows as your dev environment

  • by Anonymous Coward on Saturday February 16, 2013 @10:38AM (#42921597)

    but who's gonna protect people's data from Facebook itself?

  • Safe? (Score:5, Insightful)

    by DoofusOfDeath (636671) on Saturday February 16, 2013 @10:39AM (#42921599)

    Given Facebook's MO, users should assume that anything Facebook, Inc. had access to is already in the hands of people you can't trust.

    Them being hacked is pretty irrelevant.

    • by elucido (870205)

      Are you accusing Mark Zuckerberg of being a hacker?

      • Re:Safe? (Score:5, Funny)

        by KiloByte (825081) on Saturday February 16, 2013 @11:27AM (#42921835)

        Are you accusing Mark Zuckerberg of being a hacker?

        No, most hackers can be expected to have some basic integrity.

      • by bjwest (14070)

        Please tell me where in that statement you got the idea he was implying Zuckerberg is a hacker. Even using the popular, but incorrect, definition of hacker does not apply here as Mark Zuckerberg owns Facebook and I'm sure he has no need to "hack" into the system to get at any information he wants.

        • by oztiks (921504)

          Hacker Way, Hacker-Freakin-Way ...

          He just made real hackers around the world cringe after he did that.

        • "Owns" != "Has a right to the data". If the CEO of a major bank wanted to see every purchase his ex-wife makes he can't just call the data up, any sensible company will have need-to-know policies in place to prevent abuse and afford some deniability, regardless of how high up the request comes from. I don't doubt a bank CEO could get access to his ex-wife's data, but I'd be very surprised if any company would admit that policy is simply to hand over any data to the bloke in charge without any control or o
          • by bjwest (14070)

            "Not having a right to the data but still having access to it" != "hacking" anymore than considering a janitor of a building a lockpicker if he has a master key and goes into a room he's been told to stay out of. It may get him in trouble, but he did not break into the room.

        • Zuckerberg has successfully social-engineered about half the people in the US. Social engineering is a hacker skill, isn't it? People fall all over themselves to provide Zuck with their personal details.

          • by bjwest (14070)

            Interesting way to look at it and something I didn't consider. However, even though that would apply to the overall picture of FaceBook, going back to the OC, it doesn't apply to my original question.

    • by oztiks (921504)

      What's more disconcerting is the incident being made public now. Why a month after the incident occurring? Are they afraid of an Anonymous Hacktivism style attack? are they trying to spare embarrassment of critical systems that may of been impacted?

      They did speak of source code snippets and internal emails being on these particular laptops, TBH, that's worse than what Sally did on the weekend IMHO.

      And the blame China point, another case of "here we go again", what is inferred by bringing this up?

    • by tlhIngan (30335)

      Well, if you meant to keep it private, why did you post it online for the world to see?

      Oh, right, so-called "privacy" controls. Which are a brilliant social engineering hack meant to extract more information from users who wouldn't otherwise readily give it up. Unless you can control all your friends, anything they can see, the world can see. All it takes is someone to re-post it, or mention it or something and the beans are spilled.

      Truth is, anything you post online is public. As someone's very famous sist

  • by squiggleslash (241428) on Saturday February 16, 2013 @10:39AM (#42921601) Homepage Journal

    Facebook's users finally have privacy because someone got in and hacked into Facebook's laptops? What did they do, disable the graph API?

    • by oztiks (921504)

      The word on the street is that they tied FB profile authentication in with their lobby entrance security systems, so unless you have a FB profile you can't enter the building.

  • by 2phar (137027) on Saturday February 16, 2013 @10:39AM (#42921605)
    Well, that's good to know. I'd hate to think of all those sensitive personal data falling into the hands of some evil corporation that would exploit it to make money with no concern for the privacy of the people involved.
  • by elucido (870205) on Saturday February 16, 2013 @10:44AM (#42921625)

    I don't see why it would be so difficult to keep user data safe. Keep it encrypted, use a VPN, stream the data to memory but never store any of it unencrypted.

    • Is there any company in the world that encrypts more than password/CC numbers? I don't think many companies do that....
  • Useless articles (Score:4, Insightful)

    by Anonymous Coward on Saturday February 16, 2013 @11:02AM (#42921707)

    What's the point of these articles that announce that so and so company's systems have been hacked? They never contain any forensic information about the exploits other than to loosely identify the vulnerable software the bad guys used to get into the system. No identification of the malware installed, no identification of the OS's the laptop were running, no identification of any antivirus products that turned out to be completely useless in stopping the attacks. IOW, no goddamn information that would be useful to anyone who wanted protect themselves from attack, or at least detect whether their system were already compromised.

    The lack of forensic details about the attack provided by Facebook or any of the other companies hit with the java exploit causes great doubt about their claims that no user data was accessed.

  • A man gave way to a car and no accident happened.

    Are we in such a bad shape that NOT compromising personal data has become the news worthy factor?

  • by Anonymous Coward on Saturday February 16, 2013 @11:20AM (#42921805)

    Can we all stop saying zero day? it's just an attempt to sound cool and hackish and it means nothing. it's a vulnerability, and it has an exploit and no patch is available, as opposed to unpatched.

    if they release new software that they brag is secure, and you have an exploit that already compromises a vuln, ok, you have a zero day because that's day one of something. then it makes sense. otherwise, it's false street cred and bravado.

    • by Anonymous Coward

      You might not be old enough, but "zero day" originally meant that software was cracked and distributed via BBS on the same day it was released. That is what zero day meant. Zero-day warez was the status groups like Quartex and Fairlight aspired to achieve.

      THAT is what zero day meant.

  • by Anonymous Coward

    Ok, Java is hosed, most of Adobe is hosed etc...

    But has anybody ever considered the dangers of embedded linux devices in a company? Some of these things are pretty powerful with the right ARM socket, shady firmware and make the perfect backdoor in whatever corporate infrastructure. It's not that everybody is equipped with the latest firewall, the latest IDS or latest Layer 7 proxy or DPI on SSL and even then, DPI on SSL or Layer7 proxies can be performance hogs in a time that end users want to have a we

  • by Anonymous Coward

    Turns out Facebook employees don't know what the fuck they're doing. Keep drinking the beer, at least that'll give you good memories later in life.

  • http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/ [arstechnica.com]

    "The FBI e-mail, zero-day exploit, and backdoor code, it turns out, were part of an elaborate drill Facebook executives devised to test the company's defenses and incident responders. The goal: to create a realistic security disaster to see how well employees fared at unraveling and repelling it. While the attack was simulated, it contained as many real elements as possible."

  • by ilsaloving (1534307) on Saturday February 16, 2013 @04:24PM (#42923447)

    Your data was spread across the 4 winds as soon as you started using Facebook.

    The only "problem" here is that your data has now been around the globe without Facebook getting to monetize the transaction.

  • "User Data Safe" (Score:3, Insightful)

    by Mark Rawls (2648691) on Saturday February 16, 2013 @05:44PM (#42923875) Homepage
    I think that's the first time that the phrases "user data believed safe" and "Facebook" have been uttered in the same sentence.

The one day you'd sell your soul for something, souls are a glut.

Working...