Facebook Employees' Laptops Compromised; User Data Believed Safe 75
Trailrunner7 writes "Laptops belonging to several Facebook employees were compromised recently and infected with malware that the company said was installed through the use of a Java zero-day exploit that bypassed the software's sandbox. Facebook claims that no user data was affected by the attack and says that it has been working with law enforcement to investigate the attack, which also affected other unnamed companies. Facebook officials did not identify the specific kind of malware that the attackers installed on the compromised laptops, but said that the employee's machines were infected when they visited a mobile developer Web site that was hosting the Java exploit. When the employees visited the site, the exploit attacked a zero-day vulnerability in Java that was able to bypass the software's sandbox and enable the attackers to install malware. The company said it reported the vulnerability to Oracle, which then patched the Java bug on Feb. 1."
thats what happens when (Score:2, Insightful)
you use windows as your dev environment
Re: (Score:1)
or perhaps it's because the comment was trolling?
Re: (Score:1, Insightful)
How was it trolling? Why doesn't the article state what OS those laptops were running? Hmm? Because it's the most insecure OS known to mankind, Windows, and it doesn't even have to be said any longer? Or because the writers are pathetically unprofessional and are deliberately withholding the facts here? Either way, I don't know.
Re: thats what happens when (Score:4, Informative)
It's "would have" you ignorant moron.
Re: (Score:2, Funny)
What's a "beehive asshole"?
Re: (Score:1)
English might not be his first language, you don't have to be rude.
Re: (Score:2)
It's a common piece of UK English fuckwittery from semi-literate fuckwits who don't know their own language.
Re: (Score:2)
english IS his first language. nobody who learned english as their second language would write "would of". this is similar to "they're, their, there" type of mistake. only native speakers have a problem with this.
first time i came across "would of", i had to look it up on google.
It's good they'll protect your data from thieves.. (Score:4, Insightful)
but who's gonna protect people's data from Facebook itself?
Re: (Score:2)
A photo of the hacker planting the malware can be found here [yaaree.com].
Safe? (Score:5, Insightful)
Given Facebook's MO, users should assume that anything Facebook, Inc. had access to is already in the hands of people you can't trust.
Them being hacked is pretty irrelevant.
Re: (Score:2)
Are you accusing Mark Zuckerberg of being a hacker?
Re:Safe? (Score:5, Funny)
Are you accusing Mark Zuckerberg of being a hacker?
No, most hackers can be expected to have some basic integrity.
Re: (Score:2)
Please tell me where in that statement you got the idea he was implying Zuckerberg is a hacker. Even using the popular, but incorrect, definition of hacker does not apply here as Mark Zuckerberg owns Facebook and I'm sure he has no need to "hack" into the system to get at any information he wants.
Re: (Score:2)
Hacker Way, Hacker-Freakin-Way ...
He just made real hackers around the world cringe after he did that.
Re: (Score:2)
Re: (Score:2)
"Not having a right to the data but still having access to it" != "hacking" anymore than considering a janitor of a building a lockpicker if he has a master key and goes into a room he's been told to stay out of. It may get him in trouble, but he did not break into the room.
Re: (Score:2)
Re: (Score:3)
Zuckerberg has successfully social-engineered about half the people in the US. Social engineering is a hacker skill, isn't it? People fall all over themselves to provide Zuck with their personal details.
Re: (Score:2)
Interesting way to look at it and something I didn't consider. However, even though that would apply to the overall picture of FaceBook, going back to the OC, it doesn't apply to my original question.
Re: (Score:2)
What's more disconcerting is the incident being made public now. Why a month after the incident occurring? Are they afraid of an Anonymous Hacktivism style attack? are they trying to spare embarrassment of critical systems that may of been impacted?
They did speak of source code snippets and internal emails being on these particular laptops, TBH, that's worse than what Sally did on the weekend IMHO.
And the blame China point, another case of "here we go again", what is inferred by bringing this up?
Re: (Score:2)
Well, if you meant to keep it private, why did you post it online for the world to see?
Oh, right, so-called "privacy" controls. Which are a brilliant social engineering hack meant to extract more information from users who wouldn't otherwise readily give it up. Unless you can control all your friends, anything they can see, the world can see. All it takes is someone to re-post it, or mention it or something and the beans are spilled.
Truth is, anything you post online is public. As someone's very famous sist
Comment removed (Score:3)
Re: (Score:3)
The word on the street is that they tied FB profile authentication in with their lobby entrance security systems, so unless you have a FB profile you can't enter the building.
Re: (Score:2)
No user data was compromised (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
User data should never be decrypted. (Score:3, Interesting)
I don't see why it would be so difficult to keep user data safe. Keep it encrypted, use a VPN, stream the data to memory but never store any of it unencrypted.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Yes, there's...ways to improve on this, partial tables, encrypted tables with some info, nega-databases, and homomorphic encrypted operations. I'm sure every single one of your developers has a PhD and is intimately familiar with zero knowledge proofs and protocols? No...? Well then, shaddup. No, you can't even train them or give them the papers to read -- they'll implement it wrong.
But that is the direction we should be going. If it's implemented wrong then the buggy code will be fixed and eventually it will be implemented right. It should be done and the only excuse you have not to do it is that it would cost too much in CPU resources or be too hard. What is more important than user data? The user is most important and the user data is sacred. That has to be protected and it's Facebook with their goddamn lax policies that help destroy the foundation of the internet itself.
But the bottom line is most encryption only protects data at rest. Stone cold rest in a drive that's powered off. Anything else -- we can get to. I don't mean hackers. I mean remotely competent sysadmins, devs, devops -- even management with a properly written disaster recovery document.
Encryption
Useless articles (Score:4, Insightful)
What's the point of these articles that announce that so and so company's systems have been hacked? They never contain any forensic information about the exploits other than to loosely identify the vulnerable software the bad guys used to get into the system. No identification of the malware installed, no identification of the OS's the laptop were running, no identification of any antivirus products that turned out to be completely useless in stopping the attacks. IOW, no goddamn information that would be useful to anyone who wanted protect themselves from attack, or at least detect whether their system were already compromised.
The lack of forensic details about the attack provided by Facebook or any of the other companies hit with the java exploit causes great doubt about their claims that no user data was accessed.
Re: (Score:2)
"zero day" is as bad as l337 speak (Score:3, Interesting)
Can we all stop saying zero day? it's just an attempt to sound cool and hackish and it means nothing. it's a vulnerability, and it has an exploit and no patch is available, as opposed to unpatched.
if they release new software that they brag is secure, and you have an exploit that already compromises a vuln, ok, you have a zero day because that's day one of something. then it makes sense. otherwise, it's false street cred and bravado.
Re: (Score:1)
You might not be old enough, but "zero day" originally meant that software was cracked and distributed via BBS on the same day it was released. That is what zero day meant. Zero-day warez was the status groups like Quartex and Fairlight aspired to achieve.
THAT is what zero day meant.
How about embbeded devices (Score:1)
Ok, Java is hosed, most of Adobe is hosed etc...
But has anybody ever considered the dangers of embedded linux devices in a company? Some of these things are pretty powerful with the right ARM socket, shady firmware and make the perfect backdoor in whatever corporate infrastructure. It's not that everybody is equipped with the latest firewall, the latest IDS or latest Layer 7 proxy or DPI on SSL and even then, DPI on SSL or Layer7 proxies can be performance hogs in a time that end users want to have a we
How's your fancy pants coding parties now? (Score:1)
Turns out Facebook employees don't know what the fuck they're doing. Keep drinking the beer, at least that'll give you good memories later in life.
oh the irony (Score:2)
http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/ [arstechnica.com]
"The FBI e-mail, zero-day exploit, and backdoor code, it turns out, were part of an elaborate drill Facebook executives devised to test the company's defenses and incident responders. The goal: to create a realistic security disaster to see how well employees fared at unraveling and repelling it. While the attack was simulated, it contained as many real elements as possible."
Who cares? (Score:3)
Your data was spread across the 4 winds as soon as you started using Facebook.
The only "problem" here is that your data has now been around the globe without Facebook getting to monetize the transaction.
"User Data Safe" (Score:3, Insightful)