How Facebook Dealt With The Tunisian Government Trying To Steal Every User's Passwords

from the security-in-action dept

If you haven't yet read it, you owe it to yourself to read Alexis Madrigal's fascinating piece at The Atlantic about how Facebook responded to what apparently was a government-run country-wide hack attack on Facebook (prior to the recent regime change) designed to capture every Tunisian user's Facebook password. As the article notes, for all the talk of how much Twitter was used to communicate during the Tunisian protests and eventual ouster of the old government, Facebook may have played an even bigger role.

However, Facebook's security staff had been hearing anecdotal stories from people in Tunisia claiming their accounts had been hacked, along with other indications that something odd was going on. Eventually, they realized that the Tunisian ISPs appeared to be running a giant man-in-the-middle keylogger system that recorded a user's password any time they logged into Facebook. So how do you respond to that if you're Facebook? With a two-step approach: first, force all traffic from Tunisia through https, encrypting the passwords in transit so they can no longer be captured; then, when people log in, ask them to identify a friend in order to prove it's really them. Of course, all of this makes me wonder why Facebook doesn't always use https, but that's another question for another day.

While the solution wasn't perfect, it appears to mostly do the job, even if it came a bit later in the process. But just from an outsider's perspective, it is a fascinating story of how various internet tools are playing into world politics, and how that leads to some totally unexpected situations.
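The forced-https step the article describes, written out as an added example (this is not Facebook's code, nor anything from the Atlantic piece): a small Python request handler that refuses to read a credential sent over plain HTTP, redirects the browser to HTTPS, pins it there with a Strict-Transport-Security header, and marks the session cookie Secure and HttpOnly so that the session following the login cannot be replayed from a plaintext capture either. The host name, the demo account and the request dictionary layout are constructed for the example.

```python
"""Added example: enforce HTTPS at the login endpoint and harden the session cookie.
Not Facebook's code; host, account and request layout are constructed for the example."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

HSTS_POLICY = "max-age=31536000; includeSubDomains"   # keep browsers on HTTPS for a year

# Constructed demo account. The password is stored as a salted PBKDF2 hash, so a
# captured user table does not hand over the password either.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}


def check_password(user, password):
    """Constant-time comparison; unknown users cost the same work as known ones."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    stored = USERS.get(user, b"\x00" * len(candidate))
    return user in USERS and hmac.compare_digest(stored, candidate)


def session_cookie(token):
    """Build the Set-Cookie value for a freshly issued session token."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True      # the browser never sends it over plain HTTP
    c["session"]["httponly"] = True    # unreadable from script injected into the page
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def handle(request):
    """request: {'method', 'url', 'form'}; returns {'status', 'headers'}."""
    parts = urlsplit(request["url"])
    if parts.scheme != "https":
        # A body that already travelled over HTTP is exposed; discard it and send
        # the browser to the same URL over HTTPS.
        target = urlunsplit(("https",) + tuple(parts[1:]))
        return {"status": 301, "headers": {"Location": target}}
    headers = {"Strict-Transport-Security": HSTS_POLICY}
    if request.get("method") == "POST" and parts.path == "/login":
        form = request.get("form", {})
        if check_password(form.get("user", ""), form.get("password", "")):
            headers["Set-Cookie"] = session_cookie(secrets.token_urlsafe(32))
            return {"status": 200, "headers": headers}
        return {"status": 401, "headers": headers}
    return {"status": 200, "headers": headers}


if __name__ == "__main__":
    creds = {"user": "alice", "password": "correct horse"}
    print(handle({"method": "POST", "url": "http://www.example.test/login", "form": creds}))
    print(handle({"method": "POST", "url": "https://www.example.test/login", "form": creds}))
```

The redirect happens before the form is even looked at: once a password has crossed the wire in the clear there is nothing the server can do to un-expose it, so the only useful response is to make sure the next attempt goes over HTTPS. The HSTS header then stops the browser from ever making that first plaintext request again, and the Secure flag on the cookie is what closes the session-hijacking variant of the same problem.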


Reader Comments

  1.  
    kaotix, Jan 26th, 2011 @ 3:14pm

    I'm so glad stories like these are actually seeing the light of day. It sort of proves everything, though: governments are bad, social media is good. lol

     

  2.  
    Christopher Smith, Jan 26th, 2011 @ 3:19pm

    The reason why most providers prefer to default to HTTP is simple cost. Basic HTTP requests can be returned to the client before HTTPS negotiation would have finished, and the crypto, while reasonably efficient on current processors, still imposes a noticeable CPU load.

     

  3.  
    Hephaestus (profile), Jan 26th, 2011 @ 3:23pm

    "Of course, all of this makes me wonder why Facebook doesn't always use https, but that's another question for another day. "

    Why doesn't TechDirt always use https???

    I once had a Pot whose best friend was a Kettle.

     

  4.  
    Hephaestus (profile), Jan 26th, 2011 @ 3:24pm

    Re:

    They had a friend named Black.

     

  5.  
    Hephaestus (profile), Jan 26th, 2011 @ 3:24pm

    Re:

    They would meet once in a while.

     

  6.  
    blaktron (profile), Jan 26th, 2011 @ 3:27pm

    Would this technical solution be considered Obstruction of Justice in the US?

     

  7.  
    Mudlock, Jan 26th, 2011 @ 3:28pm

    HTTPS all the time

    "Of course, all of this makes me wonder why Facebook doesn't always use https..."

    Your wish is granted.

    http://it.slashdot.org/story/11/01/26/1926211/Facebook-Launches-Social-Login-and-HTTPS

     

  8.  
    RobShaver (profile), Jan 26th, 2011 @ 3:30pm

    All Sites Should Be Doing This For Passwords

    Man-in-the-middle is easy at any unencrypted wi-fi hot spot like Starbucks or at the curb by your house. If you log into your bank, your account (meaning your money) is at risk.

    The CPU load is negligible compared to having your bank account drained.

    This has been a known problem for years. I'm surprised Facebook isn't doing this for all accounts as they should.

     

  9.  
    sehlat (profile), Jan 26th, 2011 @ 3:31pm

    Re: All Sites Should Be Doing This For Passwords

    Surprise is unnecessary.

    Experience is a harsh school, but some will learn in none other.

     

  10.  
    Chris ODonnell (profile), Jan 26th, 2011 @ 3:33pm

    The sign in page here is https.

     

  11.  
    Hephaestus (profile), Jan 26th, 2011 @ 3:43pm

    Re:

    "The sign in page here is https."

    The site isn't though.

     

  12.  
    Hephaestus (profile), Jan 26th, 2011 @ 3:45pm

    Re:

    "Of course, all of this makes me wonder why Facebook doesn't always use https, but that's another question for another day. "

    The keyword in Mike's statement was "ALWAYS".

     

  13.  
    Anonymous Coward, Jan 26th, 2011 @ 3:53pm

    Re: All Sites Should Be Doing This For Passwords

    Facebook sucks at security... Why else would they have given access to most of your private information to "developers" (quotes because the term is used very loosely, as anyone can become a developer)? Countries are forcing it to enforce its security because it has always been, and probably will always be, one of the worst secured sites out there. Kinda sucks for the ones using it that it's so popular heh.

     

  14.  
    Dennis S. (profile), Jan 26th, 2011 @ 4:08pm

    Facebook will soon have the option to always use HTTPS

    The Facebook Blog - A Continued Commitment to Security
    http://blog.facebook.com/blog.php?post=486790652130

    I can't turn it on yet for my account though.

    I wish all sites would use HTTPS at least for logins no matter how innocuous the site but I know that may not be feasible.

     

  15.  
    mischab1, Jan 26th, 2011 @ 4:08pm

    Re: Re:

    The difference is that you aren't supposed to be able to see anything on Facebook unless you have signed in to your account. And then you are only supposed to see stuff that other people have given you access to. (Doesn't matter that most people allow everybody to see everything. Those of us who want to keep stuff private to select friends can do so.)

    Here at Techdirt the whole point is to allow everyone to see every post and comment. Signing in gives you some extra benefits but is not required.

     

  16.  
    Anonymous Coward, Jan 26th, 2011 @ 4:13pm

    Re: All Sites Should Be Doing This For Passwords

    The CPU load is negligible compared to having your bank account drained.

    Not if that bank account belongs to someone else, like the person logging in, as opposed to the person paying for the server. The person paying for the server just wants to save every penny they can. (Like Techdirt here. That's why they don't even offer HTTPS connections.) See how that works? And people will still log in and send their passwords in the clear over the internet, anyway. For example, you did, here, didn't you?

     

  17.  
    Ho Hum, Jan 26th, 2011 @ 4:15pm

    Re: Why doesn't TechDirt always use https???

    Because, Hepcat (or whatever your name is), this site doesn't require/collect personal/sensitive data beyond the bare bones one may wish to disclose.

     

  18.  
    Anonymous Coward, Jan 26th, 2011 @ 4:22pm

    Re: Re: All Sites Should Be Doing This For Passwords

    Until people start refusing to send passwords over non-secured connections (yeah, right), most server operators will see no need to spend the few extra cents for it.

     

  19.  
    Anonymous Howard, Cowering, Jan 26th, 2011 @ 4:25pm

    https = Hephaestus Tries, Totally Proven Stupid

    Dude. Try reading the whole article.

    "...running a giant man-in-the-middle keylogger system, that would record a user's password any time they logged into Facebook."

    You shouldn't need Mike to restate every part of the post in every paragraph. When was the last time you used Facebook and entered your password somewhere other than the login page? Or Techdirt?

    Pot, Kettle and Black would all enjoy a hearty laugh when they met and discussed Hephaestus' posts.

     

  20.  
    Anonymous Coward, Jan 26th, 2011 @ 4:26pm

    So?

    If they weren't doing anything wrong, then they should have nothing to fear. I'm sure Tunisian law enforcement were just trying to keep an eye out for copyright infringement and other criminal activity.

     

  21.  
    Hephaestus (profile), Jan 26th, 2011 @ 4:27pm

    Re: Re: Why doesn't TechDirt always use https???

    Who wants anyone with a packet sniffer along the route, or your ISP, or some random party to monitor what you are doing?

    "Hepcat (or whatever your name is)"

    It's pronounced {huh-fes'-tuhs}

     

  22.  
    Hephaestus (profile), Jan 26th, 2011 @ 4:28pm

    Re: Re: Re:

    Then if you are signed in you should be able to run https.

     

  23.  
    TriZz (profile), Jan 26th, 2011 @ 4:29pm

    https

    I'm not sure how a huge site like Facebook runs...but if a cert had to be added to every server, that could get really REALLY expensive.

     

  24.  
    Chargone (profile), Jan 26th, 2011 @ 4:50pm

    Re: So?

    that's either some mighty fine sarcasm you've got going there, or you need stabbing in the face repeatedly with a rusty spoon...

     

  25.  
    Anonymous Coward, Jan 26th, 2011 @ 4:58pm

    Re: All Sites Should Be Doing This For Passwords

    What bank does not force you to use https?

    How does an unencrypted wifi reveal the password to your https protected bank login?

    You might give up where you bank but not much else.

     

  26.  
    Hephaestus (profile), Jan 26th, 2011 @ 4:59pm

    Re: https = Hephaestus Tries, Totally Proven Stupid

    "...running a giant man-in-the-middle keylogger system, that would record a user's password any time they logged into Facebook."

    I will give you a clue, since you so need it. "Perfect Citizen" is an NSA project that allows for network monitoring. It is so well known it showed up in Popular Science, Wired... I could go on, but I have been proven totally stupid by you.

    Here is some stuff from the EFF and government monitoring of social networks.

    The government gives incentives (Contracts) if you comply with their requests to monitor network traffic. They also remove incentives (don't give you contracts and stop doing business with you) if you don't comply.

    It's not like the US government is monitoring computer networks, social networks, what you are searching for, or has given pardons to AT&T and other communications providers for illegally wiretapping entire networks, or anything like that.

    I truly love being proven wrong, so I agree I have been proven totally stupid.

     

  27.  
    ajnachakra (profile), Jan 26th, 2011 @ 5:56pm

    keylogging != unencrypted packet reading

    "the Tunisian ISPs appeared to be running a giant man-in-the-middle keylogger system..."

    Sorry if this sounds pedantic, but you (and the source) should make the distinction between keylogging (a local action) and the packet reading of unencrypted HTTP traffic to find clear text passwords. These two methods are quite different and constitute very different levels of intrusion. These two methods also take two very different approaches to guard against.

    p.s. Keep up the great work Mike; I truly appreciate all the work you put into Techdirt!

     

  28.  
    Marcus Carab (profile), Jan 26th, 2011 @ 6:31pm

    Re: HTTPS all the time

    I noticed this today - so I'm wondering, did Facebook develop these features to deal with this situation, then decide to roll them out globally? Or were they already working on them, and then decided to roll them out early in Tunisia?

     

  29.  
    Anonymous Coward, Jan 26th, 2011 @ 6:33pm

    Re: Re: All Sites Should Be Doing This For Passwords

    People that don't know much like to talk out of their asses... especially here.

     

  30.  
    Anonymous Coward, Jan 26th, 2011 @ 7:16pm

    Re: Re: Re: All Sites Should Be Doing This For Passwords

    There is a problem with that: for people to identify insecure channels they must see them first, and most people don't know about or aren't aware of those things.

     

  31.  
    Anonymous Coward, Jan 26th, 2011 @ 7:21pm

    Re: https = Hephaestus Tries, Totally Proven Stupid

    Logins are fascinating: you can send them through HTTPS, but if the session cookies are in the open, what stops someone from hijacking that and gaining control of something?

    XSS+Session Cookie=Account Hijack.

     

  32.  
    Anonymous Coward, Jan 26th, 2011 @ 7:25pm

    Re: Re: All Sites Should Be Doing This For Passwords

    If you are using a banking system that only does HTTPS on the login, stop now or you will have your bank account drained.

    To maintain the connection one needs session cookies, and those can be hijacked if transferred in non-encrypted channels, meaning anyone can use that cookie to say it was you.

     

  33.  
    Anonymous Coward, Jan 26th, 2011 @ 8:13pm

    Re: Re: HTTPS all the time

    Pretty sure this was in the works and was accelerated when Firesheep went viral a few months back.

     

  34.  
    Anonymous Coward, Jan 26th, 2011 @ 8:19pm

    Re: https

    all of $475.00 per year plus labor

     

  35.  
    Nick Coghlan (profile), Jan 26th, 2011 @ 8:51pm

    Re: Facebook will soon have the option to always use HTTPS

    I've been running FB mostly over HTTPS via the HTTPS Everywhere Firefox add-on, and it does have a few issues.

    Most noticeably, their chat widget doesn't work under HTTPS.

     

  36.  
    Anonymous Coward, Jan 27th, 2011 @ 12:14am

    It was reported that they were injecting JavaScript onto Facebook login pages. There's a keylogger called "The Middler" that uses JavaScript's onKeyPress event. Other JavaScript tricks can change a form to send someone's password (onSubmit) to a server via Ajax and store it, then bounce them to the real login processor. They might not have been found out had they not injected JavaScript and simply read login packets instead.

     


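Comment 36 describes script being injected into the login page itself. From the defender's side, the matching check is to snapshot what the genuine login page contains (external script hosts, hashes of inline scripts, form targets, inline event handlers) and flag anything a served copy adds. The Python below does that as an added example; it is not Techdirt's, Facebook's or The Middler's code, and the two HTML pages, the host names and the placeholder calls in the tampered copy are constructed for the example.

```python
"""Added example: audit a served login page against a known-good baseline.
Not code from Techdirt or Facebook; page content and hosts are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LoginPageAudit(HTMLParser):
    """Collect the things an injected credential-stealer has to touch:
    external scripts, inline scripts, form targets and inline event handlers."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []      # src of every <script src=...>
        self.inline_hashes = []    # sha256 of every inline <script> body
        self.form_actions = []     # action of every <form>
        self.event_handlers = []   # (tag, attribute) for every on* attribute
        self._script_buf = None    # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in attrs:
            if name.startswith("on"):          # onkeypress, onsubmit, ...
                self.event_handlers.append((tag, name))
        if tag == "script":
            if attrs.get("src"):
                self.script_srcs.append(attrs["src"])
            else:
                self._script_buf = []
        elif tag == "form":
            self.form_actions.append(attrs.get("action") or "")

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._script_buf = None


def parse(html):
    p = LoginPageAudit()
    p.feed(html)
    p.close()
    return p


def baseline(known_good_html):
    """Snapshot the genuine page; anything not recorded here is suspect."""
    p = parse(known_good_html)
    return {
        "script_hosts": {urlsplit(s).netloc for s in p.script_srcs},
        "inline_hashes": set(p.inline_hashes),
        "form_actions": set(p.form_actions),
        "event_handlers": set(p.event_handlers),
    }


def audit_login_page(served_html, base):
    """Return a list of findings; an empty list means the page matches the baseline."""
    p = parse(served_html)
    findings = []
    for src in p.script_srcs:
        if urlsplit(src).netloc not in base["script_hosts"]:
            findings.append(f"script loaded from unexpected host: {src}")
    for h in p.inline_hashes:
        if h not in base["inline_hashes"]:
            findings.append(f"inline script not in baseline: sha256 {h[:16]}")
    for action in p.form_actions:
        if action not in base["form_actions"]:
            findings.append(f"form posts to unexpected target: {action}")
    for tag, attr in p.event_handlers:
        if (tag, attr) not in base["event_handlers"]:
            findings.append(f"inline handler {attr} on <{tag}> not in baseline")
    return findings


# Constructed pages on hypothetical hosts. The tampered copy carries an extra inline
# script and an inline key handler; both function names are invented placeholders.
CLEAN_PAGE = """<html><body>
<form action="https://www.example.test/login" method="post">
<input name="email"><input name="pass" type="password"><button>Log In</button>
</form>
<script src="https://static.example.test/app.js"></script>
<script>window.loginReady = true;</script>
</body></html>"""

TAMPERED_PAGE = """<html><body>
<form action="https://www.example.test/login" method="post">
<input name="email"><input name="pass" type="password" onkeypress="injectedHook(event)"><button>Log In</button>
</form>
<script src="https://static.example.test/app.js"></script>
<script>window.loginReady = true;</script>
<script>injectedCapture(document.forms[0]);</script>
</body></html>"""

if __name__ == "__main__":
    base = baseline(CLEAN_PAGE)
    print("clean:", audit_login_page(CLEAN_PAGE, base))
    for finding in audit_login_page(TAMPERED_PAGE, base):
        print("tampered:", finding)
```

Run from a vantage point outside the affected network (a monitoring host fetching the page through the same ISP path the users take) this catches exactly the modification the comment describes, because an on-path attacker cannot add script or handlers without changing the served HTML. It does nothing against a pure packet sniffer that only reads plaintext logins, which is the case the HTTPS step in the article addresses.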
  37.  
    Kurata, Jan 27th, 2011 @ 2:43am

    To add something to this story, it seems Facebook has definitely adopted HTTPS on login, and is considering adding the social login a-la-Tunisian to its current system.

    I think we could say that Facebook actually learned from the Tunisian revolution as well.

     

  38.  
    Anonymous Coward, Jan 27th, 2011 @ 8:54am

    Re: Re: Re: All Sites Should Be Doing This For Passwords

    Not during the same session and not after I click Logout.

     

  39.  
    Anonymous Coward, Jan 27th, 2011 @ 4:36pm

    Re:

    Yes

     

  40.  
    Jose_X, Jan 27th, 2011 @ 7:24pm

    Re: Re: Re: Why doesn't TechDirt always use https???

    As the earlier commenter stated, https is costlier in cpu usage, bandwidth, and time. This means you can scale (much?) less for your given hardware if you use https all the time.

     

  41.  
    leichter (profile), Jan 30th, 2011 @ 4:44am

    Sigh. So many remarks, so little understanding. And in this case, understanding is actually quite important.

    The attack on Facebook *was* a man-in-the-middle attack, not just keystroke logging. Like many sites - including stores and even banks - Facebook encrypted the password (and probably the username) that you sent. You'll see sites that do that show a little "why is this secure?" help box to assure you that, no, the page itself doesn't show a lock indicator (because it isn't https) but your credentials are perfectly safe because they are sent "using 128-bit encryption".

    But they are not at all safe because you have no idea who you are actually talking to. It could be Facebook/the store/your bank; or it could be someone who mocked up a page that looks like Facebook's/your store's/your bank's, complete with a nice, encrypted username/password mechanism, sending your username/password right to them. The Tunisian attack was a slight variation in that they modified the real page on the fly to inject this attack, rather than making up a fake site - but the end result was the same.

    If you're going to put your stuff in a safe-deposit box handed to you by a bank official - make sure you're really at a bank, and that it's a real bank official handing you the box! Relying on a "secure username/password" field on an unauthenticated page is like accepting an offer of a safety deposit box from some guy on the street outside the bank. Sure, the box is solid steel and the lock is high quality - but who else has the key?

    If a site you deal with offers "security" by encrypting just the login information - complain to them. You'll almost certainly be unable to get a message to anyone who actually understands the issue - but if you follow up by closing your accounts, eventually they'll get a clue.

    -- Jerry

     
