While cloud computing isn’t necessarily moving IT security into uncharted waters, it is highlighting some old vulnerabilities that many organizations just never got around to patching up, from shoddy encryption practices to tolerated poor user habits. Leading the way, in both stumbles and recoveries, might be Facebook, whose recent security struggles have probably been watched more closely than any other company’s.
Phishing for fame and friends
Today, most attacks on corporate infrastructure are driven by monetary gain: long gone are the days when embarrassing defacements dumped a company’s dirty laundry and taunts onto its domain. Instead, the criminals are largely organized, stealthily going in and making off with the valuable digital loot without being noticed until it’s far too late. Facebook still sees its share of these criminals. However, its high-profile nature, and mixed track record on privacy, has made it a favored target for the type of attacker who still likes to put on a show. Nicolas Sarkozy’s account was recently hacked, posting a message stating the president would not seek office again (he has made no official statement on his plans). Facebook founder Mark Zuckerberg then had his fan page hacked, with a post pleading for the company to become a ‘social business.’
Not just for social networks anymore
While the vulnerabilities exploited in these attacks were eventually disclosed to be a rather mundane and limited API bug, researchers (perhaps speculating wildly to get their 15 minutes) pointed to a few well-known attack techniques, and they’re ones that could be used against your very own corporate network just as easily. One possibility was the fact that much of Facebook’s communications are unencrypted (except for the login process). After a simple utility called Firesheep was released, hijacking someone’s session over unencrypted Wi-Fi became as easy as installing a browser extension: the session cookie travels in the clear with every plain-HTTP request, so anyone on the same network can copy it and present it as their own.
While Firesheep, built as a research tool, largely targets social networks in order to raise awareness, many corporate software applications could be vulnerable to similar attacks, particularly if they don’t force a user to join a VPN first or don’t rely exclusively on SSL for all communications.
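The practical check for the Firesheep-style weakness is whether your own application’s session cookie is ever allowed to leave the browser over plain HTTP. The audit below is an added example, not code from the article or from Facebook: it takes a response’s headers (the two header sets are constructed samples, not captured traffic) and reports the conditions that make a session hijackable over unencrypted Wi-Fi: a response served over http://, cookies without the Secure flag (the browser will send them on any http:// request), cookies without HttpOnly, and a missing Strict-Transport-Security header (so browsers keep following http:// links). The header names and flags are standard; the finding wording is the example’s own.

```python
"""Audit HTTP response headers for session-hijacking exposure over plain HTTP.

Added example (not from the original article). Input is a dict of header
name -> list of values, as you would collect from any HTTP client library.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: what a legacy intranet app often returns over http://.
SAMPLE_INSECURE: Dict[str, List[str]] = {
    "Content-Type": ["text/html"],
    "Set-Cookie": ["session=abc123; Path=/", "pref=dark; Path=/"],
}

# Constructed sample: the same app after forcing SSL for all traffic.
SAMPLE_HARDENED: Dict[str, List[str]] = {
    "Content-Type": ["text/html"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}


def parse_set_cookie(raw: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) from one Set-Cookie value."""
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes like "Path=/" keep only their name; flags like "Secure" are bare.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(headers: Dict[str, List[str]], scheme: str) -> List[str]:
    """List the ways a session set by this response could be sniffed or replayed.

    scheme is "http" or "https", i.e. how the response was actually served.
    An empty list means no finding.
    """
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    if scheme.lower() != "https":
        findings.append(
            "served over plain HTTP: cookies and page content are readable "
            "by anyone on the same network segment")

    if "strict-transport-security" not in lower:
        findings.append(
            "no Strict-Transport-Security header: browsers will still follow "
            "http:// links to this host, exposing cookies that lack Secure")

    for raw in lower.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(
                f"cookie {name!r} lacks Secure: the browser sends it on any "
                f"http:// request, which is exactly what Firesheep captures")
        if "httponly" not in attrs:
            findings.append(
                f"cookie {name!r} lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for label, hdrs, scheme in (("insecure", SAMPLE_INSECURE, "http"),
                                ("hardened", SAMPLE_HARDENED, "https")):
        print(f"== {label} ({scheme}) ==")
        for f in audit(hdrs, scheme) or ["no findings"]:
            print(" -", f)
```

Run it against headers fetched from your own application rather than the samples; the point of the Secure flag is that even if a user follows an http:// link, the browser refuses to attach the session cookie, and HSTS stops the browser from making that plain request at all.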
Another possible method being floated was that Zuckerberg fell victim to a phishing attack, where another site, masquerading as Facebook, sent him an e-mail and convinced him to log in. These attacks are quite common on the social networking giant. In Zuckerberg’s case, I think it’s highly unlikely, but what’s not unlikely is a major corporation coming under a hand-tailored phishing attack seeded among its users. Though many phishing attempts are almost laughably executed and largely focused on banks and PayPal, more and more crime is financially motivated and highly organized. I’ve seen even small companies fall victim to very customized attacks that almost wiped out their finances overnight.
Finally, the speculation was that Zuckerberg (or one of his fan page handlers) used a weak password. While I’d be shocked if the founder was using something along the lines of “12345,” the fact that responsibility for the fan page is likely doled out to a lower-level employee makes this attack much more feasible. Always remember the weak links of shared administration in your own processes.
Fighting back, the Facebook way
Of course, Facebook isn’t taking all of this without a fight, and your policies should learn from their mistakes before you find your own company a victim. For one thing, they’ve rolled out two new security features, as highlighted by CIO:
- SSL Encryption for all traffic … sort of. It’s an optional feature, and a little bit hidden, but users can now choose to have all their Facebook traffic encrypted. For businesses, this is a no-brainer: Yes, SSL is computationally more expensive, but getting successfully attacked is much more so.
- Two-factor authentication. If the site thinks your login is a little suspicious, it prompts for a second authentication by making you name a few pictured friends. OK, this might not be a great idea for your own intranet, but there are enough two-factor authentication options out there to make this feasible.
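Naming pictured friends only works on a social network; the two-factor option most intranets can actually deploy is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226), the scheme behind phone authenticator apps. The code below is an added example, not Facebook’s or the article’s: it implements both algorithms with the standard library, verifies a submitted code with a small clock-drift window, and returns the matched time step so the caller can store it and refuse a replayed code. The shared secret used in the demonstration is the published RFC 4226 test key, not a real credential; the enrolment helper and the one-step drift window are this example’s own choices.

```python
"""TOTP second factor for a login form (added example, not from the article).

hotp()/totp() follow RFC 4226 / RFC 6238 with HMAC-SHA1 and 6 digits.
verify_totp() returns the time step that matched (or None) so the caller can
persist it and reject the same code a second time.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 4226 test secret (a published vector, used here only for demonstration).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of `step`-second periods elapsed."""
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, submitted: str, now: float,
                last_used_step: Optional[int] = None,
                window: int = 1, step: int = 30) -> Optional[int]:
    """Return the time step that produced `submitted`, or None if it is invalid.

    `window` allows +/- that many steps of clock drift between phone and server.
    A step at or before `last_used_step` is rejected: one code, one login.
    """
    current = int(now // step)
    for drift in range(-window, window + 1):
        candidate = current + drift
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # compare_digest keeps the comparison constant-time.
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def new_enrolment_secret() -> str:
    """Random 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    matched = verify_totp(RFC_TEST_SECRET, code, now)
    print("first use accepted at step", matched)
    # The same code presented again is refused once its step is recorded.
    print("replay accepted?", verify_totp(RFC_TEST_SECRET, code, now, matched) is not None)
    print("enrolment secret for a new user:", new_enrolment_secret())
```

The server stores the base32 secret per user (encrypted at rest) and the last accepted step; the login handler calls verify_totp() only after the password check succeeds, so the second factor is never a substitute for the first.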