According to TechCrunch – and numerous other online technophile sites – a prominent Facebook fan page has been hacked, defaced and, as a result, closed down.
The victim? Mark Zuckerberg. The defacement? This message, apparently:
Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011
Here’s a YouTube video we’ve made about the incident:
I know what you’re thinking. How could anyone stoop so low as to diss Time’s Man/Woman of the Year?
Actually, so far, that’s one question no-one – not even Facebook – seems to be able to answer. We don’t know how the hack was perpetrated.
(Update: We now know what really happened.)
However, celebrity social networking pages are often managed by a whole team of marketing minions. (When you have millions of Facebook friends or Twitter followers, keeping up with the pace of your online social interactions generally gets beyond the capacity of a single person. What this says about the legitimacy of your “friendships” is left as an exercise for the sociologists.)
In the absence of any sort of two-factor authentication, an account that can be accessed by many different people, each with their own password, is at greater risk than an account used by just one person. If lots of passwords each carry sufficient power to deface a page or to steal personally identifiable information (PII), a hacker has many more opportunities to beg, steal, bribe or borrow a password to the crown jewels. Every extra password is an extra point of failure: the account is only as safe as its most careless holder.
In Australia, there’s already a name for this: the Vodafone Problem. By handing out passwords to all its dealers, and giving them access to pretty much the entire Vodafone Australia customer management system – including PII, call records and customer security codes – the mobile phone giant pretty much guaranteed that the wheels would come off, sooner or later.
A single lost, sold or stolen password, or a single dishonest, aggrieved or even merely ill-advised dealer, was in a position to spoil things for everyone.
Perhaps this sort of “injury to one is an injury to all” effect is what went wrong in this Facebook hack? Perhaps Mark Zuckerberg was careless in choosing or looking after his own password? (Perhaps Mark might find it useful to join us online at Sophos’s Facebook page? It’s free!)
Whatever happened in this case, it raises one more tough question: do you still trust Facebook with your online persona?
Update: Mark Zuckerberg fan page hacked on Facebook: What really happened?
Big lesson for Zuckerberg… *if* it’s true.
I have nothing worth hacking on my facebook… simply dull chit chat and dross about what I’m up to. Interests of genealogy, history, writing, art and design? Nothing worth hacking into there.
No home details, no family details, no business details, no school or work history, phone numbers, email addresses… nothing to connect my facebook to my personal life.
I keep it private, and *if* someone hacked my facebook… I’d shrug and start another. No biggie because I have nothing to worry about.
But others…. I am sick and tired of passing on privacy and security messages. Anyone who doesn’t respect my privacy and the privacy of others is un-friended. My facebook is locked down as snugly as facebook allows, and because that’s not as secure as I’d like, I limit what info is online.
What Will Mark Do?
Bugger-all, I reckon.
You seem to have only understood one half of the problem. The issue isn't just other people stealing your information from Facebook (that didn't happen here, for example), it's also people stealing your account and pretending to be you.
Right now you have simply dull chit chat and dross about what you're up to… then someone breaks into your account, and suddenly your life appears to be much more interesting… and you are sending your friends all the interesting links to malware we've been seeing in this blog lately.
But wait! Your friends will notice these changes and updates etc. as the fakes they are, right? That they're not actually from you? Just to be safe, you attempt to log on and fix your account… and find that your password has been changed.
So… you start another… but the previous one's still there.
Three years down the road, and you're looking for a new job. Potential employer pulls up your old Facebook page to see what you've been up to…. I'm sure you can imagine the rest.
Starting another account is clearly the problem here. If you have a problem accessing Facebook, contact them directly to sort it out. A new account will not fix the problem, just create a new one as you say.
Fail, that’s not exactly how the hacker cup is supposed to work lol. Also if anyone is interested his page is still up on the Google cached version if people want to try that.
You know that that was a game developer showing Facebook what can be done, don't you? I think it was a protest against Facebook credits taking 30% of the game developers' transactions in the future. The message is pretty clear: if Facebook wants money…
As far as privacy on FB goes… we know that there is no privacy, and all accounts can be hacked, at anytime, regardless how "secure" your passwords are.
Graham, your video report contains mistakes/lies. Mark Zuckerberg's personal page WAS NOT hacked. This was his public fan/brand page that for all we know hundreds of people had authorised access to.
His personal page is absolutely fine: http://www.facebook.com/zuck
Chillax dude and read our article 🙂 We do explain that it's possible that other Facebook staff may have been tasked with managing Zuckerberg's fan page.
Apologies for any confusion.
Unfortunately, Facebook has so far declined to comment – so we don't know who was in charge of managing that page or how the hack occurred.
I was talking about your scaremongering video, not this article (written by Paul Ducklin). In the video you state it was ‘his personal page’. IT WAS NOT HIS PERSONAL PAGE.
Dude, why don’t you ‘chillax’ yourself and stop posting scaremongering videos? How hypocritical can you be?!
Exactly, you don’t know what happened, so why are you bothering to comment on it?
Crumbs – there's no need to keep shouting.
If you recheck the video you'll see I already updated it with an annotation apologising for saying "personal" page and that I should have said "fan page" instead. I did that after your initial post.
Again, I'm sorry for making that mistake and hope you'll forgive me.
There's no need to scaremonger like this, yet you do it anyway. I was shouting because you didn't read my previous message where I referred to your video, not the article above, and assumed I was talking about the article when I clearly wasn't.
Sorry but no, updating the annotations doesn't really help, as most people watching will just listen, and may not even be looking at the video at all as they hear your voice. You should update the soundtrack, or ideally just delete the whole thing as it's based on very few facts at all.
The whole thing is presented in a way where you are trying to suggest that Mark either irresponsibly used his account (allowed his password to be sniffed), which is noteworthy because of his position, or that if a fan page about him can get hacked, anyone's own personal profile pages could get hacked too. Without knowing what exactly went on here, I feel it is irresponsible to try and link all this together in the way that you have, especially in the quotes of yours on the Telegraph site and other publications. Obviously you have a vested interest in raising interest in Internet security though, so it's fairly obvious why you're doing it…
You've already reported that another high-profile fan/brand page got hacked – perhaps it was just the same bug that allowed both to happen and has nothing to do with Mark's personal security attitude at all. This kind of speculation is especially damaging as most people don't really understand how all this works, and you're sending out messages that may be completely false.
In full disclosure, Dave is a Facebook app developer, so he presumably benefits mightily from the holier-than-thouness of Facebook, as well as the number of people who remain ignorant of the inner workings of Facebook.
I know Graham, and I know that the good bloggers at Sophos are passionate about protecting people because it's the right thing to do, not just financially motivated.
Perhaps, Dave, as someone who has kept these very strange bedfellows for a very long time, you've had a bit too much of their Kool-Aid. Lay off the stuff. It's not good for you.
Hello anonymous person – why don't you have an identity? Do you have something to hide? In fact, the same goes for virtually everyone commenting on here except Graham himself.
Actually I benefit when people know the 'inner workings of Facebook' better, not worse, as people learn to work with it, not against it like Graham. And in any case, all I care about is the truth being publicised to the general public, not falsities.
It's one thing to try to protect people, but another one completely to exaggerate and even lie about what happened. This whole story is only a story because the page that was affected is about Mark Zuckerberg. That DOES NOT mean his own personal Facebook account was hacked at all, or that any other personal account has ever encountered this problem, yet that is the way this story is being put across.
In Graham's video, he gets a number of things wrong. He claims Mark had the movie made about him – of course not, he had nothing to do with it being made. He asks "Is the crown about to fall from his head?" and then admits "Well, maybe not" – hence blatant scaremongering (why say that at all if it's not true?). The audio then goes on to say "his own personal page on Facebook has been hacked" – which again is not true at all, and also "This isn't a message that Mark Zuckerberg posted on his account, someone else posted it up there" – yet nobody has posted anything on Mark Zuckerberg's account – this is just a fan page (that he possibly has nothing to do with)! He then admits that we don't know how the fan page got hacked (he claims it is Mark's own page – again, it is not), and speculates on various ways Mark might have personally caused this to happen, but doesn't at all address that it probably was someone else's fault and nothing at all to do with him. He then signs off saying that Facebook taking down the page about their CEO is 'enough to make you sweat', in a sneer-y tone – eh?! It's just deliberate propaganda to try to paint the service negatively – more scaremongering from Graham, unfortunately.
And then ironically, he tells people to join the Sophos Facebook page!
Graham/Sophos are clearly trying to cash in on every tiny problem that Facebook's massive and constantly evolving service encounters. But alas they have shown they are not Facebook experts, so it really would be better if they stick to what they know.
I fail to see how Graham and crew benefit that much from the Facebook press.
They don’t sell to consumers. In fact, Sophos even gives products away to them, as in the case of Mac AV.
You show up here and paint Graham as a biased source, when, as a Facebook app developer, you benefit even more directly from the party you’re trying to defend.
I have watched time and time again as others have been threatened by Facebook’s holey security, and the company doesn’t seem to care. But when the image of the company or its founder falls prey to one of these exploits, or their latest “feature” gets enough bad press, it gets fixed, or temporarily suspended, and fast. How many times does this have to happen before you have good reason to conclude that Facebook isn’t looking out for its user base, just itself? How much forgiveness can they give scammy app developers before you start to realize they’re more likely in cahoots with them than simply over-lenient?
How many times do you go crawling back to someone who abuses you before you realize “I’m sorry, it was a mistake and I’ll never do this again,” really means, “I’ll just semi-apologize and back off for a while, and then hit you again when you least expect it”?
If you need to have that much vigilance in a relationship, there’s no relationship, and you really just need to leave.
How you can so staunchly defend them, I can’t fathom, except that it keeps your conscience clear enough to keep coding apps for the platform.
Anyway, enjoy your KoolAid.
Sophos benefit because the public becomes more paranoid about Internet security and is more inclined to spend money on Sophos products. Whether or not they sell to consumers, if people are generally more paranoid, this will seep into the business world as well – people that run businesses, are people!
Yes, I benefit from a bigger user-base on Facebook – that's why I'm sticking up for it/them!
The company does care about security – they fixed the bug in this issue within a day or two. And just this month they announced both HTTPS support for the whole site, and improved security for app developers:
http://developers.facebook.com/blog/post/452 http://developers.facebook.com/blog/post/455
Facebook as a company runs on an agile model of moving quickly. Any trusted engineer can roll out code across all 60,000+ servers at the touch of a button if need be. However, it wouldn't be in their interest to deliberately upset their users with security leaks – they would clearly lose them as a result and that cannot be their goal. Nobody nor no company is perfect, but clearly no major damage has ever been done – or else people would have stopped coming back. Instead, monthly and daily active users stats continue to rise. Go figure!
P.S. Thanks for completely ignoring nearly all my points.
The whole point is, if someone really wants into your computer, they are going to get into it, whether it's the Government database, or some lowly FB troll who sits there and does nothing but play applications and change their status updates. It doesn't matter which software you use. Yes some might make you safer than others, but hell even condoms are only 99% effective. The only way to stay safe is to abstain. Never use a computer, never use a cell phone, never use any kind of technology. The minute you put any info anywhere, it's out there, if someone knows or even cares enough to try to find it. Everything we do on the computer leaves a little trail, like a slug leaving a coat of slime behind itself.
Sure there are programs that wipe that little slime trail away, but hey I am sure someone can hack those too.
I mean seriously, fear mongering. The only fear mongering I am suffering from is the lack of security measures in place by FB, I see more and more scams, viruses, and spam on the walls each day. I can only ignore the seeming lack of FB to do anything about it beyond shut down the very sites who try to educate the FB masses about these issues.
And as for the daily active users, LOL I know people who have ten accounts to play apps with, so not all of those people are real, lol. It was also winter in the United States when you posted that, it's cold, people stayed in. Once it gets warm the numbers will drop again.
Dave Nattriss <3 Mark Zuckerberg
I certainly love him more than Graham Cluley's needless scaremongering.
"He's had a major Hollywood movie maken about the way he founded Facebook" ??
I think you must mean "maded …"
Smirk. Yeah, hands up. I made the video at 2am and err.. stumbled.
And to be fair, Mark didn't have the film made at all. He was the only person in it not to be a part of it.
It's a bit silly actually, hacking into this particular account.
I understand it's a statement, but what statement are they trying to make? That a poor password can be hacked? That there's a system of micro-loans available to under-privileged individuals in 3rd world countries? That they're pissed off about banks loaning money?
None of this is really worth taking a lot of time on. Especially since it's not his real page, nor is it run by him but instead by a team of individuals who use it for updates, etc.
So really, meh.
His profile has been removed, but his Page is still live at: http://www.facebook.com/pages/Mark-Zuckerberg/683…
"Whatever happened in this case, it raises one more tough question: do you still trust Facebook with your online persona?"
I think this is a bit of a ridiculous question.
"Trusting facebook with your online persona" is like "trusting the finish of the exterior of your house to the builder" in that they have created a framework with all of the tools to manage your persona (house) securely, and presented you with a format for it; you are in control of it, and in charge of cleaning it up if it gets defaced.
Examine this sort of situation as if a person spraypainted graffiti on your property; you still have to clean it up. You might ask the police (Facebook) to locate a perpetrator to pay for the damages, but realistically, you're still responsible for maintaining it to your satisfaction (and in this case, the damage is generally much cheaper to repair).
Arguably, you can impose security measures with your page as with your house, and like with a house, ignorance of threats and solutions does nothing to make such threats (vandalism, in this case) go away. Only by educating yourself may you protect yourself.
But imagine that you bought a lock for your house and later found that it could be opened without a key (which is, as it transpires, a fair analogy for how the Zuck Hack happened). You probably wouldn't replace it with another lock from the same vendor, would you?
No, Paul, it's not the same. No personal Facebook page or Facebook account was hacked here, as far as we know.
What happened, to use the analogy, was that an office/shop (in this case, the one that represents Mark Zuckerberg as a public figure) had graffiti spray-painted on its wall. As far as we know, the lock to get inside the office or shop wasn't picked or broken – it simply had a small previously unknown vulnerability that allowed non-authorised parties to spray the graffiti, which has now (according to Facebook) been fixed.
And nobody's house got broken into in any case! Mark Zuckerberg's personal page, and as far as we know, the personal pages of over 600 million monthly active users of the site, were completely unaffected: http://www.facebook.com/zuck
(whereas the office/shop page is http://www.facebook.com/MarkZuckerberg)
Judge: Do you have anything to say before sentence is passed?
Prisoner: Your Honour, it was only a _small_ vulnerability. Really small. Tiny, even. And it was previously unknown.
Judge: Oh, that's OK then.
Um, since when would the people who built the building and look after its maintenance be legally responsible if it got vandalised?! The vandals (hackers) would be in the dock, not the leaseholders (Facebook).
It's interesting to see all your comments. My account was hacked into and my passwords changed. This was resolved by facebook the day before yesterday. I immediately changed the passwords once the account was reactivated, cleared my cache, ran virus checks etc. A day later, my account was hacked into again (probably by the same person). This time they entered my Zynga application and stole $552,000,000 worth of poker chips. There is financial fraud taking place here. With companies the size of Facebook and Zynga, you would think online security would be of high importance. It's ok to give advice stating change passwords regularly – but what does that mean = every five minutes? People become dependent on the social networking side and don't deserve to be treated this way. It's sad really..
Sounds like you're picking passwords that are easy to guess, or are using an unsafe connection, as Facebook will lock up if you brute-force attack an account.
Anyway, the good news is that they are now rolling out support for HTTPS log-ins. See http://developers.facebook.com/blog/post/452
That's right folks, Facebook *are* taking security seriously.
But apparently not seriously enough?
http://www.net-security.org/secworld.php?id=10553
LOL really, this plan has now been implemented. Did someone leave a few back-doors, or just went ahead and left the front door open on this one. I have never seen more spam and scams and people posting they got hacked, than in the last few weeks since this went into effect.
Seriously?
Safer LOL please continue, you make me laugh.
Thanks
My facebook was hacked a week ago, the hacker changed my e-mail, then of course the password. Facebook has not fixed my account yet, they blocked it. Not even sure if I still have an account! They will not contact me to let me know what is going on. I even gave them the e-mail account that took over mine. I got the e-mail because the hacker posted it on my facebook, and I got to see it just before facebook blocked my account. The part that confuses me is I did have my e-mail hidden, so how did the hacker get access to even be able to change it?
It's interesting learning what people expect from a free service.
My personal page was hacked. I need to know how to get it back!!!! plz
Wow. I am outraged by those comments. It seems nobody wants to understand the message from the *hacker*. Especially it's a ridicule for the author of this article.
Nobody understands? Really?!
That sounds terrific!
People, listen (and read), the message is clear! The founder of facebook claims (check official videos) that it is the concept to keep facebook free and for social purpose, to hold social values. On the other hand, a huge company is being financed by third parties – investors such as banks. Any stakeholder party is somehow lobbying its dependent beneficiaries, even if we are not seeing this directly. It could be that facebook gets financed only if it sticks to some values of its creditors (their missions, aims, strategies). No creditor would finance any project if it did not meet their aims.
Now, ask where the idea of holding social values (far from big commerce) gets placed in such a context? Anybody dared to read the actual message from the *hacker*? It contains a link to an interesting article.
Long story short: if Zuckerberg's idea of keeping only social values would be sincere, the company would be aimed at growing profits and dividends. People who have accounts would contribute to finance the idea, expecting no financial gains. Wouldn't you contribute a few bucks if you knew the facebook would bring you an advantage and won't big fishes benefit from your reading ads?
Er, what the author of the article was trying to point out was not the message which was posted, _but that it was posted at all_.
And, to be fair to the author of the article (who is not impressed by your use of the word "ridicule", by the way), the entire message of the hacker was published in full.
I'm not a social scientist (thank goodness), so I am not interested – here, at least – in guessing whether people would invest in Facebook if Zuckerberg was a completely different sort of person, and Facebook a completely different sort of organisation.
But I am interested in knowing what breaches of this sort do to people's trust in Facebook to keep their data secure.
(That's why this site is called Naked Security, rather than Naked Social Business.)
Dear Paul,
apt remarks from you! It's right, I did not pay attention to the subject of this site as a whole (which is rather about security issues than politics or business). I just was directed here from a brief on a different site. (In fact, I was curious to see the actual message from the hacker, which you honestly posted here).
To be clear, I don't support such behaviour. I think the hacker should be punished for what he actually did, i.e. cracking the security system on fb.
What made my reaction was other people's comments, where nobody seemed to think of the real message.
In fact, facebook is so powerful in its size and influence, that it is not an easy task to distinguish between simply technical issues (e.g. cracking the site) and social message (/meaning).
In this particular case, I thought it was over simplistic just to come down to technical matters only. In fact, what real damage was done? Any leakage of personal data? or other? we don't know…
All this is worth considering IMO.
PS. apologies, in my previous message there should be "wouldn't be aimed at" in last paragraph.