Facebook owns up – admits network breached, blames “Java in the browser”

There’s a scene in the movie The Social Network where Mark Zuckerberg is arguing with Eduardo, his CFO.

Eduardo’s just frozen Facebook’s bank account.

The plan is to get Zuckerberg’s attention and to try to get Zuck back on what Eduardo thinks is the straight and narrow.

But Zuckerberg is irate.

He thinks it might end up with an unpaid bill and thus a network outage, and that won’t do!

Zuck rants:

Let me tell you the difference between Facebook and everybody else: WE DON'T CRASH EVER!

It’s only a movie, of course.

In real life it’s not true that Facebook never goes down, but when you consider its size and the online activity it supports, Facebook’s uptime and availability is astonishing. Stellar. Intergalactic, even.

The movie version of Zuckerberg goes on to explain:

If the servers are down for even a day, our entire reputation is irreversibly destroyed. Users are fickle... Even a few people leaving would reverberate through the entire user base.

But what about getting owned by hackers?

What effect do you think that might have?

If you’re the world’s biggest social network, and if collecting, storing and using other people’s personal information is your bread and butter?

Hold your horses, because we’re about to find out.

Facebook just published an article entitled Protecting People On Facebook, and it doesn’t cover what you might at first expect when you see the title.

Sure, it starts upbeat enough:

Facebook, like every significant internet service, is frequently targeted by those who want to disrupt or access our data and infrastructure. As such, we invest heavily in preventing, detecting, and responding to threats that target our infrastructure, and we never stop working to protect the people who use our service.

But that’s followed by a hint of what’s coming next:

The vast majority of the time, we are successful in preventing harm before it happens, and our security team works to quickly and effectively investigate and stop abuse.

And then the bombshell. OK, not really a bombshell. Let’s be fair and say it’s actually a pretty candid admission for which the company deserves at least a nod of respect:

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops.

Later on in the article, Facebook claims that it has “found no evidence that Facebook user data was compromised,” and for what it’s worth, I’m willing to accept that claim.

Update. In an interview with Ars Technica, Facebook CSO Joe Sullivan has admitted that the crooks made off with information from the laptops themselves. (“What you typically find on an engineer’s laptop, including corporate data, e-mail, and some software code.”) But despite being able to get “some limited visibility” into Facebook’s production systems, Sullivan confirmed that a forensic review found no evidence that the crooks got away with any data off those systems. Close, in a word, but no cigar. (Added 2013-02-16T22:11Z)

The crooks had a Java zero-day at their disposal, and this exploit let them infiltrate Facebook’s network and inject malware.

But the company says it was fully patched and anti-virused, and it sounds as though the malware that followed the exploit was quickly spotted and cleaned up, with no lasting harm done.

Just one suggestion to Facebook developers: why not read Naked Security?

We’ve given you loads of good reasons to turn off Java in your browser, starting from the middle of last year.

That alone could have side-stepped this problem.

Even just using a browser with click-to-play (so that Java and Flash applets, amongst others, can’t launch quietly in the background from compromised websites) would surely have been enough.

I’m guessing now, but I’d be very surprised if the mobile developer website alluded to above actually required Java, so there would have been no reason to have Java turned on for that site.

Similarly, the mobile developer website could have considered using outbound web or packet filtering to block the egress of Java applets if, indeed, its site was never supposed to serve them up in the first place.

→ IPS technology is usually thought of as a way to keep bad guys out, not least because it stands for intrusion prevention system. But most decent IPSes work bidirectionally, and can act as effective EPSes, or exfiltration preventers, too. You filter email for spam both ways (don’t you?), because you can, and because it makes sense. The same applies with network traffic in general. If the bad guys have already got in, you may as well stop them getting back out as well!
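As an added illustration of the outbound filtering idea above (this is example code, not from the original post, Sophos or Facebook), here is a small Python egress check that flags web responses carrying Java applet content on a site that is never supposed to serve any, plus a retrospective scan over constructed access-log lines for applet files that were actually handed out. The MIME-type list, the combined log format and the sample lines are assumptions.

```python
import re

# MIME types and extensions that mark Java applet / Web Start content (assumed list).
JAVA_MIME_TYPES = {
    "application/java-archive", "application/x-java-archive",
    "application/x-java-applet", "application/x-java-vm",
    "application/java-vm", "application/x-java-jnlp-file",
}
JAVA_EXTENSIONS = (".jar", ".class", ".jnlp")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every .class file starts with these bytes
ZIP_MAGIC = b"PK\x03\x04"           # a .jar is a ZIP archive, normally with META-INF/ first


def is_java_applet_content(path: str, content_type: str, body: bytes) -> bool:
    """Egress decision for one outbound response: True means block (or alert).
    Looks at the declared MIME type, the URL extension and the payload's magic
    bytes, so a jar served under a misleading content-type is still caught."""
    ctype = content_type.split(";")[0].strip().lower()
    bare_path = path.split("?")[0].lower()
    if ctype in JAVA_MIME_TYPES or bare_path.endswith(JAVA_EXTENSIONS):
        return True
    if body.startswith(CLASS_MAGIC):
        return True
    # Unexpected ZIP whose first entry is META-INF/: almost certainly a jar.
    return body.startswith(ZIP_MAGIC) and b"META-INF/" in body[:1024]


# Combined-format access log: capture request path and response status.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def served_java_files(log_lines):
    """Retrospective check: return the log lines where the server actually
    (2xx) delivered a Java applet file it was never meant to host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or not m.group("status").startswith("2"):
            continue
        if m.group("path").split("?")[0].lower().endswith(JAVA_EXTENSIONS):
            hits.append(line)
    return hits


# Constructed sample log lines (not real traffic); only the second one is a hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Feb/2013:10:01:02 +0000] "GET /docs/sdk.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [15/Feb/2013:10:01:07 +0000] "GET /img/Loader.jar?v=2 HTTP/1.1" 200 18332',
    '198.51.100.7 - - [15/Feb/2013:10:02:11 +0000] "GET /old/Applet.class HTTP/1.1" 404 212',
]

if __name__ == "__main__":
    for hit in served_java_files(SAMPLE_LOG):
        print("unexpected applet served:", hit)
```

The 404 line is deliberately not reported: a request for an applet that was refused is worth noting in a real deployment, but the scan above answers the narrower question of what actually left the server.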

Having said all that, it remains for me to ask. You have turned off Java in your browser, haven’t you?

If not, here you are: How to turn off Java in your browser.

And fear not that you will break JavaScript: Java is not JavaScript.