Saturday, January 29, 2011

Facebook: Social Giant Under Attack

How secure is Facebook?  Security and privacy may be a fatal flaw to this social giant.

What do the President of France and the CEO of Facebook have in common?  They have both had their Facebook accounts hacked.

On or about January 24, 2011, President Sarkozy of France made an interesting announcement: he was not running for reelection.  380,000 people "liked" this on Facebook.  There was only one problem.  He never posted this announcement.  It was posted by a hacker who broke into his account.  The French used was horribly bad in its grammar.  But the point was made.  Security is a dynamic thing.  It is ever changing.  What worked to protect you last month may not be enough this month.  This is true for people; it is true for networks.

It is not surprising that Facebook should be attacked by hackers so much.  There are 500 million people on it.  That statistical fact attracts the part of the hacking community that is particularly criminal.  If one looks at YouTube, there are literally hundreds of methods demonstrated on how to hack someone's Facebook account.  We will show just a couple.  If you cannot see the embedded video here is the link:

Facebook's Reaction to Hacking Attacks
Facebook has responded with two security features it should have had a long time ago: a secure way to log on using HTTPS, and "social authentication."  Using HTTPS lets users log on over what is called Secure Sockets Layer (SSL).  The advantage of this method is that it makes electronic eavesdropping much more difficult.  It uses what is called a digital certificate to authenticate the site that is being logged into.  Is this method completely secure?  No.  It can still be compromised, as the article in Wikipedia explains:
The point of the server's SSL certificate is to ensure that the server you are talking to is in fact the server you think you are talking to. Some certificate types have better checking of the applicant's claims than others and so provide a greater confidence of this. Unfortunately this information is only of use if it's communicated to the user, which is something browsers have traditionally been bad at (though I've noticed Firefox is now displaying company names in the address bar for some certificate types).
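As an added illustration of the quoted point (this is not code from the original post or from Facebook), the Python below takes a certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()` and reports the two things a user would need to see: whether the certificate names the host being visited, and whether it carries a validated organization name. The host names, the organization and both certificates are constructed sample values.

```python
# Added example. DV_CERT and OV_CERT are constructed sample data in the shape
# returned by ssl.SSLSocket.getpeercert(); nothing here touches the network.
# Chain validation (is the certificate signed by a trusted CA?) is assumed to
# have been done already by the TLS library; this only inspects the names.

DV_CERT = {  # domain-validated: the CA only checked control of the domain
    "subject": ((("commonName", "login.example.com"),),),
    "subjectAltName": (("DNS", "login.example.com"),),
}
OV_CERT = {  # organization-validated: the CA also checked the applicant
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Social Inc."),),
        (("commonName", "*.example.com"),),
    ),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def name_matches(pattern, host):
    """Match one certificate DNS name against the host the user asked for.

    A '*' is honoured only as the whole left-most label and never spans a
    dot, so '*.example.com' covers 'www.example.com' but not 'a.b.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # refuse over-broad wildcards such as '*.com'
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def server_identity(cert, host):
    """Return (host_matches, organization_or_None) for a parsed certificate."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    host_matches = any(name_matches(n, host) for n in dns_names)
    return host_matches, subject.get("organizationName")


if __name__ == "__main__":
    for cert, host in ((DV_CERT, "login.example.com"),
                       (OV_CERT, "www.example.com"),
                       (OV_CERT, "www.example.com.evil.test")):
        ok, org = server_identity(cert, host)
        print(f"{host}: name match={ok}, organization={org or '(none, domain-only)'}")
```

A name match with no organization means only that someone who controls that domain obtained the certificate, which is the weaker level of checking the quote refers to.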
The other security system that Facebook speaks about, social authentication, has the user answer questions about the identification of friends or about personal information that Facebook has in its data banks.  This security would stop bots or amateurs, but people who are seeking to commit identity theft would most likely have that personal information already.  These features, which were the result of government hacking attacks on the entire nation of Tunisia, will be rolled out to all users in the next several weeks.

These security measures will NOT make Facebook invulnerable to hack attacks, but they will at least make them harder.  Facebook again faces the serious challenge of performing a tightrope act.  It must keep the interface simple and easy to use (which is what has encouraged so many to use it), and it must increase the sophistication of its security, as well as its features. So far, Facebook has not done well in either area.  We will see if it can.
