Facebook Wins at the Oscars, Fails at Security

The Oscars are over and the film about Facebook, The Social Network, won three awards. Pretty good – I saw the movie and thought it deserved a few gold statues.

But just as I was getting ready for the Oscar weekend, I received the following email from Facebook:

From: Facebook
Sent: Friday, February 25, 2011 1:17 PM
To: Eric Byres
Subject: Joe Smith posted on your Wall.

Joe wrote:
"Hey Eric, is this you? LOL Embarrassing! http://apps.facebook.com/cafidit/"

Reply to this email to comment on this post.

Thanks,
The Facebook Team

Now a normal human being would probably have clicked on the link to see what was so embarrassing. Joe Smith (not the person’s real name, of course) is a senior engineer at a major oil company. So something embarrassing could be bad for business and would need immediate attention.

And why not? The email really came from Facebook and the URL domain in the link is a real Facebook domain.

Fake Facebook login page

The trouble is, if you click on the link, you are redirected to a very realistic but fake Facebook login page. When you “log in”, the bad guys grab your Facebook username and password. Then they forward you and your login details to the real Facebook page so you don’t notice a thing. A few minutes later they log into your account and send the same phishing message to all your friends, grabbing all your friends’ names and passwords as they click on the link.

Creating this sort of phishing scam is trivial – so trivial that there is a seven-step guide on the site How To Phish Facebook!

What the bad guys do with your Facebook name and password is varied. A popular option is called the London Scam, where they use your account to rob your friends (for a particularly funny account of this see London scam). The hackers could also start to try that password (and close variations of it) against other network accounts they can associate with you.

There is some money in hacking a Facebook account, but big $$$ in using that to get to a PayPal or eBay account. (FYI this is known as the password reuse problem and is a big issue. See Password Reuse – Control Networks Double The Risk for my rant on this topic, and a link to a brilliant cartoon on the subject.)

Now I am as paranoid as they come, so I didn’t click. Instead I logged directly into Facebook to see my wall. Then I looked at Joe’s wall. The fact he had sent the same message to all his friends in under a minute had me more than a little suspicious.

So I started a virtual machine (VM), logged into Facebook again and clicked on the link. Sure enough, even though I was already logged into Facebook, I was asked to log in again. The login page looked identical to Facebook's, but the URL in the address bar was wrong: it pointed to a site in Russia.
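The two tells in the story above (a link that starts on a real Facebook domain and lands on a lookalike host, and a password prompt appearing although the browser session is already logged in) can be turned into a mechanical check. The following script is an added example, not code from the post or from Facebook; it assumes the redirect chain was already captured in a sandbox VM as a list of (URL, HTTP status) pairs, and the offsite hostnames it uses are constructed placeholders on the reserved .invalid TLD. Note that trusted-domain matching is done on dot boundaries, so a lookalike such as facebook.com.something.invalid is rejected.

```python
from urllib.parse import urlsplit

# Domains whose login pages we accept as genuine. Constructed for this example;
# a real deployment would keep one such list per service it watches.
TRUSTED_DOMAINS = ("facebook.com",)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_trusted_host(host, trusted_domains=TRUSTED_DOMAINS):
    """Return True only if `host` is a trusted domain or a subdomain of one.

    Matching is done on dot boundaries, so lookalikes such as
    'facebook.com.example.invalid' or 'notfacebook.com' are rejected.
    """
    host = (host or "").lower().rstrip(".")
    for domain in trusted_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def audit_redirect_chain(chain, trusted_domains=TRUSTED_DOMAINS):
    """Walk a redirect chain captured in a sandbox and find where it leaves trusted ground.

    `chain` is a list of (url, http_status) pairs in the order they were fetched;
    every redirect status is followed by the URL its Location header pointed to.
    Returns (first_offsite_index, final_url); the index is None if every hop
    stayed on a trusted domain.
    """
    if not chain:
        raise ValueError("empty redirect chain")
    first_offsite = None
    last = len(chain) - 1
    for index, (url, status) in enumerate(chain):
        host = urlsplit(url).hostname
        if first_offsite is None and not is_trusted_host(host, trusted_domains):
            first_offsite = index
        # A non-redirect status may only appear at the end of the chain.
        if status not in REDIRECT_STATUSES and index != last:
            raise ValueError("hop %d returned %d but the chain continues" % (index, status))
    return first_offsite, chain[-1][0]


def assess_link(chain, already_logged_in, final_page_asks_for_password,
                trusted_domains=TRUSTED_DOMAINS):
    """Combine the observations into a verdict string and a list of reasons.

    Indicators: the landing page is hosted off the trusted domain although the
    link started on it, and the page asks for a password while the session is
    already authenticated.
    """
    reasons = []
    first_offsite, final_url = audit_redirect_chain(chain, trusted_domains)
    final_host = urlsplit(final_url).hostname
    if first_offsite is not None:
        reasons.append("hop %d leaves trusted domains: %s" % (first_offsite, chain[first_offsite][0]))
        if first_offsite > 0:
            reasons.append("link starts on a trusted host and redirects away from it")
    if final_page_asks_for_password and already_logged_in:
        reasons.append("asked to log in again although the session is already authenticated")
    if final_page_asks_for_password and not is_trusted_host(final_host, trusted_domains):
        reasons.append("password form served from %s" % final_host)
    verdict = "likely credential phishing" if reasons else "no phishing indicators"
    return verdict, reasons


# Constructed sample: a link on a real app subdomain that bounces to a lookalike
# login page. The offsite hosts are placeholders on the reserved .invalid TLD.
SAMPLE_CHAIN = [
    ("http://apps.facebook.com/cafidit/", 302),
    ("http://facebook.com.login-check.invalid/fb/", 302),
    ("http://facebook.com.login-check.invalid/fb/login.php", 200),
]

if __name__ == "__main__":
    verdict, reasons = assess_link(SAMPLE_CHAIN, already_logged_in=True,
                                   final_page_asks_for_password=True)
    print(verdict)
    for reason in reasons:
        print(" -", reason)
```

The chain itself has to come from a throwaway VM or a URL-detonation service, never from the user's own browser; the script only judges what was captured there.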

So I immediately contacted Facebook through their anti-fraud system. And I emailed my friend advising him to change all his passwords.

Facebook Customer Service:  No Disclosure of Phishing Problems

Now this is the part that bothers me…

I thought that Facebook would have sent a warning to everyone involved. Facebook never contacted my friend. They never contacted any of his friends, including a number who had swallowed the bait. Facebook just quietly disabled the phishing attack, hid the offending wall postings and left their clients to fend for themselves. The attackers still have all the account details. I bet they had a new Facebook login site up in a few hours, phishing for new victims. Nice.

So what does this have to do with ICS security? On the surface, little: certainly I hope no one has Facebook connected to their SCADA system.

But look a little deeper and there are a number of reasons the ICS world needs to be concerned. For starters, my friend was a senior engineer in the ICS business, so I trust emails and posts from him. And had the attack been a little more subtle or targeted, anyone could have bitten. For example, "Hi Eric, seen this morning’s ICS-CERT emergency report on the new PLC vulnerabilities? – they are nasty! Here is the link:" And if I clicked it I might have downloaded something like an infected PDF file. Who knows where that file might end up?

Disclosing Vulnerabilities Applies to ICS Vendors too

The other message to the ICS community is that poor disclosure policy is a risk to everyone. If vendors in any field know there is a vulnerability or an exploit for their product, they need to inform their clients immediately. Whether they need to inform the whole world is a debate for another day, but leaving clients in the dark is wrong.

And end-users need to make disclosure a part of their purchasing requirements. Only when clients demand disclosure will the industry provide it.

Had a bad (or good) experience with security disclosures? Tell us about it and maybe we can all make disclosure processes work a little better.

 
