47717768
Premium
join:2003-12-08
Birmingham, AL
kudos:2

Facebook Hit By Malware Exploit

This latest attack occurred when a handful of the social network's employees visited a mobile developer website that was compromised, the company reported.
»www.eweek.com/cloud/face ··· ffected/


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:18
Reviews:
·Bell Sympatico
See my notes in reply to antdude
»Re: Facebook Says Its System Was Compromised In January
Facebook statement:
»www.facebook.com/notes/f ··· 08250766
quote:
Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.

"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6

1 recommendation

I don't quite understand. The Facebook employees IGNORED the Java popup warnings? Or did they think they were immune so they didn't bother to put the slider to highest or (in the latest Java where Oracle has defaulted to highest) they turned it off?

It sounds to me like Facebook employees just didn't bother with practicing safe hex.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:18
Reviews:
·Bell Sympatico
It would seem Facebook is doing some finger-pointing at employees.

Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware. In an exclusive interview with Ars Technica, company officials said that the attack did not expose customer data, and it was contained to the laptops of a small number of Facebook engineers. But other companies who were affected by the same hacking campaign may not have been so lucky.

--
Canadians reserve the Right to - Arm Bears

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6
reply to 47717768
This made the 10PM Hawaii News Now joint news cast on the local CBS and NBC affiliates in Honolulu a few minutes ago. I couldn't believe it.

redwolfe_98
Premium
join:2001-06-11
kudos:3
Reviews:
·Time Warner Cable

4 edits
reply to Mele20
said by Mele20:

I don't quite understand. The Facebook employees IGNORED the Java popup warnings?

do a google-search for "java vulnerabilities" and read a few of the multitudinous articles about java-vulnerabilities and then, finally, you will understand..

the "popup-warnings" were not activated in java 7.10 and, when they were activated, in java 7.11, they didn't work, not when using IE.. supposedly that bug was fixed in java 7.13, but who knows..

it bugs me to hear you say that you don't understand people's computers getting infected with malware via vulnerabilities in java, as if there is no problem with java.. please quit saying that every time there is a new report of computers being infected with malware via vulnerabilities in "java", as if there is no problem with "java"..

you say that they must have had java's security-features disabled.. no, the security-features didn't work, not to mention the 50+ security-holes that java had.. if the security-features had worked, you would be hearing about that rather than hearing about more malware-infections via vulnerabilities in java..

p.s. "safe hex" = 1. no java installed 2. use "firefox" (latest build) with the "noscript" addon

Velnias

join:2004-07-06

2 recommendations

reply to 47717768
Java = Just Another Vulnerability Announcement


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

1 recommendation

reply to 47717768
[image attachment]

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6
reply to redwolfe_98
I didn't read anywhere what browsers they were using. I would never have thought engineers were stupid enough to use IE... especially IE that has Java installed on it and not even disabled (since once it is installed on IE it cannot be removed completely ever). I gave them some credit for not being naive "home" users. If they were really using IE then I'll pour even more scorn on them.

I did read that this happened in January but I did not read what day so how could you possibly expect me to know which version of Java they were using? For all I know, maybe they didn't bother to use the current version of Java much less configure the slider ...IF the version they had did have the slider.

As for whether or not they had the first version with the slider, and that was the current version when they visited that site, and they had configured the slider, yes, it didn't work perfectly...however, where did you learn that they were using that version of Java with the slider configured for high safety? Even if this was proven all true, the popup DID OCCUR ON IE 10 on Win 8 (and wouldn't engineers have the latest OS and latest version of IE with all its patches)? The popup did not stop Java from eventually loading on IE 10 UNLESS you read the popup and acted quickly. The popup did work as long as you were paying attention. (I know because I used it on all my browsers when it first came out so I know how IE 10 responded). I posted about it and I recall there was almost no interest in or comment about the new slider until much later which I thought was strange since this is a security forum. All anyone seemed to want to do was criticize Java and I got the distinct impression that I was ruining some folks fun because I mentioned a new security measure in Java instead of ranting about Java like everyone else here seems to do.

So, did you read that they said the popup worked but their attention was not on their screens so they didn't notice the popup and because of the bug (which was fixed in the second version of Java that has the popup) and NOT paying proper attention they got infected?

It sounds like laziness and refusal to practice safe hex to me if they used IE and were not super vigilant at all times. I've never claimed that Java doesn't have a lot of vulnerabilities but what does that have to do with this specific incident? It still boils down to being up to date and practicing safe hex at all times and then they would have seen the popup and if they had acted immediately the popup was effective and then was fixed fully in the next version. I was confused because engineers should be the ones to always practice safe hex and never use IE unless they were forced to use it to program Facebook for it and those things I don't know and so OF COURSE I was confused. Any person who frequents a security forum would have been confused for the reasons I mentioned unless the news accounts they read were far more detailed than the ones I read where the information was grossly inadequate.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

HELLFIRE
Premium
join:2009-11-25
kudos:21

2 recommendations

reply to 47717768
In my experience, IE is the browser of choice in the enterprise arena, simply because security-wise it can be locked
down with Active Directory Group Policy. In fact, in a lot of places I support, browsers like Firefox, Chrome, etc. are
considered "unauthorized / unapproved software;" oftentimes alt browsers fix what issues users are having, but
some pointyhead who makes a lot more than I declared "IE or nothing." Perfect Catch-22.

My 00000010bits.

Regards


47717768
Premium
join:2003-12-08
Birmingham, AL
kudos:2
said by HELLFIRE:

In my experience, IE is the browser of choice in the enterprise arena, simply because security-wise it can be locked
down with Active Directory Group Policy. In fact, in a lot of places I support, browsers like Firefox, Chrome, etc. are
considered "unauthorized / unapproved software;" oftentimes alt browsers fix what issues users are having, but
some pointyhead who makes a lot more than I declared "IE or nothing." Perfect Catch-22.

My 00000010bits.

Regards

Say what again? You must be joking.


norwegian
Premium
join:2005-02-15
Outback
kudos:1
said by 47717768:

Say what again? You must be joking.

It is still the norm for large business.


47717768
Premium
join:2003-12-08
Birmingham, AL
kudos:2
Oh. Now I see what HELLFIRE is saying. At first I thought he was talking about end users.


norwegian
Premium
join:2005-02-15
Outback
kudos:1
reply to 47717768
Has anyone heard any more on this?

After my comment in the other topic here and a few other things a little odd at the time, I'm wondering what it was all about.

Can anyone confirm they need the same domain now to view pages... not that I do a lot there, it was just an easy way to find old friends.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


redwolfe_98
Premium
join:2001-06-11
kudos:3
Reviews:
·Time Warner Cable

4 edits
reply to Mele20
said by Mele20:

It still boils down to being up to date and practicing safe hex at all times and then they would have seen the popup and if they had acted immediately the popup was effective and then was fixed fully in the next version

here is one article that discusses issues with java 7.11:

»blogs.computerworld.com/ ··· 1?page=0

the bugs, where the popup-warnings failed to work and where unsigned java applets were allowed to run freely were later confirmed by US-CERT:

»www.kb.cert.org/vuls/id/625617

(look at "notes", under "disable java" )

then, when examining java 7.11, adam gowdiak found that it was far worse, with his "issue 53", where all java applets, whether signed or not, were able to run freely in all browsers, regardless of any of java's security-settings that were used:

»seclists.org/fulldisclos ··· /Jan/241

»web.nvd.nist.gov/view/vu ··· 013-1489

it has been speculated that it was this "issue 53"-vulnerability that was exploited in the most recent incident involving some of the facebook employees..

regarding the issues with the popup-warnings, in java 7.11, which were discovered by michael horowitz, at "computerworld", and later confirmed by US-CERT, if you read the related articles, in order for the bugs to start causing problems, one first has to disable "enable java content in the browser", in java's security-settings, and, then, re-enable "enable java content in the browser".. so, as you said, when you tested java's new popup-warnings, they worked for you.. they would work unless one had disabled "enable java content in the browser" and then re-enabled "enable java content in the browser"..

then there is "issue 53" where any java applets were allowed to run, with no popup-warnings, and regardless of any security-settings that were used..

so, finally, after facebook reported to oracle that their computers had been compromised via vulnerabilities in java, oracle addressed the problem with java 7.13, which supposedly included fixing the bugs where the popup-warnings were not functioning as they were supposed to, not when using IE..

said by Mele20:

It sounds like laziness and refusal to practice safe hex to me if they used IE and were not super vigilant at all times

and that is why it bugs me to hear you say "you don't understand" someone's computer being infected with malware via vulnerabilities in java, because you make it sound like there is something wrong with the people whose computers were infected rather than there being something wrong with java..


Khaine

join:2003-03-03
Australia
reply to 47717768
Apparently the same group also hacked employees of Apple and Twitter. See »allthingsd.com/20130219/ ··· y-hacks/