Facebook Hacks Points To Much Bigger Threat For Mobile Developers 59
DavidGilbert99 writes "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised. However following some investigation by security firm F-Secure, it seems this could be just the tip of the iceberg and that thousands of mobile app developers without the dedicated security team Facebook has in place could already be compromised. The vector for the attack was a mobile developer's website, and the malware used likely targeted Apple's Mac OS X rather than Windows."
Comment removed (Score:5, Informative)
Re:Not just mobile (Score:5, Interesting)
F-Secure have been trying their damndest to scare people into buying their garbage for Macs, so they'll take any opportunity they can get.
yeah.. having now read it, the investigation uses proof of macs that fb had a mac on a promo picture of their security team(showing some powerpoint or keynote).
that's not an investigation, it's gossip.
Developers with Java applets enabled in browsers? (Score:2)
Re: (Score:2)
Re:Yes (Score:5, Funny)
OMG. Are you saying that there are developers who use only one browser for everything?
Re: (Score:1)
I develop in Java, but it's all server-side. Most of the Java developers I know of are either server-side or mobile.
Unless you're actually developing applets, why would you want them enabled?
Re: (Score:2)
Curious (Score:5, Insightful)
"Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"
Can a hacker really compromise user data any more than the user that freely gave it away?
Re:Curious (Score:5, Insightful)
"Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"
Can a hacker really compromise user data any more than the user that freely gave it away?
By hacked, facebook means, freely given user data was stolen without our tithe.
What development website was infected? (Score:2)
I'm an iOS developer, and frequent some development websites - but none I go to use Java. Does anyone know what site is affected? It seems like that would be REALLY useful to know to know if you were potentially impacted.
It's a good thing macs ship without Java by default now, that probably protected a lot of people.
Re: (Score:2)
If it's in the news, you can probably assume that the treat's been neutralized, however, the advice is to check your source if you've visited a mobile dev. site in the past couple of months, which on your profession would be everybody. However, interestingly enough I can't seem to find any mention of specific mobile dev sites. Do check your hosts file though for rouge entries.
That's way too broad (Score:3)
however, the advice is to check your source if you've visited a mobile dev. site in the past couple of months,
That's kind of bad advice though. It covers way too many people.
I don't even have Java installed so I don't need to check anything, as far as this story goes... but it would be really good to know what site EXACTLY was the cause of the problem so we'd know to look out for other ways the site may have been exploited if we visit. I mean, is every mobile developer on the planet now supposed to change
Re:What development website was infected? (Score:4, Funny)
Do check your hosts file though for rouge entries.
The mauve and pastel entries are usually legit though!
Also, more is involved host files compromised... (Score:2)
Do check your hosts file though for rouge entries.
This is another thing that just doesn't add up. Lets say I did have Java installed, and visited this rogue site. Ok then, how did my hosts file get changed? I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.
To me it seems way more likely that it's not just any developer at risk, but that it was a very targeted attack on small groups of de
Re: (Score:3)
Ok then, how did my hosts file get changed?
Privilege escalation, arbitrary code execution.
I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.
That point is moot if the exploit doesn't require any interaction.
Re:Also, more is involved host files compromised.. (Score:4, Insightful)
Privilege escalation, arbitrary code execution.
But now you aren't talking Java exploit. You are talking an OSX exploit too. Not impossible, it's just not mentioned at all. It would imply a flaw in OS X that we'd very much like to know about also, yet it's not discussed.
That's the all-around problem, the reporting is incredibly shoddy. Is it just Android developers at risk? Just IOS developers? All Mac users because of a new OS X privilege exploit? We are all in the dark with the article as it was, to the point where we can't tell anything.
Re: (Score:2)
You folks realize that the JVM or any anything of that nature is going to require execute right?
Why's this significant you ask? Cause once the JVM's been exploited an attacker can run just about anything the JVM can, probably through the jvm itself.
Execute is not privilege (Score:2)
You folks realize that the JVM or any anything of that nature is going to require execute right?/eM.
Yes, we ALL know that.
But it doesn't matter for what I was saying. I don't have write access to /etc/hosts, therefore neither does Java in a browser (or anywhere else I run it).
Yes it can do anything else in my home directory but I was warned to "check my hosts file". But why, when the only exploit mentioned is Java and that does not have permission (without an OS X exploit) to modify /etc/hosts.
Re: (Score:2)
That's the thing with slashdot articles, they refer to it as a JAVA exploit... so in the world of security there is no 1 magic key master king exploit that does everything in one step. Things happen in series: Java gets exploited, access to the system is gained: and then something else is run to escalate privilege or gain access to an account, or simply report information. So via the Java exploit, "payloads" get delivered, which can do things like write to the hosts file. Consider how a lot of scareware
How many devs understand security? (Score:2, Interesting)
Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?
Before reading Hacking & securing iOS Applications, the vulnerabilities were
Re:How many devs understand security? (Score:5, Interesting)
If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications [barnesandnoble.com] was eye opening - and how many devs read it?
Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?
Before reading Hacking & securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.
huh, wtf you're smoking? any app you give away to be run in users computers is suspect to the user modifying it. ain't no platform security that works out there. so that book is one big pile of snake oil(of course securing the communications between you and the user to some degree is important.. but you shouldn't blindly trust that information that the client is sending). it's kind of useless to encrypt the "registered or not" db you're using when the key is there in the program. of course platforms have varying degrees of difficulty for people to hack(j2me and non-ndk android being on the easier side, of course).
but the basic idea that you could just trust the client to keep iap information etc secure is just.. stupid. same goes for pc drm of course and this is why diablo and the new sim city are moving game logic into the servers so what the user has becomes just dumbed down client, so hacking it doesn't give access to the sweets.
Re: (Score:2)
has no relevance to what I wrote
WHAT FUCKING SITE?!?!? (Score:4, Insightful)
Can't be that hard to tell! sure it might screw the site over 34023 over but fuck... could just post it.
without the site name this is just f-secure doing what it usually does - astroturfing! I mean there's literally NO NEW INFORMATION. ok, perhaps it's new information that it was java that was used as applet that was used as attack vector.
Re: (Score:2)
It's like those news website articles with misleading title (or question as title) hotlinks to entice you to visit the article. The more page hits, the more advertizing sold. Only in this case, they're trying to generate hits on F-Secure's website. If that's your intent, you cannot give away information up front. It would defeat the purpose.
I suppose it helps t
Re: (Score:2)
I suppose it helps to get angry at them (if they hear about your anger somehow). It lets them know that their teasing technique isn't building the sort of goodwill that could result in a customer, at least not in those who see through it.
well their target isn't really people who decide this stuff anymore, on their own anyways, but guys who work at companies and isp's and who decide which product they should bundle(not users that is) with their offering.
on and off (depending on year) their sw is harder to remove than malware too.. but this reeks of them trying to advertise their mac product..
My bad. (Score:1)
Hours of fighting, cursing, and seriously elevated blood pressure later I was signed up and had found one relative. It was probably not a hack, just me trying to find a way to add someone without giving facebook my email credentials.
Facebook can have access to my email when they pry the credentials from my cold dead hands!
Re:My bad. (Score:4, Interesting)
In the next several years, it might be weird to _still_ have a Facebook account. Just like an AOL email, myspace account...
I left FB in 2009 and haven't looked back.
Re: (Score:2)
This was for a highly paid job in a position of significant trust. I can understand their reasoning. Hiring someone to a position like that you would want to make sure that their FB would not become a cause of embarrassment later.
Note they asked to see her facebook, not for her login, or password.
Re: (Score:2)
a friend of mine was applying for a job, and they wanted to see her facebook page. "I don't have one.", was not an acceptable answer.
This was for a highly paid job in a position of significant trust. I can understand their reasoning.
I can't.
It is not like it is unheard of people not having a FB account, not even outside the basement dweller circle. If they do not accept as an answer that you do not have an FB account then already at that point the "position of significant trust" have collapsed.
Re: (Score:1)
Right or wrong, the fact is that it looks odd if you are applying for a technical job and you don't have a facebook presence.
If my 72 year old mother has a facebook account then EVERYONE has an account.
Re: (Score:2)
Hiring someone to a position like that you would want to make sure that their FB would not become a cause of embarrassment later.
Then you would think "I find their handling of user privacy to fall well short of my expectations and I find using it an overall time consuming distraction from more important things in my life. Furthermore, as I am applying for a position of significant trust my choice not to maintain a facebook page eliminates the possibility of it ever being a cause of personal or professional
Re: (Score:2)
Obviously you are not a thirteen year old school-girl with no friends. That is the target audience for FB. Nerds come here instead.
Re: (Score:2)
Do you use another social networking site, or do you simply not partake in relationships online at all?
Re: (Score:2)
Some people don't live in basements and can actually have relationships with people in a non virtual circumstance. It is called real life.
and some people have a social life without having a phone number.
so?
you know what's funny about many facebook pariahs? they have blogs and homepages on which they share everything with everyone.
Re: (Score:2)
Re: (Score:2)
So what are you doing here then? Picture or it didn't happen!
Re: (Score:1)
You're doing it wrong (Score:2)
You seriously don't have a single friend on Teh Facebook? It may be difficult to find a particular person on FB, but to find a reasonable number of acquaintances usually isn't that hard unless you hang out exclusively with FB deniers. It's been so long since I signed up, I can't remember who my first FB "friends" were, but it wasn't hard to find a dozen or so people I knew.
I've had my email address for so long (easily 15+ with the same personal address, almost 10 with my work address) that it's basically p
Re: (Score:1)
The Simpsons (No. 135)
I'll say it again (Score:1)