Tuesday, July 6, 2010

Employees Challenged To Crack Facebook Security, Succeed

Via techcrunch.com -

Apparently Facebook noticed the slap down that the FTC gave Twitter in June because it “failed to prevent unauthorized administrative control of its system.” Shortly afterwards one of the senior engineers at Facebook responsible for SRE (site reliability engineering) challenged Facebook employees to try to compromise him and gain access to Facebook’s administrative system via information obtained from him.

They succeeded.

It took a couple of weeks though. Employees supposedly got in via his home WiFi network, says our source. The details aren’t entirely clear, and Facebook isn’t talking. What I’ve heard is that they were able to intercept data from his home network after capturing his WPA password by luring him into logging into a rogue WiFi SSID that appeared to be his own router. See here for some details on how easy this is to do.

Once his home network fell, the Facebook employees were able to monitor all of his Internet activity and pick out cleartext passwords and similar credentials from the traffic.
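The attack described above is an "evil twin": a second access point that advertises the victim's own SSID so the client (or the victim, if lured by a login page) talks to the attacker instead of the real router. The check a practitioner would want is the inverse, spotting a beacon that claims a trusted SSID from hardware the owner does not recognise. The following is an added example, not code from the TechCrunch story or from Facebook; the scan records are constructed by hand, and the field names (`ssid`, `bssid`, `channel`, `security`, `signal_dbm`), the `TRUSTED` table and the `find_rogue_aps` function are assumptions, not the output or API of any particular tool.

```python
"""Evil-twin (rogue SSID) detection over a set of observed Wi-Fi beacons.

Added example. The scan below is constructed for illustration; the record
layout is an assumption and does not mirror any specific scanner's output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # AP MAC address carried in the beacon frame
    channel: int
    security: str     # "WPA2", "WPA", "WEP" or "OPEN"
    signal_dbm: int   # received signal strength; closer to 0 is stronger


# Trusted networks: SSID -> BSSIDs the owner knows belong to their own router.
# Constructed for the example.
TRUSTED = {
    "HomeNet": {"00:11:22:33:44:55"},
}

# Constructed scan: the real router, an unrelated neighbour, and two impostors
# that reuse the trusted SSID from different hardware.
SCAN = [
    Beacon("HomeNet",   "00:11:22:33:44:55", 6,  "WPA2", -52),
    Beacon("Neighbour", "aa:bb:cc:dd:ee:ff", 11, "WPA2", -70),
    Beacon("HomeNet",   "de:ad:be:ef:00:01", 6,  "WPA2", -38),  # stronger, unknown BSSID
    Beacon("HomeNet",   "de:ad:be:ef:00:02", 1,  "OPEN", -45),  # open clone (login-page bait)
]


def find_rogue_aps(scan, trusted=TRUSTED):
    """Return [(beacon, reasons)] for beacons that advertise a trusted SSID from
    a BSSID the owner does not recognise. Reasons list what makes the beacon
    suspicious beyond the unknown BSSID itself."""
    findings = []
    for b in scan:
        known = trusted.get(b.ssid)
        if known is None:
            continue  # SSID we do not care about
        known_lower = {k.lower() for k in known}
        if b.bssid.lower() in known_lower:
            continue  # one of the owner's own APs
        reasons = ["unknown BSSID for trusted SSID"]
        # Legitimate APs for this SSID that are visible in the same scan.
        legit = [x for x in scan
                 if x.ssid == b.ssid and x.bssid.lower() in known_lower]
        if b.security == "OPEN":
            reasons.append("security downgrade to OPEN")
        elif legit and any(x.security != b.security for x in legit):
            reasons.append(f"security differs from trusted AP ({b.security})")
        if legit and b.signal_dbm > max(x.signal_dbm for x in legit):
            reasons.append("stronger signal than trusted AP (client may auto-prefer it)")
        findings.append((b, reasons))
    return findings


if __name__ == "__main__":
    for beacon, reasons in find_rogue_aps(SCAN):
        print(f"{beacon.ssid} via {beacon.bssid} ch{beacon.channel}: {', '.join(reasons)}")
```

Two caveats worth keeping in mind when reading the results. A clone that keeps the same security type as the real network cannot verify the victim's passphrase, but it does receive the client's side of the WPA handshake, which is enough material for an offline guess at the passphrase; an open clone cannot even do that and instead relies on a fake login page to ask for the password outright. And most clients will not silently join an open network under a saved WPA profile, which is why the story says the engineer had to be lured into logging in rather than simply roamed onto the rogue AP.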

The Twitter hacks last year began with compromised personal email accounts and unfolded from there.

It’s absolutely a smart thing for Facebook to do this, and other companies should too. But if a security engineer at Facebook was compromised, even though he knew it was coming, imagine how trivial it would be for other people to get hit, too.

Now excuse me while I go camp out in Mark Zuckerberg’s back yard for a week or two and try to set up a rogue WiFi SSID. Wish me luck.
