Re: [silk] Pink Chaddi Campaign hacked on Facebook
On Wed, Apr 15, 2009 at 9:14 AM, Kiran Jonnalagadda wrote:

> Facebook allows an account to be logged in from only one location at a
> time. How, then, could the vandalism have been carried out even when Nisha
> was always in control of her account? This is the point where I suspect
> Facebook's security vulnerability lies.

I guess this makes it pretty clear that the password was never compromised. More likely her facebook cookie was stolen through an XSS vulnerability (maybe in one of the third-party apps she has installed). This would allow certain operations to be done using the account but not things like changing the password. It's not unknown for hackers to post images that violate the TOS with the intent of getting the account disabled.

As you pointed out, facebook doesn't seem to allow the same person to be logged in twice, which should mean that when she logs in, previous cookies will be invalidated. But perhaps every time she logged in her cookie was stolen?

Since she's still using the account, I'd say ask her to remove any suspicious facebook apps. Of course now her problem is getting back access to the deleted groups, not how it was hacked.

(Third-party app security is difficult to get right. There are solutions like Google's Caja [1], but it's not yet widely adopted.)

[1] http://code.google.com/p/google-caja/
Re: [silk] Pink Chaddi Campaign hacked on Facebook
ashok _ wrote, [on 4/15/2009 1:19 PM]:

> Facebook doesnt seem to use SSL for a lot of stuff maybe its
> someone at her work place ... or someone she knows.

I use the following Greasemonkey [1] script [2] to force secure connections on facebook, banking sites, gmail, &c. However, none of these will protect against someone who has access to your computer - either via a trojan, or physical access (maybe a co-worker who walks up to your cube while your PC has carelessly been left unlocked).

Udhay

[1] https://addons.mozilla.org/en-US/firefox/addon/748
[2] http://userscripts.org/scripts/show/29090

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
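To show what a "force secure connections" userscript of the kind mentioned above does, here is an added example written for this thread. It is not the script linked in the post and not Greasemonkey's own code; the host list, the function names and the redirect rule are this example's assumptions.

```javascript
// ==UserScript==
// @name         Force HTTPS on selected sites (added example)
// @namespace    example.local
// @include      http://*
// ==/UserScript==
// Added example, not the script linked above: a Greasemonkey-style userscript
// that redirects plain http:// page loads to https:// for a fixed list of
// hosts, so the session cookie is not sent over a sniffable connection.
// The host list and all function names are this example's own choices.
'use strict';

// Hosts to upgrade (constructed list). A bare domain also matches its subdomains.
const SECURE_HOSTS = ['facebook.com', 'mail.google.com'];

function hostMatches(host, pattern) {
  host = host.toLowerCase();
  return host === pattern || host.endsWith('.' + pattern);
}

// Return the https:// form of `url` if it is an http:// URL on a listed host,
// otherwise null (already secure, other scheme, unparsable, or host not listed).
function upgradeToHttps(url, hosts = SECURE_HOSTS) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:') return null;
  if (!hosts.some((p) => hostMatches(u.hostname, p))) return null;
  u.protocol = 'https:'; // path, query and fragment are kept as they were
  return u.toString();
}

// In a browser with Greasemonkey, redirect before the insecure page renders.
// Under Node.js there is no window, so this part is skipped.
if (typeof window !== 'undefined' && window.location) {
  const target = upgradeToHttps(window.location.href);
  if (target) window.location.replace(target);
}
```

The script only helps once the browser has already asked for the http:// page, so the first request (and any cookie the browser attached to it) still goes out in the clear; it reduces exposure rather than removing it, and, as the reply says, it does nothing against a trojan or an unlocked desk.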
Re: [silk] Pink Chaddi Campaign hacked on Facebook
On Wed, Apr 15, 2009 at 8:01 AM, Kiran Jonnalagadda wrote:

>> Well - if its the same IP? Open access point say. Or a compromise of her
>> pc / laptop?

Facebook doesn't seem to use SSL for a lot of stuff; maybe it's someone at her work place ... or someone she knows.

ashok
Re: [silk] Pink Chaddi Campaign hacked on Facebook
On Wed, Apr 15, 2009 at 12:49 PM, Priyanka Sachar wrote:

> yes tweets pertaining to this may help.I also feel we could request
> Scobleizer, techcrunch, Om Malik for some help regarding highlighting this
> issue on their sites.

I'm a fairly lightweight twitterer compared to some luminaries on this list, but FWIW I've kicked it off using the hashtags #pinkchaddi and #facebookfail. More hashtag suggestions are welcome...

--
Balaji
Re: [silk] Pink Chaddi Campaign hacked on Facebook
On 15-Apr-09, at 9:31 AM, Suresh Ramasubramanian wrote:

> Well - if its the same IP? Open access point say. Or a compromise of her
> pc / laptop?

Suresh, Nisha's computer security was overseen by Karim (ex-Sarai, Cyber Mohalla and NLS, if you know him). Karim's a sensible sysad and thoroughly examined her working setup; even moved her to a different computer.

Nisha called me for help last Thursday. I looked around her account, received a warning that Facebook had just deleted an obscene image uploaded from her account, knocked off all her Apps, just in case one of them was an attack vector, received another warning of impending account suspension for ToS violations, changed her password for her to be doubly sure it was not being sniffed at her end, and agreed with her that we would not access her account until the next morning. The next day, her account was suspended.

I live in Bangalore. Nisha and Karim live in Delhi. Whatever the attack vector was, it couldn't have been from the local computer or network. It had to be upstream.

Nisha's presented her side of the story here: http://kafila.org/2009/04/12/arise-awake-the-people-who-run-facebook/
Re: [silk] Pink Chaddi Campaign hacked on Facebook
yes tweets pertaining to this may help. I also feel we could request Scobleizer, techcrunch, Om Malik for some help regarding highlighting this issue on their sites.

2009/4/15 Kiran K Karthikeyan

>> I doubt Facebook cares about what the Hindu says. How does one get their
>> attention?
>
> I call for a twitcampaign with the #facebook hashtag and a retweet request.
>
> Most web apps today listen to what people are saying on twitter and
> the response is quite fast.
>
> Can you put up your post on a blog or should we just link to the
> public archive of silklist?
>
> Kiran
Re: [silk] Pink Chaddi Campaign hacked on Facebook
> I doubt Facebook cares about what the Hindu says. How does one get their
> attention?

I call for a twitcampaign with the #facebook hashtag and a retweet request.

Most web apps today listen to what people are saying on twitter and the response is quite fast.

Can you put up your post on a blog or should we just link to the public archive of silklist?

Kiran
Re: [silk] Pink Chaddi Campaign hacked on Facebook
Kiran Jonnalagadda [15/04/09 09:14 +0530]:

> Facebook allows an account to be logged in from only one location at a
> time. How, then, could the vandalism have been carried out even when Nisha
> was always in control of her account? This is the point where I suspect
> Facebook's security vulnerability lies.

Well - if it's the same IP? Open access point say. Or a compromise of her pc / laptop?
Re: [silk] Pink Chaddi Campaign hacked on Facebook
On 15-Apr-09, at 7:25 AM, Suresh Ramasubramanian wrote:

> This is an exception I'd say - which is why I've escalated it to him

I don't know if it's a result of this, but I just got a response from Facebook Support, saying they're looking into this.

The modus operandi of the attacks suggests that Nisha's account was being used to conduct them. However, we have established that her computer was secure and her password was not stolen. She changed it several times through the period, and towards the end, asked me to change it for her, and to leave the account offline for several hours before logging in again.

Facebook allows an account to be logged in from only one location at a time. How, then, could the vandalism have been carried out even when Nisha was always in control of her account? This is the point where I suspect Facebook's security vulnerability lies.

Best,
Kiran
Re: [silk] Pink Chaddi Campaign hacked on Facebook
On Tue, Apr 14, 2009 at 9:55 PM, Suresh Ramasubramanian wrote:

> Kiran Jonnalagadda [15/04/09 01:18 +0530]:
>
>> Does anyone here know how to get the attention of Facebook's management?
>
> I have a friend there who heads facebook security. He's not a contact I use
> very often, certainly not for run of the mill hacked account cases for
> which FB does have a process that works when used right (passwords can be
> bruteforced, or if your friend logged in from a cybercafe PC with a
> keylogger trojan on it, or was on an open wifi, it can be stolen that way
> too..).
> This is an exception I'd say - which is why I've escalated it to him

Likewise, I sent Kiran's message to a law school friend who is part of FB's management.

DK
Re: [silk] Pink Chaddi Campaign hacked on Facebook
Kiran Jonnalagadda [15/04/09 01:18 +0530]:

> Does anyone here know how to get the attention of Facebook's management?

I have a friend there who heads facebook security. He's not a contact I use very often, certainly not for run of the mill hacked account cases for which FB does have a process that works when used right (passwords can be bruteforced, or if your friend logged in from a cybercafe PC with a keylogger trojan on it, or was on an open wifi, it can be stolen that way too..). This is an exception I'd say - which is why I've escalated it to him

srs
Re: [silk] Pink Chaddi Campaign hacked on Facebook
On Wed, Apr 15, 2009 at 01:18, Kiran Jonnalagadda wrote:

> Does anyone here know how to get the attention of Facebook's management?
>
> Do you recall the Pink Chaddi Campaign coordinated via Facebook? It doesn't
> exist anymore.
>
> Or, it does, but Facebook doesn't want you to access it. Here's a link to
> the group. Try accessing it, you'll get redirected to the home page:
>
> http://www.facebook.com/group.php?gid=49641698651
>
> Just a week ago, Mark Zuckerberg posted to the Facebook blog, highlighting
> the campaign as a notable use of the platform:
>
> http://blog.facebook.com/blog.php?post=72353897130
>
> """From the protests against the Colombian FARC, a 40-year old terrorist
> organization, to fighting oppressive, fringe groups in India, people use
> Facebook as a platform to build connections and organize action."""
>
> Three days later, Nisha Susan, the campaign's coordinator, found her
> Facebook account suspended. She had already spent weeks talking to Facebook
> support over the group formerly known as "The Consortium of Pubgoing, Loose,
> and Forward Women", since mysteriously renamed to "A good bong is a dead
> bong" along with assorted death and rape threats turning up in its
> description. Today Facebook won't let you look at the group either.
>
> What the heck happened? It got hacked, plain and simple.
>
> Facebook Support insists Nisha isn't keeping her account secure. I've looked
> it over for her, as have others, who've examined her computer thoroughly and
> even moved her to a Linux box. None of these measures stopped the continuing
> defacement of the group. FB Support has responded with requests to fill out
> forms describing what's going on, followed by silence.
>
> There is only one inescapable conclusion to this: Facebook is insecure and
> they don't want to admit it.
>
> There's been only one mainstream media mention of this, in the Hindu
> yesterday: http://www.hindu.com/2009/04/14/stories/2009041459890400.htm
>
> I doubt Facebook cares about what the Hindu says. How does one get their
> attention?

Perhaps getting the attention of BoingBoing or any other big-league blog / " effect" sites would help. After all, the Pink Chaddi Campaign got much link love from BB (I think it was Rishab Ghosh who pointed it out to Cory Doctorow).
[silk] Pink Chaddi Campaign hacked on Facebook
Does anyone here know how to get the attention of Facebook's management?

Do you recall the Pink Chaddi Campaign coordinated via Facebook? It doesn't exist anymore.

Or, it does, but Facebook doesn't want you to access it. Here's a link to the group. Try accessing it, you'll get redirected to the home page:

http://www.facebook.com/group.php?gid=49641698651

Just a week ago, Mark Zuckerberg posted to the Facebook blog, highlighting the campaign as a notable use of the platform:

http://blog.facebook.com/blog.php?post=72353897130

"""From the protests against the Colombian FARC, a 40-year old terrorist organization, to fighting oppressive, fringe groups in India, people use Facebook as a platform to build connections and organize action."""

Three days later, Nisha Susan, the campaign's coordinator, found her Facebook account suspended. She had already spent weeks talking to Facebook support over the group formerly known as "The Consortium of Pubgoing, Loose, and Forward Women", since mysteriously renamed to "A good bong is a dead bong" along with assorted death and rape threats turning up in its description. Today Facebook won't let you look at the group either.

What the heck happened? It got hacked, plain and simple.

Facebook Support insists Nisha isn't keeping her account secure. I've looked it over for her, as have others, who've examined her computer thoroughly and even moved her to a Linux box. None of these measures stopped the continuing defacement of the group. FB Support has responded with requests to fill out forms describing what's going on, followed by silence.

There is only one inescapable conclusion to this: Facebook is insecure and they don't want to admit it.

There's been only one mainstream media mention of this, in the Hindu yesterday: http://www.hindu.com/2009/04/14/stories/2009041459890400.htm

I doubt Facebook cares about what the Hindu says. How does one get their attention?

--
Kiran Jonnalagadda
http://jace.seacrow.com/