How Facebook protected Tunisian accounts
In early January 2011, the Tunisian special services, with the help of a local monopolist provider, carried out a massive hack of accounts on Facebook, trying to stop the organization of rallies on the streets and the distribution of videos. Technically, this was done by introducing a malicious script into the site authorization page for Facebook users in Tunisia, followed by interception of an encrypted login and password from a fake URL (see here for more details).
It turns out that the Facebook developers recognized the attack in the early stages and within a few days implemented a special protection technique for users from this country.
Facebook Security Director Joe Sullivan (Joe Sullivan) first noticed an unusual stream of complaints from Tunisian users that outsiders log in and delete their accounts. In addition, there was a sharp surge in attendance from Tunisia. On December 25, 2010, Sullivan instructed his security department to investigate the problem.
')
They could not immediately prove the facts of the seizure of accounts, because in Tunisia all users have dynamic IPs. But after ten days of trial, it turned out that something unprecedented was happening: by January 5, 2011, it became clear that the passwords of all users in Tunisia were compromised. Facebook has not yet come across this: the enemy was the national ISP, which filtered all incoming traffic and added malicious scripts to individual user sessions. The work of independent security experts Clay Shirky and Yevgeny Morozov, who explained in detail how the Facebook accounts were hacked by government intelligence, helped the Sullivan to be published in open sources.
Facebook took it as a technical, not a political problem, and began to solve it. Sullivan's team quickly rolled out a two-tier system. Firstly, all requests from Tunisia were automatically redirected to the https server (although they understood that the ISP could forcibly transfer the session to http, but this did not happen). Secondly, an additional authentication procedure was launched for all Tunisian users who recently performed authorization (that is, whose passwords could be intercepted). To enter the site, they needed to recognize a few of their friends from photographs. For 100% of Tunisian users, the new system was activated by the morning of January 10th.
According to experts, the jasmine revolution in Tunisia (or, as it is also called, the Facebook revolution) raised several issues that are worth considering. First, the question arises as to how international Internet traffic is protected from the invasion of governments or other potentially harmful organizations. Secondly, this is a ban on pseudonyms on Facebook, because now we see that in some countries for political activity you can lose your life, so that local activists are simply dangerous to communicate on the Internet under real names.
By the way, in Belarus, where the situation is similar to Tunisia, there is now a new wave of repression against the civilian population: probably, through a system like SORM, the authorities received a list of cellular subscribers who were in the center of Minsk during mass protests on December 19, 2010 from 20:00 until 22:00 (according to unofficial data, about 75 thousand people), now they are all called in for questioning by the investigating authorities. Locals for political conversations are recommended to buy SIM-cards issued for fake people.
It turns out that the Facebook developers recognized the attack in the early stages and within a few days implemented a special protection technique for users from this country.
Facebook Security Director Joe Sullivan (Joe Sullivan) first noticed an unusual stream of complaints from Tunisian users that outsiders log in and delete their accounts. In addition, there was a sharp surge in attendance from Tunisia. On December 25, 2010, Sullivan instructed his security department to investigate the problem.
')
They could not immediately prove the facts of the seizure of accounts, because in Tunisia all users have dynamic IPs. But after ten days of trial, it turned out that something unprecedented was happening: by January 5, 2011, it became clear that the passwords of all users in Tunisia were compromised. Facebook has not yet come across this: the enemy was the national ISP, which filtered all incoming traffic and added malicious scripts to individual user sessions. The work of independent security experts Clay Shirky and Yevgeny Morozov, who explained in detail how the Facebook accounts were hacked by government intelligence, helped the Sullivan to be published in open sources.
Facebook took it as a technical, not a political problem, and began to solve it. Sullivan's team quickly rolled out a two-tier system. Firstly, all requests from Tunisia were automatically redirected to the https server (although they understood that the ISP could forcibly transfer the session to http, but this did not happen). Secondly, an additional authentication procedure was launched for all Tunisian users who recently performed authorization (that is, whose passwords could be intercepted). To enter the site, they needed to recognize a few of their friends from photographs. For 100% of Tunisian users, the new system was activated by the morning of January 10th.
According to experts, the jasmine revolution in Tunisia (or, as it is also called, the Facebook revolution) raised several issues that are worth considering. First, the question arises as to how international Internet traffic is protected from the invasion of governments or other potentially harmful organizations. Secondly, this is a ban on pseudonyms on Facebook, because now we see that in some countries for political activity you can lose your life, so that local activists are simply dangerous to communicate on the Internet under real names.
By the way, in Belarus, where the situation is similar to Tunisia, there is now a new wave of repression against the civilian population: probably, through a system like SORM, the authorities received a list of cellular subscribers who were in the center of Minsk during mass protests on December 19, 2010 from 20:00 until 22:00 (according to unofficial data, about 75 thousand people), now they are all called in for questioning by the investigating authorities. Locals for political conversations are recommended to buy SIM-cards issued for fake people.
Source: https://habr.com/ru/post/112426/
All Articles