
Facebook security practices questioned in wake of Anonymous threat

August 11, 2011

Even as the shadowy hacker group Anonymous threatens to take on the mighty social-networking site Facebook, claiming the group
will ‘kill’ Facebook on Nov. 5, some researchers are criticizing Facebook security, saying it could be better.


“We started testing the site and reporting vulnerabilities to them,” says Mandeep Khera, chief marketing officer at security
firm Cenzic, about Facebook, which in late July started a bug bounty program encouraging researchers to confidentially report
any security issues directly to Facebook. But Khera says Facebook brushed off issues Cenzic raised in the last few days about
weaknesses the firm believes it has identified in Facebook's login and password handling, among other things.

However, Khera says Facebook yesterday apparently corrected one issue involving ineffective session termination in Internet
Explorer: after a user logged out in IE and went back a few pages, refreshing the Facebook page automatically logged the user
in again. “They said they can’t reproduce the vulnerability but it looks like they fixed it,” Khera says.
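The failure described above is a logout that clears the browser's cookie but leaves the session valid on the server, so any copy of the old session id (a cached page, a proxy capture, a browser that resends it on refresh) still authenticates. The check a tester runs is simple: capture the session cookie before logout, log out, replay it. The following is an added example modelling that check against a weak logout and a correct one; it is constructed for this article and is not Facebook's or Cenzic's code, and the class, function and user names are assumptions.

```python
"""Added example: a minimal model of session termination, with the weak
logout (cookie cleared client-side only) beside the correct one (session
invalidated on the server). Assumed names; not Facebook's or Cenzic's code."""
import secrets


class SessionStore:
    """Server-side session table: session id -> user id (constructed)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        # 256-bit random id from a CSPRNG; this is the value the Set-Cookie
        # header would carry back to the browser.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def whoami(self, sid):
        # Returns the user behind a presented session id, or None if it is
        # not (or no longer) a live session.
        return self._sessions.get(sid)

    def logout_client_only(self, sid):
        # Weak: only tells the browser to drop its cookie. The server-side
        # entry stays valid, so any saved copy of the old id still works.
        return {"Set-Cookie": "sid=; Max-Age=0"}

    def logout_server_side(self, sid):
        # Correct: invalidate the session on the server first, then clear
        # the cookie. A replayed id now maps to nothing.
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "sid=; Max-Age=0"}


def replay_after_logout(weak_logout):
    """The tester's check: keep the session id as it was sent before logout,
    log out, then present it again. Returns True if the old id still
    authenticates, i.e. the session was never actually terminated."""
    store = SessionStore()
    sid_before_logout = store.login("alice@example.invalid")  # constructed user
    assert store.whoami(sid_before_logout) == "alice@example.invalid"
    if weak_logout:
        store.logout_client_only(sid_before_logout)
    else:
        store.logout_server_side(sid_before_logout)
    # Replay: what a refresh of an old page does when the browser (or an
    # attacker with a captured cookie) still has the pre-logout value.
    return store.whoami(sid_before_logout) is not None


if __name__ == "__main__":
    print("client-only logout, old cookie still valid:", replay_after_logout(True))
    print("server-side logout, old cookie still valid:", replay_after_logout(False))
```

The model abstracts away which IE behaviour resent the cookie; what matters for the fix is that logout must delete the server-side session, not merely expire the cookie, and that the same replay test is how you confirm it.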

Cenzic is criticizing the password system that Facebook uses, which Khera says accepts six-character passwords and “takes 30
seconds to crack.” He also faults Facebook for not using SSL for initial user registration. “This can be sniffed by anyone,”
he says. He also complained about Facebook’s password autocomplete function, saying, “As a good practice, it shouldn’t complete
the password automatically.” And he faulted Facebook’s “bad login message,” which he says reveals too much, for example by
telling the user that the email address entered was not recognized.
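The login-message complaint is about user enumeration: if a failed login says "no such email" in one case and "wrong password" in the other, anyone can submit a junk password against a list of addresses and learn which ones are registered. The following is an added example, not Facebook's or Cenzic's code, showing a verbose handler beside a uniform one and the enumeration step that separates them; the account table, messages and function names are constructed for this example.

```python
"""Added example: verbose vs uniform login failure messages and the user
enumeration they enable or prevent. Constructed data; not Facebook's code."""
import hashlib
import hmac
import os


def _hash_password(password, salt, iterations=50_000):
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user table: email -> (salt, password hash). One registered user.
_SALT = os.urandom(16)
USERS = {
    "alice@example.invalid": (_SALT, _hash_password("correct horse", _SALT)),
}

GENERIC_ERROR = "Incorrect email address or password."


def _password_matches(email, password):
    record = USERS.get(email)
    if record is None:
        # Do the same hashing work for an unknown address so that a missing
        # account is not faster to reject than a wrong password; response
        # time is another channel for the same enumeration.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_verbose(email, password):
    """Weak: the error text tells the caller whether the email is registered."""
    if email not in USERS:
        return (False, "The email you entered does not belong to any account.")
    if not _password_matches(email, password):
        return (False, "Incorrect password.")
    return (True, "ok")


def login_uniform(email, password):
    """Hardened: one message, and the same hashing work, on both failure paths."""
    if _password_matches(email, password):
        return (True, "ok")
    return (False, GENERIC_ERROR)


def enumerate_accounts(login, candidates):
    """What an attacker does: try a junk password for each candidate address
    and group the addresses by the error text returned. With a verbose
    handler the groups separate registered from unregistered addresses; with
    the uniform handler every address lands in the same group."""
    groups = {}
    for email in candidates:
        _ok, message = login(email, "definitely-not-the-password")
        groups.setdefault(message, []).append(email)
    return groups


if __name__ == "__main__":
    candidates = ["alice@example.invalid", "bob@example.invalid"]  # constructed
    print("verbose:", enumerate_accounts(login_verbose, candidates))
    print("uniform:", enumerate_accounts(login_uniform, candidates))
```

The uniform message costs the legitimate user nothing they cannot recover from, and it removes the oracle; note that "account exists" can still leak through a registration or password-reset form that says "that address is already in use", so the same rule applies there.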

But after Cenzic reported these findings to Facebook, “they came back and said, the password and SSL stuff, these are ‘best
practices,’ not ‘vulnerabilities,’” Khera says. “So our response was, shouldn’t you be following best practices since everyone
is hacking you?”

The hacker group Anonymous today allegedly threatened to ‘destroy’ Facebook on Nov. 5, accusing the social-networking site
of spying on users, cooperating with authoritarian governments and abusing people’s privacy. However, because the alleged
Anonymous notification did not originate from the better-known sources of Anonymous communiqués to the public, some are questioning
whether this is an authentic Anonymous threat at all. Anonymous, however, has proven diligent in carrying out threats it has made in the past.

Cenzic is offering developers for social-networking sites a free “healthcheck” vulnerability assessment using Cenzic’s cloud-based
offering, ClickToSecure Cloud.

Read more about security in Network World’s Security section.
