Agentless Backup is Not a Myth

Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports.

The rogue JavaScript, which was individually customized to steal passwords for each site, worked when users tried to login without availing themselves of the secure sockets layer protection designed to prevent man-in-the-middle attacks. It was found injected into Tunisian versions of Facebook, Gmail, and Yahoo! in late December, around the same time that protestors began demanding the ouster of Zine el-Abidine Ben Ali, the president who ruled the country from 1987 until his ouster 10 days ago.

“Because it seems to be a perfect copy of the Facebook page, the first thing you assume is the Tunisian government has very cleverly injected the JavaScript as the data went through,” he said.

He said similar phishing attempts targeting Tunisian protestors date back to June, and possibly much earlier.

Although The Tech Herald reported on the rogue scripts three weeks ago, the revelations escaped wide notice until now. On Monday, members of the anti-Tunisian TAKRIZ network warned supporters to stop relying on its Facebook page (at facebook.com/takrizo) after discovering on Friday that all administrative access to it had been suspended.

This is consistent with Danny O'Brien's findings from earlier this month, which said that unknown parties have used the pilfered credentials “to delete Facebook groups, pages, and accounts, including Facebook pages administrated by Sofiene Chourabi, a reporter with Al-Tariq al-Jadid, and the account of local online video journalist Haythem El Mekki.”

Also on Monday, The Atlantic reported that members of Facebook's security team first became aware of the mass credential slurp in the days immediately following Christmas, when they began receiving similar reports of mass deletions of Tunisian dissidents' pages.

“After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on,” The Atlantic article stated. “The country's internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades.”

Facebook Chief Security Officer Joe Sullivan reportedly responded by programming his site to automatically establish an encrypted, HTTPS connection with anyone trying to view the site from inside Tunisia's borders.

“It wasn't a totally perfect solution,” The Altantic noted. “Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.”

Facebook's response is problematic for another, more basic reason: Tunisia's government, with its control of The National Digital Certification Agency, already has the authority to generate valid SSL certificates. That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate.

Still, it's nice to see Facebook offering Tunisians a more reliable way to connect over encrypted channels. If only the site would only offer the rest of the world the same basic amenity. ®

Steps to Take Before Choosing a Business Continuity Partner