28 Jan 2011
In my last two blogs I've written about my recent experience at the hands of a hacker.
I've now managed to retrieve all the internet services he stole, but my Facebook account is still suspended, and seems unresponsive to my efforts to reactivate it. I can almost understand why a free site with 600 million users doesn't have a phone support service, but they do appear to be missing a trick.
Facebook recently revealed that it has raised $1.5bn (£0.95bn) in investments, putting its overall valuation at around $50bn (£31.5bn). It has raised this capital by flogging portions of itself off to investors.
Would it have had to do this with a premium rate support service, say £1 per minute? It'd make an absolute killing - largely from kids and teenagers on their parents' phone lines admittedly, but cash is cash, and parents are easily ignored when you're a $50bn business. But I digress.
Having lost my account I'm in exalted company. Facebook founder Mark Zuckerberg's own fan page on his site was hacked shortly after mine. Coincidence? I can picture the master hacker at work: "We've got Sumner, now for Zuckerberg."
Unsurprisingly, getting the big Z's page back under control has proven to be a higher priority for the company than any issue of mine. Whatever happened to ‘customer first’?
The social media site is often criticised for the fact that most of its security features are off by default, with the universal law of inertia meaning that most users' data is available to prying eyes. In an effort to generally beef up security, Facebook this week introduced Secure Sockets Layer (SSL) encryption. So information sent between users and the site will be encrypted in transit. Unless your system is infected by a keylogger. Or a bot. Or you're subject to a man-in-the-middle attack.
For those not in the know, that's where the hacker sits between the parties (say the user and Facebook) when relaying communication between the two. They believe they're talking to one another, unaware that it's all being digested and managed by the malicious party.
This is exactly the form of attack that SSL is supposed to prevent, but hands up who's heard of the ‘compelled certificate creation attack’? Well, these are covert attacks using false SSL certificates that a certificate authority has been compelled to issue at the behest of a government agency. (That's according to Christopher Soghoian and Sid Stamm.)
Great, so we might as well put SSL in the bin then. If government agencies can do it, then so can hackers. Not because they also have the power to compel the certificate authorities (although I wouldn't put it past them to successfully impersonate a government agency for the purpose), but because almost anything locked away in an agency's data store is just more goodies in the sweet shop for the determined hacker.
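The compelled certificate attack described above produces a certificate that validates perfectly, so the only thing a client can notice is that a different certificate authority (often in a different country) is suddenly vouching for a site it has seen before. As an added illustration that is not part of the original column, here is a simplified trust-on-first-use pin store that records the issuing CA per host and refuses a certificate whose issuer country changes; the certificate fields and DER bytes are constructed, since a real client would read them from the TLS handshake.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ObservedCert:
    host: str
    issuer: str           # issuing CA name as read from the certificate
    issuer_country: str   # the CA's country (C=) field
    der: bytes            # raw certificate bytes (constructed here)

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class PinStore:
    """Trust-on-first-use record of which CA vouched for each host."""
    pins: dict = field(default_factory=dict)

    def check(self, cert: ObservedCert) -> str:
        prior = self.pins.get(cert.host)
        if prior is None:
            self.pins[cert.host] = cert   # first sight: nothing to compare against yet
            return "pinned"
        if prior.fingerprint == cert.fingerprint:
            return "ok"                   # identical certificate to the one pinned
        if prior.issuer_country != cert.issuer_country:
            # A CA in another country suddenly vouching for the same host is the
            # signature of a compelled certificate: keep the old pin and refuse.
            return "alert: issuer country changed"
        if prior.issuer != cert.issuer:
            return "warn: issuer changed"  # same country, different CA: ask the user
        self.pins[cert.host] = cert       # routine renewal from the same CA
        return "ok: rotated"


def demo() -> list:
    """Walk one host through a genuine cert, a renewal and a compelled forgery."""
    store = PinStore()
    genuine = ObservedCert("www.example.com", "Example CA", "US", b"constructed DER 1")
    renewed = ObservedCert("www.example.com", "Example CA", "US", b"constructed DER 2")
    forged = ObservedCert("www.example.com", "Compelled CA", "XX", b"constructed DER 3")
    return [store.check(genuine), store.check(genuine),
            store.check(renewed), store.check(forged)]
```

Trust-on-first-use cannot flag an interception that is already in place the first time a host is visited, which is why browser vendors later moved towards pins shipped with the browser rather than learned on the client.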
Yes, government and even military networks are just as vulnerable as (if not more so than) those in the corporate world. In fact, coming back to Zuckerberg's incident, the Guardian did some simple investigative work into the hack, and found that it originated from an IP address owned by the US Department of Defense in Williamsburg. Either someone in the military hacked Facebook, or, more likely, the cyber criminal was able to hack into the military network and use it as a proxy.
In summary, nothing's very safe and I want my Facebook account back. And £1bn if Zuckerberg goes for my premium rate idea. It's not as if he can't afford it.
Stuart Sumner, senior reporter and security expert