Saturday, February 16, 2013

Facebook Says Hackers Breached Its Computers

Facebook admitted that it was breached by sophisticated hackers in recent weeks, two weeks after Twitter made a similar admission. Both Facebook and Twitter were breached through a well-publicized vulnerability in Oracle’s Java software.


In a blog post late Friday afternoon, Facebook said it was attacked when a handful of its employees visited a compromised site for mobile developers. Simply by visiting the site, their computers were infected with malware. The company said that as soon as it discovered the malware, it cleaned up the infected machines and tipped off law enforcement.

“We have found no evidence that Facebook user data was compromised,” Facebook said.

On Feb. 1, Twitter said hackers had breached its systems and potentially accessed the data of 250,000 Twitter users. The company suggested at that time that it was one of several companies and organizations to have been similarly attacked.

Facebook has known about its own breach for at least a month, according to people close to the investigation, but it was unclear why the company waited this long to announce it. Fred Wolens, a Facebook spokesman, declined to comment.

Like Twitter, Facebook said it believed that it was one of several organizations that were targeted by the same group of attackers.

“Facebook was not alone in this attack,” the company said in its blog post. “It is clear that others were attacked and infiltrated recently as well.”

The attacks add to the mounting evidence that hackers were able to use the security hole in Oracle’s Java software to steal information from a broad range of companies. Java, a widely used programming language, is installed on more than three billion devices. It has long been hounded by security problems.

Last month, after a security researcher exposed a serious vulnerability in the software, the Department of Homeland Security issued a rare alert that warned users to disable Java on their computers. The vulnerability was particularly disconcerting because it let attackers download a malicious program onto its victims’ machines without any prompting. Users did not even have to click on a malicious link for their computers to be infected. The program simply downloaded itself.

After Oracle initially patched the security hole in January, the Department of Homeland Security said that the fix was not sufficient and recommended that, unless “absolutely necessary,” users should disable Java on their computers completely. Oracle did not issue another fix until Feb. 1.

Social networks are a prime target for hackers, who look to use people’s personal data and social connections in what are known as “spearphishing” attacks. In this type of attack, a target is sent an e-mail, ostensibly from a connection, containing a malicious link or attachment. Once the link is clicked or attachment opened, attackers take control of a user’s computer. If the infected computer is inside a company’s system, the attackers are able to gain a foothold. In many cases, they then extract passwords and gain access to sensitive data.

Facebook said in its blog post that the updated patch addressed the vulnerability that allowed hackers to access its employees’ computers.

Hackers have been attacking organizations inside the United States at an alarming rate. The number of attacks reported by government agencies last year topped 48,500 — a ninefold jump from the 5,500 attacks reported in 2006, according to the Government Accountability Office.

In the last month alone, The New York Times, The Wall Street Journal and The Washington Post all confirmed that they were targets of sophisticated hackers. But security experts say that these attacks are just the tip of the iceberg.

A common saying among security experts is that there are now only two types of American companies: Those that have been hacked and those that don’t know they’ve been hacked.
