That Facebook Hack

On September 16th Facebook engineers noticed a number of anomalies in the behavior of the massive social media site. Although we still know very little about the extent of this breach, how we will all be affected, or if it will just pass in the night as an oddity, there are multiple lessons to be learned.

For one, we are all vulnerable. And more so all the time. In his recent (and highly recommended) book Click Here to Kill Everybody Bruce Schneier makes it clear that we live in an ever-interconnected world, where computers are no longer those things sitting on our desks, but our cars, refrigerators, aquariums, medical appliances, thermostats, and more. All of these are now vulnerable to hacking. And will be hacked. The attack on Facebook was subtle and depended on figuring out multiple small vulnerabilities, then turning them into one big one.

The extent of effects from this breach is unknown, and Facebook has not been forthcoming so far. One serious issue with this is that it's not just Facebook. Many web sites, apps, etc. are set up to use Facebook credentials for login - in effect, possibly extending this breach to other sites and applications. I generally avoid using Facebook credentials on other sites for this very reason - it's a quick way to spread the effects of a vulnerability, and Facebook has shown itself to not be the most responsible player in the bunch.

So - what's a computer user to do?

I have some suggestions.

• Try to avoid using Facebook, Google, Twitter, etc. as login credentials on sites and apps.  It's easy, it's convenient, but it broadens your hacking exposure.
• Don't re-use passwords. It's so easy to use the same password multiple places - but again, it ensures that if your account is breached, it's breached in many places at once. I've been guilty of this myself. I recommend looking into using a password manager program to handle the many passwords we all have, and possibly using that program to generate completely random nonsensical passwords.
• Consider using Two Factor Authentication. The idea here is to not just use a password to log in, but to use a password and a token of some sort. The idea here is to use something you know (a password) along with something you have (a random token) to log in. I've used these systems for many years. The token can come from having the computer send you a text message (which is slightly less secure) or using some sort of token generator, usually a program on your cell phone like Google Authenticator. This makes your life more awkward, but quite a lot more secure. There are also dedicated pieces of hardware for this like Yubikeys. I have used all of these methods (and for quite a few years carried an expensive dedicated token generating card with me for work - at least now I can use my cell phone which I always have anyway). 

These are only partial cures, but since it seems unlikely that the computer industry or Congress are going to save us, we need to consider protecting ourselves. Stay safe.