in Follow-Up, Meddling, Politics, X-Geek

Following up on Romney hacking with an expert


I saw that the Mother Jones reporter consulted security expert Bill Pennington on the Romney Facebook hacking. Like any good digital sleuth, I hunted down Pennington’s email address to see what he thought about the situation. Pennington works at White Hat Security as the Chief Strategy Officer.

This afternoon I sent him the following email:

Hi Bill,

I’m Mark Turner, a guy who was contacted by Mother Jones about the Mitt Romney Facebook hacking thing.

I wanted to be clear about my experience: I’ve worked in IT and network security for 20 years. I’m a sysadmin who maintains security on my corporate network. I’m the guy who keeps the others in the office from clicking on things they shouldn’t.

I use Privoxy ad-blocking software on my Linux desktops. I do not click on ads, ever. And I rarely if ever use Facebook’s mobile app because it sucks ass. Yet, somehow I became a fan of Mitt Romney without my knowledge.

Facebook’s Activity Log shows every one of the 400+ likes I’ve clicked on during the life of my Facebook account. It does NOT show me ever liking Mitt Romney. That’s the only Like that doesn’t show up. Even if I screwed up and clicked on something by mistake, I would expect there to be a record of it.

But there isn’t. That’s why I think something hacked my account from the inside.

Facebook all but admitted that click fraud exists when it announced at the end of August that it was cracking down on fake Likes. It knows there is a problem. It can, and does, happen.

The Hacked by Mitt Romney page has over 250 fans (although now I don’t trust that they’re real or not….). I’ve heard dozens of stories from people who’ve had this happen to them, including the daughter of a deceased man whose account liked Romney to her shock.

There’s something going on here and it’s not simple clickjacking.

Anyway, just wanted to get that off my chest. Thanks for listening!

Cheers,
Mark Turner
www.markturner.net

I was delighted to receive a quick response from him:

Thanks Mark, that is good information that I didn’t have before. I was totally speculating about what could cause this behavior, and as you pointed out clickjacking is very widespread and a huge problem for FB to deal with.

I did mention to the reporter that it was entirely possible that someone hacked accounts and then liked Mitt Romney’s page but I downplayed it because typically people like to exploit these hacked accounts for monetary gain, and I could not figure out why they would expose themselves to losing access to hacked accounts by liking Mitt Romney.

It is interesting that you say Facebook’s own accounting does not show that you liked MR’s page either. If someone just guessed your password and logged on as you, then I would expect the like to show up in FB’s Activity Log just like any other activity. I have noticed that FB says it does not show logins to the m.facebook.com site so perhaps it does not show likes from that site either. It is also possible that FB found out about the rogue likes and was trying to clean up the mess.

One other possibility is a rogue app, or someone taking a legitimate app and making it do bad things.

Sadly the people that hold all the cards are FB and I don’t really buy their story of accidental clicks on the mobile site, maybe some but not all. I don’t think they are going to come out and say that all likes can be faked, that would kill their already terrible stock price.

I sent him this response:

On 10/10/2012 03:26 PM, Bill Pennington wrote:
> It is interesting that you say Facebook’s own accounting does not show that you liked MR’s page either. If someone just guessed your password and logged on as you, then I would expect the like to show up in FB’s Activity Log just like any other activity.

That’s the part that gets me. If I screwed up and clicked on something, it should be in the log. If someone guessed my password (highly, highly unlikely), it should be in the log. I would assume that if I did something on the mobile app it would also be there, too, but I don’t click on things from my phone. This is something I’ll try out tonight, though, just to see what actually happens.

> I have noticed that FB says it does not show logins to the m.facebook.com site so perhaps it does not show likes from that site either. It is also possible that FB found out about the rogue likes and was trying to clean up the mess.

There are people in the Hacked by Mitt Romney page who say they’ve become victims recently. It appears to still be going on.

> Sadly the people that hold all the cards are FB and I don’t really buy their story of accidental clicks on the mobile site, maybe some but not all. I don’t think they are going to come out and say that all likes can be faked, that would kill their already terrible stock price.

Yup. That’s what makes this so hard to investigate. We have to take Facebook’s word on it, and so far they’re not telling.

Thanks for letting me vent.

Cheers,
Mark

Pennington then asked me a routine question: whether I had visited any public Wi-Fi hotspots that day. That’s good due diligence on his part, as there have been plenty of identity thefts and other shenanigans linked to the use of unsecured public Internet connections. I replied that I had not visited any such hotspots, and that even if I had, my Facebook settings force an HTTPS-encrypted session, so no data could have been sniffed. And if that weren’t enough, there would still be a record of it in the activity log, which there isn’t.