While I believe that posting any private information to a social networking site is… well… nuts, I also believe we should have a reasonable expectation of privacy. This means companies like Facebook must do a good job of protecting themselves from potential attacks. So why were laptops used by Facebook employees targets of a recent zero-day attack?
Yes, it was a zero-day. We can’t foresee all possible attack vectors. The threat agent used a hole in Java to infect the laptops. Further, the Java exploit was sitting on a developer site. Doh! Didn’t see that coming, Facebook? You should have.
Java is full of holes. It is an exploit waiting to happen, and this is not the first time attackers have circumvented the Java sandbox to get at the underlying platform. Some, like Andrew Storms at nCircle Security, believe Java needs a complete overhaul (via Gregg Keizer, Computerworld):
“Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it…”
Apparently, Facebook didn’t get the memo. Why would a social network company allow its employees to visit risky sites and then connect back to a network where customer and other sensitive data reside? Why would any organization?
For more information on end-user device security, see Chapter 6 – End-user Device Security.