Yesterday, a YouTube video from a splinter of hacktivist group Anonymous proclaimed that it will “destroy Facebook” over privacy issues on November 5th. Now, as military tactics go, that is like telling the Germans three months in advance that the Allied Forces are going to launch D-Day. That is no recipe for success. The threat against Facebook should be taken with a grain of salt. Yet the question arises: if Anonymous or a group of hackers really did want to take down Facebook, how could it be done?
See the video after the jump for a full explanation on why Anonymous might want to destroy Facebook. Yet the first thing to know about the alleged destruction of Facebook is that it is not wholly supported by the Anonymous collective. Various Anonymous-based Twitter accounts have said something along the lines of “no one can speak for the whole of Anonymous. There are some anons who support #opFacebook whilst others do not.” Yet what if the entire group were motivated to cause chaos and disruption? Are there any tactical advantages that Anonymous has that Facebook could not easily thwart?
A DDoS Won’t Work
In reality, it is not likely that Anonymous has the chops to really hurt Facebook. In its history, the favorite weapon of Anonymous and LulzSec has been the distributed denial of service (DDoS) attack. A DDoS floods a target server (or servers) with requests so that the server becomes overwhelmed and the website goes down. Tricks can be built into a DDoS attack, such as hiding lines of code within the flood of packets in the hope that they worm their way into sensitive areas while the server is busy, but companies know to look for this and it can be turned away.
A DDoS attack would not work on Facebook. It is too large, too sophisticated and handles so much data already that there is little that a DDoS would accomplish. Maybe the service would be slow for a couple of hours. Yet even if Facebook did go down for a while from a DDoS, that is certainly not the “destruction” of the platform. Apple, Amazon, Google and Facebook are so big and handle so much data that they are almost immune to DDoS attacks.
“Destruction isn’t a DDoS attack anyway. Destruction means dead, kaput, sayonara, forever,” Graham Cluley of security firm Sophos told ReadWriteWeb. “A DDoS attack would be more Anonymous’s style – but how likely it would be to succeed is very questionable, as Facebook has a strong infrastructure behind it. In the past we’ve seen Facebook manage to withstand heavy DDoS attacks when other social networks like Twitter have crumbled (see: Twitter DDoS). Although Facebook stumbled a little, it didn’t go down.”
Publicly Shame Facebook & Make Users Lose Trust
Cluley thinks that the way to destroy Facebook would be if it “permanently and devastatingly loses the trust of its user base.” Yet, how can this be accomplished? If Anonymous (or anybody) does not possess the tools to destroy Facebook’s infrastructure, what is the back door that would make users lose faith in Facebook?
This is where other Anonymous tactics come in. For instance, look at Booz Allen Hamilton. Its corporate infrastructure was attacked and 90,000 emails concerning the Department of Defense were leaked. If Anonymous really wanted to attack Facebook, digging up dirt in Facebook’s own corporate communications would be the way to go.
“If hackers could find a backdoor into Facebook’s corporate network and if they managed to gain high enough access rights, then they might be able to search emails and logs to hunt for evidence of Facebook selling information to governments if it were taking place,” Cluley said. “But there’s a lot of ‘if’s’ there.”
Spear Phish the Corporate Back Door
The best way for a hacker to gain access to Facebook’s corporate communications would be a very well-targeted spear phishing attempt, in which a message carrying a Trojan is sent to a high-level executive. The Trojan would enable the hacker to take control of that computer and then access the corporate network.
“And I would imagine, like most other businesses of such a size, Facebook would have layered defenses in place to reduce the chances of hackers breaking into their systems, and have locked down their most sensitive information with access control and encryption,” Cluley said.
Overall, we are talking about theories. Maybe a portion of Anonymous will attack Facebook on November 5th, maybe they will not. Maybe they will be successful, though they probably will not be. Anonymous considers itself a movement, and as with any movement, there are going to be disagreements on which way it should go. Facebook, while maybe not always the most forthright company about its privacy policies, is hardly a secretive government or evil corporation bent on making war across the world for the sake of profit.
For all we know, this “threat” could have been made by a 17-year-old kid who reads too much news. As Paul Ducklin of Sophos wrote on the company’s Naked Security blog, “someone with a computer, an Internet connection, a basic video editor and a voice synthesiser – has decided that Facebook should die.”