Data Theft Vulnerability Resolved by Facebook
reposted by ákos bardóczi at February 10th, 2011 at 5:20PM
Facebook has reconciled a major privacy vulnerability that left members susceptible to social engineering exploits and data theft.
The flaw may have allowed users to unwittingly spread malware to their contacts and provided malicious websites access to private account information.
The security lapse was discovered by research students Zhou Li and Rui Wang who alerted both Facebook and security firm Sophos, according to an article in V3.co.uk.
"According to Wang and Li, it was possible for any web site to impersonate other sites which had been authorised to access user data, such as name, gender and date of birth," said senior technology consultant at Sophos Graham Cluley.
"Furthermore, the researchers found a way to publish content on the visiting users’ Facebook walls under the guise of legitimate web sites, a potential way to spread malware and phishing attacks."
Cluley was able to confirm the vulnerability after some experimentation, and credited the extensive security precautions applied to his account for the initial difficulties in replicating the exploit.
After several attempts, Cluley said he was able to harvest some private data from his account as well as plant the equivalent of a malicious web link.
Though Facebook staff quickly worked to provide a solution to the flaw, Cluley warns that the social networking platform’s complexity makes it likely that similar flaws may be found in the future.
"Clearly Facebook’s web site is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time. The risk is compounded by the fact that there is so much sensitive personal info about users being held by the site, potentially putting many people at risk," Cluley states in the V3.co.uk article.
Facebook members should apply some simple security features that are already available. One important feature allows members to monitor their profile for any unauthorized access to their Facebook account.
You can also check out “A Facebook Security Lockdown Guide” which provides a checklist of necessary security options and protocols to help protect you from exploitation.
Managing Social Media for Network Security
February 10th, 2011 at 4:37PM
Managing network security is all about controlling the attack surface.
If your network users need to communicate with services A, B, and C through channels X, Y, and Z, it’s not impossible (with a little elbow grease) to manage the potential attack surfaces in the network and control the security risk. When it was all about communication with email and a few Web applications, network security could be better managed, because you knew where the potential holes were and could close them off when new threats were revealed.
But now network managers have a whole new attack surface to manage: the vast multitude of potential entry points to a network created by the use of social media sites. And as social media services get more robust, the potential for a security breach goes up almost exponentially for both your organization and individual users themselves.
It’s become a well-known scenario: An employee visits a social media site on a corporate machine during some idle time and ends up picking up a piece of malware from one of the dozens of trojans that proliferate through that site. That malware may just turn the machine into a spam generator, if you’re lucky. More sophisticated malware will log keystrokes and provide the malware author with plenty of authentication information from your network.
Users themselves are particularly at risk while using social media sites, because if one of their social media accounts gets compromised, it’s a fair bet their password will be repeated on other sites. This leaves them vulnerable to being hacked on banking and commerce sites, which can impact their productivity as they spend days if not weeks trying to get their online and financial identities back in order. Not to mention what happens if they use the same password for your network.
Depending on the brazenness of a criminal targeting your company, your very organization can even be put at risk. A recent story on Inc. related the tale of a manufacturing company undergoing an expansion of their warehouse and announcing it to the world at large on their corporate blog, Facebook, and Twitter.
"As the day for the big move approached, they told customers about potential shipping delays, but said they’d return with better service than ever.
"On the first day, several men wearing the uniforms of a well-known logistics company showed up to help with the move. With dozens of legitimate workers swarming around the site, they blended in easily and no one questioned them as they loaded equipment into their own van. They drove off before anyone realized they were interlopers," the article related.
This kind of incident is rare, but virtual criminal activity doesn’t have to remain virtual; reports of armed robberies and assaults around Craigslist-initiated sales meetings are also on the rise.
As a networking manager, it’s not your responsibility to keep employees safe from harm on their own time. But there are some policies you can consider implementing that will decrease the size of your network’s attack surface and—if implemented with a fair dose of training—will also keep your co-workers safe on their own machines.
One policy that bears exploring is the straightforward banning of social media activity on your network. That may indeed be necessary, if your organization’s Internet policy already discourages personal use of company assets. It’s a little hard to police that kind of policy on email, since you can’t really tell what messages are personal or business without treading into privacy waters. But unless the user is with sales or marketing, it’s a pretty reasonable assumption that they aren’t on Facebook or Foursquare for business reasons.
Of course, this won’t make you popular, and it doesn’t address the larger problem of social media: it’s still very easy to phish for information across social media networks. Phishing attacks are rampant on all forms of communication, but they are especially troublesome on social media because it’s not that hard to fool someone. If open source guru Simon Phipps tweets me a link from @webmink, will I notice that it’s really from @webmink2 before I click the link to a fake login page? Hopefully yes, but if I’m not paying attention, I could just as easily be fooled.
Education and password management
Most experts agree that a two-pronged solution is needed to control the size of the social media attack surface in your organization.
The first is purely an educational tactic: deliver the message to users that if they are using social media, they must never assume that a link or software download is actually from a friend—even if it’s from their friend’s account. They need to challenge such receipts and confirm that the package was indeed intended to be delivered.
The second approach is to enforce better password management. This is partly educational, since you will need to convince users that it’s in their best interests to have different passwords for each network and service they visit anyway. But you have some control over this, as well: Implement a password policy that will enforce a password change every month. Even if the user has reused the same password across multiple sites, it is very unlikely that will continue to be the case after a month or two of resetting passwords on your network. They may still have a problem with a single password for multiple sites, but your network won’t be one of them.
On the broader problem of social media as a corporate attack surface, make sure you impress upon the people in your organization who do use social media to do their jobs that care should be taken in sharing information about the company or its employees. Social media is a great tool to reach customers, but it’s not just your customers who are listening to what your company has to say. Think about risk in every corporate statement, even a tweet.
Brian Proffitt is a technology expert who writes for a number of publications. Formerly the Community Manager for Linux.com and the Linux Foundation, he is the author of 20 consumer technology books, including the most recent Take Your iPad to Work. Follow him on Twitter at @TheTechScribe.
Facebook Plagued By Two New Security Exploits
February 10th, 2011 at 1:04PM
PandaLabs announced the discovery of security exploits via popular social media sites Facebook and Twitter. In the last several days, two new malware strains have been wreaking havoc on Facebook users.
The first, Asprox.N, is a Trojan delivered via email informing users their Facebook account is being used to distribute spam and that, for security reasons, the login credentials have been changed.
The email includes a fake Word document attachment, supposedly containing the new password, with an unusual icon and the filename Facebook_details.exe.
To deceive victims, it opens a .doc file when the attachment is run; the file is really a Trojan that downloads another file designed to open all available ports and connect to mail service providers in an attempt to spam as many users as possible.
The second new malware strain, Lolbot.Q, is distributed across instant messaging applications such as AIM or Yahoo!, with a message displaying a malicious link.
Clicking the link downloads a worm designed to hijack Facebook accounts, blocking users’ access while informing them that the account has been suspended.
To “reactivate” their account, users are asked to complete a questionnaire, promising prizes such as laptops and iPads. After several questions, users are asked to subscribe and enter their cell phone number, which is in turn charged a fee of $11.60 per week.
Victims can restore access to their Facebook account only once they subscribe to the service and receive a new password.
"Once again cybercriminals are using social engineering to trick victims and infect them with malware," said Luis Corrons, technical director of PandaLabs. "Given the increasing popularity of social media, it is no surprise that it is being exploited to lure victims."
Two new malicious codes using FB discovered
February 10th, 2011 at 12:22PM
Spam trumpeting the power of love is nothing more than an old trick dressed up in new clothes, more evidence that the backers of the Waledec bot Trojan are the same bunch that hammered users in 2007 with Storm, security companies are warning.
Multiple security vendors, including MX Logic Inc., Trend Micro Inc., and Panda Security, have issued alerts about new Valentine’s Day-themed spam campaigns that try to dupe users into installing the Waledec bot.
Subject lines for the spam, said Sam Masiello, vice president of information security at MX Logic, are “short and sweet,” and include “Me and You,” “In Your Arms” and “With all my love.” From the spam, users who browse to the embedded link reach a site with a dozen hearts, any one of which downloads an executable file when clicked.
Masiello first noted the campaign last Thursday, but other researchers, including those at Trend Micro and Panda, picked up on the trend Monday. Both Masiello and Florabel Baetiong, an anti-spam research engineer with Trend, noted the similarity between the recent infection attempt and Valentine’s Day scams launched last year by hackers controlling Storm, another bot Trojan that has since fallen into disuse, possibly because the crew responsible surrendered to heavy pressure by security experts.
"Clearly the old Storm folks are working as hard as they can to build up their new botnet, and are following the old tried-and-true methods of centering their social engineering tactics around holiday themes," said Masiello in a post to the MX Logic blog.
Storm used Valentine’s Day spam in both 2007 and 2008 to hijack PCs.
Most researchers have come around to the idea that Waledec is, in fact, the new Storm. Joe Stewart, an expert on botnets — Storm, in particular — was confident that the group that backed Storm essentially re-wrote its code to come up with Waledec. “If it’s not the same people, they would have had to study Storm intensively to match the functionality,” Stewart said in an interview recently. “It’s so similar that it’s unlikely to be a different group.”
The Waledec malware first began infecting systems just before Christmas, when it used phony holiday greetings and e-cards as bait, another Storm tactic during 2008. Last week, it surfaced again, this time hitchhiking on a spam run that claimed then President-elect Barack Obama would not take the oath of office on Jan. 20.
Although the Waledec botnet remains relatively small — Stewart put it at just 10,000 machines — it’s growing at “an alarming rate,” according to MessageLabs Ltd. In a report on botnets the e-mail security company released Monday, MessageLabs speculated that the botnet owners are “focusing on growing and developing this new botnet, rather than sending spam through it at this stage.”
Masiello said that messages designed to plant Waledec were running at a volume of about 4,000-5,000 per hour, down from approximately 12,000 an hour last Friday, and had been holding steady for the last 48 hours. “I’d agree with MessageLabs,” said Masiello on Tuesday. “It does look like they are in the process of building up the botnet.” MX Logic has not seen any evidence that the Waledec botnet is, in turn, sending spam of its own.
Several botnets that were heavily disrupted by the takedown of McColo Corp., a California-based hosting company, are in the same condition, Masiello added. After suffering losses when McColo — which had hosted command-and-control servers for several botnets, particularly one dubbed “Srizbi” and another called “Rustock” — was yanked off the Internet, they have spent the last several months adding new PCs to their collection.
Facebook plugs gnarly authentication flaw
February 10th, 2011 at 1:43AM
Security researchers have discovered a flaw that creates a means for a malicious website to grab hold of a Facebook user’s private data without their consent as well as to post messages impersonating the user on the social networking website.
The authentication-related bug was discovered by researchers Rui Wang and Zhou Li, who reported the flaw to Facebook last week. The social networking site responded to the report by patching the hole last weekend, and by adding Rui and Zhou to its list of security researchers who have helped make Facebook safer for users.
The vulnerability only worked if a user had visited a malicious website while logged into Facebook, and only in social network profiles that allow applications to run, a feature that the vast majority of Facebook users enable. When run successfully, the attack would have potentially embarrassing consequences.
"If the user has ever allowed a website – YouTube, Farmville or ESPN, etc – to connect to Facebook, she will lose her private data to the malicious website, or even enable the website to post phishing messages on Facebook on her behalf," Rui explained.
Information disclosure bugs of this type often stem from web-based attacks, such as cross-site scripting and cross-site request forgery. In this case, however, the vulnerability stems from a bug in one of Facebook’s authentication mechanisms, Rui explained.
The vulnerability enables the malicious website to impersonate any other websites to cheat Facebook, and obtain the same data access permissions on Facebook those websites receive. Bing.com by default has the permission to access any Facebook users’ basic information such as name, gender, etc, so our malicious website is able to de-anonymize the users by impersonating Bing.com. In addition, due to business needs, there are many websites requesting more permissions, including accessing a user’s private data, and publishing content on Facebook on her behalf. Therefore, by impersonating those websites, our website can obtain the same permissions to steal the private data or post phishing messages on Facebook on the user’s behalf.
The exploit is generic, so we do not need to write an exploit for each Facebook app/website. The only parameter we need is the app ID of a Facebook app/website.
The two researchers – who previously discovered a range of side channel attacks involving web apps – have illustrated the attack via a video posted to YouTube.
We ran the vulnerability by security experts at Sophos, who confirmed that the vulnerability worked – but only in cases where a Facebook user allows applications. Installation of a browser-based Flash player is another necessary prerequisite in order to pull off the attack.
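The point of the flaw described above is that a site could obtain another app's permissions while knowing nothing but that app's public ID. The defensive property a platform wants is that an app ID on its own proves nothing: a permission request must be authenticated with a secret only the genuine app holds, and it must arrive from the site the app was registered to. The following is an added illustration of that check and is not Facebook's code or the researchers' exploit; the app IDs, secrets, origins and the `sign_request`/`authorize` functions are all constructed for this example, and the HMAC-over-payload scheme is a generic design rather than a description of Facebook's actual mechanism.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed registry of what the platform knows about each app.
# IDs, secrets and origins are invented for this example.
@dataclass(frozen=True)
class RegisteredApp:
    app_id: str
    secret: bytes          # shared only with the app's own backend
    origin: str            # origin the app is registered to run from
    scopes: frozenset      # data the user has granted to this app

REGISTRY = {
    "100001": RegisteredApp("100001", b"secret-for-search-site",
                            "https://search.example",
                            frozenset({"basic_info"})),
    "100002": RegisteredApp("100002", b"secret-for-game-site",
                            "https://game.example",
                            frozenset({"basic_info", "email", "publish_stream"})),
}

class AuthorizationError(Exception):
    """Raised when a permission request cannot be tied to a genuine app."""

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request(secret: bytes, payload: dict) -> str:
    """What a genuine app backend does: 'sig.payload' with
    sig = HMAC-SHA256(app secret, canonical JSON payload)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return f"{_b64(sig)}.{_b64(body)}"

def authorize(signed: str, request_origin: str) -> frozenset:
    """Platform side: return the scopes the request may use, or raise.
    The app_id in the payload only selects which secret and origin to
    check against; it never grants anything by itself."""
    try:
        sig_part, body_part = signed.split(".", 1)
        body = _unb64(body_part)
        payload = json.loads(body)
    except ValueError:
        raise AuthorizationError("malformed request")
    if not isinstance(payload, dict):
        raise AuthorizationError("malformed payload")
    app = REGISTRY.get(str(payload.get("app_id")))
    if app is None:
        raise AuthorizationError("unknown app_id")
    # Verify over the exact bytes that were signed, in constant time.
    expected = _b64(hmac.new(app.secret, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig_part):
        raise AuthorizationError("bad signature: caller does not hold the app secret")
    # A valid signature from a page on a different site is still refused.
    if request_origin != app.origin:
        raise AuthorizationError("origin mismatch: request not from the registered site")
    return app.scopes

if __name__ == "__main__":
    genuine = sign_request(REGISTRY["100002"].secret, {"app_id": "100002", "user": "alice"})
    print("genuine app:", sorted(authorize(genuine, "https://game.example")))
    forged = sign_request(b"guess", {"app_id": "100002", "user": "alice"})
    try:
        authorize(forged, "https://evil.example")
    except AuthorizationError as e:
        print("impersonator with only the app ID:", e)
```

The two rejections matter separately: the secret check stops a third party who knows only the public app ID, and the origin check stops a page that has somehow obtained a valid signed request but is serving it from an unregistered site.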
"Facebook’s website is clearly a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time," a security researcher at Sophos explained. "The risk is that there’s so much sensitive personal info about users at risk.
"Facebook’s security team should be applauded for fixing the vulnerability promptly once it was reported to them," he added.
Facebook, favourite bait of cyber-crooks in 2011
reposted by ákos bardóczi at February 2nd, 2011 at 10:02PM
In just three days, two new malicious codes using Facebook have been discovered
The recent trend for developing computer threats designed to spread by exploiting the most popular social media continues to gather pace, reports global IT vendor Panda Security. In the last three days alone, two new malicious codes that use Facebook to ensnare victims have been wreaking havoc.
One of these, Asprox.N, is a Trojan that reaches potential victims via email. It deceives users by telling them that their Facebook account is being used to distribute spam and that, for their security, the login credentials have been changed. It includes a fake Word document supposedly containing the new password.
The email attachment has an unusual Word icon, and is called Facebook_details.exe. This file is really the Trojan which, when run, downloads a .doc file that runs Word to make users think the original file has opened.
The Trojan, when run, downloads another file designed to open all available ports, connecting to various mail service providers in an attempt to spam as many users as possible.
The other, Lolbot.Q, is distributed across IM applications such as MSN and Yahoo!, displaying a message with a malicious link. This link downloads a worm designed to hijack Facebook accounts and prevent users from accessing them. If users then try to log in to Facebook, a message appears informing them that the account has been suspended and that to reactivate it they must complete a questionnaire, with the offer of prizes –including laptops, iPads, etc.– to encourage users to take part.
After several questions, users are asked to enter their cell phone number, where they will receive data download credits for a cost of R83 a week. On subscribing to the service, victims will receive a password with which they can recover access to their Facebook account.
“Once again cyber-criminals are using social engineering to trick victims and infect them with malware” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “Given the increasing popularity of social media, it is no surprise that it is being exploited to lure potential victims”.
PandaLabs advises all users to be wary of any messages with unusually eye-catching subjects, whether via email or IM or any other channel; and to be careful when clicking on external links in Web pages. Obviously, we also warn users not to enter any personal data in applications attempting to sell any type of test.
For more information visit: www.pandalabs.com
Usenet - The Oldest Social Network Online?
February 2nd, 2011 at 7:54PM
Usenet, if you know anything about it, is one of the oldest forms of social networking. It was launched in 1981. This means, of course, that it was already up and running before most people even had access to a home computer.
In the early days - and today - it provided a forum for professionals and interested amateurs to exchange information on a wide variety of topics. Normally, an article about technology that was developed in 1981 would already have segued into a description of how that technology was replaced. In the case of Usenet, it is still alive and kicking and is increasingly popular.
According to studies, Usenet did not take quite the same route as the Internet did where information is concerned in an important regard. The Internet has a reputation for being one of the best sources of information ever devised, provided that you are very good at sorting through all the junk information out there.
On Usenet, you are not as likely to have this problem, according to studies.
Whatever the reasons for it, Usenet readers tend to be harder on information in terms of verifying its accuracy. On an Internet forum, bad information will likely get a flame. On the Usenet system, bad information will likely be broken down to its component arguments, deconstructed and invalidated by a thoughtful person who wants to make sure the quality of the newsgroup is maintained.
Usenet also allows you to get access to exceptionally qualified individuals. For example, if you have always wanted to talk to someone who worked on a supercollider but, like most people, have no way of making that happen, you may find such a person on Usenet.
Usenet has always been a favorite hangout of scientists.
This is likely, in part, because they have to spend less time dealing with cranky information on Usenet than they do online. Usenet has managed to keep very high standards in some of its newsgroups and this sometimes makes them absolutely fascinating to read.
If you want to participate, you will find most newsgroups very welcoming. They are not like friend networks or the other common networking strategies of most sites. These newsgroups are based on interest and you do not have to post anything to read them. If you want to jump into the conversation, hit the appropriate thread and say hi. If you do not want to do that, you can still amuse yourself with all the other articles on the newsgroup.
In the last ten years, several social networking sites have come and gone. Usenet has lasted almost 30 years and, in all that time, it has attracted new users every day, some truly interesting and accomplished people among them. It is still a very popular service for networking.
Facebook Introduces HTTPS Opt-In for Users, Impacts App Developers
reposted by ákos bardóczi at January 29th, 2011 at 9:28AM
In an article posted today on the Facebook Developer Blog, Facebook announced that they would be offering users the option to switch their Facebook experience to HTTPS-only, which would force all Facebook page loads to be routed over SSL.
According to the blog entry, this feature would be opt-in, and canvas application developers would need to provide an SSL url for the “Secure Canvas URL”.
If a user who has opted into the SSL-only version of Facebook attempts to access a Facebook Application that doesn’t have a Secure Canvas URL set, the user will evidently be shown a message (which will likely be confusing and scary, not because Facebook will purposefully make it so, but because most users don’t really understand SSL) that will give them the option to switch from HTTPS to HTTP. From the post:
If you do not provide a secure Canvas URL, we will display a confirmation page to let HTTPS users switch to HTTP and continue to your app.
This currently affects CANVAS apps only – not application tabs – although that may very well change once Facebook pushes the IFRAME version of tabs out some time in Q1.
HTTPS is slower and more server-intensive than HTTP, and it’s one more cost/timeline issue that has to be factored in. For some clients, I set up the hosting environment (which would include DNS, SSL, etc) – for others, their IT department provisions web space and handles DNS, and they often require a mountain of paperwork and a week to process.
For the latter scenario, the cost of the certificate is negligible, but for a highly-trafficked app, the increase in server load could have serious financial impact. It could mean the difference between needing one server and several.
For smaller companies, stepping up to SSL would mean buying a certificate and potentially paying extra for the dedicated IP address it will need, and if the app takes off, a much heftier hosting bill for running everything over SSL.
If the above would actually, truly improve the safety of the users in some significant way, I’d probably still be on-board.
Security is something I take very seriously, and in 2010, Firesheep showed the world how easy it was to hijack a user’s Facebook session and essentially pwn their account because the session data was being transmitted unencrypted and was sniffable over public wifi. To be fair, it wasn’t just Facebook that was affected, but if you’re logging into websites on an unencrypted public wifi, odds are your email accounts and everything else are at risk too.
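Firesheep worked because the session cookie itself travelled in the clear, so serving pages over HTTPS only helps if the server also tells the browser never to send that cookie over plain HTTP and to stop making HTTP requests at all. The following is an added example, not code from the original post, Facebook or Firesheep: a small Python audit of response headers that flags session-like cookies missing the Secure and HttpOnly attributes and a missing or short-lived Strict-Transport-Security header. The two header sets at the bottom are constructed for the example, and the cookie-name heuristic (`SESSION_NAME_HINT`) is an assumption about what counts as a session cookie.

```python
import re

# Heuristic for cookies that carry a login: names containing these fragments.
# This is an assumption for the example, not a standard.
SESSION_NAME_HINT = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)
ONE_YEAR = 31536000

def parse_set_cookie(value: str) -> dict:
    """Split one Set-Cookie header into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, v = part.partition("=")
        attrs[key.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": val, "attrs": attrs}

def audit_response_headers(headers) -> list:
    """Return findings for the headers of one HTTPS response.
    headers: iterable of (name, value) pairs as the server sent them."""
    findings = []
    hsts_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts_seen = True
            m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if not m or int(m.group(1)) < ONE_YEAR:
                findings.append("HSTS max-age below one year")
        elif lname == "set-cookie":
            cookie = parse_set_cookie(value)
            if not SESSION_NAME_HINT.search(cookie["name"]):
                continue  # only session-like cookies are interesting here
            if "secure" not in cookie["attrs"]:
                findings.append(f"cookie {cookie['name']} lacks Secure: "
                                "browser will still send it over plain HTTP")
            if "httponly" not in cookie["attrs"]:
                findings.append(f"cookie {cookie['name']} lacks HttpOnly: "
                                "readable by script injected into the page")
    if not hsts_seen:
        findings.append("no Strict-Transport-Security header: "
                        "the next visit can still start over HTTP")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(hdrs) or ["no findings"])
```

The weak set reproduces the pre-Firesheep situation: the page may be served over TLS, but the cookie has no Secure attribute, so a single HTTP request to the same host (an image, a redirect, a typed URL) hands the session to anyone on the same wireless network. The hardened set is what an "HTTPS-only" option needs behind it to mean anything.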
That said, this seems like it will give naive users a false sense of security and not actually provide that much value for the effort involved by the app developers.
“Oh, this application must be safe – I’m using HTTPS, and the S stands for *secure*!”
Phishing, rogue apps and malware are already horrendous problems on social media websites, Facebook especially. I would much rather see Facebook (and others) improve their session handling before going in this direction. Reputable companies who are collecting any kind of PII are already running data submission over HTTPS, and non-reputable companies aren’t going to become more honest just by forcing them to encrypt the data they’re mining from your profile.
The net result is a lot of extra work for developers and companies for not a lot of benefit to not a lot of users, with the side effect of confusing people into thinking that SSL = trustworthy, or that a non-SSL app is malicious and trying to eat their souls.
IMHO, the much bigger threat to Facebook users is their own poor judgment on what to click on. Social engineering rules social networks, and no amount of encryption is going to fix that. As the fabulous shirt from Jinx says “there is no patch for human stupidity”.
Until people start being more critical of what they’re clicking on and what apps they’re allowing access to their profile, they’ve got a lot more to worry about than SSL. It’s the same false sense of security that users running antivirus programs often suffer from.
“I don’t need to worry about what I click on – I’m running antivirus! My virus definitions are up to date, so I am safe and protected and nothing can harm me.”
In 2008, Symantec had to write new virus signatures every 20 seconds to keep up with the onslaught of malware that was released. This was increased to every 8 seconds by 2009. [Source: Gray Hat Hacking The Ethical Hackers Handbook, 3rd Edition]
What do you think? Am I just being a whine-ass lazy developer? Am I being a slacker security pundit? Let me know in the comments.
Facebook, Twitter, blogs — Are you allowed to access those social networking tools at work?
The Army has just released its 2011 social media handbook that offers social media guidance for soldiers, personnel and their families, Mashable reports.
The handbook suggests security tips like setting your privacy setting options to “friends only” and to not reveal your schedule and event locations.
Other top security tips include turning off the GPS function on your smartphones to avoid geotagging. And you should review photos and videos before you’ve posted online to make sure they don’t give away “sensitive” information.
This story is part of Federal News Radio’s daily Cybersecurity Update brought to you by Tripwire.
Facebook defends security strategy - Shy social network responds to criticism
reposted by ákos bardóczi at January 28th, 2011 at 9:19PM
Analysis: Facebook has defended its record in thwarting rogue applications and other security threats in the face of criticism from security firms that it ought to adopt tighter application controls.
The dominant social network disputes findings from a threat report by UK-based net security firm Sophos, released earlier this week, that spam, malware and other attacks have become more effective against Facebook users over the last year.
Facebook reckons the opposite is true, while disputing the methodology adopted by Sophos, which it said looked, for example, at the volume of spam sent to Facebook users instead of the volume that reached their in-boxes.
Facebook said: “If your spam filter catches all the spam, does it matter that your filter caught 10 per cent more?”
The social networking site reckons less than three per cent of communications on Facebook are spam, compared to industry estimates that email spam makes up 90 per cent of all electronic messages. The implication is that Sophos is focusing on the wrong problem.
Survey scams have become an almost daily occurrence on Facebook over recent months. Typically they use the lure of an application that a potential victim’s friend has been tricked into installing, such as a ‘Dislike’ button or a link to shocking (invariably bogus) news about a celebrity.
Instead of getting the promised content, victims are invited to navigate their way through a thicket of time-wasting surveys. Scammers earn a kick-back for each victim as affiliates of unethical marketing firms.
More ambitious (and lucrative) scams attempt to trick victims into supplying their mobile number, before signing up to a premium rate text messaging service of questionable utility.
The scams take advantage of human stupidity rather than web security vulnerabilities. Both Sophos and Facebook agree that user education is part of the solution, but the two are split on whether Facebook itself could do more to tighten up its controls on how applications are released onto its platform.
In a statement responding to Sophos’ report, Facebook said it has plenty of controls already that limit access to information.
We have built extensive controls into the product, so that now when you add an application it only gets access to very limited data and the user must approve each additional type of data (so we do more than anyone else to educate users about passage of data, and force disclosure and user consent for each category beyond the basics).
We have a dedicated team that does robust review of all third party applications, using a risk based approach. So, that means that we first look at velocity/number of users/types of data shared, and prioritise. This ensures that the team is focused on addressing the biggest risks, rather than just doing a cursory review at the time that an app is first launched.
We make sure that we act swiftly to remove/sanction potentially bad applications before they gain access to data, and involve law enforcement and file civil actions if there is a problem.
Down with this sort of thing
Facebook said it is constantly improving the level of account protection offered to users, citing its introduction of one-time passwords back in October 2010, a development designed to make it safer for users to use public computers to access the service.
The social network goes on to list its user education programmes, which are geared to improving the security awareness levels of users.
These initiatives include updating the 3.6 million people who have liked the Facebook Security Page, hundreds of thousands of which have taken our “Stop. Think. Connect.” quiz on the Page, which we developed with National Cyber Security Alliance and the Anti-Phishing Working Group; as well as the education we do through the product, for example, when we detect that an account is compromised by phishing or malware, we put the owner through a remediation/education process that includes a free McAfee virus scan.
When a person clicks on a link that we can’t verify, or that we think might be suspicious, we pop an interstitial warning.
We put these points to Sophos, which said it stood by the main findings of its original report, and argued that the social network could and should do more to improve the security of its users.
"I definitely feel that Facebook could be doing more to both better secure their users, and to ensure that privacy is treated as a higher priority," Graham Cluley, senior technology consultant at Sophos, told El Reg.
Facebook may talk a good game but a quick search (viewable only if logged into Facebook and safe providing you don’t click on the links) shows hundreds of victims have installed a rogue app that falsely promises the ability to “see who has viewed your profile”.
Facebook ought to have someone searching for such scams and stamping them out, something that isn’t happening as yet. “Often I see these scams spreading for days on end, with no obvious action taken by Facebook,” Cluley said.
According to Sophos, the social network could employ a round-the-clock security response team. Some have suggested Apple-style pre-approval of apps would drastically reduce, if not eliminate, the volume of crud circulating on Facebook. However, Cluley said such an approach was hard to apply to Facebook’s platform.
"Pre-approval of apps is tricky, because they are web-based and contain content that is not hosted on Facebook’s own servers," Cluley explained. "In other words, the bad guys could change it any time - turning a good app into a rogue one."
What might work better is some form of white-listing or restricting the ability to access sensitive data to already trusted developers, Cluley explained.
"Each app could be submitted for profiling to Facebook, who would create a matrix of what data it requested to access from the user, and which webpages it uses content from. If these changed at any point then the app would no longer be approved, and be sent back to Facebook’s sinbin team for checking.
"Better than that would be for Facebook to only allow apps that came from approved developers to access sensitive information or post to users’ walls."
Cluley said Facebook introduced an optional app verification program in November 2008, only to quietly kill it off a year later.
Facebook ought to consider reviving the program, said Cluley. “If developers had to pay to become official developers for the Facebook platform, and if not being an official developer meant you weren’t able to hit Facebook users, then we’d see an instant dramatic drop in the attacks.”
Sophos suggested that Facebook ought to be more proactive in using its security page as an early warning system on scams, as part of a broader program targeted at curtailing rogue apps and other security threats.
"There’s a sliding scale of things that Facebook could do to counter the problem of rogue apps - ranging from faster response to stricter conditions about who can and who can’t write Facebook applications," Cluley concluded. "What’s clear is that their current approach isn’t working."
Facebook has 11,701 compromised webpages
reposted by ákos bardóczi at January 25th, 2011 at 8:09PM
A MINEFIELD OF MALICIOUSNESS is the best way of describing social networks it seems, with over 20,000 compromised webpages having been found at such websites.
AVG is warning users of social notworking services to be on their guard after its research uncovered the 20,000-odd compromised pages, 11,701 of which are on the world’s largest social network, Facebook. The insecurity outfit also found that YouTube has 7,163 compromised pages.
"The fact that we found almost 20,000 compromised web pages should make social media users sit up and take notice," said Tony Anscombe, AVG’s head of free products. "And in particular, it is the audience most active on these sites, the under 25s, who are most at risk."
In related news, security firm Websense warned users of a new spam campaign containing malicious links and attachments that can infect a user’s PC with the data stealing Zeus Trojan.
"This is a great example of a blended threat that covers all attack angles - web, email and file based - which steals your data to boot," said Carl Leonard, senior manager at Websense Security Labs.
A proxy-based real-time protection mechanism for social networking sites
January 25th, 2011 at 2:54PM
Dwen-Ren Tsai, A.Y. Chang, Sheng-Chieh Chung, You Sheng Li
Dept. of Comput. Sci., Chinese Culture Univ., Taipei, Taiwan
This paper appears in: 2010 IEEE International Carnahan Conference on Security Technology (ICCST)
Issue Date: 5-8 Oct. 2010
On page(s): 30 - 34
Location: San Jose, CA
Print ISBN: 978-1-4244-7403-5
INSPEC Accession Number: 11706594
Digital Object Identifier: 10.1109/CCST.2010.5678686
Date of Current Version: 30 December 2010
In the past few years, social networking websites such as Facebook and Myspace have become very popular; their usage rate even exceeds that of Google. This popularity has been followed by many potential networking threats, and preventing these threats and stopping their expansion has become a major challenge. This paper categorizes social networking websites into three main structures: the social network (SN), the network application service (NAS) and the communication interface (CI). Through a literature review, we explore the potential information security threats (IST) that may arise at each layer. We then use security characteristics such as confidentiality, integrity and availability to cross-analyze these threats. The analytical results are presented in graphs and tables to demonstrate the distribution of current security threats for social networking websites. We propose a real-time website security protection mechanism based on the concept of a proxy. The client side transmits information to the social networking website through the proxy. The main function of the proxy is to detect and determine the security threats of the website, which include web-based malware, phishing websites and malicious connections. The idea is to integrate many commercial protection products and online security scanning services into a security module, execute the webpage security threat scans simultaneously, and scan the information sent by the web server with the security module before it is sent to the client. If security threats are found in a web page, the system adds that page to a blacklist and issues a warning to the client side to prevent the attack. The function of the proxy is to segregate the client from the networking threat. Using simultaneous scans by many protection products and online services can increase the recognition rate of security threats.
Later on, whenever the client is about to receive a webpage that is in the blacklist, a warning is issued directly to the client side. Through this mechanism, we can lower the security risk for clients using social networking websites.
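The scan-then-blacklist flow the abstract describes, as an added Python sketch that is not from the paper: the three scanners are constructed heuristics standing in for the commercial products and online services the authors integrate, they run concurrently over each fetched page, any hit blacklists the URL, and a later request for a blacklisted URL is refused without rescanning. All hostnames and page bodies are made up.

```python
"""Toy model of the paper's proxy-side filter: parallel scanners, a blacklist
of URLs that produced findings, and a short-circuit warning on repeat requests."""
import re
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlparse

# Constructed heuristic "engines" standing in for real scanners (assumption).
# Each returns a finding string, or None when it sees nothing suspicious.
def script_scanner(url, body):
    if re.search(r"eval\(\s*unescape\(", body):
        return "obfuscated script (eval/unescape)"
    return None

def phishing_scanner(url, body):
    # A password form whose action points at a host other than the page's own.
    host = urlparse(url).hostname
    if 'type="password"' not in body.lower():
        return None
    for action in re.findall(r'<form[^>]+action="([^"]+)"', body, re.I):
        target = urlparse(action).hostname
        if target and target != host:
            return f"password form posts to foreign host {target}"
    return None

def link_scanner(url, body, known_bad=frozenset({"malware.invalid"})):
    # Constructed host blacklist standing in for an online reputation service.
    for href in re.findall(r'href="(https?://[^"]+)"', body, re.I):
        if urlparse(href).hostname in known_bad:
            return f"link to blacklisted host {urlparse(href).hostname}"
    return None

class ProxyFilter:
    def __init__(self, scanners):
        self.scanners = list(scanners)
        self.blacklist = {}  # url -> findings from the scan that blocked it

    def inspect(self, url, body):
        """Return (allowed, findings); blacklisted URLs are refused without rescanning."""
        if url in self.blacklist:
            return False, self.blacklist[url]
        with ThreadPoolExecutor(max_workers=len(self.scanners)) as pool:
            results = list(pool.map(lambda scan: scan(url, body), self.scanners))
        findings = [r for r in results if r]
        if findings:
            self.blacklist[url] = findings
        return not findings, findings

# Constructed sample pages as the proxy might see them from the social site.
CLEAN = '<html><a href="https://social.test/photos">photos</a></html>'
PHISH = '<form action="https://login-social.invalid/steal"><input type="password"></form>'
proxy = ProxyFilter([script_scanner, phishing_scanner, link_scanner])
```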
Over the weekend, a Koobface-like attack surfaced on Facebook, infecting users by tricking them into clicking to view a photograph.
"Unlike the majority of Facebook scams we report, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users," said Chester Wisniewski, senior security advisor at Sophos. Facebook has since removed the malicious application.
From a security and hoax standpoint, it was a busy weekend for the social network, as links to a story also emerged that Facebook would shutter on March 15th, also known as the Ides of March. “The stress of managing this company has ruined my life,” Facebook CEO Mark Zuckerberg allegedly said. “I need to put an end to all the madness.”
Supposedly, a VP of technical affairs at Facebook, Avrat Humarthi, issued a related warning to Facebook users. “If you ever want to see your pictures again, I recommend you take them off the Internet. You won’t be able to get them back once Facebook goes out of business.”
Of course, Humarthi is a fictional character and the entire story a hoax, traced to the Weekly World News. Even so, the story spread “like wildfire” on the social network over the weekend, said Graham Cluley, senior technology consultant at Sophos, who estimates that at least a million users clicked on the story. “Although a hoax is nothing like as bad as a piece of malware worming its way between users and stealing information, it’s still a nuisance, clogging up communications, increasing the overall level of spam, and perhaps leading people to make decisions for the wrong reasons,” he said.
Another outbreak of mass gullibility also affected Facebook users over the weekend, as scammers attempted to lure people into viewing a video alleging that the killer of hip-hop star Tupac Shakur was Suge Knight, the owner of Tupac Shakur’s record label, Death Row Records. To get to the news, however, readers needed to “complete a 30-second test below to prove you are human.”
Cluley said that “this is where the scammers make their money. Every time someone fills in an online survey, they make a little bit of commission. If they can find an attractive enough lure — like a video ‘proving’ who killed Tupac Shakur — they can potentially bring lots of people to the surveys.”
Indeed, at least 125,000 people had clicked on fake links relating to the bogus news, which was being circulated by 10 different rogue applications. Cluley said the attack is also being distributed via Twitter posts with direct links to the Facebook applications. Any users that authorized the rogue application would then see the attack posted to their Facebook wall, perpetuating the scam.
Facebook and Twitter Will Be Used For Distributed Cyber Attacks: PandaLabs
January 25th, 2011 at 2:54PM
PandaLabs, the internet security site, has revealed that Facebook and Twitter are the two most unsafe social networking websites. Breach of privacy has long been an issue for many finance-related sites, and now it seems social networking sites also fall prey to it.
The annual report by PandaLabs regards 2010 as a highly interesting year in terms of cyber crime. According to the report, 2010 saw the creation of 34 percent of all malware ever created. An intelligence system capable of analysing and detecting malware reveals that, of the 134 million unique classified files stored by the company, 60 million were malware.
Other than cyber crime, cyber war and cyber activism also took place in 2010. Two popular worms, “Stuxnet” and “Here you have”, were referred to by PandaLabs in this context. While the former was built to damage the functioning of nuclear power plants, the latter was created by an Islamic terrorist organisation in retaliation for the United States’ war on terrorism.
PandaLabs did their job and perhaps more than that. They warned Facebook and Twitter users that in 2011 such cyber attacks will take an even more severe form. The report states: “In 2011, not only will hackers continue to use these networks, but it is predicted that they will also be used more for distributed attacks.”
In late 2010, a secret group of expert hackers called “Anonymous” surprised everyone by conducting DDoS attacks to defend Julian Assange, the founder of WikiLeaks, and his ideology. They took down some established and supposedly secure sites. Considering this, it can be anticipated that 2011 will be a rough time for social networking sites. There is, however, another reason to expect this: American internet users spend a huge share of their time, nearly 23%, on social networking.