Security

December 29, 2009 2:50 PM PST

More attacks expected on Facebook, Twitter in 2010

by Larry Magid

Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google's Chrome OS will "create another opportunity for malware writers to prey on users."

The company also anticipates smarter and more dangerous Trojans that "follow the money," as well as a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies."

In a recorded interview (scroll down for audio) David Marcus, McAfee Labs' director of security research and communications, said that he expects "an explosion of Facebook and other services targeted by cybercriminals." In addition to malware like Koobface that spreads among Facebook users' friends list, Marcus expects an increase in rogue Facebook applications.

"When you click yes to 'do you want to allow this application to access your Facebook account,' you're giving that application access to all the data in your Facebook account," he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.

"A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he said. Marcus recommends that you only install apps from within Facebook by clicking "browse more applications" in the Facebook application installer.

Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There's nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you're going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report, is "also serving as a control vehicle for botnets."

Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of "GhostNet," which McAfee Labs describes as a "network of at least 1,295 compromised computers in 103 countries" that "primarily belonged to government, aid groups, and activists." The malicious code was delivered by e-mail with subject headings related to the Dalai Lama and Tibet, according to the report.

The report also cites "a very targeted wave of attacks against the management of major companies," as well as attacks carried out against "journalists from various media organizations, including Agence France-Presse, Dow Jones and Reuters based in China."

Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. "It's nothing they've (Adobe) done wrong," Marcus said. "The bad guys go where the masses go" and because of the increasingly widespread use of Adobe products, "that tends to be what the bad guys will start looking to exploit. It really is nothing more sophisticated than that."

Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.

"Instead of viewing a PDF you're actually taken to a website that downloads some type of malware to your machine." Adobe plans to patch a critical hole in Reader and Acrobat on January 12.

There is also concern about Google's Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5--the newest version of the hyper-text markup language that, says the report, "holds all the promises that today's Web community seeks--primarily blurring and removing the lines between a Web application and a desktop application."

McAfee also warned of banking Trojans with "new tactics that went well beyond the rather simple keylogging-with-screenshots" that were used earlier. Trojans now use rootkit techniques to hide on a victim's system to disable antivirus software.

"Often the victim's computer becomes part of a botnet and receives malware configuration updates," the report said.

For more on the threats on Facebook and Twitter read "Using Facebook and Twitter safely" on CNET.

Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals "from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay."

The year also "saw the conviction of the infamous 'Godfather of Spam,' Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world's unsolicited e-mail," McAfee said.

"You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time," Marcus said. He said he thinks "the bad guys will learn from that and build in some redundancy," but he remains optimistic. "The good guys and regular users are getting tired of getting exploited and we're finally starting to see more offensive and aggressive take downs of botnets...we're starting to see people wanting to take back the Internet."

Listen to Larry's interview with David Marcus.


Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
December 23, 2009 10:00 AM PST

Using Facebook and Twitter safely

by Elinor Mills

You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.

A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone numbers and addresses--private information strangers shouldn't have.

The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.

Here's a look at some of the specific threats users of the sites face and what they can do about it.

FACEBOOK

A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users.

(Credit: Trend Micro)

Problems: Malware, account hijacking, phishing, and social engineering

The biggest malware risk is Koobface (an anagram of Facebook), a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.

Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.

Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.

Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for the operating system and other software. Use software like AVG LinkScanner or McAfee SiteAdvisor to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.

Use an up-to-date browser that features an antiphishing blacklist, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
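The advice to check that the log-in page really lives on the Facebook.com domain is easy to get wrong in software: looking for the text "facebook.com" somewhere in the address accepts many phishing links, because that text can sit in the path, in the part before an "@", or at the front of an unrelated host name. The following Python function is an added illustration of the check done properly; it is not code from the CNET article or from Facebook, and the sample addresses it classifies are constructed for this example, not real phishing sites.

```python
from urllib.parse import urlsplit

# The registrable domain trusted for the log-in form (assumption for this example).
LEGITIMATE_DOMAIN = "facebook.com"


def is_legitimate_login_page(url: str, domain: str = LEGITIMATE_DOMAIN) -> bool:
    """Return True only when the URL's host is `domain` or a subdomain of it.

    The URL is parsed rather than searched for the string "facebook.com":
    that string can appear in the path, the query, the user-info part before
    '@', or as the prefix of an unrelated host, and none of those mean the
    page is served by the real site.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False  # malformed URL (for example a bad IPv6 literal)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data: and similar schemes are never a log-in page
    host = parts.hostname  # user-info and port removed, already lowercased
    if not host:
        return False
    host = host.rstrip(".")  # "facebook.com." names the same host as "facebook.com"
    if not host.isascii():
        return False  # look-alike Unicode letters never match the ASCII domain
    return host == domain or host.endswith("." + domain)


# Constructed sample addresses of the kind a phishing message might carry;
# the non-facebook hosts use the reserved .example TLD and are not real sites.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "https://FACEBOOK.COM/",
    "http://www.facebook.com.evil.example/login",  # real host is evil.example
    "http://facebook.com@evil.example/",           # "facebook.com" is user-info
    "http://evil.example/facebook.com/login",      # "facebook.com" is in the path
    "https://facebook-login.example/",             # similar-looking host
    "https://f\u0430cebook.com/",                   # Cyrillic 'a' look-alike
    "javascript:alert('login')",                   # not a web page at all
]


def classify_urls(urls=SAMPLE_URLS) -> dict:
    """Map each URL to whether it passes the domain check."""
    return {u: is_legitimate_login_page(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify_urls().items():
        print(("LEGITIMATE  " if ok else "SUSPICIOUS  ") + url)
```

Only the first two sample addresses pass; every other one contains "facebook.com" or something close to it and would fool a plain substring check. The same parsing approach applies to any site's log-in page by changing the trusted domain.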

Problem: Rogue applications

Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.

Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?

Problem: Privacy leaks due to user error

Because people control who they are friends with on Facebook, it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users (such as weak passwords), and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers, who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.

Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.

These instructions explain how to keep most people from viewing your friends list on Facebook.

(Credit: CNET)

Problem: Privacy leaks due to design or implementation issues

Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.

Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.

Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth lookup service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends' apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.

Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.

Problem: Privacy leaks related to marketing

The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.

Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.

Problem: Information used to suppress dissent and target political activists

As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.

"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.

Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.

TWITTER

This screen shot shows a Koobface attack message on a Twitter page.

(Credit: Trend Micro)

Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.

Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."

Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.

Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.

Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.

Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.

Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week the passwords of 32 million users, stored in plain text on the RockYou site, were exposed by a SQL injection attack, according to security firm Imperva. Because the same passwords were used on the social-networking application maker's affiliate sites, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.
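The RockYou incident above combines two separate failures: user input could alter the database query, and the table that query exposed held passwords in the clear, so one flaw handed an attacker every account (and, through password reuse, accounts elsewhere). The Python example below is added here for illustration and is neither the article's nor RockYou's code. It places the weak pattern next to its hardened form on an in-memory SQLite database with constructed sample accounts; the choice of PBKDF2-SHA256 and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2; an assumption for this example, tune for your hardware.
PBKDF2_ITERATIONS = 100_000

# Constructed sample accounts; the passwords are test values only.
SAMPLE_USERS = [("alice", "correct horse battery"), ("bob", "hunter2")]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a salted PBKDF2-SHA256 record: algo$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare it in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a plaintext table and a hashed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    for username, password in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (username, password))
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))
    conn.commit()
    return conn


def login_weak(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The weak pattern: plaintext passwords and a query built by string formatting.

    Untrusted input becomes part of the SQL text, so a caller can rewrite the
    WHERE clause, and every row of users_plain is a directly usable password.
    """
    query = ("SELECT username FROM users_plain "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The hardened pattern: a parameterised query plus salted, iterated hashing."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Hash anyway so an unknown account takes as long as a wrong password.
        verify_password(password, hash_password("dummy"))
        return False
    return verify_password(password, row[0])


def count_plaintext_secrets(conn: sqlite3.Connection) -> dict:
    """Per table, how many stored secrets equal a sample password in the clear."""
    sample = {p for _, p in SAMPLE_USERS}
    plain = conn.execute("SELECT password FROM users_plain").fetchall()
    hashed = conn.execute("SELECT password_hash FROM users").fetchall()
    return {"users_plain": sum(1 for (v,) in plain if v in sample),
            "users": sum(1 for (v,) in hashed if v in sample)}


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # classic input that closes the quote and adds a true clause
    print("weak, crafted password    :", login_weak(db, "nobody", crafted))
    print("hardened, crafted password:", login_hardened(db, "nobody", crafted))
    print("secrets readable in clear :", count_plaintext_secrets(db))
```

With the parameterised query the crafted input is just a string that matches no username, and even a full dump of the `users` table yields salted hashes rather than passwords that can be tried against Gmail or Yahoo. The dummy hash on an unknown account keeps the response time from revealing which usernames exist.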

Originally posted at InSecurity Complex
December 15, 2009 9:00 PM PST

Facebook sues men for allegedly phishing, spamming

by Elinor Mills

Facebook has sued three men, alleging they used phishing techniques to get access to Facebook user accounts and then sent spam from the compromised accounts.

The lawsuit was filed Monday in federal court in San Jose, California, and named as defendants Jeremi Fisher, Philip Porembski, Ryan Shimeall and the companies associated with them, Choko Systems, Harm, and iMedia Online Services, according to a Facebook statement late on Tuesday. The defendants could not be reached for comment.

The defendants are accused of launching at least four spam campaigns over the last couple of years, the latest in the last three months being responsible for nearly three-fourths of all spam on the site, according to the suit. The latest "escalated attack" included spam offering a colon cleanser, fake messages purporting to show a video of the recipient and offers for recipients to make money through a fake "Google Campaign." Clicking on the spam typically sends a user through various marketing sites before landing them on a page that prompts for their Facebook log-in information.

It is unclear exactly how Facebook user log-in information, used to send spam to friends, was obtained.

Facebook has spent $5,000 combating the spam, according to the suit.

The lawsuit makes claims under the Can-Spam (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, the Computer Fraud and Abuse Act, the California Anti-Phishing Act and the California Computer Data Access and Fraud Act, according to Facebook.

This is the latest legal action the social networking site has taken related to spam. In October, Facebook was awarded $711 million in a judgment Thursday against self-described "spam king" Sanford Wallace.

The largest judgment ever under the Can-Spam Act was an $873 million award Facebook won in November 2008 against Adam Guerbuez, of Montreal, and his company, Atlantis Blue Capital.

Updated December 16 at 7:55 a.m. PST with details from the lawsuit.

Originally posted at InSecurity Complex
December 11, 2009 11:44 AM PST

Note to Silicon Valley: How not to manage privacy

by Larry Downes

Editors' note: This is a guest column. See Larry Downes' bio below.

It's been a bad week for those, like me, who feel the debate over data privacy too often casts information businesses as evil Halloween monsters, determined to terrorize and humiliate their customers just for the fun of it.

On Monday, the Federal Trade Commission held the first of three conferences on privacy and technology, at which a parade of consumer advocates and legal scholars warned of an imminent data apocalypse.

Recent events seemed, alas, to support that view. Sprint, for example, reported that over the last 13 months, it has received more than 8 million requests for GPS data about customer location and movement from law enforcement agencies. (Sprint is now determining the number of customers affected, estimated to be in the thousands.)

Verizon and Yahoo filed objections to a Freedom of Information Act request that asked how much the companies charge to comply with government surveillance orders, claiming that release of the information would "shock" and "confuse" customers.

Then, Google's notoriously private CEO, Eric Schmidt, brushed aside a CNBC reporter's question about concerns that users are putting too much trust in his company, saying, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Most disturbing of all is what happened over at Facebook, the social-networking behemoth that now hosts more than 350,000,000 members. Based in part on complaints by government agencies in Canada and Europe, the company announced in July that it had begun testing a more comprehensive and simplified set of privacy settings, promising to give users "even greater control over the information they share and the audiences with whom they share it."

After months of what looked like careful planning, Facebook implemented its new privacy policy and user tools this week.

The announcement landed flat on, well, flat on its face. A chorus of the usual suspects, including the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California, cried multiple fouls, objecting both to the nature of the changes and the way in which they were being imperiously foisted on users. "Under the banner of simplification," said the Electronic Privacy Information Center's Marc Rotenberg, "Facebook has pushed users to downgrade their privacy."

First, a word about the changes themselves. In a detailed exegesis published on Wednesday, EFF's Kevin Bankston divided the revisions into three categories: the good, the bad, and the ugly.

In the good column, Bankston noted that all Facebook users are being required to review their privacy settings and have been given new tools to simplify the process. For each individual post to their page, users can now limit who among their friends gets to see what. In the bad department, EFF doesn't like the recommended settings, which pretty much let everyone see everything.

The ugly, however, are genuinely ugly. The version of a user's Facebook page open to Facebook members and nonmembers alike will now show the user's name, profile picture, location, and gender, as well as a complete list of her friends. Most of that information can no longer be controlled other than by not providing it in the first place. (Facebook has already backtracked on the public availability of friends information.) And users can no longer opt out of letting Facebook and third-party applications, such as all those quizzes and tests my friends seem to spend most of the day filling out, access at least some information from their account and that of their friends.

Logic behind privacy policy changes
I understand why Facebook wants these changes. Given the sheer number of Facebook users, it's increasingly difficult to find friends when presented with a list of dozens of profiles with matching names and no other information.

As the company moves to find ways of making money from its network, moreover, open access to information about users is not just important--it's essential. Constraining the company's ability to publish and otherwise monetize that information limits the chances Facebook and other social-networking sites can continue to secure funding, compete in a wide-open market, and ultimately survive as a commercial enterprise.

That, at least, is the kind of reasonable explanation for the changes the company could have provided. Instead, it announced the new policy and implemented it at the same time, leaving no opportunity for user review or comment. According to EFF's Bankston, Facebook didn't disclose the creation of the new category of "publicly available information"--that is, information about a user that cannot be controlled--until "the very day it is forcing the new changes on users." (Facebook did, in fact, allow a one-week comment period on a draft of the new policy, which is more than 5,000 words long, in early November.)

The company's reliance on good relations with its users makes the ham-fisted and tone-deaf nature of these changes both "shocking" and "confusing." After a minirevolt erupted earlier this year over changes to Facebook's terms of service, in which the company seemed to grant itself a more generous license for user data, a chastened CEO Mark Zuckerberg quickly reversed course.

More than that, Zuckerberg promised that future modifications would be developed in collaboration with users on an open-source model. "Our terms aren't just a document that protects our rights," Zuckerberg wrote on the company's blog, "it's the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service."

Exactly. So why didn't Facebook learn from its own painful lesson? While the company tested the new features with some users and solicited comments on the privacy policy over the last several months, Facebook reported in November that the number of comments it received on its draft proposal "did not reach the threshold to hold a vote." That's not a good thing.

Lessons not learned
Despite the high level of emotion, rightly or wrongly, that users attach to the topic of privacy, the new policy and tools simply arrived, providing some new protections even as existing controls were unceremoniously removed. Did the company think no one would notice? These and other recent privacy gaffes and missteps have unfortunate consequences.

Consumers, already uneasy about how increasingly intimate information is being handled online, will trust companies less, raising the potential for government regulations and new privacy agencies to fill a perceived void. That would be a dangerous result, and ultimately a counterproductive one.

Introducing new layers of regulatory bureaucracy will slow the pace of exciting innovations in information technology that have kept users engaged in the first place. And interjecting government oversight over any data raises the possibility of misuse of that information by other parts of the government, a problem made all too clear by continued revelations about secret surveillance under the wide umbrella of the Patriot Act and other antiterrorism measures.

The reality is that most information services do a good and responsible job of balancing user interests in controlling information access with value derived from transactional and other data that pay for much of what happens online.

Though often implicit, users today trade the use of information about their activities, purchases, and interests for innovative and often free services that analyze and aggregate that data. Such services help cell phone users locate their friends with Loopt, consumers simplify their search for products and services on Amazon and eBay, and connect with each other in the low transaction cost world of social-networking applications such as Facebook and Twitter.

The real problem: PR
The real problem here is not of policy but rather of public relations. Start-up companies increasingly invest early and often in legal counsel, in part to navigate the complex waters of intercompany relationships and in part to avoid potentially lethal litigation from patent trolls, unhappy competitors, and a global army of business regulators.

At the same time, marketing, as well as public and government relations, get little attention, as companies believe that enthusiastic users are now the best form of PR a young company can get and at a price that can't be beat.

Maybe so. But as information exchanges have moved from the purely pedestrian business-to-business networks of the 1980s to the everything-and-everybody sharing that characterizes our increasingly digital lives, companies who discount or dismiss the emotional and even irrational attachment consumers have to information about themselves do so at their peril.

It's not that Google, Facebook, and others need to change in any fundamental way how they do business. They must rather rethink the casual, careless, and often conceited way with which they communicate to users, business partners, regulators, and other stakeholders. When the lawyers lead, everyone loses.

For companies like Facebook today and everyone else tomorrow, users and the data they provide are not just the most valuable asset; they are the only asset. As consumers absorb that fact, they will increasingly use the tools of online communities--ironically, tools provided by social-networking sites themselves--to express their dissatisfaction with unequal exchanges of information for value. Better to collaborate with them now than to negotiate later, at the end of a gun.

Facebook, as Mark Zuckerberg correctly noted, is a kind of virtual nation, where terms of service and other policy documents serve as Constitution and governing law. As such, changes to both policy and practice require honest deliberation and engagement with the residents.

They can no longer be delivered as fait accompli. For one thing, it's pretty easy for virtual citizens to revolt against a government they don't like, or simply pack up and move somewhere less tyrannical. Easier than it is in the physical world, in any case.

December 7, 2009 7:34 AM PST

Study: Facebook users willingly give out data

by Don Reisinger

Facebook users are too willing to give out their personal information, security firm Sophos has found.

According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.

Once the requests were accepted, Sophos was able to see the full dates of birth of up to 89 percent of the users, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even exposed information about family and friends.

Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."

The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identity thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos' concerns about how Facebook users keep information private come on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, made up of five Internet safety groups.

Originally posted at Webware

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

November 17, 2009 6:05 PM PST

Facebook adopts new privacy policy

by Steven Musil
  • 11 comments

Facebook on Tuesday announced that it has decided to adopt a revised privacy policy designed to be more accessible and easier to understand.

The social network had just completed a weeklong comment period on the new revision. Though "a lot of people participated," fewer than 7,000 members commented, which under Facebook's rules meant that a vote was not required, Michael Richter, Facebook's deputy general counsel, wrote in a company blog post.

Overall, members supported the proposed changes, including the simplification of the language used to describe the policy and the document's new structure, Richter said.

The site also plans to add visual resources designed to make the document more accessible, such as a glossary of important terms and informational "learn more" videos. Facebook expects to post the revision in English, French, Italian, German, and Spanish soon.

The revision is the latest chapter in Facebook's privacy saga. In July, an investigation by Canada's privacy commissioner suggested that Facebook is unconcerned with members' privacy and called on it to do more. Commissioner Jennifer Stoddart expressed concern that while it's easy for members to deactivate their accounts, the process of actually deleting them is less clear. Facebook could therefore retain member data from deactivated accounts for an indefinite period of time, in violation of Canadian privacy law.

The social network went through a user backlash over the introduction of its News Feed in 2006, and a bigger one over the controversial Beacon advertising program in 2007. More recently, a revision to Facebook's terms of use prompted consumer advocacy blog The Consumerist to highlight language that it said meant that Facebook claimed ownership of user profile data and photos.

Originally posted at Digital Media
November 2, 2009 1:18 PM PST

Spammy scams surfacing on Twitter, Facebook

by Elinor Mills
  • 2 comments

Twitter and Facebook users were getting hit with scams on Monday.

Twitter users were warning one another about direct messages that said, "I make money online with google. i learned how here [link]."

A Twitter representative said it was not a phishing scam, because the site to which the spam links does not ask for a username and password or look like a Twitter page.

"We're on it and fixing accounts as fast as possible," she wrote in an e-mail. "You can keep posted on known issues as well by checking in on the Twitter Status page."

On Facebook, meanwhile, people were seeing messages from friends that said, "just take a look at it and read it over and try it if you want [link]." The link goes to a site that appears to be hosting malware. Accounts that are generating the messages are likely compromised, and the owners should change their passwords immediately.

"We're aware of this campaign, and are blocking malicious URLs and resetting affected users' accounts," a Facebook representative said in an e-mail. "The link in the spam message is for a work-at-home scam, not a phishing site. We're still investigating, but it's likely people's accounts were compromised through a previous phishing scheme."

Twitter users warned about a "make money online with google" scam on Monday.

(Credit: Twitter Search)

Updated at 3:39 p.m. PST with Facebook comment and at 2:15 p.m. PST with comment from Twitter.

Originally posted at InSecurity Complex
October 28, 2009 1:16 PM PDT

Bank Trojan botnet targets Facebook users

by Elinor Mills
  • 21 comments

On the heels of one fake Facebook e-mail scam, a researcher warned on Wednesday of another such campaign in which users of the popular social network are being tricked into revealing their passwords and downloading a Trojan that steals financial data.

In the latest scam being blasted to e-mail in-boxes, a legitimate-looking Facebook notice asks people to provide information to help the social network update its log-in system, said Fred Touchette, a senior security analyst at AppRiver. When the user clicks the "update" button in the e-mail, they are directed to a fake Facebook log-in screen where their user name is filled in and they are prompted to provide their password.

This is a screen shot of the message in the body of the fake Facebook e-mail.

(Credit: AppRiver)

When they provide that information, victims are taken to a page that offers an "Update Tool," which is actually the Zeus bank Trojan, designed to steal financial and personal data, Touchette said.

Users of smart phones that have the Facebook app installed can also easily be duped because the phishing e-mail appears as an actual Facebook notification complete with Facebook icon, he said. The message is received in the e-mail in-box on the phone as well as under the Facebook notification section in the app itself, he added.

There are likely to be a lot of victims given how many e-mails the scammers are sending. AppRiver has captured about 6 million e-mails in its filters and noticed that the messages were coming in at a rate of 30,000 a minute at one point, according to Touchette. That's about 10 times the usual botnet e-mail message rate, he said.

More details are on the AppRiver blog.

On Tuesday, researchers reported that a different botnet, Bredolab, was distributing fake "Facebook Password Reset Confirmation" e-mails that included a Trojan. As of late Wednesday night, security provider Cloudmark said it had seen more than 730,000 of the Bredolab-related e-mails.

To protect against such phishing attacks, people should be extremely cautious about clicking on links in e-mails and they can mouse over the link to see if the domain is a legitimate domain, Touchette said.

Meanwhile, Facebook users should easily be tipped off that the latest scam is just that, a scam, he said. "Facebook doesn't need all of its users to update their accounts in order for them to make changes to their site," he added.

If there is any question about the legitimacy of the e-mail or the link, users should close the e-mail and go directly to the site to check for important notices to customers, he said.
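The advice above (mouse over a link and check whether the domain is legitimate) can be applied mechanically to an HTML message. The following is an added example, not code from AppRiver, Facebook or the original article: it pulls every anchor out of an e-mail body, compares the real destination host with the domain the link text shows, and flags the tricks phishers rely on (a raw IP address as host, `user@host` userinfo that hides the real host, and lookalike hosts such as `facebook.com.something.example`). The sample message is constructed, and the allowlist of one legitimate domain is an assumption.

```python
"""Flag links in an HTML e-mail whose real destination does not match the
domain the link appears to point to.

Added example, not code from AppRiver or from the original article. The
sample message and the allowlist below are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only registered domain allowed to host a Facebook log-in.
LEGIT_DOMAINS = {"facebook.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host ('www.facebook.com' -> 'facebook.com').
    Good enough for .com; a production filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, text):
    """Return the reasons a link looks suspicious (empty list = looks fine)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return ["not an http(s) URL"]
    if "@" in parts.netloc:
        # http://www.facebook.com@203.0.113.7/ really goes to 203.0.113.7
        reasons.append("userinfo before host (real host is %s)" % host)
    if is_ip(host):
        reasons.append("raw IP address as host")
        dest = host
    else:
        dest = registered_domain(host)
        if dest not in LEGIT_DOMAINS:
            # A legitimate name used as a leading label: facebook.com.evil.example
            if any(legit in host for legit in LEGIT_DOMAINS):
                reasons.append("lookalike host %s" % host)
            else:
                reasons.append("destination %s not in allowlist" % dest)
    # The visible text names a domain that differs from where the link goes.
    m = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != dest:
        reasons.append("text says %s but link goes to %s" % (m.group(1), host))
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in collector.links]


# Constructed sample resembling the "update your log-in" lure described above.
SAMPLE = """
<p>Dear user, Facebook is updating its login system.</p>
<a href="http://www.facebook.com/help">Help Center</a>
<a href="http://facebook.com.login-update.example/update">http://www.facebook.com/update</a>
<a href="http://www.facebook.com@203.0.113.7/update">Update</a>
<a href="http://203.0.113.7/tool.exe">Update Tool</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE):
        print("SUSPICIOUS" if reasons else "ok        ", href, reasons)
```

Only the first link passes; the other three reproduce what a careful reader would notice on mouse-over, which is exactly the check Touchette recommends, done before anyone hovers.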

This is the prompt Facebook users get as part of the latest phishing scam. Downloading the "update tool" installs a Trojan.

(Credit: AppRiver)

Originally posted at InSecurity Complex
October 27, 2009 10:48 AM PDT

Fake Facebook e-mail contains Trojan

by Don Reisinger
  • 39 comments

A new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, security firm MX Labs is reporting.

Some users are receiving the e-mail from "The Facebook Team," according to the security firm. The sender's e-mail address displays "service@facebook.com." In reality, the address and sender were spoofed.

MX Labs found that the e-mail carried an attachment named "Facebook_Password_4cf91.zip," which contains the file "Facebook_Password_4cf91.exe" that, the e-mail claims, holds the user's new Facebook password. The security firm said the characters between the last underscore and ".zip" are randomly chosen letters and numbers, different for each recipient, so a filter that matches one fixed file name will not catch the campaign.

When a user opens the file, it can wreak havoc on their computer. MX Labs said in a blog post that the Trojan horse Bredolab "executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions)." In other words, it's nasty.

Once it is running on the user's PC, Bredolab creates "%AppData%\wiaservg.log" and "%Programs%\Startup\isqsys32.exe"; the copy in the Startup folder is what makes it run again at every logon. MX Labs said that it also creates two new processes, called "isqsys32.exe" and "svchost.exe."

Another security watchdog, M86 Security, wrote that there's more to the outbreak than Bredolab. After it sneaks its way onto the user's computer, M86 said, Bredolab downloads a bot called Pushdo. The company found that Pushdo immediately starts "spamming out more of these Facebook password reset e-mails."

For its part, Facebook was quick to point out that the e-mail containing the virus wasn't coming from the social network.

"This virus is being distributed through email, not on Facebook," a Facebook spokesperson wrote. "The email is disguised as a Facebook password reset e-mail with an attachment that purportedly contains the new password, but is actually the virus. We're educating users on how to detect this through the Facebook Security Page."

Facebook said that users should be "suspicious of unexpected emails claiming to be from Facebook." The company also said that it will never send users a new password as an attachment.
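A mail filter can enforce Facebook's point that a password never arrives as an attachment. The following is an added example, not code from MX Labs, M86 Security or Facebook: it triages a ZIP attachment the way the lure above would be caught, flagging the randomized "Facebook_Password_<token>.zip" name pattern, any executable member inside the archive, and any member whose first bytes are the "MZ" signature of a Windows executable even when its extension says otherwise. The archives it inspects are constructed in memory, and the name pattern and extension list are assumptions.

```python
"""Triage a ZIP e-mail attachment for the Bredolab-style lure described above.

Added example, not MX Labs', M86's or Facebook's code. The archives are built
in memory here; the lure pattern and the extension list are assumptions.
"""
import io
import re
import zipfile

# Assumption: the lure name is Facebook_Password_<random letters and digits>.zip
LURE_NAME = re.compile(r"^Facebook_Password_[0-9a-z]+\.zip$", re.IGNORECASE)
# Assumption: extensions Windows will execute directly when double-clicked
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def triage_zip(filename, data):
    """Return a list of findings for one ZIP attachment (empty = nothing flagged)."""
    findings = []
    if LURE_NAME.match(filename):
        findings.append("filename matches password-reset lure pattern")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["attachment is not a valid ZIP"]
    for info in archive.infolist():
        name = info.filename
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in EXEC_EXTENSIONS:
            findings.append("executable member %s" % name)
            if lower.count(".") >= 2:
                # e.g. password.txt.exe, shown as "password.txt" when extensions are hidden
                findings.append("double extension on %s" % name)
        # Look past the name: a renamed .exe still starts with the MZ signature.
        with archive.open(info) as fh:
            magic = fh.read(2)
        if magic == b"MZ":
            findings.append("member %s has an MZ (Windows executable) header" % name)
    return findings


def make_sample_zip(member_name, content):
    """Build a one-member ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: the lure as described (random token, EXE inside) and a benign archive.
LURE = ("Facebook_Password_4cf91.zip",
        make_sample_zip("Facebook_Password_4cf91.exe", b"MZ" + b"\x90" * 64))
BENIGN = ("photos.zip",
          make_sample_zip("beach.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32))

if __name__ == "__main__":
    for name, data in (LURE, BENIGN):
        print(name, triage_zip(name, data) or ["clean"])
```

The MZ check is the one that survives the obvious evasions: renaming the dropper to "password.txt" or changing the token defeats the name checks, but not the header check, and a real gateway would add a size limit and a nesting limit before opening archives from untrusted mail.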

Users who have already opened the file should use anti-malware software to remove it.

Updated at 1:03 p.m. PDT to include new details from M86 Security.

Originally posted at Webware


October 7, 2009 1:02 PM PDT

Oops! Hack lets anybody join the MySpace network on Facebook

by Caroline McCarthy
  • 12 comments

I'm not an employee of MySpace, but I was able to join its Facebook network.

(Credit: Facebook)

I do not work for MySpace. But my Facebook profile now says I do, thanks to what appears to be a sneaky little flaw in MySpace's recently launched e-mail client.

Professional networks on Facebook are intended to be limited to employees, and joining one requires a corporate e-mail address; Facebook sends a confirmation e-mail to that address to verify that the person registering controls it. But when MySpace launched MySpace Mail this summer, it made e-mail addresses on the myspace.com domain--the same domain the company uses internally for corporate e-mail--available to any member of the News Corp.-owned social network. The confirmation therefore proved only that the registrant had a MySpace Mail account, not that he or she worked at MySpace.

A reader tipped off CNET News to the hack, which requires a little bit of HTML know-how. We're not going to give detailed instructions out of the interest of MySpace employees' own security--and it looks like Facebook has put a fix in place, because when a CNET colleague used a MySpace Mail address to register around 2:40 p.m. PT on Wednesday, he was informed that the address was invalid.

See what happens?

(Credit: Facebook)

In vague terms, it looks like MySpace was aware of the fact that members might try to register for its network on Facebook, because the confirmation link to Facebook does not work in MySpace Mail, nor does copy-pasting it. Basically, it's mangled somehow. But, the tipster explained, the real link is still in the page's HTML source. And indeed, I was able to join MySpace's network on Facebook.

This does have security implications, because many Facebook members limit some of their profile data to people who went to their schools or work for the same company--Facebook first launched corporate networks in the spring of 2005. Many may display their cell phone numbers, photo albums, or home addresses only to college alumni or co-workers.

It's an issue for Facebook as well, because the massive social site has an obligation to make sure that its restricted networks stay restricted. If the corporate e-mail structure changes at a company with a Facebook network, particularly a big one, that can mean something big for the security of potentially thousands of Facebook members.

A MySpace representative told CNET News that the company was looking into the matter and would be able to comment soon.

This post was updated at 2:44 p.m. PT on Wednesday to note that the problem appears to have been corrected by Facebook.

Originally posted at The Social