Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google's Chrome OS will "create another opportunity for malware writers to prey on users."
The company also anticipates smarter and more dangerous Trojans that "follow the money," as well as a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies."
In a recorded interview (scroll down for audio) David Marcus, McAfee Labs' director of security research and communications, said that he expects "an explosion of Facebook and other services targeted by cybercriminals." In addition to malware like Koobface that spreads among Facebook users' friends list, Marcus expects an increase in rogue Facebook applications.
"When you click yes to 'do you want to allow this application to access your Facebook account,' you're giving that application access to all the data in your Facebook account," he said. Facebook vets the third-party applications that it distributes, but rouge developers are finding other ways to get people to install unauthorized apps.
"A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he said. Marcus recommends that you only install apps from within Facebook by clicking "browse more applications" in the Facebook application installer."
Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There's nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you're going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report is "also serving as a control vehicle for botnets."
Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of "GhostNet," which McAfee Labs describes as a "network of at least 1,295 compromised computers in 103 countries" that "primarily belonged to government, aid groups, and activists." The malicious code was delivered by e-mail with subject headings related to the Dali Lama and Tibet, according to the report.
The report also sites "a very targeted wave of attacks against the management of major companies," as well as attacks carried out against "journalists from various media organizations, including Agence France Press, Dow Jose and Reuters based in China."
Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. It's nothing they've (Adobe) done wrong," Marcus said. "The bad guys go where the masses go" and because of the increasingly widespread use of Adobe products, "that tends to be what the bad buys will start looking to exploit. It really is nothing more sophisticated than that."
Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.
"Instead of viewing a PDF you're actually taken to a website that downloads some type of malware to your machine." Adobe plans to patch a critical hole in Reader and Acrobat on January 12.
There is also concern about Google's Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5--the newest version of the hyper-text markup language that, says the report, "holds all the promises that today's Web community seeks--primarily blurring and removing the lines between a Web application and a desktop application."
McAfee also warned of banking Trojans with "new tactics that went well beyond the rather simple keylogging-with-screenshots" that were used earlier. Trojans now use rootkit techniques to hide on a victim's system to disable antivirus software.
"Often the victim's computer becomes part of a botnet and receives malware configuration updates," the report said.
For more on the threats on Facebook and Twitter read "Using Facebook and Twitter safely" on CNET.
Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals "from Russia, Moldova, and Estonia who were allegedly responsible
for $9 million in customer payroll data compromises at RBS WorldPay."
The year also "saw the conviction of the infamous "Godfather of Spam," Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world's unsolicited e-mail," McAfee said.
"You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time," Marcus said. He said he thinks "the bad guys will learn from that and build in some redundancy," but he remains optimistic. "The good guys and regular users are getting tired of getting exploited and we're finally starting to see more offensive and aggressive take downs of botnets...we're starting to see people wanting to take back the Internet."
Listen to Larry's interview with David Marcus.
Listen now: Download today's podcast
Facebook last Wednesday announced new privacy settings that give users some additional control over what information they share, while taking away the ability to hide a few pieces of information from the general public.
One particular piece of publicly available information--users' friends lists--caused a bit of an uproar from a number of sectors, including business people who don't necessarily want to expose their professional networks to the public and their competitors. It is also a concern to some parents who might not want their kids--or a list of their kids' friends--to be widely available.
Facebook quickly backtracked. A day later, the company announced on its blog that users can now uncheck the "Show my friends on my profile" option in the Friends box on their profile so that your friend list won't appear on your publicly viewable profile.
Unfortunately, they weren't very clear on exactly how you make the change. ... Read more
Sites owned by Yahoo, AOL, and Google have joined Facebook and MySpace in expelling New York sex offenders from their rolls.
New York Attorney General Andrew Cuomo announced Thursday that Google's Orkut.com, AOL's Bebo.com, and Yahoo's Flickr.com are among 13 additional social-networking sites to use sex offender data available through New York's Electronic Securing and Targeting of Online Predators Act (E-Stop) to find and disable accounts associated with registered sex offenders.
Other companies that have agreed to cooperate include BlackPlanet.com, Classmates.com, Flixster.com, Fotolog.com, hi5.com, MyLife.com, Stickam.com, and Tagged.com.
New York Attorney General Andrew Cuomo
(Credit: NY Attorney General's Office)There are still some holdouts. Cuomo called on other sites, including Friendster.com, Buzznet.com, eSpin.com, Habbo.com, and LiveJournal.com, "to commit to using the list." He urged parents and children to consider not using sites that haven't complied.
On December 1, Facebook and MySpace deleted the accounts of more than 3,500 sex offenders based on the New York law.
By comparing this data with their own user roles, Facebook was able to identify and delete 2,782 registered sex offenders. MySpace deleted 1,796 accounts.
In addition to deleting the accounts of any known registered sex offenders, the companies will turn over information about the accounts to law enforcement officials.
In a statement, Cuomo said: "It is no secret that sexual predators abuse social networking websites to find and manipulate victims and to insinuate themselves into their victims' lives."
The E-Stop law, which was passed in 2008, requires registered sex offenders from New York to disclose their online identities to officials. Information must include e-mail addresses, instant-messaging screen names and social-networking account names. The law also requires the state's Division of Criminal Justice Services to release state sex offender Internet identifiers to social-networking sites and other online services so that they can prescreen or remove individuals who match the list. It also imposes restrictions on sex offender's use of the Internet if the victim was a minor and if the Internet was used to commit the crime. Restrictions include banning the offender from social-networking sites, as well as prohibiting access to online pornography or communicating with anyone with the intention of promoting sexual relations with a minor.
Cuomo is one of several state attorneys general who have expressed concerns about the danger of Internet predators. In 2008, Cuomo and 48 other attorneys general entered into an agreement with MySpace that resulted in the Internet Safety Technical Task Force, whose report concluded that the actual threat of predators is less than many had feared and that kids are far more likely to be harmed by bullying and harassment from other youth. I served on that task force as a representative of ConnectSafley.org, a nonprofit Internet safety organization I help operate.
Facebook users are about to see an unfamiliar screen when they sign on to the service--a request to configure their privacy preferences. But it's not really a request. It's a requirement.
"As far as we know, it's the first time in the history of the Internet," said Facebook spokesman Simon Axten, "that so many people have been required to make affirmative decisions about their privacy."
The company on Wednesday provided details of the changes that CEO Mark Zuckerberg blogged about last week. These include eliminating regional networks and giving users more granular control over who can see individual pieces of content while making some basic profile information available to everyone. Also, Facebook is simplifying what this blogger and others have criticized as overly complex privacy controls, but it is also requiring members to make some information available to the public.
All Facebook users will be asked to configure privacy settings
(Credit: Facebook)
Controversial privacy history
Over the years, Facebook has been the subject of criticism, lawsuits, and threatened federal action over various changes to its privacy policy.
In 2007, Facebook announced its Beacon advertising service, which broadcast member activity on partner sites to their Facebook friends. If you bought a movie ticket on Fandango, for example, all of your Facebook friends would immediately know about it. The Beacon program unleashed a campaign from consumer advocacy groups including MoveOn.org as well as a class action law suit that was settled this September. As part of that settlement, Facebook agreed to shut down Beacon and to donate $9.5 million to an independent foundation to "fund projects and initiatives that promote the cause of online privacy, safety, and security."
In February of this year, Facebook found itself at the center of another privacy storm after it announced a change in its policy that would give the company seemingly perpetual control over user-supplied content. That prompted the Electronic Privacy Information Center to threaten filing a complaint with the Federal Trade Commission and also led to the formation of a Facebook group called People Against the new Terms of Service that attracted nearly 150,000 members protesting the changes. The uproar caused the company to rescind those changes and resulted in CEO Mark Zuckerberg holding a press conference where he announced that the company would create "a new approach to site governance" so that its decisionmaking would be more transparent.
Mandatory privacy settings
All users will soon be confronted with a "privacy announcement" informing them that they must configure their settings. Initially, you will be able to "skip for now" but you will later be required to go through the steps in order to continue using the service, according to Axten.
To encourage people to share information, Facebook has set the default to "everyone," but you can later go back to set more restrictive settings. You can also keep your old settings. If you're not sure what they are, you can display them by hovering over the radio button.
New Facebook privacy setting page
(Credit: Facebook)In the final step, Facebook displays your settings and gives you a chance to change them. At this point or at any time in the future you will be able to adjust any of your settings
Final stage verifies new settings.
(Credit: Facebook)The Facebook settings will be based on four basic levels: friends, friends of friends, everyone, and customize. If you belong to a network, you will also have the setting friends and networks. As before, you will also be able to customize settings to include or exclude specific friends or groups of friends.
Some information must be publicly available
Some information--including name, profile picture, gender, current city, networks you belong to, friend lists, and pages you're a fan of--will be available to everyone. The only way to keep that information from the general public is to not include it as part of your Facebook profile. Users also have the ability to limit what can be found via a search on Facebook and what information Facebook will make available to search engines like Google and Bing.
According to Axten, that information is being made publicly available to make it easier to find people using Facebook search, especially people with common names. If you locate a "John Smith" in a Facebook search, seeing his picture and knowing where he lives can make it easier to pinpoint the right person. Though not mandatory, Facebook, according to a spokesperson, is encouraging people to make other information public such as where they went to school or where they work. However Axten added that if a user had previously configured their privacy settings, they should keep what they already have.
While adults have the option of making content available to everyone, the maximum exposure available to users under 18 will be friends of friends or school networks.
Control over who gets to see your posts
The most important change is that you will now be able to specify who can see each piece of your content including status updates, photos, and videos. Each time you add content, you'll be able to determine whether it can be seen by everyone, friends and network, friends of friends, only friends, or a custom setting. Customized settings allow you to include or exclude individual people or lists of people. For example, one could share last night's exploits with his fraternity brothers but not with his fellow church members or office mates. The list feature, which has long been available, allows you to divide your friends into groups. For example, as a journalist, I encourage readers to "friend" me at Facebook.com/larrymagid, but I also maintain a list of "real world friends."
Third-party application settings
As in the past, you will have some control over the information that can be seen by operators of third-party Facebook applications. Facebook has added the ability to fully block an application from accessing any information but, in most cases, that will disable the application.
Facebook's Axten said that application developers will have access to all publicly available information, but can only access other information with the user's permission. Applications are also required to only access user information that is essential for them to run. The company, said Axten, has an enforcement squad to ensure compliance.
Facebook is also launching a new Privacy Center that will offer "a comprehensive guide that helps users understand and control how they share information."
Disclosure: Facebook is one of several companies that provides support to ConnectSafely.org, a nonprofit Internet safety organization I help run.
Back-to-school time is an excellent time for kids, parents, and teachers to think and talk about the safe and appropriate use of the Internet and social-networking tools.
My message to parents and teachers is simple: embrace the technology that kids use, recognize that whatever you may lack in technology knowledge you make up in wisdom, and remember that you, too, were once a kid. Your first reaction to kid activity that may be a bit disturbing shouldn't be to freak out and shut down access but to take a deep breath, talk with (and listen to) the kids, and do everything you can to encourage dialog.
And try to become familiar with the technology your kids use. That doesn't mean you necessarily have to be their friend on Facebook or MySpace, but before you start trying to control how they use social-networking technology, make sure you understand it.
Teachers should attempt to use social networking as part of the educational process. Whether they know it or not, kids are engaged in informal learning through their use of social networking, so why not use the same technology for formal learning? And while you're at it, incorporate digital citizenship and media literacy into your teaching.
As my ConnectSafely co-director Anne Collier pointed out in Social media literacy: The new Internet safety, media literacy and critical thinking "is protective against manipulation and harm." Encouraging kids to practice good digital citizenship helps protect all young people, because "behaving aggressively online more than doubles the risk of being victimized."
Hemanshu Nigam, News Corp. & MySpace security chief.
(Credit: MySpace)As per kids, Hemanshu Nigam, the chief security officer at News Corp. and MySpace offers some Online Safety and Back to School advice especially suited to youth who use social-networking services like MySpace and Facebook (MySpace is one of several companies that provide financial support for ConnectSafely). He starts off with the usual internet safety advice: "Don't post anything you wouldn't want the world to know" and "don't get together with someone you 'meet' online unless you're certain of their identity." Then, perhaps a bit uncharacteristic of his background as a former federal prosecutor, Nigam also provides advice about the compassionate and kind use of social networking:
- Post with respect: photos are a great way to share wonderful experiences. If you're posting a photo of you and your friends, put yourself in your friends' shoes and ask would your friends want that photo to be public to everyone. If yes, then you're uploading photos with respect.
- Comment with kindness: compliments are like smiles, they're contagious. When you comment on a profile, share a kind word, others will too.
- Update with empathy: sharing updates lets us tell people what we think. When you give an opinion on your status updates, show empathy towards your friends and help them see the world with understanding eyes.
A study commissioned by Web security company AVG Technologies and the Chief Marketing Officers Council (CMO) points out an interesting contradiction between people's concerns and actions regarding security risks on social networking sites.
The summary report says that "while the majority of social networking users are afflicted by web-borne security problems, less than one third are taking actions to protect themselves online."
Unfortunately, the data provided to the media as of Tuesday afternoon says very little about the study's methodology, lacks the actual questions asked, and in some cases lacks the actual percentages of responses. It did, however, say that the data is based on "responses from a random sampling of more than 250 consumers." It was conducted online during second quarter of 2009. The report didn't specify how they developed a random sampling--a difficult task for Web-based surveys. In addition to the small sample size, it's not clear how they derived the sample and whether it was truly representative of the population they were studying.
As someone who has studied, taught, and conducted survey research, I am disappointed by how little information was provided to the media about the methodology and specific results of this study. However, with that caveat, I still think the data is interesting and worth reporting.
Participants, according to the summary, "indicated concern over growing phishing, spam and malware attacks, and nearly half of those surveyed are very concerned about their personal identity being stolen in an online community." The report said that "nearly 20 percent experienced identity theft" but didn't define identify theft. An AVG spokesperson told me that it means impersonation online, not the typical definition that almost always involves financial fraud. A CMO spokesperson said it was based on a concern that users could download malware on social-networking sites, which could lead to identity theft and other problems.
Online impersonation can result in financial fraud but often is used as a form of cyberbullying to embarrass someone or make them look as if they said something they didn't really say. It can also be used as part of a scam to get a "friend" of the person being impersonated to send money to help their "friend" who claims to be stranded in a foreign country or otherwise in trouble. As per malware--that too is true. Malware, however it is distributed, can install keyloggers that can capture confidential information that can lead to identity theft.
In the survey, 47 percent of the respondents said they "have been victims of malware infections" and "55 percent have seen phishing attacks." What isn't clear is whether the infections or phishing attacks are from social-networking sites or some other source. It is possible for malware to be distributed through social-networking sites, often in the form of links to Web sites that contain malicious code, but there are plenty of other ways to get it. Social-networking sites could be used for phishing attacks, but phishing usually comes via e-mail. To say that users of social-networking sites have been exposed to phishing and malware would be like saying that most people who eat spinach are likely to have had measles when they were children. There is a correlation, but no evidence of causality.
The study also reported that most of the 86 percent of the sample who said they use social-networking sites "fail to perform the following basic security measures on a regular basis," including changing passwords (64 percent infrequently or never), adjusting privacy settings (57 percent infrequently or never) or "informing their social network administrator on security issues." The report didn't specify what a "social networking administrator" is. In my house it's me, but an AVG spokesperson said that the report was likely referring to the "report abuse" links provided by most social-networking sites.
The survey also found that 21 percent accept contact offerings from members they don't recognize, "more than half let acquaintances or roommates access social networks on their machines, 64 percent click on links offered by community members or contacts and 26 percent share files.
AVG recommends that social networking users:
1. Don't accept pop-ups or prompts for software unless you're armed with Web scanner software such as AVG's free LinkScanner
2. Don't post or submit confidential personal data
3. Change password at least once per month
4. Don't let others access their social networks on your computer
5. Don't auto save your password, and clear your history at least weekly
6. Don't accept friend requests or request friends that you don't know
Mostly good advice
I certainly agree that it's a very bad idea to post confidential information, even if you limit access to your profile to people who really are friends. I don't even like using e-mail to send out anything confidential--digital information has a way of being copied and friends can sometimes become ex-friends.
I also agree with the suggestion not to autosave passwords and to periodically clear your Web history and strongly agree that all Windows users have up-to-date malware-detection software.
While a terrific idea, it's unrealistic to expect people to change their passwords monthly though, as I pointed out in a recent post, it is important for social networkers to have very strong passwords and consider using a password manager like LastPass.
The advice to not let others use your computer is also unrealistic. Some people have to share a computer at home or at work and few of us would turn down a friend's request to sit at our computer a few minutes to check their social-networking profile.
As per accepting friend requests from strangers, it depends how you use your social-networking page. I accept all friend requests on Facebook but never post anything that I wouldn't publish in a newspaper or say on radio or TV. If you use your social-networking site to share personal information, then AVG is right--be careful who you accept as a friend and even then, be cautious about what you post.
While I can't comment on the entire suit, it's clear to me that parts of the just-filed privacy lawsuit against Facebook represent a lack of understanding of how social networks like Facebook work as well as how best to protect children and adults on the Internet. I'm especially baffled by the allegation that Facebook violated the rights of an 11-year-old child because he disclosed that he had swine flu.
The suit, brought by five plaintiffs in Southern California, alleges that Facebook violates California privacy laws.
The child who said he had swine flu is identified as "Xavier O." The complaint says he "has a Facebook account that was opened without the knowledge or consent of his parents." He allegedly "uploaded personal information, videos and photographs, including swimming and/or partially clothed photographs of children ages 5 to 11." It further says that he posted information that he had swine flu and asked people to "Please pray for me...God Bless." The complaint says that "upon learning of the Facebook account and the posting of an uncertain medical condition," the child's parents "removed the medical condition postings from Facebook" and that "Xavier O. and his parents have been unable to learn where the minor's medical information may have been stored, disseminated or sold by Facebook."
(Disclosure: I'm co-director of ConnectSafely.org, a nonprofit organization that receives financial support from Facebook as well as other companies.)
I don't know where to begin parsing young Xavier's case. First, by simply having a Facebook account he was violating Facebook's terms of service. And why did his parents only remove "the minor's medical information?" They should have deleted his entire account.
Like all reputable social networking sites, Facebook complies with the Children's Online Privacy Protection Act (COPPA) by not allowing children under 13 to have accounts (COPPA does make provisions for accounts for children under 13 but imposes certain conditions including parental consent). The only way for this young man to obtain a Facebook account would be to lie about his date of birth.
Facebook makes reasonable efforts to remove accounts of children where there is evidence they are under 13, but it's not possible to catch every violator of these terms and its attempts to validate the ages of members are consistent with industry practices. While it could be argued that they should be using some type of age-verification technology, an exhaustive investigation of those technologies by the Harvard Berkman Center led Internet Safety Technology Task Force (of which I was a member) determined that such technologies, at the current time, are neither effective nor necessarily desirable.
Once on Facebook, anything a person posts can, by default, be seen only by his friends or people in his network. If Xavier's profile was available to additional people, it was because he changed his default privacy settings. But, even if he hadn't, there is always the possibility that a friend or anyone with access to his profile could copy any text or images posted and disseminate them. So of course it's possible that such information could have been stored, or disseminated. In an e-mail interview, Facebook spokesman Barry Schnitt said, "There are no circumstances under which we would have sold that information." He further points out that the plaintiffs in the suit "make many assertions about mining data and selling it, but never say who is buying."
What I find very strange is the statement that the 11-year-old had posted "swimming and/or partially clothed photographs of children ages 5 to 11." Could they be implying he was posting child pornography images? If so (and I doubt it), this kid could find himself in juvenile court.
Another strange allegation comes from a college student who joined Facebook in 2005 back when it was for college students only. Somehow she is shocked that Facebook is now open to anyone--a change that Facebook made with great fanfare in 2006. If she's so unhappy about the change, why doesn't she just close her account?
Santa Clara University Law Professor Eric Goldman told me that he considers the complaint to be "a jumbled mess." "There is a style of complaint that lists every single possible gripe you have with a company," he said. "This one listed all sorts of random gripes about Facebook including insignificant items like their acquisition of FriendFeed." He added, "lawyers sometimes do that, hoping that if you throw those against the wall, the judge will find something that sticks."
This post is adopted from a post that first appeared on my site, SafeKids.com.
Elinor Mills
(Credit: CNET)CNET security and privacy reporter Elinor Mills, who has been reporting on the Twitter, Facebook, and Google denial of service attacks since early Thursday morning, interviewed a Facebook executive who told her that the attacks appeared not to be aimed at Twitter or Facebook but toward an individual person who blogs about independence of a breakaway region of Georgia. But even though it was aimed at one person, the sheer size of the attack was enough to bring down Twitter and impact Facebook.
The podcast runs 4 minutes and 53 seconds.
Listen now: Download today's podcast
Of course you're not personally responsible for bringing down Twitter, but if your computer isn't equipped with up-to-date anti-malware software and the latest version of your operating system, you could unwittingly be part of the problem.
Twitter has confirmed that its outage Thursday morning and subsequent intermittent problems were due to an ongoing denial-of-service attack. Facebook also "encountered network issues related to an apparent distributed denial-of-service attack, that resulted in degraded service for some users," according to a company spokesperson.
Typically a DoS attack, which is often called a distributed denial-of-service attack, results when multiple computers simultaneously try to access the site in question. Usually the reason that happens is because the attacking PCs are infected with malware that does the dirty work for whoever is behind the attack.
As Symantec blogger Marian Merritt pointed out, "It's often the case that DDoS attacks come from computers infected with bots, turning them into zombie computers doing their cybercriminal's bidding. "
You can help prevent your PC from being part of such an insidious scheme by:
* Using a good anti-malware suite from a reputable vendor such as Symantec, TrendMicro, McAfee, ZoneAlarm, or CA. You can find trial versions of such programs as well as the excellent AVG-Anti Virus Free Edition at CNET's Download.com
* Making sure your operating system has the latest patches. Visit Microsoft and Apple security pages for information.
* Avoid clicking on e-mail links that take you to Web sites you're not familiar with (malware is often distributed through "drive-by downloads" from unreputable or infected sites).
Visit CNET's security center for more security news.
Podcast: Larry talks with CNET security reporter Elinor Mills about how the attack may have been aimed at a single individual who blogs about Georgia. The podcast runs 4 minutes and 53 seconds.
Listen now: Download today's podcast
While we're not yet about to see Facebook let people log on to its site with their MySpace ID, or vice versa, we are starting to see more cooperation among sites. MySpace ID product lead Max Engel speaks with Larry Magid about MySpace's efforts, including collaboration with AOL.
Listen now: Download today's podcast
