Security

October 7, 2009 1:02 PM PDT

Oops! Hack lets anybody join the MySpace network on Facebook

by Caroline McCarthy

I'm not an employee of MySpace, but I was able to join its Facebook network.

(Credit: Facebook)

I do not work for MySpace. But my Facebook profile now says I do, thanks to what appears to be a sneaky little flaw in MySpace's recently launched e-mail client.

Professional networks on Facebook are intended to be limited to employees, and require a corporate e-mail address to which Facebook sends a confirmation e-mail to verify accuracy. But when MySpace launched MySpace Mail this summer, it made e-mail addresses with the myspace.com domain--which is also used internally for corporate e-mail--available to any member of the News Corp.-owned social network.

A reader tipped off CNET News to the hack, which requires a little bit of HTML know-how. We're not going to give detailed instructions out of the interest of MySpace employees' own security--and it looks like Facebook has put a fix in place, because when a CNET colleague used a MySpace Mail address to register around 2:40 p.m. PT on Wednesday, he was informed that the address was invalid.

See what happens?

(Credit: Facebook)

In vague terms, it looks like MySpace was aware of the fact that members might try to register for its network on Facebook, because the confirmation link to Facebook does not work in MySpace Mail, nor does copy-pasting it. Basically, it's mangled somehow. But, the tipster explained, the real link is still in the page's HTML source. And indeed, I was able to join MySpace's network on Facebook.

This does have security implications, because many Facebook members limit some of their profile data to people who went to their schools or work for the same company--Facebook first launched corporate networks in the spring of 2005. Many may display their cell phone numbers, photo albums, or home addresses only to college alumni or co-workers.

It's an issue for Facebook as well, because the massive social site does have an obligation to make sure that its restricted networks stay restricted. If there's a change in corporate e-mail structure at a company with a Facebook network, particularly a big one, that can affect the security of potentially thousands of Facebook members.
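As an added illustration of the verification gap described above (not Facebook's or MySpace's code; the domain registry, the sample member list and the reverify_members routine are assumptions), the check below treats a confirmed mailbox as proof of employment only while the domain is not also handing out mailboxes to the public, and re-runs the decision over existing members when a domain's status changes, which is the "change in corporate e-mail structure" case:

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DomainRegistry:
    # Constructed sample registry: domain -> network it proves employment at.
    corporate: dict[str, str] = field(default_factory=dict)
    # Domains that ALSO hand out mailboxes to the public; mail delivery there
    # proves nothing about employment (myspace.com after MySpace Mail launched).
    public_mailbox: set[str] = field(default_factory=set)


def normalize_address(address: str) -> tuple[str, str] | None:
    """Lower-case and split 'local@domain'; None if it is not a single plain address."""
    address = address.strip().lower()
    if address.count("@") != 1 or any(c.isspace() for c in address):
        return None
    local, domain = address.split("@")
    if not local or not domain or "." not in domain:
        return None
    return local, domain


def domain_suffixes(domain: str):
    """'corp.example.com' -> 'corp.example.com', 'example.com' (most specific first)."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def verification_decision(address: str, registry: DomainRegistry) -> tuple[bool, str]:
    """Decide whether a confirmed mailbox at this address proves employment.
    Returns (allowed, network name or reason for refusal)."""
    parsed = normalize_address(address)
    if parsed is None:
        return False, "malformed address"
    _, domain = parsed
    for candidate in domain_suffixes(domain):
        if candidate in registry.public_mailbox:
            return False, f"{candidate} also issues public mailboxes; a confirmation e-mail proves nothing"
        if candidate in registry.corporate:
            return True, registry.corporate[candidate]
    return False, "domain is not registered to any network"


def reverify_members(members: dict[str, str], registry: DomainRegistry) -> list[str]:
    """Re-run the check over existing members (address -> network they joined) after
    the registry changes, e.g. a domain opening to the public; returns those to revoke."""
    revoke = []
    for address, network in members.items():
        allowed, result = verification_decision(address, registry)
        if not allowed or result != network:
            revoke.append(address)
    return revoke
```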

A MySpace representative told CNET News that the company was looking into the matter and would be able to comment soon.

This post was updated at 2:44 p.m. PT on Wednesday to note that the problem appears to have been corrected by Facebook.

Originally posted at The Social
March 18, 2009 9:51 AM PDT

U.K. to monitor, store all social-network traffic?

by Tom Espiner

The U.K. government is considering the mass surveillance and retention of all user communications on social-networking sites, including Facebook, MySpace, and Bebo.

Vernon Coaker, the U.K. Home Office security minister, said on Monday that the EU Data Retention Directive, under which Internet service providers must store communications data for 12 months, does not go far enough. Communications such as those on social-networking sites and via instant-messaging services could also be monitored, he said.

"Social-networking sites such as MySpace or Bebo are not covered by the directive," said Coaker, speaking at a meeting of the House of Commons Fourth Delegated Legislation Committee. "That is one reason why the government (is) looking at what we should do about the Intercept(ion) Modernisation Programme, because there are certain aspects of communications which are not covered by the directive."

Under the EU Data Retention Directive, from March 15, 2009, all U.K. ISPs are required to store customer traffic data for a year. The Interception Modernisation Programme, or IMP, is a government proposal, introduced last year, for legislation to use mass monitoring of traffic data as an antiterrorism tool.

The IMP has two objectives: that the government use deep-packet inspection to monitor the Web communications of all U.K. citizens; and that all of the traffic data relating to those communications are stored in a centralized government database.

The U.K. government has previously said communications interception is "vital" and has hinted that social-networking sites may be put under surveillance. And responding to a question from Liberal Democrat Parliament member Tom Brake, Coaker said all traffic data on social-networking sites and through instant-messaging services may be harvested and stored.

"The honorable member for Carshalton and Wallington will also know the controversy that currently surrounds the Intercept(ion) Modernisation Programme," Coaker said. "I look forward to his support when we present (IMP) proposals, which may include requiring the retention of data on Facebook, Bebo, MySpace, and all other similar sites."

Deep-packet inspection, the second strand of the IMP, involves intercepting and examining the contents of all data packets that flow over a network. In Monday's meeting, Coaker said the government still intends to have a consultation on whether to inspect and then store all Internet traffic data in a centralized government database.

"What is the point of having a consultation if, as the honorable gentleman implies, the government (has) already made up (its) mind to have a central database?" Coaker asked. "We have not made up our mind. We have said we will consult on a variety of options."

Opposition to the government's IMP proposal has been fierce. Cambridge University computer security expert Richard Clayton told ZDNet UK on Wednesday that the government proposal to monitor social-networking traffic was "extremely intrusive."

"The question is whether it's necessary or proportionate, and the short answer is no, it doesn't look that way," said Clayton. "If the government wants to make us safer, having a few more police on the electronic beat would be a good idea."

Clayton said the problem for the government is that the Data Retention Directive applies only to data held by Internet service providers, but that a large number of people don't use ISPs' systems to communicate, instead using online services such as Web mail and social-networking sites. Servers may be located in different jurisdictions, Clayton said, and data retention times may be short.

"The government wants to collect all of this data on everybody, just in case," Clayton said. "Suppose you use (an e-mail service based in Pakistan), and you blow up the Houses of Parliament. The government would have to persuade the Pakistani authorities to turn over the logs, which may then turn out only to have been retained for three days."

However, Clayton believes that the cost of harvesting this information, which would involve all U.K. Internet infrastructure providers and ISPs having "black boxes" to monitor data, would be prohibitively expensive. Clayton said taxpayers' money would be better spent on the police, who could target investigations to those they suspect of criminal activity, rather than on performing blanket surveillance of everybody.

"To deploy deep-packet inspection equipment isn't cheap--the word 'billion' is appropriate," Clayton said. "It took the Home Office the best part of a year to find 3 million pounds for the Police e-Crime Unit. That's what is wrong with this picture."

Web inventor Sir Tim Berners-Lee also opposes the use of deep-packet inspection to inspect people's data. Berners-Lee told ZDNet UK last week that the Internet should not be "snooped" upon.

"If (third parties) are using the data for political ends or commercial interest, there we have to draw the line," Berners-Lee said. "There's a gap between running a successful Internet service and looking inside data packets."

Tom Espiner of ZDNet UK reported from London.

February 27, 2009 4:16 PM PST

Facebook halts rogue app, MySpace plugs hole

by Elinor Mills

Just in time for the weekend, social networks Facebook and MySpace were dealing with several new security issues on Friday that could expose personal information and communications from friends.

This screenshot shows the notification that popped up with the latest rogue Facebook application.

(Credit: Trend Micro)

Facebook said it had removed a new rogue application that was spamming users and exposing their information. Before it was halted, the application sent messages claiming that a friend had reported the recipient for violating Facebook's terms of service and offered a link to click to find out more information.

Users who clicked on the link were providing the app access to their profile and personal information as well as unknowingly forwarding the message on to everyone in their Facebook contact list, according to Graham Cluley's blog for Sophos.

"Our team disabled this application for violating the Facebook Developer Terms of Service," Facebook spokesman Simon Axten said in an e-mail. "Some additional versions of it have sprung up, and we've disabled these as well. We're actively monitoring the site for others and are working to block the application completely."

Cluley said Facebook should do more to prevent such rogue applications from spreading in the first place than just shutting them down on an isolated basis.

"One of the problems is that Facebook allows anybody to write an application, and third-party applications are not vetted before they are made available to the public. So, even as Facebook stamps out one malignant application, it can pop up in another place like a poisoned mushroom with a different name," Cluley wrote.

"It sounds like this could be a new favoured trick being used by spammers and identity thieves to build up their databases of intended targets," he wrote. "My advice to Facebook users is to think very carefully before adding any new applications."

The problem prompted a Facebook user to create a Facebook group for victims of the scam, noted Trend Micro in its anti-malware blog.

The rogue app surfaced less than a week after the spread of a similar app dubbed "Error Check System" that falsely warned users that their friends were having problems viewing their profiles.

"Surely these two events in just a single week mean that it's about time that Facebook reviews its application hosting policy," the Trend Micro blog said.

"What that quote suggests is akin to saying, 'there have been two robberies, we need to implement martial law in the city,'" said Facebook spokesman Axten. He noted that there are more than 660,000 developers and the "vast majority" of Facebook applications are not "nefarious."

The company makes it easy to be a Facebook developer--asking only for a valid e-mail address to get an application key--to foster innovation, and has a dedicated Developer Operations team that investigates applications that show "anomalous activity," Axten said.

"In this case, we responded quickly to user reports and disabled the application before too many people were affected," he said.

Meanwhile, over at MySpace, a spokeswoman said the company fixed a vulnerability on Friday that enabled strangers to view MySpace users' private comments. As with the other privacy holes that have been reported on, someone would have to know the exact URL and insert the correct user ID to exploit the weakness.

November 4, 2008 4:37 PM PST

MySpace plugging photo peephole

by Elinor Mills

MySpace was working to plug a hole on Tuesday that allows anyone to view members' private photos without being friends with them.

The vulnerability, reported to CNET News by Canadian computer technician Byron Ng, was easy to exploit by plugging a member's ID number into a specific MySpace URL. However, someone would have to know which URL to use to be able to see the private photos.

CNET News notified MySpace of the security hole at midday, and several hours later a MySpace representative said the company had confirmed the vulnerability, disabled it, and was rolling out a fix.

Rival social network Facebook fixed a similar privacy hole in September.

August 18, 2008 3:49 PM PDT

More security holes plague MySpace, possibly Facebook

by Elinor Mills

Updated 6:50 p.m. PT with Facebook saying no hole in Free Gifts app.

MySpace was working to fix a security hole on Monday that allows people to see private comments friends have written on members' pages.

"MySpace is committed to keeping all users as safe and secure as possible. Today, MySpace was alerted to an issue within the MySpace Mobile WAP site and is working to roll out an immediate fix," a MySpace spokesperson wrote in an e-mail.

With the MySpace hole, people have to go through the company's mobile page and know the user ID of a member to read their private comments, said Canadian computer technician Byron Ng, who alerted CNET News to the issue and said he had previously contacted MySpace as well.

Getting someone's user ID is easy; just hover over the name and the user ID is the first group of numbers buried in the coding at the bottom of the page.
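The private-photo hole above and this mobile-comments hole share one root cause: an endpoint that trusts the member ID in the URL and never asks whether the requester may see private items. The added example below (not MySpace's code; the profile data, URL layout and handler names are constructed) shows that shape as the 'before' and, beside it, a single visibility rule that every endpoint, web or mobile, runs before returning anything:

```python
from __future__ import annotations

from dataclasses import dataclass, field


# Constructed sample data; member IDs and item names are made up.
@dataclass
class Profile:
    member_id: int
    friends: set[int] = field(default_factory=set)
    photos: list[tuple[str, bool]] = field(default_factory=list)    # (name, is_private)
    comments: list[tuple[str, bool]] = field(default_factory=list)  # (text, is_private)


PROFILES: dict[int, Profile] = {
    1001: Profile(1001, friends={1002},
                  photos=[("beach", False), ("family", True)],
                  comments=[("hi from 1002", True), ("public note", False)]),
    1002: Profile(1002, friends={1001}),
}

# Which collection a URL section maps to; web and mobile paths share the table.
SECTIONS = {"photos": lambda p: p.photos, "comments": lambda p: p.comments}


def parse_path(path: str) -> tuple[str, int] | None:
    """Accept '/web/<section>/<id>' or '/mobile/<section>/<id>'; None if malformed."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] not in ("web", "mobile"):
        return None
    if parts[1] not in SECTIONS or not parts[2].isdigit():
        return None
    return parts[1], int(parts[2])


def visible_items(viewer_id: int | None, owner: Profile, items: list[tuple[str, bool]]) -> list[str]:
    """The single authorization rule: private items only for the owner or a confirmed friend.
    An anonymous viewer (None) is never the owner and never in the friend set."""
    may_see_private = viewer_id == owner.member_id or viewer_id in owner.friends
    return [name for name, private in items if not private or may_see_private]


def handle_request_unchecked(path: str, viewer_id: int | None) -> tuple[int, list[str]]:
    """The 'before': trusts the ID in the URL and returns everything; viewer_id is ignored."""
    parsed = parse_path(path)
    if parsed is None:
        return 400, []
    owner = PROFILES.get(parsed[1])
    if owner is None:
        return 404, []
    return 200, [name for name, _ in SECTIONS[parsed[0]](owner)]


def handle_request(path: str, viewer_id: int | None) -> tuple[int, list[str]]:
    """The 'after': every endpoint, web or mobile, runs the same visibility filter."""
    parsed = parse_path(path)
    if parsed is None:
        return 400, []
    owner = PROFILES.get(parsed[1])
    if owner is None:
        return 404, []
    return 200, visible_items(viewer_id, owner, SECTIONS[parsed[0]](owner))
```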

In addition, security vulnerabilities publicized by Ng in June that allow MySpace users to delete bulletins from groups they don't control, to pin and unpin topics in groups they aren't members of, and to post messages to a group they are banned from remained unfixed. Those issues are expected to be fixed within the week, MySpace said.

Meanwhile, Facebook was investigating possible security issues of its own, including a third-party app that lets people see comments written on member pages, even if they aren't their friends.

"We're still checking on Advanced Wall but we've confirmed that there is not a hole in Free Gifts," a Facebook spokesman wrote in an e-mail. "It's only public gifts that can be seen in the manner you propose below, which is how they are meant to be seen.... Private gifts are not shown on this page."

Facebook users should remember that photos and videos are public unless the person who posts them sets the privacy setting to private.

Beyond these security issues, people can use a method called "social engineering" to get access to a stranger's profile by being accepted as a friend in their network, Ng said.

For instance, someone could create a profile that looks like a party promoter that many members will become friends with just to hear about events. Or, someone could create a profile with the same name as someone who is already in a target's friend list with the hopes that the target will be confused and accept the imposter, Ng said.

"If the average citizen is worried about people spying, never add anyone, even a 'friend,' without telephone or e-mail confirmation that it is legitimate," Ng writes in an e-mail.

For people who want to keep an eye on who is viewing their MySpace pages, there are two sites that offer tracking services: ProfileSnitch.com and WhoVisited.com.

Those sites allow MySpace members to embed HTML code in their profile pages that reports back to the tracking sites so members can see who was viewing their pages. This only works with MySpace and not Facebook, however, because MySpace allows members to use HTML in their profiles and Facebook does not, Ng said.

August 1, 2008 1:02 PM PDT

New worm targets Facebook, MySpace

by Elinor Mills

Just because a "friend" sends you something on Facebook or MySpace doesn't mean you should trust it.

A new worm is spreading via Facebook and MySpace, turning victims' computers into zombies on a botnet, Kaspersky Lab said on Friday.

Basically, infected machines are propagating the worm by sending messages via the social networks to friends in the network.

The messages look like they contain links to video clips. When clicked on they prompt the recipient to download an executable file that purports to be the latest version of Flash Player. Instead, it is the worm itself, infecting yet another victim.

The next time infected machines log on to the social networks, they automatically send the malicious messages out to new victims taken from the friend list, said Ryan Naraine, security evangelist at Kaspersky.

"We've seen these types of worms before, typically around MySpace," he said. "People are more trusting of things they receive from a friend," and many people don't recognize that what they are downloading isn't a legitimate Flash Player file, but a malicious program.

Naraine repeated the refrain that security professionals have been spreading for years: be careful about downloading anything to your computer, even if it appears to come from a friend; and be diligent about applying security patches to your computer.
