(Credit:
RockYou)
An Indiana man filed a lawsuit against RockYou this week alleging that the provider of social-networking apps failed to secure its network and protect customer data, enabling a hacker to grab passwords of 32 million users earlier this month.
The suit seeking class action status was filed Monday in U.S. District Court in San Francisco by lawyers for Alan Claridge, of Evansville, Ind., who registered with RockYou in August 2008 to use a photo-sharing application. RockYou is a publisher and developer of online apps and services like "SuperWall" on Facebook and "Slideshow" on MySpace.
Claridge said he received an e-mail from RockYou on December 16 informing him that his sensitive, personally identifiable information, including e-mail address and password, may have been compromised in a security breach, according to the suit.
Security firm Imperva notified RockYou on December 4 that it had learned of a breach of RockYou's network from underground hacker forums. RockYou had been hit with a common type of exploit known as a SQL injection flaw that targets information stored in databases and hackers were regularly discussing the fact that the hole at RockYou was being exploited, the lawsuit said.
After being informed of the breach, RockYou admitted that customer data had been stored in an unencrypted database.
The suit claims RockYou failed to protect sensitive user data including e-mail addresses, passwords, and login credentials for social-networking sites like Facebook and MySpace and was negligent in storing data in plaintext.
"RockYou recklessly and knowingly failed to take even the most basic steps to protect its users' PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers," the lawsuit alleges.
"Because a majority of Internet users utilize identical passwords across a wide range of Web sites, gaining access to a user's e-mail account name and password has a high likelihood of providing access to a user's personal and/or work e-mail account," the suit said.
RockYou also took at least one day to take action to fix the problem, and failed to notify customers of the breach in a reasonable time frame, not posting notice on its Web site or warning customers for 10 to 12 days after it was notified, the lawsuit alleges.
Wendy Zaas, a spokeswoman for Redwood City, Calif.-based RockYou, provided this statement when asked for comment on the lawsuit: "RockYou is aware of the class action suit brought by Alan Claridge and plans to defend itself vigorously. The company takes its users' privacy seriously."
The lawsuit includes nine counts including negligence, breach of contract, violation of California's Computer Crime Law, and California's Security Breach Information Act, among other allegations. It asks the court to order RockYou to protect customer data and seeks unspecified damages.
The suit was first reported by Wired. Com.
Facebook users are too willing to give out their personal information, security firm Sophos has found.
According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.
After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.
Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."
The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identify thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."
Sophos' concerns over the way Facebook users are keeping information private comes on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.
The Electronic Frontier Foundation sued the CIA, the U.S. Department of Defense, Department of Justice, and three other government agencies on Tuesday for allegedly refusing to release information about how they are using social networks in surveillance and investigations.
The nonprofit Internet rights watchdog group formally asked more than a dozen agencies or departments in early October to provide records about federal guidelines on the use of sites like Facebook, Twitter, and Flickr for investigative or data gathering purposes, according to the lawsuit.
The requests were prompted by published news reports about how authorities are using social networks to monitor citizen activities and aid in investigations. For example, according to the lawsuit, government officials have: used Facebook to hunt for fugitives and search for evidence of underage drinking; researched the activities of an activist on Facebook and LinkedIn; watched YouTube to identify riot suspects; searched the home of a social worker because of Twitter messages regarding police actions he sent during the G-20 summit; and used fake identities to trick Facebook users into accepting friend requests.
The EFF needs access to the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections," the lawsuit said.
None of the agencies contacted had complied with the EFF's Freedom of Information Act (FOIA) requests and only one, the IRS, had asked for an extension, according to the suit.
The suit, filed in federal court in San Francisco, names the defendants as the CIA, the office of the Director of National Intelligence, and the departments of Defense, Justice, Homeland Security, and Treasury.
The FOIA requests and the lawsuit were filed on behalf of the EFF by the Samuelson Law, Technology, and Public Policy Clinic at the University of California at Berkeley School of Law.
Government surveillance of citizens, particularly in areas they consider private, should have oversight, said Shane Witnov, a law student who worked on the case for the Samuelson Clinic.
"Social-networking sites are becoming a part of the way we communicate every day and everyone thinks they are sharing information [on the sites] with just their friends," he said. "Governments are using the sites but not in the way [citizens] expect when they sign up."
The government agencies could not be reached for comment Tuesday afternoon.
Updated 4:55 p.m. PST with comment from Samuelson Clinic law student.
In war and possibly in peace, China will wage cyberwar to control the information flow and dominate the battle space, according to a new report compiled for a congressional commission.
Chinese military strategists see information dominance as the key to overall success in future conflicts and will continue to expand the country's computer network exploitation capabilities, according to the report, titled "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation." The report was prepared for the U.S.-China Economic and Security Review Commission under contract by Northrop Grumman's Information Systems Sector.
In a conflict, China will likely target the U.S. government and private industry with long-term, sophisticated computer network exploitation and intelligence collection campaigns, the report concludes. U.S. security agencies can expect to face disciplined, standardized operations; sophisticated techniques; high-end software; and a deep knowledge of the U.S. networks, according to the report (PDF).
The strategy employed by the People's Liberation Army--China's military organization--is to consolidate computer network attacks with electronic warfare and kinetic strikes, creating "blind spots" in enemy systems to be exploited later as the tactical situation warrants, according to the report. The strategy, which has been adopted by the world's other technologically inclined armies, is referred to by the PLA as "Integrated Network Electronic Warfare," the report stated.
The emphasis on information warfare has forced the PLA to recruit from a wide swath of the civilian sector, according to the report. As is the case with the U.S. military and its new Cyber Command, the PLA looks to commercial industry and academia for people possessing the requisite specialized skills and pasty pallor to man the keyboards. And although it hints broadly at it, the report offers no evidence of ties between the PLA and China's hacker community.
The U.S.-China Economic and Security Review Commission reports and provides recommendations to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China.
ORLANDO, Fla.--OK, IT managers, it's time to loosen up.
That's how analysts advised Gartner Symposium attendees here Monday, arguing that corporate computing departments shouldn't block social networking and that security shouldn't completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can't.
Carol Rozwell, a Gartner vice president
(Credit: Stephen Shankland/CNET)"Banning access to social media from the corporate network is futile," said Carol Rozwell, a Gartner vice president. "The world we live in is digitally enabled and socially connected."
The advice reflects the transformation of the information technology world as the Internet steadily pervades more and more corners of everybody's life. Although the Gartner event historically has concerned itself with matters such as justifying the expense of a new enterprise resource management computing system, the broadening show reflects the growing scope of work that IT managers face.
Overall, companies must acknowledge that not everything is under control of their own top-down administration, said Peter Sondergaard, senior vice president of research at Gartner.
"We're moving from control to greater autonomy," Sondergaard said. Managers also must find an appropriate place on the spectrums of in here vs. out there and owned vs. shared.
... Read more
Security appliance maker Barracuda Networks has acquired Purewire, a Web security-as-a-service provider, the companies were set to announce on Tuesday.
The acquisition gives Barracuda the SaaS offering, but also adds to its security researcher and threat detection capabilities, the company said.
The companies did not disclose terms of the deal.
Barracuda offers e-mail, Internet, Web, and instant messaging protection, much of it based on open-source software.
Purewire launched its Trust Web reputation service earlier this year.
I'm not an employee of MySpace, but I was able to join its Facebook network.
(Credit: Facebook)I do not work for MySpace. But my Facebook profile now says I do, thanks to what appears to be a sneaky little flaw in MySpace's recently launched e-mail client.
Professional networks on Facebook are intended to be limited to employees, and require a corporate e-mail address to which Facebook sends a confirmation e-mail to verify accuracy. But when MySpace launched MySpace Mail this summer, it made e-mail addresses with the myspace.com domain--which is also used internally for corporate e-mail--available to any members of the News Corp.-owned social network.
A reader tipped off CNET News to the hack, which requires a little bit of HTML know-how. We're not going to give detailed instructions out of the interest of MySpace employees' own security--and it looks like Facebook has put a fix in place, because when a CNET colleague used a MySpace Mail address to register around 2:40 p.m. PT on Wednesday, he was informed that the address was invalid.
See what happens?
(Credit: Facebook)In vague terms, it looks like MySpace was aware of the fact that members might try to register for its network on Facebook, because the confirmation link to Facebook does not work in MySpace Mail, nor does copy-pasting it. Basically, it's mangled somehow. But, the tipster explained, the real link is still in the page's HTML source. And indeed, I was able to join MySpace's network on Facebook.
This does have security implications, because many Facebook members limit some of their profile data to people who went to their schools or work for the same company--Facebook first launched corporate networks in the spring of 2005. Many may display their cell phone numbers, photo albums, or home addresses only to college alumni or co-workers.
It's an issue for Facebook as well because the massive social site does have an obligation to make sure that its restricted networks don't lie fallow. If there's a change in corporate e-mail structure at a company with a Facebook network, particularly a big one, that can mean something big with regard to potentially thousands of Facebook members' security.
A MySpace representative told CNET News that the company was looking into the matter and would be able to comment soon.
This post was updated at 2:44 p.m. PT on Wednesday to note that the problem appears to have been corrected by Facebook.
A recent simplification of Facebook's user privacy controls wasn't enough for some policymakers.
On Thursday, in conjunction with the Canadian Privacy Commissioner, Facebook announced a new set of modifications to its user privacy controls as well as its developer API, and the targets of these changes are the thousands of third-party applications built on Facebook's developer platform. That means there may be major implications for developers--some of whom rely almost exclusively on Facebook activity as a revenue source.
The Canadian Privacy Commissioner's office released a set of recommendations for Facebook last month, specifically highlighting concerns that third-party applications could access a significant amount of users' personal data. "It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," commissioner Jennifer Stoddart said in a release at the time.
Facebook's newest set of changes will require third-party applications to specify which fields of user data they access (birthdays, favorite music, geographic location, etc.) and will require users to offer explicit permission before an app can access any of their friends' profile data. This is also in tune with recommendations offered earlier this week by a chapter of the American Civil Liberties Union, which highlighted the amount of personal data that third-party apps can access--sometimes without a user knowing it.
"Our productive and constructive dialogue with the Commissioner's office has given us an opportunity to improve our policies and practices in a way that will provide even greater transparency and control for Facebook users," Elliot Schrage, Facebook's vice president of global communications and public policy, said in a release Thursday. "We believe that these changes are not only great for our users and address all of the Commissioners' outstanding concerns, but they also set a new standard for the industry."
But what does it mean for developers? This could make it difficult for some apps--particularly the sillier ones that rely on heavy viral spread and often one-time use--to gain traction and stay effective. These are similar concerns to those that arose when Facebook cracked down on apps that it deemed "spammy" (and often rightfully so). But on the other hand, the new privacy controls could stem off bad press that could easily paint the developer platform as a whole as unsafe or untrustworthy.
"It is important for developers to have access to information, but we want to balance that with transparency and control for users," Ethan Beard, Facebook's director of platform product marketing, said in a blog post geared toward developers.
"We have committed to making these enhancements over the next twelve months, and anticipate a lengthy beta period including opportunities for you to provide input, multiple blog posts, and updated documentation delivered well ahead of time," Beard's post continued. "Understanding that this will likely require modifications to your code base, we want to give you the earliest heads up that these enhancements are on our road map."
The Northern California chapter of the American Civil Liberties Union has put out a campaign designed to raise awareness of the privacy implications of Facebook's developer platform. It's focusing specifically on the popular "quiz" applications, like "Which Cocktail Best Suits Your Personality?" and "Which Wes Anderson Movie Character Are You?" These are largely one-time-use apps that many a Facebook user clicks on and tries out with little concern.
According to the ACLU chapter, "millions of people on Facebook who use third-party applications on the site, including the popular quizzes, do not realize the extent to which developers of quizzes and other applications have access to personal information. Facebook's default privacy settings allow nearly unfettered access to a user's profile information, including religion, sexual orientation, political affiliation, photos, events, notes, wall posts, and groups." For the promotion, it's put together a quiz about how much you know about Facebook-based quizzes.
Side note: Creating a Facebook quiz app to draw attention to the pratfalls of Facebook quiz apps is very meta.
"It's time for Facebook to upgrade its privacy controls so that quizzes can only see what people want them to see," Chris Conley, technology and civil liberties fellow at the ACLU of Northern California, said in a release. "Users need stronger protections than Facebook currently provides."
So are the ACLU-NC's claims legitimate? The most damning one asserts that "regardless of whether a user's Facebook profile is 'private,' by taking a quiz the user allows its developer to gain access to the user's profile information...by Facebook default, every time one of a user's friends takes a quiz, the quiz has access to that user's profile information." That could have particularly alarming security implications if an app turns out to be malicious.
Facebook does not deny this, but notes that "sensitive" information like contact details are not available to third-party apps, and that Facebook has settings for users to tweak exactly how much their friends' apps can see.
Last month, the company modified its privacy settings to make them more user-friendly.
The ACLU chapter recommends that Facebook make it an opt-in, rather than opt-out process for apps to access a user's friends' data and require that apps list the specific profile data fields that they will be accessing.
"We generally agree with (the ACLU's) recommendations and have already made public announcements about relevant changes that are under way," Facebook spokesman Barry Schnitt said in an e-mail. "Specifically, we recently disabled hundreds of applications, including quiz applications, that were inconsistent with Facebook Platform policies...We've also had productive discussions with the Canadian Privacy Commissioner about improving user data controls on Platform. We'd be glad to also have productive discussions with the ACLU and generally catch them up, if they want to give us a call."
The office of the Canadian Privacy Commissioner, which has taken issue with Facebook's privacy policies, is holding a press conference on Thursday to address the subject, and Facebook plans to hold a conference call with reporters in response.
A judge has dismissed most of the charges against a former San Francisco network administrator accused of hijacking the city's computer network he designed and maintained.
San Francisco Superior Court Judge Kevin McCarthy on Friday tossed three tampering charges against Terry Childs, while preserving a lone charge of denying city authorities access to the network, according to a report in the San Francisco Chronicle. Childs, who has been in custody since July 2008, had worked at San Francisco's Department of Telecommunication Information Services for five years. Childs, 44, is being held on $5 million bail.
Childs had formerly been accused of tampering with the city's Fiber Wide Area Network after allegedly being disciplined for poor performance. He was also accused of electronically spying on his supervisors and their attempt to fire him.
Childs is still charged with denying other administrators access to the system, which maintains about 60 percent of the city's law enforcement, payroll, and jail-booking records. Childs reportedly refused to surrender secret codes that would allow access to the system.
However, after a week in the city's jail, Childs agreed to give the access codes to San Francisco Mayor Gavin Newsom during a secret jail house visit. The meeting reportedly was so secret that the police department and district attorney were not informed of the meeting ahead of time.
Childs' attorney has claimed that there was no destructive intent and that Childs was merely protecting the network from incompetent city officials who were trying to force him out of his job.
