Facebook groups are under attack. But the attackers say they come in peace and insist they want only to highlight a flaw in the way Facebook handles group administration.
An organization called Control Your Info has taken control of hundreds of Facebook groups whose administrators had stepped down, leaving no one in charge. According to the organization, once the administrator leaves, anyone can take over the group, view members' personal information, and change the group's information to say whatever they want. Control Your Info considers this a major flaw in the way Facebook handles group administration, and it wants to bring that to everyone's attention.
Control Your Info has hijacked Facebook groups.
(Credit: Screenshot by Don Reisinger/CNET)
"Hello, we hereby announce that we have officially hijacked your Facebook group," a message written on Monday reads on one hijacked group. "This means we control a certain part of the information about you on Facebook. If we wanted, we could make you appear in a bad way which could damage your image severely."
Janis Roukkos, a representative from Control Your Info, wrote that his organization wants social-networking users to "think about the safety in your social-media life to the same extent you do in your real life." Although Control Your Info is in control of that specific group now, Roukkos wrote that it will restore the group name (which it changed) and leave the group "by the end of next week." He also promised not to "mess anything up."
That single group isn't alone. A quick search for "Control Your Info" on Facebook yields hundreds of groups that have been hijacked by the organization. All the group names have been changed to "Control Your Info," the logos have been changed to the organization's image, and the messages are all the same. The only difference is which Control Your Info representative is writing about the organization's intentions to each group.
Control Your Info's blog sheds some more light on the organization's problem with Facebook. According to Control Your Info, "Facebook Groups suffer from a major flaw. If (an) administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.
"When you're admin of a group, you can basically do anything you want with it," the blog post continued. "You can change (its) name, and the group's members won't even get a notification of it. You can send (messages) to all members and edit info. This is just one example that really shows the vulnerabilities of social media."
Once again, Control Your Info attempted to justify its actions. The organization said the "project is strictly not for profit and done for a good cause."
Facebook did not immediately respond to a request for comment.
In the meantime, what do you think about Control Your Info's practices? Is it really teaching folks about social-media security? Let us know in the comments below.
Google Dashboard lets Google users review and delete personal data stored by the company.
(Credit: Screenshot by Tom Krazit/CNET)
Google is proving to be well aware of the uneasiness among the public over the increasing amount of data it stores from users of its services.
Google is launching Google Dashboard, a service that lets a Google Account holder see, from a single Web page, summaries of and links to the personal data the company maintains on that account across its products, from Gmail and YouTube to Blogger and Picasa. Users reach it by logging into the settings page of their Google account.
Users can delete data, change privacy settings, and read the privacy policies from various accounts on that page, which is scheduled to go live Thursday. Google had been prebriefing news outlets on the announcement, but a YouTube video outlining the service was somehow published on Google's Privacy Channel on YouTube and spotted by the Google Operating System blog.
One of the overarching themes with regards to Google this year has been the increasing discomfort among both the public and the government with the degree to which Google has grown to dominate the Internet. With nearly two-thirds of all Internet searches passing through its servers and growing numbers of people using its Google Docs, Gmail, and YouTube services, Google is a vital gateway to information for Internet users.
Google has tried to placate critics, recently emphasizing that it tries very hard to let users export any data they enter into one of Google's products through the work of the Data Liberation Front. Dashboard is another step in that direction as Google tries to emphasize that users have control over the data it stores on them.
In the wake of a firestorm over just how much of social-gaming companies' profits can be attributed to potentially scammy offers and incentives, News Corp.'s MySpace has taken a stand (and, it could be said, taken advantage of the PR opportunity) by coming out vocally against them.
"We're adding a fifth principle (to our developer terms of use) that clarifies a specific use case that we feel is particularly damaging to the user experience: promotions that include hidden renewals without specific opt-in will not be permitted," a company blog post by CEO Owen Van Natta read. "Because it's our belief opt-out offers are misleading and do not have the best interests of the users in mind, we will be updating our Terms of Use this week to better clarify this for users and developers."
What exactly is he referring to? In many of the most popular (and profitable) games built for big social-networking platforms like Facebook and MySpace, players can progress faster in the game by either buying virtual goods with "real" money, or by completing offers and surveys from a partner company like the prominent Offerpal Media. Critics say that many of these offers aren't actually free, and unwittingly can sign users up for expensive subscriptions or programs.
After a public confrontation between TechCrunch's Michael Arrington and Offerpal CEO Anu Shukla at last week's Virtual Goods Summit event in San Francisco, game makers like Zynga and RockYou put out statements saying that they're cracking down on offers that are potentially misleading.
Could this lead to real industry changes? Yes. But keep in mind that Facebook, the biggest destination for these social games, already bans this stuff in theory. "Ads cannot be deceptive or fraudulent about any offer made," the company's advertising guidelines read, and adds "if an ad includes a price, discount, or 'free' offer...the destination URL for the ad must link to a page that clearly and accurately offers the exact deal the ad has displayed (and) the ad must clearly state what action or set of actions is required to qualify for the offer."
But judging by the amount of sketchiness that allegedly takes place on the platform, it seems like advertisers aren't necessarily following these guidelines. Whether MySpace's stance against them can lead to a legitimate crackdown has yet to be seen.
Kaspersky unveiled a new tool on Thursday called "Krab Krawler" that analyzes the millions of tweets posted on Twitter every day and blocks any malware associated with them.
The tool looks at every public post as it appears on Twitter, extracts any URLs in them, expands any URLs that have been shortened, and analyzes the Web page they lead to, Costin Raiu, a senior malware analyst at Kaspersky, said in an interview.
The company is scanning nearly 500,000 new unique URLs that appear in Twitter posts daily, he said. Of those, anywhere between 100 and 1,000 are malware attacks. Twitter has also been targeted by the Koobface virus, which posts malicious links from infected users' accounts.
About 26 percent of the total posts contain URLs, and many of those lead to spam sites that are marketing products or services and aren't considered malware, according to Raiu. Tens of thousands of different accounts are posting spam links, most likely from accounts created by bots, he said. The most frequent URLs posted lead to online dating sites, he added.
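The pipeline Raiu describes (pull every URL out of each post, de-duplicate, expand shorteners, then classify the final destination) is easy to sketch. The block below is an added illustration, not Kaspersky's code: the tweets, the redirect table that stands in for a real HTTP lookup against the shortener, and the malicious and spam host lists are all constructed for the example, and the `SHORTENER_HOSTS` set is a hypothetical list, not a maintained feed. The one failure mode worth handling is a redirect loop, which the hop limit and the `seen` set guard against.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample tweets; not real Twitter data.
SAMPLE_TWEETS = [
    "check this out http://bit.ly/abc123 lol",
    "new album review at http://example.org/reviews/42",
    "free iphone!!! http://TinyURL.com/win-now #iphone #free",
    "hello everyone, having a great day",
    "funny video http://bit.ly/abc123 (again)",
    "dating site http://dating.example.net/?ref=tw",
]

# Constructed redirect table standing in for the HTTP HEAD request a real
# crawler would send to the shortener; keys are normalized short URLs.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://malware.example.com/exploit.html",
    "http://tinyurl.com/win-now": "http://spam.example.net/offer",
}

# Hypothetical lists; a real deployment would use maintained feeds.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}
MALICIOUS_HOSTS = {"malware.example.com"}
SPAM_HOSTS = {"spam.example.net", "dating.example.net"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_urls(text):
    """Return the raw URLs found in one tweet, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def normalize(url):
    """Lower-case scheme and host and drop the fragment so duplicates collapse."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def expand(url, resolver, max_hops=5):
    """Follow shortener redirects via `resolver` (url -> next url or None).
    The hop limit and the `seen` set stop a redirect loop from hanging the crawler."""
    seen = set()
    for _ in range(max_hops):
        if host_of(url) not in SHORTENER_HOSTS or url in seen:
            break
        seen.add(url)
        nxt = resolver(url)
        if nxt is None:
            break
        url = normalize(nxt)
    return url


def classify(final_url):
    """Verdict for the landing page, based on its host only."""
    host = host_of(final_url)
    if host in MALICIOUS_HOSTS:
        return "malware"
    if host in SPAM_HOSTS:
        return "spam"
    return "clean"


def crawl(tweets, resolver):
    """Extract, de-duplicate, expand and classify every URL in a batch of tweets."""
    unique = {}
    with_urls = 0
    for text in tweets:
        urls = extract_urls(text)
        if urls:
            with_urls += 1
        for u in urls:
            unique.setdefault(normalize(u), None)
    for short in unique:
        final = expand(short, resolver)
        unique[short] = (final, classify(final))
    counts = {"malware": 0, "spam": 0, "clean": 0}
    for _, verdict in unique.values():
        counts[verdict] += 1
    return {"tweets": len(tweets), "with_urls": with_urls,
            "unique_urls": len(unique), "verdicts": unique, "counts": counts}


if __name__ == "__main__":
    report = crawl(SAMPLE_TWEETS, FAKE_REDIRECTS.get)
    for short, (final, verdict) in report["verdicts"].items():
        print(f"{verdict:8s} {short} -> {final}")
    print(report["counts"])
```

Note that the verdict is attached to the expanded destination, not to the short link: the same shortener URL posted by many accounts is fetched once, which is what makes scanning half a million URLs a day tractable.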
Twitter has its own filtering system, but some malicious links still manage to get through, Raiu said.
While Kaspersky's regular antivirus software may detect and block 95 percent of the malware Twitter users are threatened with, malware code changes frequently to evade filters, and it could take between two and 12 hours for a new sample to be classified as malicious and detected, he said.
While antivirus companies have traditionally focused on protecting against e-mail-borne viruses, they are increasingly turning their attention to social-media sites, as attackers do.
Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links, said Morton Swimmer, a senior threat researcher at Trend Micro.
Meanwhile, Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Gmail, Blogger, MSN, MySpace, Google search, Yahoo, and other sites.
Social-media sites are popular for attackers not only because people are flocking to them, but also because users seem to trust messages that appear to come from friends on those sites more than they trust e-mails, Raiu said.
"People are worried about unsolicited e-mail, so they are careful not to run the programs they get by e-mail, but they aren't prepared to deal with these kinds of new attacks," he said.
The most common piece of malware associated with Twitter links is Trojan-Clicker.HTMLIFrame, a malicious JavaScript that can be downloaded to a computer when the machine visits a compromised Web site.
(Credit: Kaspersky)
A new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, security firm MX Labs is reporting.
Some users are receiving the e-mail from "The Facebook Team," according to the security firm. The sender's e-mail address displays "service@facebook.com." In reality, the address and sender were spoofed.
MX Labs found that the e-mail was accompanied by an attachment named "Facebook_Password_4cf91.zip" that includes the file "Facebook_Password_4cf91.exe," which, the e-mail claims, contains the user's new Facebook password. The security firm said that the element between the underscore and .zip is a randomly chosen string of letters and numbers for each recipient.
If a user extracts and runs the file, it could wreak havoc on their computer. MX Labs said in a blog post that the Trojan horse Bredolab "executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions)." In other words, it's nasty.
Once it makes its way to the user's PC, Bredolab creates "%AppData%\wiaservg.log" and "%Programs%\Startup\isqsys32.exe" in the user's system files. MX Labs said that it also creates two new processes, called "isqsys32.exe" and "svchost.exe."
Another security watchdog, M86 Security, wrote that there's more to the outbreak than Bredolab. After it sneaks its way onto the user's computer, M86 said, Bredolab downloads a bot called Pushdo. The company found that Pushdo immediately starts "spamming out more of these Facebook password reset e-mails."
For its part, Facebook was quick to point out that the e-mail containing the virus wasn't coming from the social network.
"This virus is being distributed through email, not on Facebook," a Facebook spokesperson wrote. "The email is disguised as a Facebook password reset e-mail with an attachment that purportedly contains the new password, but is actually the virus. We're educating users on how to detect this through the Facebook Security Page."
Facebook said that users should be "suspicious of unexpected emails claiming to be from Facebook." The company also said that it will never send users a new password as an attachment.
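The indicators in this story (a From header claiming facebook.com that no mail hop backs up, an attachment named Facebook_Password_<random>.zip, an executable inside the archive, and the word "password" next to an attachment) can be checked mechanically at the mail gateway. The block below is an added example, not code from MX Labs, M86 or Facebook. It builds a constructed look-alike of the lure (the "executable" inside the zip is a few dummy bytes, not malware) and a benign control message, then scans both; the Received header values are hypothetical.

```python
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Attachment name pattern from the article: Facebook_Password_<5 random chars>.zip
LURE_NAME_RE = re.compile(r"^facebook_password_[0-9a-z]{5}\.zip$", re.IGNORECASE)


def build_sample_lure():
    """Constructed stand-in for the spam the article describes. The 'executable'
    inside the zip is a few dummy bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_4cf91.exe", b"MZ dummy, not a real binary")
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <service@facebook.com>"   # spoofed, as in the article
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    # Hypothetical Received hop: the relaying host is not a facebook.com machine.
    msg["Received"] = "from mail.example-relay.net ([203.0.113.7]) by mx.example.com"
    msg.set_content("Your password has been reset. Your new password is in the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_4cf91.zip")
    return msg.as_bytes()


def build_benign_message():
    """Constructed control message: no attachment, no facebook.com sender claim."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "lunch?"
    msg["Received"] = "from smtp.example.org ([198.51.100.4]) by mx.example.com"
    msg.set_content("Are you free at noon?")
    return msg.as_bytes()


def archive_members(data):
    """List the member names of a zip attachment, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Sender claims facebook.com but no mail hop names a facebook.com host.
    sender = str(msg.get("From", "")).lower()
    hops = [str(h).lower() for h in (msg.get_all("Received") or [])]
    if "@facebook.com" in sender and not any("facebook.com" in h for h in hops):
        findings.append("From claims facebook.com but no Received hop names a facebook.com host")

    # 2. Lure file name, and 3. an executable inside the archive.
    attachments = list(msg.iter_attachments())
    for part in attachments:
        name = part.get_filename() or ""
        if LURE_NAME_RE.match(name):
            findings.append(f"attachment name matches the Bredolab lure pattern: {name}")
        for member in archive_members(part.get_payload(decode=True) or b""):
            if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTS:
                findings.append(f"archive {name} contains executable {member}")

    # 4. A "password" delivered as an attachment, which Facebook says it never does.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if attachments and "password" in (str(msg.get("Subject", "")) + body).lower():
        findings.append("message pairs the word 'password' with an attachment")
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", build_benign_message())):
        print(label, scan_message(raw) or ["clean"])
```

The file-name regex is the weakest signal, since the random suffix and the name itself change between campaigns; the executable-inside-archive check and the mismatch between the claimed sender and the relay path hold up across variants.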
Users who have downloaded the file should use anti-malware software to remove it.
Updated at 1:03 p.m. PDT to include new details from M86 Security.
Visible Technologies, a company that monitors online social activity and packages the findings for clients, has forged a "strategic partnership" with In-Q-Tel, the CIA's not-for-profit investment arm, to give the organization insight into social media.
The deal was first reported on Monday by Wired.
According to Visible Technologies, In-Q-Tel is also investing in the company through a "technology development agreement." It did not release more details than that.
However, examining Visible Technologies' work may offer insight into what In-Q-Tel has in mind.
Visible Technologies, which is based in the Seattle area, provides services that allow companies to monitor social-media activity. Companies tend to be interested in consumer opinions. With Visible Technologies' service, companies can view content from mainstream media, cultivate information from blogs, check out open Web 2.0 sites, read tweets, and more. Visible Technologies said its goal is to provide clients "with actionable insight into social-media conversations."
Aside from culling real-time, raw conversations across the Web, Visible Technologies also "scores" its content, helping clients determine the context of each mention and whether the tone of the comments are negative or not.
In-Q-Tel apparently sees Visible Technologies' offering as ideal for monitoring social media overseas.
The CIA may or may not be interested in what people think about it, per se. However, In-Q-Tel spokesman Donald Tighe told Wired that the organization plans to use Visible Technologies' service for "early-warning detection on how issues are playing internationally." He noted that it has no intentions of monitoring activity in the United States.
Steven Aftergood, a member of the Federation of American Scientists, told Wired that the overseas-only claim is probably true because "even if information is openly gathered by intelligence agencies, it would still be problematic if it were used for unauthorized domestic investigations or operations."
Regardless, In-Q-Tel, and by extension, the CIA, will be monitoring tweets and other social content soon. What do you think of that? Let us know in the comments below.
Twitter has added a "Report as spam" feature to its service in an effort to get help from its users in fighting spam, the company wrote in a blog post on Tuesday.
"Folks can now help us conquer spam by calling our attention to a profile they find questionable," a company representative wrote. "Click the 'Report as spam' button under the Actions section of a profile's sidebar and our Trust and Safety team will check it out to see what needs to be done."
To stop users from simply using the spam feature as a weapon against others they don't like, Twitter said that "no automated action will be taken as a result of reporting a user as spam." That said, users who click the button will automatically have the profile blocked from following or replying to them.
Twitter's decision to add a "Report as spam" button is just another way the company is trying to combat spam accounts. It's fighting an uphill battle. Out of my more than 12,000 followers, I've found several that do nothing but spam users. That said, I do believe that the "Report as spam" feature will be quite helpful in limiting that going forward.
Of course, all that depends on our willingness to report others. I'm all for it. Are you?
Technically, we can't blame the loss of Sidekick users' data on a failure of either the concept or the technology of "cloud computing." But Microsoft's clear bungling of basic information management practices (apparently, there were backups--but they didn't work) does cast a pall over not just Microsoft but the cloud concept entirely.
T-Mobile is trying to keep customers' data alive.
(Credit: Screenshot by Rafe Needleman/CNET)
Microsoft, as one of the giant infrastructure technology companies that's saying through its product offerings that data is safe in the "cloud," has a responsibility not just to its customers but to the growth of cloud computing overall to keep the data it's holding safe.
The company's failure to keep the data safe shows the world how fragile cloud computing is. Even though, really, it isn't. The world knows how to build systems that safeguard data from hardware, software, and network failures, and even from hacking and other forms of sabotage. The fact that Microsoft failed to keep the Sidekick data backed up indicates, rather, how management can fail.
But do consumers, or corporate IT managers considering cloud-based services, care where the failure was? All we know is that it failed.
Travel by commercial airliner is neither unsafe nor inherently safe because of the technology itself. It is as safe or as dangerous as the procedures followed to certify and maintain the equipment that people put their life's trust in.
Microsoft's Sidekick outage shows that sadly, in fact, it's true: you cannot trust the cloud because you can't trust the people who run it. It indicates another scary truth: We haven't had enough cloud failure yet. We're going to have more. We need more. We learn from each failure. And we're all thinking the same thing: I hope I'm the beneficiary, and not the victim, of the hard lessons still to come.
Data in the cloud can be safe. And it will become more safe thanks to this outage. Failures of trust, like this one, have costs, but there are benefits as well.
Google's browser now has an extension to use the Web of Trust, a project that lets people rate the trustworthiness of Web sites and see how others have rated them.
The open-source plug-in previously worked only with Firefox and Internet Explorer, but now a version is available for the new developer preview version of Chrome, according to a blog post.
The Web of Trust extension lets people rate Web pages. Clicking an icon in the lower left corner of Chrome pops up this interface.
(Credit: Screenshot by Stephen Shankland/CNET)
It's one of a host of relatively widely used extensions available on other browsers but now on their way to Chrome, whose extensions framework is just getting off the ground. There also are extensions (called add-ons in the Firefox realm) for Delicious and Xmarks, for example.
The extension takes advantage of the newer "mole" feature that lets windows pop up from the bottom of the screen. (The "mole" term originated with the work of Google's Gmail team on instant-message windows; closing a number of them is like playing Whack-a-Mole.) However, Web of Trust programmers are considering using a newer extensions possibility called browser actions, which builds an extension interface into a button that appears along the top of the Chrome window.
"Browser Actions look promising though and we're looking forward to using them in future," said programmer Sami Tolvanen in a mailing list announcement. He also offered a list of suggestions for the Chrome extensions interface.
Separately, Google announced a new developer preview version, Chrome 4.0.221.6 for Windows, 4.0.221.8 for Mac OS X, and 4.0.221.8 for Linux. The Windows version adds a new browser action feature: pop-up windows.
(Credit: CNET / Josh Lowensohn)
The iPhone has many applications that let you view Web cams from around the world, but what about turning your phone into a remote camera of its own? A new app called IP Camera (warning: iTunes link) does just that. This $1.99 tool takes a photo from your iPhone's camera every 12 to 15 seconds, then posts it to a local Web page that can be accessed from other computers on the same network.
All that's needed for setup is to make sure your phone is on Wi-Fi, then to jot down the special local HTTP address it gives you. It will keep running until you quit the application manually or get a phone call, although, like any good iPhone app, it starts right back up when you're done with a call.
While there are very few bells and whistles, this app worked really well in my testing with an iPhone 3G. One big thing that's missing, though, is a way to archive the photos it takes. You can temporarily stop its stream of photos, then save whichever one it's on, but it does not keep a "recents" on its Web page, or on your phone's camera roll.
I'd also like to see a way to change the frequency with which it takes photos, which could keep it from zapping too much juice if you're using it while disconnected from a power plug. And a way to run it with the display off would be nice too, since hitting the sleep button freezes the app into re-sending the same shot over and over again.
Tip: the iPod universal dock and iPhone 3G dock are both angled in such a way that makes it incredibly easy to perch your phone on a bookshelf or on top of a coworker's cube and get a great view. They'll never suspect you're watching their every move.
Related: DIY home surveillance with a Webcam
The IP Camera app turns your iPhone into a mini server, taking photos every 15 seconds and posting them almost-live to a Web page.
(Credit: CNET)