For starters, there are 350 million + users to go after. On top of that, many are less computer-savy users (like your parents and mine, teenagers, etc.) who may not be familiar with malware and how to protect themselves. Add in the fact that Facebook makes a great, centralized location to steal all kinds of information about you — and a jumping off point to steal from your contacts — and it’s easy to see why malware crews would target the site.

Take the jump for more on this particular attack, and how to avoid trouble (be sure to share with your non-techy friends)!

The message reads as follows:

Dear user of facebook ,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
Your Facebook.

Here are a few clues that this message is (and others like it are) fake:

• It has an attachment: big, reputable sites like Facebook never send out emails with attachments — especially not on password or account alerts
• It’s addressed to “user of facebook”: Facebook knows your real name, and they use it when they email you.
• The tone is too casual: an actual “safety alert” from Facebook would be written in a much stronger tone.
• It’s too short: warnings from popular sites tend to be wordy. Bad guys, on the other hand, are usually lazy and won’t bother to write a lengthy message.
• “facebook” isn’t capitalized: that’s a stylistic gaffe you’d never see on an official Facebook message.
• Facebook doesn’t email new passwords: when you do a reset, for example, they’ll send a random code to your inbox and a link to a form where you can create a new password.

If you’ve got a good antivirus program and you’ve kept it up-to-date, chances are good that the attachment (and the message itself) will be detected. Not sure you’re protected? Take a look at our list of free antivirus programs for Windows.

Another helpful download for less experienced users is a link scanner like WOT or AVG’s LinkScanner — both are part of our list of 10+ tools for safe web browsing.



Share

The report by Gartner (which costs $95) highlights the usual, inherent risks of moving to a new platform. VPSes, due to the new and immature software used to split a server’s resources, can be insecure. It’s not such a huge problem now, with only 18% of enterprise processing occurring on virtual servers, but by 2012 that will climb to over 50%. Right now, with the sheer number of unsecured physical dedicated servers, hackers are unlikely to target VPSes… but that will change!

Gartner suggests that organizations do their homework before switching to virtualized server resources — and specifically they need to know the ‘hypervisor’ backwards and forwards. The hypervisor’s job is to effectively split the physical server into discrete portions — but as you can imagine, if the hypervisor is compromised, every user’s data then becomes available. Such security concerns also pertain to cloud computing, though you have to assume that providers like Amazon know what they are doing.

This is just a teething issue, and I’m sure network and system administrators will get on top of things sooner rather than later.

[via Network World]
Share

Facebook, with 400 million users and a wealth of sensitive and contextual information, will make previous attempts at utilizing your location look like child’s play. Not only will this impact you as a user of the busiest site on the Internet, but games are about to be turned on their head: if you thought Foursquare was cool, you really have seen nothing yet. There were hints that Facebook would be enabling geolocation in November, and I guarantee that casual games companies like Zynga are wetting their pants in anticipation. Imagine how social gaming could soon become with a geolocation-enabled Facebook: when you visit your friend’s house, their FarmVille farm could pop up on your smartphone. How about a healthy version of the game that rewards you for tending to your farm while walking around outside?

Of course, with greater functionality comes wide-ranging risks. We’ve already seen the potential pitfalls of exposing your location on Foursquare — won’t the 400 million users of Facebook merely exacerbate the issue? Won’t the term ‘Facebook stalking’ take on a whole new meaning when someone actually knows where you are?

I bet there’s a large percentage of Facebook users that haven’t configured their privacy settings. What if you tell your boyfriend or girlfriend that you’re out with friends, but the geolocation data of an uploaded photo gives away your true location? Worse, can you imagine your mother checking up on you?

I know social networking is all about exposing information about ourselves, but most of the time we are aware of the data we’re exposing. Be careful, and make sure you know what you’re publishing.

Share

The WSJ is reporting on the White House’s new Comprehensive National Cybersecurity Initiative (CNCI), a program intended to shore up the U.S. Internet defenses. The main reason for declassification seems to be due to privacy concerns — and as always with improved security, you’re going to lose a little privacy. In this case, it’s communication snooping (but that’s nothing new)

The Initiative, codenamed Einstein, details a lot of changes and improvements, with stringent and omnipresent wire taps being just part of the program; scanning your emails is just one of the many new incoming changes. First up is the creation of a secure federal network with Trusted Internet Connections, and then they want to install intrusion detection sensors to make sure they catch breaches early.

Beyond the creation of a secure network, there will be better interoperation between government, public, and private sectors — a lot of critical infrastructure isn’t directly managed by the government, and they obviously think some things can be tidied up. It seems like the current American counter-intelligence system is split — as part of the CNCI, they’re going to try and bring all of the departments and agencies together.

Expanding cyber education efforts is also on the list. Education in new endeavors and fields of knowledge is, in my opinion, one of the most vital things a modern government must invest in.

Hopefully this isn’t all too little too late. It’s actually a little sad to be told, in plain English, just how loose and dilapidated the current American defences are.
Share

In essence: if you hit F1 in response to a pop-up dialog, an attacker could execute arbitrary code (i.e. hack you). All it takes is some cleverly-crafted VBScript — but Microsoft says it’s not aware of any such attacks currently in the wild.

The good news is, it only affects you if you’re using Internet Explorer — the bad news is, it probably won’t be patched for some time, so some old business machines will no doubt get compromised before a fix is in place. I wonder if the new browser ballot thing warns users about unpatched security holes before they choose a browser to install…

Paraben are a ‘forensics’ company that specialize in a wide variety of kinda-cool solutions to odd, and mostly technological, problems. The Porn Stick, much like their ‘Chat Stick’ uncovers chat logs, is all about finding porn on a target system. Just plug it in, run an EXE and watch as it sorts porn into ‘Suspect’ and ‘Highly Suspect’ folders. It even searches by file header rather than extension, which is ‘geek speak’ for ‘if you’re gonna hide porn, you gotta do it properly‘.

How does it detect porn though? ‘Analysis of flesh tones, shapes and curvatures, face detection and body part separation.’ I kid you not, that’s what the How It Works section says. It even capitalizes it: Body Part Separation. Ew.

They claim a success rate of 99%, which is pretty impressive!

The thing is, I can’t get my mind off an even better use of the Porn Stick. I travel a lot, and often I’m alone. Sometimes I get lonely… but if I had a Porn Stick, I could just plug it into a random computer and harvest all of the porn; problem solved.
Share

Here are the highlights from Miller’s interview:

He thinks Windows 7 will prove more secure than OS X Snow Leopard this year, in part because it doesn’t have Java and Flash enabled by default. Windows’ full ASLR (address space layout randomization) also gives it a security advantage.

When asked what he thought would make the safest OS and browser combo, he opted for Chrome or IE8 on Windows 7, with no Flash installed, although “there probably isn’t enough difference between the browsers to get worked up about.”

For my money, the juiciest quote from the interview was “The main thing is not to install Flash!”

On the mobile side, Miller guessed that the iPhone 3GS would be more easily exploitable than the Motorola Droid, mainly because the iPhone’s been around longer, and has been subjected to more extensive security research.

You can check out Miller’s full answers (in English or Italian!) at OneITSecurity.
Share

The security consultant doesn’t work directly with the government, but as a researcher his work and findings would have been accessible by the Chinese government and its agencies. It’s a tenuous link without direct government ties and it’s still possible that someone else hacked the author to get his code — but it seems unlikely in my opinion, given the scale of the attack.

In further news, the attack itself came from Shanghai Jiaotong University and Lanxiang Vocational School, with the former boasting one of the best security departments in the country, replete with veteran government cyber commanders. Jiaotong has a very strictly-monitored and secure internal network too, making it unlikely that the Google attack could’ve been routed through it.

The plot will continue to thicken, but we may never see a real resolution. Just do the world a favor and upgrade from IE6 — and pressure your system administrators to do the same!

[via ReadWriteWeb]
Share

The hole is likely to be still open since no updates have been released since the exploit became public. Secunia rates the problem as highly critical, however the Mozilla Foundation has yet to release an official statement – and patch.

Whether the exploit has already been widely circulated or used on a large scale remains unknown. The H is reporting that according to the analysis on the Extraexploit blog, a significant increase in the number of Firefox 3.6 crashes was noted on the 12th and 13th of February, but no-one can really say if this is related to the exploit or not.

Make sure to check for Firefox updates more often since the built-in update checker is very dull. Users with older versions of the Mozilla browser may update to Firefox 3.0.18 and Firefox 3.5.8.
Share

This year they’ll be looking at all major browsers on both Windows 7 and Vista, and Mac OS X Snow Leopard. $60,000 of the $100,000 total prize fund is allocated to mobile phones, however — the rules aren’t clear yet, but the four phones being scrutinized are the Apple iPhone 3GS, RIM BlackBerry Bold 9700, a Nokia device running Symbian S60 and a Motorolla device running Android.

I can’t find any speculation on which of the mobile handsets are likely to crumble first — Portnoy definitely thinks that Windows 7 is more secure than Snow Leopard though! “…Snow Leopard isn’t on the same level as Windows 7.”

[Go Windows! But ironically, via Macworld]

Share