Category: Privacy

Facebook employee reveals information on Facebook privacy issues

Filed under Privacy

An anonymous Facebook employee has revealed that all user activity on the site is recorded and stored with as many as six copies of each photo retained.

In an interview on therumpus.net, the employee was asked whether everything is saved, whether or not it has been deleted or untagged. He said that was essentially correct, and that it was only changing for performance reasons.

The employee said: “How do you think we know who your best friends are? But that’s public knowledge; we’ve explicitly stated that we record that. If you look in your type-ahead search, and you press ‘A’, or just one letter, a list of your best friends shows up. It’s no longer organised alphabetically, but by the person you interact with most, your ‘best friends’, or at least those whom we have concluded you are best friends with.”

The employee said the change was made ‘sometime in the last three months’, but that Facebook stores snapshots, which are basically a picture of all the data on all of the Facebook servers. The employee said that this is done every hour, of every day of every week of every month.

When asked if this is every viewable screen, the employee said: “It is way more than that: it’s every viewable screen, with all the data behind every screen. So when we store your photos, we have six versions of your photos. We don’t store the original: we make six different versions on the photo uploader and upload those six versions.”

These are stored in four data centres around the world – in Santa Clara, San Francisco, New York and London. The employee said that in each of those, there are approximately five to eight thousand servers.

Read more at: SC Magazine UK

Airport Scanners Can Store, Transmit Images

Filed under Privacy

Contrary to public statements made by the Transportation Security Administration, full-body airport scanners do have the ability to store and transmit images, according to documents obtained by the Electronic Privacy Information Center.

The documents, which include technical specifications and vendor contracts, indicate that the TSA requires vendors to provide equipment that can store and send images of screened passengers when in testing mode, according to CNN.

The TSA has stated publicly on its website, in videos and in statements to the press that images cannot be stored on the machines and that images are deleted from the scanners once an airport operator has examined them. The administration has also insisted that the machines are incapable of sending images.

But a TSA official acknowledged to CNN that the machines do have these capabilities when set to “test mode.”

The official said these functions are disabled before the machines are delivered to airports and that there is no way for screeners in airports to put the machines into test mode to enable the functions. The official, however, would not elaborate on what specific protections, if any, are in place to prevent airport personnel from putting the machines in test mode.

The TSA also asserts that the machines are not networked, so they cannot be accessed by hackers.

Source: Wired

Aggressive phishing campaign spoofing Microsoft Office Outlook Web Access

Filed under Malware, Privacy


An aggressive spear phishing email campaign is inviting recipients to “apply a new set of settings” to their mailboxes because of a recent “security upgrade” of their mailing service.

An embedded link in the email connects users to a web site that appears to be a Microsoft Office Outlook Web Access page, including official Microsoft and Microsoft Office logos. On the page, users are directed to “download and launch a file with a new set of settings for your e-mail account.”

The executable is actually a Zbot (Zeus) banking Trojan, similar to the Trojans distributed in recent H1N1 and Facebook phishing attacks.

“This spear phishing campaign is unusual in that it is highly personalized and is targeting a very large number of domains with a customized message for each domain,” said Dr. Tom Steding, president and CEO of Red Condor.

“Spear phishing campaigns usually target a single organization or domain, but this attack broke the mold as the volume and targets are very high. Once again, this is a perfect example of scammers modifying their tactics to thwart traditional security systems and demonstrates the importance of having an advanced, real-time email security solution. For Red Condor customers, the messages were blocked immediately, and a new filtering rule was in place within a few minutes of detecting the campaign.”

A spear phishing campaign is a highly targeted form of phishing that typically targets a single organization. Emails appear as if they come from a trusted source, such as an employer who would normally send an email to the entire company or a well-known organization.
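The lure above has three tells a mail filter can check without any signature: wording about applying mailbox “settings” after a “security upgrade”, a link whose visible text names the organisation’s own webmail host while the real destination is elsewhere, and a destination that serves an executable. The following is an added example written for this page (it is not Red Condor’s code or any product’s), run over two constructed messages; every address and host name in it is invented.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above: a "security upgrade" lure whose
# link shows the organisation's own webmail address but points at a look-alike host serving
# an executable. Every address and host name here is invented for this example.
PHISH_EML = """\
From: IT Helpdesk <helpdesk@example.com>
To: jane.doe@example.com
Subject: Security upgrade - apply a new set of settings to your mailbox
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Due to a recent security upgrade of our mailing service you must download
and launch a file with a new set of settings for your e-mail account.</p>
<p><a href="http://owa-settings-update.example.net/owa/settings.exe">
https://owa.example.com/owa/settings</a></p>
</body></html>
"""

# Constructed benign message for comparison (also invented).
BENIGN_EML = """\
From: IT Helpdesk <helpdesk@example.com>
To: jane.doe@example.com
Subject: Planned maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Webmail will be unavailable on Saturday morning.
<a href="https://owa.example.com/owa/">Sign in here afterwards</a>.</p></body></html>
"""

LURE_PHRASES = ("security upgrade", "new set of settings", "settings for your e-mail")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com")


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Good enough for example.com-style names; real code
    should consult the Public Suffix List so that names like example.co.uk are handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw_message):
    """Return a list of findings for one message; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    recipient_domain = registrable_domain(msg["To"].addresses[0].domain)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    lowered = (str(msg["Subject"] or "") + " " + body).lower()

    findings = []
    if any(phrase in lowered for phrase in LURE_PHRASES):
        findings.append("lure wording: mailbox settings / security upgrade")

    extractor = LinkExtractor()
    extractor.feed(body)
    for href, anchor in extractor.links:
        target = urlparse(href)
        host = target.hostname or ""
        if host and registrable_domain(host) != recipient_domain:
            findings.append(f"link leaves the recipient's domain: {host}")
        # Anchor text that is itself a URL should agree with the real destination.
        if anchor.lower().startswith(("http://", "https://")):
            shown = urlparse(anchor).hostname or ""
            if shown and registrable_domain(shown) != registrable_domain(host):
                findings.append(f"anchor text shows {shown} but href goes to {host}")
        if target.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"link serves an executable: {target.path}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, analyse(raw) or "clean")
```

The constructed phish trips all four checks; the benign notice trips none. The per-domain customisation Red Condor describes is exactly what makes the second check useful: the attacker has to name the victim’s own webmail host in the visible text to be convincing, and that text is what the href is compared against.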

Source: Help Net Security

Facebook users hacked with direct messages forwarding to suspicious site

Filed under Privacy

Facebook users have reported receiving direct messages which include a link to a suspicious website.

In what could be the first major Facebook security story of the year, users have reported receiving a message that encourages them to visit the ‘binsservicestore.info’ website after a friend’s recommendation.

According to DomainQuery, the website was created on 15th September 2009, last updated on 29th December 2009 and is due to expire on the 15th September this year. The sponsoring registrar is GoDaddy.com Inc and the administrator and registrant data provide contact details in India.

Rik Ferguson, senior security advisor at Trend Micro, said that binsservicesstore.info lands on a ‘work from home scam page’ that uses geo-IP lookup to look like an online newspaper local to the visitor.

Andy Thomas, commercial director of Garlik, warned at the end of December about a scam on Facebook where a user is offered a free £25 iTunes voucher. The scam, which came via an invitation and involves sending the group administrator a message with the user’s name and email address, had around 464,000 people respond.

Thomas said: “Some simple maths and logic says this is going to cost someone over £12 million. That is Hooveresque in promotional scale and we all remember what happened to them. The truth is, this is a well-timed scam that plays on people’s trust of the iTunes brand and love of a bargain (it’s called social engineering).

“The only gift members will get is a nasty surprise in an email (probably the one containing your iTunes ‘gift’) or a permanent place on a phishing attack list sold, much like direct marketeers buy email or physical addresses. If you or a friend joined this list make sure they know what to expect over the next few days, weeks, months.”

Source: SC Magazine UK

New Attack Locates Web Users Via XSS, Google Data

Filed under Hacks, Privacy

The security researcher who created the MySpace XSS worm in 2005 has developed a technique that enables an attacker to accurately locate a Web user with GPS coordinates, without using IP-based geolocation.

Samy Kamkar, the author of the infamous Samy worm that spread through MySpace, on Monday published information about a new technique that can be used to exploit a vulnerability in some home Internet routers and, when combined with other information, pinpoint a user’s physical location. The tactic combines cross-site scripting with some freely available tools and information on the Web.

In an example of the attack Kamkar published on his site, the attacker must first get the victim to visit a malicious Web site, which then exploits a cross-site scripting flaw in the victim’s home router. In his example, Kamkar uses a flaw he discovered in a router used by Verizon FiOS customers. A bit of AJAX code then grabs the router’s MAC address and sends it off to the attacker.

The attacker then looks the MAC address up in Google Location Services, the same Wi-Fi positioning database that Firefox’s Location-Aware Browsing feature queries. The result: a set of latitude and longitude coordinates for the victim’s router, and so for the victim’s home.
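The whole chain depends on one thing: a page served from a public origin gets the victim’s browser to make requests to an address on the victim’s own LAN. That is visible in any log that records destination and Referer. The following is an added example written for this page (not Kamkar’s code, and not a tool from the article); it runs the check over a constructed egress-proxy log whose format, hosts and timestamps are all invented.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed egress/proxy log in a deliberately simple space-separated format:
#   timestamp client method url referer   ("-" when the browser sent no Referer)
# The addresses, hosts and timestamps are invented for this example.
SAMPLE_LOG = """\
2010-01-05T10:01:02Z 10.0.0.7 GET http://www.example.com/ -
2010-01-05T10:01:03Z 10.0.0.7 GET http://192.168.1.1/ http://www.example.com/
2010-01-05T10:01:03Z 10.0.0.7 POST http://192.168.1.1/cgi-bin/status http://www.example.com/
2010-01-05T10:05:10Z 10.0.0.7 GET http://192.168.1.1/ -
2010-01-05T10:06:00Z 10.0.0.7 GET http://192.168.1.1/wifi http://192.168.1.1/
2010-01-05T10:07:00Z 10.0.0.7 GET http://cdn.example.net/lib.js http://www.example.com/
"""


def parse_line(line):
    ts, client, method, url, referer = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer}


def is_internal(host):
    """True for literal loopback, link-local and RFC 1918 addresses and for 'localhost'.
    Host names are not resolved here; a production detector should record the resolved
    address at log time, since a rebinding name can resolve differently later."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def find_lan_pivots(log_text):
    """Return (ts, client, referer_host, method, url) for every request that a page
    served from a non-internal origin caused the browser to make to an internal address."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        dest = urlparse(rec["url"]).hostname
        ref = urlparse(rec["referer"]).hostname if rec["referer"] else None
        if is_internal(dest) and ref is not None and not is_internal(ref):
            alerts.append((rec["ts"], rec["client"], ref, rec["method"], rec["url"]))
    return alerts


if __name__ == "__main__":
    for alert in find_lan_pivots(SAMPLE_LOG):
        print("LAN pivot:", *alert)
```

Only the two requests that www.example.com drove into 192.168.1.1 are reported; the user’s own visits to the router (no Referer, or a Referer on the router itself) are not. Two caveats: a Referer is trivially suppressed by the attacking page, so its absence proves nothing, and a home network rarely has a proxy at all, which is why the same rule belongs in a browser extension or in the router’s own request handling rather than only in an egress log.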

Kamkar released the Samy worm on MySpace in 2005 and it quickly spread across the site, leaving messages on millions of users’ pages. He later was sentenced to three years’ probation as part of a plea agreement stemming from the incident.

Source: Threat Post

How Non-Latin Domain Names Could Be Used to Steal Your Money

Filed under Privacy

[Image: the Latin-script “paypal” beside a visually identical Cyrillic string that reads “raural” in Russian]

Unicode is great because it supports multiple languages simultaneously, bringing international understanding, universal peace, and planetary love. And so is ICANN’s decision to allow domain names that use non-Latin alphabets. Until both combine to steal your credit card numbers.

Or your login name, passwords, address, or whatever other data a phishing site can get from you.

Until now, there was an easy way to test whether a site was legitimate: you just look at the browser URL. If it’s not paypal.com or amazon.com or whatever.com, then it isn’t those companies’ web sites, no matter how well they clone the layout and graphics. That check only works as long as the letters in the address bar are the letters you think they are.

The problem will come in 2010. That’s when URLs will start appearing in non-Latin alphabets such as Cyrillic, and that’s when there will be cases of mistaken identity: just look at the image above, in which a Cyrillic string that reads “raural” in Russian renders as “paypal”.
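What the image shows can be checked mechanically: the two strings are different code points, they go on the wire as different names, and a confusable-folding “skeleton” of the Cyrillic one equals the Latin brand. The following is an added example written for this page (not Gizmodo’s or any browser’s code); the confusables table is a small hand-built subset of the Unicode data, and the look-alike label is constructed from Cyrillic er, a, u, er, a plus a Latin “l”.

```python
import unicodedata

# Hand-built subset of the Unicode confusables data (UTS #39): Cyrillic letters that
# render like Latin ones in most fonts. The real table is far larger.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d",
}

# Constructed look-alike label: Cyrillic er, a, u, er, a followed by a Latin "l".
HOMOGRAPH = "\u0440\u0430\u0443\u0440\u0430l"


def scripts_in(label):
    """Set of script names (first word of each character's Unicode name) of the letters in label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold confusable letters onto their Latin look-alikes after NFKC normalisation."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in folded)


def to_ascii(label):
    """The form that actually goes on the wire (IDNA 2003, as implemented by Python's codec)."""
    return label.encode("idna").decode("ascii")


def mixed_script(label):
    """True when a single label mixes letters from more than one script."""
    return len(scripts_in(label)) > 1


def spoofs(label, brand):
    """True when label is not brand but a human would read it as brand."""
    return label != brand and skeleton(label) == brand


if __name__ == "__main__":
    print("label:", HOMOGRAPH, "reads as:", skeleton(HOMOGRAPH))
    print("on the wire:", to_ascii(HOMOGRAPH))
    print("mixed scripts:", mixed_script(HOMOGRAPH), "spoofs paypal:", spoofs(HOMOGRAPH, "paypal"))
```

The wire form starts with “xn--l-”, because punycode emits the ASCII letters first, so logs, certificates and blocklists never see “paypal” at all. The mixed-script test is what browsers later adopted for deciding whether to show the raw Unicode or the punycode form, but it is the weaker of the two checks: a label made entirely of Cyrillic letters (as has since been demonstrated for “apple”) is not mixed at all, and only the skeleton comparison against a list of protected brands catches it.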

Source: Gizmodo

Almost 16 million use same password for every website

Filed under Privacy

Almost 16 million people are in danger of falling victim to internet fraud because they use the same password for almost every website, a new study has found.

This could lead to money being stolen from bank accounts, fraudulent purchases via online shops or identity theft, according to life assistance company CPP.

The average internet user is asked for a password by 23 websites a month.

The research found 46 per cent of British internet users, 15.6 million, have the same password for most web-based accounts and five per cent, or 1.7 million, use the same password for every single website.

Some 29 per cent use variations of the same password, for example using days of the week or adding numbers to the end of a word.

Memorable dates, children’s names and mother’s maiden names are each used by one in 10. One in five users sign in with their pet’s name.

Users are advised to keep passwords secret but 40 per cent admit disclosing them to friends or family while two per cent say their former partner still has access to their accounts.

Source: Telegraph.co.uk

Phishers prefer Paypal, Visa, eBay and Amex

Filed under Privacy

Compared to the first half of 2009, the number of phishing messages has remained relatively unchanged, although phishers have switched their focus to institutions that could bring them the most profit in the shortest timeframe. This is one of the results of BitDefender’s malware and spam survey.

Primary targets are PayPal, Visa and eBay, followed by HSBC, American Express and Abbey Bank. Ally Bank and Bank of America rank last with a little over one percent of the total amount of phishing messages. These messages mostly target English-speaking computer users who are using the services of at least one of the institutions previously mentioned.

BitDefender Labs found that most web 2.0 phishing attempts in the first half of 2009 relied on social engineering schemes that exploited user naivety. The Twitter Porn Name scam is a good example. Users were invited to reveal their first pet’s name, as well as the first street on which they lived. These are exactly the details usually employed as backup/security questions. An e-crook possessing a person’s username along with these “clues” can easily reset the password and then access the account to send spam, access transactions, or use the account in whatever way is necessary to make a profit, including demanding a ransom for release of the hijacked account.

“2009 witnessed a wide range of security threats aiming at both end-users and at corporate networks,” Vâlceanu commented. “Extra caution and a highly-rated antimalware solution with antispam, antiphishing and antimalware modules are a must-have for anyone surfing the web in 2010.”

Source: Help Net Security

Zuckerberg pictures exposed by Facebook privacy roll-back

Filed under Privacy

Illuminating pictures of Facebook chief exec Mark Zuckerberg have been exposed by Facebook’s privacy roll back.

Back in October, the world at large could see only one photo of the Facebook co-founder via the social networking site. Facebook’s controversial privacy shake-up this week means that world+dog can now obtain access to a cache of 290 previously private shots featuring Zuckerberg. These pictures were uploaded either by Zuckerberg himself or by people who tagged him in images they posted onto the social networking site.

Gawker – which carries a selection of pictures of Zuckerberg in a story here – describes them as showing him as “shirtless, romantic, clutching a teddy bear, and looking plastered” though not all at the same time, we’d hasten to add.

“We just knew this new system would be a boon to gossips like ourselves,” Gawker enthusiastically reports.

Security watchers and the privacy conscious complained that the default settings applied in Facebook’s privacy revamp earlier this week meant that everyone had access to pictures, opinions and personal details uploaded to the social networking site. Users have to be proactive about limiting access to their accounts, because the default settings push Facebook users towards sharing more information.

Source: The Register

Facebook comes under heavy criticism after it changes policy on privacy controls

Filed under Privacy

Facebook has come under heavy criticism over privacy settings after users were warned about changes to the controls on its homepage.

The message tells users of the social networking site: “We’re making some changes to give you more control of your information and help you stay connected. We’ve simplified the Privacy page and added the ability to set privacy on everything you share, from status updates to photos.

“At the same time, we’re helping everyone find and connect with each other by keeping some information – like your name and profile picture – publicly available.” A guide is then offered to help the user control their privacy settings.

However criticism has been made on the language used in the guide, while users have hit out at the removal of the right to display profiles to certain friends. One user said: “I could previously customise my friends list visibility – not only as to make it not visible to non friends- but I could choose which one of my friends could not view it. With [these] new privacy settings I cannot, it’s either everyone can see it or no one. This way you have restricted my range of choice…everyone’s range of choice actually!”

Many other users hit out at the rights of everyone being able to see a user’s friends list, with many users commenting that they wanted the settings restored. One user said: “Seriously. You don’t just go and remove privacy from 350 million users. Seriously, Facebook. Who the hell do you think you are? If hackers made everyone’s profile pictures public there would be an uproar.”

Source: SC Magazine UK