Gee Thanks! I’ve been working out! …..oh wait a minute! What video??? CLICK!!!!

That was probably the script the culprit had in mind …and who knows how many times it played out.

I received the following message in my email inbox earlier from a cousin on Facebook.

It was so obviously malicious. Never mind the spelling issues. That is a trick typically used to get by email filters. My first reaction was to log in to Facebook and verify that it was indeed the source. I was reminded of an article I read about a similar fake LinkedIN email attack. In this case, the message was right there with a slight difference. The link now was more obvious.

One of those shortened bit.ly links that could lead you anyway. Without clicking the link, I clicked “reply” asking ” Did you send this?” . I already knew the answer but hey!  I immediately got the following response from one of the sender’s friends.

The plot thickens…

I sent the cousin a message advising a change of Facebook credentials. The message was apparently sent to many other users.  I’ve read and blogged about compromised Facebook account being used to spread malware and/or lure users to malicious sites but this is my first such experience. I’m not the average Facebook user though, since I only use it to cross-post blog updates.  I didn’t have to time to investigate what’s on the other side of that bit.ly link but just thought I’d share the experience.

Beware fellow Facebook users!

The e-mail appeared to be an invitation from an old, junior high school friend. Yet when the hospital employee clicked on the link, it instead led her to a malicious site that installed a Trojan horse on her computer. In a little over a week, international cybercriminals used that beachhead to steal more than $600,000 from the woman’s employer, according to a terse description of the incident on the Information Systems Security Association’s Web site.

A number of similar incidents to this one highlight the threats of online crime facing small and midsize businesses (SMBs), says Stan Stahl, president of Citadel Information Group and president of the Los Angeles chapter of the ISSA.

“Typically, they say, ‘We have firewalls in place and have AV on all the desktops, so I guess we are secure,’” Stahl says. “But today cybercrime is so sophisticated that is not enough anymore.”

Read full article at http://www.darkreading.com/smb-security/security/attacks/showArticle.jhtml?articleID=225702557&cid=RSSfeed

What is the values proposition for allowing employees access to web 2.0 resources such as social networks?

Every other day, we hear about the risks. Compromised Twitter accounts, phishing via LinkedIN,  malicious Facebook apps were only a sample of an every growing landscape. Most enterprises, appreciating the threats these pose to an environment, simply deny access to social networks from company systems and networks.

Even within such organizations, there are user who need to access social networks to perform their job functions. LinkedIN has become a great tool for recruiting prospective new hires. More companies are using Twitter, Facebook, Myspace and others to promote their business an connect with customers.

But outside of that, is there a value in allowing employees, whose job function do not require it, access to social networks on company systems?

I’m prompted to ask this because last week I was at a meeting of the Northern Virginia chapter of the  Information Systems Security Association (ISSA-NOVA) and the speaker was the deputy CISO of the IRS, Devon Bryan. He spoke about how the IRS was dealing with the security challenges posed by Web 2.0, particularly social networking, Their current stance is to block all access except for those employees who job function required it. Most security  professionals would agree this is probably wise. However, he also added that they are looking at technology that would allow users to “view” social networking sites, but not allow them to “update” them. As he explained, or tried to, read vs. write/execute.

As this was an audience full of security professionals, it was quickly pointed out that drive-by malware downloads only require the user to browse the infected web page or one that is linked to an infected web page. To view is to infect, so to speak. There was then talk of how to mitigate that using virtual machines or proxies.

I have no doubt the technical challenges can be overcome. The hackers who now treat social networks as the new frontier will probably change tact to react as well. Besides wanting to keep employees happy, what’s the policy rationale for allow users to follow their subscribed tweets or friends updates? Never mind, the adverse effect this with have on productivity. Really, why bother?

Facebook claims to have identified the self-proclaimed Russian hacker calling himself  ” Kirlios” .  Newswire report over the weekend reported that Kirlios had succeed in hacking a large number of Facebook accounts.  On hacker forums, Kirlios has been offering up Facebook accounts for sale in batches of 1000 – up to 1.5 million in total. The going price is between $25 and $45 a batch. Quite reasonable really.

Facebook claims they turned the information about the hacker to law enforcement authorities and that the hacker’s claims are grossly overstated. Even if this guy is caught, extradition to the US is unlikely. Russia’s stance on this sort of thing is ” show us the proof and we will prosecute him ourselves”.

So…. I made this post about the Social Media fallacy that is Blippy. Well true to form, here we are less than two months later finding out…

“Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its security plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members’ credit card numbers on Google.

Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day. ”

Who didn’t see this coming a mile away? Presenters at Shmoocon this year noted that penetration testers [and hackers] absolutely love this the Blippy platform because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: “I joined Blippy and all I got was jacked at the ATM.”"

Sigh

Google will ask users of its social network Buzz to review their privacy settings starting April 5.

This follows a series of privacy related concerns and updates following the initial launch of the service. I mentioned some of the concerns here in a post: Google Acknowledges Privacy Issues With Buzz amid FTC complaint

The latest tweaks will also show every aspect of a user’s profile, from public settings to the websites users are connected to, and who they are following or being followed by.

“Shortly after launching Google Buzz, we quickly realised we didn’t get everything right and moved as fast as possible to improve the Buzz experience,” said Buzz product manager Todd Jackson in a blog post.

“Offering everyone who uses our products transparency and control is very important to us.”, he continues.

The blogosphere has reacted positively to the proposed changes.

“While we can say that this is what we wanted at launch, it is heartening to see it now,” said Alex Wilhelm, of TheNextWeb.

Ben Parr, associate editor at social media blog Mashable, said that while the changes could not fix the damage already done, they might “help get Congress off [Google's] back”.

“If it can appease critics on the privacy issues, then it can tackle the bigger challenge: making Google Buzz into a competitive threat to Twitter and Facebook.”

The Google Buzz team has promised more updates in the future.

I swear I am not on an anti-Facebook crusade, but the endless drip, drip, drip  of security issues is astounding. So is Facebook just worse than the rest when it comes to security? I think not.  It’s just that they are the most popular and receive the most attention. In other words, ALL social networking sites have these issues.

“Last night during Facebook’s regular code push, a bug caused hidden email addresses to be visible briefly,” said a Facebook spokesman yesterday.

This new calamity lasted for 30 minutes.

Read more: http://www.v3.co.uk/v3/news/2260541/facebook-bug-discloses-private

Facebook users are expressing strong disapproval of proposed privacy changes will let the site share some user information with third-party Web sites and applications. Have you added your voice? These social networking sites have a captive audience which many businesses will pay a pretty penny to have access to and get information about.

When Google decided to unilaterally opt Gmail users into Buzz and share your contact information, it received bad press and an FTC filing. I can only hope the same and more happens here.

Under Facebook’s current rules you’re asked first if you want to share information (your name, photos and friends list) with third-party sites. The proposed policy, which Facebook hasn’t implemented yet, would bypass asking you for approval when visiting some sites and applications Facebook has business relationships with, sharing limited personal information automatically.

Tell Facebook how you feel about it here: http://blog.facebook.com/blog.php?post=376904492130

Alas, another day, another Facebook security alert.

As soon as you install this malware, it will tag every single one of your friends in a photo in batches of about 20. It then posts that photo to your wall.

This is what the photo looks like:

If a Friend looking through the photos then clicks on the app’s  link, they’ll see this:

If you have a lot of friends, you might end up with a series of albums like this:

Apart from the wall spamming, another obvious indication that this is a virus itself, is the url:

http://apps.facebook.com/kxetyegpgkxdwfy/

A valid application is not going to have a url with a bunch of jumbled letters at the end.

If you have been tagged in  the photo by one of your friends (remember, they did not really do this – the app did automatically), you can remove the tag.

1. Open your photos
2. Click the offending picture
3. Look for your name in the list of people tagged
4. Click the ‘Remove Tag’ link that appears beside your name

The photo will then automatically be removed from your photo list.

Source:

http://www.f-secure.com/weblog/archives/00001920.html

http://thefacebookinsider.com/2010/03/warning-facebook-antivirus-will-virally-spam-your-friends/

“I think the social networking sites are good to have,” she said. “You just have to be smart about it. Because just because you’re trustworthy and a nice person does not mean everyone on your Facebook is. So you can’t put your address — my address wasn’t even listed — or your phone number or that you’re home alone or going out of town.”

That’s a quote from a woman whose house was robbed by a Facebook “friend” after she updated her status indicating she was on her way to a concert. She appeared on the CBS Early Show this morning. The robber  had contacted her six month previously claiming to be long lost neighbor from 20 years ago. Fortunately for her, she had cameras installed at home and recorded  the culprit in the act.

I can’t stress enough the importance of limiting the information you put out there. With friends like these, ….

Source: CBS NEWS