Sweet!! Yourr bootyy look awseome on thiss ivdeo!

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking | Saturday 14 August 2010 4:10 pm

Gee Thanks! I’ve been working out! …..oh wait a minute! What video??? CLICK!!!!

That was probably the script the culprit had in mind, and who knows how many times it played out.

I received the following message in my inbox earlier from a cousin on Facebook.

It was so obviously malicious. Never mind the spelling issues; that is a trick typically used to get by email filters. My first reaction was to log in to Facebook and verify that it was indeed the source. I was reminded of an article I read about a similar fake LinkedIn email attack. In this case, the message was right there, with a slight difference: the link now was more obvious.

One of those shortened bit.ly links that could lead you anywhere. Without clicking the link, I clicked "reply" asking "Did you send this?" I already knew the answer, but hey! I immediately got the following response from one of the sender's friends.

The plot thickens…

I sent the cousin a message advising a change of Facebook credentials. The message was apparently sent to many other users. I've read and blogged about compromised Facebook accounts being used to spread links to malicious sites and/or lure users to them, but this is my first such experience. I'm not the average Facebook user, though, since I only use it to cross-post blog updates. I didn't have time to investigate what's on the other side of that bit.ly link, but just thought I'd share the experience.
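If you do want to see what is on the other side of a shortened link without clicking it, the safe way is to walk the redirect chain with HEAD requests and never render the final page. The script below is an added example written for this post, not something from the original article or from bit.ly; `http_head` does real requests, while the `FAKE_RESPONSES` chain at the bottom is constructed (the hostnames ending in `.test` are made up) so the logic can be exercised offline.

```python
"""Resolve a shortened link's redirect chain without rendering anything.

Added example. Each hop is a HEAD request and redirects are NOT auto-followed,
so the final page's content is never fetched or executed.
"""
import http.client
from urllib.parse import urlsplit, urljoin

SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
REDIRECTS = (301, 302, 303, 307, 308)
MAX_HOPS = 8


def http_head(url, timeout=5):
    """One HEAD request; returns (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_chain(url, head=http_head, max_hops=MAX_HOPS):
    """Return the list of URLs visited, stopping at the first non-redirect.

    `head` is injectable so the chain can be examined offline (see below).
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    # Never terminated: a loop or an unusually long chain is itself a warning sign.
    chain.append("<redirect loop or chain too long>")
    return chain


def assess(chain):
    """Flag what a reviewer would look at before deciding the link is safe."""
    hosts = [urlsplit(u).hostname or "" for u in chain if u.startswith("http")]
    findings = []
    if hosts and hosts[0] in SHORTENERS:
        findings.append("starts at a URL shortener (%s)" % hosts[0])
    if len(set(hosts)) > 2:
        findings.append("bounces through %d distinct hosts" % len(set(hosts)))
    final = chain[-1]
    if not final.startswith("http"):
        findings.append("did not terminate")
    elif any(final.lower().endswith(ext) for ext in (".exe", ".scr", ".zip", ".jar")):
        findings.append("final target is an executable/archive download")
    return findings


# Constructed chain (hostnames are invented) showing what a spam link's hops
# might look like; nothing here is taken from the message in the post.
FAKE_RESPONSES = {
    "http://bit.ly/EXAMPLE": (301, "http://redirector.example.test/go?id=7"),
    "http://redirector.example.test/go?id=7": (302, "/land"),
    "http://redirector.example.test/land": (302, "http://cdn.video.example.test/player_update.exe"),
    "http://cdn.video.example.test/player_update.exe": (200, None),
}


def fake_head(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    chain = resolve_chain("http://bit.ly/EXAMPLE", head=fake_head)
    for hop in chain:
        print("->", hop)
    for finding in assess(chain):
        print("flag:", finding)
```

Run it against a real link by calling `resolve_chain(url)` with the default `http_head`. The point of not following redirects automatically and of using HEAD is that a server cannot hand you an exploit page you did not ask for; what you get back is only the list of hops and the headers of the last one.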

Beware fellow Facebook users!

What is the value proposition for allowing users access to social networks?

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking | Monday 21 June 2010 2:36 pm

What is the value proposition for allowing employees access to Web 2.0 resources such as social networks?

Every other day we hear about the risks. Compromised accounts, attacks via LinkedIn and malicious Facebook apps are only a sample of an ever-growing landscape. Most enterprises, appreciating the threat these pose to their environment, simply deny access to social networks from company systems and networks.

Even within such organizations, there are users who need to access social networks to perform their job functions. LinkedIn has become a great tool for recruiting prospective new hires. More companies are using Twitter, Facebook, Myspace and others to promote their business and connect with customers.

But outside of that, is there value in allowing employees whose job functions do not require it access to social networks on company systems?

I’m prompted to ask this because last week I was at a meeting of the Northern Virginia chapter of the Information Systems Security Association (ISSA-NOVA), and the speaker was the deputy CISO of the IRS, Devon Bryan. He spoke about how the IRS was dealing with the security challenges posed by Web 2.0, particularly social networking. Their current stance is to block all access except for those employees whose job functions require it. Most security professionals would agree this is probably wise. However, he also added that they are looking at technology that would allow users to “view” social networking sites but not “update” them. As he explained, or tried to: read vs. write/execute.

As this was an audience full of security professionals, it was quickly pointed out that drive-by downloads only require the user to load the infected web page, or a page that pulls in content from an infected one; no “write” action on the user’s part is needed. To view is to infect, so to speak. There was then talk of how to mitigate that using virtual machines or proxies.
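To make the read-vs-write objection concrete, here is an added example (my own illustration, not anything the IRS described or deploys) of two proxy-side rules. The first is the “view but don’t update” idea expressed as an HTTP-method check; the second is the filter you would also need, because a plain GET still returns the page’s scripts, plugins and hidden frames, which is exactly what a drive-by relies on. The host list, the `.test` domains and the sample page are constructed.

```python
"""Proxy-side controls for a "view but don't update" social-network policy.

Added example. request_allowed() implements read-only by HTTP method;
sanitize_response() strips active content from HTML returned by social hosts,
since a GET alone is enough to deliver a drive-by page.
"""
import re
from urllib.parse import urlsplit

SOCIAL_HOSTS = {"facebook.com", "twitter.com", "linkedin.com"}   # assumed policy list
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Elements that execute code or embed foreign content in the browser.
ACTIVE_CONTENT = re.compile(
    r"<script\b.*?</script\s*>|<script\b[^>]*/>"   # inline and external script
    r"|<object\b.*?</object\s*>|<embed\b[^>]*>"    # plugin content (Flash, Java)
    r"|<iframe\b.*?</iframe\s*>",                  # hidden frames pointing at exploit kits
    re.IGNORECASE | re.DOTALL,
)
# Inline event handlers such as onload="..." / onmouseover='...'
ON_HANDLER = re.compile(r"\son[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.IGNORECASE)


def is_social(host):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in SOCIAL_HOSTS)


def request_allowed(method, url):
    """Read-only rule: reads pass; writes to social hosts are refused."""
    if not is_social(urlsplit(url).hostname):
        return True
    return method.upper() not in WRITE_METHODS


def sanitize_response(url, content_type, body):
    """Strip active content from HTML coming back from a social host.

    Non-HTML bodies (images, CSS) and non-social hosts pass through untouched.
    """
    if not is_social(urlsplit(url).hostname) or "text/html" not in content_type:
        return body
    body = ACTIVE_CONTENT.sub("", body)
    body = ON_HANDLER.sub("", body)
    return body


# Constructed page: a "video" post carrying the hidden iframe, external script
# and event handler a drive-by needs. The browser received all of it via GET.
SAMPLE_PAGE = """<html><body>
<div class="post">Sweet!! Your booty look awesome on this video!</div>
<iframe src="http://exploit.example.test/kit" width="0" height="0"></iframe>
<script src="http://exploit.example.test/loader.js"></script>
<img src="http://cdn.example.test/thumb.jpg" onload="stage2()">
</body></html>"""

if __name__ == "__main__":
    print("GET  allowed:", request_allowed("GET", "http://www.facebook.com/"))
    print("POST allowed:", request_allowed("POST", "http://www.facebook.com/"))
    print(sanitize_response("http://www.facebook.com/", "text/html", SAMPLE_PAGE))
```

The method rule on its own gives you “read-only” in name only: the GET response is where the exploit lives. The regex stripper shows the principle, but a real deployment would not rely on pattern matching over HTML; it would parse and rewrite the page properly or, as the audience suggested, render it in an isolated VM or remote browser and only ship pixels to the user. Note also that stripping scripts breaks most of the site’s own functionality, which for a view-only policy is the intended outcome.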

I have no doubt the technical challenges can be overcome. The hackers who now treat social networks as the new frontier will probably change tack to react as well. Besides wanting to keep employees happy, what’s the policy rationale for allowing users to follow their subscribed tweets or friends’ updates? Never mind the adverse effect this will have on productivity. Really, why bother?

1000 hacked Facebook accounts for as low as 25 dollars

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking | Monday 17 May 2010 1:02 pm

Facebook claims to have identified the self-proclaimed Russian hacker calling himself “Kirlios”. Newswire reports over the weekend said that Kirlios had succeeded in compromising a large number of Facebook accounts. On hacker forums, Kirlios has been offering Facebook accounts for sale in batches of 1000, up to 1.5 million in total. The going price is between $25 and $45 a batch. Quite reasonable, really.

Facebook claims they turned the information about the hacker over to law enforcement authorities and that the hacker’s claims are grossly overstated. Even if this guy is caught, extradition to the US is unlikely. Russia’s stance on this sort of thing is “show us the proof and we will prosecute him ourselves”.

IKEA Facebook scam cons 40,000 users

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking | Sunday 11 April 2010 6:47 pm

These types of attacks have become the norm on Facebook. Last week, I posted on a similar scam involving Whole Foods Grocery.

This particular scam page had taken in more than 37,000 users by last Friday, offering them a $1,000 gift certificate in exchange for promoting Ikea to friends. At that time, the page was gaining new fans at the rate of about 5,000 per hour. The promotion, the page said, was only available for one day.

To participate, users must become a fan of the fake Ikea page, hosted on Facebook, and then invite all their friends to become fans. They are then directed to an affiliate marketing page hosted by GiftDepotDirect.com, where they are asked for personal information such as name, address, date of birth and home telephone number.

After that step, the victim is told to sign up for two online marketing offers – these ones with legitimate websites such as Netflix and CreditReport.com – in order to claim the gift card.

The promised cards in these scams never show up. Who would have thunk it??

** Cross-posted from www.secur3t.com**

Google rolls out privacy reset for Buzz

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking | Monday 5 April 2010 3:39 pm

Google will ask users of its social network Buzz to review their settings starting April 5.

This follows a series of privacy related concerns and updates following the initial launch of the service. I mentioned some of the concerns here in a post: Google Acknowledges Privacy Issues With Buzz amid FTC complaint

The latest tweaks will also show every aspect of a user’s profile, from public settings to the websites users are connected to, and who they are following or being followed by.

“Shortly after launching Google Buzz, we quickly realised we didn’t get everything right and moved as fast as possible to improve the Buzz experience,” said Buzz product manager Todd Jackson in a blog post.

“Offering everyone who uses our products transparency and control is very important to us,” he continued.

The blogosphere has reacted positively to the proposed changes.

“While we can say that this is what we wanted at launch, it is heartening to see it now,” said Alex Wilhelm, of TheNextWeb.

Ben Parr, associate editor at the social media blog Mashable, said that while the changes could not fix the damage already done, they might “help get Congress off [Google's] back”.

“If it can appease critics on the privacy issues, then it can tackle the bigger challenge: making Google Buzz into a competitive threat to and .”

The Google Buzz team has promised more updates in the future.

Facebook error exposes users hidden email addresses for 30 minutes

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking | Wednesday 31 March 2010 2:37 pm

I swear I am not on an anti-Facebook crusade, but the endless drip, drip, drip of issues is astounding. So is Facebook just worse than the rest when it comes to security? I think not. It’s just that they are the most popular and receive the most attention. In other words, ALL social networking sites have these issues.

“Last night during Facebook’s regular code push, a bug caused hidden addresses to be visible briefly,” said a Facebook spokesman yesterday.

This new calamity lasted for 30 minutes.

Read more: http://www.v3.co.uk/v3/news/2260541/facebook-bug-discloses-private

Facebook to share your information with other sites

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking,Users | Tuesday 30 March 2010 1:52 pm

Facebook users are expressing strong disapproval of proposed privacy changes that will let the site share some user information with third-party web sites and applications. Have you added your voice? These social networking sites have a captive audience which many businesses will pay a pretty penny to have access to and get information about.

When Google decided to unilaterally opt Gmail users into Buzz and share their contact information, it received bad press and an FTC filing. I can only hope the same and more happens here.

Under Facebook’s current rules you’re asked first if you want to share information (your name, photos and friends list) with third-party sites. The proposed policy, which Facebook hasn’t implemented yet, would bypass asking you for approval when visiting some sites and applications Facebook has business relationships with, sharing limited personal information automatically.

Tell Facebook how you feel about it here: http://blog.facebook.com/blog.php?post=376904492130

Don't install fake Facebook Antivirus

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Malware,Social Networking | Monday 29 March 2010 12:20 pm

Alas, another day, another Facebook alert.

As soon as you install this app, it will tag every single one of your friends in a photo, in batches of about 20. It then posts that photo to your wall.

This is what the photo looks like:

If a Friend looking through the photos then clicks on the app’s  link, they’ll see this:

If you have a lot of friends, you might end up with a series of albums like this:

Apart from the wall spamming, another obvious indication that this app is itself malicious is the URL:

http://apps.facebook.com/kxetyegpgkxdwfy/

A valid application is not going to have a URL with a bunch of jumbled letters at the end.
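That “jumbled letters” observation can be turned into a quick check. The script below is an added example of mine, not from F-Secure or the other source linked below; it scores the last path segment of an app URL for signs of being machine-generated (Shannon entropy, vowel ratio and the longest run of consonants). The thresholds are assumptions chosen to separate the handful of constructed samples here, not measured values, so treat a hit as a reason to look closer rather than proof on its own.

```python
"""Heuristic for random-looking app slugs like the one in the post's URL.

Added example. A generated slug tends to have high entropy, few vowels and
long consonant runs; product names like "farmville" do not.
"""
import math
from collections import Counter
from urllib.parse import urlsplit

VOWELS = set("aeiouy")

# Assumed thresholds, not measured on real data.
MIN_LETTERS = 8
MAX_CONSONANT_RUN = 5
LOW_VOWEL_RATIO = 0.2
HIGH_ENTROPY = 3.0
MID_VOWEL_RATIO = 0.3


def shannon_entropy(s):
    """Bits per character of the string's own letter distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS or not ch.isalpha() else run + 1
        best = max(best, run)
    return best


def app_slug(url):
    """Last non-empty path segment, e.g. 'kxetyegpgkxdwfy' for the URL in the post."""
    segs = [s for s in urlsplit(url).path.split("/") if s]
    return segs[-1].lower() if segs else ""


def looks_generated(slug):
    """True when the slug reads like a random string rather than a product name."""
    letters = [c for c in slug if c.isalpha()]
    if len(letters) < MIN_LETTERS:
        return False            # too short to judge; short slugs are common for real apps
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return (
        longest_consonant_run(slug) >= MAX_CONSONANT_RUN
        or vowel_ratio < LOW_VOWEL_RATIO
        or (shannon_entropy(slug) > HIGH_ENTROPY and vowel_ratio < MID_VOWEL_RATIO)
    )


def score_url(url):
    slug = app_slug(url)
    return {
        "slug": slug,
        "entropy": round(shannon_entropy(slug), 2),
        "consonant_run": longest_consonant_run(slug),
        "generated": looks_generated(slug),
    }


if __name__ == "__main__":
    for u in ("http://apps.facebook.com/kxetyegpgkxdwfy/",
              "http://apps.facebook.com/farmville/",      # constructed comparison
              "http://apps.facebook.com/causes/"):        # constructed comparison
        print(score_url(u))
```

Like any entropy-style check, this will occasionally flag a legitimate app with an odd name and miss a scam that picked a plausible word, so it belongs alongside the other signals in the post (unexpected wall posts, mass tagging), not in place of them.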

If you have been tagged in the photo by one of your friends (remember, they did not really do this; the app did it automatically), you can remove the tag.

1. Open your photos
2. Click the offending picture
3. Look for your name in the list of people tagged
4. Click the ‘Remove Tag’ link that appears beside your name

The photo will then automatically be removed from your photo list.

Source:

http://www.f-secure.com/weblog/archives/00001920.html

http://thefacebookinsider.com/2010/03/warning-facebook-antivirus-will-virally-spam-your-friends/

Facebook "Friend" Suspected in Burglary

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking,Users | Thursday 25 March 2010 1:34 pm

“I think the social networking sites are good to have,” she said. “You just have to be smart about it. Because just because you’re trustworthy and a nice person does not mean everyone on your is. So you can’t put your address — my address wasn’t even listed — or your phone number or that you’re home alone or going out of town.”

That’s a quote from a woman whose house was robbed by a Facebook “friend” after she updated her status indicating she was on her way to a concert. She appeared on the CBS Early Show this morning. The robber had contacted her six months previously, claiming to be a long-lost neighbor from 20 years ago. Fortunately for her, she had cameras installed at home and recorded the culprit in the act.

I can’t stress enough the importance of limiting the information you put out there. With friends like these, ….

Source: CBS NEWS

Hacker Updates Woman’s Facebook Status

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking,Users | Wednesday 24 March 2010 12:42 pm

Here’s an interesting story. Who didn’t see this coming?

“Police say an investigation in Fairfax County, Virginia started with a pregnancy announcement. But it turns out the woman is not expecting a baby.

According to police, someone hacked into her Facebook account and posted the fake status update. The victim, who is from Springfield, also claims someone accessed her Hotmail account and sent out nasty emails.

All of the victim’s classes at Northern Virginia Community College were canceled by the hacker.

Police are investigating the Facebook and Hotmail hacking claims, but so far no charges have been filed.”

Source: http://www.myfoxdc.com/dpp//local/woman-says-facebook-account-was-hacked
