Personal Information Easily Harvested on Facebook

Facebook is currently the most popular social networking site on the Internet. With the ability to find friends, communicate with them, and play games, the site can be addictive. But the BBC’s program Click this week showed that your personal information - the information in your Facebook profile - can be harvested easily by applications you choose to add to your profile.

It turns out that when you allow an application to access your personal information - something that many applications require - that application can get at not only your information, but that of your friends, without their knowing it, and in spite of their security settings.

The Click team created a simple application that could masquerade as a game or a test.

“We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people’s security?”

The solution? Alas, there is none for now. The only thing you can do is make sure that you don’t include, in your Facebook profile, information that you don’t want non-friends to find out about. Or, as the Click team says, “In fact, the only way we can see of completely protecting yourself from applications skimming information about you and your friends is to erase all the applications on your profile and opt to not use any applications in the future.”

To learn more about this, watch this segment of Click on the program’s website.

Posted by Peter on May 6, 2008 in Other Software, Security | Permalink

Celebrate the 30th Anniversary of Spam

An article in The Register reminds us that the very first spam e-mail was sent on May 3, 1978, or thirty years ago. Somehow, this anniversary is not much to celebrate. As most Internet users can attest to, spam is rampant; it’s the true scourge of the Internet. Many users get as many as hundreds of spam messages a day; all you need is to have one e-mail address on a web site, in forums, or on mailing lists, for spammers to harvest it, package it, and sell it along with millions of others.

While spam filters are increasingly efficient (and Intego’s Personal Antispam is recognized as the most effective spam filter for Mac), spam is constantly evolving. (This Wikipedia page explains some of the techniques used in spam, and how they change to try and fool spam filters.) It’s a never-ending battle, unless the powers that be come up with a system that will authenticate messages, allowing ISPs to filter out spam.

The Register article cited above suggests that 95% of all e-mail is spam; other sources posit figures of 80-90%. But spam works; as the Register says, “a recent survey … revealed that 11 per cent of people admit to having bought goods in response to spam messages.”

Posted by Peter on May 2, 2008 in Intego Software, Security | Permalink

Computer Keyboards Dirtier than Toilet Seats

While we usually discuss here the type of computer security that affects your data, operating system and personal identity, it’s time to look at another aspect of security that you may not have considered. The British consumer magazine Which has done a study of computer keyboards in a typical London office and found that they are “5 times filthier than a toilet seat,” and that “the germs found could cause food poisoning symptoms such as diarrhoea and other stomach upsets.” While this is the case in offices, however, it is likely not the case at home. The article points out that, “the main cause of a bug-infested keyboard is eating lunch at your desk, as the crumbs encourage the growth of millions of bacteria.” So unless you eat over your home keyboard, you have less to worry about for that one.

Most people never clean their keyboards, their mice, or even their telephones, while it is relatively easy to do so. Just take a clean, lint-free cloth with some alcohol, and you’ll get them pretty well cleaned. Well, not always - the problem with keyboards is the spaces between the keys. To really clean a keyboard, you need to pop off the key caps (use a screwdriver and carefully pry them off) and, perhaps, soak them in a disinfectant. For other devices, you can simply use alcohol or disinfectant wipes.

Posted by Peter on May 2, 2008 in Security | Permalink

Website Certification Fraught with Difficulties

An article on The Register discusses problems with a security vendor’s certification of web sites as hacker-free, which does not mean they are totally safe. The problem with such certification is that, even with daily checks of sites, it’s very hard to guarantee that any web site remains safe. In this case, the security vendor in question is understating the danger of cross-site scripting attacks (vulnerabilities in web applications that allow malicious code to be injected into the web pages they serve). (To learn about cross-site scripting, see this Wikipedia page.)

The real problem lies less with such certification than with the fact that web sites can never be certified 100%. The web is too fluid, and vulnerabilities can arise and be exploited very quickly. For this reason, you cannot trust this kind of certification, and must always have client-side protection (i.e., protection on your computer) and keep your Mac up to date with the latest security updates. Also, make sure you have software such as VirusBarrier and NetBarrier, to protect you from malware and security risks.

Posted by Peter on April 30, 2008 in Intego Software, Security | Permalink

Hackers’ Contest to Create Even More Malware

The annual Defcon hackers’ conference this August is featuring a strange competition. Called Race to Zero, it is described as follows:

The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses.

At first glance, this may seem like a good idea: to try and find weaknesses in antivirus software, in order to spur vendors to detect more malware. But when looking more closely, it turns out to be a very dangerous game indeed.

Security companies have a hard time stopping the proliferation of malware, and researchers attempting to make this even harder can only harm the broader community. In this contest, a large number of hackers will create dozens, even hundreds of variants of existing malware, which will then easily go into circulation. If their hacks are successful, this provides fodder to malware writers to help them tweak their code to further block detection. While the hackers in the contest may have good intentions, the result of their game is likely to lead to an increase of malware.

In addition, one of the contest’s rules shows just how dangerous this game is:

6. Techniques used to perform mutations will not be submitted to antivirus vendors without contestants’ approval but may be used during our post-contest round-up presentation

What this means is that any contestant can take his technique home, or share it, furthering the spread of dangerous malware. If, on the other hand, the contest stipulated that all techniques would be shared with antivirus companies, at least those responsible for ensuring end-user security could be aware of them and improve their detection. This sort of conference is generally non-malicious, and hacks are usually found and shared for the good of the greater community. But this strange rule suggests that what has long been the attitude of the white-hatted hacker may be changing.

“We are especially worried that contestants or other participants will use this contest to develop techniques that may release new versions of very dangerous malware,” said Laurent Marteau, CEO Intego. “Encouraging hackers to spend their time writing more dangerous malware is not part of the hacker ethic; it is likely to lead to dangerous results for all computer users around the world.”

Posted by Peter on April 28, 2008 in Security | Permalink

Copyrighting Malware

The Register has an article today about virus writers adding copyright notices to their malware. These are professional virus writers, and the copyright notice, the article says, “is designed to prevent the malware from being freely distributed after its initial purchase.” Apparently, this is a problem that is hurting the revenue stream of your friendly-neighborhood malware programmer.

It makes you wonder how they can enforce this, of course. But there’s a way. One of the licenses says, “In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.”

There’s no better threat than that: send the code to security companies so it will be blocked much quicker than when it’s discovered in the wild. There’s no honor among thieves…

Posted by Peter on April 28, 2008 in Security | Permalink

Copyright © 2007-2008 Intego