The Mac Security Blog


Facebook to Introduce Two Factor Authentication

In a blog post entitled A New Suite of Safety Tools, Facebook has announced that they are “starting to introduce” Two Factor Authentication, which will help prevent hackers from accessing your Facebook account. The principle of this is to require additional authentication when you access Facebook from a different device – a different computer than usual, or a mobile device. As the blog post explains:

If you turn this new feature on, we’ll ask you to enter a code anytime you try to log into Facebook from a new device. This additional security helps confirm that it’s really you trying to log in.

Facebook hacking can be a serious problem, as your reputation can be at stake. In addition, anyone who can access your Facebook account also has access to personal information belonging to your friends. This new feature will help prevent such hacking.

Facebook Adds Secure HTTPS Access

Facebook has announced that they are adding secure HTTPS access to the company’s web site. This means that data is encrypted, in both directions, between your computer and their servers. This can ensure that data that you send is protected, but also that no one can “sniff” your connection and intercept data on Facebook pages you load.

You’ll see this by the presence of a padlock somewhere in your browser window (if you use Safari, this lock is at the top-right of the window; in Firefox, it’s at the bottom-right), and a green section in your address bar with the name Facebook, Inc.

You can log into Facebook securely by using https instead of http in the site’s URL (https://www.facebook.com), or by changing your Account Security settings. The settings below should be available sometime today:


Facebook also announced a new type of “captcha” (a system used to prove you are human) if you need to verify your identity: it uses pictures of your friends, and asks you to name the person in the photos. Facebook says, “Hackers halfway across the world might know your password, but they don’t know who your friends are.”

Facebook Now Sharing Phone Numbers and Addresses with Developers

Facebook has instituted a new system whereby developers of Facebook apps can access users’ addresses and phone numbers. While some Facebook users add this information to their pages, and this information is visible to friends, it was not previously accessible to developers. Third parties will now be able to access this information automatically, if users opt in.

The problem with all such schemes is twofold. First, as shown in the sample screenshot above (from the Facebook Developer Blog), to use certain apps users may have no choice but to allow access to this information. Second, it is highly possible that Facebook malware (or, more correctly, cross-site scripting attacks that function when people click links on Facebook) will eventually be able to crack this system and access this information even when users don’t choose to allow it.

Users who are concerned about this information being made public, or, especially, being harvested by advertisers, should delete their addresses and phone numbers from Facebook.

Update: Facebook has announced that they are putting this new feature on hold:

Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We’ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready. We look forward to re-enabling this improved feature in the next few weeks.

More Information About the Koobface Trojan Horse for Mac

Intego’s researchers have been examining the OSX/Koobface.A Trojan horse for some time, and the company provided some information about this Trojan horse yesterday. Following a number of questions, Intego would like to present some additional information about this Trojan horse.

This malware, unlike what one company claims, is not a “critical” risk, for several reasons. The level of risk for any given malware depends on several criteria, and this risk is fluid. As time changes, the risk level can increase or decrease depending on how common the malware is, whether new variants appear, and other conditions.

First of all, OSX/Koobface.A is not very widespread. While there is evidence that a handful of Mac users have been infected, there is no evidence to suggest that there is any large number of infections. (We’re only looking at infections among Mac users; since the Trojan horse can infect Windows and Linux users as well, it is very possible that there are more infections occurring on those platforms, especially Windows.)

Second, the malware is flawed, and does not work correctly in all situations. Intego’s researchers have not found it to be operable on Macs running Mac OS X 10.6. In addition, the presence of a Java alert, and the appearance of an installer asking for an administrator’s password, show that the installation does not occur surreptitiously.

Finally, the installer for this malware contacts a number of remote servers to download files. The installer contacts 5 servers at a time until one responds. Intego has isolated dozens of servers that are contacted, yet all but one of them seem to be currently offline. (This does not mean that these servers will not come back online, or that future variants of this malware will not contact other servers.)

In addition to the servers used to provide elements installed on Macs, one part of the malware contacts IRC servers. As of today, all the IRC servers contacted have been blacklisted and are offline.

Concerning the files that are installed, there is a combination of Java files for the malware’s main operation, together with Mac, Windows and Linux files. Some files are archives containing Java classes or other Windows or Mac files. The following is a list of files downloaded:

cad.scp
cplibs.zip
cplib_x86_osx.tnw
cplib_x86_win.klf
jnana.pix
jnana.tsa
NirCmd.chm
nircmd.exe
nircmd.zip
nircmdc.exe
ofex.avi
ofex.exe
ofex.zip
OSXDriverUpdates.tar
pax_wintl
pax_wintl.zip
pex.bsl
rawpct
rawpct.zip
RingOnRequest.lock
rvwop
rvwop.zip
VFxdSys.exe
VfxdSys.zip
VfxdSysAdm.exe
WinStart.exe
WinStart.zip

One of the Java classes found in the above archives is called FaceBookWorm.class.
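As an added illustration (not code from Intego or from the post above), the following Python script turns the dropped-file list and the FaceBookWorm.class name reported in this post into a simple host scan: it walks a directory tree, flags any file whose name appears on the list, and opens zip archives to look for the named Java class. The sample directory it builds is constructed for the demonstration and contains only placeholder text, not real malware. Filename matches are assumed to be weak indicators on their own (several names are generic, and nircmd is also a legitimate utility), so the output is a list of items to review rather than a verdict. Name comparison is case-insensitive because the post lists both “VFxdSys.exe” and “VfxdSys.zip” and HFS+ is case-insensitive by default.

```python
import os
import tempfile
import zipfile

# Dropped-file names reported by Intego for OSX/Koobface.A (from the post above).
KOOBFACE_FILENAMES = {
    "cad.scp", "cplibs.zip", "cplib_x86_osx.tnw", "cplib_x86_win.klf",
    "jnana.pix", "jnana.tsa", "NirCmd.chm", "nircmd.exe", "nircmd.zip",
    "nircmdc.exe", "ofex.avi", "ofex.exe", "ofex.zip", "OSXDriverUpdates.tar",
    "pax_wintl", "pax_wintl.zip", "pex.bsl", "rawpct", "rawpct.zip",
    "RingOnRequest.lock", "rvwop", "rvwop.zip", "VFxdSys.exe", "VfxdSys.zip",
    "VfxdSysAdm.exe", "WinStart.exe", "WinStart.zip",
}
# Java class named in the post; archives carrying it are flagged as well.
SUSPECT_CLASS = "FaceBookWorm.class"

# Case-folded lookup set (see lead-in: the list mixes cases, HFS+ ignores case).
_NAMES_FOLDED = {n.lower() for n in KOOBFACE_FILENAMES}


def archive_members_of_interest(path):
    """Return zip members whose base name is the suspect Java class."""
    if not zipfile.is_zipfile(path):
        return []
    with zipfile.ZipFile(path) as zf:
        return [m for m in zf.namelist() if os.path.basename(m) == SUSPECT_CLASS]


def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) tuples for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() in _NAMES_FOLDED:
                findings.append((rel, "filename matches Koobface drop list"))
            for member in archive_members_of_interest(full):
                findings.append((rel, f"archive contains {member}"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample directory (placeholder content only) to exercise the scan."""
    root = tempfile.mkdtemp(prefix="koobface_demo_")
    os.makedirs(os.path.join(root, "Library", "Caches"))
    # Benign file that must not be flagged.
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing to see\n")
    # A file whose name is on the drop list (contents are harmless text).
    with open(os.path.join(root, "Library", "Caches", "nircmd.exe"), "w") as fh:
        fh.write("placeholder\n")
    # An archive on the drop list that also carries the named Java class.
    with zipfile.ZipFile(os.path.join(root, "cplibs.zip"), "w") as zf:
        zf.writestr("FaceBookWorm.class", b"placeholder bytes")
        zf.writestr("README", b"placeholder")
    # A harmless archive that must not be flagged.
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("holiday.jpg", b"placeholder")
    return root


def demo():
    """Build the constructed tree and scan it; returns the findings list."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against a real home directory by calling `scan_tree(os.path.expanduser("~"))`; each hit is a filename or archive to inspect by hand, since the list carries no hashes and a matching name alone does not prove infection.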

Intego has no doubt that there will be variants of this malware in the future, but for now, the threat is minimal. Intego’s Virus Monitoring Center is remaining vigilant in order to detect any new variants that may cause serious threats to Mac users.


Facebook Apps Share Confidential User Information

A Wall Street Journal article published today has some pretty serious news for Facebook users:

Many of the most popular applications, or “apps,” on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people’s names and, in some cases, their friends’ names—to dozens of advertising and Internet tracking companies…

Wall Street Journal reporters, who investigated a number of popular apps, say that this issue “affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings.”

Apps that users allow to access their profiles receive a “Facebook ID,” a unique ID attributed to each user. But since this ID is a public part of the user’s profile, anyone can connect the ID to the user, and thereby obtain information about them, “even if that person has set all of his or her Facebook information to be private.”

The article gives a number of examples of apps that have collected such information and passed it on to third-party advertising and tracking companies, or included it in cookies that are accessible to other companies.

It’s not clear how common this is, or which apps are harvesting this information, but Facebook users should be very careful about allowing apps to access their personal information.

Facebook’s New Privacy Settings Are Opt-Out

Facebook has recently changed its privacy settings, allowing a number of websites of Facebook’s choice to access your personal information. And, as has often been the case with Facebook, this is an opt-out change: the change has already been made without informing you, and to undo it you must edit your privacy settings yourself.

A Cnet article looks at this issue and explains how to turn off this new feature. This feature, called Instant Personalization, “shares all your publicly available information (name, profile picture, gender, and “Connections,” another new way for you to publicize all the things you’re interested in) with, right now, three partner sites: Yelp, Pandora, and Docs.com.” But it’s clear that, in the future, this information will be shared with other websites, because, as author Molly Wood says, “I hold few illusions that Facebook’s business strategy has ever been about anything other than building up a huge user base and then selling ads to those users.”

Google went through a similar problem with its Buzz service, turning on features without even informing users. Facebook has done this in the past as well, usually backing down, then coming back more stealthily to make changes. So if you’re a Facebook user, check out the article linked above to find out how to ensure that your personal information remains personal.