You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.
A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.
The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.
Here's a look at some of the specific threats users of the sites face and what they can do about it.
A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users.
(Credit: Trend Micro)Problems: Malware, account hijacking, phishing, and social engineering
The biggest malware risk is Koobface, (an anagram of Facebook), which is a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.
Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.
Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.
Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.
Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
Problem: Rogue applications
Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.
Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?
Problem: Privacy leaks due to user error
Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.
Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.
These instructions explain how to keep most people from viewing your friends list on Facebook.
(Credit: CNET)Problem: Privacy leaks due to design or implementation issues
Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.
Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.
Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.
Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.
Problem: Privacy leaks related to marketing
The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.
Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.
Problem: Information used to suppress dissent and target political activists
As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.
"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.
Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.
Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.
Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."
Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.
Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.
Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.
Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.
Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.
TweetDeck gets promotional with a Sherlock Holmes movie theme.
(Credit: Screenshot by Stephen Shankland/CNET)In a sign that both the movie industry and the Twitter industry are adapting to the times, TweetDeck released a promotional version of its Twitter-user software that sports a look and function tied to Warner Bros.' Sherlock Holmes movie and related 221B video game.
The Sherlock Holmes promotional version is called TweetDeck Telegram Co. and sports black-and-white icons and a couple period touches that try, but don't really succeed, to make you think you're in the 19th century. It also adds a new column for 221B-related tweets that tie into the online video game.
"Alongside the development of our core products we've also been partnering up with a select group of bands, record labels, movie studios, and media companies to develop themed TweetDecks," said TweetDeck founder and Chief Executive Iain Dodsworth in a blog post Monday. "These special TweetDecks not only offer a potentially radical look and feel but also a dedicated channel straight to the artist or movie alongside the usual TweetDeck columns."
These special TweetDecks are a nice idea, especially for a start-up in search of new revenue sources. But here's what I don't like: you must install a new version of the software.
Happily, Adobe Systems' AIR (Adobe Integrated Runtime) foundation makes this reasonably easy. But I'd much rather have a TweetDeck skin that does the trick, especially because uninstalling this to go back to regular TweetDeck is another hoop to jump through.
TweetDeck, for those unfamiliar with the software, lets you get more out of Twitter by constantly publishing tweets from those you follow, categorizing those you follow, shortening Web addresses, and automating various administrative tasks. It also can act as a front end to Facebook, MySpace, and LinkedIn.
Twitter is a free service and TweetDeck is free software to use it. Promotional deals are one way to make money off the ecosystem. Another, apparently, are Twitter's search deals with Google and Microsoft.
(Credit:
CNET)
As we close out another great year at Download.com, we've been putting together several end-of-year software collections. Just like last year, Jessica Dolcourt and I have split up the iPhone apps of the year into two groups. Jessica has put together the iPhone Starter Kit that's perfect for grabbing the best productivity apps to make your life more...productive. My job is quite the opposite. I went through my favorite games of 2009 (and quickly realized I had too many), and was able to narrow it down to 17 of my most played games. If you're looking to waste some time, this collection was made for you!
I tried to make a collection of games that would have something for everyone, so I included quick casual games along with strategy, tower defense, first-person shooters, word games, and more. Obviously, I recommend every game in this list, but hopefully you'll be able to find a genre you like so you have something to play over the holidays.
Without further ado, here are my favorite games for 2009.
... Read moreMozilla Messaging hopes to release Thunderbird 3.1 in early April, a date that reflects a new frequent-release strategy adopted from the better-known Firefox effort at Mozilla.
Dan Mosedale, a programmer for the open-source e-mail software, published the date in a Thunderbird schedule draft he announced Thursday.
"If we're lucky, we relabel 3.1RC1 [release candidate 1] as final and ship it on Tuesday, April 6. Otherwise, there's an RC2," Mosedale said in the planning document.
The new version is due to get an updated Web browser engine. Using the same Gecko project that Firefox is built atop means Thunderbird messages can integrate with Web activity such as Google Calendar.
Another possibility for 3.1 is a revamp of the Thunderbird start page, Mozilla Messaging CEO David Ascher said Friday. That redesign, which Ascher described in May, could show more useful information than the present splash screen--for example, information about what activity people has been up to help pick up where they left off.
"The 'start page,' which makes a lot of sense in Firefox, never made a huge amount of sense to me in Thunderbird. In particular, it's shown only when a folder is selected, and no message is selected. That's hardly a logical time to show the (colorful, pretty, but fairly useless) page we show now. Instead, why not show information about the selected folder and help people who clearly intended to select a folder, so most likely wanted to do something related to that folder," Ascher said in the blog post.
The faster Thunderbird release cycle is just one attribute the Thunderbird team is trying to adopt from Mozilla's higher-profile Firefox effort. Also on the longer-term plan is financial self-sustenance. Those are big challenges, though. An easier adoption will be fun names.
Starting now, Thunderbird versions will be named after beaches, Ascher said in a blog post this week.
"Firefox releases have cool code names while in gestation," Acher said. "Firefox picks national parks as code names, as metaphors for the values that go into making a Firefox release. The idea made a lot of sense to us, so we decided to follow suit for Thunderbird. Rather than parks, we picked beaches."
First up: Hawaii. Thunderbird 3.1 gets the name Lanikai, Ascher said, adding that he misspelled it "Lanakai" in the blog post.
The Sony A850, the least expensive full-frame SLR on the market, now has raw-image support from Adobe.
(Credit: Sony Electronics)Adobe Systems released an update to its Photoshop and Lightroom products on Thursday night to support raw images from a raft of newer cameras from Canon, Nikon, Sony, and others.
Raw image formats, which record the unprocessed image sensor data from various higher-end cameras, offer higher quality and more flexibility than JPEGs but require more processing and take up more space. Adobe, Apple, and others write their own modules to decode the proprietary formats.
Adobe's update supports several newer SLRs from Canon, Nikon, Pentax, and Sony; compact cameras from Olympus, Panasonic, and Canon; and several medium-format camera models from Mamiya. Here's the full list of cameras now supported in Lightroom 2.6, the Camera Raw 5.6 plug-in for Photoshop CS4, and the DNG Converter 5.6 utility:
• Canon EOS-1D Mark IV
• Canon EOS 7D
• Canon PowerShot G11
• Canon PowerShot S90
• Leaf Aptus II 5
• Mamiya DM22, DM28, DM33, DM56, M18, M22, M31
• Nikon D3S
• Olympus E-P2
• Pentax K-x
• Panasonic FZ38
• Sigma DP1s
• Sony A500
• Sony A550
• Sony A850
The software also fixes a problem that, on PowerPC-based Macs, could create artifacts in highlight areas in some circumstances with medium-format sensors and with some cameras from Sony, Olympus, and Panasonic.
The Camera Raw plug-in also works for customers of Photoshop Elements 8 and Premiere Elements 8. The free DNG Converter software can translate raw files into the Digital Negative format Adobe is trying to promote and standardize as a way to address file format longevity issues for archiving, expand use of raw photography, and handle metadata better.
Supporting raw processing keeps software makers on a new-camera treadmill. Apple updated its support for some of the new cameras on Wednesday, and DxO Labs announced it supports Canon's high-end S90 compact with the new DxO Optics Pro v6.1.1.
Mozilla, racing to release Firefox 3.6 by the end of the year, issued a fifth, and likely final, beta version of the new browser.
The open-source browser backer announced the new Firefox beta (download for Windows and Mac OS X) in a blog announcement Thursday.
Firefox 3.6 builds in a feature called Personas for customizing the browser's appearance, adds the File interface for better file management such as selecting what to upload, and, my personal favorite, placement of new tabs next to the ones that spawned them.
A total of 127 bugs were fixed since the fourth beta, but this time Mozilla didn't announce any new features. The first Firefox 3.6 beta arrived in October.
Mozilla had considered issuing its first Firefox 3.6 release candidate this week: "If we can go to build today or tomorrow, QA [quality assurance] will scrap Beta 5 and we'll release RC to the beta audience ASAP," the Mozilla meeting notes said.
Mozilla has updated its Firefox browser to patch three critical security holes.
Firefox 3.5.6 and 3.0.16 both fix earlier memory corruption issues. "We presume that with enough effort at least some of these could be exploited to run arbitrary code," the security advisory said.
In addition, the earlier version of Firefox 3.5 had two critical vulnerabilities in its technology for playing Ogg-format media, one with the liboggplay media library and one with the libtheora video library.
The patches are among 62 fixes in the new Firefox, software that's translated into dozens of languages and runs on multiple operating systems. Users of the OS/2 operating system will be delighted to know that problems with Firefox's full-screen mode and with print preview have been resolved.
"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting. By default, Firefox downloads updates automatically then prompts users to restart when it's ready; updates also can be retrieved through the "check for updates" menu option.
Mozilla plans to cease supporting Firefox 3.0 in January. Meanwhile, a significant update, Firefox 3.6, is due by the end of the year.
Correction 1:23 p.m. PST December 17: This story was corrected to note that it was the earlier versions of Firefox that suffered the vulnerabilities.
Google's browser has passed Safari in terms of worldwide browser usage--at least by one measurement.
NetApplications' measurements of browser usage share, which track which browsers individuals use based on visits to the company's network of Web sites, gave Chrome the third-place spot after No. 1 Internet Explorer and No. 2 Firefox for the week of December 6 through 12, according to a Computerworld story Tuesday. Chrome had 4.4 percent share to Safari's 4.37 percent.
Google released beta versions of Chrome for Mac OS X and Linux on December 8. Earlier, only developer channel versions had been available. Google plans to release the "stable" versions January 12, according to the Chromium development calendar.
Take these usage share numbers with a grain of salt. Even though 0.03 percentage points still is a lot of people in the real world, it is a small fraction, and a change in Net Applications' assumptions in August led to share changes two orders of magnitude more dramatic. Weekly statistics also vary: Although Firefox cleared 25 percent share in one week of November, it averaged only 24.72 percent for the overall month.
I've asked various browser makers about how trustworthy they view NetApplications' statistics to be. The answers generally are favorable but not ringing endorsements.
Regardless of the precise details, though, the Chrome trajectory is upward: its November usage share was 3.93 percent to Safari's 4.36 percent.
And although Google relied on word of mouth for promoting its original online search product, it's taking a more active role with Chrome. The latest example: a "Chrome for Christmas" site that lets people send invitations to download Chrome.
Firefox proved that a browser not bundled with an operating system can be successful, and Chrome could show the idea isn't a fluke if its growth continues.
Google is promoting its browser through this 'Chrome for Christmas' e-mail campaign.
(Credit: Screenshot by Stephen Shankland/CNET)Adobe warned of reports of an attack exploiting a hole in Reader and Acrobat on Monday.
"This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild," the company said in an advisory on its Security Incident Response Team blog. "We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information."
Three different security vendor partners reported the alleged exploit to the company on Monday afternoon, said Adobe spokeswoman Wiebke Lips. She said she could not provide more details.
Last week, Adobe released a critical update affecting Flash Player and Adobe AIR.
Meanwhile, some Macintosh users were reporting on the Adobe Forums site that they were having problems installing an update from October that resolved a critical vulnerability in Adobe Reader and Acrobat 9.1.3 that had reportedly been exploited in the wild.
Updated 6:01 p.m. PST with Mac user problems installing update.
(Credit:
CNET)
Looking at my iPhone yesterday, I noticed that there was a crack about a centimeter long right up the middle of the back of the handset coming straight from the charging area. It's hardly noticeable and I'm sure my iPhone will continue to work, but it definitely serves as a reminder that when my two-year contract is up in June, I'm going to be ready for a new iPhone.
Fortunately, a story over at AppleInsider points to a rumor that the next generation of iPhones are set to come out right about that time. Eldar Murtazin, an insider, said the next generation iPhone has recently been slated for production by Foxconn, Apple's Taiwanese iPhone manufacturer, putting the handset right in line for a June release. Some of the reworked features mentioned in the article include a new Apple-designed map replacement and the possibility for RFID swipe support (handy in checkout lines). Like any news related to Apple, almost everything revolves around rumors, but it does make me excited for when I can finally upgrade beyond the iPhone 3G.
This week's apps include a popular database app for movie buffs and a huge update for one of the first iPhone games.
The iPhone-friendly layout helps you get to info you want quickly
(Credit: Screenshot by Jason Parker/CNET)IMDb (free) is a new iPhone app that lets you access movie, TV, and celebrity information from the popular Internet Movie Database. Like the IMDb Web site, you'll be able to access just about any information you could want about movies, celebrities, TV shows, and photos, all on your iPhone. But even better than the Internet version, you'll also be able to browse movie and TV show times in your area once you give IMDb access to your location.
The interface for IMDb was clearly made for mobile, with a launch page that lets you access local movie and TV information so you can find a movie or schedule your evening viewing on the go. But at the very top of the interface is a searchbox for all those moments where you want to know a specific actor from some obscure movie. Simply type in the information you have, and IMDb gives you a huge list of results. When you drill down to actor and movie pages, you get an easy to browse layout with a filmography, actor bios, and much more. People who love movies or just like having a portable database to search for local movies, TV shows, and celebrities should definitely grab this app.
Navigating past those cannons and obstacles is going to be tricky
(Credit: Screenshot by Jason Parker/CNET)Labyrinth 2 ($4.99) is the sequel to one of the early games that showed off the accelerometer capabilities of the iPhone. But where the original was a straight-forward game where you tilt the phone to guide the metal ball to the goal, Labyrinth 2 adds several more maps, tons of features and obstacles, and breathes new life into an old game concept.
The first thing you'll notice about Labyrinth 2 is the enormous amount of playable map packs. Each map pack is rated so you can pick easy levels for more casual play, medium for a little more challenge, and hard levels when you're ready to dive in to a real challenge. What moves this iteration of the old game into modern times are new features to effect gameplay. Amidst the usual walls and holes you need to navigate around, there are now magnets and fans to knock you off track, cannons that shoot at your ball, and floor switches that open gates to get to the goal. Even if you manage to get past all the included map packs you can download free level packs to keep going. Overall, if you liked the original game for iPhone (and even if you didn't), Labyrinth 2 offers so much content and new concepts to the game that it's definitely worth checking out.
What's your favorite iPhone app? Are you happy to finally see the official IMDb on the iPhone? What do you think of Labyrinth 2? Let me know in the comments!
