The Security Pub

Random Thoughts About Security

Facebook Scam – Facebook is Closing All Accounts Today

There is yet another viral scam being spread across Facebook by a rogue application, tricking users into believing that Facebook is closing all accounts today.

Many Facebook users have found that their profiles have been updated with a message which reads:


Facebook is closing all accounts today. They can’t handle so many accounts. Most of the old accounts are not active, so they are deleting everything. If you want your account alive please confirm your activity. This is the final notice! [LINK]

They may also see a message reading:

Final Notice – Confirm your activity today!
In order to keep your account alive you must verify your activity!
Your account will be permanently disabled if you don’t take this step.

The sad thing is that there are many Facebook users who can be fooled by a cunning piece of social engineering like this, as their addiction to the world’s most popular social network outweighs their skepticism about Facebook killing off accounts.

If you think you may have clicked on a link for a rogue application, check out my post on securing your Facebook profile.

Fake Facebook Application that Steals Login Information

Yet another fake application that is stealing Facebook users’ login credentials has recently been discovered by Symantec researchers.

This application lures users in with videos titled “Tornado Randomly Appears During Soccer Game” or “Video: This is the best April Fools’ prank ever!”. When the user clicks on the message, a script is automatically downloaded that logs the user out of Facebook and then displays an error message inviting him to log in again in order to continue.

For more information regarding this “Fake” Facebook application click here.

SQL Injection Attack Compromises 380,000 URLs

A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked.

The injected script redirects users that have landed on various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution.

Both sites are currently offline, say the researchers, but the attackers have started using other domains for redirection, and will likely keep changing them up.

The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job of securing the site against this kind of attack.

“The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn’t execute on the user’s computer,” they explained.
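The point the researchers make is that encoding the markup in feed text turns an injected script tag into inert characters. The following Python is an added example (not code from Websense, Apple or this post) that checks a constructed podcast feed for injected script tags and shows how HTML-encoding the description neutralizes them; the feed content and the `attacker.invalid` host are made up for the demonstration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample podcast feed (not a real feed): the second episode's
# description carries an injected script tag of the kind the mass SQL
# injection campaign planted in compromised pages.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example Podcast</title>
<item><title>Episode 1</title>
<description><![CDATA[Show notes for episode 1.]]></description></item>
<item><title>Episode 2</title>
<description><![CDATA[Show notes<script src="http://attacker.invalid/x.js"></script>]]></description></item>
</channel></rss>"""

# Matches the opening of a script element, case-insensitively.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def find_injected_items(feed_xml):
    """Return titles of feed items whose description contains a script tag.

    Useful as a detection check over feeds you publish or consume: a
    podcast description has no legitimate reason to carry a script element.
    """
    root = ET.fromstring(feed_xml)
    hits = []
    for item in root.iter("item"):
        desc = item.findtext("description") or ""
        if SCRIPT_TAG.search(desc):
            hits.append(item.findtext("title"))
    return hits


def render_description(desc):
    """Encode feed text before placing it in an HTML page, as iTunes does.

    After escaping, '<script>' becomes '&lt;script&gt;': the browser shows
    the characters instead of creating a script element, so nothing runs.
    """
    return html.escape(desc, quote=True)


def is_neutralized(rendered):
    """True when no script element survives in the rendered HTML."""
    return SCRIPT_TAG.search(rendered) is None
```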

NASA systems dangerously at risk from cyberattack

An official audit of NASA’s network has concluded that the space agency faces a high risk of cyberattack.

Experts from the Office of the Inspector General (OIG) paint a grim picture of the state of the space agency’s server infrastructure, warning that vulnerabilities in its systems leave it open to defacement, denial of service or information-stealing attacks.

In particular, six unnamed IT systems were found to be at risk of attacks that might allow hackers to seize remote control of critical systems over the net – including systems that control spacecraft – as a result of unpatched software vulnerabilities.

Read the full article – The Register

Facebook Vulnerability

There is currently an unpatched XSS vulnerability in the mobile API version of Facebook that is being exploited to post messages to users’ Walls; those messages serve as a gateway to the specially crafted website exploiting the flaw.

The flaw has been misused for a while now, but has only recently been used widely. Indonesian users are currently targeted by various groups using the vulnerability to their advantage.

“It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript,” explains Symantec. “Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall.”

No user interaction is needed, so the messages are spreading through Facebook at a fast pace. Facebook’s security team has been notified about the vulnerability and is working on a fix. Hopefully it will be issued soon, since the attack seems easy to recreate.
Symantec advises users to log out of Facebook when they are not actively using it or to use script-blocking add-ons to prevent the attack.

Secure Your Facebook Profile

Facebook is a terrific resource for networking, for catching up with old friends, and for staying in touch with the people you want to stay in touch with.  Maybe that’s why it has over 500 million active users from all over the world, with roughly half of them logging in every day.

The average Facebook user:

  • has 130 friends.
  • creates 90 pieces of content each month.
  • is connected to 80 community pages, groups and events.

As interesting as these stats might be, they trigger an even more interesting question:

Who has access to your information?

Sure, you want to tell your friends how your day was, but do you want to share those comments with your boss?

Does your college admissions counselor really need to see the pictures from last weekend’s party?

And does an application developer in Romania really need to know your home address?

If you’re going to maintain a Facebook profile, you should follow these four steps to secure your information.

Step 1: Edit Your Friends

Is there anyone in your friends list that you never interact with?  If so, then click the x on the far right to remove them.  You should do this at least twice a year to keep your friends list current.  (Don’t worry.  Facebook won’t post a status update that you’re no longer friends with anyone you remove.  It’ll be our little secret.)

If you’re like me, you probably have people in your Friends list that you network with for work or projects.  These are the people you want to stay connected with, but you don’t want to grant them the same access to your profile that your Friends have.  You can add these Friends to your Limited Profile list by using the Edit List function on this page.

Step 2: Update Your Security Information

Unless you’re using a password vault, there’s always the chance that you’ll forget your Facebook password.  And what if someone compromises your Facebook account and changes the password?  What will you do to take control of your account?

Facebook lets you add security information in case you ever lose access to your account.  I strongly recommend that you add two email addresses and a mobile number.

Step 3: Update Your Privacy Settings

Facebook has been in the news on multiple occasions for privacy concerns.  As a result, they continue to refine their privacy settings, granting users more and more control over their information.  The Privacy Settings page has four (4) key elements:

  1. Connecting on Facebook
  2. Sharing on Facebook
  3. Apps and Websites
  4. Block Lists

Below are my recommendations for updating your privacy settings.

The one point that I refuse to budge on: NEVER grant Everyone access to your Facebook information.  The risks far outweigh the benefits.

Connecting

  • Search for you on Facebook – Friends of Friends
  • Send you messages – Friends Only
  • See your Friends list – Friends Only
  • See your education and work – Friends Only
  • See your current city and hometown – Friends Only
  • See your likes, activities, and other connections – Friends Only

Sharing

  • Set everything to Friends Only

If you click on Customize Settings, you can lock down your information even further by listing specific Friends who you want to share information with.  Likewise, you can list specific Friends who are never permitted to see that information.

You might consider applying those settings to things like:

  • Your birthday
  • Permission to comment on your posts
  • Places you check into
  • Your contact information

Apps and Websites

Remember that app that you tried out back when you first joined Facebook?  Yeah, it still has access to your information.

Click on Edit Settings to remove the apps that you don’t use anymore.  If you want to start with a clean slate, you can click Turn off all platform apps.

Other Apps, Games and Websites settings recommendations:

  • Info accessible through your friends – Uncheck everything
  • Game and app activity – Friends only
  • Instant personalization – My preference is Disabled
  • Public search – Disabled

Block Lists

Maybe it’s an ex.  Maybe it’s a stalker.  Maybe it’s a spammer who refuses to leave you alone.  It doesn’t matter who you want to block or why.  The important thing is that Facebook lets you use this page to Block Users.

Facebook also lets you use this page to block app invites, event invites, and apps.  Instead of constantly declining invitations to mind your neighbor’s farm, join their Mafia, or play Phrases with them, all you have to do is tell Facebook which apps you don’t want to play.  Simple as that.

Step 4: Tweak Your Account Settings

There are a TON of options on the Edit Account page, but I’m only going to touch on the ones that you absolutely need to update.

Settings

  • Make sure your password is strong (letters + numbers + special characters) and hard to guess.  Again, I recommend using a password vault to store your passwords.
  • Linked Accounts – If you’re logged into another site, your browser will automatically log you into Facebook.  Keep this list as short as you can.
  • Account Security – Enable secure browsing (https).  Otherwise, that shady character at Starbucks will hijack your account.
  • Download Your Information – If you want to backup your entire profile to your local computer, this is where you do it.
  • Notifications
    • Visit this page and start unchecking boxes.  Not so much a security setting as a “leave me the heck alone” setting.  You’re welcome. ;]
  • Mobile
    • If you choose to send updates to your mobile phone, NEVER set Limit my daily texts to Unlimited.
  • Payments
    • The fewer places your credit card information is stored online, the better. It’s up to you whether you want to pay Facebook to watch Grown Ups.
  • Facebook Ads
    • My recommendation is to set both dropdown boxes to No one.

As Facebook continues to improve their privacy policy, I’m sure these options will change.  In the meantime, these steps should be enough to keep you safe for now.