In the past, Facebook has seemed curiously reluctant to do anything which might impede traffic.
After all, Facebook’s revenue doesn’t come from protecting you, the user. It comes from the traffic you generate whilst using the site.
So this latest announcement is a welcome sign, since some of the new security features prevent or actively discourage you from doing certain things on the Facebook network. Let’s hope that everyone at Facebook has accepted that reduced traffic from safer users will almost certainly give the company higher value in the long term.
But do Facebook’s new security features go far enough? Let’s look them over.
* Partnership with Web of Trust (WOT)
WOT is a Finnish company whose business is based around community site ratings. You tell WOT if you think a site is bad; WOT advises you as you browse what other people have said about the sites you visit.
Community block lists aren’t a new idea – they’ve been used against both email-borne spam and dodgy websites for years – and they aren’t perfect. Here’s what I said about them at the VB2006 conference in Montreal:
[C]ommunity-based block lists can help, and it is suggested that they can be very responsive if the community is large and widespread. (If just one person in the entire world reports a [dodgy] site, everyone else can benefit from this knowledge.)
But the [cybercriminals] can react nimbly, too. For example, using a network of botnet-infected PCs, it would be a simple matter to 'report' that a slew of legitimate sites were bogus. Correcting errors of this sort could take the law-abiding parts of the community a long time, and render the block list unusable until it is sorted out. Alternatively, the community might need to make it tougher to get a [site] added to the list, to resist false positives. This would render the service less responsive.
Another problem with a block list based on “crowd wisdom” is that it can be difficult for sites which were hacked and then cleaned up to get taken off the list. Users will willingly report bad sites, but are rarely prepared to affirm good ones.
False positives, in fact, have already been a problem for Facebook’s own bad-link detector, which is also mentioned in the announcement. Naked Security has had its own articles blocked on Facebook simply for mentioning the name of a scam site.
In short, the effectiveness, accuracy and coverage of the WOT partnership remain to be evaluated. But I approve of the deal. It’s a step forward by Facebook. However, Facebook’s own bad-link detector could do with improvement.
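Here, as an added illustration rather than anything WOT or Facebook has published about their own systems, is a toy community block list in Python that shows the two trade-offs described above: it only lists a site once enough reporters with a track record agree, which blunts a botnet flood of freshly created accounts but means a single lone report no longer blocks anything, and it lets established members vouch for a site that was hacked and then cleaned up so it can drop off the list again. The reporter weighting, thresholds, account ages and site names are all constructed for the example.

```python
"""Toy community block list: weighted reports, vouches, and a botnet flood.

Added example; not WOT's or Facebook's scoring, which is not public.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Reporter:
    name: str
    age_days: int           # account age; botnet-created accounts are days old
    confirmed_reports: int  # earlier reports that other members later corroborated

    def weight(self) -> float:
        # Tenure caps at one year, track record caps at 20 confirmed reports.
        # A day-old account with no history therefore carries ~0.003 weight.
        tenure = min(self.age_days, 365) / 365
        track_record = 1 + min(self.confirmed_reports, 20) / 10
        return tenure * track_record


class CommunityBlockList:
    def __init__(self, threshold=3.0, min_credible=2, credible_weight=0.5):
        self.threshold = threshold            # weighted net score needed to block
        self.min_credible = min_credible      # distinct reporters above credible_weight
        self.credible_weight = credible_weight
        self.reports = defaultdict(dict)      # site -> {reporter name: weight}
        self.vouches = defaultdict(dict)      # site -> {reporter name: weight}

    def report(self, site: str, reporter: Reporter) -> None:
        # A member's latest opinion wins: reporting cancels an earlier vouch.
        self.vouches[site].pop(reporter.name, None)
        self.reports[site][reporter.name] = reporter.weight()

    def vouch(self, site: str, reporter: Reporter) -> None:
        self.reports[site].pop(reporter.name, None)
        self.vouches[site][reporter.name] = reporter.weight()

    def score(self, site: str) -> float:
        return sum(self.reports[site].values()) - sum(self.vouches[site].values())

    def is_blocked(self, site: str) -> bool:
        # Raw score alone is not enough: a flood of near-zero-weight accounts can
        # push the score up, so demand several independently credible reporters.
        credible = [w for w in self.reports[site].values() if w >= self.credible_weight]
        return len(credible) >= self.min_credible and self.score(site) >= self.threshold


def scenarios() -> dict:
    """Run the three situations the text describes and return what happened."""
    veteran = Reporter("veteran", age_days=730, confirmed_reports=10)  # weight 2.0
    regular = Reporter("regular", age_days=365, confirmed_reports=0)   # weight 1.0
    bl = CommunityBlockList()
    out = {}

    # 1. Responsiveness cost: one credible report is not enough on its own.
    bl.report("phish.example", veteran)
    out["single_report_blocks"] = bl.is_blocked("phish.example")
    bl.report("phish.example", regular)
    out["two_credible_block"] = bl.is_blocked("phish.example")

    # 2. Botnet flood: 2000 day-old accounts "report" a legitimate site.
    for i in range(2000):
        bl.report("bank.example", Reporter(f"bot{i}", age_days=1, confirmed_reports=0))
    out["botnet_score"] = bl.score("bank.example")      # above threshold...
    out["botnet_blocks"] = bl.is_blocked("bank.example")  # ...but no credible reporter

    # 3. Hacked, then cleaned: vouches from established members lift the block.
    bl.report("hacked-blog.example", veteran)
    bl.report("hacked-blog.example", regular)
    out["hacked_blocked"] = bl.is_blocked("hacked-blog.example")
    bl.vouch("hacked-blog.example", Reporter("other", age_days=365, confirmed_reports=5))
    out["after_cleanup"] = bl.is_blocked("hacked-blog.example")
    return out


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key}: {value}")
```

The point of the distinct-credible-reporter rule is that weight is something an account has to earn over time, which a botnet operator spinning up thousands of accounts cannot shortcut; the price, as the text notes, is that the list reacts only after a second established member confirms a report.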
* Clickjacking protection
Facebook introduced some anti-clickjacking measures a while ago. It’s a good idea. Clickjacking, in this context, means hiding a Like button underneath something you actually meant to click, so the click registers as a Like you never intended. If you’re trying to Like a page known to be associated with acquiring Likes through clickjacks, Facebook won’t blindly accept the click. You’ll have to re-confirm it.
Again, I approve of this. But in my opinion, it’s not going far enough. It would be much better if Facebook popped up a confirmation dialog every time you Liked something, so that the “blind Likes” triggered by clickjacking would neither work nor go unnoticed. (Indeed, this popup dialog would be a great place for users to report clickjacks to the WOT community block list!)
That’s not going to happen. Facebook wants Liking to be easy – really easy – as it helps to generate lots of traffic. A popup for every Like almost certainly wouldn’t get past Facebook’s business development managers. Not yet, at any rate. But if we all keep asking, perhaps they’ll see the value?
Facebook also says it’s working with browser makers on this problem. That’s good.
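As an added example, and not Facebook’s own code (the announcement does not describe its internals), here is a Python sketch of a Like endpoint that behaves the way the text describes: a Like from a page on a suspect list, or every Like in the stricter mode argued for above, is only recorded once the user returns a confirmation token that was issued to them. The token is an HMAC over user, page and issue time, so it is bound to that user, expires, and can be used once; a hidden frame cannot mint one and a captured one cannot be replayed. The server key, suspect list and page names are constructed for the example.

```python
"""Like endpoint with clickjacking re-confirmation (added example, not Facebook's code)."""
import hashlib
import hmac
import secrets
import time


class LikeService:
    def __init__(self, suspect_pages, server_key: bytes, ttl=300,
                 confirm_all=False, now=time.time):
        self.suspect = set(suspect_pages)   # pages known to farm Likes via clickjacks
        self.key = server_key
        self.ttl = ttl                      # seconds a confirmation token stays valid
        self.confirm_all = confirm_all      # the "confirm every Like" policy
        self.now = now                      # injectable clock, for testing expiry
        self.likes = set()                  # recorded (user, page) pairs
        self.used_tokens = set()            # confirmation tokens already spent

    def _mac(self, user: str, page: str, issued: int) -> str:
        msg = f"{user}|{page}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def _issue(self, user: str, page: str) -> str:
        issued = int(self.now())
        return f"{issued}.{self._mac(user, page, issued)}"

    def _valid(self, user: str, page: str, token: str) -> bool:
        try:
            issued_s, mac = token.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return False
        if token in self.used_tokens:               # replay of a spent confirmation
            return False
        if self.now() - issued > self.ttl:          # dialog left open too long
            return False
        # Constant-time compare; the MAC binds the token to this user and page.
        return hmac.compare_digest(mac, self._mac(user, page, issued))

    def like(self, user: str, page: str, confirmation: str = None):
        """Returns (status, token): status is 'liked', 'confirm_required' or 'rejected'."""
        needs_confirmation = self.confirm_all or page in self.suspect
        if not needs_confirmation:
            self.likes.add((user, page))
            return ("liked", None)
        if confirmation is None:
            # First click: do not record the Like, hand back a token for the dialog.
            return ("confirm_required", self._issue(user, page))
        if not self._valid(user, page, confirmation):
            return ("rejected", None)
        self.used_tokens.add(confirmation)
        self.likes.add((user, page))
        return ("liked", None)


if __name__ == "__main__":
    svc = LikeService({"freeipad.example"}, secrets.token_bytes(32))
    status, token = svc.like("alice", "freeipad.example")
    print(status)                                           # confirm_required
    print(svc.like("alice", "freeipad.example", token)[0])  # liked
```

One caveat the scheme depends on: the confirmation dialog that carries the token back must itself be unframeable (served with `X-Frame-Options: DENY`, for instance), otherwise the attacker simply layers the hidden dialog over a second decoy click. That is the browser-side piece the text refers to when it mentions working with browser makers.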
* Login approvals
Facebook’s final announcement is what it describes as two-factor authentication (2FA). Facebook will optionally send you an SMS every time someone logs in from “a new or unrecognised device”. (Facebook doesn’t say how it defines “new”, or how it recognises devices.)
This is a useful step, and will make stolen Facebook passwords harder to abuse. In the past, you would only see Facebook’s “login from new or unrecognised device” warning the next time you used the site, by which time it might have been too late.
The new feature means that you’ll get warnings about unauthorised access attempts pushed to you. Furthermore, the crooks won’t be able to login because they won’t have the magic code in the SMS which is needed to proceed.
It’s a pity Facebook isn’t offering an option to require the second factor on every login, not just from unrecognised devices. It would be even nicer if they added a token-based option (and they’d be welcome to charge a reasonable amount for the token) for the more security-conscious user.
A token would also allow users to enjoy the benefits of 2FA without sharing their mobile phone number with Facebook – something they might be unwilling to do after Facebook’s controversial flirtation, earlier this year, with letting app developers get at your address and phone number.
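To make concrete how a login approval of this kind fits together, here is an added Python example; it is not Facebook’s implementation, which the announcement does not detail. A device counts as “recognised” when it presents a signed cookie that was issued after an earlier successful approval; an unrecognised device triggers a six-digit code handed to a caller-supplied `send_sms` callback, and the code is time-limited, single-use and compared in constant time, so a crook holding only the password gets no further. The cookie format, code length, expiry and the `send_sms` hook are assumptions of the example.

```python
"""Login approvals: signed device cookie plus one-time SMS code (added example)."""
import hashlib
import hmac
import secrets
import time


class LoginApprovals:
    def __init__(self, server_key: bytes, send_sms, code_ttl=600, now=time.time):
        self.key = server_key
        self.send_sms = send_sms      # callback(user, code); the SMS gateway is out of scope
        self.code_ttl = code_ttl      # seconds the code stays valid
        self.now = now                # injectable clock, for testing expiry
        self.known = {}               # user -> set of approved device ids
        self.pending = {}             # user -> (device_id, code, expires_at)

    def _sign(self, user: str, device_id: str) -> str:
        return hmac.new(self.key, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()

    def _issue_cookie(self, user: str, device_id: str) -> str:
        # The MAC binds the cookie to the user, so it cannot be reused for another account.
        return f"{device_id}.{self._sign(user, device_id)}"

    def _recognised(self, user: str, cookie) -> bool:
        if not cookie or "." not in cookie:
            return False
        device_id, mac = cookie.rsplit(".", 1)
        if not hmac.compare_digest(mac, self._sign(user, device_id)):
            return False
        return device_id in self.known.get(user, set())

    def login(self, user: str, password_ok: bool, device_cookie=None, code=None):
        """Returns (status, cookie): status is 'ok', 'code_required' or 'denied'."""
        if not password_ok:
            return ("denied", None)
        if self._recognised(user, device_cookie):
            return ("ok", device_cookie)

        # New or unrecognised device: the password alone is not enough.
        if code is None:
            device_id = secrets.token_hex(8)
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending[user] = (device_id, otp, self.now() + self.code_ttl)
            self.send_sms(user, otp)            # pushes the warning to the real owner too
            return ("code_required", None)

        # Pop first: a wrong or late guess spends the code, so it cannot be brute-forced.
        pending = self.pending.pop(user, None)
        if pending is None:
            return ("denied", None)
        device_id, expected, expires_at = pending
        if self.now() > expires_at or not hmac.compare_digest(code, expected):
            return ("denied", None)
        self.known.setdefault(user, set()).add(device_id)
        return ("ok", self._issue_cookie(user, device_id))


if __name__ == "__main__":
    outbox = []
    svc = LoginApprovals(secrets.token_bytes(32), send_sms=lambda u, c: outbox.append((u, c)))
    print(svc.login("alice", password_ok=True))                       # ('code_required', None)
    status, cookie = svc.login("alice", True, code=outbox[-1][1])
    print(status, svc.login("alice", True, device_cookie=cookie)[0])  # ok ok
```

Note what this does and does not protect against: the attacker with only the password is stopped at `code_required`, and the SMS itself tells the owner something is wrong, but anyone who can read the owner’s SMS, or who already holds an approved device cookie, is still let in, which is part of why a separate hardware token, as the text suggests, would be the stronger option.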
Source :- Facebook announces new security features – but do they go far enough? (nakedsecurity.sophos.com, http://nakedsecurity.sophos.com)
There’s a zombie invasion going on – and it could have infiltrated your business, your home office, or even the corner of your bedroom.
Of course, it’s not the kind of zombies beloved by the movie theatres but instead the problem of compromised computers being controlled by a remote hacker.
Many members of the public still haven’t understood that spammers don’t use their own PCs to send spam – instead they create botnets of commandeered computers around the globe (also known as “zombies”), which can be used to relay spam, send out malicious links and even launch distributed denial-of-service attacks.
If they did understand the problem, maybe they would put more effort into protecting their computers.
Sophos has today published a new report, revealing the top twelve spam-relaying countries around the world. We call the list the “dirty dozen”, and because virtually all spam is sent from compromised PCs, it’s a pretty good indication of where the botnets have got the tightest hold.
The top twelve spam-relaying countries for January – March 2011 (share of all spam relayed worldwide)
Rank  Country         Share of global spam
5     South Korea     3.8%
6     United Kingdom  3.2%
Although the USA and UK contribution to the global spam problem has decreased in percentage terms, it is essential for organizations not to become complacent. Financially-motivated criminals are controlling compromised zombie computers to not just launch spam campaigns, but also to steal identity and bank account information.
Computer users must be educated about the dangers of clicking on links or attachments in spam mails, and many computers may already be under the control of cybercriminals. Businesses and computer users must take a more proactive approach to spam filtering and IT security in order to avoid adding to this global problem.
In all, we counted spam being sent from an astonishing 229 countries around the world during the first quarter of 2011. So everyone, no matter where they live, should be taking more care of their personal computer’s protection.
For as long as spam continues to make money for the spammers, it will continue to be a global problem. Too many computer users are risking a malware infection that sees their computer recruited into a spam botnet. To combat the spammers, it’s not only essential for computer users to run up-to-date security software, they must also resist the urge to purchase products advertised by spam.
So, don’t add to the statistics, do your bit in the fight against spam and don’t allow your computer to become a zombie.
Keeping your security patches up-to-date, keeping your anti-virus defences in place and applying a good helping of common sense will help prevent your computer from being recruited by the bad guys.
Source :- The dirty dozen spam-relaying countries revealed (nakedsecurity.sophos.com, http://nakedsecurity.sophos.com)
Yesterday around 150,000 Gmail accounts were disabled by a bug in Google’s systems. Their owners lost all their emails, attachments and chat logs. Google explained that approximately 0.08% of its users were affected. The bug reset the affected accounts and even sent them the welcome mail that every new Gmail user receives.
Google reported on its status dashboard that engineers are working to fix the problem and restore full access. When contacted, a Google spokesman stated clearly that all the mail and accounts would be restored. Many users nevertheless remain doubtful that every message will come back.
Meanwhile, other users are advised to take precautions and keep a backup of their email. There is a free application called Gmail Backup, offered for Mac, PC and Linux, which is quick and easy to use: once installed, it asks for your Google account details and begins backing up your mail. Some users report that the Mac version does not work for them and have suggested other backup services instead, backupify.com and eternos.com being among the popular ones. Bear in mind that any backup tool you give your Gmail password to gets full access to your mailbox, so use one you trust, and change the password if you stop using the tool.