Posts Tagged ‘Security’



Today it’s Facebook.  

“… Over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,”

Symantec had to get them to come out and tell you…


And yet it amazes me that people continue to put things online that they wouldn’t want the whole world to see…

Story from Reuters below:

Facebook may have leaked your personal information: Symantec

12:46am EDT
(Reuters) – Facebook users’ personal information could have been accidentally leaked to third parties, in particular advertisers, over the past few years, Symantec Corp said in its official blog.
Third parties would have had access to personal information such as profiles, photographs and chat, and could have had the ability to post messages, the security software maker said.
“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage,” the blog post said.
“… Over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” posing a security threat, the blog post said.
The third parties may not have realized their ability to access the information, it said.
Facebook, the world’s largest social networking website, was notified of this issue and confirmed the leakage, the blog post said.
It said Facebook has taken steps to resolve the issue.
“Unfortunately, their (Symantec’s) resulting report has a few inaccuracies. Specifically, we have conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties,” Facebook spokeswoman Malorie Lucich said in a statement.
Lucich said the report also ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that “violates our policies.”
She also confirmed that the company removed the outdated API (Application Programming Interface) referred to in Symantec’s report.
Facebook has more than 500 million users and is challenging Google Inc and Yahoo Inc for users’ time online and for advertising dollars.
(Reporting by Thyagaraju Adinarayan and Sakthi Prasad in Bangalore; Editing by Bernard Orr and Anshuman Daga)
© Thomson Reuters 2011. All rights reserved.

Facebook may have leaked your personal information: Symantec | Reuters



Facebook Loses Much Face In Secret Smear On Google
Facebook secretly hired a PR firm to plant negative stories about Google, says Dan Lyons in a jaw-dropping story at the Daily Beast.

For the past few days, a mystery has been unfolding in Silicon Valley. Somebody, it seems, hired Burson-Marsteller, a top public-relations firm, to pitch anti-Google stories to newspapers, urging them to investigate claims that Google was invading people’s privacy. Burson even offered to help an influential blogger write a Google-bashing op-ed, which it promised it could place in outlets like The Washington Post, Politico, and The Huffington Post.
The plot backfired when the blogger turned down Burson’s offer and posted the emails that Burson had sent him. It got worse when USA Today broke a story accusing Burson of spreading a “whisper campaign” about Google “on behalf of an unnamed client.”

Not good.
The source emails are here.
I’ve been patient with Facebook over the years as they’ve had their privacy stumbles. They’re forging new ground, and it’s not an exaggeration to say they’re changing the world’s notions on what privacy is. Give them time. They’ll figure it out eventually.
But secretly paying a PR firm to pitch bloggers on stories going after Google, even offering to help write those stories and then get them published elsewhere, is not just offensive, dishonest and cowardly. It’s also really, really dumb. I have no idea how the Facebook PR team thought that they’d avoid being caught doing this.
First, it lets the tech world know that Facebook is scared enough of what Google’s up to to pull a stunt like this. Facebook isn’t supposed to be scared, ever, about anything. Supreme confidence in their destiny is the way they should be acting.
Second, it shows a willingness by Facebook to engage in cowardly behavior in battle. It’s hard to trust them on other things when we know they’ll engage in these types of campaigns.
And third, some of these criticisms of Google are probably valid, but it doesn’t matter any more. The story from now on will only be about how Facebook went about trying to secretly smear Google, and got caught.
The truth is Google is probably engaging in some somewhat borderline behavior by scraping Facebook content, and are almost certainly violating Facebook’s terms and conditions. But many people argue, me included, that the key data, the social graph, really should belong to the users, not Facebook. And regardless, users probably don’t mind that this is happening at all. It’s just Facebook trying to protect something that it considers to be its property.
Next time Facebook should take a page from Google’s playbook when they want to trash a competitor. Catch them in the act and then go toe to toe with them, slugging it out in person. Right or wrong, no one called Google a coward when they duped Bing earlier this year.
You’ve lost much face today, Facebook.
Update: Sleazy PR Firm Throws Scummy Facebook Under The Sordid Bus



Stolen Camera Finder Finds Stolen Cameras

Drag a photo onto the box and it will search for other pictures with your camera’s serial number
If you lose your phone or your computer, there’s a fair chance you’ll get it back if you’re using some kind of tracking software. As we have seen before, Apple’s Find my iPhone service has rescued more than one lost phone. But what about your other gadgets?
If your camera is stolen, you now have at least a chance of finding it thanks to the Stolen Camera Finder by Matt Burns. It works by searching the web for photos bearing the serial number of your camera. This number is embedded in the EXIF data of every photograph you take.
Using the tool is easy. Just visit the site and drag a photo from your camera onto the waiting box. The tool searches its database for your camera and if it finds it, you can then go see the pictures. This may — hopefully — give you some clues as to where it is now. You’ll need to use a JPG image (RAW doesn’t work) and some cameras don’t write their serial number into the metadata.
The data comes from Flickr, and also from data crawled from the web. Matt has also written a browser extension for Google Chrome which will check the serial number of photos on every page you visit and add it to the database.
I tried the tool with a photo from my camera, and nothing showed up. I have a ton of photos online, on both on Flickr and here at Wired.com, so I was expecting something. I guess that the service will increase in value as time passes and the database grows. Still, the service is free, and if nothing else it lets you view a whole lot of information about your photos in the drop-down list.
Stolen Camera Finder [Stolen Camera Finder via Photography Bay]

Stolen Camera Finder Finds Stolen Cameras | Gadget Lab | Wired.com




Can You Frisk a Hard Drive?

If you stand with the Customs and Border Protection officers who staff the passport booths at Dulles airport near the nation’s capital, their task seems daunting. As a huge crowd of weary travelers shuffle along in serpentine lines, inspectors make quick decisions by asking a few questions (often across language barriers) and watching computer displays that don’t go much beyond name, date of birth and codes for a previous customs problem or an outstanding arrest warrant.
Illustrations by Jennifer Daniel, Photograph by Imagemore Co., Ltd./Corbis
The officers are supposed to pick out the possible smugglers, terrorists or child pornographers and send them to secondary screening.
The chosen few — 6.1 million of the 293 million who entered the United States in the year ending Sept. 30, 2010 — get a big letter written on their declaration forms: A for an agriculture check on foodstuffs, B for an immigration issue, and C for a luggage inspection. Into the computer the passport officers type the reasons for the selection, a heads-up to their colleagues in the back room, where more thorough databases are accessible.
And there is where concerns have developed about invasions of privacy, for the most complete records on the travelers may be the ones they are carrying: their laptop computers full of professional and personal e-mail messages, photographs, diaries, legal documents, tax returns, browsing histories and other windows into their lives far beyond anything that could be, or would be, stuffed into a suitcase for a trip abroad. Those revealing digital portraits can be immensely useful to inspectors, who now hunt for criminal activity and security threats by searching and copying people’s hard drives, cellphones and other electronic devices, which are sometimes held for weeks of analysis.
Digital inspections raise constitutional questions about how robust the Fourth Amendment’s guarantee “against unreasonable searches and seizures” should be on the border, especially in a time of terrorism. A total of 6,671 travelers, 2,995 of them American citizens, had electronic gear searched from Oct. 1, 2008, through June 2, 2010, just a tiny percentage of arrivals.

“But the government’s obligation is to obey the Constitution all the time,” said Catherine Crump, a lawyer for the American Civil Liberties Union. “Moreover, controversial government programs often start small and then grow,” after which “the government argues that it is merely carrying out the same policies it has been carrying out for years.”
One of the regular targets is Pascal Abidor, a Brooklyn-born student getting his Ph.D. in Islamic studies, who reported being frisked, handcuffed, taken off a train from Montreal and locked for several hours in a cell last May, apparently because his computer contained research material in Arabic and news photographs of Hezbollah and Hamas rallies. He said he was questioned about his political and religious views, and his laptop was held for 11 days.
Another is James Yee, a former Muslim chaplain at the Guantánamo Bay prison, who gets what he wryly calls a “V.I.P. escort” whenever he flies into the United States. In 2003, Mr. Yee was jailed and then exonerated by the Army after he had conveyed prisoners’ complaints about abuse, urged respect for their religious practices and reported obscene anti-Muslim caricatures being e-mailed among security staff.
Years later, he evidently remains on a “lookout” list. A federal agent stands at the door of Mr. Yee’s incoming plane, then escorts him to the front of the passport line and to secondary screening.
Arriving in Los Angeles last May from speaking engagements in Malaysia, he was thoroughly questioned and searched, he said, and his laptop was taken for three or four hours. He was not told why, but after it was returned and he was waiting to rebook a connecting flight he’d missed, a customs officer rushed up to the counter. “We left our disk inside your computer,” he quoted her as saying. “I said, ‘It’s mine now.’ She said no, and sure enough when I took the computer out, there was a disk.”
Customs won’t comment on specific cases. “The privacy rights that citizens have really supersede the government’s ability to go into any depth,” said Kelly Ivahnenko, a spokeswoman.
In general, “we’re looking for anyone who might be violating a U.S. law and is posing a threat to the country,” she explained. “We’re in the business of risk mitigation.”
Yet the mitigation itself has created a sense of risk among certain travelers, including lawyers who need to protect attorney-client privilege, business people with proprietary information, researchers who promise their subjects anonymity and photojournalists who may pledge to blur a face to conceal an identity. Some are now taking precautions to minimize data on computers they take overseas.
“I just had to do this myself when I traveled internationally,” said Ms. Crump, the lead attorney in a lawsuit challenging the policy on behalf of Mr. Abidor, the National Association of Criminal Defense Lawyers and the National Press Photographers Association.
During a week in Paris, where she lectured on communications privacy, she had legal work to do for clients, which she could not risk the government seeing as she returned. “It’s a pain to get a new computer,” she said, “wipe it completely clean, travel through the border, put the new data on, wipe it completely clean again.”
In simpler days, as customs merely looked for drugs, ivory, undeclared diamonds and other contraband that could be held in an inspector’s hand, searches had clear boundaries and unambiguous results.
Either the traveler had banned items, or didn’t. Digital information is different. Some is clearly illegal, some only hints at criminal intent, and under existing law, all is vulnerable to the same inspection as hand-carried material on paper.
Most pirated intellectual property and child pornography, for example, cannot be uncovered without fishing around in hard drives. “We’ve seen a raft of people coming from Southeast Asia with kiddie porn,” said Christopher Downing, a supervisor at Dulles. If a person has been gone only two or three days and pictures of children are spotted in a bag, he explained, the laptop is a logical candidate for inspection. Such searches have been fruitful, judging by the bureau’s spreadsheets, which list numerous child pornography cases.
But terrorism is an amalgam of violence and ideas, so its potential is harder to define as officers scrutinize words and images as indicators of attitudes, affiliations and aspirations. Random searches are not done, Mr. Downing said, although courts so far have upheld computer inspections without any suspicion of wrongdoing. In practice, something needs to spark an officer’s interest. “If you open up a suitcase and see a picture of somebody holding an RPG,” he noted, referring to a rocket-propelled grenade, “you’d want to look into that a little more.”
The search power is preserved by its judicious use, Mr. Downing said. “If you abuse it, you lose it,” he added. The A.C.L.U. doesn’t want customs to lose it, Ms. Crump explained, but just wants the courts to require reasonable suspicion, as the Supreme Court did in 1985 for examinations of a person’s “alimentary canal.” The court distinguished such intrusive inspection from “routine searches” on the border, which “are not subject to any requirement of reasonable suspicion, probable cause, or warrant.” The justices added in a footnote that they were not deciding “what level of suspicion, if any, is required for nonroutine border searches” of other kinds.
Laptop searches should be considered “nonroutine,” Ms. Crump argues, something the United States Court of Appeals for the Ninth Circuit declined to do in 2008, when it reversed a judge’s decision to suppress evidence of child pornography obtained during a suspicionless airport computer search.
With the search powers intact, Mr. Abidor no longer dares take the train home from his studies at McGill University in Montreal. He doesn’t want to be stranded at the border, waiting hours for a bus, as he was in May. So last month his father drove up from New York to get him for vacation. The men were ordered to a room and told to keep their hands on a table while customs officers spent 45 minutes searching the car, and possibly the laptop, Mr. Abidor said. “I was told to expect this every time.”

David K. Shipler, a former reporter at The Times, is the author of “The Rights of the People: How Our Search for Safety Invades Our Liberties,” to be published in April.

‘Digital Inspections’ at U.S. Border Raise Constitutional Questions – NYTimes.com



New Hacking Tools Pose Bigger Threats to Wi-Fi Users

 

February 16, 2011

You may think the only people capable of snooping on your Internet activity are government intelligence agents or possibly a talented teenage hacker holed up in his parents’ basement. But some simple software lets just about anyone sitting next to you at your local coffee shop watch you browse the Web and even assume your identity online.
“Like it or not, we are now living in a cyberpunk novel,” said Darren Kitchen, a systems administrator for an aerospace company in Richmond, Calif., and the host of Hak5, a video podcast about computer hacking and security. “When people find out how trivial and easy it is to see and even modify what you do online, they are shocked.”
Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots. But a free program called Firesheep, released in October, has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited.
Without issuing any warnings of the possible threat, Web site administrators have since been scrambling to provide added protections.
“I released Firesheep to show that a core and widespread issue in Web site security is being ignored,” said Eric Butler, a freelance software developer in Seattle who created the program. “It points out the lack of end-to-end encryption.”
What he means is that while the password you initially enter on Web sites like Facebook, Twitter, Flickr, Amazon, eBay and The New York Times is encrypted, the Web browser’s cookie, a bit of code that identifies your computer, your settings on the site or other private information, is often not encrypted. Firesheep grabs that cookie, allowing nosy or malicious users to, in essence, be you on the site and have full access to your account.
More than a million people have downloaded the program in the last three months (including this reporter, who is not exactly a computer genius). And it is easy to use.
The only sites that are safe from snoopers are those that employ the cryptographic protocol transport layer security or its predecessor, secure sockets layer, throughout your session. PayPal and many banks do this, but a startling number of sites that people trust to safeguard their privacy do not. You know you are shielded from prying eyes if a little lock appears in the corner of your browser or the Web address starts with “https” rather than “http.”
“The usual reason Web sites give for not encrypting all communication is that it will slow down the site and would be a huge engineering expense,” said Chris Palmer, technology director at the Electronic Frontier Foundation, an electronic rights advocacy group based in San Francisco. “Yes, there are operational hurdles, but they are solvable.”
Indeed, Gmail made end-to-end encryption its default mode in January 2010. Facebook began to offer the same protection as an opt-in security feature last month, though it is so far available only to a small percentage of users and has limitations. For example, it doesn’t work with many third-party applications.
“It’s worth noting that Facebook took this step, but it’s too early to congratulate them,” said Mr. Butler, who is frustrated that “https” is not the site’s default setting. “Most people aren’t going to know about it or won’t think it’s important or won’t want to use it when they find out that it disables major applications.”
Joe Sullivan, chief security officer at Facebook, said the company was engaged in a “deliberative rollout process,” to assess and address any unforeseen difficulties. “We hope to have it available for all users in the next several weeks,” he said, adding that the company was also working to address problems with third-party applications and to make “https” the default setting.
Many Web sites offer some support for encryption via “https,” but they make it difficult to use. To address these problems, the Electronic Frontier Foundation in collaboration with the Tor Project, another group concerned with Internet privacy, released in June an add-on to the browser Firefox, called Https Everywhere. The extension, which can be downloaded at eff.org/https-everywhere, makes “https” the stubbornly unchangeable default on all sites that support it.
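The weakness the article describes is not the Wi-Fi itself but a session cookie that the browser will attach to a plain http:// request, where anyone on the same open network can read it. A site that wants the whole session protected has to do two things: serve every page over TLS and mark the session cookie Secure, so the browser never sends it in the clear even if an http:// link slips in. The following Python script is an added example, not code from the article, from Firesheep or from Https Everywhere: it parses Set-Cookie headers the way a site-owner's audit would, reports which cookies a browser would still send over plain HTTP, and flags session cookies that lack the Secure and HttpOnly attributes. The header lines and the session-name heuristic are constructed for illustration.

```python
"""Session-cookie exposure audit (added example; constructed sample headers).

A browser attaches every cookie to an http:// request unless the cookie was
set with the Secure attribute.  On an open Wi-Fi network a plain-HTTP request
is readable by anyone nearby, so a session cookie without Secure is the same
exposure the article attributes to Firesheep, regardless of whether the
login form itself used TLS.
"""

# Constructed responses: the first resembles a site that encrypts only the
# login, the second a site that protects the whole session.
WEAK_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: prefs=lang%3Den; Path=/",
]
HARDENED_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: prefs=lang%3Den; Path=/",
]

# Substrings that usually mark the authenticated-session cookie.  This is a
# heuristic assumption for the example, not a standard.
SESSION_NAME_HINTS = ("sess", "auth", "token", "login", "sid")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Path, SameSite) to their value.
    """
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def cookies_sent_over_http(headers):
    """Names of cookies a browser would attach to a plain http:// request.

    This is the set a passive sniffer on the same network could read; only
    cookies marked Secure are withheld from unencrypted requests.
    """
    visible = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            visible.append(name)
    return visible


def audit(headers):
    """Return (cookie name, [problems]) for each exposed session cookie."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: sent in the clear over http://")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings.append((name, problems))
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"[{label}] cookies visible on plain HTTP: {cookies_sent_over_http(headers)}")
        for name, problems in audit(headers):
            for problem in problems:
                print(f"[{label}] {name}: {problem}")
```

Run against the weak sample, the audit reports that `sessionid` would travel in the clear; against the hardened sample it reports nothing, and only the harmless `prefs` cookie remains visible on an unencrypted request. The same parser can be pointed at real response headers captured from your own site to confirm that a "switch to https" rollout actually protected the cookie and not just the login page.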
Since not all Web sites have “https” capability, Bill Pennington, chief strategy officer with the Web site risk management firm WhiteHat Security in Santa Clara, Calif., said: “I tell people that if you’re doing things with sensitive data, don’t do it at a Wi-Fi hot spot. Do it at home.”
But home wireless networks may not be all that safe either, because of free and widely available Wi-Fi cracking programs like Gerix WiFi Cracker, Aircrack-ng and Wifite. The programs work by faking legitimate user activity to collect a series of so-called weak keys or clues to the password. The process is wholly automated, said Mr. Kitchen at Hak5, allowing even techno-ignoramuses to recover a wireless router’s password in a matter of seconds. “I’ve yet to find a WEP-protected network not susceptible to this kind of attack,” Mr. Kitchen said.
A WEP-encrypted password (for wired equivalent privacy) is not as strong as a WPA (or Wi-Fi protected access) password, so it’s best to use a WPA password instead. Even so, hackers can use the same free software programs to get on WPA password-protected networks as well. It just takes much longer (think weeks) and more computer expertise.
Using such programs along with high-powered Wi-Fi antennas that cost less than $90, hackers can pull in signals from home networks two to three miles away. There are also some computerized cracking devices with built-in antennas on the market, like WifiRobin ($156). But experts said they were not as fast or effective as the latest free cracking programs, because the devices worked only on WEP-protected networks.
To protect yourself, changing the Service Set Identifier or SSID of your wireless network from the default name of your router (like Linksys or Netgear) to something less predictable helps, as does choosing a lengthy and complicated alphanumeric password.
Setting up a virtual private network, or V.P.N., which encrypts all communications you transmit wirelessly whether on your home network or at a hot spot, is even more secure. The data looks like gibberish to a snooper as it travels from your computer to a secure server before it is blasted onto the Internet.
Popular V.P.N. providers include VyperVPN, HotSpotVPN and LogMeIn Hamachi. Some are free; others are as much as $18 a month, depending on how much data is encrypted. Free versions tend to encrypt only Web activity and not e-mail exchanges.
However, Mr. Palmer at the Electronic Frontier Foundation blames poorly designed Web sites, not vulnerable Wi-Fi connections, for security lapses. “Many popular sites were not designed for security from the beginning, and now we are suffering the consequences,” he said. “People need to demand ‘https’ so Web sites will do the painful integration work that needs to be done.”

New Hacking Tools Pose Bigger Threats to Wi-Fi Users – NYTimes.com

By KATE MURPHY
Published: February 16, 2011




Incredible the industry that it has become! 
Google Chases Computer Criminals to Search-Engine Competitors – Bloomberg
Google Inc. has almost cut in half the malicious software affecting users of its search engine, driving hackers to competitors including Microsoft Inc.’s Bing, Yahoo! Inc. and Twitter Inc., a report says.
Hackers targeted Google, owner of the most popular search engine, 38 percent of the time as of Dec. 31, according to the report to be released later this month by Barracuda Networks Inc., a web security firm. Mountain View, California-based Google accounted for 69 percent of the attacks in a sample conducted around June, the report says. A Barracuda report in July labeled Google “king of malware.”
Even as Google improved its security, the number of attacks increased. In the December sample, Barracuda said it found 226 pieces of bad software a day, compared with 146 in June. Meanwhile, Google’s competitors recorded an increase in malware-laced search results: Cyber criminals placed 30 percent of their bad software on Yahoo! search results in December, up from 18 percent in June. Bing accounted for 24 percent in December, up from 12 percent in June. And the targeting of Twitter rose to 8 percent from 1 percent, the report says.
Google said it has ratcheted up efforts to identify and scrub attempts at so-called search poisoning, which allows criminals to take control of computers to perpetuate cyber attacks, as well as large-scale banking and identity-theft swindles.
