According to PandaLabs, cybercriminals are hijacking the Facebook “Like” option in a wave of new scams that use messages related to the popular game Farmville, the “Sex and the City 2” movie and other eye-catching keywords.
This is a “clickjacking” attack and uses a malformed URL with embedded code to carry out the attack. Users are tricked into “liking” a page but they don’t realize that they are recommending it to all of their Facebook friends. Users should be wary of messages with striking subjects received from Facebook’s internal messaging system, and take all necessary precautions when clicking the “Like” button on external Web pages. Here’s an excerpt from a press release I got from Panda today:
[Panda Labs] has reported the proliferation of scams hijacking the Facebook “Like” option. The attack uses eye-catching messages related to the popular game Farmville, the “Sex and the City 2” movie or the keyword sex to grab the attention of logged-in Facebook users as they browse Web pages with the “Like” button, the Facebook wall feature or messaging system.
Clicking the link brings the user to a Web page containing photos and videos of the relevant topic. Upon visiting it, a message is displayed on the user’s Facebook profile indicating that they “like” it, with a text that is not controlled by the user. According to Luis Corrons, Technical Director of PandaLabs, “This distribution technique reminds us of computer worms, although this time there doesn’t seem to be any malware behind it (at least yet).”
While this one appears not to be malicious, it is a click-fraud scam because the real business stems from the pay-per-click system, which counts every click and generates revenue for affiliates.
Just be careful out there!
Plugins and add-ons, extensions, oh,my! If you use Firefox, chances are you have plenty of these things installed. I counted 15 on my installation. Of course, the plug-in check only checks plug-ins, but it serves to alert you to the possibility that other add-ons need attention.
To check your plug-ins, go to: http://www.mozilla.com/en-US/plugincheck/
I’ve checked both my systems at home and sure enough, I was out of date on at least one plug-in on each system.
Having to check several applications using different tools can be tedious, so I still recommend that everyone use Secunia’s Personal Software Inspector.
The Secunia PSI is a free security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly “popular” among criminals. I’ve written about this one before and I still recommend it.
Bottom line: whatever tool you use, keep your apps, plug-ins, scripts, whatever up to date.
From: craigslist [mailto:firstname.lastname@example.org]
Sent: Thursday, June 10, 2010 8:53 PM
Subject: Your posting has been flagged for removal
Your posting has been flagged for removal.
Approximately 98% of postings removed are in violation of craigslist posting guidelines.
If you need help figuring out why your posting was flagged, try asking in our flag help forum. Include posting title, body, category, city, how often posted, any images, HTML markup, etc.
If you feel your posting was wrongly flagged down (2% of flagged ads are) please accept our
apologies and feel free to repost using the link below:
Sorry for the hassle, and thanks for your understanding.
Of course, the email isn’t legit, it’s a targeted phishing attack. Hence, my reply to his query:
The URL does not contain a virus and is harmless except for the fact that if you did fall for it, the crooks or spammers who stole your credentials will use your account to spread their spam or scam and YOU will get banned from Craigslist for it.
Let me point out a few things you can do and some things to look for when you get one of these emails:
1. Take a close look at the link in the email. Often there are misspellings or other subtle errors. In this case the link appears to be legit, but look closely at the first few characters:htt p://www.craigslist.org/about/terms.of.use.html — there’s a space in there. It should be “http://,” not “htt p://.”
2. Hover your mouse over the link and note where the link is pointing. If what is shown doesn’t match the link exactly, it’s bogus.
3. Do a Google search on the email subject; you’ll probably find out it’s a hoax in the first few listings.
4. A good site to join and check regularly is http://antifraudintl.org.
5. When you get some negative action email like this, ALWAYS check it out before you act. Be proactive; the scammers are betting that you will have the “Omigod!” reaction and just click the link without thinking.
Hope this helps.
Have a great weekend.
Be careful out there, folks!
I first addressed this question three years ago in my seldom-updated Geek Gripes blog in response to Deb Shinder’s editorial piece in Issue #285 of WXP News. With increasing evidence that terrorists are using our networks for nefarious purposes, the issue continues to be relevant. Shinder had this to say in her original piece:
Certainly none of us want to make it easier for terrorists to accomplish their missions – but I can’t help wondering where an all-out effort to do away with everything that might aid the bad guys will lead us. After all, it’s well documented that terrorists also use cell phones and email to further their plotting. Does that mean we should shut down those communications systems, as well?
If you think about it, it’s a slippery slope. Do you take away tools that have valuable legitimate uses by law abiding citizens just because criminals can use them to commit crimes? That’s the premise of gun control laws, but in the U.S., those laws have had dismal success records. Do we really want to extend that philosophy to Internet sites and services?
Deb is not proposing such action, of course (she’s way too level-headed to suggest such a thing); she’s asking the hard questions. But there are even harder questions to ask, questions that go well beyond restricting communication lines, and I’m not shy when it comes to speaking out against further restrictions to our liberty based upon some perceived threat. These questions may seem extreme, but use your imagination. How bad could it get?
Terrorists have to eat; do we refuse to sell food to anyone on a terrorist watch list? Does the government take over food distribution? Terrorists drive motor vehicles; does every driver have to be pre-screened before getting a license and then “approved” to buy a vehicle? Will farmers, who use nitrate fertilizers capable of being turned into explosives, be subject to purchase limits based on the number of acres they farm? After all, a terrorist posing as a farmer could buy tons of the stuff and then blow up half a town.
Anything a “normal” human being does or uses in the course of day-to-day living would also be done or used by a terrorist; they are, after all, human beings, too.
I’ll tell you where an all-out effort to do away with everything that might aid the bad guys will lead us: a total police state–your every move monitored, every purchase you make subject to scrutiny and/or approval, every communication medium you use monitored 24/7, everything you say subject to interpretation by Homeland Security. The whole country would be a prison, a guard at every street corner, dusk-to-dawn curfews in force, shopping and visits with friends and family monitored and subject to time limits.
Any atrocity you can imagine would be possible–and likely. It would make the dystopia depicted in George Orwell’s novel, “1984,” seem like utopia.
What do you think?
On June 3, Panda Security announced that it has significantly upgraded and extended its Panda Cloud Antivirus product line to offer a free and “Pro” version to users.
A year ago, Panda made history by becoming the first major security vendor to unveil a free antivirus powered exclusively by the cloud. Microsoft was next with its Security Essentials product. Having tried AVG’s, Avast’s and Avira’s free antivirus products, I’ve settled on Panda’s Cloud Antivirus and Microsoft Security Essentials for my home systems. From their press release:
Today’s announcement is a natural evolution of the company’s “freemium” strategy and builds on Panda’s commitment to providing all users – of both the free and pro versions – with the best possible protection and minimal impact on PC performance. While other vendors charge more money for better protection (like the Mafia), Panda’s upsell comes in the form of greater ease of use and manageability through a number of automated security capabilities.
That’s a novel idea, isn’t it?
How about the rest of the industry follows suit?
Now, I ask you: If the stolen data had been encrypted, none of these incidents would be of much concern, would they? Certainly not; the data would be useless to the thieves because it would be just so much white noise. So, this being the case, why isn’t all sensitive data everywhere encrypted? For that matter, just encrypt everything all the time. Unfortunately, it’s not quite that simple.
Encryption adds processing overhead. Encryption key security is an issue. Systems that need to access the encrypted data need access to the key. Then there’s the danger of forgetting or losing the encryption key thereby rendering the data completely useless. None of these issues is a good reason not to use encryption; however, they do present challenges that make broad use of encryption difficult to implement in large organizations.
Short of encrypting every hard drive everywhere (which would be a major nightmare to implement), at least every database that contains any sensitive information should be stored on encrypted partitions or drives.
So why isn’t everyone doing it?
Here is a humorous video featuring Daddy Brad and Daddy Clay from DadLabs.com. But the message is serious, even if couched in humor. Enjoy!
Is your family prepared for disasters like floods, hurricanes, and tornados? In this episode of The Lab, Daddy Clay and Daddy Brad tackle the topic of disaster preparedness. To do this, they compare survival kits.
Download “Is Your Family Prepared for Disaster?”
It’s again time to delve into our Hacking Skills Challenge. Our last challenge was level 10 at HackThisSite.org and that was three months ago. They say these are supposed to get increasingly difficult as we climb the ladder, but the last one was fairly easy, albeit that it required a Firefox plugin to accomplish the hack. Level 11 is considerably more difficult and requires a bit of thinking out of the box. Here’s the challenge:
Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics.
One of the biggest problems people who don’t understand Apache run into is that they end up allowing their directories to be listed. We need to keep that in mind. You’ll see why in a minute.
When you click on the challenge, you’re taken to a page that has a sentence similar to: I love my music! “I Need You to Turn To” is the best! Not much of a clue there, it seems, and where’s the password prompt? And what page are we looking at? Viewing the source produced this:
I love my music! "Someone Saved My Life Tonight" is the best! <!--We even have our own collection - if you could find it!-->
Nothing listed for the actual page being viewed which made me think that it’s straight html. So, I tried ../index.php and voila! Got a password prompt. Progress, but a few tries at guessing the password were futile. On a whim, I went back to the original URL, http://www.hackthissite.org/missions/basic/11/, and found that the song name had changed. This time I got:
I love my music! "Honky Cat" is the best! <!--We even have our own collection - if you could find it!-->
So, I refreshed the page a few times and kept getting different songs. Like the two above, however, they all had one thing in common: The were songs performed by Elton John. I tried “elton” as the password, but no go, so it’s time to see if we can find .htaccess to see if we can get some answers.
http://www.hackthissite.org/missions/.htaccess – no go
http://www.hackthissite.org/missions/basic/.htaccess – no go
http://www.hackthissite.org/missions/basic/11/.htaccess – no go
http://www.hackthissite.org/missions/basic/11/elton/.htaccess – no go
Convinced that “elton” is the key, I tried an old trick that I’ve seen before and put this in: http://www.hackthissite.org/missions/basic/11/e. I got a listing with the letters b, c, d, e, f, g, and l as other directories. Hmm. . . could it be? I tried http://www.hackthissite.org/missions/basic/11/e/l and the last letter listed was “t.” Pretty obvious now: http://www.hackthissite.org/missions/basic/11/e/l/t/o/n. Nothing listed there, but that has to be where .htaccess is located. Sure enough:
IndexIgnore DaAnswer.* .htaccess <Files .htaccess> order allow,deny allow from all </Files>
Think “DaAnswer.*” might be it? Yep. http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/DaAnswer gives:
The answer is simple! Just look a little harder.
The answer is: simple. That’s the password.
My April 26, 2010 post, “Security Risk of Digital Copiers,” I reported on the issue of permanent storage of images on copier hard drives and the potentially serious security risks associated. Now the FTC is getting involved.
Representative Edward J Markey (D-Mass), who first raised the issue with the FTC in April, said, “Many of these machines do not just copy sensitive documents; they store them as well, providing a treasure trove for identity thieves. In short, these machines are not merely document copiers, they are document keepers.
“I am very pleased to learn that the FTC is investigating this important matter, which most consumers are unaware of when they place their tax returns, financial records and other personal information on the copier and hit the ‘Start’ button.”
In a letter to Markey, FTC chairman Jon Leibowitz ensured that government data is safe: “With respect to government agencies, our own practice is to acquire ownership of the hard drives in the digital copiers we lease, and to erase and subsequently destroy these hard drives when the copiers are returned.”
Liebowitz also said that the FTC will work with manufacturers and vendors to educate customers of the security risks involved and promised to update FTC consumer and business educational materials.
Facebook apparently listened to all the feedback and recent furor over its complicated privacy settings interface and have simplified it. You can check out the details in CEO Mark Zuckerberg’s blog post and check out the new Facebook Privacy Page. I commend Zuckerberg and the whole Facebook team for actually listening to its users. That certainly gives me more confidence in their product.
. . . you have sent us lots of feedback. We’ve listened carefully in order to figure out the best next steps. We recognize that we made a lot of changes, so we really wanted to take the time to understand your feedback and make sure we address your concerns.
The number one thing we’ve heard is that there just needs to be a simpler way to control your information. We’ve always offered a lot of controls, but if you find them too hard to use then you won’t feel like you have control. Unless you feel in control, then you won’t be comfortable sharing and our service will be less useful for you. We agree we need to improve this.
Today we’re starting to roll out some changes that will make all of these controls a lot simpler. We’ve focused on three things: a single control for your content, more powerful controls for your basic information and an easy control to turn off all applications.
What do you think?