Category: Computing

The BBC reports that details of 100m Facebook users has been collected and published online via BitTorrent.

The BBC story takes a little less freaked line than The Telegraph, but it’s not as if this was a security breach that caused private data to be exposed as Facebook says this was all public in any case.

Ron Bowes of SkullSecurity reportedly wrote a program to download millions of the public profiles of Facebook users in order to assist the development of the Nmap Security Scanner and the Ncrack tool by creating a database of usernames typically used by people.

Mr Bowes said his original plan was to “collect a good list of human names that could be used for these tests”.

“Once I had the data, though, I realised that it could be of interest to the community if I released it, so I did,” he added.

Mr Bowes confirmed that all the data he harvested was already publicly available but acknowledged that if anyone now changed their privacy settings, their information would still be accessible.

“If 100,000 Facebook users decide that they no longer want to be in Facebook’s directory, I would still have their name and URL but it would no longer, technically, be public,” he said.

It has been played down by people who have likened it to creating a telephone directory. However the question of whether users explicitly consented to be in such a directory is not easily answered as Facebook’s privacy settings seem to be too complicated for a sizable percentage of their users to understand.

EFF and the Tor Project have launched a Firefox extension called HTTPS Everywhere. The extension forces the browser to connect using https with every website that offers the facility to do so. With the increasing occurence of sidejacking of web sessions where the site only uses SSL for authentication but not for the whole session this extension should be installed by everyone.

Mikko of F-Secure argues that the ongoing security problems with Adobe Acrobat Reader, which is now the primary vector for malware having overtaken Microsoft Word sometime in 2009, is to do with fundamental issues with the PDF format itself.

Looking at the 756 page specification document (PDF format naturally) one finds details about how to embed all kinds of things from multimedia to executable JavaScript into PDF files.

So using an alternative to Adobe Acrobat Reader such as the Foxit Reader is not the solution as it is just as vulnerable due to including the same functionality as Adobe Acrobat Reader. There might be alternative PDF readers that simply render the documents without the additional functions but another secure workaround is to open them up in Google Docs.

The F-Secure blog reports on a clever little phishing attack which uses Twitter’s own Direct Message service and URL shortening services.

Unsuspecting users will click the link provided in the message which comes from somebody they know as Direct Messages can only come from people you follow on Twitter. However the message is likely coming from a hijacked account and points to a URL which hosts a phishing page that looks like Twitter and is asking you to sign in.

Once they have your credentials they then send messages to all your contacts and their web of hijacked accounts grows exponentially.

The good news is that Twitter has reacted quickly to this attack and are closing down the avenues of attack.