Facebook's unreliable privacy settings
News that Facebook's privacy controls have once again been circumvented should serve as a reminder to firms that use external social networks as part of a business strategy that data is not necessarily secure just because it sits behind a web site's login.
Perhaps the social suites available from enterprise vendors are a safer bet.
FBHive, a recently launched site that covers Facebook, said yesterday it was able to view any user's "Basic Information" section, regardless of that user's privacy settings.
"We have already reported this bug to Facebook on June 7th 2009, through multiple avenues, but it has received little attention. Hopefully this incites a little more action from them," said the post.
The exploit used the Tamper Data add-on for Firefox to alter the request sent by the "Edit Information" section of a user's own profile, so that the page displayed another user's Basic Information instead of the requester's own.
FBHive published a video showing Facebook users how easy the hack was.
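The flaw FBHive describes is a classic parameter-tampering bug: a page that is only ever meant to show you your own data is fetched by a request that also names the profile, and the server trusts the name in the request rather than the identity in the session. The following is an added example, not FBHive's or Facebook's code; the endpoint, the "uid" parameter, the PROFILES table and the privacy model are hypothetical stand-ins. It shows the vulnerable handler, the corrected "edit my own information" handler, and the access check a page that legitimately shows other people's data would need.

```python
"""Parameter tampering against an 'edit my information' page (hypothetical).

Added example; not FBHive's or Facebook's code. PROFILES, FRIENDS, the
'uid' parameter and the Request type are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample data: Alice hides Basic Information from non-friends,
# Bob shows it to everyone. Alice's only friend is user 303.
PROFILES = {
    101: {"name": "alice", "basic_info": "born 1980, in a relationship",
          "basic_info_visible_to": {"friends"}},
    202: {"name": "bob", "basic_info": "born 1975, single",
          "basic_info_visible_to": {"everyone"}},
}
FRIENDS = {101: {303}, 202: set()}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the user the session cookie
    authenticates, plus query parameters, which the client controls and can
    rewrite with a proxy or an add-on such as Tamper Data."""
    session_user: int
    params: dict = field(default_factory=dict)


def edit_info_vulnerable(req: Request) -> str:
    """The flaw: the profile to render is chosen from a client-controlled
    parameter, so rewriting uid=202 to uid=101 in the request returns
    Alice's data to anyone, whatever her privacy settings say."""
    uid = int(req.params.get("uid", req.session_user))
    return PROFILES[uid]["basic_info"]


def edit_info_fixed(req: Request) -> str:
    """The fix for a page that edits your *own* data: ignore any uid in the
    request entirely and take the identity from the authenticated session."""
    uid = req.session_user
    return PROFILES[uid]["basic_info"]


def can_view_basic_info(viewer: int, owner: int) -> bool:
    """Apply the owner's privacy setting to a viewer other than the owner."""
    if viewer == owner:
        return True
    allowed = PROFILES[owner]["basic_info_visible_to"]
    if "everyone" in allowed:
        return True
    return "friends" in allowed and viewer in FRIENDS[owner]


def view_info_fixed(req: Request) -> str:
    """Where a page legitimately shows *another* user's data, the owner id
    may come from the request, but the server must check the viewer against
    the owner's privacy setting before rendering anything."""
    owner = int(req.params["uid"])
    if not can_view_basic_info(req.session_user, owner):
        raise PermissionError("Basic Information is not visible to this user")
    return PROFILES[owner]["basic_info"]


if __name__ == "__main__":
    # Bob's session, with the uid parameter rewritten to point at Alice.
    tampered = Request(session_user=202, params={"uid": "101"})
    print("vulnerable:", edit_info_vulnerable(tampered))   # leaks Alice's data
    print("fixed:     ", edit_info_fixed(tampered))        # Bob sees only his own
    try:
        view_info_fixed(tampered)
    except PermissionError as err:
        print("view denied:", err)
```

The two fixes are different because the two pages have different jobs: an "edit my information" page has no legitimate reason to accept a profile id at all, while a "view profile" page does, and there the id is untrusted input that must be run through the owner's privacy setting on every request.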
Facebook's security team fixed the flaw soon after FBHive published its report. But the news follows a revelation in 2008 by a Burton Group analyst that Xobni, an email add-on which plugs in to Microsoft Office and correlates Outlook contact data with external sources such as Facebook, also managed to override privacy protections.
Analyst Mike Gotta said that when an individual's social data is pulled from an external network site into another person's email account, that individual should be properly notified.
"I do believe that context of a relationship agreement made within one environment does not necessarily transfer to other environments without the parties being aware and in some cases, consenting to that information being revealed in those other contexts," Gotta had said in his blog.
"What really surprised me though was that I now had access to people's information via Xobni's Facebook Connect application that I could not access normally on Facebook," he added.
June 23, 2009
More gaming account hacks revealed
Online identity firm Garlik has revealed that criminals are targeting gamers with increasing regularity in an attempt to harvest personal and financial information that it estimates could be worth as much as £4.5m a year.
The research assessed illegal trading of credentials on platforms such as Microsoft Xbox, Sony Playstation and World of Warcraft.
Garlik estimated that around 500,000 Xbox Live credentials are traded each year, at a selling price of around £100 for 20 accounts.
It also warned that the digital content delivery platform Steam is one of the most heavily targeted, with hackers uploading infected add-ons for various titles that contain malicious Trojan code.
"Online games-related account theft is definitely a problem, and while some companies have tried to combat such activity it's an issue that isn't taken seriously enough by most gamers," said Phil Elliott, managing editor of videogames business site GamesIndustry.biz.
"There's a clear risk that compromised personal data could be used for further serious activity."
To minimise their exposure, Garlik has warned users not to use the same password for online gaming as for banking and other accounts.
The news also comes just a few days after security vendor Webroot reported an "astonishing volume" of phishing Trojans, designed to steal licences, usernames and passwords from gaming accounts.
"These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers -- typically, perhaps unsurprisingly, located in China," wrote Webroot's Andrew Brandt on the firm's threat blog.
June 22, 2009
Consumers ignoring security updates
A new survey by security vendor PC Tools has found that over a third of consumers don't update their security software, while more than half ignore alerts.
Can this really be true? Are PC users really that stupid? Well, as long as the survey wasn't carried out with a select bunch of Luddites, the implications are fairly alarming.
The sheer scale and constantly evolving nature of malware today means regular security updates are essential if your PC is to remain as resistant to attack as it can be. But if, as the research suggests, 40 per cent of women and just 20 per cent of men remember to switch on their automatic updates, the future looks grim.
Of course, enterprise PCs will have the requisite policies and technologies in place to minimise the risk of infection, so why care about the consumer sphere?
Botnets are the source of most evil these days: sending spam, launching denial of service attacks and firing off more malware. Until home users take the security of their systems more seriously, botnet-based attacks will continue to make corporate information security chiefs work hard for their money.
An interesting footnote is the 56 per cent of consumers who ignore security alerts when they flash up. This is a concern that security software companies must consider carefully. Are security notices generally too frequent, rendering the important ones lost in the noise? Should consumers be given an easier way to set alert levels? At the very least, a bit of food for thought.
June 18, 2009
Systems still left open to former employees
Many companies fail to protect sensitive data from embittered ex-employees because they do not terminate all of a leaver's access promptly and completely, according to a new study.
A survey by access management firm Courion found that, although the majority of IT managers reckon that terminated employees will not attempt to remotely access data, over half admitted to having no real idea of what access routes remain active after someone leaves the company.
"The fact that 53 per cent of IT managers are largely unaware of employee access rights is of great concern, and has been exacerbated by the high frequency of mergers and acquisitions in the current climate," said Stuart Hodkinson, general manager at Courion.
"The time for over confidence has passed. It is important for IT managers to close these holes by undertaking regular audits, and ensuring that employees have access only to the information they need to do their jobs."
This proliferation of what Hodkinson calls "zombie accounts" is also aided by the fact that 28 per cent of respondents said that their company still provisions accounts manually, making delays and errors in deactivation much more likely.
The survey found that nearly half of businesses take more than a day to inform the IT department of a departing employee, and around a third admit that it takes more than a week to shut off access to systems.
Hodkinson sees this as a worrying window of opportunity for disgruntled employees to attack internal systems, or obtain valuable information that could cost the company a lot of money and tarnish its reputation.
The survey also revealed that nearly one in 10 companies could never be completely certain that terminated employees no longer have access to IT systems.
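The two figures the survey says most IT managers lack, which leavers still hold live access and how long deprovisioning actually took, both fall out of a reconciliation between the HR leaver list and an export of the identity store. The following is an added example, not Courion's product or the survey's data; the leaver list and account export are constructed, and in practice they would come from the HR system and from the directory, VPN and application user lists.

```python
"""Reconcile HR leavers against account exports to find 'zombie accounts'.

Added example; not Courion's code. LEAVERS and ACCOUNTS are constructed.
"""
from datetime import date

# Constructed HR leaver list: employee id -> last working day.
LEAVERS = {
    "e1001": date(2009, 6, 1),
    "e1002": date(2009, 6, 3),
    "e1003": date(2009, 6, 5),
    "e1004": date(2009, 6, 8),
}

# Constructed account export. One person can hold several accounts
# (directory login, VPN, an application admin account); each is either
# still enabled or records the day it was disabled.
ACCOUNTS = [
    {"owner": "e1001", "name": "jsmith",      "system": "directory", "enabled": False, "disabled_on": date(2009, 6, 1)},
    {"owner": "e1001", "name": "jsmith",      "system": "vpn",       "enabled": True,  "disabled_on": None},
    {"owner": "e1002", "name": "mjones",      "system": "directory", "enabled": False, "disabled_on": date(2009, 6, 12)},
    {"owner": "e1003", "name": "pbrown",      "system": "directory", "enabled": False, "disabled_on": date(2009, 6, 5)},
    {"owner": "e1003", "name": "admin-share", "system": "finance",   "enabled": True,  "disabled_on": None},
    {"owner": "e1004", "name": "kwhite",      "system": "directory", "enabled": True,  "disabled_on": None},
    {"owner": "e2000", "name": "active-user", "system": "directory", "enabled": True,  "disabled_on": None},
]


def zombie_accounts(leavers, accounts, today):
    """Accounts belonging to leavers that are still enabled on or after the
    last working day, with the number of days they have been live since.
    Returns (owner, system, account name, days) tuples."""
    found = []
    for acct in accounts:
        left = leavers.get(acct["owner"])
        if left is None or not acct["enabled"] or today < left:
            continue
        found.append((acct["owner"], acct["system"], acct["name"], (today - left).days))
    return found


def deprovisioning_lag(leavers, accounts):
    """Days between last working day and disablement for leaver accounts
    that were shut off, keyed by (owner, system). Zero or negative means
    the account was closed on or before the day the person left."""
    lag = {}
    for acct in accounts:
        left = leavers.get(acct["owner"])
        if left is None or acct["disabled_on"] is None:
            continue
        lag[(acct["owner"], acct["system"])] = (acct["disabled_on"] - left).days
    return lag


def lag_buckets(lag):
    """Summarise the lag the way the survey does: same day, within a week,
    more than a week."""
    buckets = {"same_day": 0, "within_week": 0, "over_week": 0}
    for days in lag.values():
        if days <= 0:
            buckets["same_day"] += 1
        elif days <= 7:
            buckets["within_week"] += 1
        else:
            buckets["over_week"] += 1
    return buckets


if __name__ == "__main__":
    today = date(2009, 6, 15)
    for owner, system, name, days in zombie_accounts(LEAVERS, ACCOUNTS, today):
        print(f"ZOMBIE {owner} {system}/{name}: still enabled {days} days after leaving")
    print(lag_buckets(deprovisioning_lag(LEAVERS, ACCOUNTS)))
```

Run on a schedule, the first list is the audit Hodkinson asks for, and the second is the metric that shows whether the manual provisioning process is the bottleneck. Note that the shared "admin-share" account is caught only because the export records an owner for it; unowned shared accounts are the ones this kind of reconciliation cannot see.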
June 15, 2009
Phishers swoop for gaming credentials
Security firm Webroot is warning that cyber criminals are increasingly going after the credentials of online gamers.
In a blog posting, the firm's Andrew Brandt said that the Webroot Threat Research Group had been tracking an increase in this kind of activity since the start of the year.
He said the researchers had noted an "astonishing volume" of phishing Trojans, designed to steal the licence keys that gamers use to install copies of legitimately purchased games, and also the usernames and passwords which players use to log in to their accounts on games such as World of Warcraft.
"These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers -- typically, perhaps unsurprisingly, located in China," wrote Brandt on the Webroot threat blog.
"We know the exact servers they contact, and what kinds of information they're sending. And we know why: Thar's gold in them thar WoW accounts, and the rush is on to cash in."
According to Brandt, the method by which the initial executable file gets onto a user's PC varies, with exploits delivered through malicious iframes being commonplace. Once infected, PCs could end up with "metric tons of malware on them", he added.
"I can only imagine that it takes very little effort for the jerks behind this scheme to retrieve thousands of account details," wrote Brandt.
"With such an effortless infection method, and the difficulty of prosecution (let alone identifying the perps), they don't even seem to be concerned in the slightest about covering their tracks."
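The injected iframes Brandt refers to have a recognisable shape: they are made invisible to the visitor and load from a host that has nothing to do with the page. The following is an added example of a heuristic scan for that pattern, not Webroot's detection logic; the sample page is constructed and its hosts are documentation-only names and addresses.

```python
"""Heuristic scan for hidden, cross-site iframes in a web page.

Added example; not Webroot's code. SAMPLE_PAGE is constructed. An iframe is
flagged when it is invisible (zero or one-pixel size, display:none,
visibility:hidden, or inside a container positioned far off screen) and its
src is on a host other than the page's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_PAGE = """
<html><body>
<h1>Guild news</h1>
<p>Raid schedule for the week is below.<br>Sign up early.</p>
<iframe src="http://example.com/schedule" width="600" height="400"></iframe>
<iframe src="http://203.0.113.5/in.php" width="0" height="0" style="border:0"></iframe>
<iframe src="http://example.org/x.html" style="display:none"></iframe>
<div style="position:absolute;left:-9999px">
<iframe src="http://198.51.100.7/load.php" width="1" height="1"></iframe>
</div>
</body></html>
"""

# CSS that makes an element, and everything inside it, invisible or off screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)

# Elements that never have a closing tag, so they must not go on the stack.
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col"}


def _pixels(value):
    """Parse a width/height attribute such as "0" or "1px"; None if absent."""
    if value is None:
        return None
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


class IframeCollector(HTMLParser):
    """Record every iframe's src and whether it is hidden, taking hidden
    ancestors into account as well as the iframe's own attributes."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self._open = []   # stack of (tag, hides_children) for open elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        inherited = any(h for _, h in self._open)
        if tag == "iframe":
            w, h = _pixels(a.get("width")), _pixels(a.get("height"))
            tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
            self.frames.append({"src": a.get("src") or "",
                                "hidden": hides or tiny or inherited})
        if tag not in VOID:
            self._open.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; ignore stray closing tags.
        if any(t == tag for t, _ in self._open):
            while self._open and self._open.pop()[0] != tag:
                pass


def suspicious_iframes(html, page_host):
    """Return src URLs of iframes that are hidden and point off the page's host."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for frame in parser.frames:
        host = urlparse(frame["src"]).hostname or page_host   # relative src = same host
        if frame["hidden"] and host.lower() != page_host.lower():
            flagged.append(frame["src"])
    return flagged


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE, "example.com"):
        print("suspicious hidden iframe:", src)
```

The same-host exemption keeps legitimate embedded content quiet, but it also means an attacker who can plant files on the compromised site itself will not be caught by this rule alone; a scan like this belongs beside a check that the site's own pages have not changed unexpectedly.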
June 14, 2009
Online system for MPs' expenses sounds like recipe for disaster
Gordon Brown has turned to web pioneer Tim Berners-Lee as he struggles to take control of the expenses scandal that has rocked his government for what feels like years already.
Brown and the rest of Parliament are getting ready for their summer holidays, so in the midst of scurrying around looking for passports and toothbrushes he has somehow found the time to come up with the idea of publishing all MPs' expense claims online in the next few days. The thinking is that making MPs more accountable in this way may stop them claiming for things like funeral wreaths and duck habitats.
Doing anything in the 'next few days' doesn't sound like a good idea to us. It has the ring of a rush around it and given the sensitivity of the information involved it really ought to come with the sort of protection that Danielle Lloyd rolls with these days. And that is likely to take a bit more time than the quoted few days.
Unlike the old system, this one will be online, which opens it to abuse from both internal and external sources, whether that is admin staff accidentally leaving a USB stick containing expenses details on the train or attackers trying to break into the system. And given that the old system couldn't cope with internal abuse, we can't help but worry how this one will handle a nation full of disgruntled voters and a million sweaty keyboards.
Anyway, like most government backed online initiatives it is bound to run years over schedule, cost billions, and then fall over due to demand on launch - maybe they could use an extra few days to actually make sure that it works.
June 10, 2009