Facebook privacy given a poor scorecard by WhatApp project

April 21, 2010 by admin  
Filed under Security News

Facebook has been rated lower than its social networking competitors Twitter and MySpace for privacy and security, according to a study from Stanford University.

 

According to a report in Forbes, the WhatApp website has rated the security and privacy of Facebook as being lower than that of the Apple iPhone, Twitter and MySpace.

 

| Service  | Privacy | Security |
|----------|---------|----------|
| Facebook | 2/5     | 2/5      |
| Twitter  | 3/5     | 3/5      |
| MySpace  | 3/5     | 3/5      |
| iPhone   | 3/5     | 3/5      |


WhatApp, which was co-created by Stanford University Law fellow Ryan Calo, describes itself as “an online resource where experts and other users can assess, discuss, and rate the privacy and security of mobile and Internet-enabled applications. Now in Beta, the website combines traditional consumer reporting and review tools with wikis and news feeds to allow users to make informed choices about the applications they download.”

 

Calo told Forbes that he believed Facebook users are concerned about the amount of information applications can access: “I think people are upset because when you download an app, you don’t have any control over what the app developer sees on your profile. There’s the perception among users that they don’t need to give away so much information to have the apps do the same thing as they are currently doing.”

 

However, I think we would be rash to take WhatApp’s scorecard for Facebook at err.. face value. It’s important to note that the WhatApp site’s goal is primarily to look at specific applications, and that the results publicised by Forbes are extrapolated from those individual application scores to give an overall score for how well Facebook as a whole is faring. (I’ve been contacted by Oliver Chiang, the author of the Forbes article, who tells me that WhatApp do rate platforms such as Facebook separately from the apps, so it’s not an aggregation. Sorry about that).

 

What isn’t clear is how well we can verify Calo’s credentials as an expert, and it’s also not shown how many of the site’s “verified” experts contributed to the scores that have been published so far. Nevertheless, Facebook won’t be best pleased to see it ranked poorly against its competitors.

 

Facebook security and privacy are very real concerns, of course, and this debate is likely to run and run. Many of us may well have good reason to long for the days of 2006, when Facebook privacy was a much simpler thing:

"No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings."


It’s very simple – all I want is to have control over who can see my personal information on Facebook.

But it seems that more and more Facebook is preventing me from achieving that seemingly simple aim.

 

By Graham Cluley, Sophos

 

 

8 Things You Probably Didn’t Know About KOOBFACE

October 10, 2009 by admin  
Filed under Security News


You’ve probably read or heard about KOOBFACE malware propagating through social networking sites such as Facebook, MySpace, and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still do not know some or all of these things about KOOBFACE.

 

  1. KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot!
  2. KOOBFACE doesn’t just know you through your profile information, they also know what you look like!: Not only does the botnet steal profile information, it also makes sure to put a face to the name by getting one’s profile picture as well.
  3. URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware.
  4. KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware.
  5. KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
  6. Half of KOOBFACE infections occur in the United States: This is not surprising since the majority of social networking site users reside in the United States.
  7. KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked.
  8. KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented a spam-filtering mechanism where known spam URLs are blocked. KOOBFACE tries to circumvent this by first testing if a KOOBFACE spam URL is blocked by Facebook or not.
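
An added example for item 5, not taken from the original post or from Trend Micro's research: a repacked binary no longer matches the hash of the original, so a structural check for UPX's default section names (UPX0, UPX1) is a more durable triage signal. The function names and the header-only sample images are constructed for illustration.

```python
import struct

def pe_section_names(data: bytes) -> list:
    """Return section names from a PE image, or [] if it is not a valid PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                        # first section header
    names = []
    for i in range(num_sections):
        entry = table + i * 40                            # each header is 40 bytes
        if entry + 40 > len(data):
            break                                         # truncated section table
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("latin-1"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """True when the image carries UPX's default section names.

    A hit is a triage signal only: legitimate software also ships UPX-packed,
    and section names can be renamed, so a miss does not prove "not packed".
    """
    names = pe_section_names(data)
    return "UPX0" in names and "UPX1" in names

def build_sample_pe(section_names) -> bytes:
    """Constructed, header-only PE image used as sample input (not real malware)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    optional = b"\0" * 0xE0
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections

if __name__ == "__main__":
    samples = {
        "packed (constructed)": build_sample_pe(["UPX0", "UPX1", ".rsrc"]),
        "plain (constructed)": build_sample_pe([".text", ".data", ".rsrc"]),
        "not a PE": b"<html>fake video page</html>",
    }
    for label, blob in samples.items():
        print(label, pe_section_names(blob), looks_upx_packed(blob))
```
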


So there, some things you may not know about KOOBFACE. If this whets your appetite for more information, you may read our research paper The Heart of KOOBFACE: C&C and Social Network Propagation, fresh off the grill from the White Papers section of TrendWatch.

 

by Ryan Flores from trendmicro