Details of 100 million Facebook users were *already* exposed on the net

Have you seen the headlines? They’re pretty scary-looking.

 

Here’s just a handful – although there were hundreds more to choose from:

“A fifth of Facebook users names ‘leaked’ to file-sharers”, Techwatch

“Details from 100 million Facebook profiles posted online”, Network World

“Details of 100m Facebook users collected and published”, BBC News Online

“100 million Facebook accounts exposed”, V3

 

At first glance these headlines might appear frightening. But there’s one thing you need to know. All of this information was already available to anyone on the internet.

 

What’s happened is that a security consultant called Ron Bowes wrote some scripts to harvest publicly-available information from the profiles of Facebook users who had left their profiles open for anyone to view.

 

In total he managed to scrape the names and urls of some 100 million Facebook users (about 20% of their population), and posted the database of snaffled information up on a peer-to-peer file-sharing network for anyone to download.

 

 

This wasn’t really a “hack” as such, as the guy who collected this information didn’t have to break into accounts to access the information. The personal information from users’ Facebook profiles was already available to anyone because individuals’ privacy settings had not been properly secured, and they had effectively left their lights on and curtains open for anyone to peek in and make a note of anything they could see.

 

The real problem here is that users haven’t secured their profiles well enough – but I don’t think they’re the only ones at fault. Facebook has gradually eroded its users’ privacy over the years, in an attempt to share more information with the rest of the internet. In fact, it’s even recommended that users use settings that share more information – and some users may not have been aware that going with Facebook’s recommendations would leave them open to being snooped on in this fashion.

 

The problem is that once you’ve shared your information with “everyone” on the net in this fashion, there’s no going back. You can’t withdraw your data – and now the user details have been harvested they will forever be available for anyone to access.

 

 

Facebook users need to wake up to the risks of sharing too much information online, and examine their Facebook security settings closely to ensure that they are not divulging too much to people they don’t know, and are comfortable with their choices. Today the news story is about names and urls being scooped up – maybe tomorrow it could be more personal information that is gathered from poorly secured Facebook users.

 

 

Read More…

 

The Main Risks Associated with Spam

There was a time when spam was considered little more than an invasive annoyance. It was merely an attempt, albeit an unwanted one, to communicate information about a product or service to as many people as possible. But then hackers saw another opportunity. They decided to use this tool as a means to exploit consumers and businesses.

 

Spam then, can pose considerable risk to the enterprise. But what are the primary issues?

 

Productivity – If we estimate the time that it takes for an employee to evaluate and delete an unwanted email, and multiply that by the number of employees, we begin to see how costly spam is. While this scenario may not represent real dollars spent mitigating the problem, it does translate into productivity losses which can have a financial impact. Time spent dealing with spam is time not spent on company business.

 

Storage Space – Company managed anti-spam solutions typically include one or more servers and software. Some estimates indicate spam accounts for over 90% of email. What this means is that a significant portion of that server space is used to receive and sometimes quarantine suspicious emails. If messages aren’t deleted, space can be easily consumed, forcing the purchase of additional storage space.

 

Security – Unfortunately, many spam messages are sent with the intent to harm the receiver. Clicking on erroneous links or opening infected file attachments can result not only in damage to the computer, but loss of data as well. In an era where privacy laws protect consumer data, the loss may be further compounded by financial penalties and damage to company reputation.

 

Spam can no longer be viewed as a problem of convenience, targeted at potential consumers. Real loss of data, reputation or company services can prove costly. Based on these risks, businesses should invest in solid anti-spam service solutions. To further reduce costs, cloud-based solutions have proved that they are not only up to the task, but will also save your time and money in the process.

 

Additional Resources:

http://www.allspammedup.com/2009/10/taking-control-of-the-risks/

http://www.spamlaws.com/

http://blogs.computerworld.com/16285/outbound_spam_hard_data_illustrates_real_risks

 

This guest post was provided by Veronica Henry on behalf of GFI Software, a leading software developer that produces network and messaging security solutions for SMBs. More information about GFI anti-spam solution can be found at http://www.gfi.com/mes

All product and company names herein may be trademarks of their respective owners.

Transport website leaking private information of 168,000 passengers

A hacker called “ins3ct3d” has demonstrated that he can access the personal information of 168,000 users of public transport in The Netherlands via an insecure website.

 

A campaign to encourage residents living in the provinces of Gelderland, Overijssel and Flevoland to use public transport has been promoting a website called “Experience the OV” at www.ervaarhetov.nl, which allows people to request a card allowing them to try out public transport travel for free.

 

However, as magazine Webwereld reports, a simple SQL injection attack allowed “ins3ct3d” to access how to access the personal information of subscribers – including names, addresses, birth dates, email addresses and phone numbers.

 

The hacker, who has chosen to remain anonymous, demonstrated the attack to the magazine by accessing the personal data of one of Webwereld’s reporters.

 

Explaining his reason for exposing the security vulnerability, “ins3ct3d” explained that he felt compelled to warn his fellow citizens as long as the government continues to use unsafe systems. “This time it’s sensitive personal data, next time your fingerprints or EPD,” he said.

 

(EPD is the Electronische Patientdossier.. I guess I don’t need to give a translation of that for you to realise why that’s not data you want falling into the wrong hands).

 

There’s no confirmation that banking data was exposed, but there were fields in the databases for ID card numbers, payment agreements and so forth. At the request of Webwereld, the hacker did not retrieve more data, so there’s no telling if any of these fields had been filled.

 

Webwereld contacted the authorities, and the website is currently “temporarily unavailable”:

I guess we should all breath a sigh of relief that, in this instance, the hack appears to have orchestrated with the interests of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some smart part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.

 

By Graham Cluley, Sophos

 

Canadian Pharmacy spammers set up shop on Twitter

At the beginning of this month I received an email telling me about someone new who had started following me on Twitter.

Their name was @canadianshop, and it was immediately apparent that they were promoting a Canadian online pharmacy via their account. These kind of websites are frequently promoted in email spam.

Like every other time you receive a new follower on Twitter, the service reminds you that you can report them for spam:

If you believe canadianshop is engaging in abusive behavior on Twitter, you may report canadianshop for spam.

 

But for once I decided not to. After all, this account was clearly spammy and I was curious to see how long it would take before someone else reported them and their account was suspended.

 

That was 24 days ago. And despite the @canadianshop account making no attempt to hide who they are – even their background wallpaper uses familiar imagery used in hundreds of thousands of emails to promote medications like Viagra and Cialis – they remain active on Twitter.

 

At the time of writing the account is following over 2000 people, and has 589 folk following it back.

In addition to its activities on Twitter, the account has also created a number of custom bit.ly links to promote its online stores which redirect to Canadian Pharmacy websites like the one below:

So, let’s hope the account gets shut down soon. I’ve reported it to Twitter now, and also dropped a line to the folks at bit.ly about the links in case they want to take action against those.

 

As if anyone needed reminding let me say it again – if you buy drugs online you’re not only putting your personal information at risk (remember these guys are prepared to spam and use scummy tactics to promote their sites, they possibly wouldn’t flinch at doing something naughty with your credit card details), but you’re also potentially putting your health in jeopardy.

 

By Graham Cluley, Sophos

 

Energizer DUO USB battery charger software allows unauthorized remote system access

 

Overview

The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.

 

 

I. Description

Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

 

Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Note that Windows XP SP2 and later systems include a firewall by default. Upon running the Energizer UsbCharger software for the first time, a dialog similar to the following is displayed:

If the user selects “Unblock,” then the system will be at risk. Also note that if the application is unblocked, this will cause Windows to add rundll32.exe to the Windows Firewall exceptions list. This means that any DLL that is executed through the rundll32.exe mechanism will be excluded from the Windows Firewall, regardless of the DLL or port used.

 

The backdoor capabilities include the ability to list directories, send and receive files, and execute programs. The hash information for the file is:
MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad

The file details for Arucer.dll are:

--a-- W32i   DLL CHS         1.0.0.1 shp     28,672 05-10-2007 arucer.dll
Language        0x0804 (Chinese (PRC))
CharSet         0x04b0 Unicode
OleSelfRegister Disabled
CompanyName
FileDescription Arucer DLL
InternalName    Arucer
OriginalFilenam Arucer.DLL
ProductName     Arucer Dynamic Link Library
ProductVersion  1, 0, 0, 1
FileVersion     1, 0, 0, 1
LegalCopyright  ???? (C) 2006
LegalTrademarks

VS_FIXEDFILEINFO:
Signature:      feef04bd
Struc Ver:      00010000
FileVer:        00010000:00000001 (1.0:0.1)
ProdVer:        00010000:00000001 (1.0:0.1)
FlagMask:       0000003f
Flags:          00000000
OS:             00000004 Win32
FileType:       00000002 Dll
SubType:        00000000
FileDate:       00000000:00000000

 

II. Impact

An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

 

 

III. Solution

Remove the Energizer UsbCharger software

Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.

 

Remove the Arucer.dll file

The backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, the Windows may need to be restarted before this file can be removed.

 

Remove “Run DLL as an App” exclusion from the Windows Firewall

If the user unblocks Run DLL as an App (rundll32.exe) from the Windows Firewall, the exclusion will remain after the Energizer UsbCharger software has been uninstalled. To restore the firewall to the previous state, the “Run a DLL as an App” entry should be removed from the exclusions list.

 

Block or restrict network access

Blocking access to 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor. This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that “Run a DLL as an APP” has been blocked by the Windows Firewall.

 

The following Snort rules can be used to detect network traffic related to this backdoor:

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; sid:1000004; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; sid:1000005; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; sid:1000006; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; sid:1000007; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; sid:1000008; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; sid:1000009; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; sid:1000010; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; sid:1000011; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; sid:1000012; rev:2;

 

Systems Affected

 

Source : www.kb.cert.org

 

 

Hackers exploit Oscar film awards to spread scareware

 

Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It shouldn’t probably be any surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and – sadly -that hackers would try and exploit the event.

 

Internet users searching for phrases like

Oscars 2010 winners

 

may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.

 

By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer.

 

As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.

 

Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and hand over your credit card details.

 

As Fraser Howard recently described on the SophosLabs blog, victims are redirected a number of times upon visiting from a search engine, before being taken to a webpage hosting a malicious script.

 

Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.

 

Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.

 

By Graham Cluley, Sophos

(McAfee) Operation Aurora Overview (Video)

 

Find out what operation aurora is, what’s at risk, and how to protect your organization.

 

German Government: Don’t use Internet Explorer

The German government has advised computer users not to run Internet Explorer and run an alternative browser instead, because of a critical zero-day security flaw.

 

The advice, which came in the form of an official statement from the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI) says that the as yet unpatched vulnerability is likely to be the same one blamed for hacker attacks on Google and other US companies last week.

 

The BSI advisory claims that although Microsoft’s advice to run Internet Explorer in ‘protected mode’ and disable Active Scripting makes it more difficult for hackers to attack, it does not completely prevent them.

Here is a rough translation (courtesy of Google Translate) of the BSI statement:

Critical vulnerability in Internet Explorer

BSI recommends the temporary use of an alternative browser
Bonn, 15.01.2010.

In Internet Explorer there exists a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted webpage into a Windows computer, in order to infiltrate and control computers. The past week has become known in the Hacker Attack on Google and other U.S. companies has probably exploited the vulnerability.

Affected are the versions 6, 7, and 8 of Internet Explorer on Windows XP, Vista and Windows 7. Microsoft has published a security advisory, in which it discusses ways of minimizing risk and is already working on a patch for the security hole. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.

Although running Internet Explorer in "protected mode" as well as disabling Acitve Scripting does make it more difficult to attack, it can not completely prevented. Therefore, the BSI recommends that users switch to an alternative browser while waiting for Microsoft's patch.

Once the vulnerability has been closed, the BSI on its warning and information service MayorCERT also informed. Keep informed about the civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via E-mail.

 

The vulnerability means that a hacker could send you a message, perhaps pretending to be from a colleague or friend, and – if you clicked on a link in that email – your vulnerable installation of Internet Explorer would visit a malicious webpage infecting your Windows PC with a Trojan horse.

 

At that point the hackers could effectively grab control of your computer, with the potential of stealing company secrets, personal information or using it to spread spam or other attacks. The problem is that right now Microsoft doesn’t have a patch to fix their software.

 

Of course, the German government’s advice that internet users should switch to alternative browsers is unlikely to well received at Microsoft, and pressure is sure to grow on the company to release an “out-of-band” patch to resolve the security flaw as soon as possible.

 

With Google pointing the finger of blame for the attacks at China, it’s perhaps not surprising that the German government should be keen to ensure that its own computers (whether they be in government or industry) are not next in the firing line of hackers.

 

Alternative internet browsers such as Firefox, Safari and Opera have all suffered from security vulnerabilities in the past, of course.

 

You can read SophosLabs’s write-up on the Microsoft security flaw here, as well as further commentary by principal virus researcher Vanja Svajcer.

 

With all this talk about state-sponsored cyber-spying originating from China clearly spooking the German authorities, it’s perhaps a little ironic that the Germans themselves were accused of using the internet and malware to spy on another country a couple of years ago.

 

by Graham Cluley, Sophos

 

Simple Facebook Flaw Put All Members at Risk of Identity Theft

IT security and control firm Sophos is again reminding internet users that their personal information may be being placed at risk – and is perhaps best kept off the internet – following news that popular social networking website Facebook contained a flaw that could have allowed hackers to access sensitive profile information about any of the site’s 200 million plus users.

Read more