STE WILLIAMS

Facebook U-turns on phone and address data sharing

Facebook appears to have U-turned on plans to allow external websites to see users’ addresses and mobile phone numbers.

Security experts pointed out that such a system would be ripe for exploitation from rogue app developers.

The feature has been put on “temporary hold”, the social networking firm said in its developers blog.

It said it needed to find a more robust way to make sure users know what information they are handing over.

“Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and are making changes to help ensure you only share this information when you intend to do so,” the firm said.

The updates would be launched “in the next few weeks”, it added, and the feature will remain suspended in the meantime.

Bad guys

Facebook’s volte-face is likely to be a case of ‘once bitten, twice shy’.

Facebook’s troubled privacy history

  • November 2007: Members force the site to change its controversial advertising system Beacon, which told friends and businesses what they looked at or bought
  • Last year, wide-ranging changes to privacy settings resulted in a loud chorus of disapproval from both users and privacy experts, including the Canadian privacy commissioner, Jenny Stoddart.

    The firm was forced to radically simplify privacy settings. Ms Stoddart said at the time that the social network had “vastly improved” the sharing of personal information with third-party developers.

    Facebook founder Mark Zuckerberg has made no secret of his desire to open up the relationship between the network’s 500 million members and the wider internet.

    Having access to mobile phone numbers and physical addresses could have real benefits for users, the firm said in its blog.

    “You could, for example, easily share your address and mobile phone with a shopping site to streamline the checkout process, or sign up for the up-to-the-minute alerts on special deals directly to your mobile phone.”

    But Graham Cluley, a senior analyst at security firm Sophos, said it would also be very easy for rogue developers to jump on the bandwagon.

    “You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies,” he said.

    Not required

    Facebook has introduced a dashboard which allows users to decide what level of access to grant various apps they sign up for.

    It also said that users would have to grant permission to any apps or sites that had wanted to access people’s home address or phone number.

    But many people still click ‘accept’ far too quickly, said Mr Cluley.

    “Facebook does alert users to the fact that this information will be shared with others; warning prompts and other pop-ups are so frequent that they are often ignored,” he said.

    “The best solution would be to permit users to provide this data, via a dropdown or checkbox, when they choose to add an application, but it should not be required,” he added.


    Facebook developers granted access to more of your information

    Facebook has added APIs for developers to access the home address and mobile numbers of users, so FarmVille can see where, as well as who, you are.

    Permission to access such data must be given through the usual notification system, but with the vast majority of users simply agreeing with everything they’re asked, the new facility is attracting privacy concerns beyond those incurred by sharing one’s details with the developers of Bejeweled Blitz or similar. (more…)

    Wikileaks given data on Swiss bank accounts

    Image caption: Wikileaks has established a reputation for publishing sensitive materials

    A former Swiss banker says he will pass on data containing account details of 2,000 prominent people to Wikileaks.

    The data – which is not yet available on the Wikileaks website – is held on two discs to be passed on by Rudolf Elmer at a press conference in London.

    Mr Elmer, who has given data to Wikileaks before, was fired from Swiss bank Julius Baer in 2002.

    He is scheduled to go on trial in Switzerland on Wednesday for breaking bank secrecy laws.

    According to a report in Swiss newspaper Der Sonntag, Mr Elmer does not expect the data to become immediately available on the whistle-blowing website, as it must first undergo a vetting process.

    He said the data included the offshore accounts of about 40 politicians, and covers accounts at three banks, including his former employer.

    No court order against PlayStation hackers for now

    A San Francisco federal judge declined to order New Jersey-based hacker Geohot to turn over the technology he used to root the PlayStation 3, saying she doubted Geohot was subject to her court’s authority.

    The move by US District Judge Susan Illston on Friday was a blow to Sony, which argued that the 21-year-old hacker, whose real name is George Hotz, should be forced to surrender his computer gear and the code he used to circumvent digital rights management features in the gaming console. Illston rejected arguments that Hotz’s use of Twitter, PayPal, and YouTube, all located in the Northern District of California, were sufficient contacts with the region to establish personal jurisdiction.

    “If having a PayPal account were enough, then there would be personal jurisdiction in this court over everybody, and that just can’t be right,” Illston told James G. Gilliland Jr., an attorney representing Sony. “That would mean the entire universe is subject to my jurisdiction, and that’s a really hard concept for me to accept.” (more…)

    Chinese crack down on ‘money-sucker’ Androids

    The Chinese government is to crack down on “money sucking” mobiles: Android-based handsets that subsidise themselves by stealing from the customer’s account.

    The crackdown aims to involve network operators, target retailers and ensure that selling handsets featuring pre-installed Trojans is explicitly illegal, according to the Google translation.

    The idea is to set up a central unit to manage complaints, though it seems the scam has been going on long enough to build up considerable momentum.

    The handsets concerned are sold cheaply, and generally unbranded, though some bear forged logos. Once they go into use, the Android-based handsets start quietly sending text messages, or making a silent call or two. The transactions only incur a fee of about 20 pence a time, in the hope the user will never notice, while the miscreant collects the termination fee or other premium charge. (more…)

    Gamers raid medical server to host Call of Duty

    A server storing sensitive patient information for more than 230,000 people was breached by unknown hackers so they could use its resources to host the wildly popular Call of Duty: Black Ops computer game.

    New Hampshire-based Seacoast Radiology warned patients on Tuesday that the hacked server stored their names, social security numbers, medical diagnosis codes, address, and other details. On a website established after the mid-November breach, the medical group urged patients to monitor their credit reports for signs of identity theft, although there’s no evidence of any misuse of the information. (more…)

    DUP website translated into Irish by mischievous hacktivist

    A mischievous hacktivist broke into three websites run by the Democratic Unionist Party on Wednesday night to replace the website of the staunchly unionist Ulster party with an Irish language version.

    Party leader Peter Robinson’s welcome message to the site was translated into Irish and appended to include support of the “Irish Language Act”, the BBC reports.

    In reality, the DUP has repeatedly blocked the introduction of the proposed law, which is backed by nationalist majority party Sinn Fein.

    The hacker, who rejoices in the Joycean moniker of Hector O’Hackatdawn (@HectorOHackAtD), also defaced the websites of party bigwigs peterrobinson.org and jeffreydonaldson.org. (more…)

    Gawker makes a hash of non-ASCII characters in passwords

    Gawker is phasing out the use of email-address-and-password login in favour of more modern OAuth authentication and the use of anonymous one-off accounts.

    Tom Plunkett, CTO at Gawker Media, briefly explained the plans in responding to the discovery of another password-related security snafu involving the media news and gossip site. Computer scientists at Cambridge University discovered that, until a fortnight ago, it was failing to handle non-ASCII characters in passwords. Instead, all non-ASCII characters were mapped to the ASCII ‘?’ prior to generating a password hash.

    As a result of the cock-up, the accounts of native Korean speakers, to quote just one example, might be opened by hackers who simply guessed a string of question marks.

    Joseph Bonneau, a computer scientist at Cambridge University, came across the security hole in researching the handling of non-ASCII characters in passwords. “Gawker was using a relatively little-known Java library with the known bug of converting all non-ASCII characters to ‘?’ prior to hashing,” Bonneau explained.

    Bonneau credits Gawker with responding quickly to his discovery by applying a fix within three days, though the number of exposed accounts is small. Gawker’s blog is only available in English and checks by Bonneau suggested fewer than one in 50,000 users elected a password which was entirely non-Latin.
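    The following is an added illustration of the bug described above, not Gawker’s code or the Java library in question: it reproduces the ‘?’ collapse in Python, places a UTF-8 path beside it, and shows why an all-non-Latin password verified against a run of question marks under the broken scheme. The salt, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo salt; a real system stores a random per-user salt.
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000


def buggy_hash(password: str) -> bytes:
    """Reproduces the reported defect: each non-ASCII character becomes '?'
    before hashing, so an all-non-Latin password collapses to '???...'."""
    collapsed = password.encode("ascii", errors="replace")  # U+BE44 -> b'?'
    return hashlib.pbkdf2_hmac("sha256", collapsed, SALT, ITERATIONS)


def fixed_hash(password: str) -> bytes:
    """Encode as UTF-8 so every code point contributes its own bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


def verify(stored: bytes, attempt: str, hasher) -> bool:
    """Constant-time comparison of a stored hash against a login attempt."""
    return hmac.compare_digest(stored, hasher(attempt))


def entirely_non_ascii(password: str) -> bool:
    """The accounts the bug actually exposed: passwords it reduces to only '?'.
    A mixed password such as 'pass비밀' keeps its ASCII part and is weakened,
    not collapsed."""
    return bool(password) and all(ord(ch) > 127 for ch in password)


def demo() -> tuple:
    """Returns (buggy_match, fixed_match) for a question-mark guess."""
    korean_pw = "비밀번호"           # constructed 4-character Korean password
    guess = "?" * len(korean_pw)    # what the bug turns it into
    buggy_match = verify(buggy_hash(korean_pw), guess, buggy_hash)  # True
    fixed_match = verify(fixed_hash(korean_pw), guess, fixed_hash)  # False
    return buggy_match, fixed_match


if __name__ == "__main__":
    print(demo())
```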

    The latest glitch follows a far more serious breach last month, when security slip-ups by Gawker resulted in the exposure of millions of user passwords. A database dump containing user login credentials, chat logs, and other Gawker-site collateral was released as a Torrent by hacking group Gnosis. Gnosis extracted the material after gaining root access to Gawker’s servers. The attack was motivated in large part by an online feud between hackers affiliated with anarchic imageboard 4chan and Gawker.

    Gawker responded to the breach by asking users to change their password, a similar response to its attitude to the much less significant non-ASCII hash snafu. Users affected by the non-ASCII bug are being prompted to change their password as soon as they login to the site with their old (vulnerable) credentials. Meanwhile, Gawker is making backend changes that will allow it to move to a more secure password system, Plunkett explained.

    “Longer term (beginning early February), we will be migrating all of our users to our new commenting platform that will be described on the tech.gawker.com blog later this month,” Plunkett explained. “This will eliminate the need for email addresses or passwords on our platform. Once this change goes live, new commenters will not be able to register with a user/password – we will support only OAuth or anonymous accounts we are calling ‘burners’.”

    Gawker earlier said it was going to introduce two-factor authentication logins for its employees, in response to the compromise of the site’s security last month.

    Interview: Jailbroken iPhones a vector rather than a vulnerability

    Earlier this week, Sense of Security hit the headlines advising against the careless use of jailbroken iPhones in corporate environments. The Register speaks to the company’s security consultant Kaan Kivilcim, who presented his findings at the ASIA conference in December, about what the company found. (more…)