Friday 21 May 2010

Facebook: a month of security breaches

It's been a bad month for Facebook, and I hope this is a sharp nudge for those who make decisions regarding our security and privacy. Facebook should first commit to a full audit of its systems to make sure it complies with its own policies, and then spend some time listening to its customers' feedback.

To date, Facebook insists it has not intentionally released this information and has made changes to prevent this data leakage. Social networks are entrusted with people's personal data; this should require an embedded sense of responsibility.

As with PleaseRobMe.com, it is easy for people to determine from your IP address that you are trapped away from home in a European ash cloud, or that you are lying about your activities and location. Using online services and social media for communications carries the same risks as sending email, and in my opinion a great deal more.

Hopefully Facebook is listening to all of the commentary related to their users' concerns over privacy, and will make changes to their system. They are clearly aware that including the IP address is a bad idea, considering their move to begin hiding it, albeit trivially.

So this weekend, when you upload your photos or share an event, check your privacy settings and don't go into too much detail, as you don't know who will be reading or looking at your items.

Fairly scary stuff.


http://www.sophos.com/blogs/chetw/g/2010/05/08/facebook-notifications-leak-ip-addresses/

Monday 10 May 2010

Twitter in a twist: lost followers

Twitter has an embarrassing bug on its hands – one that allows users to make anyone follow them. Mashable reader Ozan Yılmaz emailed Mashable this morning, writing: “[tweet] accept [username], then the [username] immediately starts following you.”

Initially I noticed that my main Twitter account was following lots of new people that I had not manually followed. That means that if people chose to exploit this bug, their tweets could show up in anyone’s timeline — at least until the issue gets resolved. Well, it appears the powers that be at Twitter have resolved it with a mallet... I now have no followers, I am following no one, and my lists have disappeared.

Other reports confirm that this exploit is currently being used by many users. No word yet from Twitter on when this might be fixed and if they’ll be able to undo the damage, but I’ll update here when I know more.

Twitter is experiencing the same problem OpenID will have, or any "federated" approach where no genuine authentication factor is involved in validating requests such as this. The trade-off is that most solutions are too "expensive" (in processing overhead and user experience, not just money) for such lightweight, high-scale operations under a social network site's usability or cost model.

Twitter needs to find a strong, simple-to-embed authentication technology that gives the best of both worlds: strength and validation, with SaaS-style ease of integration and cost, but without the thin "browser-only or service-only" rigour that can let such "over the transom" requests through.
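The bug described above comes down to a text command ("accept [username]") being trusted on its own, with no check that the named user ever asked to follow anyone. The following is an added illustration, not Twitter's code: a minimal follow-state model with the vulnerable handler beside a hardened one that only honours an accept when a matching pending request exists. All names and data are constructed.

```python
# Added illustration (not Twitter's code): why an "accept <username>"
# command must be checked against the named user's own pending request
# before it changes who follows whom.

class FollowGraph:
    """Minimal in-memory model of follow state; all data is constructed."""

    def __init__(self):
        self.following = set()   # pairs (follower, followee)
        self.pending = set()     # pairs (requester, protected_user)

    def request_follow(self, requester, protected_user):
        # A protected account receives a request it can later accept.
        self.pending.add((requester, protected_user))

    def is_following(self, follower, followee):
        return (follower, followee) in self.following

    def accept_vulnerable(self, actor, username):
        # Bug shape from the post: the command text alone decides the
        # outcome, so any actor can make any username follow them.
        self.following.add((username, actor))
        return True

    def accept_hardened(self, actor, username):
        # Fix: create the follow only if `username` actually asked to
        # follow `actor`; consume the request so it cannot be replayed.
        key = (username, actor)
        if key not in self.pending:
            return False
        self.pending.remove(key)
        self.following.add(key)
        return True


def handle_tweet(graph, author, text, hardened=True):
    """Parse an 'accept <username>' command tweeted by `author`.

    Returns None for an ordinary tweet, otherwise the handler's result.
    """
    parts = text.strip().split()
    if len(parts) != 2 or parts[0].lower() != "accept":
        return None
    username = parts[1].lstrip("@")
    if hardened:
        return graph.accept_hardened(author, username)
    return graph.accept_vulnerable(author, username)
```

The hardened path rejects the bare command, accepts it exactly once when a pending request exists, and ignores tweets that are not commands at all.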

Not surprisingly, 3 of the top 10 trending Twitter topics at the moment have to do with the bug and the zeroing of followers.

Read what the press is saying:

http://www.informationweek.com/news/software/web_services/showArticle.jhtml?articleID=224701415


Sunday 9 May 2010

I am so tired of hearing about Facebook security issues. Every time I search Twitter, they have another issue with information leakage. They clearly have serious privacy issues; Facebook is aware it's a problem because they tried to hide it, and short-term fixes like turning off chat are like using a fire extinguisher on a volcano.

Most people would agree at this point that we should not expect Facebook to protect our privacy, but with hundreds of millions of users impacted by their decisions, it's important to publicize these issues in the hopes that they will address them.

Sophos, a world leader in IT security and control, is warning social networking users of the dangers of allowing strangers to gain access to their online profiles, following new research into the risks of identity and information theft occurring through the global phenomenon Facebook.

Compiled from a random snapshot of Facebook users, Sophos's research shows that 41% of users, more than two in five, will divulge personal information - such as email address, date of birth and phone number - to a complete stranger, greatly increasing their susceptibility to ID theft.

Wednesday 5 May 2010

Online Fraud Protection requires a layered approach.

Identity Management Requires Defense in Depth, Much Like Enterprise Security


I could not agree more with Scott Waddell's blog entry on defence in depth. It’s only a matter of time before today's super-powered cyber criminals find ways to take advantage of the inherent weaknesses in even the best technologies: '2 factor' has been hacked, username and password are not enough... you can google the stories for yourself.

Today’s cyber criminals are so tech savvy and innovative that staying one step ahead of them isn’t always possible. So when it comes to network security, a good defense should be made up of several different layers. That way, even if a hacker is able to exploit a vulnerability in one layer of the system, he may be stopped or slowed down by another. This strategy, known as defense in depth, essentially allows organizations to protect the integrity of their systems by slowing hackers down and buying security professionals the time they need to respond to a security breach once it has occurred. This mitigates the damage that malicious hackers can do, even if they are able to make it past initial barriers.

The same basic principle of creating a more comprehensive defense by layering tools and diversifying methods can be applied to fighting online fraud. To successfully combat online fraud, a fraud management system should include several layers of defence, including multi-factor identity authentication.

I agree wholeheartedly with Scott that the best offense against cyber crime today is a multi-layered defense.

http://blog.iovation.com/2010/02/19/fraud-management-requires-defense-in-depth/#more-1580



Survey Reveals Massive Incidence of Credit Card Fraud and Identity Theft

Retailers blamed for making people vulnerable to fraud


Working in internet security, I am always concerned that online communities and retailers are not protecting their users, and the results of this survey, conducted on 26th April 2010, confirm my worst fears.

The researchers at Infosec have published a survey of 1000 commuters in London that has found that a tidal wave of credit card fraud and identity theft is sweeping the UK:

  • 44% of people said they have suffered from bank/credit card fraud.
  • 42% have had their identity stolen.
  • The average amount stolen was £1448 per person.
  • 37% overall did not get their money back from the bank.

The research shows that people who lost a small amount of money were far less likely to get their money back from their bank than people who lost a large amount of money, with 91% of people who lost more than £5000 getting their money back compared to only 41% of people who lost less than £100.

Who do Consumers Blame?

  • Retailers 60%
  • Banks 12%
  • Own fault 28%

The place that people said that they were most likely to have their details stolen from was online via websites or email.

Claire Sellick, Event Director for Infosecurity Europe, said: “The incidence of bank/credit card fraud and ID theft is very high, perhaps this is not surprising given how ingenious criminals have become. This is particularly true for online transactions and interactions as people are easily duped by offers that seem too good to turn down, pass on their details due to email phishing scams, act on phone calls from people claiming to be from their bank, or failing to check what post they throw away. There is a constant battle between the criminals and security experts and Infosecurity Europe is the event where the people who protect us all come to gain an insight into the latest technology and services to keep us safe from the criminals.”

Read the full account below.

http://www.eskenzipr.com/page.cfm/T=m/Action=Press/PressID=632