Facebook farewells flaky SHA-1

Facebook has set the date: on September 30, the ancient and creaking SHA-1 hashing algorithm will make its tumbril trip and get the chop.

SHA-1, designed by the NSA and published in 1995, is a one-way hash function: a block of data of any length is reduced to a fixed 160-bit message digest. The digest can’t be turned back into the original message, and because it is far shorter than the data it is what actually gets signed; a digital signature over the digest is what confirms the authenticity of (for example) the software you’ve downloaded.

And it’s long been on the end-of-life list, because it is weak against collision attacks – two different inputs can be crafted to produce the same SHA-1 digest, so a signature issued over a benign file or certificate would verify a malicious one with the same digest just as well.

From October 1, The Social Network™ says, third-party apps signed with SHA-1 will no longer be able to connect to Facebook.

As Facebook’s Adam Gross blogs, the move is in line with the Certificate Authority and Browser Forum’s intention to sunset SHA-1 by January 2016.

“We’ll be updating our servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we’ll require apps and sites that connect to Facebook to support the more secure SHA-2 connections”, Gross wrote.

Facebook recommends that “applications, SDKs, or devices that connect to Facebook” be checked for SHA-2 support now, to avoid irritating users when the switch is made.
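The check Facebook is asking for comes down to one question per certificate: which hash is behind its signature? The following is an added example, not code from Facebook or The Register, and not a library API: a dependency-free Python walker that reads the signatureAlgorithm OID out of a DER-encoded X.509 certificate and maps it to a hash family. The OID table holds the standard RFC 3279/RFC 5754 values; the `skeleton_cert` helper and the certificates it builds are constructed test input, not real certificates.

```python
"""Added example: report which hash a DER certificate's signature uses."""

# OID -> (algorithm name, hash family); standard RFC 3279 / RFC 5754 values.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}
SHA2_FAMILY = {"SHA-256", "SHA-384", "SHA-512"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits = number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted form (base-128 arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der_cert):
    """Return (algorithm name, hash family) of the certificate's outer signature."""
    tag, cert, _ = read_tlv(der_cert, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)              # tbsCertificate, skipped
    _, alg_id, _ = read_tlv(cert, pos)            # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid_octets, _ = read_tlv(alg_id, 0)      # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return SIG_ALG_OIDS.get(decode_oid(oid_octets), (decode_oid(oid_octets), "unknown"))


def is_sha2_signed(der_cert):
    return signature_algorithm(der_cert)[1] in SHA2_FAMILY


# --- helpers that build constructed test input; these are NOT real certificates ---

def tlv(tag, body):
    """Encode a DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    """Inverse of decode_oid: dotted string -> OID content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]               # least significant 7 bits, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def skeleton_cert(sig_oid):
    """Constructed, non-verifiable certificate carrying only a signatureAlgorithm."""
    tbs = tlv(0x30, b"")                                             # empty tbsCertificate
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))  # OID + NULL params
    sig = tlv(0x03, b"\x00")                                          # empty BIT STRING
    return tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, signature_algorithm(skeleton_cert(oid)))
```

To run it against a real certificate, pass the bytes of a DER file (`signature_algorithm(open("cert.der", "rb").read())`); a PEM file needs its header and footer lines stripped and the rest base64-decoded first. Check every certificate in the chain except the self-signed root: clients trust the root because it sits in their store, not because of its signature, so a SHA-1 root signature is harmless while a SHA-1 intermediate is not.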

The migration hasn’t been without its detractors. Earlier this year, infosec bods told The Register that the shift poses challenges: if users see disruption – too many “insecure site” warnings, for example – trust in the Internet itself could be undermined.

Cross-posted from TheRegister

New Facebook scams in 2014

Facebook scams were rife in 2014. Most look innocent enough at first glance, but they are social-engineering lures designed to make money for the scammers or to get a foothold on the victim’s computer.

One of this year’s scams was the “Robin Williams goodbye video”, supposedly recorded shortly before his death and presented as a BBC News clip. No such video exists.

The post circulated on Facebook and asked users to share the video before they could watch it. Do not click on it: there is no video, so there is nothing to share. As Symantec explains in detail, clicking the “video” instead prompts the user to fill out a survey or install an application, and the scammers are paid for every survey completed.

Robin Williams goodbye video


Do not open any app that offers to change the colour of your Facebook profile; it is a scam. Facebook’s blue may be getting a little boring for some users, and a web app promising a change is an easy lure.

If you come across the “Facebook color changer” (or “Facebook Colour Changer”), do not open it at all: it hijacks Facebook accounts, and it has reportedly already compromised more than 10,000 of them. The malicious software works in two steps. First, the user is asked to grant the app access to their Facebook profile; if they decline, the second step prompts them to download “anti-virus software” instead.


Facebook profile color changer scam

If you have followed the tutorial video on how to use the “Facebook colour changer”, change your password immediately and remove the app from your profile via Facebook’s app settings.

Another scam tricks users into compromising their own accounts: in a nutshell, you hack yourself. It lures victims into believing they can get into anyone’s account in three simple steps. The instructions tell users to open Facebook in a web browser, visit the profile of the person they want to “hack”, right-click anywhere on the page and choose “Inspect Element” from the pop-up menu. That opens the browser’s HTML editor, into which users are told to copy and paste a string of code the scam provides. The code does not do what it claims, never has and never will; what it does do is run inside the victim’s own logged-in session.

While we are on the subject of Facebook scams, keep an eye out for these as well, and do not click on anything connected with them:

  1. A Facebook app that claims to show your total profile views and visitors
  2. A post titled “Rihanna sex tape with her boyfriend”
  3. “Free T-shirts when you check my status update” (just another scam)
  4. An app that claims to tell you whether a friend has deleted you

These are only a few recent examples; there are thousands more. Do not click on anything you are unsure about, especially when a post says you must share a video before you can view it (unless it comes from a website you trust).

What Facebook scam have you come across lately?

Firefox 22 enables WebRTC, makes social APIs easier to manage

BetaNews: Mozilla has released Firefox 22.0 FINAL for Windows, Mac and Linux. The update includes some platform-specific improvements — Firefox now follows display scaling options in Windows and shows download progress indicators in its dock icon on OS X — plus a number of other tweaks and improvements.

Other new features include the ability to manage social API plug-ins via the Add-ons menu (select Services in the left-hand menu), and to adjust the playback rate of HTML5 audio and video (right-click the player and choose Play Speed).

One major behind-the-scenes change is that WebRTC — the technology for streaming audio and video and exchanging data directly between browsers — is now fully enabled by default in Firefox. This is achieved by enabling the two remaining components, PeerConnection and DataChannels; the latter can reduce latency in real-time gaming by letting games connect peer-to-peer between devices.

Another new feature is the enabling of asm.js optimizations (codenamed OdinMonkey), which Mozilla promises will see major performance improvements. Other performance tweaks include asynchronous canvas updates that will improve WebGL rendering, better memory usage and shorter display times when rendering images.

Other changes include plain text files being displayed with word wrap within the Firefox window, and support for using the Pointer Lock API outside of full-screen view. Developers gain a new built-in font inspector, and both CSS3 Flexbox and a new Web Notifications API have been implemented. HTML5 support has also been extended with the new <data> and <time> elements.

Firefox 22.0 FINAL is available now as a free, open-source download for Windows, Mac and Linux.


Facebook Virus That Drains Your Bank Accounts: What You Need to Know

This post was originally published on the Malwarebytes Blog:

Word that the Zeus Trojan is back on Facebook has spread across news sites as fast as the malware itself.

Awareness and education about online dangers are essential, but headlines like “Malware That Drains Your Bank Account Thriving On Facebook” instil fear while at the same time blaming Facebook — something that may not be entirely justified.

Malicious links on social networking sites are nothing new (Twitter and LinkedIn, to name two). They have been, and continue to be, abused by spammers to peddle fake AV or to redirect to exploit sites distributing all sorts of nasties.

So what exactly is all the fuss about? Let’s have a look at this example reported by the New York Times.


The fraudulent/spammy posts appear to come either from fake Facebook accounts or from hijacked ones. The links all follow a similar pattern: the country-code top-level domain (ccTLD) is “.tk”. This ccTLD belongs to Tokelau, a small territory of New Zealand whose free domain registrations have made it a hotbed for all sorts of online fraud. Suricata/Emerging Threats even has a detection rule for “.tk” domains – “ET CURRENT_EVENTS DNS Query to a .tk domain – Likely Hostile” – which sums up their trustworthiness rather well.
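The same hunt can be run retrospectively over a sensor’s logs. What follows is an added example written for this page, not Malwarebytes’ or Emerging Threats’ code, and not the text of the ET rule: it scans Suricata EVE JSON records for DNS queries whose final label is .tk, counting queries only (as the rule name says) and ignoring answers and decoys such as a host called tk.example.net. The EVE lines are constructed, not a real capture, and the field names used (`event_type`, `dns.type`, `dns.rrname`) are the ones Suricata’s EVE DNS output uses. A second helper does the equivalent check on a raw wire-format QNAME, which is the view a packet-level rule has.

```python
"""Added example: flag DNS queries to .tk names in Suricata EVE JSON output."""
import json

HOSTILE_TLDS = {"tk"}   # what the quoted ET rule keys on; extend per local policy

# Constructed EVE-style records (not captured traffic).  Line 4 is a decoy:
# "tk" as a left-hand label must not match.  Line 5 is not a DNS event at all.
SAMPLE_EVE = """\
{"timestamp":"2013-06-04T10:01:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","id":1,"rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2013-06-04T10:01:03.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","id":2,"rrname":"sale.example.tk","rrtype":"A"}}
{"timestamp":"2013-06-04T10:01:04.000000+0000","event_type":"dns","src_ip":"10.0.0.1","dest_ip":"10.0.0.5","dns":{"type":"answer","id":2,"rrname":"sale.example.tk","rrtype":"A","rdata":"192.0.2.10"}}
{"timestamp":"2013-06-04T10:01:05.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","dns":{"type":"query","id":3,"rrname":"tk.example.net.","rrtype":"A"}}
{"timestamp":"2013-06-04T10:01:06.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","tls":{"sni":"sale.example.tk"}}
"""


def last_label(name):
    """Final DNS label of a dotted name, ignoring a trailing dot and case."""
    return name.rstrip(".").lower().split(".")[-1]


def wire_qname_last_label(qname):
    """Final label of a wire-format QNAME: length-prefixed labels ending in 0x00.
    '.tk' on the wire is the byte sequence 02 't' 'k' 00 at the end of the name."""
    labels, pos = [], 0
    while pos < len(qname):
        n = qname[pos]
        if n == 0:
            break
        if n & 0xC0:                       # compression pointer; not expected in a query
            raise ValueError("compressed name")
        labels.append(qname[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return labels[-1] if labels else ""


def hostile_dns_queries(eve_text):
    """Return one hit per DNS *query* whose final label is in HOSTILE_TLDS."""
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns", {})
        if dns.get("type") != "query":     # mirror the rule: queries only, not answers
            continue
        if last_label(dns.get("rrname", "")) in HOSTILE_TLDS:
            hits.append({"timestamp": ev["timestamp"],
                         "src_ip": ev["src_ip"],
                         "rrname": dns["rrname"]})
    return hits


if __name__ == "__main__":
    for hit in hostile_dns_queries(SAMPLE_EVE):
        print(f'{hit["timestamp"]} {hit["src_ip"]} queried {hit["rrname"]}')
```

On a real deployment, feed it `eve.json` line by line instead of the constructed string. Matching on the last label rather than on the substring “.tk” is what keeps names like tk.example.net out of the results, and it is the same distinction a wire-level rule makes by anchoring on the 02 74 6b 00 terminator.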

In this particular case, the “.tk” domain seen here is simply used as a redirector to another domain, 2bestmall . com.


Here we have a classic case of counterfeit merchandise: big brand names advertised at 78% off MSRP. Visitors who make a purchase have their payment processed through another intermediary, billingcheckout . com, which has a rather poor reputation according to Web of Trust (WOT).


The domain billingcheckout.com was registered through TODAYNIC.com, INC, a Chinese registrar, with unsurprisingly bogus registrant information. Ordering counterfeit goods is not the smartest idea if the parcel is intercepted at customs, and trusting a “company” like this with your credit card details is definitely not something you want to do.

As for the Zeus connection: the counterfeit website we identified is hosted by an interesting hosting company with many ties to malware activity:


What’s more, if you dig deeper you will find the link to Zeus (courtesy of abuse.ch):


The Zeus Trojan is a notorious piece of malware that became extremely popular and inspired offshoots such as the Citadel Trojan. It sits in the background and waits for the user to log into a sensitive site (such as a banking login page) so that it can steal the password, or it injects fake pop-ups into the page that ask the victim to enter additional confidential information.

It’s not the first time, and it won’t be the last, that links posted to Facebook pages and profiles contain or redirect to malware. But does Facebook really sit idle while its users get infected? Not quite: the social media platform has partnered with a number of security companies, including Websense and WOT, to offer a safer experience.


I also feel this is a bit of a cheap shot, because the same spam can be found elsewhere. The very same ad has also appeared on Google’s Blogger, a service that I and many other professionals use for our own blogs:


Facebook happens to be the largest social networking site and as such is one of the most coveted platforms for the bad guys, just as Microsoft’s Windows is among operating systems.

Statements like these from online news sources undermine the enormous amount of work and resources spent fighting cyber-crime, and fail to reflect the realities security researchers face every day. Cyber-criminals constantly adapt and up their game to defeat every new security measure put in place. Whether financially or politically motivated, cyber attacks will always exist.

End-users need to rely on a layered defense approach to best protect themselves. It is nice to know that Facebook and Google continue to try and protect us from browsing malicious sites, but we cannot expect them to block 100% of attacks. As always, good security software and best practices (such as being careful before clicking links) go a long way towards saving you from all the online dangers out there.

Facebook closes cross-site scripting holes

Code could be injected through (fake) custom locations

Facebook has closed several cross-site scripting (XSS) holes that were discovered by security firm Break Security and have now been described in greater detail. Break Security’s CEO, Nir Goldshlager, explains that the social network was vulnerable to attacks through its Chat feature as well as its “Check in” feature and its Messenger for Windows client.

In the Chat window, for example, attackers were able to share links that Facebook did not adequately check. This let them hide JavaScript inside links that the Chat client then inserted verbatim into href attributes. When a recipient clicked such a specially crafted message, the injected code ran in their browser, in the context of their Facebook session.

Page names can contain JavaScript

The “Check in” service could be manipulated by creating custom locations whose settings allowed attackers to inject JavaScript code. That client-side XSS payload executed whenever a user checked in at such a location.

Messenger for Windows could be attacked by creating a Facebook page, since pages can send messages to all of their users. If JavaScript code was entered as part of the page name and the page sent out messages, the script executed on users’ machines as soon as they logged into Messenger.
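All three holes share one root cause: attacker-controlled text (a link, a location name, a page name) reaching markup without a scheme check or escaping. The block below is an added example written for this page; it is not Facebook’s code and does not reproduce Break Security’s payloads. It shows the vulnerable pattern the Chat bug describes beside a hardened renderer that normalises the URL the way browsers do (so a tab hidden inside “java<TAB>script:” cannot slip past the check), allows only absolute http(s) links, and HTML-escapes everything it emits; the same escaping is applied to a location name, which covers the “Check in” and page-name cases. The rendering functions, the `rel` attribute and the `<span class="place">` wrapper are assumptions for the example, not Facebook’s markup.

```python
"""Added example: rendering user-supplied links and names safely (and unsafely)."""
import html
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))   # 0x00-0x20


def render_link_unsafe(url):
    """Vulnerable: the user's string lands straight in href with no scheme
    check and no escaping, so javascript: URLs and attribute break-outs work."""
    return f'<a href="{url}">{url}</a>'


def browser_normalise(url):
    """Mimic the browser's pre-parse steps: strip leading/trailing C0 controls
    and spaces, then remove ASCII tab/newline anywhere.  A naive scheme check
    that skips this sees 'java\\tscript:' as a relative path; the browser sees
    'javascript:'."""
    url = url.strip(C0_AND_SPACE)
    return url.replace("\t", "").replace("\n", "").replace("\r", "")


def render_link_safe(url):
    """Allow only absolute http(s) URLs and HTML-escape before emitting.
    Returns None for anything else so the caller can fall back to plain text."""
    parts = urlsplit(browser_normalise(url))
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    href = html.escape(urlunsplit(parts), quote=True)
    text = html.escape(url, quote=True)
    return f'<a href="{href}" rel="noopener noreferrer">{text}</a>'


def render_place(name):
    """Location or page names are data, never markup: escape unconditionally."""
    return f'<span class="place">{html.escape(name, quote=True)}</span>'


if __name__ == "__main__":
    for candidate in ("http://example.com/?q=1", "javascript:alert(1)",
                      " JaVaScRiPt:alert(1)", "java\tscript:alert(1)", "//example.net/x"):
        print(repr(candidate), "->", render_link_safe(candidate))
    print(render_place('Cafe <script>alert(1)</script>'))
```

Two design points worth noting. Rejecting rather than “cleaning” a bad URL is deliberate: stripping `javascript:` from the front of a string invites `javajavascript:script:` style bypasses, whereas an allow-list on the parsed scheme has nothing to bypass. And escaping happens at the moment of output, in the function that knows the context is an HTML attribute or text node, not at input time.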

Cross-Posted from Heise-Security

Facebook Got Hacked Last Month and Is Just Telling You Now

Cross-posted from Gizmodo:

Facebook just announced, in a short statement on its website, that it was hacked last month. Apparently an unknown number of employees visited a compromised developer site and were infected with malware. Facebook is being very cagey about all this, but we’ve been able to scrounge up some details.

According to the statement, the company reacted swiftly with an investigation and remediation following the “sophisticated attack”. It won’t say which law enforcement agencies it’s working with, and it claims no user data was compromised.

What a surprise: Facebook waited until the end of the day on a Friday to tell us about an oopsie.

Here’s the full statement from the company.

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day. We have no evidence that Facebook user data was compromised in this attack.

We’ve reached out to the company for additional comment regarding the nature of the hack and other details. We’ll update when we hear back. [Facebook]

Facebook responded to our request for comment with the following. The company says it isn’t commenting further at this time.

We were able to investigate user data compromise [sic] by forensic analysis on the affected devices and infrastructure.

Why Google or Facebook Buying Your Favorite Startup Means It’s Probably Toast

Time Techland wrote:


When I learned this morning, via Twitter, that the small company behind Mac/iOS e-mail app Sparrow was being bought by Google, I almost didn’t need to read the startup’s announcement to know the upshot.

Google and Facebook buy itty-bitty web companies all the time. And the acquired businesses typically convey what’s happening in an eerily consistent five-step ritual:

  1. Announcement of thrilling acquisition
  2. Reiteration of startup’s wildly ambitious founding notion
  3. Explanation that either Google or Facebook is the best place to change the world
  4. Acknowledgement (or sometimes non-acknowledgement) that the startup’s product is being discontinued or is going into limbo
  5. Expression of heartfelt gratitude to various supporters, usually including the consumers who are losing something they liked

So it seems to be going with Sparrow: Its five-person team will be working on Gmail henceforth; the existing Sparrow apps aren’t being discontinued, but they apparently won’t get any updates, either.

…[SNIP]…

Why does this keep happening? There are several related factors at work:

Google and Facebook are already pursuing ginormous dreams of their own and don’t need new ones. They’ve got the resources they need to turn them into reality, and hundreds of millions of users who are already on board. Which is why they’re rarely all that interested in the actual products produced by the companies they snap up, especially if they cater to relatively specific needs and small user bases, such as Sparrow’s signature creation, its Gmail app for OS X.

Tiny startups are full of smart, ambitious people. To keep growing, Google and Facebook need to hire armies of smart, ambitious people, and the most efficient way to do so is often to buy small companies and thereby acquire their teams.

Large, well-established companies are envious of small, young companies. Both Google and Facebook remain more intrepid and innovative than your average great big company. But when you’re huge, you obsess over the possibility of becoming bloated, lethargic and bureaucratic. You also get paranoid that some little-known upstart will create the next big thing. Buying startups is a way to address all these fears, or at least seems like one.

Getting bought by Google or Facebook is a viable business model. Many startups with cool products don’t have a clear idea of how they’re going to make money with them. Cashing a check for a few million dollars is an expedient way to do it.

Working for a powerful web giant probably does sound appealing. I don’t think the startup founders are fibbing when they say that joining a huge company will help them fulfill their founding missions. Still, the scrappy renegades who found startups and invent new things rarely seem to be content at bigger companies forever. One example that springs to mind involves Twitter rather than Google or Facebook: Loren Brichter, creator of the amazing app Tweetie, left Twitter only 19 months after he joined it.

Continue Reading: http://techland.time.com/2012/07/20/why-google-or-facebook-buying-your-favorite-startup-means-its-probably-toast/

Marissa Mayer and Future Relationship of Yahoo!, Google and Facebook

Eric Jackson in Forbes Wrote:

There are so many intriguing aspects of Marissa Mayer‘s hiring at Yahoo! (YHOO).

However, what intrigues me most is what the future strategic direction of Yahoo! will be under her watch and what it means for the company’s relationships with Google (GOOG) and Facebook (FB) (not to mention Microsoft (MSFT)).

Presumably, Marissa already has the beginnings of a strategic vision, and she said as much in a leaked memo yesterday:

The company has been through a lot of change in the past few months, leaving many open questions around strategy and how to move forward. I am sensitive to this. While I have some ideas, I need to develop a more informed perspective before making strategy or direction changes.

Continue Reading: http://www.forbes.com/sites/ericjackson/2012/07/20/predicting-the-strange-future-relationship-of-yahoo-google-and-facebook/

Fake Facebook Photo Notifications Contain Malware

Mashable: Sophos’s Naked Security blog outlined the threat on Wednesday. SophosLabs intercepted a “spammed-out email campaign” designed to spread malware. Sophos provided the following example:


The blog notes that the sender address in the example misspells “Facebook” as “Faceboook”. The link leads to a page containing a malicious iframe that attempts to infect the visitor’s computer; after about four seconds the browser is redirected to an innocent-looking Facebook page like the one below, which acts as a smokescreen.


The lab recommends checking the sender address of any “Facebook” email closely and hovering over the link before clicking it; you should see that it does not lead to a Facebook page.
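Both of those manual checks, the misspelled sender domain and the link that goes somewhere other than Facebook, can be automated at the mail gateway. The following is an added example for this page, not Sophos’s or Facebook’s code: it parses a raw message with Python’s standard `email` library, compares the sender’s domain and every link host against an allow-list of domains the brand really uses (an assumption here, limited to facebook.com and facebookmail.com), and flags near-misses by edit distance, so “faceboook.com” is reported as a lookalike rather than simply as unknown. The sample message, its addresses and the example.org link are constructed.

```python
"""Added example: flag mail that claims to be from Facebook but isn't."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlsplit

# Assumed allow-list of domains the brand genuinely sends from / links to.
TRUSTED_DOMAINS = {"facebook.com", "facebookmail.com"}

# Constructed sample (not the Sophos capture): note the extra 'o' in the sender.
SAMPLE_MAIL = """\
From: Facebook <notification@faceboook.com>
To: victim@example.com
Subject: You have been tagged in a photo
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A friend added a new photo with you to the album.</p>
<p><a href="http://example.org/photo/view?id=42">See the photo</a></p>
</body></html>
"""


def edit_distance(a, b):
    """Levenshtein distance; 'faceboook.com' is one edit from 'facebook.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude eTLD+1: the last two labels, enough for .com-style brand domains."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host):
    """'trusted' if on the allow-list, 'lookalike' if within two edits of one."""
    dom = registered_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if any(edit_distance(dom, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unrelated"


def analyze(raw_message):
    """Parse a raw RFC 822 message and judge its sender and its links."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = email.utils.parseaddr(str(msg["From"]))
    sender_host = addr.rsplit("@", 1)[-1]
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    hrefs = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', body, flags=re.I)
    link_hosts = [urlsplit(h).hostname or "" for h in hrefs]
    links = [(h, classify_domain(h)) for h in link_hosts]
    claims_brand = "facebook" in display_name.lower()
    sender_verdict = classify_domain(sender_host)
    # Suspicious when the display name invokes the brand but the sender
    # domain or any link host is not one the brand actually uses.
    suspicious = claims_brand and (
        sender_verdict != "trusted" or any(v != "trusted" for _, v in links)
    )
    return {"sender_domain": registered_domain(sender_host),
            "sender_verdict": sender_verdict,
            "links": links,
            "claims_brand": claims_brand,
            "suspicious": suspicious}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
```

The display-name check matters: a mail from an unrelated domain that never mentions Facebook is just mail, whereas one that says “Facebook” in the From name and then sends you to example.org is exactly the pattern in the Sophos sample. The two-label `registered_domain` is deliberately simple; for brands on country-code second-level domains (co.uk and the like) a public-suffix list is needed instead.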

Have you been duped by a fake Facebook photo tag message? Let us know in the comments.

Facebook and Opera: Facebook Browser Is Imminent

Mashable: Are you ready for a Facebook browser that integrates the social networking behemoth into your online life more than ever? That’s exactly what could be on the way soon, according to one report.

A Friday Pocket-lint report cites a “trusted source” saying that Facebook wants to buy Opera Software, maker of the Opera web browser, which claims more than 200 million users worldwide. The Facebook browser would ship with default menu-bar plugins, permeating Facebook further into users’ general web experience, according to the report.

A Facebook spokesperson declined Mashable‘s request for comment.

A custom browser would be a significant step toward Facebook becoming your web, rather than just a site you visit and a service you use. Opera’s mobile browser has received strong reviews, so a Facebook browser built on it could be even more powerful. Facebook has struggled to penetrate mobile use as deeply as many think it should, and will need to in order to sustain long-term growth.

A Facebook browser would also bolster the newly public company’s competition with Google. Google Chrome recently became the web’s most-used browser, but Facebook’s gigantic user base of more than 900 million people would present a potentially serious threat down the line. It would be interesting to see Facebook battle Google for browser dominance while Google+ struggles to play catch-up in social networking.

We’ll see if the Opera rumors are true, but if Pocket-lint‘s “man in the know” is even remotely hooked in, it’s not hard to imagine the arrival of a Facebook browser being only a matter of time.

How could a Facebook browser help the company take over the web — or can it? Share your perspective in the comments.

Source: Mashable