26 models of Trendnet webcams have been identified as vulnerable to a bug that lets anyone tap into the video stream with just an IP address. The flaw was noted a month ago and the company has been working to alert people and patch the devices. Unfortunately, the company has no way of contacting non-registered webcam owners, and so the devices may remain accessible if the users never suspect anything.

It’s a bit scary, but certainly not unprecedented. Although it’s not quite the same thing, two years ago a school was accused of spying on its students via the webcams in school-owned laptops (the district later settled). This time, it’s hackers who found their way in, and randoms on the internet who spent long hours watching the feeds.

The security flaw was posted by Console Cowboys on January 10th; the susceptible devices were easily found, as they identify themselves in such a way that their IP can simply be scraped for. The result: hundreds of feeds being watched, some mundane things like cameras watching the front door, but others were trained on, say, a young mother in some state of undress watching over her baby.

Screenshots were taken and video recorded, naturally, and while some of the people on message boards, Reddit, 4chan, and other communities may have thought it creepy and inappropriate, many more must have considered it the opportunity of a creepy lifetime. Of the hundreds of devices known to have been watched, and perhaps thousands more worldwide (Trendnet estimates the total vulnerable, not to say breached, at “most likely less than 50,000″), how many had kids playing, or someone walking out of the shower, or anything you can imagine.

And the worst part is that many of these devices will never be updated. The users can’t be alerted directly, as the webcam runs independently as a networked device on some normal webcam broadcast software. Even a “call home” automatic check for updates, if it’s enabled, would probably be dismissed by most users. “The camera is working fine, why bother? Probably just have to configure it again.”

The company that created the webcams will likely be sued, and rightly so. They are absolutely liable for software they marketed as secure and private, and which appears to have been breached by one guy, who did it on his own for kicks. A security researcher would probably conclude that the protections on the cameras were totally inadequate. After all, the breach was done after updating the camera to the most recent firmware (from 2010, as it turns out). And while they issued an update on January 30th and knew about the flaw weeks before, there was no real announcement until yesterday.

And with all this comes the question of whether in a case like this a company should be able to force-update a device. It’s the “light side” version of Amazon sucking books off your Kindle, but it’s essentially the same action.

One also begins to wonder how many cameras are being accessed by people who don’t publicize their results or share on web communities. I’ve tipped my own webcam up in what I feel is justified paranoia, and things like hard disconnects or shutters will likely become popular features once the security risks (always extant) become more well-known.

The company has put up a warning and list of affected models here. Worth checking and perhaps sharing.

[additional info from BBC and The Verge]

My Dad, bless his heart, spends all day on the Internet and, like a reverse Cat’s In The Cradle, my dad is just like me in that he loves to find wild junk that he thinks is interesting. To wit: he just found the Brinno Peephole Viewer, an electronic system for looking through a peephole.

To be fair, this is definitely something people need. My parents are getting up in years so they’re getting both blind and paranoid, so anything to assuage those two situations is a plus. This thing attaches to your normal peephole and then displays the scene behind the peephole on an LCD screen. It runs on two AA batteries and costs about $90.

The viewer also reduces fish-eye distortion found with regular, non-LCD peepholes.

It’s definitely not new nor is it particularly high tech, but if you, like me, are dealing with a set of parents who are getting up there in years and need a leg up, it might be a nice investment. Besides, it’s fun to say peephole.

Product Page

In 2011, Sony had several major security breaches: Sony Online Entertainment, Sony Pictures, and Playstation Network all were attacked and private data was successfully stolen. Their handling of the attacks, particularly the larger PSN one, was widely criticized.

Many users are either unaware or acutely aware of how many sites and services have financially or personally sensitive information on record. Events like the Sony hacks do not reassure them, and actions like Google’s yesterday (though arguably innocuous) may alarm them. Users want more control and more security.

And the EU is looking to give it to them. But with the threat of enormous fines, many companies will find that the most logical thing to do is move away from the entire business of storing and serving user identities.

It’s a simple fact that maintaining a database of a hundred thousand or a million (or far more) active users is a serious engineering problem in both software and hardware. Keeping things secure but still accessible, staying abreast of new regulations (like those proposed in the EU), providing localized support on billing and user data issues — it’s quite a task. Web enrollment in software and services is growing at a huge rate, and many products and “real” items such as cars and banks are increasingly reliant on online services as well. It’s been happening for a long time, sure. But the stresses are starting to get out of hand.

If you’re a car company, or a movie distribution service, or a game publisher, the process of keeping and tracking your users securely is becoming too great of a portion of your business. And with increased regulation and requirements like the EU’s (which some are calling “onerous” and a “tax” on businesses that keep electronic records, but are probably nevertheless inevitable), it’s not something on which they can get by with minimal effort.

So what will happen? The same thing that happens whenever a part of an industry begins to outgrow its role: new, dedicated companies sprout up and the world offloads the task onto them.

This already happens to some extent, of course. It’s not like every company in the world maintains an independent and proprietary database of its users. There are services and software for this purpose, and the user-management business is plenty real already.

But for the millions and millions of people and accounts still internally managed (numbers that are growing worldwide in any market you can think of as online services gain more traction), the situation no longer makes sense. Why should a company that runs a movie distribution service also be running a world-class user-management service? It doesn’t make any sense. It’s like a restaurant making its own forks.

It was logical for a while that data related to Sony services should reside on Sony servers, administrated by Sony. But in a day where our logins transcend sites, and everything we do is personalized, that no longer really rings true — to Sony, that is. Regular humans want to go to a site, put in their user name and password, and have their data retrieved. They don’t really care if the data is served by Sony or a third-party site because it’s never said one way or the other.

But for Sony and companies like it, the increasingly expensive and complicated user-management part of their business is starting to look like an attractive target for spinning off to third-party services. And third-party services are going to start revving their engines to attract these user-weary multinationals. This doesn’t apply to services like Instagram and Spotify, naturally; they’re account-focused to begin with.

It will be much easier for a company built from the ground up for user databases to handle these requirements and adjust to local laws. They can do it faster, better, and cheaper than an internal team, and compete directly with each other. It’ll be good for the user data sector and good for the multinationals hoping to offload this burden. Not to mention good for the users: the EU regulations require fast turnaround on data, instant notification of security breaches, and impose heavy fines for abusive or neglectful companies. Sony wants to worry about the quality of its games and devices, not about whether each of its 20 internal user-tracking divisions is jumping through legal hoops.

Secure account management isn’t the most exciting business, but you better believe it’s going to show some serious growth over the next few years, and everyone will gain by it.

Editor’s note: Contributor Kai Lukoff is based in Beijing and is co-founder of the startup blog TechRice.

Here’s Hongyi Zhou’s advice to Chinese entrepreneurs: “Don’t try to be cool.” Zhou is CEO of Qihoo 360 (NYSE: QIHU), whose company’s core is the definition of uncool: anti-virus software. Yet Qihoo has 370 million monthly active users and a very cool $1.9 billion dollar valuation.

If you want to build a big company in China, don’t build for your iPhone-toting friends, the Chinese tech blogs, or copy the latest fad on TechCrunch. Chinese entrepreneurs must appreciate the vast chasm between white-collar elites and the rest of the country. The Silicon Valley has an echo chamber of its own, but China’s is an order of magnitude louder.

“There’s only 80 million or so white-collars in China, and not even 5 million could be considered your peers,” Zhou told a group of Chinese Stanford students visiting as part of the Stanford CEO Beijing tour over winter break. Many of the students are already running startups in China or considering returning to do so.

Hot startups that pop up on TechCrunch all have at least five Chinese versions. That’s a common route for the ‘cool kids’ among Zhongguancun’s techies: there are more Tumblr, Flipboard, Pinterest, Instagram, and WhatsApp clones and mashups than you can count. You may receive a mention on 36kr or Tech2IPO, China’s top startup blogs, but that does nothing for your user growth in a second-tier Chinese city, let alone in the third, fourth, or fifth tier.

Chinese blogger Simon Shen writes, “China does not have one so-called ‘national internet,’ instead there’s a great divide. It encompasses the elite with ThinkPad laptops and also the grassroots with MTK Shanzhai mobile phones. Our elites are on par with America, while our grassroots are on par with Vietnam.”

In ”The Story of W&L”, Shen tells the tale of two Chinese entrepreneurs: W, who always adopts the latest coming out of the Silicon Valley, and L, who mingles with migrant workers to learn what simple games they want on their Shanzhai feature phones. It’s L who’s making the real money: “in China, you target elites to make noise, but you target the grassroots to make money.”

The Four With Reach
Only four companies have achieved mass market reach among China’s 500-million plus netizens: Tencent, Baidu, Alibaba, and Qihoo. The first three are China’s reigning Internet emperors. Qihoo is a scrappy newcomer with the user numbers and decent revenues, though its business model is still a work in progress. All four feature products that foreigners—and highly-educated Chinese returnees—may scorn, but are beloved by local users.

Qihoo 360 started in 2006 with anti-virus software, a product so prosaic that it even flew under the radar of China’s existing Internet giants for the first three years of the company’s existence. In 2009, Qihoo made a daring decision to give away its anti-virus software for free. Anti-virus may not be flashy, but it’s a basic essential for all Chinese netizens, who face a daily barrage of viruses and malware. It quickly became the default for Chinese Internet users.

Leveraging that trust and brand recognition, Qihoo then rolled out a suite of security-related products. In China, the Qihoo 360 Safe Browser is second only to Internet Explorer in market share. The browser directs massive traffic to a start page (hao.360.cn) full of paid links to popular Chinese websites, with a layout like Yahoo’s circa 1996. It won’t win any awards for web design, but selling links and search traffic on that one page generated 60% of Qihoo’s $47.5 million in Q3 2011 revenue (see also Red Tech Advisors’ superb deep dive on Qihoo’s innovative business model).

Building a billion dollar company and solving a real problem for hundreds of millions of users, that’s pretty cool.

There’s something weird going on with Chromebooks – the Google-branded laptop computers powered by the company’s web-based operating system Chrome OS. They’re not saving the password changes you make to your Google account. Basically, if you change your password, shut down your machine, then reboot, the Chromebook will ask you for your old password instead of the new one.

The problem has to do with Google’s sessions being persistent (that is, they don’t log you out), and leads to a relatively minor security threat. Meaning, if someone was to take advantage of this threat, they would need physical access to your Chromebook. In the grand scheme of things, that puts this threat on the low-end of the risk spectrum. However, because Chromebooks are pitched as low-cost, secure, easy-to-use alternatives to traditional laptops for businesses and educational institutions, it’s important to highlight issues such as this to make the community aware.

Also, I just think it’s annoying.

Having experienced the problem myself after a tip from my former colleague Audrey Watters who covers the edu-tech space at Hack Education, I reached out to security professionals to determine its severity.

Roel Schouwenberg, the Senior Researcher at Kaspersky Lab, who will also be speaking on the topic of Chrome OS security at the upcoming RSA Conference 2012, looked into the problem. He found that the reason this is occurring is because your Google password is used for local authentication, too.

“This is why you can log onto your Chromebook even when it has no Internet connection,” he explains. But when you change your Google password, that change is not immediately communicated back to the Chromebook, even though the new password is active for all your online services.

This is the case even if you change your Google Account password on another device. The old password is stored in Chromebook’s local authentication, so the computer will  ask for the old one. In order to workaround this issue, you have to sign out of your Chromebook session on the device while you’re online, then sign back in to force the sync of the new password that’s already active elsewhere.

But security-wise, an attacker would have to know your old password and have physical access to your Chromebook in order to be a threat. And even then, there isn’t much of a threat: you still have to re-authenticate with any Google service before getting connected to, say, your Gmail or Google Docs, for example.

So while you could call this a security issue, it’s really more of an annoyance. From an I.T. support standpoint, however, I could see this being a hassle for Google App admins who have to help users who can’t figure out why their new password doesn’t work. (One thing I learned from my handful of years in I.T.: no one is immune from experiencing password reset issues. Having passwords that don’t immediately update even when you’re online, would only compound the problem.)

In online discussions of the issue, folks who didn’t force the refresh on their own (you know, normal people), reported seeing sync delays of 24 hours even up to four days or a week. That seems high, though, and it’s hard to know how long these delays are normally without further investigation (underway now).

For what it’s worth, much of this behavior (using the password for local authentication, for example) is by design. That’s why Chromebooks work offline. And a lot of the confusion here could be minimized simply by having a better UI (user interface) and flow for walking you through the password change process.

But really, if you change your Google password, and your Chromebook requires your Google password, then the end user’s expectation is to use their current Google password.

It’s kind of one of those non-issue issues, but something that’s indicative of how far Chrome OS still has to go to be a competitive alternative to traditional operating systems: they’re still working on the login, folks. The login!

On the surface, the announcement sounds boring: Microsoft said this morning that it will begin automatically upgrading Windows customers to the latest version of Internet Explorer starting next year. But in reality, this was one of the most important things Microsoft could have done for the web, web security and the safety of all those who go online.

Nice move, Microsoft. It’s about time.

According to the official blog post, the IE updates will be pushed out to those running Windows XP, Vista and Windows 7, beginning with customers in Australia and Brazil in January, before rolling out worldwide.  Only those who have “Automatic Updates” turned on in Windows will receive the download, however. But thanks to constant prompting from the Windows OS itself, that’s an option many have already agreed to.

There are numerous ways to opt out, too, ranging from blocking tools to simply uninstalling the updates, which rolls you back to your previous version. Those who have declined the update previously also won’t be upgraded. (I’m not so sure about that one. I’d ask again – maybe they just found the pop-up annoying at the time?)

Silent updates to the browser is now par for the course in modern browsers like Firefox and Chrome, as Microsoft points out. Although Firefox’s move to silently update its browser was a more recent addition, Google has long made automatic updates a part of Chrome’s value proposition. And though it goes without saying that an updated browser is a more secure one, Microsoft has helpfully linked out to its own research on the matter: the Microsoft Security Intelligence Report (vol 11), which found that less than 1% of exploits during the first part of 2011 came from zero-day vulnerabilities (meaning those that are so new, they have yet to be patched by software vendors).

99% of all attacks, the report said, came from unpatched but known vulnerabilities and/or social engineering (a whopping 45% there). Just as sad, 90% of infections were attributed to a vulnerability exploitation that had a security update available for over a year. Over a year!

Granted, the report wasn’t looking only at web browsers, but it’s common knowledge that older versions of IE are the ones causing the most trouble. According to Internet security firm Secunia.com, there are over 200 vulnerabilities in IE 6, for example, 15% of which are unpatched. Even Microsoft can’t stand the thing, having set up a web page devoted to “moving the world off of IE6,” a browser built 10 years ago.

And yes, despite Chrome’s advances, what happens with IE still matters. The thing still has a 53% market share (source: netmarketshare). 

So while, in the past, it’s been funny (sad?) to have “upgrade your mom and dad’s web browser day,” doing so has not just been about the browser wars – it’s about the web’s future (hello, HTML5) and safety as a whole. And frankly, that’s not really a job everyone’s parents are up to. Even as a fairly tech-savvy person myself, it’s not a job that I want to be burdened with, either. The vendor should be pushing the updates down to me. (Hey, you too Apple! I have to hit the App Store Upgrades section daily. Lame.)

There’s more of a benefit to pushing down the new version, at least in terms of security. Let those who care figure out how to opt-out and leave the rest of us alone.

I’ve recently fallen into the habit of pulling and tugging at ATM slots before I slide my card through because I fear that someone nefarious has stuck one of these 3D-printed card skimmers over the opening. This skimmer, found in California, was 3D-printed to resemble the real Chase ATM slot almost perfectly.

Wildly enough, there’s a pinhole camera connected to a full PCB hidden under the plate and the ports designed to assist the visually impaired seem to be unimpeded, which means nothing would seem amiss even as this thing grabbed your card account number, PIN, and, presumably, the security code on the back of your card in some cases. The fact that this barnacle of electronics is attached, parasitically, to one of the most secure and human-proof devices in existence is an amazing feat.

Krebsonsecurity writes:

I’ve noticed that since a pair of skimmers were caught in New York City using similar hardware, many of the Chase ATMs here have begun using a different design with blue transparent plastic. I worry that this sort of security by reaction will be a bit shortsighted but clearly Chase has begun the cat and mouse game with these guys. I wonder when those janky ATMs at delis and convenience stores will be hit?

More and more of us are getting comfortable sharing our real-world identities online, but the tools for helping us maintain our online privacy and security are still catching up to our behavior. Witness the porn-and-violence spam links attack that caused many users to accidentally share and see nasty images in their news feeds.

German company Secure.me has a solution, that it has recently launched to the world: an online service that analyzes your Facebook profile for any data that’s putting your privacy at risk.

It’s not the only service out there. Some others include Friend Checker, Minor Monitor and SocialShield (the latter two being designed primarily for parents watching their kids). But Secure.me is interesting for a couple reasons. One is the ease of use, and the other is the dual individual and parent focus.

First, the interface does a nice job of mimicking high-end virus protection software — you can see scores and analysis happening in front of you in a reassuring dashboard format. You start out simply by connecting with Facebook. The site will then automatically begin scanning your Facebook profile to identify any potential risks. Sections on the site’s left-hand navigation bar include a summary of all risks, analyses of your photos and activities, as well as sections on your profile, network and overall privacy.

The last three sections each include their own scores. Your privacy analysis is scored based on how much information you share in your information section, and it’s pretty aggressive. For instance, including your sexual orientation or political beliefs will result in a lower score than if you don’t (you never know how people might use that information against you).

Your profile analysis shows a score for the mood of posts from friends and apps that you’re mentioned in, presumably based on keyword sentiment analysis. The point is apparently to help show if conversations you’re in are getting out of control. There’s also a tag cloud of trending topics to help you get a sense for what others are talking about.

The network analysis shows posts from friends and people in your network, and featuring anything that includes potentially offensive words, from “sex” and “idiot” to more serious swear words. The company will also warn you if there’s a particularly dangerous link being shared by your friends, like for the porn and graphic violence that hit Facebook several weeks ago. This section also has a mood bar to show how your friends seem to be feeling.

Some extra features help the service stand out, including a tool that analyzes photos from your friends and network to identify any photos of you that you aren’t already tagged in. The parent feature works similarly to SocialShield and other competitors. You, the parent, email your child an invite link, and they sign in with Facebook and let you see what they’re sharing.

In my experience testing Secure.me, I didn’t find anything shockingly revealing. I was aware of every potential security risk that the service found for me. It didn’t find any crazy untagged photos of me, either. Maybe the boring results are simply because I’m pretty aware of how I use Facebook already? Or because I’m not that actively sharing and discussing content with people?

Secure.me got its start in Germany back in 2007, building an all-purpose tool called Ruflotse, which lets users to track themselves across the web and in social networks. Whether because Facebook has gotten big in Germany or because Germans are especially sensitive around privacy, the Facebook analysis became an especially popular feature. The original company has its headquarters and 50,000 paying users in Europe. The international focus, which includes the “Secure.me” name, and the Facebook focus, also includes an office expansion — it’s just set up shop in San Francisco as well.

Going forward, the plan is to start charging users for access to premium features, cofounder and CTO Christian Sigl tells me. These features include automatic analysis of your profile every day, the photo matching tech, extended data storage (7 days for free, 90 for paid), and multi-person access intended for parents. The site is available as a free trial now but look for the subscription request to come at the beginning of the year.

DARPA’s Shredder Challenge, a contest to reconstruct documents from a slurry of shredded paper, has been solved, suggesting that my grandmother may be barking up the wrong tree when she shreds the Campmor catalog. Three scientists with experience in computer vision and mobile technology, Otavio Good, Luke Alonso, and Keith Walker, scanned each chunk for unique characteristics that allowed them to reconstruct the documents automatically on screen. They then put the pages back together by hand.

Their team won a $50,000 prize.

The contest consisted of five different documents (you can try a demo here but rest assured the real ones were a bit harder) and teams were a race to reconstruct them as quickly as possible.

So should gam-gam – or you – keep shredding documents? Good told the New Scientist:

So with DARPA’s documents reconstructed, are shredders now insecure? No, says Good. “The challenges that DARPA gave us were actually simple compared to if you have a bin full of lots of shredded pieces of paper. Reconstructing these documents was not easy at all. I don’t think you have much to worry about with your shredded documents.”

Looks like your secrets are safe… for now.

A San Francisco-based team has just won the DARPA Shredder Challenge. DARPA, the government agency whose work led to the creation of the Internet, challenged the public to reconstruct five shredded documents. The winning team, called “All Your Shreds Are Belong to U.S.” completed the task in 33 days, spending nearly 600 man-hours building algorithms and piecing together more than 10,000 shreds.

9,000 teams registered to compete. The winning teams gets a $50,000 prize paid for by the U.S. Treasury.

Dan Kaufman, director, DARPA Information Innovation Office says “the most effective approaches were not purely computational or crowd-sourced, but used a combination blended with some clever detective work.”

DARPA Director Regina Dugan adds “The DARPA Shredder Challenge underscores the value of increasing the number and diversity of problem solvers. The varied methods used have potential implications for so-called ‘wicked problems,’ generally considered insolvable by conventional means, and offer the possibility of increased speed, agility and breadth in innovation.” I’ll say.

The shredder challenge also suggests just because you shred something, that doesn’t mean it can’t be put back together.

You can see the puzzle solutions and pictures of the winning submissions at www.shredderchallenge.com.

Update: Here’s a look at the winning teams solution to the puzzle above:

You may be aware of the growing controversy surrounding Carrier IQ, a piece of software found pre-installed on Sprint phones that, according to developers who have investigated, is capable of detecting, recording, and transmitting various user actions and inputs. Among the data CIQ potentially has access to are location, SMS, apps, and key presses.

News of the software has been percolating for months on development forums, but when Trevor Eckhart recently summarized his findings, he found himself facing a cease and desist while Sprint vigorously denied the charges, saying “We do not and cannot look at the contents of messages, photos, videos, etc., using this tool.”

The C&D was quickly retracted, but Eckhart has now released a video that seems to give the lie to both Sprint and Carrier IQ’s assurances.

A step by step breakdown of the video, with code snippets, is available here.

A couple grains of salt are suggested. First, while Eckhart has no reason to falsify this information, it’s possible that this debug log is not entirely accurate for technical reasons, or that the conclusions are only applicable to this handset or software version. Second, this log does not prove that any of this information is actually being transmitted to any third party.

However, the fact that CIQ is in fact seeing all this information means that it has access to it and could very easily record it and transmit it. Whether it has or hasn’t isn’t material, because Sprint and CIQ have both said that they can’t. In fact, CIQ claims their software:

-Does not record your keystrokes.
-Does not provide tracking tools.
-Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
-Does not provide real-time data reporting to any customer.
-Finally, we do not sell Carrier IQ data to third parties.

Note the careful use of the words “record,” “provide,” “inspect,” and “report.” It’s obvious from this video that the application has access to the information in question, and whether it records, provides, inspects, or reports it is simply a setting they can choose. The purposes for which CIQ says their software is installed — identifying trending problems in the fleet, for instance — don’t seem to me to require the level of access the software has granted itself. Add this to the fact that users are not informed at any step of the fact that their information is passing through “quality assurance” layer (sometimes before the user layer itself is aware of it), and their indignant denial begins to ring hollow.

Furthermore, as many developers have pointed out, the mere presence of the software is detrimental. Removing the software has reportedly improved performance and battery life. Furthermore, secure handshake information over wifi is passed through the software unencrypted, something that has little to do with carrier quality assurance. And if that information is cached even temporarily, that’s a security risk.

The presence and capabilities of this software, if it is indeed necessary, should be explained fully to users and the option given to safely opt out. As it is, Carrier IQ’s software appears to be overly invasive and potentially insecure. Hopefully Sprint will provide an adequate explanation soon; in the meantime, CIQ cannot be removed except by installing a custom ROM, so unless you’re prepared to do that, you’re out of luck.

Valve CEO Gabe Newell has contacted all users of the Steam game distribution platform to let them know that the company has suffered a security breach. The hack was originally thought to be limited to the official Steam forums, but further investigation has revealed that the hackers had access to a database containing “user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

That said, they says that they have no evidence that any personally identifiable information was actually taken, and have detected no fraudulent credit card information.

Users of the service are advised to change their passwords and be on the watch for suspicious account activity.

Here’s the notice in its entirety:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

In an experiment that reveals as much about the people on Facebook as it does about Facebook itself, researchers from the Unversity of British Columbia Vancouver infiltrated the social network with bots and made off with information from thousands of users.

Around 250GB of data was stolen during the study, including personal and marketable information, and around three thousand users were targeted. Only one in five of the profiles were flagged by the Facebook Immune System, which clearly needs a boost.

The fake UBC accounts, which they call “socialbots,” were created from a few simple scripts, which submitted a the requisite account information: names, pictures, and status updates were trawled from the open web, eventually producing 102 fairly believable accounts. The intelligence organizing this effort is referred to evocatively as the “botherder” or “adversary.”

Next, they sent friend requests to random people. Unsurprisingly, they found earlier that more attractive people get better responses to unsolicited friend requests, so they pulled their profile pictures from the high end of Hot Or Not. Only 20% of this initial random sampling took the bait, but later, when friending one of their network’s 2nd-degree friends, the success rate jumped to 60%. That’s called the “triadic closure principle,” if you were wondering. Each bot made around 20 friends on average, but some nabbed as many as 80 or 90.

Facebook’s fraud detection was avoided by rate-limiting the posts and friend requests to avoid CAPTCHAs. Only 20 profiles were detected by Facebook, all of them, interestingly, the female bot variant.

Considering how easy it was to automate the process of account creation and propagation, one has to question the effectiveness of Facebook as an authentication system. Naturally it can be used to determine identity to a certain point, but it’s certainly no Turing Test. Our own comment section shows that bots and generated accounts are plentiful. Hopefully this experiment will spur Facebook to improve this aspect of their security, as it was intended to. Maybe it will also convince some people to be a bit more selective in their friending process.

And in case you’re wondering whether you might have inadvertently contributed to the experiment and, thus, the sum of human knowledge, rest easy:

We carefully designed our experiment in order to reduce any potential risk at the user side by following known practices, and got the approval of our university’s behavioral research ethics board. We strongly encrypted and properly anonymized all collected data, which we have completely deleted after we finished our planned data analysis.

You can download the full report here. It makes for interesting reading, though for hackers and botnet enthusiasts, it probably contains little in the way of new information.

New figures from Facebook reveal how often the social networking site’s users are hacked. In the blog post announcing the forthcoming “Trusted Friends” feature, Facebook also an included infographic detailing Facebook’s security measures. One figure in particular jumped out at security researchers: every day, “only .06%” of Facebook’s 1 billion logins are compromised. Or, to put it another way, 600,000 logins per day are compromised.

This tidbit was first noticed by Graham Cluley of Sophos, who, apparently didn’t ignore the infographic like the rest of us. (Marketers have ruined infographics for us – we’re too often infographic-blind these days).

Crunching the numbers, Cluley noted that 600,000 compromised logins per day means one compromised login every 140 milliseconds.

Facebook revealed the figure in a section explaining how it keeps spam at bay, as the majority of the time, Facebook accounts are hacked by spammer who send out messages to the victim’s friends. (Who hasn’t seen this? “Help, I’m in London and had my wallet stolen!”)

There were some other interesting numbers shared by Facebook, too, including:

• Less than 4% of the content shared on Facebook is spam (vs. 89.1% of email is spam)
• Less than 5% of Facebook users experience spam on any given day
• 50% of Facebook’s 750+ million users login to Facebook every day (wait, aren’t we up to 800 million now? Must be an old infographic).
• The average user has 130 friends
• People spend over 700 billion minutes on the site per month

Update: We were curious about what Facebook really meant by “compromised” accounts, so we were glad to hear back from the Facebook PR team this afternoon with a clarification. First of all, Facebook wants it known that these accounts weren’t hacked or compromised on Facebook itself, they are compromised off site, such as through phishing scams, for example. (I think we all pretty much knew that, but there you go.)

And for the record, here’s how Facebook is defining “compromised”:

Compromised in this sense refers to logins where we are not absolutely confident that the account’s true owner is accessing the account and we either preemptively or retroactively block access.

Facebook says it will soon allow you to get help from your friends when you get locked out of your Facebook account. According to a post on Facebook’s official Security page, you’ll be able to designate three to five friends as “Trusted Friends” who will be sent special codes in the event that you’re locked out of your Facebook account and unable to access your email.

It will also be introducing something called “App Passwords” to bring increased security to Facebook-enabled applications.

Typically, when you can’t remember your Facebook password, you can have a password reset sent to you via email. Sometimes, such as when you’ve had your Facebook account hacked, your email has also been compromised. In other cases, people who signed up with Facebook so long ago may no longer have access to the email account (or accounts) Facebook has on file.

With the new “Trusted Friends” setting, getting back into your locked account can now be facilitated by your friends instead.

Says Facebook:

Similar to other features that help you prove your identity through your friends, you can now select three to five trusted friends who can help you if you ever have issues accessing your account.  It’s sort of similar to giving a house key to your friends when you go on vacation–pick the friends you most trust in case you need their help.

If you forgot your password and need to login but can’t access your email account, you can rely on your friends to help you get back in.  We will send codes to the friends you have selected and they can pass along that information to you.

Facebook is also introducing another security feature in the next few weeks called App Passwords. This will allow you to set application-specific passwords that will allow you to login to third-party applications with a unique code. From the description, it sounds like these will be one-time passwords that you will use just the first time you authorize an application using your Facebook credentials.

Although it’s nice to see Facebook focused on security efforts, this particular development is probably not going to be much of a hit with mainstream users. Even Facebook itself can’t seem to describe the feature all that clearly:

There are tons of applications you can use by logging in with your Facebook credentials.  However, in some cases, you may want to have a unique password for that application. This is especially helpful if you have opted into Login Approvals, for which security codes don’t always work when using third-party applications.

We are testing a feature that allows you to use app passwords for logging into third-party applications. Simply go to your Account Settings, then the Security tab, and finally to the App Passwords section.  You can generate a password that you won’t need to remember, just enter it along with your email when logging into an application.

Facebook makes this announcement all the more confusing by posting a screenshot with the word “Apple” to describe the “app” in question. That makes it sound like Facebook is talking about device-specific passwords, which is not actually the case.

It’s a one-time password for a given app, and that app may run on an Apple device, but it won’t work for all the Facebook-enabled apps on the same device.

A hacking group calling themselves “Team Swastika” posted what they claimed was over 10,000 comprised Facebook accounts to Pastebin, a service that serves as an online clipboard. However, according to statements from Facebook PR, these email and password combinations don’t actually represent live Facebook accounts. Instead, it appears that the hackers obtained the accounts using common phishing techniques, where users were tricked into giving away their personal information.

The development was first discovered by Rik Ferguson of Trend Micro, who notes that this hacking group had previously drawn attention to itself by publishing database tables and user credentials from the websites of the Indian Embassy in Nepal and the Government of Bhutan.

He was able to look at the list of supposed Facebook accounts before it was taken down, and found that they came from all over the world, and the majority of the users were not using complex passwords. Many of the passwords were simply a derivation of the user name, a favorite sports team or a short numerical password.

There was no indication as to how this account data was stolen, said Ferguson.

Says Facebook:

This does not represent a hack of Facebook or anyone’s Facebook profiles. Our security experts have reviewed this data and found it to be a set of email and password combinations that are not associated with any live Facebook accounts.

In reality these emails/passwords are the result of standard phishing activities where people were tricked into giving away their credentials.

Although the accounts may not have been actual Facebook logins, assuming they are indeed legitimate email/password combos, they could represent a comprise of numerous other services. Because users often reuse their same password around the Web, the logins may open up access to other accounts that were not the intended target of the phishing scheme. Good thing they’ve been taken down from Pastebin then.

Update: Ferguson now has new info on the compromised accounts. He says that the two lists the hacking group posted have previously been seen online. One list has been around for the better part of a year, while the second, which may actually be the work of another hacking group, was posted 19 days ago. More details are here.   

Image: Countermeasures

Facebook is announcing a partnership with security firm Websense today, in order to protect its users from dangerous links that lead to malicious websites and malware sites. Going forward, when a Facebook user clicks on a link, the new system will first check the link against Websense’s system to determine whether or not it’s safe.

If it’s not, a message is displayed warning the user that the link is potentially harmful and suggests you return to the previous page.

The “return to previous page” button is positioned to the bottom-right of the message, and is very prominent, subtly encouraging the user to choose that option. However, for those who choose to take on the risk, a smaller “ignore this warning” option is available on the left.

Also included in the message is information about why the link was flagged as suspicious.

The system being used is powered by Websense’s “ThreatSeeker Cloud,” the security firm’s classification and malware identification platform. The company says it’s capable of analyzing threats in real-time using its own proprietary technology known as the “Advanced Classification Engine,” or ACE. With ACE, Websense can not only block known malware sites, but also those which the system has never encountered before. It can even block shortened URL’s, like those truncated using bit.ly, a company Websense partnered with in November 2009.

This isn’t the only security mechanism Facebook has in place to protect against malicious links, it should be noted. In May, the social networking site partnered with the crowdsourced reputation management service Web of Trust to offer similar protections. Web of Trust, which will continue to operate on Facebook, also checks to see if links are classified as spam, malware or phishing and presents a warning message of its own. Web of Trust, however, relies on submissions from a community of users who have installed its Web browser extension, not the real-time technology being used in Websense’s solution.

Facebook, too, has its own proprietary database of malicious URLs and other means it uses to keep malicious activities off its site, the company says.

This is not Websense’s first foray into Facebook protections. The company also offers a Facebook app called Defensio which allows Facebook Page owners to control the sorts of links that are posted to their wall. Defensio not only protects against malicious content, but can be configured to prevent a wide range of URL categories including sex, gambling, drugs, hate speech, violence and more.

Facebook will begin rolling out the increased protections to its 800 million users starting today.

Oh, Microsoft! You are so cunning. With IE market share plummeting and many users opting for “alternative” web browsers like Firefox and Chrome, your base of power is crumbling. We thought you would succumb to melancholy and accept your fate. But you had a plan all along. Clever girl.

Yes, Microsoft has found a way to stanch the hemorrhaging of its users to other browsers: label them as malware in the built-in Security Essentials suite!

Okay, I kid. It was just a minor mistake, and they corrected it immediately: “On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified. On September 30th, 2011, Microsoft released an update that addresses the issue.” The incorrect detection led to Chrome being removed and reinstall prohibited.

It actually brings up an interesting point, though. Seamless updates like Chrome’s are growing more popular, especially since many apps are essentially web services, and changes (mostly innocent) happen behind the curtain all the time. When it’s a local app, though, the process for authentication becomes more complicated.

Google shouldn’t have to wait for Microsoft to approve all its updates. But Microsoft needs to be vigilant and watch for unauthorized changes that may negatively affect the user. And while malicious programs are important to watch for, poorly secured ones can be just as dangerous.

Security was never simple, but it’s getting more complicated by the day and users have more choices and more exposure. Luckily, snafus like this one are pretty harmless and Microsoft, though I give them a hard time, is actually very responsive on this front.

Update: Google has some more information on their Chrome blog.

Remember Connectify? The downloadable software that turns PCs into Wi-Fi hotspots in just a few minutes? It looks like the company now has a new investor: In-Q-Tel (IQT), which just so happens to be the strategic investment firm that seeks out new technologies for the U.S. Intelligence Community, including the CIA.

The new funding will help Connectify move beyond simple Wi-Fi hotspot creation, a decidedly consumer-facing service, in order to focus on VPNs (virtual private networks). Using similar easy-to-install software, Connectify will soon enable users to spontaneously create self-forming VPNs without dialing into a central location. The VPNs will also leverage the combined throughput and reliability of all the available Internet connections, the company says.

The additional security and feature set will be integrated into both Connectify’s current product line-up as well as into its upcoming and yet-to-announced products.

Connectify informs us that it can’t disclose the amount of funding IQT provided due to the organization’s sensitive mission involving bringing technology to the U.S. intelligence community.

Still, it’s easy to envision potential use cases for the technology, especially in situations where authoritarian government regimes watch over their citizens’ Internet communications far too closely. But the enhanced security will benefit stateside consumers too, by offering a safer way to share your Internet access with those around you.

And here we were thinking Windows PC software was boring…consider our interest piqued.

“Did you see this photo of you?” “Look on your face in this pix is priceless!” “LMAO this video of you is funny!” 

If you’re a regular Twitter user, you’ve probably see tweets like those come through as @replies or direct messages at some point. And you probably know not to click on the accompanying link. After all, there is no picture of you behind it, only a malicious web page set up by a criminal that wants to scam you, spam you or worse – infect your computer with malware.

But now there’s a tool that gives you added protection against these sorts of threats. Bitdefender’s new Safego protection for Twitter scans your profile for spam, phishing attempts and malware, and automatically notifies you when threats are detected.

Similar to the company’s Safego Facebook app, the new Twitter protection (now in beta), uses the same anti-malware and anti-phishing engines to scan the URLs posted to your profile.

The service checks unknown users before you follow them, checks the accounts of people you’re following and scans direct messages for spam, suspicious links and highjacking attempts. Threats are ranked by their severity as red, yellow, grey (low threat) or green (no threat). An optional setting can also warn your friends if it finds their accounts have been compromised.

But the service stops short of deleting tweets or unfollowing users on your behalf – it notifies you via direct message instead.

To use the service, you simply sign in with Twitter and authorize the Bitdefender Safego application as you would any other third-party app. You can then scan Twitter users’ profiles, your Twitter timeline and your direct messages, as well as configure any necessary settings.

The app is clearly in its development period, I must warn. The first time I tried it,  there were issues authenticating my account and I was directed to the Bitdefender 404 page. But because the app is in beta right now, I supposed I’ll give it a pass for the crash. It’s stable at present (if a bit slow). And, let’s face it, the app is providing a much-need service for the spam-overridden, link-filled social network that is today’s Twitter.

While the service did an OK job with detecting obvious threats upon its initial scan, I was surprised that it had some big misses too. For example, it claimed some anonymous link-tweeting profile was safe, when it was clearly a spam bot.

Still, this app is notable because of its uniqueness. After checking with several security firms for similar products, the closest we could come up with was McAfee Mobile Security’s SiteAdvisor, which scans links in all social networking sites, including Twitter. But none of the firms connected had heard of a dedicated anti-malware app just for Twitter.

But as with anything security-related, you can’t just trust software alone to do the job for you – you need to use a little common sense, too.