It’s a little known fact that most websites have a backdoor that can get you access into other people’s accounts – weak secret questions! Ok, so maybe it’s not a back door as such, but the threat is so high that for some websites it might as well be. Let me explain…
Either today is the day I successfully complete my time machine (made exclusively from broken pieces of the Large Hadron Collider) – or hackers in the future are wreaking havoc in my account, and there’s nothing I can do about it! At least Facebook were kind enough to notify me…
In reality this is happening because I’m in GMT+11 and Facebook’s servers in San Francisco are in GMT-8, making for an awesome 19-hour time difference. Unfortunately this makes my story far more mundane, so I’m sticking with hax0rs from the future. I think the guys at Facebook may want to disambiguate this email somewhat by putting in the date/time in UTC.
If you too want to be notified when there are unexpected logins to your Facebook account, check out my post on Facebook’s Suspicious Login Tracking.
Ex-Google employee Brian Kennish has been developing a web browser plugin dubbed ‘Disconnect’, which aims to restore users’ web browsing and searching privacy on a number of major sites. The plugin, which currently supports Google, Facebook, Digg, Twitter and Yahoo, blocks uniquely-identifying cookies which are used to track individual users’ browsing activity and searches. Brian also created ‘Facebook Disconnect’, which prevents Facebook from tracking you on any website that uses the Facebook Connect functionality.
Both of these plugins de-personalize your normal browsing and searching, whilst allowing you to continue using services like Google and Facebook normally. You can see which cookies are being blocked in real-time, and unblock any that you may want. Note that the search de-personalization currently only works on the google.com domain (not local country domains).
At the moment these plugins are only available for Chrome and RockMelt (a new social media-embedded browser I just heard of), but a Safari extension and Firefox add-on are on the way!
Facebook today announced that they have developed centralized messaging functionality, which will allow people to communicate over a variety of different mediums ‘seamlessly’. Soon you’ll be able to send your friend a text message, who will receive it as an email (or chat, or message, etc). Facebook have basically created a mechanism where any text-based communication media to or from an individual will be organized into a single thread.
In theory I find this to be a great idea. Seamless messaging is something that would solve many problems, and make life a bit easier. Unfortunately there are a few issues that I can see:
- Centralized Messaging: By virtue of this service’s actual design, I’m concerned about storing absolutely all of one’s communication in one place. Currently if someone can get into your email, they can read your mails; if they can get into your Facebook, they can read your messages and chats; if they can steal your phone, they can read your SMS. If someone adopts Facebook’s approach to centralized messaging, all of their correspondence is in one place. This means that if your account, or Facebook itself, is compromised, the entirety of your correspondence is compromised.
- Non-synchronous Communication: Let’s face it… if I want to chat to someone, I will knowingly use a chat client. Why? Because I’m prepared for that style of short and quick communication. Email, on the other hand, is not as agile. Although it’s not uncommon to rapidly exchange several emails in the space of five or ten minutes, you wouldn’t want to have a full conversation using that medium. The issue here is that people who prefer chat or SMS will attempt to communicate with people who prefer email or messages. Each medium invokes a different behaviour and expectation. As a result, an email user will receive tons of really short chat-style one-liners filling up their inbox (with subjects like “(No Subject)”), and SMS users will (somehow) be receiving long-ass messages from email or message users.
- Perpetual Storage: At the moment if I send someone an SMS, I know that message will probably get deleted eventually when they choose to prune their texts. I also have a tiny bit more faith that SMS isn’t as easy to intercept, and generally only the person with access to the corresponding phone will be able to read it (as opposed to email where anyone with the username/password or able to intercept the network traffic can read them). If I send someone a message on AIM or some other IM, that message will usually only be logged on their local machine (if at all). In this new model, Facebook users, as well as non-Facebook users corresponding with Facebook users, would be delivering their conversations to Facebook for perpetual storage (they advertise this as a feature). Note that it’s not yet possible to delete an individual message from a conversation – you’d have to delete the entire conversation.
I want to like this feature, and to be honest centralized messaging in some form (not necessarily Facebook’s) is the future. Unfortunately that will mean entrusting much of our correspondence to some entity, and that entity (be it Google, Facebook, or someone else) will undoubtedly come under fire for having such a dangerous amount of insight and monopoly over the way we communicate.
A few months ago I posted about Facebook’s ever-so-slightly simplified account deletion process. I just stumbled across an article on Smashing Magazine that describes how to delete one’s account on 14 popular websites.
Here are the relevant links for the following sites:
MySpace (people still use this?)
Windows Live (“Close your account” at the bottom)
Firesheep, a new Firefox extension that allows you to intercept unencrypted sessions being transmitted over the network, has been released by Eric Butler. Taking advantage of websites that don’t use SSL by default, such as Facebook and Twitter, Firesheep uses network-sniffing to intercept the cookies used to transport session IDs (also known as sidejacking). Note this attack will work over Wifi by default, but will require extra work on a switched wired network.
Once Firesheep has intercepted a user’s cookie over the network, it allows you to be logged in as that user. The concept of session-stealing is as old as the internet, but to have a Firefox extension that does it in such a user-friendly manner is great. It’s also a lot more dangerous as it makes this attack so much easier for any unskilled attacker to carry out.
There are a couple of ways of protecting yourself from sidejacking attacks. The first and foremost is to ensure that you use SSL when visiting popular or particularly sensitive web services, including Gmail, Hotmail, Facebook, Twitter, or any other site that’s of importance to you (online banking?). The best way of doing this is to make sure your bookmarks (or the URL you type in) start with “https://”, and that no SSL certificate errors appear. Another Firefox plugin, HTTPS Everywhere, from the privacy advocates over at the Electronic Frontier Foundation (EFF), enforces SSL on predefined sites. You can also protect your searches by using Google over SSL (encrypted.google.com).
Another way of protecting yourself is to channel your browser traffic through a VPN or SSH Tunnel. Your data is then sent through an encrypted link to a remote host (preferably one you control), before being sent to the destination.
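Sidejacking works because a session cookie set without the Secure attribute is sent over plain HTTP, where a sniffer can read it. The following added example (not from the original post or from Firesheep) parses Set-Cookie headers and reports session-like cookies a site has left exposed; the header lines and the name hints are constructed for illustration.

```python
"""Flag session cookies that a sidejacker could capture: any Set-Cookie
lacking the Secure attribute may be transmitted over unencrypted HTTP.
Added example; the header lines below are constructed, not captured."""
import re

# Constructed sample Set-Cookie headers (not from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
    "Set-Cookie: auth_token=def456; Path=/; Secure",
]

# Name fragments that usually mark a cookie as carrying a session/auth identifier.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Return (name, {attribute: value}) for one Set-Cookie header line."""
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def sidejackable_cookies(headers):
    """Names of session-like cookies that may travel over plain HTTP.

    A cookie is reported when its name looks like a session/auth identifier
    and it lacks the Secure attribute. HttpOnly does not help here: the
    sniffer reads the wire, not the DOM.
    """
    risky = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        looks_like_session = any(h in name.lower() for h in SESSION_HINTS)
        if looks_like_session and "secure" not in attrs:
            risky.append(name)
    return risky


if __name__ == "__main__":
    print("Cookies exposed to sidejacking:", sidejackable_cookies(SAMPLE_HEADERS))
```

Feed it the Set-Cookie lines from your own site's responses to see which session cookies would still be readable on an open Wifi network.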
Firesheep runs in Firefox on Mac OS X and Windows; however, Windows users will need to install WinPcap first. After downloading the extension file (xpi), simply open it by going to File -> Open File (you will need to restart Firefox). To clarify some confusion, once you’ve installed the extension, you need to go to View -> Sidebar -> Firesheep to enable it, and click Start Capturing.
Give it a try for yourself.
Hot on the heels of my last post about Facebook’s Suspicious Login Tracking, the social networking site has just introduced two additional authentication/session security mechanisms. The first news item is the introduction of one-time passwords, with the aim of increasing account security for those who log into Facebook on public or shared computers.
The proposed one-time password mechanism would require you to register your mobile phone number with Facebook. You would then be able to text “otp” to 32665 (currently U.S. only), and Facebook would send back a single-use password for your account that expires after 20 minutes. This feature will become available in the coming weeks.
Although it’s a good idea in theory, and helps mitigate against malware or key loggers, it also makes targeted attacks easier to perform. It is easy to lose one’s phone, or even leave it unattended. If an attacker can get to your phone for a minute, they may be able to get a one-time password for your account. How Facebook actually implements this remains to be seen.
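The two properties that make such a password safer than a static one are that it can be used exactly once and that it dies after 20 minutes. The following added example (not Facebook’s implementation, whose details are unpublished) models a server-side store enforcing both; the password length and the injected clock are constructed choices so expiry can be exercised offline.

```python
"""Server-side model of a single-use, time-limited login password with the
20-minute lifetime described in the post. Added example, not Facebook's code."""
import hmac
import secrets
import time

OTP_LIFETIME_SECONDS = 20 * 60  # the 20-minute expiry stated in the post


class OneTimePasswordStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injected so tests can move time forward
        self._pending = {}           # account -> (password, issued_at)

    def issue(self, account):
        """Create a fresh single-use password, replacing any pending one."""
        password = secrets.token_hex(4)  # 8 hex chars; a constructed length
        self._pending[account] = (password, self._clock())
        return password  # what would be texted back to the registered phone

    def redeem(self, account, candidate):
        """Accept the password at most once, and only within its lifetime.

        The pending entry is removed on the first attempt, whatever the
        outcome: a captured password cannot be replayed after the real
        login, a wrong guess does not get a second try against the same
        password, and an expired one is discarded rather than kept around.
        """
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        password, issued_at = entry
        if self._clock() - issued_at > OTP_LIFETIME_SECONDS:
            return False
        return hmac.compare_digest(password, candidate)


if __name__ == "__main__":
    store = OneTimePasswordStore()
    pw = store.issue("alice")
    print("first use accepted:", store.redeem("alice", pw))
    print("replay accepted:", store.redeem("alice", pw))
```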
The second feature they introduced, available now, is the ability to remotely sign-out a session. Remember that time you logged in to Facebook at your friend’s house, and forgot to log out, resulting in a slew of embarrassing posts and images being posted on your behalf? With this feature you may have been able to prevent that by logging in to Facebook and then killing that session. I think this is a great feature, and would be useful in other long-session-based services such as Gmail.
You can find this by going to Account -> Account Settings -> Account Security. Your current session will be shown under ‘Most Recent Activity’. If you see anything under ‘Also Active’ that you don’t recognise, just click ‘end activity’ and Facebook will delete the server-side session ID for that session.
Every so often I receive an email from someone I know; it talks about something completely random, and almost always includes a link at the end. The same thing sometimes happens on MSN and I get a message like this:
(12:02:36 PM) Friend: Hey! My cat had a spastic fit, and then coughed up a hairball! Check it out!
Now, whether or not that link goes to a malware site, or just someplace for you to buy viagra is not the point. You don’t click on suspicious-looking links… do you?
In some cases they may have simply fallen for a phishing attack, and typed in their credentials where they shouldn’t have. They may even have been hacked due to weak secret questions. More often than not, however – and you see this a lot with Hotmail/MSN users – what’s happened is that they logged into their email or MSN on an infected computer, which recorded their credentials. In either of these scenarios the info gets sent back to its HQ, where it starts being used to send out spam/viruses/porn/more porn/younameit.
The best solution is to simply change the password (and secret questions) for the account in question. Be a friend, and tell them that they’ve been 0wned.
This is kind of old news, but I’ve only recently become acquainted with Facebook’s tracking of suspicious logins. If you only use a couple of devices, or haven’t traveled around much, you may not have come across these recent security additions to the authentication mechanism.
When logging in to Facebook, the site looks up the last location you logged in from (by geolocating the IP address), and compares it to a list of ‘known’ locations. If the location the user is logging in from is beyond a certain ‘distance threshold’ from the known locations, the user will be challenged. There are two types of challenges that can be chosen; the first is to recognise friends based on their picture (a solution I find both elegant and effective); the second is to answer a pre-set security question. If the user fails both of these challenges (I did… go figure), they have to wait an hour before trying again.
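The check described above reduces to geolocating the login IP and asking whether it lies within some distance of any known location. The following added example (not Facebook’s code) implements that decision with a great-circle distance; the IP-to-location table and the 1000 km threshold are constructed stand-ins, since the real database and threshold are not public.

```python
"""Model of the distance-threshold login check: geolocate the login IP,
compare it against known locations, and challenge the user when every
known location is farther away than the threshold. Added example."""
import math

# Constructed lookup table standing in for a real IP geolocation database.
GEO_DB = {
    "198.51.100.10": (-33.87, 151.21),   # Sydney
    "198.51.100.20": (37.77, -122.42),   # San Francisco
    "198.51.100.30": (-37.81, 144.96),   # Melbourne
}

DISTANCE_THRESHOLD_KM = 1000.0  # constructed; the real threshold is unpublished


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def needs_challenge(login_ip, known_locations, threshold_km=DISTANCE_THRESHOLD_KM):
    """True when the login origin is beyond threshold_km of every known location.

    An IP absent from the geolocation database, or an account with no known
    locations yet, is challenged: a lookup failure fails closed, not open.
    """
    origin = GEO_DB.get(login_ip)
    if origin is None or not known_locations:
        return True
    nearest = min(haversine_km(origin, loc) for loc in known_locations)
    return nearest > threshold_km


if __name__ == "__main__":
    known = [GEO_DB["198.51.100.10"]]  # the account normally logs in from Sydney
    print("Melbourne login challenged:", needs_challenge("198.51.100.30", known))
    print("San Francisco login challenged:", needs_challenge("198.51.100.20", known))
```

Each successful challenge would add the new location to the account's known list, which is what makes the first login from a new city painful and the second one silent.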
The next time you successfully log in, you will be alerted to any recent suspicious login attempts, complete with a geolocated map of that attempt’s location (see screenshot).
This feature has been added to Facebook’s authentication mechanism, and is thus on by default for all accounts. There is another feature however, that is not on by default, but is also interesting. You can set Facebook to notify you whenever a new computer or mobile device is used to log in to your account. This setting is found under Account Settings -> Account Security -> Login Notifications.
Thought this would be of interest to anyone looking to further secure their use of Facebook. Check out their full blog post about these features.
In a direct strategic offensive on Foursquare’s service and a long-term plan for world domination, Facebook recently introduced their own service dubbed Places. These two services allow users to ‘check-in’ to virtually any venue/event, thus sharing their location with friends (or the world). This introduced an awesome new sport known as Foursquare stalking, where one could follow the check-ins of known or random people (e.g. by searching for 4sq.com on Twitter Search), call up the venue they are currently at, and ask to speak to the person… and then do this for every location they check in to. Tremendous fun. The guys at PLA Radio had fun prank-calling people using this, with amusing results.
Apparently the bald fat guy below just got home. Since he is kind enough to post the actual location of his domicile, all a thief has to do is wait until he checks in somewhere far away, and then proceed to leisurely rob him of all his stuff. Sorry baldfatguy… didn’t mean to pick on you but you were at the top of the list.
Surely Facebook’s entry into this domain will allow for more stalking goodness. Another interesting perspective is using Places to create an alibi by spoofing one’s GeoLocation. Anyway, onto the essentials. At least most of us can just avoid using services like Foursquare… but if you have a Facebook account, it’s yet another privacy setting you will have to set yourself.
To Disable Places: Log in to Facebook and go to the Privacy Settings. Click on Customize Settings at the bottom, and then modify the Things I Share settings (you will need to select Custom from the dropdown menu in order to choose Only Me). These settings are only important if you do actually use Places.
Next go down to Things Others Share, and uncheck Friends can check me in to Places.