Thursday, April 28, 2011

Three examples of security scams and frauds

Facebook stalker apps

Wanting to know who has been viewing their profile, many Facebook users have been lured into a newer form of scam: "stalker apps", applications that claim to show you who has been looking at your profile. The apps that have made the rounds on the social network lately are a mix of phishing scams and half-truths. In reality, Facebook does not expose profile-view data to applications, so no app can obtain it, whatever it promises. The real goal of these apps is to gain access to your profile information in order to sell it or hijack your account; they never show you your "stalkers". A recent app called Stalker Check, for example, simply listed the users who were most active on your account. So, if a friend was constantly commenting on your wall posts and leaving "likes" all over your pictures, he or she would show up in Stalker Check. An ex-boyfriend who visited your page every day without leaving a trace would not.

Considering how much information ordinary Facebook apps can legitimately collect from your profile, it is wise to avoid any kind of stalker app, as none of them is real. They exist to trick users into granting a rogue third-party app access to their profile so that it can post spam links on their friends' Facebook walls. A recent example from my personal Facebook account: a message from a friend who had been hit by yet another stalker app, called ProViews. As my Facebook and Windows Live accounts are connected, this message appeared both on my Facebook account and in Messenger.


Clicking the link takes you to a standard "Request for Permission" dialog that asks for access to your basic information, permission to post to your wall, and permission to e-mail you notifications from the app. The dialog itself is genuine Facebook UI; the deception lies in what the app does with those permissions, which is why the "Allow" step looks legitimate. If you click "Allow", you have just started an automated process that silently posts the same bait message, in your name, to all of your friends' walls, and it will likely snare some of them as well. If you have fallen for this scam, open "Privacy Settings", go to "Apps and Websites" at the bottom left, and remove the stalker/creeper app from the "Apps You Use" list; removing it revokes the access it was granted.

The Facebook attack by Ron Bowes

In July 2010 security consultant Ron Bowes wrote a crawler that walked Facebook's open directory of searchable profiles and collected data on about 100 million of them. Only information that users had left visible under their privacy settings was gathered. Bowes then published the result online as a downloadable file containing the URL of every searchable user's profile, the user's name and the unique numeric profile ID. Bowes said he published the data to highlight privacy issues; Facebook replied that it was already public information.

Altogether, Bowes said the crawl returned names and profile addresses for 171 million Facebook users, a little more than a third of Facebook's 500 million users at the time (the crawl produced 171 million name entries; the published set covers some 100 million profiles). He compiled the text into files and made them available as a downloadable torrent. Is this a big deal? Facebook points out that some of the data Bowes collected was already reachable through search engines such as Google and Bing, and that the entire data set is visible to anyone signed in to Facebook. So the data was already public, and nobody's private Facebook data was compromised. Nevertheless, this is the first time that 171 million Facebook profile names have been collected into one set of files that anyone can download, search and analyze. As Bowes pointed out in a blog post, the list is a starting point: a name and profile ID can be used to look up whatever else a user has left publicly visible on Facebook. Each item may be public on its own; aggregating them is what changes the risk. The more a bad guy knows about you, the greater your security risk is.
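To make the aggregation step concrete, here is an added example (written for this post, not Ron Bowes's crawler) of how a directory crawl turns pages of links into a (URL, name, ID) record set, why the raw count of name entries exceeds the number of unique profiles, and how the result becomes a searchable index. The two directory pages are constructed for the example, and the profile-link pattern `/people/<Name>/<numeric id>` is an assumption made for illustration.

```python
# Added example, not Ron Bowes's code. Models a public-directory crawl:
# parse profile links out of HTML pages, deduplicate by profile ID, and
# build a name index. SAMPLE_PAGES are constructed; the URL pattern below
# is assumed for illustration, not taken from Facebook.
from html.parser import HTMLParser
import re

# Two constructed directory pages. Alice appears on both, which is the kind
# of overlap that makes a raw name count larger than the unique profile count.
SAMPLE_PAGES = [
    """<html><body><ul>
    <li><a href="https://www.facebook.com/people/Alice-Example/1000001">Alice Example</a></li>
    <li><a href="https://www.facebook.com/people/Bob-Sample/1000002">Bob Sample</a></li>
    <li><a href="https://www.facebook.com/about/">About</a></li>
    </ul></body></html>""",
    """<html><body><ul>
    <li><a href="https://www.facebook.com/people/Alice-Example/1000001">Alice Example</a></li>
    <li><a href="https://www.facebook.com/people/Carol-Test/1000003">Carol Test</a></li>
    </ul></body></html>""",
]

# Assumed profile-link shape; the trailing number is taken as the profile ID.
PROFILE_RE = re.compile(r"^https://www\.facebook\.com/people/[^/]+/(\d+)$")


class DirectoryParser(HTMLParser):
    """Collects (url, display name, id) for every profile link on one page."""

    def __init__(self):
        super().__init__()
        self.records = []
        self._current = None  # (url, id) of the profile <a> we are inside

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href", "")
        m = PROFILE_RE.match(href)
        if m:
            self._current = (href, m.group(1))

    def handle_data(self, data):
        # Text inside a profile link is the display name.
        if self._current and data.strip():
            url, uid = self._current
            self.records.append((url, data.strip(), uid))

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def crawl(pages):
    """Parse every page. Returns (raw record list, records unique by ID)."""
    raw = []
    for html in pages:
        parser = DirectoryParser()
        parser.feed(html)
        raw.extend(parser.records)
    unique = {}
    for url, name, uid in raw:
        unique.setdefault(uid, (url, name, uid))
    return raw, list(unique.values())


def name_index(records):
    """Lower-cased name -> list of profile IDs: the step that turns scattered
    public pages into one set anyone can search."""
    index = {}
    for url, name, uid in records:
        index.setdefault(name.lower(), []).append(uid)
    return index


if __name__ == "__main__":
    raw, unique = crawl(SAMPLE_PAGES)
    print(len(raw), "name entries collected,", len(unique), "unique profiles")
    print(name_index(unique).get("alice example"))
```

Nothing here is secret or needs credentials, which is exactly Facebook's point; the practitioner's point is the other one: once the crawl output is in a local index, a single name lookup is cheap, repeatable and invisible to the person being looked up.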

Apple's security breach: 114 000 iPad owners exposed

A security breach exposed iPad owners including dozens of CEOs, military officials and top politicians. It exposed what may be the most exclusive e-mail list on the planet: a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised. The specific information exposed was each subscriber's e-mail address together with the ICC-ID, the serial number of the iPad's SIM card, which AT&T used to identify the subscriber on its network.

The subscriber data was obtained by a group calling itself Goatse Security. The group wrote a script they named the "iPad 3G Account Slurper", which ran against AT&T's servers over several days in June 2010. The script presented itself as an iPad 3G, so that AT&T's servers believed they were talking to a real device, and then guessed ICC-ID values one after another. For every guess that matched an account, AT&T's website responded with that subscriber's e-mail address. A PHP script automated the harvesting.
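The mechanism described above, as an added example that is neither Goatse Security's script nor AT&T's code: a leaky lookup that accepts a spoofable User-Agent plus a guessable identifier as proof of identity, the enumerator that walks consecutive ICC-IDs against it, and the corrected lookup that ties the answer to an authenticated session instead. Everything in it is modelled in-process; the handler, its parameters, the User-Agent test, the subscriber table and the ICC-ID values are constructed for illustration. The Luhn check digit on ICC-IDs (ITU-T E.118) and the fact that SIMs are issued in consecutive batches are general properties of ICC-IDs, not something taken from this case.

```python
# Added example, not Goatse Security's "Account Slurper" nor AT&T's code.
# Models the flaw with a fake in-process lookup; the handler, parameters,
# User-Agent check, subscriber table and ICC-IDs are all constructed.

# User-Agent of a 2010 iPad (constructed from the usual format). The
# substring test on it below is the assumed "is this an iPad?" check.
IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) AppleWebKit/531.21.10"


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test. ICC-IDs end in
    such a digit (ITU-T E.118), so an enumerator needs one request per
    candidate prefix rather than ten."""
    total = 0
    for i, ch in enumerate(reversed(partial)):  # digit nearest the check
        d = int(ch)                             # digit is doubled first
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


# Constructed subscriber table, ICC-ID -> e-mail. Prefixes are consecutive
# on purpose: SIMs are issued in batches, so real ICC-IDs cluster, and a
# guesser can walk a range instead of the whole key space.
SUBSCRIBERS = {
    base + luhn_check_digit(base): email
    for base, email in [
        ("8901410421222222222", "alice@example.com"),
        ("8901410421222222223", "bob@example.com"),
        ("8901410421222222225", "carol@example.com"),
    ]
}


def vulnerable_lookup(iccid: str, user_agent: str):
    """The leaky design: a header anyone can set plus an identifier anyone
    can guess is treated as proof of identity, and the e-mail comes back."""
    if "iPad" not in user_agent:
        return None
    return SUBSCRIBERS.get(iccid)


def slurp(start_prefix: str, count: int, lookup):
    """Walk `count` consecutive 19-digit prefixes from `start_prefix`, append
    the only valid check digit, and collect every e-mail returned."""
    found = {}
    width = len(start_prefix)
    base = int(start_prefix)
    for k in range(count):
        prefix = str(base + k).zfill(width)
        iccid = prefix + luhn_check_digit(prefix)
        email = lookup(iccid, IPAD_UA)
        if email:
            found[iccid] = email
    return found


def hardened_lookup(iccid: str, user_agent: str, session_iccid):
    """The fix: an ICC-ID is an identifier, not a secret, so it must never act
    as a credential. Data is returned only for the subscriber bound to an
    authenticated session (session_iccid stands in for that binding), a miss
    and a foreign ID get the same answer, and the User-Agent plays no part."""
    if session_iccid is None or session_iccid != iccid:
        return None
    return SUBSCRIBERS.get(iccid)


if __name__ == "__main__":
    # Eight guesses from a plausible start recover all three accounts from
    # the leaky handler and nothing from the fixed one.
    print(slurp("8901410421222222220", 8, vulnerable_lookup))
    print(slurp("8901410421222222220", 8,
                lambda i, ua: hardened_lookup(i, ua, None)))
```

The session binding is the real fix; rate limiting on the endpoint is only defense in depth, but it is also the detection opportunity: thousands of lookups for sequential identifiers from one source over several days is a signal a web log review should catch long before a third party reports it.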

Goatse Security eventually notified AT&T of the breach and the hole was closed. Still, it is remarkable how carelessly customer data, in this case e-mail addresses, could be leaked by a large telco: the server trusted a client-supplied identifier and a spoofable device signature as proof of who was asking. Besides complicating the AT&T-Apple relationship, the breach also unnerved customers considering an iPad on AT&T's cellular network. Affected subscribers were exposed to spam and to targeted phishing. Although the vulnerability was confined to AT&T's servers, Apple bears responsibility for the privacy of its users, who must give the company their e-mail addresses to activate their iPads. This is particularly the case given that U.S. iPad 3G customers have no choice of mobile carrier.

In January 2011 two men, Andrew Auernheimer, 26, and Daniel Spitler, 25, were taken into custody and charged with conspiracy to access a computer without authorization and with fraud in connection with personal information.
