<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AndrewSaysHello.com &#187; Security</title>
	<atom:link href="http://www.andrewsayshello.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.andrewsayshello.com</link>
	<description>Andrew&#039;s Website for Lots-o-Fun and Junk!</description>
	<lastBuildDate>Wed, 24 Aug 2011 19:20:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Facebook Launches Login Approvals as an Optional Way to Help Secure Your Account!</title>
		<link>http://www.andrewsayshello.com/technology/facebook-launches-login-approvals-as-an-optional-way-to-help-secure-your-account/</link>
		<comments>http://www.andrewsayshello.com/technology/facebook-launches-login-approvals-as-an-optional-way-to-help-secure-your-account/#comments</comments>
		<pubDate>Fri, 13 May 2011 15:25:58 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[account security]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[two-factor authentication]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1957</guid>
		<description><![CDATA[This morning, Facebook launched a new feature called &#8220;login approvals,&#8221; which offers users the ability to further secure access to their Facebook account through the introduction of a second step to the login process. Once opted-in to this security feature, users enter in their email address and password as usual, but will then receive a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/05/facebook_logo.jpg" rel="lightbox[1957]"><img class="alignright size-full wp-image-1958" title="facebook_logo" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/05/facebook_logo.jpg" alt="" width="150" height="150" /></a>This morning, Facebook launched a new feature called &#8220;login approvals,&#8221; which offers users the ability to further secure access to their Facebook account through the introduction of a second step to the login process. Once opted-in to this security feature, users enter in their email address and password as usual, but will then receive a second code sent to them on their mobile phone. This short, numeric code must also be entered before being able to access Facebook from that computer.</p>
<p>While an extra step may not be to everyone&#8217;s liking, for those looking for additional ways to secure access to their account, this feature will be welcomed.</p>
<p>This type of security feature is known as &#8220;two-factor authentication,&#8221; a term which refers to the two separate steps taken to ensure a user is who they say they are. A username (in this case, the email address registered with Facebook) and a password can easily become compromised, as anyone who&#8217;s had their Facebook account hacked can tell you. What&#8217;s less likely, however, is for anyone else to gain physical access to your mobile phone.</p>
<p>By requiring that this second code is sent to a device you have in your possession, you can easily keep unwanted third-parties from getting into your Facebook account.</p>
<p>To turn on login approvals, you&#8217;ll first need to confirm what computer you&#8217;ll be using, by entering in a security code sent via text message to your phone. Once you enter the code, you&#8217;ll be asked to save the device to your account, so you don&#8217;t see the message again when using that same computer.</p>
<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/05/fb_login_1.jpg" rel="lightbox[1957]"><img class="aligncenter size-full wp-image-1959" title="fb_login_1" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/05/fb_login_1.jpg" alt="" width="484" height="299" /></a></p>
<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/05/fb_login_2.jpg" rel="lightbox[1957]"><img class="aligncenter size-full wp-image-1960" title="fb_login_2" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/05/fb_login_2.jpg" alt="" width="479" height="225" /></a></p>
<p>After this initial setup is complete, if you ever log in from an unrecognized device, you&#8217;ll be asked to enter in another security code sent to your phone. You will also be notified of this change upon the following login to Facebook, and asked to verify the attempted account access.</p>
<p style="text-align: left;"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/05/fb_login_3.jpg" rel="lightbox[1957]"><img class="aligncenter size-full wp-image-1961" title="fb_login_3" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/05/fb_login_3.jpg" alt="" width="480" height="181" /></a></p>
<p>If it wasn&#8217;t you who had attempted to sign in from the other device, you&#8217;ll be able to change your Facebook password to re-secure the account immediately. However, you can be assured that the person who attempted to hack into your account would not have been able to access it, as they did not have the code sent to your mobile phone at the time.</p>
<p>And if you ever lose your phone, you can return to any previously authorized device to log back into Facebook.</p>
<p>To enable this feature, go to the &#8220;Account Security&#8221; section of the Account settings page on Facebook, and look for the new &#8220;Login Approvals&#8221; option. You can access your Account settings by clicking on the &#8220;Account&#8221; link at the top-right of the Facebook homepage.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/facebook-launches-login-approvals-as-an-optional-way-to-help-secure-your-account/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spammers Now Using Facebook Events to Trick Users!</title>
		<link>http://www.andrewsayshello.com/technology/spammers-now-using-facebook-events-to-trick-users/</link>
		<comments>http://www.andrewsayshello.com/technology/spammers-now-using-facebook-events-to-trick-users/#comments</comments>
		<pubDate>Mon, 04 Apr 2011 15:33:48 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[facebook event scam]]></category>
		<category><![CDATA[facebook scam]]></category>
		<category><![CDATA[facebook spam]]></category>
		<category><![CDATA[sophos security]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trend micro]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1938</guid>
		<description><![CDATA[Spammers are now using Facebook Events to trick users into completing online surveys, taking part in online contests and performing other tasks which allow spammers to generate commissions. In some cases, users are also tricked into giving up their mobile phone number, which is then automatically signed up for expensive premium services. According to multiple [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/04/facebook-logo.png" rel="lightbox[1938]"><img class="alignright size-medium wp-image-1943" title="facebook-logo" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/04/facebook-logo-300x300.png" alt="" width="243" height="243" /></a>Spammers are now using Facebook Events to trick users into completing online surveys, taking part in online contests and performing other tasks which allow spammers to generate commissions. In some cases, users are also tricked into giving up their mobile phone number, which is then automatically signed up for expensive premium services.</p>
<p>According to multiple security firms, spammers using Facebook Events to promote their links have been highly successful in their efforts to dupe unsuspecting users thus far. According to a report from TrendMicro, &#8220;tens of thousands&#8221; of users had mistakenly registered for one spammer&#8217;s event. Meanwhile, Sophos found an example where over 10 million Facebook users had been targeted, and over 165,000 had accepted.</p>
<p>TrendMicro&#8217;s fraud analyst Paul Pajares says that spammers have turned to Facebook Events instead of posting their links to users&#8217; walls where they can &#8220;easily get lost in the News Feed.&#8221;  These bogus events often have tantalizing, link-bait titles like &#8220;How to Find Out Who&#8217;s Viewing Your Profile&#8221; or &#8220;Who Blocked You From His Friend List?&#8221;</p>
<div id="attachment_1939" class="wp-caption aligncenter" style="width: 474px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/04/facebook-event.jpg" rel="lightbox[1938]"><img class="size-full wp-image-1939 " title="facebook-event" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/04/facebook-event.jpg" alt="" width="464" height="400" /></a><p class="wp-caption-text">Example of fake event.</p></div>
<p>For the record, Facebook doesn&#8217;t allow you to track profile views or blocks, either through its own user interface and feature set or via third-party Facebook applications. Facebook even explains in its own online Help <a href="https://www.facebook.com/help/?faq=14350&amp;ref_query=blocked+you">documentation</a> that &#8220;blocking someone is completely confidential,&#8221; and that no one will ever be notified that they&#8217;ve been blocked. It also does not permit third-party applications to track this information, either.</p>
<p>In addition, any application that claims it can show you who&#8217;s been viewing your profile should be reported, Facebook says in a separate FAQ (frequently asked question) available <a href="https://www.facebook.com/help/?faq=14357&amp;ref_query=viewed+">here</a>.</p>
<p>However, the Event spam is new enough that Facebook has not yet updated its Help documentation to refer to both applications <em>and events</em>. The pages only mention apps.</p>
<p>That said, any links promoting such activities should be avoided at all costs, no matter the source.</p>
<p style="text-align: left;"><strong>How these scams work:</strong></p>
<p>Once on an Event&#8217;s page, users visiting the &#8220;More Info&#8221; section are provided with instructions on how to find out the answer to the question the event promotes (e.g. who blocked you, who&#8217;s viewing your profile, etc.). The final step, of course, is clicking the spammer&#8217;s link.</p>
<p>This link is obfuscated using a URL-shortener like <a href="http://bit.ly/">bit.ly</a>, which takes a longer link and compresses it into a shorter one that redirects to the site in question. Bit.ly and other services like it grew in popularity thanks to Twitter, which limits the number of characters in its status update field to 140 characters. For Twitter users sharing news and other links with each other, these services are invaluable. However, for spammers, the shorteners can hide what would otherwise be questionable domain names and URLs from potential scam victims.</p>
<p>As a best practice, you should avoid any event invitations of a similar nature, even if you see a friend promoting them on their own Facebook Wall. The tricky, bogus events being used by these cyber criminals also automatically reshare the Event&#8217;s link to victims&#8217; own Facebook pages. If you see something like this, you may want to inform your friend that they were a victim of a spammer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/spammers-now-using-facebook-events-to-trick-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Latest Version of Chrome Now Available with More Speed and Safer Browsing!</title>
		<link>http://www.andrewsayshello.com/technology/latest-version-of-chrome-now-available-with-more-speed-and-safer-browsing/</link>
		<comments>http://www.andrewsayshello.com/technology/latest-version-of-chrome-now-available-with-more-speed-and-safer-browsing/#comments</comments>
		<pubDate>Tue, 08 Mar 2011 18:02:29 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[google chrome]]></category>
		<category><![CDATA[internet browser]]></category>
		<category><![CDATA[password sync]]></category>
		<category><![CDATA[sandbox]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[speed]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1911</guid>
		<description><![CDATA[Google has long touted the speed of Chrome, most recently tying the Year of the Rabbit in to its announcement of a Chrome beta. Today, the stable version of the browser is being released. Google says the speed boost corresponds to a 66% improvement in JavaScript performance in benchmark tests. But speed isn&#8217;t just the &#8220;pure [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/chrome.jpg" rel="lightbox[1911]"><img class="alignright size-full wp-image-1912" title="google chrome" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/chrome.jpg" alt="google chrome" width="150" height="150" /></a>Google has long touted the speed of Chrome, most recently tying the <a href="http://chrome.blogspot.com/2011/02/faster-than-speeding-rabbit-speed-sync.html">Year of the Rabbit</a> in to its announcement of a Chrome beta. Today, the stable version of the browser is being released.</p>
<p>Google <a href="http://googleblog.blogspot.com/2011/03/speedier-simpler-and-safer-chromes.html">says</a> the speed boost corresponds to a 66% improvement in JavaScript performance in benchmark tests.</p>
<p>But speed isn&#8217;t just the &#8220;pure brawn&#8221; under the hood, says Google, and the new interface in this most recent version of Chrome is meant to help the user move more quickly as well, particularly when it comes to changing settings. The settings interface now takes up its own tab in the browser, and there&#8217;s a new search box so you can quickly find what you&#8217;re looking to manage.</p>
<p style="text-align: center;">
<div id="attachment_1914" class="wp-caption aligncenter" style="width: 506px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/chrome_speed.png" rel="lightbox[1911]"><img class="size-full wp-image-1914 " title="chrome speed" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/chrome_speed.png" alt="" width="496" height="266" /></a><p class="wp-caption-text">Chrome speed benchmarks</p></div>
<p>The new Chrome also lets you synchronize your passwords across the various computers you use. You can encrypt these for additional security. To enable this feature, visit the &#8220;Personal Stuff&#8221; section in Chrome&#8217;s settings.</p>
<p>Google has also extended Chrome&#8217;s sandboxing to the browser&#8217;s integrated Flash Player, which will help protect you against malicious webpages.</p>
<p>You can download the latest version <a href="http://www.google.com/chrome">here</a>, or if you&#8217;re already using Chrome, you&#8217;ll be automatically updated soon. Also be sure to check out these two YouTube videos that describe both the new settings menu as well as what exactly &#8220;sandboxing&#8221; is.</p>
<p><iframe title="YouTube video player" width="500" height="311" src="http://www.youtube.com/embed/jOxGL29-t_4" frameborder="0" allowfullscreen></iframe></p>
<p><iframe title="YouTube video player" width="500" height="311" src="http://www.youtube.com/embed/29e0CtgXZSI" frameborder="0" allowfullscreen></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/latest-version-of-chrome-now-available-with-more-speed-and-safer-browsing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft is Begging Users to Stop Running Internet Explorer 6!</title>
		<link>http://www.andrewsayshello.com/technology/microsoft-is-begging-users-to-stop-running-internet-explorer-6/</link>
		<comments>http://www.andrewsayshello.com/technology/microsoft-is-begging-users-to-stop-running-internet-explorer-6/#comments</comments>
		<pubDate>Mon, 07 Mar 2011 17:25:24 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[ie6]]></category>
		<category><![CDATA[ie6 countdown]]></category>
		<category><![CDATA[internet browser]]></category>
		<category><![CDATA[internet explorer 6]]></category>
		<category><![CDATA[microsoft]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1898</guid>
		<description><![CDATA[Microsoft has launched another salvo in its campaign to hammer the final nail into the coffin of an outdated, insecure product: Internet Explorer 6. The problem with Internet Explorer 6 is that Microsoft no longer supports it, and the creaky old web browser simply doesn&#8217;t provide anything approaching a sufficient level of defence as severely [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/ie6-1.png" rel="lightbox[1898]"><img class="alignright size-full wp-image-1906" title="ie6" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/ie6-1.png" alt="" width="198" height="270" /></a>Microsoft has launched another salvo in its campaign to hammer the final nail into the coffin of an outdated, insecure product: Internet Explorer 6.</p>
<p>The problem with Internet Explorer 6 is that Microsoft no longer supports it, and the creaky old web browser simply doesn&#8217;t provide anything approaching a sufficient level of defence as severely critical vulnerabilities have been left unpatched.</p>
<p>A new website,  <a title="Link to IE6 Countdown website" rel="nofollow" href="http://www.ie6countdown.com/">www.ie6countdown.com</a>, attempts to convince users of the reasons why they should upgrade to a more secure version of the web-browsing software, and provides information for organisations on how they can best migrate.</p>
<p>What I found particularly interesting, however, was a graphic of the world showing the percentage of browser market share Internet Explorer 6 has in each country.</p>
<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/ie6-countdown.jpg" rel="lightbox[1898]"><img class="aligncenter size-full wp-image-1899" title="ie6-countdown" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/ie6-countdown.jpg" alt="" width="500" height="291" /></a></p>
<p>India, Saudi Arabia, Taiwan and Vietnam are all doing a poor job of choosing a hardened web browser, with IE6 responsible for ten percent or more of the browser usage in those countries.</p>
<p>But the worst country by miles is China, where &#8211; according to Microsoft &#8211; Internet Explorer 6 accounts for over a third of the browser usage. Hmm, I wonder how much of that is related to pirated copies of the software that users have chosen not to replace with legitimate later versions?</p>
<p>Anyway, this is a good campaign by Microsoft &#8211; and although it is clearly designed to switch people to Internet Explorer 9, anything which encourages computer users to throw its ageing predecessor IE6 in the garbage bin has to be applauded.</p>
<blockquote><p>It&#8217;s not often that we encourage you to stop using one of our products, but for <a href="http://twitter.com/search?q=%23IE6" title="#IE6">#IE6</a>, we&#8217;ll make an exception: <a href="http://bit.ly/g0wt4m">http://bit.ly/g0wt4m</a></p>
<p>@Microsoft, <a title="tweeted on March 4, 2011 2:24 pm" href="http://twitter.com/#!/Microsoft/status/43753653189885952">March 4, 2011 2:24 pm</a> via web</p></blockquote>
<p>Let&#8217;s make Microsoft&#8217;s day &#8211; help them kill off Internet Explorer 6.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/microsoft-is-begging-users-to-stop-running-internet-explorer-6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rogue AV Malware Starts Using Alternate Browser Internals!</title>
		<link>http://www.andrewsayshello.com/technology/rogue-av-malware-starts-using-alternate-browser-internals/</link>
		<comments>http://www.andrewsayshello.com/technology/rogue-av-malware-starts-using-alternate-browser-internals/#comments</comments>
		<pubDate>Thu, 03 Mar 2011 13:58:00 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[apple safari]]></category>
		<category><![CDATA[fake antivirus]]></category>
		<category><![CDATA[fake av]]></category>
		<category><![CDATA[google chrome]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mozilla firefox]]></category>
		<category><![CDATA[scareware]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1889</guid>
		<description><![CDATA[For years, ads pimping malware disguised as legitimate antivirus programs have gone to great lengths to mimic the look and feel of Microsoft&#8217;s Internet Explorer browser and Windows operating system. Now Mozilla Firefox, Google Chrome, and Apple Safari are getting the same treatment. A security researcher from Zscaler has recently uncovered a campaign that&#8217;s tailored [...]]]></description>
			<content:encoded><![CDATA[<p>For years, ads pimping malware disguised as legitimate antivirus programs have gone to great lengths to mimic the look and feel of Microsoft&#8217;s Internet Explorer browser and Windows operating system. Now Mozilla Firefox, Google Chrome, and Apple Safari are getting the same treatment.</p>
<p>A security researcher from Zscaler has recently uncovered a campaign that&#8217;s tailored to the browser that the intended victim is using. Those with IE will see the same tired graphic depicting a Windows 7 security alert, but look what happens when the visitor is using Firefox.</p>
<div id="attachment_1890" class="wp-caption aligncenter" style="width: 410px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/firefox_warning.png" rel="lightbox[1889]"><img class="size-full wp-image-1890" title="firefox warning" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/firefox_warning.png" alt="" width="400" height="303" /></a><p class="wp-caption-text">Fake Warning in Firefox</p></div>
<p>Not only does the image contain internal Firefox elements in the source code, it also spoofs the security warning the browser shows when users attempt to navigate to an address known to be malicious, said Julien Sobrier, a senior security researcher at Zscaler.</p>
<p>When the intended mark visits the page with Chrome, the ruse looks altogether different. The first screen shows a warning window bearing the browser&#8217;s distinctive logo and the words “Chrome Security has found critical process activity on your system and will perform fast scan of system files.”</p>
<div id="attachment_1891" class="wp-caption aligncenter" style="width: 392px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/chrome_warning.png" rel="lightbox[1889]"><img class="size-full wp-image-1891" title="chrome warning" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/chrome_warning.png" alt="" width="382" height="158" /></a><p class="wp-caption-text">Fake Google Chrome warning</p></div>
<p>The user then sees what purports to be a Chrome window showing a virus scan.</p>
<div id="attachment_1892" class="wp-caption aligncenter" style="width: 410px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/chrome_scan.png" rel="lightbox[1889]"><img class="size-full wp-image-1892" title="chrome scan" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/chrome_scan.png" alt="" width="400" height="333" /></a><p class="wp-caption-text">Fake scan in Google Chrome</p></div>
<p>Not to be left out, Safari is also spoofed, although with significantly less effort. The initial warning looks like this:</p>
<div id="attachment_1894" class="wp-caption aligncenter" style="width: 410px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/safari_warning.png" rel="lightbox[1889]"><img class="size-full wp-image-1894" title="safari warning" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/03/safari_warning.png" alt="" width="400" height="156" /></a><p class="wp-caption-text">Fake Safari warning</p></div>
<p>But the scan page defaults to the look and feel of IE.</p>
<p>The ads are an attempt to trick visitors into believing they have infections that can be cured by the software being offered in the ad. By customizing the screens to the browser, it stands to reason, malware mongers stand a better chance of succeeding.</p>
<blockquote><p>“I&#8217;ve seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox,” Sobrier said. “I&#8217;ve never seen targeted fake AV pages for so many different browsers.”</p></blockquote>
<p>Some of the sites that redirect to the scam include columbia.faircitynews.com, www.troop391.org, jmvcorp.com. When successful, the redirected page pushes the file InstallInternetDefender_xxx.exe, where “xxx” is a number that changes frequently. At time of writing, it was detected as malicious by just 9.5 percent of the major (legitimate) AV packages, according to a <a href="http://www.virustotal.com/file-scan/report.html?id=a52344814b68b7d3a3cdd5b7fb4f73f4b4b98e0caeed9c8c85ad52ff2e05e1ce-1299087679" target="_blank">VirusTotal scan</a>.</p>
<p>No doubt, many readers are savvy enough to spot scams like this, but what about poor Aunt Mildred, who has been told by a well-meaning relative to never, ever use the heavily targeted IE? Makes you realize why fake AV can be such a <a title="New Scareware Tactic Lures in More FAKEAV Buyers!" href="http://www.andrewsayshello.com/technology/new-scareware-tactic-lures-in-more-fakeav-buyers/">huge revenue generator</a>.</p>
<p>Sobrier, who blogged about his findings <a href="http://research.zscaler.com/2011/03/new-fake-av-page-uses-firefox-internals.html" target="_blank">here</a>, first spotted the customized ads on Monday.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/rogue-av-malware-starts-using-alternate-browser-internals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Rolls Out 2-Step Verification to Everyone to Help Protect Your Account!</title>
		<link>http://www.andrewsayshello.com/technology/google-rolls-out-2-step-verification-to-everyone-to-help-protect-your-account/</link>
		<comments>http://www.andrewsayshello.com/technology/google-rolls-out-2-step-verification-to-everyone-to-help-protect-your-account/#comments</comments>
		<pubDate>Thu, 10 Feb 2011 18:00:34 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[2-Step authentication]]></category>
		<category><![CDATA[2-Step Verification]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[google apps]]></category>
		<category><![CDATA[Google Authenticator]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1865</guid>
		<description><![CDATA[Given how much data we’re trusting to online sites these days — email, search history, even voice calls — the repercussions to having our account passwords phished, hacked, or guessed are worse than ever. Unfortunately as far as consumers are concerned, account security has been stagnant for years: nearly every service requires a username and password, and that’s [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/google.png" rel="lightbox[1865]"><img class="size-medium wp-image-1873 alignright" title="Google" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/google-300x103.png" alt="" width="300" height="103" /></a></p>
<p>Given how much data we’re trusting to online sites these days — email, search history, even voice calls — the repercussions to having our account passwords phished, hacked, or guessed are worse than ever. Unfortunately as far as consumers are concerned, account security has been stagnant for years: nearly every service requires a username and password, and that’s it.</p>
<p>But today, Google is making things much, much better for those who want it and will be rolling this out over the next few days, so you may not see it quite yet.</p>
<p>The feature is called two-factor authentication, and it’s been available to Google Apps customers <a href="http://www.andrewsayshello.com/technology/google-is-making-your-account-vastly-more-secure-with-two-step-authentication/">since September</a>. Now it’s rolling out to everyone. It’s a bit confusing and the set-up process will probably intimidate a lot of people, but it’s well worth looking into if you value your account data. You can activate it by hitting the ‘two-step verification’ link on <a href="https://www.google.com/accounts/ManageAccount">this page</a>.  So what exactly does it do?</p>
<div id="attachment_1868" class="wp-caption aligncenter" style="width: 461px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/2step.png" rel="lightbox[1865]"><img class="size-full wp-image-1868   " title="2-Step Verification" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/2step.png" alt="" width="451" height="157" /></a><p class="wp-caption-text">2-Step Verification</p></div>
<p>In short, when you go to log in to your Google account, you need to enter both your existing password and a special new <em>second</em> passcode — one that you don’t have to write down or memorize because it’s always changing, so it’s nearly impossible to phish. You generate this second password by firing up a new mobile app available for Android, iPhone, and BlackBerry called ‘Google Authenticator’, or by having Google call or send you a text message to a phone number you entered when you set up the feature. That password will expire in just a few minutes though, so be quick (and yes, you will feel like a secret agent the first few times you use it).</p>
<p>It’s not as stressful as it sounds, because you can elect to only require this second password once per computer (this still keeps phishers from being able to access your account). There are a few more quirks to it — in order to save passwords in applications like iCal, Mail, and most other desktop apps, you’ll have to generate a unique app-specific password. But again, you can save this so you only have to do it once per app.</p>
<p>There are also a few backup measures in place should you lose access to your mobile phone. You can designate a second, backup phone number to send the passcode to, and you’re also strongly encouraged to print out a set of ‘one-time’ passwords to keep in a safe place. This is only for the secondary password — you’ll still have to keep that ‘normal’ Google password memorized.</p>
<p>To be clear, two-factor authentication isn’t a new idea. It’s been used by large businesses for years. But giving consumers access to this same protection is a big win, and I’m hoping other services will follow suit in the near future.</p>
<div id="attachment_1866" class="wp-caption aligncenter" style="width: 505px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/phones.png" rel="lightbox[1865]"><img class="size-full wp-image-1866 " title="Google Authenticator" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/phones.png" alt="" width="495" height="287" /></a><p class="wp-caption-text">Google Authenticator</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/google-rolls-out-2-step-verification-to-everyone-to-help-protect-your-account/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Updates AutoPlay to Help Combat USB Malware</title>
		<link>http://www.andrewsayshello.com/technology/microsoft-updates-autoplay-to-help-combat-usb-malware/</link>
		<comments>http://www.andrewsayshello.com/technology/microsoft-updates-autoplay-to-help-combat-usb-malware/#comments</comments>
		<pubDate>Wed, 09 Feb 2011 14:05:05 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[autorun]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[flash drive]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[usb]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[windows xp]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1858</guid>
		<description><![CDATA[Here&#8217;s some good news for anyone who has been struck by auto-running malware from a USB stick in the past. Microsoft has rolled out an &#8220;important, non-security update&#8221; through Windows Update, changing the behaviour of Autorun when you plug a USB stick into your computer. Not sure what Autorun is? It&#8217;s the technology which causes a program [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1860" class="wp-caption alignright" style="width: 250px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/USB_Flash_Drive.png" rel="lightbox[1858]"><img class="size-medium wp-image-1860 " title="USB Flash Drive" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/USB_Flash_Drive-300x300.png" alt="" width="240" height="240" /></a><p class="wp-caption-text">USB Flash Drive</p></div>
<p>Here&#8217;s some good news for anyone who has been struck by auto-running malware from a USB stick in the past. Microsoft has rolled out an &#8220;important, non-security update&#8221; through Windows Update, changing the behaviour of Autorun when you plug a USB stick into your computer.</p>
<p>Not sure what Autorun is? It&#8217;s the technology which causes a program to start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the Autorun.inf files in the root directory of your USB sticks and on CDs in the past.</p>
<p>It may sound like a neat idea, but a lot of malware (the <a href="http://www.andrewsayshello.com/technology/new-w32downadup-variant-spotted-by-symantec/">Conficker worm</a> is perhaps the most infamous example) has exploited the technology to infect computers via USB sticks in the past.</p>
<p>The more recent versions of Windows, like Windows Vista and Windows 7, have made changes to the way that Autorun operates and this has helped fight the spread of Autorun malware. But older versions of Windows, such as Windows XP, were still often at risk.</p>
<p>In fact, in a <a title="Link to Microsoft blog post" rel="nofollow" href="http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx">blog post</a> published yesterday, Microsoft&#8217;s Holly Stewart presented statistics which suggested that &#8220;Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.&#8221;</p>
<div id="attachment_1859" class="wp-caption aligncenter" style="width: 488px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/autorun.jpg" rel="lightbox[1858]"><img class="size-full wp-image-1859  " title="autorun" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/02/autorun.jpg" alt="" width="478" height="287" /></a><p class="wp-caption-text">XP vs. 7 using Autorun.</p></div>
<p>Yesterday, Microsoft rolled out an update via its Windows Update infrastructure, to users running versions prior to Windows 7, which effectively prevents Autorun malware from automatically infecting computers without the user&#8217;s permission.</p>
<p>Note, however, that this isn&#8217;t the death of Autorun entirely. As Microsoft&#8217;s Adam Shostack explains on the <a title="Link to MSRC blog" rel="nofollow" href="http://blogs.technet.com/b/msrc/archive/2011/02/04/deeper-insight-into-the-security-advisory-967940-update.aspx">MSRC blog</a>, Autorun is still available for &#8220;shiny media&#8221; such as CDs and DVDs.</p>
<p>Hmm. I guess that will be welcome news for any misguided company which tries to emulate <a href="http://www.sophos.com/pressoffice/news/articles/2005/11/sonydrmpoll.html">Sony&#8217;s disastrous scheme</a> from 2005 where music CDs automatically installed a rootkit as part of their DRM copy protection.</p>
<p>All in all, though, Microsoft has done a good thing here. Autorun was never a necessary technology from my point of view, and its exploitation by malware made it a dangerous liability. Locking it in a windowless room, handing it a service revolver and appealing to its sense of decency is probably the best move that we can make.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/microsoft-updates-autoplay-to-help-combat-usb-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Enable HTTPS/SSL Encryption to Secure Your Facebook Account!</title>
		<link>http://www.andrewsayshello.com/technology/how-to-enable-httpsssl-encryption-to-secure-your-facebook-account/</link>
		<comments>http://www.andrewsayshello.com/technology/how-to-enable-httpsssl-encryption-to-secure-your-facebook-account/#comments</comments>
		<pubDate>Fri, 28 Jan 2011 14:26:30 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[https]]></category>
		<category><![CDATA[secure connection]]></category>
		<category><![CDATA[ssl]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1835</guid>
		<description><![CDATA[Many people have been pleased to hear that Facebook is now allowing users to choose full SSL/HTTPS encryption throughout their session to prevent their accounts from being compromised through unencrypted WiFi using tools like Firesheep. After the announcement though, lots of people were confused and requested we provide better instructions on how to choose this [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/facebook.jpg" rel="lightbox[1835]"><img class="alignright size-medium wp-image-1841" title="facebook" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/facebook-300x112.jpg" alt="" width="300" height="112" /></a>Many people have been pleased to hear that Facebook is now allowing users to choose full SSL/HTTPS encryption throughout their session to prevent their accounts from being compromised through unencrypted WiFi using tools like Firesheep.</p>
<p>After the announcement though, lots of people were confused and requested we provide better instructions on how to choose this more secure option. I was able to find a brief (only 1.5 minutes!) YouTube video on how to enable this feature.</p>
<p>As of the time of this article (January 28, 2011) only a fraction of all Facebook accounts have been enabled to use this option. I expect it to be available to all Facebook users in a short amount of time.</p>
<p><iframe title="YouTube video player" class="youtube-player" type="text/html" width="500" height="311" src="http://www.youtube.com/embed/JIXxXFbrmKA" frameborder="0" allowFullScreen></iframe></p>
<p>The myth that HTTPS sessions consume a large quantity of resources needs to be quashed. While encryption may seem to be a heavy-duty task, modern algorithms are designed to provide the maximum security for a minimum impact.</p>
<p>If you are a web master or IT administrator who is responsible for providing services to your customers, please look into securing your pages and following Facebook&#8217;s lead. If they can provide an extra layer of protection for more than 500 million users, surely you can provide the same protections to your users.</p>
<p>For Facebook users, in addition to selecting the new HTTPS option, take a look at this guide on <a title="Sophos best practices for Facebook" href="http://www.sophos.com/security/best-practice/facebook/">how to secure your profile</a>. I hope this helps some of the people out there, as there have been a lot of bad things going around on Facebook lately.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/how-to-enable-httpsssl-encryption-to-secure-your-facebook-account/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook Now Wants To Give Out Your Phone Number!</title>
		<link>http://www.andrewsayshello.com/technology/facebook-now-wants-to-give-out-your-phone-number/</link>
		<comments>http://www.andrewsayshello.com/technology/facebook-now-wants-to-give-out-your-phone-number/#comments</comments>
		<pubDate>Tue, 18 Jan 2011 02:34:24 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[facebook applications]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[phone numbers]]></category>
		<category><![CDATA[social network]]></category>
		<category><![CDATA[sophos security]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1816</guid>
		<description><![CDATA[Facebook has added APIs for developers to access the home address and mobile numbers of users, so FarmVille can see where, as well as who, you are. Permission to access such data must be given through the usual notification system, but with the vast majority of users simply agreeing with everything they&#8217;re asked, the new facility [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/facebook.png" rel="lightbox[1816]"><img class="alignright size-full wp-image-1819" title="facebook" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/facebook.png" alt="" width="210" height="210" /></a>Facebook has added APIs for developers to access the home address and mobile numbers of users, so FarmVille can see where, as well as who, you are. Permission to access such data must be given through the usual notification system, but with the vast majority of users simply agreeing with everything they&#8217;re asked, the new facility is attracting privacy concerns beyond those incurred by sharing one&#8217;s details with the developers of Bejeweled Blitz or similar.</p>
<p>Users almost always click &#8220;Allow&#8221; when faced with such decisions, as demonstrated by Microsoft&#8217;s Active X technology more than a decade ago and proven by the thriving malware ecosystem sustained by inattentive Facebook users today.</p>
<p>The alternative is <a href="http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-your-home-address-mobile-phone-number/" target="_blank">pointed out by Sophos security</a>, which suggests a more totalitarian approach: &#8220;Wouldn&#8217;t it be better if only app developers who had been approved by Facebook were allowed to gather this information?&#8221; There are no Trojans on iOS or in the Mac App Store, so perhaps pre-approval is the way forward, restrictive as it is.</p>
<p style="text-align: center;"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/fbphone-permission.jpg" rel="lightbox[1816]"><img class="aligncenter size-full wp-image-1823" title="facebook application permissions" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/fbphone-permission.jpg" alt="" width="503" height="282" /></a></p>
<p>Sophos <a href="http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-your-home-address-mobile-phone-number/" target="_blank">has said</a> that the new APIs, applied on Friday, might be fodder for rogue application developers. Survey scams that form one of the mainstays of security threats on Facebook often attempt to hoodwink punters into supplying their mobile number and signing up to premium rate text messaging services of questionable utility.</p>
<p>The process of extracting mobile phone numbers of potential marks, which used to be a matter of social engineering trickery, might now be done much more easily. Users would still need to give permission for third-party Facebook applications to access this personal contact data but this has become a matter of fooling someone into clicking a dialogue box rather than the trickier process of hoodwinking them into typing in their mobile phone number.</p>
<p>Facebook recently beefed up its account recovery options to include messages sent to a designated mobile phone number as part of its account recovery procedure. This, and other factors, mean that the mobile phone number of many users will be held by the dominant social network.</p>
<p>Mobile phone numbers might even be held by the social network <em>without</em> users submitting them, in cases where their friends have recorded relevant phone numbers in their address book and make use of Facebook&#8217;s iPhone application. More details on this privacy exposure can be found in an article <a href="http://www.guardian.co.uk/technology/blog/2010/oct/06/facebook-privacy-phone-numbers-upload" target="_blank">here</a>.</p>
<p>Sophos is urging users to remove their addresses and phone numbers from Facebook, as a precaution. A guide on reviewing Facebook privacy settings, developed by Sophos, can be found <a href="http://www.sophos.com/security/best-practice/facebook" target="_blank">here</a>.</p>
<p>Facebook&#8217;s privacy dashboard can be found <a href="http://www.facebook.com/help/?page=966#!/settings/?tab=privacy" target="_blank">here</a>.</p>
<p>The new APIs, <a href="http://developers.facebook.com/blog/post/446" target="_blank">launched at the weekend</a>, also provide notification for developers if a user &#8220;unlikes&#8221; something: so next time you take a thumbs-up off a page, expect a phone call asking why, and perhaps a knock on the door from someone seeking a more detailed explanation.</p>
<p><strong><span style="text-decoration: underline;">UPDATE</span>:</strong> Douglas Purdy, director of developer relations, <a href="http://developers.facebook.com/blog/post/447">just posted</a> on the Facebook developer blog to explain that Facebook agrees with its critics that the feature could be better implemented and the company will be pulling it until changes are made.</p>
<blockquote><p>&#8220;Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We&#8217;ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready. We look forward to re-enabling this improved feature in the next few weeks.&#8221;</p></blockquote>
<p>It will be interesting to see what they decide to change when and if they re-release this new &#8220;feature&#8221; to the masses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/facebook-now-wants-to-give-out-your-phone-number/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft and Google Clash Over Zero-Day Flaw Release!</title>
		<link>http://www.andrewsayshello.com/technology/microsoft-and-google-clash-over-zero-day-flaw-release/</link>
		<comments>http://www.andrewsayshello.com/technology/microsoft-and-google-clash-over-zero-day-flaw-release/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 16:44:27 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[cross_fuzz]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[internet explorer]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[zero-day flaw]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1796</guid>
		<description><![CDATA[Microsoft is at odds with a researcher employed by Google who published a zero-day Internet Explorer vulnerability on New Year&#8217;s Day. The vulnerability was discovered using cross_fuzz, a browser fuzzing tool created by Google researcher Michal Zalewski, who says he gave Microsoft more than six months of warning before going public with the flaw. That [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/ie-logo.png" rel="lightbox[1796]"><img class="alignright size-full wp-image-1797" title="Internet Explorer" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/ie-logo.png" alt="" width="240" height="240" /></a>Microsoft is at odds with a researcher employed by Google who published a zero-day Internet Explorer vulnerability on New Year&#8217;s Day. The vulnerability was discovered using cross_fuzz, a browser fuzzing tool created by Google researcher Michal Zalewski, who says he gave Microsoft more than six months of warning before going public with the flaw. That hasn&#8217;t stopped Microsoft from sharply disagreeing, however, with the company arguing that Zalewski has now put thousands of IE users at risk.</p>
<p>According to Zalewski&#8217;s published <a href="http://lcamtuf.coredump.cx/cross_fuzz/fuzzer_timeline.txt">timeline of events</a>, he first told Microsoft about the vulnerability in July of last year and provided the company with copies of cross_fuzz for independent verification. Zalewski informed the company that he planned to release the tool in January, and Microsoft acknowledged the report at that time—confirmed on Tuesday by Microsoft spokesperson Jerry Bryant.</p>
<p>Microsoft said it was unable to reproduce any problems using the cross_fuzz tool upon being informed of the issue in July, despite Zalewski&#8217;s insistence that he saw &#8220;multiple crashes and GDI corruption issues&#8221; in IE. The company claims it was only notified on December 21 of a new version of cross_fuzz that could cause a potentially exploitable crash.</p>
<p>Microsoft immediately issued <a href="http://www.microsoft.com/technet/security/advisory/2488013.mspx">Security Advisory (2488013)</a>, confirming that the vulnerability impacted all supported versions of IE. Microsoft explained that the vulnerability exists due to the creation of uninitialized memory during a CSS function within the browser, making it possible for the memory to be leveraged by an attacker with a specially crafted webpage.</p>
<blockquote><p>&#8220;We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable,&#8221; Bryant told sources.</p></blockquote>
<p>This is when the stories diverge, however. Zalewski says he heard virtually nothing from Microsoft until mid-December, at which point others were able to reproduce the problem, including by means of the original cross_fuzz version used last July. According to Zalewski, Microsoft was suddenly concerned about the potential PR fallout and claimed the IE problems only surfaced after he had updated his code. Zalewski said he confirmed that the problem was unchanged by running both the new and old versions of the fuzzer and told Microsoft again that he planned to release the tool in January.</p>
<p>&#8220;Response from [Microsoft Security Research Center] confirms that these crashes are reproducible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case,&#8221; Zalewski wrote on December 29. As promised, he released the fuzzer on January 1.</p>
<p>Now, Microsoft is accusing Zalewski of increasing the risk to IE users—the company says attackers may find a way to exploit the flaw before a patch can be tested and distributed. Zalewski insists that Microsoft knew about the flaw and his plan to release in January for more than six months, however, and did nothing until it was almost too late.</p>
<p>Whichever way this he-said, she-said fight ends up, Microsoft says it&#8217;s actively monitoring the situation and plans to issue a patch soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/microsoft-and-google-clash-over-zero-day-flaw-release/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intel&#8217;s Upcoming Core Chips Aim to Secure Streaming Movies!</title>
		<link>http://www.andrewsayshello.com/technology/intels-upcoming-core-chips-aim-to-secure-streaming-movies/</link>
		<comments>http://www.andrewsayshello.com/technology/intels-upcoming-core-chips-aim-to-secure-streaming-movies/#comments</comments>
		<pubDate>Tue, 04 Jan 2011 20:44:08 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[core chip]]></category>
		<category><![CDATA[hardware security layer]]></category>
		<category><![CDATA[intel]]></category>
		<category><![CDATA[movie piracy]]></category>
		<category><![CDATA[piracy]]></category>
		<category><![CDATA[processor]]></category>
		<category><![CDATA[steaming movies]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1790</guid>
		<description><![CDATA[Intel on Monday said that it was building a hardware security layer in its next-generation Core chips to prevent streaming movies from being copied. The chip feature, called Insider, includes an end-to-end protection layer and management feature to unlock high-definition movies from online streaming services, said Karen Regis, Consumer Client Marketing Manager at Intel. Insider [...]]]></description>
			<content:encoded><![CDATA[<p id="first_paragraph"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/intel-logo.jpg" rel="lightbox[1790]"><img class="alignright size-medium wp-image-1792" title="Intel" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/intel-logo-300x203.jpg" alt="" width="300" height="203" /></a>Intel on Monday said that it was building a hardware security layer in its next-generation Core chips to prevent streaming movies from being copied. The chip feature, called Insider, includes an end-to-end protection layer and management feature to unlock high-definition movies from online streaming services, said Karen Regis, Consumer Client Marketing Manager at Intel.</p>
<p>Insider is a part of Intel&#8217;s enhanced graphics offerings in its next-generation Core processors, which will be officially released on Jan. 5, ahead of the Consumer Electronics Show in Las Vegas.</p>
<p>With Insider, users will get access to more 1080p high-definition streaming content, which is not yet mainstream on the Internet, Regis said. Movies in 1080p high definition &#8212; in which images are shown at a 1920 by 1080 pixel resolution &#8212; can also be found on Blu-ray discs. Studios are also worried about piracy, which discourages them from making premium 1080p content available via streaming, Regis said. Insider provides a security blanket that could encourage more studios to make high-definition movies available, Regis said.</p>
<p>Intel has partnered with Warner Bros. Digital Distribution, which will make 300 high-definition titles available from its <a href="http://www.wbshop.com/" target="new">WB Shop</a> or <a href="http://www.cinemanow.com/" target="new">Best Buy&#8217;s CinemaNow</a> service. The movies can be played only on systems with the next-generation Core processors, Regis said.</p>
<p>The feature in time will trickle down to Intel&#8217;s other consumer chip offerings, Regis said. Intel is also partnering with more studios and announcements will be made in the upcoming months.</p>
<p>Beyond Insider, the company is also building many new graphics technologies into the Core chips to speed up creation and rendering of video. Intel for the first time is building a graphics processor and CPU inside the same chip, which will improve application and graphics performance while consuming less power. The Core chips are based on a new microarchitecture code-named Sandy Bridge.</p>
<p>Intel is adding specialized hardware accelerators to quickly encode and decode video. The feature, called Quick Sync, allows users to transfer high-definition video into a format suitable for smartphones in a matter of seconds. The hardware accelerators are faster than software, which could take minutes to transfer video.</p>
<p>Intel is also upgrading its Wi-Di technology, which enables users to wirelessly transmit images and video from a PC to a high-definition TV. Users will now be able to stream 1080p content, an improvement from the previous 720p resolution. Users will also be able to stream protected movies from the Intel Insider feature, Regis said.</p>
<p>But the Core processors won&#8217;t support DirectX 11, which makes graphics more realistic on PCs running Microsoft&#8217;s Windows 7 OS. Intel is a step behind Advanced Micro Devices, whose upcoming Fusion chips include graphics processors that support DirectX 11.</p>
<blockquote><p>&#8220;We have tested applications &#8212; we don&#8217;t see a huge number of applications that use features in DirectX 11 today. We will have that capability built into our processor graphics before it&#8217;s in the mainstream,&#8221; Regis said.</p></blockquote>
<p>In the consumer segment, DirectX 11 is more relevant to high-end gaming, where discrete graphics cards are heavily used, Regis said. Intel will initially ship quad-core Core chips in January, followed by dual-core chips in February.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/intels-upcoming-core-chips-aim-to-secure-streaming-movies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shortened URLs Are in High Use by Spammers!</title>
		<link>http://www.andrewsayshello.com/technology/shortened-urls-are-in-high-user-by-spammers/</link>
		<comments>http://www.andrewsayshello.com/technology/shortened-urls-are-in-high-user-by-spammers/#comments</comments>
		<pubDate>Sun, 02 Jan 2011 17:21:43 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[messagelabs]]></category>
		<category><![CDATA[short urls]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spam message]]></category>
		<category><![CDATA[symantec]]></category>
		<category><![CDATA[url shortener spam]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1784</guid>
		<description><![CDATA[Shortened URLs included in garden-variety emails and tweets are harder for antivirus and antispam applications to weed out, giving hackers another lucrative avenue to spread spam quickly and with much greater efficiency. That&#8217;s the word from security software vendor Symantec (NASDAQ: SYMC), which dedicated most of its July MessageLabs Intelligence report to the pesky shortened URLs [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/spam.png" rel="lightbox[1784]"><img class="alignright size-full wp-image-1813" title="spam" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/01/spam.png" alt="" width="210" height="210" /></a>Shortened URLs included in garden-variety emails and tweets are harder for antivirus and antispam applications to weed out, giving hackers another lucrative avenue to spread spam quickly and with much greater efficiency.</p>
<p>That&#8217;s the word from security software vendor Symantec (NASDAQ: SYMC), which dedicated most of its July MessageLabs Intelligence report to the pesky shortened URLs that are pretty much a prerequisite for quickly sharing links to stories, tweets and images on Twitter and other microblogging services.</p>
<p>Symantec&#8217;s report found that shortened-hyperlink spam hit a one-day peak of 18 percent of all spam emails on April 30, a total of more than 23.4 billion messages in one 24-hour period.</p>
<p>More troubling, Symantec security experts said, is the recent trend showing that shortened, spam-laden URLs are becoming as much a fabric of the spam culture as come-ons from Nigerian royalty and shady pharmaceutical dispensaries.</p>
<p>In the second quarter of last year, Symantec found that there was one day out of the three-month span during which shortened hyperlinks appeared in more than 1 in 200 spam messages. This year, however, there were 43 days when shortened URLs with spam accounted for 0.5 percent of all spam traffic and 10 days when the total surged to more than 5 percent of all spam messages.</p>
<p>&#8220;As far as spammers are concerned, any tactics that make it harder to block their spam emails are going to be exploited,&#8221; Paul Wood, a senior analyst at Symantec&#8217;s MessageLabs, said in the report.</p>
<p>&#8220;When spammers include a shortened URL in spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional antispam filters to identify the messages as spam based on the reputation of the domains found in the spam emails,&#8221; he added.</p>
<p>This <a href="http://www.internetnews.com/security/article.php/3840996/Twitter-URLs-Again-Under-Siege-by-Hackers.htm">alarming influx of shortened URLs containing spam and malware</a> was to be expected, security experts say, as more and more people embrace Twitter, its messages&#8217; 140-character limit and the short URLs they often necessitate. And now that these shortened URLs with legitimate-looking domains are being disseminated by botnets, the spammers are increasing their infection rate and generating lots of ill-gotten revenue.</p>
<p>Symantec&#8217;s surveillance revealed that the <a href="http://www.internetnews.com/security/article.php/3802331">infamous Storm botnet</a>, which reemerged in May, is the main source of malicious shortened URLs, accounting for some 11.8 percent of spam in the category.</p>
<p>&#8220;While botnets are often the source of short URL spam, 28 percent of this type of spam originated from sources not linked to a known botnet, such as unidentified spam-sending botnets or non-botnet sources, such as webmail accounts created using CAPTCHA-breaking tools,&#8221; Wood added.</p>
<p>The report discovered that, on average, one website visit is generated for every 74,000 spam emails containing a shortened URL link, and the most frequently visited shortened links from spam received more than 63,000 website visits.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/shortened-urls-are-in-high-user-by-spammers/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Google Now Warning Surfers of Hacked Websites!</title>
		<link>http://www.andrewsayshello.com/technology/google-now-warning-surfers-of-hacked-websites/</link>
		<comments>http://www.andrewsayshello.com/technology/google-now-warning-surfers-of-hacked-websites/#comments</comments>
		<pubDate>Mon, 20 Dec 2010 23:06:12 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[online vandalism]]></category>
		<category><![CDATA[search results]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1767</guid>
		<description><![CDATA[There are increasing concerns about website attacks on the mind today, thanks to hackers&#8217; takedown of high-profile sites during the Wikileaks cyberwar in particular, and the website defacements that often accompany political turmoil such as those that hit both Pakistani and Indian government-run sites recently as well as some prompted by political issues here in the U.S. Sometimes [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/12/google.jpg" rel="lightbox[1767]"><img class="alignright size-medium wp-image-1770" title="google" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/12/google-300x119.jpg" alt="" width="300" height="119" /></a>There are increasing concerns about website attacks on the mind today, thanks to hackers&#8217; takedown of high-profile sites during the Wikileaks cyberwar in particular, and the website defacements that often accompany political turmoil such as those that hit both <a href="http://www.deccanchronicle.com/hyderabad/ap-website-hacked-pak-736">Pakistani</a> and <a href="http://www.pcworld.com/businesscenter/article/213734/india_tightens_security_on_government_websites_after_hack.html">Indian</a> government-run sites recently as well as <a href="http://www.gmanews.tv/story/207017/cbcp-website-defaced-before-pro-life-rally">some prompted by political issues here in the U.S</a>. Sometimes the hacks are more <a href="http://www.gmanews.tv/story/207100/sen-sottos-official-website-hacked">akin to</a> <a href="http://www.pcworld.com/article/211901/security_site_gets_punkd_protect_yourself.html">pranks</a>, while other times they serve as a way for those with strong opinions to <a href="http://www.freemalaysiatoday.com/fmt-english/news/general/14443-hackers-ganyang-yayasan-1-malaysia-website">express that sentiment</a> <a href="http://cyberinsecure.com/mpaa-run-copyprotectedcom-website-defaced-by-anonymous-redirects-to-thepiratebayorg/">anonymously</a>. And sometimes, the hacks are initiated by spammers, instead of these sorts of political &#8220;hacktivists.&#8221;</p>
<p>To defend against this form of online vandalism, Google has announced it will begin to identify hacked sites, right in the Google search results.</p>
<p>According to news from <a href="http://googlewebmastercentral.blogspot.com/2010/12/new-hacked-site-notifications-in-search.html">Google&#8217;s Webmaster Central blog</a>, the Internet search giant will begin warning Web surfers of sites that may have been hacked with a message that reads <em>&#8220;This site may be compromised.&#8221;</em> This will help protect those browsing the Web from becoming victims of malware, as is especially the case when sites are compromised by spammers, says Google.</p>
<div id="attachment_1768" class="wp-caption aligncenter" style="width: 490px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/12/hacked.png" rel="lightbox[1767]"><img class="size-full wp-image-1768 " title="hacked" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/12/hacked.png" alt="" width="480" height="239" /></a><p class="wp-caption-text">Example of compromised websites in search results.</p></div>
<p>Users clicking the warning link will be directed to <a href="http://www.google.com/support/websearch/bin/answer.py?answer=190597">this page</a> in Google&#8217;s Help Center that explains more about the notice and what it means, but Google will not stop you from clicking through on the search result itself, nor does it insert an additional warning after doing so, as it does with sites known to host malware.</p>
<p>Google says it will use &#8220;a variety of automated tools&#8221; to detect signs of hacked sites as quickly as possible and it will then add the notification and alert the site&#8217;s webmaster to the issue. Webmasters who are worried that the notices will negatively affect their search traffic can <a href="http://www.google.com/support/webmasters/bin/answer.py?answer=163634">request a site review</a> to accelerate the notification&#8217;s removal once this problem has been resolved.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/google-now-warning-surfers-of-hacked-websites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Clean Up Your Profile After a Facebook Survey Scam!</title>
		<link>http://www.andrewsayshello.com/technology/how-to-clean-up-your-profile-after-a-facebook-survey-scam/</link>
		<comments>http://www.andrewsayshello.com/technology/how-to-clean-up-your-profile-after-a-facebook-survey-scam/#comments</comments>
		<pubDate>Mon, 20 Dec 2010 14:48:42 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[survey scam]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1763</guid>
		<description><![CDATA[Facebook survey scams continue to be a big problem. Just this weekend security companies estimate that hundreds of thousands of Facebook users have been hit by a resurgence of the &#8220;Girl killed herself&#8221; scam. I can certainly believe them as my Facebook news feed has been littered with them all weekend. After seeing all the different [...]]]></description>
			<content:encoded><![CDATA[<p>Facebook survey scams continue to be a big problem. Just this weekend security companies estimate that hundreds of thousands of Facebook users have been hit by a resurgence of the <a href="http://nakedsecurity.sophos.com/2010/09/24/girl-killed-dad-posted-wall-spin-facebook-scam/">&#8220;Girl killed herself&#8221;</a> scam. I can certainly believe them as my Facebook news feed has been littered with them all weekend.</p>
<p>After seeing all the different profiles sending out all kinds of junk to their friends from these scams, it is obvious that many people are struggling to clean up their accounts after they were tricked into allowing a third party application to post messages from their profile. Of course, these messages look to your online friends as though <em>you</em> posted them, so it&#8217;s really important that the problem gets resolved or the scam will just spread more and more virally.</p>
<p>Here&#8217;s a quick <a title="Link to YouTube video" href="http://www.youtube.com/watch?v=Or-qR0Y300w">YouTube video</a> where Sophos Security shows you how to clean up your Facebook account from such an attack:</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="306" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/Or-qR0Y300w?fs=1&amp;hl=en_US&amp;rel=0" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="500" height="306" src="http://www.youtube.com/v/Or-qR0Y300w?fs=1&amp;hl=en_US&amp;rel=0" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>So make it easy on yourself and just don&#8217;t click on this type of random stuff if you see it pop up on your news feed from a friend. If you are really curious, try messaging your friend to see if they really meant to post it first. The internet can be a scary place&#8230; so stay safe out there!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/how-to-clean-up-your-profile-after-a-facebook-survey-scam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google&#8217;s Five-Step Checklist for a Hacker-Free Life!</title>
		<link>http://www.andrewsayshello.com/technology/googles-five-step-checklist-for-a-hacker-free-life/</link>
		<comments>http://www.andrewsayshello.com/technology/googles-five-step-checklist-for-a-hacker-free-life/#comments</comments>
		<pubDate>Mon, 18 Oct 2010 00:22:19 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[account hijack]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[google account]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1681</guid>
		<description><![CDATA[Priya Nayak, who works in consumer operations under Google&#8217;s &#8220;Google Accounts&#8221; wing, puts it best: &#8220;My Google Account is very valuable to me.&#8221; And thus, in honor of National Cyber Security Awareness month, Nayak has taken to the Google blogs to dish out a list of helpful security measures one can use to have an [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/10/google_logo.jpg" rel="lightbox[1681]"><img class="alignright size-medium wp-image-1683" title="google_logo" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/10/google_logo-300x200.jpg" alt="" width="300" height="200" /></a>Priya Nayak, who works in consumer operations under Google&#8217;s &#8220;Google Accounts&#8221; wing, puts it best: &#8220;My Google Account is very valuable to me.&#8221; And thus, in honor of National Cyber Security Awareness month, Nayak has taken to the Google blogs to dish out a list of helpful security measures one can use to have an online life that&#8217;s hacker-free.</p>
<p>Nayak does make a good point—whether it&#8217;s Google or another service, the world is increasingly moving toward a shared, online experience. Our photos are online; our e-mail is online; our blogs and calendars are online. As such, our online identities present a lucrative target for scammers, phishers, and others who would seek to harm our digital domains.</p>
<p>More importantly, one&#8217;s online accounts can be seen as a launching pad to do harm to others. After all, if everyone on your contacts list assumes that everything you send is on the up-and-up, it makes scams like those &#8220;send me money, I need help&#8221; deals even more effective—why would anyone question your queries if you&#8217;ve had an excellent online track record so far?</p>
<blockquote><p>&#8220;Account hijackers prey on the bad habits of the average Internet user,&#8221; <a href="http://googleonlinesecurity.blogspot.com/2010/10/protecting-your-data-in-cloud.html">writes Nayak</a>. &#8220;Understanding common hijacking techniques and using better security practices will help you stay one step ahead of them.&#8221;</p></blockquote>
<p>So how, then, do you do that?</p>
<p>Google—via Nayak—recommends that you start by choosing unique passwords for each of the major online &#8220;terminals,&#8221; as it were, which you use to access sensitive information about your life. That means no reusing passwords between, say, your Google Accounts and your online banking setup, or your Facebook page and your work e-mail, etc.</p>
<p>And once you have this batch of unique passwords set up, get ready to practice your memorization skills—that&#8217;s because Google recommends that you change your passwords no fewer than two times per year. Before you get ready to take the easy way out, Google cautions that it&#8217;s not enough to just change a letter or append a new number to your existing password. You have to go back to the drawing board and concoct a brand-new segment of numbers and letters.</p>
<p>It&#8217;s doubly important that you realize just how your passwords and accounts are used, in the sense that a given service provider isn&#8217;t going to just call you up on the phone and ask you for this information.<br />
Phishing, after all, is one of the top four ways that unscrupulous folk gain access to your sensitive online information. That&#8217;s in addition to someone reusing any passwords they&#8217;ve previously acquired from you across new sites, malware that infects your system and logs your password without you knowing, and brute force attacks on your accounts.</p>
<p>If you want to check out just how secure you are online, Google&#8217;s crafted a <a href="http://mail.google.com/support/bin/static.py?page=checklist.cs&amp;tab=29488">simple checklist</a> you can use to ensure that you&#8217;re going about your digital business the right way.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/googles-five-step-checklist-for-a-hacker-free-life/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook Will Now Text Users Temporary &#8220;One-Time Passwords&#8221; To Use On The Go!</title>
		<link>http://www.andrewsayshello.com/technology/facebook-will-now-text-users-temporary-one-time-passwords-to-use-on-the-go/</link>
		<comments>http://www.andrewsayshello.com/technology/facebook-will-now-text-users-temporary-one-time-passwords-to-use-on-the-go/#comments</comments>
		<pubDate>Wed, 13 Oct 2010 15:27:57 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[mobile phone]]></category>
		<category><![CDATA[one-time password]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[temporary password]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1645</guid>
		<description><![CDATA[For all the controversy they create with privacy issues, there’s no denying that Facebook has good ideas. The latest feature they’re starting to roll out today is very, very smart: one-time passwords. We’ve likely all had the situation where we’ve logged into some account at an Internet cafe, library, or friend’s computer and worried that we [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/10/fb-logo.jpg" rel="lightbox[1645]"><img class="alignright size-medium wp-image-1648" title="fb-logo" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/10/fb-logo-300x112.jpg" alt="" width="300" height="112" /></a>For all the controversy they create with privacy issues, there’s no denying that Facebook has good ideas. The latest feature they’re starting to roll out today is very, very smart: <a href="http://blog.facebook.com/blog.php?post=436800707130">one-time passwords</a>.</p>
<p>We’ve likely all had the situation where we’ve logged into some account at an Internet cafe, library, or friend’s computer and worried that we forgot to log out and/or accidentally saved our passwords on that computer. Facebook’s new feature allows you to simply text “otp” to 32665 from your mobile phone (the one associated with your Facebook account) and you’ll immediately receive a temporary password that can only be used once and will expire in 20 minutes. Brilliant.</p>
<p>The only downside seems to be that you need to remember that texting shortcode, but perhaps they’ll put a link prominently on their mobile site and/or apps.</p>
<p>On top of one-time passwords, Facebook is finally rolling out the ability to sign out of your account remotely. This obviously also solves the problem of worrying you forgot to log out of your account on another machine. Google and other services have had this for a while, and it can be very useful.</p>
<div id="attachment_1653" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/10/fb-pw.jpg" rel="lightbox[1645]"><img class="size-medium wp-image-1653 " title="fb-pw" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/10/fb-pw-300x168.jpg" alt="" width="300" height="168" /></a><p class="wp-caption-text">Example of recent Facebook account activity.</p></div>
<p>In your Account Settings page, Facebook also now shows you your period of last activity on the service, just in case you’re afraid someone has accessed your account. This is also similar to what Google does with Gmail, but it’s laid out in a much nicer way on Facebook — including the approximate location of the person and what device they were using to access the account (Google lists both of those things as well but in a much more computerized format).</p>
<p>Facebook also notes:</p>
<blockquote><p>Lastly, when people log in to Facebook we will regularly prompt them to keep their security information updated. If you ever lose access to your account, having this information helps us verify who you are and get you back into your account quickly.</p></blockquote>
<p>Speaking of Google, they’ve also been recently stepping up their game with regard to security. Last month, they started enabling <a href="http://www.andrewsayshello.com/technology/google-is-making-your-account-vastly-more-secure-with-two-step-authentication/">two-step authentication</a>, which requires you to enter a username, password, and secret code sent to the mobile phone associated with your Google account.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/facebook-will-now-text-users-temporary-one-time-passwords-to-use-on-the-go/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Number Of Malware-Infected Websites Passes 1 Million!</title>
		<link>http://www.andrewsayshello.com/technology/number-of-malware-infected-websites-passes-1-million/</link>
		<comments>http://www.andrewsayshello.com/technology/number-of-malware-infected-websites-passes-1-million/#comments</comments>
		<pubDate>Mon, 04 Oct 2010 12:51:16 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Dasient]]></category>
		<category><![CDATA[drive-by download]]></category>
		<category><![CDATA[iframe]]></category>
		<category><![CDATA[infected website]]></category>
		<category><![CDATA[javascript]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1609</guid>
		<description><![CDATA[According to a new report published in a blog last month by researchers at security firm Dasient, the number of websites infected by malware in the second quarter of 2010 spiked to more than 1.3 million &#8212; the first time that figure has ever topped 1 million. &#8220;That&#8217;s a jump of almost two times the number [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1611" class="wp-caption alignright" style="width: 310px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/10/InfectedSite.jpg" rel="lightbox[1609]"><img class="size-medium wp-image-1611" title="InfectedSite" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/10/InfectedSite-300x181.jpg" alt="" width="300" height="181" /></a><p class="wp-caption-text">Example of infected website warning.</p></div>
<p>According to <a href="http://blog.dasient.com/2010/09/continued-growth-in-web-based-malware_9357.html" target="new">a new report</a> published in a blog last month by researchers at security firm Dasient, the number of websites infected by malware in the second quarter of 2010 spiked to more than 1.3 million &#8212; the first time that figure has ever topped 1 million.</p>
<blockquote><p>&#8220;That&#8217;s a jump of almost two times the number that we saw in the previous quarter,&#8221; says Neil Daswani, co-founder of Dasient. &#8220;The numbers are really surprising.&#8221;</p></blockquote>
<p>Malware authors are becoming more efficient and creative in their methods of attacking websites, Dasient says. For one thing, they are creating new malware at an exceedingly rapid rate: Dasient detected more than 58,000 new infections in Q2 alone, raising its comprehensive malware library to more than 200,000 different infections.</p>
<p>Attackers are also becoming more crafty in the way they distribute their payloads, Daswani observes. For example, many malware authors have begun deploying new infections late on Friday afternoons, when they know most IT departmental resources will be at an ebb over the weekend.</p>
<p>&#8220;They can make the campaign last longer by starting it right before a weekend,&#8221; Daswani says. The average malvertising campaign in Q2, for example, lasted 11.5 days.</p>
<p>Malvertising itself continues to grow, Dasient says: More than 1.6 million malvertisements are served on an average day, up 20 percent in the second half of Q2, according to the report. Some 42 percent of websites rely on third-party advertising resources, yet many site operators do not vet this content for malware before they serve it, Daswani notes.</p>
<p>Attackers favored JavaScript over iFrames as a means of delivering malware in Q2, according to the report. &#8220;In Q2, over 43,000 JavaScripts and over 15,000 IFRAMEs were added to Dasient’s infection library,&#8221; Dasient says. &#8220;As a percentage of the total number of new entries, JavaScript samples have increased by 19 percent, and JavaScript samples now make up 74 percent of the entries for the quarter [as compared to 55 percent three quarters ago].&#8221;</p>
<blockquote><p>&#8220;One of the advantages of JavaScript is that it can be used to modify a whole Web page, whereas an iFrame is more limited,&#8221; Daswani says. &#8220;JavaScript offers a larger attack surface.&#8221;</p></blockquote>
<p>Attackers use .com and .cn domains most frequently to host malicious code, Dasient says. In Q2, there was a rise in .info domains that were infected and used to host malicious code, the report states.</p>
<p>Three out of four drive-by-downloads have one-letter filenames and are written to the user&#8217;s Application Data directory, according to Dasient. The most common name for a drive-by-download was f.exe.</p>
<p>The level of attack sophistication is only going to increase over time, Daswani says. &#8220;This is a problem that isn&#8217;t slowing down,&#8221; he says. &#8220;It&#8217;s not going away.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/number-of-malware-infected-websites-passes-1-million/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Is Making Your Account Vastly More Secure With Two-Step Authentication!</title>
		<link>http://www.andrewsayshello.com/technology/google-is-making-your-account-vastly-more-secure-with-two-step-authentication/</link>
		<comments>http://www.andrewsayshello.com/technology/google-is-making-your-account-vastly-more-secure-with-two-step-authentication/#comments</comments>
		<pubDate>Mon, 20 Sep 2010 12:17:33 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[blackberry]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[google account]]></category>
		<category><![CDATA[google apps]]></category>
		<category><![CDATA[Google Authenticator]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[mobile phone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[two-factor authentication]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1603</guid>
		<description><![CDATA[If you’ve ever worried about being phished or having your password hacked, Google&#8217;s new “Two-factor authentication” could be your best friend — because it makes it much, much harder for a hacker to break into your account. Today, Google is announcing that it’s bringing the security feature to its millions of users: the feature will be rolling [...]]]></description>
			<content:encoded><![CDATA[<p>If you’ve ever worried about being phished or having your password hacked, Google&#8217;s new “Two-factor authentication” could be your best friend — because it makes it much, much harder for a hacker to break into your account. Today, Google is announcing that it’s bringing the security feature to its millions of users: the feature will be rolling out first for Google Apps Premiere, Education, and Government edition customers, with plans to bring it to <em>all</em> Google users (even those who aren’t using its Apps suite) in the next few months.</p>
<div id="attachment_1604" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/09/googleverification01.png" rel="lightbox[1603]"><img class="size-medium wp-image-1604" title="googleverification01" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/09/googleverification01-300x110.png" alt="" width="300" height="110" /></a><p class="wp-caption-text">Google&#39;s new two step authentication!</p></div>
<p>So what exactly is two-factor authentication? Most of the login systems you’ve probably used are only ‘one-factor’ — you enter one password and you’re in, but if that password gets compromised, you’re toast. More secure systems are common in large businesses, and often require both a password <em>and</em> a physical card or dongle to log in — these are called ‘two-factor’ systems, because they require both your password and another key, and are far more secure because a hacker probably isn’t going to have that physical token. Unfortunately, these security systems are generally quite expensive. But Google is bringing one to the masses.</p>
<p>Google’s system doesn’t require a physical keycard. Instead, it relies on your mobile phone. First, you need to activate the optional feature from your settings page (again, this is only available to certain Google Apps customers at first). Then, when you go to sign in to your Google account, you’ll first be asked to enter your password as usual. Next, you’ll be brought to a screen asking for a verification code (see the screenshot above).</p>
<p>The verification code comes from your mobile phone, which you’ve previously linked up to your Google Account. Google has built a ‘Google Authenticator’ application for Android, the iPhone, and Blackberry — fire up the application, and it will give you the six-digit verification code that you enter back into your browser (the system can also send you an SMS message or give you the code via voice call).</p>
<div id="attachment_1606" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/09/googleverification02.png" rel="lightbox[1603]"><img class="size-medium wp-image-1606" title="googleverification02" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/09/googleverification02-300x174.png" alt="" width="300" height="174" /></a><p class="wp-caption-text">Coming soon to mobile devices!</p></div>
<p>That’s it. The entire process only takes a minute or so, but it’s much more secure because anyone wanting to access your account will also need access to your mobile phone. You can opt to require this two-factor authentication all the time, or you can elect to only require it one time per computer (in other words, you’ll only need to enter it once on your home PC and/or work computer).</p>
<p>Like I said, this may not sound sexy, but it’s a big deal. Given how much data users are storing on Google, and the fact that plenty of people still fall prey to phishing scams on a regular basis, this is a major step in helping keep users secure. This is all optional (unless your Apps administrator sets a policy requiring it), but I suspect Google will be making a push to urge users to take advantage of the new system as it begins rolling out more broadly.</p>
<p>The news will also make Google Apps an even more tempting proposition for security-conscious businesses (Google notes that prior to this release, it was also the first company to receive FISMA certification in the collaboration/document sharing space). To make this more appealing to businesses, Google is also open-sourcing its authentication apps, so businesses can create their own custom-branded versions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/google-is-making-your-account-vastly-more-secure-with-two-step-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Private Browsing Modes in the Four Biggest Browsers Often Fail!</title>
		<link>http://www.andrewsayshello.com/technology/private-browsing-modes-in-the-four-biggest-browsers-often-fail/</link>
		<comments>http://www.andrewsayshello.com/technology/private-browsing-modes-in-the-four-biggest-browsers-often-fail/#comments</comments>
		<pubDate>Sun, 08 Aug 2010 14:49:39 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[chrome]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[html5]]></category>
		<category><![CDATA[internet explorer]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[mozilla]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[private browsing]]></category>
		<category><![CDATA[safari]]></category>
		<category><![CDATA[security certificate]]></category>
		<category><![CDATA[ssl]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1532</guid>
		<description><![CDATA[Features in the four major browsers designed to cloak users&#8217; browser history often don&#8217;t work as billed, according to a research paper that warns that users may get a false sense of security when using the built-in privacy settings. The private-browsing modes are supposed to allow users to visit a website without leaving any trace [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1535" class="wp-caption alignright" style="width: 267px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/08/privatefirefox.jpg" rel="lightbox[1532]"><img class="size-full wp-image-1535  " title="private browsing in firefox" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/08/privatefirefox.jpg" alt="private browsing in firefox" width="257" height="288" /></a><p class="wp-caption-text">Example of private browsing in Firefox.</p></div>
<p>Features in the four major browsers designed to cloak users&#8217; browser history often don&#8217;t work as billed, according to a research paper that warns that users may get a false sense of security when using the built-in privacy settings.</p>
<p>The private-browsing modes are supposed to allow users to visit a website without leaving any trace on their computers, and yet Internet Explorer, Firefox, Chrome, and Safari frequently leave tracks, according to the research, which is scheduled to be presented at next week&#8217;s <a href="http://www.usenix.org/events/sec10/tech/" target="_blank">Usenix Security Symposium</a> in Washington DC. The makers of those browsers — Microsoft, Mozilla, Google, and Apple respectively — often hail the offerings as a way to enhance privacy when using shared computers.</p>
<p>One failure that affects IE, Firefox, and Safari happens when users save SSL, or secure sockets layer, client certificates while browsing in private mode. The browsers store a record of those actions in a file that allows anyone who has physical access to know exactly what site the user was visiting at the time. Similarly, when IE and Safari encounter a self-signed certificate, it is stored in a certificate vault that is preserved even after the private session ends.</p>
<p>Similarly, Firefox users who change security certificate settings while in private mode will have a partial copy of their browsing history stored in a file called cert8.db, the researchers said.</p>
<blockquote><p>“We discovered that all these browsers retain the generated key pair even after private browsing ends,” the researchers wrote. “Again, if the user visits a site that generates an SSL client key pair, the resulting keys will leak the site&#8217;s identity to the local attacker.”</p></blockquote>
<p>The study (<a href="http://crypto.stanford.edu/~dabo/pubs/abstracts/privatebrowsing.html" target="_blank">PDF here</a>) showed each browser failing in specific settings.</p>
<p>The privacy mode in Firefox, for instance, is undermined when a user sets site-specific preferences or uses a variety of <a href="https://addons.mozilla.org/en-US/firefox/" target="_blank">Mozilla-sanctioned plug-ins</a>. The open-source browser also keeps a record of visited websites that dole out custom protocol handlers based on the HTML5 standard.</p>
<p>For its part, IE&#8217;s InPrivate mode can be undermined when websites make SMB queries, since the Microsoft browser shares large chunks of code with Windows Explorer.</p>
<p>The researchers also devised a way for webmasters to detect when someone visiting their sites is using the privacy mode. It involves placing an iframe with a unique web address and then “using JavaScript to check whether a link to that URL was displayed as purple (visited) or blue (unvisited).”</p>
<p>The researchers said that to the best of their knowledge they are the first to demonstrate a way to detect private browsing mode — but that may not really matter for much longer. The technique appears to use the decade-old <a href="http://www.theregister.co.uk/2008/07/28/browser_history_leakage/">browser history attack</a>, which was recently fixed in Safari and will soon be fixed in Firefox. It&#8217;s only a matter of time before Microsoft and Google follow suit.</p>
<p>Using the technique, they confirmed what we all suspected: the feature is mainly used when surfing to porn sites. Gift and news sites, not so much.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/private-browsing-modes-in-the-four-biggest-browsers-often-fail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook&#8217;s Security Check Asks Users to Identify Photos!</title>
		<link>http://www.andrewsayshello.com/technology/facebooks-security-check-asks-users-to-identify-photos/</link>
		<comments>http://www.andrewsayshello.com/technology/facebooks-security-check-asks-users-to-identify-photos/#comments</comments>
		<pubDate>Fri, 06 Aug 2010 12:59:59 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[identify friends]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security check]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1520</guid>
		<description><![CDATA[A security feature implemented by Facebook in May requires some users to identify friends from photos in order to log in from an unfamiliar computer &#8211; tough for a bot or an imposter to fake. But it&#8217;s also a major annoyance for some who have been denied access to their accounts after failing to correctly identify photos [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/08/facebook.jpg" rel="lightbox[1520]"><img class="alignright size-full wp-image-1523" title="facebook" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/08/facebook.jpg" alt="" width="150" height="51" /></a>A security feature implemented by Facebook in <a href="http://blog.facebook.com/blog.php?post=389991097130">May</a> requires some users to identify friends from photos in order to log in from an unfamiliar computer &#8211; tough for a bot or an imposter to fake. But it&#8217;s also a major <a href="http://www.helpowl.com/q/Facebook/Technical-Support/security-issue-photo-recognition-problems/15737">annoyance</a> for some who have been denied access to their accounts after failing to correctly identify photos of dogs, objects and acquaintances they don&#8217;t know well enough to recognize.</p>
<p>Facebook has already added a <a href="http://www.facebook.com/help/?search=security%20check#!/help/?faq=17846">question</a> to its FAQ specific to the issue: &#8220;I can&#8217;t access my account because I don&#8217;t recognize anyone in the photo security check.&#8221;</p>
<p>Facebook user <a href="http://www.eleanorherman.com/">Eleanor Herman</a> was directed to the security check after trying to log in from a laptop computer at the beach instead of the one she normally uses. She&#8217;s an author who is &#8216;friends&#8217; with her readers, many of whom she does not know personally, and she has not been able to correctly identify the five out of seven photos required to access her account. Facebook makes her wait an hour before attempting the security check again. Here is an example of one of the photos causing her a lot of trouble:</p>
<div id="attachment_1521" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/08/gummibears.png" rel="lightbox[1520]"><img class="size-medium wp-image-1521" title="gummibears" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/08/gummibears-300x247.png" alt="" width="300" height="247" /></a><p class="wp-caption-text">Facebook photo security check.</p></div>
<p>It&#8217;s easy to see why this test is difficult for many Facebook users to pass, and difficult to understand how Facebook failed to realize this.</p>
<p>Facebook encourages us to &#8216;connect&#8217; with as many people as possible, however marginal the relationship, so it&#8217;s not surprising that users can&#8217;t recognize every face in their growing &#8216;friend&#8217; banks. Users upload and tag pictures of animals, food, objects, landscapes, abstract art and groups of people jammed together &#8211; the volume of photos mistagged as inside jokes is enough to invalidate this as a way to verify a user&#8217;s identity.</p>
<p>Facebook says it is relying on tagged pictures from friends with whom a user is likely to have a close connection, similar to the algorithm used to decide what to display in a user&#8217;s News Feed. But users are understandably getting frustrated:</p>
<div id="attachment_1522" class="wp-caption aligncenter" style="width: 428px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/08/fb-complaints.bmp" rel="lightbox[1520]"><img class="size-full wp-image-1522" title="fb-complaints" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/08/fb-complaints.bmp" alt="" width="418" height="429" /></a><p class="wp-caption-text">Users complaining about the new security feature.</p></div>
<p>Facebook has responded to some sources to say only a small percentage of users have any problem with the photo security check. It&#8217;s found the method to be more effective than other kinds of security checks, a spokesman said, and Facebook is always working to improve its systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/facebooks-security-check-asks-users-to-identify-photos/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

