Archive for April, 2010

BLOGS: Facebook checked out, 1.5 million accounts overdue for password changes?

April 25, 2010

ESET is suggesting that it’s time to change your Facebook password. The cause is the possible/probable loss of a large number of users’ details.

The Internet is abuzz with the announcement from Verisign’s iDefense Labs that a criminal hacker on a Russian forum who goes by the nom-de-plume “Kirllos” (Carlos?) is selling the credentials for 1.5 million Facebook accounts in batches of a thousand for between $8 and $30, depending upon their quality (which, in this case, means dates of birth, mobile phone numbers, number of friends, geographic locations and so forth).

Details are still sketchy, and as of writing, ESET had not heard back from Facebook. But it can’t be ignored.

What is interesting to me is how so many accounts may have been breached: As of the writing of this blog entry, we actually have yet to hear from Facebook on the matter, but the sheer volume of accounts implies something more than simple organic theft via keystroke logging, password stealers or other bot-deployed malware. Whether the result of a data breach from insufficient security settings, a targeted attack on Facebook employees or the results of insider action, the post-mortem on this will, no doubt, make for fascinating reading.
Aryeh Goretsky, MVP, ZCSE, Researcher, ESET

So, change your password now rather than rescue your reputation or worse later.

Blog entry

Categories: All, Blogs

NEWS: A Social Media Governance Toolkit

April 25, 2010

On Tuesday 27 April, IT Governance will launch at Infosecurity Europe a “new toolkit that will help any organisation to develop, implement, monitor and improve social media activities within an effective governance structure”.

How do I know this? Am I on the select list of major news outlets that get pre-release releases? No. In fact, I don’t know for certain. It’s a guess. It’s based on the inclusion of a press release for that date in my RSS feed that has been removed from its source location.

So I’m guessing that someone at IT Governance published the story, realised it was premature and withdrew it. That’s why I’m not going to discuss anything more about the release: it is either meant for Tuesday or it isn’t going to happen at all.

I’m just hoping that within this toolkit for governing social media there is something to prevent unsanctioned, premature or too personal information being posted to said social media, because once you post something to the internet, it is very, very difficult to get it back again.

IT Governance

Categories: All, Security News

Consumers International IP Watchlist

April 25, 2010

In most countries, the rules that regulate access to our society’s culture and learning place big business first and consumers second. That is the overall finding of this second Consumers International IP Watchlist, which endeavours to rate countries on how well they uphold their citizens’ rights of access to knowledge – or A2K, for short.
Consumers International IP Watchlist

I would like to thank Peter Mandelson for his tireless efforts in getting the UK on to the Consumers International IP Watchlist league table. This is a table that rates different countries’ “consumer friendliness”; and we are 32nd out of 34. Put another way, this suggests that the UK copyright laws make us the third most restrictive, anti-consumer nation in the world. Well done Peter. The unelected overlord of the British Government. A socialist who places “big business first and consumers second”.

You can get a copy of the report here.

But while you’re in copyright mode, take a look at the video When Copyright Goes Bad also produced by Consumers International.

Copyright rules no longer do what they are supposed to do. They have gone bad. When Copyright Goes Bad is a new short film introducing the renegotiation of copyright and is for anyone interested in how copyright is affecting consumers.

This is a film about how copyright has become one of the most important consumer issues of the digital age. Why corporate lobbying risks criminalising the actions of hundreds of thousands of people. And what the future holds for the fight for fairer copyright laws.

I take heart from Michael Geist’s conclusion that ultimately these restrictive copyright practices will be defeated. But he probably hasn’t met Mandelson. Mandelson is all about power and control. In the UK, the Digital Economy Act gives him more power and control. It is a dangerous mixture when control freak meets profit-oriented big business: each uses the other. The control freak manipulates big business’ need to protect its profits so as to get more control; business manipulates the freak’s need for power to increase profit. And it is the citizen consumer who pays the price.

Categories: All, General Rants

Biobank, GeneWatch, DNA and the database state

April 25, 2010

UK Biobank is nearing its initial target of 500,000 participants (455,316 people are already helping – 11pm Saturday 24 April 2010 – from the home page). I have to assume that all of these people understand not just what they are doing, but the full implications of what they are doing. And I wonder how many of the rest of us have even heard about UK Biobank.

UK Biobank is a major UK medical research initiative, and a registered charity in its own right, with the aim of improving the prevention, diagnosis and treatment of a wide range of serious and life-threatening illnesses – including cancer, heart diseases, diabetes, arthritis and forms of dementia. To do this vital work we need your help. We are now recruiting 500,000 people aged 40-69 from across the country to take part in this project.
UK Biobank

But is that all? Of course not.

UK Biobank was set up as a pilot project for a vast database of everybody’s electronic medical records linked to their DNA. It is a legacy of Tony Blair and the claims he made that we would all have our genomes sequenced to ‘predict and prevent’ disease. Commercial interests want to use the marketing of fear to sell more drugs and other products to healthy people who are supposed to be at high genetic risk. This science fantasy is bad for health: genes are poor predictors of most diseases in most people and many people will be treated for diseases they’re not going to get. A database of people’s medical records linked to their DNA would become the holy grail of marketing and also allow the Government or police to track every individual or their relatives.
Dr Helen Wallace, GeneWatch UK’s Director

I have been worried about the police and its DNA database of innocent people. I am worried about the NHS Spine. But put the two together and give government, police and medical researchers (that is, the pharmaceutical companies whose sole purpose is to sell pharmaceuticals) access to it and we truly have the foundation of a totalitarian state.

The pharmaceutical companies already wield unwarranted power over our lives. In recent years we need only consider the two flu scares, Bird and Swine. Ridiculous hype and scare stories led to massive and unwarranted purchase of vaccinations at our cost and their huge profit. And think also of the MMR vaccine saga, and the way in which we are bullied and blackmailed into accepting it. And before you dismiss Wakefield’s concerns over the vaccine as being discredited, ask yourself by whom? And then, before you automatically believe what they tell us, have a look at Wakefield himself being interviewed by Dr Mercola.

In this interview, Dr. Andrew Wakefield shares his personal and professional insights into a number of topics, from the gut-brain connection so often seen in autistic children, to the safety of a number of childhood vaccines.

But most importantly, he sets the record straight on the harsh criticism he’s endured as the author of one of the most controversial vaccine-causing-autism studies ever done.
Dr Mercola

GeneWatch UK is calling for:

  1. The Government plan to build a vast database of everyone’s electronic medical records linked to DNA to be abandoned. This would mean cancelling the NHS ‘Spine’, and abandoning proposals to integrate genome sequences into people’s medical records, except in the limited circumstances where this is of benefit to health.
  2. A review of the value for money of UK Biobank in the light of evidence that genes are poor predictors of common diseases.
  3. UK Biobank’s long-awaited ‘Access Policy’ to be published for consultation, so that people taking part know who is using their data, what it is being used for, and whether they will be identifiable.

I would go further. It is time to force government to abandon its attempts to control us via huge, centralised, joined-up databases that contain every detail of our lives. George Orwell would not believe what we are allowing to happen today.

Categories: All, Security Issues

Let’s bash Google

April 23, 2010

I’m not trying to defend Google. I’m just trying to understand what’s going on.

When Google launched Buzz, it got things wrong. It was privacy opt out rather than opt in. Now, it didn’t catch me out, so it wasn’t totally obscure. But a lot of people got very upset, which I understand, and complained. But frankly, I don’t think I’ve ever seen a large computer company react with such speed. Google recognised it was wrong, and changed things very, very fast. And I’m even beginning to see that it has a place as a sort of threaded, more conversational, Twitter.

What about Facebook? While Google said, “We got it wrong; you want privacy,” Facebook seems to say “You got it wrong; you don’t want privacy.” It seems to me that the privacy implications in an automatically opted-in application personalization where you don’t even know what applications are involved are infinitely more worrying than Google’s Buzz debacle.

So I’m a little bit puzzled by the letter from Canada’s Information Commissioner and countersigned by numerous other Information Officers castigating Google over something it’s already put right, but not mentioning Facebook.

The privacy problems associated with your initial global rollout of Google Buzz on February 9, 2010 were serious and ought to have been readily apparent to you.

In essence, you took Google Mail (Gmail), a private, one-to-one web-based e-mail service, and converted it into a social networking service, raising concern among users that their personal information was being disclosed. Google automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail, without adequately informing Gmail users about how this new service would work or providing sufficient information to permit informed consent decisions. This violated the fundamental principle that individuals should be able to control the use of their personal information.

Users instantly recognized the threat to their privacy and the security of their personal information, and were understandably outraged. To your credit, Google apologized and moved quickly to stem the damage.
Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of the data protection authorities in France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom

I have to ask if there are other motives at work here? After all, the EU is already ‘investigating’ Google (some say it follows pressure from Microsoft to do so). And of course Google has just started telling the world about the ‘interference’ it gets from different governments while making it perfectly clear that it will not just roll over on every non-judicial demand for information about its users that it receives.

Google is not all good. Most governments are not at all good. Frankly, I would much rather have the ethics of Google – aided by the watchful eyes of EFF – looking after my privacy than any of the governments that have signed this letter.

Categories: All, Security Issues

BLOGS: Opting out of Facebook’s Instant Personalization

April 23, 2010

I doubt if there is anybody left in this universe who is unaware of Facebook’s attitude to your privacy: you don’t have any, it is ours, and we will do what we want with it, but will allow you a little control if you can navigate through the hoops we’ve set up. We own you.

And, boy, are there some hoops. No list of applications with a check box that you can tick to opt in to – just a whole series of pages you have to go through to even find what the applications are.

Now, I am not saying that opting into these pages is a bad thing – that’s for you to decide. But it should be your choice and not theirs. So I would say, get out now while you can; watch what happens, and then you decide if you want to opt back in.

So for that reason I shall be eternally grateful to EFF for its step-by-step guide on how to do just that.

If you don’t want the websites that you or your Facebook friends visit to know your information, you must opt out. Since this process is a bit complicated, we have made a quick video showing step by step how to do so.
Kurt Opsahl

Blog entry

Categories: All, Blogs

NEWS: Not a good idea to make cyber threats…

April 23, 2010

Allegedly…

ANTHONY DIGATI was dissatisfied with his insurance company – and wanted his premiums back. That wasn’t going to happen, so he resorted to threats. According to the FBI, he emailed staff at the company and directed them to a website.

The website included, among other things, the following text:

  • These things, unless you honor the below claim, WILL HAPPEN on March 8, 2010.
  • As you have denied my claim I can only respond in this way. You no longer have a choice in the matter, unless of course you want me to continue with this outlined plan. I have nothing to lose, you have everything to lose.
  • My demand is now for $198,303.88. This amount is NOT negotiable, you had your chance to make me an offer, now I call the shots.
  • I have 6 MILLION emails going out to couples with children age 25-40, this e-mail campaign is ordered and paid for. 2 million go out on the 8th and every two days 2 million more for three weeks rotating the list. Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.
  • I am a huge social networker, and I am highly experienced. 200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.
  • I think you get the idea, I am going to drag your company name and reputation, through the muddiest waters imaginable. This will cost you millions in lost revenues, trust and credibility not to mention the advertising you will be buying to counter mine. Sad thing is it’s almost free for me!
  • The process is in motion and will be released on March 8th, 2010. If you delay and the site goes live, The price will then be $3,000,000.00.

Not a good idea.

If convicted on this charge, DIGATI faces a maximum sentence of two years in prison and a maximum fine of $250,000 or twice the gross pecuniary loss or gain derived from the offense.

FBI New York

Categories: All, Vendor News

BLOGS: Preliminary Analysis of the Officially Released ACTA Text

April 23, 2010

EFF takes a preliminary look at the ACTA document. It is a US-centric evaluation, but a valuable insight from legal minds that are concerned about how the law affects all of us.

If the previous leaks (here, here, here and here) left any doubt, the officially released text makes it crystal clear that ACTA is not just about counterfeiting. When ACTA was announced two years ago, it was portrayed as a modest effort at increasing coordination between customs agencies tracking counterfeit physical goods. The officially released text shows that it’s far broader. First, it is not just about trademarks; it covers copyright, potentially patents, and all other forms of intellectual property. Second, it’s not just about physical goods. It’s all about the Internet — which it targets very specifically — and citizens’ ability to use it to communicate, collaborate and create. ACTA contains new potential obligations for Internet intermediaries, requiring them to police the Internet and their users, which in turn pose significant concerns for citizens’ privacy, freedom of expression and fair use rights.
Gwen Hinze

Blog entry

Categories: All, Blogs

BLOGS: Cybermules and Money Mules

April 22, 2010

Symantec has produced an excellent explanatory introduction to cybermules: what they are and how they are recruited.

In this day and age we’re all aware of the threat cybercriminals pose to our personal information. If you’re not careful, items like your credit card number could fall into the wrong hands, resulting in unauthorized goods and services being purchased in your name. What may come as a surprise is not everyone participating in these activities is a full-blown cybercriminal. Some are ordinary citizens—just like you and me—that unintentionally get caught up in illegal activity.
Ben Nahorney

A cybermule is an innocent person recruited to repackage fraudulently purchased goods and ship them abroad to the criminal.

If this blog gets you interested in knowing more about mules, turn to Dancho Danchev and his series on Keeping Money Mule Recruiters on a Short Leash. Money mules are similar to cybermules except that they generally know they are breaking the law, and they ‘ship’ money rather than goods via bank accounts. It’s international money-laundering. Money mules are usually recruited via job offers for things like Shipping Agents, and Local Finance Agents, and offer very good pay for very little work. But Keeping Money Mule Recruiters on a Short Leash – Part Four shows that mule recruitment can even be used as social engineering to get a trojan onto your computer.

Some of the mule recruitment sites appear to be interested in something else, rather than recruiting mules — must be the oversupply of people unknowingly participating in the cybercrime ecosystem.

Several of the domains (for instance ortex-gourpinc.tw and augmentgroupinc.tw) are not accepting registrations, but are instead attempting to trick the visitor into downloading and executing a bogus psychological test [containing a trojan].
Dancho Danchev

The old adage should always be remembered: if a job offer sounds too good to be true it’s because it is too good to be true. Worse, it’s probably illegal. And even worser: you’re the one most likely to get caught.

Categories: All, Blogs

BLOGS: Copyright India style: and that thing ACTA

April 22, 2010

Dr. Michael Geist, a law professor at the University of Ottawa, has made two apposite blogs: one on copyright reform in India, and the other on ACTA. I hope he will excuse me for quoting the former in full:

The Government of India has just introduced a major new copyright reform package. Of particular note from a Canadian perspective are the approaches to fair dealing and anti-circumvention. On fair dealing, the provision is expanded to cover “private and personal use.” On anti-circumvention, the bill is consistent with implementing the WIPO Internet treaties in a manner that retains equal rights both online and offline. The provision specifically targets circumvention for the purposes of copyright infringement and does not target the distribution or marketing of devices that can be used to circumvent.
Michael Geist

It’s worth considering the implications here. It seems that copying for private use does not breach copyright. And dual purpose products that could allow copyright circumvention will not be targeted. How civilised.

The second blog is a list of links to ‘notable’ comments on the released ACTA document. These, coupled with his blog yesterday (ACTA Draft Text Released: (Nearly) Same As It Ever Was) will provide a pretty wide view of current thinking on the state of ACTA.

Michael Geist’s blog

Categories: All, Blogs