June 3rd, 2009 03:01am
whataslacker
Facebook is the new playground for phishers. Why? The social networking site has made things relatively easy for computer criminals. So far, the consequences have been relatively mild — mostly, some annoying emails. But if Facebook and other social networking sites don’t get a handle on security issues soon, a serious outbreak could occur.
Behind every successful criminal computer hack is a simple two-step process: gain trust, then exploit that trust with an attack. Computer criminals will tell you that gaining trust is the hard part. Consider a real-world parallel: Breaking into a bank is difficult. But if you befriend a guard, he’ll eventually let you walk right in through the front door.
That’s why Facebook attacks are so easy, says Mary Landesman, senior researcher at computer security firm ScanSafe.
“Facebook users assume a level of trust they just should not assume when using the site,” she said.
Phishing attacks have been popping up nearly every week on Facebook and other social sites like Twitter. Victims receive e-mails from friends with innocent-sounding messages, such as “click on this video.” Those who are duped then surrender their login information on a rogue Web site, and then a criminal is off to the races with their identity.
People who would never fall for an old-fashioned phishing note are getting tripped up by Facebook phish for one simple reason: They trust the sender.
“People are pretty unguarded in the social networking environment,” said Kevin Haley, director of Symantec Corp.’s security response team. “You figure you’re surrounded by friends, so why have your guard up?”
He likened Facebook attacks to scam artists that prey on church communities, where members typically share a high level of trust.
By creating what looks like a safe, fun environment, Facebook has created an ideal breeding ground for phishing attacks. In fact, some Facebook software even helps the cause. For example, Facebook makes it relatively easy to send messages to groups of “friends,” or to post notes that appear on their Web pages. That means one stolen login account can lead to a lot of trouble.
Worse yet, some of the techniques Facebook employs fly directly in the face of accepted security practices. Facebook regularly sends e-mail to users with links in the message. “To follow the comment thread, follow the link below,” reads a typical note. Clicking on the link then prompts users to log in.
That is precisely the formula phishers use to trick victims into divulging their passwords — an e-mail with a link that leads to a login page.
The Facebook method is a recipe for disaster. It’s difficult for users to tell the difference between a legitimate Facebook message and a phishing e-mail. That’s why many banks stopped sending e-mails with links years ago. And in general, that is why e-mail is no longer regarded as a secure form of communication — outside the social networking universe, anyway.
But Facebook has trained their users to click on links in e-mail. And with the steady advance of third-party applications that require sharing of data, Facebook has trained users to play fast and loose with personal information, too.
“We’ve barely gotten users to the point where they have a basic understanding of passwords, and the idea of not using the same password for everything,” Landesman said. Facebook’s use of e-mail and links “is a huge contributing factor (to the phishing problem).”
Facebook could make a simple change and stop many of these phishing attacks: all notification e-mails could simply say “log in on our homepage to see the message,” forcing users to always arrive at the site the old-fashioned way, by typing www.facebook.com into the browser’s address bar.
This wouldn’t eradicate phishing. E-mails within Facebook’s system sent between users also include links, and these could also lead to trouble. Because linking to articles is such an important part of Facebook use, there’s no realistic way for Facebook to abolish all e-mail links. But anyone who clicks on such a link sent from within Facebook’s system wouldn’t need to log in again. Over time, users would learn there’s never a need to supply their password after clicking on a link, and wouldn’t be primed to do so when a phisher’s e-mail arrived.
Things could be much worse
So far, most Facebook scams have been designed to steal passwords. But the next successful scam e-mail could be much worse. It could lead users to a cleverly designed Web site booby-trapped with a nasty virus that deletes files or finds its way around a victim’s PC and steals credit card information. Such an attack wouldn’t require the victim to log in; merely visiting the page would be enough, because a so-called drive-by download exploits a flaw in the browser or one of its plug-ins rather than asking the user for anything.
Of course, these are the same hazards that Internet users face every day — supplying login information to imposter Web sites is bad, landing on booby-trapped Web sites even worse. But Facebook users are especially vulnerable, because they trust the site and their friends. The firm bears responsibility to act before the problem gets worse.
Facebook isn’t entirely to blame, of course. Some of it is old-fashioned techno-naiveté. Users tend to be too trusting when a new technology arrives. Just two months ago we celebrated the 10th anniversary of the Melissa virus, the first mass-mailing virus to bring corporate e-mail systems to a halt. Its method sounds quaint, even silly, today. The Melissa message, which appeared to come from a co-worker or friend, read simply: “Here is that document you asked for … don’t show anyone else ;-).” Few Net users would fall for that trick in a standard e-mail today. But Facebook users are falling for very similar criminal tactics because they are working in a new medium. Many will have to touch this new stove and find out that, here too, they can be burned.
Here, too, Facebook is a victim of its own success. Mary Landesman points out that because nearly all Facebook messages are legitimate, recipients are much more likely to fall for the occasional e-mail trap. On the other hand, most traditional e-mail messages are spam (80 to 90 percent) and most inboxes are full of malicious messages, so consumers are much more wary when using regular e-mail.
“The fact that a majority of Facebook correspondence is still valid gives people a false sense of security,” she said.
Facebook didn’t ask for the job of Internet security cop, but that’s the job the company has now. So far, phishing attempts have been clumsy, often marked by broken English and silly-looking URLs. One recent message urged recipients to click on a link with arcane labels like “Check 121.im.”
But this weekend, a more sophisticated version included a link that looked like this:
http://www.facebook.com/l/;http://XXXXX.ru/?video_id=1319924
(We’ve altered the link so it doesn’t work)
Notice how believable the link is. It appears to take users to Facebook.com, when in fact it sends them to a Web site in Russia. The browser does not ignore the first part of the address; the click really does go to facebook.com, but the /l/ path there is Facebook’s own outbound-link redirector, which forwards the visitor to whatever address follows the semicolon. The phisher ends up with a link that begins with the trusted domain and ends on his own server. Expect a steady progression in phishing techniques during the next few months.
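As an added example, not code from the MSNBC article, this is the kind of check a mail filter or a link-inspection tool could apply to such links: it treats a link as suspect when the host the reader sees and an absolute URL buried in the link’s path or query belong to different sites. The sample links are constructed for the example; XXXXX.ru is the article’s own redaction, and the site_of() helper is a deliberately crude guess at the registrable domain.

```python
# Added example, not code from the MSNBC article. Detects "redirector-style"
# links: the address the reader sees belongs to one site, but the path or
# query carries a second absolute URL pointing somewhere else, as in the
# www.facebook.com/l/;http://XXXXX.ru/... link quoted above.
import re
from urllib.parse import urlsplit, unquote

# An absolute http(s) URL embedded inside another URL's path or query.
_EMBEDDED_URL = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def site_of(host):
    """Crude registrable-domain guess: the last two DNS labels.
    Good enough for facebook.com vs. xxxxx.ru; a real tool would consult the
    public-suffix list so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_hosts(link):
    """Hosts of every absolute URL found after the link's own scheme://host,
    percent-decoded first so that ?u=http%3A%2F%2F... forms are caught too."""
    parts = urlsplit(link)
    tail = parts.path
    if parts.query:
        tail += "?" + parts.query
    tail = unquote(tail)
    hosts = []
    for candidate in _EMBEDDED_URL.findall(tail):
        host = urlsplit(candidate).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_deceptive_redirect(link):
    """True when the visible host and an embedded destination belong to
    different sites, i.e. a click will most likely land the reader elsewhere."""
    shown = urlsplit(link).hostname
    if not shown:
        return False
    shown_site = site_of(shown)
    return any(site_of(h) != shown_site for h in embedded_hosts(link))


if __name__ == "__main__":
    # Constructed sample links; XXXXX.ru is the article's own redaction.
    samples = [
        "http://www.facebook.com/l/;http://XXXXX.ru/?video_id=1319924",
        "http://www.facebook.com/l.php?u=http%3A%2F%2Fvideo.example%2Fwatch",
        "http://www.facebook.com/l/;http://apps.facebook.com/some-app/",
        "http://www.facebook.com/profile.php?id=12345",
    ]
    for link in samples:
        print("DECEPTIVE" if is_deceptive_redirect(link) else "ok       ", link)
```

The check is a heuristic, not proof of malice: a redirector that points back to the same site is flagged as fine, and an embedded URL on another site only says that the click will leave the domain the reader trusts, which is exactly the information a phishing victim never gets from the visible address.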
Facebook is taking some actions to ward off disaster. It hired security firm MarkMonitor, which has experience in getting phishing Web sites removed from the Internet. The firm says it’s already removed 240 phishing sites since the beginning of the year. When it discovers an ongoing phishing attack, Facebook reaches into users’ inboxes and removes the harmful messages. Because it’s a closed system, that technique is effective at preventing a large outbreak, at least on messages from within Facebook.
But the technology is limited and reactive. Facebook can only shut down an attack after it has started. And it can’t remove notification e-mails that are sent outside its systems, leaving users who get those e-mails still vulnerable.
Facebook is hardly the only social networking site with a problem. Twitter, which was hit this weekend by the same Russian video phishing note as Facebook, also makes things easier for crooks. Last week, security firm Trend Micro said that 13,000 Twitter users were hit by the so-called “Twittercut” phish, which promised to help clickers quickly gain 1,000 new “followers.”
Because there are multiple domains that can be used to log in to a Twitter account, Landesman points out, users are less likely to be skeptical of a link to an unusual Web site.
But Facebook is the 800-pound gorilla with the 200 million users. It should set the tone for a new set of social networking security standards. It should stop pushing users to share information with third-party applications, stop using e-mail links as a main tool of communication, and work harder to educate users about the risks they’ll encounter while using the site.
RED TAPE WRESTLING TIPS
The oldest of all Web security advice still applies. Never click on a link you didn’t expect, even if it comes from an old friend. Always type in Web addresses manually. Think before you click. Count to five if you have to.
Landesman also says that social network site users should avoid what she calls “promiscuous friending.” The wider your network of friends, the more likely one of them will get hit with a virus and their computer will attack yours. Limit your friends and you’ll limit your exposure.
This article was completely taken from MSNBC Red Tape Chronicles / WHY PHISHERS LOVE FACEBOOK by Bob Sullivan http://redtape.msnbc.com/2009/06/my-entry.html#posts
May 8th, 2009 09:42am
whataslacker
Saw the new Star Trek movie last night and all I can say right now is “WOW!” I am headed to the IMAX today to see it again and maybe I will be able to formulate more of an actual review at that point, but until then here is my friend’s review from last night’s viewing (Warning: some spoilers, most of them at the end of the review. Enjoy, and go see the film!)
Kent’s Review:
It has been a long, long time since I have given a four star review to any science fiction film released in the theater of late. I was beginning to think the endless sequels, remakes, retreads and prequels had Hollywood in a funk they could not get out of, which certainly did not justify the recent writer’s strike and does even less to fuel the rationalization of the pending actor’s strike. In short, there are very few new ideas out there, and even fewer new ideas that are actually decent and play well from beginning to end without being mucked up by the Hollywood machine. So, in these times of uncertainty, unoriginality and unappreciation, we turn our eyes to what offerings there are on the table and hope for the best. Sadly, more often than not, we are disappointed with the results.
Until now.
Make no mistake, Star Trek is back, not only in a big way, but in a way that will please fans both young and old and also give chance to newcomers to the saga to hop on board without needing any previous knowledge of the canon or its characters. This is not a reboot. This is not a remake. This is a (slightly skewed) fresh start for us to see played out the first meetings of the beloved Original Series characters and many of the snippets of their pasts that were mentioned or alluded to in episodes but were not actually seen. This is no easy task since director J J Abrams needs to walk the fine line between diehard fans, and deeply entrenched legendary history, established and beloved characters, the demands of special effects and action sequences of today and the board of critics, both novice and professional, that have been waiting anxiously for this much-hyped recalibration. An impossible task at best, but the results are as mindblowingly close to perfect as anyone could possibly hope to come.
First and foremost, if the cast doesn’t work, the rest of the film doesn’t matter. You can’t just have anyone don a classic Trek uniform, have them deliver tagline references and hope to pass them off as the iconic legends these characters have become. But there are absolutely no worries in that department. Chris Pine’s Kirk is savvy, rebellious, slightly egotistical, reckless and has a weakness for the opposite sex. Equally impressive is Zachary Quinto’s portrayal of the emotionally and logically divided Spock, who is still trying to determine who he is and sort out what sort of man he is to become. Everyone else - Sulu, Uhura, Chekov, Scotty - is more than passable, even if the looks don’t exactly match or the character development is a bit off. But above them all, dead on, perfect-for-the-role is Keith Urban’s portrayal of the late, great DeForrest Kelly’s Dr. McCoy. Just close your eyes as he delivers his crusty country doctor repertoire and try to separate him from his predecessor. Then open them and compare the mannerisms, gestures, expressions and side-of-the-mouth dialogue delivery and try not to believe he is Kelly reborn. The comparisons are staggeringly uncanny.
Then there’s the plot. Well, whenever you have a villain that goes dickering around with time, there are bound to be a few flaws, not to mention inconsistencies that result due to the interference with the space/time continuum. However, since this is not an exact history and some latitude needs to be given for plot devices, the few changes to what history we know of Star Trek are both forgivable and understandable. We can suspend our belief and accept a few minor changes here and there for the sake of the Trek we have all so eagerly and patiently been waiting for.
And finally, the finishing touches. Special effects; check. Music; check. Surprising and unexpected castings for the supporting roles; check. Classic taglines that don’t feel forced or out of place; check. All systems; check. And a kickass ship to put them all in; absolutely.
For so many years the “blockbuster” start of the summer has been a mixed bag of disappointments, half-hearted attempts and critically bashed tripe. This year, without question, the summer film season has begun on an extremely positive note. And with the Enterprise out in front, with any luck, this time it will live long and prosper.
Star Trek **** (out of four) Rated PG-13 for violence, language, sexual situations, alcohol consumption, and scary situations. Starring Chris Pine, Zachary Quinto, Keith Urban, Simon Pegg, Zoe Saladna, John Cho, Anton Yelchin, Bruce Greenwood, Eric Bana, Ben Cross, Wynona Rider, Deep Roy and Leonard Nimoy.
Spoiler stuff from here down.
- Things we would like to have seen or heard that were not included in the film:
- Nurse Chapel
- Yeoman Janice Rand
- “He’s dead, Jim.”
- “I’m only one man, captain.”
- “Beam me up, Scotty” (only because no one officially ever said it ever) or “Energize” all by itself.
- “Fascinating.”
- For the timeline to have been restored, even if only to bring back Amanda or Kirk’s dad, or at least save Vulcan
- Captain (or Admiral) Robert April
- Lt. Arex and/or Lt. M’Ress (now that the special effects are available, they could do it)
- Things that seemed out of place:
- That little alien creature hanging around with Scotty (sorry Deep Roy)
- The violation of the original canon regarding no one knowing what a Romulan looked like before Balance of Terror
- and, again, the destruction of Vulcan and the loss of Amanda and Kirk’s father
- That whole scene with young Kirk stealing the car and driving it off the cliff
- The premise that Budweiser beer will still be around hundreds of years from now.
- The Spock/Uhura relationship
- Things that were absolutely cool:
- The continued death-of-a-red-shirt tradition
- Uhura being smokin’ hot!
- The inclusion of an Orion girl. Always welcome.
- The inclusion of other alien races in crowd scenes. Nice touch.
- The playing out of the whole Kobayashi Maru incident.