Facebook bug exposes contact information from millions of users

June 22, 2013 – 6:59 AM

A bug on Facebook leaked email addresses and phone numbers provided by some 6 million people on the site to certain other users, the company revealed Friday.

What sparked the problem is a bit complicated. The bug caused some of the information that the social network stores to make friend recommendations to be inadvertently stored in association with people’s contact information as part of their Facebook account, the company said Friday on its website.

As a result, if a person were to download an archive of their account through Facebook’s Download Your Information (DYI) tool, additional email addresses or telephone numbers for the person’s contacts, or other people with whom the user is connected, might have been displayed, Facebook said.

“We’ve concluded that approximately six million Facebook users had email addresses or telephone numbers shared,” the company said.

“This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool,” Facebook explained.

Source:
http://news.techworld.com/security/3454270/facebook-bug-exposes-contact-information-from-millions-of-users/

NSA: We listen to your phone calls without warrants, too

June 15, 2013 – 11:03 PM

Analysts at the U.S. National Security Agency not only sift through the metadata associated with your calls — they also have the ability to listen in on conversations in real time.

The news, which was first reported by sister site CNET’s Declan McCullagh, cited Rep. Jerrold Nadler (D-NY) who was told during a secret briefing to members of Congress that phone calls could be listened to “simply based on an analyst deciding that.”

It comes just over a week after U.S. President Barack Obama stated: “Nobody is listening to your phone calls.”

He was also told that the NSA does not seek legal authorization from a court to allow its analysts and staff to listen in on calls, even U.S. domestic calls. And, because the same laws that apply to phone calls also include emails, instant messages, and text messages, it is possible that contents of Internet communications could also be accessed under the same premise.

Senate Intelligence committee chairperson Sen. Dianne Feinstein (D-CA) confirmed on Thursday that a court order is not necessary for the NSA to search its call data database that it collects under secret orders from major U.S. telecom firms.

Feinstein also said: “To look at or use the content of a call, a court warrant must be obtained,” indicating that though a court order is required, the NSA does in fact collect the audio contents of calls.

Claims made in a video by Edward Snowden, the whistleblower who leaked documents to The Guardian newspaper in London, that he could “wiretap anyone from you or your accountant to a federal judge to even the president” appear to be accurate.

It also comes a month after former FBI counter-terrorism agent Tim Clemente disclosed to CNN that under certain investigations relating to the protection of national security, his former employer could access call records and contents of those calls.

“All of that stuff is being captured as we speak whether we know it or like it or not,” he claimed.

Source:
http://www.zdnet.com/nsa-we-listen-to-your-phone-calls-without-warrants-too-7000016864/

Behold, the world’s most sophisticated Android trojan

June 7, 2013 – 5:09 PM

Recently discovered malware targeting Android smartphones exploits previously unknown vulnerabilities in the Google operating system and borrows highly advanced functionality more typical of malicious Windows applications, making it the world’s most sophisticated Android Trojan, a security researcher said.

The infection, named Backdoor.AndroidOS.Obad.a, isn’t very widespread at the moment. The malware gives an idea of the types of smartphone malware that are possible, however, according to Kaspersky Lab expert Roman Unuchek in a blog post published Thursday. Sharply contrasting with the mostly rudimentary Android malware circulating today, the highly stealthy Obad.a exploits previously unknown Android bugs, uses Bluetooth and Wi-Fi connections to spread to nearby handsets, and allows attackers to issue malicious commands using standard SMS text messages.

“To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits,” Unuchek wrote. “This means that the complexity of Android malware programs is growing rapidly alongside their numbers.”

Google representatives didn’t respond to an e-mail seeking comment for this post. The trojan is initially distributed through spammed text messages. There’s no indication it’s hosted in the Google Play market for Android apps, so it appears to infect only phones that have been configured to “sideload” apps available from alternative sources.

The malware exploits a previously unknown Android bug that allows it to gain stealthy, persistent, and highly privileged access to the phone’s inner workings. “By exploiting this vulnerability, malicious applications can enjoy extended Device Administrator privileges without appearing on the list of applications which have such privileges,” Unuchek said. “As a result of this, it is impossible to delete the malicious program from the smartphone after it gains extended privileges.”

Source:
http://arstechnica.com/security/2013/06/behold-the-worlds-most-sophisticated-android-trojan/

Google researcher discloses zero-day exploit for Windows

June 4, 2013 – 1:32 PM

Google security expert Tavis Ormandy has discovered a security vulnerability in Windows which can be exploited by any user on the system to obtain administrator privileges. Rather than reporting the vulnerability to Microsoft, he posted details to the Full Disclosure security mailing list in mid-May and has now published an exploit to the same mailing list.

Ormandy is a familiar figure in the security world. In recent years, the security expert has discovered many different vulnerabilities. He has also been known to take the shortest route when it comes to sharing information on vulnerabilities he has discovered: full disclosure, meaning rapid publication without informing the organisation behind the vulnerable software beforehand.

With this latest vulnerability, Ormandy once more opted for full disclosure on the mailing list of the same name. After discovering a bug in the Windows kernel’s EPATHOBJ::pprFlattenRec function, he wrote to the list: “I don’t have much free time to work on silly Microsoft code” and solicited ideas on how to successfully exploit the bug. With the help of user progmboy, Ormandy then developed a privilege escalation exploit which he shared with the mailing list, noting that another exploit was already in circulation.

The H’s associates at heise Security were able to use the exploit to reproduce the problem. If the file is opened, it launches a command line which can be used to run arbitrary commands with system privileges, irrespective of the user’s own privileges – even a guest account can be used.

Source:
http://www.h-online.com/security/news/item/Google-researcher-discloses-zero-day-exploit-for-Windows-1876170.html

Windows 8.1 to let you secure folders with your fingerprint

June 4, 2013 – 1:22 PM

Windows 8.1 will have a couple of tricks up its sleeve for people who use fingerprint readers.

One of Monday’s sessions at Microsoft’s TechEd conference highlighted the support that Windows 8.1 will offer for fingerprint recognition, as described by The Verge. Prior versions of Windows handled fingerprint readers through third-party software. But Windows 8.1 will be the first edition of Windows to natively support the technology.

Users will be able to log into their PCs via a Microsoft Account, purchase apps, and open different programs with a swipe of the finger. They’ll even be able to lock down certain folders so they’re accessible only through a fingerprint.

Microsoft is “working very closely” with two or three manufacturers to outfit Windows 8.1 with the necessary fingerprint support, according to The Verge. The company is also asking more manufacturers to outfit their laptops, tablets, keyboards, and mice with fingerprint readers.

“You’ll begin to see these be more pervasively available just to make it that much easier to log in to Windows,” Microsoft’s Stephen Rose said, The Verge added.

Source:
http://news.cnet.com/8301-10805_3-57587535-75/windows-8.1-to-let-you-secure-folders-with-your-fingerprint/