Monday, September 26, 2011

Facebook's ticker privacy scare, and what you should do about it

Privacy
Amongst the recent new changes to appear on Facebook, there is a "ticker" (a rolling real time list of what your friends are doing).
Not everyone has received it yet, because it's on a staggered rollout, but millions have already seen it.
You'll find it on the right hand side of your Facebook page, in the collapsible chat bar.
It's smashing if you want to keep fully up-to-date with your friends' activity, but there is a problem with it.
The ticker makes it very simple for you to eavesdrop when one of your Facebook friends says something to someone you've never heard of - and even see what the stranger originally wrote too.
Testing shows that your privacy settings are working the same as they did before, provided you used them in the first place.
The appalling enforced eavesdropping in the ticker ("your friend said something to someone you've never heard of") is the result of the lax or non-existent settings of your friends, so here's the deal:

What happens is this:
1. You have "friends of friends" or "public" as the privacy setting for your posts.
2. One of your Facebook friends comments on your post, or clicks "Like".
3. As well as all the people commenting on the thread seeing what has been posted (this much is normal), Facebook also tells all *their* friends what was said.
4. Your friend's settings *cannot* stop this from happening; in this instance, only *your* settings can protect your friends' privacy.
The ticker has just made it much easier to eavesdrop on what were probably intended to be more private conversations.

So, do this - and make your friends do it too:
* Stop using the "Friends of friends" setting. This is what is broadcasting so widely.
* If you use the "Public" setting, explain that you are doing so. Then people can decide if they want *all* of their friends to be informed of their comments.
* "Limit" all previous posts you have made via the privacy settings (unless you already had "friends only" or specific lists). This changes everything to "friends" only and stops three groups from seeing your activity: people you deleted but did not block, people whose friend requests you ignored, and friends of friends (yes, they can all see it if you are not on "Friends" or lists).
* Use lists to decide who you want to see things (use the privacy controls in the top right of your posts).
* Encourage your friends to restrict their setting to "friends" or custom lists too. This is the important bit.
* Inform strangers, or the connecting friend, when strangers show up in your feed. It is their settings that made them show up, and this will illustrate to them why they also need to change their settings.

It is not just your settings that control what goes in your Facebook newsfeed and appears on your friends' tickers. Anyone's posts which have privacy set to more than "Friends" will go to all the friends of all the commenters. This is a fact! We've tested it!
Still baffled? Don't worry. The problem is complicated to explain, but the solution is simple. If you want to stop strangers from seeing everything you do, you and your friends need to change your privacy settings to "Friends" or custom lists. That's it.
The hard part is getting your friends to do it.

If you find your friends aren't understanding the issue, forget about explaining the details and "copy and paste" this to your status:

"If you don't want your actions broadcast to everyone via the ticker/News Feed, please set your privacy to "Friends" and ask your friends to do the same. Pass it on."

What *not* to tell your Facebook friends
Now, there is also a piece of advice being circulated which reads like this:
"Please do me a favor and move your mouse over my name here, wait for the box to load and then move your mouse over the "Subscribe" link. Then uncheck the "Comments and Likes". I would really rather that my comments on friends and families posts not be made public, thank You! Then re-post this if you don't want your every single move posted on the right side in the "Ticker Box" for everyone to see!"
This appears to be the most commonly suggested solution on Facebook, and it's rubbish! It still doesn't stop *your* posts being broadcast. It's an illusion: this option only stops you from seeing when other people have broadcast a message to a wide audience. It does *not* stop your actions being broadcast by your friends!

You also have to do this for every single one of your friends. It is time consuming *and* it does not solve the problem; it just stops you from seeing it.
Please don't spread this advice, as it is confusing people and stopping the real problem from being fixed.
How to tell if a post will broadcast to all your friends:
Under each post (on the right) there is an icon which tells you who it was shared with:
Public
The globe icon means that the post is public.
That means that if you comment, your friends will be shown the comment immediately, and everyone on Facebook (except those people you have specifically blocked) can see it.
Friends
The icon showing two heads means that the post is shared with friends only.
It should be safe to comment, with no threat of exposure to strangers via the ticker/news feed.

Custom or Friends of Friends
A gear icon can mean one of two things: either Custom or Friends of Friends. You will have to hover your mouse over the icon to see which.
Custom means that the post is safe to comment on, with no leakage to strangers via the ticker/news feed.
Friends of Friends, however, should be considered unsafe, as all your friends and all of their friends will be shown the comment immediately via the ticker/news feed.

You can check your own posts easily that way if you want to make sure that your settings are right.
And don't forget: next time you leave a comment on someone else's Facebook post, don't say something that you may later regret.
If you're on Facebook, consider joining the Sophos Facebook page, where you can keep up-to-date on the latest rogue applications, scams and malware attacks threatening Facebook users.

USA Today's Twitter account falls foul of hackers

USA Today is the latest high profile Twitter account to have fallen victim to a group of hackers.
A group calling themselves the Script Kiddies have claimed responsibility for the hack, which involved posting a series of messages to the official USA Today Twitter account, including:
"Fox News, Wal-mart, Unilevel, Pfizer, NBC and now USA Today. who's next? Vote now! [LINK]"
and
"Please like The Script Kiddies on Facebook! You could choose our next target!"
Fortunately, USA Today was able to regain control of the account (with some assistance from Twitter) before any serious harm could be caused. The newspaper tweeted an apology to its followers:
The Script Kiddies group has previously claimed responsibility for hacking into the NBC News Twitter account to post fake news reports of a terrorist attack involving planes in New York, defacing Pfizer's Facebook page and breaking into the Fox News Politics Twitter account to post a bogus announcement about the death of Barack Obama.
It's unclear how the USA Today Twitter account was compromised, but there was speculation that the hack by the same group against NBC News's Twitter account was assisted by a spyware Trojan horse.
The Script Kiddies might believe that their hacks against media organisations are just childish pranks, but it's unlikely that the authorities find them amusing. The more social media accounts that they target, the more the computer crime police will be keen to bring them to justice.
As always, we recommend that social networking users ensure that they keep their security software up-to-date, choose hard-to-crack passwords and do not use the same password in more than one place.

Saturday, September 24, 2011

Has CERN found an exploitable vulnerability in physics?

Researchers at the European Organization for Nuclear Research, better known as CERN, claim to have exported subatomic particles from Switzerland to Italy at greater than the speed of light!
You read that correctly. Greater than the speed of light - something which even science fiction fans accept isn't really supposed to happen.
Reports say that CERN boosted streams of neutrinos to a whopping 300,006 kilometres per second on their journey from Geneva, Switzerland, to a laboratory over 700km away in Gran Sasso, Italy.

But received wisdom - and the so-called Standard Model of physics - says that the neutrinos ought to have topped out at just 299,792 kilometres per second, the speed of light. Suddenly, the laws of physics seem to have an exploitable vulnerability.
The results now need checking out, a project which researchers worldwide will doubtless be keen to take on.
Unless and until the findings are disproved, however, we can all hope that this means that the speed of light will no longer be the limiting factor in the speeds at which we can send data across the internet.
And then, who knows?
Perhaps we will be able to replace our fibre optic cables with neutrino-based transmission systems, and gain an unexpected 0.07% improvement in performance?
Just imagine how much more YouTube video we'd be able to pack into our busy lives!

Mac OS X Trojan hides behind malicious PDF disguise

A fascinating new example of Mac malware has been discovered, which appears to be adopting an old Windows-style disguise to fool users into running it.
Despite the numerous times that cybercriminals have created boobytrapped PDF files that exploit vulnerabilities to infect unsuspecting users, many people still think that PDF files are somehow magically safer to open than conventional programs.
The OSX/Revir-B Trojan plays on this by posing as a PDF file.
When the malicious Macintosh application file is run it tries to drop a PDF embedded inside it onto the user's hard drive. The Chinese language PDF file displayed is about a controversial topic, "Do the Diaoyu Islands belong to Japan?"
The Diaoyu Islands (known as the Senkaku islands in Japan) are the subject of a long-running dispute between the two countries, with both claiming sovereignty.
Because the document is opened, users may believe that they have opened a harmless PDF rather than run a program.
When we tested the malware inside our labs, we couldn't manage to get it to execute as the author probably intended; however, strings embedded deep inside its code make it clear that it was written with malicious intent.
The malware attempts to install a backdoor Trojan horse (detected by Sophos as OSX/Imuler-A) which would give malicious hackers remote access to your Apple Mac computer.
As our friends at F-Secure point out, we have seen plenty of Windows malware in the past which has pretended to be a PDF rather than an EXE, sometimes using techniques such as the double-extension trick (for instance, filename.PDF.EXE, which a system that hides known extensions displays as filename.PDF).
It's quite possible that this is evidence that Mac malware authors are attempting something similar, moving on from the fake anti-virus alerts that blighted many Mac users earlier this year.
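The double-extension disguise described above is easy to screen for on a mail gateway or file share. The following is an added illustration, not Sophos code; the two extension lists are assumptions chosen for the example, not a complete catalogue, and `.app` is included because Mac OS X application bundles are how OSX/Revir-B presents itself.

```python
"""Flag filenames that hide an executable behind a document-looking extension,
e.g. 'Invoice.PDF.EXE' (Windows) or 'report.pdf.app' (Mac OS X bundle)."""
import os

# Extensions users tend to regard as harmless documents (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".txt",
                 ".jpg", ".png"}
# Extensions that actually run code when "opened" (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".app",
                   ".sh", ".jar", ".vbs", ".js"}


def split_extensions(filename):
    """Return every trailing extension of a filename, lowercased, in
    left-to-right order: 'a/b/Invoice.PDF.EXE' -> ['.pdf', '.exe']."""
    name = os.path.basename(filename)
    exts = []
    while True:
        root, ext = os.path.splitext(name)
        if not ext or not root:      # no more extensions, or a dotfile
            break
        exts.append(ext.lower())
        name = root
    exts.reverse()
    return exts


def is_disguised_executable(filename):
    """True when the real (last) extension executes but the one the user is
    likely to see (second to last) looks like a document."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    visible, real = exts[-2], exts[-1]
    return real in EXECUTABLE_EXTS and visible in DOCUMENT_EXTS


def triage(filenames):
    """Return the subset of filenames worth quarantining or reviewing."""
    return [f for f in filenames if is_disguised_executable(f)]


if __name__ == "__main__":
    # Constructed sample names, not real attachments.
    sample = ["Invoice.PDF.EXE", "report.pdf", "archive.tar.gz",
              "Diaoyu Islands.pdf.app", "setup.exe"]
    print(triage(sample))
```

Plain executables such as setup.exe are deliberately not flagged: the check targets the disguise, not executables in general, so it complements rather than replaces a normal attachment policy.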
Customers of Sophos, including users of Sophos's free anti-virus for Mac, are protected against the malware.

Homeless hacker 'Commander X' pleads not guilty

The FBI believes that the homeless man they arrested on Thursday was "Commander X", a member of the People's Liberation Front (PLF) associated with Anonymous hacktivism.
47-year-old Christopher Doyon has entered a not guilty plea to charges of "conspiracy to cause intentional damage to a protected computer, causing intentional damage to a protected computer, and aiding and abetting".
According to an indictment filed against Christopher Doyon and another man, Joshua John Covelli, the charges specifically relate to a denial-of-service attack against the servers of Santa Cruz County in December 2010, after the city put in place a law prohibiting camping inside the city.
The indictment gives Doyon the aliases "PLF", "Commander Adama" (clearly a Battlestar Galactica fan) and "Commander X". Covelli meanwhile is alleged to use the pseudonyms "Absolem" and "Toxic". 26-year-old Covelli was previously named in connection with internet attacks on PayPal.
Someone calling themselves "Commander X" gave an interview to CBS News earlier this year, claiming responsibility for denial-of-service attacks by Anonymous.
According to a CBS News report, "Commander X" told their reporter that he had no fear about being caught:
"We're not going to turn ourselves in. They can come and get us is what I say. Bring it on. Until then, we run... We will remain free and at liberty and at large for as long as we can, and when the time comes that each and every one of us eventually will be brought to justice, we will hold our head high in any court of law and we will defend our actions."
Doyon is scheduled to appear on September 29th for a bail hearing.

Secure web browsing cracked by BEAST

A pair of researchers have unveiled a serious new attack on web browser security.
The researchers used this week's Ekoparty security conference in Buenos Aires to unveil a new tool that attacks TLS and SSL, the cryptographic protocols used to establish secure web connections.
The ability to crack encrypted web traffic removes the safety net that protects you when you're doing sensitive online tasks like banking or using credit cards.
The tool, known as BEAST (Browser Exploit Against SSL/TLS), compromises TLS by exploiting a vulnerability that has been known about for years but which has been treated as a theoretical problem until now.
However, although researchers Thai Duong and Juliano Rizzo have significantly raised the stakes, it's probably too early to start hoarding tins of beans and donning our tin foil hats.
Right now the attack can take up to half an hour to execute. Although the researchers have hinted that this can be significantly reduced, the fact is that if you have the malicious nature, time and access required to execute this attack, there are probably easier ways to exercise your criminal ambitions.
Even when governments attack weapons manufacturers, they don't need to get any more high-tech than basic con tricks like spear-phishing.
The danger of BEASTly attacks against TLS has moved a little closer but we probably have enough time to react before it becomes practical.
A good start would be for browser and server vendors to pull their collective fingers out and start supporting versions 1.1 and 1.2 of TLS. Both of them have specific defences against this kind of attack, but unfortunately support for them is poor.
Duong and Rizzo tipped off the major browser vendors about their findings months ago, but so far the only response appears to have come from the folks at Chrome. A fix for the attack is currently under test in the development version of their browser.
If you run a web server and you're concerned, you may want to look at switching it so that it prefers the rc4-sha cipher. It's widely supported and isn't vulnerable to this kind of attack.
Although the BEAST attack is targeted at browsers there are plenty of other applications that rely on TLS, not least mail servers. Although BEAST isn't targeted at them I'm sure it will have raised eyebrows and their vendors will be taking a keen interest. Keep an eye out for updates and advisories.
If you want to know more about how the attack actually works then I recommend you take a look at nickm's excellent and accessible write-up over at the Tor project.

NASA looks to lasers to speed data

WASHINGTON, (UPI) -- NASA says it's looking at lasers to speed up the transmission of high-resolution images from distant spacecraft like those now on Mars.
It currently takes 90 minutes to transmit images to Earth from the planet by radio, but NASA said research could dramatically reduce that time to just minutes and a new optical communications system it plans to demonstrate in 2016 will lead the way.
Such a system could even allow the streaming of high-definition video from distances beyond the moon, a release by the agency said Thursday.
"We want to take NASA's communications capabilities to the next level," said Dave Israel, who is leading a research team that includes NASA's Jet Propulsion Laboratory in Pasadena, Calif., and the Massachusetts Institute of Technology.
Current communication technology will not keep pace with the projected data needs of advanced instruments and future human exploration, Israel said.
"Just as the home Internet user hit the wall with dial-up, NASA is approaching the limit of what its existing communications network can handle," he said.
The solution, NASA said, is to augment its legacy radio-based network with laser-based optical systems that could increase data rates by anywhere from 10 to 100 times.
"This transition will take several years to complete, but the eventual payback will be very large increases in the amount of data we can transmit, both downlink and uplink, especially to distant destinations in the solar system and beyond," James Reuther of NASA's Office of the Chief Technologist said.