On Wed, Dec 08, 2010 at 04:13:25PM -0500, Karl Vogel wrote:
>
>> On Tue, 7 Dec 2010 21:23:04 -0700,
>> "Dale Scott" <dalesc...@shaw.ca> said:
>
> D> I'll interpret that as saying a large percentage of the PHP apps vying
> D> for your attention are crap, but buyer beware. Just be careful, have a
> D> healthy level of scepticism, and keep your eyes open.
>
> Yup.
>
> D> I don't know anything about Facebook other than it's PHP-based, but I'm
> D> sure we'd hear about it being hacked on a regular basis if it was.
Interesting. Looks like most of these depend on the bad judgement of the user
to respond to phishing and similar attacks rather than a flaw in the PHP code.
- though once the user makes the mistake they [unknowingly] allow the attack
to insert malware.

////jerry

>
> http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=216403016
> Microsoft and Facebook Team Up to Put the Kibosh on Koobface
> Mon, 6 Apr 2009
>
> Microsoft and Facebook are working together to protect users from the
> Koobface worm. Koobface spreads through Facebook and MySpace social
> networking sites and infects users who run vulnerable versions of
> Windows. It steals login information so it can hijack accounts and spam
> users' contact lists.
>
> The spam usually contains a link to what is billed as a video, but users
> who click the link are told they must download a program to watch the clip.
> If users agree to the download, their machines become infected with
> malware.
> Microsoft has added Koobface to its Malicious Software Removal Tool (MSRT),
> which removed nearly 200,000 instances of Koobface from more than 133,000
> computers in two weeks.
> ------------
>
> http://www.theregister.co.uk/2009/05/15/facebook_phishing_scam/
>
> http://technology.timesonline.co.uk/tol/news/tech_and_web/article6294169.ece
> Another Phishing Attack Targets Facebook Users
> Fri, 15 May 2009
>
> Users of the social networking site Facebook have been subjected to another
> phishing attack. The attackers gained access to the social networking
> site by using legitimate user accounts and then directing the contacts
> of the compromised accounts to websites containing malicious software.
> The attackers ostensibly gained access to the initial accounts by
> exploiting easy-to-guess passwords.
> ------------
>
>
> http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1356896,00.html
> IT Managers Feel Pressured to Relax Security Policies
> Wed, 20 May 2009
>
> According to a recent survey of 1,300 IT managers, 86 percent said
> they were being pressured by company executives, marketing departments,
> and sales departments to relax web security policies to allow access to
> web-based platforms such as Google Apps. Nearly half of respondents said
> some employees bypass security policies to access services like Twitter
> and Facebook. More than half of the respondents noted that they lacked the
> means to detect embedded malicious code and prevent URL redirect attacks.
> ------------
>
> http://www.theregister.co.uk/2009/08/07/twitter_attack_theory/
> Attack on Twitter and Facebook Was a "JoeJob"
> 6-10 Aug 2009
>
> The denial-of-service attacks that hobbled Twitter and Facebook last week
> were not conducted through botnets, but instead were the result of a spam
> campaign aimed at taking out accounts that belong to a pro-Republic of
> Georgia blogger.
> ------------
>
>
> http://www.scmagazineus.com/Facebook-to-modify-privacy-practices-after-investigation/article/147556/
>
> http://technology.timesonline.co.uk/tol/news/tech_and_web/article6812783.ece
> Facebook Will Strengthen Privacy Practices
> 27-28 Aug 2009
>
> In response to an investigation launched by Canada's Office of the Privacy
> Commissioner, Facebook has agreed to give users more control over the
> information they share with third-party applications. The applications
> will be required to get permission from users for every category of personal
> information they want to access. In addition, users will have the option
> to deactivate or even to delete their accounts. If users delete their
> accounts, all information belonging to that user will be deleted from
> Facebook servers.
> ------------
>
>
> http://www.computerworld.com/s/article/9138780/Facebook_Captchas_broken_?source=rss_security
> Spammers Break Facebook CAPTCHA
> Thu, 1 Oct 2009
>
> Malware purveyors have managed to break the Facebook CAPTCHA (completely
> automated public Turing test to tell computers and humans apart), allowing
> them to automate the creation of Facebook pages. The malicious pages are
> being used to send links to malicious websites that promote scareware.
> The pages all have the same photograph, but have different user names.
> Facebook is taking steps to identify the rogue pages and disable them.
> ------------
>
> http://www.wired.com/epicenter/2010/01/facebook-email/
> Rogue Marketers Can Mine Your Info on Facebook
> Ryan Singel
> Tue, 5 Jan 2010
>
> A marketer can take a list of 1,000 e-mail addresses, either legally or
> illegally collected -- and upload those to Facebook through a dummy
> account -- which then lets the user see all the profiles created using
> those addresses. Given Facebook's ubiquity and most people's reliance
> on a single e-mail address, the harvest could be quite rich.
> ------------
>
>
> http://www.theregister.co.uk/2010/01/11/facebook_charging_rumour_malfeasance/
> http://www.snopes.com/computer/internet/fbcharge.asp
> Facebook Group Page Has Links to Malware-Laced Sites
> Mon, 11 Jan 2010
>
> Miscreants intent on spreading malware appear to be preying on people's
> unfounded fears that Facebook plans to begin charging users for its
> services. A Facebook group that appears to offer a place for people to
> protest the rumored fees has been shown to contain malware. The group
> pages themselves appear to be clean, but link to suspicious sites.
> Snopes.com has posted a warning about the deceptive groups and associated
> pages.
> ------------
>
>
> http://www.pcworld.com/businesscenter/article/191847/facebook_users_targeted_in_massive_spam_run.html
> http://news.cnet.com/8301-27080_3-20000682-245.html
> Spammers Go After Facebook Users
> Thu, 18 Mar 2010
>
> Spammers have been targeting Facebook members with data-stealing malware.
> The malicious messages appear to come from legitimate senders, but the
> return address is spoofed. The messages tell recipients that their
> Facebook passwords have been reset and that they need to download an
> attachment that contains the new password. Although many users may know
> by now that websites would not reset passwords and email the new ones,
> because Facebook's user base is so large, the attackers appear to be
> hoping that at least some will fall for the ruse.
> ------------
>
>
> http://www.eff.org/deeplinks/2010/04/facebook-further-reduces-control-over-personal-information
> Facebook Further Reduces Your Control Over Personal Information
> Kurt Opsahl
> Mon, 19 Apr 2010
>
> Today, Facebook removed its users' ability to control who can see their
> own interests and personal information. Certain parts of users' profiles,
> "including your current city, hometown, education and work, and likes and
> interests" will now be transformed into "connections," meaning that they
> will be shared publicly. If you don't want these parts of your profile to
> be made public, your only option is to delete them.
> ------------
>
> http://blogs.zdnet.com/security/?p=6304
> 1.5 million Facebook accounts offered for sale
> Dancho Danchev
> Sat, 24 Apr 2010
>
> VeriSign's iDefense Intelligence Operations Team has spotted an underground
> market ad offering 1.5 million Facebook accounts for sale. The pricing
> method is based on the number of contacts per compromised account,
> presumably with the idea to allow easier spreading of related malicious
> content across Facebook.
> ------------
>
> http://www.eff.org/deeplinks/2010/05/facebook-should-follow
> Facebook Should Follow Its Own Principles
> Kurt Opsahl
> Thu, 13 May 2010
>
> If you decide to leave by deactivating your account, information is saved
> in case you decide to reactivate later. Even if you delete your Facebook
> account, you have to wait 14 days and even then Messages and Wall posts
> remain. The Facebook Principles are much clearer: Users have the right to
> "take [their data] with them anywhere they want, including removing it from
> the Facebook Service." Facebook is not living up to its promises.
> ------------
>
> http://arstechnica.com/web/news/2010/10/facebook-may-be-making-strides.ars
> "Deleted" Facebook photos actually aren't
> Ars Technica staff
> Tue, 12 Oct 2010
>
> We wrote a piece more than a year ago examining whether photos really
> disappear from social network servers when you delete them, and found
> that Facebook was one of the worst offenders when it came to leaving
> "deleted" photos online. We decided to revisit the issue recently when
> readers continued to point out that our deleted photos from that article
> were still online more than 16 months later.
> ------------
>
>
> http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html
> http://www.theregister.co.uk/2010/10/18/facebook_apps_privacy_breach
> http://www.bbc.co.uk/newsbeat/11565948
> http://www.net-security.org/secworld.php?id=10005
> Facebook Faces Another Privacy Breach
> Mon, 18 Oct 2010
>
> The privacy of many users on Facebook has been compromised by a number
> of popular applications, or apps, used on the social networking site.
> An investigation by the Wall Street Journal identified a number of apps
> that access Facebook members' personal details, even if their privacy
> settings were set to the most restrictive allowed within the social network.
>
> According to the report, up to 25 advertising and data gathering firms
> were exploiting the issue to enable them to access the name of the persons
> using certain apps, and in some cases the names of those persons'
> friends. One company, Rapleaf, was also found to have combined the user
> data accessed in Facebook with its own database of internet users.
> Rapleaf admitted that some of this information was also transmitted to
> other third parties, but claimed that this transmission was accidental.
> Facebook has responded by saying it will implement a solution to prevent
> this type of access to user data.
> ------------
>
> http://blogs.sfweekly.com/thesnitch/2010/10/zynga_facebook_lawsuit.php
> http://business.financialpost.com/2010/10/22/13072/
>
> http://www.computerworld.com/s/article/9192862/Rapleaf_says_it_has_fixed_privacy_issue_with_Facebook?taxonomyId=203
> Facebook to Employ Encryption to Protect User IDs
> Mon, 25 Oct 2010
>
> Facebook says it will use encryption and other data protection measures
> following reports that users' data were being shared with third parties.
> Facebook policy forbids application developers from sharing Facebook User
> IDs (UIDs) with third parties, but the company said that "some developers
> were inadvertently sharing [the data] via the HTTP Referrer header."
> ------------
>
>
> http://www.computerworld.com/s/article/9192923/New_Firefox_add_on_hijacks_Facebook_Twitter_sessions?taxonomyId=17
> Firefox Extension Makes it Easy to Steal Cookies
> Mon, 25 Oct 2010
>
> At the ToorCon 12 conference in San Diego, researchers presented a
> proof-of-concept Firefox extension that is capable of stealing session
> cookies from Facebook, Twitter and other accounts on unencrypted Web 2.0
> sites on open wireless networks.
> ------------
>
> http://www.bbc.co.uk/news/technology-11665120
> Facebook Bans Developers for Selling User IDs
> Mon, 1 Nov 2010
>
> Facebook has banned a number of developers from connecting to the social
> network for six months after it learned that they had been selling user
> information to data brokers.
>
> --
> Karl Vogel I don't speak for the USAF or my company
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
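The Rapleaf item in the digest above says app developers leaked Facebook User IDs through the HTTP Referrer header. The Python below is added here and is not from the thread or from Facebook: it works out what Referer a browser sends for a constructed app URL carrying a UID in its query string, under each Referrer-Policy value, so a developer can see which settings still hand the identifier to an embedded third-party resource. The URLs are placeholders; the Referrer-Policy header did not exist in 2010, when browsers behaved as no-referrer-when-downgrade does.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholders, not real Facebook URLs: an app page whose query
# string carries the user's UID, and two resources the page embeds.
APP_PAGE = "https://apps.example.com/game/play?uid=1234567890&sig=abc"
SAME_ORIGIN_EMBED = "https://apps.example.com/static/game.js"
THIRD_PARTY_EMBED = "https://tracker.example.net/pixel.gif"

def referer_for(page_url: str, resource_url: str, policy: str) -> Optional[str]:
    """Referer a browser sends when page_url loads resource_url under the
    given Referrer-Policy; None means no Referer header at all.
    Policy names follow the W3C Referrer Policy spec; fragments are never sent."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    downgrade = page.scheme == "https" and res.scheme == "http"
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    origin = f"{page.scheme}://{page.netloc}/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        return full if same_origin else (None if downgrade else origin)
    if policy == "no-referrer-when-downgrade":  # how 2010-era browsers behaved
        return None if downgrade else full
    raise ValueError(f"unknown Referrer-Policy {policy!r}")

def leaks_param(page_url: str, resource_url: str, policy: str,
                param: str = "uid") -> bool:
    """True if the named query parameter reaches resource_url's server."""
    ref = referer_for(page_url, resource_url, policy)
    return ref is not None and f"{param}=" in ref

def leaking_policies(page_url: str, resource_url: str) -> list:
    """Policies under which the UID in page_url leaks to resource_url.
    Taking the UID out of the URL empties this list for every policy."""
    policies = ("no-referrer", "no-referrer-when-downgrade", "origin",
                "origin-when-cross-origin", "same-origin", "strict-origin",
                "strict-origin-when-cross-origin", "unsafe-url")
    return [p for p in policies if leaks_param(page_url, resource_url, p)]
```

Run `leaking_policies(APP_PAGE, THIRD_PARTY_EMBED)` to see that only the legacy default and unsafe-url expose the UID to the tracker, while the same-origin script still receives it under most policies; keeping the identifier out of the URL entirely is the fix that does not depend on browser policy support.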