::Trend Micro Threat Resource Center::

31 December 2010

WordPress 3.0.4 critical security update

Version 3.0.4 of WordPress is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES.


Certain unspecified input is not properly sanitized in the KSES library before being displayed to the user, according to Secunia.

This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed.

This is a critical release, available immediately through the update page in your dashboard or for download here.
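KSES is an allowlist sanitizer: it keeps only known-safe tags and attributes and drops everything else. The example below is an added illustration of that design in Python, not WordPress or KSES code; the tag and attribute allowlist and the sample inputs are constructed for the demo.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for the demo: tag -> attributes that may survive.
# KSES uses the same per-tag attribute allowlist idea; this is not its list.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(),
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}                     # values that need a scheme check
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
VOID_TAGS = {"br", "img"}                       # never get a closing tag
DROP_WITH_CONTENT = {"script", "style"}         # tag and its body are discarded


def url_is_safe(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other unlisted scheme.
    urlparse lowercases the scheme, and HTMLParser has already decoded
    entities such as &#58; in the attribute value, so an obfuscated colon
    does not slip past the check."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allowlisted tags and attributes.
    Unknown tags are dropped (their text is kept), script/style bodies are
    dropped entirely, and all text is entity-escaped on output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # onerror=, onclick=, style= ... never pass
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray or disallowed closing tag
        while self.open_tags:  # also close anything left open inside it
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments, including conditional comments, are discarded

    def result(self) -> str:
        self.close()
        while self.open_tags:  # balance tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: each keeps the harmless markup and loses the payload.
    for sample in (
        '<p>Hello <b>world</b></p>',
        '<p>x<script>evil()</script>y</p>',
        '<a href="javascript:alert(1)" onclick="x()">link</a>',
        '<a href="javascript&#58;alert(1)">link</a>',
        '<img src="pic.png" onerror="alert(1)">',
        '<b>unclosed',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The lesson of the WordPress bug is that the whole guarantee rests on the allowlist and the URL check being complete; any attribute or scheme the filter fails to consider becomes script execution in the viewer's browser.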

29 December 2010

Older Facebook apps threaten your and your friends' privacy

Facebook users who are concerned with keeping their privacy have probably become more careful over the years about adding applications to their account, since many ask for access to more information than they are willing to provide.

But two or three years back - before Facebook was forced to give users more privacy control over each application used - applications asked for a lot more information in order to function than they do now. And all the users who still use older versions of various applications are still giving them access to all the information that was agreed on at the time, reports Vanessa Dennis.

Take the YouTube App as an example, and see what information it asked access to before and what it asks now:


As you can see, before it could access practically all your information, post to your Wall and even access your friends' information. Unfortunately, that means that all the "Facebook" friends that are using any of these "older" applications are giving it access to your information - and vice versa.

If you are at all concerned about this, it's best to review every application you have on your account. Go to Privacy Settings/Apps and Websites, then click on the "Edit Settings" button and on each application individually to review their specific privacy settings. If you are not satisfied with them, delete the application and think twice about adding it again. Then send this article to your friends and ask them to do the same.

24 December 2010

Fake iTunes e-mail leads to drive-by download

E-mails purportedly coming from iTunes and bearing "iTunes account may be suspended" in the subject line have been hitting inboxes in the last few days.

"Dear iTunes Customer, it is possible that your account password has been stolen. 4 different IP addresses have been used to login to your account within the last 24 hours. Please visit the bellow link and read what to do and how to contact support department," the message says.

At first glance, this seems a typical phishing e-mail. But no - "iTunes will never ask you for your password or any confidential information," claims the e-mail, and perhaps gains the trust of some users who then proceed to click on the link.

They land on a fake Apple support page, and it doesn't ask them to share any confidential information:

But, unbeknownst to them, the site silently serves a malicious script that tries to exploit vulnerabilities in older versions of Java and Windows Help to gain access to the system and download and install malware. Users that patch their OS and software regularly are safe from this attack.

23 December 2010

Worm blocks access to Facebook

A relatively new worm that Symantec named W32.Yimfoca presents a very interesting and never-before-seen modus operandi.

A variant of the worm spreads via Yahoo! Messenger and, once installed, downloads and installs W32.Yimfoca on the target system. Lately, it has been noticed that it specifically targets Facebook users by denying them access to their accounts if they don't complete a survey.

Every time the user lands on the Facebook homepage, a window offering the surveys pops up:


Also, while the victim fills out the survey, a progress bar is shown accompanied by a "threat" - "You have only 3 minutes to fill out the selected survey or you will not have access to your account."

Once you have completed a survey - which, by the way, earns the scammers up to $1 per survey - you can access your account. If you don't do it within 3 minutes, the worm will not allow you to access the account while it's running - and it resets even after a reboot of the infected computer.

It is also interesting to note that the worm blocks access to Facebook only if you use Internet Explorer. Using any other browser fails to trigger the worm and you can access your Facebook account without being sidetracked by annoying pop-ups.

Skype Global Outage

Skype is experiencing a massive worldwide outage today. The last major outage was in 2007, in a story that I broke, and it lasted a day. They also had a DNS issue back in 2004. Not exactly good timing with the impending IPO and people wanting to wish each other Merry Christmas in 3 days.

This is according to Skype:
Earlier today, we noticed that the number of people online on Skype was falling, which wasn’t typical or expected, so we began to investigate.

Skype isn’t a network like a conventional phone or IM network – instead, it relies on millions of individual connections between computers and phones to keep things up and running. Some of these computers are what we call ‘supernodes’ – they act a bit like phone directories for Skype. If you want to talk to someone, and your Skype app can’t find them immediately (for example, because they’re connecting from a different location or from a different device) your computer or phone will first try to find a supernode to figure out how to reach them.

Under normal circumstances, there are a large number of supernodes available. Unfortunately, today, many of them were taken offline by a problem affecting some versions of Skype. As Skype relies on being able to maintain contact with supernodes, it may appear offline for some of you.

What are we doing to help? Our engineers are creating new ‘mega-supernodes’ as fast as they can, which should gradually return things to normal. This may take a few hours, and we sincerely apologise for the disruption to your conversations. Some features, like group video calling, may take longer to return to normal.

Stay tuned to @skype on Twitter for the latest updates on the situation – and many thanks for your continued patience in the meantime.

Skype Outage Lesson: Don't Rely On Consumer Services For Business Functions.

09 December 2010

Apple Releases Patch For 15 QuickTime Vulnerabilities

For those of you out there who are running QuickTime on your Macs or PCs, a new version has been released which fixes 15 different security vulnerabilities. Of the bugs fixed, 14 were described as able to "lead to an unexpected application termination or arbitrary code execution," according to Apple. The final flaw, which only affects those running the movie player on Windows, could potentially allow access to a portion of the user's profile.

In a security advisory released by Apple this past Tuesday, the 15 patched vulnerabilities are described. Multiple file types can be used to trigger different kinds of memory corruption in the QuickTime software: JP2, AVI, movie, FlashPix, GIF, PICT, and QTVR. When one of these files is "maliciously crafted," it can be used to overflow various heap buffers and trigger uninitialized memory access. Apple has implemented better bounds checking and improved file handling when those files are found to be corrupted. Only QuickTime 7.x is affected by this security bulletin, which means that users running Snow Leopard and QuickTime X are not affected. Earlier versions of OS X and all Windows versions (XP, Vista, and 7) are affected.

This is yet another example of how no operating system is completely virus-proof. While there is no evidence of any of these vulnerabilities being exploited in the wild, they certainly could have been. Seeing how Apple's market share has grown exponentially in the last few years, with Mac taking over college campuses around the country, it is certainly time to stop calling Mac a 'virus-proof' alternative to Windows. The only reason there are not more viruses for Apple products is because there are so many more Windows users to target. As the Mac user base increases, so will the interest in Mac viruses.

08 December 2010

Tracking a pirated software license

When Avast Software spotted a license for its avast! Pro Antivirus software being distributed online, they decided to do a simple experiment - they didn't take any action that would curb its spread, and simply monitored how many times the license would be used to register the software.

The license spread virally via file-sharing sites and has been detected on a number of warez sites around the world. After nearly a year and a half, 774,651 active users were tracked through their IP address, and it turns out that the software had been installed in more than 200 different countries - from Afghanistan to Zimbabwe, Russia to Brazil, USA to the (unexpected!) Vatican City.

Avast Software is currently in the process of "converting" these users - they are actually trying to turn this experiment into a marketing opportunity. The following notice pops up on the users' screen:


Upon pressing the "Fix this situation" button, they are notified that they will be cut off from virus database updates, but that they have a choice of converting to avast! Free Antivirus or buying avast! Pro Antivirus.

07 December 2010

How new Facebook user profiles impact privacy

Facebook today announced its New Profile, designed to help users share their experiences, discover common interests and highlight meaningful relationships. The service will be rolled out across Facebook’s 500 million accounts over the coming months.

According to a Facebook blog, the new feature encourages users to, “Give a more complete picture of how you spend your time, including your projects at work, the classes you take and other activities you enjoy (like hiking or reading). You can even include the friends who share your experiences."

Users should think carefully about how much information they are willing to share using this new service. Information about users' lives and lifestyles is of much more use to identity thieves, cyberscammers and fraudsters than it is to the average person who might be a friend on Facebook.

“Adding features to facilitate sharing updates, interests and photos may be appealing to some Facebook users, however people need to be wary about how much personal information they’re willing to give away online,” said Carole Theriault, senior security consultant at Sophos.

“Many Facebook users are online ‘friends’ with complete strangers and so we’d advise Facebook users to consider their privacy settings, make sure they’re only sharing information with people that they know and trust and to think carefully about how much personal information they want to make public.”

03 December 2010

Twitter accounts spreading malicious code

Cybercriminals are exploiting Twitter to spread malware using festive-themed messages, according to PandaLabs. Using methods akin to black hat SEO techniques, hackers are taking advantage of trending topics to position malware distribution campaigns.

As the holiday period has begun, topics such as "Advent calendar," "Hanukkah" or even "Grinch," are among the most popular subjects used by hackers to entice users.

Thousands of tweets have been launched using holiday-related phrases, such as "Nobody cares about Hanukkah," or "Shocking video of the Grinch," along with short URLs pointing to malicious websites.


Users who click the link will be taken to a page that infects systems with false codecs. These exploit a security hole in PDF files and try to trick users into downloading a codec that is really a downloader Trojan, which in turn downloads more malware onto the compromised computer.


In addition to subjects related to Christmas, cyber-criminals are using other hot topics to spread their creations, including the Sundance festival, the AIDS campaign, the Carling Cup and tweets about the actor Morgan Freeman.

With the increased risk over the holiday period, PandaLabs offers users a series of practical security tips for using social media:

1. Don't click suspicious links from non-trusted sources. This should apply to messages received through Twitter, through other social networks and even via email.

2. If you click on the links, check the target page. If you don't recognize it, close your browser.

3. Even if you don't see anything strange in the target page, but you are asked to download something, don't accept.

4. Install all available operating system updates and patches. Cyber-criminals are particularly skilled at exploiting critical vulnerabilities in operating systems and commonly used applications. Computer users are often silently redirected to a website with a carefully crafted malicious payload that leaves the computer infected with data-stealing malware or extortion-based threats. In addition to updating your system, you should update Adobe Flash, Adobe Reader and Java software, which are all commonly targeted by cybercriminals.

5. If you do download or install an executable file and the PC starts to launch messages or behaves strangely, there is probably malware on your computer. In this case, you should check your computer with a free online scanner.

6. As a general rule, make sure your computer is well protected to ensure that you are not exposed to the risk of infection from any malicious code.

01 December 2010

Malicious Kodak Galleries used for serving Trojan

A variant of a highly specialized Trojan has appeared on fake sites mimicking Kodak Gallery pages, where potential victims are urged to download software that would supposedly allow them to watch the offered slideshow, but actually creates a folder with configuration files and copies a few executables into the System32 folder.


But before doing that, it actually does show the users a slideshow of car pictures, which acts as a smokescreen in order to hide the malicious activity.

Further research by Sunbelt's experts reveals that the fact that the pictures are of a car might not be so random. The Bayrob Trojan - of which this is a variant - has had a history of targeting eBay users, especially those buying motors and cars since that means that bigger amounts of money are involved. The Trojan spoofs various eBay pages and tries to trick the users into parting with their money.

This particular variant has a very low detection rate, so be careful when checking out links that you find on forums or receive in spam e-mails - or even in e-mails and instant messages seemingly coming from a friend.

30 November 2010

Behavior of Safari on the iPhone could benefit scammers

A behavior of the Safari browser on the iPhone could be used by phishers and scammers to fool users into believing they have landed on a legitimate site, says Nitesh Dhanjani.

In short, it allows scammers to display a fake URL bar and hide the real one. Users accessing websites from their computers are not in jeopardy, since none of the popular desktop browsers allow websites to modify the text in the address bar in any way or to hide the address bar itself.


There are two mitigating circumstances that allow alert users to spot the trick:
  • While the page loads, the real address bar is visible.
  • When the page is rendered, the real address bar is visible if the user scrolls up.

Dhanjani set up a proof of concept demo page (http://www.dhanjani.com/ios-safari-ui-spoofing/) which you can visit from your iPhone to witness that behavior for yourself.

He says that he notified Apple about the issue, but that they could not say when it will be addressed.

29 November 2010

Hole in iPhone PayPal app allows account hijacking

PayPal customers who use the payment company's iPhone application to make payments should update it as soon as possible, because a vulnerability that can be exploited to hijack their accounts has been found by a security researcher and confirmed by PayPal.

The flaw doesn't affect the PayPal site or the company's Android application, but the 4+ million people who downloaded the iPhone application so far are in danger of getting their passwords intercepted by a hacker if they connect over unsecured Wi-Fi networks.

Essentially, the flaw makes the application fail to verify the digital certificate of the PayPal.com website, which could allow a criminal to "stand" between the user and the site and simply intercept the username and password. Of course, the hacker must be in the same physical location as the user, trick him into connecting to a Wi-Fi hotspot that he (the hacker) set up, and wait for him to use the application.

According to The Wall Street Journal, PayPal spokeswoman Amanda Pires said that they haven't yet heard of an instance where this hole was successfully exploited, but also that the company will reimburse every last cent if it happens to anyone.

That is good news, but it's better if you update your PayPal application now and skip any unpleasant surprises, since the patched version has already been made available.

27 November 2010

Security - It's not fun sometimes but be thankful it's there

With the Thanksgiving long weekend round the corner, here's a post dedicated to IT security. Security isn't the happiest topic in the tech business. It's not like PCs and phones that get more powerful and cheaper all the time or displays that get bigger and more brilliant. It's mostly a steady stream of bad news or, at best, mitigations of bad situations. But there's still plenty to be thankful for.

It's unfortunate that the basic state of computing is insecure and that you will be attacked if you don't defend yourself. But you can defend yourself and defenses do get better all the time. Combined with some experience and a skeptical attitude, modern software can protect you very effectively.

I'll avoid business products which, I would argue, provide much more defensive power than consumer products. Consumers can still do a good job by following a few basic rules:

  • Don't run Windows XP. Run Windows 7 or at least Windows Vista.
  • For your everyday tasks, run as a standard, i.e. less-privileged user. If you get a UAC prompt for elevation, pay attention to it.
    • If an application you run doesn't work well in this environment, try to find a replacement. That application is probably badly-designed and you should blame the developers.
  • Keep your operating system and applications up to date.
  • Run a security suite and keep it up to date.
  • Don't install software casually. Look carefully at what you're installing and at what happens in the installation process. Remove software from your system if you're no longer using it.

Can you still get burned if you follow these guidelines? Yes, but it's highly unlikely, certainly far less likely than if you don't take security seriously. The garden-variety attack out there will raise some flag that you can see. Even a high-quality targeted attack like Stuxnet can be stopped by rigorous methods, but such attacks are very rare.

And if you're a Mac user, be thankful for the fact that, by and large, the malware community still doesn't find you to be worth their attention. This situation may be changing slowly, but you're still flying under the radar.

If you put a little money and effort into securing your computers you can do it effectively. So make sure everything's up to date and then be thankful that you'll be able to rely on your systems and then go stuff your face and watch some football.

26 November 2010

Warning about "postcard" computer virus

With Thanksgiving and Christmas coming up, friends and colleagues are bound to send out a bounty of online e-greeting cards.

Warnings have been issued this weekend about a highly destructive computer virus which has been released under the guise of a postcard greeting.

It is strongly advised that computer users should not open any message with an attachment entitled “Postcard” or “Postcard from Hallmark”, regardless of who sent it.

The virus opens a postcard image which then 'burns' the whole hard disk C of your computer. Experts say that the virus will be received from someone who has your e-mail address in his/her contact list.

An American computer expert who has a senior position in Microsoft and is related to an Isle of Man resident said, “Even if you receive a mail called “postcard” and it appears to have been sent by a friend, do not open it! Shut down your computer immediately. This is the worst virus announced by CNN.”

The virus has been classified by Microsoft as “the most destructive virus ever”. It was discovered by McAfee on Saturday and so far there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the hard disk, where the vital information is kept.

Kids lured to scam site by promises of parental control bypassing

The latest scam to hit Facebook users is one that supposedly offers a completely free proxy service for those who want to bypass parental controls and blocks set up by schools and at workplaces that prevent users from accessing certain sites such as Facebook.

The campaign is specifically targeting kids, luring them into trying out the service located at hxxp://myfatherisonline.com to access Facebook in school.


Of course, when the victims visit the website they can't find the advertised service. Sunbelt researchers have poked around the site and discovered a veritable trove of various scamming attempts.


The victims are faced with an affiliate site containing malware, surveys, quizzes, offers for free iPhones that will try to get them to subscribe to a premium rate service or sign up for spam.

If you have children and they are permitted to have an account on a social networking site, it might be a good idea to chat with them about the various bogus offers that are lurking on those sites.

25 November 2010

The enemy in the network card

There's no corner too small for rootkits to hide themselves. Check this out.

Security expert Guillaume Delugré, who works for the Sogeti European Security Expertise Center (ESEC), has demonstrated that a rootkit doesn't necessarily have to infest a computer. The expert used freely available tools and documentation to develop custom firmware for Broadcom's NetExtreme network controller. He was then able to conceal a rootkit within the firmware, making it untraceable by the virus scanners usually installed on a PC.

Delugré's code is executed by the network card's MIPS CPU and can communicate directly with main memory through the PCI interface's Direct Memory Access (DMA); network cards normally use this functionality to exchange network frames with the driver installed on the computer.

Potential attackers using such a rootkit could remotely access computers or listen to a user's network traffic. Broadcom's NetExtreme controller is mainly used in corporate environments. Network controllers for home users are usually equipped with little, if any, memory and offer limited programming flexibility, which makes them unlikely targets for such an attack.

The attack scenario isn't entirely new: in 2006, John Heasman injected a rootkit into the extended memory of graphics cards and network cards, although his rootkit needed to download code from the net once Windows had started up. Flash memory chips intended for the PC BIOS on a mother board are another potential rootkit hiding place.

24 November 2010

Researchers Uncover Holes In WebOS Smartphones

Linux-based platform prone to Web-injection vulnerabilities and targeted attacks for stealing data.

A pair of researchers has discovered multiple flaws in the WebOS smartphone platform, including one that could let an attacker build a mobile botnet or execute other remote attacks.

Orlando Barrera and Daniel Herrera of SecTheory plan to demonstrate their findings tomorrow at the Austin Hackers Association meeting in Texas. The most dangerous of the vulnerabilities is an injection flaw they found on the WebOS version 1.4.X that allows remote command and control, including access to a phone's files or injecting a remote JavaScript backdoor into the phone's Contacts Application to build a botnet.


23 November 2010

Korean cross-border attacks exploited to spread malware


The recent cross-border shellings between North and South Korea have left many people wondering what has been going on and what triggered the attacks (see "North Korean Artillery Attack on a Southern Island").

Scareware and malware pushers have been very prompt at poisoning related search results.

Search combinations such as "north korea bombs/attacks south korea", "kim jong il", "korean war", "world war 3", "yeonpyeong island" and "korean news" have been producing results that take users to pages showing fake infection warnings and offering rogue antivirus downloads, to pages that attempt to hijack their browser through JavaScript, or to pages that offer Trojans disguised as codecs and bogus updates for Mozilla's Firefox.

The Tech Herald reports that all of the offending compromised domains are using open source CMS software which was not updated and, consequently, vulnerable to attack. They also noted that topics related to Black Friday, Bristol Palin, Dancing with the Stars, and others have been targeted by the same black hat SEO campaign.

19 November 2010

Facebook Messaging System Opens New Security Concerns

The next big thing in social media has been revealed in Facebook's new Messages system, which combines email, texting, and instant messaging into one threaded experience. They want to let people talk to each other without having to worry about whether the recipient prefers email or SMS, etc. This also opens the way for new security challenges to be overcome as more and more people start using this new service.

Sophos, an internet security company that advertises a variety of email and encryption services, has released an article concerning the new Facebook Messages system which focuses on the new security issues that need to be considered by people who opt to use it. In it, senior technology consultant Graham Cluley argues that the burden of security lies more with the user than with Facebook itself. He says, "Before signing up, users need to realize that these new features increase the attack surface on the Facebook platform, and make personal accounts all the more alluring for cybercriminals to break into. Facebook accounts will now be linked with many more people in the users' social circles - opening up new opportunities for identity fraudsters to launch attacks." Basically, spammers now have more of an incentive to hack into Facebook accounts using phishing attacks and exploiting weak passwords.

The other security issue that Cluley discussed was the fact that "users also need to be aware that Facebook will be storing a complete archive of all of their communications with one person - this raises concerns as to how this data could be misused if it fell into the wrong hands." Imagine every conversation you've ever had with anyone being recorded and stored on servers you have no control over. All that vital information in the wrong hands could most certainly spell trouble for anyone unfortunate enough to fall victim to such a situation. For more security-based information about the new Facebook Messages system, check out the Sophos FAQ about it.

15 November 2010

Facebook bug compromises top pages

A customer of Sendible, an online marketing service for promoting and tracking brands through the use of social media, e-mail and SMS messaging, has inadvertently discovered a flaw in the Facebook API.

Using Sendible's Facebook application, he tried to post messages on a few Facebook walls - as a fan - but apparently the flaw caused them to be posted as status messages from the owner of the pages.

Before the flaw could be patched, it was apparently discovered also by some users that decided to use it to propagate a malicious link that would supposedly allow the victims to change their Facebook background. This message appeared on a number of Facebook pages of brands and companies like Coca-Cola, Google, YouTube, South Park, The Daily Show and others.


"A few people who did click on the link reported that it took you to a page outside of Facebook that asks you for some information about you," reports TechCrunch. "The bottom of the page reads 'Powered By AWeber Email Marketing'."

It seems that the malicious link in question has been taken down, but people have been reporting that other links were propagated with the help of the flaw.

Sendible claims that its application wasn't hacked. "This is a flaw in Facebook’s API and may affect all third party Facebook applications," it says. "To ensure this doesn’t happen again, we’ve agreed with Facebook to remove the feature on Sendible that allows fans of Facebook pages to update multiple pages at once."

Facebook claims that there was a bug on its platform AND a flaw in Sendible's API:
"We’ve looked into this more. We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn’t have.

There was a flaw in Sendible’s API call that caused Sendible to incorrectly request that posts users had intended to make on the Walls of Pages they liked be rendered on behalf of those Pages themselves. This bug caused those requests to go through.

Upon discovering the bug, we immediately began work to fix it. It’s now been resolved, and these posts can no longer be made. Sendible has also fixed the flaw on its end. We’re not aware of any cases in which the bug was used maliciously."

14 November 2010

Facebook "love button" app links to malware

If you spot a Facebook post or a message that advertises an application that will let you "unlock" a "love" button if you run it - don't do it. If you do, you will be actually running a malicious Java applet that downloads a password-stealing Trojan.


You don't even have to press a button to install the application - a simple visit to the application's page (which is displayed in Croatian) will trigger a pop-up that will ask you to run the application which - inexplicably - masquerades as a “Sun Microsystems Java Security Update 6":


If this warning fails to arouse your suspicion and you run the application, the Java applet will download an .exe file from a URL passed as a parameter on the website.

"It then saves and executes it as “NortonAV.exe” from the local user profile folder," explains McAfee's expert. "The downloaded trojan payload is a password stealer which searches for passwords stored on the user’s machine. It then sends a password log to an e-mail account on gmail.com over an encrypted SMTP/TLS connection."

Facebook "free plane tickets" scams

Don't be tricked by the impossibly good offers that have lately been popping up on Facebook profiles. There are no free ticket giveaways - there's only the possibility of getting your profile abused by the applications that you are required to install in order to receive them.


Supposedly, Delta Air Lines and JetBlue Airways are giving free tickets to Facebook users, but that could not be further from the truth.

Actually, if you click on the offered link you are asked to install a third-party application - "4freedeltatickets" or "JetBlue Family" - that requests your permission to access your basic profile information, send you e-mails, post on your Wall, access your data at any time, and manage your events and pages.

According to Graham Cluley, once you've done that you are redirected to a page where the scammers will try to trick you into signing up for a premium rate cell phone service. In the meantime, the application that you have allowed access to your profile has been posting the same message you fell for on your Wall and added you to events:


If you have fallen for the scam, delete the applications in question (go to Account/Privacy Settings/Applications and Websites), delete every status message and event they have added to your profile, and contact your cell phone provider to notify them of the situation.

13 November 2010

Drive-By Downloads: Malware's Most Popular Distribution Method

After years of burying malicious software in email and portable storage media, attackers now favor quick downloads via legitimate websites, researchers say.

WASHINGTON, D.C. -- OWASP AppSec DC 2010 -- Why try to fool users into opening email attachments when you can simply drop a Trojan on them from their favorite websites?

That's the question many malware authors and distributors are asking -- and the obvious answer is spurring most of them to try out the emerging "drive-by download" method, according to a speaker here this week.

"What we're seeing is a fundamental change in the method of malware distribution," said Neil Daswani, CTO of Dasient, which offers a service that detects and eradicates Web-borne malware. "In the old days, we saw executable code in a static file, which was originally delivered via floppy disks and then via email attachments. Now we're seeing active content delivered via drive-by downloads at legitimate sites."

A drive-by download typically begins by injecting a Web page with malicious code, often through JavaScript, Daswani explained. The code generally exploits a client-side vulnerability, for example through a JavaScript-based heap spray, to deliver shellcode that takes control of the user's machine. From there, the attacker can send a "downloader," which is often custom, zero-day code that isn't recognized by traditional antivirus systems.

Once the downloader is in place, the attacker can deliver his malware of choice, Daswani said. Drive-by downloads are particularly effective for delivering code that can steal end user credentials (such as Zeus), launch a fake antivirus scam (such as Koobface), steal server-side administrative credentials (such as Gumblar), steal corporate secrets (such as Project Aurora), or collect fraudulent click revenue (such as clickbot.A), he noted.

While drive-by downloads are often more effective at infecting end user devices than email attachments, they also give the attacker broader reach, Daswani observed. Drive-by downloads can be used to infect thousands of websites at once, often by hiding in common third-party devices that are distributed to many sites, such as advertisements, widgets, images, or third-party applications.

"A lot of user organizations do a great job of scanning the code they put on their own sites, but they may not scan the code they're posting from third parties," Daswani warned. "The marketing people will add an ad or a widget to a site, and the IT people may not vet it before it's posted."
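A defender-side check for the injection patterns Daswani describes, as an added example (not Dasient's product or code): it scans a page for script and iframe sources outside a site's allowlist, for iframes sized or styled to be invisible, and for inline scripts carrying the unescape("%u....") sleds that JavaScript heap sprays rely on. The allowlist hosts, the page host and the sample page are all constructed for the example.

```python
"""Scan an HTML page for drive-by injection patterns (added example, not
Dasient's scanner).  Flags third-party script/iframe sources not on the
site's allowlist, invisible iframes, and inline heap-spray style sleds."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts this (hypothetical) site knowingly embeds; anything else is unvetted.
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}

# Eight or more %uXXXX escapes inside unescape() is the classic sled shape.
HEAP_SPRAY_RE = re.compile(r'unescape\(\s*["\'](?:%u[0-9a-fA-F]{4}){8,}', re.I)


class InjectionAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []          # list of (kind, detail) tuples
        self._in_script = False
        self._script_buf = []

    def _foreign(self, src):
        host = urlparse(src).hostname
        # Relative URLs have no host and resolve to the page itself.
        return host is not None and host != self.page_host and host not in ALLOWED_HOSTS

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._script_buf = True, []
            src = a.get("src")
            if src and self._foreign(src):
                self.findings.append(("unvetted-script", src))
        elif tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            # Zero-sized or display:none frames are the usual injection carrier.
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", src))
            elif self._foreign(src):
                self.findings.append(("unvetted-iframe", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            if HEAP_SPRAY_RE.search(body):
                self.findings.append(("heap-spray-sled", body[:40]))


def audit_html(html, page_host):
    """Return the list of (kind, detail) findings for one page."""
    parser = InjectionAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one vetted CDN script, one unvetted ad widget, an invisible
# iframe and an inline sled.  No real site or payload is involved.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example.org/site.js"></script>
<script src="http://ad-widgets.example.net/widget.js"></script>
<iframe src="http://drop.example.net/in.php" width="0" height="0"></iframe>
<script>var s = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE, "www.example.org"):
        print(f"{kind:16} {detail}")
```

Run against a page before it is published and the unvetted widget, the hidden frame and the sled each show up as a separate finding; a page that only references allowlisted hosts returns an empty list.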

Many well-known sites are infected by malware, and the most popular sites are generally targeted most frequently, Daswani noted. In the past two years, major government sites, such as the Treasury Department and Environmental Protection Agency, have been infected, causing them to serve up drive-by downloads to their users. The National Institute of Health has been infected five times in the past two years, and the state of Alabama's website has been infected 37 times in that same time period, he reported.

"It's time to recognize that this is the method of choice for many distributors of malware," Daswani said.

12 November 2010

ElcomSoft breaks Firefox, Safari, Opera, and Chrome passwords

Another convincing reason why you shouldn't get lazy and let your Internet browser store your passwords.

Elcomsoft Internet Password Breaker now retrieves cached passwords stored in a variety of email clients and Web browsers.

The new update adds Mozilla Firefox, Apple Safari, Google Chrome and Opera Web browsers to the list of supported applications in addition to already supported Microsoft Internet Explorer, Outlook Express, Outlook, Windows Mail, and Windows Live Mail.


In addition, cached logins and passwords, pre-filled forms and AutoComplete information can be extracted from the browser cache or secure storage area.

Elcomsoft Internet Password Breaker makes it easier to migrate between supported Web browsers. The tool reminds users of some of their login and password information that may long be forgotten thanks to the convenience of using the cached forms.

Features:
  • Instant password recovery for a variety of applications
  • Supports all versions of Microsoft Internet Explorer, including IE7 and IE8
  • Supports all versions of Microsoft Outlook and Outlook Express
  • Supports Windows Mail and Windows Live Mail passwords
  • Instantly recovers passwords cached in Apple Safari, Google Chrome, Mozilla Firefox and Opera Web browsers
  • Reveals stored POP3, IMAP, SMTP and NNTP passwords for all supported applications
  • Recognizes and works around enhanced security model of Internet Explorer 7 and 8
  • Reveals Microsoft Passport information in Windows Live Mail
  • Retrieves Microsoft Outlook PST passwords
  • Recovers login and password information to a variety of resources.

04 November 2010

Android Falls Short In Security Analysis

We've seen enough news about how Apple's iOS is vulnerable to attack. I think it's only fair that we talk about the shortcomings in its biggest competition, Android. According to a report by Coverity, the popular mobile operating system is home to hundreds of bugs in its kernel with a quarter of those bugs listed as 'high risk' that can be used to exploit user privacy.

Coverity Inc. is in the business of scanning software for potential security vulnerabilities. They recently scanned the open-source Android operating system and discovered 359 bugs. 88 of these are listed as high-risk, which according to the report "include four categories that we have found, through experience and consultation with our customers, to be ones that can cause the most damage and are most likely to be fixed first by developers. These include memory corruptions, illegal memory accesses (e.g., reading beyond the bounds of a memory buffer), resource leaks, and uninitialized variables."

Let's look at how those bugs compare in the open source world. Coverity claims that the industry average 'defect density' is one defect per every 1,000 lines of code. Android has only half that number, which is impressive until you look at the areas those bugs were found. Most of the code in the operating system is a Linux kernel with custom additions added in, and in the Android specific code, the defect density is twice as high.

Fragmentation of accountability is listed as one of the main conclusions of the report. Coverity basically says that, just like the rest of open source software, with so many people contributing so many different elements to the project, it is almost impossible to keep track of who is in charge of fixing what. This is definitely a problem as open source becomes more and more popular.

The Coverity report can be found here.

03 November 2010

Free Mac anti-virus for home users

Good news for Mac users out there!

Sophos announced the availability of a free Mac anti-virus product for home users. Based on Sophos's security software, which protects over 100 million business users worldwide, Sophos Anti-Virus Home Edition for Mac is available for consumers to download at no charge.


Sophos Anti-Virus Home Edition for Mac provides automatic detection of existing and new threats for Mac OS X. The free software also incorporates strong disinfection capabilities, capable of removing malware infections that may already be present on the Mac computer.

Sophos Anti-Virus Home Edition for Mac detects both Mac and Windows malware, and is backed by SophosLabs, Sophos's global network of highly skilled researchers and analysts, protecting businesses from known and emerging malware - viruses, Trojans, spyware and rootkits. SophosLabs ensures that Sophos Anti-Virus Home Edition can even proactively stop brand new unseen threats before they can install on your Mac.

Technical requirements:
  • Mac with Intel or PowerPC processor
  • 256 MB of memory
  • 150 MB of available disk space
  • Mac with OS X 10.4 (Tiger), 10.5 (Leopard) or 10.6 (Snow Leopard)
  • Supports all Apple Mac hardware including iMac, MacBook, MacBook Pro and the new MacBook Air.

02 November 2010

Spying app kicked out of Android Market

Secret SMS Replicator, a spying application that forwards contents of a user's text messages to the phone of the person who installed it in the first place, has been booted out of the Android Market.

Once the application in question is installed, there is no visible shortcut or icon to alert the user about the spying that is in progress, so one can see why this would be a problem for Google. According to ReadWriteWeb, the application was banned because it violates the Market's content policy, which says that applications that are guilty of invasion of personal privacy are not allowed to be uploaded.

Zak Tanjeloff, CEO of DLP Mobile (the company that developed the application) said that they developed it for Android because such an app would never be approved by Apple for use on the iPhone and allowed to be sold on its iTunes App Store.

But, as it turns out, the Android Market has similar rules - the only difference is that Apple's approval process will flush such an application out before it is allowed in, and the Android Market allows them in and removes them once they are published. Unfortunately, that gives potentially malicious applications a small window of opportunity to do their bad work.

30 October 2010

Enormous Security Flaw In IOS 4.1

This is one for the record books. The password on your iPhone is not nearly as safe as you may like to think it is. A new vulnerability has been found that allows anyone to bypass that lock and get full access to your phone, contacts list, and even photos.

The way it works is like this. Let your phone lock to where you need to put in your passcode to unlock it. Swipe your finger to bring up the passcode screen. Press "Emergency Call." Now type in any numbers (stars or pound signs work too). This is the important part: press the call button and immediately press the sleep button on the top of the phone. You should be taken immediately to the Phone app, where you can access your phone numbers, voicemail, and full contact list. In order to see photos, go to your contact list and press on someone. Now press "Share Contact" followed by "MMS." You will now be taken to a text message screen, where you can press on the little image of a camera and get to the photos on your phone.

Needless to say, this is a HUGE security hole, which can be used to access your personal information. We can only hope that Apple will be coming out with a security update soon to address this issue, considering the amount of internet media attention it has been receiving. The bug find is credited to Salomão Filho, who posted this video of himself giving a step by step tutorial on how to exploit it.


I have personally tested this on several of my friends' iPhone 3GS and iPhone 4 running iOS 4.1, and found that it is just as easy as it looks to break into a phone using this method.

29 October 2010

Facebook phishing worm compromises thousands of accounts

A very effective phishing worm has been targeting Facebook users and has been compromising their accounts by luring them with the offer of seeing a video.

The victim would receive an instant message from a contact asking "Is this you?" and supposedly offering a link to the video, but actually providing a link to a malicious Facebook application which loads a phishing page into an iframe:


The Kaspersky researcher that spotted the worm was curious and poked around the server to access some common directories so that he could discover more information about the worm's activity, and he found one containing Apache access logs.

"When analyzing the content of the log file I saw that someone was trying to access a file named acc.txt," says the researcher. "I downloaded acc.txt and saw that the file contained stolen accounts: in the first version of acc.txt which I downloaded I saw that the attacker had collected over 3000 accounts! I downloaded the acc.txt at 5-minute intervals, and within 20 minutes, the number of stolen accounts went from 3000 to over 6000."

He immediately notified Facebook, and the malicious page was taken down. Users who think their account has been compromised are advised to change their passwords and to terminate any active session that might be found in the Account Security section in the Account Settings.

Increase in Halloween malware attacks

There's an increase in the number of Trojans circulating in the pre-Halloween period this year, according to GFI Software. Eight of the top 10 threat detections currently spreading on the internet are Trojans, up from six during October last year.

Furthermore, three of the top 10 threat detections from last year’s Halloween season are still on the list, highlighting the lasting impact of this type of malware long after the holiday is over.

Consumers should be on the lookout for new iterations of the following common types of attack:
  • Halloween Tweets, “likes” and posts on various social media sites that can be used to lure users to malicious websites.
  • Search engine optimization (SEO) poisoning, in which links to malicious Web sites show up in search engine results for holiday items.
  • Halloween-themed attachments posing as invitations, greeting cards or documents. Clicking on these creates a significant risk of downloading rogue security products or other malware.
  • “Typo attacks” which take advantage of the increased Holiday traffic to commonly misspelled URLs. Malware writers set up spoofed infected sites and download locations to trap unsuspecting web users who misspell URLs and end up in the wrong place.
  • Sites that offer contests attempting to get visitors to subscribe to questionable subscription services that are billed to their cell phone monthly.

28 October 2010

New 0-day flaw in Flash Player exploited in the wild?

Bad news just keeps piling up on Adobe - it looks like there is a new zero-day vulnerability in their Flash Player that is being exploited in the wild.

Its existence is still to be confirmed by Adobe, but security researcher Mila Parkour from the Contagio Malware Dump blog seems to think it may be the real deal. According to her, the vulnerability is exploited via a malicious .pdf document sent as an attachment, and two files are dropped - and executed - on the system: nsunday.exe and nsunday.dll.

They are both components of a variant of Wisp - an information-stealing and downloader Trojan - and, according to Softpedia, it is currently detected by 15 of the 42 AV solutions used on VirusTotal.

If the flaw and its use in the wild are confirmed, Adobe will have to scramble to put out a patch well ahead of the date selected for the next security update. In the meantime, users could avoid becoming victims by disabling Flash support in Adobe Reader.

UPDATE: Apple has confirmed the existence of the vulnerability and plans to issue a patch for Flash Player around November 9 and patched up versions of Adobe Reader and Acrobat around November 15.

Think your Twitter Direct Message is private? Think again

Twitter has established itself as a means of broadcasting information to a wide group of people all at once. But, for those times when you want to talk more intimately, Twitter also has the ability to send a Direct Message (DM) that is private between the two parties. Well, it's supposed to be private, but the reality is perhaps not as secretive as one might expect.

While the DMs are ostensibly private, the reality is that any apps that have been approved to access your Twitter account can also see those "private" messages.

There are only two types of account access authorisations: read-only, or read-and-write. In either case, the fact that the app has been granted permission to access the account at all means that all Twitter messages, including DMs, are accessible to the app. In the event of read-and-write approval, the app could also delete your messages, or send messages out on your behalf.

Perhaps you should think twice next time before blindly approving some random app to access your Twitter feed. You can find out which apps have access to your Twitter messages by logging in to your account on the Twitter site. Click on Settings, then Connections. The fine print for each entry displays the type of access authorized (read-only or read-and-write), and a link is provided to "Revoke Access" for any that seem shady or unwarranted.

It may be a tad paranoid to worry about whether the admin of a given app is abusing the privilege you have granted and is sifting through your private DMs. But, just to be safe you should exercise some discretion with the apps you grant that authority to, and remember that your DMs may not be as private as you might think.

27 October 2010

MySpace apps send user IDs to advertisers

In the wake of the discovery that some third party Facebook applications transmit users' ID to ad agencies and Internet tracking companies, The Wall Street Journal has revealed that MySpace and some of the game applications on it are doing exactly the same thing.

This is not the first time MySpace has been found "oversharing" - at the time, they said they were working on a method to obfuscate the ID information sent to ad agencies via "HTTP referrers".

An extenuating circumstance is the fact that - unlike Facebook - MySpace doesn't require or encourage its users to make an account in their real name, so knowing a user ID doesn't immediately mean that usable information can be harvested. On the other hand, many users simply don't think of creating an online persona to protect their privacy.

Three popular MySpace applications - TagMe, GreenSpot and RockYou Pets - have been found transmitting the information, which is against the rules set by the social network.

"It has recently come to our attention that several third-party app developers may have violated these terms and we are taking appropriate action against those developers," a MySpace spokesman said.

Apple resolves FaceTime security flaw

A flaw in the beta version of Apple's FaceTime for Mac, which was presented on Wednesday, has apparently allowed potential hackers to gain access to and modify a user's iTunes account settings from the software - without asking for a password.

Even though the exploitation of the flaw would have been possible only to people who had physical access to the (unattended) system, Apple has moved to close the hole almost immediately. According to InformationWeek it did so by disabling the ability of the user to view those settings from FaceTime.

It is definitely a good move for the time being, and I expect the flaw to be permanently fixed when beta testing is completed. As the number of Mac users rises with the proliferation of iPhones and iPads, it is laudable to see Apple react quickly to potentially dangerous security vulnerabilities.

26 October 2010

Google 'spied' on British emails and computer passwords

In what could be called a major security breach, Internet search engine 'Google' has admitted spying on computer passwords and entire emails from households across Britain.

The California-based company has, however, apologized for downloading personal data from wireless networks when its fleet vehicles drove down residential roads taking photos for its Street View project, 'The Sunday Telegraph' reported.

"It's clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs (web addresses) were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologise again for the fact that we collected it in the first place," Alan Eustace, Google's Vice-President of engineering and research, was quoted as saying.

Millions of Internet users have potentially been affected.

The Information Commissioner's Office, the privacy watchdog, said it would be looking into Google's admission.

Images for Street View were gathered by vehicle-mounted panoramic cameras starting in 2008.

In May this year, Google confessed the vehicles had also been gathering information about the location of wireless networks, the devices which connect computers to the tele-communications network via radio waves.

25 October 2010

Firefox extension makes social network ID spoofing trivial

A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

"When it comes to user privacy, SSL is the elephant in the room," said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can "sniff out" the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user.


"As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed," explains Butler. "Double-click on someone, and you're instantly logged in as them."

It is not that this was impossible to do before the advent of Firesheep, but it required some knowledge that average Internet users didn't have. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," says Butler.

Whether he will succeed in pointing out the need for full end-to-end encryption and spurring websites into action remains to be seen. Among the websites whose cookies Firesheep can identify are Facebook, Flickr, Amazon.com, bit.ly, Google, Twitter, Yahoo, WordPress, and many others.
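An audit of the server-side settings Butler is pushing websites toward, as an added example (not Firesheep's code): it checks whether a response leaves a session cookie readable by a passive sniffer on a shared network, which is exactly what the extension exploits. The responses, the cookie names and the host social.example are constructed for the example.

```python
"""Check whether a site's responses expose its session cookie to a
Firesheep-style passive sniffer (added example, not Firesheep's own code).

A session cookie without the Secure attribute is attached to every plain
http:// request, so anyone on the same network segment can read and replay
it.  The checks run over constructed header sets, not live traffic."""

# Cookie names that usually carry a login session (heuristic for the example).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flags such as Secure / HttpOnly carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_response(scheme, status, headers):
    """Return a list of (field, problem) tuples for one HTTP response.

    scheme  -- 'http' or 'https', the scheme the request was made over
    status  -- integer HTTP status code
    headers -- list of (name, value) pairs; Set-Cookie may repeat
    """
    findings = []
    hdrs = [(n.lower(), v) for n, v in headers]
    location = next((v for n, v in hdrs if n == "location"), "")

    if scheme == "http":
        # A plain-HTTP request should only ever be answered with a redirect to TLS.
        redirected = status in (301, 302, 303, 307, 308) and location.startswith("https://")
        if not redirected:
            findings.append(("transport", "plain-HTTP response not redirected to https://"))
    elif not any(n == "strict-transport-security" for n, _ in hdrs):
        findings.append(("transport", "no Strict-Transport-Security; first http:// visit is still exposed"))

    for n, v in hdrs:
        if n != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue  # preferences like lang=en are not worth hijacking
        if "secure" not in attrs:
            findings.append((name, "session cookie lacks Secure; sent in clear on every http:// request"))
        if "httponly" not in attrs:
            findings.append((name, "session cookie lacks HttpOnly; readable by injected script"))
    return findings


# Constructed 2010-style response: a logged-in page served over plain HTTP.
WEAK_RESPONSE = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.social.example"),
    ("Set-Cookie", "lang=en; Path=/"),
])

# Hardened pair: http:// only redirects, https:// sets a locked-down cookie and HSTS.
HARDENED_REDIRECT = ("http", 301, [("Location", "https://social.example/")])
HARDENED_RESPONSE = ("https", 200, [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("redirect", HARDENED_REDIRECT),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(*resp))
```

The weak response produces three findings (cleartext transport, no Secure, no HttpOnly) while both hardened responses produce none; feeding it a site's real headers shows whether that site is on Firesheep's list for a reason.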

As I write this, the extension has been downloaded some 8,000 times, and the number is rising by the second. Wouldn't it be amazing if an action such as this could bring about the realization of a more secure Internet?

Researchers hack toys, attack iPhones at ToorCon

SAN DIEGO--From "weaponized" iPhone software to hacked toys and leaked cookies, researchers at the ToorCon security conference here this weekend showed how easy it can be to poke holes in software and hardware with the right tools, know-how, and curiosity.

One researcher demonstrated how to take control of an iPhone using an exploit that targets a hole in Safari, which has been patched. The iPhone had an app installed that allowed it to process credit card numbers, which could then be stolen if this were an attack in the wild.

Read more here.

24 October 2010

Zynga sued in privacy breach controversy

218 million “class members” probably won’t settle for Farmville dollar.

A suit has been filed in U.S. District Court in San Francisco on behalf of a Minnesota woman charging game maker Zynga with leaking the personal information of 218 million Facebook members in violation of federal law. The suit seeks class action status. (Story in The Register of the UK here.)

The action follows by three days an investigative story by The Wall Street Journal that found a large number of Facebook apps - including Zynga games such as Farmville and Mafia Wars - leaked the user IDs of Facebook players and their friends to outside companies. (Story here.)

Users’ privacy on the Internet has been a dicey proposition (some say non-existent) for most of the net’s history. Social engineering techniques early on became about as refined as cryptographic algorithms.

The compromise of personal information from breached company, university and government systems made high-profile headlines. That resulted in security standards and laws that required notification of those whose information was compromised (California's breach notification law, HIPAA, etc.).

The rise of spyware took the issue to entirely new levels and created a whole anti-spyware component of the anti-virus industry.

The most recent controversy over social media exposures (especially by young people) and persistent tracking cookies just refined the concern.

The central question in all of this for the Internet user should be: “will there be some new technology in the future that will circumvent all existing safeguards and compromise my personal information yet one more time?”

If Internet history is any guide, the answer is "yes." There has been a long chain of innovative methods for extracting personal data from any place it is stored, and it appears that will never end.

Hackers and virus writers solved the problem years ago. They use pseudonyms (and more than one in known cases.) We haven’t heard of any widespread use of pseudonyms by the average user on social media sites, but we predict it isn’t far off. And it’s not like we’re suggesting it, but changing accounts every few months on things like web email and social media sites and using false personal data like dates of birth would sure play havoc with tracking systems. It will probably give you a whole new selection of spam too.

Hey, on the Internet no one has to know you’re a dog (or your real DOB.)

23 October 2010

UK to monitor all cyber communications

The British coalition government intends to forge ahead with the previous Labor government's plans to intercept web communications, inviting protests by civil liberties groups.

The latest action by the government comes despite pre-election pledges from the Conservatives and the Liberal Democrats to reduce surveillance of citizens.

The plan would have all internet and cell phone carriers record and log every call, email or website visit that goes on in the UK. The data would then be stored for at least a year.

The proposal to commence nationwide communication monitoring was reportedly set out in the government's Strategic Defense and Security Review, with particular emphasis placed on utilizing new technology.

The government will "introduce a program to preserve the ability of the security, intelligence and law enforcement agencies to obtain communication data and to intercept communications within the appropriate legal framework", said the review.

The review also went on to claim that "this program is required to keep up with changing technology and to maintain capabilities that are vital to the work these agencies do to protect the public".

The previous Labor government devised a plan to have ISPs, social-networking sites and other communications service providers gather traffic data on all web communications under the Interception Modernization Program.

Their scheme aimed to collect information on the sender, recipient, timing and location of every email and other message sent via the web. The data would then be stored in such a way as to allow law enforcement and intelligence agencies to track any individual and to see with whom they were communicating and when.

The British coalition government claims that the so-called 'security plans' are necessary to combat terrorism and organized crime. However, critics insist that it amounts to an invasion of privacy and a violation of civil liberties.

22 October 2010

Good news for Mac users!

As Mac usage grows and the platform becomes more popular, the threat of viruses increases right along with it. This week, Panda Security released a new version of its antivirus suite geared specifically for Mac computers. This complements their line of Windows-based antivirus solutions.

The majority of Mac users are as interested in anti-virus software as they are in running Internet Explorer. This is mostly because people like to think that by not running Windows, they are impervious to viruses, malware, spyware, and those other nasty things you find while surfing the internet. This is unfortunately not the case. Various viruses and worms have been found to affect Macs as easily as any other operating system. It is for this reason that Panda Security has released its new antivirus software for Mac computers. This is by no means the first program of its type on this platform, with companies such as Symantec and Kaspersky (known for their Windows solutions) also offering Mac versions of their security software.

From the Panda Security website, "Malware is not just designed for PCs any more. The more popular Mac computers and devices become, the bigger and more enticing targets they are for hackers and cybercriminals. And universal web connectivity just makes it easier for them to reach their targets. Panda Antivirus for Mac is comprehensive, powerful protection against viruses, spyware, and other malware intended for the Mac OS." They claim that this security suite will protect files from "viruses, worms, Trojans, spyware, keyloggers, bots, and other malware" designed for Mac systems, but also for Windows and *nix systems, to prevent you from spreading things to your friends and coworkers. On top of this, there are a bevy of additional protections, such as email and instant messenger scanners, an anti-phishing filter, and what looks like a firewall even though they don't come right out and say it. You are also able to scan your iOS devices by attaching them via USB tether.

I am not saying that Mac users should or shouldn't run antivirus software on their computers, but there is no denying that the Mac is vulnerable to security risks just as any OS is. It is good to see that more companies are investing the resources required to make such security software for what is generally seen as a "virus-proof" platform.

21 October 2010

Bogus Adobe employees sell fake PDF program

A series of e-mails purportedly sent by Adobe Acrobat Reader Support employees in which the users are urged to activate their "new Adobe PDF Reader" have been hitting inboxes worldwide.

According to Softpedia, the embedded link (www.adobe-download-center.com) redirects the users to another URL (www.pdf-new-2010-download.com), where a bogus program by the name of PDF Pro 2010 is offered on sale.

A hint that this might not be a legitimate offer comes from the fact that users are encouraged to download the file with a promise to receive a free copy of "the best ALL-IN-ONE Office Solution for Your PDF Files!". It is safe to say that any company is unlikely to offer free PDF software alongside its paid one.

Also, it seems that a variant of this e-mail has been sent out for weeks now. An entry on Adobe's forum posted in late September indicates that a similar message - with the subject line Adobe PDF Reader software upgrade notification - links to a site that tries to install various malware on the users' system.

Don't be fooled by these messages, because Adobe would never send you unsolicited e-mails, even if they want you to patch your software. And even if you are subscribed to one of Adobe's mailing lists, it always pays to be extra careful and check the offered link by rolling over it first.

20 October 2010

Kaspersky download site hacked, redirecting users to fake AV

Kaspersky's USA download site was hacked.

For three and a half hours on Sunday, it was providing download links that redirected users to a malicious web page where windows telling them their computer was infected were popping up and they were encouraged to buy a fake AV solution.

The fact was noted by various users on three separate forums. Among those was Kaspersky's own forum, and judging by the comment left by someone with the username "Micha" who appears to be an employee of the security firm stationed in Japan, the problem was solved.

According to ITPro, the incident was first denied, then confirmed by Kaspersky. They say that they took the server offline as soon as they found out about the breach, that the compromise was caused by a vulnerability in a third party application for website administration and that customer details contained on company servers were not compromised.

"Kaspersky Lab takes any attempt to compromise its security seriously. Our researchers are currently working on identifying any possible consequences of the attack for affected users, and are available to provide help to remove the fake antivirus software," they said in a statement to the press.

Compromising legitimate pages is a favorite tactic of malware peddlers, since established sites are usually better positioned in search results than brand new ones. Whether this compromise of a security firm's website will mark the beginning of a trend, only time will tell.

The rise of Java exploits

Sifting through the data collected and analyzed in order to compile the latest Microsoft Security Intelligence Report, senior program manager Holly Stewart came to an interesting conclusion: Java exploits have become far more popular with hackers than the Adobe-related ones:


This enormous jump is, according to Stewart, due to the fact that three particular vulnerabilities are being constantly exploited. Brian Krebs offers his own explanation: Java exploits have been incorporated into a number of popular exploit packs (Eleonore, Crimepack, SEO Sploit Pack, Blackhole).

These vulnerabilities have been patched for a while, but the problem is that users fail to update Java on their system. "Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it. On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it's running?" says Stewart.

Given that Oracle has recently issued a Java security update that patches nearly 30 vulnerabilities, this would be a good time for all users to update the program or check for its existence on their systems and then update it. And while they're at it, they could configure the built-in updater to check for new versions every week.
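Stewart's question, "How do you know if you have Java installed or if it's running?", is one an administrator can answer for a fleet with a small inventory script. The following is an added example, not code from the article, Microsoft or Oracle: it runs `java -version`, parses the version banner (the old `1.6.0_22` style and the newer `11.0.2` style), and reports whether the install is older than a baseline. The baseline version is a placeholder, since the article does not name the patched release, and the sample banner is constructed.

```python
import re
import subprocess

# Constructed sample of a `java -version` banner (printed on stderr by the JRE);
# not taken from the original page.
SAMPLE_BANNER = '''java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) Client VM (build 16.3-b01, mixed mode, sharing)
'''

# Placeholder baseline: the article does not state which release fixed the
# vulnerabilities, so substitute the version your patch policy requires.
MINIMUM_VERSION = (1, 6, 0, 22)

# Matches both 'java version "1.6.0_22"' and 'openjdk version "11.0.2"'.
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, patch, update) from a version banner, or None."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(g) if g else 0 for g in match.groups())


def installed_java_version():
    """Invoke `java -version`; None means Java is not on PATH (or hung)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # Old JREs print the banner on stderr, some newer builds on stdout.
    return parse_java_version(proc.stderr + proc.stdout)


def is_outdated(version, minimum=MINIMUM_VERSION):
    """True when a Java install exists and is older than the baseline."""
    return version is not None and version < minimum


def report(version, minimum=MINIMUM_VERSION):
    """Human-readable one-line verdict for an inventory log."""
    if version is None:
        return "Java not found"
    tag = "OUTDATED" if is_outdated(version, minimum) else "ok"
    return "Java %d.%d.%d_%02d: %s" % (version + (tag,))


if __name__ == "__main__":
    print(report(installed_java_version()))
```

Because `installed_java_version` shells out, the parsing and comparison live in separate functions that can be exercised against captured banners from machines you cannot log in to interactively.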

19 October 2010

South Korea's Power Structure Hacked, Digital Trail Leads to China

South Korean intelligence claims China-based hackers stole confidential material from the country's diplomatic and security services throughout 2010. If a new report is correct, hackers inside the People's Republic of China gained access to personal computers and PDAs belonging to much of South Korea's power structure.

South Korea's primary intelligence agency is claiming that China-based hackers stole confidential material from the country's diplomatic and security services throughout the past year. If the new report by the National Intelligence Service is correct, hackers inside the People's Republic of China gained access--via malware--to personal computers and PDAs belonging to much of South Korea's power structure.

The booty? Sweet, sweet defense documents.


Read more info here.

15 October 2010

Facebook Adds Extra Layer Of Security

Facebook, the giant of the social media networks, has added extra security to user accounts. This security comes in the form of three new features that are available now for most users.

According to Jake Brill in The Facebook Blog, the first feature that has been introduced is an option to receive a one-time-use, temporary password for your account. According to Brill, "Simply text 'otp' to 32665 on your mobile phone (U.S. only), and you'll immediately receive a password that can be used only once and expires in 20 minutes. In order to access this feature, you'll need a mobile phone number in your account." I can see this being useful in the case that your account has been compromised and your password has been changed by whoever accessed it. You would then be able to get into your account to create a new password that only you know. Of course, in the case of a lost or stolen phone, this policy works against you.

This next feature I am actually glad for. It is a remote sign-out feature that lets you sign off your account from any computers it is active on. It can also show you where your account is being accessed from, so you can tell if someone who shouldn't be on your account is. This is a feature that has been available for other services, such as Gmail, for a long time now, and I'm glad Facebook has finally caught up.

Finally, Facebook will begin prompting you more often for security updates. From Brill, "when people log in to Facebook we will regularly prompt them to keep their security information updated. If you ever lose access to your account, having this information helps us verify who you are and get you back into your account quickly." This is nice for the people who have a hard time remembering to update this kind of information frequently enough.

Overall, I see these new features as two steps forward, and one step back for Facebook security. The step back is only in the case that your phone is lost or stolen, as whoever is in possession of your phone is now in possession of your Facebook account.