::Trend Micro Threat Resource Center::

30 January 2011

Facebook Beefing Up Security With HTTPS Connections

How important is your Facebook account? Do you consider it as important as, say, your bank account? If you happen to feel this way about Facebook, then you'll like the latest news regarding the social network service.

Earlier this week, Facebook rolled out a new feature which allows users to connect over an HTTPS connection.

What is an HTTPS connection?
Basically it's an encrypted link, very similar to what most banks provide their customers. This connection type will be able to curb the problems with "sidejacking", which is the act of cracking into connections over open Wi-Fi networks.

Considering many people keep up with their social networking in public places, this could be a huge privacy move for some users. For those who travel on a consistent basis, this is a huge improvement.

This security feature is added to a long list of updates Facebook has rolled out recently. One such update is the "social authentication" feature, which makes users verify photos of their friends in order to verify their account status.

It's perhaps coincidence, or maybe not, that this feature was released the day after an API error was used to hack into Mark Zuckerberg's account page. The error has been patched, alongside the release of the HTTPS feature.

The update was also released a day before Data Privacy Day, which is an international time to boost awareness for data privacy.

With HTTPS, Facebook continues to try and improve its security image. Many people have criticized them through the years for not protecting users' security and privacy enough. This update is certainly taking a step in the right direction to help boost their image.

26 January 2011

Data Privacy Day is January 28, 2011!

Despite all of the benefits of these technologies, doubts and worries persist about just how much personal information is collected, stored, used, and shared to provide these convenient and pervasive tools and services.

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it – with whom are they sharing it? Most of all, individuals are asking ‘How can I protect my information from being misused?’ These are reasonable questions to ask – we should all want to know the answers.

To get involved, please contact info@dataprivacyday.org


04 January 2011

Adobe PDF format riddled with exploitable features

Adobe's PDF format and standard has been known for a while now to be easily exploitable and, thus, rather insecure. In the past, attackers have taken advantage not only of its vulnerabilities, but of its features as well. And as Adobe has recently announced a sandbox for Adobe Reader, some experts wonder if it's enough.

As Julia Wolf, a researcher with security company FireEye, pointed out at the 27th Chaos Communication Congress in Berlin, the current PDF standard is riddled with functions that can be misused in various ways.

According to her, a PDF file can have a database scanner embedded in it which is rigged to start scanning as soon as the file is printed on a network printer. It can also be made to display completely different content depending on the OS, browser, PDF reader software or language settings used on the computer.

What's more, some of its functions can be used to set off arbitrary code execution. The fact that the standard supports many insecure formats (XML), technologies (RFID tags) and script languages (JavaScript) only adds to its weak security.

According to The H Security, she also mentioned that, interestingly enough, Adobe calls the PDF format a "container format". And, indeed, it can contain many things, from audio and video to Flash files, which can, in turn, be exploited by attackers.

But, one of the biggest problems regarding the exploitation of this feature is that most anti-malware solutions fail to detect this embedded malicious software, and the detection rate is poorer still if the malicious code is compressed.
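The detection gap described above can be seen with a small triage script. This is an added example, not code from the talk or from any vendor: it counts the PDF name tokens for scripting, embedded files and rich media both in plain view and inside Flate-compressed streams. The token list, the function names and the sample file are assumptions constructed for the illustration.

```python
import re
import zlib

# Name tokens for features the article mentions (scripts, embedded files,
# Flash/rich media) plus auto-run triggers. Assumed list for this example.
RISKY_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def count_names(data):
    """Count each risky name, requiring a delimiter after it (/JS != /JSx)."""
    counts = {}
    for name in RISKY_NAMES:
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def triage_pdf(data):
    """Report risky names seen in plain view and inside stream bodies."""
    inflated, not_flate = [], 0
    for match in STREAM_RE.finditer(data):
        body = match.group(1)
        try:
            # decompressobj tolerates a trimmed trailing byte or extra padding
            inflated.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            not_flate += 1          # other filter or uncompressed: scan as-is
            inflated.append(body)
    return {
        "visible": count_names(STREAM_RE.sub(b"", data)),
        "in_streams": count_names(b"\n".join(inflated)),
        "not_flate": not_flate,
    }


def build_sample():
    """Constructed, simplified sample: a compressed stream hides a script action."""
    hidden = zlib.compress(b"<< /S /JavaScript /JS (constructed placeholder) >>")
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(hidden)).encode() + b" >>\nstream\n" + hidden
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample()))
```

On the constructed sample, a scan of the raw bytes sees only `/OpenAction`; the script tokens appear only after the stream is inflated.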

All in all, the sandboxing feature will be a welcome addition to the new version of Adobe Reader. Whether it will solve the problems she described remains to be seen.

01 January 2011

Android Trojan with botnet capabilities found in the wild

A new, more sophisticated Trojan for Android devices has been spotted lurking on third-party Chinese Android app markets. It is the first ever piece of Android malware that has the capability to receive instructions from a remote server and thus become part of a botnet.

Dubbed "Geinimi", the Trojan is attached to (obviously compromised) versions of legitimate applications, mostly games such as Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.

So far, it has only been spotted being distributed through third-party Chinese app stores. Versions of these applications on the official Google Android Market have not been compromised.

When the affected application is installed on the device, it requires the user to give more permissions than it would usually need. Geinimi then kicks into action, harvests the device's location coordinates, the IMEI and IMSI (unique identifiers for the device and the SIM card), and transmits that information to a remote server via a number of hard-coded domain names.

Until now, the server hasn't been spotted sending instructions to the Trojan, so its final purpose is not yet clear.

It is known, though, that it can download and prompt the user to install an app, prompt him to uninstall an app, and transmit a list of all the installed apps on the device to the aforementioned server.

Lookout's researchers say that Geinimi also uses obfuscation techniques to hide its activities, so it will be more difficult to spot.

But users in general should suspect their devices of being infected by mobile malware if the phone presents unusual behavior such as automatic SMS sending to unknown recipients, automatic phone calls, stealthy installation of unknown applications, etc.

An occasional check of outbound calls and SMSs and of installed applications should become a habit for users.