HideMyAss VPN

Thursday, September 5, 2013

‘Critical’ Facebook flaw left user images vulnerable to deletion by hackers

Indian researcher Arul Kumar has uncovered a security flaw that allowed hackers to delete any image from any Facebook user’s profile, without the user’s knowledge or consent.
The flaw has been classed as ‘critical’ and worked by exploiting the Facebook Support Dashboard, which is used to send Photo Removal requests to the company. These reports are usually either seen by Facebook’s employees or sent directly to the image’s owner with an automatically generated link to remove the photo. Once clicked by the user, the target image is then deleted.

The new bug revealed that, while these removal requests were being sent, two parameters were left open to tampering. If a hacker modified the Photo_id and Owner Profile_id parameters, they could bypass any user interaction and simply have the removal link sent to their own personal inbox instead.

The owner profile IDs can be found through a simple search with Facebook Graph, and each image carries an fbid value which can be found in a Facebook URL. Once the photo’s ID had been pinned down, two Facebook user accounts could then be inserted in order to receive the link needed to remove the image, with one account acting as the sender and the other as the receiver.
Kumar has warned that any photo could be taken from any page or user, including shared and tagged images, photos from groups and pages and images from suggested posts. The researcher has since been awarded a $12,500 bounty through Facebook’s Bug Bounty program and the company says that the error has since been fixed.
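As an added illustration that is not code from the article or from Facebook, the following hypothetical model shows the authorization gap described above beside its fix: the vulnerable path lets the client-supplied profile id decide who receives the removal link, while the hardened path takes the recipient from the server-side owner record and re-checks ownership when the link is redeemed. All ids, function names and the key are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data (hypothetical ids): which profile really owns each photo.
@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner_id: int

PHOTOS = {1001: Photo(1001, 501), 1002: Photo(1002, 502)}
SECRET = b"placeholder-server-key"  # a real service loads this from a secret store

def _token(photo_id: int, owner_id: int) -> str:
    # The removal capability is bound to the (photo, owner) pair, not just the photo.
    return hmac.new(SECRET, f"{photo_id}:{owner_id}".encode(), hashlib.sha256).hexdigest()

def issue_link_vulnerable(photo_id: int, profile_id: int):
    """Models the flaw: the client-supplied profile id decides who gets the link."""
    if photo_id not in PHOTOS:
        return None
    return {"photo_id": photo_id, "recipient": profile_id,
            "token": _token(photo_id, profile_id)}

def issue_link_fixed(photo_id: int, profile_id: int):
    """The recipient comes from the server-side record; a mismatch is rejected."""
    photo = PHOTOS.get(photo_id)
    if photo is None or photo.owner_id != profile_id:
        return None
    return {"photo_id": photo_id, "recipient": photo.owner_id,
            "token": _token(photo_id, photo.owner_id)}

def redeem_vulnerable(link: dict, acting_user: int, deleted: set) -> bool:
    """Trusts the link: a valid token for the named recipient is enough to delete."""
    if acting_user != link["recipient"]:
        return False
    if not hmac.compare_digest(link["token"], _token(link["photo_id"], link["recipient"])):
        return False
    deleted.add(link["photo_id"])
    return True

def redeem_fixed(link: dict, acting_user: int, deleted: set) -> bool:
    """Re-checks ownership at click time, so a link in the wrong inbox is useless."""
    photo = PHOTOS.get(link["photo_id"])
    if photo is None or acting_user != photo.owner_id:
        return False
    if not hmac.compare_digest(link["token"], _token(photo.photo_id, photo.owner_id)):
        return False
    deleted.add(photo.photo_id)
    return True
```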

If you’re concerned about the security of your personal data then a VPN service can offer you added peace of mind when surfing the web. A VPN gives your computer an extra layer of protection while you’re using the internet, helping to ensure that the information stored on your device remains securely defended against any external forces attempting to access it.

Microsoft and Google press U.S. government for right to release more data on surveillance

Google and Microsoft might be rivals when it comes to most things, but the two companies have recently joined forces in pressuring the U.S. government to give companies the right to publish information requests made by the secret services. Putting their differences aside, Google and Microsoft are pursuing legal action petitioning the government to permit them to release statistics regarding secret surveillance demands against customers using their services.

The Obama administration has already confirmed that it will begin the release of a limited amount of statistics, notably the total number of security requests that have been issued for customer data over the past 12 months. It’s also been confirmed that this data will be released annually for the foreseeable future, but Google and Microsoft say that this isn’t enough. The two companies are looking for the right to release far more detailed statistics. The U.S. government faced the companies in a federal court in June, but has already asked for six extensions in just two months. Google and Microsoft insist that they simply won’t agree to any more delays.

Microsoft’s general counsel Brad Smith wrote on the company blog, ‘We both remain concerned with the Government’s continued unwillingness to permit us to publish sufficient data relating to Foreign Intelligence Surveillance Act (FISA) orders... we believe it is vital to publish information that clearly shows the number of national security demands for user content, such as the text of an email. We believe it’s possible to publish these figures in a manner that avoids putting security at risk.’

Google’s Chief Legal Officer David Drummond took the same stance as Smith in a letter to the attorney general and FBI. ‘We… ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope.’

With these two giants of the internet teaming up for the sake of information disclosure rights, it looks like the U.S. government has a serious fight on its hands.

If you’re concerned about the security of your personal information, a VPN service can help. A VPN provides your computer with additional defences while you’re surfing the web, to ensure your data stays safe and private.

18 new servers and 1873 IP addresses to the Hide My Ass! VPN Network


We’ve added 8 servers, 782 IP addresses and 2 NEW countries to the Hide My Ass! VPN Network

  1. France, Strasbourg (LOC1 S2) (128 IPs)
  2. France, Strasbourg (LOC1 S1) (128 IPs)
  3. Italy, Pordenone, Porcia (LOC1 S2) (60 IPs)
  4. Denmark, Copenhagen (LOC1 S2) (126 IPs)
  5. Jordan, Amman (LOC1 S2) (60 IPs)
  6. USA, New York, Virtual UK (LOC1 S2) (127 IPs)
  7. USA, New York, Virtual UK (LOC1 S1) (127 IPs)
  8. Saudi Arabia, Riyadh (LOC1 S2) (31 IPs)
  9. Norway, Oslo (LOC1 S5) (127 IPs)
  10. Norway, Oslo (LOC1 S4) (126 IPs)
  11. USA, New York, Virtual Canada (LOC1 S2) (127 IPs)
  12. USA, New York, Virtual Canada (LOC1 S1) (127 IPs)
  13. Latvia, Riga (LOC1 S2) (59 IPs)
  14. Republic of Singapore, Virtual Malaysia (LOC1 S2) (65 IPs)
  15. Republic of Singapore, Virtual Malaysia (LOC1 S1) (65 IPs)
  16. Republic of Singapore, Virtual Indonesia (65 IPs)
  17. Netherlands, Dronten (LOC1 S2) (127 IPs)
  18. Ireland, Dublin (LOC1 S2) (127 IPs)
You may have spotted that we have three new ‘virtual locations’. ‘Virtual locations’ are great for getting faster connections through our VPN service. See our knowledgebase for further details.

Friday, August 30, 2013

Android phones account for 79% of malware, study finds Americans willingly open malicious emails and the New York Times and Twitter are hit by the SEA

Android phones account for 79% of malware
The Department of Homeland Security and the Federal Bureau of Investigation have reported that 79 percent of malicious attacks on mobile phones in 2012 occurred on devices that were running Google’s Android operating system. The mobile operating system is the world’s most popular, but authorities have blamed the high number of attacks on the system’s ‘market share and open-source architecture’. Nokia’s Symbian operating system had the second highest number of attacks, while Apple’s system has had only 0.7 percent. The news comes in the wake of security firm Symantec’s discovery of a ‘master key’ bug for Android devices which is already being widely exploited in China.

Americans willingly open malicious emails
A study conducted by TNS Global has found that 30 percent of Americans surveyed would open an email even if they knew that it was suspicious or contained a virus. A further one in eleven admitted to infecting their computer with a virus as a result of opening a malicious email attachment. According to statistics from the Anti-Phishing Working Group, more than 74,000 unique phishing campaigns were uncovered during their reporting period which targeted more than 1,100 brands. The fact that so many Americans would knowingly open a malicious email is even more alarming when you consider that anyone who’s willing to open these emails at home is also likely to be willing to open them at the office, putting corporations at risk.

New York Times and Twitter hit by Syrian hackers
The New York Times’ website and Twitter are both still experiencing problems in the wake of a hack carried out at the beginning of this week by the Syrian Electronic Army (SEA). The hacking group have also recently claimed responsibility for attacks on companies including the BBC and the Financial Times. The SEA gained access to the two websites by editing their Domain Name System information, which resulted in the domains redirecting visitors to websites hosted by the SEA. Hosting company Melbourne IT has said that the hackers managed to enter through the ‘front door’ and added that they were looking at implementing ‘additional layers of security’ in order to protect the details of their domains.

China hit by ‘biggest ever’ cyber-attack

China has been hit by its biggest ever cyber-attack, causing multiple websites with a ‘.cn’ domain name to be taken offline for several hours.
The distributed denial of service (DDoS) attack began at 2am local time on Sunday before becoming more severe at around 4am. Information about the attack was published on the China Internet Network Information Centre’s (CNNIC) website, along with an apology to any affected users. CNNIC has also promised to ‘enhance the service capabilities’ of the network that is responsible for the affected domains.

The CNNIC has said that they can’t yet be certain about the groups responsible for the attack, but the DDoS method is commonly used by many hacktivists worldwide. It works by flooding websites with excess traffic to disrupt their normal operation.

While DDoS and other hacking attacks aren’t particularly new to China, the country is frequently the focus for accusations of hacking from other nations, particularly the USA. A recent investigation by The New York Times alleged that Chinese hackers had repeatedly targeted their systems over a four-month period – an accusation that the Chinese foreign ministry described as ‘groundless’.

The ease with which the sites seem to have been disrupted has surprised some independent onlookers, with Matthew Aid, an independent analyst, commenting that, 'If all internet sites ending in .cn can be taken down by nothing more sophisticated than a conventional denial-of-service attack, the Chinese internet system is more vulnerable than we previously believed. Clearly Chinese cyber defences are not what they should be.' It's certainly an interesting revelation given how many of America's accusations rely on the extreme sophistication of Chinese governmental hacking capabilities.

Using the internet comes with an inherent risk of attacks, but there are methods individuals can use to help defend the data stored on their personal devices, like a VPN service. A VPN gives your computer an extra layer of security when online, helping to ensure that any malicious external forces are prevented from intercepting information.

Concerns raised by activists over DHS facial recognition technology plans

The USA’s Department of Homeland Security has been warned by civil rights activists that unless it develops a clear ethical framework to cover its facial recognition technology, there will be little to prevent a repeat of the National Security Agency's widespread privacy violations.
The intention is for the video surveillance technology to become capable of picking out fugitives or suspected terrorists from a crowd of people, but privacy advocates are warning the government that the technology will need to come with a civil rights protection clause in order to avoid following in the NSA's footsteps.

The technology works by combining computers, video cameras and facial recognition software to allow it to scan crowds of people and differentiate between individuals, although recent tests have established that the system, known as BOSS or Biometric Optical Surveillance System, is a long way from perfection. A recent test by the Department of Homeland Security found that the system was too slow and unreliable, estimating that several years of additional work would be required before an official release.

For privacy advocates, that makes this the ideal time to act in order to ensure that legislation stays up to date with the technology. Their main concern at present is that the technology thus far lacks a function to keep the public safe and protect their privacy. Very little is known about the technology that BOSS would use, and it’s feared that the database, theoretically there to store images of people on a ‘watch-list,’ could in fact include almost anyone.

Julia Horwitz of the Electronic Privacy Information Centre, which received documents informing them about BOSS, has stated that, 'we didn't see any mention of privacy protection at all,' and confirmed that there were no details given regarding what would warrant an individual's inclusion on the database. As yet another example of the law failing to keep up with technology, it's clear that vigilance is required to ensure we're not faced with another 'Prism'-style scandal.
At least in your own home you can still keep your technology safe by investing in a VPN service to help secure your internet connection. A VPN works as an additional layer of defence that provides a barrier between the private data on your computer and any external users trying to access it.

Monday, August 26, 2013

UK considers ban on ‘key fob’ mobiles, Groklaw news site shuts down over US surveillance, and high speed, in-flight wi-fi is expected by 2014

UK considers banning ‘key fob’ mobile phones
The UK is considering placing a ban on the sale of small mobile phones that have been designed to look like car key fobs. The phones are sometimes marketed as the ‘world’s smallest mobiles’ and feature logos from companies such as BMW, Audi and Volkswagen. The Times has reported fears that the products have been advertised with prisoners in mind, allowing inmates to get around the ‘no mobiles in prison’ rule. The UK’s Society of Motor Manufacturers and Traders said that it had reason to believe that the phones were being made without the permission of its members. Although the devices are still currently available on eBay and Amazon, the National Trading Standards Board has asked retailers to stop selling them.

Groklaw news site abandoned due to US surveillance
Groklaw founder Pamela Jones has announced that the award-winning legal news site is to close, citing her inability to guarantee contributors’ privacy. The site was launched 10 years ago and is known for its coverage of technology law, including privacy disputes and software patents. The news comes after secure email provider Lavabit also announced its closure, referring to an ongoing legal dispute, presumably with the US government, in its closing message. The owner of Lavabit supposedly spoke to Jones and warned her of the privacy dangers when it comes to using email. After concluding that Groklaw would be unable to run without email, Jones decided she felt too uncomfortable with the possibility of constant surveillance and shut down the site.

High speed, in-flight wi-fi expected by 2014
It’s thought that in-flight wi-fi fast enough to stream services such as Netflix could be available on airlines by 2014. The communications regulator Ofcom is currently considering licensing a new satellite that would deliver connections to aircraft, ships and trains at speeds ten times faster than those currently available. Certain communications operators are already planning to launch networks that support the higher speed Earth Stations on Mobile Platforms (ESOMPS) in just a few months. The Federal Communications Commission has already legalised the use of ESOMPS in the US.