Facebook announces new security features – but do they go far enough?

Facebook has just published an article entitled Keeping You Safe from Scams and Spam. It’s all about improving security on its network.

In the past, Facebook has seemed curiously reluctant to do anything which might impede traffic.

After all, Facebook’s revenue doesn’t come from protecting you, the user. It comes from the traffic you generate whilst using the site.

So this latest announcement is a welcome sign, since some of the new security features prevent or actively discourage you from doing certain things on the Facebook network. Let’s hope that everyone at Facebook has accepted that reduced traffic from safer users will almost certainly give the company higher value in the long term.

But do Facebook’s new security features go far enough? Let’s look them over.

* Partnership with Web of Trust (WOT)

WOT is a Finnish company whose business is based around community site ratings. You tell WOT if you think a site is bad; WOT advises you as you browse what other people have said about the sites you visit.

Community block lists aren’t a new idea – they’ve been used against both email-borne spam and dodgy websites for years – and they aren’t perfect. Here’s what I said about them at the VB2006 conference in Montreal:

[C]ommunity-based block lists can help, and it is suggested that they can be very responsive if the community is large and widespread. (If just one person in the entire world reports a [dodgy] site, everyone else can benefit from this knowledge.)

But the [cybercriminals] can react nimbly, too. For example, using a network of botnet-infected PCs, it would be a simple matter to 'report' that a slew of legitimate sites were bogus. Correcting errors of this sort could take the law-abiding parts of the community a long time, and render the block list unusable until it is sorted out. Alternatively, the community might need to make it tougher to get a [site] added to the list, to resist false positives. This would render the service less responsive.

Another problem with a block list based on “crowd wisdom” is that it can be difficult for sites which were hacked and then cleaned up to get taken off the list. Users will willingly report bad sites, but are rarely prepared to affirm good ones.

False positives, in fact, have already been a problem for Facebook’s own bad-link detector, which is also mentioned in the announcement. Naked Security has had its own articles blocked on Facebook simply for mentioning the name of a scam site.

In short, the effectiveness, accuracy and coverage of the WOT partnership remains to be evaluated. But I approve of the deal. It’s a step forward by Facebook. However, Facebook’s own bad-link detector could do with improvement.

* Clickjacking protection

Facebook introduced some anti-clickjacking measures a while ago. It’s a good idea. If you’re trying to Like a page known to be associated with acquiring Likes through clickjacks, Facebook won’t blindly accept the click. You’ll have to re-confirm it.

Again, I approve of this. But in my opinion, it’s not going far enough. It would be much better if Facebook popped up a confirmation dialog every time you Liked something, so that the “blind Likes” triggered by clickjacking would neither work nor go unnoticed. (Indeed, this popup dialog would be a great place for users to report clickjacks to the WOT community block list!)

That’s not going to happen. Facebook wants Liking to be easy – really easy – as it helps to generate lots of traffic. A popup for every Like almost certainly wouldn’t get past Facebook’s business development managers. Not yet, at any rate. But if we all keep asking, perhaps they’ll see the value?

* Self-XSS

This is a geeky way of saying “Pasting JavaScript into your own address bar.”

We’ve already reported on the potential danger of doing this. When you put JavaScript in your address bar, you implicitly give it permission to run as if it were part of the page you just visited. That’s always a risky proposition. Facebook is adding protection against this behaviour.

Facebook also says it’s working with browser makers on this problem. That’s good.

Perhaps all browsers should simply disallow JavaScript in the address bar by default? It’s a useful feature, but the sort of user who might need it would surely be technically savvy enough to turn it on when needed.

* Login approvals

Facebook’s final announcement is what it describes as two-factor authentication (2FA). Facebook will optionally send you an SMS every time someone logs in from “a new or unrecognised device”. (Facebook doesn’t say how it defines “new”, or how it recognises devices.)

This is a useful step, and will make stolen Facebook passwords harder to abuse. In the past, you would only see Facebook’s “login from new or unrecognised device” warning the next time you used the site, by which time it might have been too late.

The new feature means that you’ll get warnings about unauthorised access attempts pushed to you. Furthermore, the crooks won’t be able to log in, because they won’t have the magic code in the SMS which is needed to proceed.

It’s a pity Facebook isn’t offering an option to require 2FA every time you log in. It would be even nicer if they added a token-based option (and they’d be welcome to charge a reasonable amount for the token) for the more security-conscious user.

A token would also allow users to enjoy the benefits of 2FA without sharing their mobile phone number with Facebook – something they might be unwilling to do after Facebook’s controversial flirtation, earlier this year, with letting app developers get at your address and phone number.

In summary

Where does this leave us?

Good work. I’m delighted that Facebook is getting more visibly involved in boosting the security of its users. But there’s still a long way to go.

In particular, this latest announcement doesn’t address any of the issues in Naked Security’s recent Open Letter to Facebook. Those issues represent more general problems which still need attention: Privacy by default, Vetted app developers, and HTTPS for everything.

(If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.)

419 Spam Goes Lingo

Have you ever received an email from an unknown person offering you an exorbitant amount of money and asking for your personal information in return? Well, that is exactly what a “419 scam” is!

419 spam, also known as Nigerian spam, is named after the Nigerian penal code, section 4-1-9. The most common forms of 419 spam are fake business proposals, fake fund transfers, and email lottery winning notifications—all of which include the spammers’ requests for personal information, such as name, account number, phone number, email address, bank details, etc.

419 spam is often seen in English, German, Spanish, and some other European languages, but spammers are now targeting Asian countries because of the increased Internet user base and widespread broadband infrastructure.

For the first time, Symantec has observed 419 spam created in Hindi using Devnagari script. This is a big paradigm shift where 419 spam is concerned. Hindi is a widely used language in the Asian subcontinent, including India, Pakistan, Nepal, Bhutan, and among Indian Diaspora settled around the world. Therefore, it is not surprising to see that spammers have turned towards Hindi to try and trap Hindi-speaking users in their nasty web.

The following is a sample of this type of spam:

It is important to note that although 419 spam in Hindi was encountered for the first time (in which content-based filters may have failed to detect it), Symantec message security products were able to catch this spam with the help of Symantec’s proprietary filtering techniques. We advise users to beware of such bogus lures—don’t fall prey to false email messages that ask you for personal info in order to claim your grand prize.

Here are a few tips to identify a 419 scam:

•    The amount offered is huge—it refers to millions of dollars or other currency.
•    An email lottery is mentioned and refers to famous brands.
•    The message provides non-standard contact details for further communication.
•    The message asks for personal information from the recipient.
•    Partnership is offered through fake business proposals.
•    The message offers part-time or work-from-home job offers.
•    The message uses false, emotionally charged stories related to past events or disasters, or a next-of-kin type of story is used.

The next time you encounter a similar message, use the above points to help decipher its authenticity.
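The checklist above is easy to turn into a simple heuristic filter. The code below is an added example (not part of the Symantec post and not how Symantec’s products work): each rule is a regular expression standing in for one point of the list, the two sample messages are constructed for the demonration, and the threshold of three firing rules is an arbitrary choice of this example.

```python
import re

# Constructed sample messages (not taken from any real spam run).
SCAM_MSG = """Dear Friend,
I am the widow of the late General who died in the plane crash.
You have been selected for the Coca-Cola International Email Lottery.
A sum of US$ 12,500,000.00 (twelve million five hundred thousand dollars)
will be transferred to you. Kindly send your full name, bank account number,
phone number and home address to claim your prize.
Contact our agent: mr.agent2011@yahoo.com, tel +234 803 555 0123
"""

LEGIT_MSG = """Hi team,
Attached are the meeting notes from Tuesday. The budget line is $4,200.
Let me know if I missed anything.
Thanks, Sam
"""

# One rule per point of the 419 checklist. A rule fires when its pattern
# matches anywhere in the message, case-insensitively.
RULES = {
    # millions of dollars or other currency, written as digits or words
    "huge_amount": r"\b(\d{1,3}(,\d{3}){2,}|\d{7,}|millions?|billions?)\b",
    # an (email) lottery is mentioned
    "lottery_mention": r"\b(lottery|lotto|sweepstake)\b",
    # non-standard contact details: free webmail address or foreign mobile number
    "nonstandard_contact": r"@(yahoo|hotmail|gmail|aol)\.|\+\d{1,3}[ -]?\d{3}",
    # asks the recipient for personal information
    "asks_personal_info": r"\b(bank (account|details)|account number|passport|date of birth|home address|phone number)\b",
    # partnership via a fake business proposal
    "fake_partnership": r"\b(business proposal|partnership|joint venture|investment opportunity)\b",
    # part-time or work-from-home job offers
    "job_offer": r"\b(work[- ]from[- ]home|part[- ]time job|job offer)\b",
    # emotionally charged or next-of-kin stories
    "sob_story": r"\b(next[- ]of[- ]kin|widow|late (husband|father|general)|plane crash|died|orphan|refugee)\b",
}


def score_419(message):
    """Return the names of the checklist rules that fire on the message."""
    return [name for name, pattern in RULES.items()
            if re.search(pattern, message, re.IGNORECASE)]


def is_likely_419(message, threshold=3):
    """Flag the message when at least `threshold` rules fire (threshold is this example's choice)."""
    return len(score_419(message)) >= threshold


if __name__ == "__main__":
    print("scam sample fires:", score_419(SCAM_MSG))
    print("legit sample fires:", score_419(LEGIT_MSG))
```

A single firing rule (a large budget figure, a mention of a colleague who died) is normal in legitimate mail, which is why the decision is made on the number of rules that fire rather than on any one of them.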

Note: My thanks to Sujay Kulkarni for contributions to this blog.

Free T-shirts? It’s not a scam, it’s #decodeme again!

Editor’s note: The puzzle code below relies on a peccadillo of Python which makes it version and compiler specific, amongst other things. This means you’ll probably get the wrong results. We do know, however, that the code works on Duck’s Mac, so we’re going to shift to a “cloud model” for solving it. Email Duck the code and the input data (if any) you want to use. If you’re on the right track, he’ll run it “in the cloud” and send you the results. If not, he’ll give you a hint or two to point you in the right direction.

It’s May, and that means it’s time for Australia’s biggest security conference, AusCERT2011, which takes place at the Royal Pines Resort on Queensland’s Gold Coast. The conference runs from Sunday 15 May 2011 to Wednesday 18 May 2011.

Once again, the Sophos stand is going to be the place to hang out.

We’ve produced another puzzle T-shirt in our acclaimed DecoDeme geek fashion range. The puzzle is just hard enough to take a bit of solving, but not so hard that it will distract you from the conference or the evening cocktail parties.

So if you’re attending the event, be sure to come by the stand and pick up your free T-shirt. (Don’t forget to wear it while you’re at the conference!)

You can have a T-shirt even if you don’t intend to solve the puzzle. But we suggest you do – and we’ll be giving out hints on the stand to help you along – because that will put you in line to win a cool 1/16th scale remote-controlled tank.

Solve the puzzle, attend my talk (just before afternoon tea on Monday in the Purple room), and you could walk out with the tank.

In fact, you could win two tanks. We’re also running a prize draw for a second tank. Winning the puzzle prize is clearly the more glamorous option, and will give you several minutes of fame amongst a modestly-adoring crowd of a modest size, but you may as well enter the prize draw as well. Think of it as backup.

If you’re planning to have a go at the puzzle, the source code of the T-shirt is given below to save you typing it in from the image above. (We’ve been a bit sneaky by making the text on the shirt itself very slightly different. We do want to see you on our stand, after all.)

But if you write code to solve this “pre-release” version, you should be able to re-use it to solve the puzzle on the shirt within seconds. So it’s worth putting in a little early research.

And don’t forget, you can ask for hints at the conference. You can also follow me on Twitter (@duckblog) and watch out for clues with the hashtag #decodeme.

Oh. One more thing. We’ve got a bunch of funky-looking Naked Security T-shirts on the stand. But you’ll only know to ask for one if you’ve read this article.

|                                      |
|     import-random!def-shrubbery(     |
|    ni):!-p='ewigsacgtwdbdzaco'!-k    |
|  =dict([[i,chr(97+i)]-for-i-in-rang  |
|  e(26)])!-ra                 ndom.s  |
|  eed(ni)!-                   random  |
|  .shuffle   (k)!-k=dict([[v,i]-for-i |
| ,v-in-k.i    tems()])!-c=''!-for-i-i |
|  n-range(l                 en(p)):-c |
|   +=chr(97+                k[p[i]])! |
|   -return-'http://sophos.    com/an  |
|    z/'+c+'.html'!#-Key-i     s-a-fo  |
|     ur-le                    tter-   |
|        wor                 d-fro     |
|           m-a--Monty--Python--       |
|             sketch!print(shr         |
|                ubbery(key            |
|                  --))--              |
|                                      |