Tag Archive | "users"

Google Chrome: Protecting users from malicious downloads


Google has introduced a new feature for its Chrome browser that will display a warning if a user attempts to download a suspected malicious executable file.

The Chrome team are enhancing the implementation of their Safe Browsing API service to include downloaded files.

What is the Safe Browsing API?
The Safe Browsing API is an experimental API that enables client applications to check URLs against Google’s constantly updated blacklists of suspected phishing and malware pages. Your client application can use the API to download an encrypted table for local, client-side lookups of URLs that you would like to check.

The new feature will be integrated with Google Chrome and will display a warning if a user attempts to download a suspected malicious executable file.

This warning will be displayed for any download URL that matches the latest list of malicious websites published by the Safe Browsing API. By adding support for these known malware destinations they will reduce the number of infections for users using Chrome.

Posted in Quick Heal

Facebook Users Get Invited to a Spam Event

For some time now we’ve been reporting threats targeting Facebook users, most of which result in users unknowingly spreading spammy links to their networks. We’ve seen different social engineering techniques used such as stalker tracker tools, news involving celebrities, and even footage of the recent Japan tragedy.

The said threats usually involve links accompanied by inviting text posted on affected users’ walls. Other users who get tricked into clicking the said links unknowingly execute a script, which leads to posting the very same spammy content.

Recently, however, we saw a different version of this scheme, which leverages a commonly used feature in Facebook—Events.

Instead of posting the spam links in users’ walls where it can easily get lost in the news feed, cybercriminals now use the Events feature to really grab their targets’ attention.

In this scheme, spammers create an event that will be enticing to many users. For example, we saw one event in a post that said “How to Find Out Who’s Viewing Your Profile.”

In the post’s More Info field, the spammer puts instructions that invited users must follow to be able to “view” or to “enjoy the service” the post promises—in this case, the ability to find out who viewed their profiles. You can see that most of the instructions contain ways to promote the event with the last step being to click a certain shortened link.

Needless to say, users tricked into following the given instructions end up promoting the spam event and making money for the spammer. Visiting the page the shortened link points to also executes a script that publishes the same link on the affected users’ walls.

This scheme seems to work fairly well for spammers, as we’ve seen spam events to which tens of thousands of users registered as attendees. We also observed that similar spam event posts are frequently updated by their posters, usually only modifying the provided links to avoid blockage.

As such, users are warned to ignore invitations of a similar nature. We are continuously monitoring for similar spam and blocking related URLs with the help of our Web Reputation Technology.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Facebook, Trendmicro

Hacker Group Changes Millions of Passwords to “password”; Only 38% of Users Notice

Passwords from over 3,000,000 user accounts were apparently set to “password” late last night in a wide-spread hack that affected hundreds of news, retail and Web 2.0 sites. Most affected users are completely unaware of the attack.

According to current statistics, 62% of affected users would not notice such a change as their password was already “password”.

Several sites have reported that they are taking steps to protect compromised accounts. In addition, many sites are creating a new rule to ban using the word “password” as a password.

Users are reacting fiercely to the hack but even more so to the ban many sites are putting on one of the world’s most popular passwords. Online riots are to be expected.

The hacker group named “Obvious” has claimed credit for last evening’s attack. Thousands of hacked Twitter and Facebook accounts posted the message “We are all Obvious! Don’t Expect Us”.

A 1.9 GB file containing more than 3,000,000 user names — and one password — is now available for download as a torrent file via The Pirate Bay.

To avoid problems like this in the future, we are recommending users to change their password everywhere to “password1”, which is obviously more secure.

On 01/04/11 At 06:31 AM

Posted in F-Secure

How to Design Security Warning Messages to Protect Users

Computer users are presented with a steady stream of security warnings, which are designed to help users avoid taking actions that put their systems and data at risk. Sometimes, a click on the OK button is all that stands between the person and an intrusion.

What are the characteristics of an effective security warning? Let’s take a look at some examples.

Microsoft Office Security Warnings

Consider this warning pop-up from Microsoft Excel 2003, which would appear when the user opened a spreadsheet that contained macros, but the macros were disabled.

The text in this warning is too long and technical. The message offers no convenient way to enable macros: even after the user clicks OK, the macros stay disabled. That may be good for security in the short term. In the long term, the user would probably enable macros globally, just to avoid having to deal with this message again.

Fast-forward to Microsoft Office 2010. The security warnings are much shorter and to the point, such as the one stating that “Macros have been disabled.”

The biggest concern I have with this message is that the button to enable macros is labeled “Enable Content.” Non-technical users may not equate content with macros and click the button. After all, content isn’t code, right?

Here’s another, similar security warning from Microsoft Excel 2010, stating that “Data connections have been disabled.”

I doubt many users will know what “data connections” are and will click “Enable Content” for the reasons I outlined above.

Below is a Microsoft Office 2010 security warning that I actually like. It occurs when the user opens a document downloaded from the Internet, in which case Office uses a restricted viewer called Protected View, instead of a full-featured editor.

The warning explains the issue clearly using words that most people will understand, explaining the reason for the security concern and providing a course of action.

Web Browsers’ Security Warnings

Here are a few examples of security warnings presented by web browsers. Consider the following message that Firefox 3.6 presents when the person finishes downloading an executable file.

Though the message presents no text of caution, at least there is no option to run the program—only an opportunity to “Save File”. In this case, the browser leaves it up to the OS to warn the user when he or she attempts to run the program downloaded from the Internet.

Here’s a similar message from Internet Explorer 8. It includes a warning, but leaves room for improvement:

The first button is “Run”, so that’s the one that will probably attract the user’s attention first. The fact that this is a security warning is “hidden” on the periphery of the dialog box: in its window title and the small footer text.

Recommendations for Designing Security Warnings

After surveying these and other examples of security warning messages, the following recommendations come to mind:

  • Make the safest button (e.g., “Discard”, rather than “Run”) most visible. This usually involves placing it first on the left, making it larger or highlighting it in a brighter color.
  • Be brief. Users will ignore lengthy text, so include just a few necessary words in the main warning, giving people a chance to click a button for details.
  • Include enough background details (e.g., the type of downloaded file) to help the person make a decision regarding the best course of action.
  • Stay away from technical jargon that most users of the product won’t understand or will misinterpret.
  • Don’t overwhelm the user with numerous warnings in a row. After a while, choice fatigue will prevent the user from selecting wisely.

Designing security warning messages is hard, because it often involves finding a compromise between conflicting goals, such as being terse while providing contextual details. Similarly, the developers need to balance ease of use with security. If you have recommendations or examples in addition to what I presented above, please leave a comment.

Lenny Zeltser

Posted in Security

ZeuS Targets Mobile Users

As early as 2006, Trend Micro already recognized the fact that the BlackBerry technology could be exploited by cybercriminals. The smartphone may have been spared from malware attacks over the years, although there has been recent news of a ZeuS variant specifically targeting BlackBerry users. As we have said in a recent post, banking Trojans are evolving and more sophisticated attacks involving smartphones are among the most recent developments.

The ZeuS malware specifically targeting the BlackBerry OS is currently detected by Trend Micro as BBOS_ZITMO.B. Just like its desktop counterpart, this ZeuS variant does not display any graphical user interface (GUI) that can prompt users about the infection. Instead, it removes itself from the list of applications, in order to effectively stay under the radar.

Upon successful installation, it sends a confirmation message to the administrator to signal that it is ready to receive commands. It specifically sends the message “App Installed OK” to the U.K. number +447{BLOCKED} as seen in the screenshot below.

BBOS_ZITMO.B also allows the attacker to remotely change the number to which it forwards SMS messages sent to the affected phone, also known as the administrator number. Thus, in the event that the original administrator number is tracked down and becomes unavailable, the attacker can just send a command to change the administrator number and continue receiving the forwarded messages.

Based on our analysis, BBOS_ZITMO.B is capable of carrying out the following commands:

  • Display SMS: Unmonitored SMS will be treated as a normal SMS and will be displayed on the phone.
  • Delete/Drop SMS: SMS from hacker will not be seen by the user.
  • Forward SMS: Send SMS to hacker without the user’s knowledge.
  • Block Calls
  • Remove Block Calls
  • Set Administrator: Register a new administrator.
  • On/Off
  • Add Sender
  • Remove Sender
  • Set Sender
  • Block/Unblock Phone Numbers

Other smartphone OSs are not immune to this threat either. Variants targeting smartphones running Symbian (SYMBOS_ZBOT.B) and Windows Mobile (WINCE_ZBOT.B) have also been spotted with behaviors that are very similar to those exhibited by BBOS_ZITMO.B.

With the increased popularity of mobile banking goes the increase of mobile threats. Thus users are strongly advised to keep their mobile devices secure, and be cautious in installing applications and clicking links sent by unknown users, as they may lead to the download of malicious applications.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Security

Facebook Stalker Tracker Tool Turns Users into Spammers

Privacy has been one of the major concerns of Facebook users today, especially as the social network continues to grow into a massive directory of personal information. Users are becoming very concerned as to who can access the information they post, fearful that it may be viewed and used in a malicious way. Given this, stalkers—people who aim to invade other people’s privacy—are becoming Facebook users’ worst nightmare.

Facebook scams play on people’s fear of being stalked. Not surprisingly, we have recently seen newly created domains that offer to help users track down who views their profiles the most, as well as how many times these were viewed. The domains contain strings like “profile view” and “creepers” in their URLs, suggesting their alleged purpose.

The pages list down certain instructions the user must follow to use the “stalker tool.” The instructions include copying a certain script and pasting it into one’s browser address bar.

The technique is very similar to a scheme we saw last year, which used the lure “10 lies girls ALWAYS tell guys! Funny!” In this case, the lure may be different but the effect is pretty much the same. Once the user copies the script into his address bar and executes it, his Facebook account is accessed by the script then used to spam messages that promote the stalker tool.

The said messages are randomly generated and may be posted either as a private message or as a wall post.

We tested if the so-called stalker tool works in all browsers and found that it does as long as JavaScript is enabled. The said script is now detected by Trend Micro as HTML_FBSPAM.ASM while access to the related domains is now blocked.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus, Facebook, Trendmicro

Massive Phishing Attacks Strike Bank of China Users

We have noticed a lot of SMS-based web-phishing attacks in China targeting the Bank of China’s online users. They received a phishing SMS that is designed to look like it was sent by the bank as a reminder to its customers: “Dear user, your token has expired, please visit http://www.boc**.com to reactivate your token.” The URL is similar to the bank’s official website but points to a phishing site that looks almost like the original bank website.

 

On this bogus phishing website, there is a button on the top right that says “Upgrade your token.”

 

Once the user clicks this button, it redirects to a page that looks like the normal online-banking login page. The criminals will get all the info they need to steal money from the victim’s account: user ID, password, and token.

 

This information is used immediately to transfer the victim’s money into the attacker’s account before the token expires.

 
 

A lot of technologies–including tokens, certificates, dongles, etc.–are designed specifically to protect against phishing. But even though Bank of China uses tokens to enhance security, customers still need to take care to prevent this type of phishing attack.

Posted in McAfee

Survey: ‘Virus’ Infects One-Third of E.U. Users

Yesterday was “Safer Internet Day” in the European Union. To mark the occasion, Eurostat, the statistical office of the E.U., released a selection of statistics on Internet security: “Nearly one third of internet users in the EU27 caught a computer virus.” The data was collected from a survey on the usage of information and communication technologies in households and by individuals in the E.U.

Leaving aside the misleading title, where the term virus is used instead of the more accurate malware (this error still happens a lot, particularly in the media), the study reveals some very interesting and also somewhat disturbing numbers. On average across all countries surveyed, 31 percent of individuals who have been using the Internet in the 12 months prior to the survey reported an infection, and 3 percent reported a financial loss. Now 3 percent may not sound like a lot, but considering a population of nearly a half-billion and 54 percent (as of 2007) of households having access to the Internet, that means millions(!) of victims have lost money to cybercrime.

In spite of the response that “an IT security software or tool was used to protect their private computer and data” by 84 percent of the individuals, such a large number of infections shows that this problem can’t be solved by technology alone. Using state-of-the-art technologies such as web reputation and file reputation with real-time detection data in the cloud certainly helps, but some user awareness is still necessary.

So watch where you browse and what links you click in emails and on social networking sites. Let Safer Internet Day 2011 inspire you to spend some time learning about how to secure yourself more effectively on the Internet. You’re welcome to use our Cybersafety Resource Portal.

Posted in McAfee

Russian mobile users targeted by SMS Valentine Trojan

A Valentine’s Day mobile application, which promises to send a romantic MMS message to a loved one, actually hides a money-making scheme that sends expensive messages to a Russian premium rate SMS number.

Security experts have come across a downloadable file called love_mms.rar, which itself contains a Java Archive (.JAR) called jimm2010.jar.

It’s unlikely, of course, that anyone outside of the Russian-speaking world would be impacted by this malware, especially as its installation messages are impenetrable to most of us born in other countries:

Добро пожаловать! Вас приветствует мастер установки Jimm 2010! Нажмите "Да", чтобы продолжить инсталяцию.

Установка Jimm Сейчас будет произведена установка приложения Jimm 2010 на Ваш мобильный телефон. Нажмите "Да" чтобы продолжить инсталляцию.

Что такое Jimm 2010 Это красивые иконки и логотипы, прикольные смайлики (до 386 штук), смешные звуки, а также красивый внешний вид мобильной аськи!

Что нового в Jimm? Jimm Mobile от 10 января 2010 года, который включает в себя
многочисленные доработки и изменения мода ХаТТаВ.

Пользовательское Соглашение вступает в силу с момента выражения Вами согласия с его условиями путем продолжения установки программного обеспечения. Настоящее Соглашение формулирует юридические условия пользования Сайтом, предназначено для урегулирования взаимоотношений между Владельцем и Пользователем, и включает политику Сайта по поводу правил пользования услугами и контентом, размещаемым на Сайте, а также по поводу прав, обязанностей и ограничений, связанных с использованием услуг. Данное Соглашение распространяется на настоящих и будущих Пользователей Сайта. Это лишь краткое Пользовательское соглашение, его полную версию Вы можете увидеть на сайте [LINK] В процессе инсталляции Jimm Вы можете сделать пожертвование сайту 2 раза с помощью SMS на номер 5999. Стоимость каждого sms сообщения составляет до 95 рублей без НДС, в зависимости от Вашего оператора.

The last message warns that if you continue with the installation then you have agreed to various terms-and-conditions, including that you will be stung twice to the tune of 95 rubles by sending an SMS to a short code number.

The Trojan horse, reported by The Register today, is detected by Sophos as Troj/Jifake-A.

Remember to take care over any applications you install on your computing devices – whether it be a desktop PC, laptop or mobile phone. Just because it’s Valentine’s Day doesn’t mean that there’s any excuse to throw all common sense out of the window.

Posted in Sophos

Podcast: AVG Internet Security 2011 – enhancing the power of 110 million users

AVG has just launched its latest version of its security software AVG Internet Security 2011.

I’ve recorded this podcast that looks into the new product in some detail. I have tried to highlight and discuss the main improvements to AVG 2011, including: faster speed and a lighter product; smart scanning technology; improved detection rates by combining behavioural monitoring and cloud technology; and social networking protection to protect AVG users and their friends and family wherever they are on the web.

Please listen to this podcast to find out more: 

Posted in AVG

Least Expensive Internet Security Device For Home Users


If you have kids who own their own computers, an inexpensive lamp timer is an excellent way to enforce a digital curfew. I can assure you that your child is occasionally using the Internet at 3:00 am, and this is not helping him or her stay focused in class.

There are other good reasons to run the electrical power for your DSL modem, home router, and switch (if you have one) through a timer. Home routers have very little memory, and their RAM can become exhausted, which may limit the degree to which they can adequately perform stateful packet inspection. It should be noted that most of the home routers in operation today are unpatched for vulnerabilities which can render them useless as security devices. By rebooting these flimsy devices on a daily basis, you can reduce the number of problems you experience with them.

In addition, by turning off the Internet for five hours a night (i.e. midnight to 5:00 am), you can reduce your attack window by 20%. This makes your computer significantly less desirable to the botnet master seeking 24/7 uptime. It may also reduce your exposure to hackers in other time zones.

Midnight to 5:00 am is an ideal time to schedule nightly anti-virus and Windows Defender scans. Correspondingly, you should adjust your Automatic Updates feature in Windows to download updates at 2:00 pm (instead of 2:00 am).

In addition to removing the temptation for your kids to chat all night, you will improve your family’s safety by limiting Internet activity to a period when an adult may be able to provide some measure of supervision.

James McQuaid



Posted in Security

Phishing Attacks Target Twitter Users

A new attack on Twitter users has been arriving as spam with a phishing link. It appears as a notification about an unread message from Twitter Support with a subject line such as “Twit 73-923.” The ending number can vary. The body of the message includes “You have [some number of] delayed message(s) from Twitter” and a link to a phishing site.

If you receive one of these emails, make sure to check where the link points to before clicking on it. To visit a page such as this (or any page even), it’s much safer to manually type the web address instead of clicking a link in an email. Links can easily be faked!

Users without protection who click on any of these links could infect their PCs or reveal their Twitter credentials.

We recommend you take advantage of either or both of McAfee’s TrustedSource™ reputation system and SiteAdvisor Technology to protect yourself against malicious phishing attacks and the sites that host them.

Tweet, search and surf safely out there!

View full post on McAfee Avert Labs

Posted in Antivirus

Advice for SMB’s – White listing for Microsoft users

IT management used to be simple: you buy a server, install the application and use it happily. Issues used to be simple, like hardware failures, some bug in the application, etc. Now, to keep things running you need to do various activities that require knowledge, special skills and effort; a typical SMB will find these [...]

Full story: KaffeNews

Posted in Security

Facebook flaw allowed websites to steal users’ personal data without consent

A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.

Rui Wang and Zhou Li said that they had found a vulnerability which allowed malicious websites to access a Facebook user’s private data without permission. According to Rui and Zhou, it was possible for any website to impersonate other sites which had been authorised to access users’ data such as name, gender and date of birth.

Furthermore, the researchers found a way to publish content on the visiting users’ Facebook wall (under the guise of legitimate websites) – a potential way to spread malware and phishing attacks.

Here’s a YouTube video by Rui and Zhou where the vulnerability is demonstrated. (Note: there’s no sound on the video)

When I first experimented last week on a test site created for me by Zhou and Rui I couldn’t precisely mimic what you see in the video. The demo website wasn’t able to extract the name of my test Facebook account, and it displayed a “failed” dialog box when it tried to post to my Facebook wall.

Now it’s possible that it didn’t work because I had applied some pretty rigid privacy settings to my test account, and sure enough when I tried again (having installed the ESPN Facebook app onto my test account) it was then successful, and able to extract my name, email address, and post an “evil” link seemingly via the app.

Ouch!

The good news is that the students practiced responsible disclosure, and informed Facebook’s security team about the flaw rather than release details of how to exploit users’ profiles to all and sundry.

Facebook Security responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it.

Clearly Facebook’s website is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time. The risk is compounded by the fact that there’s so much sensitive personal info about users being held by the site – potentially putting many people at risk.

Follow our guide for better security and privacy on Facebook to help lock down your profile from unwanted snoopers. You may also want to join the Sophos page on Facebook, to keep informed of the latest security threats.

But remember that ultimately if you don’t want your sensitive information to be leaked onto the net, you perhaps shouldn’t be uploading it in the first place.

You can learn more about the now fixed Facebook flaw in this article published by The Register this morning.

Full story: Naked Security – Sophos

Posted in Sophos

Facebook Now Officially Supports HTTPS for Users

In line with Data Privacy Day this Friday, Facebook announced its rollout of Secure Sockets Layer (SSL) capability for all of its services. Facebook has taken some heat for its lack of SSL support, especially with the release of FireSheep, which we covered here. Facebook does warn that encrypted pages will take slightly longer to load, which is a small price to pay for the added security.

According to the official Facebook post, there should soon be a check box titled Secure Browsing (https) under the Account Security section of Account Settings. This setting specifies that all future connections be redirected to HTTPS. It should be noted that this rollout has just begun and that this option is not yet available to everyone. It may take some time before this option is made available to everyone.

In the absence of the Secure Browsing setting, manually changing the URL to https:// seems to work but with mixed results. The main profile page will successfully load with no problems. Unfortunately, things start to get sketchy from there. Many links are relative and will keep the user in the secure browsing environment. Other links, however, are absolute and remove the protection of SSL. Hopefully, Facebook will fix these issues soon or at least make it clearer when SSL support is not available.

Facebook also warned that some third-party applications and their own chat functionality currently don’t work if SSL is enabled. Users should be aware of this and take appropriate precautions if they can’t use SSL for those reasons.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

Top 5 Malware for Mac OS X Users Should Know About

Why you need a Mac OS X Antivirus: an overview of the most aggressive pieces of malware targeting Mac OS X users

Full story: MalwareCity Blog

Posted in Antivirus

Daniel Spitler, 26, leaves the U.S. District Court in Newark, N.J. on Wednesday, Jan. 18, 2011. Spitler and another hacker stole the e-mail addresses of more than 100,000 Apple iPad users, including those of politicians and famous media personalities, federal prosecutors said in announcing criminal charges against the men. (AP Photo/Bill Kostroun)

2 charged with stealing iPad users’ information (AP)

AP – Two men who authorities say were competing to impress their fellow hackers were arrested Tuesday on federal charges they stole the e-mail addresses of more than 100,000 Apple iPad users, including politicians and media personalities.


Full story: Yahoo! News: Security News

Posted in Security

Adobe to finally give users better control over Flash cookies



Flash cookies: the bane of Internet users’ experience ever since it became public that companies were using them to track users—completely separate from normal browser cookies. It’s not easy for regular users to go digging around to delete Flash cookie data, but that may change soon thanks to Adobe.

The company has been working with developers from Microsoft and Google to implement a new browser API that will make it easier for browser users to get rid of the local shared objects (LSOs, also known as Flash cookies) used by the Flash Player. In fact, the new API (NPAPI ClearSiteData, for the curious) has already been approved for implementation, and is expected to appear in Firefox sometime in the near future.

Full story: Security

Posted in Security

SMS Ransomware Tricks Russian Users

Online criminals are always seeking out tactics that would help monetize their activities.  Potential victims repeatedly fall for the traps that cybercriminals set up such as when they end up downloading malware instead of freeware or pornographic materials. Oftentimes, the realization that their machine is being held ransom comes too late.

One method often used involves disabling the functionality of the compromised computer until the victim dials a premium-rate SMS number. One such cybercriminal operation involves a recent SMS ransomware campaign that has been targeting Internet users in Russia and demanding a 360-RUR (about US$ 12) ransom. Affected systems would consistently display the image below and prevent users from accessing their desktops and applications until they provide the required ransom.

In this particular example, users downloaded a file detected by Trend Micro as WORM_RIXOBOT.A. The file was downloaded from a single website over 137,000 times in December 2010 alone, mostly by users from Russia.  In this case, the worm was downloaded from a pornographic website. However, it may have also been propagated through other means.

Cybercrime is a serious matter for cybercriminals who run these campaigns much like ordinary businesses and keep financial records for their own reference. In our research, we were able to access a panel that was used to keep track of the specific income generated by at least 60 phone numbers used in ransomware campaigns. The list contains 60 phone numbers displayed by the ransomware and used to receive funds from victims.


Based on our findings, this campaign was able to generate 901,245 RUR (US$ 29,435) over the last five weeks. With a payment of approximately US$ 12 per transaction, this indicates that 2,500 people paid the ransom. Users are thus advised to be more wary about their online activities. As this particular ransomware campaign proves, cybercrime is a serious business that comes at a price.

Post from: TrendLabs | Malware Blog – by Trend Micro


Security Threats for Smart Phone Users


Cell Phone Users Are Gullible, Report Says (PC World)

PC World – Internet security company Trusteer has managed to get access to the log files of Web servers that hosted phishing Websites. Their conclusion? Cell phone users are idiots compared to their desktop computing counterparts. Well, they don’t say it as bluntly as that, but their data is damning.

Full story: Yahoo! News: Security News


My 1st St@tus scam hits Facebook users hard, spreads virally

Thousands upon thousands of Facebook users have been hit by a new survey scam spreading virally across the social network.

Messages claiming to be users’ first ever Facebook status updates are being posted on users’ walls by a rogue application, designed to earn revenue for the scammers behind the attack.

Here’s what some typical messages look like:

My 1st St@tus

My 1st St@tus was: "[random message]". This was posted on [random date]

Find your 1st St@tus @ [LINK]

If you click on the link you are taken to a rogue Facebook application, which asks you to give it permission to access your profile, which includes giving it the ability to post from your account in your name.


Sadly, many people are all too quick to give rogue applications like this free rein over their Facebook account – allowing scams like this to spread rapidly and virally between Facebook friends.

If you are foolhardy enough to continue, you are taken to a webpage which contains a survey. This is where the scammers behind the scheme make their money.


Every survey which is completed earns them some commission. In some cases they might also ask for your mobile phone number in order to sign you up for an expensive premium-rate service.

And you? Well, you’ll find that the rogue application has meanwhile taken the opportunity to post a message on your Facebook page, which is now being seen by all of your online friends. When I deliberately infected a test account with the rogue application it got my first status message incorrect, as well as the date that I first posted to the Facebook account.


So, in other words, it’s a complete confidence trick. It doesn’t tell you your first status message on Facebook – and its only intention is to drive as many people as possible into sharing the link (which can vary – we have seen several examples) further and further across Facebook, earning the scammers money.

Regular readers of the Naked Security site will be all too familiar with survey scams and rogue applications, and realise the dangers in allowing an app written by unknown third parties to access their Facebook profile. But there are plenty of others out there on Facebook who are still oblivious to scams like this.

Here’s a YouTube video where I show you how to clean-up your Facebook account if you were hit by this, or similar scams:


Keep your wits about you and stay informed about the latest scams spreading fast across Facebook. One of the best ways to do that is to join the Sophos Facebook page, where a 50,000-strong community is regularly sharing information on threats and discussing the latest security news.

Full story: Naked Security – Sophos


Facebook scares users with account protection status warning

Over the last few weeks we have been contacted by a number of members of the Sophos Facebook page, concerned by a message they saw on Facebook, warning them that their account protection was “very low”.

Your account protection status: Very low
Increase protection

With fake anti-virus (also known as scareware) attacks becoming an ever-growing problem (they attempt to trick you into believing your computer has a security problem when it doesn’t), some security-conscious Facebook users might worry that this is a similarly-styled assault, designed to scare you into taking perhaps unwise actions.

Certainly the warning message gives you the impression that there’s something seriously wrong with how you have defended your Facebook account. I must admit I was surprised to see the message appear on my own Facebook account as I have been quite fastidious in my security settings on the social network, following Sophos’s guidelines for better privacy on Facebook.

So, I was curious to find out just why Facebook believed that my account protection status was “very low”, and what they thought I should do to fix that.

If you do click on the link, the first thing you are asked to do is enter an additional email address. Facebook’s thinking is that if you lose control of the, say, Hotmail or Gmail account that you normally log into the site with, you’ll be able to regain access to your Facebook account by giving them an alternative email address. They could then use this, for instance, to communicate with you.

Facebook requests an alternative email address

That’s reasonable enough, of course, if you feel comfortable giving Facebook another email address for yourself. And there is a genuine problem of users having the same password on their Facebook and email accounts – meaning that you could potentially lose control of both at the same time, which could make commandeering back control of your Facebook presence tricky.

But, there’s no indication of what else Facebook might do with this alternative email address of yours. Not only would you be right to be concerned about whether you are increasing the potential for data loss by sharing alternative email addresses with online companies, but is it possible that Facebook might also use this secondary email address to further interconnect you with possible contacts? There is, after all, no indication on the page that they are not going to use your secondary email address in any other way.

I feel pretty comfortable that nobody else is going to be able to seize the primary email address I use on Facebook (which, by the way, I do not make visible to others) away from me, so I don’t agree that adding a second email address is going to improve my “account protection”.

It is quickly becoming apparent that what Facebook really means by “account protection status” is the methods by which it can give you back control of your account, should it be compromised. Maybe fewer people would have been scared by the warning if they had been upfront about that, rather than using scare tactics.

Pressing the small question mark on the dialog box reveals exactly what Facebook believes I have to do to improve my account protection.

Facebook account protection status

No mention of using more secure, hard-to-crack, non-dictionary passwords. No mention of revoking access to rogue applications that may be able to post to my profile’s wall. No mention of reviewing my privacy settings to make sure I’m not sharing my personal information with strangers or search engines.

No, to improve how well my account is protected I need to give Facebook more of my personal information: an alternative email address, a mobile phone number, and answer a “secret” question.

Facebook requests mobile phone number

You see, I’ve already chosen not to give Facebook my mobile phone number. And now they’re asking for it again.

One of the reasons that they want your mobile phone number is because of their “one-time password” feature. That feature, announced in October 2010, allows a temporary Facebook password to be texted to you should you lose access to your account.

All very fine and dandy – but what happens if you lose your mobile phone, or someone else briefly swipes it from your jacket pocket? Then an unauthorised individual (whether they be a potential identity thief or a jealous partner) could potentially access your account via the system.

There is a very real problem with Facebook users accessing their accounts from insecure computers, and having their credentials stolen as a result. And Facebook’s one-time password scheme does provide some protection against that.

But that doesn’t mean that the one-time password system guarantees 100% security, and indeed – under some circumstances – it could be exploited by people who want to hack into your account.

On balance, I’m nervous about giving my mobile phone number to Facebook. So, I’m not going to do that.

Finally, Facebook asks me to give the “secret” answer to a question. You may have seen something similar to this on your webmail accounts – meaning that if you are having difficulty logging into your account you can answer the question, and prove your identity.

Facebook security question

Hmm.. but just how many of these questions are just the kind of thing that people often post to their Facebook profiles, or may be known to your close friends, family and acquaintances? Wouldn’t that make it easy for them to break into your account too?

Where’s the advice from Facebook that you shouldn’t answer these questions honestly? (“The name of my first pet was Boutrous Boutrous Artichoke Ghali”)

Where’s the option to write your own question? (“What important role did Boutrous Boutrous Artichoke Ghali play in my life?” “He was my pet hamster”).

At first glance, a fair proportion of people seem to be worried that Facebook’s push for more information looks suspicious and uses similar scaremongering tactics to the fake anti-virus and phishing attacks that we are all too familiar with.

There’s nothing necessarily wrong with Facebook giving its millions of users a way of verifying their identity should they lose access to their account, but clearly it should have been presented better and more thought should have gone into how this system was implemented. The suggestion that users’ accounts currently have a protection status of “very low” is entirely misleading and stinks of scare tactics.

As one of the members of the Sophos Facebook community put it, a better way to have phrased the message would have been: “We can help you recover your account if it gets hacked, want to know more?”

I’m not going to tell you not to give Facebook the information they’re requesting in this “account protection” push, but I would suggest that you think carefully before doing so.

If you’re a member of Facebook don’t forget to join the Sophos Facebook page to stay up-to-date with the latest security news.

Full story: Naked Security – Sophos


Google Search Now Alerts Users When a Site Has Been Compromised (Mashable)

Mashable – In its quest to fight malware and spammers, Google is now informing users when a website listed in its search engine has been compromised. – on Yahoo! News: Security News
