Facebook makes changes to its privacy settings, one more time
December 12, 2012
Facebook said today that it has again updated its privacy settings, in an attempt to make things easier for its users to understand. This is at least the fifth time that the social network has updated its privacy settings, and it is now phasing out the option to block people from searching for your profile.
The company is making changes to how users access its privacy settings. Facebook hopes that this latest overhaul will make the now bloated process easier to understand.
The changes, which come a day after Facebook implemented its new privacy policies, are mainly cosmetic, however. The company isn't changing which settings you can set, except for the option to block searches of your profile within the social network.
Facebook has already begun phasing out this feature, and soon it will be removed from everyone's profiles. Everyone used to have a setting called "Who can look up my timeline by name," which controlled whether someone could be found when other users typed their name into the Facebook search bar.
The setting was very limited in scope, however, and didn't prevent people from finding others in many other ways across the site. The feature used to come in handy when the network was made up of college students and they could only find each other's profiles by searching for a name.
Now, people can see profiles linked to friends' Timelines, relationship pages or tagged photos. But, why not just leave the feature in place, even if it serves a limited purpose? It can't do any harm to block people from finding you through at least one avenue.
According to Facebook, the search block feature has become more a crutch than a security tool. "Our concern, quite frankly, is that people think it provides a level of security, but it actually doesn't," said Nicky Jackson Colaco, a member of the Facebook Privacy team.
While Facebook is taking away the ability to block searches, it's also shifting the responsibility of keeping users' information private to the users.
This is the biggest overhaul since Facebook changed its settings four months ago and part of Facebook's efforts to constantly refine its privacy controls.
Despite this effort, or maybe because of it, those who hate needing to learn a new set of privacy tools will no doubt moan and groan about the confusion that comes along with yet another onslaught of change.
Facebook says these new changes are designed to give users more flexibility with their privacy. No master setting should control that. It should be a meaningful privacy setting that actually protects you rather than giving you a false sense of security, say some security and privacy advocates.
Here are the other changes rolling out today:
The overwhelming array of privacy settings may make some users more uncomfortable than when they had fewer options. Then again, privacy may not be on the forefront of every user's minds, if this week's voting is any indication.
In other internet security news
If Google wants Android to continue being a good operating system that wins many hearts, it had better listen to the various comments made about the OS. And security is at the top of that list.
One of the enhancements in Android 4.2 was a new app verification service that tested applications being installed against a known Google service in the cloud to see whether the app was known to contain malware or not.
If the results of Xuxian Jiang's research hold up, Google will need to do a lot more work on the feature to make it useful: only 15 percent of the known malware samples tested against the service were detected by Android, something that will leave many system admins at odds with the OS, since security is usually at the top of their priorities.
Jiang, an associate professor at North Carolina State University, took Nexus 10 tablets running Android 4.2 and, using semi-automated installations, loaded no fewer than 1260 malware samples from the Android Malware Genome Project onto the devices.
Overall, of the 1260 samples taken, only 193 were detected as malware. The researchers also performed a test comparing Google's verification against a range of ten different existing anti-virus applications through VirusTotal, looking at randomly selected malware samples from each malware family.
The anti-virus applications run by VirusTotal ranged in overall efficiency from 98 percent all the way down to 51 percent, but the Android App verification system scored only 20.4 percent.
VirusTotal was acquired by Google last September. The researchers noted that the app verification service relies on a very fragile mechanism: it checks the SHA hash of the app together with its package name to determine whether a package is dangerous or potentially dangerous.
The researchers believe that more information needs to be collected to give a more robust system, but cannot say what that information should be, or how it should be shared given user privacy concerns.
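To make the fragility concrete, here is an added example (not code from the article, Google, or the study) that models a lookup keyed on the exact (package name, SHA-256) pair and then scores it the way the study did, as detections divided by samples installed. The package names, payload bytes and corpus are constructed for the demonstration.

```python
import hashlib
from typing import NamedTuple


class Verdict(NamedTuple):
    detected: bool
    reason: str


def build_blocklist(samples):
    """Known-bad set keyed on (package name, SHA-256 of the APK bytes), the pair
    the article says the verification service checks. Entries are constructed."""
    return {(pkg, hashlib.sha256(apk).hexdigest()) for pkg, apk in samples}


def verify_package(pkg_name: str, apk_bytes: bytes, blocklist) -> Verdict:
    """Exact-match lookup: flags an APK only if its (package, hash) pair is known."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    if (pkg_name, digest) in blocklist:
        return Verdict(True, "exact (package, sha256) match")
    return Verdict(False, "no match")


def detection_rate(samples, blocklist) -> float:
    """Fraction of a sample set the check flags, mirroring how the study
    scored the service (detections / samples installed)."""
    hits = sum(verify_package(p, a, blocklist).detected for p, a in samples)
    return hits / len(samples)


# Constructed corpus: three "families" whose original bytes are in the blocklist...
KNOWN = [(f"com.example.sample{i}", b"CONSTRUCTED-PAYLOAD-" + bytes([i]))
         for i in range(3)]
# ...plus seven variants of the same payloads: a single trailing byte of padding
# changes the hash, and a renamed package changes the other half of the key.
PADDED = [(pkg, apk + b"\x00" * (k + 1)) for k, (pkg, apk) in enumerate(KNOWN * 2)]
RENAMED = [("org.example.renamed", apk) for _, apk in KNOWN[:1]]
CORPUS = KNOWN + PADDED + RENAMED          # 3 + 6 + 1 = 10 samples
BLOCKLIST = build_blocklist(KNOWN)

if __name__ == "__main__":
    for pkg, apk in CORPUS:
        print(pkg, verify_package(pkg, apk, BLOCKLIST).reason)
    print(f"detection rate: {detection_rate(CORPUS, BLOCKLIST):.1%}")  # 30.0%
```

Only the three unmodified samples are caught; every variant that differs by a byte or a name is missed, which is the weakness the researchers describe.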
Jiang also notes that the verification system relies on the server component, leaving the client-side of the system completely without detection capabilities. Adding those abilities would help, although it would be a delicate balance for mobile devices.
The researcher is more hopeful that the potential integration of the Google-owned VirusTotal service with the app verification service could provide much better detection results and a better overall user experience.
In other internet security news
BSD software developers say that hackers broke into two of the FreeBSD project's servers using a stolen SSH authentication key, with admin login credentials that appear to have belonged to one of the developers.
The lead project developer behind the open-source operating system has launched a full-fledged investigation into the security breach and has taken a few of the servers offline during his probe. However, early indications are that the damage might have been far worse than was initially thought.
None of the so-called base repositories (stores of core components such as the kernel, system libraries, compiler and daemons) were hit, however. Only servers hosting source code for third-party packages were exposed by the attack, which was detected on November 11 and announced on Saturday, November 17, following a preliminary investigation.
The intrusion itself may have happened as far back as September 19, according to the lead developer. On November 11, an intrusion was detected on two servers within the FreeBSD.org cluster. The affected machines were taken offline for analysis, and probably won't be reconnected until sometime next week.
Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precautionary measure. "We have found no evidence of any modifications that would put any end user at risk. However, we do urge all BSD users to read the report available on our site and decide on any required actions themselves. We will continue to update you as further information becomes known. We do not currently believe users have been affected given current forensic analysis," read a FreeBSD statement on their site.
"And no Trojanized packages have been uncovered, at least as yet. But FreeBSD users have been urged to carefully check third-party packages installed or updated between September 19 and November 11 nonetheless, as a precaution," it continued.
The FreeBSD.org team has promised to tighten up security, in particular by phasing out legacy services such as the distribution of FreeBSD source via CVSup, in favor of the more robust Subversion, freebsd-update, and portsnap distribution methods. The hack was "not due to any vulnerability or code exploit within FreeBSD", according to the BSD developers.
The whole incident raises some embarrassing and troubling questions, since it seems that the unknown attackers behind the hacking attempt managed to steal both an SSH (remote administration) key file and passwords from a developer.
Analysis of the attack can be found in an informative blog post by Paul Ducklin of Sophos. Attacks on open-source repositories are far from unprecedented. Kernel.org was suspended for a month in July 2011 following a much more serious malware attack and a server compromise.
Then in August 2011 another breach on the MySQL.com website left visitors exposed to malware that could infiltrate said MySQL databases.
But perhaps the most similar attack to the FreeBSD hacking attempt occurred in 2009, with a breach against the Apache Software Foundation, also facilitated by the misuse of SSH keys.
In other internet security news
The U.S. Transportation Security Administration (TSA) has taken yet another bad dose of publicity with the recent discovery that its questionable security system allows passengers in its PreCheck system to choose their own security status, thus compromising other security features.
The TSA's PreCheck system allows some frequent fliers willing to pay $100 for a background check to skip some of the onerous security checks, like taking off shoes and unpacking laptops or toiletries. PreCheck customers are still subject to more intensive searches on a randomized basis, however.
Aviation blogger John Butler discovered that the barcode information used for the boarding passes of PreCheck fliers wasn't encrypted, and could be read by a simple smartphone app. It contained the flier's name, flight details, and a number, either a 1 or a 3, with the latter confirming the passenger was cleared for lesser screening.
Ordinarily, it would be a relatively simple task to just scan the issued boarding pass, decode it, and then change the security setting if you are planning to bring something suspicious aboard, or even change the name on the ticket to match a fake ID.
But after placing the new information into a barcode, and a couple of minutes of cut and paste, the new boarding pass would work as normal, Butler explained, and that's where the whole issue lies.
"The really scary part in all of that is both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don't check against the real time information," he said. "So the TSA document checker will not pick up on the alterations."
This means that, as long as a passenger's boarding pass has a 3 on it, they can always use the PreCheck line. But the agency that appears to devote so much time to irradiating fliers, fondling vibrators, promoting the homosexual agenda, or just plain stealing fliers' belongings doesn't seem to have thought of that.
The TSA only deems it necessary to have barcode readers for checking the data against the presented ID, not the integrity of the boarding pass itself. And simply encrypting the data would also work, so how come they didn't think of that?
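As an added example (not from the article, Butler, or the TSA), the following shows the difference between a scanner that merely decodes the barcode and one that checks an integrity tag: an HMAC computed by the issuer over the cleartext fields lets a scanner reject any edit to the name or the screening digit, even without a real-time lookup. The field layout, key and sample record are constructed; real boarding passes use a different format, and a MAC (rather than encryption) is the primitive that detects alteration.

```python
import base64
import hashlib
import hmac

# Constructed layout for the demonstration, not a real boarding-pass format:
# name|flight|date|status, where status is the screening digit the article
# describes (1 = standard screening, 3 = cleared for the PreCheck lane).
FIELDS = ("name", "flight", "date", "status")
KEY = b"constructed-demo-key"  # in practice: an issuer secret shared with scanners


def decode_only(encoded: str) -> dict:
    """What a plain barcode decoder does: trust whatever fields it reads."""
    values = encoded.split("|")[: len(FIELDS)]
    return dict(zip(FIELDS, values))


def encode_pass(record: dict, key: bytes) -> str:
    """Serialise the fields and append an HMAC-SHA256 tag over them."""
    body = "|".join(record[f] for f in FIELDS)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "|" + base64.urlsafe_b64encode(tag).decode()


def verify_pass(encoded: str, key: bytes):
    """Return the record if the tag checks out, otherwise None (reject)."""
    body, sep, tag_b64 = encoded.rpartition("|")
    if not sep:
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64.encode())
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # any edited field, including the status digit, lands here
    values = body.split("|")
    if len(values) != len(FIELDS) or values[3] not in ("1", "3"):
        return None
    return dict(zip(FIELDS, values))


def alter_field(encoded: str, field: str, value: str) -> str:
    """Test helper: rewrite one cleartext field of an issued pass, keep the old tag."""
    body, _, tag_b64 = encoded.rpartition("|")
    values = body.split("|")
    values[FIELDS.index(field)] = value
    return "|".join(values) + "|" + tag_b64
```

A decode-only scanner returns the edited status digit as if it were genuine; the verifying scanner returns None for the same input and for a pass issued under a different key.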
According to the TSA's vision statement, the agency strives to "continuously set the standard for excellence in transportation security through its people, processes, and technology." Really? Wow!
In other security news
According to a new study recently released, on average, hackers exploit security vulnerabilities in software for about ten to eleven months before the full details of the security issues surface to the public.
Researchers from Symantec say that these zero-day attacks, so called because they are launched well before security firms and industry vendors are even aware of the vulnerabilities per se, are more prevalent and more potent than previously believed.
Overall, zero-day exploits are often closely guarded secrets and the simple reason is that they can be very valuable to potential hackers. However, once the details of the exploited security flaws emerge in public, application developers and system admins alike can rapidly get to work to mitigate or halt the attacks dead in their tracks.
But in today's imperfect cyber world, this comes at a huge price-- it also tips off the world that these security vulnerabilities exist in systems.
Case in point-- Leyla Bilge and Tudor Dumitras, both of Symantec Research Labs, identified no fewer than eighteen zero-day attacks between January 2008 and December 2011, and eleven of them were previously undetected.
"A typical zero-day attack lasts an average of about 312 days and, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to five orders of magnitude," the security researchers note.
The study is based on data from customers who had opted into Symantec's anti-virus telemetry service.
A paper on the research-- "Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World" was presented at the ACM Conference on Computer and Communications Security in Raleigh, North Carolina last week.
In other internet security news
U.S. federal police and the Department of Justice (DoJ) are increasingly gaining real-time access to Americans' social network accounts, such as Twitter, Facebook and Google+, before obtaining search warrants, newly released documents reveal.
And the numbers are really dramatic-- live interception requests made by the U.S. Department of Justice to social-networking sites and email providers jumped over 80 percent from 2010 to 2011 alone, and the trend is rapidly increasing.
Documents the ACLU released yesterday reveal that U.S. federal police are using a 1986 law originally intended to tell police what phone numbers were dialed for far more invasive surveillance-- monitoring of whom specific social-network users communicate with, what IP addresses they're connecting from, and perhaps even likes and +1s.
The DoJ conducted 1,662 live intercepts on social networks and email providers last year, up from only 922 a year earlier, the reports demonstrate.
The ACLU hopes that the disclosure of the documents it sued to obtain under the Freedom of Information Act will persuade Congress to tighten up the requirements for police to intercept "noncontent" data -- a broad category that excludes e-mail messages and direct messages.
The current legal standard "allows the government to use these powerful surveillance tools with very little oversight in place to safeguard Americans' privacy," says Catherine Crump, an ACLU staff attorney.
And it could work. On September 25, Rep. Zoe Lofgren, D-Calif., introduced a new bill that would require police to get warrants to access Americans' email and track their mobile phones. But last week, senators delayed a vote on a similar bill after law enforcement groups vehemently objected to it.