
Another security flaw has been discovered in Facebook


June 22, 2013

A new security flaw discovered yesterday in Facebook could have inadvertently exposed the contact information of over 6 million users, a Facebook company representative said.

The security hole, which has apparently since been repaired, was part of the Download Your Information tool, which lets Facebook users export all the data from their profiles, such as posts to their timeline and conversations with friends.

People using the tool may have inadvertently downloaded the contact information of people they were somehow connected to, although the full extent of the exposure is still not known at this time.

Many people upload their contact lists or address books to Facebook, which the company then uses to suggest new friends who are already using the service and whom users may be interested in connecting with.

Although the number of people impacted is sizable, the actual reach of their contact information appears to be limited. The phone numbers and email addresses were not exposed to app developers or posted publicly.

The data was only shown to people they had at least a tentative connection with, and who may already have had their contact information. Even in that context, it was only exposed to people who had used the data-export tool, Facebook reassured.

"For almost all of the email addresses or telephone numbers impacted, each individual email address or phone number was only included in a download once or twice. This means an email address or phone number was only exposed to one person, it is hoped," Facebook's security team said.

Facebook added that it has no evidence that the security flaw was exploited maliciously and that there have been no complaints so far. (!)

Facebook announced the security flaw yesterday afternoon. The problem was discovered by a third-party security researcher who submitted it through Facebook's White Hat program.

The program is set up so that people such as security researchers can report any vulnerabilities they find on the social network and receive a reward of $500 or more in return. These types of programs are common at Internet companies.

"Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure," read the post.

People who were affected by the security hole will receive an email from Facebook, the company reassured.

In other internet security news

A nasty IT oversight exposed hundreds of photos of suspected criminals on the web. It got a lot worse when the details of the British citizens who reported them over the internet were exposed as well.

The Facewatch website, which allows police and businesses in Britain to upload and share evidence of alleged petty crimes, was left wide open thanks to a nasty web server misconfiguration.

The error allowed anyone to easily access a huge trove of CCTV footage, including images and information about companies that sign up to the service.

We were able to look through about 4,250 records containing photos and videos of suspects dating back to March 2011.

We saw shoplifters stealing various merchandise from department stores, a man waving a long stick inside a check cashing service outlet, and people looking rather suspicious in some packed pubs presumably just before a crime took place.

Some of the images even had names on them, which would be legally problematic for the site's owner(s) if those pictured turned out to be innocent.

We also saw long lists of stores around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any potential criminal wishing to intimidate a witness or take some kind of revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of various betting offices.

Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court. Publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or it could simply ruin their reputation for a very long time.

Blighty's privacy watchdog, the Office of the Information Commissioner, told us it was beginning inquiries that could lead to a formal investigation.

A spokesman said-- “We have recently been made aware of a possible data breach which appears to involve the Facewatch website. We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

The website boasts it was declared "secured by design" by a police-run body that recognises products or businesses that meet the "Police Preferred Specification" on security. This badge of honour is normally given to secure buildings or products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.

Now, with a gaping security hole in its website, businesses may think again about how stringent that standard actually is.

Worse-- you didn't have to be a small-time thief or an expert hacker to get into the sensitive files. All that was required was changing "http" to "https" in the website's address, and all the information was there to be accessed.

Specifically, the Nginx software running the HTTPS site was misconfigured to list the contents of directories on the web server rather than serving the intended web pages. Visiting redirects to but this didn't happen on the HTTPS site, which instead revealed the index of the server root directory; that index could be explored to find a lot of website code, databases of users and various folders packed with hundreds of images.
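The misconfiguration described above, directory listing enabled on an HTTPS server block whose root also holds code and data, is the kind of thing a configuration check can catch before deployment. The following Python script is an added example, not code from the original article or from Facewatch: it tokenizes nginx syntax, finds every server block and reports any scope where autoindex is effectively on, using two constructed configuration fragments (the hostname, the paths and the hardened version are assumptions) to show the weak setting beside the corrected one.

```python
import re

# Constructed nginx fragments for illustration; these are assumptions,
# not Facewatch's real configuration.
WEAK_CONF = """
server {
    listen 80;
    server_name example.test;                 # hypothetical host
    return 301 https://$host$request_uri;     # HTTP redirected, HTTPS did not
}
server {
    listen 443 ssl;
    server_name example.test;
    root /var/www/app;                        # root also holds code and databases
    autoindex on;                             # weak: lists any directory lacking an index file
}
"""

FIXED_CONF = """
server {
    listen 443 ssl;
    server_name example.test;
    root /var/www/app/public;                 # only the document root is served
    index index.html;
    autoindex off;                            # explicit, even though off is nginx's default
    location /uploads/ {
        autoindex off;                        # restate in sub-scopes that serve files
    }
}
"""

# Tokens: comments (dropped), the three structural characters, or bare words.
# Quoted values are not handled; they are not needed for this check.
_TOKEN = re.compile(r'#[^\n]*|[{};]|[^\s{};#]+')


def tokenize(text):
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if not tok.startswith('#'):
            yield tok


def parse(tokens):
    """Parse nginx syntax into (name, args, children) triples.

    children is None for a simple 'name args;' directive and a list for a block."""
    root, current = [], []
    stack = [root]
    for tok in tokens:
        if tok == ';':
            if current:
                stack[-1].append((current[0], current[1:], None))
            current = []
        elif tok == '{':
            block = []
            stack[-1].append((current[0], current[1:], block))
            stack.append(block)
            current = []
        elif tok == '}':
            stack.pop()
        else:
            current.append(tok)
    return root


def _server_blocks(items):
    # server blocks may sit at top level or inside an http { } block
    for name, _args, children in items:
        if children is None:
            continue
        if name == 'server':
            yield children
        else:
            yield from _server_blocks(children)


def _walk(block, listen, scope, inherited_on, findings):
    # autoindex is inherited by nested location blocks unless they override it
    effective = inherited_on
    for name, args, _ in block:
        if name == 'autoindex' and args:
            effective = args[0].lower() == 'on'
    if effective:
        findings.append((listen, scope))
    for name, args, children in block:
        if name == 'location' and children is not None:
            _walk(children, listen, 'location ' + ' '.join(args), effective, findings)


def find_listing_exposure(config_text):
    """Return (listen, scope) pairs for every scope where directory listing is on."""
    findings = []
    for server in _server_blocks(parse(tokenize(config_text))):
        listens = [' '.join(a) for n, a, _ in server if n == 'listen']
        _walk(server, ' '.join(listens) or '(default)', 'server', False, findings)
    return findings


if __name__ == '__main__':
    print('weak :', find_listing_exposure(WEAK_CONF))   # [('443 ssl', 'server')]
    print('fixed:', find_listing_exposure(FIXED_CONF))  # []
```

The check flags the scope where listing is effectively enabled, including a location that merely inherits an `autoindex on` from its server block. Separating the document root from application code, as the fixed fragment does, matters independently of autoindex: with a shared root, even a single missing index file or a future configuration change is enough to expose the file tree again.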

We were told about the security flaw by a source who was trying to report a crime. While trying to find the address of an HTTPS-encrypted server to send the images to, we found and it gave us full read-only access to Facewatch's file tree.

We reported the security flaw to Facewatch, which closed the hole immediately. The organization's chairman told us the "accessible code was related to a previous version" of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crimes to contact those who reported a crime on their behalf."

The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety".

He continued-- "We have undertaken some strong penetration testing to ensure that the data stored in the Facewatch systems is very secure and we can confirm that all personal data is secure and that our systems are safe. The URL to which you referred us has been closed as this is no longer in use."

No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.

The chairman added that some 63,000 people have downloaded Facewatch's smartphone app and its images have been viewed nine million times. Besides allowing officers and authorized people to upload files, Facewatch lets British citizens use their mobile phones to view CCTV still shots and other images of people wanted for questioning by the police.

Facewatch's Gordon claimed that some of the images we found on the server were part of that public mug-shot gallery.

"Some residual photos of individuals that the police would like to contact in relation to certain reported crimes were in fact available. Those images had been made available to see if members of the public would be able to help with their identification," Gordon added.

In other internet security news

According to a new study from the University of Erlangen in Germany, Apple's iPhone devices being used as Wi-Fi hotspots are open to attack because of weaknesses in the automatic password generation system Apple has in place.

Called "Usability vs. Security-- The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots," the paper reveals that the seemingly random password iOS generates for hotspots is very easy to crack.

It consists of only four to six characters followed by a four-digit number string. As a test, the team downloaded a 52,500-word dictionary from an open source version of Scrabble, added number-generating code, and cracked the iOS password system every time, although the team points out it isn't suggesting Apple used the same dictionary.

Using an AMD Radeon HD 6990 GPU, the average time to crack was just 59 minutes. The team then reverse-engineered the iOS word list used for password generation, using "static and dynamic analysis," tools like GNU Debugger, and by manually going through the ARM disassembly of the relevant iOS frameworks.

They discovered that Apple uses English-language words of between four and six letters from a dictionary made by Lernout & Hauspie Speech Products.

"Only 1,842 different entries of that dictionary are taken into consideration," the paper states. "Consequently, any default password used within an arbitrary iOS mobile hotspot, is based on one of these 1,842 different words. This fact reduced the search space of our initial brute force attack by more than 96 percent and thus increased the overall cracking speed significantly."

Additionally, the selection of words picked for passwords was skewed. For example, the word "suave" was used 0.08 percent of the time, while "subbed" cropped up 0.76 percent of the time and "head" 0.53 percent, ten times the frequency they should have had under a random selection.

By frontloading these selections into any attack code, the chances of cracking the system quickly are greatly increased.

The team also decided to upgrade their hardware to bring down search times and built a box with four AMD Radeon HD 7970 units that could burn through 390,000 guesses per second. This cut the time to crack automatically generated passwords down to 24 seconds, or 52 seconds using a single AMD Radeon HD 6990 GPU. Users should set their own hotspot passwords, the team recommends.
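To put the figures above into numbers a defender can reason with, here is an added Python example (not code from the paper or from the original article) that computes the search space, equivalent entropy and expected cracking time of the default iOS hotspot password from the values quoted on the page (1,842 words, a four-digit suffix, 390,000 guesses per second), quantifies how much knowing the real word pool shrinks the search compared with the 52,500-word Scrabble list, shows how a skewed word distribution lowers the expected number of guesses when candidates are tried most-likely first, and contrasts all of this with a random user-chosen password. The skewed distribution is a constructed model, since the page gives only three data points, and the 12-character, 62-symbol user password is an assumption for comparison.

```python
from math import log2

# Figures quoted on the page from the Erlangen paper.
WORDS_IN_POOL = 1842            # distinct words iOS actually draws from
FULL_DICTIONARY = 52_500        # the Scrabble word list the team first tried
SUFFIX_DIGITS = 4               # four-digit numeric suffix
GUESSES_PER_SECOND = 390_000    # the four-GPU rig quoted on the page


def search_space(words, digits=SUFFIX_DIGITS):
    """Number of candidate passwords: every word times every digit suffix."""
    return words * 10 ** digits


def entropy_bits(space):
    """Equivalent key strength, assuming all candidates are equally likely."""
    return log2(space)


def expected_seconds(space, rate=GUESSES_PER_SECOND):
    """Mean time to hit a uniformly chosen password: half the space on average."""
    return space / 2 / rate


def pool_reduction(reduced, full):
    """Fraction of the search removed by knowing the real word pool."""
    return 1 - reduced / full


def expected_guesses(weights):
    """Guesswork: mean number of tries when candidates are tried most-likely first.

    weights are relative frequencies; a uniform list of n words gives (n + 1) / 2."""
    total = sum(weights)
    ordered = sorted(weights, reverse=True)
    return sum(i * w for i, w in enumerate(ordered, start=1)) / total


def skewed_pool(n_words, n_hot, hot_factor):
    """Constructed model of the skew the paper reports: n_hot words are chosen
    hot_factor times as often as the rest. This is an assumption for
    illustration; the page gives only three measured frequencies."""
    return [hot_factor] * n_hot + [1] * (n_words - n_hot)


def user_chosen_space(length=12, alphabet=62):
    """Search space of a random user-chosen password of letters and digits (assumed)."""
    return alphabet ** length


if __name__ == '__main__':
    default = search_space(WORDS_IN_POOL)
    print(f'default hotspot space: {default:,} ({entropy_bits(default):.1f} bits), '
          f'{expected_seconds(default):.0f} s expected at {GUESSES_PER_SECOND:,}/s')
    print(f'knowing the pool removes {pool_reduction(WORDS_IN_POOL, FULL_DICTIONARY):.1%} '
          'of the Scrabble-dictionary search')
    print(f'uniform pool: {expected_guesses([1] * WORDS_IN_POOL):.1f} word tries on average; '
          f'skewed pool: {expected_guesses(skewed_pool(WORDS_IN_POOL, 184, 10)):.1f}')
    chosen = user_chosen_space()
    print(f'12-char user password: {entropy_bits(chosen):.1f} bits, '
          f'{expected_seconds(chosen) / (365 * 86400):.2e} years expected')
```

The 24-second figure the team reports falls out directly: 18.42 million candidates at 390,000 guesses per second is about 47 seconds for the whole space, so roughly 24 seconds on average. The guesswork function is the quantity that a frequency-ordered candidate list optimizes, which is why a skewed generator is weaker than its raw word count suggests even before any hardware upgrade; a password the user chooses at random from a large alphabet leaves the same hardware no realistic chance.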

As a test case, the security team built an iOS application dubbed "Hotspot Cracker" which could be used to try out an attack on a target phone. This was limited by the processing power of the smartphone, but can be used in conjunction with a cloud password cracking service.

Once the password has been compromised, the operator can piggyback on the hotspot's bandwidth, stage a man-in-the-middle attack for eavesdropping, and then get access to files stored on the device.

Jailbroken iPhones are extra risky since they could even allow access to the basic iPhone system services code. While the researchers concentrated on Apple, they noted that other mobile operating systems could also be affected.

To be sure, Microsoft's Windows Phone 8 uses a similar password system that doesn't even use words, relying instead on eight-digit number strings alone.

Android is somewhat better, but there have been cases of manufacturers such as HTC dumbing down password generation for some handsets, the University says.

"The results of our analysis have demonstrated that the mobile hotspot feature of smart devices increases the attack footprint in several ways," the team concludes.

"As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future," the report added.

In other internet security news

A hacker says he's published what he claims to be three telephone numbers belonging to Philippine president Benigno Aquino, including his private mobile number, in a bid to urge voters to confront their leader directly.

Going by the pseudonym “#pRis0n3r”, the hacker posted the numbers to his 10,000+ followers on Facebook on Friday night, alongside the president’s home address and the address of Aquino’s office in the House of Representatives Batasan building.

Beneath the numbers is the message “This is now the chance for your voice to be heard”, alongside an Anonymous logo.

There was no confirmation as to the veracity of the phone numbers but an Aquino spokesman, Ricky Carandang, didn’t sound too happy about that.

"It's cyber vandalism plain and simple," he told AFP. "We're dealing with it. That's all I can say for now."

When the news wire tried to contact the numbers on Saturday morning they had apparently stopped working. There was no further information on the Facebook page of #pRis0n3r as to exactly how he obtained the numbers, but in a message sent to a local paper, the hacktivist claimed he was “100 percent” sure they were Aquino’s.

He also complained that the president was "very silent when it comes to national issues", adding, "We want to hear him."

The group Anonymous has had several run-ins in the past with the Aquino administration, most notably in January when it defaced several government web sites in response to the Cybercrime Prevention Act of 2012.

Local hacktivists claiming to be affiliated with the group have also been involved in a bitter online battle between Filipino and Malaysian hackers which erupted after bloody clashes in the northern Borneo region of Sabah, and in tit-for-tat exchanges with patriotic Chinese over the disputed group of rocks known as Scarborough Shoal.

In other internet security news

Yesterday's Patch Tuesday update for Microsoft Windows OSs all over the globe went pretty well, and was rolled out with five bulletins, including a single critical security update that deals with flaws in all supported versions of Internet Explorer.

Available at 1:10 PM EST, the IE update (MS13-047) deals with no fewer than nineteen security vulnerabilities and covers all versions of Internet Explorer from IE6 to IE10 on all supported versions of Windows, from XP to RT.

It's just the sort of thing that might be latched onto by hackers as part of drive-by-download attacks based on malicious scripts on compromised websites, and therefore needs to be patched sooner rather than later.

The other four security bulletins this week all cover lesser flaws, rated "important" by Microsoft. The most noteworthy of these is MS13-051, which covers Microsoft Office 2003 on Windows and 2011 for Mac OS X and tackles a parsing vulnerability in the PNG graphics format that has already cropped up in a limited number of active attacks.

"The attack arrives in an Office document and is triggered when the user opens the document," writes Wolfgang Kandek, CTO at cloud security firm Qualys.

"Microsoft rates it only as 'important' because user interaction is required, but attackers have shown over and over that getting a user to open a file is quite straightforward," he added.

The remaining three security bulletins rated "important" tackle an information disclosure vulnerability within the Windows kernel, a local privilege escalation vulnerability within the print spooler components in Windows, and a DoS issue in the TCP/IP stack of newer Windows systems.

Taken all together, it's a fairly quiet month. Microsoft's Patch Tuesday bulletin for June can be found on its site. June's patch update from Microsoft does not fix a recent 0-day security vulnerability discovered by Google's Tavis Ormandy.

The 0-day vulnerability allows an attacker already on a Windows machine to gain admin privileges. In related patching news, Adobe is pushing out an updated version of Flash (APSB13-16), that will be released to Google Chrome and Microsoft IE10 users via an automatic update.

In other cases, the cross-platform update (which covers versions of Flash Player on Windows, Macs and Linux as well as Android smartphones) will need to be applied separately.

Meanwhile, server and data centre system admins would be wise to pay particular attention to the release of a security bulletin from VMware, covering a vulnerability in handling file uploads by the vCenter Chargeback Manager that poses a remote code execution risk on unpatched systems.

For its part, Apple pushed out its own quarterly security updates last week, with a new version of Safari and Mac OS X addressing numerous and some very critical security vulnerabilities.

Those security updates are unrelated to the new versions of Mac OS X and Safari announced at this week's WWDC in San Francisco, which will not be released for some time yet.


Source: Facebook.
