Thursday, December 17, 2009

rockyou stoned, Facebook infiltrated

Social networking add-on site rockyou.com is the latest victim of data theft. The hacker posted about it on his blog after getting ticked because rockyou was lying about the amount of data that had been stolen. But the worst part was that the usernames and passwords – all 32.5+ million of them – were stored in plaintext. And there were also logins to third-party sites, because rockyou allows users to create content for sites like MySpace and Facebook. Judging from the comments the hacker makes, MySpace and other sites may have similar insane security practices. I looked at the rockyou site as soon as I heard about it, and there was a short, one-paragraph message to users about the "minor" breach. A few minutes ago I went back and the link - worded the same as before - led to several paragraphs, 1 1/2 to 2 pages long. It started with:
Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure. Our users have confidence in our services and we will continue to ensure that confidence is deserved.

Sounds very nice and up-front. And I suppose it is the truth, since it only addresses the services, not the security of the services. Historically, rockyou has been a lot more concerned with talking about how concerned they are with privacy and security than they have been with actually providing it. In September of 2008 they embarrassed and outraged hundreds of companies that produce Facebook apps by cc'ing them all on an email, exposing every recipient's address to every other recipient. They were very apologetic:
On the behalf of RockYou, I want to apologize to all of our publishers for the slip. While it was unintended, it was a material mistake. We take privacy of all our partners very seriously and have reviewed and corrected the process that enabled this. We continue to work hard to maximize results but it's apparent we will also need to work even harder to regain and maintain trust. For those of you affected, please email me directly with any questions, issues or concerns. My email is ro@rockyou.com (ro at rockyou.com – yes, I'm willing to share in the pain).

Very nice, and very full of bovine excrement. They did the same thing on November 25th of 2008, and again in January 2009.
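The plaintext password table is the part of the rockyou story that a breach cannot be undone from: once the table is copied, every password (and every reused third-party login) is readable. The following is an added example, not rockyou's code and not from the original post, showing what the same table looks like when each password is stored as a salted, iterated hash instead, so that a stolen copy does not hand over the passwords. The PBKDF2 parameters, the record format and the sample users are assumptions made for the example.

```python
# Added example (not rockyou's code): salted PBKDF2-HMAC-SHA256 password
# storage beside the plaintext table that a breach would otherwise expose.
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16       # assumed salt length; 16 random bytes per user


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "salt_hex$hash_hex" for one password.

    A fresh random salt per user means two users with the same password
    get different records, so a thief cannot even spot password reuse.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if "$" not in record:
        return False  # malformed or plaintext record: never accept it
    salt_hex, stored_hex = record.split("$", 1)
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored_hex)


# Constructed sample credential table, stored the way rockyou stored it:
# whoever copies it has every password immediately.
PLAINTEXT_TABLE: Dict[str, str] = {
    "alice": "hunter2",
    "bob": "hunter2",      # same password as alice, visible at a glance
    "carol": "letmein!",
}


def hashed_table(plain: Dict[str, str]) -> Dict[str, str]:
    """The same table after each password is salted and hashed."""
    return {user: hash_password(pw) for user, pw in plain.items()}


def passwords_exposed_by_leak(table: Dict[str, str]) -> List[str]:
    """What a thief learns from a copied table: plaintext records are
    returned as-is, hashed records contribute nothing."""
    return [v for v in table.values() if "$" not in v]


if __name__ == "__main__":
    hashed = hashed_table(PLAINTEXT_TABLE)
    for user, record in hashed.items():
        print(f"{user}: {record}")
    print("exposed by plaintext leak:", passwords_exposed_by_leak(PLAINTEXT_TABLE))
    print("exposed by hashed leak:   ", passwords_exposed_by_leak(hashed))
    print("alice logs in:", verify_password("hunter2", hashed["alice"]))
    print("wrong password:", verify_password("Hunter2", hashed["alice"]))
```

Run it and compare the two "exposed by" lines: the plaintext table gives up all three passwords, while the hashed table gives up none and still lets alice log in. Note that alice's and bob's records differ even though their passwords are identical, which is what the per-user salt buys you.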

As if it's not bad enough to have one of the companies heavily involved with Facebook apps proving that, while ignorance is curable, stupidity is a lifelong problem, Facebook is being besieged by a new variant of the Koobface worm. Hopefully by now (it was announced a week ago) all of the anti-virus vendors have updated their definitions - if yours hasn't, get a different A/V package. Hopefully all Facebook users have up-to-date anti-virus. Yeah, right. I'll believe that when I hit the lotto 3 weeks running.

The important details are that the worm is spread by placing a "Christmas video" on your wall. When you click on the video it loads "koobface.GK" and installs it. Then it pops up a captcha for you to solve. It won't go away until you solve the captcha, even if you shut down and restart. The captcha is actually the last step in creating a new Facebook account, which then proceeds to spread the worm further.

By their nature Facebook, MySpace, LinkedIn, etc. are high-risk, dangerous places. They encourage blind trust in the site, and in other users. Unfortunately that trust plays right into the hands of the bad guys. It is best to put as little information about yourself as possible on them, and to treat links on your wall the way you would treat links in email from people you don't know. Don't "friend" someone just because they know someone you do, and use as few apps as possible so you don't sell your friends out. Social networks are fun and a great way to stay in touch with old friends, but like a bazaar in Baghdad, it pays to keep your guard up while you're there.