privacy

Hurt ex gets six months for posting girl’s nude pics on Facebook

Posted on


(Credit: Chris Matyszczyk/CNET)

So many have experienced the pain.

She tells you she’s leaving. She tells you she’s taking her pots, her pans, and all her “Twilight” tomes.

You weep. You plug Nilsson’s “Without You” into your ears on permanent play. If it’s frightfully unexpected, your insides demand revenge.

One of the less good ideas, though, is to post nude pictures of her on his Facebook page. I mention this merely because an Australian man just got 6 months in the clinker for being something of a hurt stinker.

Ravshan “Ronnie” Usmanov, 20, posted six pictures of his ex “nude in certain positions and clearly showing her breasts and genitalia.” At least that’s was the Sydney Morning Herald’s reading of the court documents.

With less control than he might have chosen, he then e-mailed her to say “Hullo, darling. I miss you so much. Please come home.” Actually, no. What the court was told is that he wrote: “Some of your photos are now on Facebook.”MORE

Corrupt call center workers selling your private information for pennies

Posted on


 

Thief with secrets image courtesy of ShutterstockAccording to the Daily Mail an undercover investigation in India has uncovered that some call center workers have been selling confidential information on nearly 500,000 Britons.

Undercover reporters from The Sunday Times met with two individuals who claimed to be IT workers who offered to provide them with 45 different types of data gathered from the victims.

Information offered up included names, addresses, phone numbers and credit card details (including CCV/CVV codes and expiration dates).

The reporters allege they could purchase the records for as little as 2 pence apiece ($0.03 USD). One of the IT workersthieves bragged:

"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number."more

600,000+ compromised account logins every day on Facebook, official figures reveal

Posted on


If you’ve an unauthorised party has logged into your Facebook account, then you’re far from alone.

New official statistics revealed by the social networking giant reveal that 0.06% of the more than billion logins that they have each day are compromised.

Put another way, that’s more than 600,000 per day – or, if you really like to make your mind melt, one every 14 milliseconds.

Snippet of Facebook security infographic

The statistic was revealed in an infographic published alongside an official Facebook blog post trumpeting new security features introduced by the firm.

The new security features include Trusted friends (called “Guardian angels” in the infographic). Read the rest of this entry »

Google publishes web safety advice for ‘Good to Know’ campaign

Posted on


Google cartoon

Google has launched a campaign promoting online safety, in association with the UK’s Citizen’s Advice Bureau.

The campaign, which will include adverts in newspapers, on public transport and online, is being run with the hope of encouraging internet users to take more care over their online activities – including using more secure passwords, and remembering to log out of websites when they have finished using them.

Awareness campaigns about online safety like this are important, as it’s clear that most internet users are pretty clueless about how to best secure their computers and surf safely online.

This isn’t because the public is disinterested in protecting themselves, but due to the fact that many people simply don’t know where to turn, or how to translate complicated buzzwords, geek talk and terminology into simple easy-to-understand English.

So, campaigns like Google’s “Good to Know” one are a *good* thing, as they translate sometimes complicated safety advice into simple terms.

Google, of course, has an interest in people not turning their backs on the internet – it wants users to feel safer online, as that will ultimately increase the popularity of the internet and help Google grow.

GmailTo their credit, Google provides a number of technologies to help users defend their accounts from being hacked – but only a minority of users seem know about them. If you haven’t already done so, check out my advice on how to stop your Gmail account being hacked, for instance.

It’s notable that part of the “Good to Know” campaign appears designed to reassure internet users about the data that Google collects about them to provide its services.

The critical thing, however, will be what I call my “Aunty Hilda test”. If the only people who hear about this advertising campaign are people who are already techie geeks or people who work in information security then it will have failed.

If, however, my Aunty Hilda hears about the campaign – and genuinely learns something about how to protect herself online – then it truly will have succeeded.

With cybercrime and internet fraud on the increase – it’s never been more important to raise awareness and give people simple instructions on how to be safer on the net.

You can find out more about the “Good to Know” campaign atwww.google.co.uk/goodtoknow.

UK student loans targeted by phishers in latest spam campaign

Posted on


With British students about to start another year at university, the last thing they probably want to hear is that there is a problem with a student loan.

But that’s precisely the camouflage that online scammers are using to steal personal information today.

An email, claiming to come from Directgov UK, tells students that there is a problem with the online account for their student loan, and they need to update their account urgently.

Here’s a typical spammed-out message we’ve seen in our traps:

Student loan phishing attack

Subject:

Student Loan Update.

Message body:

Dear Student Finance Customer.

We at HM Government noticed your Student loan online log in details is incorrect and need to be updated.

DOWNLOAD THE ATTACHMENT TO UPDATE YOUR ACCOUNT NOW

Regards
Inline Verification. Directgov UK.

Attached file:

Student Loan Update.html

Clicking on the HTML attachment is not a good idea, however, as it will urge you to enter your details which are then sent via a website to the phishers.

Student loan phishing attack

Sophos products block the message as spam, and block the webpage that the HTML form is attempting to post the personal information.

Remember to always be suspicious of unsolicited attachments. Also, I would hope that a good student would have noticed the grammatical mistake in the phisher’s email..

Lady Gaga website stays strangely silent over database hack

Posted on


Lady Gaga hacked

A gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga’s UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.

The press reported that a source close to Lady Gaga said that she was:

"upset and hopes police get to the bottom of how this was allowed to happen"

If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn’t, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.

Although it’s right that the authorities should be informed regarding SwagSec’s illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans’ information?

Lady Gaga user database

Lady Gaga’s record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:

"The hackers took a content database dump from http://www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."

The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.

But although Universal says that it has contacted everyone who was affected – can they be confident that they know the extent of SwagSec’s hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.

Wouldn’t it be more open and transparent to have a message to fans of the Lady Gaga UK website, telling them all what occurred. I went looking and couldn’t find anything to warn the wider array of Lady Gaga fans.

You may remember that the SwagSec hacking group defaced Amy Winehouse’s website earlier this month as well.

One wonders what eccentric female troubadour they will target next..

Canadians increasingly defrauded by fake tech support phone calls

Posted on


Hand holding a phone

Naked Security has been hearing from our Canadian readers about more fake technical support calls trying to get people to infect themselves with fake anti-virus software, keyloggers and remote control software. That’s right, they are calling people on the telephone and trying to defraud them in numerous ways.

The fraudulent callers represent themselves as being from Microsoft, Telus (one of the traditional Canadian phone companies) and other brands believed to be trusted by the intended victims.

As we have reported previously the calls seem to originate from overseas call centres, but often use caller ID numbers that appear to be local. They likely are taking advantage of extremely cheap Voice Over IP technologies that allow them to purchase local phone numbers.

They falsely claim the user’s computer has been sending error messages to them and that they are calling to help fix their PCs. Their modus operandi varies, although the outcome is always the same: them stealing your money.

They usually offer to assist you through remote control software, often from legitimate vendors like LogMeIn. Once they are able to access your PC they will install fake anti-virus software or other malware and charge you for the privilege. This way they get two bites at the apple… Once for the technical support incident and another when you pay for the rogue security suite.

Telus logoThis has been common enough recently that Telus has posted an advisory on their website. Telus states that they are working with the Royal Canadian Mounted Police to trace the origin of the calls and recommend Telus customers who believe they have been defrauded call 310-2255.

A recent study by Microsoft showed that the average Canadian victim had $1560 USD stolen from their accounts. It is important to apply the same skepticism to incoming phone calls as you would apply to unsolicited emails or strangers ringing your doorbell.

Paul Ducklin and Sean Richmond of Sophos Australia recorded a podcastexplaining these scams and provide advice on how to avoid becoming a victim, I recommend listening to it and sharing it with your friends and family.

 

(05 November 2010, duration 6:15 minutes, size 4.5MBytes)

 

These attacks aren’t just affecting Canadians, we have had reports from Australia, the United Kingdom and the United States as well. Stay vigilant and remember, hanging up isn’t rude when someone is calling to scam you.

Thanks to Savio in SophosLabs Canada and Naked Security reader Lystra for contributing information to this story

Face Recognition and Facebook’s Recurring Privacy Problem

Posted on


Once again, Facebook has messed with users’ privacy in the name of a new feature.

 

The latest controversy is over Facebook facial recognition, which can automatically tag friends in photos just by matching the image to a massive database of faces.

 

Face recognition is a useful, time-saving feature — at least when it works. But it’s also a creepy addition to Facebook that opts you in automatically. As my colleague Sarah Jacobsson Purewal reported, you can only opt out of getting automatically tagged by friends. The database can still technically match your name to your face.

 

Therein lies Facebook’s big dilemma, the one that comes up time after time, with each new change to the site that demands more of users’ personal information: Yes, letting users opt-in to new features would be a more respectful approach. But because Facebook is inherently social — that is, it relies on the participation of many users — opt-in is much trickier to pull off. In some cases, it’s just impractical.

 

Take, for example, the “instant personalization” feature introduced last year. This allows partnering Websites to use and display information from your public Facebook profile, and from your friends’ public profiles. For example, if you write user reviews on Rotten Tomatoes or Yelp, your friends can see those reviews when they visit the site, provided they’re logged into Facebook. Had Facebook made this feature opt-in instead of opt-out, most people wouldn’t have bothered. That would defeat the purpose of personalization, which relies on having lots of recommendations from people you know.

 

A simpler example is Facebook’s broader attitude toward public vs. private information. In late 2009, Facebook made changes to its privacy settings to put an emphasis on “everyone,” so that users would share their status updates with the entire Internet by default. In making this change, Facebook was trying to be more like Twitter — a massive, ongoing, public conversation between lots of people, regardless of whether they’re friends or strangers. I like Twitter, and I understand by Facebook would want to make this change. But again, it only works if a critical mass of people are participating. That’s why the “Everyone” option for status updates is opt-out, rather than opt-in.

 

With facial recognition, Facebook faces the same dilemma. Facebook could give people the choice to opt in to its photo recognition database, but then how many people would bother? The whole point of Facebook facial recognition is to tag all of your friends in a photo without any manual work. If most of your friends aren’t participating, the feature is worthless.

 

I’m not defending Facebook’s actions, but I understand why the site behaves the way it does. As long as Facebook introduces new features, there will be new privacy snafus. Facial recognition wasn’t the first, and won’t be the last.

 

Follow Jared on Facebook and Twitter for even more tech news and commentary.