Facebook Graph Search: Welcome to the Phishing Pool
Facebook's privacy critics might have a point when it comes to the new Graph Search function, which security researchers warn could be used to amass information to be used in phishing campaigns. "It will simply help expedite and simplify creating a targeted social engineering attack," said Angel Grant, senior manager at RSA. "Think about how many of your Friends you really know."
01/21/13 7:00 AM PT
Facebook may have given phishers a reason to rejoice last week when it announced a new way to search for information about its billion members.
Graph Search allows a Facebook member to use semantic search to find and aggregate information about people on the social network.
Because Graph Search can return groups of people with similar interests in an organized way, it could become a phisher's best friend, according to Anup Ghosh, CEO of Invincea.
"It makes the job of researching targets easier because phishers don't have to depend on Google's noisy search results," he told TechNewsWorld. "It's not a game-changer, but it does make reconnaissance easier."
Graph Search can be used to craft Big Data offensives against organizations by allowing the mining of people, places, photos and interests, maintained Angel Grant, senior manager for authentication solutions at RSA.
"It will simply help expedite and simplify creating a targeted social-engineering attack," he told TechNewsWorld. "Although graph search was designed with privacy in mind, only allowing to see what you could already view on Facebook -- think about how many of your Friends you really know."
Java Deja Vu
The Java security team at Oracle must be starting to feel like they're participating in a game of Whack-a-Mole from hell. As soon as they plugged a serious flaw in the software on Sunday, an enterprising hacker began peddling another zero-day vulnerability on the black web.
"New Java 0day, selling to 2 people, 5k$ per person," the cracker wrote on an Underweb forum, according to cyber security writer Brian Krebs.
While there's no proof yet that another zero-day flaw exists in Java, the last vulnerability wasn't discovered until it had already started to appear in popular kits used to distribute malware. So if this Zero Day vulnerability does exist, it might not be discovered for some time and only after its done its damage.
The exploitability of another unpatched flaw in the Java plugin would not be a surprise," HD Moore, CSO of Rapid7, told TechNewsWorld. "The previously disclosed vulnerability had been given away, presumably after the original exploit developer no longer had any use for it. There is no reason to believe that the latest [Java Runtime Environment] is any less exploitable. The low price is another indication of how much effort is required to discover and exploit another flaw in the JRE."
When it comes to Java, there's only one safe course of action, Chris Astacio, manager of security research at Websense, told TechNewsWorld,. "If Java is not at all needed in an environment, then it should be removed."
'Red October' Fading Like Autumn Leaves
A high-level cyber espionage campaign dubbed "Red October" appears to be fading away.
The campaign's malware -- found to have infiltrated computer networks at diplomatic, governmental and scientific research organizations mostly in Eastern Europe, Central Asia and in former members of the USSR -- seems to be winding down its activities.
Kaspersky Lab exposed the campaign a week ago. It reported that Red October had been in operation for at least five years and that its infrastructure rivaled the complexity of Flame, a super malware program in the same class as Stuxnet, which disrupted Iran's nuclear development program.
It appears, though, that the spotlight Kaspersky shone on Red October was toxic to its operations. By week's end, security researchers were reporting the network's infrastructure was crumbling. Between Jan. 14 and 15, the infrastructure started to disappear, one Kaspersky malware fighter told Mashable. Domains associated with the campaign are being actively shut down, added another Kaspersky researcher.
The malnet's activity appears to be slowing down for a combination of reasons, according to Kaspersky. Companies affected by the malware are making efforts to shut it down. Registrars are axing domains associated with the bad net. Host companies are taking away the servers used to control the operation. And the Black Hats are turning off parts of the infrastructure in hopes of resurrecting it at a later date.
Data Breach Diary
- Jan. 15: British Columbia Health Minister Margaret MacDiarmid announces letters will be sent to some 38,000 people whose health information being used by researchers was compromised. Information did not include personal names, social insurance numbers or financial information, but did include personal health numbers, birth dates and postal codes.
- Jan. 16: Winnipeg Free Press reports that the Royal Canadian Mounted Police and the federal privacy commissioner are investigating data breach affecting 583,000 people resulting from hard drive discovered missing by Human Resources and Skills Development, Canada. The drive, missing since November 2012, contained names, birth dates, addresses, social insurance numbers and student loan balances for those with loans through the Canada Student Loan Program from 2000 to 2006.
- Jan. 17: Genesco, a US$2.3 billion retailer based in Nashville, Tenn., states in a filing with the U.S. Securities and Exchange Commission that it will vigorously oppose paying $15.6 million in damages credit card companies are seeking from the retailer for a digital criminal intrusion at Genesco for the credit card companies contend the retailer was partly liable.
- Jan. 17: An employee for a private contractor is fired for losing a thumb drive with names, ages and prescription information for 6,000 Medicaid recipients in Utah. Less than a year ago, a data breach at the state's Health Department exposed personal information for 780,000 Medicaid recipients, including Social Security numbers for 280,000 of them.
- Jan. 17: Bank Security Info reports restaurant chain Zaxby's has notified federal authorities that a breach of its computer and point-of-sale systems has so far affected 108 of its restaurants in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas. Malware and suspicious files have been discovered on computers at the affected locations. No information on the number of people affected by the breach was made public.
- Jan. 17: Cumberland, Maine, reports that it is investigating an incident where the names and Social Security numbers of 275 current and former town employees were posted to the municipality's website. The town is offering free credit monitoring for three months and legal counsel to those affected by the incident.
Upcoming Security Events
- Jan. 21: The Perfect Storm: Managing Identity & Access in the Cloud. 11:30 a.m. ET. Webinar sponsored by Bank Info Security. Free.
- Jan. 21: Optimizing and Safeguarding Your Data Network. 3:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
- Feb. 8-9: Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: $595.
- Feb. 24-25: BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
- Feb. 25-Mar. 1: RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: To Jan. 25, $1895. After Jan. 25, $2295.
- Mar. 12-15: Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Feb. 28, Euro 1295 (US$1711); Mar. 1-15, Euro 1495 ($US1975).