My experience on my daily works... helping others ease each other

Showing posts with label Privacy and Trust. Show all posts

Tuesday, August 13, 2013

Photos taken might pose a security threat to you

How serious is it?


However, I found out that this can only affect the user IF:
1. You combine your photos with a few other data sources such as Foursquare, Picasa, blogs, etc.
2. You mention something that can be used to indicate your location or surroundings.
3. You use current photo capture capabilities (with sound and GPS settings).
4. And a few other combinations of settings.
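The GPS setting in item 3 is the concrete mechanism: a phone with geotagging switched on writes the capture location into the photo's Exif metadata (a GPS IFD inside the JPEG APP1 segment), and it travels with the file when it is posted unless the uploading site strips it. The block below is an added example, not code from the original post: it builds a small constructed JPEG carrying Exif GPS tags, reads the coordinates back the way a stranger's metadata viewer would, and removes the APP1 segment before sharing. Only the Python standard library is used; the file layout and the sample coordinates are my own construction.

```python
import struct

TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types

def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample file: SOI | APP1 (Exif with a GPS IFD) | COM | EOI.
    Not a real camera file, but the Exif/TIFF layout is the standard one."""
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104   # fixed offsets inside the TIFF
    tiff = b"II" + struct.pack("<HI", 0x2A, ifd0_off)       # little-endian TIFF header
    tiff += struct.pack("<H", 1)                            # IFD0: one entry ...
    tiff += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)  # ... LONG -> GPS IFD offset
    tiff += struct.pack("<I", 0)                            # no next IFD
    tiff += struct.pack("<H", 4)                            # GPS IFD: four entries
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0"  # ASCII inline
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)    # 3 RATIONALs stored out of line
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
    tiff += struct.pack("<I", 0)
    assert len(tiff) == lat_off
    for deg, minute, sec in (lat_dms, lon_dms):             # seconds as n/100 like real cameras
        tiff += struct.pack("<IIIIII", deg, 1, minute, 1, sec * 100, 100)
    payload = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    comment = b"\xff\xfe" + struct.pack(">H", 2 + 7) + b"a photo"
    return b"\xff\xd8" + app1 + comment + b"\xff\xd9"

def split_segments(jpeg):
    """Split a JPEG into (marker, raw_bytes) pairs. Stops after SOS, since the
    entropy-coded scan that follows has no length field; the rest is kept as one blob."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [(0xD8, jpeg[:2])], 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                                  # EOI has no length
            segments.append((marker, jpeg[pos:pos + 2]))
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                                  # SOS: scan data follows
            segments.append((None, jpeg[pos:]))
            break
    return segments

def _read_ifd(tiff, off, bo):
    """Read one IFD into {tag: raw_value_bytes}; bo is '<' or '>' from the TIFF header."""
    entries = {}
    for i in range(struct.unpack(bo + "H", tiff[off:off + 2])[0]):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size, raw = TYPE_SIZES.get(typ, 1) * count, tiff[e + 8:e + 12]
        if size > 4:                                        # value lives at an offset
            val_off = struct.unpack(bo + "I", raw)[0]
            raw = tiff[val_off:val_off + size]
        entries[tag] = raw
    return entries

def _dms_to_decimal(raw, bo, ref):
    p = struct.unpack(bo + "IIIIII", raw)                   # deg, min, sec rationals
    value = p[0] / p[1] + p[2] / p[3] / 60 + p[4] / p[5] / 3600
    return -value if ref in ("S", "W") else value

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the Exif APP1 carries GPS tags, else None."""
    for marker, raw in split_segments(jpeg):
        if marker != 0xE1 or raw[4:10] != b"Exif\0\0":
            continue
        tiff = raw[10:]
        bo = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(bo + "I", ifd0[TAG_GPS_IFD])[0], bo)
        if GPS_LAT not in gps or GPS_LON not in gps:
            return None
        return (_dms_to_decimal(gps[GPS_LAT], bo, gps[GPS_LAT_REF][:1].decode()),
                _dms_to_decimal(gps[GPS_LON], bo, gps[GPS_LON_REF][:1].decode()))
    return None

def strip_app1(jpeg):
    """Drop every APP1 segment (Exif, and XMP which can also carry location) byte-for-byte."""
    return b"".join(raw for marker, raw in split_segments(jpeg) if marker != 0xE1)

if __name__ == "__main__":
    photo = build_geotagged_jpeg((3, 4, 30), "N", (101, 31, 0), "E")   # made-up coordinates
    print("as shot:  ", extract_gps(photo))
    print("stripped: ", extract_gps(strip_app1(photo)))
```

Dropping the whole APP1 segment also discards orientation, camera model and any XMP block, which is the safe choice before a public upload; a tool that wants to keep the rest would rewrite only the IFD0 entry for tag 0x8825. Real camera files may use a big-endian ("MM") TIFF header; the parser reads the byte order and the rational denominators from the file, so it is not tied to the sample's layout.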

Sunday, April 22, 2012

Websense 2012 Q1 Threat Report

The key findings:

  • 82% of malicious websites are hosted on compromised hosts. 
  • 55% of data-stealing malware communications are web-based.
  • 43% of Facebook activity is streaming media, including viral videos. 
  • 50% of malware redirects lead to the United States followed by Canada.
  • 60% of phishing attacks are hosted in the United States trailed by Canada. 
  • 74% of email is spam, compared to the previous year of 84%. 
  • Websense Labs has analyzed more than 200,000 Android apps and does see a noticeable quantity with malicious intent or permissions. 
  • Advanced threats can be described in six stages: lures, redirects, exploit kits, dropper files, call-home communications, and data theft. 
Read the full article at sacbee.com

Monday, December 26, 2011

35 Privacy Changes Facebook Must Make In Europe

Facebook and the Office of the Irish Data Protection Commissioner publicly released the results of a detailed three-month audit of the social network’s privacy policies in the European Union region, but what steps did the social network agree to implement?
Facebook’s European headquarters are in Dublin, Ireland, which explains why the authorities over there get to dictate the social network’s entire plan for the continent.
That said, here are the policy changes Facebook promised to make, grouped by the dates set as delivery goals.

Immediately

  1. Facebook is taking steps to limit data collection from social plug-ins, restricting access to such data, and moving to delete such data according to a retention schedule.
  2. Facebook will retain ad-click data for two years, and a review will occur in July 2010 to determine if further reductions in the retention period are necessary.
  3. Within 10 days of receiving data via social plug-ins, Facebook will remove the last octet of the IP address from social plug-in impression logs, and delete browser cookies set when users visit Facebook. The social network will also: delete data it receives and records through social plug-in impressions within 90 days; make all search data anonymous within six months; do the same for all ad-click data within two years, and significantly shorten the retention period for log-in information.
  4. Impression data received from social plug-ins will become anonymous within 10 days for logged-out users and non-users and deleted within 90 days. For logged-in users, those data will be aggregated or become anonymous within 90 days.

January, 2012

  1. Facebook will provide identifiable personal data about users or nonusers upon access requests within 40 days, and it committed to grant users easy and effective access to their personal information. Data will be added to tools including users’ profiles, activity logs, and download tools beginning in January.
  2. Facebook agreed to strengthen its single point-of-contact arrangements with law-enforcement authorities that request user data by mandating that all such requests be approved by a designated officer of a senior rank and recording that approval in the request. It will also require that the section of the standard form for such requests that asks why the requested user data is sought be fully completed, and it will re-examine its privacy policy to ensure consistency. The process will begin in January and be reviewed in July.

  3. Facebook will provide an additional form of notification for its tag suggest feature, appearing atop the page when users log in, which will disappear once users interact with it, or appear a total of three times for users who do not interact with it. More detail will be offered on how the tag suggest feature works, and this information will also be shown if users adjust their settings. The social network will also discuss any plans to extend tag suggestions beyond confirmed friends with the DPC before implementing any such changes.
  4. The authorization token granted to applications can be transferred between apps to allow second apps to access information not granted by users. Facebook will provide more messaging to developers highlighting its policy regarding sharing of authorization tokens, and it will investigate technical solutions to reduce risk of abuse. Notifications to app developers will be completed by the end of January, with an assessment of the issue and a solution by the end of the first quarter.
  5. Facebook will integrate user password resets by employees into its monitoring tools.

February, 2012

  1. Facebook will move the links to its data-use policy and other policy documents, as well as the help center, to the left side of the user’s homepage.
  2. Facebook recently changed its granular data permissions dialog box for applications to enable users to fully understand the permissions they are granting to third-party apps, and it’s expected to become fully available on all apps by February, with a further assessment in July.
  3. Facebook will further educate users on the importance of reading app privacy policies and will increase the size of the “report app” link in the dialog box.

First Quarter Of 2012

  1. Facebook will begin phasing in the ability for users to delete friend requests, pokes, tags, posts, and messages on a per-item basis, with the hopes of showing demonstrable progress by its review in July.
  2. Facebook will move the option to exercise control over social ads to users’ privacy settings from account settings, in order to improve accessibility and knowledge of the ability to block or control ads users do not wish to see again.
  3. Facebook will provide users with information on what happens to deleted or removed content, such as friend requests received, pokes, removed groups, and tags.
  4. Facebook will work with the DPC to simplify explanations of its data-use policy, identify a mechanism for users to choose how their personal data are used, and provide easier accessibility and prominence of these policies during and subsequent to registration, including the use of test-groups of users and non-users.
  5. Facebook will clarify its data-use policy to ensure full transparency.

  6. Facebook will provide additional information on how log-in activity from different browsers across different machines and devices is recorded in its revised data-use policy.
  7. Facebook agreed that it will no longer be possible for a user to be recorded as a member of a group without that user’s consent. Users will not be recorded as members until they accept invitations, and they will be able to easily leave groups.
  8. Facebook will work toward reviewing alternatives to mobile transmission of user data, as well as educating users about the fact that their details are transmitted in plain text when they synch their contact information from mobile devices.
  9. Even though it should be obvious to users that their synchronized data still exists after synching is disabled, Facebook will add text to that effect.
  10. Facebook immediately geo-blocked the major European Union domains so that messages from pages could not be sent to the vast majority of the social network’s EU users and nonusers, and will further refine information and warnings for businesses using the ability to upload up to 5,000 contact email addresses for page contact purposes.
  11. Facebook will add information to its policy clarifying that it acts as a data controller and information generated by use of Facebook Credits is linked to users’ accounts. The social network will also launch a privacy policy for its payments systems in approximately six months.

Second Quarter Of 2012

  1. When a friend of a user who installs an application has chosen to restrict what apps can access about them, apps cannot override this selection, but Facebook will examine alternative placements for app privacy controls to more easily enable users to make informed choices about what apps installed by friends can access personal data about them, and it will report back prior to July.
  2. Facebook will review the broader implications of a recommendation by the DPC that members be allowed to prevent tagging of themselves once they fully understand the potential loss of control and prior notification that comes with it.
  3. Facebook will review the broader implications of a recommendation by the DPC that it add functionality to inform users how broad an audience will be able to view their posts, and to notify them if profile settings are changed to make that post available to a greater audience.

July, 2012

  1. Facebook will work with the DPC to establish an acceptable retention period for data held in relation to inactive or deactivated accounts.
  2. Facebook will assess changes it has already implemented to its granular data permissions dialog box to enable users to choose who can see when they activate and use an app.
  3. Facebook is examining the technical feasibility of deploying a tool to check whether privacy policy links are live, and it will provide an update in July.
  4. Facebook will further refine its auditing and automated tools to monitor and take action against applications that breach platform policies, such as accessing user information other than where the user has granted an appropriate permission, and there will be a progress review in July.
  5. Facebook will continue to document policies and procedures in order to maintain consistency in security practices, and newly documented policies and procedures will be reviewed in July.
  6. Facebook is implementing a new access-provisioning tool that will allow more fine-grained control of employee access to user data, and it will thoroughly review the application and usage of the new token based tool in July.
  7. Facebook is working toward meeting the DPC’s objective that it irrevocably delete user accounts and data upon request within 40 days of receipt of the request, and it will review its progress in July.
  8. Facebook will take additional measures during the first half of 2012 to ensure that new products or uses of user data take full account of Irish data protection law, and it will have the procedures, practices, and capacity to comprehensively meet its obligations in this area in place by July.

To Be Determined

Facebook will meet with the DPC in advance of any plans to provide individuals’ profile pictures and names to third parties for advertising purposes, and users would have to provide their consent.

From http://www.allfacebook.com/facebook-privacy-europe-2011-12

Sunday, December 11, 2011

Analysis of ‘Operation Black Tulip’: Certificate authorities lose authority

The Agency (the European Network and Information Security Agency, ENISA) releases its analysis of the DigiNotar ‘Operation Black Tulip’ case, where a digital certificate authority suffered a cyber-attack.
In the attack, false certificates were created for hundreds of websites, including Google and Skype. Reports indicate that the cyber-attack started in mid-June, and that for two months, false certificates were used to eavesdrop on users in Iran. In its new analysis, the Agency identifies three major issues, and suggests remedies to these.

The Agency has analysed the ‘Operation Black Tulip’ cyber attack and issued recommendations on how to mitigate security concerns with certification authorities. 


Friday, December 9, 2011

Carrier IQ faces lawsuits, lawmaker seeks FTC probe

Three lawsuits in the United States allege privacy-law violations, a congressman asks the Federal Trade Commission to investigate, and activists seek Federal Communications Commission and Justice Department probes of mobile data-collection software.

"Carrier IQ, which programmer Trevor Eckhart alleges records keystrokes from mobile phones and sends all sorts of personal information off the phone. Carrier IQ denies that and says limited data is gathered for diagnostic purposes only"
"Nokia and BlackBerry maker Research in Motion say they do not pre-install Carrier IQ on their phones, while HTC, Samsung and Motorola say they pre-install it at the carrier's request. Google, meanwhile, says it does not use it on Nexus devices."


I said:

To all friends... you guys had better check your phones to see whether this app is installed, especially if you use mobile banking a lot or browse your email, etc., where lots of usernames and passwords are entered and passed around :)...

Saturday, December 3, 2011

Bill Gates: Trustworthy Computing

This is the e-mail Bill Gates sent to every full-time employee at Microsoft, in which he describes the company's new strategy emphasizing security in its products.
From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.

When we started work on Microsoft .NET more than two years ago, we set a new direction for the company -- and articulated a new way to think about our software. Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services. We're driving the XML Web services standards so that systems from all vendors can share information, while working to make Windows the best client and server for this new era.

There is a lot of excitement about what this architecture makes possible. It allows the dreams about e-business that have been hyped over the last few years to become a reality. It enables people to collaborate in new ways, including how they read, communicate, share annotations, analyze information and meet.
However, even more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony.

Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this, ranging from the individual user who isn't willing to add a new application because it might destabilize their system, to a corporation that moves slowly to embrace e-business because today's platforms don't make the grade.

The events of last year -- from September's terrorist attacks to a number of malicious and highly publicized computer viruses -- reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems.

Computing is already an important part of many people's lives. Within 10 years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.

Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched -- but as an industry leader we can and must do better. Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it.
No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around .NET that we can achieve this. The key design decisions we made around .NET include the advances we need to deliver on this vision. Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code, so it is a key foundation element.

I've spent the past few months working with Craig Mundie's group and others across the company to define what achieving Trustworthy Computing will entail, and to focus our efforts on building trust into every one of our products and services. Key aspects include:
Availability: Our products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.

Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.

Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information including controlling the use of email they send.

Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving "five-nines" availability. It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services. It's about smart software, services and industry-wide cooperation.

There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level -- from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company.
In recent months, we've stepped up programs and services that help us create better software and increase security for our customers. Last fall, we launched the Strategic Technology Protection Program, making software like IIS and Windows .NET Server secure by default, and educating our customers on how to get -- and stay -- secure. The error-reporting features built into Office XP and Windows XP are giving us a clear view of how to raise the level of reliability. The Office team is focused on training and processes that will anticipate and prevent security problems.

In December, the Visual Studio .NET team conducted a comprehensive review of every aspect of their product for potential security issues. We will be conducting similarly intensive reviews in the Windows division and throughout the company in the coming months.

At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like Writing Secure Code, by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up. In addition, we must have even more highly trained sales, service and support people, along with offerings such as security assessments and broad security solutions. I encourage everyone at Microsoft to look at what we've done so far and think about how they can contribute.

But we need to go much further.

In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software.

So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid e-mail-borne viruses. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.

Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.

This priority touches on all the software work we do. By delivering on Trustworthy Computing, customers will get dramatically more value out of our advances than they have in the past. The challenge here is one that Microsoft is uniquely suited to solve.

More discussion of our vision for Trustworthy Computing is in the internal white paper.

Bill

Copied from http://www.wired.com/techbiz/media/news/2002/01/49826

Friday, April 8, 2011

Google unveils '+1' button to rival Facebook 'Like'

Search giant launches social button that allows users to recommend and share search results, but market watcher says latest social media attempt unlikely to succeed.

I do agree with those people. Although it is a good initiative, there are a few things that need to be clarified and further improved before it becomes a successful project. Google needs to ensure that the implementation will not violate the privacy and data confidentiality of its users.

Friday, December 10, 2010

Google Chrome Notebook - Is it safe?

I received a video from a friend of mine via Facebook. It was about the Google Chrome Notebook. Here is the video



What I would like to discuss here is the security concern when using this. No doubt it will save us a lot: no more worries about losing unfinished work when your machine crashes, no worries about carrying an extra hard disk to store your data, and no worries about where to get your data when you are on vacation. The only thing you need to ensure is a very good internet connection (stable and high bandwidth), which here in Malaysia is still far from being achieved (I'll discuss this in another post).

What concerns me, as one of the people involved in information security, is the security issues related to using the Chrome Notebook. What about our privacy and data protection? How safe are we? How far can we trust Google not to leak our data to others? How safe is Google, and how strongly does Google protect our data from being hacked, exploited, or accessed by unwanted users? Will Google be able to handle tons of data? How good and reliable is the Chrome Notebook?

These are a few basic questions that circled my thoughts when I first saw this video. When Facebook came into the picture there were security concerns, and there still are, as Facebook never blocked other people from copying pictures they found on Facebook. What do you think about Chrome? Will Chrome have the ability to prevent others from cutting and pasting your documents into theirs?

These are basic security issues that Chrome MUST address first, or at least that people who intend to use the Chrome Notebook should think about and reconsider before making such a decision. It is Mobility, Flexibility, Cost Saving, and Availability versus Privacy, Trust, and Data Protection.

Friday, November 19, 2010

WiTopia - Is it safe?

I read a recent article on protecting yourself from Firesheep (a Firefox add-on that was meant for good but is becoming a tool for hackers). Read the article here.

The author then links that article to another one he wrote at blog.techrepublic. There he explains how WiTopia could provide a secure tunnel between the client and the server the client wishes to connect to or communicate with.

However, the author forgets something here: TRUST between both parties. The question is, CAN WE TRUST WiTopia to keep all our confidential information, such as usernames and passwords? Compare this to RIM, which provides such a service for its BlackBerry phones, whereby all information from the devices (email, etc.) is stored on its servers located in Canada (and a few other places). There was great concern about their security and trustworthiness, and a few countries requested that the servers be located in their own country rather than outside.

So can we trust WiTopia to keep our secrets? Is WiTopia safe from being attacked or hacked? How can we ensure that? WiTopia will decrypt our request, relay it to the requested site/server, get the response, and relay it back to us in encrypted form. It may be secure between the client and the WiTopia server, but beyond that it is no longer secure. That is in terms of Trust.

What about Privacy? Should we trust the service provider with all our private data being decrypted and visible on its server? How does WiTopia protect our secrecy and privacy? Is there a possibility of leakage, or is it fully protected so that even WiTopia's developers or system administrators don't know what is happening (which is impossible if they ever need to do tracing, maintenance, or bug fixing)?

These are great concerns to weigh before you proceed with the author's advice. I'm not saying that using WiTopia will not help you secure yourself when using wireless devices, but please do get complete information on how WiTopia works before making such a decision.
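The point about the tunnel ending at WiTopia's server is the one worth being precise about: a VPN encrypts the hop between you and the provider, and nothing else. What Firesheep actually harvested was session cookies that sites sent over plain HTTP without the Secure flag, so anyone on the open Wi-Fi segment could replay them; with a VPN that observer simply moves to the provider's exit and to every network beyond it, and only the site's own use of HTTPS with Secure cookies removes the exposure. The block below is an added example, not the author's or WiTopia's code: it parses constructed Set-Cookie headers, reports which cookies a browser would put on the wire in the clear, shows which hop can read them with and without a VPN, and rewrites the header with the Secure and HttpOnly flags, the site-side fix that holds regardless of who runs the tunnel. The session-name heuristic and the sample headers are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristic for names that usually carry a login session; not a standard list.
SESSION_HINT = re.compile(r"sess|sid|auth|token|login", re.I)

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)   # lower-cased attribute -> value or None

    @property
    def secure(self):
        return "secure" in self.attrs

    @property
    def httponly(self):
        return "httponly" in self.attrs

def parse_set_cookie(header):
    """Parse one Set-Cookie header value: 'name=value; Attr; Attr=val ...'."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or None
    return Cookie(name.strip(), value.strip(), attrs)

def exposed_cookies(set_cookie_headers, request_scheme):
    """Cookies the browser would send in cleartext on a later request over request_scheme.
    Over https nothing is readable on the wire; over http every cookie lacking Secure goes
    out in the clear, which is what Firesheep harvested on open Wi-Fi."""
    if request_scheme == "https":
        return []
    return [c for c in map(parse_set_cookie, set_cookie_headers) if not c.secure]

def who_sees_the_session(set_cookie_headers, request_scheme, vpn):
    """Which hop can read the session cookies: 'wifi' is the open-access-point segment,
    'vpn_exit' the VPN provider's server, 'internet' the provider-to-site leg.
    A VPN only blinds the first hop; the provider and everything past it still see
    whatever the site itself lets the browser send in the clear."""
    leaked = [c.name for c in exposed_cookies(set_cookie_headers, request_scheme)
              if SESSION_HINT.search(c.name)]
    return {"wifi": [] if vpn else leaked,
            "vpn_exit": leaked if vpn else [],
            "internet": leaked}

def harden_set_cookie(header):
    """Server-side fix: add Secure (never sent over http) and HttpOnly (not readable by
    script) where missing. This closes the exposure on every hop, VPN or not."""
    c = parse_set_cookie(header)
    missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in c.attrs]
    return header.rstrip("; ") + "".join("; " + f for f in missing)

SAMPLE_RESPONSE_HEADERS = [   # constructed, not captured from any real site
    "sessionid=3f9a7c2e1d; Path=/; HttpOnly",
    "csrftoken=9b1e; Path=/; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for vpn in (False, True):
        print("vpn" if vpn else "no vpn", who_sees_the_session(SAMPLE_RESPONSE_HEADERS, "http", vpn))
    print([harden_set_cookie(h) for h in SAMPLE_RESPONSE_HEADERS])
```

On the sample headers `sessionid` is the cookie Firesheep would take: it is HttpOnly, which stops script, but not Secure, so it rides along on any http:// request. The VPN moves that observation point rather than removing it; the hardened header does remove it, and a browser will then refuse to send the cookie unless the connection is TLS.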

About Me

Somewhere, Selangor, Malaysia
In IT by profession, a beginner in photography
