Victim of some Facebook Phishing

Today I became a victim of some Facebook credentials phishing. I received an instant message from one of my Facebook contacts containing a video. When trying to play the video I got prompted to enter my Facebook credentials. After having done this … my credentials went into the wrong hands. And it became obvious that this video was not from my contact.
This happened on my smartphone. I believe on a PC this never would have happened to me because there are many means to cross-check URLs and links and other things to detect phishing. On a mobile device it is much harder. The login screen really looked authentic.
The result was: many dubious videos sent to all my contacts. In the meantime Facebook right away locked my account because they detected suspicious behavior. I also read (too late) the warning on Facebook from the contact who had sent me the malicious message, saying that her account had been compromised.
I unlocked my Facebook account by setting a new password and acknowledging a confirmation code; Facebook did quite a good job of detecting the problem and taking me through the steps to resolve it. I then posted a warning on my Facebook page and also sent warning messages to most of my contacts; luckily I have less than 100.
Interestingly, my Chrome browser on one of my laptops later on insisted on downloading a Malicious Software Removal tool from Facebook, which right away was blocked by my virus scanner. This happened while Facebook was working fine in my Firefox browser. I found a very helpful hint here (see comment #3 in this lengthy article) on how to overcome this strange behavior and enable Facebook again in my Chrome browser.


My favorites for week 19, 2011

Something to laugh: my favorite comic strip of the week about communication in modern times

Something to watch: my favorite video clip of the week about a real bad joke with Windows XP

You have a fellow worker next to you who always leaves his PC unlocked when leaving his desk? Here is your opportunity to play a real bad trick on him. It can be done in a minute or so; maybe try it on your own PC first.

I recommend not letting your victim suffer for too long; he might go crazy about this soon. Get him some help after a few minutes at the latest; it may be a good way to earn a free coffee. And whatever you do, never ever mention that you found this in my blog!

Something to enjoy: my favorite photo on flickr under a Creative Commons license about Acadia NP

"Frenchman Bay in Acadia NP" by axel_magard.

Let me feature one of my own photos here this week from Acadia NP, where my wife and I were in 1997. Just this week I scanned in more of my slides with my CanoScan 5600F, and here is one: “Frenchman Bay in Acadia NP”.

Something to surprise: my favorite "I really didn’t know this" of the week about infected computers in Germany

Did you know that

  • 5.3 of 1000 computers in Germany were infected with malware in the 4th quarter of 2010.
  • These are twice as many as one year before.
  • However, Germany is still below the world-wide average of 8.7 of 1000 infected computers.

Source: heise online article “Microsoft: Zahl der infizierten Rechner in Deutschland verdoppelt”

My favorites for week 18, 2011

Something to laugh: my favorite comic strip of the week about tail chasing and big fish

Let me show you some real silly comics this week from B.C. and Garfield which don’t need any further commentary…

 

Something to watch: my favorite video clip of the week about funny signs

The world is full of funny signs. And funny software error messages of course. Anyway, here is a nice compilation of funny signs in “weird things in the world”:

Something to enjoy: my favorite photo on flickr under a Creative Commons license about a place in Lhasa

"Potala Palace, Lhasa" by ddanforth.

My wife was in Lhasa a couple of years ago when she did a great hike from Jiri to the Mount Everest Base Camp.

Something to surprise: my favorite "I really didn’t know this" of the week about internet crime in Germany

This morning in my newspaper …

Did you know that

  • 7 % of German internet users (= 3.5 million) already experienced their account data for one of their online services being stolen,
  • 5 % of German internet users (= 2.5 million) experienced some financial loss because of this,
  • 4 % of German internet users said they will stop shopping in the web because of the recent data theft case at Sony, 23 % feel unsafe now when using online services.

Source: “Allgemeine Zeitung for Friday, May 6th, 2011”, survey by Bitkom. Also I am reading on their German web site that 37 % of internet users share their password with someone else.

Something to talk about: my favorite quote of the week about computers

Part of the inhumanity of the computer is that, once it is competently programmed and working smoothly, it is completely honest.

We could add: … once it is competently programmed and working smoothly, it is outdated and needs to be replaced.

My favorites for week 16, 2011

Something to laugh: my favorite comic strip of the week about Easter

Happy Easter Weekend!

Something to enjoy: my favorite photo on flickr under a Creative Commons license about snakes

"4" Night Snake" by jbviper1.

Jerry B. aka jbviper1 has a nice collection of snake photos in his photo stream. Look at that beautiful Night Snake. Well, beautiful in some sense; I wouldn’t want to run into it actually, since I am a bit scared of snakes.

Something to talk about: my favorite quote of the week about writing

It is not a bad idea to get in the habit of writing down one’s thoughts. It saves one having to bother anyone else with them.

… unless you write them down in your blog.

How to overcome a major Ajax limitation ….

Call it a limitation, call it a security measure: it’s usually one and the same, a security measure on one side but an annoying limitation on the other. Wouldn’t it be nice if you could just step into your house without having to search for your keys? Wouldn’t it be nice if you could just open up your e-mail or enter any other application without having to remember any password? Wouldn’t it be nice if you could just insert your credit card into a teller machine and get your money spit out without the extra step of recalling your PIN code and typing it in on that sticky keyboard?

Well, that’s not how it works. The world out there is evil and not all people are good guys, that’s why we need security, also in the area of information technology.

Ajax – the powerful technique to dynamically add content to your web page – has security measures, aka limitations, as well: you cannot actually pull data from a different server behind the scenes, only from your own. As Steven Holzner wrote in chapter 3 “Creating Ajax Applications” in his book “Ajax: A Beginner’s Guide”:

However, here’s one thing to note: if the URL you connect to, such as http://www.starpowder.com/data.php, and the Ajax-enabled page (ajax.html here) that’s attempting to download that URL are on different servers, you’re going to have a security problem. If your Ajax-enabled page attempts to download data behind the scenes from a different server, your browser is going to suspect that something underhanded is going on, and will ask permission from the user, via a dialog box, before proceeding.

I actually noticed that when, for instance, using Ajax through jQuery (doing a $.get or $.post call), accessing data from a different server does not work at all; I do not even get any dialog displayed by my browser. This might be related to some security settings in my browser (Firefox it is in this case) or the fact that I use jQuery to do an Ajax request. When using Firebug to debug my request I see that it turns red and shows a 200 return code. 200 actually would mean everything is OK, but the red color indicates that it is not. Anyhow, I don’t get any data from this request.

To overcome this limitation some server side programming is needed to actually let some code on your server pull data from a different server and then send it to your browser side application. I have written a very simple server using Perl:

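    #! c:\perl\bin\perl.exe
    # on Unix use instead: #!/usr/bin/perl

    use strict;
    use warnings;
    use LWP::Simple;    # provides get()

    # CGI header: the relayed page is sent back as HTML
    print "Content-type: text/html\n\n";

    # Each command-line argument is a URL to fetch and relay
    foreach my $url (@ARGV) {
        my $html = get($url);
        # get() returns undef on failure and does not set $!
        die "Could not fetch $url\n" unless defined $html;
        print $html;
    }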

If my jQuery $.get call now calls this Perl script and passes it the URL of the page I actually want to access, everything works fine. Steven Holzner has published some PHP code in chapter 4 of his book to do the very same thing.

Cookies

Cookies are files containing information about visited web sites which are stored locally on your computer. When you use an online shop, for instance, they allow the products you would like to purchase to be stored in a virtual shopping cart. They also allow your “surf behavior” to be stored: what you clicked on, where you came from, and what else you clicked on. This data can be used by service providers to draw a profile of your way through the internet and their sites, to study what you are interested in, what you read, what you purchase, and what “purchasing patterns” you have.
Sometimes cookies are beneficial for you. For some sites, like your blog host, social network profile host, file/photo/video sharing service or some other site you visit regularly, cookies might give you some convenience by speeding up the login procedure and automatically recognizing you when you come back. For many other sites you would prefer to protect your privacy and not leave any traces on your computer that allow those sites to recognize you when you come back and to generate profiles about you, for instance to bombard you with more “customized” advertisements.

Modern browsers like Firefox allow you to disable cookies altogether (check off “Allow cookies from sites”). This is probably the most secure way to protect your privacy but the least convenient. Some web sites you want to visit might not work at all. The next best solution would be to delete cookies when closing the browser. This is quite a recommended setting and is possible in Firefox through the Privacy dialog you get when invoking Tools->Options (“Keep cookies until I close Firefox”).

Now, since you actually might want to keep cookies from some sites you trust to make surfing to those sites more convenient, as I described above, a smarter solution is to use one of the many cookie handling extensions available for Firefox. The one I am using and can recommend is “View Cookies CS”.

First of all it is a nice tool to keep track of what cookies a particular site is storing on your computer (by selecting the “Current Website” option from the drop down) instead of showing all cookies. It also allows you to delete those cookies for a particular web site.
Another very useful feature is the capability to export and import cookies from/to a file. And here is how I use this:

  1. First of all I deleted all cookies.
  2. Then I started visiting those sites I trust and exported cookies into a file.
  3. Every time I have the feeling that there are too many cookies on my computer from sites I don’t trust I simply purge them all and import my file with cookies from sites I trust. When visiting a suspicious site I check “their” cookies with “View Cookies CS” and purge them.
  4. When I notice some time later that I hit a site which I actually trust, but which does not recognize me anymore because I deleted its cookies, I do the following:
    1. Delete all my cookies
    2. Import my cookie file with cookies from trusted sites
    3. Sign on to this additional site I trust
    4. Export again all my cookies overwriting my cookie file

That way I keep building a file of cookies from trusted sites and have better control of what cookies from what sites I like to keep permanently.