In an open letter [PDF] addressed to Facebook CEO Mark Zuckerberg, 10 privacy groups such as ACLU of Northern California, Center for Democracy and Technology, Center for Digital Democracy, just to name a few, have expressed their Facebook privacy worries connected to some of the user controls found on the users’ profiles.

In fact, the issues highlighted in the letter are not the first time that being caused numerous privacy complaints, but fortunately this is the first time a total amount of 10 reputable privacy groups have put their voices in such an open letter.

Inevitably, the issues written down on the letter is quite accurate description of the privacy worries with Facebook at this moment. As discussed in the letter, the following issues should be fixed in order to make Facebook realize that the user privacy preservation is as much important as the overall market capitalization of Facebook.

Some excerpts of the letter:

1) Fix the “app gap” by empowering users to decide exactly which applications can access their personal information.

6) Provide users with simple tools for exporting their uploaded content and the details of their social network so that users who are no longer comfortable with Facebook’s policies and want to leave for another social network service do not have to choose between safeguarding their privacy and staying connected to their friends.

Fortunately, we know that Facebook has taken some action for its user commitment by launching a simplified version of privacy settings. However, simplified version of privacy control doesn’t mean that Facebook is creating a privacy-protective default settings for all of its users. And thus, most users will continue to believe that privacy control settings is still not the primary concern of Facebook, at least for this particular moment.

As announced in Facebook’s official blog, they have introduced two main new security features to further protect their user accounts from hackers and scammers.

From now on, users can choose to be notified when their accounts are being accessed from the computers or mobile devices they haven’t used before. Should Facebook detect any suspicious login with the user account, they will ask the person to name the device name, in addition to send an email notification to the account holder as a warning message.

However, to enable this new Facebook security feature, Facebook users have to log-in to their accounts and manually configure the following setting:

1) Log in and click on “Account” at the top right of the page

2) Then on account page, click on “Settings”

3) On the Account Settings page, click on “Account Security”

4) The last step is to change the selection from No to Yes, as shown in the below picture.

Meanwhile, they also add a new layer of security that works at the personal security question; whenever there is a suspicious login, Facebook will prompt the person for identity confirmation.

In fact, the back-end mechanism of these features is targeting at the IP level to automatically match the IP address of one logged in to Facebook, and hopefully these new additions can help to further protect Facebook users from malicious individuals.

If you came across an email asking you to download the Facebook toolbar, with the email heading, i.e. Try the New Facebook Toolbar! Please delete it straight away.

As shown in the below picture, it is clear that the virus authors are using a subtle way to lure potential victims into downloading a toolbar. Perhaps, download the new Facebook toolbar will get users a better way to share and connect with friends is more tempting than anything else.

The email also comes with an executable file, i.e. toolbar.exe. This toolbar.exe is presented itself with an icon of a black ball with “darkSector” written on it and it is detected as a Trojan.Dropper by Symantec.

Typically, Trojan.Dropper is a standalone program that drops different type of standalone malware (trojans, worms, backdoors) to a system. Once executed, it will extract all files it contained to some folder (usually temporary folder) and runs all of them simultaneously. In many cases, Trojan-Droppers also drop and executes to display games, images or messages, which serve as decoys to avert attention from malicious activities.

According to Australian ABC News, Facebook is now examining its accounts of users whose passwords have been hacked by a Russian hacker.

The hacker who called himself Kirllos claimed to have the account details amounted to 1.5 million Facebook users. What’s more, the hacker is offering to sell the login details of accounts hacked by him for a price in between US$25 and US$45 per batch as 1,000 user logins stands for one batch.

In the meantime, Facebook is urging its users who feel their accounts are compromised to follow steps on its security page.

“We’re investigating the accounts in question so that we can block access to any that might be compromised and restore them to their rightful owners,” spokeswoman Maureen O’Hara said.

“We invest heavily in helping people keep their accounts secure and have a team of security professionals who investigate specific attacks on our users and work with law enforcement to pursue those responsible.”

Ironically, it seems the Facebook account selling was not started on this month, but months ago when the hacker registered his account in one of the forums in Russia namely Antichat.ru on last December. There are few topic forums found on that forum with a heading, i.e. “[Sell] Facebook” and batch by batch of Facebook accounts hacked have been posted by kirllos from 2nd January to 8th February in this year.

Sadly, this kind of incident should not be happened on Facebook. The reality is that there are still many, and many users do not aware of how important of keeping their accounts safe.

In this matter, users are advised to be wary of logging onto their Facebook accounts other than the official Facebook page, i.e. facebook.com domain.

In addition, it’s a good practice to use version updated Web browser when facebooking on the Web, and choose the unique logins and passwords for each of the different Web sites you used. Also, be cautious of any message, post, or link that looks suspicious or requires an additional login, even if it is coming from a friend.

As cyber criminals are increasingly targeting Facebook, security issue has became the number one concern on Facebook, and the users or firms that used Facebook for social networking.

As seen in several reports published on the Web recently, the types and severity of the Facebook attacks are expected to be risen in this year 2010.

Here are few reports for your perusal from everything security threats that can open your eyes to a different aspect of the Facebook security issues.

1) Sophos Security Threats Report: 2010 [PDF]

Some excerpts:

According to a Sophos survey conducted in December 2009, 60% of respondents believe that Facebook presents the biggest security risk of the social networking sites, significantly ahead of MySpace, Twitter and LinkedIn.

Source: available at http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf, accessed 11 February 2010

Meanwhile, Sophos also said that reports by companies of spam and malware derived from social networks such as Facebook, MySpace and Twitter were up 70 percent from a year earlier.

2) McAfee 2010 Threat Predictions [PDF]

Some excerpts:

With Facebook reaching more than 350 million users, we expect that 2010 will take these trends to new heights.

The explosion of applications on Facebook and other services will be an ideal vector for cybercriminals, who will take advantage of friends trusting friends to click links they might otherwise treat cautiously.

3) Cisco 2009 Annual Security Report [PDF]

Some excerpts:

Social networking site Facebook reports that from August 2008 to December 2009, its active user base more than tripled, from 100 million to 350 million. As Cisco has continued to report, criminals migrate attacks to where their victims are. They have wasted no time targeting this huge audience, and they are creating more sophisticated ways to take advantage of the trust users place in social media. The Koobface worm, first detected on social networking websites such as Facebook in 2008, appeared again in 2009, when yet more variants of the malicious software popped up on Twitter, the microblogging service. Estimates indicate that almost 3 million computers have been infected with Koobface.

There will be more attacks on Facebook especially now it has reached 350 million accounts and its growth doesn’t show any sign of slowing. Although it is true that many of us prefer to use Facebook instead of other social networks due to its popularity, but a site called Seppukoo is offering Facebook users a way out of it.

Seppukoo, the site named after Seppuku, i.e. 切腹, stomach-cutting, the suicide with honor of ancient Japanese samurai. And predictably, the founding of Seppukoo is also about suicide, but to assist the Facebook users in committing virtual identity suicide through accounts deactivation. As the Seppuku restores samurai’s honor as a warrior, Seppukoo deals with the liberation of the digital body, the site says.

Aha. This seems like a bad idea. Remember my post on the “Practise Suicide Groups” and how I urge Facebook to ban the word “suicide 自殺” when someone creating a Facebook group.

In particular, Seppukoo offers Facebook users to pass away and leave their Facebook IDs behind and join the worldwide suicidal network, as the site says. Additionally, Seppukoo will also feature a RIP memorial page and send the page to all their friends that left behind on Facebook.

To go Seppukoo, you must enter your Facebook credentials, and choose the memorial page template, compose the “last words” before your Facebook account is deactivated. Meanwhile, you earn point when you influence your Facebook friends go Seppukoo; with Seppukoo it’s not important how many friends you have, but how much you may influence them, the site says.

For Facebook, this is an attack attempting to direct the curious of virtual suicide towards the end of social networking activities. However, the latest update is that Facebook has blocked Seppukoo. Once the users enter their Facebook credentials, they will receive a pop-up message as below.

Picture 1:

Picture 2:

Phishing campaigns on social networks are not new. The scammers are not satisfied only for pushing spam to sell “Canadian” pills. Now they are using all sorts of phishing campaigns to steal your Facebook password, and constantly change their tactics such as trick the users to download a keylogger so that they can collect your credit card numbers, and etc.

Now the main issue is, how can you tell if your personal information is being phished in Facebook? Here are some useful tips provided by TrendMicro:

- Check the email’s content. Misspellings and grammatical mistakes are very common in spammed messages.

- Check the sender’s email address. A legitimate Facebook email sender will have a facebook.com and not a facebookmail.com address.

Don’t be misled. Facebook Wall strongly advise that you follow the aforesaid tips and stay safe when networking with all your friends in Facebook.

In an ongoing battle against spam or any abuse, Facebook has included a “Report” feature for the profile, page or group which users are allowed to file an abuse report. When clicked, this particular abuse reporting will immediately be submitted to the Facebook user operation team members and the aforesaid action will be filed for further review.

To-date, Facebook users are not only allowed to report user, page or group, it has updated the site and gave its users to quickly report any offensive photo and video. According to a blog post of Facebook, “We created much more granular reporting categories for you to classify the issues you may come across including bullying or unwanted contact from other people on the site. We also added new fields where you can detail the location of abuse that occurs in videos or text.”

For video, users now can tell Facebook the specific time during the video when the abuse occurs. But in contrast to the note reporting, users can copy and paste the offensive text directly from the source.

In fact, as far as the reason of reporting is concerned, the categories for the reason will vary solely depend on what a user is reporting on. For instance, when reporting an offensive photo, users can select from the following reasons: nudity or pornography, drug use, excessive gore or violence, attacks individual or group, advertisement or spam or infringes on your intellectual property. However, Facebook will not remove a photo or video simply because it’s unflattering.

As Jessica Ghastin wrote in the Facebook blog, “The information you provide helps our international team of professional reviewers prioritize reports and know what they’re looking for when reviewing the content.”

Nevertheless, learn to locate the “report” link (it’s in the bottom of the left-hand sidebar), and use this abuse reporting feature as it can help to protect the site integrity. Hopefully, this can be another key feature in alleviating the spam problem in Facebook.

From a security threat standpoint, Facebook users do not take the appropriate steps to fend off various security challenges can cause their computers vulnerable to all sort of problems. In tandem of the declaration of “National Cybersecurity Awareness Month” by The White House, the Internet Crime Complaint Center (IC3), which is a partnership between the FBI and the National White Collar Crime Center, has highlighted certain tips in order to practice safe online social networking.

On the statement, IC3 provided some tips to mitigate the social networking problems such as adjust Web site privacy settings, be selective of your friends, or disable options and then open them one by one such as texting and photo sharing, capabilities, and etc.

In addition, IC3 said cyber criminals are also using spam to promote phishing sites, claiming a violation of terms of service or some other issues which need to be resolved. Other spam attempts are in the forms of getting users to download an application or view a video.

Meanwhile, there have been nearly 3,200 reports of account hijackings since 2006, according to a FBI press release.

To help users fight back against scammer, phishing and identity theft, one of the most used and accessed sites on the Web Facebook has taken a new security measures with an aim to reduce the amount of compromised accounts with a suspicious activity page.

Jake Brill, a project manager for the site integrity team at Facebook, wrote on the Facebook blog: “We’ve spent the last few months improving the way to guide people through the process of regaining access to their account after it’s been compromised and used to send spam. Currently, we send emails explaining what happened and provide links to remedy the situation. Now we’re moving towards a new model that also involves clear and simple steps taken within Facebook itself. In doing so, we can ensure that the person logging in is the true owner of the account, thereby preventing hackers from using it to send spam in the future.”

“Going forward, we’ll continue to send a notification email to the tiny percentage of people whose Facebook accounts have been compromised. What’s new is that when these people try to access the site, they’ll first see a page explaining what happened.”

Meanwhile, a recent survey by Webroot has revealed the social networkers’ risky behaviors, among them are:

Two-thirds of respondents don’t restrict any details of their personal profile from being visible through a public search engine like Google;

Over one third use the same password across multiple sites; and
One quarter accept “friend requests” from strangers.