


Two from Tech: Facebook gets info from logged-out users; hacked MySQL.com issued Windows malware!

This weekend, a hacker called Nik Cubrilovic said that Facebook seemed to be sucking in data even from those who had logged out, tracking every page they visit, because logged-out requests still send NINE different cookies, including the most important cookies that identify you as a user! Nik cites an article by Dave Winer entitled “Facebook is scaring me.” Winer says:

“People joke that privacy is over, but I don’t think they imagined that the disclosures would be so proactive. They are seeking out information to report about you. That’s different from showing people a picture that you posted yourself. If this were the government we’d be talking about the Fourth Amendment.”

I am personally not at all sure that we are NOT talking about the government. The government uses a lot of existing corporations, and sets up a few of its own. Facebook, for its part, asks us to “trust them.”

A person who identified himself as a Facebook engineer, Gregg Stefancik, responded to Cubrilovic’s article about the persistent cookies with a detailed response that included the following:

‘Said more plainly, our cookies aren’t used for tracking. They just aren’t. Instead, we use our cookies to either provide custom content (e.g. your friend’s likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimize performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location).

The logged out cookies, specifically, are used primarily for safety and security protections, including:

– Identifying and disabling spammers and phishers

– Disabling registration if an underage user tries to re-register with a different birth date

– Helping people recover hacked accounts

– Powering account security features, such as login approvals and notifications

– Identifying shared computers to discourage the use of “Keep me logged in.”’

I will have to agree in part with another respondent, who did not doubt the sincerity of Stefancik’s explanation, but wondered whether his views reflected the views of Facebook management.

So often in history, well-meaning scientists and engineers find themselves exploited both financially and politically by those who may lack their ethics.

(Note added September 28, 2011: Facebook currently has 2 DOZEN high-profile lobbyists in Washington D.C. and has created its own Political Action Committee [PAC].)

(Note added September 27, 2011: For more about the recent Facebook changes and possible reasons behind them, see our earlier blog entry.)

In a second article, CNET’s Elinor Mills discusses the MySQL site, now owned by Oracle, which was hacked and used to serve malware to visitors running Windows before it was cleaned up today! Wayne Huang, the CEO of Armorize, and some of his firm’s researchers warned about the attack in a blog entry today! Huang told CNET that he did not know the length of time that visitors to MySQL.com had been vulnerable nor how many visitors might have been infected. Armorize estimated that MySQL.com has more than 100,000 page views each day and more than 34,000 unique visitors each day!

Armorize Chief Executive Wayne Huang and some of his firm’s researchers warned about the attack in a blog post today.

MySQL.com acted quickly to remove the malware so computers would stop getting infected, but Huang told CNET he did not know how long site visitors were vulnerable or how many may have been infected. Armorize estimated that MySQL.com gets more than 100,000 page views a day and more than 34,000 unique daily visitors.

“The infection rate tends to be high for these types of attacks,” he said. “They handled it very quickly but that doesn’t mean they cleaned up the backdoors the attackers left” on the site.

and…

“We haven’t gone in depth in analyzing what this particular piece of malware does,” he said. “We know it changes some of your Windows .dlls (Dynamic-link libraries), probably to make sure it is permanently installed and running all the time. You may be able to clean it up, but it won’t be a trivial process.”

CNET notes that:

“MySQL.com representatives could not be reached for comment this afternoon. Representatives from Oracle, which owns MySQL.com, did not immediately respond to e-mails and calls seeking comment.”

According to the Armorize Malware Blog, before the infection was removed from MySQL.com, the compromise redirected traffic to a Blackhole exploit pack that forced the browser to install a piece of malware on the machine.

“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java,…), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” the blog says. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”

Only 4 of 44 vendors on the VirusTotal site can detect the malware. Brian Krebs of the Krebs on Security blog noticed someone on an exclusive Russian hacker forum selling administrative rights to MySQL.com for $3,000 a few days ago.

(Note added September 26, 2011, 11:38 PM PDT: An L.A. Times article today, entitled “Is Facebook killing your privacy? Some say it already has” discusses Nik Cubrilovic’s post as well as the fact that Marc Rotenberg, executive director of the watchdog group, Electronic Privacy Information Center, is sending a letter to the Federal Trade Commission outlining his concerns about Facebook. The article also contains this quote:

“This redesign is part of Facebook’s overdrive effort to boost data collection and ad sales prior to its IPO,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “Under the guise of enhancing the ability of its members to express themselves, Facebook is building a super-charged commercial surveillance system that threatens their privacy.”)

(September 28, 2011: Federal lawmakers have urged the Federal Trade Commission [FTC] to investigate Facebook’s use of cookies to collect information from users after they sign out.)

(Note added October 2, 2011: In a lawsuit by Perrin Aikens Davis of Illinois that seeks “class action” status, Facebook is being sued for tracking users after logout. And a small Chicago company named Timelines.com is suing Facebook for trademark infringement over Timeline….)

-Bill at

Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”

You can view higher-resolution photos at the Cheshire Cat Photo™ Pro Gallery on Shutterfly™, where you can also order prints and gifts decorated with the photos of your choice from the gallery. The Cheshire Cat Photo Store on Zazzle® contains a wide variety of apparel and gifts decorated with our images of California. All locations are accessible from here. Be a “Facebook Fan” of Cheshire Cat Photo here! If you don’t see what you want or would like to be on our email list for updates, send us an email at info@cheshirecatphoto.com.
