Posted by: David Harley | January 20, 2012

Facebook Memes are the New Black(hat)

At any rate, they keep tapping on my shoulder.

Earlier in the week, a couple of recent “status games” loosely connected with medical fund/attention-raising prompted me to write about security implications in a piece for Virus Bulletin (I’ll let you know here when it comes out).

Then Facecrooks announced a malicious app that subverts a status game that I’ve seen around a lot lately, involving sharing whatever was the top of the charts the day you were born. In my case it was Sumer is icumen in (if only it was…) by some wandering minstrel or other, but it so happens I had a fair amount to say about that, which you can read about in Facebook, your birthday #1, and survey scams, if you so wish.

And now I see that Facebook is announcing a variation on the Timeline scams that Stephen Cobb discussed in Facebook’s timeline to fraud-a-geddon? Bizarrely, this one tells you how to get Timeline ahead of the official launch (it’s already happened, guys!). You might think that it’s all too easy to get Timeline, which some of us would quite happily do without. But at least 120,000 people have apparently fallen for it.

This one will run and run…

David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | January 19, 2012

Agony Column for Comment Spammers

Sadly, ESET’s former Agony-Aunt-in-Residence Ms Letitia Teaspoon has now left her employment at ESET. Well, there’s an awful lot of churn in the AV business these days.

The good news, however, is that she has deigned to contribute some words of wisdom to the Small Blue-Green World blogging empire, though any suggestion that she will play Rebekah Brooks to my Rupert Murdoch is merely malicious gossip.

Over to you, Letitia.

(1)

Dear Mumbai Escorts, thank you for your kind words about Mr. Harley’s post about SEO poisoning exploiting last year’s Japanese earthquake. However, if you regard that information as “gorgeous”, that poses some serious questions about the attractions of your escort service.

(2)

Dear Melida, thank you for your interesting observations on car insurance. We’re not sure how they fit into a discussion on DNS settings, though, and I’m afraid you probably can’t pay for car insurance with World of Warcraft gold. Still, these days, who knows?

(3)

Dear Shop On Line, we’re delighted to hear that you are subscribing to our augment and even you fulfillment our access consistently fast. But are you sure you should be smoking quite so much of whatever is in that roll-up?

(4)

Dear {Best Automatic Pool Cleaners|Best Pool Cleaners|Pool Cleaners|Pool Cleaners Reviews|Best Pool Cleaners Reviews|Best Automatic Pool Cleaners Reviews|Aquabot Turbo T4RC Robotic Pool Cleaner with Remote Control Review| Polaris Vac-Sweep 280 F5 Automatic Poo, it was worth getting to the end of your “name” to see the frank confession at the end of what it is you’re actually peddling.

(5)

Dear public domain, yes we do have an email subscription link, cunningly disguised as an email subscription link inconspicuously placed at the top right of each blog post. If we find a comment spammer offering good deals on reading spectacles, we’ll be sure to put you in touch with each other.

(6)

Dear atarax online without prescription, I agree, Haiti help resources was a big story. However, that was two years ago.

(7)

On a related note, thank you bigwli moderator for adding me to your bigwli Yahoo! group. I’m a little worried, though, that I may not qualify on gender grounds.

Ah well, time for some tea.

Thank you, Letitia.

I hope the hormone treatment is going well. I’ll see you in the teashop later.

David Harley CITP FBCS CISSP
Small Blue-Green World CEO
ESET Senior Research Fellow

Posted by: David Harley | December 6, 2011

Facebook Jawdrop

You’re probably aware that if you “like” a company or product page on Facebook, it’s possible that your name and photograph could appear in online ads for those products or companies. If you didn’t know, you might want to be careful about what you click the Like button on, as there’s no way of opting out of what FB likes to call a Sponsored Story. If you wouldn’t want your friends to know too much about your taste in music or edible underwear, Facebook may not be your Friend…

If you want to see some of that potential embarrassment paid back, however, Graham Cluley has put up an edited version of an interview in which Facebook VP Elliot Shrage is put on the spot by the BBC’s Emily Maitlis.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Posted by: David Harley | December 6, 2011

Facebook and Selective Memory

I’ve been thinking that I ought to comment on Mark Zuckerberg’s blog on Facebook’s Commitment to the Facebook Community (and the perception of rather less commitment expressed by Nicholas Carlson over at Business Insider). However, it turns out that my long-time friend Randy Abrams has said pretty much everything I’d want to say, and more, in his article Mark Zuckerberg, I’ve Read Terry Pratchett and You are no Terry Pratchett.

Zuckerberg’s early observations on the stupidity of people who entrusted him with their data may have been meant entirely humorously, but they’ll haunt Facebook for a long time yet.

Good to see Randy blogging again at Security Through Absurdity: great name. :)

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN/Mac Virus

Posted by: David Harley | December 5, 2011

Muriel* in the Men’s Room?

Don’t panic. I haven’t been infected by some obscure blogworm.

This is a hoax – well, semi-hoax – but not a particularly serious one for the world in general (except maybe for the companies whose work has been misattributed: I’ll come back to that in a minute).

I received a message this morning containing a mildly amusing photograph of a mural put up behind six urinals in a men’s room. According to the message, it was designed by an all-female design team for an office in New York City. Here’s a description (from 2005) from Hotel Industry News (what can I say, I just have very broad tastes in music and reading material!) of the “six-metre long backdrop of life-size photographs featuring local models in varying poses directly behind each of the six stands – each with a full view of the action. One has a tape measure out, one a pair of binoculars, another has a camera, a fourth is peering over her glasses and so the list goes on.” If you don’t find that type of humour offensive, you can find a picture at either of the links above. However, both pieces also make it perfectly clear that the description in the message is an almost complete fabrication.

  • The restroom is actually in a hotel in Queenstown, New Zealand.
  • The company behind it was Perron Developments in Auckland, not anyone called Edge Designs, as stated in the message.
  • However, according to the photographer, “We had a lot of fun with the shoot, made all the better for the fact that there weren’t any men there when we did it.” Maybe that’s what suggested the misattribution to an all-female agency?

According to Hoax Slayer, the original message simply read, with perfect accuracy, “Check out the new men’s loo at the Sofitel in Queenstown NZ!” (Oddly enough, Snopes confirms the “real” message but not the semi-hoax.)

What do we learn from this?

  • You can’t trust everything you read on the Internet. (Well, duh…)
  • Not all hoaxes are blatant chain letters. Lots of humorous stuff is passed on just because it’s humorous, not because the originator thought up some argument to persuade recipients to keep it going. And there’s nothing wrong with that: if you don’t want your friends to forward amusing stuff to you, you can always ask them nicely not to. One friend of mine has a “jokes” list of friends to whom he sends humorous material, knowing that they’re people who are likely to find it amusing if not useful…
  • Many hoaxes have a kernel of fact among the fluff (I call these semi-hoaxes). Sometimes the content is changed to make a chain letter more dramatic and persuasive. It’s not obvious what the motivation was here, though Perron’s Peter Dallimore seems to assume in a comment here that it was a case of a company taking credit for someone else’s work. On the other hand, it might actually be intended to damage one of the real companies called Edge Design by making it look as if they’d been guilty of blatant plagiarism. Unfortunately, we can’t often trace the originator of a hoax or semi-hoax, so we may never find out.
  • Mostly, a semi-hoax, like other kinds of half-truth, is more persuasive than a downright lie. As many hoaxers and scammers know very well.

Hat tip to Jude for passing on the message, which I hadn’t seen before. You’ll have to excuse me now, I need to take a comfort break.

*I’m sorry if the punning on the malapropism of Muriel for Mural is lost on anyone but Brits of a certain age. If the words “Hilda Ogden” and “Coronation Street” mean nothing to you and you want to know what I’m gibbering about, this article should clear it up. If you don’t care at all about it, feel free to Can the Cans.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Posted by: David Harley | November 23, 2011

Facebook hoax and search poisoning

A couple of blogs have gone up on the ESET blog today that might be of interest to readers of this blog.

My article on Facebook Invitation and the Olympic Torch describes at some length how the old but unkillable Olympic Torch hoax is not only being used (again) to waste everyone’s time, but with an added Facebook twist. As if the needless panic and useless mailstorm weren’t bad enough, this turns out to be another example of articles at snopes.com – an excellent information resource where many a hoax is documented – being misused to provide spurious “corroboration” of a hoax.

Meanwhile, Stephen Cobb’s article Breaking Dawn, Taylor Swift, Image Search: Poisoning, survey scams on the rise looks at developments in search poisoning of trending topics, with particular reference to misdirection to adult sites and survey scams.

We’ve also contributed articles to SC Magazine’s Cybercrime Corner: Privacy, identity, and the Nym of the Rose is about the conflict between privacy and the Department of Justice espousal of vested interests in social media. In A wild week in cybercrime Stephen looks at some developments in cybercrime-related legislation that also includes espousal of vested interests, notably with reference to SOPA and PIPA, an issue I also addressed for (ISC)2’s blog in DNSSEC, SOPA, and PIPA.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Posted by: David Harley | November 21, 2011

Safe online shopping

A blog by Stephen Cobb, my colleague at ESET: Cyber Monday Safety: 10 tips for safer holiday shopping online.

Good advice worth keeping long after Cyber Monday.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Posted by: David Harley | November 17, 2011

Facebook, what’s a “self-XSS vulnerability”?

My friend and colleague at ESET, Aryeh Goretsky, has followed up on his earlier post Much Ado About Facebook, on Facebook, the Fawkes virus, and the recent epidemic of offensive material, with a Part II post in which he reminded me of an interesting point. (Actually, several interesting points, but this one struck a particular chord with me.)

Facebook have described the root cause of the problem as:

a “self-XSS vulnerability” caused by their users pasting malicious JavaScript into their web browsers’ address bars.

I’m not convinced that Facebook’s rather sparse information to date is the whole of the story. But there is an indication of how that might have been accomplished on a Sophos blog here.

Which is slightly ironic, given Facebook’s attempts to counter Sophos criticism of FB’s inconsistent performance at dealing with Facebook-specific threats.

And we’re still waiting to see Facebook talk directly to its users about all this, if only through the Facebook Security page.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Posted by: David Harley | November 15, 2011

Fawkes Virus Still Smouldering?

If you found my earlier blog Facebook and the Fawkes Virus: smoke or fire? at all interesting, you might find this follow-up of interest, too: Facebook: Is the Fawkes virus still smoldering? It refers to Sophos’ blog on the tsunami of obscene content currently afflicting Facebook users, and the link suggested by the Register with the alleged Fawkes virus, allegedly written by Anonymous…

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Posted by: David Harley | November 14, 2011

Facebook and chain messages

200,000 people can’t be wrong? Actually, they can, if they believe this message:

A 14 years old boy got beaten half dead by his stepfather.He only tried to protect his little sister from being raped.Now he's struggling for his life,but doctors say he won't make it without a surgery.His mother doesn't have money to pay it.Facebook donates 45cents for every sharing or reposting.Please help

It makes no sense that Facebook would offer to pay for surgery conditional on shares and reposts. This is a variation on a classic ploy for getting people to pass on a useless and deceptive message by persuading them that they can achieve a warm fuzzy feeling of having done something charitable by doing something that costs them no money and virtually no effort (rather like the story I blogged about here). Well, I guess that might be the case sometimes: remember that gauche ploy by Bing, offering to give a dollar to Japanese disaster relief each time a URL was retweeted?

Hat tip to Graham Cluley for flagging this chain letter.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow
