The business and culture of our digital lives,
from the L.A. Times

Category: Security

Facebook, Google, other firms team to fight email phishing scams


Major tech firms including Google, Facebook and Microsoft have teamed together to fight email phishing scams. Members say the partnership will lead to better email security and protect users and tech brands from fraudulent messages.

The group, which calls itself DMARC -- for Domain-based Message Authentication, Reporting & Conformance -- says it wants to help reduce email abuse by standardizing how email receivers perform authentication. Now, email senders will get consistent authentication results for their messages at Gmail, Hotmail, AOL and any other email receiver using DMARC.
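The receiver-side check that DMARC standardizes, as an added illustration (not DMARC.org's or any mail provider's code): it parses a published policy record and decides a disposition from the SPF and DKIM results for one message. The `example.com` record is constructed for this example, and the organizational domain is approximated as the last two labels where real receivers use the Public Suffix List.

```python
"""Minimal DMARC evaluation for one message: parse a _dmarc TXT record,
test identifier alignment of the SPF and DKIM results against the visible
From: domain, and pick the policy to apply when both fail."""

# Constructed TXT record as it would be published at _dmarc.example.com
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict, applying DMARC's defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=r
    return tags


def org_domain(domain):
    """Organizational domain, simplified here to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record_domain, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain, record=SAMPLE_RECORD):
    """Return ("pass" | "fail", disposition) for one message.

    record_domain: domain whose _dmarc record was fetched (passed in here;
                   a real receiver queries DNS for it)
    from_domain:   domain of the RFC5322.From header, i.e. what the user sees
    spf_domain:    MAIL FROM domain that SPF was checked against
    dkim_domain:   d= of a DKIM signature that verified
    The pct= sampling tag is not applied in this deterministic version."""
    policy = parse_dmarc(record)
    spf_ok = (spf_result == "pass"
              and aligned(from_domain, spf_domain, policy["aspf"]))
    dkim_ok = (dkim_result == "pass"
               and aligned(from_domain, dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Both failed: p= applies to the record's own domain, sp= (if present)
    # to its subdomains.
    fd = from_domain.lower().rstrip(".")
    rd = record_domain.lower().rstrip(".")
    is_subdomain = fd != rd and org_domain(fd) == rd
    disposition = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return "fail", disposition


if __name__ == "__main__":
    # A spoof: the visible From: is example.com, but SPF passed for a
    # different sender domain and nothing was DKIM-signed for example.com.
    print(evaluate("example.com", "example.com", "pass", "attacker-mail.test",
                   "none", ""))  # ('fail', 'reject')
```

The last case is the brand-spoofing message the article describes: SPF can legitimately pass for the attacker's own sending domain, and it is the alignment requirement that makes DMARC reject it.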

Email phishing scams are messages designed to trick recipients into providing personal information by replying or clicking on links. The emails look like they come from a legitimate sender, often featuring brand logos and mimicking the format and language of authentic messages.

With the rise of social media and e-commerce sites, spammers and phishers have "a tremendous financial incentive" to compromise user accounts, leading to theft of passwords, bank account information and credit card numbers, DMARC said.

"Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands," the group said. "Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users."

Other companies involved in DMARC include Bank of America, LinkedIn, PayPal and Yahoo.


Shopping tips for protecting personal information

Hackers infiltrated personal Gmail accounts, Google says

New Justice Department unit to fight tech crimes, identity theft

-- Andrea Chang

Image: Screen shot of the companies involved in DMARC. Credit: DMARC

Google+ now open to teens, with a few security tweaks too

Google+ opened up to teenagers on Thursday, a move that Google no doubt hopes will help it challenge Facebook as the social network of choice.

"Teens and young adults are the most active Internet users on the planet," said Bradley Horowitz, Google's vice president of products, in a post on his Google+ page. "And surprise, surprise: they're also human beings who enjoy spending time with friends and family. Put these two things together and it's clear that teens will increasingly connect online."

While minors will now be able to use Google+, the experience on the social network won't be exactly the same for them as the 18-and-older crowd. Google has made a few privacy and security changes with teens in mind that Horowitz said will make Google+ a more ideal network to use for sharing and connecting with friends than other services.

"Unfortunately, online sharing is still second-rate for this age group," he said of teenagers. "In life, for instance, teens can share the right things with just the right people (like classmates, parents or close ties). Over time, the nuance and richness of selective sharing even promotes authenticity and accountability. Sadly, today's most popular online tools are rigid and brittle by comparison, so teens end up over-sharing with all of their so-called 'friends.'"

The ability to share on Google+ with specific "circles" of friends is a start, Horowitz said, but the social network is also giving users "control over who can contact them online. By default, only those in teens' circles can say hello, and blocking someone is always just a click or two away."

Google+'s Hangout video chats will also be tweaked for teens. "If a stranger outside a teen's circles joins the hangout, we temporarily remove the young adult, and give them a chance to rejoin," he said.

Previously, Google+ was only open to users who were 18 years old and up. Now, Horowitz said, anyone who is old enough for a Google account of any sort is old enough for Google+. And in all but Spain (14), South Korea (14) and the Netherlands (16), that age is 13.

Facebook, which boasts more than 800 million users, is open to anyone 13 and older. Google+ has about 90 million users, the tech giant said earlier this month.


Google plans to merge more user data across its products

Google+ continues battle with fading user interest, data say

Google engineer goofs, tells whole world that Google doesn't get it

-- Nathan Olivarez-Giles

Image: An example of the prompt a teenage Google+ user under age 18 will receive whenever someone they don't have included in a contact "circle" on the social network joins in on a Hangout video chat session. Credit: Google

Tweets deny that Anonymous will try to hack into Facebook

Anonymous has lobbed many online attacks against high-profile websites, but so far the hacktivist group has never hacked into the world's largest social network, Facebook.

And, if you believe most Anonymous-connected Twitter accounts, that won't be changing anytime soon -- despite ongoing rumors and a YouTube video stating that an Anonymous-backed Facebook strike is planned for Saturday.

The question of whether Anonymous will attack Facebook got started with that YouTube video, published Monday. The video, which can be seen above, states that the group is targeting the social network as a part of an online war in reaction to two controversial online anti-piracy bills known as SOPA and PIPA that were abandoned by several Washington politicians last week.

"Hello. People of the world. We are Anonymous," a computer generated voice-over says in the video. "The time has come. An online war has begun between Anonymous, the people, and the government of the United States. While SOPA and PIPA may be postponed from Congress, this does not guarantee that our internet rights will be upheld."

Later, the video states that "while it is true that Facebook has at least 60,000 servers, it is still possible to bring it down. Anonymous needs the help of the people, the people who want to take a stand against the government. The people who want to make a difference. This is what we must do."

On Monday, just a few hours after the video was published on YouTube, the @AnonOps Twitter account -- which many believe to be an authentic Anonymous account -- said there were no plans to hit Facebook.

"Again we must say that we will not attack #Facebook! Again the mass media lie," one tweet said.

Another tweet repeated the denial of the YouTube video, stating "AGAIN: 'Anonymous Threatens Facebook Shutdown Jan' IS A FAKE. RT PLEASE."

But while the attack may not be a legitimate Anonymous operation, and while it may never even take place, the group's lack of hacks against Facebook isn't for a lack of threats.

Rogue members of the collective, which has no publicly clear leadership structure, and possibly even impostors have threatened attacks against Facebook multiple times in the past. Notably, one such threat, made last August and planned for Guy Fawkes Day on Nov. 5, never panned out.


SOPA blackouts inspired protest around the world

Wikipedia: SOPA protest led 8 million to look up reps in Congress

Justice Department shuts down MegaUpload, Anonymous responds with Web attacks

-- Nathan Olivarez-Giles

Image: A screenshot of a tweet from the @AnonOps account that denies the hacker group Anonymous will attack Facebook. Credit: Twitter

MegaUpload was a 'mega conspiracy,' Justice Department alleges [Updated]

MegaUpload, one of the world's largest file-sharing websites, was shut down Thursday by the U.S. Department of Justice, which accused it of violating piracy and copyright laws.

In an indictment, the Justice Department alleged that MegaUpload was a "mega conspiracy" and a global criminal organization "whose members engaged in criminal copyright infringement and money laundering on a massive scale."

The Justice Department said MegaUpload, which had about 150 million users, tallied up harm to copyright holders in excess of $500 million by allowing users to illegally share movies, music and other files. Prosecutors said in the indictment that the site's operators raked in an income from it that topped $175 million.

DOCUMENT: Read the indictment against MegaUpload

MegaUpload was just one of many services that allow for the easy sharing of large files online. Others include sites such as Mediafire and Rapidshare, and cloud storage services that allow for shared folders, such as Dropbox.

One way MegaUpload differentiated itself was with its online marketing campaign that featured celebrities such as rapper/producers Kanye West, Lil' Jon, Sean "Diddy" Combs and Swizz Beats stating in YouTube videos why they loved using the site. Other videos feature tennis star Serena Williams, boxer Floyd Mayweather Jr., Def Jam Records founder Russell Simmons and director Brett Ratner testifying to their use of MegaUpload.

The release of the Justice Department indictment came after dozens of websites, led by tech heavyweights Wikipedia, Craigslist, Mozilla and Google, altered their websites to protest two anti-piracy bills under consideration on Capitol Hill: the Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA).

Critics of the bills say the proposed laws would give the Justice Department the ability to censor the Internet by giving the agency clearance to shut down a site without having to get court approval of an indictment, as it did with MegaUpload. Although the indictment was unsealed Thursday, it was issued by a federal court in the Eastern District of Virginia on Jan. 5, the agency said.

In a statement issued with the indictment, the Justice Department said "this action is among the largest criminal copyright cases ever brought by the United States and directly targets the misuse of a public content storage and distribution site to commit and facilitate intellectual property crime."

The Justice Department said that at its request, authorities arrested three MegaUpload executives -- officially employed by two companies, Megaupload Ltd. and Vestor Ltd. -- in New Zealand, including the site's founder, Kim Dotcom, who was born Kim Schmitz. The agency is also looking to arrest two additional executives.

The indictment charges the two companies with running a "racketeering conspiracy, conspiring to commit copyright infringement, conspiring to commit money laundering and two substantive counts of criminal copyright infringement."

According to the Associated Press, before the MegaUpload site was shut down Thursday, a statement was posted on the site saying the allegations made against it were "grotesquely overblown" and that "the vast majority of Mega's Internet traffic is legitimate, and we are here to stay. If the content industry would like to take advantage of our popularity, we are happy to enter into a dialogue. We have some good ideas. Please get in touch."

Visits to the site on Thursday showed the website as unable to load. The Justice Department had ordered the seizure of 18 domain names it linked to the alleged wrongdoing.

[Updated at 3:42 p.m.: As noted by Times reporter Ben Fritz on our sister blog Company Town, the hacker group Anonymous has allegedly lobbed a denial-of-service attack that has temporarily taken down the websites for the Department of Justice and Universal Music as a move in retaliation for the shutdown of MegaUpload. Forbes is reporting that the same attack has struck the sites for the Recording Industry of America and the Motion Picture Assn. of America.]

[Updated at 3:50 p.m.: The Twitter accounts @YourAnonNews and @AnonOps are taking credit on behalf of Anonymous for the web attacks on the websites of the Justice Department, Recording Industry of America, Motion Picture Assn. of America and Universal Music.]


SOPA blackouts inspired protest around the world

Apple's iBooks 2, iBooks Author: Bids to own publishing's future

Wikipedia: SOPA protest led 8 million to look up reps in Congress

-- Nathan Olivarez-Giles

Zappos website hacked; credit card database not affected, CEO says

Zappos, the popular online shoe site, was the victim of a cyber attack by a hacker who gained access to part of the company's internal network through one of its servers, Chief Executive Tony Hsieh said in an email to employees Sunday.

Hsieh said the Henderson, Nev., company was cooperating with law enforcement to undergo "an exhaustive investigation" and that the database that stores customers' credit card and other payment data was not affected or accessed.

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh said in a separate email to customers. "Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this."

The company said it would notify the more than 24 million customer accounts in its database about the incident and provide instructions on how to choose a new password; the company has already reset and expired existing passwords.

In the email to shoppers, Zappos said customers' personal information -- including their name, email address, billing and shipping addresses, phone number, the last four digits of their credit card number and/or the cryptographically scrambled password on their account -- may have been compromised.

"In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers," Hsieh said. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume."

The company is directing customer concerns and questions to an internal Web page.

Zappos, which sells shoes and has since expanded to other retail categories, was bought by Amazon in 2009. The company has become known for its customer service and for its quirky company culture led by Hsieh -- including head-shaving events, impromptu parades around the cubicles and employee birthday pranks.


Amazon to buy Zappos

A conversation with Zappos CEO Tony Hsieh

Retail chains are embracing their online stores

-- Andrea Chang

Top photo: Zappos' company headquarters in 2010. Credit: Isaac Brekken / For The Times

Lower photo: Zappos Chief Executive Tony Hsieh. Credit: Isaac Brekken / For The Times

Facebook to boost privacy protections in Europe, Irish agency says


Facebook will improve privacy protections in Europe over the next six months after an investigation into its practices there, the Irish data protection agency said Wednesday.

The agency conducted a three-month audit of Facebook's compliance with European Union and Irish data protection requirements.

Facebook, the Menlo Park, Calif., company that has its European headquarters in Dublin, has agreed to give users more information on how Facebook and third-party apps handle their information, minimize how much data is collected on users when they are not logged in to Facebook and warn European users that Facebook uses facial recognition software that suggests people to tag in photos.

The Dublin headquarters has responsibility for handling hundreds of millions of users outside the U.S. and Canada.

"This was a challenging engagement both for my Office and for Facebook Ireland," Irish Data Protection Commissioner Gary David said in a statement. "Arising from the audit, FB-I [Facebook Ireland] has agreed to a wide range of 'best practice' improvements to be implemented over the next six months."

There will be another formal review in July.

The agency received 22 complaints from a privacy group, Europe V Facebook, and additional complaints from the Norwegian Data Protection Agency. Facebook said it was pleased that the report underscored a number of Facebook's "strengths or best practices" in the security of user data and using personal information to target ads.

"The people who use Facebook take privacy and data protection seriously and so do we," Richard Allan, Facebook's director of public policy for Europe, said in a blog post.

Last month, Facebook agreed to settle privacy complaints raised by the U.S. Federal Trade Commission. The proposed 20-year agreement would require Facebook to get permission from users before sharing information they thought would remain private. The company also agreed to 20 years of privacy audits.

Facebook has run into trouble with its facial recognition software that suggests people for users to tag in their photos. A German data protection agency said it may fine Facebook over the feature and Norway's privacy watchdog is investigating.

Facebook, the world's most popular social networking site, is planning a $100-billion initial public offering sometime next year.


Watchdog group targets Facebook privacy settlement 

Facebook and FTC reach agreement on privacy protections

Facebook nears settlement with the FTC on privacy

-- Jessica Guynn

Photo: Dan Kitwood / Getty Images

China-based hackers reportedly targeted U.S. Chamber of Commerce

Hackers based in China reportedly pulled off a massive Web attack against the U.S. Chamber of Commerce lobbying group, which resulted in access to a significant number of confidential emails and documents.

Unnamed sources told both Bloomberg and the Wall Street Journal that the security breach took place in 2010 and gave the hackers access to information belonging to the Chamber's 3 million members.

The chamber, the U.S.' largest business lobbying group, is still investigating the attack, both reports said.

The strike is believed to be one in a wave of Web attacks from hackers based in China, along with previous reported hackings against "U.S. companies, business associations, and lobbying groups involved in trade policy associated with China," Bloomberg said.

Officials at the Chamber of Commerce were unavailable for comment on Wednesday.

According to the Journal's report, the chamber hasn't yet determined how much of its data was viewed or taken by the hackers, though evidence has been found that "hackers had focused on four chamber employees who worked on Asia policy, and that six weeks of their email had been stolen."

It is also possible that the hackers, who investigators suspect may have ties to the Chinese government, "had access to the network for more than a year before the breach was uncovered, according to two people familiar with the chamber's internal investigation," the Journal said.


China cracks down on Internet rumors

Chinese hackers pose a growing threat to U.S. firms

China-based hackers targeted oil, energy companies in 'Night Dragon' cyber attacks, McAfee says

-- Nathan Olivarez-Giles

Image: A screenshot of the website of the U.S. Chamber of Commerce lobbying group. Credit: U.S. Chamber of Commerce

Sprint says it has stopped pulling Carrier IQ data from phones

Two weeks after the Carrier IQ dust storm, in which a little-known California company was found to have data collection software embedded on tens of millions of smartphones, one of the company's main allies is taking a step back.

Sprint Nextel Corp. is now saying that it has "disabled use of" the Carrier IQ software. Importantly, that doesn't mean the company has turned off or deleted the data collection software on your phone. Instead, the company is using the term "disabled" to mean that it is no longer accessing data from the Carrier IQ program, even though that program is still operational on your mobile device.

"We have weighed customer concerns and we have disabled use of the tool so that diagnostic information and data is no longer being collected," wrote Sprint spokeswoman Stephanie Vinge in an email. "We are further evaluating options regarding this diagnostic software as well as Sprint's diagnostic needs."

In late November, when the furor originally broke out, Sprint came to Carrier IQ's aid, noting that "Carrier IQ is an integral part of the Sprint service" and that "Sprint relies on Carrier IQ to help maintain our dependable network performance."

But now, in the wake of congressional inquiries and a nasty public relations storm, it seems the company has reconsidered the value of Carrier IQ.


Carrier IQ, T-Mobile, Sprint, RIM face class-action suits

Carrier IQ defends itself in privacy flap over data collection

Security researchers doubt researcher's Carrier IQ video conclusions

Image: A Sprint storefront in New York City. Sprint says it has disabled use of Carrier IQ software. Credit: Stephen Yang/Bloomberg

Facebook fixes security glitch after leak of Mark Zuckerberg photos


Facebook says it has fixed a security glitch after founder and chief executive Mark Zuckerberg's private photographs were published online.

The incident stemmed from a Nov. 27 post on a Web forum. An anonymous tipster spelled out step-by-step instructions for accessing photos uploaded by Facebook users, even if the photos were marked as private. Among the photos hackers published: Zuckerberg preparing food and handing out candy on Halloween.

Facebook says the security glitch "was live for a limited period of time." It did not say how many of the site's more than 800 million users were affected. "The precise number of people impacted is unknown at the moment but we continue to investigate," a spokeswoman said in an e-mail.

Facebook blamed the problem on a recent "code push" in which it revised some of its software.

"Not all content was accessible, rather a small number of one's photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed," a company spokesman said in an email.

The privacy breach struck at Facebook's Achilles' heel. Last week Facebook agreed to settle federal government charges that it exposed too much user information without consent.

Security and privacy concerns have not dampened enthusiasm for Facebook, which has soared in popularity. It's preparing for an initial public offering next year that could peg the company's worth at $100 billion.


Facebook and FTC reach agreement on privacy protections

Facebook nears settlement with FTC on privacy

Privacy group asks FTC for Facebook inquiry

-- Jessica Guynn

Photo credit: Dan Kitwood / Getty Images

Carrier IQ disputes spying accusations; security researchers agree

Carrier IQ, the beleaguered online metrics company that has been accused of installing spy software on millions of smartphones, has broken its silence to say the critics have it wrong.

"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," the company said in a statement released late Thursday.

The firm's defense came as politicians and privacy organizations continued to question the little-known Mountain View, Calif., company, which designs communications analysis software used by some of the largest U.S. wireless carriers, including AT&T, Sprint and T-Mobile. The carriers say data collected on their behalf by Carrier IQ helps them improve their service.

Last week, a 25-year-old system administrator named Trevor Eckhart released a video (above) purporting to show Carrier IQ's app recording smartphone users' every keypress, and implying that the company was therefore able to intercept users' private communications.

But security researchers have disagreed with conclusions drawn from Eckhart's analysis.

"It's not true," said Dan Rosenberg, a senior consultant at Virtual Security Research, who said the video shows only diagnostic information and at no point provides evidence the data is stored or sent back to Carrier IQ.

"I've reverse engineered the software myself at a fairly good level of detail," Rosenberg said. "They're not recording keystroke information, they're using keystroke events as part of the application."

The difference is subtle but important. To perform commands, applications need to know which buttons a user has pushed: Your email app needs to know when you tap the reply button, and your phone app needs to know which numbers you press in order to dial. Applications therefore pay attention to which buttons a user is pressing.

But listening for a button press does not mean an application is therefore sending a record of those button presses back to the company, researchers said.

System-related apps like Carrier IQ often allow users or phone engineers to tap a series of keys in order to bring up administrative options or to display information on the phone's performance. In order to show that data, apps need to know the correct code was tapped in -- by identifying specific key presses, as the app is shown doing in the video.

But Rosenberg said his look at the Carrier IQ program revealed "a complete absence of code" that would indicate key presses were being tracked and recorded or sent over the Internet by the phone.

Instead, the readouts on Eckhart's video that occur when he presses keys are "debugging messages" -- informational feedback meant to help smartphone programmers verify that their applications are working correctly. In this case, Carrier IQ's developers appear to have set up the program to display a diagnostic message when a key is pressed or when a text message is sent.

"It's just spitting debug messages to the internal Android log service," said Jon Oberheide, a co-founder of Duo Security. "It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystrokes, SMS messages or Web browsing session content are being transferred off the device."
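Even if nothing leaves the device, debug messages that echo key presses or message bodies into the shared Android log are a leak worth catching in review. The scanner below is an added example (not Carrier IQ's, Eckhart's or the researchers' code) that runs over constructed logcat lines; the `DiagAgent` tag and every value in the sample are made up for the illustration.

```python
"""Flag Android logcat entries whose debug text echoes sensitive input
(key presses, SMS bodies, browsed URLs) so the responsible component can
have its logging reviewed. Sample log and tag names are constructed."""
import re

# Constructed logcat 'threadtime' output: the tag and all values are made up.
SAMPLE_LOG = """\
12-01 10:15:32.101  1234  1250 D DiagAgent: onKeyEvent keyCode=42 action=DOWN
12-01 10:15:32.240  1234  1250 D DiagAgent: sms received from=+15555550100 body="meet at 5"
12-01 10:15:33.005  2001  2001 I ActivityManager: Displayed com.example.mail/.MainActivity
12-01 10:15:34.118  1234  1250 D DiagAgent: metric radio.signal=-81dBm cell=1234
12-01 10:15:35.402  1234  1250 D DiagAgent: browser url=https://bank.example.test/login?user=alice
12-01 10:15:36.010  3002  3002 W Gmail: sync retry in 30s
"""

# date time PID TID level tag: message  (logcat -v threadtime layout)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s(?P<msg>.*)$")

# Patterns for content that is diagnostic noise when it is a counter but a
# leak when it is the user's own input. First match wins.
SENSITIVE = [
    ("keypress", re.compile(r"\bkeyCode=\d+")),
    ("sms_content", re.compile(r'\bbody="')),
    ("url", re.compile(r"\burl=https?://")),
]


def parse_line(line):
    """Split one threadtime line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return (line_no, tag, category, message) for every leaking entry."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # continuation lines, banners, garbage
        for category, pattern in SENSITIVE:
            if pattern.search(rec["msg"]):
                findings.append((line_no, rec["tag"], category, rec["msg"]))
                break
    return findings


def leaking_tags(findings):
    """Group findings by log tag: which components need their debug logging reviewed."""
    by_tag = {}
    for _, tag, category, _ in findings:
        by_tag.setdefault(tag, set()).add(category)
    return by_tag


if __name__ == "__main__":
    for line_no, tag, category, msg in scan(SAMPLE_LOG):
        print(f"line {line_no}: [{tag}] {category}: {msg}")
    print(leaking_tags(scan(SAMPLE_LOG)))
```

The check says nothing about transmission, which is the separate question the researchers address; it only shows what a locally logged message exposes to anything on the device that can read the log (before Android 4.1, any app holding the READ_LOGS permission).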

Carriers like AT&T, T-Mobile and Sprint have long disclosed that they collect and store information about users' locations, phone records and text messages. But what appeared to unnerve consumers and privacy observers was the possibility that the companies had gone a step further and were monitoring nearly every action a user performed on the phone.

That claim set off alarms among phone users, privacy advocates and now Sen. Al Franken (D-Minn.), who demanded Thursday that Carrier IQ explain its software and the types of data it collected.

Though Carrier IQ denied it collected message text and other personal communications, it did note that it gathers "intelligence on the performance of mobile devices" and sends it to wireless carriers. The company said little more about the specific types of data it does collect, whether users can opt out of the collection or how long the company keeps collected data.


AT&T says attempted hacking was unsuccessful

Facebook settles privacy complaint with Federal Trade Commission

RIM Mobile Fusion to add BlackBerry security tools to Android, iOS

-- David Sarno

Video: Trevor Eckhart's video about Carrier IQ.
