Google+ runs out of disk space, spams users with notifications

Google PlusSome early adopters of Google+ have found themselves bombarded with multiple notification messages in their email, due to a bug in the social networking's code after the site - astonishingly - ran out of disk space.

Vic Gundotra, Senior Vice-President of Social for Google, posted an apology (appropriately enough) on his Google+ account to those users affected, painting the social network as having been a victim of its own success.

Google spam apology

Please accept our apologies for the spam we caused this afternoon.

For about 80 minutes we ran out of disk space on the service that keeps track of notifications. Hence our system continued to try sending notifications. Over, and over again. Yikes.

We didn't expect to hit these high thresholds so quickly, but we should have.

Thank you for helping us during this field trial, and once again, we are very sorry for the spam.

It's pretty embarrassing for Google+ to suffer from such a bug - you can hardly imagine how the site could conceivably "run out of disk space", even if it is still technically undergoing trials.

High profile sufferers included Rory Cellan-Jones, BBC News's technology correspondent, an influential reporter who would hardly be high on your list of people you want to slate the social network.

Follow @ruskin147Rory Cellan-Jones@ruskin147
Rory Cellan-Jones
Getting zillions of Google+ emails, including duplicates which is apparently a bug. Already dubious about its usefulness...

Of course, accidental spam like this is better than being hit by spam containing Viagra adverts, phishing messages and malicious links - but it's still a nuisance and precisely the kind of irritating bug that is likely to upset users.

If you are on Google+, and want to keep informed about the latest security news, consider adding me to one of your circles.

Follow @gcluley

35 million Google profiles were *already* exposed on the internet

Google Profile logoDo you have a Google Profile? Did you find yourself getting cobbywobbles when you read the headlines in the security press?

Here's just a handful of the many headlines that have appeared in the last few days:

"35 Million Google Profiles Captured In Database", Information Week

"35m Google Profiles dumped into private database?", The Register

"Entire Google Profile database acquired by a user", ARN

Matthijs R. Koot, a PhD student at the University of Amsterdam, was able to create a database of 35 million Google Profiles, scooping up real names, email addresses, biographical information, Twitter feeds, links to Picasa photos, etc.

Sound scary to you? If so, maybe you're one of those people who has populated your Google Profile with a large amount of private information that you wouldn't like to fall into the hands of ne'er-do-wells.

At first glance the headlines might appear worrying. But there's one important thing you need to know.

All of this information was already available to anyone on the internet.

Some Google Profiles

You may remember that last year security researcher Ron Bowes conducted a similar experiment with Facebook, creating a database of 100 million Facebook users who had left their profiles open for anybody to view.

Koot has done something similar - but with Google Profiles. He wrote a relatively simple script (which he published on the net for others to try out) that harvests Google Profile data - and in the process, revealed that many users were potentially being careless with their personal information.

Part of Koot's script

So, Koot hasn't actually exposed any new information. He's just written a script to collect together data which was already out there.

Google Profile allows you to choose the nature of the url to your profile. You can either have a random-looking number, or the username they use for Google Gmail.

For instance, Matthijs R. Koot has the option of using:

https://profiles.google.com/115572197788225218471

or

https://profiles.google.com/mrkoot

Google Profile URL

However, Google Profile users are explicitly warned that if they choose to customise their URL with their GMail username, they will be making their email address publicly discoverable.

Koot says that he conducted the test to expose how careless people were being with Google Profile, and in particular that they were exposing their email addresses.

He discovered that approximately 40% of the 35 million Google Profiles he accessed exposed the owner's username and hence their @gmail.com address. That's 15 million exposed email addresses.

There's an obvious potential for spear phishing and malware campaigns when you have access to such a hoard of legitimate email addresses. Especially when they can be combined with other personal information shared on your Google Profile.

Google Profile users can adjust their settings to not allow their profiles to be indexed by search engines. But that's not really fixing the main problem.

Google Profile search visibility

Wouldn't it be better to choose not to post personal information in the first place?

One problem, of course, is that you may not actually realise that you already have a Google Profile.

After all, Google freely admits that "if you've been writing reviews on Google Maps, posting buzz on Google Buzz, creating articles on Google Knol, sharing Google Reader items, or adding books to your Google Book Search library, you may already have a profile."

Google Profile help screen

Maybe now is the time to check if you have a Google Profile, and - if you do - that you're comfortable with the information you're sharing through it.

Ultimately, though, remember the golden rule. If you don't want a piece of information to fall into the hands of hackers/your boss/your mother-in-law then maybe it's best not to post it on the internet in the first place.


Facebook announces new security features – but do they go far enough?

Facebook has just published an article entitled Keeping You Safe from Scams and Spam. It's all about improving security on its network.

In the past, Facebook has seemed curiously reluctant to do anything which might impede traffic.

After all, Facebook's revenue doesn't come from protecting you, the user. It comes from the traffic you generate whilst using the site.

So this latest announcement is a welcome sign, since some of the new security features prevent or actively discourage you from doing certain things on the Facebook network. Let's hope that everyone at Facebook has accepted that reduced traffic from safer users will amost certainly give the company higher value in the long term.

But do Facebook's new security features go far enough? Let's look them over.

* Partnership with Web of Trust (WOT)

WOT is a Finnish company whose business is based around community site ratings. You tell WOT if you think a site is bad; WOT advises you as you browse what other people have said about the sites you visit.

Community block lists aren't a new idea - they've been used against both email-borne spam and dodgy websites for years - and they aren't perfect. Here's what I said about them at the VB2006 conference in Montreal:

[C]ommunity-based block lists can help, and it is suggested that they can be very responsive if the community is large and widespread. (If just one person in the entire world reports a [dodgy] site, everyone else can benefit from this knowledge.)

But the [cybercriminals] can react nimbly, too. For example, using a network of botnet-infected PCs, it would be a simple matter to 'report' that a slew of legitimate sites were bogus. Correcting errors of this sort could take the law-abiding parts of the community a long time, and render the block list unusable until it is sorted out. Alternatively, the community might need to make it tougher to get a [site] added to the list, to resist false positives. This would render the service less responsive.

Another problem with a block list based on "crowd wisdom" is that it can be difficult for sites which were hacked and then cleaned up to get taken off the list. Users will willingly report bad sites, but are rarely prepared to affirm good ones.

False positives, in fact, have already been a problem for Facebook's own bad-link detector, which is also mentioned in the announcement. Naked Security has had its own articles blocked on Facebook simply for mentioning the name of a scam site.

In short, the effectiveness, accuracy and coverage of the WOT partnership remains to be evaluated. But I approve of the deal. It's a step forward by Facebook. However, Facebook's own bad-link detector could do with improvement.

* Clickjacking protection

Facebook introduced some anti-clickjacking measures a while ago. It's a good idea. If you're trying to Like a page known to be associated with acquiring Likes through clickjacks, Facebook won't blindly accept the click. You'll have to re-confirm it.

Again, I approve of this. But in my opinion, it's not going far enough. It would be much better if Facebook popped up a confirmation dialog every time you Liked something, so that the "blind Likes" triggered by clickjacking would neither work nor go unnoticed. (Indeed, this popup dialog would be a great place for users to report clickjacks to the WOT community block list!)

That's not going to happen. Facebook wants Liking to be easy - really easy - as it helps to generate lots of traffic. A popup for every Like almost certainly wouldn't get past Facebook's business development managers. Not yet, at any rate. But if we all keep asking, perhaps they'll see the value?

* Self-XSS

This is a geeky way of saying "Pasting JavaScript into your own address bar."

We've already reported on the potential danger of doing this. When you put JavaScript in your address bar, you implicitly give it permission to run as if it were part of the page you just visited. That's always a risky proposition. Facebook is adding protection against this behaviour.

Facebook also says it's working with browser makers on this problem. That's good.

Perhaps all browsers should simply disallow Javascript in the address bar by default? It's a useful feature, but the sort of user who might need it would surely be technically savvy enough to turn it on when needed.

* Login approvals

Facebook's final announcement is what it describes as two factor authentication (2FA). Facebook will optionally send you an SMS every time someone logs in from "a new or unrecognised device". (Facebook doesn't say how it defines "new", or how it recognises devices.)

This is a useful step, and will make stolen Faceook passwords harder to abuse. In the past, you would only see Facebook's "login from new or unrecognised device" warning next time you used the site, by which time it might have been too late.

The new feature means that you'll get warnings about unauthorised access attempts pushed to you. Furthermore, the crooks won't be able to login because they won't have the magic code in the SMS which is needed to proceed.

It's a pity Facebook isn't offering an option to let you enable 2FA every time you login. It would be even nicer if they added a token-based option (and they'd be welcome to charge a reasonable amount for the token) for the more security-conscious user.

A token would also allow users to enjoy the benefits of 2FA without sharing their mobile phone number with Facebook - something they might be unwilling to do after Facebook's controversial flirtation, earlier this year, with letting app developers get at your address and phone number.

In summary

Where does this leave us?

Good work. I'm delighted that Facebook is getting more visibly involved in boosting the security of its users. But there's still a long way to go.

In particular, this latest announcement doesn't address any of the issues in Naked Security's recent Open Letter to Facebook. Those issues represent more general problems which still need attention: Privacy by default, Vetted app developers, and HTTPS for everything.

(If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.)


SSCC 58 – Coreflood, DSLReports, Sony, Stars and Ars Technica

Sophos Security Chet Chat logoPaul Ducklin joined me from Sydney this week as we both returned home from a long and rewarding trip to InfoSec Europe.

While the news has been dominated by the recent attack on Sony Computer Entertainment, we started off talking about the actions the US government took against the Coreflood botnet. The news was largely positive, but it does allow broadened powers for the police that include actions some feel could further harm the victims.

When the topic of DSLReports, Sony and other data leakage incidents came up, our conclusions were ultimately in alignment. While these incidents are important and may draw our attention to the problem, these losses are only a small part of what Paul likes to call the "death of a million cuts."

On the topic of the supposed "Stars" virus, which Iran claims is a second stage Stuxnet virus, the conclusion was the same. Even if this "Stars" virus is real, and is a concern for Iran, in the meantime the rest of us are being hit with a barrage of cyber-crap that is having real impact on our lives.

No story is complete without some comment on Facebook and Chet Chat 58 is no exception. Aside from the usual list of attacks and scams, it appears that their DMCA takedown process and other pieces of their self-defense mechanisms are easily manipulated. Ars Technica's Facebook page was arbitrarily deleted this week based on a DMCA claim that no one has yet been able to explain.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(28 April 2011, duration 18:37 minutes, size 12.6MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 58.


Facebook comment-jacking? OMG! I Can’t believe JUSTIN Bieber did THIS to a girl

Justin Bieber scam on FacebookIt's starting to seem like Facebook can't win against those who wish to use their service to scam, spam and simply cause trouble. Over the last day or so, a new type of attack has been spreading using the phrase "OMG! I Can't believe JUSTIN Bieber did THIS to a girl".

It leads to a page asking you to verify a simple math problem to "prevent bots from slowing down the site". In actuality, it is another clickjack-type scheme in which you are asked to type the answer into a box.

Comment-jack security check

It doesn't matter what you type, because it's a social engineering trick. What you are actually typing is a comment that is used to share the link with your friends on Facebook. You can see the tooltip that says "Add a Comment" in the screenshot.

This bypasses Facebook's recent attempt at detecting likejacking fraud. Links you comment on are not using the same mechanisms that Facebook is monitoring when you click "Like".

Many moons ago, the first Facebook attacks started with illegitimate applications asking for permission to access your wall and spread their messages by spamming your friends through wall posts. While this worked well, it was a bit easy for Facebook to track down and remove the bogus apps.

Early in 2010 we saw the first attempts at likejacking. This technique involves layering one image over the top of a Like button and tricking the victim into clicking something that appears to play a video or a continue button, when in fact they are clicking the Like button hidden underneath.

Facebook Bieber scam wall post

More recently we have seen the attackers trying lots of new techniques. In the past few months we have seen them tagging people in photos they are not in to get you to click, inviting people to fake events and even making you an administrator of a Facebook page that isn't yours.

While protecting yourself may not be as simple as not clicking anything that says "OMG!" that isn't a bad start. Be skeptical, understand that messages from your friends may not in fact have been sent to you willingly, and if you are really tempted to click, take a short timeout to conduct a Google/Bing search.

As of the time of this writing some of the YouTube videos this scam leads to have been removed by YouTube. However, one video that is still working has over 525,000,000 views since February and thousands of comments in the last 24 hours -- in other words, since this Facebook scam has been making the rounds.

To stay up to date on the latest threats, follow us on Facebook. For advice on how to configure your profile to protect your privacy check out our recommendations for Facebook settings.


Why you shouldn’t reveal your Royal Wedding Guest name

In the absence of a genuine ticket to the real event, Facebook users are encouraging each other to reveal their Royal Wedding Guest name.

Here's a typical message that is currently being spread by well-meaning users across the social network:

Wedding guest name on Facebook

In honor of the big wedding on Friday, use your royal wedding guest name. Start with either Lord or Lady. Your first name is one of your grandparents' names. Your surname is the name of your first pet, double-barreled with the name of the street you grew up on. Let's do this! Post yours here. Then cut and paste it into your status.

Regally yours,
Lady Edith Spanky-Rushmoor

Do you see the problem?

By playing the game, you might be unwittingly making life easier for identity thieves and hackers.

Look at it this way. Think of all the websites which ask you to give it a "secret question" which can confirm your identity in the event of you forgetting your password.

Yahoo password question

If you tell everyone your Royal Wedding Guest name then you are giving away information which might help someone break into, say, your email account.

So, here's my advice.

Firstly, don't post this kind of personal information onto the internet - the few seconds worth of amusement you may get by telling people your Royal Wedding Guest name are not worth the potential pain of having your identity stolen.

Secondly, when websites ask you for a "secret answer" to reset your password... lie. You don't need to tell the truth when you're asked by a website what your mother's maiden name was, or the name of your favourite TV show. So, say something random but memorable that no-one is likely to guess like "Xena Warrior Princess" or "Artichoke Sandwich".

If you use Facebook and want to learn more about threats, you should join the Sophos Facebook page where we have a thriving community of over 70,000 people.

Of course, if you do happen to be one particular couple getting married tomorrow, you're not going to have any chance keeping your grandparents' names secret..

Hat-tip: Thanks to Naked Security reader Paul who brought this particular issue to our attention.