As Sophos indicates, affected profiles will have “liked” messages showing in their newsfeed such as “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.” with a link.

The links take users to another page with a second link and this will automatically update that user profile with the same status.

“They hide an invisible button under your mouse, so wherever you click your mouse-press is hijacked, secretly clicking on a button which tells Facebook that you ‘like’ the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally,” explained Graham Cluley, senior technology consultant at Sophos. “Some of the pages ended up with hundreds of thousands of fans as a result. Facebook needs to tighten up the way it handles the ‘liking’ of external webpages before it is more widely abused by malicious hackers and spammers.”"

Check your own recent news feed to make sure that you haven’t “liked” something inadvertently. Delete any links to suspicious pages.

The guide uses Gmail’s “last account activity” section in your Inbox to look at the IP addresses that have accessed your account. The guide then teaches you how to determine if suspicious IP addresses are ok or not.

If you suspect your account has been hacked, Step 6 will take you through how to change your password and security question.

It’s an awesome guide. I didn’t know about this feature of Gmail, and I was thankful that my account activity showed only my IP! How does yours look?

Gonzalez was reportedly paid $75,000 a year working undercover for the US Secret Service to inform on bank card thieves. Oh, the irony! This just goes to show you that anyone can be a cyber thief – even people trusted by the government.

The article at Wired goes into more detail about Gonzalez, how he came to be arrested, the topic of paid informants, and conjecture that perhaps being a paid informant reinforced Gonzalez’s criminal behavior.

Gonzalez is set for sentencing this week for the breaches. The government is seeking a 25 year prison sentence.

In this article, Andrew outlines an interesting proposition to avoiding attacks: think like a hacker. Instead of thinking like a security professional, you must think of the passion and the drive that goes into hacking. In the same way a hacker will ‘think outside the box’, so too must the security professional.

It is, of course, easier said than done. The article is not a how-to, either. It is simply a reminder that there are many ways ‘in’ and that security must be a multi-faceted effort in order to thwart potential attacks. In addition, if your network is compromised, you may find that there is no single point of attack but rather a chain of attacks.

Via InformIT ; Image: Clipart

The data, compiled from application-related security incidents that are publicly reported, indicates that 19% of the hacks in the first half of 2009 were targeting social networking sites like Twitter and Facebook. This is the first year when social networks became an attack sector. In 2008, government was the leading sector being targeted. The data also indicates a 30% increase in overall web attacks compared to the first half of 2008.

“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”

Download a copy of the report here.

Also making major news right now is the indictment of Albert Gonzalez on charges of hacking into the Heartland Payment Systems. Gonzalez is already awaiting trial over his involvement in the TJX hack, putting him as part of the hacking team behind two of the largest hacker-based breaches in history. Read more here.

If you want to recover your password, chances are someone else can recover it for you. Most password-recovery systems will ask you a series of “security” questions such as ‘What is your cats name?’ or ‘Where did you grow up?’… problem is, in the age of Google and social networking sites like Facebook, that data is no longer secure.

Some web security experts are now calling these password reset tools the weakest link in Web security.

One web expert asked permission to hack into the bank accounts for several friends. Using only information he found online, he was able to trigger the bank reset, access the email via another password reset, then access the bank accounts. You can read more about his “social hack” experiment published here on Scientific American.

Security experts are positing that it won’t be long before portfolios of personal information will be bought and sold for large-scale password-reset hacking attempts.

So, what’s the solution? Coming up with secure challenge questions is not an easy task. A preference-question (such as “Do you like opera?”) set may work more effectively than fact-based questions. There’s a fabulous discussion about this password issue going on at MSNBCs Red Tape Chronicles here.

Great reference for additional reading: Security Questions in the Era of Facebook (PDF) by Ariel Rabkin.

Via red tape ; image: clarita @morguefile