Week in review: Facebook privacy loophole, Duqu still active, the world of vulnerability sellers

Here’s an overview of some of last week’s most interesting news, podcasts, videos and articles:

US govt and military email addresses offered for sale
Webroot has recently unearthed an offer for sale of millions of email addresses harvested by a cybercrime underground service, which has cleverly segmented the database based on country or generic top-level domains.

Fake LinkedIn emails serve malware
Emails purportedly coming from business-related social network LinkedIn have been hitting inboxes in the last couple of days, ostensibly reminding recipients of invitations they received.

VoIP: The new way in?
In this podcast, Simon Heron, an Internet Security Analyst for Redscan, discusses the demand for, and the risks of, VoIP deployment. He also suggests measures that should be implemented to defend voice traffic.

Beware of fake Google AV
A number of pages offering “Google antivirus” software and threatening to block the users’ access to Google services because of an infection have recently popped up and appear among Google and Bing search results.

Cisco goes beyond BYOD
Employees are demanding not only to use their own devices at work, but also to have more flexibility in the way they work and when and where they work.

Confidential documents are leaving the workplace
90% of Americans believe people remove confidential documents from the workplace, even though most adults (79%) say taking confidential files outside the office is grounds for termination.

Smartphone security checklist
Inattention to potential security threats can result in the invasion of privacy, identity theft, inconvenience, the loss of intellectual property and the actual loss of money.

Facebook privacy loophole allows regular spying on users
With over 845 million active users, Facebook is a great source of willingly shared information for anyone who can effectively become a “Facebook friend” with the targets.

Computer and biological viruses might eventually converge
The term “computer virus” was coined by Fred Cohen in the early 1980s, because like its biological counterparts, the computer virus is essentially a sequence of information that codes its behavior in a host system. Almost thirty years later, the term still fits: the similarities between the two are many, and the differences not that big.

Carberp gang arrested in Russia
Eight men have been arrested in Moscow for having allegedly stolen over $2 million from the bank accounts of over 90 Russian individuals by infecting their computers with the Carberp Trojan and other malware.

GSM cracking revelations are profound
Commenting on news reports that an Indian company has revealed it can tumble and clone the credentials of mobile phone SIM cards over the airwaves – apparently because certain Indian GSM carriers are using the A5/0 minimal encryption system on their cellular networks – Cryptzone says this raises, once again, the issue that GSM voice calls can no longer be considered secure.

A peek in the world of vulnerability sellers
Vupen is not the only firm that earns its money by selling information about software vulnerabilities to the highest bidder, but is definitely the most prominent one.

Duqu developers still active, researchers say
A newly found variant of the loader file used to load the rest of the Duqu payload has been forwarded to and analyzed by Symantec researchers, who discovered that this component was compiled on February 23, 2012.

Mousetrap Trojan steals money by chain reaction
The new Mousetrap campaign starts with a Java applet that has been injected into a popular website.

Mozilla testing default Google search encryption in Firefox
Firefox users should soon have encryption turned on by default when searching for things online via the built-in Google search engine, Mozilla confirmed.

Voice analysis technology prevents phone scams
Nagoya University and Fujitsu developed the first technology to analyze phone conversations to automatically detect situations in which one party might “over trust” the other party.

The sorry state of web-based single sign-on services
Web-based single sign-on services are becoming increasingly popular, as they offer a better and simpler user experience. But are they secure?

Hardening the endpoint operating system
Qualys CTO Wolfgang Kandek talks about the effects of hardening the endpoint operating system and improving the resilience against common attacks.

Plan to reduce botnets launched
The OTA has been working with the FCC and leading ISPs to develop the voluntary U.S. Anti-Bot Code of Conduct.

Megaupload users targeted with extortion scheme
The recent shutdown of the Megaupload file hosting service by the US authorities is being actively exploited by cyber crooks who are attempting to extort money from the service’s users.

Facebook set to change its privacy policy again
On March 15, Facebook published a draft of the changes that it plans to make to its Statement of Rights and Responsibilities, and asked users to comment on them. The comment period for the changes ended on Thursday.

Securing SharePoint
Microsoft SharePoint enables information sharing and report publishing. It also provides a search facility for users to find content. The problem is that, all too easily, anyone can find things they shouldn’t. The result is inappropriate snooping, actively promoted by SharePoint, and that spells trouble for every organization using the tool.
