A security problem that allowed malicious web sites to access personal user information without their explicit permission has just been fixed by Facebook. This flaw has been reported by Rui Wang and Zhou Li, two student researchers.

According to Graham Cluley, senior technology consultant at Sophos, the security lapse could let malware spread between users,and abuse data as it goes by impersonating a legitimate site that already has the permission to take information.

“According to Wang and Li, it was possible for any web site to impersonate other sites which had been authorised to access user data, such as name, gender and date of birth,” he said. “Furthermore, the researchers found a way to publish content on the visiting users’ Facebook walls under the guise of legitimate web sites, a potential way to spread malware and phishing attacks.”

The security problem only occurred in accounts with looser settings, as more rigorous privacy settings offered adequate protection for the flaw. Fortunately, the students informed only Facebook and Cluley and not the wider world, which could have led to the exploit being used by malicious groups.

Cluley, an outspoken critic of Facebook’s security practices according to V3.co.uk, acknowledged the social site’s security team “responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it”.

However, Facebook is likely to be targeted by similar malware in the future due to it’s complexity.

Due to the success the Stuxnet cyber worm has registered in slowing down the Iranian nuclear program and many other industrial systems around the world, variations of this malware are expected in 2011.

According to eWeek, the Stuxnet worm might have damaged up to 1,000 Iranian centrifuges, after infecting more than 62,000 computer systems in Iran alone. The very efficient and complex Stuxnet cyber worm raises serious concerns that its variants will manage to affect other systems around the world - beyond the traditional information technology targets.

The mild manipulation of the centrifuge engine speeds, prompting the engines to operate just fast enough to break down is considered the genius of the Stuxnet. The manipulation was made possible by the use of USB thumb drives that have delivered code commands through a common yet subtle approach that transported the worm through the network.

The next step in the Stuxnet evolution the emergence of many new variants that can target more types of electronic operating systems – such as those governing national power grids, according to eWeek.

“We need to think above and beyond expected targets, which are not servers or routers,” Adam Bosnian, an executive vice president for information security company Cyber-Ark, told eWeek.

According to an August 2010 Symantec study on the impact of the Stuxnet worm, the malware code has hit 62,867 computers in Iran; 13,336 in Indonesia; 6,552 in India; 2,913 in the United States; 2,436 in Australia; 1,038 in the United Kingdom; 1,013 in Malaysia; and 993 in Pakistan.

“It’s amazing, really, the resources that went into this worm,” Liam O Murchu, manager of operations with Symantec’s security response team told Computer World in September. But the future applications of this bug – and the infinite offshoots Stuxnet will inspire – have begun to raise considerable concerns. “If my coffee maker is on the network, it can infect my computers,” Ed Cohen, vice-president of e-mail security at SonicWALL told eWeek.

To prevent Stuxnet infections, follow this simple four-step guide.

Back in 2008, assuming that the human factor would eventually fail at some point and people would make the mistake of plugging an unsecured memory stick into a military laptop, several memory sticks were scattered in a US military base in the Middle East that was providing support for the Iraq war. All these memory sticks were deliberately infected with a computer worm.

It resulted in the self-propagation of a computer worm into the computer system of Centcom – the central command of the US military. The eradication process took 14 months. Apparently this attack, acknowledged by the Pentagon only in august 2010, was very similar to a Stuxnet worm attack which was used in attempts against Iraq’s nuclear facilities and Iran’s nuclear programme.

The attacks appear to have been highly funded, this bringing forth the possibility of being orchestrated by another country. The Stuxnet worm has infected 30,000 of Iran’s computers and was apparently delivered by intelligence operatives. This tactic appears to be an almost duplicate of the cyber attack against Centcom.

After these attacks, the US gas attempted an exercise called “Cyber Storm III”, an exercise that had as main purpose the countering an all-out cyber war. The exercise that involved government agencies and 60 private organisations in various sectors such as banking, chemical, nuclear enery, IT took place on Thuesday. The results have yet to be disclosed.

James Lewis of the Centre for Strategic and International Studies in Washington stated:

“Cyber war is already here.We are in the same place as we were after the invention of the aeroplane. It was inevitable someone would work out how to use planes to drop bombs. Militaries will now have a cyber-war capability in their arsenals. There are five already that have that capacity, including Russia and China.”

He added  the he believes only 3 countries  have the drive and means capable of launching the Stuxnet attack on Iran: the US, Israel and the UK.

Lewis also believes that a deliberate hacking of an electric generator at the Idaho National Laboratory has previously proven that infrastructure can be persuaded to destroy itself.

“There is growing concern that there has already been hostile reconnaissance of the US electricity grid,” he said.

Due to the fact that Israel has a specialised cyber war unit, called “unit 8200”, some analysts have been led to believe that the Stuxnet attack against Iran was orchestrated by this country.

The fact that a file called Myrthus, a reference to the book of Esther and Jewish pre-emption is present in the worm’s structure can be a proof but also a red-hering.

“Reality has quickly caught up” says Dave Clemente, a researcher into conflict and technology at he International Security Programme at Chatham House in London. ”You look at the Stuxnet worm. It is of such complexity it could only be a state behind it,” Clemente said.

He also points out that the US and UK are putting large ammounts of resources ino cyber warfare defense. According to his statements, a centre for cyber security operations in GCGQ and a new office of cyber security in the Cabinet Office have taken form.

A few steps against Stuxnet infections can be found here

As some of you may know, the Stuxnet worm (and Conficker) has been running amok on both private and corporate networks. The malware spreading via USB devices is always the source of new threats. The latest development of Stuxnet exploits zero day vulnerabilities to target supervisory control firms and data acquisition (Scada) and other industrial systems. Such systems are being used to control pipelines’ pressure or motor work rates on industrial factory floors. Typical environments can be oil pipelines and power-plants, factories etc.

Conficker/Stuxnet detects platforms with Scada systems installed on and uses Windows vulnerabilities to gain access and spread through the network. In the light of current events and the continuous spread of the worm through USB ports and USB portable devices, endpoint security and data loss prevention solution developer CoSoSys has created a four-step strategy against Stuxnet that’s extremely easy to implement:

1. Disable the Autorun function for all portable storage devices
To do so, all you need is AutoRun Disable by Endpoint Protector, a free software available here.

2. Block all USB ports and all other connection interfaces for all computers in your network. There are a few endpoint security solutions you can use to achieve this: Secure it Easy, Endpoint Protector, or the software as a service My Endpoint Protector solution which is free for home users. More details on the solutions mentioned above can be found here.

3. Make sure your Antivirus is up to date

4. Make sure you perform all available Windows updates

Last week, a worm called “Here you have” has started spreading. Among the first targeted companies was Intel. The damages were minor, in part because of the companies traditional defenses, but mainly because of well trained employees.  Malcom Harkins, chief information security officer at Intel states that the employees started calling IT as soon as they saw the worm.

“The employee base saw it, they reacted really quickly, and helped us contain it by alerting us to it and then telling others not to click on it,” Harkins says.

Due to the fact that mobile devices nowadays allow more and more people to work from virtualy anywhere, companies need to start treating their employees as security partners.

According to recent studies, employees are  increasingly bringing personal devices, such as smartphones, netbooks, or pads into the work place. The usage of web-services such as social networks has increased.

According to Ted Schadler and Josh Bernoff’s, new book – Empowered, managers should encourage and help their employees to use innovative technologies in order to helo their companies thrive.

Rather then be to obstructive and make employees “do an end-run” around them, managers should try to both protect and instruct their employees in the ways necessary to avoid threats, not only protect against them.

“We rethought our security strategy and, you know what, people are the new perimeter,” Intel’s Harkins says. “So if you embrace that part of that perimeter, I think your monitoring and detection increases dramatically, which then gives you a much better response time to mitigate exposures.”

Recruiting employees through training should provide and additional contingent of security helps besides the deployment of data security technology. It is also recommended that the security teams should use innovative technologies to help their mission.

To such and end, Intel Sets up occasional “Web jam” sessions, which are somewhat collaborative session that include both members of the security teams and other employees, in order to build awareness for security and corporate policies. Social networks have proven to be a great help toward this end, as people like discussions and debates.

Harkins and Schadler say that mistakes are part of the learning process. Taking responsibility will empower employess towards helping security rather then hindering it.

As a conclusion, we can safely say that in order to achieve a better level o data security it’s best to give your employees some freedom and allow them to make their own mistakes. They will feel more at ease and no try to go over your head using today innovative technologies and also, they will come to you, their manager with various problems or possible threats.

The US Army has temporarily banned the use of USB devices, along with floppy discs, CDs, external drives, flash media cards and all other removable media devices, to prevent a worm from spreading through its networks. According to the Register, the worm that caused this extreme measure is Agent-BTZ, a variant of the SillyFDC worm.

While the ban itself is bound to cause some distress, as it would in any other organization, the work flow will be more extensively affected in the US Army because for some offices email or online file transfers are not allowed either.

The measure is a bit drastic, but at least something was done. I personally would have expected a safer endpoint security system and protected USB drives, given the Army’s impressive history with lost hardware and data breaches (see some examples here, here and here). Who knows, maybe this time they will learn

CSO Online has recently published a top 10 of the most significant data breaches of 2007. They have analyzed stolen hardware, malware infections and other such security breaching activities. CSO has also concluded the “most brilliant lunacy” of the year was to require the usage of social securities numbers as passwords.

If you haven’t guessed who the dark winner is, it’s the nasty TJX affair. But considering other data and facts we’ve recently told you about, the CSO estimated losses seem to be a bit off. Nevertheless, the top is quite interesting and a very good reminder security should never be taken lightly.