Friday, February 17, 2012

Over 90% of Facebook users hate having photos of them posted without approval

SophosLabs: Facebook users overwhelmingly agree that it's rude to post photos or videos of them without asking permission first. Some even think it should be illegal.


Sophos has polled over 800 Facebook users, asking whether people should seek permission before posting photographs or videos online of others.

Although a large majority - 83% - of polled Facebook users think it's just common courtesy to ask permission before posting a photo or video of someone else (and a further 8% felt it should be illegal not to have received approval), some respondents believed that Facebook's existing tagging controls allowed you to remove a picture that you didn't want published online.

Unfortunately, that's not correct.

Last August, Facebook revamped its privacy settings - introducing the option to review photos and posts that you have been tagged in before they appear on your own profile page.

(You may or may not be surprised to hear that Facebook has not enabled this option by default.)

However, rejecting a photo tagged in your name from appearing on your profile page does not stop your Facebook friend from uploading and publishing it in the first place; it merely blocks it from appearing on *your* profile. It will still be visible elsewhere on the site.


In short, you can't force a photo of you to be taken down - but you can remove your name from its tags after it has been published. You can't stop friends from sharing photos of you, but you can block it (after it is published) from appearing on your own profile.

The best you can do is keep requesting that your Facebook friends untag you from unflattering photographs, or pictures that you would rather remain private, and ask that they request permission to include you in photos in future.

The situation is arguably more complicated if you're not even a member of Facebook. You can still be tagged in a Facebook photo, and your tagger can include your email address - meaning you are informed that you have been tagged and invited to visit a link to view the photo, but you won't be able to do anything else without signing up for the site.

Facebook users have time and time again contacted Naked Security, requesting that the social network implements a system whereby photos and videos can only be tagged with a name *after* the subject has given their permission.

Presently, Facebook fosters a "publish first, apologize later" culture, rather than something which over 90% of the site's users would seemingly prefer. And there's no sign that Facebook is planning to change in this regard.

A few who commented on the poll agreed that we all need to stipulate to the photographer or videographer that we want our images to be kept offline.

For her part, survey respondent Pam Archer Smith, who identifies herself as a photographer and who also answered that it's only common courtesy to ask, said she approaches the issue with the viewpoint of seeing her subjects as clients:

I always make sure I tell people that I am posting on FB and IF I have people that are not keen then I omit that photo! I have an on-line photo gallery and clients decide whether they want it private or not. It's always best to make sure though - but if you are out with me 9/10 there will be a photo of you :D

Other respondents reminded fellow Facebook users of what could be done through privacy settings, to reduce the potential pool of people who could view a personal photograph. (Of course, that's little comfort for those who suffered late last year from a flaw that allowed access to private photos on the social network.)

Out of the smaller group who thought it should actually be illegal to post photos of other people without permission, one commenter, Bruce Miller, noted that the issue should be regarded the same as it is for printed materials:

If a photographer wants to put your photo in a magazine, you're asked to sign a release. Why would we accept anything less anywhere else?

In reply, John Leal said that it actually is illegal when it comes to recording people unaware:

There is a reasonable expectation of privacy, and posting video/photos of anyone without their being aware of it, when taking under that assumed expectation is unlawful. Dependent on circumstance, photos/video taken in a public setting are a bit different, tending to fall under public domain, however, there are anti-stalking/peeping-tom laws that could offset the right to use those images/video. If nothing else the use of imagery of someone else would fall under the clause of common courtesy.

But again, those who felt it should be illegal were in the minority. Many felt that such a step would be overly litigious.

I voted with the majority. I believe it's clear that a new etiquette should be formed around posting images, whether it's an ad hoc effort coming from the Facebook user base or a policy that Facebook implements.

Of course, as some commenters pointed out, everything depends on what, exactly, the image depicts. When Ars Technica last week wrote about supposedly deleted Facebook photos persisting 2.5 years after they should have been erased, one circumstance in particular caught my attention: that of an Ars Technica reader who'd tried to delete a photo of his toddler, naked in the grass.

It had been posted by a family friend. Obviously, the poster didn't request permission.

When the father attempted to delete a naked photo of his child, he was justifiably concerned when links to the JPG continued to pull up the image off a legacy Facebook server.

I do volunteer work. I write articles for nonprofits, and I take photos of events for use with those articles. I always ask people if they're OK with their images being used online or in a printed newsletter.

Do I ask friends if it's OK if I post their images? I have to admit, my social sphere comfortably inhabits Facebook Land.

Friends freely post photos of me and of our mutual friends without asking permission. I do the same, knowing that they'll have no objection. In such a social circle, of course, etiquette should always take into account mutual understanding of the comfort level around published images.

Does that mean we sometimes just assume it's OK to post images?

I think it does, at least in my case.

From now on, considering this poll, what I think of as mutual understanding of comfort level will shift to accommodate the vocalizing of a more concrete request for permission to post.

Will you change your own policy? Feel free to let us know how you and your friends and family handle the issue and whether the poll results will change how you post.

Flash Player update plugs exploited hole

The H-Online: Adobe has released updates for Flash Player closing seven holes in the application. Six of the holes can be exploited to allow an attacker to infect a PC using crafted web pages. The seventh is a cross site scripting hole that Adobe says is already being exploited in "active targeted attacks". The attacks, which are only aimed at Internet Explorer on Windows, try to trick the user into clicking on a malicious link. Adobe say the hole "could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website".

Flash Player version 11.1.102.55 and earlier on Windows, Macintosh, Linux and Solaris, version 11.1.112.61 and earlier for Android 4.x, and version 11.1.111.5 and earlier for Android 3.x and 2.x are all affected. Desktop Flash users should update to 11.1.102.55 by downloading it from Adobe's site. Android 4.x users should update to 11.1.115.6 and Android 3.x and 2.x users should update to version 11.1.111.6 by browsing to the Android Market Place for an update.

Google's Chrome browser, which embeds the Flash Player, has been updated to version 17.0.963.56 on Windows, Mac, Linux and Chrome Frame. The Chrome update also addresses thirteen high, medium and low severity security issues, eight of which paid out from $500 to $1337 in bug bounty rewards. Google Chrome updates should be automatically delivered to Chrome users.

Wednesday, February 15, 2012

LibreOffice, Really?! Really?!

I've been reading the Mozilla blog; I liked this post and agree with it, so I'm sharing it with you:

I read an article on the Web somewhere that there was a new LibreOffice version. It's been several years since I gave OpenOffice a try and I've been interested to see what OpenOffice had evolved into, so I thought, "Hey, maybe they've improved some. I'll install it and see." Here is what happened.


Continue Reading at: http://weblogs.mozillazine.org/asa/archives/2012/02/libreoffice_youre_do.html

Java SE updates fix critical security holes

The H-Online: Oracle has fixed 14 security holes in the Java Standard Edition (Java SE) with a critical patch update. The vulnerabilities allow attackers to use specially crafted Java WebStart applications or web services in order to install malicious code on computers that run flawed versions of Java. Oracle says that such flawed versions are particularly likely to exist on Windows computers because Windows users tend to have admin privileges. The risk is smaller under operating systems such as Linux and Solaris, the company added.

The holes, five of which are rated as maximum risk vulnerabilities, affect the JDK (Java Development Kit) and JRE (Java Runtime Environment) 7 Update 2, JDK and JRE 6 Update 30, JDK and JRE 5.0 Update 33, and SDK and JRE 1.4.2:35, and earlier releases of each. Versions older than JavaFX 2.0.2 are also affected.

Oracle has closed the holes in Java SE 7 Update 3, Java SE 6 Update 31 and JavaFX 2.0.3. The updates are available for Windows, Linux and Solaris. Under Windows, the updates will be installed automatically via auto-update. Otherwise, the patches can be downloaded from the Java download page and installed manually. Oracle recommends that flawed versions be replaced as soon as possible.

Warning: Whitney Houston autopsy video links on Facebook aren't what they seem

SophosLabs: The death of pop superstar Whitney Houston made headlines around the world this weekend, and it didn't take long for fraudsters and cybercriminals to cash in on the singer's death.

For instance, messages have been seen shared on Facebook claiming to link to a video of Whitney Houston's autopsy.

According to the messages, the video of Whitney Houston's autopsy "reveals a shocking secret that explains her death".

Here's what a typical message looks like:


[video] - Whitney Houstons autopsy reveals a shocking secret that explains her death.
[LINK]

Breaking News: Coroners autopsy reports reveals a dark past and secret life which tragically led to Whitney Houstons death.

Clicking on the link takes your browser to a page which appears to show a YouTube video embedded on what looks like a Facebook webpage. However, a message on the page says that the video cannot be played because your version of Adobe Flash needs to be updated.


Of course, you should only ever download an update for your installation of Flash from the *real* Adobe website, so my recommendation would be to be very wary of downloading any software that this bogus webpage might serve up to you, or of any scam survey pages that it might direct you towards.

If you use Facebook and want to get an early warning about the latest attacks, you should follow Omid's TechBlog Facebook page.

Chinese hackers had free rein at Nortel

The H-Online: According to a report, hackers, allegedly from China, had access to telecoms equipment manufacturer Nortel's IT systems over a period of several years – access that they took full advantage of. Citing an internal investigation, the Wall Street Journal reported on Tuesday that, using seven passwords stolen from senior managers, intruders had access to almost all confidential information within Nortel from 2000 onwards.

Brian Shields, the manager who led the Nortel investigation, is quoted as saying that the hackers "had access to everything". Huge volumes of technical documents, research and development (R&D) reports, business plans and emails were downloaded over the course of several years. "They had plenty of time," said Shields, "All they had to do was figure out what they wanted." The seven stolen passwords included the password belonging to the company's then CEO. The attackers have not been identified, but the WSJ notes that they appear to have been working from China.

The spyware is reported to have been so deeply embedded in some employees' computers that it took years for the company to become aware of the extent of the problem. According to the investigators, the hack was discovered in 2004 when questions were asked as to why one high-ranking manager appeared to have downloaded what was for him an unusual set of documents. When the manager proved to be as surprised as anyone at the documents downloaded, it became clear that something was amiss. It was subsequently determined that some computers were regularly sending data to an IP address in Shanghai.

According to the report, Nortel's attempts to stem the flow of information were initially limited to little more than changing the seven compromised passwords. Mike Zafirovski, who was Nortel's CEO for several years, told the newspaper that, for some time, people "did not believe it was a real issue".

Nortel went bankrupt in 2009 as a result of the financial crisis. The Canadian networking company was split up and parts of the business sold off to various competitors. The irony is that, according to Shields, before the closing down sale, Nortel had not stopped the hackers or shown any interest in disclosing that they had a problem. With these backdoors in place, companies buying up parts of Nortel could have been getting a lot more than they bargained for.
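The detail that finally exposed the intrusion at Nortel, computers regularly sending data to one outside IP address, is the kind of pattern a defender can look for in outbound connection logs long before an unusual download catches someone's eye. The following Python is an added example, not part of the H-Online report or of Nortel's investigation: it groups connections by (source, destination) pair, ignores destinations inside the organisation's own address ranges, and flags pairs whose timing is nearly periodic. The log format, the internal ranges and every sample line are constructed; 203.0.113.7 and 198.51.100.20 are documentation addresses standing in for real ones.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (not Nortel data): one outbound connection per line,
# "<ISO-8601 timestamp> <src-ip> <dst-ip> <bytes-sent>".
# 10.1.2.3 contacts 203.0.113.7 once an hour with small jitter (the beacon),
# 10.1.2.9 contacts 198.51.100.20 at irregular times (ordinary browsing),
# and 10.1.2.3 also talks regularly to an internal file server (ignored).
SAMPLE_LOG = """\
2004-03-01T00:00:05 10.1.2.3 203.0.113.7 48211
2004-03-01T00:03:10 10.1.2.9 198.51.100.20 1200
2004-03-01T00:03:12 10.1.2.9 198.51.100.20 880
2004-03-01T00:10:00 10.1.2.3 10.1.5.5 3000
2004-03-01T00:45:00 10.1.2.9 198.51.100.20 410
2004-03-01T01:00:02 10.1.2.3 203.0.113.7 51090
2004-03-01T01:10:00 10.1.2.3 10.1.5.5 3000
2004-03-01T02:00:08 10.1.2.3 203.0.113.7 47733
2004-03-01T02:10:00 10.1.2.3 10.1.5.5 3000
2004-03-01T02:10:30 10.1.2.9 198.51.100.20 2210
2004-03-01T02:10:31 10.1.2.9 198.51.100.20 95
2004-03-01T03:00:01 10.1.2.3 203.0.113.7 50315
2004-03-01T03:10:00 10.1.2.3 10.1.5.5 3000
2004-03-01T04:00:06 10.1.2.3 203.0.113.7 49002
2004-03-01T04:10:00 10.1.2.3 10.1.5.5 3000
2004-03-01T05:00:04 10.1.2.3 203.0.113.7 52440
2004-03-01T05:10:00 10.1.2.3 10.1.5.5 3000
"""

# Assumed address ranges belonging to the organisation itself; a real
# deployment lists its own allocations here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Record = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Record]:
    """Turn the constructed log format into (timestamp, src, dst, bytes) tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def is_external(ip: str) -> bool:
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_beacons(records: List[Record], min_events: int = 5,
                 max_jitter: float = 0.05) -> Dict[Tuple[str, str], dict]:
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; near zero means a timer-driven beacon, while
    human-driven traffic produces gaps that vary by orders of magnitude.
    """
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, nbytes in records:
        if is_external(dst):
            by_pair[(src, dst)].append((ts, nbytes))

    flagged: Dict[Tuple[str, str], dict] = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            flagged[pair] = {
                "events": len(events),
                "interval_s": round(mean_gap),
                "jitter": round(jitter, 4),
                "bytes_out": sum(n for _, n in events),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['events']} connections every "
              f"~{info['interval_s']}s, {info['bytes_out']} bytes out")
```

Running it over the sample reports only the hourly beacon from 10.1.2.3. The thresholds are deliberately strict: a five-event minimum keeps one-off lookups out of the report, and the 5% jitter ceiling lets through small scheduler delays while rejecting anything a person drives by hand. Volume is reported alongside timing because a beacon that ships tens of kilobytes every hour, as this one does, is the exfiltration pattern Nortel's investigators eventually found rather than a mere keep-alive.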

Twitter enables HTTPS for all signed-in users

The H-Online: Twitter has announced that it has now enabled HTTPS by default for all users signed into the micro-blogging service. By using HTTPS, all user information, including log-in credentials transmitted to the company's servers, is sent using SSL encryption. This means that all data is transmitted in encrypted form and can no longer be read and exploited for fraudulent activities by attackers using tools such as the Firesheep extension for Firefox.

The company originally added the "Always use HTTPS" option in March of last year but required users to manually enable it. Later, in August, it began to enable the setting by default for "some" of its users. Those who prefer not to use HTTPS can still disable it by unchecking the "Always use HTTPS" setting on the Account Settings page. More details about HTTPS on Twitter and keeping an account secure can be found in the Twitter Help Center.
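Switching a site to HTTPS only defeats cookie-sniffing tools such as Firesheep if the session cookie is also marked Secure, so the browser never sends it over plain HTTP, and if the site sends a Strict-Transport-Security header, so the browser stops making plaintext requests at all. The following Python is an added example, not Twitter's code: it audits a raw HTTP response for exactly those two properties. Both responses below are constructed samples, not captured Twitter traffic, and the cookie name auth_token is an assumption.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieFinding:
    name: str
    secure: bool     # Secure attribute present: never sent over plain HTTP
    httponly: bool   # HttpOnly attribute present: not readable by page scripts


@dataclass
class AuditResult:
    hsts_max_age: int  # 0 when no usable Strict-Transport-Security header
    cookies: List[CookieFinding] = field(default_factory=list)

    @property
    def sniffable_cookies(self) -> List[str]:
        """Cookies a browser would still send in the clear on an http:// link."""
        return [c.name for c in self.cookies if not c.secure]

    @property
    def enforces_https(self) -> bool:
        return self.hsts_max_age > 0 and not self.sniffable_cookies


def parse_set_cookie(value: str) -> CookieFinding:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFinding(name, "secure" in attrs, "httponly" in attrs)


def parse_hsts(value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit_response(raw: str) -> AuditResult:
    """Audit the header block of a raw HTTP response (CRLF line endings)."""
    head = raw.split("\r\n\r\n", 1)[0]
    result = AuditResult(hsts_max_age=0)
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            result.cookies.append(parse_set_cookie(value))
        elif name == "strict-transport-security":
            result.hsts_max_age = parse_hsts(value)
    return result


# Constructed sample: a site that serves its session cookie without Secure
# and sends no HSTS header, i.e. what a Firesheep-style attack relies on.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: auth_token=c0ns7ruct3d; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same site with cookies marked Secure and a
# one-year HSTS policy, so the session never travels over plain HTTP.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: auth_token=c0ns7ruct3d; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; Secure\r\n"
    "\r\n"
    "<html></html>"
)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        r = audit_response(raw)
        print(f"{label}: sniffable={r.sniffable_cookies} hsts={r.hsts_max_age}s "
              f"enforces_https={r.enforces_https}")
```

The check treats every cookie without Secure as sniffable, not just the obvious session token, because a preference cookie without the flag still gives an eavesdropper a plaintext request to read and, on some sites, enough to correlate with the user. An "Always use HTTPS" checkbox that can be turned off, as Twitter's still could at the time, is exactly why the HSTS max-age matters: once a browser has seen it, the choice is no longer left to an http:// link in someone else's page.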

iPhone 5 tester SMS text scam hits cellphone users

SophosLabs: Scammers don't just lure you into visiting their websites via email, Facebook and Twitter - you can be targeted on your mobile phone too.

For instance, there have been numerous people on the internet who have reported receiving messages like the following:


Apple needs iPhone5 testers! The first 1000 users who visit [LINK] and enter code 4444 will get to test & keep the new iPhone5.

Of course, the promotion has nothing to do with Apple (who do not do public tests of their upcoming products), and - as the iPhone 5 hasn't even been announced yet - you have close to zero chance of receiving a free smartphone.

Instead, you're being duped into handing over your personal information which could be used for, well... who knows what. In the past, we've seen the fraudsters earn commission through the traffic they bring to an online survey, or sign victims up for an expensive premium rate service.

It's also easy to imagine how such a scheme could be used for stealing personal information, or gathering data that will later be used against you.

After all, whoever invited you to the bogus iPhone 5 test had no qualms about sending you SMS text spam - so they have already proven themselves to be of a dubious moral character.

Some mobile phone operators allow you to report SMS text spam to them, so they can try to block those behind it. Unfortunately the method of reporting text spam is different from operator to operator, so you will need to contact them (or visit their respective websites) for instructions.

Microsoft's Patch Tuesday fixes critical vulnerabilities


The H-Online: As expected, Microsoft has released nine bulletins to close a total of 21 holes in its products. Four of the bulletins close critical vulnerabilities in Windows, Internet Explorer, .NET and Silverlight, including an issue in the Windows kernel-mode drivers that became publicly known in December of last year.

The company advises those responsible for prioritizing update deployment to focus on the critical patches for Internet Explorer and the C Runtime Library in Windows, as these could be exploited by an attacker to remotely execute arbitrary code on a victim's system. For an attack to be successful, a user must first visit a malicious web page or open a specially crafted file. The other critical bulletins fix issues in .NET and Silverlight, as well as the Windows kernel. Microsoft notes that it has yet to see any active attacks exploiting these issues in the wild.

Rated as "important", the remaining five bulletins correct a number of remote code execution and privilege escalation issues. These include a total of six vulnerabilities in SharePoint and the Ancillary Function Driver in Windows that could be used to allow elevation of privileges. Five holes in the Windows Color Control Panel, an issue in the Indeo Codec included with Windows, and five problems in Visio Viewer – part of Microsoft Office – that could be used to remotely execute code have also been closed.

An overview of all of these updates, including descriptions of each of the vulnerabilities, can be found in the Microsoft Security Bulletin Summary for February 2012.

According to reports, the updates to the Microsoft Windows Malicious Software Removal Tool (MSRT) and the company's Forefront security products, which were released at the same time as Microsoft's Patch Tuesday security updates, result in a false positive malware warning on google.com. Following the updates, when visiting google.com in Internet Explorer, users receive a warning that a potential threat has been detected, specifically Exploit:JS/Blacole.BW; those using Firefox only reportedly see a warning after a search is initiated, and Chrome and Opera are said to be unaffected.

Shockwave Player critical holes closed

The H-Online: Adobe has updated Shockwave Player on Windows and Mac OS X to version 11.6.4.634 after identifying nine critical vulnerabilities. The problems affect Shockwave Player 11.6.3.633 and all earlier versions on Windows and Mac OS X – Adobe recommends updating to the new release by downloading it from get.adobe.com/shockwave. To identify whether Shockwave Player is installed on a system, users should visit the test page on Adobe's site.

The majority of the problems are in the Shockwave 3D Asset where seven memory corruption vulnerabilities could lead to code execution; these were all reported by Hongnang Ren of FortiGuard Labs. An eighth memory corruption issue and a heap overflow vulnerability, both of which could also lead to code execution, were reported by "instruder" of vulnhunt.com and bring the flaw tally up to nine.