I recently started using Facebook and Buzz along with Twitter as public publishing tools. Facebook still sells itself as being for your friends and people you know, which is still completely false. Everything you post on Facebook is public-regardless of your privacy settings, and permanent-regardless of whether you delete it from your wall, but that's besides the point.

The issue I'm writing about today is one where Facebook allows any website to post to your wall as you without your consent (ie: identity theft), as long as you're signed into Facebook. Most people are permanently signed in even when all Facebook tabs and windows are closed by means of a session cookie your browser saves for weeks. Today in my newsfeed there was a link to a video of the tsunami in Japan.

When you click on the link you get taken to a fake youtube page, and are told to verify your age to watch the video. Clicking on the "Verify my age" link takes you to an annoying ad for a malware toolbar, while secretly using your Facebook account to post the link to your own wall and like it. Clicking anywhere else takes you to other sites that infect your computer with viruses and malware.

This malware spreading site happens to be using a live analytics service called amung.us and if you look at the ping response you can see that there are constantly around 10,000 people on the site over the five minutes I kept hitting refresh.

The fake youtube site isn't hacking Facebook or your account, it's simply taking advantage of a gaping security hole in Facebook's API. Any website can embed a hidden Like button, and if you happen to be logged into Facebook on that computer that website can post anything to your wall.

How does it work?

A website loads a hidden Like button on their page, which is just an iframe calling http://www.facebook.com/plugins/like.php with some GET variables. The website uses Javascript to trigger the click action of the Like button posting anything they feel like to your profile without your consent or knowledge. Your friends see the link, trust you, click on it and begin spreading it themselves.

How can Facebook easily prevent it?

Liking a 3rd party webpage should popup a little box that asks for your pin number. Your pin number should be set in your Facebook account settings and be a 4 digit number separate from your password that you're prompted to change every month. This way posting content is a conscious effort on your part, and 3rd parties can't use hidden Like buttons to post to your wall.

There's a new trojan worm(a self replicating malware program; think computer virus) calledStuxnet. It infects all versions of Windows back to Windows NT and 2000 and possibly earlier versions as well. It also affects Windows Server, so many of the websites you visit may be leaking your personal information and/or unknowingly infecting your computer just by visiting the website.

It hides itself on usb sticks inserted into infected systems, the simple act of viewing files on an infected usb stick infects your computer. It's also been discovered that it can infect your computer from website favicons in web browsers, email, office documents, cds, via webdav, ftp, etc.. So anywhere on a Windows system where you see any kind of shortcut icon, the act of viewing that icon will infect your computer - assuming the shortcut is malicious. The bug is in the heart of Windows; the function where Windows parses a shortcut icon to display it to you, will instead install the worm if parsing a malicious icon.

The worm once installed contacts home(the hackers) and can be used by the hackers to run any code on your computer they want. They can steal your passwords and see everything you type or is displayed on the screen, they can transmit files, they can erase your whole system or crash your drive. anything. They have total control of the system.

It's already been found infecting Siemens industrial systems and it could easily target core network infrastructure like your ISPs. There are reports that 9000+ newly infected systems are being discovered every day and that the number is skyrocketing. It is currently undetectable by anti-virus software. The exploit has been demonstrated and published for over a week now, so aside from Stuxnet there could be tens of thousands of other related worms and viruses taking advantage of the same security hole.

Microsoft is unlikely to fix this until the second Tuesday of August, and it's very unlikely they'll fix it in unsupported versions of Windows like 2000 or NT - which constitute millions of computers especially in the corporate world where proprietary information leaks can seriously affect the stock market and national defence. For regular users it means identity theft, system crashes, all your computer activity being monitored and broadcast, your email or Facebook account being used to send the virus to your friends, family, and colleagues, and more.

Microsoft has released a dirty patch to deactivate the vulnerable part of Windows until there's an actual fix, but it's believed not to be effective at preventing the spread of the worm, AND because the vulnerability exists in such an integral part of Windows it seriously affects your ability to use Windows. To paraphrase Steve Gibson, Windows uses shortcuts as the "glue" to link things together in the OS, even within some dialogues and other places you don't realize, so running the supposedly ineffective Microsoft patch leaves you looking at a lot of white squares and unable to perform certain tasks.

Microsoft Security Advisory:
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Symantec's Breakdown:
http://www.symantec.com/connect/blogs/w32stuxnet-network-operations

Security Now(The first 30 minutes is about Stuxnet):
http://twit.tv/sn258