Many people have had their Facebook account broken into by criminals, according to a new report.

The document, in which users recount their experiences on social networks, is compiled by US consumers’ champion Consumer Reports, and bears the apt sub-title ‘What millions of online users don’t know can hurt them’.

The horror stories included one victim’s account of how her Facebook friends list was hijacked by a trickster who then used it to try to extort money from those listed.

One of the most obvious ways of a hacker gaining access to your account is to simply guess your password. While the minimum number of characters Facebook accepts for a password is six, it is far wiser to pick one which is at least two characters longer than this.

Including both upper and lower-case letters, numbers and symbols will also result in a password which is much stronger.

When you try to create any Facebook password, it will tell you how strong or weak it is. Words found in the dictionary are considered very weak. In fact, when you try to enter many common words, such as “season,” Facebook rejects them and displays the message: Password change not successful.You may not use a dictionary word as your password. Please choose a more secure password.

Six characters also happens to be the most common word length in the English language, so you might think that would give you plenty of scope for finding one which will be acceptable and – crucially for many users – easy to remember at the same time.

However, Facebook also finds many passwords which it rates as ‘weak’ still perfectly acceptable, which might lull some users into a false sense of security.

Researchers compiling the report were also surprised to find that Facebook had no issues with passwords comprising a short first name followed by one digit, such as joseph1 and susan1.

Of course, Facebook responds quickly to many perceived security threats, so many of the passwords at the centre of the problems may have been barred by the time you read this.

Nonetheless, ConsumerReports concluded: “The fact that it accepted them, contradicting its own warning about using dictionary words, is worrisome.

“If Facebook is to minimise account theft, it should tighten up such loose ends by rejecting all passwords that are too weak, including all common dictionary words.”

Before picking any password, you can get an idea of how secure it is by using the Microsoft password checker. It also publishes password-picking guidelines, in which it suggests using a minimum of no fewer than 14 characters! It’s no wonder many people are confused, and therefore, vulnerable.

Hackers have targeted Facebook’s estimated 400 million users, sending them spam emails with the intention of persuading them to hand over banking passwords and other sensitive information.

The emails tell recipients that the passwords on their Facebook accounts have been reset, and urge them to click on an attachment to get new login details, according to anti-virus software maker McAfee.

If the attachment is opened, it downloads several types of malicious software, including a program that steals passwords, McAfee said.

Hackers have long targeted Facebook users, sending them tainted messages via the social networking company’s own internal email system. This new attack spreads their malicious software by means of regular email.

A Facebook spokesman said the company could not comment on the specific case, but said a status update posted on the company’s website had warned users about the bogus email and advising users to delete the email and to warn their friends.

McAfee estimated that hackers had sent out tens of millions of spam messages across Europe, the United States and Asia in just a couple of days.

Dave Marcus, McAfee’s director of malware research and communications, said that he expects the hackers will succeed in infecting millions of computers.

“With Facebook as your lure, you potentially have 400 million people that can click on the attachment. If you get 10 per cent success, that’s 40 million,” he told Reuters.

The email’s subject line says “Facebook password reset confirmation customer support,” according to Marcus.

Eric Schmidt, the CEO of Google has said “something will happen soon” in relation to the company’s talks with the Chinese government.

According to a report by the Associated Press, Schmidt told a press conference in Abu Dhabi on Wednesday that talks are underway, but refused to release more details.

He said: “I can’t really say anything other than that we’re in active negotiations with the Chinese government, and there is no specific timetable. Something will happen soon.”

Just a matter of days ago however, the Chinese said there had been no negotiations with Google over the US company’s threat to leave the country.

In January Google said it could cease its business operations in China, after Google email accounts belonging to Chinese human rights activists were hacked.

News home

Questions which serve as security checks on websites need to be replaced by more complex tests to establish a person’s identity, say researchers.

A study has shown how easy it is to guess the answer to common questions, such as someone’s mother’s maiden name.

It found attackers will be able to break into 1 in 80 accounts if they get three chances to guess the answers to security questions.

“The numbers were worse than we thought,” said Joseph Bonneau, the lead researcher on the study.

Many websites, including those of banks, credit card firms, webmail providers and others, use the supplementary questions when changes are made to an account.

In the case of many internet service providers, they can be used to overwrite an existing password without knowing what it is.

Mr Bonneau, a security researcher at the University of Cambridge, said many of his compatriots had investigated the security of these questions.

One study by researchers from Microsoft and Carnegie Mellon looked at how easy it was for friends and family members to guess answers to an individual’s security questions. They found that 17 per cent of the answers could be guessed by those who knew a target.
 
Also, said Mr Bonneau, the information people use as answers might be widely known. For instance in the US marriage and birth records were held for a long time and many were viewable online, making it straightforward to find out useful data, he said.
 
“This assumes there is one account you want to break into and you are willing to spend a couple of hours finding out about this particular person,” he said.

Mr Bonneau and his colleagues, Mike Just and Greg Matthews from the University of Edinburgh, investigated how easy it was to stumble on the answer to a question if an attacker knew nothing about any of their potential victims.

“We measured how hard it was to guess answers,” said Mr Bonneau.

They found that an attacker would get an answer right every 80 accounts, if they were given three chances to try. Most webmail providers allow three attempts to get an answer right before they lock an account for a few hours or a day.
 
Mr Bonneau and his colleagues reached their conclusion after analysing 270 million pairs of first and last names culled from Facebook.

Many security researchers were now looking into ways to make the security questions tougher to guess. Some are considering making people answer three questions before they can re-set a password.

“The chance of guessing three things simultaneously is pretty low,” said Mr Bonneau.

Others, such as Google, were sending reset passwords by text message.

An FBI chief has warned that American security is coming under growing threats from militant groups, foreign states and criminal organisations targeting government and private computer networks.

Bureau director Robert Mueller told the internet security conference that militant groups such as al-Qaeda had primarily used the net to recruit members and plan attacks, but had made clear they also see it as a target.

“Terrorists have shown a clear interest in pursuing hacking skills and they will either train their own recruits or hire outsiders with an eye toward combining physical attacks with cyber attacks,” Mueller said.

And he warned that a cyber-attack could have the same impact as a “well-placed bomb.”

Mueller added that some foreign governments, also posed a threat by seeking to use the Internet for espionage – although he did not identify any suspects, Reuters reported.

“Apart from the terrorist threat, nation states may use the internet as a means of attack for political ends,” he said.

“They seek our technology, our intelligence, our intellectual property, even our military weapons and strategies.”

The comments came followed a series of high-profile incidents such as the attempted attack on Google’s systems that originated in China. Google said at the time that it believed at least 20 other companies had been targeted.

And only this month, Spanish police arrested three men accused of masterminding one of the biggest-scale cyber-crimes to date, involving attacks on 13 million PCs and the theft of credit card details.

Mueller said the FBI was working closely with 60 countries worldwide to counter the threat, and had special agents working alongside police forces in countries from where many of the attacks had been known to originate.

And he urged businesses targeted in cyber-attacks to come forward to help track down the perpetrators, saying the FBI realised how delicate the situation was for many large corporations.

“We will minimise the disruption to your business, we will safeguard your privacy and your data and where necessary we will seek protective orders to preserve trade secrets and business confidentiality,” he said.

American lawmakers have given Microsoft permission to deactivate a global network of computers that the company accused of spreading spam and harmful computer codes, the Wall Street Journal said.
A federal judge in Alexandria, Virginia, granted a request by Microsoft to deactivate 277 internet domains, which the software maker said were linked to a ‘botnet’, a network of computers that hackers can control from a central machine and use to spread viruses.
The company aims to secretly sever communications channels to the botnet before its operators can re-establish links to the network, the paper said, adding that it had taken the first legal steps to taking down a botnet known as Waledac.
The judge’s order required VeriSign Inc, an internet security and naming services provider, to temporarily turn off the suspect internet addresses, the paper said.
Less than a week before this move, internet security firm NetWitness said in a report that a new type of computer virus is known to have breached almost 75,000 computers in 2,500 organisations worldwide, including user accounts of popular social network websites.

Fresh concerns have been raised over the security of Microsoft's Internet Explorer (IE) browser.

The warning comes from French government agency Certa, which said that pending a patch to update Internet Explorer, it recommends using a different browser.

This is the latest blow to Microsoft, following on from the German government’s similar recommendation that internet users should switch to an alternative browser.

The American software giant has already admitted that a weak link in its programme was used by internet hackers in China to gain access to the Google email accounts belonging to human rights activists.

Google is now considering its position in the country following the attack and is expected to hold talks with the Chinese government in the near future.

Speaking to the BBC however, Microsoft’s head of security, Cliff Evans, described the risk as “minimal” and said IE8 is “the most secure browser on the internet”.

He added that so far there have only been cases of malicious code targeting older versions of the software.

Microsoft is now working on a patch to cure the problems, but a release date has not been issued.

Technology firm Yahoo! has been criticised by one of its Chinese business partners after publically coming out in support of Google's decision to consider quitting the country.

The US firm revealed it will no longer censor search results through Google.cn and is considering pulling out of the country and ceasing its business operations following a wave of cyber attacks, believed to have originated in China. The company is now due to enter talks with the Chinese government over its future in the country.

Yahoo! decided to come out in support of Google saying: “We stand aligned that these kinds of attacks are deeply disturbing and strongly believe that the violation of user privacy is something that we as internet pioneers must all oppose.”

But the firm has now been criticised as “reckless” by the Alibaba Group, one of Yahoo!’s Chinese partners, in which it owns a 40 per cent stake.

The Alibaba Group told Bloomburg: “Alibaba Group has communicated to Yahoo! that Yahoo!’s statement that it is ‘aligned’ with the position Google took last week was reckless, given the lack of facts in evidence. Alibaba doesn’t share this view.”

According to a report in The Telegraph, Yahoo! has declined to comment further.

The attacks on Google email accounts belonging to human rights activists can be traced back to the Chinese government “or its proxies”, according to a US internet security firm.

Verisign’s iDefense Labs claims the web addresses involved in the cyber-attack “correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof”, reports The Guardian.

The newspaper said researchers at the security firm have managed to find a link to the computer servers which controlled software used by the hackers. The company has also spoken to “several sources” which Verisign says have backed up its claims.

Earlier this week Google went public with news of the attacks, and said it is considering pulling out of the country and ceasing its business operations in China. The search giant, which began operating in China in 2006, said it is no longer prepared to censor internet results in order to comply with Chinese law.

In response, China said it intends to stand firm over censorship of certain internet content and that media companies must “live up to their responsibility of maintaining internet security”, which includes censoring content.

The Chinese government has said it will stand firm with regard to censorship of the internet following Google’s threat to withdraw from the country.

A report in the Financial Times this morning quoted Wang Chen, the head of the State Council Information Office and deputy head of the Communist party’s propaganda department, as saying internet media must “live up to their responsibility of maintaining internet security”, which includes censoring content.

Yesterday Google announced it would consider pulling out of the country if the Chinese government refuses to let it operate without censorship. The move follows a series of attacks by hackers on Google email accounts owned by human rights campaigners, which were discovered to have originated from China.

In a statement issued on a government website, Chen said: “The importance different countries attach to internet security is different. We must …, from the angle of national security, information security and cultural security, actively respond to the challenges in internet security and … find a path of internet development with Chinese characteristics.”

At no point did Chen mention Google by name, but his comments have been seen as the first response to the American company’s public threat.

When Google began operating Google.cn in 2006 it had to agree to censorship of some online content in order to stay within the law. The company said it felt “the benefits of increased access to information for people in China and a more open internet, outweighed our discomfort in agreeing to censor some results”.

However, since the end of 2008, the government in China has taken a harder line with regard to content it deems to be either pornographic or harmful. Over time this has included thousands of blogs and websites, many of which level criticism at the government. Social networking sites such as YouTube, Facebook and Twitter have also been banned.