November 30th, 2007
Facebook has had to change its tune regarding the “Beacon” application.
Unless instructed otherwise, the participating sites alerted Facebook, which then notified a user’s friends within the social network about items that had been bought or products that had been reviewed.
So, if you bought someone a gift on Overstock or Blockbuster, that information was posted to your Facebook news feed, giving away the secret. Oops.
This kind of tracking technology becomes interesting when you take into account things like the Feds subpoenaing Amazon.com for purchase histories. While Amazon and other online bookstores, libraries, etc. may work hard to protect your privacy and First Amendment rights, a few website cookies and a financial incentive can quickly cause your privacy to disappear.
Posted in privacy by Peter Hesse | 1 Comment »
November 29th, 2007
Um, botnets have been an existing problem for some time now. According to the FBI press release, here’s what you can do to protect yourself.
Make sure your anti-virus software is up to date, install a firewall, use complicated passwords and be careful opening e-mail attachments and advertisers’ links on Web sites, the bureau advised.
Sentences like that are exactly the reason the public is confused. Use complicated passwords for what? Protections need to be built into the system.
Posted in rants by Anil Polat | No Comments »
November 27th, 2007
Some in the pharma industry have begun to outsource the testing phase of drug research to third-party companies.
With an approaching U.S. presidential election in which health care will be a major issue, the drug makers are clearly in the political cross-hairs.
What this may mean for security, in the short term, is budget cuts. Cutting security shows up in the bottom line immediately, but eventually ends up costing more in the long term.
Posted in rants by Anil Polat | No Comments »
November 25th, 2007
Just rereading this article over at SecurityFocus and wondering…
An American computer security consultant on Friday admitted to using massive botnets to illegally install software on at least 250,000 machines and steal the online banking identities of Windows users by eavesdropping on them while they made financial transactions.
Out of those 250K machines, how many are not home user machines? I’m guessing a larger number than anyone expects. Having worked my in-laws through a few malware infestations personally, I can tell you that the stuff is insidious. Virus scanners can’t detect it, or are disabled by it. Out of 4 spyware scanners I tried, only a combination of a few of them were able to find and remove it.
Are you running an outbound firewall? Is every computer in your enterprise? Are you being alerted when random connections to IRC channels are made, or when HTTPS websites are being contacted while your web browser is closed? If not, yours may be one of those 250,000 machines.
Posted in rants by Peter Hesse | 1 Comment »
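The two symptoms the post asks about (outbound IRC connections, and HTTPS connections made by something other than the browser) can be checked mechanically from a host connection log. This is an added example, not code from the post; the log format, the process names and the browser list are assumptions, and the log lines are constructed.

```python
# Added example: flag the two botnet symptoms the post asks about in a host
# connection log. Format "<timestamp> <process> <dst_ip>:<dst_port>" is assumed.
from collections import namedtuple

IRC_PORTS = {6667, 6697}                                  # plain and TLS IRC
BROWSERS = {"firefox.exe", "iexplore.exe", "opera.exe"}   # assumed allow-list

Conn = namedtuple("Conn", "ts process dst_ip dst_port")

def parse(line):
    """Turn one constructed log line into a Conn record."""
    ts, proc, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return Conn(ts, proc.lower(), ip, int(port))

def alerts(lines):
    """Return (rule, Conn) pairs: any IRC connection, and any HTTPS
    connection whose originating process is not a known browser, which is
    the practical way to catch 'HTTPS while the browser is closed'."""
    found = []
    for line in lines:
        c = parse(line)
        if c.dst_port in IRC_PORTS:
            found.append(("irc-outbound", c))
        elif c.dst_port == 443 and c.process not in BROWSERS:
            found.append(("https-from-non-browser", c))
    return found

# Constructed sample log (RFC 5737 documentation addresses, made-up processes).
SAMPLE_LOG = [
    "2007-11-25T10:00:01 firefox.exe 203.0.113.10:443",
    "2007-11-25T10:00:05 svchost.exe 198.51.100.7:6667",
    "2007-11-25T10:00:09 outlook.exe 203.0.113.25:25",
    "2007-11-25T10:01:30 updater.exe 198.51.100.9:443",
]

def demo():
    """Summarise the alerts raised on the sample log."""
    return [(rule, c.process, c.dst_port) for rule, c in alerts(SAMPLE_LOG)]
```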
November 21st, 2007
The pharmaceutical industry is set to grow by 37.5% next year in India. So, what can companies do to conduct business securely with international clients and partners?
- The technology to transmit data, emails, and other information using strong encryption protocols and methods already exists. Invest in security professionals who understand the technology to get you started. Don’t be fooled into thinking you’ll have to reinvent the wheel.
- Setting up a connection with a foreign country is not unlike doing business with another city in your own country. If they’ll be handling your information, make sure that you know how that data is being protected. Have a professional do a security assessment of any international facilities that work with your data.
- The most difficult part, and the potential weak link, is the people. In general, it’s hard to get people to take security seriously, especially if their own laws are not as stringent. After you leave, you’ll need to make sure that the technology forces employees to select strong passwords, use their hardware tokens, and do whatever else is required to follow your internal policies.
I’d like to add, don’t fall into the trap of believing that your own country (whichever one it may be) has superior technology or security practices. Keep in mind that you’ll have a whole host of health care and multiple government regulations to worry about as well.
Posted in general by Anil Polat | No Comments »
November 20th, 2007
Currently, doctors’ offices store patient information in whatever method suits them. For most of us, the process is seamless; we don’t really care. That is, until we switch doctors’ offices.
Bill Gates is proposing standardizing patient information and making it available across the Internet. The aim is to allow each doctor’s office to communicate patient information with each other, and give patients easier access to their own medical records.
We envision a comprehensive, Internet-based system that enables health-care providers to automatically deliver personal health data to each patient in a form they can understand and use. We also believe that people should have control over who they share this information with. This will help ensure that their privacy is protected and their care providers have everything they need to make fully-informed diagnoses and treatment decisions.
Any such system must make use of strong authentication methods at the offices – and I’m sure they will be. Auditing and logging can mitigate the problems posed by people sharing credentials (which is bound to happen). But what about patients accessing information online?
Just think about how PayPal accounts are authenticated: with a username/password combination. (Sure, they offer hardware tokens, but only security/computer savvy people use them.) If that’s how companies, banks, and retailers treat our money, what hope do we have for personal medical information?
Since any system like this is still in the imaginary stage, there are many possibilities. The technology is there, the concerns are there, what needs to happen next?
Posted in privacy by Anil Polat | No Comments »
November 18th, 2007
Wired is running an article by Bruce Schneier discussing the fact that the Dual_EC_DRBG (dual elliptic curve deterministic random bit generator) was shown at the Crypto 2007 conference to have a potential backdoor. Basically, there can exist a second, secret set of numbers tied to the published elliptic curve constants, and anyone holding them can strip the randomness out of the generator’s output.
Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC_DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants — and has the secret numbers. We don’t know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.
I do know that the NSA has been pushing Suite B cryptography pretty hard, which includes elliptic curve cryptography and, as an extension, the core of the Dual_EC_DRBG function. It’s also pretty common knowledge that ECC has been championed by the NSA for a while. Even if it is totally innocent, it still looks bad.
Posted in general by Peter Hesse | No Comments »
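To see what “secret numbers that break Dual_EC_DRBG” means in practice, here is an added toy model of the generator on a tiny curve; it is not NIST’s curve, constants or code, and the parameters (p = 23, the base point Q, the trapdoor e) are made up for the demonstration. The generator publishes two points P and Q; if someone chose P = e·Q and kept e, one output r (the x-coordinate of s·Q) lets them compute the next internal state s′ = x(s·P) = x(e·(s·Q)), and from there every later output. Real Dual_EC_DRBG truncates a few top bits of each output, which only adds a small brute-force step; the toy keeps the full x-coordinate for clarity.

```python
# Added toy model of the Dual_EC_DRBG trapdoor on a made-up curve (not NIST's).
p, a, b = 23, 1, 1          # y^2 = x^3 + x + 1 over F_23, a 28-point toy group
Q = (0, 1)                  # published base point
e = 3                       # the trapdoor: whoever knows e can predict outputs

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

P = mul(e, Q)               # the second published constant, secretly P = e*Q

def x(A):
    if A is None: raise ValueError("hit the point at infinity (toy curve)")
    return A[0]

def dual_ec_step(s):
    """One round: (next state, output) = (x(s*P), x(s*Q)); no truncation here."""
    return x(mul(s, P)), x(mul(s, Q))

def recover_next_state(r):
    """Holder of e: lift output r to a curve point, multiply by e, read x."""
    v = (r ** 3 + a * r + b) % p
    y = pow(v, (p + 1) // 4, p)           # square root, valid since p % 4 == 3
    if y * y % p != v: raise ValueError("output is not an x-coordinate")
    return x(mul(e, (r, y)))              # sign of y is irrelevant: x(-T) == x(T)

def demo():
    """Recover the state after one output and predict the following output."""
    s1, r0 = dual_ec_step(5)              # honest generator, initial state 5
    s2, r1 = dual_ec_step(s1)
    guess = recover_next_state(r0)        # attacker sees only r0
    return guess == s1, x(mul(guess, Q)) == r1
```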
November 12th, 2007
Tor is a way to browse the web anonymously. However, it seems that a number of individuals have confused anonymous with secure.
This article from Australia’s The Age describes how Dan Egerstad used Tor against its users.
The question on everybody’s lips was: how did he do it? The answer came more than a week later and was somewhat anti-climactic. The 22-year-old Swedish security consultant had merely installed free, open-source software – called Tor – on five computers in data centres around the globe and monitored it.
Posted in privacy by Peter Hesse | 1 Comment »
November 9th, 2007
A buffer overflow has been found in Oracle 10g and a patch won’t be released until mid-January.
An attack requires authentication to the database, but assuming that, a successful exploit could execute code remotely. Proof-of-concept exploit code was posted on the Internet last Friday.
Until the patch arrives, the best defense against this attack is tight network controls, plus monitoring database logs for unusual activity and logins.
Posted in software by Anil Polat | No Comments »
November 5th, 2007
NIST has finally issued notice of a competition for a secure hash replacement to be designated SHA-3. This is similar to the process that NIST followed for AES. This is required because SHA-1 has some serious warts.
NIST has opened a public competition to develop a new cryptographic hash algorithm, which converts a variable length message into a short “message digest” that can be used for digital signatures, message authentication and other applications. The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” and will augment the hash algorithms currently specified in FIPS 180-2, Secure Hash Standard.
So, cryptographers, this is your call to action. Responses are due by October 31, 2008.
Posted in general by Peter Hesse | No Comments »