Category: Privacy-Security

How to download photos from Facebook at once, albums and all

I managed to get an invitation to Google+ before overcrowding forced Google to put the velvet ropes back up soon after. In my quest to share photos on the new social network, I wanted an easy way to import my existing Facebook photos without pressing Right Click > Save As for hours. Thankfully, someone I follow on Google+ already had the same thought and found a solution.

Pick & Zip is a simple backup tool that downloads pictures from Facebook without the hassle of having to download photos individually. And it’s useful for more than just exporting the photos to another network like I have. What if you need to download Facebook photos for offline storage and viewing, or creating a slideshow for a party? Pick & Zip lets users do that by downloading a few photos, an entire album, or their entire collection, and archives it into a Zip file.

Anyone who has used Facebook also knows that many photos of you stored on the website were posted by friends and family. Pick & Zip takes care of those photos as well. Users can start mass downloads of Facebook photos in which they are tagged or entire albums from their friends.

UPDATE: Looking for a more direct approach? There’s a clever app called Move2Picasa that will do exactly what the name implies. The user just needs to authorize a Facebook account by visiting and then wait as the app begins downloading and uploading your albums to Picasa.

There’s no way to select which albums to transfer because Move2Picasa grabs the entire photo library, so you could be there for a while. You will also have a long wait for the process to start because it was featured on TechCrunch and was bombarded with requests, so there’s a rather long line.

Here’s how to do it with Pick & Zip.

  1. Visit and authorize the app through Facebook Connect. (You’ll need to give it permission in order for things to work.)
  2. To download your photos, click “Find My Photos” and click on the “Albums” section.
  3. Hover over the desired album and click the down arrow icon that looks like this.
  4. Click ZIP to download all photos stored in that album.
  5. Then extract that file to have all the photos stored on your computer.

To download only certain photos, click on the album and then click on each image that you wish to save. Once you’ve selected your image(s), press the download button above and click “Download my Selection” on the following page.

To download all Tagged photos, click on the “Tagged” tab and press the “Select All” button. Be sure to uncheck those photos that your oversharing friends tagged you in even though you don’t actually appear in them.

To download a Friends, Groups, or Pages photo, click on the tab on the left and follow the same instructions laid out in the previous explanations.

Now you’ve got an easy path to grab all the photos that you need. And if you’re not comfortable with the app continuing to have access to your information, it’s easy to remove the link between Facebook and Pick & Zip. Visit the Pick&Zip Facebook page and click “Remove” from the bottom left corner.

Thanks, Jake!


Hackers can crack your password in 10 minutes

Is this guy hacking your password? (c) Getty Images

It certainly makes for a good headline doesn’t it?

Even though that’s not what Business Week used as the lead for their article about password security last month, it might as well have been.

The article lists off a bunch of password combinations including length (from 6 to 9 characters) and complexity (with or without upper/lower case and with or without special characters) and then gave the approximate times it would take a dedicated hacker to crack those passwords.

The first combination, 6 all-lowercase characters with no numbers, change of case or special characters, can supposedly be guessed in as little as 10 minutes. That claim is designed to scare you as well it should.

The last combination, 9 mixed-case characters with numbers and special characters will take a mind-blowing 44,530 years to crack.

Okay then, case closed right? Everyone just needs to use this combination for their password – or even the slightly less secure 8 character version which will still take 463 years to break – and the hackers will be out of business and we’ll all sleep peacefully knowing our precious Facebook status updates can’t be hijacked by some jerk.

While I would love it if things were that simple, I was skeptical after reading the article and decided to reach out to a security expert for a quick sanity check.

Marc Fossi, Executive Editor, Internet Security Threat Report over at Symantec spoke to me by phone and helped shed some light on the whole password security issue.

The bottom line for Fossi?  “There’s no single silver bullet for security.”

“Security is a process,” he says and by that he means that if you’re taking comfort in the fact that you have one of those 44,530 year passwords, you should be thinking bigger-picture.

The fact is, most successful password hacks aren’t hacks at all. They’re the result of malware infecting your computer through a variety of means – perhaps you opened an infected email attachment, or loaded a file off a USB key that had been previously altered, or you grabbed a BitTorrent file that had been seeded as a honey-pot. The list, sadly, is long and varied. However it happens, it’s this virus sitting silently inside your PC that is the real thief and threat. It can track every keystroke you make on your keyboard and hand-deliver it to the waiting hacker who simply has to read through the resulting text to find exactly what s/he’s looking for.

And thanks to our own lazy habit of password re-use, which Fossi flags as a serious problem, that one password may be the only one the hacker needs to gain access to your financial institution(s), email or corporate intranet.

Suddenly that crazy 9 character string of nonsense doesn’t seem so safe does it?

In case you haven’t already guessed, and there really should be no surprise here – Fossi suggests using a security product such as Symantec’s Norton 360. There are other options as well ranging from the free AVG and Avast! to monthly paid options from your ISP.

But even the combination of strong passwords and a comprehensive security suite can’t provide 100% protection. Especially in our wireless world of Wi-Fi. Unlike with many password-protected websites which often limit the number of incorrect login attempts, thus keeping the brute-force method somewhat at bay, there is no such protection on most home Wi-Fi routers, leaving them open to a hacker in a car with a powerful laptop. Fossi notes that even the outrageously long times cited in the Business Week article could be cut in half or much more with today’s modern quad-core processors. Worse yet, if the hacker has access to a network of cloud-based computers, the total number of CPUs that could be brought to bear on the cracking of your password could number in the hundreds. The article simply doesn’t say what machinery was used to come up with those numbers.
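As an added illustration (not taken from the Business Week article or from this post), the sketch below backs out the guess rate implied by the 10-minute figure for six lowercase letters, applies it to longer and more complex passwords, and divides by a worker count to show Fossi's point about multi-core and cloud hardware. The 94-character printable-ASCII pool, worst-case exhaustive search and perfectly linear scaling across workers are assumptions.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password):
    """Size of the smallest standard character pool covering the password."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(pool) for pool in pools
               if any(ch in pool for ch in password))

def keyspace(length, pool):
    """Number of candidates an exhaustive search covers in the worst case."""
    return pool ** length

def implied_rate(length=6, pool=26, seconds=600):
    """Guesses per second implied by '6 lowercase letters in 10 minutes'."""
    return keyspace(length, pool) / seconds

def worst_case_years(length, pool, rate, workers=1):
    """Years to exhaust the keyspace when `workers` machines split the work."""
    return keyspace(length, pool) / (rate * workers) / SECONDS_PER_YEAR

def report():
    """Rows of (length, workers, years) for the full mixed-character pool."""
    rate = implied_rate()
    full = charset_size("HcYpT0T#")  # the pass-phrase example from this post
    rows = []
    for length in (6, 7, 8, 9):
        for workers in (1, 4, 100):  # one CPU, quad-core, small cloud pool
            years = worst_case_years(length, full, rate, workers)
            rows.append((length, workers, years))
    return rows

if __name__ == "__main__":
    print(f"implied rate: {implied_rate():,.0f} guesses/second")
    for length, workers, years in report():
        print(f"{length} chars, {workers:>3} worker(s): {years:,.2f} years")
```

At the implied rate, the 8- and 9-character results come out in the same order of magnitude as the 463-year and 44,530-year figures quoted above, and every extra worker divides them further.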

So while there may not be a “silver bullet”, there are still some best practices when it comes to keeping your data from prying eyes:

– Definitely use a “strong” password of at least 8 mixed-case letters with numbers and special characters. It may not provide complete protection but it is far better than a simpler password.

– Having trouble remembering that combination? Use what Fossi calls a “pass-phrase” instead of a password: Take the first letters from the words in an eight-word phrase that is easy for you to remember, for instance “Honey Can You Please Take Out The Trash” and convert it into: HcYpT0T#  (note the “O” from “Out” is now a zero and “Trash” has become the # sign).

– Use anti-virus software, keep it up to date, and make sure you scan ALL files and attachments

– If you have Wi-Fi at home, make sure to use WPA2 as the security protocol – it is FAR more secure than the older WEP and WPA protocols

– Change your passwords regularly. Even if a hacker manages to get one of your passwords, it may be days, weeks or months before they get around to trying it – hey they deal in volume after all – by that time you will have moved on and they’ll be locked out.

Readers, do you have any suggestions to add to this list?

Stuxnet removal tool is malware too

W32 Stuxnet is a virus that first appeared earlier this year and has gained a fair share of infamy and media attention for its alleged attacks on industrial installations, the most publicized being a nuclear power plant in Iran.

The virus works by first infecting a computer running the Windows operating system. Programmers in commercial environments – say an assembly line – use these computers to upload code to devices known as Programmable Logic Controllers or PLCs. The problem comes when the Stuxnet virus hijacks this uploaded code and from then on resides in the PLC itself where it can alter the function of these devices.

Unfortunately, we’re not talking about a robot making incorrect welds on a Ford F-150, though that would be bad. Much worse is the theoretical threat that Symantec has outlined in one of their blogs about Stuxnet. They detail an event that took place when malicious code infected the PLC governing the operation of a pipeline:

Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline’s pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.

Though this incident was not caused by Stuxnet, Symantec is pointing out the way in which it could be used, which is why Stuxnet has been labeled by some as the first “cyber super weapon“.

Needless to say, there are a lot of panicky people out there who are anxious to rid themselves of this virus, even if they aren’t in the business of programming PLCs. But Symantec has a warning for anyone out there looking for a quick fix: the cure may be worse than the virus.

Apparently there is a tool circulating the web right now – mainly in forums that discuss the Stuxnet virus –  that promises to get rid of Stuxnet for you, and even claims to be from Microsoft. Neither could be further from the truth.

Well, almost. The supposedly helpful “tool” will rid your PC of Stuxnet if you have it, but it doesn’t discriminate one type of file from another and within a few minutes of running the program, your entire C drive is wiped clean. Stuxnet is gone. And so is everything else.

Typically Microsoft does not issue removal tools for individual security threats like Stuxnet, instead relying on a single Malicious Software Removal Tool, which is updated regularly to identify and remove a whole list of nasty bugs, including Stuxnet.

If you think you are already infected, running this tool should take care of it for you. If you haven’t been infected, but are concerned that you might be vulnerable, here are some suggestions:

  • Install and then regularly update an anti-virus tool such as Norton, Bell Internet Security or the freely available AVG.
  • Turn on Microsoft Windows Update and make sure you install all recommended updates. The most recent update, released on Tuesday, fixes the hole in Windows that allows Stuxnet to do its damage.
  • Surf with caution: Avoid links in emails from people you don’t know. Be wary when using file sharing services. Never open attachments that you weren’t expecting.

Experts warn of Oscars-related phishing threats

This weekend’s Academy Awards ceremony promises to end weeks of speculation surrounding which of the nominated films will walk away with Hollywood’s most coveted prize.

But be warned, as you watch the evening unfold on TV as well as online, there are plenty of party-poopers out there who will be trying to spoil your evening – and we don’t mean by giving away the ending.

According to Symantec, the creators of the Norton family of security products, plenty of malicious websites have already been created and are appearing in the search results related to potential Oscar-winners.

How bad is it? Symantec claims “Out of the top 100 search results related to the Oscar nomination announcements, more than 42% contained potentially malicious content.”

That’s a lot of risky sites!

But it seems that the cybercriminals have been deliberate in their choice of which actors and films to use as bait for unsuspecting web-surfers. Of all the Oscar-related searches, it turns out that George Clooney has the most malicious results of any nominated actor, Meryl Streep of any nominated actress and the movie “Nine” of any nominated movies.

While the choices of Clooney and Streep aren’t surprising as they appear to be the front-runners in their respective categories, “Nine” is a more curious choice given that the big contest amongst movies is between James Cameron’s “Avatar” and his ex-wife Kathryn Bigelow’s “The Hurt Locker.”

Whatever the motivation, suffice it to say you should use care when checking out sites that claim to have the latest information on these and other Oscar topics.

An up-to-date security package might not be a bad idea either :-)