Archive for May, 2009
Latest Facebook Phishers are Out for Profit
Identity thieves that hit Facebook last week with a new round of phishing attacks are harvesting passwords for profit, a security researcher said today.
“It’s not surprising that they’re targeting Facebook,” said Kevin Haley, a director on Symantec’s security response team. “Facebook has, what, 200 million-plus users? The bad guys always go where there’s a lot of people.”
The newest Facebook attacks resemble previous phishing rounds in their tactics: A compromised account sends a malicious link to friends. That link leads to a site that mimics the legitimate log-in page. But users duped into entering their usernames and passwords are likely giving away more than just their Facebook credentials, said Haley.
“Certainly this isn’t new,” he said, “but we think that what you’re seeing is an attempt to shake out every last dollar they can get.”
The criminals are operating on the assumption that the Facebook password they acquire from any given user has a good chance of being the same password that person uses on other sites, such as online shopping services or even bank accounts.
“Get one password for the right person and it’s like having their wallet handed over,” Symantec researcher Marian Merritt said on Friday in a post to Symantec’s security response blog.
Although Symantec has no statistics on the percentage of users who rely on just a single password for multiple online services or activities — Haley called the evidence “anecdotal” — it’s an assumption that both criminals and researchers make. “When you talk to users, that’s what they tell you they do,” he said.
Facebook has acknowledged the attack, and said it has reset passwords of compromised accounts and eliminated the phishing messages when it has found them.
“It’s not like this is some great new virus technology,” Haley said, noting that the newest attacks are unlike worm-based attempts to infect Facebook accounts with the Koobface worm. This is a straight con job. “Cons have been known from the beginning of time,” Haley continued. “But now we’re seeing them coming a little faster and more furious.”
The problem with social sites like Facebook is that they portray a certain level of trust — others are “friends,” after all, Haley added — and while users may be wary of clicking on links delivered via traditional e-mail, they haven’t yet made the same connection to social networking.
“People are very wary of e-mail [phishing attacks]. They’ve begun to catch on,” said Haley. “But they don’t have their antenna up when it comes to social networking.”
Symantec’s Merritt urged users to use more caution before clicking on links, to double-check the site’s URL and to use more, and more complex, passwords.
But Haley is pessimistic that the advice would sink in anytime soon. “It’s a progression,” he said, referring to the learning curve users go through before they realize they need to take care of their identities in a new online technology or type of service.
Even then, it’s a never-ending fight. “If there’s a way to figure out a new way to attack, the bad guys will do it,” Haley concluded.
National Archives Loss Adds to List of Govt. Data Goofs
The U.S. government says it’s lost — yes, lost — an entire hard drive full of sensitive data. The external drive, stored at the U.S. National Archives and Records Administration, held personal data from the Clinton era, including information about White House staff and visitors and electronic storage tapes from the Executive Office of the President.
Unfortunately, this isn’t the first flub-up we’ve seen when it comes to seemingly dumb data mistakes by major government agencies. In fact, there have been several winners since just last year. Here, then, are our top four government data blunders of recent months, starting with this week’s National Archives revelation.
4. The National Archives’ Hard Drive Disappearance
The National Archives’ hard drive contained an “as yet unknown” amount of data, the office says. Home addresses and Social Security numbers are believed to be a part of the information. Some reports even suggest personal details about one of Al Gore’s daughters could be included, as could details about Secret Service security procedures used during the Clinton years.
The thing’s apparently been missing since April, even though it was just announced today. Most flummoxing, though, is the fact that quoted officials say it may have been “accidentally misplaced.” Right — because a government hard drive with this type of data doesn’t deserve, I don’t know, maybe just an extra shred of caution when it comes to its handling.
Welcome to the list, National Archives.
3. The TSA’s Lost-Then-Found Fumble
The Transportation Security Administration: protectors of our skies; guard gates of our…well, gates. Surely, an agency charged with keeping airports safe would know a thing or two about security. Right?
Not necessarily. Time to rewind back to last summer, when the TSA announced one of its checkpoint laptops from the San Francisco airport was missing. The PC was used to control a “fast-pass” security prescreening program and held unencrypted personal info on 33,000 passengers.
The media was notified, a full investigation was launched, and the prescreening program was sent into partial lockdown. A week later, the TSA found the laptop — wait for it — in its own office. Top-notch.
The TSA also, by the way, lost an external hard drive with employee data in 2007 and “maybe” mailed about 1200 former workers’ Social Security numbers and birth dates to random people a year before that.
2. The U.S. Military’s eBay Embarrassment
MEMO: Do not sell old hard drives containing sensitive military information on eBay. *
* What a U.S. military contractor evidently forgot to send out.
Throw this one into the “how not to manage security” file: Just this month, security researchers announced they’d located launch procedures for a U.S. missile air defense system on a hard drive bought off eBay. The drive, reports indicated, had detailed information about a system used to shoot down missiles in Iraq, along with security policies, facility blueprints, and the always popular list of employee Social Security numbers.
The drive has been tied to Lockheed Martin, which developed the aforementioned defense system. In its defense, though, other drives bought off eBay in the same sweep were found to contain medical records, business plans, and detailed information about bank accounts, among other things. So at least it has some company in the “d’oh!” department.
1. The U.K.’s Vanishing Disks. And Hard Drives. And Memory Sticks. And Computers.
Impressive as those feats are, there’s little question the U.K. takes the cake when it comes to dumb data mistakes over the past months. The nation’s top government number crunchers probably can’t even keep count of stupid slip-ups that have plagued various agencies. There were the lost laptops (45,000 citizens’ information exposed; 30,000 of them never notified), the lost CDs (3,000 workers’ data disappeared; information all unencrypted), the lost drivers’ data (3 million Department of Transport files misplaced), the lost military laptop (620,000 recruits’ info exposed), and the lost prison system memory stick (84,000 prisoners’ information set free). And that’s just the tip of the idiotic iceberg.
The BBC estimates the U.K. government fumbled about 4 million people’s personal information within a single year, from mid-2007 to mid-2008. It’s not just the small stuff, either: The government apparently was losing computers at a rate of one PC per week for a while, too, some analyses suggested.
Windows 7 Prices May Be Announced in Mid-June
Microsoft will unveil pricing for Windows 7 in a few weeks, a Web site that has accurately predicted past company moves said today.
TechARP.com, a Malaysian Web site that correctly named the ship date of Internet Explorer 8 earlier this year and leaked details of an upcoming free Windows 7 upgrade program for users who buy Vista PCs after July 1, said that Microsoft will publicly announce prices for Windows 7 in mid-June.
Although Microsoft has detailed the Windows 7 versions it will ship later this year, it has not set prices or a launch date for Vista’s successor.
A report last week by CNET cited a Dell product director as saying that the average price of Windows 7 would be higher than Vista, but did not go into specifics. “In tough economic times, I think it’s naive to believe that you can increase your prices on average and then still see a stronger swell than if you held prices flat or even lowered them,” Darrel Ward, director of product management for Dell’s business client product group, told CNET. “I can tell you that the licensing tiers at retail are more expensive than they were for Vista.”
According to TechARP, Microsoft set Windows 7 pricing for computer makers such as Dell several weeks ago. By now, Microsoft has also informed major retailers of the Windows 7 prices.
One analyst didn’t have any idea what Microsoft will charge for Windows 7, but was sure of one thing: Continuing economic problems put a very big monkey wrench in Microsoft’s plans. “It’s such a strange time that it’s hard to even speculate on prices,” said Michael Cherry, an analyst with Directions on Microsoft. “Everything has such a different feel to it because of the economic climate.”
In a way, Cherry said, he feels sorry for Microsoft. “Unfortunately, just when they’ve finally gotten a good Windows product, a lot of consumers and businesses are sitting on their wallets,” he said.
What Microsoft may face, Cherry said, is apathy, no matter how many of the problems posed by Vista are solved by Windows 7. “When companies finish their evaluation of Windows 7, and decide that it’s technically feasible, then it has to go into the hopper with all the rest of the IT projects, where it has to be balanced against all the things that IT has to do.”
During tough times, when IT is being asked to do more with less, and consumers are holding on to their money, Cherry thinks it’s likely that a new operating system, especially one like Windows 7 that is essentially a stability and performance upgrade from Vista, will get shoved down, or even off, buyers’ to-do lists.
TechARP also claimed that Microsoft will be taking stock today with its biggest PC partners to find out whether they’re ready for the public launch of Windows 7. “It is expected that Microsoft will finalize [its] launch plans after these discussions,” the site said.
While Microsoft has only said that it will have Windows 7 ready in time for the 2009 holiday selling season, comparisons with launches of Windows XP and Vista put public availability at somewhere between October 11 and Nov. 4.
Cancel Your Cable, Watch TV on an Xbox
Forget all the yammering about the forced digital upgrade on June 12: After years of gripping a wretched remote and looking at lousy menus, I’m Comcastrating my cable service. Or, at least, I’m seriously considering doing so. After test-driving one $40 app for a couple of weeks, I’m ready to chuck that crummy cable box into the trash and forget about the digital-upgrade scheme. This is the story of PlayOn, the software that could ruin everything for cable providers–if the bugs are ever ironed out.
Imagine a software package that can stream just about any show to your Xbox 360, PlayStation 3, or, soon, Wii. Netflix? No problem. Major-network TV shows? Yep. Obscure stuff from Adult Swim? You name it, you can watch it. All you need is a PC and an Internet connection in the same house.
A little explanation: For years I had a pretty sweet setup. I crafted a media center PC, loaded with digital tuners, that serves as the hub in my house. It records all my shows, and it spits out whatever I want to watch over my home network to my Xboxes. Simple, clean, effective.
But over the past few months, I’ve found myself watching more of my shows online–be it on Hulu.com or countless other online sites (the legit ones, of course). I’ve already been weaning myself off of conventional TV viewing. But how do I clear the last hurdle–getting shows from that wacky Internet to a TV in my house–without piling on additional costs or ludicrous cable service charges?
That’s when I decided to give PlayOn a try. This software was in beta until late 2008, but it’s now live–and with enough kinks worked out, it’s at least worth the free 14-day trial download. First, the hardware check. Do you have:
Windows XP or Vista?
A 3.2GHz or better Pentium 4, a 2.0GHz or better Pentium M, or any multicore x86 processor?
512MB RAM?
4GB to 5GB of space on the same hard drive where Windows is installed?
Hey, I think that describes a spare laptop I bought two years ago!