Tech highlights from December 2009
Twitter hack claimed by Iranian group
The hack that occurred on Twitter itself is significant beyond any wider political motives. It shows that what is the world’s fastest growing communication network is rather insecure.
Being able to change the DNS records of a website means that rather than simply redirecting users to a vanity page identifying the hack, hackers could actually have redirected people to a site that looked rather like Twitter itself.
In a similar way to phishing attacks that mimic online bank accounts, the hackers could have encouraged users to log in, thus revealing usernames and passwords.
Expert Rik Ferguson of Trend Micro told me: “One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site.” –channel4news
Twitter: @channel4news | @rik_ferguson
Web-Based Worms: How XSS Is Paving the Way for Future Malware
I first became aware of cross-site scripting (XSS) nearly a decade ago. At the time, despite being an all too prevalent bug in Web applications, the risk posed by the flaw was of limited value. It was the go-to vulnerability for any pen tester that was having trouble digging up a meaningful vulnerability to add to his audit report.
That has all changed now. Today, XSS represents a meaningful threat — a threat that is not only leveraged by attackers to harvest authentication credentials, but also is enabling a new generation of malware in the form of Web-based worms.
Depending upon whom you listen to, the statistics may be different, but virtually all agree that XSS remains the most prevalent Web application vulnerability that we face today. –TechNewsWorld
@technewsworld on Twitter
Cisco gives Zeus, Koobface and Conficker awards
Zeus is the most audacious criminal operation of the year and Koobface the most notable criminal innovation, according to Cisco’s Annual 2009 Security Report. On a positive note, the cybercrime sign of hope award goes to the Conficker Working Group.
Cisco Systems Inc. presented its first-ever Cybercrime Showcase awards as part of its 2009 Annual Security Report, released Tuesday.
Zeus: the most audacious criminal operation – Designed for information stealing and specializing in online banking fraud, Zeus is a shrink-wrapped piece of malware that any criminal is able to buy, explained Henry Stern, senior security researcher at Cisco. Some vendors are selling it as a service for about $700 a month, he said.
Koobface: the most notable criminal innovation – Koobface is a piece of malware that takes over a user’s social networking account, explained Stern. “As soon as you get infected, it will send messages to all of your friends and it will try to lure them into becoming infected as well,” he said. –ITWorldCanada
@itworldca on Twitter
New Facebook Privacy Settings Under Fire
Facebook is making major changes to its privacy settings, giving you the opportunity to share your personal information with “everyone” on the Internet. But is that wise?
Facebook’s huge user base is signing onto their favorite social network today, and viewing an important message.
They’re being encouraged to review their privacy settings, as Facebook effectively encourages its 350 million users to share more information with everybody on the Internet.
The worry is, of course, that Facebook’s recommendations may be in the best interests of Facebook — but they may not necessarily be in the best interests of all of its users. –DarkReading
Twitter: @DarkReading | @Gcluley
Until next time — Stay safe online!

3 Comments
Regarding the Twitter hack via DNS records change: Is there more information on *how* they were changed? That is, did the hackers manage to log in to Twitter’s registrar account and modify the name servers there? Otherwise, did they come up with a way to bypass the registrar’s records?
“did the hackers manage to log in to Twitter’s registrar account and modify the name servers there? Otherwise, did they come up with a way to bypass the registrar’s records?”
No. They used a valid Twitter account with the correct login and password credentials. That would suggest to me that Twitter employees need to look over the security of their workstations/wireless/network etc…
That’s very interesting and might also suggest some work of so-called “social engineering”.