Posts Tagged: twitter


27
Oct 10

Firesheep: Baaaaad News for the Unwary

“Firesheep,” a new add-on for Firefox that makes it easier to hijack e-mail and social networking accounts of others who are on the same wired or wireless network, has been getting some rather breathless coverage by the news media, some of whom have characterized this a new threat. In reality, this tool is more of a welcome reminder of some basic but effective steps that Internet users should take to protect their personal information while using public networks.

Most online services use secure sockets layer (SSL) encryption to scramble the initial login — as indicated by the presence of “https://” instead of “http://” in the address field when the user submits his or her user name and password. But with many sites like Twitter and Facebook, subsequent data exchanges between the user and the site are sent unencrypted and in plain text, potentially exposing that information to anyone else on the network who is running a simple Web traffic snooping program.

Why should we care if post-login data is sent in unencrypted plain text? Most Web-based services use “cookies,” usually small, text-based files placed on the user’s computer, to signify that the user has logged in successfully and that he or she will not be asked to log in again for a specified period of time, usually a few days to a few weeks (although some cookies can be valid indefinitely).

The trouble is that the contents of these cookies frequently are sent unencrypted to and from the user’s computer after the user has logged in. That means that an attacker sniffing Web traffic on the local network can intercept those cookies and re-use them in his own Web browser to post unauthorized Tweets or Facebook entries in that user’s name, for example. This attack could also be used to gain access to someone’s e-mail inbox.

Enter Firesheep, a Firefox add-on released this past weekend at the Toorcon hacker conference in San Diego. Eric Butler, the security researcher who co-authored the tool, explains some of the backstory and why he and a fellow researcher decided to release it:

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new ‘privacy’ features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?”

In his blog post about Firesheep, I believe Butler somewhat overstates the threat posed by this add-on when he says: “After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big ‘Start Capturing’ button. Then wait.”

Continue reading →


9
Jun 10

ZeuS Trojan Attack Spoofs IRS, Twitter, Youtube

Criminals have launched an major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos.

According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack appears to be an extension of a broad malware spam campaign that began at the end of May.

The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement.

All of the latest e-mails use a variety of URL shortening services. For example, this shortened link (currently live and dangerous, and therefore neutered here)…

Continue reading →


20
Mar 10

Bad BitDefender Antivirus Update Hobbles Windows PCs

A faulty update  is being blamed for incapacitating an untold number of Microsoft Windows systems running anti-virus software from BitDefender.

BitDefender says the problem occurred Saturday morning with a faulty update for 64-bit Windows systems that  caused multiple Windows and BitDefender files to be quarantined. The bad update causes the anti-virus program to flag thousands of legitimate Windows and BitDefender program files as a threat called “”FakeAlert.5″.

The Romanian software firm  said the glitchy update has been removed and that the company is working on a fix for the problem.  BitDefender’s user forum has lit up with complaints from customers, and the company appears to be fielding quite a number of inquiries on the problem via its Twitter page.

“We are creating a patch that will restore all quarantined files,” the company said in a statement on its site. “The patch will be available shortly. We apologize for this error and we will work to prevent this from occurring again in the future.”

BitDefender has posted partial recovery instructions for users who are having trouble booting up Windows after this bad update, although several apparent users commenting on the company’s Twitter feed indicated they were still unable to boot after following the instructions.

Meanwhile, Bitdefender representatives on Twitter are warning users that malware writers already are taking advantage of the situation, and urging users to download the fix — whenever it is made available — only from BitDefender’s Web site.


15
Jan 10

Would You Have Spotted the Fraud?

Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.

This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

Continue reading →


14
Jan 10

FBI: Beware Haitian Quake Relief Scams

The earthquakes that have wrought so much devastation and death in Haiti this week are moving many to donate to various relief efforts. But security experts and the FBI are warning people to be on the lookout for ghoulish criminals scams that invariably spring up in the wake of such natural disasters in a bid to siphon funds from charitable organizations.

Continue reading →