Google Asks For Help Curbing Secret Surveillance (via slashdot)
Despite reports that National Security Agency (NSA) analysts complained that tapping datacenter feeds belonging to Google and Yahoo left them overwhelmed with data, the number of demands Google receives for information on end-users continues to rise…
Taking a cue from Facebook, Twitter has finally rolled out the ability for users to log into their accounts through a public hot spot without fear of it being hijacked by a hacker.
Today, we’re taking an important step to make it easier to manage the security of your Twitter experience – we are adding a user setting that lets you always use HTTPS when accessing Twitter.com. Using HTTPS for your favorite Internet services is particularly important when using them over unsecured WiFi connections. (Official Twitter Blog)
Unless you want to be the latest victim of someone using Firesheep, then it is highly recommended that you switch over to secure logging as soon as possible.
You can activate the security feature by clicking on your username (in the top right hand corner), then selecting “Settings” and then scrolling down to the section that says “HTTPS only.”
Twitter oddly prompts you to re-enter your password to confirm this setting, although once initiated you will be able to simply log into twitter without manually adding HTTPS every time.
Twitter has updated their iOS app for secure logging, although the official Android and Windows Phone 7 apps have apparently not received this feature (so you might want to use a third party app that has until official ones receive an update).
According to Investor’s Business Daily, evil is sweeping social networks, moving beyond email and blogs to where you like to virtually hang out and congregate:
Security experts last week warned that a new strain of the Koobface virus is hitting Facebook, MySpace and other social networking sites. It looks for links and passwords to other social networking sites.
Social networking site owners work actively to put a lid on nefarious activity. On Tuesday, a federal judge in northern California issued a temporary restraining order against three people accused of widespread spamming and phishing attacks on Facebook. It comes three months after Facebook won a suit that prevents another group of spammers from using or accessing Facebook data and applications.
Virus creators are increasingly targeting social networking sites and other Web 2.0 technologies such as the micro-blogging site Twitter and instant messaging services from Google, AOL and others. Virus writers are also creating fake profiles of celebrities, real friends or business associates hoping people will link with them. Users can be tricked into linking to the fake profile, which can be loaded with various forms of malicious software.
The article by Brian Deagon showcased Facebook users who responded to an email from a “friend on Facebook” to visit a link that initiated a program that “rifled through his hard drive, installed malicious software and sent the same e-mail to all of Daradics’ friends on his Facebook profile.” [Read more…]
F-secure reports on security vulnerabilities with Adobe Reader and Foxit Reader for reading PDF files.
While this could be seen as another day-in-the-life update, the warning came with an interesting twist:
Do note that while we are recommending users move away from Adobe Reader, we are not recommending any particular replacement.
…Instead, we recommend users to find their own Adobe Reader replacement.
This way we get more heterogeneous userbase, which is a good idea security-wise. Nobody wants to repeat what happened with the great IE —> Firefox switch. As 40% of users switched to Firefox, about 40% of the attacks switched to target Firefox.
Monocultures are bad.
In the new world of online social, more and more people using the same tools, putting us all at risk as hackers and attackers move towards the natural migration of popularity. Monocultures are bad as they open the door to mass risks. [Read more…]
SecurityFocus reports an estimated 3.5 million computers have been compromised due to a “Downadup worm,” a malicious bot that spreads through websites and blogs.
The Downadup worm, a malicious program that spreads using a recently patched Windows flaw, has compromised more than 3.5 million computers, security firm F-Secure stated this week.
The Downadup worm has successfully spread because it uses a major flaw that Microsoft patched in October to remotely compromise computers running unpatched versions of the Windows operating system. However, the malicious program’s greatest strength appears to be a feature that allows worm-controlled computers to download malicious code from a random drop point.
The program generates addresses for 250 different domains each day. The botnet controller need only register one of the domains and set up a download server to update the bot program with different functionality, said Mikko Hyppönen, chief research officer at F-Secure.
“The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website, and they then gain access to all of the infected machines — pretty clever,” Hyppönen said in a blog post.
According to the report, the Downadup worm uses Windows XP’s vulnerability in processing remote procedure call (RPC) requests. While a patch was issued and warnings announced, not everyone has upgraded. The top countries hit by the MS08-067 Worms, as F-Secure calls them, are China, Brazil, and Russia, but it is expected to spread further unless server administrators and webmasters update and patch their Windows Servers and Windows programs immediately, including Internet Explorer.
ZD-Net Security Threats reports that the first sign of infection is usually found when users accounts cannot access their accounts and they are locked out of the Active Directory domain as the worm tries to crack passwords in Windows Servers.
Tracking the Downadup infection, F-Secure reported that reports of infections are up by more than one million within just one day, and growing. As last check, they estimate 3,521,230 infections worldwide. [Read more…]
As part of my research into blog scams, I ran across a new video by Consumer Reports WebWatch called “Look Before You Click”.
The WebWatch’s ‘Look Before You Click’ Campaign was created with a grant from the New York State Office of Attorney General and uses a cartoon animation and satrical musical verse to educate Internet users about Internet fraud that comes in through email, blogs, and websites. [Read more…]
Wired has the story of the latest major security hole on the internet, the routing protocol BGP:
Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.
The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet’s core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.
