AP Twitter Account Hacked: Underlines Need for Security

The Associated Press Twitter account was hacked yesterday with a false report involving explosions at the White House. The account was quickly suspended, but not before the news had been retweeted thousands of times, resulting in a temporary yet sharp drop in the Dow and news outfits clamoring to ascertain details. Although the account is active again, the news agency has nearly 2 million less followers, which Twitter explains could take up to 24 hours to repair. Continue reading AP Twitter Account Hacked: Underlines Need for Security

China Denies Cyberattack Allegations from Mandiant Report

After U.S. computer-security firm Mandiant Corp. accused China of stealing large swaths of data from U.S. companies, China flatly denied the accusation. In a 74-page report, the firm claims a group attached to China’s People’s Liberation Army stole data from 141 companies since 2006, 115 of which were in the U.S., spanning industries like information technology, telecommunications, aerospace and energy. Continue reading China Denies Cyberattack Allegations from Mandiant Report

Malware Shift: Android Overtakes Windows as Top Security Threat

  • In the 2013 Security Threat Report from security firm Sophos, it’s been revealed that Android is now the top market for hackers, beating out previous frontrunner Microsoft’s Windows OS.
  • “The security firm found that during a three-month period this year, 10 percent of Android-based devices experienced some form of malware attack. Just 6 percent of Windows PCs, meanwhile, were hit by an attack,” according to Technology Review.
  • Cybercriminals understand more than ever that the technological future is in mobile, making this an issue of high concern considering over 100 million Android devices shipped worldwide in the second quarter of 2012, notes the report.
  • Because Android is fairly new, especially when compared to Windows OS, users are not yet conditioned to security concerns and will click on links or open unknown apps.
  • “To make matters worse, the anti-malware tools available in the Android ecosystem just aren’t as strong as they could be,” explains the article. “Security firms are behind the times a bit. And until they catch up, we’re all at risk.”
  • According to the Saphos report, in order to stay safe, users should only surf the Web to known sites and should not download anything that could be dangerous.

Surveillance Catalog: Government Uses New Monitoring Techniques

  • Take a look at the toolkit for governments to legally monitor what people are doing on the Web. It’s an impressive catalog that includes hacking, intercept, data analysis, Web scraping and anonymity products. It makes one aware that nothing is safe from surveillance.
  • Hacking tools use techniques commonly used in malware.
  • Intercept tools can filter all traffic from the Internet backbone and determine which to forward to law enforcement.
  • Data analysis sorts, stores and analyzes information from a variety of sources including wired and wireless networks, surveillance, domestic and foreign agencies, tactical operations, etc. to build a complete profile of suspects or identify patterns across data sets.
  • Web scraping gathers and analyzes data from publicly available sources.
  • Anonymity hides the identity of investigators.
  • If governments are already using these tools, how long will it be before anyone can obtain them? WIll this imperil the confidence people have online?

Facebook Under Siege: Hackers Exploit XSS-Flaw in Massive Spam Attack

  • Facebook suffered one of its largest ever security breaches this week when hackers found a way to spread violent and explicit images to some users’ profiles.
  • Hackers reportedly tricked users into copying and pasting malicious Javascript code onto their browsers, thus providing attackers access to personal profiles.
  • “The ‘self-XSS’ exploit refers to the fact that social engineering techniques were employed to trick users into entering the code necessary to execute the attacks, as opposed to other types of XSS-based attacks where the perpetrators inject the code on to the Website,” reports eWeek.
  • Facebook reported yesterday that it had identified those responsible for the attack, was taking control of the spam and making plans for preventing such a future attack.
  • “Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms,” said a Facebook spokesperson, adding that no user accounts or data were compromised.

Security: Facebook Pays $40,000 to Hackers in Bug Bounty Scheme

  • Facebook has already paid out $40,000 to hackers for identifying flaws in its website, just three weeks after the social networker launched its “Bug Bounty” program that offers compensation for finding vulnerabilities in the site’s code.
  • “Schemes such as Facebook’s illustrate the push towards greater disclosure of security weaknesses and hacking incidents, as the technology industry strives to pool its resources to protect itself better,” reports The Financial Times. “The approach has won praise from digital advocacy groups such as the Electronic Frontier Foundation.”
  • “The program has also been great because it has made our site more secure — by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code,” explained Joe Sullivan, Facebook’s chief security officer.
  • Facebook joins others such as Google, Mozilla and HP that have programs in place to offer payments to outsiders who identify vulnerabilities.

McAfee Researchers Claim to Discover Massive Hacking Attack

  • McAfee researchers say they have uncovered the biggest hacker attack ever, involving 72 governments and organizations around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some dating back as far as 2006. Data compromised amounts to several petabytes of information.
  • The attack uses compromised remote access tools, or RATs, which allow system administrators to access systems from around the world and would allow an attacker to view and download confidential information. Some of those organizations and companies compromised still do not know it.
  • The attacker was not a hacker group but likely a “state actor” with very high skill levels (China is the “leading candidate”).
  • According to a blog post from Dmitri Alperovitch, McAfee’s VP Threat Research: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”