Twitter Grader Hack Highlights Social Network Spam Risks

Written by Paul Cunningham on February 17, 2010

The security of social networks was thrust into the spotlight yet again this week with the successful hack of the Twitter Grader application run by Hubspot, a maker of social media and internet marketing tools.

The Twitter Grader application uses an algorithm to calculate, or grade, a Twitter user’s ranking among their peers.  This type of tool has been very popular with Twitter users who willingly grant access to their Twitter accounts for websites that offer this type of ego-feeding information.

The compromise resulted in thousands of unauthorized messages being sent from Grader users’ Twitter accounts containing a link to a web page that hosted an embedded video.  The content turned out to not be malicious and it has been speculated that this was an attempt to increase the search engine rankings of the website.

The hack was quickly acknowledged by Hubspot who proceeded to take down the Grader application while they investigated the issue.  Grader users are advised to revoke access for Grader to their Twitter accounts and also to consider changing their account password.

Email Marketing Services Targeted by Hackers

Written by Paul Cunningham on February 11, 2010

There have recently been two publicized, high-profile attacks on email marketing services.  The two services are Aweber and iContact, each confirming the attacks within about a month of each other.

These companies, and many others like them, provide email marketing services to websites and other online businesses.  Email marketing, when done properly, is a legitimate practice and is not spam although some people do not make the distinction between the two.

A legitimate email marketing service will require a subscriber to deliberately opt-in to a list, usually by sending them a confirmation email before they are added to a marketer’s email list.  This stops spammers from simply harvesting email addresses, importing them into one of these services, and starting to spam them.

This opt-in requirement, plus other measures, assures a high deliverability rate for the customers of the email marketing service because antispam systems on the receiving end can have a high level of confidence that the marketing messages are opt-in and not spam.

Among the more paranoid web users there is a tendency to use unique emails for each mailing list that they sign up to.  So if they were to sign up to ABC Corp’s mailing list, they would use paul_abc@somewhere.com, and then for XYZ Pty Ltd would use paul_xyz@somewhere.com.

This might seem like a lot of hassle to go to, generating unique email addresses for every list you subscribe to, but when the attacks on these companies occurred it was these people who noticed the problem first.  Suddenly their secret, unique addresses began receiving pharmaceutical spam emails.   Your average person who uses one single email address probably would not have noticed this additional spam.

Initial reports were sketchy but eventually first Aweber, and then later iContact determined that a data breach had occurred in their systems.  In both cases the outcome was the same – subscriber email addresses were compromised, but customer account and billing information was not.

Vicious, Data Destroying Virus Discovered

Written by Sue Walsh on February 2, 2010

Security researchers have discovered a vicious new virus. Dubbed Win32.Worm.Zimuse.A, it appears to have originated in Slovakia but has been quickly making its way around the world with the highest rate of infection now in the United States, followed by Slovakia, Thailand, and Italy.  The virus and its variant, Win32.Worm.Zimuse.B, both work in the same destructive way. Once the system is infected, Zimuse creates between 7 and 11 copies of itself, installs a rootkit, alters system registry entries, and creates several driver files.  After a pre-determined number of days (40 for A, 20 for B) it springs to life with a poorly written fake Windows Defender warning:

          “System Defender – Kernel Error 0xC00000005

This problem is unambigously cause by malicious contents in IP packers in transport layer from website: www.offroad-lm.szm.sk. To bee patient, Windows Defender scan your hard drive(s) for bugs caused by system incompatible code. To recovery of system press OK button. Wait to successfull end of scanning. Inform about this administrator on www.szm.sk and incriminated web site.”

Once that appears, the system is doomed. The next time the user restarts the computer they will be greeted with the heart stopping error “FATAL: No bootable medium found.” This is because the virus overwrites the Master Boot Record, which permanently damages the drive. What makes this virus even more dangerous is that until the message pops up it’s nearly impossible to know the system is infected.

Win32.Worm.Zimuse A and B distribute themselves in very different ways. The first variant embeds itself on legit sites, possibly by poisoning an ad network, and pretends to be an IQ test. The second spreads via exchangeable media like USB flash drives. Experts think it was a malicious prank intended only for fans of a Slovakian motorcycle gang but it has gone far beyond that, destroying data wherever it lands. This could be especially devastating if it hit a critical government or business network.

It is extremely important to make sure your data is backed up safely and to be more cautious than ever about sharing storage media and clicking on links. All IQ tests should be avoided, and web surfing should be confined to familiar sites. If you aren’t sure if your system’s anti-virus programs are up to date, contact your IT department.

NASA Reprimanded Over Lax Security Practices

Written by Sue Walsh on October 23, 2009


In a new report by the Government Accountability Office, NASA was reprimanded over its lax security practices and told to shape up.  NASA has reported nearly 1300 security incidents in the last 2 years, and although it has taken some steps to improve its IT issues, the GAO says it still has far to go.

“NASA remains vulnerable to similar incidents going forward,” the report finds. “Control vulnerabilities and program shortfalls make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts.”

The security breaches reported at NASA include malware infections, data theft, the theft of several laptops containing data on a prototype hypersonic jet, a space telescope and a lunar orbiter, 82 computers being made part of a botnet thanks to the installation of rootkits, and the infection of 86 other computers with the Zoneback Trojan, and others infected with the Coreflood Trojan.

The GAO made 200 recommendations addressing 129 weaknesses. NASA says it is continuing to improve its IT management and better train its employees on proper security practices. Kind of scary that a high tech agency like NASA could be so careless when it comes to security!

IBM report says Trojans remain top threat

Written by John P Mello Jr on September 10, 2009
Trojans are most popular form of bad apps among crackers.

Trojans remain the most popular form of malware on the Internet, according to a report from IBM Managed Security Services.

The report, which is prepared quarterly by Big Blue’s Internet Security X-force, estimated that more than 56 percent of the malware in circulation can be categorized as Trojans. That shouldn’t be surprising since that form of malicious code offers computer miscreants a way to deliver an assortment of dastardly functions in a single package, functions such as spying, stealing information, logging keystrokes and downloading more poisonous programs.

IBM identified eight specific categories of Trojans now in circulation.


Is Home Office on Phorm’s side?

Written by Dan Blacharski on May 5, 2009

The Home Office issued a public notice about Phorm’s targeted advertising service, but curiously, before the notice was issued, the Home Office had a nice little discussion with Phorm directly to get their “opinion” on the advice before it went out.

Phorm’s service tracks online surfing and then delivers advertisements. The service has been under criticism from several fronts concerning privacy issues. According to BBC reports, Phorm had first requested the Home Office to give a position on its technology back in 2007; the Home Office responded in January 2008 to Phorm, saying, “I should be grateful if you would review the attached document, and let me know what you think.”

Later, the Home Office sent another document, thanking Phorm for their “amendments” to the Home Office’s advice.

It seems to me that when a government agency issues a public notice about a suspect company’s practices, it doesn’t make much sense to ask the suspect company for their input. This sort of collusion is more than bizarre, and seems more like a PR move by Phorm than any attempt by the Home Office to provide meaningful advice to the public.

Federal Agencies Not Doing Enough to Prevent Phishing

Written by Sue Walsh on April 23, 2009

A new report is revealing that most federal agencies aren’t following security protocols that could prevent phishing attacks. The report by the Online Trust Alliance, a group of security companies working to fight Internet fraud, found that 56% of the 25 agencies it studied did not authenticate emails or domain names.

        “Phishers will send mail that appears to come from the most recognized domains, such as IRS.gov, for example,” said Craig Spiezle, chairman and founder of the Online Trust Alliance. “What the owner of those domains can do is publish a declaration that tells Internet service providers, receiving networks and e-mail programs, ‘No e-mail will come from this domain,’ or ‘Only mail from these specific IP addresses is authorized to send mail from this domain.’ But most agencies are not doing that.”


Policy updates may be in order to address social networking threats

Written by Dan Blacharski on April 16, 2009

We are starting to see more security problems relating to social networking, including social networking phishing attacks that direct users to malicious web sites, and hacks like last week’s Twitter attack by a “bored” 17-year-old. Apparently, according to a Cnet article, “one day he hopes to get a job as a security analyst.” Yikes! If you hire this youngster, you get what you deserve. Let’s not teach a whole new generation that the way to a good job is through criminal activity! Kid, if you’re reading this, you’re not Frank Abagnale, get over it. There is a better way.

But onto the issue at hand. The wave of social networking attacks, social network phishing, and even social network spamming may call for the security policy to be revisited. Many security policies were created before social networking became as popular as it is today, and there has been an ongoing debate as to whether user policies need to be updated to reflect this new reality.


Are CAPTCHAs Doomed?

Written by Brett Callow on April 15, 2009

In a recent post at TheEmailAdmin, I grumbled briefly about how annoying CAPTCHAs can sometimes be. Scratch that. It’s not a case of “sometimes” – I find them to be annoying all the time! The problem I have is that I usually cannot read the things. Maybe I’m stupid, but it’s often the case that I simply cannot tell whether a particular squiggly-wiggly line is supposed to be a “2” or a “Z” or an “8” or a ‘B’. Unfortunately, the bad guys seem to have no such problems and routinely break CAPTCHAs – see, for example, the post Microsoft’s CAPTCHA Cracked Again.

This leads to the question: are CAPTCHAs doomed? I suspect that the answer is, yup, there is very little doubt that CAPTCHAs will become a thing of the past. Here’s why:

1. I seriously doubt that it will be possible to devise a CAPTCHA that cannot be broken. Yup, people are working on CAPTCHAs which they claim will be much more difficult to break, but I don’t think that they’ll succeed. Where there’s a will there’s a way and, given enough incentive, the bad guys will almost certainly be able to find a back door.


Crime and (no) Punishment

Written by Brett Callow on April 2, 2009

Last year, teenage Kiwi Owen Thor Walker landed a job with major New Zealand telecommunications company, TelstraClear. What makes the appointment somewhat unusual is that the 19-year-old had appeared in court the previous year on charges relating to his creation of a botnet that was used for various criminal purposes. According to Wikipedia:

          In 2008 he admitted to being the ringleader of an international hacking organisation estimated to have caused $26 million worth of damage.

Walker, known in underground communities as Akill, was apprehended as a result of FBI Operation Bot Roast and, while it seems that he didn’t personally steal any money, he was allegedly paid more than $40,000 by those who did. While Walker was handed a stiff fine by the courts, he managed to escape serving time in the chokey as the court deemed that a conviction could damage his potentially bright career.

According to TelstraClear, Walker was contracted to provide seminars to executives and customers and certain unspecified marketing services – but was never provided with access to their corporate network.
