Archive for the ‘Social Media Storm Center’ Category

*WARNING: New Twitter Phishing Scam Spreading via Direct Message

Thursday, October 29th, 2009

There is a new Twitter phishing scam making the rounds, and this one is spreading quickly via direct message.

The infected message, which seems to be an iteration of a previous phishing scam, simply reads: “Hi, this you on here?” Clicking on the link will take you to a phishing site where scammers can take your personal information and hijack your account.

As always, do not visit the link if you receive this direct message! Never provide your Twitter username and password to any website that seems suspicious in any way. If you’ve been tricked, make sure to change your Twitter password immediately.

Researchers Advise Cyber Self Defense in the Cloud

Tuesday, October 13th, 2009

By Dan Nystedt, IDG News Service – Mon Oct 12, 2009 6:30AM EDT

Security researchers are warning that Web-based applications are increasing the risk of identity theft or losing personal data more than ever before.

The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what personal data they make public, won’t be easy.

People put a lot of personal information on the Web, and that can be used for an attacker’s financial gain. From social-networking sites such as MySpace and Facebook to the mini-blogging service Twitter and other blog sites like WordPress, people are putting photos, resumes, personal diaries and other information in the cloud. Some people don’t even bother to read the fine print in agreements that allow them onto a site, even though some agreements clearly state that anything posted becomes the property of the site itself.

The loss of personal data by Sidekick smartphone users over the weekend, including contacts, calendar entries, photographs and other personal information, serves as another example of the potential pitfalls of trusting the Cloud. Danger, the Microsoft subsidiary that stores Sidekick data, said a service disruption almost certainly means user data has been lost for good.

Access to personal data on the cloud from just about anywhere on a variety of devices, from smartphones and laptops to home PCs, shows another major vulnerability because other people may be able to find that data, too.

“As an attacker, you should be licking your lips,” said Haroon Meer, a researcher at Sensepost, a South African security company that has focused on Web applications for the past six years. “If all data is accessible from anywhere, then the perimeter disappears. It makes hacking like hacking in the movies.”

A person who wants to steal personal information is usually looking for financial gain, Meer said, and every bit of data they can find leads them one step closer to your online bank, credit card or brokerage accounts.

First, they might find your name. Next, they discover your job and a small profile of you online that offers further background information such as what school you graduated from and where you were born. They keep digging until they have a detailed account of you, complete with your date of birth and mother’s maiden name for those pesky security questions, and perhaps some family photos for good measure. With enough data they could make false identification cards and take out loans under your name.

Identity theft could also be an inside job. Employees at big companies that host e-mail services have physical access to e-mail accounts. “How do you know nobody’s reading it? Do you keep confirmation e-mails and passwords there? You shouldn’t,” said Meer. “In the cloud, people are trusting their information to systems they have no control over.”

Browser makers can play a role in making the cloud safer for people, but their effectiveness is limited by user habits. A browser, for example, may scan a download for viruses, but it still gives the user the choice of whether or not to download. Most security functions on a browser are a choice.

Lucas Adamski, security underlord (that’s really what his business card says) at Mozilla, maker of the popular Firefox browser, offered several bits of cyber self defense advice for users, starting with the admonition that people rely on firewalls and anti-virus programs too much.

“You can’t buy security in a box,” he said. “The way to be as secure as possible is about user behavior.”

There is a lot of good built-in security already installed in browsers, he said. If you get a warning not to go to a site, don’t go to it. When you do visit a site, make sure it’s the right one. Are the images and logos right? Is the URL correct? Check before you proceed with filling in your username and password, he counseled.

Software updates are vital. “Make sure you have the most up-to-date version of whatever software you use,” he said. Updates almost always patch security holes. Key software programs such as Adobe Systems’ Flash Player and Reader are particularly important to keep updated because they’re used on so many computers and are prime targets for hackers.

He also suggested creating a virtual machine on your computer using VMware as a security measure.

“It’s really hard to get people to change their browsing habits,” he said. People want to surf the Web fast, visit their favorite sites and download whatever they want without thinking too much about security. “Educate them, move them along, but don’t expect them to become security experts.”

Internet browser makers take great care in building as much security as possible into their products and putting them through rigorous testing.

The security team for Google’s Chrome browser, for example, will take the first crack at any major update to the software, hacking away to find vulnerabilities or ways to improve security, said Chris Evans, an information security engineer at Google.

After the Chrome security team takes a whack at the software and it is reworked to fix the holes they found, other security teams at Google will have a go at the product to see what trouble they can cause. Finally, the software is released in beta form, and private security researchers and others can hack away. Any problems are fixed before the final release goes out and then the Chrome team stands ready to make new patches for any other security issues that crop up.

Despite all the testing, browser makers are only one part of the security solution because they have no control over Web software or user browsing behavior.

The cloud is the Wild West: hackers and malware makers abound, phishers seek passwords and users do whatever they want to, recklessly surfing and downloading potentially dangerous content as judged by security researchers.

Companies developing Cloud applications and services will need to do more for Web security. Amazon.com with its Web Services and Google as it moves forward with initiatives, such as Google Docs, that attempt to draw people to Web applications and away from computer applications will need to work more closely with security researchers, Meer said.

And Google’s work on the security in the Chrome browser highlights the reason why: Computer applications such as Chrome face intense scrutiny by security researchers throughout the Web, while Web applications do not.

“Reverse engineering keeps [big software companies] honest,” said Meer. “If they hide something in the software code, sooner or later someone finds it. With Cloud services, you just don’t know because we simply cannot verify it.”

Cloud applications are built by one company, and nobody is looking at the code or how safe it is, said Meer. Applications for computers are different. They can be ripped apart by security experts then put back together stronger so there are no security holes, he said.

“Trust but verify,” said Meer. “Just because a guy does no evil today, we cannot trust that they will do no evil tomorrow because we simply cannot verify it.”

Gmail Tries to Help Users Avoid Phishing Scams

Monday, October 12th, 2009

October 6th, 2009 | by Barb Dybwad

Perhaps in light of over 20,000 email accounts including Gmail being recently compromised, Google thought it might be a good time to remind everyone about how to create a secure password.

Half the battle is being alert for signs of phishing — a method hackers use to trick people into sharing personal information including account passwords. The other half is starting with a strong password, and changing it to another smart password regularly — particularly if you have any suspicion your account might have been compromised.

To many of you these are probably old hat by now (and some of them are plain common sense), but in light of the recent successful scams that saw as many as 30,000 account details posted online, it might be worth a periodic review:

Use different passwords on different sites — After all, if you use the same login credentials for multiple sites and one gets compromised, they all are. Since many of us use umpteen web services daily, it’s worth checking out a good password manager tool to help you keep them all straight — and safe.

Don’t use common words or sequences — Simple dictionary terms or sequential numerical sequences won’t cut it. You should make sure your passwords are a mix of letters, numbers and symbols.

Don’t base passwords on personal data — Hackers often use “social engineering” techniques to greater effect than running actual lines of code. Since we routinely share various bits of personal data with others, things like pet names, middle names, birthdays and so on don’t make a good basis for passwords.

Don’t leave your password somewhere visible — If you simply must write it down, don’t put it on a post-it attached to your monitor. Relatedly, if you keep a list of passwords on your computer, name the file something more cryptic than “password file.”

Make sure your password recovery questions are also secure — Strong passwords that lack semantic meaning are unfortunately also easier to forget. Many sites allow you to reset your password over email or after answering one or more Security Questions you set up when creating the account. Make sure these aren’t based on common-knowledge personal data either — try to make them difficult to guess, and avoid any information you’ve posted publicly online anywhere as well.

What steps do you take to ensure the security of your online logins? Do you have any password or security tips to share? Let us know in the comments.

Phishing Scam

Monday, October 5th, 2009

We have received multiple reports that a new, convincing, and dangerous worm and phishing scam is making the rounds on Twitter. Hacked accounts are sending DMs to users and stealing their login information. In fact, one of our own has received one of these direct messages.

Unsuspecting users are receiving DMs with the following text:

If you get this DM, DO NOT VISIT THE LINK. It takes you to a replica of the Twitter login page where the hackers will steal your account and use it to send out more infected DMs to your friends.

If you’re one of the unlucky ones to be fooled by this worm, make sure you change your password. Also delete any tweets or DMs that have the link. If you can’t log into your account, reset the password and contact Twitter Support.

This is not the first worm to hit Twitter, but this one is especially dangerous because the login page is convincing and it is spreading via DMs from friends you trust.

When we have more information, we’ll update you with it.

Update: We contacted Twitter. They are aware of the threat and are on the case.

Safety Tips for Social Networking

Monday, October 5th, 2009

If you follow these 6 simple instructions, you can keep yourself and others safe!

1. Be skeptical. Treat every social networking link with caution – especially the ones promising a link to a video.

2. Guard your personal information. Use privacy settings to restrict who can see your sensitive information, or consider omitting all personal information from your profile.

3. Choose passwords wisely. Use different passwords for each of your sites; select a randomized combination of numbers and letters.

4. Have antivirus and antispyware protection. Even if you think you’re not infected, scan your machine for dormant viruses with a free scan; and protect your PC with an Internet security suite that includes antivirus, antispyware, and firewall technologies.

5. Always install updates. If you’re already using antimalware software, be sure to install updates which include the latest malware definitions; do the same with updates to your operating system.

6. Remain vigilant. Malware authors are continually writing new programs to avoid detection, so pay close attention to suspicious behavior.

DNS ATTACK

Monday, October 5th, 2009

Facebook, Twitter and LiveJournal recently reported they were the targets of “denial-of-service” attacks. Hackers launch these attacks by infecting hundreds or thousands of so-called “zombie” computers with malicious software. Once the computers are infected, hackers remotely instruct them to simultaneously attack a targeted Web site, flooding it with so much traffic that it becomes inaccessible.

Koobface is another pervasive threat. It began on Facebook, but now targets a host of other social networks. This worm sends fake messages and links to friends, usually encouraging them to watch a video. Depending on the site, the worm can also post infected links on walls and change the account user’s “Status” by modifying the text and adding a link. Read more on our blog: “Koobface: Not Just for Facebook Anymore”

© 2009 HotWired