NEWS - October 02, 2012

Twitter Authentication Flaw Helps Crooks Take Over Popular Handles

From Bitdefender's "Hot for Security" Blog:

If you're one of the Twitter users with an overly appealing username, please change your password to something solid before finishing this story. According to a veteran Twitter user known as @blanket, an authentication flaw in the Twitter login system makes it extremely easy for cyber-criminals to brute-force your Twitter password without any limitation.

Twitter user Daniel Dennis Jones, also known as @blanket, felt the flaw when he received a notification from Twitter that his password had been successfully changed. When he attempted to log in to the micro-blogging platform with his credentials, he found his password had been abusively changed by an unknown user. To add insult to injury, his username had also been replaced with an obscene handle.

"Twitternames that would have high value due to brevity: @hah, @captain, @craves, @abound, @grinding, [were] all cracked/stolen," Jones wrote on his Twitter wall. The series of attacks against these handles appears to have a financial motivation, as these usernames were later pitched at selling for prices between $60 and $100. "By chasing tweets I find @blanket & others are being pimped at a site called forumkorner," Jones continued.

Continued :

Twitter Authentication Flaw Allows Hackers to Hijack User Accounts
Twitter account hijacking exposes easy-to-exploit security flaw
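The missing control in the story above is a limit on failed login attempts. As an added example (not code from the article, Bitdefender or Twitter), the Python below throttles guesses per account and per client address with sliding windows, so an unlimited guessing run is cut off after a handful of failures while the owner can still log in later; the handle, client addresses, password and credential store are constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed demo credential store (PBKDF2, fixed salt; real stores use a random per-user salt).
_SALT = b"constructed-demo-salt"
_USERS = {"@blanket": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 50_000)}

def verify_password(account, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    return hmac.compare_digest(_USERS.get(account, b""), digest)

class LoginThrottle:
    """Sliding-window failure counters keyed by account (stops guessing one handle from many
    addresses) and by client address (stops one address spraying many handles)."""
    def __init__(self, per_account=5, per_client=20, window_s=900):
        self.per_account, self.per_client, self.window_s = per_account, per_client, window_s
        self._acct = defaultdict(deque)    # account -> timestamps of recent failures
        self._client = defaultdict(deque)  # client address -> timestamps of recent failures

    def _prune(self, dq, now):
        while dq and now - dq[0] >= self.window_s:   # drop failures older than the window
            dq.popleft()

    def allowed(self, account, client, now):
        self._prune(self._acct[account], now)
        self._prune(self._client[client], now)
        return (len(self._acct[account]) < self.per_account
                and len(self._client[client]) < self.per_client)

    def record_failure(self, account, client, now):
        self._acct[account].append(now)
        self._client[client].append(now)

def attempt_login(throttle, account, client, password, now):
    """Returns 'ok', 'denied' or 'throttled'; throttled attempts never reach the password check."""
    if not throttle.allowed(account, client, now):
        return "throttled"
    if verify_password(account, password):
        return "ok"
    throttle.record_failure(account, client, now)
    return "denied"

def simulate(guesses, spray=False):
    """One client makes `guesses` wrong attempts a second apart against one handle (or a different
    handle each time if spray=True); then, after the window, the owner logs in from elsewhere."""
    t = LoginThrottle()
    out = [attempt_login(t, f"@user{i}" if spray else "@blanket", "198.51.100.7",
                         f"guess-{i}", now=float(i)) for i in range(guesses)]
    out.append(attempt_login(t, "@blanket", "203.0.113.9", "correct horse battery", now=2000.0))
    return out
```

`simulate(25)` yields five "denied" results, twenty "throttled" ones, and a final "ok" for the legitimate owner; `simulate(25, spray=True)` shows the per-client cap taking over at twenty.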
- Collapse -
ScareWare Marketer Gets Whacked With $163 Million Judgment

The Federal Trade Commission (FTC) said today that a federal court has inflicted a judgment of more than $163 million on the final defendant in its case against an operation that used "scareware" tactics in order to trick consumers into believing their computers were infected with malware, and selling them software to "fix" a non-existent problem.

In 2008, the FTC charged Kristy Ross and six other defendants with tricking more than a million Internet users into paying $39.95 or more for software to remove non-existent malware that appeared to be detected by scans.

The FTC said the operation utilized online ad networks and other popular web sites to promote "technologically sophisticated" Internet ads that displayed to consumers a "system scan" that would invariably detect a host of malicious or otherwise dangerous files and programs on consumers' computers. The bogus "scans" would then encourage consumers to buy the defendants' software for $40 to $60 to remove the said malware.

According to the FTC's original complaint, the fake security software included products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.

Continued :

FTC wins $163 million from woman who tricked 1 million users into thinking their PCs had malware
FTC gets $163M judgment in scareware case

- Collapse -
Automated Toolkits Named in Massive DDoS Attacks Against U.S. Banks

Attackers targeting major U.S. banks with distributed denial of service attacks are using a number of toolkits to automate the job. Prolexic Technologies, a security company specializing in DDoS protection services, identified one toolkit called itsoknoproblembro, a kit that attacks multiple ports and network targets.

Meanwhile, Arbor Networks told Threatpost via email that itsoknoproblembro isn't the only tool being used in these attacks, and that this isn't the first time it has seen the kit used in a large-scale DDoS attack. Experts have said the scale of these attacks is massive, unlike any seen previously.

During the past 10 days, PNC, Wells Fargo, J.P. Morgan Chase & Co, and Bank of America have been either taken offline or had intermittent outages interrupting services. A group using the name Mrt. Izz ad-Din al-Qassam Cyber Fighters has claimed responsibility for the attacks as retaliation for the portrayal of Muslims in a series of movie trailers posted to YouTube for the film "Innocence of Muslims."

Prolexic said today that it has recorded sustained floods hitting 70 Gbps and more than 30 million packets per second in some of the attacks. Expert Dmitri Alperovitch of CrowdStrike told Threatpost last week his company had seen some attacks reach 100 Gbps. Most observed DDoS attacks require 5-10 Gbps of traffic to take down a site.

Continued :

Firm Says "itsoknoproblembro" DDoS Toolkit Was Used in Recent Debilitating Cyber Attacks
Prolexic: "itsoknoproblembro" DDOS Attacks Are Highly Sophisticated
- Collapse -
Tool prevents hackers from obtaining Android app source code

RIIS announced HoseDex2Jar, a mobile security tool that can prevent Android decompilation by hackers on mobile devices.

Android runs applications in .dex format. Dex2Jar is the only tool available to convert Android APKs back into Java .jar files. This allows someone to decompile the .jar file using JD-GUI or JAD into readable source code. Once done, all proprietary source code and other sensitive information stored on backend databases are vulnerable.

RIIS knew if they could figure out a way to stop Dex2Jar from functioning, they could protect Android apps from being decompiled at all, thus protecting the apps from attackers. RIIS started investigating to see if Dex2Jar had any limitations they could expose. HoseDex2Jar was born.

"Developers can take steps such as using tools like ProGuard to obfuscate their code, but up until now, it has been impossible to prevent someone from decompiling an app," said Nolan.

Continued :

Mobile App Development Company Fights Off Android Malware with Obfuscation Tool
Mobile Firm Takes on Android Decompiler With New Tool
RIIS Develops Unprecedented New Mobile Security Tool to Stop Android Decompilation

- Collapse -
Fake Apple Discount Card Wants to Steal Your Personal Info

Have you received a suspicious-looking Apple Store discount card in your email lately? It could be the latest ploy to steal your personal data, Sophos reports.

Aimed at Apple customers in Australia, the "card" claims to offer a 100 AU$ ($103) credit if you spend only 9 AU$, which is, quite obviously, too good to be true.

The text of the email contains the following bit: "Apple is rewarding its long-term customers. Your loyalty for our products made you eligible for buying an Apple Discount Card. With this only 9 AU$ Discount Card you will have 100 AU$ credit at any Australian Apple Store."

Attached to the email comes a form that asks for a lot of your personal info, including your name, address, date of birth as well as credit card details.

The entire thing does not come from Apple and is merely a scheme to obtain your personal info.

Continued :

Bogus Apple Store discount card offer attempts to steal users' identities
Fake Apple Store discount card leads to identity theft
Fake "Apple Reward" Emails Try to Steal Credit Card Details

- Collapse -
Tracking malware in the wild, Crocodile Hunter-style [VIDEO]

security issues.

For instance, the humorous anarchic puppet show about spam, the mindreader who has a little help from Facebook, and Sophos's own movie about what happens when you go cycling around London, hunting for unsecured Wifi access points.

Now we have an affectionate spoof of the "Crocodile Hunter" TV shows made famous by the late Steve Irwin, with the intention of helping raise the public's understanding of web safety issues.

The video, timed to coincide with National Cyber Security Awareness Month, comes from the folks at and Bluehost.

Here are some quick tips:

• Keep your computers protected with up-to-date software and security patches - not just on the computers you use to browse the web, but the servers you use to host your website too. Malicious hackers are always on the lookout for computers that are not running the latest versions of software, hoping to exploit vulnerabilities.

Continued :

- Collapse -
October Is National Cyber Security Month

Every October, those of us in the technology arena, and especially those of us who specialize in data security and privacy protection, promote National Cyber Security Month to family, friends, and co-workers.

If you depend on digital technology - and we all do - then you are at risk. Every day, more and more data about you finds its way online. From the most basic details of your first and last name to more comprehensive details including your address, phone number, and family member names to professional career details, you can be found online. In addition, if you bank online, your financial transactions are at risk, and if you access any medical-related vendors, then your medical records could be at risk.

The truth is, no information is guaranteed to be 100% breach-free. Therefore, you must be vigilant when it comes to knowing what information about you is online. No business or government entity is solely responsible for securing the Internet. You play the most important role in protecting your own digital life. You cannot hide your head in the sand and simply hope for the best.

Continued :

Related : 2012 National Cyber Security Awareness Month

- Collapse -
Android Devices Scream WiFi Network Names

Thanks to lax mobile security practices and the amount of sensitive information stored in your pocket, mobile devices provide a rich platform for attackers to conduct reconnaissance, or the gathering of personal information used to crack into people's accounts.

Julian Bhardwaj, an intern at Sophos, writing for Naked Security, demonstrated a very cheap way to harvest some interesting bits of personal information using no more than a $23.95 wireless router off of eBay and freely available software. He simply took advantage of a default Android setting that broadcasts the names (SSIDs) of preferred wireless networks when you switch on your WiFi radio.

First, he set up a laptop in his university to capture packet data from nearby devices. Within five hours, 246 devices came into his range, and 49 percent were actively searching for - and broadcasting - the names of preferred networks. He was able to see 365 SSIDs, all containing information that a savvy attacker could use.

Continued :
