Facebook login exploit 'a phishers dream'

Data breaches happen in numerous ways. So many ways in fact that it's difficult for security teams to predict where an attack will happen next. The latest is an exploit of Facebook login on numerous websites. Once accounts are hijacked in this way, they can be held for ransom or used by a phisher to work their way into much larger and more profitable data sets.

It's accomplished through the use of a ready-to-use tool called Reconnect. The tool has been released to the wild and is therefore accessible by anyone. Essentially, Reconnect enables the user to log on to a website using stolen Facebook credentials.

"I tested this out and it looks legitimate. This is a phishers dream really, I am sure we will see a lot of Facebook accounts compromised by this. Hopefully, Facebook is working on a fix," said Ken Westin, senior security analyst at Tripwire.

Security researchers believe that most if not all websites that enable Facebook login are vulnerable to the exploit. The blackhat release site says Reconnect can be used to hijack accounts on websites such as Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.

"This is indeed a very big issue as many popular websites use Facebook's delegated identification, so a widespread exploit could wreak a lot of havoc," said Branden Spikes, CEO of Spikes Security.

"Giving Facebook a little benefit of the doubt here, this looks like an instance of an unfortunate practice where black hats or corrupt penetration testing firms discover big vulnerabilities like this, and rather than submitting them through the standard bug bounty channels (or on the terms of their professional contract with the victim) they choose to ransom them instead," he added.

Phishing: it's not just for email anymore. Until Facebook finds a fix, it may behoove companies to disable the login.

Nude Celebrity Photo Dump Has Many Asking What Happened

Hundreds of private photos belonging to several high-profile Hollywood actresses were posted online this past weekend. They are explicit in nature, and were not intended to be seen by the public. But they have been.

The question, now, is how did this happen?

The details of the hackings haven’t been worked out quite yet, but there are two popular theories floating around: the first is that the hacker, or hackers, exploited a vulnerability allowing cybercriminals to make an unlimited number of password guesses on Apple’s cloud service offering, iCloud. This type of attack—repeatedly guessing passwords until the successful password is found—is called a brute force attack, and is typically done with an automated program. Once an iCloud account is breached, or any cloud service for that matter, the hackers can view and retrieve anything saved in that cloud such as contacts, photos, saved notes, and more.

The second theory, one suggested by Apple after it made an official statement on the situation, is that these celebrities may have fallen victim to a social engineering attack. Social engineering attacks are attacks that take advantage of social habits in order to compromise an account or gain access to sensitive information. For example, a “hacker” could pose as someone who works at your company, but in a different department, in order to trick you into giving up sensitive company information. This wouldn’t be the first time that a social engineering attack made headlines. In 2012, digital journalist Mat Honan had his life turned upside down when hackers gained access to nearly all of his online accounts through social engineering techniques.

Regardless of which theory is accurate, the result is fairly predictable: someone involved with the hacking ring, or the single person who accrued all of these photos, wanted to show off on an Internet imaging board and posted stolen photos. Those photos, of course, were shared throughout the Web, and the privacy of these well-known individuals was shattered.

We won’t know what hacking method was used for some time, possibly not until after an F.B.I. investigation. That investigation won’t restore anyone’s lost privacy, but it’ll hopefully result in some much-needed justice. In the meantime, what can people do in order to protect themselves from such attacks?


Of course, with celebrities being in the public eye, the demand for their personal photos is quite high. Still, while you may not be a celebrity, there are a few important steps that you can take to protect your online identity, and your private photos.

• Be wary of uploading to the cloud. By default, iPhones upload photos to iCloud through a feature called “Photo Stream.” This is done to preserve your photos in the event of phone failure, and enable you to access photos from any of your devices. In this context, however, having personal photos in multiple places only increases the likelihood of those photos leaking. If you feel that you need to disable Photo Stream, follow Apple’s instructions here.

• Be careful what photos you take with your mobile device. Even if you’re not sending them to anyone or uploading to the cloud, do remember that your phone or tablet can be lost or stolen. 

• Use strong passwords. Every online service requires the use of a password. These passwords need to be complex in order to ensure your security. A complex password consists of at least eight characters in length and uses a combination of upper and lower case letters, numbers and symbols. These passwords should be unique to each site and should be changed every six months at a minimum.

• Use a password manager. The reason why strong passwords aren’t used enough is largely attributed to the fact that they’re more difficult to remember. Complex passwords can also be a pain to use on mobile devices.

• Enable two-factor authentication wherever possible. Two-factor authentication is a security standard that requires the account holder to possess two things: knowledge (like a password or answer to security questions) and something that only they would have (like a phone number). Two-factor authentication is a great way of preventing hackers from gaining access to sensitive accounts, and would’ve likely prevented this whole situation from taking place if enabled.

Be warned: there is no one silver bullet to digital security. Vulnerabilities exist because of how programs are built and how they interact with one another. The best way to stay secure online to stay knowledgeable of security defense and use the techniques you need to stay safe surfing.

Apple Not Hacked In Celebrity Nude Photo Breaches

"Very targeted attack" on celebrities' Apple usernames, passwords, security questions -- iCloud, Find My iPhone not breached, Apple says.

This afternoon, Apple confirmed that stolen and leaked private photos of several celebrities were not due to a breach in its iCloud nor Find My iPhone services. Speculation swirled over just how the attackers accessed the accounts of Jennifer Lawrence, Jenny McCarthy, Rihanna, Kate Upton, Mary E Winstead, and others.

A trove of naked photos and video content stolen from the stars appeared on the 4Chan chatroom site over the weekend. Questions about how the hackers got hold of the celebs' accounts began to center around a possible flaw in Apple's iCloud and Find My iPhone after Apple reportedly issued an update that fixed a hole that would allow a brute-force password attack.

In a statement issued today, Apple said:

"When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."

Apple recommends users create strong passwords and use two-factor authentication, which is an option for Apple ID accounts. Apple did not comment on the reported flaw nor did it respond to questions about it via a media inquiry.

One security expert says he tested whether AppleID would lock him out after a certain number of attempts after hearing about the possible patch by Apple: It did. "After ten attempts, it locked me out," says Rik Ferguson, global vice president of security research at Trend Micro. He was unable to confirm whether Apple's authentication service had always done so, or whether this was due to a fix by Apple in the wake of the celeb hacks.

Either way, brute-forcing would require knowing the email address of the target, he says.

It's not surprising that most consumers and celebrities don't opt for the second factor of authentication since it's not required, experts say. And weak passwords most likely played a major role in the attack, they say.

"This breach could have been prevented if iCloud required users to use a two-factor authentication to access their accounts. This will require users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password," says Vijay Basani, CEO of EiQ Networks. "Since numerical code always changes, it makes it difficult for the hackers to gain access [and breach the account], even if they can guess the password."

Think twice before you rush to post your PII for that freebie on Facebook!

Looks like any other product Facebook page? Think again.

Click to enlarge

Another case of misuse of social media, by consumers - that is case study worthy.

I was alerted of people posting their personal particulars (or commonly known as PII in US) on Loreal Singapore's facebook wall in exchange for potential freebies. Read POTENTIAL.

Don't believe how crazy can that be? Here's proof:

Click to enlarge

There's just so much private data there waiting to be mined. The PII have been sanitized to protect their privacy, but I'm thinking my attempts will prove to be futile as the Facebook page is accessible by the general public even without logging in. 

Attack of the computer mouse

This attack method is not new. It was tried and tested with flash drives. Finders keepers?

So the next time one finds a ‘branded’ computer accessory (e.g high end razer mouse or solid state HDDs) lying around which seems too good to be true, it usually is.

========================================================

Security firm Netragard has described an attack during which a modified computer mouse was used to infiltrate a client's corporate network. For this attack, the security experts equipped the mouse with an additional micro-controller with USB support (Teensy Board) to simulate a keyboard, and added a USB flash drive to the setup.

When connected to the PC, the Teensy Board's Atmel controller sent keyboard inputs to the computer and ran software that was stored on the USB flash drive. This allowed Netragard to install the Meterpreter remote control software, which is part of the Metasploit framework. To bypass the target system's McAfee virus scanner, Netragard says it used a previously undisclosed exploit.

The crux of the attack was to find a suitable company employee who would, upon receiving the computer mouse, connect it to a company PC without becoming suspicious. The client who ordered the pen test had excluded social engineering attacks via telephone, social networks and email, but Netragard managed to obtain a list of the company's employees via the Jigsaw service. The security experts selected one of the employees and sent the mouse in its original packaging – camouflaged as a promotional gadget.

Attacks that use specially modified USB devices have been around for a while; USB flash drives that are "accidentally" left lying around are often used in security tests. A current study by the US Department of Homeland Security found that 60 per cent of users will naively connect a USB flash drive to their PC to see what is stored on it.

However, using a computer mouse for such an attack is a new idea. Corporate IT security staff may in future be faced with the problem of having to test peripheral devices before they can allow users to connect them to their PCs. Specially modified Android phones can also present themselves as keyboards, and take control, when they are connected to a PC.

Malicious PDF spam with Sality virus

Malicious spammers will try every approach they can think of to make you open the attachments included in emails.

Sophos warns that a malicious email containing the following text has been dropped into inboxes around the world:

"Hey man.. Remember all those long distance phone calls we made. Well I got my telephone bill and WOW. Please help me and look at the bill see which calls where yours ok.."

You surely don't remember such an occurrence or the sender of the email, since this is just a ploy to make you open the PhoneCalls.pdf attachment, but don't let your innate curiosity get the better of you.

The attached file is crafted in such a way that it can exploit a vulnerability in how Adobe Reader handles TIFF images, and proceeds to download and execute a Trojan that loads the Sality virus into your system's memory. The virus then proceeds to append its encrypted code to executable files, deploys a rootkit and kills anti-virus applications.

Having an up-to-date version of Acrobat Reader and of an anti-virus solution installed can help detect this threat, but teaching yourself to detect suspicious emails such as this one is also a great idea.

Just remember that opening documents attached to unsolicited emails is like the online equivalent of Russian roulette - the odds are stacked heavily against you.

Top 5 FIFA World Cup online risks

Lavasoft warned computer users to be aware of stealthy online traps set by cybercriminals to leverage public interest surrounding the 2010 FIFA World Cup – and issued advice to follow to make sure people enjoy the month-long tournament without becoming the target or victim of an attack.

The World Cup, which begins in only one week and lasts throughout mid July, is known to be the most widely-viewed sporting event in the world. Events that draw such pervasive and ongoing public interest will, without a doubt, be used to propagate socially-engineered crimes - where users are manipulated into performing certain actions or disclosing confidential information.

Lavasoft analysts anticipate that the following five online security risks will be most prevalent leading up to and during the World Cup – and offers specific steps to take to avoid becoming a victim.

Read on for the tips to avoid the online risks.

Koobface Botnet - New Christmas Theme

Facebook and other users of web 2.0 social networks should be careful and avoid unusual messages or spammed comments on their sites, and a new variant of the Koobface worm is circulating with a Christmas based theme.

The Koobface botnet, one of the most efficient social engineering driven botnets, is entering the Xmas season with a newly introduced template spoofing a YouTube video page, in between enticing the visitor into installing a bogus Adobe Flash Player Update (New Koobface campaign spoofs Adobe’s Flash updater), which remains one of the most popular social engineering tactics used by the botnet master

Full report here:
http://blogs.zdnet.com/security/?p=5001

Email Scams Targeting Job Seekers

Email security firm Red Condor has issued a warning to email users about the latest email scams that are targeting people looking for employment.

Among the scams are emails that claim to be offering employment from legitimate companies such as Pepsi and Starbucks or that appear as messages from real job sites like CareerBuilder or Monster.com.

The fake employment offers frequently involve "payment processing" requests which give scammers an excuse to ask for a respondent's bank account information.

In addition to email spam, other scammers are using Craigslist to post fake job ads. When people respond to the ads, they receive an email reply that requires them to go to a "credit check" website to get their credit scores. The credit check link contains the scammer's affiliate, so when the victims pay for the credit check, the scammer gets a commission.

An email response to "Legal Secretary job posting" on craigslist email said, "Do not send me your info or report, I just want to make sure your score is above the 400 mark so check it and give me your exact score when you e-mail me your resume and references."

"Unfortunately, as with all phishing attacks, there is no legitimate employment offer coming, and victims have either given their personal information or money to unknown, deceitful sources," said Dr. Tom Steding, chief executive officer of Red Condor.

"Spammers are once again demonstrating that nothing is off limits as they focus their efforts on the millions of people that are unemployed and looking for work.

Sober worm returns and uses social engineering techniques

PandaLabs has recorded the appearance of a new variant of the Sober worm, Sober.Y, which spreads using social engineering techniques in emails sent in English or German.

The worm uses two types of mail to propagate: Firstly, an email in English with the subject "Your new password," which tries to make users think it is notification of a change of password, asking them to check the data in an attached file, pword_change.zip.

Secondly, an email written in German claiming to contain a photograph of old school friends in the file KlassenFoto.zip. Both compressed files contain the executable PW_Klass.Pic.packed-bitmap.exe, which is a copy of the worm itself.

If the file is run, a false CRC error is displayed, even though the action has already started. The worm collects email addresses from files with certain extensions on the compromised computer, and sends itself out to them in the emails described above using its own SMTP engine. It will only use the German version of the email if the addresses end in .de (Germany), .ch (Switzerland), .at (Austria), or .li (Lichtenstein).

Even though the number of incidents recorded is low, this worm has significant propagation potential.

Survey reveals social networkers' risky behaviors

Members of online social networks may be more vulnerable to financial loss, identity theft and malware infection than they realize, according to a new survey from Webroot.

Surveying over 1,100 members of Facebook, LinkedIn, MySpace, Twitter and other popular social networks, Webroot uncovered numerous behaviors that put social networkers' identities and wallets at risk. Among the highlights:

* Two-thirds of respondents don't restrict any details of their personal profile from being
visible through a public search engine like Google;
* Over half aren't sure who can see their profile;
* About one third include at least three pieces of personally identifiable information;
* Over one third use the same password across multiple sites; and
* One quarter accept "friend requests" from strangers

Social Networks Present New Opportunities for Cybercriminals
Cybercriminals employ various types of trickery and malware to capitalize on risky behaviors. One common tactic is phishing, which hackers use to entice victims into downloading an infected file, visiting a disreputable site outside the social network, or wiring money to a "friend in distress."

In recent months, Webroot has seen an increase in these types of attacks on social networks, including "Trojan-MyBlot," which targeted users of MyYearbook.com, and others targeting Facebook users including "Koobface" and several spread through the domains "mygener.im," "ponbon.im" and "hunro.im."

Sophisticated means to execute attacks on social networks: The Webroot survey respondents who reported experiencing identity theft, a hijacked account and unauthorized username or password changes may have been victimized by hackers who were able to access their profiles and guess their passwords based on the personal information they included.

For a summary of the key findings, pls read here.

Public Search Engines Mine Private Facebook Details

Another reason to be careful what you post on Facebook:
All it takes is a simple Google search, and phishers and marketers can glean a treasure trove of private information based on relationships among Facebook "friends," according to new research.

Researchers from the U.K.'s University of Cambridge recently published a paper (PDF) detailing a project in which they developed a software tool to correlate and map Facebook profiles they found via public search engines, such as Google, to build detailed maps of relationships among Facebook members.

"Knowing who a person's friends are is valuable information to marketers, employers, credit rating agencies, insurers, spammers, phishers, police, and intelligence agencies, but protecting the social graph is more difficult than protecting personal data," the researchers wrote in their paper. "Personal data privacy can be managed individually by users, while information about a user's place in the social graph can be revealed by any of the user's friends."

Source

Trojan Attacks Via Parking Violation Notices

Cybercriminals took their malware to the streets in Grand Forks, N.D., where some motorists recently found parking violation notices on their windshields instructing them to visit a URL to view photos of their purported infraction. The phony parking tickets contained a malicious URL that requires them to download a toolbar, which is actually a Trojan.

The "toolbar" shows photos of parked cars in the area; the user is prompted with a pop-up with a fake security alert, attempting to lure the victim into installing phony antivirus software to clean up their machine.

"The malicious programs were run-of-the-mill; however, the use of flyers was an innovative way of social-engineering potential victims into visiting a malicious website," said Lenny Zeltser, a SANS Internet Storm Center analyst in a blog post on the attack.

Zeltser, who analyzed the malware and the attack, says the initial malware is automatically installed as a browser helper object for Internet Explorer. It then downloads code from a notoriously bad domain that's well-known among security researchers (childhe.com), and then uses the fake security alert to trick the victim into installing more malware.

"Attackers continue to come up with creative ways of tricking potential victims into installing malicious software. Merging physical and virtual worlds via objects that point to websites is one way to do this. I imagine we'll be seeing such approaches more often," Zeltser blogged.

Source