Dec 14 2021

Google fixed the 17th zero-day in Chrome since the start of the year

Category: App Security,Web SecurityDISC @ 9:25 am

Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild.

The CVE-2021-4102 flaw is a use-after-free issue in the V8 JavaScript and WebAssembly engine, its exploitation could lead to the execution of arbitrary code or data corruption.

“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild.” reads the advisory published by Google which did not share additional info regarding these attacks.

The vulnerability was reported by an anonymous researcher on 2021-12-09.

Google has already addressed 17 zero-day vulnerabilities in Chrome this year, below is the full list:

Be sure to update your Chrome install to the latest 96.0.4664.110 version for Windows, Mac, and Linux.

The other issues fixed by Google with the latest release are:

[$NA][1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26

[$5000][1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16

[$5000][1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19

[$TBD][1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair  on 2021-10-21

The Browser Hacker’s Handbook 

Tags: Chrome, Google, The Browser Hacker's Handbook, zero-day


Aug 22 2021

Google discloses unpatched Microsoft WFP Default Rules AppContainer Bypass EoP

Category: Security vulnerabilitiesDISC @ 2:19 pm

Google disclosed the details of a Windows ​​AppContainer vulnerability because Microsoft initially had no plans to fix it.

Google Project Zero experts disclosed the details of a Windows ​​AppContainer flaw after Microsoft announced it had no plans to fix it.

The team focused its analysis on Windows Firewall and AppContainer that were designed by Microsoft to limit the attack surface of applications. Bypass network restrictions in AppContainer sandboxes could allow an attacker to access services on localhost, as well as granting access to intranet resources in an enterprise organization.

Google Project Zero researcher James Forshaw discovered an issue in the configuration of Windows Firewall that could allow attackers to bypass restrictions and allowed an AppContainer process to access the network.

“Recently I’ve been delving into the inner workings of the Windows Firewall. This is interesting to me as it’s used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.” wrote Forshaw.

“I recently discovered a configuration issue with the Windows Firewall which allowed the restrictions to be bypassed and allowed an AppContainer process to access the network. Unfortunately Microsoft decided it didn’t meet the bar for a security bulletin so it’s marked as WontFix.”

According to Google, Microsoft decided to label the issue as WontFix.

“The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.” reads the security advisory published by Microsoft. “Connecting to an external network resource from an AppContainer is enforced through default rules in the WFP. For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. This layer can contain rules such as “InternetClient Default Rule” which will match if the caller is in an AC and has the Internet Capability. If a match is made then the connection is allowed. Eventually an AC process will match the “Block Outbound Default Rule” rule if nothing else has which will block any connection attempt.”

Google discloses unpatched Microsoft WFP Default Rules AppContainer Bypass EoP

DevOps and Containers Security

Tags: AppContainer vulnerability, Containers Security, Google, Windows appcontainer


Jun 02 2011

Google blaming Chinese hackers for security breach

Category: cyber security,CybercrimeDISC @ 10:49 am

Image representing Gmail as depicted in CrunchBase

Image via CrunchBase

For the second time in 17 months, Google is pointing its finger at China for a security breach in one of its systems.

This time, Google says Chinese hackers were responsible for breaking into the personal Gmail accounts of several hundred people _ including those of senior U.S. government officials, military personnel and political activists.

The latest cyber attack isn’t believed to be tied to a more sophisticated one that originated from China in late 2009 and early last year. That intrusion went after some of Google’s trade secrets and triggered a high-profile battle with China’s Communist government over online censorship. (AP, ccg)

This seems pretty intrusive and targeted incident. I’m curious, what is a threshold trigger for declaring a cyber war between two countries. I understand this was not a very prolong incident but these small incidents here and there can certainly achieve some long term objectives for the other side. It is very difficult to prove the correct source of these incidents in the wild west of internet and also there is a lack of international law to pursue these cases as a criminal offense.

Apparently the pentagon recently concluded that computer sabotage can constitute an act of war and justify the use of military force, the wall street journal reported this week.

Well before the use of military force you have to prove beyond reasonable doubt that you are targeting the correct culprit nation. Well if this is the criteria to declare a war against other nation we better buy a good error and omission insurance. In cyber world it hard to prove and easy to spoof, where some groups will be eager to setup an easy victim to justify the use of military force…

Clinton: China hacking charge “Vey Serious

Cyber War: The Next Threat to National Security and What to Do About It




Tags: Activism, china, Chinese language, CrunchBase, Gmail, Google, Jinan, Official, Security


Jan 11 2011

Biggest mobile malware threat

Category: Malware,Smart Phone,Web 2.0DISC @ 2:39 pm
Image representing Facebook as depicted in Cru...
Image via CrunchBase

Facebook is biggest mobile malware threat, says security firm
Researcher claims bad links on Facebook responsible for much higher infection rate that targeted mobile malware

By Joan Goodchild -CSO

The biggest mobile infection threat isn’t malware that specifically targets mobile devices, according to new research from security firm BitDefender. Malware that targets Facebook is a far bigger problem for mobile security, the firm claims.

Spam links on social networks are infecting mobile devices via bad links on Facebook because the worms and other malware are often platform-independent and are widely spread as malware that targets PCs.

BitDefender officials point to Google statistics, which reveal almost one quarter of Facebook users who fell for a recent scam on the social network did so from their mobile device. The URL that was studied was one that claimed to show users a girl’s Facebook status which got her expelled from school. It generated 28,672 clicks — 24 percent of which originated from mobile platforms. Users who clicked on the link — whether on their PC or mobile device — downloaded a Facebook worm and fell victim to an adword-based money grabbing scheme.

“When data security researchers focus on finding malware specifically designed for mobile platforms, they lose sight of an important mobile platform threat source — the social network,” said George Petre, BitDefender Threat Intelligence Team Leader.

Mobile Malware Attacks and Defense

The Truth About Facebook – Privacy Settings Every Facebook User Should Know, and Much More – The Facts You Should Know




Tags: facebook, Google, Koobface, Malware, Mobile device, Mobile operating system, Social network, Uniform Resource Locator


Jan 03 2011

New virus threatens phones using Android

Category: MalwareDISC @ 5:39 pm
it's real :)
Image via Wikipedia

Mobile Malware Attacks and Defense

WASHINGTON (AFP) – A virus infecting mobile phones using Google’s Android operating system has emerged in China that can allow a hacker to gain access to personal data, US security experts said.

A report this week from Lookout Mobile Security said the new Trojan affecting Android devices has been dubbed “Geinimi” and “can compromise a significant amount of personal data on a user?s phone and send it to remote servers.”

The firm called the virus “the most sophisticated Android malware we’ve seen to date.”

“Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone,” Lookout said.

“Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities.”

The motive for the virus was not clear, accoring the Lookout, which added that this could be used for anything from “a malicious ad-network to an attempt to create an Android botnet.”

But the company said the only users likely to be affected are those downloading Android apps from China.

The infected apps included repackaged versions sold in China of Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.

“It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected,” the security firm said.

Mobile Malware Attacks and Defense




Tags: Android, china, Google, Malware, mobile phone, Security, Servers, Trojan horse


Apr 21 2010

Raid said to have hacked Google password system

Category: CybercrimeDISC @ 3:30 pm

Google Appliance as shown at RSA Expo 2008 in ...
Image via Wikipedia

John Markoff, New York Times

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret.


But a source with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s services, including e-mail.


The program, code-named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days in December, the source said. The software is intended to enable users to sign in with their password just once to operate a range of services.


The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making changes to the security of its networks after the intrusions. But the theft leaves open the possibility that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.


The new details seem likely to increase the debate about the security and privacy of systems that now centralize the personal information of millions of individuals and businesses.


Link to ‘poisoned’ site


The theft began with a single instant message sent to a Google employee in China, according to the person with knowledge of the inquiry, who spoke on the condition he not be identified. By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View.


Ultimately, the intruders were able to gain control of a software repository used by that team.


Tightening security


The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting, which stated that the company was changing its policy toward China in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights activists.


Company executives declined to comment Monday about the new details of the case.


Google continues to use the Gaia password system, now known as Single Sign-On, but has tightened the security of its data centers.


Several technical experts said that because Google had quickly learned of the theft of the software, it is unclear what the consequences of the theft have been. One of the most alarming possibilities is that the attackers might have intended to insert a Trojan Horse – a secret backdoor – into Gaia and install it in dozens of Google’s global data centers to establish clandestine entry points.


This article appeared on page D — 1 of the San Francisco Chronicle on Apr 20, 2010

Cyber War: The Next Threat to National Security and What to Do About It




Tags: china, Gaia, Google, Human rights, Personal computer, Software developer, Trojan horse, Website


Apr 19 2010

Google warns off fake Anti-Virus programs popping up online

Category: MalwareDISC @ 1:15 pm

Top Malware Enero
Image by BitDefenderES via Flickr

Security researchers at Google are warning that a particular type of scam is gaining momentum: fake anti-virus programs.

In a blog post previewing a 13-month study on the prevalence of fake anti-virus programs on the Web, Google said that more than 11,000 individual domains were involved in the distribution of these scams. According to Google, that figure accounts for roughly 15 percent of all malicious software on the Internet.

Google will release the full results of its study at a security workshop later this month.

Also known as “scareware,” fake security programs often appear to simulate a real infection as pop-up videos in malicious Web sites. A message then prompts the user to fix the problem by purchasing the fake anti-virus software.

The damages can be twofold: Not only do victims give away their financial details when they are asked to register and pay for the fraudulent product, but they also unwittingly do the criminals’ dirty work and install malicious software into their computers that can steal more data or enslave their machines to send spam.

Such fake programs have already caught the attention of authorities and other security experts. Last month, security firm McAfee noted in a consumer threat alert that scareware has more than doubled since the first quarter of 2009, “affecting around 69,000 people in the U.S. alone.” In December, the FBI issued a warning related to these scams.

McAfee recommends that computer users do research on an anti-virus company before purchasing its products, be careful when responding to pop-up ads and keep their security software up to date.

A new Verizon Droid: Google’s Nexus One is still not available on Verizon Wireless, but it may not be that important now that the HTC’s Droid Incredible is available through the carrier.

The Droid Incredible uses much of the Nexus One’s stellar hardware and throws in a better camera (8 megapixels to Nexus One’s 5) and HTC’s awesome Sense UI.

Like the Nexus One, the Droid Incredible sports a 1-GHz Snapdragon processor, a 3.7-inch screen and the latest Android 2.1 operating system. It should perform much like the Nexus One because they’re both made by HTC, but without some of the Google-centric feel.

The phone will be available April 29 for $200, after a $100 rebate and with a two-year contract.

This is Verizon’s third Droid phone after the Droid from Motorola and Droid Eris from HTC. The Nexus One won’t be sold in Verizon stores, so the Droid Incredible is really the top Android device for Verizon.

This article appeared on page D – 2 of the San Francisco Chronicle Read more:

Symantec Security Response – To Fake AntiVirus
httpv://www.youtube.com/watch?v=kMLYwfSy8YE

Symantec Protection Suite SBE (End to end and multiple layers of protection for Small Business)




Tags: DroidIncredible, Google, HTC, HTC Sense, McAfee, Motorola, Nexus One, scareware, Verizon Droid, Verizon Droid: Google, Verizon Wireless


Feb 01 2010

Google attack highlights ‘zero-day’ black market

Category: Information SecurityDISC @ 2:40 pm

Beck at Yahoo! Hack Day
Image by Laughing Squid via Flickr

By Jordan Robertson, AP

The recent hacking attack that prompted Google’s threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws — and renewing debate over buying and selling information about them in the black market.

Because no fix was available, the linchpin in the attack was one of the worst kinds of security holes. Criminals treasure these types of “zero day” security vulnerabilities because they are the closest to a sure thing and virtually guarantee the success of a shrewdly crafted attack.

The attackers waltzed into victims’ computers, like burglars with a key to the back door, by exploiting such a zero-day vulnerability in Microsoft Corp.’s Internet Explorer browser. Microsoft rushed out a fix after learning of the attack.

How did the perpetrators learn about the flaw? Likely, they merely had to tap a thriving underground market, where a hole “wide enough to drive a truck through” can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find.

“Zero days are the safest for attackers to use, but they’re also the hardest to find,” Silva said. “If it’s not a zero day, it’s not valuable at all.”

The Internet Explorer flaw used in the attack on Google Inc. required tricking people into visiting a malicious Web site that installed harmful software on victims’ computers.

The attack, along with a discovery that computer hackers had tricked human-rights activists into exposing their Google e-mail accounts to outsiders, infuriated Google and provoked a larger fight over China’s censorship of the Internet content. Google has threatened to shut down its censored, Chinese-language search engine and possibly close its offices in China.

Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users’ part.

Zero days refer to security vulnerabilities caused by programming errors that haven’t been “patched,” or fixed, by the products’ developers. Often those companies don’t know the weaknesses exist and have had zero days to work on closing the holes.

In this case, Microsoft actually knew about the flaw since September but hadn’t planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven’t seen it used in attacks.

Microsoft often fixes multiple vulnerabilities at once because testing patches individually is time-consuming and costly, said Chris Wysopal, co-founder of security company Veracode Inc.

But criminals know how the patch cycle works, and Wysopal said the Google attackers may have realized their zero-day flaw was getting old — and thus struck in December just before they thought Microsoft was going to fix it.

“They likely thought the bug would be fixed in January or February,” he said. “They were right.”

Microsoft certainly could have fixed the bug earlier and prevented it from being used on Google, but security experts caution that an adversary that is well-funded or determined could have easily found another bug to use.

“Zero days aren’t difficult to find,” said Steve Santorelli, a former Microsoft security research who now works with Team Cymru, a nonprofit research group. “You don’t have to have a Ph.D. in computer science to find a zero-day exploit. It really is a factor of the amount of energy and effort you’re willing to put in.”

In fact, such exploits are widely available for the right price. VeriSign’s iDefense Labs and 3Com Corp.’s TippingPoint division run programs that buy zero-day vulnerabilities from researchers in the so-called “white market.” They alert the affected companies without publicly disclosing the flaw and use the information to get a jump on rivals on building protections into their security products.

There’s also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.

TippingPoint’s Amini said he has heard of governments offering as high as $1 million for a single vulnerability — a price tag that private industry currently doesn’t match.

Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.

One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system.

Whether to pay — and seek payment — is hotly debated among researchers.

“I basically had to make a choice between doing something that would protect everybody and remodeling my kitchen — as terrible as that is, I made that choice, and it’s hard,” Miller said. “It’s a lot of money for someone to turn down.”

Companies whose products are vulnerable generally won’t pay outside researchers for bugs they’ve found. Microsoft said offering payment “does not foster a community-based approach to protecting customers from cybercrime.” The company declined further comment on its practices and the timing of the fix for the flaw used in the Google attack.

On Thursday, Google announced that it will start paying at least $500 to researchers who find certain types of bugs in its Chrome browser, calling the program an “experimental new incentive.” That mirrors a reward that Mozilla has been offering for critical bugs found in its Firefox browser.

Computer vulnerabilities are so dangerous that one day private companies such as Microsoft might be pressured into buying from the black market to prove they’re doing all they can to keep customers secure — especially the most critical ones such as the military and power companies.

“I think it’s only a matter of time,” said Jeremiah Grossman, founder of WhiteHat Security Inc. “Something really bad has to happen first, and it hasn’t yet. When a virus runs through a children’s hospital and causes loss of life, it’s going to matter a lot.”




Tags: china, Chris Wysopal, Google, Internet Explorer, Microsoft, VeriSign, vulnerability, Zero day attack


Jan 22 2010

If Your Password Is 123456, Just Make It HackMe

Category: Information SecurityDISC @ 2:20 pm

by Ashlee Vance, NYTimes

Back at the dawn of the Web, the most popular account password was “12345.”

Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.

To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.

Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites were security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”




Tags: facebook, Federal Bureau of Investigation, Florida State University, Google, MySpace, RockYou, Security, Social network service


Dec 14 2009

Viruses That Leave Victims Red in the Facebook

Category: MalwareDISC @ 3:21 pm

5 Ways to Cultivate an Active Social Network
Image by Intersection Consulting via Flickr

By BRAD STONE – NYTimes.com

It used to be that computer viruses attacked only your hard drive. Now they attack your dignity.

Malicious programs are rampaging through Web sites like Facebook and Twitter, spreading themselves by taking over people’s accounts and sending out messages to all of their friends and followers. The result is that people are inadvertently telling their co-workers and loved ones how to raise their I.Q.’s or make money instantly, or urging them to watch an awesome new video in which they star.

“I wonder what people are thinking of me right now?” said Matt Marquess, an employee at a public relations firm in San Francisco whose Twitter account was recently hijacked, showering his followers with messages that appeared to offer a $500 gift card to Victoria’s Secret.

Mr. Marquess was clueless about the offers until a professional acquaintance asked him about them via e-mail. Confused, he logged in to his account and noticed he had been promoting lingerie for five days.

“No one had said anything to me,” he said. “I thought, how long have I been Twittering about underwear?”

The humiliation sown by these attacks is just collateral damage. In most cases, the perpetrators are hoping to profit from the referral fees they get for directing people to sketchy e-commerce sites.

In other words, even the crooks are on social networks now — because millions of tightly connected potential victims are just waiting for them there.

Often the victims lose control of their accounts after clicking on a link “sent” by a friend. In other cases, the bad guys apparently scan for accounts with easily guessable passwords. (Mr. Marquess gamely concedes that his password at the time was “abc123.”)

After discovering their accounts have been seized, victims typically renounce the unauthorized messages publicly, apologizing for inadvertently bombarding their friends. These messages — one might call them Tweets of shame — convey a distinct mix of guilt, regret and embarrassment.

“I have been hacked; taking evasive maneuvers. Much apology, my friends,” wrote Rocky Barbanica, a producer for Rackspace Hosting, an Internet storage firm, in one such note.

Mr. Barbanica sent that out last month after realizing he had sent messages to 250 Twitter followers with a link and the sentence, “Are you in this picture?” If they clicked, their Twitter accounts were similarly commandeered.

“I took it personally, which I shouldn’t have, but that’s the natural feeling. It’s insulting,” he said.

Earlier malicious programs could also cause a similar measure of embarrassment if they spread themselves through a person’s e-mail address book.

But those messages, traveling from computer to computer, were more likely to be stopped by antivirus or firewall software. On the Web, such measures offer little protection. (Although they are popularly referred to as viruses or worms, the new forms of Web-based malicious programs do not technically fall into those categories, as they are not self-contained programs.)

Getting tangled up in a virus on a social network is also more painfully, and instantaneously, public. “Once it’s delivered to everyone in three seconds, the cat is out of the bag,” said Chet Wisniewski of Sophos, a Web security firm. “When people got viruses on their computers, or fell for scams at home, they were generally the only ones that knew about it and they cleaned it up themselves. It wasn’t broadcast to the whole world.”

Social networks have become prime targets of such programs’ creators for good reason, security experts say. People implicitly trust the messages they receive from friends, and are inclined to overlook the fact that, say, their cousin from Ohio is extremely unlikely to have caught them on a hidden webcam.

Sophos says that 21 percent of Web users report that they have been a target of malicious programs on social networks. Kaspersky Labs, a Russian security firm, says that on some days, one in 500 links on Twitter point to bad sites that can infect an inadequately protected computer with typical viruses that jam hard drives. Kaspersky says many more links are purely spam, frequently leading to dating sites that pay referral fees for traffic.

A worm that spread around Facebook recently featured a photo of a sparsely dressed woman and offered a link to “see more.” Adi Av, a computer developer in Ashkelon, Israel, encountered the image on the Facebook page of a friend he considered to be a reliable source of amusing Internet content.

A couple of clicks later, the image was posted on Mr. Av’s Facebook profile and sent to the “news feed” of his 350 friends.

“It’s an honest mistake,” he said. “The main embarrassment was from the possibility of other people getting into the same trouble from my profile page.”

Others confess to experiencing a more serious discomfiture.

“You feel like a total idiot,” said Jodi Chapman, who last month unwisely clicked on a Twitter message from a fellow vegan, suggesting that she take an online intelligence test.

Ms. Chapman, who sells environmentally friendly gifts with her husband, uses her Twitter account to communicate with thousands of her company’s customers. The hijacking “filled me with a sense of panic,” she said. “I was so worried that I had somehow tainted our company name by asking people to check their I.Q. scores.”

Social networking attacks do not spare the experts. Two weeks ago, Lee Rainie, director of the Pew Internet and American Life Project, a nonprofit research group, accidentally sent messages to dozens of his Twitter followers with a link and the line, “Hi, is this you? LOL.” He said a few people actually clicked.

“I’m worried that people will think I communicate this way,” Mr. Rainie said. “ ‘LOL,’ as my children would tell you, is not the style that I want to engage the world with.”




Tags: Antivirus software, Computer virus, facebook, Google, Kaspersky Lab, Malware, malware 2.0, Online Communities, San Francisco, Security, Social network, Social network service, Spyware, Twitter


Nov 13 2009

Cyber criminals deface 50 to 60 Indian websites a day

Category: CybercrimeDISC @ 2:52 pm

microsoft_fr_hacked
Image by Clopin via Flickr

Webnewwire.com report submitted on November 11, 2009

Has your girlfriend blocked you and you cant see her on-line? Wondering how to keep your email account protected? Or want to hide files from your annoying siblings? MTV’s got Ankit Fadia – the coolest Ethical Hacker in the world to give you everything from tips, tricks to cheat codes that will help make your life on the world wide web a whole lot simpler. Learn cool stuff that you can with your computers, Internet, mobile and other technology in your life!

This is India’s first tech show which does not review tech gadgets, websites or software instead it gives viewers a low down (or download!) on cool stuff that they can do with technology that will make their every day life cooler, simpler and stylish!

I am hosting “MTV What the Hack!” show with MTV VJ Jose, informed Ankit Fadia who was in city on a private visit. Watch it on MTV India every Saturday @ 8:20 PM. Repeat Telecasts every day, he appealed to the people

The show is a guy show with lots of typical MTV style humour. VJ Jose and Ankit Fadia shoot the episodes without a script and just naturally jam in front of camera and talk about technology. The show has got a very good response so far as it is being different from other shows. Most of the tech shows in India are review based shows where gadgets, software and websites are reviewed. This is the India’s first reach show that actually teaches viewers something. The show is on as part of MTV’s move to beyond music and beyond television. Since October 17 this year dropped ‘Music Television’ baseline which has been there in India for the past 13 years. Music contributes about 40 per cent of its programming and soon will go down to 25 per cent. This is happening as part of repositioning exercise MTV kicked off two years back. MTV is born of music, inspired by music, driven by music –but not limited by music. IT is now about new ideas, new formats, new ways of reaching people in new places they choose to live in.

Addressing the press conference Ankit Fadia spoke on various issues concerning Cyber Security in India. Speaking about Cyber security issues India is facing today he said Pakistani cyber criminals are able to deface 50 to 60 Indian websites a day, but, in retaliation only 10 to 15 Pakistani websites are defaced. And this has been going on since 2001. Nodoubt, India is IT capital of the world, but, as far as security is concerned India is far lagging behind, informed Ankit.

Speaking further he added that Terrorists are using most advanced technologies for communication. Which include mainly VOIP(Voice Over Internet Protocol) Chats, hiding messages inside photographs, draft emails, encrypted pen drives etc are some of the techniques to communicate with each other, he informed.

Cyber laws in India are quite good, b ut the problem is that the police who enforce those laws are ill equipped and are not trained properly. And he challenged media to visit the nearest police station and lodge a cyber crime complaint. And you will shocked that 9 out of 10 times, the officials attending you won’t follow what you are saying, said Ankit.

The biggest problem that the police worldwide face while solving cyber crime is the fact that the Internet has no boundaries, however, while investigating a cyber crime case a number of geographical, political, social and diplomatic boundaries come into the picture.

The next big security threat could be from Social Networking, Ankit declared. Everybody in India is on the social networking bandwagon. Even Karan Johar, Priyanka Chopra, Aishwarya Rai, Shashi Tharoor, Barack Obama and many other celebrities are updating Twitter daily. The latest viruses, worms, spyware and malware spread through social networking websites like Twitter, Facebook, Orkut and Myspace.

You will receive a private message from one of your friend (who is already infected) containing a link to a Youtube video. Halfway through the video, it will prompt you to download some Video Plugin or Code. Since the message came from your friend, most people tend to trust it and get infected!, said Ankit.

There are many financial scams and frauds happening on social networking websites. Get rich quick schemes, Earn Money Online Scams and various money laundering attacks now come to you through a Twitter update or a Facebook wall post!. Since Social Networking websites are all about your friends, many people are susceptible to the attack, Ankit said and added that Antivirus companies need to gear up to have a social networking aspect to them. People need to be made aware of the threats of social networking!

Another next big security threat could be People Hacking, he informed. People Hacking is all about sweet talking people to get things done. Especially things that they would normally don’t do or should not do!. People Hacking happens around us all the time. In the office, with your friends, at the check in counters at the airport or on the phone with the call centre. To carry out People Hacking you need to know what to say to whom and more importantly how to say it. Inducing fear, guilt, sympathy or just overpowering the victim with your words can lead to People Hacking, informed Ankit Fadia.

When asked about advise like Dos and Don’ts for average internet user he listed out the following.

– Use an Antivirus. More importantly, update it every week.

– Use an Anti Spyware. Update it every week.

– Use a Firewall. They are not as technical as they sound. A very good firewall that I recommend is Zone Alarm. Just do a Google search to download it.

– Use a strong password for all your accounts—a combination of alphabets, numbers and special characters. Use both lowercase and uppercase.

– Use Windows Update every fortnight to patch Windows.

– Use a Key Scrambler—a software the scrambles your keys in such a way that key loggers & other spying tools cant record what you type on your computer.

– Use a password on your Wi Fi network.

Reblog this post [with Zemanta]




Tags: Aishwarya Rai, Ankit Fadia, Barack Obama, cyber security, facebook, Google, MySpace, pakistan, Priyanka Chopra, Security, social engineering, Social Networking, Twitter, World Wide Web, YouTube