Friday, 31 May 2013

Evernote latest to debut two-factor authentication



evernote logo elephant
Note-taking service Evernote has become the latest online vendor to offer users two-factor security authentication features.
The company said that its service, which allows users to store notes, reminders and other important pieces of data, would be rolling out the feature as part of a larger security update which will also include the ability access user history and authorise outside applications.
Under the new system, customers will be able to link their accounts with a mobile device or number. When the user accesses a service which requires an account name and password, a third dialogue will also require the input of a numerical code sent to the device via SMS.
“This will usually only happen when you log into Evernote Web or install it on a new device,” the company explained.
“This combination of something you know (your password) and something you have (your phone) makes two-step verification a significant security improvement over passwords alone.”
Evernote has been under pressure to beef up its security protections since early May, when a breach allowed attackers to lift user credentials and forced the company to require users to reset their account information.
The use of two-factor authentication has long been advocated by security experts who view the method as a means for thwarting social engineering attacks such as phishing operations which can easily gather usernames and passwords.
While it has been shown theoretically possible to intercept the SMS transmissions via malware-born 'man in the middle' attacks, such operations have been shown to be complex and extremely difficult to carry out on a large scale.

Think you have a strong password? Hackers crack 16-character passwords in less than an HOUR

A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449  - as part of a hacking experiment for a technology website.
The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster.
The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'.
A team of hackers have managed to crack more than 14,800 cryptographically hashed passwords - from a list of 16,449 - as part of a hacking experiment for tech website Ars Technica.
A team of hackers have managed to crack more than 14,800 cryptographically hashed passwords - from a list of 16,449 - as part of a hacking experiment for tech website Ars Technica. The success rate for each hacker ranged from 62% to 90%, including 16-character passwords with a mix of numbers and letters. The hacker who cracked 90% of hashed passwords did so in less than an hour

The hackers, working for the website Ars Technica, have now published how they cracked the codes and the traditional methods used to create an anatomy of a hack.
Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online.
Hashing takes each user's plain text password and runs it through a one-way mathematical function.
This creates a unique string of numbers and letters called the hash.
Hashing makes it difficult for an attacker to move from hash back to password and it lets sites keep a list of hashes, rather than storing them insecurely as plain-text passwords.
This means if a list is stolen, the plain text passwords can't be obtained easily.
However, this experiment shows this doesn't mean its impossible.
When a user types a password into an online form or service, the system hashes the entered word and checks it against the user's stored, pre-hashed password.
When the two hashes match, the user is allowed entry to their account. 
And using characters, a mix of lower and upper case letters and numbers creates slight variations of a hash. 
The example, Ars Technica use is: hashing the password 'arstechnica' produced the hash c915e95033e8c69ada58eb784a98b2ed.
Adding capital letters to make 'ArsTechnica' becomes 1d9a3f8172b01328de5acba20563408e after hashing. 
Jeremi Gosney, the founder and CEO of Stricture Consulting Group, managed to crack the first 10,233 hashes, or 62 percent of the leaked list, in 16 minutes.

He used a so-called 'brute-force crack' for all passwords that were one to six characters long.
Brute-force attacks is when a computer tries every possible combination of six letters and characters, starting with 'a' and ending with '//////.'
It took Gosney just two minutes and 32 seconds to complete the first round, which found 1,316 plain-text passwords.
Gosney then used brute-force to crack all passwords seven or eight characters long that only contained lower letters. This yielded 1,618 passwords.
He repeated this for seven and eight-letter passwords using only upper-case letters to reveal another 708 passwords.
This graph shows how long in days it took the Ars Technica hackers to crack the list of 16,449 hashed passwords based on the method used.
This graph shows how long in days it took the Ars Technica hackers to crack the list of 16,449 hashed passwords based on the method used. It also shows how long it took to crack passwords based on how long they were. Each hacker used a combination of wordlists, brute-force attacks and Markov chains to crack the list. One hacker managed to crack 90% of the list
Using passwords that contained only numbers, from one to 12 digits long, Gosney managed to brute-force 312 passwords in three minutes and 21 seconds.
Gosney has spent years perfecting word lists that contain a list of all the six-letter words, for example, to make cracking the weaker passwords faster. 
One hurdle Gosney had to jump during stage one of the hack was 'salted hashes', a technique where sites add random characters to passwords to make them harder to crack.
This can include adding random numbers, characters or letters to the start or end of a password during the hashing process so hackers can't automatically enter a six-letter word, for example, and match the hash automatically.

However, Gosney explained that once one weak, 'cryptographically salted' hashes are cracked it becomes easier to work out the rest.

Once Gosney had obtained the weaker passwords, even those that had been salted, using brute-force he moved onto stage two.

Using a hybrid attack - which combines a dictionary attack with a brute-force attack - he added all possible two-character strings of both numbers and symbols to the end of each word in his dictionary. 
Jeremi Gosney used a mixture of brute-force attacks, a hybrid attack that combined wordlists with brute-force attempts
Jeremi Gosney used a mixture of brute-force attacks, a hybrid attack that combined wordlists with brute-force attempts, statistically generated guesses using Markov chains, and other rules to turn a list of hashed passwords into plain text. It took him 14 hours and 59 minutes to complete all stages

TYPES OF PASSWORDS RECOVERED

Some of the longer, stronger and more noticeable passwords that the hackers were able to recover included:
k1araj0hns0n
Sh1a-labe0uf
Apr!l221973
Qbesancon321
DG091101%
@Yourmom69
ilovetofunot
windermere2313
tmdmmj17 and
BandGeek2014
Also included in the list were:
all of the lights
i hate hackers
allineedislove
ilovemySister31,
iloveyousomuch
Philippians4:13
Philippians4:6-7 and
qeadzcwrsfxv1331

He recovered 585 plain passwords in 11 minutes and 25 seconds.
He next added all possible three-character strings to get another 527 hashes in 58 minutes to complete.
Thirdly, he added all four-digit number strings and he took 25 minutes to recover 435 passwords.
In round four he added all possible strings containing three lower-case letters and numbers and got 451 more passwords.
In five hours and 12 minutes he managed to get 2,702 passwords.
He continued to crack the rest of the passwords using a hybrid attack and cracked a total of 12,935 hashes, or 78.6 percent of the list, in five hours and 28 minutes.
During the third stage, in which Gosney attempted to crack the most complicated passwords, he used a mathematical system known as Markov chains.
This method uses previously cracked passwords and a statistically generated brute-force attack that makes educated guesses to analyse plain text passwords, and determine where certain types of characters are likely to appear in a password.
A Markov attack on a seven-letter password has a threshold of 65 tries; using the 65 most likely characters for each position. 
And because passwords usually have capital letters at the start, lower-case letters in the middle, and symbols and numbers at the end, Markov attacks can crack almost as many passwords as a straight brute-force.
Hackers use mix of wordlists, rainbow tables (pictured) and an algorithm called a Markov chain to crack passwords from a hashed list.
Hackers use a mix of wordlists, rainbow tables (pictured) and an algorithm called a Markov chains, among other techniques, to crack passwords from a hashed list. A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters

From this method, Gosney discovered that people who don't know each other use very similar, and in some cases, identical passwords for the same sites.
During this third stage, Gosney also used other wordlists and rules and it took Gosney 14 hours and 59 minutes to complete all stages.
He managed to get another 1,699 more passwords - three hours to cover the first 962 plain passwords in this stage and 12 hours to get the remaining 737.
The other two password experts who cracked this list used many of the same techniques and methods, although not in the same sequence and with different tools.
They used a wordlist that was created directly from the 2009 breach of online games service RockYou.
This hack leaked more than 14 million unique passwords in plain text and this list is the largest list of 'real-world passwords ever to be made public.'
This method cracked 4,900 of the passwords. The same list was then used again, but this time the last four letters of each word were replaced with four digits. This yielded 2,136 passcodes.
Hacker radix then tried brute-forcing all numbers, starting with a single digit, then two digits, then three digits, and so, and managed to recover 259 additional passwords.
He then ran the 7,295 plain text passwords he'd recovered through the Password Analysis and Cracking Toolkit, developed by password expert Peter Kacherginsky, to identify patterns.
A 25-computer cluster that can cracks passwords by making 350 billion guesses per second
A 25-computer cluster that can cracks passwords by making 350 billion guesses per second. It was unveiled in December by Jeremi Gosney, the founder and CEO of Stricture Consulting Group. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords
Radix then used this information to run a mask attack, which uses the same methods as Gosney's hyrbid attack but took less time.
He replaced common letters with numbers, for example he replaced 'e' with the '3' and recovered 1,940 passwords.
In December, Gosney created a 25-computer cluster that can make 350 billion guesses a second.
In an email to Ars Technica, Gosney explained: 'Normally I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes.
'And because I can brute-force this really quickly, I have all of my wordlists filtered to only include words that are at least six chars long.
'This helps to save disk space and also speeds up wordlist-based attacks.
'Same thing with digits. I can just brute-force numerical passwords very quickly, so there are no digits in any of my wordlists.
'Then I go straight to my wordlists + best64.rule since those are the most probable patterns, and larger rule sets take much longer to run.
'Our goal is to find the most plains in the least amount of time, so we want to find as much low-hanging fruit as possible first.'

Belarus becomes world's top country ... for SPAM

Belarus has eclipsed the US to become the biggest single source of global spam, according to cloud-based email and web security firm AppRiver.
Junk volumes from the landlocked former Soviet republic, which borders Poland and Russia, hit an all-time high on 13 April and have sustained this level since then.
In January, AppRiver security researchers were seeing an average of 3.1 million spam messages per day from Belarus. After the spike happened on 13 April, AppRiver said it began recording an average of 12.3 million spam messages per day - which is now climbing.
Only one in a thousand messages from Belarus is legitimate, with 99.9 per cent of the electronic messages consisting of junk mail, said the security firm. Current volumes of junkmail from Belarus are exceeding those from the US, the historic source of most of the world's internet detritus.
"The actual message content was very slim and simple," explains AppRiver security analyst Jonathan French in a blog post. "Most of the messages just simply contained a link and a few words. Many of the links did not lead to active webpages, with most giving 500 or 404 server errors."
"The links that did work lead to pharmacy websites trying to sell drugs to visitors. There was a very small amount of the messages that also lead to websites hosting malware," he added.
French told El Reg that most users would likely recognise the messages, which come from .ru domains and make no attempt at spoofing, as spam. He's currently at a loss to explain the sustained spam spike from Belarus.
"I can only speculate at the cause, but I assume there was nothing special about the April 13th date when spam volume began to rise," French told El Reg. "It may have just been the time for the campaign organiser(s) to start after preparing the machines and systems for this particular campaign. It has been ongoing a while and showing no signs of declining."
Belarus, best known as the last holdout of a Stalinist-style regime in Europe, has rarely - if ever - been mentioned as a major source of spam. However, a quick check with Sophos revealed it had also logged Belarus as the world's worst spam-relaying country over the last 30 days.
Belarus now accounts for 16.3 per cent of the world's spam, compared to 15.1 per cent from the US and 7.45 per cent from the Ukraine, according to exclusive figures produced for The Register. China accounts for 5.78 per cent of the world's spam-relaying.
Sophos's stats, like the figures from AppRiver, look at the locations of abused computers (almost always Trojan-infected zombie drones) rather than the physical location of current spam kingpins

US National Intelligence Council boss gets personal email hacked

In a rather embarrassing slip, the personal email account of Christopher Kojm, chairman of the US National Intelligence Council (NIC), has become the latest victim of been the cracker known as Guccifer.
According to screenshots seen by The Smoking Gun, Guccifer grabbed email exchanges with 9/11 Commission members, banking information, personal correspondence, and documents covering the latest Obama administration's transition earlier this year.
Kojm is a foreign policy wonk who heads the NIC and advises the executive on intelligence matters. Classified information doesn't appear to have been compromised, although no doubt there are some embarrassing tidbits to be had.
"Good night America where ever you are," Guccifer said in a "lengthy, rambling note" attached to the images. In it he calls President Obama "The Black Angel" and mocks the attempts of the Secret Service to find out his identity.
This is the latest political scalp for Guccifer, a cracker who has made a habit of subverting the accounts of the rich and powerful for fun. The cracker's debut was getting into the personal email account of the 41st US President, George HW Bush.
Paintings by George W Bush"Out, damn'd spot! out, I say!"
That instance uncovered a welter of personal information and contact information for the Bush clan and also introduced the world to the artistic ambitions of his son, the 43rd president. A series of self-portraits show that the younger Bush seems to spend a lot of time scrubbing himself down in the bathroom.
Other political targets have included US Senator Lisa Murkowski, General Colin Powell, former advisor to Bill Clinton Sidney Blumenthal, and two staff at the Council on Foreign Relations. Author Candice Bushnell and actor Rupert Everett are also claimed victims.

Indonesia to build crack IT-trained military unit to deflect attacks

The world’s fourth most populous country, Indonesia, is fed up with getting hacked and wants to build a special military defence force to protect the state against online attacks.
A senior defence ministry official revealed that the government is proposing a new law which would allow such a force to defend against and disrupt the increasing number of attacks hurled at government systems, Xinhua reported.
Indonesia has some pretty strict penalties which can be levied against domestic hackers but nothing that would sanction the creation of a specialised military unit such as those which exist in the US and China.
The unit will apparently be manned by specially trained uniformed soldiers from the country’s army, navy and air force, with the Communication and Information ministry providing equipment and training.
Communications and Information minister Tifatul Sembiring said that the country has suffered over 36 million attacks in the past three years and is currently building out a National Cyber Security strategy to protect critical infrastructure and government assets.
It’s unclear how many of those attacks came from outside the country, but some of the most high profile over the past year or two have been the work of home-grown miscreants.
East Javan internet café worker Wildan Yani Ashari, 22, was arrested by police in January for defacing the homepage of president Susilo Bambang Yudhoyono (SBY) and could face up to 12 years in jail.
If and when the military defence unit finally is set up, let’s hope a name is chosen carefully – even a cursory search online will reveal the Indonesian Cyber Army is the moniker of a rather prolific hacking group, as well as the name of what appears to be an info-security training outfit.

'Secret Pentagon papers' show China hacked into Patriot missile system

Chinese spies have allegedly hacked into the designs of many of the United States' advanced weapons systems and platforms, including those for F/A-18 Hornet fighter jets, the Patriot missile system and Black Hawk helicopters.
According to the Washington Post, a "confidential section" of a report prepared for the Pentagon seen by the paper makes the claims. The confidential section alleges that 25 of these hacked designs were in programmes critical to American missile defences, combat aircraft and ships.
The Defence Science Board has already warned in the public part of the report (PDF), released in January, that the Pentagon wouldn't be able to defend itself in the event of a full-scale cyber-conflict.
"After conducting an 18-month study, this Task Force concluded that the cyber threat is serious and that the United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilising cyber capabilities in combination with all of their military and intelligence capabilities (a 'full spectrum' adversary)," the report said.
However, the report also included a confidential list of compromised weapons, which included the US Army's system for shooting down ballistic missiles, the Terminal High Altitude Area Defence, and the US Navy's Aegis Combat System, also designed to defend against ballistic missiles.
According to the WP, sensitive design information for aircraft and ships was also illicitly accessed, including: the V-22 Osprey tiltrotor transport aircraft; the US Navy's new Littoral Combat Ship, designed to patrol close to shore; and the F-35 Joint Strike Fighter, which the UK is procuring to fly from its two new Queen Elizabeth-class aircraft carriers.
The Defence Science Board didn't claim that Chinese agents were behind the cyber attacks, but top military and industry sources who knew about the breaches told the paper that the hacks were part of a growing Chinese campaign of espionage.
The US has been increasingly vocal about what it claims is increased espionage by the Chinese government and Chinese-controlled corporations. The White House has made it clear that cyber-security is a top concern, and has accused both China's government and Chinese companies of continuous attacks aimed at stealing intellectual property.
China has consistently denied any charges of cyber-snooping on American agencies or companies and has flung back accusations against the US government, claiming that it is using cyber-espionage techniques against China

Microsoft loads botnet-crushing data into Azure

Microsoft is plugging its security intelligence systems into Azure so that service providers and local authorities can get near-realtime information on botnets and malware detected by Redmond.
The new Windows Azure-based Cyber Threat Intelligence Program (C-TIP) was unveiled on Tuesday by Microsoft as an extension of its crime-busting Microsoft Active Response for Security (MARS) program.
C-TIP will let ISPs and Computer Emergency Response Teams (CERTS) get a direct link between their servers and Windows Azure to ingest near-realtime data on malware-infected computers tracked by Microsoft. Previously, these organizations would get MARS data via emails from Microsoft.
"Participation in this system allows these organizations almost instant access to threat data generated from previous as well as future MARS operations." Microsoft's director of security for its Digital Crimes Unit TJ Campana, wrote.
"While our clean-up efforts to date have been quite successful, this expedited form of information sharing should dramatically increase our ability to clean computers and help us keep up with the fast-paced and ever-changing cybercrime landscape,"
ISPs and CERTS plugging into C-TIP will get updated threat data for their specific country or network every 30 seconds, Microsoft said. The Spanish CERT, INTECO, will be one of the first organizations to get C-TIP data, Microsoft said, along with CERTS, CIRCL and govCERT in Luxembourg. Several other unnamed CERTs and ISPs have signed up as well.
Project MARS was started in 2010 as a way for Microsoft to share data on infected PCs with CERTs and ISPS. Mars has helped take down numerous botnets including Bamital, Waledac, Rustok, Kelihos, and Nitol.
Microsoft did not disclose whether C-TIP will use all of Azure's data centers and edge locations or merely those located in the US.

Raspberry Pi puts holes in China's Great Firewall

A tech-savvy China-based Redditor has spotted a hassle-free way of ensuring he or she is always able to bypass the Great Firewall, even when out and about, using the Raspberry Pi to connect to a virtual private network (VPN).
VPNs are a necessity for foreigners living in the People’s Republic who want to access sites prohibited by the country’s ubiquitous internet censorship apparatus – business users and consumers alike have come to rely on them to connect to a banned site.
However, although there’s no shortage of foreign VPN providers to choose from, it can be time-consuming to choose, install and open a client if out and about and using machines which are not your own.
Spotted by TechInAsia, a Reddit user going under the name JaiPasInternet revealed a relatively straightforward solution using the popular single-board computer:
I set my Raspberry to automatically connect to my VPN server through OpenVPN, and then share the connection with a wifi dongle, using hostapd software. I use it on a daily basis with my iPhone and Android tablet (way better than the included VPN client) but the good thing is that, wherever I go, I just bring my Raspberry, plug it into ethernet and to any usb plug, and after a few minutes, I have my censor-free Wi-Fi hotspot.
The Redditor claims set-up is fairly simple to do using information on a Wikipedia page and a blog post on Hostapd, and claimed it’s more straightforward than installing OpenVPN on a DD-WRT router.
Although connection to the user’s own VPN server in France takes a long time, it is apparently “stable for hours”.
Like other OpenVPN users, JaiPasInternet was forced to use the slower TCP version after the Chinese authorities effectively blocked access to UDP as part of a renewed crackdown on foreign VPNs in December.
However, services using other VPN protocols PPTP and L2TP have largely been unaffected as they are too tricky to block without shutting down the entire internet, as explained here.
The cat and mouse game between the Chinese government and internet users in the country took another turn back in March with the launch of the VPN Gate Academic Experiment Project – a free public relay VPN service from Japan claiming to offer “strong resistance to firewalls”. ®

Security boffins say music could trigger mobile malware

Security researchers have discovered that specific music, lighting, vibrations or magnetic fields could all be used as infection channels to trigger the activation of mobile malware on a massive scale.
The paper, titled Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices, was presented in the eastern Chinese city of Hangzhou earlier this month by researchers at the University of Alabama at Birmingham (UAB).
The research describes at length how hard-to-detect non-internet channels can be used to trigger malware hidden in smartphones and other mobile devices from up to 55 feet away.
“When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the internet as vulnerable to malware attacks,” said UAB professor Ragib Hasan in a canned statement.
“We devote a lot of our efforts towards securing traditional communication channels. But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that.”
On the audio front, the report claimed that “command and control trigger messages” could be sent over 55 feet indoors and 45 feet outdoors, even using “low-end PC speakers with minimal amplification and low-volume”.
It speculated that malware could be activated with messages hidden in TV or radio programmes, background music and even musical greeting cards.
The light channel works best at night or in places with low illumination but could be relayed to a large number of devices and over “reasonably long distances” using large screen TVs, the report said.
The magnetic channel was described as having the shortest range although with the added advantage for the attackers of being able to work whether the device is being carried in the hand or inside a pocket.
“This kind of attack is sophisticated and difficult to build, but it will become increasingly easier to accomplish in the future as technology improves,” said UAB doctoral student Shams Zawoad, in a separate canned statement.
“We need to create defences before these attacks become widespread, so it is better that we find out these techniques first and stay one step ahead.”

Drupal website hacked , users login credentials compromised

One of the famous Content management system(CMS) find them-self as a victim to security breach.  Unknown hackers breached the drupal.org by exploiting a vulnerability in third-party software installed on their server.

Hackers managed to gain access to the account information on Drupal.org and groups.drupal.org.  The information exposed includes usernames, email addresses, country information and hashed passwords.

According to the official announcement, the security breach is result of a vulnerability within drupal.org itself.  The users who running the drupal cms are not affected.

The team said they don't store credit card info on their site and there's no evidence that card numbers have been intercepted.

Drupal has now reset the Drupal.org account holder passwords and asked users to pick a new password at their next login.  Users are also advised to change the password , if they used the same password somewhere else

McAfee upgrades enterprise Endpoint arsenal to help firms fight hackers


A McAfee logo
McAfee has unveiled new Complete Endpoint Protection Enterprise and Business packages, aimed at offering firms better protection against the cyber threats facing them through hardware-enhanced security.
The two packages are the result of collaboration between McAfee and parent company Intel, and are claimed as the first to integrate security services from the chip level through to operating system and applications.
This holistic integration will allow customers to see and protect themselves from previously invisible attacks, according to McAfee.
Complete Endpoint Protection Enterprise and Complete Endpoint Protection Business debut McAfee's Deep Defender rootkit protection, plus dynamic whitelisting, risk intelligence and real-time security management services.
Key features included in the suites are McAfee's Real Time ePO analytics tool, Enterprise Mobility Management (EMM) software, Application Control for PCs and Risk Advisor tools. McAfee said the services will combine to offer administrators and IT managers a single pane of glass view of activity on their networks, letting them spot and react to incoming threats or atypical activity more quickly.
McAfee EMM integrates mobile device management and secure container into the McAfee ePolicyOrchestrator (ePO) platform,enabling customers to use a single pane of glass and integrated policy environment to manage all endpoints, inlcuding smartphones and tablets.
McAfee said the increased endpoint protection will help arm businesses of all sizes against the influx of new sophisticated attacks targeting them.
The explosion of devices in use in the enterprise multiplies the chance of an attack affecting the mobile workforce, who can unknowingly endanger other systems when reconnecting to the corporate network, McAfee said. The Complete Endpoint Protection suites are desinged to protect against this.
The unveiling follows widespread rumblings within the security community that the threat facing businesses is growing. Most recently security experts from Trend Micro, Kaspersky and F-Secure cited a recent boom in Apple Mac Malware as evidence of the increased threat.

Facebook looks to improve security with verified pages

Image of Facebook logo and login screen
Facebook has unveiled a platform that could help to protect both celebrities and fans alike from the dangers of fake pages.
The company said that it will begin verifying certain pages within its social networking service as authentic, providing assurance that the pages, connected to celebrity users, are authentic and not the work of imposters.
The feature, which begins rolling out this week, allows the company to verify a page and then display a blue check mark badge that shows that the page has been authenticated. The company said that it will soon look to expand the feature to pages. Facebook said that it is not accepting any submissions or requests for verifications.
The use of verified accounts has been a valuable tool in helping to crack down on fraud and social engineering scams. Twitter has long used the feature to verify the accounts of celebrities and professional athletes.
For celebrities, the verified accounts will allow for means of separating official pages from fan-created profiles and will help to authenticate any news or announcements released via Facebook. The company said that it will also be expanding the service to popular public figures and brands.
End users, meanwhile, can benefit from knowing the celebrity accounts they follow are authentic and will not contain possible security risks, such as spam or links to third-party sites that could attempt to serve malicious code.
Security has arisen as a primary concern for social networking services in recent weeks. Under heavy criticism following a string of account thefts, Twitter introduced multi-factor authentication.

Ruby on Rails attacks threaten servers

Security threats - password theft
Administrators are being urged to update their Ruby on Rails servers following the discovery of an active malware campaign targeting vulnerable versions of the web development framework.
Researcher Jeff Jarmoc said that the attack – which was spotted earlier this week and is now believed to have been partially disabled – preys upon a vulnerable version of Ruby on Rails to exploit flaws and infect targeted systems with a malware payload that then attempts to establish an IRC connection with a possible command and control system.
The attacks suggest that the infected servers are possibly being drawn into a larger network for additional cybercrime operations.
“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc explained. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”
Despite the danger posed by the attack, administrators can protect themselves by updating to the latest version of Ruby on Rails. A patch for the targeted vulnerabilities has been available since early this year, and all Ruby on Rails servers running versions 3.0.20 and 2.3.16 and later will be protected from the exploit.
A popular platform for web development, Ruby on Rails has not traditionally been the popular attack target that platforms such as Java have become. Because of the high risk posed by a successful attack, however, the platform could become more attractive to cyber criminals.
Chester Wisniewski, senior security advisor at Sophos, told V3 that the high value of Linux servers is enough to lure attackers even to platforms that are not deployed on a massive scale.
Anytime there is a vulnerability in a widely deployed software stack like Ruby on Rails it takes years for all of the server administrators around the world to get around to patching it,” Wisniewski explained.
“In fact it is likely far worse on Linux computers, which are perceived to be more secure and are not patched on a regular schedule like Windows, Java, Flash and other widely exploited software packages.”

Google gives firms only seven days to come clean on zero-day vulnerabilities

Google logo
A pair of Google engineers have cited a recent slew of unannounced zero-day vulnerabilities in unnamed software vendors' products as proof that companies' current responsible disclosure policies are obsolete and should be reduced to just seven days.
Google security engineers Chris Evans and Drew Hintz reported uncovering the vulnerabilities in a public blog post on Thursday, and called for firms to take a more proactive approach to threat disclosures. "We recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company. This isn't an isolated incident; on a semi-regular basis, Google security researchers uncover real-world exploitation of publicly unknown zero-day vulnerabilities," wrote the researchers.
The engineers said while it would be unrealistic to expect companies to be able to fix the vulnerabilities within a week of discovery, it is more than enough time to responsibly report them. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," they wrote.
"As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the co-ordination of vulnerability management."
The upgraded announcement cycle would be a marked increase on Google's current 60-day responsible disclosure recommendation, which was implemented by the search giant three years ago. Evans and Hintz said the hastened time frame is an essential measure businesses must take if they hope to protect themselves and their customers from the increased cyber threat facing them. "Over the years, we've reported dozens of actively exploited zero-day vulnerabilities to affected vendors, including XML parsing vulnerabilities, universal cross-site scripting bugs, and targeted web application attacks," they wrote.
"Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world."
Google is one of many technology companies to call for businesses to be more proactive in combating and disclosing cyber threats. Microsoft recently loaded its anti-botnet security intelligence systems into Windows Azure, to help businesses spot threats more quickly. The UK government has also implemented new measures designed to let firms spot and disclose threats more quickly, launching the Cyber Security Information Sharing Partnership earlier this year.

Malawi Domain Registrar nic.mw website hacked by Bangladeshi Grey Hat hackers

Bangladeshi grey hat hackers has breached the domain registrar of Malawi, a landlocked country in southeast Africa that leads to defacement of several high profile websites.

Hackers placed the defacement page in the "nic.mw/r00t.htm".  They also managed to upload their defacement page in registrar.mw, biz.mw, co.mw, com.mw, www.coop.mw,www.dot.mw, www.edu.mw/, www.gov.mw, www.int.mw, www.net.mw.

At the time of writing, the hacked websites still displays the defacement page. You can also check the mirror of the defacement here:  http://zone-h.net/archive/notifier=BD%20GREY%20HAT%20HACKERS


Of course, this is not the first time the site is under the radar of the hackers.   Earlier this year,  Bangladeshi hackers hijacked the NIC.mw and left the Google Malawi , Kaspersky, MSN, Yahoo defaced.

We are not sure whether the nic fails to patch the previous vulnerability that leads to the security breach or BGHH found a new vulnerability.  It is always better to take care of your web-app security once you find yourself victim of hackers.