Twitter Hacked, 250,000 Email and Password Compromised

If you find that your Twitter password doesn't work the next time you try to login, you won't be alone. The service was busy resetting passwords and revoking cookies on Friday, following an online attack that may have leaked the account data of approximately 250,000 users.

"This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data," Bob Lord, Twitter's director of information security, writes in a blog post.

According to Lord, Twitter was able to shut down the attack within moments of discovering it, but not before the attackers were able to make off with what he calls "limited user information," including usernames, email addresses, session tokens, and the encrypted and salted versions of passwords.

The encryption on such passwords is generally difficult to crack – but it's not impossible, particularly if the attacker is familiar with the algorithm used to encrypt them.

As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just "a small percentage" of the more than 140 million Twitter users worldwide.

If yours is one of the accounts involved, you'll need to enter a new password the next time you login. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods. In addition, he recommends against using the same password on multiple sites.

Lord says Twitter's investigation is ongoing, and that it's taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal:

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.

Although the attack took place this week, it seems to have no relationship to the outage that took Twitter offline for several hours on Thursday. On the other hand, however, Lord's post does make rather cryptic mention of the US Department of Homeland Security's recent recommendation that users disable the Java plug-in in their browsers. He mentions Java twice, in fact.

While it's true that the Java plug-in contains multiple known vulnerabilities and that numerous security experts have warned that it should be considered unsafe, the connection between Java and the attack Twitter experienced isn't clear and twitter is yet to respond to our request for clarification.

Remote PC Control

Remote PC Control 

Control Windows  with Email or SMS

Windows Remote

There’s no magic here, it’s the power of TweetMyPC utility that lets you remote control your computer from a mobile phone or any other Internet connected computer.

he initial version of TweetMyPC was limited to basic shutdown and restart commands, however the current v2 has a far more robust set of commands, enabling a far more useful way of getting your PC to carry out certain tasks especially when you’re AFK(Away From Keyboard).

Let’s get started. Install the TweetMyPC utility of your computer and associate your Twitter and Gmail account with the application. It will use Twitter to receive remote commands (like shutdown, log-off, lock workstation, etc) from while the email account will be used for send your information (e.g., what process are currently running on your computer).

Send Commands to the Remote Computer:

By Email: Associate your Twitter account with Posterous (auto-post) and all email messages sent to twitter@posterous.com will therefore become commands for the remote computer. (Also see: Post to Twitter via Email)

By SMS: If you live in US, UK, Canada, India, Germany, Sweden or New Zeleand, you can send associate Twitter with your mobile phone (see list of numbers) and then control your remote computer via SMS Text Messages.

By IM: Add the Twitter bot – twitter@twitter.com – to your list of Google Talk buddies and you can then send commands via instant message.

By Web:If you are on vacation but have access to an internet connected laptop, just log into the Twitter website and issue commands (e.g., shutdown or logoff) just as another tweet.

Download Files, Capture Remote Screenshots & more..

Here’s a partial list of commands that you can use to remote control the PC – they’re case-insensitive and, as discussed above, you can send them to Twitter via email, SMS, IM or the web.

Screenshot : This is one of the most useful command I’ve come across after the shutdown command. Want to know what’s happening within the confines of your PC when you’re not around? Just tweet screenshot and TweetMyPC will take a screenshot of your desktop and post it to the web (see example).

ShutDown, LogOff, Reboot, Lock : The function of these useful commands is pretty obvious from their names.

Standby, Hibernate : Don’t want to shutdown the remote PC? Save power by entering standby mode with this command. Or hibernate your PC with a tweet, thereby saving even more power.

Download <url> : You can download any file from the Internet on to the remote computer using the download command. For instance, a command like downloadhttp://bit.ly/tCJ9Y will download the CIA Handbook so you have the document ready when you resume work the next day.

GetFile <filepath> : The Download command was for downloading files from the Internet onto the remote computer. However, if you like to transfer a file from the remote computer to your current computer, use the GetFile command. It takes the full page of the file that you want to download and will send that you as an email attachment. If you don’t know the file page, use the command GetFileList <drivename> to get a list of file folders on that drive.

GetProcessList : This is like a remote task manager. You’ll get a list of programs that are currently running on the remote computer along with their process IDs. Send another command kill <process id> to terminate any program that you think is suspicious or not required

Related articles

• Remote PC Control (hackncrackz.blogspot.com)
• How to Remote Control your Windows PC with Email or SMS (beginnerhacking.wordpress.com)
• Google Talk used for home automation communications via Android (hackaday.com)
• Your Next Computer Will Live on Your Arm (wired.com)
• How to take a remote screenshot in OS X (reviews.cnet.com)
• DIY Dino Crafts - This Craft is Remote Controlled, Making for an Awesome Jurassic Play Time (TrendHunter.com) (trendhunter.com)
• Security Alert: CleanedOut (lookout.com)
• AIO Remote - your best remote control to your computer (forums.crackberry.com)
• Remote control via GPRS/GSM SMS. (instructables.com)
• 10 Awesome Apps for Small Businesses (biznessapps.com)

Apple and Amazon Falls Prey to Social Engineering

WiReD writer's Apple iCloud account was compromised and his iPhone, iPad and MacBook remotely erased. The writer's Google Mail and Twitter accounts were also hacked.

Although Honan blames himself for not having two-factor authentication enabled on his Gmail login, he also said that Amazon made it "remarkably easy" for the miscreant to gain control of his Apple iCloud account. He added that Apple had its own "security flaws" after allowing the hijacker to bypass Honan's preset security questions on his iCloud account.

"Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information," he wrote in a postmortem examination of the digital attack.

"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

Honan claims that he later chatted to his hacker via Twitter, email and AIM, and after Honan agreed not to press charges, the hijacker revealed how he broke into the Twitter, Google and Apple accounts.

The hacker, who called himself Phobia, said he didn't have to use brute force to figure out Honan's passwords for the accounts, but instead used clever social engineering to work his way from call centre to call centre.

Phobia said that the whole intrusion was designed to take control of Honan's Twitter feed because it had a three-character handle: @mat.

He followed the Twitter account's profile page to Honan's website, where he learned of his Gmail address. Phobia then started a password reset process for the Gmail account and thereby bagged another of Honan's email addresses: the Gmail account was setup to send a password reset message to the scribe's @me.com inbox. Although that address was partly obscured by Google (m••••n@me.com), Phobia guessed what it was because it had the same starting character as Honan's Gmail username.

Now that Phobia knew Honan had an AppleID account (associated with the @me inbox), he knew he could take over his iDevices.

Amazon pulled into epic hack attack

Phobia phoned Amazon masquerading as Honan and used his email address and billing address (found in Honan's Whois records for his website) to add a fake credit card to his Amazon account. The hacker hung up and then phoned Amazon again, claiming he'd been locked out of his account and used the fake credit card number, plus real email and address, to persuade Amazon tech support to let him into the account.

Once in Honan's Amazon account, Phobia could read the last four digits of the writer's real credit card in the payment settings page. Unfortunately, those four numbers, along with the addresses, were all Apple tech support needed in a subsequent phone call to allow Phobia to reset Honan's iCloud backup storage login, giving him access to pretty much every account and device Honan owned.

Graham Cluley, senior technology consultant at Sophos, told The Reg that Amazon's verification process for adding the credit card wasn't thorough enough. "A billing address and email address are probably too easy to dig out," he said.

But, as Honan himself admitted, it's normal practice for retailers to star out all but the last four digits of credit or debit cards, so Amazon had no reason not to do the same for an online account.

"Amazon made it too easy for someone to add a credit card to an account (and subsequently gain access to the account), but Apple made it too easy to access account information using the final four digits," Cluley said.

"There's any number of questions Apple could have asked - either extra support questions or they could have asked about recent purchases on iTunes or the App Store."

Apple said that its "internal policies were not followed completely" and it was reviewing its processes for password resets. Amazon had not returned a request for comment at the time of publication.

Have you enable two-factor authentication on your gmail account, are you still using the same password across all the websites you visit, and when last did you change your password. We'll like to hear your experience

Twitter goes down, company at work on solution

Twitter is currently down.

The social network announced the outage on its Status page this morning, saying that "users may be experiencing issues accessing Twitter." The company didn't say what the issue might be, but did say that its "engineers are currently working to resolve the issue."

Years ago, as Twitter's growth skyrocketed, the service suffered from frequent outages. Over the last couple of years, however, most of those outages have subsided, save for a few brief outages from time to time. It's not clear how long this outage might last.

How to check if Spammers are on your Twitter Account

With so many risks to your accounts and computer on the Web, wouldn't it be nice to know that none of the people you follow on Twitter are adding to those risks? Safego, a Bitdefender product, offers a free service that will scan your Twitter account for suspicious users, links, and messages. It won't take any action without your consent, but it can be set to alert you when a new issue arises. Here's how to get started:

Step 1: Head over to http://safego.bitdefender.com/twitter/

Step 2: Log in with your Twitter account. This means the Web site will not need you to sign up for a new account (hooray!).

Step 3: Authorize Safego when prompted by Twitter.

Step 4: Wait as Safego redirects you back to its site and starts scanning your Twitter friends for any suspicious behavior. The more people you follow; the longer this process will take.

Step 5: Once scanning is complete, check out the Friends link on the top banner (next to the Scan Now button). This will change to reflect how many, if any, of your friends are showing suspicious activity.

Step 6: Click on this Friends link to get a list of flagged friends.

Step 7: From the list that appears, you can choose to "unfollow" or clear your flagged friends.

In the notifications area (link at top, or right-hand side on dashboard) you'll see the alerts that are currently disabled. If you'd like to enable any of these to help protect your Twitter account, click on Settings at the top and choose the alerts that work best for you. Additionally, you can use Safego to scan a Twitter user for suspicious activities before you follow them from the Home dashboard.

Anonymous Twitter alternative developed for rioters

After discovering that BBM and their Twittery playthings fed straight into the hands of the cops, smartphone-toting revolutionaries have taken up a new type of instant messaging – Vibe.

Like Twitter in that it is open and lets you mass-message, Vibe is unlike Twitter in that all messages or "vibes" are anonymous. You can set how far you want them to be available too – from 15 metres to global.

The messages self-destruct after a set period of time: from 15 minutes to forever. That makes it much more attractive to those who want to bring down the Man via the medium of street protest, but don't want the Man, or their mothers, or the police looking at twitpics of themselves jumping up and down on burning bin-bags.

According to the New York papers, Vibe is now the instant messaging app of choice for the protesters at Manhattan's #OccupyWallStreet.

Though it is innocently described on the iTunes store as a good way to chat to other people near you at football games or conferences, developer Hazem Sayed, who is based in New York, is actively keen for his app to be adopted by the protesters.

It seems to be catching on:

The NY Daily News interviewed protester Drew Hornbein, a member of the camp's Internet Committee, who explained its uses to the paper:

"Let's say you're protesting and someone up ahead sees that the cops are getting ready to kettle people, they can send out this vibe that only lasts a few minutes that says, 'Cops are kettling'," said Hornbein.

"It's anonymous too, so not only are you able to send out relevant information to a small radius, but it also disappears, there's no record of it, so no one can come after the person who sent it."

Another social media platform for Theresa May to worry about.

Sponsors Link:

How to Get SoundCloud Followers

USA Today hacked by Script Kiddies on Twitter

A group of hackers who target the Twitter feeds of news organisations claimed a fresh victim on Sunday when they hijacked the micro-blogging feed of USA Today.

The group, who use the self-disparaging moniker Script Kiddies, hijacked the @USAToday Twitter feed to encourage fans to contact them to suggest new targets. "Please like The Script Kiddies on Facebook! You could choose our next target!" one of the unauthorised (since purged) updates said.

USA Today quickly regained control of the compromised feed. "@usatoday was hacked and as a result false tweets were sent. We worked with Twitter to correct it. The account is now back in our control," it said. "We apologize for any inconvenience or confusion caused to our readers and thank you for reading @usatoday."

Script Kiddies previously hit the micro-blogging feeds of Fox News – where they posted a false bulletin on the fictitious assassination of US President Barack Obama – and NBC News, where they posted false news about an imaginary terrorist attack on New York.

It's unclear how the feeds were compromised but weak password security of one type or another is one obvious suspect. A combination of social engineering and malware is also possible and seems to be the most likely scenario, at least as far as the NBC hack is concerned.

More commentary on the hack – including screenshots of the unauthorised posts – can be found in a blog post by net security firm Sophos here.

Anonymous Releases Twitter Hijack Tool Called URGE

The long promised tool that can be used to hijack tweets was recently released on the Anonymous hacker group's official blog, complete with download links, source files and how-to instructions.

The Anonymous group of online activists released a new tool yesterday designed to allow people to hijack trending topics on Twitter and tweet messages within them.

Dubbed URGE (for Universal Rapid Gamma Emitter), the beta software is available for download for Windows computers and requires .Net Framework 4 to work.

"This is not a hacking tool nor is it an exploit tool," the group said in a statement. "It was created to make it easier for us to tweet faster without copying and pasting constantly."

Anonymous members say they are annoyed with all the redundant and "pop culture" topics featured on Twitter Trends and want to draw more attention to topics that "actually serve a cause."

"We have taken note of why Twitter would not do so, they only trend topics which would 'appeal' to people and can get people to tweet more," the statement says. "This was pathetic in our eyes, and we could not stand by and take it anymore."

URGE will allow people to spread the message of Anonymous--including "bashing corrupt politicians," among other causes--by riding the coattails of trending topics. "This will help raise awareness of problems going on in this world and show people that real problems exist outside of 'Jersey Shore' and 'Sex,'" according to the statement.

Twitter Faces Threat from Scammers

Scammers are using compromised Twitter accounts to prey on suspecting victims, security firm Sophos is reporting today.

According to the firm, compromised Twitter accounts are sending out tweets and direct messages to followers, urging them to sign up for a site that will help them make some money. One such message from an account reads, "I made $888 today check out how I made it." The message is followed by a link to a malicious site.

According to Sophos, the dollar amount in the tweets and messages can vary.

Sophos says that when users click on the included link, they will be brought to a site that claims to help single mothers and teenagers make "thousands of dollars" each day. However, those who fall prey to the scam will only "end up out of pocket" if they sign up, Sophos said.

As Barracuda Networks revealed earlier this year at the RSA security conference, Twitter has proven appealing to scammers because of its functionality both as a social network and search engine. And the worst part is, many of the site's malicious accounts are more popular than you might think.

Barracuda pointed to one Twitter account, called Download-Heaven, which had 445 followers recently, even though it directed folks to hosted shareware containing malware and Trojans. What's more, the company found in its research of Twitter that just 43 percent of users were considered legitimate. The remaining 57 percent of users were "questionable."

Over a five-month period, Barracuda found 34,627 samples of malware in search engines and on Twitter. According to the research firm, Twitter accounted for 8 percent of that total.

"It's interesting, because we've been doing this work for probably nine months of a year now, and the last time we really examined it and looked back on this, it charted very differently," Barracuda Networks chief research officer Paul Judge said earlier this year. "About 69 percent of the malware that we found was on Google at the time, only 1 percent was on Twitter."

But Twitter hasn't just sat still. The social network last year launched a filtering service that aims at stopping malicious links from being included in direct messages. The company's link-shortening service, t.co, also helps to safeguard users from malicious links.

According to Sophos, keeping safe from the latest threat is quite simple: don't click on the link in the direct message or tweet. Users who have had their accounts compromised should reset their passwords. Sophos also recommends those folks scan their computers for malware.

Hackers Compromises Fox News Twitter Account, Declares Obama Dead

A Twitter account maintained by Fox News has been hacked to post fake "Obama assassinated" stories.

The @foxnewspolitics account was seized to post a succession of bogus updates (example below) on the false story that Obama was shot and killed while supposedly campaigning at a Ross' restaurant in Iowa.

The obviously compromised account has more than 33,000 followers. Such hacks are often an attempt to trick surfers into visiting links for more information that actually land on sites running fake anti-virus scans. No malware payload or links have yet appeared in this case, though that could easily change.

It is unclear who pulled off the attack but it bears the hallmarks of an attack carried out for bragging rights and using password-guessing, possibly by a group of LulzSec wannabes. The timing of the hack early on Monday morning (US time) coincides with US Independence Day.

Hack Facebook and Twitter Accounts in seconds with FaceNiff

In October 2010, a small application called Firesheep had Internet users quivering in fear that their social accounts could be hacked instantly, with a small Firefox extension able to hijack Facebook, Twitter, and Flickr and Amazon.com sessions whist they were connected to unsecured wifi.

With Firesheep requiring a desktop computer to steal a users cookies and authenticate them as any user browsing on the same wireless network, the potential for attacks was rather limited. However, an enterprising developer has taken the same concept and shoehorned the technology into an Android application called FaceNiff, providing a user with the ability to take over Facebook, Twitter and YouTube accounts simply by joining a network and running the app.

FaceNiff requires a rooted Android handset, a barrier for a few but with a wealth of information on the Internet, easily achieved by many. Securing a network doesn’t seem to help either, as the application can snoop information on WEP, WPA and WPA2 WiFi networks.

The application reinforces the need for all social networks to employ SSL encryption on their services, stopping tools like FaceNiff from working in seconds. Both Facebook and Twitter have such an option embedded within the settings but many users are unaware of the option.

The app is meant to be a proof of concept and only used for educational purposes but has been confirmed to work on HTC Desire CM7, Original Droid/Milestone CM7, Sony Ericsson Xperia X10, Samsung Galaxy S, Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus Black and LG Optimus 3D.

The APK file is limited so it can only be used to hijack 3 social profiles. Despite this, developer Bartosz Ponurkiewicz says that users can donate via PayPal for an unlocked version of the application.

To help protect your social networking profiles and assist you in securing your accounts, you can click here for information on how to encrypt your Facebook traffic and here for information on how to secure your Twitter account.In October 2010, a small application called Firesheep had Internet users quivering in fear that their social accounts could be hacked instantly, with a small Firefox extension able to hijack Facebook, Twitter, and Flickr and Amazon.com sessions whist they were connected to unsecured wifi.

With Firesheep requiring a desktop computer to steal a users cookies and authenticate them as any user browsing on the same wireless network, the potential for attacks was rather limited. However, an enterprising developer has taken the same concept and shoehorned the technology into an Android application called FaceNiff, providing a user with the ability to take over Facebook, Twitter and YouTube accounts simply by joining a network and running the app.

FaceNiff requires a rooted Android handset, a barrier for a few but with a wealth of information on the Internet, easily achieved by many. Securing a network doesn’t seem to help either, as the application can snoop information on WEP, WPA and WPA2 WiFi networks.

The application reinforces the need for all social networks to employ SSL encryption on their services, stopping tools like FaceNiff from working in seconds. Both Facebook and Twitter have such an option embedded within the settings but many users are unaware of the option.

The app is meant to be a proof of concept and only used for educational purposes but has been confirmed to work on HTC Desire CM7, Original Droid/Milestone CM7, Sony Ericsson Xperia X10, Samsung Galaxy S, Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus Black and LG Optimus 3D.

The APK file is limited so it can only be used to hijack 3 social profiles. Despite this, developer Bartosz Ponurkiewicz says that users can donate via PayPal for an unlocked version of the application.

To help protect your social networking profiles and assist you in securing your accounts, you can click here for information on how to encrypt your Facebook traffic and here for information on how to secure your Twitter account.

How To: Avoid Getting Fleeced By Firesheep

Over the last 24 hours the world has been abuzz with talk about a small Firefox extension. Usually Firefox extensions don’t make headlines, but in this case one did. Why? This extension is called Firesheep, and it’s scary.

The Firesheep plugin can hijack your Facebook, Twitter, and Flikr sessions while you are connected to unsecured wifi. What do we mean hijack? We mean that it can steal your sessions, pretend to be you, and you won’t even know it.

Yeah, wow.

There is a lot of discussion about the ramifications of releasing something that is simple enough to let anyone become a hacker, and TUAW has some good suggestions for how to guard against Firesheep, but I want to give you my take on it and what practical steps you can take.

First off I want to tell you about my day yesterday (it relates, trust me). Sitting at home working on articles for this joint, I get a call from one of my friends at the CBC. “Have you heard about Firesheep?” I said I saw some headlines, but I hadn’t really looked at it. “Could you look at it and talk about it on camera?”, umm…sure….when? “How about an hour?” Eek. Sure…why not.

I dash to one of my favourite coffee places close by (which I also knew had open wifi) after getting Firesheep all loaded up (it took less than a minute). I order a latte, settle in and …

Holy crap.

Just like everyone said, running Firesheep I could see who was logged into Facebook and a bunch of other sites and with a double-click be that person.

Holy crap.

I’m not usually a terribly paranoid person online, but this gave me the willies. Anyone could have this running and you’d never know it. Oh sure, packet sniffers have been around for a while (that’s how it works), but packet sniffing isn’t easy for most people. Firesheep is easy enough for a kid to use. So how do you combat this? Well let’s get to that now…

First thing, if you have a wireless network at home and you haven’t set up a WPA (or even WEP) password on it, do it now.

Next, for all the businesses that have open wifi, now is the time to bite the bullet and put a password on the network. No, I’m not talking about a “gatekeeper” password that lets you in for a period of time, but WPA/WEP. Encryption. Yes, I know it’s a hassle for people to ask, but just make it obvious. This isn’t about access control, it’s about safety. I showed the manager of the place where the CBC segment was shot what the risk was and he was pretty shocked.

If you frequent a place that has open wifi, ask them to put a password on it. If you lock down your wireless network, then that’s it. Firesheep isn’t a problem. If you’re slightly techie and know how to do this, offer to help. For free.

In the meantime, you can try Firefox extensions like Force-TLS or HTTPS Everywhere or Chrome a extension like KB SSL enforcer all of which force the site you’re on to load the HTTPS (encrypted) version of the site. The problem I ran into with KB SSL today was that a lot of sites don’t have their HTTP and HTTPS versions working together very well. I had to shut it off to read some things…so what does that do? These solutions are only a stop gap as far as I’m concerned.

For those of you lucky enough to have a mobile data stick or can tether your phone for access—both of those are nice and secure. What about your WiFi only mobile devices? Those I don’t have good solutions for. Myself I have both my iPhone and iPad set not to just autoconnect to available networks and I’m going to have them both “forget” several of the local places I go to that don’t have secured wifi. Yes, mobile devices are also vulnerable because this isn’t a vulnerability in a browser or device it’s while how you can the sites connect to each other.

This is what bugs me the most about the whole Firesheep problem. Websites like Facebook and Twitter could force everyone to https like gmail does, but they choose not to. Until now, the risk hasn’t been that huge, but now…now I don’t think they can say that.

From now on, if it’s unsecured WiFi, I’m not using it. Period. If I absolutely have to, then I’ll run a proxy. Yeah, it’s harsh, but even the Firefox and Chrome extensions are only a partial solution. They aren’t 100% and they don’t work with all sites equally well. All you need to do is forget to turn them on or have an application notifier running in the background and …

Done like dinner.

My last tip is for the rather geeky of you who happen to have a web host who lets you have an SSH (shell or terminal) connection (both Dreamhost and Bluehost do) is to use this awesome trick for setting up a secure/encrypted proxy. I use this one all the time, it takes just a moment to set up, but is very, very secure.

If you want to see the entire CBC piece (which gives the right level of urgency I think), the video is up on the CBC site now.

And if you have more suggestions…please let us know in the comments.