Tuesday, March 22, 2011

Twitter goes secure

Twitter goes secure - say goodbye to Firesheep with "Always use HTTPS" option



Good news on the social networking security front is that Twitter has finally got its act together to offer an Always use HTTPS option.

Amplify’d from nakedsecurity.sophos.com

If you turn on this option, all of your personalised interaction with Twitter will be encrypted - not only while you are logging in, but also while you are posting tweets.

A lot of people fail to recognise the value of using HTTPS on Twitter. As long as your username and password are sent over HTTPS, so no-one can sniff them out of the ether, who cares if your tweets go over plain HTTP? After all, a tweet is meant to be public.

The problem is that once you have logged in, Twitter sends your browser a session cookie. This is a secret token, unique to your account and to the current session, and from then on it stands in for your password.

Because your browser retransmits this session cookie in all future requests to the Twitter site, Twitter can see that it's you coming back for more. So you don't need to put in your username and password for every single tweet you send. You login once, and the session cookie identifies you for the rest of the current session.

Unfortunately, if you log in to Twitter over unencrypted WiFi - e.g. at a coffee shop or an airport lounge - and your later requests go over plain HTTP, then anyone who can sniff your session cookie can pretend to be you. They don't need your password: the cookie is all Twitter checks. That means they can post tweets as you. And you don't want that. (It happened to Mr Demi Moore, a.k.a. Ashton Kutcher, recently, no doubt to his considerable embarrassment.)

Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session, so there is no plaintext request for a sniffer to lift it from. This is definitely what you want.

Don't forget that it's not just experienced hackers who can sniff Twitter cookies and use them to impersonate you.

The infamous Firesheep extension for Firefox automates this cookie-stealing process - known as "sidejacking" - so that anyone who can use a browser can do it.
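Here is the mechanism from the last few paragraphs in runnable form, as an added example that is not code from the original article. It models the server that maps a session cookie to a logged-in account, the browser that retransmits that cookie, and an eavesdropper who copies the cookie off the wire and replays it. The account, the cookie name "session" and the header strings are constructed for the example. It also shows the check a practitioner wants alongside "always use HTTPS": the cookie must carry the Secure attribute, because a cookie without it will still be sent in clear if the browser is ever steered to an http:// link on the same site.

```python
"""Why a sniffed session cookie is as good as a password.

Added example, not code from the Naked Security article. It models the
three parties the article describes: a server that maps an opaque session
cookie to a logged-in account, a browser that retransmits that cookie on
every request, and an eavesdropper on the same WiFi who copies the cookie
off the wire. The account, the cookie name "session" and the header
strings are constructed for the example; the Secure-attribute rule is the
one real browsers apply (RFC 6265, section 4.1.2.5).
"""
import secrets


class SessionStore:
    """Server side: issues session tokens and maps them back to accounts."""

    def __init__(self, creds):
        self._creds = creds          # username -> password (constructed)
        self._sessions = {}          # token -> username

    def login(self, username, password):
        """Check the password once and hand back a fresh session token."""
        if self._creds.get(username) != password:
            return None
        token = secrets.token_urlsafe(24)
        self._sessions[token] = username
        return token

    def whoami(self, cookie_header):
        """Identify the caller from a Cookie header; None if not logged in.

        Note what is *not* checked: who sent the request. The token is the
        identity, which is exactly why sidejacking works.
        """
        return self._sessions.get(parse_cookie_header(cookie_header).get("session"))


def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def parse_set_cookie(header):
    """One Set-Cookie line -> (name, value, {attribute_lower: value})."""
    pair, *attrs = header.split(";")
    name, _, value = pair.strip().partition("=")
    flags = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        flags[key.lower()] = val
    return name, value, flags


def browser_sends_cookie(flags, scheme):
    """Browser rule: a cookie marked Secure travels only over https."""
    return scheme == "https" or "secure" not in flags


def audit_set_cookie(header):
    """Flag the attributes a session cookie should not be missing."""
    _, _, flags = parse_set_cookie(header)
    problems = []
    if "secure" not in flags:
        problems.append("missing Secure: cookie will travel over plain HTTP")
    if "httponly" not in flags:
        problems.append("missing HttpOnly: readable by injected script")
    return problems


def sidejack_demo():
    """Replay the attack the article describes; return (victim, leaks_over_http)."""
    server = SessionStore({"alice": "correct horse battery staple"})  # constructed
    token = server.login("alice", "correct horse battery staple")

    # The login itself went over HTTPS, so the password was never exposed.
    # Every later request carries only the cookie. Over plain HTTP, anyone
    # on the same WiFi reads this header byte for byte.
    sniffed_cookie_header = f"session={token}"

    # The eavesdropper replays that header from their own machine. The
    # server cannot tell the difference.
    impersonated = server.whoami(sniffed_cookie_header)

    # With always-on HTTPS *and* a Secure-flagged cookie there is no plain
    # HTTP request to sniff: the browser refuses to send it over http://.
    _, _, flags = parse_set_cookie(f"session={token}; Secure; HttpOnly; Path=/")
    leaks_over_http = browser_sends_cookie(flags, "http")
    return impersonated, leaks_over_http


if __name__ == "__main__":
    victim, leaks = sidejack_demo()
    print("eavesdropper is now logged in as:", victim)
    print("Secure cookie sent over http://:", leaks)
```

Run it and the eavesdropper comes back as "alice" without ever having seen the password; `audit_set_cookie` is the check to run against a real Set-Cookie header once the HTTPS option is on.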

To enable this new Twitter option, go to your Settings page.

At the bottom is the new Always use HTTPS option. Turn it on and click [Save], and then [Save changes].

Do it today.

(Note: as a commenter below points out, it's not clear if, or how, non-web-browser Twitter clients will support this new option. If in doubt, please ask the vendor of your Twitter client, or follow the Simplicity Principle and stick to using your browser when tweeting.)





About the author


Paul Ducklin is Sophos's Head of Technology, Asia Pacific. He won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. (Try saying that quickly.)

Email him in the Sydney office or follow him on Twitter at @duckblog.

Read more at nakedsecurity.sophos.com
 

Monday, March 21, 2011

“Nothing splendid has ever been achieved except by those who dared believe that something inside themselves was superior to circumstance.”



Bruce Barton (1886–1967)

American advertising executive

U.S. congressman http://bit.ly/hw8ewO

Tuesday, March 15, 2011

It's a Facebook clickjack scam

Japanese Tsunami Launches Whale Into Building? It's a Facebook clickjack scam

Amplify’d from nakedsecurity.sophos.com

Sick-minded scammers are up to their dirty tricks again, trying to make a quick buck out of the Japanese earthquake and subsequent tsunami which has shocked people around the world.

Many people are shocked by the TV news reports, showing the devastation wrought on the people of Japan, and some of the video footage taken by media agencies and individuals in the country is truly extraordinary.

And it is against this backdrop that scammers have launched their latest campaign.

Japanese Tsunami Launches Whale Into Building

You won't believe this! Crazy Footage!

Other versions read:


GRAPHIC VIDEO.. Japans Tsunami Sends WHALE Smashing Into A Building!

Of course, this is just the latest FouTube clickjacking attack to hit Facebook, and sure enough if you click on the link you are taken to a webpage which tries to trick you into clicking (which will silently say to all of your Facebook friends that you "Like" the page).


Will you get to see a video of a whale launched into a building by the Japanese tsunami? No, of course not.

Instead, you're asked to complete a survey which earns commission for the scammers.


When I tried it, the survey attempted to tempt me with the offer of a purple iPad. Funny, I thought Steve Jobs only made them in black and white.


How to clean-up after a likejacking attack

If you made the mistake of clicking on a link spread via a scam message like the ones listed above, you should check your Facebook news feed and remove any offending links that you might have spammed out to your friends. Hover your mouse over the top right hand corner of the post and you should see a small "x" which will allow you to remove it.

And if you entered your mobile phone number, you should keep a close eye on your cellphone bill and notify your carrier to prevent bogus charges from stinging you in the wallet.

Remember to be wary of any links that look like this. If you really want to watch a video chances are that it's available for free - without you having to complete any surveys - on legitimate video sites like YouTube.

Going forward, it's essential that you stay informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 60,000 people regularly share information on threats and discuss the latest security news.

Hat-tip: Thanks to Naked Security readers Don, Rogi and Tripad who contacted us about this scam.




About the author


Graham Cluley is senior technology consultant at Sophos. In both 2009 and 2010, the readers of Computer Weekly voted him security blogger of the year and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which is very cool. His awards cabinet bulging, he was voted "Best Security Blogger" by the readers of SC Magazine in 2011. You can contact Graham at gc@sophos.com, or for daily updates follow him on Twitter at @gcluley.

Read more at nakedsecurity.sophos.com
 

Bogus CNN video scams Facebook users

Japanese Tsunami RAW Tidal Wave Footage - Bogus CNN video scams Facebook users

Amplify’d from nakedsecurity.sophos.com

Facebook users are being tricked into clicking on links which claim to be raw CNN footage of the Japanese tsunami by cold-hearted scammers - as part of a plot to earn money by driving web traffic to take online surveys.

The videos, which in the examples seen by Sophos exist on a website called spinavideo, purport to be footage of the horrifying tsunami which hit parts of Japan on Friday.

Japanese Tsunami RAW Tidal Wave Footage

Clicking on the link takes unsuspecting users to a website which pretends to be YouTube, but is in fact designed to clickjack users into unwittingly agreeing to Facebook "Like" the page (which spreads the scam virally across the social network).


Users are then tricked into taking an online survey which earns commission for the scammers. No doubt the scammers are hoping that by pretending the video footage comes from CNN, more people might be tempted to click on it.

It's a sad reflection on human nature that a series of scams have appeared since the disaster in Japan, all trying to make commercial gain out of what is a horrific human tragedy.

Remember to always get your news from legitimate news websites, and if you're hunting for a video make sure that you go to the real YouTube website rather than a replica set up by scammers.
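Both this article and the whale-video one above describe the same trick: the scammer's page loads the target's "Like" button in an iframe and hides it under a fake "play video" button, so one click on the video becomes a "Like". The defence belongs to the site being framed, and it is a response header. The following added example (not code from either article) checks a set of responses for that header. The URLs, origins and headers are constructed; the semantics are the standard ones for X-Frame-Options and the CSP frame-ancestors directive, including the rule that frame-ancestors, when present, takes precedence over X-Frame-Options.

```python
"""Can a scammer's page put your "Like" button inside a hidden iframe?

Added example, not code from the Naked Security articles. Likejacking
works because the page that carries the "Like" button can be loaded in an
iframe on the scammer's site and hidden under the fake "play video"
button. The server-side defence is a response header that forbids
framing by other origins: X-Frame-Options, or the frame-ancestors
directive of Content-Security-Policy. The URLs, origins and response
headers below are constructed for the example.
"""


def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header, or None."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.split()
    return None


def _source_matches(source, origin):
    """Minimal CSP host-source match: '*', exact origin, bare host, or *.host."""
    _, _, host = origin.partition("://")
    if source == "*":
        return True
    if source.startswith("*."):
        return host.endswith(source[1:])
    return source in (origin, host)


def framing_allowed(headers, page_origin, framer_origin):
    """True when nothing in the page's response headers stops framer_origin
    from embedding it. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    # CSP level 2: if frame-ancestors is present, X-Frame-Options is ignored.
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "'none'" in sources:
            return False
        if "'self'" in sources and framer_origin == page_origin:
            return True
        return any(_source_matches(s, framer_origin)
                   for s in sources if s not in ("'self'", "'none'"))
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    # No header, or an unrecognised value: the page is frameable by anyone.
    return True


def likejacking_exposure(responses, attacker_origin):
    """Map each (url, headers) pair to whether attacker_origin could frame it."""
    report = {}
    for url, headers in responses:
        scheme, _, rest = url.partition("://")
        page_origin = scheme + "://" + rest.split("/", 1)[0]
        report[url] = framing_allowed(headers, page_origin, attacker_origin)
    return report


# Constructed responses for three hypothetical "Like" endpoints.
SAMPLE_RESPONSES = [
    ("https://social.example/like?page=1", {}),
    ("https://social.example/like?page=2", {"X-Frame-Options": "SAMEORIGIN"}),
    ("https://social.example/like?page=3",
     {"Content-Security-Policy":
      "default-src 'self'; frame-ancestors 'self' https://partner.example"}),
]

SCAMMER = "https://fake-video.example"   # constructed clickjacking host


if __name__ == "__main__":
    for url, exposed in likejacking_exposure(SAMPLE_RESPONSES, SCAMMER).items():
        print(f"{url}: {'FRAMEABLE by ' + SCAMMER if exposed else 'protected'}")
```

Only the first endpoint, with no header at all, can be dropped into the scammer's iframe; the other two would leave the fake "play" button clicking on nothing. The same function, pointed at real response headers, is the quickest way to tell whether a page of your own is likejackable.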

How to clean-up after a likejacking attack

If you made the mistake of clicking on a link spread via a scam message like the one listed above, you should check your Facebook news feed and remove any offending links that you might have spammed out to your friends. Hover your mouse over the top right hand corner of the post and you should see a small "x" which will allow you to remove it.

And if you entered your mobile phone number, you should keep a close eye on your cellphone bill and notify your carrier to prevent bogus charges from stinging you in the wallet.

Remember to be wary of any links that look like this. If you really want to watch a video chances are that it's available for free - without you having to complete any surveys - on legitimate video sites like YouTube.

Going forward, it's essential that you stay informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 60,000 people regularly share information on threats and discuss the latest security news.

Hat-tip: Thanks to Naked Security reader Kara who contacted us about this scam.





About the author


Graham Cluley is senior technology consultant at Sophos. In both 2009 and 2010, the readers of Computer Weekly voted him security blogger of the year and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which is very cool. His awards cabinet bulging, he was voted "Best Security Blogger" by the readers of SC Magazine in 2011. You can contact Graham at gc@sophos.com, or for daily updates follow him on Twitter at @gcluley.

Read more at nakedsecurity.sophos.com
 

Fake Android Market Security tool

Fake Android Market Security tool delivers more than just a cure for Droid Dream malware

Amplify’d from nakedsecurity.sophos.com

Only a couple of days after Google published its Android Market Security Tool - that removes all malicious applications infected with Droid Dream malware and prevents their installation - a malicious version of the tool appeared on alternative Chinese application markets.

The Trojanized version of the tool is packaged with open source Java code taken from a project hosted on Google's own online source code repository. The project includes functionality to send MMS messages in the background, for example, when the device boots up.

A suspicious user will immediately notice the difference between the fake and the real Android Market tool if they check the permissions required at installation.

While the original tool only requires three permissions, the Trojanized version requires additional permissions for "Services that cost you money" as well as the device location.

Another difference is in the version number of the package. The original Google tool version is 2.5 while the fake tool's development is lagging behind a little, being "only" on version 1.5.
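The two tells above (extra permission groups and a version number that lags the genuine tool) can be checked mechanically against each package's AndroidManifest.xml before anything is installed. The following added example is not code from the article and not Google's manifest: the article does not list the genuine tool's three permissions, so the "genuine" manifest here is a hypothetical stand-in, and the "fake" one is shaped after what the article describes (a versionName behind the real 2.5, plus "services that cost you money", location, and a boot-time trigger). The permission and action names are real Android ones; the package name is made up.

```python
"""Spot a Trojanized package by what it asks for, before installing it.

Added example, not code from the Naked Security article. Both manifests
are constructed stand-ins: the genuine side is hypothetical (the article
does not name the real tool's three permissions) and the fake side is
shaped after the differences the article describes. Permission and action
names are real Android identifiers; the package name is made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The install-time groups the article points at, plus the boot trigger it mentions.
COSTS_MONEY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
RUNS_AT_BOOT = {"android.permission.RECEIVE_BOOT_COMPLETED"}

GENUINE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sectool" android:versionName="2.5">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

FAKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sectool" android:versionName="1.5">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""


def manifest_facts(xml_text):
    """Pull package name, versionName, requested permissions and boot hook."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        "package": root.get("package"),
        "version": root.get(f"{{{ANDROID_NS}}}versionName"),
        "permissions": {e.get(name_attr) for e in root.iter("uses-permission")},
        "boot_receiver": any(a.get(name_attr) == "android.intent.action.BOOT_COMPLETED"
                             for a in root.iter("action")),
    }


def _version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def compare_manifests(genuine_xml, suspect_xml):
    """Report what the suspect package asks for beyond the genuine one."""
    genuine, suspect = manifest_facts(genuine_xml), manifest_facts(suspect_xml)
    extra = suspect["permissions"] - genuine["permissions"]
    findings = []
    for label, group in (("services that cost you money", COSTS_MONEY),
                         ("your location", LOCATION),
                         ("runs at boot", RUNS_AT_BOOT)):
        if extra & group:
            findings.append(f"{label}: " + ", ".join(sorted(extra & group)))
    if suspect["boot_receiver"] and not genuine["boot_receiver"]:
        findings.append("registers a BOOT_COMPLETED receiver the genuine tool lacks")
    if _version_tuple(suspect["version"]) < _version_tuple(genuine["version"]):
        findings.append(f"versionName {suspect['version']} is behind the genuine {genuine['version']}")
    return {"extra_permissions": sorted(extra), "findings": findings}


if __name__ == "__main__":
    report = compare_manifests(GENUINE_MANIFEST, FAKE_MANIFEST)
    print("extra permissions:", report["extra_permissions"])
    for finding in report["findings"]:
        print(" -", finding)
```

The manifest is what the install dialog is built from, so a diff against a known-good copy shows the same "Services that cost you money" and location additions the article describes, plus the boot receiver that would carry the background MMS behaviour, without having to eyeball the dialog.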

The latest attack does not affect the Android Market itself, but there may be many people, especially in China, happy to install a free Google tool that promises to protect them against a malware family.

The pattern of creating a fake security tool that detects non-existent threats is very common in the PC world and already brings in a lot of income for cybercriminals.

Judging by the popularity of Android devices and the recent increase in malware attacks, it may be just a matter of time before we start seeing highly suspicious products like Antivirus Android 2012 on the market.

Personally, I think that the ability to install non-market applications and ability to create third party application markets was a mistake for Google's Android team from the security point of view. This path is leading us to Windows-like threat levels.

Sophos products detect the fake Android Market Security tool as Troj/Bgserv-A.





About the author


Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.

Read more at nakedsecurity.sophos.com
 

Update your Apple devices to iOS 4.3

Update your Apple devices to iOS 4.3, or risk malicious code attacks

Amplify’d from nakedsecurity.sophos.com

Apple has released iOS 4.3, the latest version of its operating system for iPhones, iPads and the iPod touch.

Although some will be excited by the promise of faster performance from Safari, better video streaming and the thought of sharing their iTunes library over WiFi around the home, perhaps the most important reason to install the update onto your Apple gadgets is security.

According to Apple, the new iOS 4.3 update includes a number of critical security patches - some of which are designed to prevent vulnerabilities being exploited that could lead to malicious code being run on your iPhone or iPad.


Details of the security fixes are included in an Apple knowledgebase article. They include protection against maliciously-crafted TIFF image files that could be used to run malicious code on your device, and fixes for multiple memory corruption issues in WebKit, which could mean that visiting a booby-trapped website leads to unauthorised code being executed.

These are, of course, the kind of vulnerabilities that have been exploited by malicious hackers and virus writers in the past and would present a way to deliver code to a non-jailbroken iPhone that did not involve entering via the official iPhone App Store.

There is no indication that these vulnerabilities have been exploited in the wild, but it would nevertheless be prudent to defend against them by installing the operating system patch to your iOS devices. Especially now that details of the security holes are known to the computer underground.

Bad news for iPhone 3G owners

There's bad news, though, for users of older Apple devices. The iOS 4.3 update is only compatible with the iPhone 3GS and later and the iPod touch 3rd generation and later. (It works on the original iPad, and the imminent iPad 2.)

So if you have an earlier iPhone or iPod touch your device is probably vulnerable to attacks which exploit these security holes, and there is no official patch available for you to protect yourself. That's bad news for the many people who still have an iPhone 3G, for instance.

If you were looking for an excuse to upgrade your iPhone or iPod touch - maybe you've just been given a good one by Apple. But if you were happy with your iPhone 3G, I doubt you're feeling too good about having to reach into your pocket.

Apple customers can download the iOS 4.3 update via iTunes, and more information about the update can be found on Apple's website.

Read more at nakedsecurity.sophos.com
 

Sunday, March 13, 2011

"If you will not fight for the right when you can easily win without bloodshed; if you will not fight when your victory will be sure and not too costly; you may come to the moment when you will have to fight with all the odds against you and only a small chance of survival. There may even be a worse case: you may have to fight when there is no hope of victory, because it is better to perish than to live as slaves." http://bit.ly/gCrQKo

DOWNLOAD Five-Star Guide For Your iPad

The iPad may not have changed the world of computing quite yet, but it is still a pretty nifty device. An e-book reader, a newspaper, an entertainment center and a workstation, this device can do a lot in a very small package.



Want to get more out of your iPad? Check out “iPad: a Magical and Revolutionary Guide”, the latest manual from MakeUseOf. Featuring the 40 best free apps for the iPad, this easy-to-follow guide contains a treasure trove of information that will make using your tablet that much easier. Learn the ins and outs of the market’s premier tablet, for free!



Whether you’re a casual iPad user looking to learn a bit more, or an iPad addict wanting to get the most you possibly can, our “Magical and Revolutionary Guide” is the manual you’re looking for. Best of all, it’s free!



(Tip: after downloading, drag the PDF file to iTunes to read this guide in iBooks!)



“iPad: A Magical and Revolutionary Guide” outlines all this and more:



* Organizing your apps, with or without iTunes

* Tips and tricks for typing on the iPad, in every language

* Troubleshooting iPad issues, including battery life and app crashes

* Syncing your Gmail, Yahoo or Hotmail accounts

* The best free apps for news, ebooks, drawing/photo editing, blogging/writing, TV, music, social media, remote control, productivity and games.


Tuesday, March 8, 2011

Apology is a lovely perfume; it can transform the clumsiest moment into a gracious gift. ~ Margaret Lee Runbeck http://bit.ly/i8NlQg

Microsoft begs users to stop running IE6

Microsoft has launched another salvo in its campaign to hammer the final nail into the coffin of an outdated, insecure product: Internet Explorer 6. Are you still running an old version of a browser in your company?


Beware of the Stripping Girls

Stripping girls don't guarantee secure passwords: Is your password "topless"? A pixellated stripper might be enough to encourage you to use a more secure password - but does she take her clothes off too easily?


Sunday, March 6, 2011

8 Tools to Visualize Info on Twitter

8 Free Tools to Visualize Information on Twitter.



Twitter usually turns into a rapid flowing stream of updates. A whole slew of Twitter apps give you an interesting way to filter through what is being said on Twitter, and better yet let you visualize it. Check out the unique and unusual apps.


Thursday, March 3, 2011

Leo Buscaglia The Time is Now!

Dr. Leo Buscaglia reminds us that the time to love is now. He also reads the poem "Things You Didn't Do."



The time is now to show our love for tomorrow may be too late.

---------------------------------------------------------------------------------------------------------------

Things you didn't do



"There was a girl who gave me (Leo Buscaglia) a poem, and she gave me permission to share it with you, and I want to do that because it explains about putting off and putting off and putting off - especially putting off caring about people we really love. She wants to remain anonymous, but she calls the poem, "THINGS YOU DIDN'T DO" and she says this":





Remember the day I borrowed your brand new car and I dented it?

I thought you'd kill me, but you didn't.



And remember the time I dragged you to the beach, and you said it would rain, and it did?

I thought you'd say, "I told you so." But you didn't.



Do you remember the time I flirted with all the guys to make you jealous, and you were?

I thought you'd leave me, but you didn't.



Do you remember the time I spilled strawberry pie all over your car rug?

I thought you'd hit me, but you didn't.



And remember the time I forgot to tell you the dance was formal and you showed up in jeans?

I thought you'd drop me, but you didn't.



Yes, there were lots of things you didn't do,

But you put up with me, and you loved me, and you protected me.



There were lots of things I wanted to make up to you when you returned from Viet Nam.



But you didn't.



Leo Buscaglia

Amplify’d from www.youtube.com

See more at www.youtube.com
 

Too often we underestimate the power of a touch, a smile, a kind word, a listening ear, an honest compliment, or the smallest act of caring, all of which have the potential to turn a life around. ~Leo Buscaglia http://amplify.com/u/bsnji

Tuesday, March 1, 2011

Mac OS X backdoor Trojan, now in beta? | Naked Security

A new remote access Trojan for Mac OS X has surfaced, showing malware authors are actively developing malware for Apple Mac computers. Read on to learn the malware's capabilities and how it works.


Tuesday, February 22, 2011

A friend of mine, Bradley Matthews has requested the following: Prayer chain needed. Prayers need to go out for a FB friend's daughter Audri Kate King and her family. Her two year old daughter was just diagnosed with stage 4 cancer. If you see this post, even if you don't know her, God knows. Please post this to your profile for 1 hour and say a prayer for that little girl. Thank you Thank you for your help! http://bit.ly/gR3zpA

Top tips for Mac OS X security – Part 3 | Naked Security

Make sure you read the third and final part of our series about how to better secure your Mac OS X computers. Learn best practices for the Mac OS X firewall, Safari, how to control services and catch up with previous parts you may have missed.


Saturday, February 19, 2011

How To Check If Someone Else Is Accessing Your Facebook Account

What’s the number one issue people have with Facebook? That’s right, privacy. Ever since there’s been a Facebook, people have been voicing their privacy concerns about it, and we’ve been there every step of the way. Over the past year, we’ve given you 16 steps (8 here, 8 there) to regain control of your Facebook privacy, taught you how to secure your settings, given you tips to protect your privacy, introduced you to apps like PrivacyDefender, and shown you how to tweak your Facebook Places security settings. And after all that, we finally broke down and wrote an Unofficial Facebook Privacy Guide.



So what’s the problem now? Nothing, technically. In fact, Facebook has recently given us a way to see if someone else has been accessing our Facebook accounts (without our permission). Is that something you’d be interested in? Follow me.


Friday, February 18, 2011

Abell 1689 galaxy cluster | TechRepublic

Abell 1689 galaxy cluster



WorldWide Telescope is a new project from Microsoft Research that combines imagery of space and celestial objects into one easy-to-use interface. From the site's overview page: "The WorldWide Telescope (WWT) is a Web 2.0 visualization software environment that enables your computer to function as a virtual telescope--bringing together imagery from the world's best ground- and space-based telescopes for the exploration of the universe."



This image is a high-resolution image of Abell 1689, a galaxy cluster in the constellation Virgo, as taken by the Chandra X-Ray Observatory. The image is embedded on the digitized sky that is the basis of WorldWide Telescope.



Image used with permission from Microsoft. Caption by Wally Bahny.

Resources:

1. http://www.worldwidetelescope.org/

2. http://www.worldwidetelescope.org/whatIs/whatIsWWT.aspx

3. http://en.wikipedia.org/wiki/Abell_1689