The L.A. Times released information today regarding a loophole for protected Twitter accounts. While other Twitter users cannot view protected Twitter accounts without asking for permission, Google appears to bypass that entirely. In fact, a Google search can even reveal some of the protected tweets of deleted accounts.

The Google searches can’t reveal the entirety of tweets unless they are short, but information can still be revealed in the small snippets. Just put “site:twitter.com/username” into Google, replacing the word “username” with that of someone with protected tweets, and view away. For example, everyone has been delighted to see what kind of mood Bill Clinton is in.

Fake Bill Clinton is probably sad you can see his tweets.

Reality check: While the “breach” sent tweeps scrambling and ranting, there appears to be nothing to fear. It seems so far that Google is only showing tweets that were public before the account was later privatized. As for final word on whether or not our protected tweets are safe, we’ll just have to wait to hear from Twitter.

The idea that kids need to be forced to leave the house, go outside, and do some sort of physical activity is nothing new. However, after a recent report it may be more important now than ever.

A survey of 16 to 24 year olds has found that 75% of them feel they “couldn’t live” without the internet. [...] About one third added that they felt no need to talk to a person face-to-face about their problems because of the resources available online.

Think that’s bad? When the group of kiddos was asked about Internet security and phishing, 76% of them thought the internet was a safe place “as long as you know what you’re doing.” Yeah, we haven’t heard that before.

Now please excuse us as we go unplug our siblings’ 360s and take them bowling. And no, not on the Wii.

Brian just got his “enhanced driver’s license” with RFID, so I found these instructions to make an RFID-proof wallet for him.

FBI Director’s wife bans him from online banking after he almost fell for a phishing scam.

A malware network has been discovered siphoning profits from Google, Yahoo, and Bing by spoofing the search engines and their DNS addresses.

Dubbed the “Bahama Botnet,” it hijacks search engine results with doctored links that run a user through a chain of sponsored ad sites. After clicking his or her way through the ads, the user eventually ends up on the requested page.

A traceroute of the connection shows that although the DNS name of the server appears to be legitimate, users are actually connected to 64.86.17.56, an unknown IP address in Canada.

It will be interesting to see how the major search engine corporations respond to this threat.

US Dept of Homeland Security wants to hire 1,000 cybersecurity experts over 3 years. Cringley says they don’t exist.

AV-Comparatives has published (PDF) the results of its August study which evaluates antivirus performance with on-demand scanning.

Published in March and September, the group’s so-called “on-demand scanning” test pits antivirus suites against the world’s most comprehensive body of 1.6 million (and growing) known viral strains. Applications are ranked in separate metrics which include detection rate, false positive rate and scanning speed. The firm also provides an award system which categorizes the apps in one of three levels according to their accuracy less false positives.

Ideally, antivirus packages should be able to detect known viruses to a high degree of accuracy, but AV-Comparatives’ studies prove that this is never the case.

G DATA and AVIRA continue to lead overall detection rates.

(more…)

Reddit.com, a popular aggregator for web news and discussion, was attacked sometime yesterday with a massive cross-site scripting exploit that caused even hovering over a comment on the site to spam thousands of comments from the user’s computer. It didn’t result in any malicious changes to the user’s computer, but the massive traffic and network activity quickly brought Reddit to its knees. As of this writing (1:13pm CET, or 5:13am Central), Reddit appears to have recovered, but “hot” activity has been dormant for hours.

Reddit users were not amused. Capture taken at 6:13AM Eastern

The exploit appears to have been Javascript-based, so using a Firefox addon like NoScript or turning off Java in your browser before visiting reddit would have prevented you from adding to the comment bomb. Investigation is surely forthcoming.

Japanese computer scientists claim that they’ve developed a new exploit (PDF) that will forge packets on a WPA-encrypted WiFi connections in about 60 seconds.

The exploit gives attackers a way to read small bursts of encrypted information sent between computers and routers that use WiFi Protected Access (WPA). The exploit was developed by Hiroshima University’s Toshihiro Ohigashi of Hiroshima University and Kobe University’s Masakatu Morii, both of whom will further discuss their findings at a September 25th conference in Hiroshima.

This paper has proposed a practical message falsification attack on any WPA implementation. Our attack is a method that applies the Beck-Tews attack to the MITM [man in the middle] attack, and can falsify an encrypted short packet (e.g. ARP packet). We have given a strategy for the MITM attack and the method for reducing the execution time of the attack. As a result, the execution time of our attack becomes about one minute in the best case. Therefore, our attack can execute on any WPA implementation, practically.

The new finding is an improvement to a 2008 WPA exploit known as the “Beck-Tews Attack” which could forge packets in about 15 minutes. Both Beck-Tews and the new exploit capitalize on small packets, such as ARP and DNS, to recover the keys used to encrypt individual packets. Armed with these keys, an attacker can intercept or falsify packets with little to no interruption to user services.

Though it all sounds rather scary, some sites have been playing up the insecurity angle without acknowledging the large caveats tangentially mentioned by the research paper:

• This exploit can only be used to falsify short packets like DNS and ARP. While an attacker could theoretically redirect you to unsavory/malicious sites, the attacker does not have an open pipe to your WiFi data.
• The exploit only works on WPA networks that use TKIP security keys as opposed to AES. Most residential routers allow you to choose between the two, and some even permit for AES+TKIP. WiFi users who have chosen WPA+AES or WPA2 are completely immune to the attack.

All in all it is an exciting (or frightening) development in the world of security research, but it’s still a far cry from the exploits that can bust WEP connections wide open in seconds.

Report IE6 offenders you know for a public shaming.

This is mostly notable only because everyone loves a good look-at-this-idiot story. Scammers placed a fake ATM near an entrance of the Riviera Hotel in Las Vegas, currently hosting the DEFCON hacker conference. As one might expect, it wasn’t long before it was noticed by an attendee and hauled away by police. They aren’t sure how long it was there or whether the scammer had any idea what sort of fish he was trying to catch.

Hackers hack Mitnick, Kaminsky prior to DefCon.