What Twitter's homepage looked like before it went down on Thursday night.
(Credit: CC u07ch/Flickr)
Twitter stumbled again overnight on Thursday. But this time, it wasn't the work of the "fail whale," the cuddly cartoon personification of the site's excessive technical baggage. Rather, the site was replaced with a foreboding message from "Iranian Cyber Army" before crashing entirely, indicating that it had been the victim of a malicious attack that targeted its internal servers.
Co-founder Biz Stone posted a brief clarification on the issue late on Thursday night. "Twitter's DNS records were temporarily compromised tonight but have now been fixed," he explained. "As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully."
At the risk of sounding like an evening-news anchor calling attention to exactly how dangerous your treadmill is or how many diseases you can get from the ball pit at Chuck E. Cheese, I think it's time to explore the question: Is it safe to use Twitter?
For one, Twitter's track record with security has been shaky at best. A security flaw this spring exposed the data of a number of employees and allowed a hacker to pilfer some internal documents. Several high-profile accounts, like those of Britney Spears, Ashton Kutcher, and CNN anchor Rick Sanchez, have been targeted individually. Twitter has been the victim of phishing attacks. Other hackers have proved that Twitter accounts can be set up specifically to corral botnets of infected PCs. And in perhaps the biggest incident of all, a politically motivated denial-of-service attack in August that targeted multiple social-media sites managed to cripple Twitter entirely.
Think of it this way: if Facebook, a far bigger and more mainstream site that's had concerns about user privacy splashed all over the news recently, saw its homepage replaced with a nefarious political message, there would probably be a fresh round of calls for CEO Mark Zuckerberg's resignation. Twitter's heavy users are, for better or for worse, accustomed to sporadic downtime and glitches. They're also less likely to ever visit the Twitter.com homepage, considering the service has so many points of entry--text message, as well as third-party apps for mobile, Web, and desktop. Users have become accustomed to logging into third-party applications with their Twitter credentials.
That, perhaps, makes the overnight hack a bigger concern. Even though it's unlikely that user accounts were compromised in this DNS redirect, it's yet another sign that Twitter's security operations have time and again proven weak enough that the service doesn't exactly seem watertight.
A political message, or just plain obnoxious?
On the other hand, we still don't know much about this attack and it may have been less sophisticated than some may fear. One, nobody's exactly sure yet who the hackers were. "Of course, just because a message saying 'This site has been hacked by Iranian Cyber Army' has been posted on a Web page does not necessarily mean that hackers from Iran are responsible for the defacement," Sophos security consultant Graham Cluley wrote on his blog Friday.
Additionally, Cluley said, the aim seems to have been to either get a political message through or to simply be obnoxious. "Fortunately there is no indication at this point that the page was carrying malicious code, and this attack appears to have had political motivations rather than being designed to steal confidential information from users," he wrote.
"It really looks like people were redirected to a 'hacktivism' site," weighed in fellow Sophos analyst Beth Jones via e-mail. "There was no malicious code on the site claiming to be the 'Iranian Cyber Army' either. It looks like they just hacked the registrar to redirect traffic. So it's quite probable that none of Twitter's own servers were touched."
Another reassurance is the fact that Twitter simply doesn't have the kind of sensitive data that a Facebook or Google does. While it does have millions of mobile phone numbers stored to power its text-message app, not to mention archived private "direct messages" between users, Twitter does not index a whole lot more that isn't otherwise public. Facebook, for example, has many members' credit card numbers on hand (if they've ever used its "gift shop" feature), not to mention extensive personal data in profiles like addresses, birthdays, and family connections. Members who are still concerned about the security of their Twitter accounts can take the obvious step of changing their Twitter passwords to something that they don't use on their e-mail, Facebook accounts, or elsewhere--just in case.
Beth Jones says she has confidence in Twitter. "I wouldn't say their security is second-rate by any means," Jones said via e-mail. "As it stands, they weren't actually compromised, but I can see from a user point of view the questions and concerns. At Sophos we see a new site compromised every 3.6 seconds. That's easily close to 24,000 sites a day, and of those, the vast majority are legitimate sites that get hacked."
That doesn't mean that Twitter shouldn't start making it more clear that it takes security seriously. If the company, which is now beta-testing a "Contributors" feature that may pave the way to paid corporate accounts, begins storing financial information, we can only hope that their security operations are turned up a few notches. Or, ideally, an order of magnitude.
This post was expanded at 6:23 a.m. PT with comment from Sophos' Beth Jones.
Updated at 11:15 p.m. PST to include comment from witness and reflect Twitter.com accessible again.
Updated at 11:50 p.m. PST with status update from Twitter.
Twitter.com was down Thursday evening, and it appears that the microblogging site may have been hacked or the victim of a DNS hijacking.
The site, which was inaccessible for about an hour starting around 10 p.m. PST, was defaced with the following image before it was taken offline:
The message at the bottom of the image appears to be written in Perso-Arabic script and when translated to English it read:
Twitter's status blog was also inaccessible. CNET has inquiries out to Twitter and we will let you know more when we hear back.
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
iRANiAN.CYBER.ARMY@GMAIL.COM
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.
Chris Hoare, a Flickr user in Leicester, England, captured the screenshot above and said his attempt to connect to Twitter bounced through a second Web-hosting server before the image was displayed but that he couldn't catch the address.
"The HTML was pretty basic, and everything that it showed was local on the server it was being sent from," Hoare told CNET News.
A Twitter update message posted at 11:28 p.m. said the site was "working to recover from an unplanned downtime" and indicated that the incident was indeed a hijacking of Twitter's DNS records:
Twitter's DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.
Security has been a thorny issue for Twitter in the past. In January, a hacker hijacked CNN anchor Rick Sanchez's feed and proclaimed the journalist was "high on crack." Twitter users have also been the target of a password-stealing phishing scam. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members' home pages alerting them of the issue.
Certainly, there is a contentious history between Twitter and Iran. In the wake of supposed results of that nation's presidential election in June, protesters in Iran used Twitter to skirt government filters to report events, express outrage, and get people out to opposition rallies. Twitter even rescheduled some planned downtime in order to stay accessible for Iranian users in the midst of political upheaval at the request of the U.S. Department of State.
Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe Reader more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.
Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.
However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.
Meanwhile, Adobe took the second place spot from Microsoft this year. The number of vulnerabilities in Adobe Reader rose from 14 last year to 45 this year, while those in Microsoft Office dropped from 44 to 41, according to Qualys. Internet Explorer had 30 vulnerabilities.
A shift in focus
The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.
"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications," he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."
Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.
That compares with 2008, when Word represented nearly 35 percent of all 1,968 targeted attacks, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.
As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.
Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.
Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application whitelisting technology.
The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.
Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.
The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honorable mention" because of a zero-day vulnerability related to ActiveX that went unpatched for three weeks in July.
Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.
Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.
Updated December 21: to clarify in paragraphs one and four that Adobe Reader specifically is ranked second in vulnerabilities, followed by Microsoft Office, and that Internet Explorer alone had 30 vulnerabilities.
The MQ-1 Predator.
(Credit: U.S. Air Force)
Iraqi insurgents have reportedly intercepted live video feeds from the U.S. military's Predator drones using a $25.95 Windows application that allows them to track the pilotless aircraft undetected.
Hackers working with Iraqi militants were able to determine which areas of the country were under surveillance by the U.S. military, The Wall Street Journal reported Thursday, adding that video feeds from drones in Afghanistan also appear to have been compromised.
Meanwhile, a senior Air Force officer said Wednesday that a wave of new surveillance aircraft, both manned and unmanned, were being deployed to Afghanistan to bolster "eyes in the sky" protection for the influx of American troops ordered by President Obama.
This apparent security breach, which had been known in military and intelligence circles to be possible, arose because the Predator unmanned aerial vehicles do not use encryption in the final link to their operators on the ground.
Read more of "U.S. was Warned of Predator Drone Hacking" at CBSNews.com.
Adobe on January 12 will patch a critical hole in Reader and Acrobat that is being exploited in attacks. That date is the company's next scheduled quarterly security update release.
The zero-day hole, which affects Reader and Acrobat versions 9.2 and earlier, could crash the system and allow an attacker to take control of the computer.
Malicious Adobe Acrobat PDF files are distributed via an e-mail attachment that, when opened, executes a Trojan that targets Windows systems, according to Symantec. The rate of infection is extremely limited and the risk assessment level is very low, the company said.
Adobe decided to issue the patch in its regular cycle, in about four weeks, rather than produce an out-of-cycle release, which would take between two and three weeks to deliver and would push the regular quarterly update off schedule, the company said in a blog post.
"The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on January 12, 2010," Adobe's Brad Arkin wrote.
In the meantime, customers can use a new JavaScript Blacklist mitigation feature that allows for easy disabling of JavaScript, Arkin said.
"Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of [releasing the patch in cycle] to better align with their schedules," he wrote.
Meanwhile, Webroot analyzed the payload of the malware and found that it installs three files that look like Windows system files that are digitally signed with a forged Microsoft certificate. Unlike legitimate Microsoft-signed certificates, these lack an e-mail address and a time stamp, the company said in a blog post.
"Authors of Trojan horse apps rarely go to the trouble of digitally signing files in this way," writes Webroot researcher Andrew Brandt. "It's not clear why they would be digitally signing files, but clearly the person or people behind this are up to no good."
Updated 3:50 p.m. PST with Webroot finding forged Microsoft certificates in the malware.
Mozilla has updated its Firefox browser to patch three critical security holes.
Firefox 3.5.6 and 3.0.16 both fix earlier memory corruption issues. "We presume that with enough effort at least some of these could be exploited to run arbitrary code," the security advisory said.
In addition, the earlier version of Firefox 3.5 had two critical vulnerabilities in its technology for playing Ogg-format media, one with the liboggplay media library and one with the libtheora video library.
The patches are among 62 fixes in the new Firefox, software that's translated into dozens of languages and runs on multiple operating systems. Users of the OS/2 operating system will be delighted to know that problems with Firefox's full-screen mode and with print preview have been resolved.
"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting. By default, Firefox downloads updates automatically then prompts users to restart when it's ready; updates also can be retrieved through the "check for updates" menu option.
Mozilla plans to cease supporting Firefox 3.0 in January. Meanwhile, a significant update, Firefox 3.6, is due by the end of the year.
Correction 1:23 p.m. PST December 17: This story was corrected to note that it was the earlier versions of Firefox that suffered the vulnerabilities.
Facebook has sued three men, alleging they used phishing techniques to get access to Facebook user accounts and then sent spam from the compromised accounts.
The lawsuit was filed Monday in federal court in San Jose, California, and named as defendants Jeremi Fisher, Philip Porembski, Ryan Shimeall and the companies associated with them, Choko Systems, Harm, and iMedia Online Services, according to a Facebook statement late on Tuesday. The defendants could not be reached for comment.
The defendants are accused of launching at least four spam campaigns over the last couple of years, the latest of which, in the last three months, was responsible for nearly three-fourths of all spam on the site, according to the suit. The latest "escalated attack" included spam offering a colon cleanser, fake messages purporting to show a video of the recipient, and offers for recipients to make money through a fake "Google Campaign." Clicking on the spam typically sends a user through various marketing sites before landing them on a page that prompts for their Facebook log-in information.
It is unclear exactly how the Facebook log-in information, used to send spam to the victims' friends, was obtained.
Facebook has spent $5,000 combating the spam, according to the suit.
The lawsuit makes claims under the Can-Spam (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, the Computer Fraud and Abuse Act, the California Anti-Phishing Act and the California Computer Data Access and Fraud Act, according to Facebook.
This is the latest legal action the social networking site has taken related to spam. In October, Facebook was awarded $711 million in a judgment Thursday against self-described "spam king" Sanford Wallace.
The largest judgment ever under the Can-Spam Act was an $873 million award Facebook won in November 2008 against Adam Guerbuez, of Montreal, and his company, Atlantis Blue Capital.
Updated December 16 at 7:55 a.m. PST with details from the lawsuit.
This Google Doodle featuring the Esperanto flag was exploited by scammers to spread malware, according to Barracuda Networks.
(Credit: Google)
Online scammers are taking advantage of the public's interest in the Google Doodle to spread malware, a security firm warned on Tuesday.
In so-called "SEO poisoning," scammers use search engine optimization techniques to increase the distribution of malware. They create special malware-rigged Web sites or hide malware on legitimate Web sites they've compromised and then use tags associated with popular search terms to get them listed high up in search engine results.
Typically, scammers capitalize on public interest in news events or celebrities, targeting searches like "Swine Flu" or "Michael Jackson death." But in the latest twist on this technique, scammers are exploiting interest in the Google Doodle, the graphics that often take over the Google logo on holidays or to mark special events.
For instance, the doodle on Tuesday showed a flag for Esperanto, a universal language created by L.L. Zamenhof and based on parts of a variety of languages. Clicking on the doodle, located near the search box, brings up a list of search results for "L.L. Zamenhof."
Dave Michmerhuizen, a research scientist at Barracuda Networks, found 31 poisoned sites among the first 100 results, 27 of them in the first 50 sites alone.
On the first results page was a link leading to a compromised Web site that redirects visitors to a fake antivirus site, according to Michmerhuizen. That site displays a fake alert saying the computer might be infected and does a fake scan before prompting the user to pay for antivirus software, he said.
A Google spokesperson said the company had already removed many of the allegedly malicious sites from the index using manual and automated processes to enforce the policies.
"As you probably know, the use of popular search terms to target malware is neither a new vector nor unique to any particular search engine. We work hard to protect our users from malware, and using any Google product to serve malware is a violation of our product policies," the spokesperson said in an e-mail.
"Our Safe Browsing technology is capable of detecting malware being served from sites that have been compromised," the Google e-mail said. "In fact, as we've explained publicly, we have been seeing more infections coming from compromised sites" across the entire Web.
The compromised site on the Google Doodle-related search results page leads to a site selling fake anti-virus.
(Credit: Barracuda Networks)
Symantec on Tuesday confirmed a vulnerability in Adobe Acrobat and Reader and said it was being exploited by a Trojan hidden in e-mail attachments.
The malicious Adobe Acrobat PDF file is distributed via an e-mail attachment that "drops and executes when opened on a fully patched system with either Adobe Acrobat or Reader installed," Symantec said in a statement.
Symantec identified the file as Trojan Pidief.H, which targets Windows 98, 95, XP, Windows Me, Vista, NT, 2000 and Server 2003.
The rate of infection is extremely limited and the risk assessment level is very low, according to Symantec.
The exploit has been in the wild since at least last Friday, according to the Shadow Server blog.
"Several tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable," the post says. "We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad."
The vulnerability is in a JavaScript function within Adobe Acrobat Reader itself, the Shadow Server post says, before advising users to disable JavaScript.
Adobe posted a security advisory late on Tuesday saying that it had confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could crash the system and allow an attacker to take control of the computer.
Affected software is Reader 9.2 and earlier for Windows, Macintosh, and Unix, and Acrobat 9.2 and earlier for Windows and Macintosh, Adobe said. The company recommended disabling JavaScript to protect the system.
Adobe had said on Monday night that it was investigating reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild.
Adobe has increasingly had to deal with holes in and exploits targeting its popular software. Adobe issued updates in October that fixed nearly 30 holes in Reader and Acrobat 9.2. Earlier that month, Trend Micro reported on a zero-day exploit targeting Adobe Reader, as well as 9.1.3 and earlier versions of Adobe Systems' Acrobat.
In July, Adobe warned of attacks in which malicious PDF files were exploiting a vulnerability in Flash. And in April a new Reader hole emerged after Adobe fixed a two-month-old critical vulnerability in Adobe Reader 9 and Acrobat 9.
Updated 5:10 p.m. PST with Adobe confirming vulnerability.
Adobe warned of reports of an attack exploiting a hole in Reader and Acrobat on Monday.
"This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild," the company said in an advisory on its Security Incident Response Team blog. "We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information."
Three different security vendor partners reported the alleged exploit to the company on Monday afternoon, said Adobe spokeswoman Wiebke Lips. She said she could not provide more details.
Last week, Adobe released a critical update affecting Flash Player and Adobe AIR.
Meanwhile, some Macintosh users were reporting on the Adobe Forums site that they were having problems installing an update from October that resolved a critical vulnerability in Adobe Reader and Acrobat 9.1.3 that had reportedly been exploited in the wild.
Updated 6:01 p.m. PST with Mac user problems installing update.