Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target’s Twitter account. Messages can then be sent to Twitter with the source number spoofed. Like email, the originating address of an SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number. Facebook and Venmo were also vulnerable to the same spoofing attack, but the issues were resolved after disclosing to their
Sumit Suman recently visited a site, did not sign up for anything, did not connect via social media, but got a personal email from the site the next day. I’ve learned that there is a “website intelligence” network that tracks form submissions across their customer network. So, if a visitor fills out a form on Site A with their name and email, Site B knows their name and email too as soon as they land on the site. It all started 2 weeks ago when I got a promotional email (anonymized to avoid promotion) offering to I get B2B marketing emails all the time but what caught my eye was the inclusion of a report snapshot for 42Floors.com showing names,
(Reuters) - Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action.
Known in the cybersecurity industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems.
Newly released malware PlaceRaider sounds like science fiction: It's Android malware designed to build 3-D models of users' apartments for burglars and assassins. But PlaceRaider--developed by a team at Indiana University--is very real. The new malware was built as an academic exercise, and it exposes security flaws that government agencies would love to use. More importantly, it also exposes unintended mobile functionality that large companies like Google could easily monetize. PlaceRaider, which was summarized in a recent arXiv paper, is a piece of “visual malware” which uses smartphone cameras, accelerometers, and gyroscopes to reconstruct victims'
An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho, Sept. 29, 2011. There have been security flaws in software as long as there has been software, but they have become even more critically important in the context of cyberweapons development. In the past, security researchers who stumbled on a software flaw would typically report the flaw to the manufacturer of the software, so it could be fixed. That changed, however, when
We've come across a malicious Olympic themed PDF earlier this morning while data mining our back end for documents which drop executables (those are never a good thing, unsurprisingly). The PDF exploits CVE-2010-2883, which affects older versions of Adobe Reader and Acrobat. A typical PDF exploit will launch a clean decoy as part of its attack, and in this case, the decoy is a copy of the London 2012 Olympic schedule circa October 2010. The original source PDF can still be found online at: london2012.com. The exploit attempts to make a network connection with a site registered to "
Several senior police officials and the former deputy interior minister of Georgia have been arrested on suspicion of spying on former opposition leaders and attempting to influence the result of October’s parliamentary elections. The arrests come after new prime minister Bidzina Ivanishvili’s coalition swept to power at the election, ending the nine-year rule of the government of president Mikheil Saakashvili, who remains in his post until October 2013. The 11 interior ministry officials and former deputy interior minister and current vice mayor of Tbilisi, Shota Khizanishvili, are accused of hacking their opponents’ PCs to illegally obtain personal
Editor’s note: Andrew Auernheimer, also known by his pseudonym weev, is an American grey hat hacker and self-described Internet troll. Follow him on Twitter @rabite. In June of 2010 there was an AT&T webserver on the open Internet. There was an API on this server, a URL with a number at the end. If you incremented this number, you saw the next iPad 3G user email address. I thought it was egregiously negligent for AT&T to be publishing a complete target list of iPad 3G owners, and I took a sample of the API output to a journalist at Gawker. I did this because I despised people I think are unjustly wealthy and wanted to embarrass them. I thought this
Today seemed like a fun day to write about a really cool vector for cross-site scripting I found. In my testing, this attack is pretty specific and, in some ways, useless, but I strongly suspect that, with resources I don't have access to, this can trigger stored cross-site scripting in some pretty nasty places. But I'll get to that!
Interestingly enough, between the time that I wrote this blog/tool and published it, nCircle researchers have said almost the same thing (