TwitsMag Canada

Archive for the ‘Social Networking Spammers’ Category

Article Source: Toronto Sun

Twitter is working to prevent fraud scams on its site.

On its blog, the social networking site announced it will be filtering all links submitted to Twitter through a new service that “can detect, intercept, and prevent the spread of bad links across all of Twitter.”

Back in February, Twitter said it was working on helping members who had been victimized by a phishing attack. The purpose was often to obtain a username and password. The user would receive an e-mail or direct message with a link to a fake Twitter page, and once the person logged in, the scammers would have all the information they needed.

“Our trust and safety team identifies and deletes spam accounts every day. Still, we recommend against indiscriminately following hundreds or thousands of accounts without having a look first,” Twitter’s blog says.

Twitter says people won’t notice the new feature because “it works behind the scenes,” but they may notice links shortened to twit.tl in direct messages and e-mail notifications.

Article Source: PC World

A popular Twitter application used to measure the influence of Twitter users has been hacked and used to send spam messages.

Hackers broke into the Grader.com Twitter application Thursday and used it to spam the Twitter pages of people who enabled the service. Grader users found themselves sending a Twitter message that read “Biz Stone Promoting Twitter in 2006” and contained a link to a newly registered Web domain that hosted a video of Twitter co-founder Biz Stone.

The hackers appear to be trying to improve the search engine ranking of the domain Seonix.org, an online money-making site, which was registered on Thursday, said Rik Ferguson, a security researcher with Trend Micro who blogged about the incident.

Grader.com is a Twitter add-on that lets users measure how influential they are on the social media network.

The founder of Grader.com’s parent company, HubSpot, said his company was blocking the unauthorized messages, but he could not say how the compromise occurred.

“All indications are that security on one of the Grader.com applications (Twitter Grader) was compromised,” said Dharmesh Shah in an e-mail message. “As a result, an unauthorized third-party was able to post tweets on behalf of some of our users.”

“We have updated the system to not allow unauthorized tweets to be sent out anymore, and are working furiously to research the issue further and make changes such that it doesn’t happen again,” he said. “Security issues are never fun and we hate that this happened. Our apologies to all of our users and those that have trusted us.” The issue was “totally our fault,” he added.

Shah’s own Twitter account sent the Biz Stone spam message, as did the account used by Grader.com.

Twitter users caught a break this time because the Seonix.org Web site is not malicious, according to Ferguson. If they had wanted to, the hackers could have tried to install unauthorized software such as a Trojan horse program on the machines of anyone who clicked on the Seonix.org link.

It’s not clear how many people use the Grader.com service, but the company’s Twitter account is followed by more than 50,000 people.

The hack shows why hackers are increasingly interested in social media and the applications that work on sites such as Twitter and Facebook. “If you can pick an app that has a lot of users and find a way in, then it’s a real big bang for the buck,” Ferguson said.

Twitter has explained in greater detail the reason behind its decision to reset the passwords for some of its users on Tuesday after an external phishing attack. It turns out the problem, which Twitter first described as a “combination of multiple bad acts,” was part of a scam that may have exposed Twitter users who also visit torrent sites requiring login credentials. The incident also highlights, once again, that developing good password management habits is a crucial part of keeping your online identity secure.

Torrent Sites Open For Phishing Season

In a recent post on the Twitter Status blog, the company pointed to an unnamed Website designer as the main culprit behind the recent phishing expedition. For a number of years this designer had been creating Website templates for torrent sites and forums that require new users to create a login ID and password. The designer would then sell these Website templates to third parties who wanted to start their own torrent site or forum.

So the third-parties would set up their torrent sites, cataloging the latest music, film and software downloads, and people would begin signing up to use the service. But unknown to the site administrator, the unnamed designer had created a backdoor into the site allowing the designer to scoop up all the login credentials for the torrent site’s members.

After that, the designer took the login credentials and ran them against third-party sites like Twitter. Since many people use the same login information for multiple Websites and services, the site designer soon had access to a number of Twitter accounts. Even worse, the site designer left some gaping security holes in the design that allowed other hackers to exploit the sites.

One such exploit would prevent users from logging in to the torrent site and then redirect them to a different site where they were asked for their login credentials again. This way the hackers could collect login credentials and try to gain access to a user’s Twitter account using the same methods as the site designer.

Twitter has not said which torrent sites were victims of this scam, but the microblog is advising all users who are also members of any torrent site to reset their passwords. Twitter said there was a “high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts.” However, Twitter also said not all users who were sent password reset notifications were victims of the torrent scam.

Password Safety

This latest Twitter attack highlights, yet again, why practicing good password habits is so crucial. You likely know the password basics like avoiding common passwords such as ‘123456,’ or ‘password,’ which reportedly led to the RockYou data breach last month. You should also make sure you use a combination of letters and numbers, and the more random these combinations are the better. Your password should also be at least eight characters in length and should not include things like a common word, a name or part of your e-mail address.

But the problem with the Twitter hack wasn’t so much about password strength as password management. If you’re using one, two, or even three common passwords across all your services then you may be vulnerable to a similar attack. One of the best ways to defend against this is to use a password management program.

If you want something a little more low tech you could also consider writing down all your passwords on a separate piece of paper and keeping it somewhere safe (hint: not underneath your keyboard). A less secure, but more practical, option is to create a text file or spreadsheet listing all your passwords. But if you plan to go this route just make sure you don’t name your file something obvious like ‘passwords,’ ‘secrets’ or ‘keys to the kingdom.’

Article Source: PC World

Article Source: ZD Net UK

Twitter has temporarily disabled a feature based on Adobe Flash, after a security researcher demonstrated the feature could be used to hijack user accounts.

“We’ve been notified about a vulnerability in our Flash widget and out of an abundance of caution we’ve disabled access as we assess the situation,” Twitter said on Friday in an update on its status page.

The company said it was not aware of any attacks that had been carried out using the vulnerability.

Mike Bailey, a senior security analyst with Foreground Security, demonstrated the flaw on a dummy Twitter account on Friday. Bailey used an XML file hosted on his server to exploit the weakness and cause the dummy Twitter account to display: “@mckt_ just pwned my Twitter account. Neat.”

The exploit required that a user click on a link while logged in to Twitter, according to Foreground. As a result, Bailey was able to steal the user’s session credentials, giving him full access to the account.

The problem is with a Flash-based widget used to display Twitter updates on websites, according to Bailey.

Twitter said the problem does not affect the JavaScript version of the widget. “Please note that the JavaScript widgets are unaffected and are a good alternative for those of you who had been using the Flash version,” the company stated.

Bailey demonstrated the Twitter bug ahead of a talk called ‘Neat, New and Ridiculous Flash Hacks’ that he is scheduled to give at next month’s Black Hat security conference in Washington DC.

Twitter’s login credentials were used to make DNS changes that redirected surfers to a protest site last Friday, according to site admins.

Surfers visiting the micro-blogging website for about an hour early on Friday morning were instead redirected to a page on another site, boasting that Twitter had been pwned by a previously unknown group called the Iranian Cyber Army.

Twitter acknowledged its DNS records “were temporarily compromised” in a status page update, without going into the ins and outs of the hack.

Last night, DNS settings for the Twitter web site were hijacked. From 9:46pm to 11pm PST, approximately 80 per cent of traffic to Twitter.com was redirected to other web sites. We tweeted, blogged, and updated our status page last night. During the attack, we were in direct contact with our DNS provider, Dynect. We worked closely to reset our DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, not aimed at users—we don’t believe any accounts were compromised.

However, security experts involved in maintaining the site said Twitter’s own login credentials were used in the attack. Tom Daly, chief technology officer at Dyn, told Wired that attackers used a “set of valid Twitter credentials” to change DNS settings and redirect surfers.

The previously unknown group who carried out the attack wrote a message criticising US “interference” in recent Iranian elections, republished by TechCrunch.

Twitter became a notable outlet for dissent by Iranian protesters during the disputed elections earlier this year, a factor that may have led to its targeting by the presumably religiously conservative Iranian hacktivists (or government operatives) behind the attack.

Source: theregister.co.uk

Article Source: The Vancouver Sun

Twitter added a tool that lets users flag accounts of spammers at the globally-popular microblogging service.

Hitting a “Report as spam” button newly added to the Action section of Twitter pages alerts Twitter’s safety team to check out what, if anything, should be done about a purportedly abusive profile.

“Folks can now help us conquer spam by calling our attention to a profile they find questionable,” Jenna Dawn of Twitter said in a blog post.

“Once you report a profile it will automatically be blocked from following or replying to you. You nailed it!”

Twitter opted not to automate the feature so it can’t be used “to incite an angry mob against an account you don’t like.”


Twitter allows users to keep their accounts private

Article Source: V3.co.uk

Twitter was accused yesterday of giving Google access to private user accounts, apparently including high-profile micro-bloggers such as former US president Bill Clinton.

Google has been able to crawl through Clinton’s tweets and display them in search results, even though Clinton protected his accounts so that only chosen contacts could see his updates, according to a Los Angeles Times blog post.

However, it now appears that the Clinton tweets that Google displayed, which ranged from his thoughts on Hillary Clinton to John Edwards, have come from a fake Clinton account, appropriately named ‘notbillclinton’.

Commentators have also said that the other protected accounts to which Google apparently had access were probably not protected when they were first cached by Google.

If Twitter had an agreement in place with Google that allows it to search through all of its tweets, the news would be significant because it would have shown favouritism to Google over its major search rival Microsoft.

Earlier this month it was reported that Twitter was in talks with Google and Microsoft about allowing the search companies to license feeds from the micro-blogging service.

Twitter could not be reached for comment at the time of writing.

blocky.elliottkember.com


Here is a new application that can help you block the spammers on your Twitter account.

Enter your twitter username and password and the rest is done.

You have to confirm that you want to block the spammers, and a list will show up to help you decide. If you change your mind, you can always unconfirm. Very easy!

twitspam.org


All social networking websites, including Twitter, are exposed to spam, and there are always steps to be taken against it.

The purpose behind Twitspam is to stay ahead of any spammer and to eliminate the trend of social networking spam. Basically, Twitspam.org is a list of all spammers on Twitter that are reported to the administrators of the social networking sites. For Twitspam to achieve its goal, everyone should take action: if you encounter a user that you think should be added to this list, please send the information to spammers at twitspam.org.

Or, if you’re on Twitter, you can simply send a tweet that has the name of the spammy Twitter account and include the hashtag “#twitspam” or “#twitterspam” in the same tweet. We’ll find it if your Twitter account is public.

twitsmag.ca TwiTsMAG.CA is not owned, operated nor affiliated with Twitter.