
Thursday, March 4, 2010

Twitter Accounts for Video Game Characters

Everyone I know will think this one is funny. Except for my wife.

Via Geekologie


Tuesday, January 5, 2010

XSS Flaws in Twitter and Google Calendar

Darknet has the details on additional cross-site scripting flaws recently discovered in both Twitter and Google Calendar.

While the latest vulnerabilities were reported and rapidly remediated, how could they possibly exist, given the pounding web sites took in 2009 due to unmitigated XSS issues?

Are web-based application providers not routinely scanning their internet points-of-presence as part of their vulnerability management programs? Or are they turning around code changes and feature updates so rapidly that their change management practices suffer and there's not enough testing performed prior to moving code from QA?

Ah, the joys of attempting to secure cloud computing.

As vendors push more offerings from the desktop to the cloud, you'll see attackers moving there too. It is more likely that crooks will try to find one of the thousands of windows unlocked, allowing them to steal valuable data unseen, than it will be for them to try to kick down the door like they did five years ago.

Willie Sutton never actually responded to the question of why he robbed banks with, "Because that's where the money is!", but know this: Attackers don't waste time and money on an exploit unless the return is favorable.

When sites are vulnerable, it's an open invitation to unwanted activity. Expect the bad guys to take advantage.



Saturday, November 21, 2009

Humping and Barking

“We’re banned from the dog park. Well, I guess it’s okay to hump, and it’s okay to bark, but both at the same time freaks people out."

via shitmydadsays on Twitter



Creationists and Flu Shots

People who don't believe in evolution really shouldn't be allowed to get flu shots.

-Rainn Wilson, via DailyKos


Monday, November 16, 2009

Successful Twitter Attack Using SSL Renegotiation Flaw

When Marsh Ray discovered a vulnerability in the secure sockets layer (SSL) protocol that allows attackers to inject text into encrypted transmissions between two endpoints, we all knew it was only a matter of time until successful man-in-the-middle attacks leveraging the flaw began to pop up.

Now comes word that a Turkish grad student has successfully stolen Twitter login credentials as they passed through encrypted data streams, much to the consternation of researchers who had dismissed the newly discovered flaw as conceptually interesting but of little practical value.

By leveraging the SSL bug, Anil Kurmus demonstrated just how wrong those researchers had been, both in the simplicity of the attack and in the results that could be obtained:

Despite those limitations, Kurmus was able to exploit the bug to steal Twitter usernames and passwords as they passed between client applications and Twitter's servers, even though they were encrypted. He did it by injecting text that instructed Twitter's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted.

Now, Twitter is some seriously low-hanging fruit when it comes to an attack surface due to its architecture and the volume of third party applications that do a poor job of error handling and reporting to the user.

Twitter doesn't help their cause by including the username and password with every request sent through their site. Their API also makes it relatively painless to intercept the contents of the data stream and use it to the attacker's advantage.

To their credit, Twitter claims to have closed the hole that previously existed. Et tu, SSL?

To date, only OpenSSL has provided a patch to deal with the core vulnerability. Every other implementation has been dorking around secretly for months preparing the bug fix that will need to be rolled out internationally.

Next likely attack scenario? How about stealing authentication cookies associated with web mail accounts or social networking sites that specialize in sending and receiving messages?

If your confidence in the core security guarantee associated with TLS isn't shaken, it should be.
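The post above describes the attack only in outline: the man-in-the-middle's partial request gets spliced in front of the victim's real request, so the victim's headers (credentials included) land inside a body the attacker chose. The real fix belongs in the protocol (the secure renegotiation extension later standardised as RFC 5746), but an application owner can at least recognise the signature of a splice at the HTTP layer. The following Python script is an added example written for this page, not code from Twitter, Kurmus, or Marsh Ray; the host name, paths, credential string and the two request streams are all constructed, and the detector is a heuristic, not a substitute for the protocol fix.

```python
import re

# What a server application might see after a renegotiation splice: an
# attacker-supplied POST whose body is the victim's own request.  All values
# here are constructed for illustration (hypothetical host, fake credentials).
VICTIM_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: twitter.example\r\n"
    b"Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n"
    b"\r\n"
)
SPLICED_STREAM = (
    b"POST /statuses/update.xml HTTP/1.1\r\n"
    b"Host: twitter.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % (len(b"status=") + len(VICTIM_REQUEST))
    + b"status=" + VICTIM_REQUEST
)

# A legitimate status update for comparison (constructed).
BENIGN_STREAM = (
    b"POST /statuses/update.xml HTTP/1.1\r\n"
    b"Host: twitter.example\r\n"
    b"Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n\r\n"
    b"status=hello!"
)

# An HTTP/1.x request line appearing inside a body is the tell-tale sign.
REQUEST_LINE = re.compile(
    rb"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r?\n"
)
# Headers that carry credentials and would leak if the body is republished.
CREDENTIAL_HEADER = re.compile(rb"^(Authorization|Cookie):", re.I | re.M)


def split_request(stream: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    return request_line, headers, body[:length]


def spliced_request_findings(stream: bytes) -> dict:
    """Report whether the body of one request contains a second request.

    A plain mention of 'GET / HTTP/1.1' in user text does not count on its
    own; the finding records which credential headers follow it, which is
    what a responder needs to know.
    """
    request_line, headers, body = split_request(stream)
    match = REQUEST_LINE.search(body)
    if match is None:
        return {"suspicious": False}
    embedded = body[match.start():]
    leaked = CREDENTIAL_HEADER.findall(embedded)
    return {
        "suspicious": True,
        "outer_request": request_line.decode(),
        "embedded_request_line": match.group(0).strip().decode(),
        "leaked_headers": sorted(h.decode().lower() for h in leaked),
        "body_offset": match.start(),
    }


if __name__ == "__main__":
    for label, stream in (("spliced", SPLICED_STREAM), ("benign", BENIGN_STREAM)):
        print(label, spliced_request_findings(stream))
```

Note what the detector sees on the spliced stream: the outer POST carries no Authorization header at all, while the body holds a complete GET with the victim's credentials. That asymmetry (credentials in the body but not in the headers) is worth alerting on regardless of which API endpoint would have echoed the body back.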



Saturday, November 7, 2009

Big Ben Has A Twitter Account

Big Ben. The really big, really famous clock. In London.

Yeah. And 6000 followers, too.

Thursday, August 20, 2009

Best Use for Twitter Yet

You should follow @shitmydadsays, a collection of actual things that come out of a 73-year old dad's mouth, as compiled and Tweeted by his 28-year old son.

Examples:

"My flight lands at 9:30 on Sunday...You want to watch what? What the fuck is mad men? I'm a mad man if you don't pick me the hell up."

"I didn't live to be 73 years old so I could eat kale. Don't fix me your breakfast and pretend you're fixing mine."

"If your brother comes by, tell him I'm on vacation. I already told him that, but who knows with that guy. Are you listening to me? Fuck."

Via The Daily Dish


Wednesday, August 19, 2009

Oldsters Talking About Twitter


Gawker has thrown together a short video compilation of old people - reporters and journalists, doncha know - doing their best to discuss the Twitter.

I'm not sure which is more amusing - the fact that CSPAN has assembled a creaky, health care sucking coterie of coots blind to the fact that Twitter is accelerating their check-in date to a government-run assisted living facility for the irrelevant, or that CSPAN fails to realize they are unknowingly mocking the core personnel infrastructure that comprises their network.

Old People Talking About Twitter, via Gawker


Friday, August 14, 2009

Grumpy Old Senator Men?

I fully applaud people older than me embracing modern technology. I really do.

So why can't I look at this exchange between Senator Specter and Senator Grassley (he puts the ASS in GrASSley!) without the images of Walter Matthau and Jack Lemmon coming to mind?


Friday, August 7, 2009

Twitter Outage Causes Withdrawal For Users

When several sites - including Twitter and Facebook - underwent a Distributed Denial of Service (DDOS) attack this week, it wasn't long before aficionados of these social networking and communication sites were shocked to discover that what had begun as an easy way to push and pull information among friends and family had unknowingly transformed into an integrated part of their daily lives.

Suddenly, a day without Twitter was like a day without sunshine. My apologies to Anita Bryant.

It wasn't that long ago that face-to-face contact was the preferred means of keeping in touch with those close to us. Nothing was better than sharing a cup of coffee, or a tasty adult beverage, while we spent some time catching up. Since our list of people that we truly considered friends - people we thought to be coffee-worthy - was limited, those were special times to reconnect.

With the advent of email, it became easier to dash off e-notes to people, including those whom we most probably would not have bought a cup 'o Joe, but e-friends are different than real friends, so it seemed perfectly reasonable to share a summary of our comings and goings with them electronically. Since it took some time and effort to compose and send the email, we had to put a little thought into the information we were seeking to relate, because we didn't want to pen a 1 megabyte electronic missive. Who has the attention span to sit and read that?

Then came MySpace, Facebook, and most notably, Twitter, on cellular smart phones, that allowed all of us to provide quite frequent, and mostly unnecessary, updates to the scores of "friends", and they to us. We weren't that concerned with whether they had any real interest in knowing that we were eating Chinese food, or that we were having a Terrible, Horrible, No Good, Very Bad Day, because when they added us as friends, such updates became part of the unwritten, but underlying social dynamic: you read my drivel, and I'll read yours. At least I'll tell you that I read yours, but I'll really just skip past it to see if you posted any new pictures.

Twitter, particularly, with the 140-character limit, was perfect for the short-attention-span-theater crowd, and it gave the perfect excuse to jumble together words, semi-words, sentence fragments, and numbers into an almost indecipherable conglomeration of useless jetsam that could be rocketed to thousands of souls around the world with the click of a mouse. Hey, they asked for it.

With this week's DDOS, varying levels of cyber-panic set in among Twitter devotees. CNN reported the phenomenon thusly:

What may prove more lasting about the day social networking suffered its first major blackout is the degree to which people cared. Near-panic erupted in some corners of the Internet as people lost cherished links to their online friends, family members and news feeds.

Their story contained numerous anecdotes from those panicked and paralyzed:

Some people are mocking the blackout. A user named PaulWilks, for instance, wrote, "I took up juggling."

Others seem concerned. "I did absolutely nothing. It's like my heart was gone," wrote a user named HarajukuxBarbie. "I felt so empty inside," wrote another Twitter user called freinhar.

Now that Twitter is back online and the anxiety has subsided, have Twitter-users tossed away the keypads and iPhones, choosing instead to go outside, read a book, or call their closest friends to invite them for a latte so they can catch up on what was missed?

Of course not. Everyone is too busy following the most popular conversation thread, "whentwitterwasdown."

Image by xotoko via flickr


Wednesday, July 1, 2009

Month of Twitter Bugs - #1

It's July 1, so you know what that means - the month of Twitter bugs kicks off!

We already have our first, via TwitPwn - it's actually vulnerabilities in the bit.ly service that allows shortening of URLs for easy Tweeting. It was discovered that four XSS (Cross Site Scripting) vulnerabilities existed within the coding, and after being informed, Bit.ly fixed them all - sometimes after fixing them partially then having to go back and re-fix them completely.

TwitPwn gave bit.ly a very poor rating, as it took them nearly 45 days to repair some relatively simple XSS vulnerabilities.

Isn't this fun?


Tuesday, June 23, 2009

July 2009 - Month of Twitter Bugs

Hey, all you 140-character characters - better hold on to your hats during July.

A nice group of techies has decided to continue the tradition of "Month of 'X' Bugs" to bring you a full month of flaws and vulnerabilities that reside in Twitter.

Each day I will publish a new vulnerability in a 3rd party Twitter service on the twitpwn.com web site. As those vulnerabilities can be exploited to create a Twitter worm, I’m going to give the 3rd party service provider and Twitter at least 24 hours heads-up before I publish the vulnerability.

Should be an interesting month, given what happened when this occurred for browsers.

Month of Twitter Bugs


Thursday, June 18, 2009

Beware Bogus Twitter Invites

If you receive an email that claims to contain a Twitter invite, think twice before you open it.

Security firm Symantec is warning that there's a mass email worm floating around that seems to be an attachment containing such an invite.

Instead, the zip file, named "Invitation Card.zip", is loaded with the W32.Acknatta.B@mm worm that will infect your PC, including removable drives and shared drives, and also spread via your email address book.


You've been warned!
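The lure described above is a ZIP attachment whose only member is a program, which a mail gateway can refuse without knowing anything about the specific worm. The script below is an added example for this page, not Symantec's or anyone else's code; the archives it inspects are built in memory from constructed, inert placeholder bytes (no real executable or malware), and the extension lists and the quarantine policy are this example's own assumptions.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this example; a real gateway would tune these.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".vbs", ".js", ".jar", ".msi", ".hta"}
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples.  The "executable" is an inert placeholder string, not
# a program, so the fixture is safe to build anywhere.
LURE_ZIP = build_zip({"Invitation Card.exe": b"PLACEHOLDER-NOT-A-REAL-PROGRAM"})
DISGUISED_ZIP = build_zip({"Invitation Card.jpg.scr": b"PLACEHOLDER"})
BENIGN_ZIP = build_zip({"invite.txt": b"You're invited!"})


def risky_members(zip_bytes: bytes) -> list[str]:
    """List archive members a mail gateway should not deliver unchecked.

    Flags executable extensions, double extensions that hide an executable
    behind a document-looking name, and nested archives (which this example
    does not recurse into).  Raises zipfile.BadZipFile on unparseable input.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            # Normalise Windows-style separators so the last component is used.
            name = PurePosixPath(zi.filename.replace("\\", "/"))
            suffixes = [s.lower() for s in name.suffixes]
            if not suffixes:
                continue
            last = suffixes[-1]
            if last in EXECUTABLE_SUFFIXES:
                reason = "executable member"
                if len(suffixes) > 1:
                    reason = "double extension hiding executable"
                findings.append(f"{zi.filename}: {reason}")
            elif last in ARCHIVE_SUFFIXES:
                findings.append(f"{zi.filename}: nested archive (not inspected)")
    return findings


def verdict(attachment_name: str, data: bytes) -> str:
    """Assumed gateway policy: quarantine if any member is risky, or if a
    file named .zip cannot be parsed as one (a common trick to dodge scanners)."""
    try:
        findings = risky_members(data)
    except zipfile.BadZipFile:
        return "quarantine"
    return "quarantine" if findings else "deliver"


if __name__ == "__main__":
    for name, data in (("Invitation Card.zip", LURE_ZIP),
                       ("Invitation Card.zip", DISGUISED_ZIP),
                       ("invite.zip", BENIGN_ZIP),
                       ("Invitation Card.zip", b"not a zip")):
        print(name, verdict(name, data), risky_members(data) if data[:2] == b"PK" else [])
```

The check is deliberately content-agnostic: it never needs the worm's name or signature, which is the point of blocking a delivery mechanism rather than one payload. The trade-off is false positives on legitimate zipped installers, which is why the gateway policy is returned as a verdict for a human to override rather than silently dropped.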



Tuesday, June 9, 2009

Crazy Senate Twitter Geezer

Senator Chuck Grassley, in an attempt to show how rad and hep he remains even after spending 97 years in the Congress, has resorted to sending almost indecipherable Tweets that frankly seem a little beneath the dignity of a sitting U.S. Senator.


Ummm. What?

I see you've already imparted your wisdom on colleagues when it comes to solving America's energy problems, economic ills, reformed financial regulatory agencies, gotten to the bottom of the whole "torture" thing, and otherwise returned this country to a position of world leadership, and since you're just mopping up, you've got plenty of free time to send magic electronic word bullets from your fancy wireless talking pocket box.

Wonkette's Sara Smith has a nail of her own:

Remember back in 1780-something, when we had actual smart people writing our founding documents in beautiful longhand when they weren’t inventing new kinds of ploughs and bifocals and shit? Now our nation’s top legislators just type away like petulant teenage girls, with their thumbs, about how the president is so awful for spending the weekend in Paris.