Hackers Compromise 2 Million Facebook, Twitter and Gmail Accounts


Login credentials for more than 2 million accounts on popular sites including Google, Yahoo, Twitter, Facebook and LinkedIn have been compromised after malware captured them from users' computers worldwide, according to a new report.

According to web security firm Trustwave, the attackers stole usernames and passwords for a range of sites over the past month using the Pony malware. That makes this different from a typical breach: the sites themselves were not broken into; the credentials were taken from infected end-user machines.


“Although these are accounts for online services such as Facebook, LinkedIn, Twitter and Google, this is not the result of any weakness in those companies’ networks,” said Abby Ross, a spokesperson for Trustwave. “Individual users had the malware installed on their machines and had their passwords stolen. Pony steals passwords that are stored on the infected users’ computers as well as by capturing them when they are used to log into web services.”


Bugcrowd Raises $1.6 Million To Expand Bug Bounty Marketplace


Crowdsourced bug bounty marketplace Bugcrowd has raised $1.6 million from investors to grow its community of 3,000 vetted security penetration testers who can find vulnerabilities and weaknesses in a new feature or application. The Australian startup is hoping to democratise the models commercialised by Facebook and Google, who have paid out millions of dollars to ethical hackers who find and report bugs in their software — before those vulnerabilities are exposed publicly.

Investors ICON Venture Partners, Paladin Capital Group, and Square Peg Capital, as well as angels, committed the seed round investment to expand its sales and marketing operations and expand the firm’s development team to build out the marketplace.

Bugcrowd and similar marketplaces, such as Danish firm CrowdCurity and Synack, which recently raised $1.5 million from Greylock and Kleiner Perkins, are democratising the crowdsourced penetration testing model, which has previously been available only to the biggest software companies that can afford to pay out millions of dollars.

The crowdsourced model allows companies to expose their applications and software to a diverse range of testers, discovering small bugs and vulnerabilities for a fraction of the price compared with contracting a security consulting firm to do the work.

Bugcrowd tailors bug bounty competitions for individual projects, while CrowdCurity says that it only charges for bugs that are found in the application.

The startup, founded by security researchers Casey Ellis, Sergei Belakomen and Chris Raethke, graduated from the Sydney-based Startmate accelerator program in 2011 and has been used by customers such as Australian retail giant Coles Myer, Rabobank and e-commerce platform provider Big Commerce.

Google recently increased the minimum rate it will pay for bugs, from $1,000 to $5,000. It revealed it has paid out almost $2 million to security researchers in the past three years, for discovering 2,000 security holes in its Chromium and web apps. Facebook also announced it had paid out $1 million to 329 security researchers. Earlier this year, Microsoft also (reluctantly) launched its own bug bounty program.

Don’t Install The Google Authenticator For iOS Update, Unless You Want Your Stored User Accounts Wiped


Google today pushed out an update to Google Authenticator for iOS, the two-factor authentication companion app that adds a second login factor to your Google account and to any other service you have enrolled in it. It is an update users will want to avoid for now: according to multiple tipsters who have contacted TechCrunch, it erases all of the app’s stored data and the accounts connected to it.

The Authenticator app works by generating a short-lived numeric code from a secret that each service shares with the app when you enrol; the code changes every 30 seconds, and you type it in alongside your password. That is the extra layer of security: an attacker who has your password still has to defeat the code check, which requires the secret held on your phone. It also explains why the bug below is so disruptive. The shared secrets are the only thing the app stores, and once they are wiped neither you nor the service can regenerate the other side’s codes.

Updating the app removes all of your existing accounts. Users complain in reviews of the update that they have lost their Dropbox, Google Apps, DreamHost, Twilio, Evernote and other tokens after updating and have had to re-enrol each service. It can leave you locked out of your accounts entirely and forced to contact support for a reset, which Dashlane co-founder Alexis Fogel tells us is already happening with his service, and at best it means a lot of unnecessary busy work to set up things that were already set up.

Chances are Google will roll out a bug-fixing update to this update that addresses the account wiping sometime soon, so the best course of action for now is to hold off on updating this specific application. Dashlane is also advising its users to disable Google Authenticator-based two-factor authentication before they update if they feel they must, but leaving the update uninstalled is still the best course of action. We’ve reached out to Google to see if they can provide a fix for anyone who has already updated, or if they have a timeline for when an update fixing the bug might be pushed out to the iOS App Store. We’ll update when we know more.

Update: The app has been pulled from the App Store, while Google works to resolve the problem.

Google Exploring Location-Dependent Security Settings For Smartphone Unlock


Google has a patent application published today (via Engadget) that would make the standard system of unlocking a device much more intelligent, using a smartphone’s built-in sensor to change your security settings on a sliding basis depending on where the phone finds itself. This would allow a user to make it easier to unlock a phone while in the comfort of their own home, while making it more difficult when the device is in a public place.

The invention is clearly designed to make it harder for a stranger or unwanted intruder to access your phone and its data where it may be easily lifted from your pocket or bag, in transit or in a public place like a cafe. In the end it is a convenience feature more than a security one, since the most secure option would be to use the most intrusion-resistant screen lock available at all times. Note, too, that the location signal itself comes from sensors and network data (GPS fixes, nearby Wi-Fi), which a motivated attacker can spoof, so a “familiar area” should only relax the lock, never remove it. But making things easier to access at home makes a lot of sense, in terms of decreasing friction and potential displeasure with the general user experience.

The patent as described also contains a provision that would allow for a third authentication method to be set for a second so-called “familiar area.” This would allow for a number of different possibilities, like setting different levels of security for home, work and the rest of the world, for instance. It’s a handy and noteworthy wrinkle in the patent app, since it could also make it possible to essentially set up a specific security profile required in professions where on-site security of data and mobile devices is paramount.

There are a lot of ways this could potentially be useful, in fact, and it’s one of those context-based features that Google seems to be focusing on with Google Now and recent updates to apps like Keep. In the future you may effectively have a different phone depending on where you go, and that is something most of the tech giants seem to be working on.

5 Security Tips for Facebook Mobile


You are your Facebook account. Public or private, its contents define you in a professional, commercial and social nature. Your photos are keepsakes, and personal messages can be confidential exchanges. Either way, it’s an identity you want to protect.

But you probably aren’t doing everything you can to secure your account. You can carry Facebook everywhere on your phone, but is it safe? Facebook Mobile leaves you more susceptible to attempted hijackings and identity theft.

Here are five ways to make sure there’s more than a phone case between you and a potential intruder.


Facebook ‘Trusted Contacts’ Needlessly Complicates Security


Mashable OP-ED

Facebook announced earlier this week a new feature called “trusted contacts” to help you get back into your account when locked out. Although it’s intended to make life easier by leaning on a few friends when you need re-entry (think lending out your spare house keys), the concept is a handful. In fact, you’ll need a special code from each of your trusted contacts (about three to five people) to get back into your account.

In theory this sounds like a strong way to triple-lock your account and keep anyone else out, but how is it any better than remembering the answers to a few security questions or using Facebook’s existing two-factor authentication feature?


Locked Out of Facebook? Now Your Friends Can Help


It’s common practice to give out spare house keys to a few trusted friends in case of an emergency, but would you take the same approach when it comes to backing up Facebook login information?

The social network on Thursday announced it is rolling out a new way to recover an account with a little help from your friends. Called Trusted Contacts, it lets you nominate three to five friends who, if you are ever locked out, can each obtain a recovery code from Facebook and pass it to you; the codes together let you back in. The friends do not get access to your account themselves.

The company first introduced the concept to a small test group in 2011 under the name “trusted friends.” Facebook has renamed it “trusted contacts” and increased security.
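To make the threshold idea behind this (and behind the op-ed’s question above about whether it beats security questions) concrete, here is an added example written for this page. Facebook has not published how its recovery codes are generated, and this is not its code; it models “any k of n contacts can recover, fewer learn nothing” with Shamir secret sharing over a prime field. The prime is the secp256k1 field prime; function names are chosen here.

```python
"""k-of-n recovery codes via Shamir secret sharing.

Each trusted contact holds one share of a recovery secret. Any `threshold`
shares reconstruct it exactly; any fewer are consistent with every possible
secret, so a single contact (or a compromised one) cannot recover alone.
"""
import secrets

P = 2**256 - 2**32 - 977   # prime field modulus; all arithmetic is mod P


def _poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, threshold: int, n_contacts: int):
    """Return n_contacts shares (x, y) of a random degree-(threshold-1)
    polynomial whose constant term is the secret."""
    if not (0 <= secret < P and 1 < threshold <= n_contacts):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n_contacts + 1)]


def recover(shares):
    """Lagrange interpolation at x = 0 over the shares provided.
    With fewer than `threshold` distinct shares the result is just some
    field element, not the secret."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def code_for_contact(share) -> str:
    """Human-transferable form of a share: index and hex value."""
    x, y = share
    return f"{x}-{y:064x}"


def share_from_code(code: str):
    x, y = code.split("-", 1)
    return int(x), int(y, 16)


if __name__ == "__main__":
    # Constructed recovery secret (in practice: random, bound to the account server-side).
    secret = int.from_bytes(b"recovery-token-0001", "big")
    shares = split(secret, threshold=3, n_contacts=5)
    codes = [code_for_contact(s) for s in shares]
    got = recover([share_from_code(c) for c in (codes[0], codes[2], codes[4])])
    print(got == secret)
```

A server would keep the secret (or a hash of it) and hand each contact their code only after the locked-out user asks for recovery; the scheme removes nothing from the need to verify that the requester is really the account owner.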


Google Extends Chrome Download Warnings To Include Files That Could Allow The Installation Of Malicious Extensions


Chrome will soon warn users when they are about to download software that could try to change how the browser handles extensions. Specifically, this extension to the company’s Safe Browsing system looks for binaries that could allow potentially malicious extensions to be installed in the browser without the user’s knowledge. This new feature will roll out within the next few days.

Last December, Google already disabled silent extension installations by default. According to today’s announcement, enabling this protection mechanism “resulted in noticeable performance improvements in Chrome and improved user experience.”

The new feature builds on this and also tries to prevent malicious extensions from ever making it into your browser.

Google says it will identify binaries that “violate Chrome’s standard mechanisms for deploying extensions, flagging such binaries as malware.” Most of these malicious extensions try to get around the silent-installation blockers, the company says, and once past them an extension can’t be uninstalled or disabled by the user. Some binaries, Google says, also manipulate Chrome’s preferences so that the browser accepts silent installs again, and they often come bundled with a malicious extension which they then immediately try to install as well.

Google says its “recent measures” will detect and block these kinds of malicious extensions, but it doesn’t go into detail about how exactly it plans to do so.
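Even without Google’s detection details, the footprint this kind of binary leaves in a profile can be audited locally. The following is an added example written for this page, not Google’s code: it reads the `extensions.settings` block of a Chrome profile’s `Preferences` file and flags extensions that arrived through an installer-side path rather than through the browser. The sample preferences are constructed, and the numeric location codes follow Chromium’s `Manifest::Location` enum as I understand it, which is an assumption to check against the source for the Chrome version you run.

```python
"""Flag Chrome extensions installed outside the browser's own flow.

Reads the JSON `Preferences` file of a profile (constructed here) and reports
extensions whose install location is an external preference file, the
Windows registry, an external download or the command line, plus any
"internal" extension that did not come from the Web Store.
"""
import json

# Assumed mapping of Chromium's Manifest::Location values.
LOCATION = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
# Paths an installer binary can use to drop an extension without the user
# installing it from inside the browser.
INSTALLER_PATHS = {2, 3, 6, 8}

SAMPLE_PREFS = json.dumps({  # constructed sample; Chrome IDs are 32 chars of a-p
    "extensions": {
        "settings": {
            "a" * 32: {"location": 1, "from_webstore": True, "state": 1,
                       "manifest": {"name": "Tab Manager"}},
            "b" * 32: {"location": 3, "from_webstore": False, "state": 1,
                       "manifest": {"name": "Search Helper"}},
            "c" * 32: {"location": 5, "from_webstore": False, "state": 1,
                       "manifest": {"name": "Built-in component"}},
            "d" * 32: {"location": 2, "from_webstore": False, "state": 0,
                       "manifest": {"name": "Coupon Toolbar"}},
            "e" * 32: {"location": 1, "from_webstore": False, "state": 1,
                       "manifest": {"name": "Sideloaded CRX"}},
        }
    }
})


def audit_extensions(prefs_text: str) -> list:
    """Return one finding per suspicious extension, in file order."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        loc = entry.get("location")
        reasons = []
        if loc in INSTALLER_PATHS:
            reasons.append(f"installed via {LOCATION.get(loc, loc)} (outside the browser)")
        elif loc == 1 and not entry.get("from_webstore", False):
            reasons.append("not from the Web Store")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": entry.get("manifest", {}).get("name", "?"),
                "enabled": entry.get("state") == 1,   # state 1 = enabled
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS):
        flag = "ENABLED " if f["enabled"] else "disabled"
        print(f"{flag} {f['id']} {f['name']!r}: {'; '.join(f['reasons'])}")
```

The audit only reads what the profile says about itself, so a binary that rewrites `Preferences` can also rewrite these fields. Pair it with a look at the external-extension sources Chromium documents (on Windows, the per-extension keys under `Software\Google\Chrome\Extensions` in the registry, and `external_extensions.json` on other platforms), since that is where the “silent install” entries the article describes are actually placed.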

Google Says Beefed-Up Security Measures Have Reduced Account Hijackings By 99.7% Since 2011


According to a somewhat self-congratulatory update that Google posted earlier today, it’s getting significantly harder for hackers to successfully compromise its users’ accounts. Google says it has “dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.”

As spam filters improved, Google writes, spammers learned around 2010 that the only way to get past these barriers was to use real accounts that users would trust, and this meant hacking into existing accounts to send spam from them. Now, using data available on the black market, Google writes, the company regularly sees these kinds of attacks, including, for example, “a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time.”


Once Google realized this was becoming a major issue, it beefed up its security efforts and now performs a “complex risk analysis” every single time somebody logs in to its systems. The company says it evaluates over 120 variables for every login and then decides whether to prompt a user for extra information like the user’s phone number before completing the login.
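Google has not published its 120-variable model, so the following is an added example written for this page rather than Google’s logic. It shows the shape of such a check with three signals the article names or implies: a device the account has not used before, a country it has not logged in from, and one source trying many accounts in a short window, which is the “million accounts a day” credential-stuffing pattern. The weights, thresholds, event format and names are illustrative assumptions, and the login stream is constructed.

```python
"""Risk-based login decisions over a stream of login events.

Each event is scored; a low score is allowed, a middling score is stepped up
(ask for the phone or 2-factor code), a high score is blocked. Wrong-password
attempts are denied and never teach the engine anything about the account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NEW_DEVICE, NEW_COUNTRY, STUFFING = 30, 25, 60   # illustrative weights
STEP_UP_AT, BLOCK_AT = 40, 80                     # illustrative thresholds
WINDOW = timedelta(minutes=10)
STUFFING_ACCOUNTS = 5   # distinct accounts tried from one source within WINDOW


def _ev(t, account, src_ip, country, device, ok):
    return dict(ts=datetime.fromisoformat(t), account=account, src_ip=src_ip,
                country=country, device=device, password_ok=ok)


EVENTS = [  # constructed sample stream, not real logs
    _ev("2013-02-19T09:00:00", "alice", "198.51.100.4", "US", "d1", True),
    _ev("2013-02-19T09:01:00", "alice", "198.51.100.4", "US", "d1", True),
    _ev("2013-02-19T09:05:00", "alice", "198.51.100.7", "DE", "d2", True),
    _ev("2013-02-19T09:10:00", "bob",   "203.0.113.9", "NL", "x1", False),
    _ev("2013-02-19T09:11:00", "carol", "203.0.113.9", "NL", "x1", False),
    _ev("2013-02-19T09:12:00", "dave",  "203.0.113.9", "NL", "x1", False),
    _ev("2013-02-19T09:13:00", "erin",  "203.0.113.9", "NL", "x1", False),
    _ev("2013-02-19T09:14:00", "frank", "203.0.113.9", "NL", "x1", False),
    _ev("2013-02-19T09:15:00", "alice", "203.0.113.9", "NL", "x1", True),  # stolen password
]


class RiskEngine:
    def __init__(self):
        self.devices = defaultdict(set)     # account -> devices seen on accepted logins
        self.countries = defaultdict(set)   # account -> countries seen on accepted logins
        self.attempts = defaultdict(list)   # src_ip -> [(ts, account)] inside WINDOW

    def evaluate(self, ev):
        # Source velocity: record this attempt, drop stale ones, count distinct accounts.
        bucket = self.attempts[ev["src_ip"]]
        bucket.append((ev["ts"], ev["account"]))
        bucket[:] = [(t, a) for t, a in bucket if ev["ts"] - t <= WINDOW]
        score, reasons = 0, []
        if len({a for _, a in bucket}) >= STUFFING_ACCOUNTS:
            score += STUFFING
            reasons.append("many accounts from one source")
        # Per-account history. An account with no history yet is cold-started on
        # its first accepted login instead of being challenged on device/country.
        if self.devices[ev["account"]]:
            if ev["device"] not in self.devices[ev["account"]]:
                score += NEW_DEVICE
                reasons.append("new device")
            if ev["country"] not in self.countries[ev["account"]]:
                score += NEW_COUNTRY
                reasons.append("new country")
        if not ev["password_ok"]:
            decision = "deny"
        elif score >= BLOCK_AT:
            decision = "block"
        elif score >= STEP_UP_AT:
            decision = "step_up"
        else:
            decision = "allow"
        if decision in ("allow", "step_up"):   # step-up assumed to succeed here
            self.devices[ev["account"]].add(ev["device"])
            self.countries[ev["account"]].add(ev["country"])
        return {"account": ev["account"], "decision": decision,
                "score": score, "reasons": reasons}


def run(events):
    engine = RiskEngine()
    return [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    for r in run(EVENTS):
        print(f"{r['account']:6} {r['decision']:8} {r['score']:3} {', '.join(r['reasons'])}")
```

In the sample the attacker’s final login carries a valid password, and a password-only check would let it through; it is the combination of an unfamiliar device and country with the source having just cycled through five other accounts that pushes it past the block threshold.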

Google recommends that its users enable extra security features, such as its 2-factor authentication system, and choose strong passwords. Most people, of course, don’t really do this, so chances are there will always be some accounts that will remain vulnerable to account hijacking.
