How-To Geek

Week in Geek: Password Data for 250,000 Twitter Accounts Exposed in Sophisticated Hack

Our first edition of WIG for February is filled with news link coverage on topics such as Mozilla pulling the plug on auto-running nearly all plugins, booting Linux via UEFI bricking some Samsung laptops, Dropbox's new quick file previews for photos and documents, and more.

Weekly News Links

Security News

  • Twitter detects and shuts down password data hack in progress
    Twitter engineers shut down what they described as an “extremely sophisticated” hack attack on its network that exposed the cryptographically protected password data and login tokens for 250,000 users.
  • Mozilla pulling plug on auto-running nearly all plugins
    By default, Firefox will in future automatically run only content for the most recent version of Flash; every other plugin will default to “Click to Play”. The changes, announced on Mozilla’s security blog as a way to put users back in control of plugins, are intended to improve both the security and the stability of Firefox.
  • For second time in a month, Apple blacklists Java Web plugin
    For the second time in a month, Apple has effectively blacklisted the current version of the Java Web plugin on OS X. The block comes just days after it was discovered that the latest version of the plugin, which had been rushed out to patch a critical vulnerability, can still be exploited despite its heightened security mechanisms.
  • Oracle releases emergency patches for Java
    Oracle has released a large package of security updates for Java which addresses 50 vulnerabilities in both browser and server deployments. The “Critical Patch Update February 2013” (CPU) for Java had been scheduled, says Oracle, for 19 February, but because one of the vulnerabilities was being exploited in the wild, the company brought the release forward.
  • Millions of devices vulnerable via UPnP – Updated
    During a scan of the entire IPv4 address space, Rapid7, the security firm known for the Metasploit attack framework, discovered 40 to 50 million network devices that can potentially be compromised remotely with a single data packet. The linked article embeds a link to an easy-to-use online vulnerability scanner in its last paragraph.
  • Latest VLC version has dangerous hole
    The developers of the VLC video player have warned of a crash bug in the latest version, 2.0.5, of the application, which might be exploited to execute arbitrary code. The issue is in the ASF demuxer (libasf_plugin.*), which can be tricked into overflowing a buffer with a specially crafted ASF movie.
  • Path promises fix for grabbing geolocation data from photo
    Just as Path was trying to put its privacy woes behind it, a security researcher has caught the social network taking new liberties with personal information stored on iPhones and iPads. Path’s iOS app was found copying geographic locations embedded in photos and pasting them into user posts—even when location services have been disabled.
  • WhatsApp privacy practices under scrutiny
    The popular cross-platform mobile instant messenger contravened Canadian and Dutch data and privacy laws over the requirement to upload users’ phone numbers.
  • Eight-month WordPress flaw responsible for Yahoo mail breach: Bitdefender
    A cross-site scripting flaw that saw some Yahoo email users lose control of their accounts has now been traced back to a WordPress installation that was not patched for at least eight months.
  • Ubuntu 13.04 Online Search to Send the User’s Geographical Location
    Canonical will try to make Ubuntu 13.04 its best release so far and one of the ways to do that is by improving the Dash functionality and its online features.
  • Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit
    Security researchers from Trusteer have detected several malvertising campaigns, affecting multiple ad networks, which attempt to serve client-side exploits, ultimately dropping malware through the Black Hole Exploit Kit.
  • Anatomy of a phish – how crooks hack legitimate websites to steal your details
    Old-school phishing is where cybercrooks lure you into logging in to your bank account on one of their websites. When you enter your personally identifiable information (PII), as you would on the bank’s real site, it gets uploaded to the crooks instead of to your bank. The idea, of course, is that they then use the credentials they just stole to start draining your account.
  • Big Bank Mules Target Small Bank Businesses
    A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.
  • Enterprises using new tech to deceive hackers
    While honeypots are still the most widely used tactic to mislead and “bait” hackers, organizations are moving toward newer technologies that can trace and deceive cybercriminals.
  • Lost+Found: Demonic daemons, a bag of crap and Bill Shocker
    Too small for news, but too good to lose, Lost+Found is a compilation of the other stories that have been on The H’s radar this week. In this edition: a demonic SSH daemon, a bag of crap sent out in the nicest possible way, the Bill Shocker malware, the iOS 6.1 jailbreak, and The Onion deciding to be proactive.

How-To Geek Weekly Article Recap

Geeky Goodness from the ETC Side

One Year Ago on How-To Geek

How-To Geek Weekly Trivia Roundup

Akemi Iwaya (Asian Angel) is our very own Firefox Fangirl who enjoys working with multiple browsers and loves 'old school' role-playing games. Visit her on Twitter.

  • Published 02/3/13
