Thursday, July 22, 2010

Cyberduped by Fake Sexy Cybergeek

This is another one about the perils of not being careful when using social networks. A security researcher set up a series of fake Facebook, LinkedIn and Twitter accounts, bearing information and a seductive mug shot of a young lady, posing as a Navy cyberthreat analyst.

The fictitous flirty little Sage, as the dupe was called, established links with around 300 - mostly men, not surprisingly, but also some women - in the U.S. military, intelligence and information security communities. Some of her new found "friends" even considered offering her a job, according to this story in Computerworld.

Interestingly, the flesh honeypot wasn't able to attract any attention from either of the two top notch schools - MIT and St. Paul's, a New Hampshire prep school - listed on LinkedIn to demonstrate her high educational pedigree.

It seems the prep schools were a bit more choosy in who they friend. "One of the things I found was that MIT and St. Paul's [prep school] were very cliquey. If they don't remember seeing you, they are not going to click. You had less of a chance of penetrating those groups than the actual intel and security communities," Thomas Ryan, the real person behind the phony social networker, was quoted as saying.

The lesson is simple and obvious: If you don't know them personally, don't friend them. No matter how cute, knowledgeable or well-educated they appear. Matahari has now moved to cyberspace.

Monday, July 05, 2010

Hackers Hit YouTube XSS Flaw

YouTube was attacked yesterday by hackers using a Cross-Site Scripting (XSS) vulnerability on its web site. Press reports indicate the flaw was fixed by Google, YouTube's owner, within a few hours.

The flaw apparently allowed the attackers to post JavaScript code in the comments section of videos. The attack redirected users looking for videos of Canadian singer Justin Bieber, alleging falsely that he was killed in a car accident. Twitter tweeted away that YouTube was hit by a virus.

Some more technical details were reported on Techie Buzz, and the Internet Storm Center at SANS mentioned the exploit could steal the cookies of YouTube users, which they said wouldn't be of much value.