Image via CrunchBase

More details are surfacing about the security breach at Yahoo that led to approximately 450,000 account logins and passwords being revealed online in plain text, including the fact that thousands of accounts with other services — Gmail and Hotmail among them — may also be exposed.

So how can you tell if you’re among the hacked? Tech Crunch has pointed to the security source Securi, a web monitoring site, where users can verify whether they’re among the victims of the leak.

Click here to visit Securi and see if your own information was compromised.

Other details that have emerged since the news broke are the most popular passwords that showed up in the leak. Dana Lengkeek, a spokeswoman for Yahoo, said in a statement published in the New York Times that most of the passwords being used were no longer valid: she estimated that less than 5 percent of them were.

And if that’s true, it’s a good thing since many of them violate standard password advice not to use predictable words, like “password,” for example.

Security blogger Anders Nilsson did some number crunching to establish the most commonly used passwords that showed up from users and “123456″ was the most popular choice, with more than 1,600 people having used it. Other standbys that people have been long advised not to use but that still appeared were, you guessed it, “password” which was the second most common and “welcome.” There are also 172 people out there who are apparently still fond of “qwerty.”

When LinkedIn was hacked last month and had 6 million user passwords stolen, their most popular list was noticeably different and included words related to the nature of the site itself: “link” “job” and “work” were all among their top five. However, there was still some overlap with the Yahoo list in that “1234″ was the second most frequently used.

This incident reinforces what security researchers have been telling web users in recent months: Choose secure, unique passwords and don’t reuse the same password for multiple accounts.

Source :- http://www.huffingtonpost.com

Just several weeks after Google’s controversial privacy policy changes went into effect on March 1, the company has

Image via CrunchBase

announced the arrival of a new feature called Account Activity.

According to a March 28 blog post by product manager Andreas Tuerk, this new offering will send you a monthly password-protected report laying out information such as log-in, email, and web search activity — essentially a collection of user dataGoogle has stored and is now sharing across many of its services, a move thatconcerned some consumer groups and users.

According to The Verge, the new feature works with both regular Gmail accounts and Google Apps users with custom domain names.

Signing up for the Account Activity beta will allow you to easily track how you’ve been using your Google account. For example, you can view devices and locations where you’ve logged in, what browsers and/or platforms you’ve used to do so and what authentication changes may have been made to your account.

In addition, you’ll be able to see the places you’ve visited and tracked through Google Latitude; stats and trends in the emails you’ve sent and received; and the types of searches you’ve conducted, along with your top queries.

LOOK:

Active YouTube users who have linked to their Google accounts can view how many videos they’ve uploaded in a month, which of them was most popular, and a list of viewers’ locations.

LOOK:

What do you think of Google’s new Account Activity feature? Let us know in the comments!

Source :- http://www.huffingtonpost.com

Related articles

• Google’s New Account Activity Feature Shows Your Shocking Addiction To Google Services (techcrunch.com)

Spamming your Twitter followers with links to diet sites, specious videos, or links to “pics”? You’re not alone.

From the slew of sketchy Direct Messages we’ve received from our followers and the numerous apologies popping up in our Twitter timeline, it seems that a large number of Twitter users have been compromised by spammers who are hijacking their accounts to share links to malicious sites.

What can you do if your account has been hacked? Twitter’s Help Center has a helpful guide to four steps you should take (Visit Twitter’s Help Center for more detailed instructions).

First, change your password by selecting “Settings” from the dropdown menu next to your account name, which is listed on the top right on Twitter.com, then navigating to the “Password” tab.

Next, make sure you’ve turned off access to your account for any suspicious-looking or unknown third-party applications. You can revoke access to any apps linked to your account under the “Applications” tab in the “Settings” page. Next, because you’ve changed your password, you’ll need to enter your updated password in any third-party applications you do want to have access to your account, such as Instagram or Twitter for iPhone.

After this, Twitter advises users to delete any tweets or Direct Messages that may have been sent while their account was compromised (Sending an apology to your followers and/or a warning not to click on any dangerous links you may have tweeted out is optional).

There are also numerous precautions that you can take to ensure your account isn’t hacked in the first place, something that often occurs because an untrustworthy third-party has managed to obtain your login information. Check out Twitter’s Safety Center for a guide to “safe tweeting,” and follow the official @Safety account for updates.

Generally speaking, if someone you follow sends a tweet that seems highly out of character (i.e. “Someone is posting a pic of you all over twitter ;( link2pic here” isn’t what I’d expect from my friend Julie), you should be wary of clicking on the link that’s included.

Malicious third parties often attempt to trick users by using shortened links that disguise the nature of the site they’re directing people to.

In an effort to crack down on this, Twitter recently introduced its own URL shortener on Twitter.com that preserves the first few characters of a domain so that people can have a sense of what site they’re being sent to before they click a link. For example, a link shortened via Twitter.com would read “bbc.co.uk/news/technolog…” instead of “http://goo.gl/oTzoc” or “http://bbc.in/q8U5GH.”

Users should also be choosy when it comes to entering their passwords on third-party sites and apps. Always check the URL of the site before you enter your login information–phishing sites often attempt to trick people into giving up personal information by replicating the color, theme and layout of legitimate websites (see Twittter.com, for example–but beware what you share).

Source :- http://www.huffingtonpost.com

Related articles

• MD Anderson oncologist’s Twitter account has been hacked (medicineandtechnology.com)
• T.co Will Reveal Twitter’s True Traffic Referral Power (readwriteweb.com)
• Twitter Configurations Now Available in the Sharing API (addthis.com)
• Braylon Edwards Pulls Out ‘My Twitter Account Was Hacked’ Excuse (sbnation.com)
• Is your Twitter account hacked and sending out ‘Beach Body’ spam? (blogoholic.in)
• Find Out Who Your Friends Are – When Twitter Account is Hacked [John Murray] (ecademy.com)

Image via Wikipedia

Another South Korean service provider has reported a large-scale data breach, leaking usernames and passwords for subscribers worldwide.

Late last month, cybercrooks made off with the personal information of up to 35,000,000 users of popular Korean sites Nate and Cyworld.

This time, it’s the turn of Seoul-based streaming media service GOMTV to suffer a data-spilling intrusion.

(That’s ‘GOM TV’, where GOM means Gretech Online Movies, not ‘GO MTV’, where MTV means Music Television. Gretech Corporation is the Korean legal entity which sets the terms and conditions and the privacy policy to which you agree when you sign up for GOM TV.)

According to GOM TV, the breach happened early in the morning of Friday 12 August 2011 Korean time; the company sent out a warning email to its subscribers on Sunday 14 August 2011. That’s not exactly immediate, but it sets a much better notification standard than the week which Sony made its users wait for information after the PlayStation Network was breached in mid-April.

Dear Valued GOMTV.net users:

We regretfully inform you that approximately at 2 AM KST, Aug.12th, there has been an attack against our web site, GOMTV.net.

We have found that some of the user information from GOMTV.net has been compromised from the attack. We suspect that the following information might have been exposed: name, location (country), e-mail address, GOMTV.net nickname and password.

Payment details and credentials were not exposed, as GOM TV outsources its payment services to PayPal. Unless, of course, you used the same password for GOM TV as you did for PayPal. (You didn’t do that, did you?)

GOM TV subscribers can pick their own password for the site itself, or can authenticate against Twitter or Facebook instead. As Gretech points out in its email: “Users who have signed up with Facebook or Twitter do not have to worry about changing their passwords as they did not have to enter separate passwords at the time of sign up.”

It sounds as though Gretech was storing passwords in a directly-recoverable form on its web servers. As we’ve said many times before on Naked Security, this is almost always unnecessary for online authentication.

You don’t need to save a user’s password permanently to be able to validate it later. Instead, you calculate and store a complex cryptographic hash of the password.

If a user can subsequently provide a password which produces the same hash, you have satisifed yourself they know the password they chose originally. You need to have the password very briefly in memory, but you never need to store it .

(Of course, you need to choose a satisfactory password-hashing system. Don’t try to invent your own. Use one which is already well-known and considered secure. Good places to start are the password hashing arrangements used by OpenBSD and Linux.)

As if that weren’t bad enough, GOM TV included a bright-and-shiny Click to change button in its notification email. The button doesn’t actually take you directly to the company’s password reset page, but it nevertheless sets a risky precedent, especially as it uses an unusual-looking redirect to take you to the company’s website.

Fake warnings which urge users to click on links in the email they’ve just received are the hallmark of scammers and phishers. Avoid doing the same thing in your own alerts: this discourages users from entering confidential data on web pages they have reached via uncertain links embedded in email.

Source :- http://nakedsecurity.sophos.com

Related articles

• Another Korean data breach – GOMTV.NET spills user account data, including passwords (nakedsecurity.sophos.com)
• Bethesda Forums Possibly Breached Again (escapistmagazine.com)
• Password alternatives may keep data safer (cbc.ca)
• Bethesda Forums Possibly Hit by Hackers (1up.com)
• PSA: Bethesda reports possible security breach, changed your password (joystiq.com)
• Security’s Fab Five (forbes.com)

Twitter users are being hit today by messages claiming to link to a new app from Twitter which will track your stalkers.

However, the messages are really designed to steal your Twitter usernames and passwords.

Here’s a typical message that users are seeing:

Twitter finally released an app that tracks your "Stalkers" get it here [LINK]

If you click on the link you are taken to what appears to be a legitimate Twitter page, asking you to confirm your username and password before the “Stalkers” app can access your account.

However, if you look at your browser’s URL you will see that the page is not hosted by Twitter at all.

If you make the mistake of entering your username and password then you will handing over the keys to your account to phishers, who would then be able to use your account to read your private messages, send messages (perhaps spam-related or containing malicious links) to your followers.

Worst of all, if you’re one of those people who uses the same password as you use elsewhere on the internet – you’ve now told the cybercriminals how to access, say, your Gmail, Hotmail or PayPal accounts as well.

If you found your Twitter account was one of those sending out the phishing messages, or if you made the mistake of entering your username and password, then you must change your password as soon as possible.

Not just on Twitter, but also make sure you’re not using the same password anywhere else on the net.

And remember, it’s important that you don’t use a word from the dictionary as your password. It’s easy to understand why computer users pick dictionary words as they’re much easier to remember, but as I explain in this video a good trick is to pick a sentence and just use the first letter of every word to make up your password.

You can always use password management software such as KeePass or 1Password to remember complex passwords if you find it too difficult.

There’s some other house-cleaning you should do on your Twitter account too. Visit the Applications tab in “Account Settings”, and revoke access for any third-party application that you don’t recognise.

Source :- http://nakedsecurity.sophos.com

Related articles

• Twitter finally released a “Stalkers” app? No, it’s a phishing scam (nakedsecurity.sophos.com)
• Twitter ‘Stalker app’ just a phishing scam (go.theregister.com)
• Hours later “Is This You?” DM phishing scam still flooding Twitter (thenextweb.com)
• I will NEVER ask for your password (windowsteamblog.com)
• Sticky Password Provides Effective Protection Against Phishing Scams (prweb.com)

Image via CrunchBase

Twitter is in the process of adding new features to its website that will helps you sort and view what users are saying about you and what is important to users within your network.

The changes are coming to the selection of tabbed streams (located under Twitter.com‘s tweet box), which let you isolate specific information from the main realtime tweet stream. Twitter will push more content to your @Mentions stream, which will now be called the @Username tab and will display your personal Twitter handle when it rolls out to your account. The site is also adding a new stream, which will live under a tab titled “Activity.”

The “@Username” tab will give you a look at who’s tweeting about you. When another user favorites one of your tweets, retweets a tweet you’ve posted or mentions your username in a new tweet, you’ll be able to view this activity from your @Username stream. This tab also lets you see when a user starts following you.

The “Activity” tab gives you a look at what else your tweeps are talking about–besides you. It will show tweets your followers are favoriting and retweeting. From here, you can also see when people you follow add new followers.

These features are similar to those offered by Twitter desktop app TweetDeck, which Twitter acquired in May.

TechCrunch calls these new additions “smart” and says that they “will make Twitter feel more alive.”

If the new features haven’t rolled out to your account yet, you can check out screenshots of what they’ll look like (below), courtesy of the Twitter Blog.

Source :- http://www.huffingtonpost.com

Related articles

• Twitter Comes Alive With Realtime Activity Streams (techcrunch.com)
• Show me more (twitter.com)
• Twitter Adds an Activity Stream (mashable.com)
• Twitter tries to get stickier by showing you more activity (gigaom.com)
• Your Twitter stream just got less noisy and more useful (thenextweb.com)
• Twitter Will Now Send You An Email If A Follower Retweets Or Favorites Your Tweets (blogoholic.in)

It’s only been a few weeks since the world’s web users woke up to discover a big black bar at the top of their Google search results (introduced when Google+ was launched).

Now, some users of Google search might start seeing something else close to the top of the world’s most famous home page.

The warning message reads:

Your computer appears to be infected.
It appears that your computer is infected with software that intercepts your connection to Google and other sites. Learn how to fix this.

At first glance, you might be worried when you see this message and think you could be on the receiving end of a fake anti-virus attack.

After all, haven’t you been warned hundreds of times in the past to trust the anti-virus software you installed on your computer, not unexpected messages that pop up on websites you visit?

All is explained in a Google blog post, however.

Damian Menscher, a security engineer at Google, describes how he identified that infected computers were sending search traffic through proxies to the search engine. The intention of the cybercriminals behind the scheme was to modify the search results served up by Google to point to money-making pay-per-click sites instead.

In all, Google estimates that a couple of million Windows PCs may be affected around the world by the strain of malware they are hoping to warn users about. The firm says that it’s already been able to successfully warn “hundreds of thousands of users”.

Fortunately, although Google does not scan your hard drive when you search for things via google.com, it can detect the unique traffic signature from visiting infected PCs and make a pretty informed guess about your computer’s health in regard to this malware strain.

Google is hoping that the warning message will encourage users to update their anti-virus software, scan their computers and become more conscious of security issues.

I think what Google is doing should be applauded – anything which warns computer users about genuine malware threats has to be a good thing.

But, sadly and inevitably, there is the potential for cybercriminals to mimic the Google warning and direct users to dangerous downloads and scams. Of course, that isn’t a reason why Google shouldn’t warn their users, when it believes it has identified a security problem.

The danger is that many people may know what their own anti-virus software looks like when it displays a warning, but may be less familiar with how the Google warning presents itself, and where it links to.

Furthermore, Google points users to visit one of its webpages for further advice on how to fix the problem.

So, always be careful about what you search for, and the links you click on when trying to find anti-virus software.

No-one should be fooled into believing that Google’s initiative is any substitute for regular anti-virus software and sensible security practices. Google is attempting to alleviate a very specific malware issue that communicates with its infrastructure.

Google, you get my thumbs up for an imaginative idea that could help with a small part of the malware problem.

Source :- http://nakedsecurity.sophos.com

Related articles

• Google: ‘Your computer appears to be infected’ (nakedsecurity.sophos.com)
• Google senses proxy requests to warn users of malware infestation (arstechnica.com)
• Malware Affecting Google Search in Windows OS (shoutmeloud.com)
• Your Computer Appears To Be Infected, On Google Search (ghacks.net)
• Google Warns Searchers Of Windows Malware Infection (informationweek.com)
• Google Warning Virus Victims (newser.com)

Image via Wikipedia

If you’re using Google+, you might have noticed that unlike many other social networks (such as Facebook and Twitter) there isn’t an option to create a vanity URL. Instead, each profile is identified by a long string of numbers in the URL (for example, 107030912810704099919).

According to Mashable, the reason Google+ doesn’t offer its own vanity URL shorteners is to keep out spammers who could possibly use that data to infer account information about the user. Google+ isn’t a standalone product, and elements of the social network will be baked into various Google products (including search and gmail), so it’s obvious why the company is placing so much importance on privacy.

The Wall Street Journal offers some additional insight into Google+’s security precautions, writing, “Google’s last social-networking attempt, called Buzz, blew up in its face over a privacy issue. The company has learned from that mistake, choosing to limit the number of users with initial access to Google+, in order to minimize damage if any problems popped up.”

For those users who simply must have a vanity URL for their Google+ profile, there is an alternative.

Mashable, notes that a newly launched web application called Gplus.to solves the problem of cumbersome URLs. For example, the service converts “https://plus.google.com/u/0/107030912810704099919/about” into an easy-to-read “Gplus.to/mrcoopersmith.”

CNET has created an instructional video with instructions on what to do.

Here’s a step-by-step guide to help you create your own personalized vanity URL:

1) Go to your Google+ profile (Open Google+ then click on your name)

2) In the URL at the top of the page, find the string of numbers that come directly after ‘plus.google.com/’ and before ‘/posts’ or ‘/about.’
Note: this is what you’re looking for: https://plus.google.com/#################/posts

3) Copy that string of numbers

4) Now, visit Gplus.to and paste the string of numbers into the appropriate field. You could also try using gplusID.

5) Where indicated, type in a nickname or shortener you want to replace the string of numbers with, and click ‘Add’.

6) That’s it! You’re done.

Source :- http://www.huffingtonpost.com

Related articles

• Adding Vanity URL for Your Google+ Web Page (edutekadvisor.typepad.com)
• Get a vanity URL for Google+ profile (techattitude.com)
• Get Unofficial Vanity URL Username for Google Plus Profile (madrasgeek.com)
• How to make your very own Google+ vanity URL (geek.com)
• Google+ has its minuses (news.cnet.com)
• Getting a user-friendly Web address on Google Plus (zdnet.com)

Twitter users are reporting receiving direct messages (DMs) from other members of the network, cheekily asking if it is them who is pictured in a photo, video or mentioned in a blog post.

Various versions of the dangerous messages include:

is this you in the video?

is this you in this picture?

check this out... it's a funny blog post. you're mentioned in it.

Clicking on the link attached to the message can take you to what appears, at first glance, to be the Twitter login page.

But take a closer look, and you’ll see that the website isn’t the real twitter.com. The url is wrong.

If you make the mistake of entering your username and password on the page, in the hope of seeing the picture or video or blog post about you, then you could be handing your login credentials to cybercriminals. They could then use the information to spread scams further across the network, spam out malicious links or use the passwords against other websites where you might use the same login details.

Del Harvey, who runs Twitter’s Safety team, says that Twitter is resetting the passwords of users who it believes have been hit by the phishing attack.

@delbius
Del Harvey

We’re resetting passwords for affected users; here’s the help page to check out about what you should do. support.twitter.com/articles/31796…

about 7 hours ago via Twitter for iPhoneReplyRetweetFavorite

If you use the same password in multiple places, it only takes one password to be stolen for fraudsters to be able to gain access to your other accounts and steal information for financial gain.

It’s also important that you don’t use a word from the dictionary as your password. It’s easy to understand why computer users pick dictionary words as they’re much easier to remember, but as I explain in this video a good trick is to pick a sentence and just use the first letter of every word to make up your password.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Password security is becoming more important than ever. Make sure that you’re taking the issue seriously, or suffer the consequences.

But, if you found your Twitter account was one of those sending out the phishing messages, you shouldn’t just change your password and consider if you are using the same password elsewhere. You should also visit the Applications tab in “Account Settings”, and revoke access for any third-party application that you don’t recognise.

Source :- http://nakedsecurity.sophos.com

Related articles

• Twitter phishing attack spreads via Direct Messages (nakedsecurity.sophos.com)
• Hours spent on Twitter? Don’t click on scam spreading virally on Twitter (pratyushkp.wordpress.com)
• The President is finally taking charge? No, a Facebook phishing attack (nakedsecurity.sophos.com)
• Unfollowed Me rogue application spreads virally on Twitter (pratyushkp.wordpress.com)
• Facebook phishing: Can you spot the difference? (blogoholic.in)
• Banned Lady Gaga video attack spreads on Twitter via rogue app (pratyushkp.wordpress.com)

Image via CrunchBase

First Google rolls out Google+, then redesigns Google Calendar, and now it’s fiddling around with Gmail.

Hidden in the Themes section of the interface and named “Preview” and “Preview (dense),” the clean look is more spread out than the classic Gmail interface, basking in white space that makes it easier to read.

According to Google’s official Gmail Blog, the idea was to “strip out unnecessary clutter and make Gmail as beautiful as it is powerful.” It’s all part of Google’s drive for a better experience that it calls “more focused, elastic and effortless” across each of its products.

The company says it will be gradually working on these new designs over the next few months. For now, you can get a sneak peak of the design you see here by going to the Themes tab in Gmail settings, and you’ll see the two new choices listed. The one at the top of this page is the “dense” version, and the other one is slightly more spread out.

Google’s calling these two preview themes “a sort of sneak peek” because it plans to make this design a permanent part of Gmail’s new interface, which “will eventually expand dynamically to accommodate different screen sizes and user preferences, but until then you can pick the information density that you prefer.”

Source :- http://mashable.com

Related articles

• GMail Got A New Interface And You Can Try It Now ! (netwidz.com)
• After Google Search, Gmail Joins The Redesign Club (techie-buzz.com)
• A preview of Gmail’s new look (gmailblog.blogspot.com)
• How to get the new Gmail right now (howto.cnet.com)
• New Gmail on the way, sneak peak now available (digitaltrends.com)
• Gmail gets Background Customization Feature (pratyushkp.wordpress.com)
• How to stop your Gmail account being hacked (blogoholic.in)