More than 400,000 Yahoo Inc user names and passwords were stolen and published on the Web, exposing other websites to risk as well, after hackers exploited a vulnerability in Yahoo’s computer systems.
Some logins for Google Inc, AOL Inc and Microsoft Corp services were among those compromised. The three companies said they required affected users to reset passwords for sites including Gmail, AOL, Hotmail, MSN and Live.com.
Yahoo issued a statement apologizing for the breach, the latest setback for a company that has lost two chief executives in a year and is struggling to revive stalled revenue growth.
Chairman Alfred Amoroso acknowledged that Yahoo had experienced a “tumultuous” year at its annual shareholder meeting on Thursday morning. Interim CEO Ross Levinsohn told attendees he was optimistic about the company’s progress.
The breach prompted criticism from security experts who said that a major Internet firm like Yahoo should do a better job at protecting user data.
“This points to some very lax security practices,” said Rob D’Ovidio, associate professor of criminal justice at Drexel University.
As an example, he noted that the hackers were able to produce more than 400,000 cleartext passwords within a day. That indicates that Yahoo either did not encrypt them at all or used an encryption method that was easy to crack, he said.
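The point D’Ovidio makes above turns on how the passwords were stored. The following is an added example, not code from Yahoo or from the article: it contrasts unsalted fast hashing (MD5) with salted, iterated hashing (PBKDF2-HMAC-SHA256) and runs a small dictionary attack against each. The wordlist, the victim passwords and the function names are constructed for the illustration and are not real leaked data.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a cracker's dictionary (not real leaked data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "sunshine"]


def weak_store(password: str) -> str:
    """Unsalted MD5: one fast hash per password, identical for every user who chose it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password: str, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries what is needed to verify."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(hashes):
    """Dictionary attack on unsalted hashes: hash each word once, then look up every victim.
    Returns (cracked mapping hash->password, number of hash computations performed)."""
    table = {weak_store(word): word for word in WORDLIST}
    cracked = {h: table[h] for h in hashes if h in table}
    return cracked, len(WORDLIST)  # cost does not grow with the number of users


def crack_salted(records):
    """Same attack on salted PBKDF2 records: every word must be rehashed per user, slowly.
    Returns (cracked mapping record->password, number of PBKDF2 computations performed)."""
    cracked = {}
    attempts = 0
    for record in records:
        for word in WORDLIST:
            attempts += 1
            if strong_verify(word, record):
                cracked[record] = word
                break
    return cracked, attempts


if __name__ == "__main__":
    victims = ["password", "letmein", "correct horse battery staple"]  # constructed
    found, cost = crack_unsalted([weak_store(p) for p in victims])
    print(f"unsalted MD5: {len(found)}/3 cracked with {cost} hash computations")
    found, cost = crack_salted([strong_store(p, 20_000) for p in victims])
    print(f"salted PBKDF2: {len(found)}/3 cracked with {cost} slow computations")
```

With unsalted hashes the attacker hashes each dictionary word once and matches it against the whole dump at lookup speed, which is how hundreds of thousands of passwords can be recovered in a day. A per-user salt forces one computation per word per user, and the iteration count makes each of those computations deliberately slow.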
Yahoo spokeswoman Dana Lengkeek said “an older file” had been stolen from Yahoo Contributor Network, an Internet publishing service that Yahoo purchased about two years ago. It helps writers, photographers and videographers to sell their work over the Web.
“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised,” she said.
Weaknesses in Twitter’s security became apparent on the U.S. Independence Day holiday, July 4, when a still-unidentified hacker took control of a Fox News Twitter account and posted false tweets claiming that U.S. President Barack Obama was dead.
While the hijacking of Twitter accounts is not new, the false tweets about Obama generated headlines around the world.
The Secret Service is investigating the matter. Fox News has said it does not know how the attacker gained control of its account, but complained that it took Twitter more than five hours to return control of the account to Fox.
“What Twitter needs to do now is to commit to a thorough review of their security practices,” said Daniel Diermeier, a professor at Northwestern University’s Kellogg School of Management. “For Twitter this is a very serious problem.”
Security experts said the attack might have been prevented if Twitter had offered two-factor authentication technology to secure its accounts.
In two-factor authentication systems, a user must enter a second, one-time code in addition to a fixed password to access their account. The code changes every 30 seconds to a minute and is generated by, or sent to, a cell phone or other device the user holds, so a stolen password alone is not enough to log in.
Google Inc and Facebook already offer two-factor authentication to confirm the identity of users.
Security experts said Twitter could soon come under pressure to do so as well, particularly from influential users such as politicians, major corporations or news outlets.
On June 5, Google removed 10 apps from the market after Xuxian Jiang, an assistant professor in computer science at North Carolina State University, reported his findings to the company.
Jiang published an analysis of the malicious code, dubbed “Plankton,” in a blog post last week.
Andrew Brandt, lead threat research analyst at Webroot, has also analyzed Plankton.
“It has the ability to remotely access a command-and-control [C&C] server for instructions, and upload additional payloads,” Brandt said in an interview Friday. “It uses a very stealthy method to push any malware it wants to the phone.”
Unlike other code embedded in apps that have appeared in the market, Plankton doesn’t rely on a vulnerability to “root,” or gain complete control of the smartphone, said Brandt. Once the victim has downloaded the bogus app, however, Plankton can call in other files from the hacker-controlled server, including ones that would exploit one or more unpatched Android bugs.
Plankton also harvests data from the phone, including the bookmarks, bookmark history and home page of the device’s built-in browser.
All 10 of the apps that Google pulled after Jiang’s report purported to be add-ons or cheats for the popular mobile game “Angry Birds” from Finnish game company Rovio. None of the apps actually provided their promised functionality, however, but were simply the delivery vehicles for Plankton.
Also on June 5, Jiang told Google of finding apps infected with “DroidKungFu” on unauthorized Chinese app stores, then two days later followed with a report of “YZHCSMS,” a Trojan horse that racks up bills by sending hidden text messages to premium numbers.
Malicious apps have become a persistent problem for Google, which has had to scrub the market several times since early March, when it pulled more than 50 programs able to compromise phones and remotely issue them commands.
A child’s worst nightmare, an authority figure with eyes in the back of their head, is about to come to fruition: a New York University photography professor is taking the idea of turning the lens around on himself to a literal extreme.
Assistant professor Wafaa Bilal is implanting a camera in the back of his head as part of a project commissioned by a new museum in Qatar.
Bilal will undergo surgery to have the camera implanted in coming weeks (the camera itself will actually be affixed to a piercing-like attachment) and will wear his camera for a year as it snaps still pictures at one-minute intervals, beaming them live to the Mathaf: Arab Museum of Modern Art in Qatar for visitors to observe. The artwork, titled “The 3rd I,” is intended as “a comment on the inaccessibility of time, and the inability to capture memory and experience.” So says the museum, anyhow.
Naturally, this opens up all kinds of privacy issues with regard to Bilal’s students and their rights in the classroom, and the university is sorting through those right now. But frankly, the cyborg-esque nature of the project is undeniably cool, and that’s really the only thing separating this from those “life-blogging” cameras some people hang around their necks to capture the minutiae of their daily existences. That, and 180 degrees.