Consider the case of Rogelio Hackett, Jr., a 26-year-old hacker from Georgia who recently pleaded guilty to the theft of more than 675,000 credit cards. More than $36 million in damages resulted from his crime. Hackett targeted smaller organizations that had not coded their websites properly, leaving them open to SQL injection attacks. “He exploited SQL vulnerabilities,” say Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP. “And despite the fact that SQL injections are well documented, we’re still seeing companies that are getting hit and compromised by that kind of attack.”

This article on the Bank Information Security (BIS) blog gives further details:

According to court records, Hackett began his hacking career in the late 1990s by searching for and exploiting SQL vulnerabilities. More than a decade later, the same method of attack continued to reap rewards. “These SQL injections are allowing someone in through the side fence, not the front door,” Sabett says. Josh Corman, research director of the Enterprise Security Practice at The 451 Group, says SQL injections, oftentimes, go right through firewalls. “That’s why we need to look at application-level security,” Corman says. “Firewalls need to be augmented, with things like web-application firewalls.”

If you are a small business with an e-commerce site that stores transaction information in a SQL database, I would suggest you perform an immediate security audit to reveal any potential vulnerabilities in your system. You just don’t know where an attack may come from. It’s not like it used to be, with high-profile hackers and Eastern European crime syndicates leading they way. These days, it’s more like “disorganized crime.” Smaller, less spectacular crimes are able to stay under the law enforcement and card companies’ radars for longer periods.

Avivah Litan, distinguished analyst at Gartner Research, points out, Hackett’s case highlights how widespread and diverse hacking has become. “For every Rogelio Hackett Jr. that gets arrested, there are likely at least another dozen or more ‘Hacketts’ or ‘hackers’ that are not,” Litan says. (Source: BIS blog)

As the holiday period has begun, topics such as “Advent calendar,” “Hanukkah” or even “Grinch,” are among the most popular subjects used by hackers to entice users.

Thousands of tweets have been launched using holiday-related phrases, such as “Nobody cares about Hanukkah,” or “Shocking video of the Grinch,” along with short URLs pointing to malicious websites. To see an example of a tweet like this, please visit:  http://www.flickr.com/photos/panda_security/5226147792/.

Here are some timely (and evergreen) tips on keeping your computer safe over the holidays, or any time, especially if you use social media like Twitter, Facebook and the myriad of other sites out there:

1. Don’t click on links from non-trusted sources on any social media site or links you receive in email.
2. Investigate shortened links using the tips I gave you in Shortened URLs Can Hide Malicious Sites.
3. If you do click on a link and it arrives at a site you don’t recognize or asks you to download something, close your browser immediately. Do not accept any downloads you didn’t ask for.
4. Patch your system and update your antivirus signatures.
5. If you do download or install something and your computer starts acting strangely or launching pop-up messages and freezing up, check it with a free online scanner such as the one at www.activescan.com.
6. Make sure you are protected with a good antivirus and anti-malware program.

The latest news from Panda Security is their announcement of the the results of their First Annual Social Media Risk Index for SMBs, a study which surveyed 315 US businesses with up to 1,000 employees.

Highlights from the study include:

• 33% of SMBs have been infected by malware propagated via social networks
• 23% of SMBs cited employee privacy violations on popular social media sites
• 35% of SMBs infected by malware from social networks have suffered financial loss
• Facebook takes top spot for social networking-related malware infections, followed by YouTube and Twitter
• 57% of SMBs currently have a social media governance policy in place, with 81 percent of these companies employing personnel to actively enforce those policies

In addition, thirty-five percent of survey respondents that were infected by malware from social networking sites suffered a financial loss, with more than a third of those companies reporting losses in excess of $5,000.

“Social media is now ubiquitous among SMBs because of its many obvious business benefits, yet these tools don’t come without serious risks,” said Sean-Paul Correll, threat researcher at Panda Security. “In Panda’s first annual Social Media Risk Index, we set out to uncover the top SMB concerns about social media and draw a correlation to actual incidence of malware infection, privacy violations and hard financial losses. While a relatively high number of SMBs have been infected by malware from social sites, we were pleased to see that the majority of companies already have formal governance and education programs in place. These types of policies combined with up to date network security solutions are required to minimize risk and ultimately prevent loss.”

Is it any surprise that Facebook was cited as the top culprit for companies that experienced malware infection (71.6 percent) and privacy violations (73.2 percent)? I know that Facebook has taken some major steps to fix various privacy issues, but, hey, you still have to be very careful on there. YouTube took the second spot for malware infection (41.2 percent), while Twitter contributed to a significant amount of privacy violations (51 percent).

For companies suffering financial losses from employee privacy violations, Facebook was again cited as the most common social media site where these losses occurred (62 percent), followed by Twitter (38 percent), YouTube (24 percent) and LinkedIn (11 percent).

We were alerted of a new trending topic attack today on Twitter by a fellow threat researcher.  Like the past Twitter trending topic attacks, this one was heavily targeting recent news breaking items such as the suicide bombings in Moscow, as well as many other hot topics on the Internet today.

Correll unearthed some rather alarming statistics:

• 1,888 Twitter accounts (and growing) have been used to spread the attack URL
• 2,560 malicious tweets have been sent out
• The malicious links were clicked on 25,854 times
• 78% of victims came from the United States, 12% from Korea, and 8% from Germany

The high click-rate was in part due to sites like The Huffington Post inadvertently helping promote the malware campaign on the Internet by an embedded Twitter stream on its site.

More detail of Sean-Paul’s analysis can be found at the PandaLabs blog: http://pandalabs.pandasecurity.com/deep-dive-analysis-on-a-twitter-attack/

While searching for some relevant security news this morning, I came across this site. I started following immediately. What’s is all about? Let me let them tell you:

What is ExecTweets?
ExecTweets is a resource to help you find and follow smart people on Twitter. Created by Federated Media, in partnership with Microsoft, ExecTweets is a platform that aggregates the tweets of top business execs and IT pros and empowers the community to surface the most insightful tweets.

ExecTweets is brought to you by Microsoft and powered by Twitter. ExecTweets IT is, as you would guess, the Information Technology guys and gals at work. Get a load of the categories list:

• All Things IT
• Business Processes
• Cloud Computing
• Collaboration
• Communications
• Decision Making
• Desktop Optimization
• Mobility
• Open Source
• Operating Systems
• Security
• Storage
• Virtualization

You join the conversation (have your tweets displayed) by nominating yourself using the “Nominate an IT Pro” button. After you’re approved, your tweets related to IT should start showing up in the feed and other IT Pros can reply and retweet just like on Twitter.

Watch for my Security related tweets if you join.

My thesis is that the security situation with JavaScript is so poor that the only solution is to kill it. End users have very little in the way of protection against malicious JavaScript, major web sites suffer from XSS and CSRF flaws, the language itself allows appalling security holes, and as data moves to the cloud the 14 year old JavaScript security sandbox becomes more and more irrelevant.

I’ve been recommending that everyone use NoScript with Firefox for quite some time. Here’s my article from more than a year ago: Software for Secure Computing: Firefox & NoScript. Recent security updates to Firefox tend to reinforce this view since most of the workarounds for security flaws recommend disabling Javascript.

What do you think? Should Javascript be killed? Would this break 99% of the web sites out there?

Maybe it’s time for a new technology.

Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, therefore it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.

Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:

You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs – the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.

An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!)

The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.

Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1200 guesses per day. If a hacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses/2 hrs. limit, saying it’s robust enough. Considering that the Conficker worm’s password table needed only 200 entries to compromise many systems, it’s conceivable that many Gmail accounts could be compromised easily within slightly more than 2 hours.

Gmail does require a password of 8 characters or more, but it does no further parsing, so extremely weak passwords such as aaaaaaaa,  12345678 and the like, are allowed as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.

Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password using random upper- and lowercase letters, numbers and symbols. The trouble with those things is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of words and eliminate the spaces: St.Main555isaddressMy; eliminate all repeating letters and numbers: St.Main5drey; finally, make sure every other letter is shifted: St.MaIn5DrEy. That’s a very strong password.

If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app.

The tweets themselves are base64 encoded and when Nazario translated one of them, it was clear the encoded tweet was sending links to the bot.

Oddly enough, there’s no mention of this at http://status.twitter.com, but the account in question (well, one of them, at least—there are probably more), https://twitter.com/upd4t3, has been suspended, so it appears that  Twitter security folks are on the ball.

At least one of the vulnerabilities, MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908), is currently being actively exploited on the Internet; exploit code for MS09-043 – Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) has been posted publicly.

Get those patches installed ASAP!