Twitter and New York Times clash with hackers for control of their sites

For a good chunk of Tuesday, website administrators at Twitter, The New York Times, and other high-profile media outlets appeared to be locked in a high-stakes battle with self-proclaimed Syrian hackers for control of their Internet domains. Just as quickly as twitter.co.uk, nytimes.com, and other domains were returned to their rightful owners, Internet records showed they'd be seized all over again and made to point to a Russian Web host known to cater to purveyors of drive-by malware exploits and other online nasties.

In between these dueling sides was Melbourne IT, an Australian domain registrar that managed the domain names not only for Twitter and the NYT, but also for The Huffington Post, which security researchers also said also experienced problems. Update: A spokesman for the company told The Australian Financial Review the outages were the result of a breach of its security. The login credentials of one of the company's resellers were compromised, allowing attackers to access servers and change settings that direct users to the correct servers.

One of the researchers following the clash was HD Moore, chief research officer of security firm Rapid7, who watched the struggle play out more or less in real time. At one point on Tuesday afternoon, his searches showed the official domain name servers for twitter.co.uk as being ns1.syrianelectronicarmy.com and ns2.syrianelectronicarmy.com. A half-hour later, the name servers had been changed back to the much more benign servers at a4.nstld.com, f4.nstld.com, g4.nstld.com, and l4.nstld.com.

Read 5 remaining paragraphs | Comments


    






New York Times, Twitter hacked as domain records altered

On Tuesday afternoon, The New York Times confirmed that its website was hacked, possibly by the Syrian Electronic Army (SEA), a Syrian pro-government group.

In a tweet, Eileen Murphy, a Times vice president for corporate communications, wrote: “initial assessment - issue is most likely result of malicious external attack. working to fix.”

The SEA has become increasingly aggressive in recent months, targeting English-language media, including the Financial Times’ Twitter account, the Associated Press, National Public Radio, and even The Onion, which detailed the takeover on its own site in May 2013.

Read 4 remaining paragraphs | Comments


    






iOS and Android weaknesses allow stealthy pilfering of website credentials

Image showing Facebook server exposing a security credential to an unauthorized Android app. It took Facebook several months to fix the vulnerability.

Computer scientists have uncovered architectural weaknesses in both the iOS and Android mobile operating systems that make it possible for hackers to steal sensitive user data and login credentials for popular e-mail and storage services.

Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.

The most serious of the attacks worked on both iOS and Android devices and required only that an end-user click on a booby-trapped link in the official Google Plus app. Behind the scenes, a script sent instructions that caused a text-editing app known as PlainText to send documents and text input to a Dropbox account controlled by the researchers. The attack worked against other apps, including TopNotes and Nocs.

Read 7 remaining paragraphs | Comments