(Reuters) - Facebook Inc said on Friday it had been the target of an unidentified hacker group, but it found no evidence that user data was compromised.
“Last month, Facebook security discovered that our systems had been targeted in a sophisticated attack,” the company said in a blog post posted on Friday afternoon, just before the three-day Presidents Day weekend. “The attack occurred when a handful of employees visited a mobile developer website that was compromised.”
The social network, which says it has more than one billion active users worldwide, also said: “Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well.”
Facebook declined to comment on the motive or origin of the attack.
A security expert at another company with knowledge of the matter said he was told the Facebook attack appeared to have originated in China.
Twitter announced tonight that some of their systems were compromised, in what they described as “a sophisticated attack.”
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information - usernames, email addresses, session tokens and encrypted/salted versions of passwords - for approximately 250,000 users.
As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.
Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet. Make sure you use a strong password - at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols - that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords. For more information about making your Twitter and other Internet accounts more secure, read our Help Center documentation or the FTC’s guide on passwords.
We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java in their browsers. For instructions on how to disable Java, read this recent Slate article.
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
The irony is almost palpable: 4chan hit by DDoS attack, struggling to get back online.
The website 4chan was taken offline Sunday by a distributed denial-of-service attack, and the team behind 4chan is still struggling to get back online. On Sunday morning, 4chan’s status blog reported: “Site down due to a large DDoS attack. We hope to have it back up soon.”
There were reports yesterday that 4chan was accessible again, though moving incredibly slowly. We haven’t been able to access 4chan.org this afternoon, and 4chan’s status page was updated this morning with the message: “Site continues to be down due to a DDoS attack, consisting of a UDP flood on port 80.”
The 10th anniversary of 9/11 isn’t more important than the earlier ones or those yet to come, and we may only mark it as “special” because it’s a nice, neat number in our base-10 numeral system, but we feel an emotional need to mark it in some way nonetheless, don’t we? This is my attempt to do so.
Ten years. A decade. It’s not very long if you look at it in terms of evolution or even recorded history, but it’s a pretty good chunk of change when you consider that it’s approximately one seventh of the average human’s life expectancy. Time didn’t stop for us the way it did for those who were lost on September 11, 2001—we’ve woken up on 3,652 consecutive days since then and carried on with our lives as normal, even though it seemed that the world had completely changed on that day.
I don’t think the world changed so much as our understanding of it—and of ourselves—did. It took us years to overcome the initial shock, fear, pain, and rage that followed. Some people seem to be stuck there, but I think the vast majority of us have worked our way through that awful tangle of emotions and ended up better and stronger for the effort.
There were a lot of questions we had to ask ourselves: What does it mean to be an American? What does it mean to be a Muslim, and what are our responsibilities as American Muslims? What is patriotism, and at what point does it stop being patriotism and descend into jingoism and bigotry? How many of our freedoms are we willing to give up to feel safe? How many of our principal cultural values are we willing to bend or break to ensure our security, or perhaps more accurately, to mitigate the ever-present threats? I think we’ve already answered some of those questions, even if only through silent, look-the-other-way consent. We’re still working on the others. Sadly, though not surprisingly, we’ve also witnessed our collective trauma being used for political and monetary gain by the cynics and opportunists among us. That, to me, is unforgivable.
So, back to the point of writing this. I need a new tradition for this day, a way to extract something positive from it without forgetting the value of the innocent lives that were lost, or the bravery of those who gave their lives in an effort to save others. How to do that?
I’ll start by making 9/11 a television-free day. No more watching networks that are in a ratings race to see who can pull off the most tear-jerking tribute. No more video loops of planes crashing into the towers from every conceivable angle; of people running, screaming and crying, covered in ash and blood; of scorched earth and airplane parts in a field; of the awful cloud enveloping lower Manhattan when the towers fell; of smoking debris and a gaping hole in the ground as well as the skyline; of demonstrations and demagoguery. Enough.
There will be no more reading of hate-filled blogs or the latest manufactured political outrage on this day. No more arguing with anyone or engaging in snark of any kind. The attacks were the product of extreme hate & intolerance, and I want nothing to do with either of them in any degree today.
I’ll finish writing this, then I’ll grab some paper and sketch or paint something that makes me happy. I’ll spend time online looking for charities that foster the building of cultural bridges, or that seek to make life better for people in countries like Afghanistan, or maybe donate money to a local volunteer fire department.
Instead of being sad about the people who died, I’ll think of the last messages of love many of them sent to their families, and say a prayer for those survivors. I’ll be thankful for the brave souls on United Flight 93 who willingly gave their lives to save God only knows how many others. Maybe I’ll even call up my local police & fire departments and simply say “Thanks for being there.”
That’s it, that’s my new tradition for 9/11: Avoid the bad, the negative, the useless. Do only positive things, think good thoughts, and hope that my small efforts will help to neutralize some measure of the evil that exists in the world. It’s not much, but it’s all I’ve got. It certainly can’t hurt, and it’s better for my mental health.
P.S. I just called my local FD & PD and they were both quite surprised and happy to receive a simple “thanks” of acknowledgement. It was nice to hear the typically gruff Jersey voices go all soft and squishy for a few seconds. You really should try it—they deserve it, and I guarantee it’ll make you feel better today to hear the smiles in their voices.
As of about 9:00 pm Pacific, Yfrog.com has disabled posting pictures via MMS or email.
Yfrog says, “No problems here! Everything’s fine!”
One of Rachel Maddow’s viewers demonstrated today how incredibly easy it is to post a photo to someone else’s yfrog.com account without a password: The Maddow Blog - How one gal planted her boot on the throat of the internet and, with a mighty cry of ‘CAKE!’, slew it in 12 seconds.
Here’s the video of Rep. Anthony Weiner’s interview with Wolf Blitzer of CNN. I think he does a very good job of defending himself against an increasingly predatory media; he says very clearly that he did not post the photo and did not send the tweet.
Notice how Wolf Blitzer keeps yanking out the photo. At one point Weiner says, “I appreciate you continuing to flash that at me.”
After today’s revelation about how easy it is to upload photos to anyone’s yfrog account and automatically have a tweet posted, without even requiring a password, I believe him.
Here’s a fascinating new bit of information in the “Weinergate” (ugh) scandal. Apparently it’s possible for anyone to post a picture to anyone else’s account at the yfrog.com picture hosting site — without a password. The trick is to email a picture from a Blackberry to the user’s yfrog.com email address, with the word “@subject” in the text. This results in the picture being posted at yfrog — and a tweet being posted at Twitter with a link to the picture.
The full details are at Cannonfire, and it certainly appears convincing. I don’t have a Blackberry, but LGF reader “ElCapitanAmerica” tried the technique described in this post, and reports that it really does work.
This is compelling evidence that Rep. Weiner is being framed. There would have been no need to hack into his accounts because of this security hole.
It turns out that you don’t have to email from a Blackberry — you just need to use MMS to send the picture, from any device that supports the protocol. I’ve now confirmed that this technique also works on an iPhone.
It also turns out that this is not really a security hole in yfrog; it’s a documented feature that’s been public knowledge for at least 2 years.
Yesterday WordPress.com revealed that someone had hacked into several of their servers and gained root-level privileges — the most disastrous type of security breach, because with root privileges the hacker has access to everything on the system.
WordPress.com has revealed that someone has gained root-access (“low-level,” as in deep) to several of its servers this morning and that VIP customers’ source code was accessible. WordPress.com VIP customers are all on “code red” and in the process of changing all the passwords/API keys they’ve left in the source code.
“Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”
While Automattic is downplaying the leak, site source code includes API keys and Twitter and Facebook passwords, which can let interested parties gain access to sensitive information as well as shut people out of their Twitter and Facebook accounts, etc.