Twitter Password Vulnerability

Reported: 4th May 2018

Twitter advised its 336 million users yesterday (Thursday) to change their passwords after it discovered that it had mistakenly stored them internally prior to fortifying them through a security technique, leaving the passwords vulnerable to hackers.

Parag Agrawal, Twitter’s chief technology officer, wrote in a blog post that users should also consider changing their passwords on other services if the passwords they used there were the same as on Twitter. The company also disclosed the password flaw in a regulatory filing on Thursday, indicating that the bug was serious enough to warrant more formal disclosure than a corporate blog post. Twitter has about 336 million users, according to its latest letter to shareholders.

Twitter CEO Jack Dorsey followed Agrawal’s post by tweeting that company has “no indication of breach or misuse.” He added that the company warned users because “it’s important for us to be open about this internal defect.”

Twitter did not say how many passwords were affected bit it is understood the number was "substantial" and that they were exposed for "several months". Twitter discovered the bug a few weeks ago and has reported it to some regulators, an insider said.

To change your password

Go to your Twitter account settings page, click password, enter your current password, and enter a new one. Remember to use a strong password. Don’t use a password you’ve used somewhere else. (And if you’ve used your Twitter password elsewhere, you’ll want to change it on those services, too.)

Further Reading: Creating Strong Passwords

Fake ad blockers in Chrome store had over 20M installs

Reported: 19th April 2018

If you can't find that ad blocker you recently installed from the Chrome Web Store, you might want to do some browser spring cleaning. Google has killed five top-ranking ad blockers after AdGuard published a report revealing they're fake extensions with extra code that harvest info on the websites you visit. They apparently send the data they collect to remote servers in order to manipulate Chrome's behavior. "Basically, this is a botnet composed of browsers infected with the fake adblock extensions," AdGuard wrote in its report. "The browser will do whatever the command center server owner orders it to do." 

Fake ad blockers have been fooling people since at least 2017 -- last year, 37,000 people installed a fake AdBlock Plus created by what SwiftOnSecurity called a "fraudulent developer who clones popular name and spams keywords." Like that AdBlock Plus impostor, the ones AdGuard discovered also spammed keywords to get to the top of the search results. Their creators simply ripped off legit extensions and added a few lines of malicious code hidden inside benign-looking images -- they didn't even bother thinking of creative names for their fake products.

Apparently, people don't care if an extension's name is something lazy and generic like "AdRemover" and will download it, so long as it's somewhere near the top. According to AdGuard, the fake ad blockers managed to trick over 20 million users into installing them. So, how can you avoid fake extensions going forward? AdGuard says the best way to protect yourself is to check an extension's author and making sure that it's a company you can trust.

Netwise 19.04.18

Phishing E-mail Alert.

Reported: 10th January 2018

The latest phishing e-mail looks like it comes from the Microsoft Team. Actually it comes from a dodgy hotmail account and looks like this

Don’t hit the link to upgrade your mailbox quota and do not reply to the message, it is an attempt to steal your credentials.