Category Archives: Uncategorized

DOSarrest begins Offering Vulnerability Testing and Optimization

VANCOUVER, BRITISH COLUMBIA–(Marketwired – Aug. 14, 2013) – DOSarrest Internet Security announced today that it will begin offering a website Vulnerability Testing and Optimization ( VTO ) service. The services is a comprehensive test that will intelligently crawl a website and find any vulnerabilities in the site’s coding, as well as analyze the structure of the website to see what can be optimized for better performance, all for a safer and better web experience for your visitors. The Vulnerability portion of the scan is able to analyze web code while it is being executed, even for a very large site with dynamic pages, and test with the most advanced SQL Injection and Cross Site Scripting (XSS) analyzers. A report is provided at the end that details all identified security breaches and the line of code that is the culprit as well as how to fix it. A secondary Optimization scan is executed again on all pages within a website, applying best practice rule sets which identify what elements and design structure can be optimized, and how to do it. A DOSarrest security specialist will walk the customer through the report and retest if necessary. “Our customers have come to greatly appreciate our efforts, to not only protect them from DDoS attacks, but to also assist their IT operations in securing their web servers in house “, says Jag Bains, CTO of DOSarrest. Bains, goes on to state “We’re able to leverage our experience and expertise to provide our customers a framework for securing their operations. With web application hacking on the rise, the VTO service is taking our customer partnerships to another level.” More information on this service can be found at: http://www.dosarrest.com/en/vulnerability-testing.html . About DOSarrest Internet Security: DOSarrest founded in 2007 in Vancouver, BC, Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services. Their global client base includes mission critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Their innovative systems, software and exceptional service has been leading edge for over 6 years now.

More here:
DOSarrest begins Offering Vulnerability Testing and Optimization

May 7 2013 – OpUSA hacking spree kicks off early

Islamist element in attacks. A pro-Islamic, anti-American hacking campaign appears to have jumped the gun and started early with hundreds of sites being compromised today. Set to take place on May 7 this month – thought to be US time – and targeting government sites in the US, Israel and India, the campaign is called #OpUSA. It is coordinated mainly through Twitter and postings on sites like Pastebin, with an unknown amount of participants. However, lists of compromised sites are already apppearing, with a group called “X-Blackerz Inc” claiming to have hacked “100 US websites”, posting anti-American messages. iTnews loaded some of the sites listed which have India-related domain names, and found them defaced. Elswhere, a group calling itself Charaf Anons posted a list of 73 defaced sites on Pastebin. The website of the Honolulu, Hawaii Police Department was also claimed to be hacked, but as of writing, it is not defaced and operates normally. However, the hackers say they have captured databases that include the Honolulu Police Department staff logins and passwords. Another one was also posted with names and phone numbers that iTnews was able to verify as belonging to police officers in Honolulu. There is more to come: on May 7, the hackers are threatening to release a trove of “all governments emails of USA” [sic] captured by them. From the Anonghost Twitter account Security researcher Analysis Intelligence believes OpUSA features “self-proclaimed online freedom fighters” such as the Pakistani ZCompany Hacking Crew and Palestinians Izz ad-Din al-Qassam Cyber Fighters. These and other groups have hacked thousands of websites in the past, leaked credit card information for American and Israeli individuals and launched denial of service attacks against US banks, according to Analysis Intelligence. The motive for the OpUSA attacks are political, seeking revenge against drone attacks and military action in Iraq, Afghanistan, Gaza and Pakistan, the analysts believe. For DDoS protection click here . Source: http://www.itnews.com.au/News/342192,opusa-hacking-spree-kicks-off-early.aspx

See more here:
May 7 2013 – OpUSA hacking spree kicks off early

Amid banking DDoS attacks, Obama convenes cybersecurity meeting with CEOs

President Barack Obama is shining yet another light on the rising cybersecurity threat in the US, sitting down with more than a dozen CEOs inside the White House Situation Room to discuss how government and the private sector can work together to better protect the nation’s citizens and critical infrastructure. “What is absolutely true is that we have seen a steady ramping up of cybersecurity threats,” Obama said in an interview on ABC’s Good Morning America . “Some are state-sponsored [and] some are just sponsored by criminals.” The timing could not be more apropos: Tuesday offered a bumper crop of cybersecurity red flags to add weight to the president’s statement. For one, a top US official told the Senate Intelligence Committee that cyber attacks are becoming the top global threat. It’s “grown to be right up there” with terrorism, said FBI director Robert Mueller, who said cybersecurity risks now keep him awake at night. Ironically, Mueller, along with First Lady Michelle Obama, Vice President Joe Biden and other political targets were made the victims of a doxxing campaign, which published online supposedly authentic personal information like mortgage statements and credit reports. Meanwhile, JPMorgan Chase and five other banks were hit with denial of service (DDoS) attacks in a renewed offensive on the financial industry yesterday. Attacks on banks have become an ongoing issue, spearheaded in 2012 with the launch of “Operation Ababil” by Islamist hacking collective Izz ad-Din al-Qassam. That attack wave was in protest of “The Innocence of Muslims,” an anti-Islam video that mocked the Prophet Muhammad. On New Year’s Day the group said that that the cyber-attacks will continue, noting in an online manifesto that “rulers and officials of American banks must expect our massive attacks! From now on, none of the U.S. banks will be safe from our attacks.” Indeed, attacks in February and last week have continued the trend, with Chase becoming the latest victim of a website slowdown. In January, a Ponemon Institute survey revealed that more than two-thirds of banks in the US have suffered DDoS attacks within the last 12 months. Gen. Keith Alexander, head of the Pentagon’s US Cyber Command, told Congress at Tuesday’s hearing that Wall Street firms were hit by more than 140 attacks in the last six months. Chase confirmed that CEO Jamie Dimon is among those accepting the president’s invitation to the meeting. Another participant will be Exxon Mobil CEO Rex Tillerson, the oil giant confirmed, but the rest of the group will not be revealed until after the summit, the White House said. Obama issued an executive order Feb. 12 aimed at improving the public sector’s ability to warn enterprises of imminent cyberthreats. It directs the government to share threat information with critical infrastructure owners, and for government agencies to develop a security framework that business can voluntarily adopt. The intention is that unclassified threat reports “that identify a specific targeted entity” will be shared, and that classified reports will be shared with “critical infrastructure entities authorized to receive them.” The White House is also seeking a comprehensive piece of legislation to further information-sharing initiatives in order to protect critical infrastructure such as the power grid, water supply equipment, transportation hubs, and so on. US House of Representatives Intelligence Committee Chairman Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.) introduced a new version of the Cyber Intelligence Sharing and Protection Act (CISPA) last month, which would make it easier for business and government to work together concerning threats, attacks and remedies in order to shore up defenses. For instance, the House bill as written would offer broad protection from lawsuits to companies that give over user data to the Department of Homeland Security, which in turn would share it with intelligence agencies on a need-to-know basis. In the GMA interview, Obama noted the ramifications of inaction: “Billions of dollars are lost to the consequences. You know, industrial secrets are stolen. Our companies are put into competitive disadvantage. There are disruptions to our systems that…involve everything from our financial systems to some of our infrastructure.” For DDoS protection click here . Source: http://www.infosecurity-magazine.com/view/31244/amid-banking-ddos-attacks-obama-convenes-cybersecurity-meeting-with-ceos/

View original post here:
Amid banking DDoS attacks, Obama convenes cybersecurity meeting with CEOs

How To Select A Distributed Denial of Service ‘DDoS’ Mitigation Service

Late last month, two members of the hacker group LulzSec pleaded guilty to launching distributed denial-of-service (DDoS) attacks against entities ranging from the state of Arizona to Nintendo to the CIA. Yet despite extensive media coverage of such attacks, chief information security officers are still surprised when their companies get hit. This is not an unforeseeable lightning bolt from the blue, people. The cyber world is full of anonymous arsonists, and too many businesses are operating without a fire department on call. A few sprinklers won’t cut it when things flare out of control. Firewalls and intrusion-prevention system appliances are no substitute for specialized DDoS backup when an attack escalates. Proactively securing a mitigation service can be a good insurance policy–in fact, it’s better than insurance, which pays off only after damage is done. That’s because mitigation services are designed to prevent destruction from occurring in the first place. Not only can a mitigation service act as a deterrent–many attackers will move on to easier prey when they see an initial DDoS attack fail–but these providers have the capacity and expertise to rapidly scale DDoS countermeasures against coordinated, professional attacks. That can mean keeping your website online even under heavy bombardment. Big And Small Companies At Risk Denial-of-service attacks used to be something that happened to other people, those with high online visibility. Not anymore. “We’ve seen very small companies come to us and they can’t figure out why they’re under attack,” says Chris Richter, VP of security products and services at Savvis. They ask, “‘What have we done?’” Blame the proliferation of prepackaged DDoS toolkits, such as the Low Orbit Ion Cannon and Dirt Jumper, for the fact that no one’s safe. Like any brute-force tactic, DDoS relies on the fact that any attack, even the most rudimentary, repeated with sufficient volume and frequency, can effectively shut down a network or website. Botnets often span thousands or millions of systems worldwide; Akamai, for example, provides a real-time attack heat map. In early July, attack rates were almost 30% above normal, with hot spots in Delaware and Italy. Geographic dispersion, coupled with network traffic crafted to look like legitimate connections from normal users, makes DDoS attacks both extremely effective and difficult to defeat if you’re not an expert with the right tools. There are three main distributed denial-of-service categories: > > Volumetric attacks overwhelm WAN circuits with tens of gigabits per second of meaningless traffic–so-called ICMP or UDP floods. > > Layer 3 attacks abuse TCP. For example, SYN floods overload network equipment by starting but never completing thousands of TCP sessions using forged sender addresses. SYN floods can be in excess of 1 million packets per second, largely in response to the wider deployment of hardware countermeasures on firewalls and other security appliances, says Neal Quinn, COO of DDoS mitigation specialist Prolexic. > > Layer 7 floods use HTTP GET or POST requests to overload application and Web servers. From the attacker’s perspective, L7 exploits aren’t anonymous. The attacking client’s identity (IP address) is exposed because a TCP handshake must be completed. Attackers who use this approach consider the risk outweighed by the technique’s effectiveness at much lower volumes and the traffic’s stealthy nature. Requests are designed to look like normal Web traffic, factors that make L7 attacks hard to detect. Our InformationWeek 2012 Strategic Security Survey shows that the increasing sophistication of threats is the most-cited reason for worry among respondents who say their orgs are more vulnerable now than in 2011, and L7 attacks are certainly sophisticated. They’re also getting more common: Mark Teolis, founder and CEO of DOSarrest , a DDoS mitigation service, says 85% of the attacks his company sees have a Layer 7 component. Attackers leveraging L7 are often developers; they may do some reconnaissance on a website, looking for page requests that aren’t cacheable and are very CPU-intensive–things like filling a shopping cart, searching a database, or posting a complex form. Teolis says that a mere 2 to 3 Mbps increase in specially crafted L7 traffic can be crippling. “We’ve had gaming sites tell us they can handle 30,000 customers, but if 100 hit this one thing, it’ll bring down the entire site,” he says. Layer 7 attacks are tough to defeat not only because the incremental traffic is minimal, but because it mimics normal user behavior. Teolis has seen attacks where an individual bot may hit a site only once or twice an hour–but there are 20,000 bots involved. Conventional network security appliances just can’t handle that kind of scenario. And meanwhile, legitimate customers can’t reach your site. Why Us? The motivations for a DDoS attack are as varied as the perpetrators. For many, it’s just business, with targets strategically chosen by cyber criminals. Others are political–a prime example is LulzSec hitting the Arizona Department of Public Safety to protest the state’s strict immigration law, SB 1070. And for some, it’s just sport. Given this randomness, it’s impossible to predict the need for professional distributed denial-of-service mitigation. For example, Teolis says one of DOSarrest ‘s customers was the Dog Whisperer, that guru of man’s best friend. “If Cesar Millan can get attacked, anyone is fair game,” he says. Purchasing mitigation services requires the same kind of budgeting as any form of IT security: What you spend on controls should be proportional to the value of the data or website. So, while any organization with an online presence is at some risk, those with financial or reputational assets that could be seriously damaged by going dark should take DDoS mitigation most seriously. Everyone should take these preparatory steps. > > Do online reconnaissance: Follow what’s being said about your company online, particularly on public social networks, and look for chatter that might hint at extortion or hacktivism. Subscribe to security threat assessment reports covering the latest DDoS techniques and incidents. Prolexic is one source for threat advisories; US-CERT also has overviews, like this one on Anonymous. > > Heed threat mitigation recommendations: DDoS threat reports typically include details about the attack signature and recommended mitigation steps. For example, a recent Prolexic report on the High Orbit Ion Cannon identifies specific attack signatures, in this case HTTP requests, and content filter rules to block them. For L3/L4 attacks, incorporate these rules into your firewall; do likewise for L7 attacks if your firewall supports application-layer filtering. > > Have a communications strategy: Know what you’ll tell employees, customers, and the media should you be the victim of an attack. Don’t wait to make statements up on the fly. > > Have an emergency mitigation backup plan: Although most DDoS mitigation services operate on a monthly subscription basis, if you haven’t signed up and an attack overwhelms your defenses, at least know who you’re gonna call. Quinn and Teolis say their services can be operational and filtering DDoS traffic within minutes, though of course it will cost you. What To Look For In DDoS Mitigation At the risk of oversimplification, DDoS mitigation services are fundamentally remote network traffic filters. Once your system detects an attack affecting your network or servers, you redirect traffic to the service; the service filters out the junk and passes legitimate packets to their original destinations. In this sense, it’s like a cloud-based spam filter for websites. This traffic redirection, so-called on-ramping, is typically done via DNS. The mitigation provider creates a virtual IP address, the customer makes a DNS A record (hostname) change pointing to the remote VIPA, traffic flows through the mitigation provider’s filters, and the provider forwards only legitimate traffic on to the original site. Those facing attacks on multiple systems can divert entire subnets using Border Gateway Protocol advertisements, using Generic Routing Encapsulation tunneling to direct traffic to the mitigation provider. Advertising a new route to an entire address block protects an entire group of machines and, says Quinn, has the advantage of being asymmetrical, in that the mitigation service is used only for inbound traffic. The most important DDoS mitigation features are breadth of attack coverage, speed of service initiation (traffic on-ramping), and traffic capacity. Given the increasing popularity of application-layer attacks, any service should include both L3/4 and L7 mitigation technology. Services may segment features into proactive, before-the-attack monitoring and reactive, during-the-incident mitigation. Customers with monthly subscriptions should demand typical and maximum mitigation times–measured in minutes, not hours–backed up by a service-level agreement with teeth. Even those procuring emergency mitigation services should expect fairly rapid response. Most DDoS specialists staff operations centers 24/7. With DDoS mitigation, procrastination can be expensive. For those 70% of customers who first turn to DOSarrest in an emergency, the setup fee for the first month is around $3,500 to $4,000, depending on the complexity of the site. In contrast, an average monthly cost on a subscription basis is $700 per public-facing IP address. Filtered bandwidth is another way to differentiate between services. Some, like Prolexic, adopt an all-you-can-eat pricing model. For a flat fee per server, customers can use the service as often as they need with as much bandwidth as required. Others, like DOSarrest , keep the “use as often as you like” model but include only a certain amount of clean bandwidth (10 Mbps in its case) in the base subscription, charging extra for higher-bandwidth tiers. Teolis says 10 Mbps is sufficient for at least 90% of his company’s customers. A few services use a pricing model akin to an attorney’s retainer, with a low monthly subscription but hefty fees for each DDoS incident. Richter says Savvis is moving to this model, saying that customers want usage-based pricing that resembles other cloud services. Prolexic’s Quinn counters that this pricing structure leads to unpredictable bills. Bottom line, there’s a DDoS service to suit your tolerance for risk and budgetary volatility. Optional services available from some providers include postattack analysis and forensics (what happened, from where, and by whom) and access to a managed network reputation database that tracks active botnets and sites linked to fraudulent or criminal activity, a feature that facilitates automated blacklisting to help prevent attacks in the first place. Aside from looking at service features, evaluate each company’s technical expertise and track record. DDoS mitigation specialists, for whom this is a core business (or perhaps their only business) arguably have more experience and focus than Internet service providers or managed security providers for which DDoS mitigation is just a sideline. Not surprisingly, Quinn, whose company was among the first to offer DDoS mitigation as a service, suggests customers should make vendors show evidence that DDoS mitigation is something they do regularly, not as a rare occurrence. Make sure the service has highly qualified staff dedicated to the task. Ask whether the provider has experts available 24/7 and how long it will take to access someone with the technical ability and authority to work on your problem. Unfortunately there’s no rule of thumb for measuring the DDoS mitigation return on investment; it’s really a case-by-case calculation based on the financial value of the site being attacked. It relies on factors such as the cost in lost revenue or organizational reputation for every minute of downtime. Quinn cites a common analyst cost estimate, which Cisco also uses in its product marketing, of $30 million for a 24-hour outage at a large e-commerce site. There’s a cruel asymmetry to DDoS attacks: They can cost thousands to mitigate, inflict millions in damage, and yet attackers can launch them on the cheap. A small botnet can be rented for as little as $600 a month, meaning a serious, sustained attack against multiple targets can be pulled off for $5,000 or $10,000. With damages potentially two or three orders of magnitude higher than the DDoS mitigation costs, many organizations are finding mitigation a worthwhile investment. In fact, three-quarters of DOSarrest ‘s customers don’t wait for a DDoS attack to flip the switch, but permanently filter all of their traffic through the service. That makes sense, particularly if it’s a high-value or high-visibility site, if your traffic fits within the cap, or if you’re using an uncapped service like Prolexic. These services use the same sorts of colocation hosting centers where companies would typically house public-facing websites, and they do geographically distributed load balancing and traffic routing to multiple data centers. That makes the risk of downtime on the provider’s end minimal. And this approach could actually reduce WAN costs since it filters junk before it ever touches your systems. Recommendations If a mitigation service is too expensive, there are things IT can do to lower the exposure and limit the damage from DDoS attacks (discussed more in depth in our full report): 1. Fortify your edge network: Ensure that firewall and IDS systems have DoS features turned on, including things like dropping spoofed or malformed packets, setting SYN, ICMP, and UDP flood drop thresholds, limiting connections per server and client, and dynamically filtering and automatically blocking (at least for a short time) clients sending bad packets. 2. Develop a whitelist of known good external systems: These include business partner gateways, ISP links and cloud providers. This ensures that stringent edge filtering, whether done on your firewall or by a DDoS service, lets good traffic through. 3. Perform regular audits and reviews of your edge devices: Look for anomalies like bandwidth spikes. This works best if the data is centrally collected and analyzed across every device in your network. 4. Understand how to identify DDoS traffic: Research attack signatures and have someone on your network team who knows how to use a packet sniffer to discriminate between legitimate and DDoS traffic. 5. Prepare DNS: Lower the DNS TTL for public-facing Web servers, since these are most likely to be attacked. If you need to protect an entire server subnet, have a plan to readvertise BGP routes to a mitigation service. 6. Keep public Web servers off your enterprise ISP link: With Web servers being the most common DDoS target, Michael Davis, CEO of Savid Technologies and a regular InformationWeek contributor, recommends Web hosting with a vendor that doesn’t share your pipes. “Your website may be down, but at least the rest of your business is up,” says Davis. 7. Practice good server and application security hygiene: Layer 7 attacks exploit operating system and application security flaws, often using buffer overflows to inject attack code into SQL databases or Web servers, so keep systems patched. For DDoS protection please click here . Source: Darkreading

Continued here:
How To Select A Distributed Denial of Service ‘DDoS’ Mitigation Service

Azerbaijani and Turkish hackers hit Armenian websites with Denial of Service ‘DDoS’ attacks

Last night Azerbaijani hackers attacked BlogNews.am, Armenpress.am websites, and Turkish hackers attacked Beeline.am website. Information security specialist Samvel Martirosyan informed about this. Armenpress.am and Beeline.am websites aren’t functioning at present. According to the information circulated by BlogNews.am, a significant part of the information on the website was deleted because of the hackers’ actions. At this moment, the website’s administration is trying to recover the deleted information. Source: http://www.yerkirmedia.am/?act=news&lan=en&id=7791

View post:
Azerbaijani and Turkish hackers hit Armenian websites with Denial of Service ‘DDoS’ attacks

Anonymous’ open letter to Indian govt claims DDoS attack on sites are legal

Last night hacktivist group Anonymous sent out an open letter to the government of India criticizing the government and ISP companies for blocking torrent and video sharing websites. While doing so, the group clarified the definition of a DDoS attack, a type of online attack the group has been ravaging against government websites. Less of a threatening letter and more of a Hacking 101 course book for the government and mainstream media alike, Anonymous clarified that a DDoS attack is not a hack, which is legally defined as unauthorized access to a network. In fact, a DDoS attack is overflowing the server capacity by an excess of user traffic, or in simpler terms a traffic jam of sorts occurs at website server due to the enormous traffic attracted, in this case the large influx of anonymous group members. Anonymous believes this is a peaceful way to protest the government blocks and also states how websites were blocked when there was no court order asking for specific sites to be blocked like the Air India employee Facebook protest pages. The group has made its intentions clear to go after the government and its supporters, the ISPs that are blocking access to torrents and some other sites like Vimeo. It is also urging Indians to participate in peaceful demonstrations across the country on June 9. In meantime read the whole letter below. Source: http://www.bgr.in/news/anonymous-open-letter-to-indian-govt-claims-ddos-attack-on-sites-are-legal/

Visit link:
Anonymous’ open letter to Indian govt claims DDoS attack on sites are legal

Major Denial of Service Vulnerability Affects Most Web Servers

Security researcher Alexander Klink and Julian Wälde revealed a serious vulnerability that until recently affected the vast majority of web server. The attack only requires a single HTTP request that is specially designed to create hash code collisions in POST form data. When first discovered this attack affected Python, Ruby, PHP, Java, and ASP.NET, but vendors have been working with the researchers to produce patches. Tomcat  updates 7.0.23 and 6.0.35 address this issue by limiting the number of POST form fields to 10,000. The  change log  says that this is configurable, but no details were provided. The patch for  ASP.NET  was released on December 29. The patch will be automatically applied for Windows Azure customers with the default servicing policy. The patch works by limiting the number of POST form fields in a single request to 1,000, which is well below the number needed for a denial of service attack.  This value is configurable  using the appSettings key “aspnet:MaxHttpCollectionKeys”. Currently this can only be applied site-wide, but there have been requests for page-specific overrides. A fix was also added for related flaws in the JSON input and deserialization logic. PHP  5.4.0, which is only a release candidate also offers a max_input_vars directive. The  release notes  do not state what the default value is. So far every vendor we’ve discussed has addressed the issue at the web server level by limiting the number of fields in a single request. Another option is the use of a randomized hash code formula for strings.  Ruby  is one such language. .NET does this as well, but only for internal builds. Production releases currently have a set formula, but given the severity of this issue that may change the next time the CLR is updated. For Java it is not quite so easy; the JVM specifies the hash code formula for strings, which means developers may be relying on it to be consistent across all versions. An update for  Oracle Glassfish  is supposedly complete, but not yet available. There is no information of the method used to address the issue. More information about this issue is available on  Ars Technica  and the  Chaos Communication Congress  website.

Excerpt from:
Major Denial of Service Vulnerability Affects Most Web Servers

http://www.spamfighter.com/News-17155-Data-finds-over-1-m-UK-Home-PCs-Belonging-to-Botnets.htm

Data finds over 1 m UK Home PCs Belonging to Botnets The British Broadcasting Corporation (BBC) has reported that a Dutch security researchers’ group trying to determine methods by which compromising of home PCs can be lessened from getting criminally used, recently, discovered that crime botnets seized over 1m home computers in UK.

Read More:
http://www.spamfighter.com/News-17155-Data-finds-over-1-m-UK-Home-PCs-Belonging-to-Botnets.htm

McAfee Suspects Sophisticated Indulge at Cybercriminals’ Demeanor

According to McAfee’s third quarter security threats report (Q3-2011), revealed by Intel-owned security technology firm, cybercriminals seems to change their tactics of circulating malware for avoiding law enforcement, reports v3.co.uk on November 21, 2011. Commenting on the findings, Toralv Dirro, Security Strategist at McAfee Labs EMEA (Europe Middle East and Africa) said that as a result of a sudden augment of virus indulgence, large botnets are being shut down and operators are being driven to concentrate more on smaller and localized networks, highlights v3.co.uk on November 21, 2011. While explaining the matter, Dirro claimed that law enforcement becomes more interesting when the botnet is bigger

Read the article:
McAfee Suspects Sophisticated Indulge at Cybercriminals’ Demeanor

Researchers Show How Easy It Is To Infiltrate Facebook

A new paper being presented next month at the Annual Computer Security Applications Conference (ACSAC) shows easy it is to infiltrate Facebook and harvest valuable user data. Botnets, networks of hijacked computers controlled remotely for criminal gain or spreading propaganda, have been aggravating cybersecurity professionals for years. The near-billion people connected to social networks has made Facebook and Twitter the new juicy targets for similar schemes

Continue reading here:
Researchers Show How Easy It Is To Infiltrate Facebook