The Next Web » security Archives

Archive of thenextweb.com

Popular URL shortener Cli.gs, hacked.

Keith, written on 16th June 2009 (17 comments)
Keith, Network Consultant, Social Media Fanatic

URL shortening services are ubiquitous these days, so we tend to forget how these systems can be exploited if not properly secured. The latest example comes via an announcement that Cli.gs, the 4th most popular URL shortening service on Twitter, has been hacked. According to the Cli.gs blog, sometime late Sunday night a hacker exploited a security hole that allowed the attacker to redirect around 2.2 million cli.gs URLs to a single domain name, freedomblogging.com.

Cli.gs states, “I’ve identified the hole and disabled all cligs editing for now and I’m restoring the URLs back to their original destination states. However, the most recent backup is from early May, and so we may have lost all URLs created since then.”

URL shortening services have long been a source of paranoia for web-savvy users. The simple fact that you can’t see the link you are about to visit gives attackers an opportunity to lure unsuspecting users to malware-laden sites. Normally this is seen on an individual basis, but this incident of an attacker taking over 2.2 million URLs will surely entice other hackers to try their hand at mass exploitation of the system.

What do you do to protect yourself?

Several URL shortening services have incorporated link previews and browser addons to help users identify the resulting long URL and there are numerous Userscripts to preview a shortened URL. In the end, we all must rely on the URL shortening providers to secure their systems.

Google serves up the Top 10 sites to avoid at all costs

Martin, written on 4th June 2009 (5 comments)
Martin Bryant, Co-founder, Social Media Café Manchester

Google’s security team has identified the current Top 10 malware sites in the world. The list reads like a rogue’s gallery of the darker side of the web. Sites listed generally use ‘drive-by downloading’ to install and run malware on visitors’ computers automatically. To make things worse, many of these domains are linked to via advertising and other third-party content on a vast number of high-traffic websites.

Current king of malware is Gumblar.cn, one of 1400 Chinese-registered domains on Google’s list. Their figures counted 60,000 sites infected with its payload which according to this account injects malicious Javascript code into every HTML file it can find. Meanwhile, Goooogleadsence.biz and googleanalytics.net were two of a number of sites trying to fool people into believing they were visiting a Google site.

Malware infections are a growing problem. Popular celebrity gossip site Digital Spy had to apologise this week after it inadvertently served up malware in banner ads.


[Via Google Security blog]

Man burgled, blames Twitter – there’ll be more like him

Martin, written on 3rd June 2009 (5 comments)
Martin Bryant, Co-founder, Social Media Café Manchester

“We made it to Kansas City in one piece”; an innocent tweet which may have cost Israel Hyman his Mac Pro. The Arizona-based video editor was out of town seeing relatives when his house was burgled and his computer and two displays taken. Israel has blamed the incident on that single tweet, which also updated his Facebook status.

It’s unclear whether or not some devious criminal was actually scoping out Twitter for victims but there are bound to be more of these stories in the near future. As use of real-time social data services becomes more common we’ll get used to sharing our location either consciously (via a service like Google Latitude) or passively via geotags on photos and videos that we upload.

Even if you don’t actively share your location online, there’s likely to be other data about you out there that makes putting a place to the online name easy. Domain name registration records, public electoral roll records, even the phone book – they’re all tools that can help to track you down. It’s easy to imagine a future in which ‘geolocational crime’ becomes more prevalent.

At least there was some good news for Israel Hyman. The thieves may have taken his computer but at least they left a back-up. His Drobo storage device was untouched.

[via Switched, via ABC News]

Internet Explorer 8 Hack Countdown! (too late)

Boris, written on 19th March 2009 (3 comments)
Boris Veldhuijzen van Zanten, Serial Internet Entrepreneur

Just yesterday Microsoft announced the latest, safest and coolest new version of Explorer. According to Steve Ballmer, Explorer “gets people to the information they need, fast, and provides protection that no other browser can match.”

Is that so?

My original plan was to start a countdown here until the first reports of Explorer 8 vulnerabilities. Life is stranger than fiction, again, as Explorer 8 was shown to be vulnerable to hacking attacks less than 24 hours after its release. ZDNet reports how a hacker named Nils ‘performed a clean drive-by download attack against the world’s most widely used browser to take full control of a Sony Vaio machine running Windows 7’ at the CanSecWest Pwn2Own contest. The same hacker also managed to hack into Safari and Firefox.
The exploit that ‘Nils’ used is not published and Microsoft’s Security team was there to witness the whole thing. Expect an update soon.

Truth is that no browser is really 100% secure and lots of people will greatly enjoy this new version of Explorer 8. So go and get it now and let us know how it works for you.

Here are some of the new (untested) features Microsoft talks about that might be interesting for you:

Accelerators
Accelerators make it faster and easier to perform common tasks online by making Web-based services such as ESPN.com, Live Search and Sina available for use directly from the page people are viewing. Users can simply right-click a word or phrase and instantly map, e-mail, or share it.

Web Slices
Web Slices in Internet Explorer 8 makes favorite information from sites such as Digg, Yahoo! Mail, OneRiot, and eBay instantly available wherever someone goes on the Web.

Visual search suggestions
The Instant Search Box in Internet Explorer 8 enables rich, real-time search from sites such as The New York Times, Amazon.com and Wikipedia, as well as sites from people’s own Favorites and History, complete with visuals and detailed information that saves time.

More details about Explorer 8 at Gizmodo.

Why you should change your Twitter password NOW!

Patrick, written on 5th March 2009 (11 comments)
Patrick de Laive, Internet entrepreneur and co-founder of The Next Web Conference. Twitter: @patrick

The news that Spotify has been hacked once again shows that your data is not always safe, even if you trust the company that holds it for you.

Most users know that they should use a different password for each service they use. But from personal experience I know that we don’t always do what is right. Most people use the same password for all their services.

The danger of using the same password:
Most web developers know that you should never save a password in plain text format, but sometimes that just isn’t possible. Take Twitter, or any company with a popular open API.

While Twitter (hopefully) uses a hash for its users’ passwords, it is the Twitter ecosystem (the hundreds of services that are built around Twitter) that you should be worried about. Since Twitter doesn’t have a safe authentication method for its API (like OAuth), these services need to know your username and password in plain text (i.e. unencrypted) to query the Twitter API.

If you are a passionate Twitter user, you probably use a lot of external Twitter apps. What you get is hundreds of places where your Twitter password is vulnerable to hacking attempts.

As it is so easy to build a service around Twitter, and many of them have been built in less than a day or a week, you can imagine that security is not the highest priority for these Twitter projects.

A hacker could probably hack Twitter services more easily than Twitter itself. What he/she would find is your Twitter username and password and in some cases even your email address. Obviously the hacker could abuse your Twitter account, change your password, sell your credentials, stalk your followers and more.

Given that many people use the same username/password combination for many different online services, these hackers could also try to log into other web services such as Gmail, Flickr, Google Docs and Yahoo.

In short, it’s a good idea to have a separate password for services like Twitter and don’t use the same password for different services. Use a password generator such as 1Password if you want to make sure your passwords are secure.

An extra benefit to changing your Twitter password is that you automatically filter out the services you don’t use anymore.

Thanks to Robert Beekman for the input.

BREAKING: Spotify Hacked. If You Are a Member, Read This.

Zee, written on 4th March 2009 (74 comments)
Zee, Editor in Chief at The Next Web, Principal at WeDoCreative.

Spotify, a web/desktop media player, has just announced that someone has managed to “compromise their protocols” and gain private information about their users.

The details the hackers may have gotten their hands on include: passwords, email addresses, birth dates, gender, postal codes and bill receipt details.

The hacker(s) managed to access information about Spotify members last year, whilst the flaw they exploited was fixed just before Christmas.

Spotify have said:

Last week we were alerted to a group that managed to compromise our protocols. After investigating we concluded that this group had gained access to information that could allow testing of a very large number of passwords, possibly finding the right one. The information was exposed due to a bug that we discovered and fixed on December 19th, 2008. Until last week we were unaware that anyone had had access to our protocols to exploit it.

What you need to do.

If you signed up on Spotify before December 20th 2008 and if you use the same password on alternative services – change ALL your passwords immediately.

More at the Spotify Blog.

Pentagon Hit by Cyber Attack of Unprecedented Proportions

Zee, written on 21st November 2008 (1 comment)
Zee, Editor in Chief at The Next Web, Principal at WeDoCreative.

The Pentagon, headquarters of the United States Department of Defense, has suffered an unprecedented cyber attack in the form of a virus spreading throughout the United States military network.

The Pentagon told Fox News “We have detected a global virus for which there has been alerts, and we have seen some of this on our networks. We are now taking steps to mitigate the virus.”

The official would not reveal the source of the attack. However, so concerned is the Pentagon that it has taken the step of barring all commercial malware and removable media (thumb drives, CDRs/DVDRs, floppy disks) on all DoD networks and computers, effective immediately.

Like online games? Beware of ClickJacking

Ernst-Jan, written on 8th October 2008 (2 comments)
Ernst-Jan Pfauth, editor in chief

Most web-based games might appear innocent, but a blogger from GUYA.NET proves that they can function as a way for the web’s bad guys to take over your webcam. When this blogger first heard about the clickjacking phenomenon, he tried to develop a game that could do the same thing. He discovered that the Achilles heel of Flash was the Flash Player Setting Manager. Nice piece of citizen journalism.

By creating some sort of overlay in a JavaScript game, users just think they’re trying to click a button as fast as possible. What they are really doing is granting some voyeur access to their webcam. Check it out:

Kudos to Adobe, who fixed this problem by “framebusting the Setting Manager pages”. Supposedly, 99.9% of users are now protected from spies, pervs, or whatnot. The issue still exists for Java, Silverlight, DHTML games and applications though. For details on this I gladly refer to ha.ckers.org.
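As an added illustration (not code from the original post, from GUYA.NET or from Adobe), here is what the framebusting defence the post credits Adobe with looks like in JavaScript. The check is written as a pure function over a window-like object so it can be exercised outside a browser; `isFramed`, `bustFrame` and the constructed stand-in windows are assumptions of this example, not anything named on the page.

```javascript
// Added example: the "framebusting" defence against clickjacking overlays.
// `win` stands in for a browser window object; in a real page pass `window`.

// Returns true when the document is being rendered inside another page's
// frame, which is the precondition for a clickjacking overlay.
function isFramed(win) {
  // A top-level document is its own top; a framed document is not.
  // Touching a cross-origin parent can throw; treat that as "framed".
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Framebuster: if framed, navigate the top-level window to this document's
// own URL so the framing page (and its overlay) disappears.
// Returns true when a navigation was triggered, false when nothing was done.
function bustFrame(win) {
  if (!isFramed(win)) {
    return false;
  }
  // Browsers allow a frame to *assign* top.location even across origins,
  // which is what makes this defence possible.
  win.top.location = win.self.location.href;
  return true;
}

// Constructed stand-ins (not real browser objects) so the functions above can
// be run offline: one top-level window and one window framed by an attacker's
// page, such as the game page described in the post.
function makeTopLevelWindow(url) {
  const w = { self: null, top: null, location: { href: url } };
  w.self = w;
  w.top = w;
  return w;
}

function makeFramedWindow(url, framingUrl) {
  const parent = makeTopLevelWindow(framingUrl);
  const child = { self: null, top: parent, location: { href: url } };
  child.self = child;
  return child;
}

// Usage in a real page: run bustFrame(window) at the top of any page whose
// clicks carry privileges (the post's example is a plugin settings page).
```

Script-based framebusters of this 2008 vintage were later found to be bypassable in various browsers, so today the reliable defence is to have the server send an `X-Frame-Options: DENY` (or `SAMEORIGIN`) response header, or a Content Security Policy with `frame-ancestors`, which the browser enforces before any script runs.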

Best Western Hotels security FAIL: 8 million cases of identity theft in biggest hack ever? (Updated)

Robin, written on 25th August 2008 (1 comment)
Robin Wauters, Next web enthusiast & Plugg organizer

According to the Sunday Herald, an international criminal gang has pulled off one of the most audacious cyber-heists ever by stealing the identities of an estimated 8 million people – who have all been guests in at least one of the 1300 existing Best Western Hotels in the past 12 months – in a hacking raid that could ultimately net more than 3.5 billion euro in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Update: Neville Hobson was kind enough to Twitter-point me to a statement issued by Best Western (PDF), wherein they claim the newspaper is being sensationalist, and that most of the facts presented in the article are inaccurate, exaggerated, unsubstantiated or false, although they fail to provide more insight as to what the extent of the damage really is.

Update 2: Best Western provided more feedback on the issue:

“We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel. The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s anti-virus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use. “

The Sunday Herald alerted Best Western, who promptly closed the security breach on Friday afternoon, but experts fear that information seized in the raid is already being used to pursue a range of criminal strategies. Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx, has even been quoted saying “In the wrong hands, there’s enough data there to spark a major European crime wave.”

The stolen data included private information like home addresses, phone numbers, credit card details and place of employment.

The initial hacker succeeded in bypassing the system’s security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.

If you’ve stayed in a Best Western hotel at some point during the past year, you might want to consider hooking up with their customer service department to see what’s up. Use the number 0800 528-1238.

(Image courtesy of hiten mistry @ Flickr)

Agent Vi raises $9 million for bringing analytics to enterprise video

Robin, written on 22nd July 2008 (1 comment)
Robin Wauters, Next web enthusiast & Plugg organizer

Israel-based maker of enterprise video analytics software Agent Video Intelligence has raised $9 million in Series B funding from its existing backer, U.S. based VC firm 21Ventures. That’s exactly the same amount they had already raised, so that brings the total to $18 million. The funding is earmarked for sales and marketing and ongoing product development.

Agent Vi delivers solutions for improved security, business intelligence and operations. The technology is pretty cool, too: Agent Vi customers can immediately spot and report a person reaching over an unattended jewelry counter; detect a vehicle tailgating through an entry point; detect a person approaching a perimeter; monitor how long a customer views a merchandise display, etc.

Sounds like a valuable solution for casinos, government properties, airports, shopping malls, and so on. I’m left wondering how their technology could be used for online video, though. Sounds like great things could come out of that, but there’s probably not enough money there (yet?).

You can see Agent Vi in action in their demo videos, which are sadly and inexplicably not embeddable.

If you’re still wondering why incorporating intelligent video analytics may be a good idea, the company has listed ten reasons on its corporate blog which are worth checking out.


(Via PE Hub)






Copyright 2006-2009 © TheNextWeb.com