On Friday, Twitter detected unauthorized attempts to access account data. The attack affects some 250,000 users, exposing passwords, usernames, email addresses, and session tokens. Twitter has notified users and is restoring their service. No attribution yet, but note that Twitter is a new media company.
Chinese intrusion into US media networks looks bigger than suspected, with the Washington Post joining the New York Times and the Wall Street Journal among the victims. The campaign's success shows the limitations of signature-based anti-virus products in particular, and it also shows that users who rely on anti-virus software alone are dangerously naive. Google describes its own experience with Chinese cyber attacks and takes that nation's government publicly to task as an "IT menace." The US Government weighs options for confronting China.
The Chrome Web Store contains some malicious extensions being promoted on Facebook. A spam campaign spoofing Booking.com warning emails carries a malware payload. Old (but still used) versions of Juniper's Junos OS are vulnerable to TCP flaws. The Citadel Trojan moves from its original banking targets to government and commercial victims. Oracle tries to address Java insecurity with a new patch (but Apple blocks Java on its OS anyway).
Rapidly "morphing" malware, designed specifically to evade signature-based defenses, is expected to become more widespread. The criminal economy now offers sophisticated development services that enable more capable and difficult-to-thwart exploits. Such crimeware is beginning to eclipse venerable social engineering techniques.
Google establishes an innovation fund in France. Fujitsu offers a new data transfer protocol.