iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post do not click if you’re wary of security breaches on Wednesday, site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. Though, iPhoneDevSDK is now working with Facebook’s security team in order to share information about what happened.

Also, this is a great reminder to log and monitor, or SIEM.  An admin’s account was compromised, then their website was hacked.

Tripwire would have caught the changes, and login auditing would have caught the hacker/admin’s actions.

via Dev site behind Apple, Facebook hacks didn’t know it was booby-trapped | Ars Technica.

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

via Twitter Blog: Keeping our users secure.

But while the company was informed by AT&T of suspicious activity over its network connection on October 25—the day the Wen story was published—the attack had begun weeks earlier and appears to have been focused on getting into the e-mail accounts of Times Shanghai Bureau Chief David Barboza and South Asia Bureau Chief Jim Yardley. The attack used 45 different pieces of custom malware code, including remote access tools that gave Chinese hackers the run of the Times’ network.

The attackers used a botnet of computers compromised at US universities to obscure the source of the attack. They then infected computers at the Times with malware, most likely through e-mail “spear phishing” attacks, and used the malware to install remote access tools on at least three target systems that allowed them to gather more information from the network—finally finding the Windows network domain controller and grabbing its user directory and password tables. The hackers then used the cracked passwords to access other systems and created a custom program built to infiltrate the Times‘ mailserver to search all the e-mails and documents sent to Barboza and Yardley’s accounts—apparently searching for the names of people who may have spoken to Barboza as he reported on the Wen family.

via Chinese hackers attacked New York Times computers for four months | Ars Technica.

Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability in the Ruby on Rails framework that gives remote attackers the ability to execute malicious code on the underlying servers.

The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash, according to Ben Murphy, one of the developers who has confirmed the vulnerability. As of last week, the framework was used by more than 240,000 websites, including Github, Hulu, and Basecamp, underscoring the seriousness of the threat.

via Extremely critical Ruby on Rails bug threatens more than 200,000 sites | Ars Technica.

I hope to be joining your ranks some day soon.  I’m just debating whether to get a Nexus 7, or to wait for a Surface with Win8 Pro.

We’ve partnered up with Google to cut down 10+ of the steps needed for the domain registration portion of the signup process to just three steps. Now, you can not only verify, but also transfer your email in just a couple of clicks. The best part – you’re no longer required to leave the Google App to complete domain registration!

via Hover integrates with Google Apps | Hover Blog.

This is quite nice and very handy, although you’d only need it during initial setup.

However, if you’re an Apps re-seller and set up domains and accounts for people frequently, it will save a lot of time.

Ponemon Institute and security firm ID Experts … surveyed 80 health care organizations and found that 94 percent had experienced a data-loss incident in the past two years. Another 45 percent sustained more than five breaches during that period.

via Nine out of 10 hospitals lost personal data in last two years – SC Magazine.

All the requirements in the world won’t make a difference if the organizations do not allocate the resources to ensure compliance, and if the employees continue to fail to comply.

According to Reuters, the confetti was apparently shredded horizontally but still contained information from various police incident reports, including names, social security numbers, and bank account information of Nassau County police officers and employees.

Make sure that personally identifiable information is actually destroyed before it leaves your custody.

via Long Island cops probe how secret information became NYC confetti | Ars Technica.

With new Java security-related updates being released practically every week, and new security holes being discovered practically every week, why do developers keep developing for Java?

And worse, they’ll write an app that works in one specific version of Java (such as Cisco’s ASDM, which randomly stops working during Java updates), and then you’re forced to keep a virtual machine around with an old version of Java just to run the legacy app.

But it’s the same with pop-up windows in browser apps — every web browser for the last 8 or so years has had a pop-up blocker, but devs still write apps with pop-up windows and either notices saying, “Please disable your pop-up blocker” or a feeble error message when the app can’t launch.

Come on, devs, let’s bring it into the 21st century!