
The Worst Passwords Ever 

I love these types of articles. Just as I was intrigued by the list of the most common passwords in the user database that attackers pulled from Gawker when it was breached, I love seeing the silliest passwords people have seen or used, the ones most prone to being guessed if someone smart enough wants that user’s data.
PCMag asked Twitter for the most awful passwords people had ever seen, and the results are hilarious. Including such gems as “asdfhgjkl” and the ever-present, venerable “password,” the list is full of good ones.
The thing that really bothers me is the commenter who thinks that “everyone knows better than this” and that “most sites” require stronger passwords. Oh, you poor, poor sheltered thing. If only that were the truth.
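For the sites that actually do check, here is what a minimal server-side password screen looks like. This is an added example, not code from PCMag or from this post: the denylist is a constructed sample standing in for the leaked lists (Gawker and the like), the QWERTY rows are an assumed layout used to catch keyboard walks, and the length floor is an assumed policy.

```python
# Added example (not from the original post or PCMag): a server-side
# password screen of the kind the commenter assumes "most sites" have.
# The denylist below is a constructed sample; a real deployment would load
# the full leaked-password lists the post alludes to.
import string

# Constructed sample denylist (lowercase), standing in for a real list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "iloveyou", "trustno1", "asdfghjkl", "asdfhgjkl",
}

# Assumed: US-QWERTY rows, used to catch "keyboard walks" not on the list.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def normalize(pw: str) -> str:
    """Lowercase and strip a trailing run of digits/punctuation so that
    'Password123!' is compared against the list as 'password'."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core or pw.lower()


def is_keyboard_walk(pw: str, min_len: int = 5) -> bool:
    """True if the password contains min_len+ characters that run along a
    keyboard row in either direction (e.g. 'qwerty', 'lkjhg')."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def check_password(pw: str, min_length: int = 10) -> list:
    """Return the list of reasons the password is rejected; empty means OK."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalize(pw) in COMMON_PASSWORDS or pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password denylist")
    if is_keyboard_walk(pw):
        reasons.append("contains a keyboard walk")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "Password123!", "asdfhgjkl", "Correct-Horse-Battery-42"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The normalization step matters more than the list itself: users asked for "a stronger password" overwhelmingly append a digit or a bang to the one they already had, and a naive exact-match denylist waves that straight through.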
Android Trojan Tackles Piracy by Messaging Your Contacts 

I’ve reviewed a bunch of mobile apps that promise to help you text while walking or otherwise in motion without taking your attention off where you’re going, but this is the first time I’ve seen an app that proactively takes action against its owner if the owner has pirated it.
The rogue Android app, Walk and Text, is not an official release from the developers, and it carries a version number that doesn’t exist (1.3.7). Essentially, the only way to get it is to download a pirated copy, one that includes a trojan lying in wait under the surface for you to install and run it.
Once installed, the app displays a screen that makes it look like it’s cracking or installing itself, or setting itself up in some other way. What it’s really doing behind the scenes is sending your name, your phone number, your phone’s identifying information (its International Mobile Equipment Identity, or IMEI, number), and anything else it can grab to an external server.
Then, and perhaps this is the clincher if the previous weren’t bad enough, the app sends an SMS to everyone in your contacts list telling them that you pirated an app and how cheap you are. The SMS looks like this:

Yowch. That’s pretty harsh.
While I have no love for piracy, I think this one goes a little too far. If it had sent a message to your own e-mail address, or done something clever that stayed between you, the app, and the people who knew you pirated it, I wouldn’t think much of it. Then it’d be harmless.
This, on the other hand, is anything but harmless: the folks collecting that data are slowly building a repository of information about mobile devices and their owners that they could do just about anything with, including sell it to the highest bidder. The SMS to all of your contacts is pretty underhanded, too; I don’t think anyone would want their family, friends, or worse, employers to get a text message like that.
Admittedly, the folks behind it would say “well then, don’t pirate apps,” which is a fair moral of the story now that we’ve all heard it. It won’t stop me from feeling a little sympathetic to the people who get busted by it, though.
[ Android Threat Tackles Piracy Using Austere Justice Measures ]
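Everything the post describes (reading contacts, sending SMS, reading the IMEI and phone number, talking to a server) has to be declared up front in the APK’s manifest, which is the first thing worth checking before sideloading anything. Below is an added example of that triage, not code from the Walk and Text developers or from the article: the manifest is constructed to match the described behaviour, the “risky combination” is an assumed heuristic rather than a signature for this trojan, and the set of known-good versions is a placeholder the caller supplies.

```python
# Added example (not from the original post or the Walk and Text developers):
# a permission triage of a decoded Android manifest for the behaviour the
# post describes. The manifest below is constructed, and the "risky
# combination" rule is an assumed heuristic, not a signature for this trojan.
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the described behaviour needs: read contacts, send SMS,
# read the device identity (IMEI / phone number), and reach a server.
RISKY_COMBINATION = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
}

# Constructed sample manifest, as it would look after decoding the APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.walkandtext" android:versionName="1.3.7">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Walk and Text"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def version_name(manifest_xml: str) -> Optional[str]:
    """Return android:versionName from the <manifest> element, if present."""
    return ET.fromstring(manifest_xml).get(f"{{{ANDROID_NS}}}versionName")


def triage(manifest_xml: str, expected_versions: set) -> dict:
    """Flag a manifest whose permissions cover the contact-spamming,
    device-ID-harvesting behaviour, or whose version is not a known release.
    expected_versions is supplied by the caller (the real release list is
    not known here)."""
    perms = declared_permissions(manifest_xml)
    version = version_name(manifest_xml)
    missing = RISKY_COMBINATION - perms
    return {
        "version": version,
        "unknown_version": version not in expected_versions,
        "has_risky_combination": not missing,
        "missing_from_combination": sorted(missing),
    }


if __name__ == "__main__":
    # Placeholder release list; the real one is whatever the developers publish.
    print(triage(SAMPLE_MANIFEST, {"1.2.0"}))
```

A "walk while texting" app has a plausible reason to ask for SMS, but no reason to read your entire contact list, and none at all to read the IMEI; the combination, not any single permission, is what should make you stop before tapping Install.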
Twitter Adds Always-On HTTPS 

First it was Facebook, and now it’s Twitter: both social networks have finally gotten around to offering always-on HTTPS, so that users logged in to their Web sites are always sending data encrypted while managing their profiles, posting, and communicating with friends. Considering that hijacked accounts are becoming an issue, and that tools like Firesheep let anyone on the same network capture a user’s Twitter or Facebook session cookie when it’s sent in the clear and take over that session, it makes sense for Twitter to give users the option to use HTTPS for all of their connections.
Now, however, it’s up to the developers of third-party apps to use HTTPS (SSL/TLS) in their apps, so they aren’t defaulting to the old plaintext method of talking to Twitter and can take advantage of the new security.
You’ll find the option shown in the image above in your Twitter account settings: when you’re logged in, click your username in the upper right, choose “Settings,” and scroll to the bottom of the page. Do yourself a favor and turn this on, right now. Oh! And while you’re there, follow me @halophoenix!
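For the third-party developers the previous paragraph is aimed at, here is the client-side half of the deal: refuse to talk to the API over anything but HTTPS, validate the certificate instead of switching validation off, and check that the session cookie the site hands back carries the Secure attribute, since a cookie without it gets replayed over plain HTTP and is exactly what Firesheep sniffed. This is an added example, not Twitter’s code or the post’s; the API host and path are placeholders and the Set-Cookie headers are constructed.

```python
# Added example, not code from Twitter or from the original post: what a
# third-party client should do once the site offers HTTPS. The API host and
# endpoint are assumed placeholders; the Set-Cookie headers are constructed.
import ssl
from http.client import HTTPSConnection
from typing import Tuple, List
from urllib.parse import urlsplit


def require_https(url: str) -> Tuple[str, str]:
    """Return (host, path) for an https:// URL and refuse anything else, so a
    typo or a stale config cannot silently send the session in the clear."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    if not parts.hostname:
        raise ValueError(f"URL has no host: {url}")
    return parts.hostname, parts.path or "/"


def verified_connection(host: str) -> HTTPSConnection:
    """HTTPS connection that validates the server certificate and hostname
    (the default context does both); never pass a context with CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return HTTPSConnection(host, 443, context=ctx, timeout=10)


def insecure_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies sent without the Secure attribute. Such a cookie is
    replayed over plain HTTP by the browser, which is what Firesheep sniffed."""
    bad = []
    for header in set_cookie_headers:
        attrs = [p.strip() for p in header.split(";")]
        name = attrs[0].split("=", 1)[0]
        flags = {a.split("=", 1)[0].lower() for a in attrs[1:]}
        if "secure" not in flags:
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Placeholder endpoint, not a real Twitter API URL.
    host, path = require_https("https://api.example.com/1/statuses/home_timeline.json")
    conn = verified_connection(host)          # connects lazily; no traffic yet
    print(host, path, conn.host)
    # Constructed headers: the first cookie would be exposed on any open Wi-Fi.
    print(insecure_cookies([
        "_session_id=abc123; Path=/; HttpOnly",
        "auth_token=xyz; Secure; HttpOnly; Path=/",
    ]))
```

The point of `require_https` is that it fails loudly: a client that quietly accepts `http://` because someone pasted an old base URL into a config file undoes the whole setting the user just turned on.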
PC Mag :: Facebook Privacy: 8 Ways to Protect Yourself 

Facebook announced some broad and sweeping privacy changes recently, and while they aren’t garnering the attention that past Facebook privacy changes have, these ones are pretty serious: they open the door for a number of apps, pages, and external sites and services to learn a great deal about you, data you may automatically assume is confined to Facebook itself.
Writing for PC Mag, Dan Costa has some suggestions to help you crack down on how Facebook handles (or mishandles, depending on how you see it) your information: what the service can and can’t do with your data, and who, even among the people who use Facebook and are your friends there, can and can’t see certain things about you.
In a fabulous 8-step tutorial rich with screenshots to guide you, Dan shows you how to change your Facebook privacy settings to something that benefits you, as opposed to the defaults, which, for all the credit Facebook is due, are designed to benefit the service while offering you some privacy protection, just not as much as you likely assume you have.
I’ll be walking through these steps myself very shortly, and I strongly suggest you do too.
Lifehacker :: WEP Cracking Redux: Beyond the Command Line 

(image courtesy of Lifehacker!)
The fine folks at Lifehacker posted an interesting feature a few days ago on how to crack wireless networks. The previous tutorial focused on some particular apps and a lot of command-line fu; this time around, with a few easy-to-obtain apps and a computer portable enough to take with you to the network you want to crack, you may be able to find your way onto any wireless network you choose, provided there’s enough traffic on it to crack its WEP key.
In this article they cover my favorite, KisMAC, a fantastic utility for Mac OS that does exactly what you want it to do with so little fuss you could hand it to an inexperienced user to figure out; if you do understand what’s going on under the hood, it’s even more powerful.
[ Lifehacker :: WEP Cracking Redux: Beyond the Command Line ]
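Why does "enough traffic" matter? WEP encrypts every frame with RC4 keyed by a 24-bit initialisation vector (sent in the clear at the front of the frame) prepended to the shared key, so once an IV repeats, the keystream repeats, and the XOR of two ciphertexts is the XOR of two plaintexts with no key needed. The following is an added example, not Lifehacker’s or KisMAC’s code: the WEP key, IVs and frame contents are constructed, the CRC-32 integrity value is omitted, and it shows only the IV-reuse weakness; the statistical key-recovery attacks that tools like KisMAC actually run go well beyond this.

```python
# Added example, not from Lifehacker or KisMAC: the IV-reuse weakness behind
# "enough traffic" in WEP cracking. WEP encrypts each frame with RC4 keyed by
# a 24-bit IV (sent in the clear) prepended to the shared key, so a repeated
# IV repeats the keystream. Key, IVs and frames below are constructed; the
# real frame's CRC-32 ICV is omitted. Real tools' statistical key-recovery
# attacks go further than what is shown here.
import math
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), exactly as WEP uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then plaintext XOR RC4(IV || key)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_of_plaintexts_on_iv_reuse(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """If two captured frames share an IV, return plaintext_a XOR plaintext_b,
    computed from the ciphertexts alone (no key involved)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


def recover_known_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes) -> Optional[bytes]:
    """With one plaintext known (e.g. the fixed LLC/SNAP header of an ARP
    frame), recover the other frame's plaintext from an IV collision."""
    x = xor_of_plaintexts_on_iv_reuse(frame_a, frame_b)
    if x is None:
        return None
    return bytes(k ^ p for k, p in zip(x, known_a))


def frames_for_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames to capture before some IV repeats with
    probability p (about 4,800 frames for a coin flip at 24 bits)."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                   # constructed 40-bit key
    iv = b"\x00\x00\x01"
    arp = bytes.fromhex("aaaa03000000080600010800060400010011")  # LLC/SNAP + ARP start
    other = bytes.fromhex("aaaa0300000008004500002c1c4640004006")  # LLC/SNAP + IP start
    fa, fb = wep_encrypt(iv, key, arp), wep_encrypt(iv, key, other)
    print("recovered:", recover_known_plaintext(fa, fb, arp).hex())
    print("frames for 50% IV collision:", frames_for_iv_collision())
```

The birthday figure is why a busy network falls fast and an idle one does not: a few thousand frames is seconds of traffic on a network with an active client, and tools that inject replayed ARP requests exist precisely to manufacture that traffic when nobody is talking.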
Spinning Gears :: DDoS Attacks Hit US Government Web Sites 

Government officials reported earlier today that a distributed denial-of-service (DDoS) attack has been directed at the Web sites of several US government agencies, and that the attacks likely started after July 4th. Officials have also determined that the attack likely originated from North Korea, and that a botnet of likely over 50,000 infected systems was used to carry it out. Here’s the official word:
A botnet composed of about 50,000 infected computers has been waging a war against U.S. government Web sites and causing headaches for businesses in the U.S. and South Korea.
The attack started Saturday, and security experts have credited it with knocking the Web site of the U.S. Federal Trade Commission (FTC) offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the U.S. Department of Transportation (DOT).

With that out of the way: many government agencies have been reporting the issue as a major incident, calling it “complex” and “sophisticated,” and it’s kind of disturbing, given how little we seem to have learned from the bigger virus incidents earlier in the decade, that those adjectives are being used to describe this. The attacks have been on-going and have definitely utilized a modestly sized botnet, but this type of work indicates the potency and level of effort I think we’ve come to expect from North Korea in other regards: good for getting our attention, but not for much else.
DDoS attacks are relatively harmless when the target doesn’t derive revenue from its Web site or services, and they’re fairly easy to orchestrate. Additionally, there’s no indication whether the North Koreans amassed the botnet themselves, hijacked someone else’s, or, perhaps worst of all (but most likely), were customers of a hacker-for-hire ring, some of which are known to sell or rent their botnets to anyone with some spare cash.
There will likely be calls for the US government to strengthen its cybersecurity posture after these attacks, and while I welcome any money invested in technology security, disaster recovery, and business continuity by any organization, I hope logic wins the day over fear.
The 100-Decibel Alarm 

If you have something that you absolutely, positively must keep chained to one place, whether it’s your bike or your laptop, the 100-Decibel Alarm might be just the item for you. Perhaps you’re worried about your luggage when you travel, to make sure that thieves don’t steal it, or prying eyes don’t end up in your suitcase (just don’t hold me responsible when some TSA agent decides to “inspect” your particular luggage!).
The alarm is pretty simple: it’s your typical combination cable lock, and you lock and unlock it with a combination of your choosing. There’s a huge red sticker on the front announcing that it’s a 100-decibel alarm, which will hopefully be enough to scare off any would-be thieves or cable-cutters, and if the red sticker doesn’t warn them off, the ear-splitting alarm will when they cut the cable or try to break the lock open. As soon as the cable is cut or the lock is forced, the alarm goes off and won’t stop. How you make it stop once the evildoer has fled and you’ve kept your property, I’m not sure. Either way, the 100-Decibel Alarm retails for $25 US from Skymall, and it’s available now.
TSA Hard Drive Goes Missing, With Data on 100,000 Employees 

Yowch. The Transportation Security Administration, the fine folks responsible for protecting Americans as they travel by plane, rail, or any other major means of public transit, has made something of a major boo-boo. A hard drive containing the private information of over 100,000 TSA employees, from baggage screeners to administrators and officials, has gone mysteriously missing, with no indication of where the drive is, who might have it, or whether the data has been used for any nefarious purpose like identity theft.
The lost hard drive contains a wealth of sensitive information, including banking data, Social Security numbers, and home addresses for all of those employees. The TSA says it has no idea whether the drive is still inside its headquarters, within the controlled area from which it went missing, or whether it has left TSA control entirely and is floating around somewhere. The drive held archived records for employees who worked at the TSA from 2002 to 2005, and the TSA is working with the Secret Service to find and retrieve it.
[ MSNBC News :: TSA Hard Drive Goes Missing, With Data on 100,000 Employees ]
The TSA has set up a website to help current and former employees learn more about what they’re doing to retrieve the drive and protect the people who may have been affected:
Firefox Hit by Fewer Flaws Than IE in 2006 

(image courtesy of one of my homes away from home, AppScout!)
According to Symantec, Firefox is living up to its reputation as the more secure browser: it suffered 26% fewer disclosed flaws and critical bugs than its rival for market share, Internet Explorer, in the second half of 2006.
According to Symantec’s tally, 40 Firefox vulnerabilities were disclosed between August and December 2006; Internet Explorer (IE), meanwhile, was hit with 54 bugs. Opera and Safari — the browser Apple Inc. bundles with Mac OS X — had four flaws each.
For all of 2006, however, the numbers were nearly neck and neck: Firefox was nailed by 87 flaws during the 12 months, IE by 92.
The trend line also put Firefox in the better light. The open-source browser had 15 percent fewer vulnerabilities in the second half of the year compared to the first, while IE’s total increased 42 percent during the period.
“Internet Explorer was particularly affected by concerted efforts to ‘fuzz’ the browser for new vulnerabilities,” said the Symantec report, which cited July’s ‘Month of Browser Bugs’ project as a big contributor. “The majority reported affected Internet Explorer or Windows components accessible through the browser,” Symantec said.
To add insult to injury to IE, Mozilla developers patched Firefox five times faster than did Microsoft’s. On average, Firefox had an attack exposure window — the amount of time between the disclosure of a bug and when it was patched — of just two days based on a sample set of 26 flaws. By comparison, Microsoft took an average of 10 days to patch the sample 15 vulnerabilities. Both vendors’ attack windows were a day longer in the second half of the year than in the first six months.
That about says that. Firefox evangelists, rejoice!
“Storm” Worm Spreads Rapidly Worldwide 

It’s been several years since we’ve had a serious virus or worm outbreak, and the “Storm” worm is already spreading worldwide with the speed we saw back in 2003 from worms like “Blaster” (and “Funlove” before it). Disguised as a typical email attachment (and proving that we haven’t quite learned all the lessons about safe downloading that we should have learned back then), the “Storm” worm arrives in your inbox with subject lines like “230 Dead as storm batters Europe” or “U.S. Secretary of State Condoleeza Rice has kicked German Chancellor,” and attachments with names like “Full Video.exe” and “Full Story.exe.”
So far, reports say the worm has infected over 300,000 PCs worldwide, the most in a single attack since 2005, and while it isn’t really a “worm” in the strict sense (it doesn’t infect a machine and immediately begin emailing itself to other people), it has managed to infect so many computers because the virus writers are using botnets to spam out copies in large volumes.
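The lure above is as old as email worms themselves: an attachment named like a video or a story that is actually a Windows executable. The following is an added example of the gateway check that stops it, not code from any vendor reporting on “Storm” or from this post. The message is constructed to mimic the described lure; the check flags executables by extension and, independently, by the `MZ` header every Windows executable starts with, so a renamed `video.avi` that is really a PE file is caught too. The `MZ` check is generic, not a signature for this particular malware.

```python
# Added example, not code from any of the vendors reporting on "Storm": a
# mail-gateway check for the kind of attachment the post describes. The
# message is constructed; the "MZ" check is the generic Windows executable
# header, not a signature for this particular malware.
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Assumed policy: extensions treated as executable regardless of content.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def _build_sample_message() -> bytes:
    """Constructed message mimicking the described lure: a news subject line
    plus an .exe attachment whose body begins with the PE 'MZ' header."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "230 dead as storm batters Europe"
    msg.set_content("Full story attached.")
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # constructed, not real malware
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="Full Story.exe")
    return msg.as_bytes()


SAMPLE_EML = _build_sample_message()


def suspicious_attachments(raw: bytes) -> List[dict]:
    """Return attachments that are executable by extension or by content.
    Checking the bytes catches a 'video.avi' that is really a PE file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if data[:2] == b"MZ":
            reasons.append("content starts with MZ (Windows executable)")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_attachments(SAMPLE_EML):
        print(hit["filename"], "->", "; ".join(hit["reasons"]))
```

Filtering on the extension alone is what most gateways did in 2003, and it is why the lure still works when the sender zips the file or gives it a double extension; the content check is cheap and does not care what the file is called.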
