Pages

Showing posts with label twitter. Show all posts
Showing posts with label twitter. Show all posts

Home Posts filed under >twitter

Twitter Targeted With Fake Antivirus Software Scam

Twitter has been resetting passwords for accounts that started distributing links promoting fake antivirus software in an attack that used Google's Web address shortening service to conceal the links' destination.

The links, masked by Google "goo.gl" URL shortener, bounce through a series of redirect URLs before landing on a Ukrainian top-level domain that then redirects to an IP address associated with other fake antivirus software scams, wrote Nicolas Brulez of Kaspersky Lab on a company blog.

Victims landing on the fake antivirus software page are prompted to scan their computer. If they approve the scan, the page asks if they want to remove threats from their computer: doing so starts the download of a bogus security program called "Security Shield."

Fake antivirus programs remain a pervasive problem on the Internet, with hundreds of variations. The applications target Windows users, and the programs are often installed by exploiting vulnerabilities in a computer's software. Once installed, the applications badger users to pay for a full version of the program. Many of the programs are totally ineffective at actually removing malware from a computer.

Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that "we're working to remove the malware links and reset passwords on compromised accounts."

"Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?" she wrote. "That's malware. Don't install."

Although Brulez classifed the attack as a worm, implying it spreads from account to account, Harvey said the issue was not related to a worm.

More Here


Courtesy:http://news.yahoo.com/s/pcworld/20110121/tc_pcworld/twittertargetedwithfakeantivirussoftwarescam;_ylt=ApQopnp9SFXhgtN5sicrG_CDzdAF;_ylu=X3oDMTNvMW1yMmRoBGFzc2V0A3Bjd29ybGQvMjAxMTAxMjEvdHdpdHRlcnRhcmdldGVkd2l0aGZha2VhbnRpdmlydXNzb2Z0d2FyZXNjYW0EcG9zAzEyBHNlYwN5bl9wYWdpbmF0ZV9zdW1tYXJ5X2xpc3QEc2xrA3R3aXR0ZXJ0YXJnZQ--
Posted by at 7:39 AM 2 comments
Labels:

Beware Goo.gl Fake Antivirus Worm on Twitter

Twitter and Twitter users are being targeted by a malicious worm. The worm sends out tweets with a goo.gl shortened URL link directed to a rogue antivirus application. The attack demonstrates once again how URL shortening can be a Pandora's box as users click on links with no clue where they might lead.
A post on Naked Security by Sophos' Graham Cluley describes the threat. "Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack," adding, "A quick search on the popular micro-blogging network finds many tweets from users containing no message other than a goo.gl shortened link (Google's equivalent to bit.ly or tinyurl), which itself points to a URL ending with "m28sx.html".

Attacks hiding behind shortened URLs are not new, and are also not technically challenging to execute. By their very nature, URL shortening services like goo.gl and bit.ly take cumbersome, long URLs and condense them down to a nice, short alias that can be used in its place. The concept makes it much easier to send some exceptionally long links, and is a necessity for a site like Twitter which caps messages at 140 characters.
Adam Wosotowsky, principal researcher at McAfee Labs, explains, "Shortened URL sites are not 100 percent malicious, so blocking the domain completely can cause false positives, which is something researchers try and avoid. Goo.gl is an example of a site associated with Google, so blocking the domain may be frowned upon by Google, allowing the spammer to continually abuse the site."
Wosotowsky elaborates, "As we stated in our 2011 Threat Predictions, we currently track and analyze--through multiple social media applications and all URL shortening services--more than 3,000 shortened URLs per minute. We see a growing number of these used for spam, scamming and other malicious purposes, and we expect to see shortened URL abuse invade all other forms of Internet communications."
Shortened URLs provide attackers a simple, and commonly accepted means of obscuring malicious links. McAfee recommends using its proprietary URL shortening service--mcaf.ee. McAfee's shortened URLs are scanned and filtered to weed out malware. Of course, you can't really control what URL shortening service other people use to send links to you.

More Here


Courtesy:http://news.yahoo.com/s/pcworld/20110121/tc_pcworld/bewaregooglfakeantiviruswormontwitter;_ylt=AkYzObtzkEvuxfACgaveXiSDzdAF;_ylu=X3oDMTNnM3BocXZwBGFzc2V0A3Bjd29ybGQvMjAxMTAxMjEvYmV3YXJlZ29vZ2xmYWtlYW50aXZpcnVzd29ybW9udHdpdHRlcgRwb3MDNgRzZWMDeW5fcGFnaW5hdGVfc3VtbWFyeV9saXN0BHNsawNiZXdhcmVnb29nbGY-
Posted by at 7:34 AM 2 comments
Labels:

Using Spring Social To Update Status On Facebook, Twiiter and LinkedIn

This blog will cover the following topics:
  • OAuth dance overview
  • OAuth dance with Twitter, LinkedIn and Facebook
  • Using Spring Social templates
Spring Social’s main objective is to make it easy for Java applications to integrate with social network platforms, i.e. Facebook, Twitter, LinkedIn, etc.  It uses the same template technique that was used to make it very simple to work with JDBC or REST operations.  The templates I am referring to are FacebookTemplate.java, TwitterTemplate.java, and LinkedInTemplate.java.  Before you can use any of these templates, you need to provide an access token and/or access token secret.  What is an access token you ask?  Well, it all starts with OAuth dance.
OAuth Dance Overview
In a nutshell, OAuth allows you to share your private data reside on Facebook, Twitter, or LinkedIn with another site without having to hand out your user name and password.  OAuth protocol defines a series of steps to acquire an access token and these steps are known as the OAuth dance.  The OAuth dance is kind of like the “Texas Two Step” dance, it consists mainly of three steps (OAuth 1.0), which seem deceptively simple, but require time and dedication to master them.
Here is a short list of resources about OAuth dance:
The OAuth dance consists of three steps and the last step is when the access token is handed out.
  1. Establish request token
  2. Redirect user to authorization server – this is when user will enter his/her user name and password as well as granting authorizations for a website to access his/her data on his/her behalf
  3. Request access token

All major social network platforms implement OAuth protocol (some are on OAuth 1.0 and a few are on OAuth 2.0), which requires them to expose URLs for the above steps.  The beauty about a standard protocol is once you figure out how to work with one of these platforms, working with the next one is just a mattering of using the correct URLs.  OAuth libraries are widely available and there is a good chance you will find more than one  library for your favorite language.
OAuth Dance With Twitter, LinkedIn and Facebook
In my Java Spring powered web application,  I used a Java OAuth library called scribe.  One thing I really like about this library is that it provides examples to demonstrate how the OAuth dance works.  You just plugin the api key and api secret key into the sample code, and you are ready to go.   Another thing I like about scribe is that it has built in support for LinkedIn and Twitter, where the LinkedInApi.java and TwitterApi.java classes contain the appropriate request token and access token URLs.  Before showing the code I would like to mention a couple of important classes in scribe for dealing OAuth dance.  They are ServiceBuilder.java and OAuthService.java.  ServiceBuilder.java uses builder design pattern to build an implementation of OAuthService for a specific OAuth version (currently 1.0) implementation.  OAuthService.java interface defines a set of methods for the retrieval of request and access tokens and for the signing of HTTP requests.
The code below is for a use case where a user clicks on Sign In with LinkedIn”,  and this request goes to a Spring MVC  handler, which then initiates the request token process by asking SocialNetworkOAuthManager factory to create an instance of SocialNetworkOAuthManger for LinkedIn.  Once the request token is successfully retrieved from LinkedIn,  this handler returns a URL to LinkedIn OAuth authorization server, which displays a form to require user to enter user name and password, and to authorize access to his/her profile on LinkedIn.  After the authorization step is successful, LinkedIn OAuth server will redirect user to a provided callback URL “liEndOAuth.htm” with OAuth verifier token.  A handler for “liEndOAuth.htm” URL then goes and request  an access token and access token secret using the provided verifier token. That concludes the OAuth dance.
view source
print?
01@Controller
02@SessionAttributes({ "userLinkedInProfile", "linkedIn" })
03public class LinkedInController {
04   @RequestMapping(value = "/liStartOAuth.htm", method = RequestMethod.GET)
05   public ModelAndView startAuthentication() throws TwitterException {
06     SocialNetworkOAuthManager linkedInOAuthMgr =
07       SocialNetworkFactory.getLinkedInOAuthManager(
08         linkedInApiKeyPair.getApiKey(),
09         linkedInApiKeyPair.getApiKeySecret());
10 
11     ModelAndView mv = new ModelAndView("redirect:" + linkedInOAuthMgr.getAuthorizationURL());
12     mv.addObject("linkedIn", linkedInOAuthMgr);
13     return mv;
14  }
15 
16 @RequestMapping(value = "/liEndOAuth.htm", method = RequestMethod.GET)
17 public ModelAndView endAuthentication(
18      @RequestParam(value = "oauth_token", required = false) String oauth_token,
19      @RequestParam(value = "oauth_verifier") String oauth_verifier,
20      @ModelAttribute("linkedIn") SocialNetworkOAuthManager linkedInOAuthMgr) {
21 
22      AccessToken accessToken = linkedInOAuthMgr.getOAuthAccessToken(oauth_verifier);
23 
24      UserLinkedInProfile userLinkedInProfile = new UserLinkedInProfile();
25      userLinkedInProfile.setAccessToken(accessToken.getAccessCode());
26      userLinkedInProfile.setAccessTokenSecret(accessToken.getAccessSecretCode());
27 
28      ModelAndView mv = new ModelAndView("close");
29      mv.addObject("userLinkedInProfile", userLinkedInProfile);
30      return mv;
31 }
32}
The actual work of dealing OAuth dance is in the following classes: SocialNetworkOAuthManager.java, LinkedInOAuthManager.java and SocialNetworkFactory.java.
view source
print?
01public class SocialNetworkFactory {
02 public static SocialNetworkOAuthManager getLinkedInOAuthManager(String apiKey,
03                                            String apiSecretKey) {
04    return new LinkedInOAuthManager(apiKey, apiSecretKey);
05 }
06}
07 
08import org.scribe.builder.ServiceBuilder;
09import org.scribe.builder.api.LinkedInApi;
10import org.scribe.model.Token;
11import org.scribe.model.Verifier;
12import org.scribe.oauth.OAuthService;
13 
14public class LinkedInOAuthManager extends AbstractOAuthManager {
15 private static final String AUTHORIZE_URL = "https://api.linkedin.com/uas/oauth/authorize?oauth_token=";
16 
17 private OAuthService service;
18 private Token requestToken;
19 
20 public LinkedInOAuthManager(String apiKey, String apiSecretKey) {
21   super(apiKey, apiSecretKey);
22 
23   service = new ServiceBuilder()
24                 .provider(LinkedInApi.class)
25                 .apiKey(getApiKey())
26                 .apiSecret(getApiSecretKey())
27                 .callback("http://myserver.myapp.com:8080/myapp/liEndOAuth.htm")
28                 .build();
29 }
30 
31 public String getAuthorizationURL() {
32   requestToken = service.getRequestToken();
33   return AUTHORIZE_URL + requestToken.getToken();
34 }
35 
36 public AccessToken getOAuthAccessToken(String verifierCode) {
37   Verifier verifier = new Verifier(verifierCode);
38   Token token = service.getAccessToken(requestToken, verifier);
39   AccessToken accessToken = new AccessToken(token.getToken(), token.getSecret());
40 
41   return accessToken;
42 }
43}
As you can see, the scribe library makes it pretty easy to deal with OAuth dance.
Once the access token is available, it is just a matter of providing that to Spring Social
LinkedInTemplate.java. Below is an example of retrieving LinkedIn member profile URL and using TwitterTemplate.java to tweet.
view source
print?
1LinkedInTemplate linkedInTemplate = LinkedInTemplate(apiKey, apiSecret, accessToken, accessTokenSecret);
2linkedInTemplate.getProfileUrl();
3 
4TwitterTemplate twitterTemplate = TwitterTemplate(apiKey, apiSecret, accessToken, accessTokenSecret);
5twitterTemplate.updateStatus("This is amazing!!");
Unfortunately the LinkedInTemplate.java in Spring Social M1 doesn’t have a method to update network status. However it is not difficult to add such functionality yourself or see how that is done in this blog.
The code to implement the OAuth dance with Twitter is nearly identical to the code above so I won’t bore you with that code.  The Spring Social TwitterTemplate.java does have a method to send a tweet, so it is fairly trivial to send tweets.
The OAuth dance with Facebook is a bit different from LinkedIn and Twitter.  I guess because Facebook is now on OAuth 2.0.  There are two ways (that I know of) to get an access token from Facebook.  The first way is very simple, but it requires using Facebook JavaScript SDK and the second way is directly interacting with Facebook OAuth server via RESTful API.  In this blog, I will only go over the details of the first approach, which is based on the documentation at Facebook Developers site.
At a high level, FB JavaScript SDK provides an easy way using custom tag to display FB login/logout button and handles the redirection to their authorization server.  One important thing to know is once the authorization is successfully completed, the access token is saved in a cookie with name as fbs_.  This means the server side of your application can easily get its hand on the access token.  Spring Social comes with a handler method argument resolver (FacebookWebArgumentResolver.java) to extract the access token and user id out of the FB access token cookie for you.
Here is JavaScript code snippet.
view source
print?
1
2
5"true" perms="publish_stream" >
The “perms” attribute of the tag is a very important attribute because there is where you can specify what are the different resources that your application would like to have access to on behalf of users of your application.
The snippet of Java code below shows how to get to the access token and user id using Spring Social custom annotations @FacebookAccessToken and @FacebookUserId.
view source
print?
01@RequestMapping(value="/fbUpdateStatus.htm", method = RequestMethod.POST)
02public ModelAndView updateStatus(@RequestParam("status") String fbStatus,
03                                 @FacebookAccessToken String accessToken,
04                                 @FacebookUserId String userId) {
05   ModelAndView mv = null;
06   try {
07     FacebookTemplate facebook = new FacebookTemplate(accessToken);
08     facebook.updateStatus(fbStatus);
09 
10     mv = ModelAndViewUtil.buildSuccessfulAjaxStatus();
11   } catch (Exception e) {
12     mv = ModelAndViewUtil.buildFailedAjaxStatus(e.getMessage());
13   }
14 
15   return mv;
16}
NOTE: In order to get @FacebookAccessToken and @FacebookUserId annotations to work correctly, the FacebookWebArgumentResolver.java must be properly configured. There are two ways to do this, but the end goal is the same, which is to set FacebookWebArgumentResolver.java as one of the custom argument resolvers in AnnotationMethodHandlerAdapter.java.  The first way is if you are using the convenient tag, then pass an instance of FacebookWebArgumentResolver.java to AnnotationMethodHandlerAdapter inside a custom BeanPostProcessor.  The second way is don’t use the convenient tag and define both the DefaultAnnotationHandlerMapping bean and AnnotationMethodHandlerAdapter bean manually.  This way you can wire in an instance of FacebookWebArgumentResolver to the property customArgumentResolver of AnnotationMethodHandlerAdapter.
In my application I want to provide a small popup with a text box so a user can quickly send a tweet or send an update to his/her FB wall or send a network update on their LinkedIn member profile.  I stumbled upon qTip library, a tooltip plugin for jQuery framework and really like the functionality this library provides.  It makes it so easy to display a very professional looking tool tip.



More Here


Courtesy:http://fantastic.wordpress.com/2011/01/01/using-spring-social-to-update-status-on-facebook-twiiter-and-linkedin/#comment-663
Posted by at 8:07 AM 2 comments
Labels: , , ,
Subscribe to: Posts (Atom)