STE WILLIAMS

Apple, Google tumble off top 20 trusted companies list

Once ranked as high as number eight among companies most trusted for protecting their customers’ privacy and personal information, Apple has fallen out of the top 20 entirely. Google didn’t make this year’s list, either, but it fell only from its previous high of 13th place.

The list in question was compiled by the Ponemon Institute, an independent research group focused on privacy, data protection, and information security policy, and published in a new report entitled, logically enough, “2012 Most Trusted Companies for Privacy”.

As they have for the past seven years, the Ponemon researchers contacted over 100,000 adults and asked them – among other things – to name the companies they most trusted to protect the privacy of their personal information. Out of that large sample, the researchers derived 6,704 usable responses that provided a total of 39,890 positive and negative company ratings.

Survey responders named American Express as the company most trusted to protect their personal information, an honor the company has received each year since 2007, when eBay lost the top spot. HP came in second, with Amazon, IBM, and the US Postal Service rounding out the top five; eBay has slipped down to number nine.

Apple and Google didn’t fare as well this year as they have in the past. Neither made it into the top 20, although Google had been so honored in four of the past seven years, and Apple had been named among the 20 most-trusted in 2009, 2010, and 2011.

[Chart: stats from the Ponemon Institute report, ‘2012 Most Trusted Companies for Privacy’. Apple, Google, Facebook, and other tech companies are less trusted than even AT&T (source: the Ponemon Institute)]

Facebook missed the cut as well – the social-media juggernaut has only made the annual Ponemon Institute list once, at number 15 in 2009. Other tech companies that were once in the top 20 but are now on the outs include Yahoo!, Dell, and AOL.

The report contains quite a bit more information, as well, and is worth a quick read if you care about such things. One particular bit of data caught our eye: respondents are increasingly pessimistic about the control they feel they have over their personal information, and at the same time they report a greater sense of the importance of that information.

[Chart: stats from the Ponemon Institute report, ‘2012 Most Trusted Companies for Privacy’. These trends would seem to indicate that a comprehensive privacy solution might be in order (source: the Ponemon Institute)]

One final nugget: of the 25 industries that the Ponemon Institute tracks, the one least trusted to protect the privacy of your personal information is Internet and Social Media (excluding eCommerce), with Mozilla being the most trusted company in that mistrusted sector.

Right above the much-maligned internet, slotting in at 24th place among industry groups in trustability, is the non-profit sector. The most trusted non-profit organization? The National Rifle Association (NRA). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/30/top_20_companies_trusted_to_protect_personal_information/

They didn’t predict that: Astrologers! blamed! after! Yahoo! hack!

Weaknesses in cloud security and third-party code allowed a hacker to compromise Yahoo! systems last month, according to an analysis of the purported breach.

In December, an Egyptian nicknamed ViruS_HimA claimed he cracked the web giant’s security systems, acquired full access to 12 databases and broke into an unspecified server. He boasted this gave him access to site backups.

ViruS_HimA breached Yahoo! with an SQL injection attack that took advantage of a vulnerability in a third-party application, according to new research by security tools firm Imperva. More specifically, we’re told, ViruS_HimA took advantage of an information-leaking error message from Microsoft SQL Server to pull off the raid. The error was triggered by fooling the software into using a string of text as a number.

SQL injection attacks exploit programming bugs to trick systems into coughing up sensitive data from backend databases or even, as in the Egyptian hacker’s case, executing arbitrary commands on the compromised server. These bugs typically pass user-submitted data directly to the database without scrubbing it of harmful characters.

Imperva explained in a report:

This Yahoo! attack was probably done by using MSSQL’s XP_CMDSHELL system-stored procedure. Many administrative activities in a MSSQL database can be performed through system stored procedures. The XP_CMDSHELL executes a given command string as an operating-system command shell and returns any output as rows of text. Therefore, a SQL injection vulnerability in an application using MSSQL DB enables the hacker to execute shell commands and take over the server.

The security researchers added: “Exploiting MSSQL SQLi vulnerability for command execution is supported in automatic SQLi tools such as Havij, which means a vulnerability can be exploited relatively easily.”
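As an added defensive illustration (not Imperva’s or Yahoo!’s code), the Python below shows the two checks a web team would want for the weaknesses just described: scrubbing SQL Server error text before it reaches the browser, and flagging requests whose parameters carry xp_cmdshell or type-conversion probes. The response bodies and log lines are constructed for the example, and the IIS-style field order of the log is an assumption.

```python
"""Defensive checks for the MSSQL-specific weaknesses in the Yahoo! write-up:
1. error messages that leak database internals to the client, and
2. request parameters carrying xp_cmdshell or type-conversion probes.

Added example; sample data is constructed, not taken from the incident."""
import re
from urllib.parse import parse_qs, unquote_plus

# Shapes of SQL Server errors that reveal data or schema when a string is
# forced into a numeric column, plus the .NET provider's exception type that
# unhandled ASP.NET errors echo to the browser.
MSSQL_ERROR_PATTERNS = [
    # Msg 245: the offending value is echoed back inside the quotes.
    re.compile(r"Conversion failed when converting the \w+ value '.*?' to data type \w+", re.I),
    # Msg 8114: the varchar/numeric variant of the same class of error.
    re.compile(r"Error converting data type \w+ to \w+", re.I),
    # Msg 105: confirms to the client that its quote broke the statement.
    re.compile(r"Unclosed quotation mark after the character string", re.I),
    re.compile(r"System\.Data\.SqlClient\.SqlException", re.I),
]

# Request-side indicators tied to the technique in the article. They are run
# against decoded parameter values, never the raw URL.
REQUEST_INDICATORS = {
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "type_cast": re.compile(r"\b(?:convert|cast)\s*\(", re.I),
    "quote_break": re.compile(r"'\s*(?:or|and|;)", re.I),
    "sql_comment": re.compile(r"--|/\*"),
}


def leaks_db_error(body):
    """True if an HTTP response body echoes a SQL Server error to the client."""
    return any(p.search(body) for p in MSSQL_ERROR_PATTERNS)


def scrub_response(body, generic="An internal error occurred."):
    """Return a generic message instead of a leaking body (log the original server-side)."""
    return generic if leaks_db_error(body) else body


def request_indicators(query_string):
    """Names of the indicators present in any decoded parameter value, in dict order."""
    hits = []
    for values in parse_qs(query_string, keep_blank_values=True).values():
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoded values
            for name, pattern in REQUEST_INDICATORS.items():
                if name not in hits and pattern.search(decoded):
                    hits.append(name)
    return hits


# Constructed IIS-style access log (assumed field order):
# date time s-ip method uri-stem uri-query port user c-ip user-agent status
LOG_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2012-12-22 03:14:07 10.0.0.5 GET /horoscope.aspx sign=aries 80 - 203.0.113.9 Mozilla/5.0 200",
    # A string forced into a numeric comparison: the conversion-error probe.
    "2012-12-22 03:14:09 10.0.0.5 GET /horoscope.aspx sign=aries'%20AND%201=CONVERT(int,'x')-- 80 - 198.51.100.7 Mozilla/5.0 500",
    # A stacked statement reaching for the stored procedure named in the report.
    "2012-12-22 03:14:12 10.0.0.5 GET /horoscope.aspx sign=aries';EXEC%20master..xp_cmdshell%20'dir'-- 80 - 198.51.100.7 Mozilla/5.0 500",
]


def scan_log(lines):
    """Return (client_ip, uri_stem, indicators) for every request that trips an indicator."""
    alerts = []
    for line in lines:
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        stem, query, client_ip = fields[4], fields[5], fields[8]
        if query == "-":
            continue
        hits = request_indicators(query)
        if hits:
            alerts.append((client_ip, stem, hits))
    return alerts


if __name__ == "__main__":
    for ip, stem, hits in scan_log(LOG_LINES):
        print(f"{ip} {stem}: {', '.join(hits)}")
    print(scrub_response("Conversion failed when converting the nvarchar value 'aries' to data type int."))
```

Parameterised queries remove the injection itself; these checks are the monitoring and error-handling layer that limits what an attacker learns when a third-party application is not under your control.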

Havij is a popular hacking tool for SQL injection attacks, and was developed in Iran but is available in the English language.

Screenshots posted by ViruS_HimA as trophies from the hack suggest that the vulnerable application runs on ASP.NET, and not PHP as used in most other Yahoo! web apps. In addition the partially redacted hacked machine’s domain name ends in “yle.yahoo.net” and not yahoo.com.

These factors and others allowed Imperva to narrow down the list of potential suspects and conclude that the hack was pulled off by exploiting vulnerabilities within in.horoscopes.lifestyle.yahoo.net, an Indian astrology site built by engineers external to Yahoo!.

“The weak link in the Yahoo! attack was not programmed by Yahoo! developers, nor was it even hosted on the Yahoo! servers, and yet the company found itself breached as a result of third-party code,” explained Amichai Shulman, CTO at Imperva. “The challenge presented by the Yahoo! breach is that web-facing businesses should take responsibility to secure third-party code and cloud-based applications.”

Imperva published its research, titled Lessons Learned from the Yahoo! Hack, in the January edition of its regular monthly Hacker Intelligence Initiative Report [PDF]. As well as examining how the hack was pulled off the report provides recommendations on how similar breaches can be prevented – from auditing code to buying a web-application firewall. Which Imperva and others happen to sell.

The December break-in is not the first time Yahoo! has run aground on flawed third-party software. Last July, a decommissioned part of Yahoo! Voices was breached, and approximately 450,000 users’ credentials were exposed. Hackers boasted that they carried out the attack using a union-based SQL injection, the same sort of technique used to pull off the December attack by ViruS_HimA. Yahoo! Voices is an online publishing application that was developed by Associated Content before it was acquired by Yahoo! ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/29/yahoo_hack_analysis/

Berners-Lee says snoop law could see spies blackmail soldiers

World Wide Web inventor Sir Tim Berners-Lee has declared government collection of data on citizens’ web surfing and telephony activities “a very bad idea” after outlining a scenario in which he feels national security could be compromised by caches of armed forces members’ online activities.

Speaking in Sydney at the launch of Australia’s new Digital Productivity and Services Flagship, a think tank designed to boost productivity through cunning use of technology, Berners-Lee suggested that if governments are allowed to track citizens’ use of phones and the internet, foreign spies will find it an irresistible hacking target.

The UK and Australia are both considering collection of such data, the former through the Communications Data Bill while the latter conducts public consultation on the topic.

Berners-Lee said he supports governments’ rights to protect themselves, but that collecting data on web and phone use would mean they hold “a dossier” on individuals.

If the subject of such a dossier were a member of the armed forces and had been viewing naughty web sites, Berners-Lee suggested it “would allow a foreign power to exert a huge amount of pressure on a person” and went on to imply they may therefore be easily blackmailed. Such an outcome is, of course, dependent on spies finding their way into the database enabled by a web snoop law, but Berners-Lee said he cannot imagine a perfect security regime for such a database as doing so will require one agency to curate the data and enact requests to access it, and another to oversee the first agency and ensure its curation and service of access requests are conducted properly.

Berners-Lee said he is not aware of any nation that has created the first agency successfully, never mind the second, and that web snooping is therefore “massively dangerous and a bad idea.”

Web snooping is also undesirable, he said, as it could see web use fall as users fear the stigma of being flagged as having sought out sensitive information. Berners-Lee suggested a teenager who “really needs to visit a forum for professional advice” about their health, or who is looking for information on sexuality or other advice of a personal nature, might choose not to do so for fear their activity would be tracked and that they could be identified in future as having had a particular health concern. Avoiding the web for that reason, he suggested, would mean some deny themselves access to useful knowledge, with potentially unfortunate consequences.

Another privacy issue Berners-Lee addressed was that of the surprisingly accurate advertisements served to users of social media websites. Those ads, he said, have come to represent a privacy threat to many internet users, who have therefore become wary of sharing personal information. Berners-Lee hopes internet users can instead be encouraged to share more personal data. Smartphones could become passive trackers that record information about how much their owners exercise, he suggested (battery life permitting). When added to other data such as a patient’s consumption of prescribed drugs, doctors would then have more data to work with and could offer better advice.

“We are missing personal integration of data,” he said. “We should not worry about the value of personal data to others and think about value to me.” Berners-Lee also offered an interesting taxonomy of computer users, namely geeks, the connected and the disconnected. The latter lack the access to networks and computers that the connected possess. Geeks, in his definition, “can make a computer do something different,” a skill that brings with it the responsibility to think of ways to innovate with computers. Characterising HTML 5 as capable of turning any web page into a computer, Berners-Lee said “it is your duty as a geek to innovate.”

“If you can program a computer you can imagine one machine doing something so you can imagine another computer doing it too.” From such thinking, he believes, flow great applications, and those with the skills to try should not restrain themselves.

“Go for it,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/29/tim_berners_lee_web_snoop_law_dangerous/

Hackers squeeze through DVR hole, break into CCTV cameras

The digital video recorders of several CCTV video cameras are vulnerable to attacks that create a means for hackers to watch, copy or delete video streams, according to security researchers.

The researchers added that unless systems are properly firewalled, security flaws in the firmware of the DVR platform also create a jumping-off point for attacks aimed at networks supporting these devices. The hackable CCTV devices from an estimated 19 manufacturers all use allegedly vulnerable firmware from the Guangdong, China-based firm Ray Sharp.

The issue was first exposed last week by a hacker using the handle someLuser, who discovered that commands sent to a Swann DVR on port 9000 were accepted without any authentication. The vulnerability created a straightforward means to hack into the DVR’s web-based control panel. To make matters worse, the DVRs support Universal Plug and Play, making control panels externally visible on the net. Many home and small office routers enable UPnP by default. This has the effect of exposing tens of thousands of vulnerable DVRs to the net.

And to cap everything off, the Ray Sharp DVR platform stores clear-text usernames and passwords.

The litany of security problems allowed someLuser to develop a script to lift passwords which, once obtained, give hackers control of vulnerable devices via built-in telnet servers, thanks to the wide-open control panel.

HD Moore, CTO of security tools firm Rapid7 and founder of Metasploit, has collaborated with someLuser over the last week to validate his research.

“In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000,” Moore explained in a blog post. “The vulnerabilities allow for unauthenticated access to the device configuration, which includes the clear-text usernames and passwords that, once obtained, can be used to execute arbitrary system commands as root through a secondary flaw in the web interface. someLuser’s blog post includes a script for obtaining the clear-text passwords as well as a standalone exploit that yields a remote root shell on any vulnerable device.

“In short – this provides remote, unauthorised access to security camera recording systems,” Moore concludes in a blog post that does a good job of summarising the issue.

Scans suggest 58,000 hackable video boxes across 150 countries are vulnerable to attack. The majority of exposed systems are in the US, India and Italy, said the researchers. Fixing the problem would seem to involve pushing out a firmware update.

A Metasploit module has been added that can be used to scan for vulnerable devices.

We’ve put out a query to Ray Sharp asking for comment on the alleged firmware flaws. We’ll update this story as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/29/cctv_vuln/


Pentagon plans massive surge in Cyber Command staff

The US military is planning a massive increase in the capabilities of its Cyber Command online-warfare department as it seeks to exert dominance over the digital battlefield.

“Given the malicious actors that are out there and the development of the technology, in my mind, there’s little doubt that some adversary is going to attempt a significant cyberattack on the United States at some point,” William Lynn III, a former deputy defense secretary, told the Washington Post.

“The only question is whether we’re going to take the necessary steps like this one to deflect the impact of the attack in advance or . . . read about the steps we should have taken in some post-attack commission report,” he said.

Currently there are around 900 uniformed and civilian staff employed by the Pentagon in its Cyber Command, which is separate from the National Security Agency – at least in principle. In practice, however, the two work side-by-side, and both are headed by the same man, General Keith Alexander.

A senior defense official told the paper that the Pentagon would primarily focus on online activity outside of US domestic borders, and would only be involved in major online attacks, not minor hacking and phishing annoyances. US companies and those international companies that use American-hosted services won’t be touched.

“There’s no intent to have the military crawl inside industry or private networks and provide that type of security,” the official said.

The staffing increase is scheduled to begin later this year and next, but there are likely to be problems simply finding that many people with the right skills to do the job. The military was at last year’s Black Hat hacking conference looking for recruits and support from the private security industry, but wasn’t finding many takers.

Security researchers who have worked with the Pentagon have complained that all too often the government wants to know their security tricks, but isn’t willing to share its knowledge or pay the kind of rates that researchers can make in private industry.

There’s also the fact that other government agencies are increasingly targeting the security community for special investigation over the last few years, since WikiLeaks started releasing US State Department cables. Many in the industry are feeling little love for the US government at the moment, and this could reduce its ability to hire the best talent.

General Alexander has agreed to stay on in his roles until at least 2014 to manage the increase in numbers.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/29/pentagon_expands_online_war/

HP launches security service for after the horse has bolted

HP is getting into the lucrative security remediation sector with a consultancy service designed to minimize the effects of a successful attack, collect evidence for prosecution, and help recover what has been stolen or corrupted.

“It’s nearly impossible for organizations to prevent a breach, but they can take control of how they respond,” said Andrzej Kawalec, CTO of enterprise security services at HP in a statement.

“Combining HP’s portfolio of services and software, the HP Breach Management Solution arms clients with the tools and resources to monitor, manage and respond to breaches head on, minimizing their impact while readying for the next attack.”

As part of the package, HP is offering a 24/7 multilingual breach-response service that will seek to mitigate the effects of a successful attack. Meanwhile, forensic consultants can advise on the procedures companies need to have in place before an attack, and will pore over the aftereffects and try to collect evidence if the case comes to court.

Naturally, HP is keen to add its ArcSight service to the package, and there’s a data recovery squad that can pick over the pieces and try to find any bits that were either lost or corrupted in the attack.

Pricing for the service is on a per-hour basis and companies can pick and choose the components they want. More details will be announced at the HP Discover conference in June. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/28/hp_security_service/

Google offers $3.14159 MILLION in prizes for hacking Chrome OS

Google has announced the target for its third Pwnium hacking contest, to be held at this year’s CanSecWest security conference, with $3.14159m in prize money for the researchers who can successfully crack its Chrome OS operating system.

And yes, that figure is derived from the first six digits of π.

The contest, to be held on March 7, will see hackers trying to subvert the operating system on a base specification Samsung 550 Chromebook running Wi-Fi. Google is offering $110,000 for a browser or system level compromise delivered via a web page, and $150,000 if the crack survives a reboot of the system.

In order to claim the cash, researchers must provide Google with the full list of vulnerabilities used in the attack, along with any code used. Partial prizes will be offered for semi-successful hacks, at the Chocolate Factory’s discretion.

“We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,” said Chris Evans of the Google Chrome security team in a post on the Chromium blog.

Google is already sponsoring the other hacking contest at the conference, Pwn2Own, and is putting its Chrome browser in the firing line with a $100,000 for a successful exploit – plus the laptop that the browser is successfully cracked on.

While the prize money for both contests has never been higher, it’s still a very good deal for Google and others who are stumping up the cash. Time and again the security industry has found holes in commercial code that the writers never even dreamed of, and splashing out a few million is well worth it if Google can bolster its defenses further.

The company offered $1m for its first Pwnium contest, and upped that to $2m last year at the second competition at the Hack in the Box conference in Kuala Lumpur. But the Chocolate Factory is unlikely to pay out the full amount this time, since Chrome OS should prove more difficult to crack than Google’s browser.

When Google launched the Chrome OS, it boasted that the operating system was the most secure on the market, saying the mix of hardware and software modules on the machines makes a lot of current attack techniques invalid.

That said, the research community has been known to pull some major surprises, and Google might face a bigger payday than it anticipates. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/29/google_third_pwnium_prizes/

Anons hack Asteroids into US DoJ website in Swartz death protest

The Anonymous hacking collective attacked a US Justice Department website over the weekend to protest against the prosecution of Reddit co-founder Aaron Swartz.

The hacktivists followed up the initial assault on Ussc.gov, the US Sentencing Commission’s website, by planting an easter egg in the form of retro video game Asteroids on the government portal.

As part of its Operation Last Resort, the hacktivist group also released encrypted files supposedly containing state secrets, for which it has threatened to release encryption keys unless the DoJ “reforms”.

The miscreants managed to infiltrate Ussc.gov on Saturday morning. They said the break-in was in retaliation against FBI prosecutions against Anonymous members and what it sees as the harsh handling of the Swartz case by the US Justice Dept.

Internet prodigy Swartz killed himself at his New York apartment earlier this month after he faced potentially years in jail for allegedly planning to redistribute articles copied from science journal archive JSTOR; his family accused the prosecution of pursuing their son too aggressively.

The full (somewhat rambling and bombastic) text of the defacement messages on the US DoJ website can be found here. This is repeated in a video message uploaded to YouTube.

In its statement, Anonymous said the Justice Department had “crossed a line” with the Swartz prosecution, prompting its decision to attack the Sentencing Commission, the body responsible for putting together sentencing guidelines for prosecutors.

The hacktivists said:

Two weeks ago today, a line was crossed. Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice. Killed because he was forced into playing a game he could not win – a twisted and distorted perversion of justice – a game where the only winning move was not to play.

The group is also threatening to expose sensitive information about the US government, purportedly contained in a 1.3GB encrypted file titled Warhead-US-DOJ-LEA-2013.AES256, which it claimed it had obtained after infiltrating numerous unnamed sites. The group has encouraged internet denizens to distribute the file (which it refers to as a “warhead”), and it has since become available as a torrent through file-sharing networks.

The group has threatened to release the encryption keys needed to unlock this file. It said that other documents may follow. Whether this scrambled data actually contains anything meaningful cannot be verified and the whole exercise, beyond the defacement of the DoJ website, may easily be a massive bluff.

The FBI, meanwhile, has launched a criminal investigation into the hack. “We were aware as soon as it happened and are handling it as a criminal investigation,” said Richard McFeely of the FBI’s Criminal, Cyber, Response and Services division, in a statement, AP reports. “We are always concerned when someone illegally accesses another person’s or government agency’s network.”

Anonymous followed up the initial assault by planting an easter egg for retro video game Asteroids on the Ussc.gov site. The site was unreachable on Monday morning, most likely because filters have been applied blocking access from outside the US or because it has been taken down for repairs.

“Asteroids is a far better game than sentencing innocents and scapegoats,” an update from the semi-official AnonymousIRC account stated, adding “regarding #USSC: So far we had much lulz and win. The db was a fake but created lulzy art… and Asteroids just rocks.”

Net security firm Sophos reports that Asteroids has re-appeared on Eastern District of Michigan’s United States Probation Office website. A game of Nyan-cat flavoured Asteroids will begin if you enter the following “Konami code” as explained in the post. Surfers see a message before the Asteroids game begins, with the website slowly disintegrating as surfers shoot it up with lasers.

Swartz, who co-created RSS 1.0 and Reddit, faced trial on charges that he had used MIT’s network to download millions of articles from the not-for-profit academic journal archive JSTOR, with the initial aim of republishing them without restriction.

The charges put against him could have seen him jailed for a theoretical maximum of 50 years. After the material was returned, JSTOR declined to press charges, despite which the DoJ pushed forward with the case, partly on the basis of an initial criminal complaint from MIT. Swartz was found hanging in his Brooklyn home on 11 January.

Anonymous defaced two websites on the MIT domain days after Swartz’s death, replacing regular content with a tribute to the internet activist and a call to reform the US copyright system and computer crime prosecutions. The group later interfered with the operation of MIT’s email system, also as a protest against actions taken against Swartz. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/28/anon_doj_hack_swartz_protest/

Spammers joyride Doctor Who’s Twitter TARDIS, turn man into Shirley Temple

Yet another Doctor Who star’s Twitter account has been hijacked to tout dodgy diet pills: this time it’s Colin Baker, who played the sixth incarnation of the hero time lord.

Baker’s @SawbonesHex account was taken for a joyride just a fortnight after the Twitter feed of actress Karen Gillan, who played Doctor Who companion Amy Pond, was hacked to punt the same acai berry spam*.

The former curly-haired Doctor managed to seize control of his account hours after the rogue tweets appeared in the early hours of Sunday. He apologised to his 32,000 followers for the snafu, which resulted in the distribution of spam messages promoting a pill-flogging site.

“I’ve finally worked out how to reset my password so you shouldn’t be inundated with weight loss garbage on Twitter,” the ex-star of the long-running hit BBC sci-fi saga said.

It’s unclear how the hack was pulled off. Christopher Boyd, a senior threat researcher at GFI Software, was among the first to spot all was not well with the @SawbonesHex feed. Twitter feed compromises can happen to anyone, not just celebs, but there are a number of sensible precautions that might be taken to guard against attack.

“It’s not that long ago since Karen Gillan had her Twitter feed compromised, and in fact the scam appears to be almost identical,” Boyd explained.

“Be wary of app installs, and do be careful whenever you’re asked for login details (at least one Doctor Who fan has mentioned being sent to the same sort of ads via rogue DMs). If you’re unsure, physically type the Twitter.com URL into your browser to be on the safe side.”

A blog post by Boyd featuring screenshots of the dodgy updates can be found here. The Reg security desk isn’t sure who is behind the apparent spate of attacks against the TARDIS-riding actors but reckons the Adipose can safely be ruled out as potential suspects.

In related hijacking news, a US man claims his Twitter account was hijacked, renamed and turned into a feed purporting to belong to Hollywood actress Shirley Temple for a week. Once the account had gained 10,000 followers, the feed was suddenly used to offer love-making enhancement pills and work-from-home scams.

Michael Wellington has now regained control of his account @mjwellington6, which still has more than 8,000 followers. He can thank various celebrities, including Toy Story 3 director Lee Unkrich, for believing the @TempleShirleyJ profile was genuine and endorsing it to tens of thousands of fans.

Boyd has more on the frankly weird tale here. ®

Bootnote

* Pills derived from acai berries supposedly allow people to shed weight without dieting or exercise, a claim rubbished by health experts.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/28/doctor_who_twit_jacked/