Lost+Found: Metasploit phishing, hacker bounties and Android malware
Too short for news, too good to lose; Lost+Found is a roundup of useful and interesting security news. In this edition: Metasploit goes phishing, Windows 8 password resets, defacing (or not) by git pull, C# rewards, Commander X spotting, and Android malware.
- With version 4.5 of the Metasploit commercial edition you can now search for human weaknesses. The web assault kit can start a phishing campaign and tell on those who fall for it. Metasploit's armoury has now grown to 1000 exploits.
- Got a Windows 8 password and ten minutes to spare? Then you've got plenty of time to reset that password.
- Script kiddies know many tricks to deface web sites, but the most unusual way to do it is to post a pull request on GitHub.
- The Japanese police are offering a 3 million yen (£22,250) reward for details of an individual who knows C# and how not to leave a trail on the net. This person broke into four individuals' PCs and made it appear as if the owners were planning mass killings at local schools, which led to them being wrongly arrested.
- Maybe Aaron Barr of HBGary wasn't that far off in his attempt to identify key figures in Anonymous. According to Ars Technica, he correctly identified Commander X from a simple lookup of the "People's Liberation Front" web site – but then he discarded it.
- The whole point of Google's Anti-Malware Bouncer is to filter out pests from the app catalogue of Google's Play store. But Kaspersky has found that the store is still hosting malware that forwards mTANs to criminals.
(djwm)