Recent Posts

826
Living Room / Vuln. Alert: QuickTime/iTunes Zero-Day BOF/RCE
« Last post by Ehtyar on September 19, 2008, 04:23 PM »
Amazing that these things can still happen. The exploit uses an atypically long string to cause the application to crash (please note the use of "denial of service" in the second link) and potentially allow arbitrary remote code execution on the affected machine.

A hacker has released attack code that exploits an unpatched vulnerability in Apple Inc.'s QuickTime, just a week after the company updated the media player to plug nine other serious vulnerabilities, a security researcher said Wednesday.

The exploit, which was published on the milw0rm.com site Tuesday, takes advantage of a flaw in the "<? quicktime type= ?>" parameter in QuickTime, which is not prepared to handle excessively-long strings, said Aaron Adams, a researcher with Symantec Corp.'s DeepSight threat notification network.

Full Story
Full Story 2

Ehtyar.
827
Living Room / Blog Post: GPS Spoofing
« Last post by Ehtyar on September 19, 2008, 04:15 PM »
A little paranoid, but poignant nonetheless. Hijackers can quite easily spoof GPS signals, permitting them to falsify signals sent to and from civilian GPS devices.

Our global society relies on the civilian GPS for our communications networks, transportation of goods, power distribution, financial transactions and emergency response, using precise location information and time synchronization. Unfortunately, the GPS system was not designed for this purpose. The civilian GPS has dangerous security vulnerabilities which now leave our global society at risk of serious disruption at any moment.

Full Blog

Ehtyar.
828
Living Room / News Article: Laptop Border Search Procedures To Be Documented
« Last post by Ehtyar on September 19, 2008, 04:08 PM »
The procedures the TSA follows in conducting border searches of laptops may be made public under new legislation.

A U.S. lawmaker introduced a bill last week that would require the U.S. Department of Homeland Security to disclose its procedures for searching computers and devices at the border as well as produce a quarterly report of all laptops, devices and data seized by border agents.

The bill, titled the Border Security Search Accountability Act of 2008, would limit the length of time devices can be held by DHS agents and increase protections for corporate data stored on devices. In addition, individuals would be entitled to a receipt for their belongings, written confirmation if their data is copied and more information about dispute resolution. The DHS would also have to produce a quarterly report of the number of devices seized at different ports of entry.

Full Story

Ehtyar.
829
Living Room / News Article: EFF To Sue President and NSA
« Last post by Ehtyar on September 19, 2008, 04:06 PM »
The EFF has filed suit against Dubya, The NSA and others in an attempt to prevent them spying on citizens via AT&T.

The Electronic Frontier Foundation, a pro-civil-liberties organization, announced on Thursday that it had filed a lawsuit against the National Security Agency, President George W. Bush and other individuals on behalf of AT&T customers, asking that unconstitutional surveillance stop.

The lawsuit aims to end the collection of data and wiretapping by the NSA targeting ordinary Americans and hold the architects of the various surveillance initiatives responsible for any violations of the U.S. Constitution, the EFF said in a statement. The lawsuit uses evidence already made public to make its case, since the Bush Administration has not been shy about using the state secrets privilege to quash past lawsuits. A previous lawsuit brought by the EFF against telecommunications giant AT&T is one of the only cases against the surveillance programs to have survived the government's legal tactics.

Full Story

Ehtyar.
830
Living Room / Re: I can haz LOLMouser plz?
« Last post by Ehtyar on September 19, 2008, 06:44 AM »
We better get the fire dept. over to Deo's house!! These are absolutely hilarious!!

Ehtyar.
831
Living Room / Re: I can haz LOLMouser plz?
« Last post by Ehtyar on September 18, 2008, 11:35 PM »
AWESOME!!!!!

Ehtyar.
832
Living Room / Re: News Article: Microsoft & Cray Release $25,000 Supercomputer
« Last post by Ehtyar on September 18, 2008, 11:14 PM »
LOL!

Ehtyar.
833
Living Room / DonationQuote - DonationCoder Quote Database [Update]
« Last post by Ehtyar on September 18, 2008, 07:20 PM »
Hi everyone. I have recently put together a place for everyone on DonationCoder to submit quotes from site members so that everyone can have a good laugh or read some philosophical thoughts etc. So far it is dominated by snippets of chat from the IRC channel on EFNet; however, quotes can be submitted from any medium with relation to DonationCoder.

It currently works thus:
1. A user finds a quote they'd like to post. E.g. "<ioszilla> today's mousering threat level: ELEVATED".
2. They visit the DonationQuote website at http://quotes.dcmembers.com/.
3. They click the "Contribute" link in the upper right corner.
4. They add a title, insert the quote, and add their own nickname to the post.
5. A moderator checks their post and accepts it into the database. (any forum mods/irc regs are welcome to PM me for moderator login)
Users can see the latest submissions here and RSS with full quotes included here. If you'd like to get an idea of some of the quotes in the database I would recommend checking out a few random quotes here.
I'd like to thank Mouser for kindly hosting this project on the DCMembers website (PM Mouser or Gothi[c] for info.), Gothi[c] for setting up the account and pointing out how horribly insecure the script was (I am ashamed), and Joshua/Deo for recommending it. I'd also like to credit the RASH Quote Management System that the website is based on, along with a warning; this script should never be used on an openly accessible website. It is disastrously insecure and is used in this project only after some very laborious sanitation.
Lastly, have some laughs everyone!!

Ehtyar.
834
Living Room / Re: Vuln. Alert: Browser 'Clickjacking'
« Last post by Ehtyar on September 18, 2008, 08:24 AM »
Oh doi! *headdesk*

Ehtyar.
835
Living Room / Re: Vuln. Alert: Browser 'Clickjacking'
« Last post by Ehtyar on September 17, 2008, 03:40 PM »
Anybody else get the impression that this is more of an Adobe issue, than a browser issue?
Yes indeed. Though sensationalism is getting out of hand if they're using the phrase "affecting anyone who uses a browser to surf the web" when they're actually referring to Adobe Reader.

Ehtyar.
836
Living Room / Wired Gallery: Future Travel
« Last post by Ehtyar on September 17, 2008, 04:07 AM »
Wired.com show artists' impressions of the future of travel.

Future worlds described by science fiction visionaries like Philip K. Dick, William Gibson and Robert Heinlein often included wildly inventive methods of transportation to other planets, galaxies and dimensions.

These brief glimpses into the possible future of travel were left largely to the readers' imaginations, but a flourishing group of dreamers, designers and illustrators are bringing those creations to life -- at least online.

Full Story

Ehtyar.
837
Living Room / News Article: Microsoft & Cray Release $25,000 Supercomputer
« Last post by Ehtyar on September 17, 2008, 04:04 AM »
Microsoft and Cray have teamed up to release the world's most affordable supercomputer.

Impulse buyers, lock your credit cards in a drawer when you're browsing Amazon.com: You might end up purchasing a $25,000 compact supercomputer on a whim.

In an effort to make supercomputers mainstream, Microsoft and Cray teamed up to produce the Cray CX1, the "most affordable super computer Cray has ever offered." Unveiled Tuesday morning, the CX1 will run a new version of Microsoft Windows on either 32 or 64 Intel cores, and the desktop will carry 4 terabytes of storage, according to a GigaOM story. 

Full Story

Ehtyar.
838
Living Room / News Article: Facebook Apps To Undergo Voluntary Validation
« Last post by Ehtyar on September 17, 2008, 04:02 AM »
Users who wish to certify that their Facebook apps will not violate users' expectations will soon be able to volunteer to have them vetted by Facebook.

After booting applications from Facebook this summer for violating user privacy, the social-networking company is gearing up to vet apps for trustworthiness as part of a voluntary validation program.

The validation badge will give Facebook members a gauge to use in deciding whether to add a particular app or not. Experts praise Facebook's effort, but say apps posing security risks will still be around despite that, partly because of the popularity of the network.

Full Story

Ehtyar.
839
Living Room / Vuln. Alert: Forever21 Payment Card Breach
« Last post by Ehtyar on September 17, 2008, 03:54 AM »
Forever21 has had payment card details stolen from 21 stores over a four-year period.

Almost 99,000 payment cards used by people shopping at Forever 21 stores may have been lifted over a four-year period by people linked to the heist of 45.6 million payment cards from customers from stores owned by TJX Companies.

On Friday, the company issued a statement on its website that said it learned of the theft from law enforcement officials more than a month earlier. The theft took place on nine specific dates from March 2004 to August of last year as part of crimes alleged in an August 5 indictment charging 11 individuals of engaging in wholesale credit card theft against stores owned by TJX and others.

Full Story

Ehtyar.
840
Living Room / News Article: Microsoft To Teach About Secure Code
« Last post by Ehtyar on September 17, 2008, 03:49 AM »
Stunningly, Microsoft apparently considers itself in a position to teach others how to code securely.

After spending four years as an internal process for designing secure programs from the ground up, Microsoft's Secure Development Lifecycle could soon go mainstream.

The company on Tuesday unveiled plans to help other organizations adopt comprehensive secure coding practices through three initiatives that will go live sometime in November. The company is billing them as a way to bring SDL practices to the development masses.

Full Story

Ehtyar.
841
Living Room / Vuln. Alert: Browser 'Clickjacking'
« Last post by Ehtyar on September 17, 2008, 03:47 AM »
A vulnerability has been discovered that allegedly allows an attacker to misrepresent the destination of a link on their website in order to lead the reader to a destination of the attacker's choice. The details are thus far being withheld at the behest of Adobe.

In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web.

Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.

Full Story

Ehtyar.
842
Living Room / Vuln. Alert: BusinessWeek SQL Injection
« Last post by Ehtyar on September 17, 2008, 03:43 AM »
The BusinessWeek magazine's website has suffered an attack on an SQL injection vulnerability in its pages causing it to serve up malware.

The Web site of BusinessWeek magazine suffered a major SQL injection attack in recent days that left it hosting malware on hundreds of its pages, security vendor Sophos PLC has reported.

Once compromised by such a server hole, the attack scripts could, in principle, launch anything desired by the attacker except currently included code for automatic attacks based on JavaScript. That means a visitor could be hit by malware just by landing on one of the pages, without even interacting in any way.

Full Story
Second Reference

Ehtyar.
843
Living Room / Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Last post by Ehtyar on September 15, 2008, 08:33 AM »
...
At least it's not a serious vulnerability
...
Correct.

Ehtyar.
844
FINALLY! YAY!

Ehtyar.
845
Living Room / Re: News Article: Insecure Cookies Leak Sensitive Information
« Last post by Ehtyar on September 15, 2008, 07:35 AM »
I use Cookie Monster myself, though I allow sites I frequent/trust permanently, otherwise a site is temporarily allowed permission if necessary, and denied in all other situations.

Ehtyar.
846
Living Room / Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Last post by Ehtyar on September 15, 2008, 07:32 AM »
I refuse to continue debating this subject. Those of you unfamiliar with IT security terminology should consider withholding your comments unless you're certain what you're talking about.

Ehtyar.
847
Living Room / Re: Skype Ignores e-Bay Vulnerability In Client Software
« Last post by Ehtyar on September 15, 2008, 07:30 AM »
I've never used the feature myself, and it took quite some research to confirm this theory.

Ehtyar.
848
Living Room / Re: Mythbusters Silenced by Credit Card Companies
« Last post by Ehtyar on September 15, 2008, 01:36 AM »
*cough*take the center page for swim*cough*

Ehtyar.
849
Living Room / Re: Skype Ignores e-Bay Vulnerability In Client Software
« Last post by Ehtyar on September 15, 2008, 01:14 AM »
As eBay owns Skype, they allow you to use single sign-on with Skype to access your eBay account. Thus if an attacker manages to steal your Skype identity, he effectively has control of your eBay ID as well.

Ehtyar.
850
Living Room / Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Last post by Ehtyar on September 14, 2008, 10:10 PM »
Hahaha, awesome post Deo, thanks :)

Ehtyar.