Archive for September, 2006
Author: Myrcurial
September 29, 2006 at 3:29 pm · Filed under Apple
All of you (Gattaca included) who are running the mystical OSX should run right out and click on software update (since you know you left the schedule at once weekly on Mondays) and get your hands on 10.4.8.
Just do it - you know you wanna!
Link.
Tags: apple, osx, tiger, update, koolaid
Author: Myrcurial
September 29, 2006 at 12:58 pm · Filed under How To
So I’m bouncing through my usual list of suspects on the blog-o-scope… and I come across this interesting article on Lifehacker of all places…
If you’re a command line geek who’s never used netcat but often works across networked machines, this quick netcat primer’s for you.
And for all of you who are new - have a look, you just might find nerd-vana. (Or at least a little teen spirit.)
Link
Tags: lifehacker, netcat, nc, howto
Author: Myrcurial
September 29, 2006 at 9:00 am · Filed under News
As you can tell pholks, it’s too bloody morning to be drinking and y’all are in a news-needing state.
Here’s some of the “what’s happening now” in the infosec world.
- Dress like the Infosec Superheroes you all are. (via Make)
- Security Insurance from CA.
- Microsoft updates security on its Point of Sale embedded Windows (did you know that MS made cash registers? I didn’t.)
- Old-and-busted computer manufacturer buys New-and-hotness computer manufacturer - Part 2, the revenge of Canada!
- Wil Wheaton discusses the current US government situation. (Considering how suspicious most infosec types are to most “authority” types, I’m not going to the US any time soon.)
More soon!
Tags: Batman, Make Magazine, Computer Associates, CA, Microsoft, Security Updates, Canada, HP, VooDoo, Wil Wheaton, Bush, Torture, Wesley Crusher
Author: Dave Lewis
September 28, 2006 at 9:19 am · Filed under Web Security
Sadly, we still see internet banking sites with rookie mistakes in configuration and/or coding. Many are susceptible to XSS and frame spoofing attacks. According to a study published by German site Heise Security:
Two major banks (NatWest and UBS) improved the security of their sites since flaws were detailed by Heise last Friday, but other customer-facing e-banking websites remain vulnerable to frame-spoofing and other types of security attack.
Last Friday, Heise published a number of demos to show how phishing fraudsters might be able to overlay the websites of NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct, and Link with rogue frames, potentially served from websites controlled by fraudsters. The same type of attack is also possible against the website of the Dedicated Cheque and Plastic Crime Unit, a bank-sponsored police unit.
Having worked for an internet banking site years ago, I’m aware of the pressures that bank staff are under to keep the site “live”, but I’m also very aware of the importance of ensuring the safety and security of the customer data (understatement of the year award).
Since documenting its tests, NatWest has made security improvements that mean its site is no longer easily susceptible to exploitation. The Bank of England has changed its application to filter user input, so the attack demo by Heise now fails to work. UBS has also made security improvements, but portions of its site are still vulnerable to attack, according to Heise.
Mental note…don’t open an account with…
Article Link
Tags: Online Banking, Website Vulnerabilities, Online Fraud, Frame Spoof, Heise
Author: Dave Lewis
September 28, 2006 at 5:28 am · Filed under Vulnerability
Just in from the folks at Secunia:
Description:
H D Moore has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an integer overflow error in the “setSlice()” method in the “WebViewFolderIcon” ActiveX control. This can be exploited to corrupt memory when e.g. visiting a malicious web site.
Successful exploitation allows execution of arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution:
Only allow trusted websites to run ActiveX controls.
Provided and/or discovered by:
H D Moore
Original Advisory:
H D Moore:
http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html
Article Link
Tags: Integer Overflow, Vulnerability, IE Exploit
Author: Dave Lewis
September 27, 2006 at 2:22 pm · Filed under Exploit
Hmmm, another one.
Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft PowerPoint 2000, Microsoft PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft PowerPoint 2004 for Mac, and Microsoft PowerPoint 2004 v. X for Mac.
In order for this attack to be carried out, a user must first open a malicious PowerPoint file attached to an e-mail or otherwise provided to them by an attacker.
As always, take care when opening files if the source is in question. Even still, be sure that your antivirus software is up to date. Of course this is never a guarantee, but more to the point, it is slightly better than a size 12 lodged in your backside.
Article Link
Tags: PowerPoint, Remote Exploit, Exploit, Zero Day, 0 day
Author: Dave Lewis
September 27, 2006 at 1:57 pm · Filed under Exploit
Recently a hacking tool for DRM was released that bypassed Microsoft controls for movies and music. This tool, FairUse4WM, exploits a hole in DRM that bypasses controls. The folks at Engadget even went so far as to post an open letter to Microsoft in which they chime in with support for the application.
The Redmond juggernaut has taken a legal approach to this problem. They have filed suit against the unnamed hacker that created the tool.
That wasn’t by itself enough to deal with Viodentia, Microsoft decided, so (as is the local custom) Redmond decided to go legal. But instead of following the obvious strategy and accusing Viodentia of circumventing its copy protection, Microsoft is claiming the developer must have access to its proprietary source code, specifically code related to its Windows Media software development kit, to have designed such an ingenious hack. Redmond has also sent out legal nasty-grams to sites hosting FairUse4WM code.
It seems a little bit amusing that rather than accept the fact that this person may have found a hole, they have adopted a position that he/she must have the source code. Couldn’t possibly have happened any other way. heh.
Article Link
Tags: Microsoft, Windows Media, DRM, FairUse4WM
Author: Dave Lewis
September 26, 2006 at 2:36 pm · Filed under Data Security, Privacy
In light of the growing interest in RFID tags by government and industry alike, we find the dark side. There was a presentation at HOPE in NYC this summer where there was a demonstration of RFID hacking. With all of the scenarios that have been dreamt up so far, we find that lawmakers are starting to take notice. Most notable is the legislature in California.
The Identity Information Protection Act of 2006 was passed by state legislators last month and only needs the approval of California Gobernator Arnold Schwarzenegger to become law. The measures are designed to safeguard against either criminal or government abuse of RFID tags by mandating the use of privacy-protecting technologies, such as encryption. The bill, authored by State Senator Joe Simitian (Democrat), would also give Californians the right to decide who can access their personal information stored on RFID cards in documents such as driver’s licences, library cards and the like.
Privacy pundits are hoping that this law will take root and spread to other states (and in my case provinces). But, with Bush in the White House I’m not overly hopeful.
Article Link
Tags: California, RFID, Identity Information Protection Act, Privacy, ID Theft