
WhiteHouse.gov insecure

As if it didn’t have enough security problems with the rampant 3rd party JavaScript, it’s now known that the Drupal “Context Module” employed by the site is vulnerable to XSS that can allow remote privilege escalation, effectively pwning the site.

It’s strange that an administration as concerned with infosec as the Obama presidency would allow such a glaring security hole in its public face. My theory: it’s a honeypot for the next David Kennel.

Accept Twitter

To all those people out there that think Twitter is the stupidest thing on the web since Geocities, turns out you were right. Yesterday a Turkish Twitter user discovered that by tweeting “accept <username>” you could force any Twitterer to follow you. Being the responsible tweeter he was, he decided to report the glitch to Gizmodo rather than Twitter, and like most things dealing with Gizmodo lately a @#!%storm ensued. Twitter pulled features and scrambled to fix the glitch while everybody and their grandmother hacked the site.

PhpNuke Pwned

Yep, the PhpNuke framework’s homepage, much like that of the Treasury Dept., is serving up malware. Websense reports that the Phpnuke.org homepage is serving up nasty iframes containing two IE exploits, one Adobe Reader exploit and a piece of nasty Java shellcode.

US treasury serving up Malware

The fallout continues from the massive Network Solutions hack of last week. On Monday security researchers discovered that several US Treasury sites that were among the infected were hosting JavaScript malware that installs popups. The popups were found on bep.gov, moneyfactory.gov and bep.treas.gov. All three of the affected sites contained popups that redirected to grepad.com. This breach further highlights the insufficient job that the US govt is doing to protect its sites, and how we all need to be wary of any site online.

Read more here

Twitter suspends torrenters

Twitter has suspended the accounts of two torrent sites and removed all of their followers. YourBitTorrent and Torrentsurf both had their accounts suspended last week with no explanation as to why their accounts had been shut off. Both sites updated their accounts daily with links to new torrents.

People in copyleft circles might be quick to point the finger at Twitter, claiming that they’re in cahoots with the NSA and RIAA. In the past Twitter has suspended the accounts of other torrenting sites this year, but attributed it to the site inserting a phishing utility into its torrent software that would then hack other Twitter users’ accounts. It should also be noted that earlier this year Twitter announced that it would be incorporating BitTorrent technology into its backend to optimise its server loads. Also, larger BitTorrent sites using Twitter such as EZTV, IsoHunt and TorrentFreak still have active Twitter accounts.

What this all may boil down to is that the smaller sites got banhammered from Twitter because they were posting too frequently. Twitter has guidelines in its TOS that expressly forbid spamming from one’s account, and it is quite possible that is what happened in this case. At any rate, stay tuned.

youth are most vuln to phishing

A recent study at Carnegie Mellon University has found that 18-25 year olds were consistently more vulnerable to spear phishing attacks than older participants. The study of 515 students and faculty of Carnegie Mellon was carried out by Dr. Lorrie Cranor and Dr. Jason Hong of Wombat Security.

All participants were sent a series of three legitimate and seven simulated malicious emails over a one month period. The results showed that the 18-25 year old range consistently fell for the fake emails, whereas the older subjects fared slightly better. It is however worth noting that Carnegie Mellon is definitely considered one of the top tier Computer Science schools in the world, so one could safely assume that very few who participated in the study were novices at using the internet.

Additionally, the overall success rate of avoiding the emails was a dismal 46.6%. Hardly a good statistic for any security study, let alone one where some of the older people in the study played critical roles in developing the internet. Wombat will use the data gathered to further develop their PhishGuru corporate security training, designed to train employees to avoid threats like the ones demonstrated in this study.

McAfee pays for broken XP systems

Those of you who follow the news may remember McAfee’s awesome “DAT update that borks XP” fiasco. Well, McAfee has finally thrown in the towel.

In a blog post today, McAfee assured its home and home office customers that it would:

reimburse reasonable expenses such as a visit to a local support specialist

(or purchasing a new copy of Symantec).

I seriously hope that’s not Norton’s only strategy with this. For years they have not tested their product, not heeded people’s advice to stop using an archaic signature based monitoring system, and have not followed through in the most basic of ways. It’s about time that the AV community stopped bilking their users and started providing a product that actually does its job.

Ubuntu Lucid Lynx is out!

Much to the joy of Beardy McUnix operators everywhere, Canonical has just released Ubuntu 10.04. The new version features a complete Gnome reskinning, the latest version of the Linux kernel, Nvidia card support out of the box and enhanced boot speed.

Most important though is that this is Ubuntu’s latest LTS (Long Term Support) release, so you’d better get to know it well if you plan on working with Ubuntu in the future.

Get it here.

Stop Google’s datamining

It seems like there is no shortage of awesomeness originating from Source Boston this year. Moxie Marlinspike has released a new Firefox add-on called GoogleSharing that blocks Google’s datamining while browsing the web.

The add-on works by pooling a bunch of different Google accounts and amalgamating their search data. It also submits bogus queries to Google on behalf of the user so as to further muddle Google’s profile data.

The plugin is free and open source, and available here: www.googlesharing.net

Koobface is back!

The pervasive botnet that sends out infected Facebook messages and then steals FTP passwords has resurfaced in mainland China after its command and control servers in Hong Kong were shut down by authorities.

The creators of this botnet have moved very fast. Just prior to last week’s shutdown, researchers noticed a massive spike in development on the old server. They now suspect that this might have been done to test the new command and control server they have since set up in China.

The shutdown also raises new questions as to the effectiveness of simply shutting down servers as a law enforcement tactic. Court injunctions like those taken against the Zeus and Waledac botnets have only seen limited success, as they slow down but don’t stop most botnets. Additionally, raids on ISPs let the hackers controlling these botnets know that they are being watched by authorities, and decrease the likelihood that one of them will make a serious mistake that authorities can use to track them down.

I think the ultimate lesson that may be learned here is that it is better for law enforcement to move in the shadows until they can lock down the individuals.

Learn more about Koobface here.
