Malware Warning

It’s our unfortunate duty to inform our readers and users that for a period of several hours some resources on the neosmart.net domain were compromised by one or more unknown attackers. By means of a vulnerability in one of the scripts on our site, which we were not able to track down, the attackers were able to inject malicious JavaScript into resources on our site, redirecting visitors to our domain to a webpage elsewhere online that instructed them to download and install a malicious plugin.

The malware has been purged from our site and resources and there is no longer any threat to our visitors. We’re still working on getting more information, but the malware in question is labeled as JS/BlacoleRef.J and JS/Blacole.A by Microsoft Security Essentials. It’s important to note that visitors to our site could not be infected without their knowledge. The malicious JavaScript in question triggered the browser to display a “do you want to install this plugin” dialog (the exact text differs by web browser make and version), and some browsers were not susceptible to the redirect attack. Users with antivirus software should also not have been at risk, as the malware in question has been blacklisted by the various antivirus vendors for several weeks now.


4Chan Strikes Again, Hiding Porn in Kids Clips on YouTube

Please note that this sort of post is exactly what the losers at 4Chan get a kick out of and look forward to seeing; it’s clear that they get a perverse sort of pleasure out of hearing these complaints, but it isn’t possible for anyone with a shred of dignity to let events like this go without speaking.

4Chan, a group of immature script-kiddies that anonymously post online and organize “attacks” against various groups, organizations, and websites, are at it again. This time, it’s not the Church of Scientology they’re attacking, but innocent children. As the BBC reports, members of 4Chan have been uploading videos containing explicit sexual content in droves to YouTube today, specifically targeting children.

The videos uploaded by members of 4Chan consisted of children’s clips that start off innocently enough, showing cartoons and other rated-G material usually targeted at children around 5 years old, but soon enough change to videos of adults engaged in sexual activity. 4Chan has the uncanny ability to strike a nerve, driving even the most liberal of internet users to condemn their behavior as pure evil. The problem is, the anonymous 4Chan members are perversely motivated by this sort of response, and cannot be shamed into bringing an end to their disgusting activities.


Verified Accounts: Twitter’s Next Attempt at Making Money?

How much would you pay for people to know you’re really you? That the updates coming in every 2 minutes on that Twitter page come from yours truly and not someone else… someone else pretending to be you?

If you’re like most people, the answer is not much. But there are people out there that really care, and with good reason. If you’re the FBI, Oprah Winfrey, or one of the million other celebrities currently on Twitter, you probably don’t want someone out there passing themselves off as you while posting fake updates to an account that literally millions are watching.

Some people to whom money is not an issue already pay thousands of dollars for meaningless SSL certificates – something tucked away in the corner of your browser window that no one pays much attention to. But imagine if Twitter were to start offering “verified accounts” that have been authenticated as belonging to a particular person or institution… how many of these celebrity accounts would suddenly turn into cash cows for Twitter?


Google Abandons Standards, Forks OpenID

A couple of hours ago, the Google Security Team posted an article claiming that Google’s made the switch to OpenID, joining Yahoo! and Microsoft in the ranks of OpenID providers.

But it looks like someone may have been a bit too hasty to pull that switch (perhaps itching to get some of the limelight Microsoft has been receiving for adding OpenID to all Live ID accounts just the day before yesterday)… because whatever it is that Google has released support for, it sure as hell isn’t OpenID, as they even so kindly point out in their OpenID developer documentation (which media outlets certainly won’t be reading):

  1. The web application asks the end user to log in by offering a set of log-in options, including Google.
  2. The user selects the "Sign in with Google" option.
  3. The web application sends a "discovery" request to Google to get information on the Google authentication endpoint. This is a departure from the process outlined in OpenID 1.0. [Emphasis added]
  4. Google returns an XRDS document, which contains the endpoint address.
  5. The web application sends a login authentication request to the Google endpoint address.
  6. This action redirects the user to a Google Federated Login page.

As Google points out, this isn’t OpenID. This is something that Google cooked up that resembles OpenID masquerading as OpenID since that’s what people want to see – and that’s what Microsoft announced just the day before.

It’s not just a “departure” from OpenID, it’s a whole new standard.
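The discovery step in Google’s flow above hands the web application an XRDS document from which it must extract the authentication endpoint. The following is an added example (not Google’s or the original post’s code) of how a relying party can parse such a document, select the highest-priority OpenID 2.0 provider endpoint, and refuse one that is not served over HTTPS; the XRDS sample and its endpoint URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by XRDS/XRD documents in OpenID 2.0 discovery.
XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"

# Constructed sample XRDS document; the endpoint URLs are placeholders,
# not any real provider's. Lower "priority" numbers are preferred.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.test/fallback-endpoint</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.test/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover_endpoint(xrds_text: str) -> str:
    """Return the OP endpoint a relying party should redirect to, or raise ValueError."""
    root = ET.fromstring(xrds_text)
    if root.tag != f"{{{XRDS_NS}}}XRDS":
        raise ValueError("not an XRDS document")
    candidates = []
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OP_IDENTIFIER_TYPE not in types:
            continue  # ignore services that are not an OpenID 2.0 OP endpoint
        uri = service.findtext(f"{{{XRD_NS}}}URI")
        if not uri:
            continue
        # A missing priority attribute sorts after every explicit one.
        candidates.append((int(service.get("priority", "2147483647")), uri.strip()))
    if not candidates:
        raise ValueError("no OP identifier service in XRDS document")
    candidates.sort(key=lambda c: c[0])
    chosen = candidates[0][1]
    parsed = urlparse(chosen)
    # The user is about to be redirected here with credentials in play: insist on HTTPS.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-HTTPS endpoint: {chosen}")
    return chosen
```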


Disturbing Stats About Facebook Users & Security

There’s a screenshot that’s been sitting on my desktop for a rather long time now, and it’s as scary as it is interesting.

Facebook recently conducted a poll which showed up on the homepage newsfeed and asked Facebook members how exactly they thought Facebook’s “friend finder” worked when it prompted them for their email address & password in order to get a list of contacts. The numbers pretty much speak for themselves; here’s what they looked like near the end of the campaign:

Facebook Poll

Now ignore the dark blue bar: it’s a red herring and doesn’t contain any interesting info. The real juicy bit is the “Yes” option, and its 20% response.


Possible Severe Gmail Security Vulnerability (Updated)

Gmail may have a serious security vulnerability that can result in the leaking of sensitive private information randomly to people you don’t know, haven’t contacted, and have nothing to do with.

It would seem that, between the way Gmail saves and retrieves sessions, the way existing sessions are authenticated, and the way views are cached, there are one or more loopholes that allow data from a different account (one that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

  • Firefox 3 opened to Gmail on Ubuntu.
  • Session accidentally reset with Ctrl+Alt+Backspace.
  • Upon rebooting and restarting Firefox, Firefox requested the URIs that were open before the crash, partially loading data from the local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).


Firefox 3 is Still a Memory Hog

One of the biggest “improvements” that Mozilla claims has made its way into Firefox 3 is improved memory usage, in particular the vanquishing of memory leaks:

Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 over a web browsing session. Memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned.

We’re sorry to have to break it to you, but if you thought it was too good to be true you were right. Firefox still uses a lot of memory – way too much memory for a web browser.


Mapping Computer Techniques to the Real World

As a recent Times article describes, shopping plazas are now using cell-phone tracking technology to map shoppers’ activities and movement patterns. The "Path Intelligence" hardware used to track the movements works like this:

  • A cell-phone-wielding shopper enters the shopping plaza.
  • Path Intelligence monitors mounted throughout the plaza detect that a new mobile phone is in the vicinity and log its IMEI code.
  • As the shopper moves around the mall, his or her movements are continuously triangulated by the multiple Path Intelligence units, allowing movements to be mapped and saved for later analysis.

The good news: it’s totally private; there isn’t any (automated) way to map a particular record in the Path Intelligence logs to an actual person. The resulting logs can be analyzed later on for shopping patterns (where people go after visiting a certain store, peak hours of traffic, most popular regions, etc.), providing valuable intelligence and allowing for improvements.


Want UAC-Free iReboot? You got it: iReboot 1.1 released!

Back in August of 2007, NeoSmart Technologies released iReboot 1.0 – a tiny application that sits quietly and unobtrusively in the taskbar and is used to select which OS you’d like to reboot into.

iReboot isn’t by any means a major application, but it’s gathered a pretty strong following over the months, mostly among people interested in boosting productivity (or increasing laziness) to the max. But there was one flaw in iReboot that made all the hard work we put into making it as unobtrusive and minimalistic as possible almost meaningless: if you had UAC enabled, iReboot would not run automatically at startup, no matter what you did.

This behavior comes as a result of the architecture that Microsoft used to secure Windows Vista, which doesn’t allow applications requiring admin approval to run at startup. It doesn’t matter what your application does or whether you trust it beyond a shadow of a doubt: Windows Vista simply won’t let an application that runs with elevated privileges launch at startup – end of story.
