Malware Warning

It’s our unfortunate duty to inform our readers and users that for a period of several hours some resources on the neosmart.net domain were compromised by one or more attackers unknown. By means of a vulnerability that we were not able to track in one of the scripts on our site, attackers were able to inject malicious JavaScript into resources on our site, leading to visitors to our domain being redirected to a webpage elsewhere online that instructed them to download and install a malicious plugin.

The malware has been purged from our site and resources and there is no longer any threat to our visitors. We’re still working on getting more information, but the malware in question is labeled as JS/BlacoleRef.J and JS/Blacole.A by Microsoft Security Essentials. It’s important to note that visitors to our site could not be infected without their knowledge. The malicious JavaScript in question triggered the browser to display a “do you want to install this plugin” dialog (the exact text differs by web browser make and model), and some browsers were not susceptible to the redirect attack. Users with antivirus software should also not have been at risk, as the malware in question has been blacklisted by the various companies for several weeks now.

Verified Accounts: Twitter’s Next Attempt at Making Money?

How much would you pay for people to know you’re really you? That the updates coming in every 2 minutes on that Twitter page come from yours truly and not someone else… someone else pretending to be you?

If you’re like most people, the answer is not much. But there are people out there who really care, and with good reason. If you’re the FBI, Oprah Winfrey, or one of the million other celebrities currently on Twitter, you probably don’t want someone out there passing themselves off as you while posting fake updates to an account that literally millions are watching.

Some people to whom money is not an issue already pay thousands of dollars for meaningless SSL certificates – something tucked away in the corner of your browser window that no one pays much attention to. But imagine if Twitter were to start offering “verified accounts” that have been authenticated as belonging to a particular person or institution… how many of these celebrity accounts would suddenly turn into cash cows for Twitter?

Google Abandons Standards, Forks OpenID

A couple of hours ago, the Google Security Team posted an article claiming that Google has made the switch to OpenID, joining Yahoo! and Microsoft in the ranks of OpenID providers.

But it looks like someone may have been a bit too hasty to pull that switch (perhaps itching to get some of the limelight Microsoft has been receiving for adding OpenID to all Live ID accounts just the day before yesterday)… because whatever it is that Google has released support for, it sure as hell isn’t OpenID, as they even so kindly point out in their OpenID developer documentation (which media outlets certainly won’t be reading):

  1. The web application asks the end user to log in by offering a set of log-in options, including Google.
  2. The user selects the "Sign in with Google" option.
  3. The web application sends a "discovery" request to Google to get information on the Google authentication endpoint. This is a departure from the process outlined in OpenID 1.0. [Emphasis added]
  4. Google returns an XRDS document, which contains the endpoint address.
  5. The web application sends a login authentication request to the Google endpoint address.
  6. This action redirects the user to a Google Federated Login page.

As Google points out, this isn’t OpenID. This is something Google cooked up that resembles OpenID, masquerading as OpenID because that’s what people want to see – and that’s what Microsoft announced just the day before.

It’s not just a “departure” from OpenID, it’s a whole new standard.

Disturbing Stats About Facebook Users & Security

There’s a screenshot that’s been sitting on my desktop for a rather long time now, and it’s as scary as it is interesting.

Facebook recently conducted a poll, shown on the homepage newsfeed, that asked Facebook members how exactly they thought Facebook’s “friend finder” worked when it prompted them for their email address and password in order to get a list of contacts. The numbers pretty much speak for themselves; here’s what they looked like near the end of the campaign:

Facebook Poll

Now ignore the dark blue bar: it’s a red herring and doesn’t contain any interesting info. The real juicy bit is the “Yes” option, and its 20% response.

Possible Severe Gmail Security Vulnerability (Updated)

Gmail may have a serious security vulnerability that can result in the leaking of sensitive private information randomly to people you don’t know, haven’t contacted, and have nothing to do with.

It would seem that between the way Gmail saves and retrieves sessions, the way existing sessions are authenticated, and the way views are cached, there are one or more loopholes that allow data from a different account (one that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

  • Firefox 3 opened to Gmail on Ubuntu.
  • X session accidentally reset with Ctrl+Alt+Backspace.
  • Upon reboot and restarting Firefox, Firefox requested the URIs that were open before the crash, partially loading data from the local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).

Want UAC-Free iReboot? You got it: iReboot 1.1 released!

Back in August of 2007, NeoSmart Technologies released iReboot 1.0 – a tiny application that sits quietly and unobtrusively in the taskbar and is used to select which OS you’d like to reboot into.

iReboot isn’t by any means a major application, but it’s gathered a pretty strong following over the months, mostly among people interested in boosting productivity (or increasing laziness) to the max. But there was one flaw in iReboot that made all the hard work we put into making it as unobtrusive and minimalistic as possible almost meaningless: if you had UAC enabled, iReboot would not run automatically at startup, no matter what you did.

This behavior is a result of the architecture Microsoft used to secure Windows Vista, which doesn’t allow applications requiring admin approval to run at startup. It doesn’t matter what your application does or whether you trust it beyond a shadow of a doubt: Windows Vista simply won’t let an application that runs with elevated privileges launch at startup – end of story.

Goodbye NOD32; Hello Kaspersky!

Eset’s NOD32 has long been our favorite anti-virus program at NeoSmart Technologies. It’s light, fast, powerful, and pretty damn good at doing what it’s designed to do: keeping our systems clean and virus-free.

In recent years (mainly since last year, though), NOD32 has fallen a bit behind in the detection rankings, but for the most part it has remained a close contender and a decent choice. Virus.gr has the latest testing results (link currently not working), as summed up in this post at CyberNet News. In the latest round of tests (and the one before that, and the one before that) Kaspersky is yet again at the top, with a 99.23% detection rate for the newly-released version 7 and 99.13% for version 6.

Our biggest gripe with Kaspersky 6 was the terrible user interface (which relied on the uber-slow MMC with horrid integration) – plus, we were quite happy with NOD32’s excellent service for all these past years and admittedly a bit reluctant to see its shortcomings.
