TweakTown News
The well-known gadget site Gizmodo was offline for much of the weekend and part of Monday. The downtime was not related to anything exotic like a dead server or a power issue; no, it was a rather plain DDoS attack.
The attack did not hit Gizmodo itself but a site that was once owned by Gizmodo's parent company, Gawker. This site, called Consumerist, was still loading from the Gawker servers.
By targeting this site the attackers were able to bring all of the Gawker sites down, including Gizmodo. There is no word on who the attackers are/were. Gizmodo is back online and, as they say, "at full power".
Ok, this is a good one; it also shows that Apple is really desperate to control the iPhone. According to a report over at Wired, Apple is trying to get the DMCA to believe that jailbreaking can lead to terrorist attacks on the national cell tower network.
The logic goes something like this:
An Evil Doer jailbreaks the iPhone, uses Ultrasn0w to alter the phone's baseband, then uses the alterations to force a DDoS attack on a cell tower, crashing the service.
Chaos ensues, dogs start dating cats, and the world collapses.
In short, a whole lot of FUD by Apple to try and turn jailbreaking into a criminal offense. This argument completely ignores open source phone OSes like Android, unlocked phones sold by companies and even Apple's own unlocking process.
It is also funny that Apple says that they have "technological protection measures" built into the iPhone. I guess this is like the shoddy encryption they are trying to push on users.
I hate to break this to Apple, but a hacker or terrorist is not going to worry about the legality of jailbreaking before attempting to crash the national cell service.
So I guess everyone that owns an iPhone is a potential national security threat just waiting to happen... but that is not the worst; apparently jailbreaking is good for drug dealers too.
Where is my tin foil hat?
Ok, this one is important news and something to concern all of us. Network Solutions put out a warning today to some 4,000 merchants that some (if not all) of the transactions made through NS' servers may have been sent out to a malicious third-party server.
In effect something like 600,000 people's credit card information has been compromised.
The breach took place between March 12th and June 8th, yet it is only now being brought to light and the merchants and public warned about it.
Around June 8th the malicious code was found that was redirecting transactions while they were in progress; this completely bypassed the encrypted storage set up to maintain customer data. Because the data was sent before it hit the storage, everything about the transaction was compromised: credit card number, name, billing address, anything entered at the time of sale.
Network Solutions has stated that they have informed the authorities and are paying TransUnion to contact and monitor affected customers' credit for one year. As of the time of writing there is no evidence that the information has been used.
Something scary has popped up in the malware world today. There is a new exploit in Adobe's Flash that not only has been found, but has already been used as a vector for attack.
The attack was found by Symantec and is very concerning in that it was not targeted directly through the browser (as is usual); instead it used Acrobat Reader to access Flash.
The malicious file was a toxic PDF that accessed Flash to execute its binaries.
The reason this Flash exploit is so serious is Flash's pervasive system integration. Flash covers all manner of browsers, Acrobat, Photoshop, operating systems, etc. This means that by using a single attack vector a malware developer can attack multiple platforms.
Adobe has been notified of the exploit but in the meantime people are advised to ensure their malware prevention applications are up to date, including OSX and Linux users.
Microsoft has released information on another ActiveX hole. This time it is in the web components found in their Office products.
This makes the third zero-day exploit in the past two months. The exploit works by getting people to browse to malicious websites that have the payload either embedded in the HTML code or by convincing the user to download the virus.
Microsoft has a workaround for the exploit available and is working very hard to get a patch out to fix this issue. In the meantime several sites (mostly in China) have popped up with the malicious code.
The exploit allows for system wide control if the proper code is inserted.
Find the workaround here.
Expect another round of patches from Microsoft this coming Tuesday.
Microsoft has released the details of these patches, most of which fall into the remote code execution or elevated privileges category.
Two of the six patches will be for DirectX. It was a couple of months ago that Microsoft finally admitted they had been tracking attacks targeting DX. The loophole the attacks were using allowed for complete, system-wide control through the use of a malformed QuickTime video.
This predates the announcement that the Video ActiveX control for IE could be exploited through the use of DirectShow filters. This announcement was made just this week and shows again the way malicious coders use our own habits against us.
It seems that as we consume more and more online video content, the malware creators are moving towards that medium. After all, it was not that long ago that .zip files were the big thing for inserting malware, as .jpg files were before that and Office files before that.
While these flaws probably should have been detected and corrected before this, it is still interesting to see how the patterns for malware change and evolve with our online usage. Just look at the increase in Twitter spam and malware inserted in tiny URL links, the increase in Skype spam, and the number of attacks and exploits in AIM and Live Messenger.
Opera Unite has come under fire from some leading security experts. In the upcoming Opera 10, the Unite feature actually puts a web server inside the browser. According to Opera's CEO this will make it easier for people to host their own websites and to share files over the internet.
It is interesting that this is now being touted as a great thing; the ability to host a website from a PC was something that Microsoft was criticized about with Windows. The www publishing and hosting service was viewed (and turned out to be) a large security hole.
Now when Opera does it, it is a great tool that will help millions. While Opera's footprint may be small and will help it stay off the radar of many malicious coders, it is really only a matter of time before someone sees this as a challenge and dives in.
Opera Unite is not yet in final form, but there is a publicly available alpha version that you can play with.
Microsoft is warning of a new security risk with ActiveX controls. According to MSA 972890 the problem lies with the way that the Microsoft Video ActiveX control handles video.
If a user is logged in with Admin rights someone injecting this code could potentially take over the entire system. Microsoft also comments that they have identified cases of this exploit being used in the wild.
This makes the issue even more real and has prompted MS to advise people to disable the control. The MS Video ActiveX Control is one that is used by Media Center to build filters for TV video recording and playback. It is responsible for connecting the MS DirectShow filters for capture, record and playback of video.
Read the Advisory here.
Get the workaround here.
Although this is more Apple news it seems that there is a flaw (everyone stop to gasp) in the new iPhone OS 3.0 Software. This flaw revolves around how the iPhone handles SMS messaging.
According to very limited details, it seems that the undisclosed flaw could allow malicious code to be inserted, giving an evildoer root access to the thermally challenged device.
Charlie Miller, the person who discovered the flaw, went on to say that despite the SMS flaw the iPhone OS is still very secure. He praised Apple's decision to remove Flash and Java (despite advertising a full and "real" internet experience), stating that they are potential vectors for attack.
Others disagree with Mr. Miller, as there are always ways to protect from flaws in add-ons, and say that Apple's removal of these features, requiring signed code and restricting applications, is just a way to control the phone and of course generate more revenue.
With the release of the SDK for iPhone OS 3.1 and the beta version of the OS, we know that Apple will be releasing it sometime very soon (rumors put it out on July 17th). Although many other fixes and features were mentioned with the new OS, this was one that got past the official release.
This is an issue in the world of security. It seems that many companies do not want people to know about gaps in their security or planning.
For the second year running, a talk at Defcon/Black Hat covering a security hole in an automated service has been canceled. Last year it was after the Boston Transit Authority filed an injunction on three MIT students for exposing a flaw in their smart card payment system. This year it is a talk exposing a flaw in something that everyone uses, the Automated Teller.
It seems that there is a serious flaw in the software used in some ATMs that can allow a malicious person to access the internal network and to steal PIN and account numbers. Barnaby Jack was going to discuss this at length and was also going to demonstrate both remote and local attacks on an unmodified ATM.
As you can imagine, the vendor that manufactures the ATM line was upset and asked that the talk be pulled. Their reasoning is that they want to have sufficient time to address the issue before the flaw is exposed to the public.
While their stated goal of addressing the issue is great, it still makes me wonder how a hole got there in the first place and if these companies actually test their systems to make sure they are protected against intrusion.