Bug

Major Snow Leopard Bug Said To Delete User Data 353

inglishmayjer was one of several readers to send in the news of a major bug in Apple's new OS, 10.6 Snow Leopard, that can wipe out all user data for the administrator account. It is said to be triggered — not every time — by logging in to the Guest account and then back in to the admin account. Some users are reporting that all settings have been reset and most data is gone. The article links to a number of Apple forum threads up to a month old bemoaning the problem. MacFixIt suggests disabling login on the Guest account and, if you need that functionality, creating a non-administrative account named something like Visitor. (The Guest account is special in that its settings are wiped clean after logout.) CNet reports that Apple has acknowledged the bug and is working on a fix.
Robotics

Where's Waldo (the Submarine)? 107

stoolpigeon writes "Scientists on Florida's Gulf Coast are trying to find an underwater robot that has mysteriously vanished. The robot from the Mote Marine Laboratory in Sarasota has been missing since Monday. The robot, which cost about $100,000, was equipped with a detector to find red tide, a toxic algae bloom. The detector was valued at another $30,000. Scientists aren't sure what happened to the robot, which is nicknamed Waldo."
Mozilla

Submission + - Official Mozilla site distributes malicious addon (mozilla.org) 1

An anonymous reader writes: A Facebook ad for an amusement program that produces a caricature of your real face is actually a disruptive browser hijacker. Facebook malware is nothing surprising, but what makes this one unusual is that the malware is actually available in the form of a Firefox addon. Furthermore, it's even listed on Mozilla's official addons site at addons.mozilla.org.

In addition to disrupting normal browser function, this addon is designed to be difficult to remove, and leaves behind a configuration mess that must be manually cleaned up. It's effectively a malware addon.

I find it very disturbing that this hostile and disruptive addon is listed through Mozilla's official addon site, as this gives it an appearance of legitimacy that could easily lead many users to think it is safe to install.

Games

Submission + - Blizzard's Warcraft servers compromised by hackers (wow-europe.com) 1

Phil Duffy writes: "Blizzard's Warcraft servers compromised by hackers

Blizzard's World of Warcraft servers have been compromised by hackers and are allowing users' accounts to be logged into and modified without the owner's authorization. This is a repeat of the issue that Blizzard's Diablo II servers experienced in December 2000. Accounts are logged into, characters are stripped of their items, used to farm gold, and are even deleted. Through the experience related below as well as others posted on the official World of Warcraft forum (forums.wow-europe.com), it is obvious that this is a security issue originating with Blizzard and not with the end user.

When contacting Blizzard's account support for assistance on resolving the issue, players are constantly pressured to buy a Blizzard authenticator for their account. However, various players' experiences have proven that this authenticator can be removed by social engineering. Game Masters (in-game assistance) are slow to respond and can do little to resolve the issue and prevent the account from being logged into once hacked, regardless of account name change, password resets, booting the hacker from the server, etc. Account support has been able to track the IP of a hacker and yet still been unable to prevent reconnection.

These hacking incidents seem to initiate when the player's account is merged into a Battle.net account without their permission. The Battle.net account setup and merge process is inherently insecure and allows account modification without the confirmation of the account owner via the original email address. A standard security feature for most sites is that any account modification must be confirmed through the registered email. Even YouTube is superior to Battle.net in this respect. If you try to log into YouTube and have forgotten your password, you may initiate a password change request which is then sent to the registered email address. Once the email is received, a link may be selected within it to return the user to the YouTube password reset screen. However, if you forget your Battle.net account, or feel like hacking into one, you may initiate a password change request on the Battle.net site and are immediately prompted to answer your security question. Once the correct answer is entered, a new password may be chosen. The only verification required is the answer to the security question. And let's be honest, it's not too difficult to figure out a mother's maiden name. Also, submitting the answer may be attempted any number of times. The only notification the owner receives in their email is a message stating that the password was changed and that they may contact account support if they did not initiate this change. Given this standard procedure Blizzard has chosen, their only responsible course of action is to provide 24-hour account support. However, Blizzard Europe does not provide evening or weekend support. For a company that receives over $190 million per month in subscriptions, their account support center is either severely understaffed or simply does not choose to provide adequate account support and security.

Even for accounts that are originally hacked through an end user's compromised computer, such as through a keylogger, the user is unable to resecure their account once they have regained access to it and resolved their computer's security problem. This is because even once they have regained access to their account, unmerged it from the unauthorized Battle.net account, removed any added Blizzard authenticator, and changed their email and/or password for it, they are unable to change their security question and answer. Once you obtain the security answer for an account, you may always reset the password for it. This feature is another indication that this current security breach is on Blizzard's end. As seen from the experience related below, the account password was never changed by the hacker. If the hacker was using a keylogger and/or had access to the user's personal system, they could have easily locked the user out of their account.

Below is a post from the official World of Warcraft — Europe forum. It is referenced with the writer's permission. It was submitted to the wow-europe.com forum on September 4, 2009. At the time that this story is submitted to the media, there has been no forum response from Blizzard to the request for assistance, although multiple players have responded that they have experienced a similar situation. The original post and responses are located at http://forums.wow-europe.com/thread.html?topicId=10711183739&sid=1.

______________________

Battle.net / Login servers Compromised

Early this week, I posted regarding this issue, and my post was deleted. I'm now posting again hoping that Blizzard might actually deal with a problem that is very real.

Two of my accounts were hacked on Sunday, Aug. 30th. The hacker bound my account to a battle.net account. I scanned my PC with AVG, Spybot and Avast, which all came back clean. I called Blizzard on Monday to have my account unbound.

So, Blizzard unbinds my account, resets my password, and when I try to log in with the new password, the hacker is still on my account. I log into my 2nd account, contact a GM, the GM kicks the hacker offline, and then I log in as well as change all my passwords. Within 1 hour the hacker is back on my account. Then I bind my account to my own battle.net account, change the passwords etc, and within minutes the hacker is back on the account. At this point I call my wife who is at her office. I give her the passwords to my battle.net and email and ask her to change them from her work. She works in IT support; her system is on a secured network and has never had Warcraft run on it. Within 2 minutes the hacker is back on my account. Throughout this time I've been logged into my 2nd account watching him, and at this point I've given up.

I wait till the next day as Blizzard phone support is closed for the evening. Tuesday I call Blizzard again. I get the same person on the phone as on Monday. This person was no use at all. When I ask her why this is happening, she can't give me an answer other than "buy an authenticator". Then she says she only works in Billing. I ask to speak to someone in technical support; she refuses to do that, but she asks for my contact number and says she will have technical support call me. So I give her my number and wait for technical support. What a surprise... no phone call.

So I call them again. This is now Wednesday, and I get someone who seems to actually know something. He checks IP logs. At first he can't see anything, but just then the hacker logs onto my account. I tell him "He is on right now", so he contacts a GM. I tell him everything that's happened. He finds it hard to believe, so he sets up a new battle.net account for me on his PC. I make a new email address, the GM kicks the hacker and all seems well. He also suggests that the only thing to do is to format the PC and get an authenticator if this happens again. Well, within an hour the hacker is back on again.

At this point I am really tired. I log onto Blizzard's store, and I try to buy 2 authenticators. They are sold out, so I drive to Best Buy and I buy one new 500g SATA drive and one brand new laptop. I disconnect my desktop, I unplug both of my old SATA drives, I put in the new drive and I format it and install Windows XP. On my new laptop, I make a new email address, and I change my passwords and email address for my battle.net account. I download WoW while Windows is installing on my desktop. 3 hours later it's downloaded and installed. I log on, and the hacker is on my account. He gets disconnected several times because I'm also connecting. He seems to give up and logs off. Thursday goes by and there's no sign of the hacker on either account. I check Blizzard's website, and they have authenticators back in stock. I order two. Today comes, I wake up, I log on and guess what? Hacker's back on my account farming again. I try to call Blizzard, this time very angry, and phones are closed early since it's Friday. And, of course, down all weekend.

Now, I have worked in IT support for Morgan Stanley. I have a CCNA. My wife works in IT support for a major pharmaceutical company. We are hardly IT illiterate. I have never in all my years and experience seen anything like this. What this tells me is that Blizzard's database on their login server or another area has been compromised. I would like some kind of response if anyone, particularly Blizzard, can give a straight and honest answer about this issue."
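
The reset weaknesses the submission above describes (a security answer alone sets a new password, with unlimited guesses) set against the e-mail-confirmed flow it cites, as an added Python example that is not part of the submission or of any Blizzard code. The class, thresholds, account names and addresses are assumptions constructed for illustration.

```python
import hashlib, hmac, os, secrets, time

MAX_FAILURES = 5   # assumed lockout threshold for wrong security answers
TOKEN_TTL = 900    # assumed lifetime of a mailed reset token, in seconds

def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

class ResetService:
    """Hypothetical reset flow: the security answer alone never sets a password."""
    def __init__(self):
        self.accounts = {}
        self.outbox = []   # (address, token) pairs standing in for mail delivery

    def register(self, name, email, answer):
        self.accounts[name] = {"email": email, "answer": _digest(answer.lower()),
                               "failures": 0, "token": None, "expires": 0.0,
                               "pw": None}

    def request_reset(self, name, answer, now=None):
        """Step 1: a correct answer only sends a token to the registered e-mail."""
        now = time.time() if now is None else now
        acct = self.accounts.get(name)
        if acct is None or acct["failures"] >= MAX_FAILURES:
            return "refused"            # unknown or locked: same reply for both
        if not hmac.compare_digest(acct["answer"], _digest(answer.lower())):
            acct["failures"] += 1       # guesses are counted, not unlimited
            return "rejected"
        token = secrets.token_urlsafe(32)
        acct["token"], acct["expires"] = _digest(token), now + TOKEN_TTL
        self.outbox.append((acct["email"], token))
        return "mail_sent"

    def complete_reset(self, name, token, new_password, now=None):
        """Step 2: only the holder of the mailed, unexpired token may proceed."""
        now = time.time() if now is None else now
        acct = self.accounts.get(name)
        if acct is None or acct["token"] is None or now > acct["expires"]:
            return False
        if not hmac.compare_digest(acct["token"], _digest(token)):
            return False
        salt = os.urandom(16)
        acct["pw"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(),
                                                salt, 100_000))
        acct["token"], acct["failures"] = None, 0   # token is single use
        return True
```

A fixed failure counter also locks out the legitimate owner once it is reached, so a deployment would expire the lockout or route the account to support rather than leave it refused indefinitely.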
