News

Submission + - NEW Defcon Social Engineering CTF competition (darkreading.com)

An anonymous reader writes: In a twist to the popular "capture the flag" game played by hacking teams every year at Defcon, the hacker conference is hosting a contest that aims to test participants' social engineering skills — without anyone getting hurt.
Privacy

Submission + - Quit Facebook Day (quitfacebookday.com) 1

robbievienna writes: The movement to quit Facebook due to privacy concerns has just taken a new turn. Over 2^15 facebookers think so, and have pledged to cancel their accounts. Quitting Facebook isn't easy. Facebook is engaging, enjoyable and quite frankly, addictive. Quitting something like Facebook is like quitting smoking. It's hard to stay on the wagon long enough to actually change your habits. Having peer support helps, but the way to quit Facebook is not to start a group on Facebook about leaving Facebook.
Privacy

Submission + - Facebook, I loved you. And you blew it. (spareclockcycles.org)

cirictech writes: A Dear John letter to Facebook. The whys you should leave and not feel bad.
I can't do it anymore. I wish I could, but this just isn't working out, Facebook. The lies, the viruses, the two-timing with advertisers, I just can't handle it all. I don't have the time or the energy to deal with all of your deceptions and all of your constant attacks on my privacy. I need my personal space. I think I want to try other social networking sites, and I think it's best that I leave you alone with your soul mates: the advertisers, the identity thieves, the stalkers, and the spies. It will be better this way.

Sure, we had some great times in the beginning.

Submission + - Breaking Up With Facebook (spareclockcycles.org)

supernothing writes: This is the last straw. Facebook has betrayed its users for the last time. Time and time again it has violated the trust its users have given it. This article summarizes why it is time to break up with Facebook, and forge a new, healthy relationship with a social networking site more deserving of our data.
Security

Submission + - Google Releases a Tutorial for Hackers 1

Hugh Pickens writes: ""Learn how hackers find security vulnerabilities and exploit web applications!" as the San Francisco Chronicle reports that Google has released Jarlsberg, a "small, cheesy" web application specifically designed to be full of bugs and security flaws as a security tutorial for coders and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities. In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."
Microsoft

Submission + - How Assumptions Are Making Us All Insecure (threatpost.com)

Trailrunner7 writes: In the space of a given year, untold thousands of vulnerabilities are found in operating systems, applications and plug-ins. In many cases, the affected vendors fix the flaws, either with a patch, a workaround or some other mitigation. But there's also a huge population of security bugs that vendors never fix because they're deemed unexploitable, an assumption that may be turning into a serious mistake for software makers. Microsoft made such a call earlier this year, after researchers at Core Security informed the company that they had found a vulnerability in the Microsoft Virtual PC software. The flaw, which affected the virtual machine monitor (VMM) in Virtual PC, could enable an attacker to use applications running in user-space on a guest OS to access portions of the Virtual PC memory that should be inaccessible to those applications. This gives the attacker the ability to bypass anti-exploitation technologies in the underlying operating system and exploit flaws in the OS that otherwise would not be exploitable.

The difference in this case, experts say, is that the Virtual PC vulnerability is the symptom of a larger problem lurking beneath the surface: assuming that protections such as ASLR, DEP and SafeSEH will always be around to save us. "We're less worried about this particular vulnerability than we are about the now-exposed (incorrect) assumption that various security mechanisms will always be in place. It's obvious that a complete re-calibration of exploit potential for uncategorized bugs will become necessary if vulnerabilities like the one described here remain in our fielded systems. Not so good for Windows 7," Gary McGraw of Cigital said.

Businesses

Submission + - Google Acquires BumpTop, a 3D Desktop Developer (pcmag.com)

WhiteDragon writes: "Google has acquired Bump Technologies Inc., better known as the creators of BumpTop--a freeware application that transforms one's generic, two-dimensional desktop into a walled, three-dimensional, navigable display. In addition, the software is fully compatible with multi-touch gesturing as well, provided one's hardware supports such technology."
Politics

Submission + - Why Chinese Hackers Aren't A Threat (spareclockcycles.org)

supernothing writes: There's a lot of crazy talk going around about imminent cyber warfare with China, helped in no small part by the largely debunked claims of Richard Clarke. This article explores the true motivations behind the recent Chinese cyber attacks, and why we shouldn't act like the sky is falling.

To summarize for those who won't read anything unless it's in meme form:

"1.) China loans U.S. large sums of money.
2.) U.S. uses said money to create new intellectual property.
3.) China breaks into networks and takes said property, then also forces U.S. to pay back their debt with interest.
4.) ????
5.) PROFIT"

Comment Metasploit (Score 1) 234

has had this functionality for months now...
http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe

Now, it's entirely possible that he found this on his own. But it's not exactly a new development...

Also, before anyone goes and claims to have found a way to get Java applets to execute arbitrary code as well:
http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/browser/java_signed_applet.rb
Red Hat Software

Fedora 12 Released 236

AdamWill writes "The Fedora Project is pleased to announce the release of Fedora 12 today. With all the latest open source software and major improvements to graphics support, networking, virtualization and more, Fedora 12 is one of the most exciting releases so far. You can download it here. There's a one-page guide to the new release for those in a hurry. The full release announcement has details on the major features, and the release notes contain comprehensive information on changes in this new release. Known issues are documented on the common bugs page."
