Security

Submission: Lush Cosmetics Data Breach (zdnet.com)

danielkennedy74 writes: Lush Cosmetics, a handmade cosmetics company headquartered in Poole, Dorset in the United Kingdom with some 600 locations around the world, has ostensibly been the “victim of hackers” according to a post on their UK version web site http://www.lush.co.uk/ yesterday. Details are in somewhat short supply, but according to the notice posted, there was a successful initial intrusion and repeated subsequent attempts at re-entry.

A number of consumers of Lush products are reporting on the Lush Facebook page seeing similar fraudulent transactions (similar dollar amounts) in their bank accounts for items like prepaid phones, hotel bookings, and Xbox Live charges. With a handful of users reporting problems going back a couple of weeks, an important question emerges that is not yet answered: when did Lush first become aware of this problem?

News

Submission: Internet Profile of AZ Shooter Jared Lee Loughner (praetorianprefect.com)

danielkennedy74 writes: A shooting earlier near a Tucson, Arizona grocery store (Safeway) that killed six people and wounded twelve, including U.S. Congressman Gabrielle Giffords, is dominating every news channel as new details emerge. One of the aspects of modern attacks by, in this case, what appears to be a lone mentally disturbed individual is that the thoughts of these individuals are usually available online.

The 22-year-old shooter in custody, Jared Lee Loughner, is no exception. He had a MySpace profile and a YouTube channel, revealing what he looks like, some biographical details, and a bizarre personal philosophy mentioning grammar, the timeline of man, and currency creation.

Security

Submission: Anonymous Releases Very Unanonymous Press Release (praetorianprefect.com)

danielkennedy74 writes: Today, December 10th, Anonymous, an Internet gathering, released a press release which you can read below. In it, a description is provided of what Anonymous is about, what Operation Payback is, and where the media is getting it wrong. Also in it, its author forgot to remove his name from the PDF’s meta information.
Security

Submission: Anonymous Turns Operation Payback Toward Jester (praetorianprefect.com)

danielkennedy74 writes: The Jester, a hacktivist who is normally known for short-term denial of service attacks against Jihadist web forums and who recently claimed responsibility for an outage at Wikileaks in the middle of Cablegate (Wikileaks’ publication of U.S. diplomatic cables), has himself become the target of the large-scale hacktivist protest called Operation Payback. The Jester, or th3j35t3r as he is known on Twitter, has ostensibly had the identity of either himself or his close associate revealed as a Montana man who works for the state government named Robin Jackson, who is becoming the target of what could be a good deal of unpleasantness from Anonymous and the 4chan /b/ board at large.
Security

Submission: Turning an ATM into a Slot Machine (praetorianprefect.com)

danielkennedy74 writes: Security researcher Barnaby Jack, currently at IOActive but a veteran of Foundstone, eEye, and Juniper with almost ten years in the industry, has demonstrated two exploit methods for ATMs (Automated Teller Machines) in a presentation that is thus far the talk of the Black Hat 2010 conference. In a talk originally slated for last year before it was muffled by Juniper based on the concerns of “an affected ATM vendor”, Jack demonstrates what he calls jackpotting an ATM.
Security

Submission: Another Persistent XSS Vulnerability on Twitter (praetorianprefect.com)

danielkennedy74 writes: Twitter user 0wn3d_5ys has demonstrated a persistent cross-site scripting (XSS) vulnerability on Twitter he found on June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross-site scripting alert boxes, then your browser is manipulated, and finally you enter the matrix and get messages from the researcher who found the vulnerability.
Security

Submission: Security Firm F-Secure Has Security Flaw In Web Si (forbes.com)

danielkennedy74 writes: In a new section supporting the release of an anti-theft product for mobile phones, the web site of Helsinki-based anti-virus company F-Secure is vulnerable to the common web site exploit known as cross-site scripting (XSS).
Security

Submission: Did LIGATT Security’s CEO Threaten Someone's (praetorianprefect.com)

danielkennedy74 writes: European security analyst Chris John Riley is a well known and legitimate security professional who co-hosts the Eurotrash Security Podcast and writes on the Catch22 Insecurity blog. Gregory Evans is a convicted felon (federal conspiracy and wire fraud against AT&T and MCI for stealing 125 toll free telephone lines) who paid $9 million in restitution, was sentenced to 24 months in federal prison, and runs a dubious company that makes great commercials but also claims a client list they don’t actually have, plagiarizes to write books, and performs press release ping pong with a penny stock. So how did one of these men come to threaten the lives of the other and his family?
Security

Submission: Newsweek Reports Zombie Invasion (praetorianprefect.com)

danielkennedy74 writes: Newsweek.com becomes the latest in a long list of sites that will reveal an Easter egg if you enter the Konami Code (, , , , , , , , B, A, enter) correctly. The Konami Code is a cheat code that appeared in many of Konami’s video games, starting around 1986 (my favorite places to use it were Contra and Life Force, 30 lives FTW). Ostensibly this is probably something that was included by a developer unbeknownst to the powers that be at Newsweek, similar to an incident that happened at ESPN involving unicorns last year.
Security

Submission: 114,000 iPad Owners Might Get Spam (forbes.com)

danielkennedy74 writes: By now you’ve read Gawker’s breathless reporting of how AT&T has exposed the e-mail addresses of 114,000 Apple iPad 3G owners, and seen the picture on their website demonstrating what that many records looks like printed out. Having a web response without any form of authentication reveal user e-mail addresses is negligent, don’t get me wrong. It just doesn’t rise to the level of hysteria depicted in some of the coverage thus far.
Security

Submission: Formspring.me XSS Vulnerability (praetorianprefect.com)

danielkennedy74 writes: Formspring.me, a newly popular social networking site, has a fundamental cross-site scripting flaw that allows one logged-in user to steal another user’s session, but also may allow users to find out who posted a nasty comment about them. A key complaint about the site is that you cannot find out the identity of an anonymous user.

Comment: Video of the Exploit in Action (Score 5, Informative)

The following links to an example of using this vulnerability in Metasploit to compromise a user's PC, in essence what happened to users at Google and some 30 other companies via bad actors assumed to be Chinese nationals: http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/
Security

Submission: Baidu.com the Latest Victim of Iranian CyberArmy (praetorianprefect.com)

danielkennedy74 writes: A group called the Iranian Cyber Army has, fresh off the heels of their DNS attack on Twitter last month, hijacked the domain of Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that serves up over 740 million web pages along with music and video. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200mm. For about three hours they were an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.
