
Archive for July 5th, 2010


Misconfigured Cisco Wireless Gear Could Lead to Wi-Fi Breach

Users of a popular Cisco Systems wireless access point may be setting themselves up for trouble if they leave a WPA wireless migration feature enabled, according to researchers at Core Security Technologies.

The issue has to do with Cisco’s Aironet 1200 Series Access Point, which is used to power centrally managed wireless LANs. The Aironet 1200 can be set to a WPA (Wi-Fi Protected Access) migration mode, in which it provides wireless access for devices that use either the insecure WEP (Wired Equivalent Privacy) protocol or the more secure WPA standard.

This gives companies a way to gradually move from WEP to WPA without immediately buying all-new, WPA-capable equipment. But while auditing the network of a customer who used the product, Core researchers discovered that even networks that had stopped using WEP devices could still be vulnerable, so long as the Aironet’s migration mode…


Never Texting Again: Facebook rogue app spreading quickly

Over 170,000 people have in the last few days clicked on a link that is spreading virally across Facebook, claiming to point to a video of someone who died after sending a text message on their cellphone.

The links are being posted on innocent Facebook users’ walls by a rogue application. A typical message posted by the rogue application reads:

I am shocked!!! I'm NEVER texting AGAIN since I found this out. Video here: http://bit.ly/a37TaB - Worldwide scandal!

Facebook status messages from affected users

If you do make the mistake of clicking on the link, you are taken to the rogue Facebook application.

Rogue Facebook application

Permission request from rogue application

The problem is that even though Facebook warns users that they are giving the “I will never text again after seeing this” application permission to post to their wall (as well as access their personal information), many people still go ahead…


Google confirms attack on YouTube

IDG News Service - Malicious hackers attacked Google’s YouTube on Sunday, exploiting a cross-site scripting (XSS) vulnerability on the ultra-popular video sharing site, hitting primarily sections where users post comments.

“Comments were temporarily hidden by default within an hour [of discovering the problem], and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future,” a Google spokesman said via e-mail.

The attack potentially put at risk YouTube cookies of users who visited a compromised page, but it couldn’t be used to access their Google accounts, the spokesman said. As a precaution, YouTube users should log out of their account and log back in again.

The attackers apparently targeted singer Justin Bieber, incorporating code into YouTube pages devoted to him so that visitors saw tasteless messages pop up about the



Justin Bieber fans under fire in YouTube XSS attack

If there are any breathless fans of Justin Bieber reading this – let me calm you straight away: Justin Bieber has not died in a car crash.

But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.

A vulnerability in YouTube’s comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.

Normally YouTube is smart enough to weed out offending code left in the comments left for videos, but it appears that the hackers found a way to waltz past the site’s defences.

Those watching YouTube videos…


Adobe’s protection against embedded scripts incomplete

In a post on its blog, security firm Bkis reports that the protection against /launch attacks, introduced in Adobe Reader and Acrobat with update 9.3.3, is still incomplete. By enclosing the commands embedded in PDF documents in double quotation marks, the protection can be bypassed and programs can be launched, although a warning dialogue requiring user confirmation is still displayed.

Adobe said that many customers require the function for their corporate solutions, so instead of disabling the “Allow opening non-PDF file attachments with external applications” option completely, Adobe has integrated a blacklist of prohibited applications (including .exe, .bat and many more). The blacklist is designed to make Reader categorically block all malicious calls, regardless of whether the option is enabled or not.

However, the blacklist


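Added example, not code from the Bkis post or from Adobe: a small Python scanner that pulls the /F target out of each /Launch action in a PDF and shows why a blacklist matched against the raw string misses a double-quoted target, while matching after stripping the quotes does not. The two-extension blacklist and the PDF fragments are constructed for the demo; the real list and the exact bypass string are not on the page.

```python
import os
import re

# Extensions on the blacklist. The article names .exe and .bat; the rest of
# Adobe's list is not on the page, so this set is an assumption for the demo.
BLOCKED_EXTENSIONS = {".exe", ".bat"}

# Matches a /Launch action and captures the literal string of its /F (file)
# entry, whether it sits directly in the action or inside a /Win sub-dictionary.
LAUNCH_TARGET_RE = re.compile(rb"/S\s*/Launch\b.*?/F\s*\(([^)]*)\)", re.S)


def extract_launch_targets(pdf_bytes: bytes) -> list[str]:
    """Return the raw /F strings of every /Launch action in the PDF bytes."""
    return [m.group(1).decode("latin-1") for m in LAUNCH_TARGET_RE.finditer(pdf_bytes)]


def naive_is_blocked(target: str) -> bool:
    """Blacklist check applied to the string exactly as written in the document."""
    return os.path.splitext(target.strip())[1].lower() in BLOCKED_EXTENSIONS


def normalize_target(target: str) -> str:
    """Strip the surrounding double quotes that the described bypass relies on."""
    return target.strip().strip('"').strip()


def is_blocked(target: str) -> bool:
    """Blacklist check applied after normalization."""
    return naive_is_blocked(normalize_target(target))


def scan(pdf_bytes: bytes) -> list[tuple[str, bool, bool]]:
    """For each launch target: (raw string, naive verdict, normalized verdict)."""
    return [(t, naive_is_blocked(t), is_blocked(t)) for t in extract_launch_targets(pdf_bytes)]


# Constructed PDF fragments for the demo: one plain target, one quoted target.
PLAIN_LAUNCH = b"<< /Type /Action /S /Launch /Win << /F (cmd.exe) >> >>"
QUOTED_LAUNCH = b'<< /Type /Action /S /Launch /Win << /F ("cmd.exe") >> >>'

if __name__ == "__main__":
    for fragment in (PLAIN_LAUNCH, QUOTED_LAUNCH):
        for target, naive, normalized in scan(fragment):
            print(f"{target!r:14} naive_blocked={naive} normalized_blocked={normalized}")
```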