
Heads up, everyone. Microsoft is preparing to announce 12 security advisories[microsoft.com] next Tuesday, 7 of which are ‘critical’, meaning that remote code execution is possible. That’s not good. Stay tuned and stay on your toes…

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.


On Friday, the DHS took another step forward[news.com] in its drive to increase the reliability of state drivers’ licenses by releasing its “Final Rule”[dhs.gov] of minimum standards for compliance. These changes are required by the REAL ID Act of 2005 and have been a source of controversy in the security and civil-rights communities. Additionally, some states have passed legislation rejecting REAL ID.

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.


GNUCitizen[gnucitizen.org] has released details of a new attack[gnucitizen.org] on UPnP-enabled home routers that can be perpetrated by a Flash object running on the browser of any user. I haven’t tested this, but it looks like it should work even if executed under a non-privileged account. (You do use non-privileged accounts, right?) It should work because this attack vector doesn’t do anything particularly suspicious, and certainly not something that would require administrator privileges. There are several very bad results from this attack, but a worst-case scenario is described in the details published on GNUCitizen’s website:

“The most malicious of all malicious things is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. It is also possible to reset the admin credentials and create the sort of onion routing network all the bad guys want.”

That would suck.

What’s interesting here is that this is not a vulnerability in UPnP itself. A pre-existing web session with the home router is a prerequisite for this attack to occur. However, GNUCitizen has several other discussions which show that a simple XSS attack is all that is needed to establish the prerequisite. So this is an attack vector that is opened by another exploit entirely!

Brett Edgar


Adult Web Industry Compromised

January 15th, 2008 | Posted by Brett Edgar in Security

The AP has released a story [FOXNews.com] detailing that a New Jersey company which provides accounting software to the adult-entertainment industry has been hacked. The software apparently tracks referrals from one website to another and determines how much each website owner is supposed to be paid based on those referrals. The breach allowed the attackers to obtain the subscriber lists of several adult websites. Those subscribers are now being spammed with targeted adult advertisements from competitor websites. The greatest quote from the article, from the owner of several adult websites: “There’s a loss, in my opinion, of user confidence.”

Brett Edgar
