The Black Hat Conference and a Memorable Hack

I wasn’t involved; the reporter who was would, I’m sure, verify that if pressed.  eWeek is one of the more respectable business publications, with information ranging from ‘CIO-only’ to general interest.  The Black Hat Conference, held yearly in Las Vegas, is where security researchers meet and discuss issues.  I intend and expect to bring up some more news from this one, but this nearly tops them all.  Bear in mind that the demonstration did violate the rules of the conference, and the ones who…got the eWeek reporter’s password from a hack…might face criminal charges.  I don’t know.  It would depend on how much of a sense of humor is involved.


It’s also a glaring demonstration of how vulnerable we all are.  I currently use the Avant Browser simply because it’s so easy to turn off most of the dangerous features.  The alternatives are Firefox 3.0 and Opera…9.5 (okay, my memory isn’t photographic any more; anyway, the most recent release [it is 9.5]); IE 8 is still in beta and has to be run in IE7 emulation for a lot of things.  I will also cover the trick that was used to get Brian’s password.  He is an excellent reporter and an intelligent man.  I’ll have to put him down when I reach perfection.


More about Phishing and XSS–avoiding being a victim…and gmail…and google GADGETS

That’s one of the latest and largest holes being exploited.  This article on eBay gives a hint of how it’s done, and one immediate check.  If you’re “talking” with someone online–live or by e-mail–and they mention Internet-based resources or business resources, search for them (“Google” them, though that’s hardly the only search engine) and see if they exist.  There are several resources mentioned in that article that don’t; Yahoo Finance was perhaps the one that most struck my attention.


Believe it or not, I was going to let that one go.  I’ve seen three mentions so far of this vulnerability–gmail (which I use) and GOOGLE GADGETS.  It’s probably not too smart to use them or, for that matter, the Google Desktop.  The gist is that code is written to the browser.  This year the pattern has generally been that a link is then deposited in the Startup folder (that one is supposedly fixed) or, now, on the desktop.  In the first instance, reboot or turn your computer back on and you’re running someone else’s code.  In the second instance, a link you think you know turns out to be something else.  Quite likely, you’ll be loading, among other things, a keylogger.


I’m nearly exclusively using the Avant Browser.  I now know what happened while I was down, and why my computer was down when I got back into action.  You don’t have to do something stupid in order to get infected with a virus.  The reason I use the Avant Browser is that it’s easy to turn off Java, ActiveX and half the other cool things–which makes it a bit harder to mis-direct.  I’m also using Zone Alarm.  Note that these are in fact download links as well, because there was apparently quite a bit of DNS mis-direction going on last week.


Oh, and another note.  When the fixes come…let Windows (or Leopard–hell, even Linux) download and apply the fixes.  That’s this Tuesday, with 11 scheduled, if I remember correctly.  XP users may actually have, or have had, only one fix that applied.