d2jsp Forums > Off-Topic > Computers & IT > Hacking The Gibson > Hacker News
Member
Posts: 105,130
Joined: Apr 25 2006
Gold: 10,475.00
Mar 13 2013 02:28am
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Mar 13 2013 03:00am
Quote (Ghot @ Mar 13 2013 04:28am)


yeah it's a bit old, pwn2own happened like 4 days ago or something.

something newer on the other hand that a friend found.

linux x86_64 ASLR bypass 0day. pretty much renders ASLR 100% useless and there is no point in it being enabled. we don't know if anyone else found it or made a POC for it yet but we did. basically allows you to call system calls without parsing any ELF headers and without calling SYSCALL at all.
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 15 2013 12:54am


A security notice from Linode was put out to all its users to log into their manager to reset their passwords. Linode administrators have discovered and blocked suspicious activity on the Linode network which appears to have been a coordinated attempt to access the account of one of their customers. They have found no evidence that any Linode data of any other customer was accessed in the breach. Law enforcement officials have been notified of the attack and they have taken all appropriate measures to provide the maximum amount of protection to their customers.

http://blog.linode.com/2013/04/12/security-notice-linode-manager-password-reset/


My thoughts on this...

First off they are not saying the extent of the breach or what kind of data was and was not accessed. That seems really badly played on their part. They also forwarded all their customers' emails to a third party remailer to email a security alert, which of course came from the remailer rather than Linode, causing many customers to think it was a phishing attempt. Another thing that caught my eye to extend the theory that they are not telling the entire story is that they have said only ONE customer was targeted, but they are resetting EVERYONE'S passwords including but not limited to their manager, LISH passwords and even as far as their API keys.

Either Linode has been compromised more deeply than they are letting on or they are incredibly bad at handling these situations. On a side note I wonder if anyone is going to claim the attack. I will keep an eye out to see if anyone does in fact claim the attack.

This post was edited by AbDuCt on Apr 15 2013 12:54am
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 15 2013 12:58am
Found just now apparently NMAP has been compromised which also resides on Linode servers.


From: Fyodor

Hi Folks. I'm sorry for the downtime over the last week, but
someone compromised our hosting provider (Linode) and used that access to
break into some of our virtual private server (VPS) systems. So we spent
the last week doing investigation and recovery work. I guess we've seen
the dark side of cloud hosting. The good news is that we have reverted to
pre-breakin (3/31) backups and pretty much all of our sites and services
are up and running again.. Meanwhile, Linode says they have identified and
fixed the flaws in their systems which allowed this to happen, and they
have expelled the attackers. Linode put out their own release at [1].

There are still a couple issues outstanding:

1) The svn server may give you an error when you update since we reverted
to a known good backup and manually re-applied all the commits since then
(after verifying them by hand). You may need to blow away your working
directory and check out from scratch. Also, we have disabled all committer
accounts until we can reissue them with new passwords.

2) seclists.org is currently missing mail between 3/31 and 4/12. We're
working on migrating that over.

Interestingly, our web referrer logs show that the attacker first
visited us by following a link on this Quora page listing Linode's
most prominent customers:

http://www.quora.com/What-are-some-of-the-highest-traffic-websites-hosted-on-Linode

I guess they hacked Linode and then went looking for well-known sites to go
after. Perhaps we should be flattered to have made the list, but we're
not. Linode says the intruder messed around with our account, but left
their other customers alone.

Thanks for your patience this week. We think everything is cleaned up,
but, as always, please let me know if you see something suspicious or
broken or amiss. I'd like to thank David for staying up with me past
midnight multiple times doing recovery. Linode's CEO (Chris Aker) and COO
(Tom Asaro) were also helpful and prompt in investigating. Let's hope this
doesn't happen again!

Cheers,
Fyodor

[1]
http://blog.linode.com/2013/04/12/security-notice-linode-manager-password-reset/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

This post was edited by AbDuCt on Apr 15 2013 12:59am
Retired Moderator
Posts: 38,135
Joined: May 27 2006
Gold: 3,835.50
Trader: Trusted
Apr 15 2013 01:10am
I know it isn't hacking related, but I'm surprised the big DDOS war that was or may still be going on hasn't been mentioned much
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 15 2013 01:12am
Quote (ArtofApocalypse @ Apr 15 2013 03:10am)
I know it isn't hacking related, but I'm surprised the big DDOS war that was or may still be going on hasn't been mentioned much


you mean that small 100gbps attack on some anti spammer website? people made that out to be some huge event but in reality it didn't affect the stability of the internet at all. i didn't post about it because ddos is lame and that it didn't really affect anyone.

can't remember where i saw it but someone made a graph showing various details about the attack during the duration and it didn't really affect any of the stats that much. I think some people's pings raised by 10ms or something... after all google did say they would help out by opening some of their pipes.

or do you mean that d2jsp "war" if you can call it that. either one was pathetic for reasons of their own. i did laugh though that paul took almost a week of downtime to migrate servers and set up an httpd again.

This post was edited by AbDuCt on Apr 15 2013 01:15am
Retired Moderator
Posts: 38,135
Joined: May 27 2006
Gold: 3,835.50
Trader: Trusted
Apr 15 2013 01:17am
Quote (AbDuCt @ Apr 15 2013 03:12am)
you mean that small 100gbps attack on some anti spammer website? people made that out to be some huge event but in reality it didn't affect the stability of the internet at all. i didn't post about it because ddos is lame and that it didn't really affect anyone.

can't remember where i saw it but someone made a graph showing various details about the attack during the duration and it didn't really affect any of the stats that much. I think some people's pings raised by 10ms or something... after all google did say they would help out by opening some of their pipes.

or do you mean that d2jsp "war" if you can call it that. either one was pathetic for reasons of their own. i did laugh though that paul took almost a week of downtime to migrate servers and set up an httpd again.


yeah it was the war with the anti spamming website adding the other website on their spam mail filter list, and that website qq'd and DDOS'd

It was mentioned in my A.I course, I looked at the article later that day. I think it did affect some people. /Shrug

The reason why I brought it up is because, in my own head, what does this say for the future? I do not know many details because I don't pay attention to DDOS attacks but do you think this attack will help in the case of government/isp passing laws relating to the internet?

As in, what this might mean for the future DDOS attacks where other people will be affected?

This post was edited by ArtofApocalypse on Apr 15 2013 01:23am
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 15 2013 01:35am
Quote (ArtofApocalypse @ Apr 15 2013 03:17am)
yeah it was the war with the anti spamming website adding the other website on their spam mail filter list, and that website qq'd and DDOS'd

It was mentioned in my A.I course, I looked at the article later that day. I think it did affect some people. /Shrug

The reason why I brought it up is because, in my own head, what does this say for the future? I do not know many details because I don't pay attention to DDOS attacks but do you think this attack will help in the case of government/isp passing laws relating to the internet?

As in, what this might mean for the future DDOS attacks where other people will be affected?


i don't think anything will come to it, after all it's pretty difficult to find the operator of such attacks. let's just take a look at how a normal IRC botnet would look like

rooted/hacked servers hosting an IRCD (because they are hacked it leaves no trace back to the operator)
many bot nodes gathered from various sources (again not linked to the attacker)
attacker may connect to the IRCD to give out commands through vpns and proxy lands such as TOR making him pretty much untraceable.

basically there is really nothing linking the attacker to any of the resources and because of that the attacker's identity is hard to find. so creating laws would only be a waste of time in my opinion.

as for the future of ddos attacks people are just reaching the beginnings. back in the day it was just tcp connections and udp packets. that evolved into spoofed source ip packets so that they became harder to block because the source was inconsistent. then came other attacks blah blah blah and now we are faced with current more deadly attacks that are an actual exploit in the design of the internet itself. the 300gbps attack on that website was done through DNS reflection in which you can use a small cluster of computer bot nodes to send requests (with spoofed source ip to the attacker's target) to a DNS server and the DNS server will send back a huge amount of data. doing this with a few hundred servers to a DNS list of 30,000 could spark up massive bandwidth. A similar ddos method was used on video game servers for half-life, counterstrike, and others. you could spoof an ip and ask for the current players/config of the servers and you can literally amplify 10 bot nodes into 10,000.
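
The DNS reflection pattern described in the post above can be spotted from the resolver operator's side. The following is an added example, not part of the original thread: it scans a query log for claimed source addresses that receive far more response bytes than they sent in requests. The log format, the sample lines, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log (assumed format, one query per line):
# "epoch_seconds claimed_src qtype qname req_bytes resp_bytes"
SAMPLE_LOG = """\
1000 198.51.100.7 A www.example.org 45 61
1000 203.0.113.9 ANY example.org 40 3100
1001 203.0.113.9 ANY example.org 40 3100
1001 203.0.113.9 ANY example.org 40 3100
1002 192.0.2.33 MX example.org 40 120
1002 203.0.113.9 ANY example.org 40 3100
1003 203.0.113.9 ANY example.org 40 3100
1004 198.51.100.7 AAAA www.example.org 45 73
"""

def parse(log_text):
    """Yield (ts, src, qtype, qname, req_bytes, resp_bytes); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, qtype, qname, req, resp = parts
        yield int(ts), src, qtype, qname, int(req), int(resp)

def find_reflection_victims(log_text, window_s=60, min_ratio=10.0,
                            min_resp_bytes=10_000):
    """Flag (claimed source, time window) pairs with a high response/request
    byte ratio and a high response volume. With spoofed queries, the claimed
    source is the likely victim, not the sender."""
    stats = defaultdict(lambda: {"req": 0, "resp": 0, "queries": 0})
    for ts, src, _qtype, _qname, req, resp in parse(log_text):
        bucket = stats[(src, ts // window_s * window_s)]
        bucket["req"] += req
        bucket["resp"] += resp
        bucket["queries"] += 1
    findings = []
    for (src, window_start), s in stats.items():
        ratio = s["resp"] / s["req"] if s["req"] else 0.0
        if ratio >= min_ratio and s["resp"] >= min_resp_bytes:
            findings.append((src, window_start, s["queries"],
                             s["resp"], round(ratio, 1)))
    # Largest response volume first
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for finding in find_reflection_victims(SAMPLE_LOG):
        print(finding)
```

A resolver operator who sees such findings would typically restrict recursion to known clients or apply response rate limiting for the flagged address.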
Retired Moderator
Posts: 38,135
Joined: May 27 2006
Gold: 3,835.50
Trader: Trusted
Apr 15 2013 01:38am
Quote (AbDuCt @ Apr 15 2013 03:35am)
i don't think anything will come to it, after all it's pretty difficult to find the operator of such attacks. let's just take a look at how a normal IRC botnet would look like

rooted/hacked servers hosting an IRCD (because they are hacked it leaves no trace back to the operator)
many bot nodes gathered from various sources (again not linked to the attacker)
attacker may connect to the IRCD to give out commands through vpns and proxy lands such as TOR making him pretty much untraceable.

basically there is really nothing linking the attacker to any of the resources and because of that the attacker's identity is hard to find. so creating laws would only be a waste of time in my opinion.

as for the future of ddos attacks people are just reaching the beginnings. back in the day it was just tcp connections and udp packets. that evolved into spoofed source ip packets so that they became harder to block because the source was inconsistent. then came other attacks blah blah blah and now we are faced with current more deadly attacks that are an actual exploit in the design of the internet itself. the 300gbps attack on that website was done through DNS reflection in which you can use a small cluster of computer bot nodes to send requests (with spoofed source ip to the attacker's target) to a DNS server and the DNS server will send back a huge amount of data. doing this with a few hundred servers to a DNS list of 30,000 could spark up massive bandwidth. A similar ddos method was used on video game servers for half-life, counterstrike, and others. you could spoof an ip and ask for the current players/config of the servers and you can literally amplify 10 bot nodes into 10,000.


Refer to Gun Control Laws, soda ban laws, or just New York state

Anyways, thanks for responding

This post was edited by ArtofApocalypse on Apr 15 2013 01:43am
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 15 2013 01:40am
Quote (ArtofApocalypse @ Apr 15 2013 03:38am)
Refer to Gun Control Laws, soda ban laws, or just New York state

Anyways, thanks for responding


you can create any laws you want but if you can't catch the suspects disobeying those laws then there really is no point is there?