Quote (AbDuCt @ Mar 2 2013 02:51pm)
HTML5 remote download feature... could be used maliciously
just feel like warning you guys lol. the HTML 5 feature `localstorage` can be used to remotely download files onto your computer without your concent/knowledge. all popular browsers support this feature at this time. a proof of concept code sample can be found on github (https://github.com/feross/filldisk.js) which can fill a users harddrive up with cat pictures writing almost 1gb of data every 16 seconds on a ssd. Firefox is not effected because it has a cap on how much data it writes but chrome, IE, and opera do not have said limit and can fill your entire harddrive up. Although fulling your harddrive up is the least of your worries seeing how it can download anything without your consent to begin with on any browser supporting html5.
That's such mega old news, fill disk is open source website, that will fill your hard drive in a few seconds & crash your computer, on everything except for firefox.
Quote (AbDuCt @ Feb 2 2013 10:29am)
Security Flaws in UPnP protocol put 50 million devices at risk
A Security Flaw in Universal Plug & Play (UPnP) are exposing more than 50 millions of computers, printers and storage drives to attack by hackers remotely.
Rapid7 said Tuesday in a research paper (https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play), that problem lies in routers and other networking equipment that use a commonly employed standard known as Universal Plug and Play or UPnP.
UPnP allows networked devices to discover each other and automatically establish working configurations that enable data sharing, media streaming, media playback control and other services.
In one common scenario a file-sharing application running on a computer can tell a router via UPnP to open a specific port and map it to the computer's local network address in order to open its file-sharing service to Internet users.
Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet and around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol.
The long list of devices includes products from manufacturers including Belkin, D-Link, Cisco's Linksys division and Netgear.
They found that 20 percent, or 17 million, of those IP addresses corresponded to devices that were exposing the UPnP SOAP (Simple Object Access Protocol) service to the Internet. This service can allow attackers to target systems behind the firewall and exposes sensitive information about them.
Additional vulnerabilities, including ones that can be used in denial of service and remote code execution attacks, also exist in a UPnP library called MiniUPnP.
Rapid7 also release ScanNow UPnP, a free tool that can identify exposed UPnP endpoints in your network and flag which of those may remotely exploitable through recently discovered vulnerabilities.
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, web cameras, storage drives and smart TVs are often shipped with that functionality turned on by default.
Paypal hacker escaped jail
In London today, an 18-year-old anonymous hacker received an 18-month youth rehabilitation order and a 60-hour unpaid work requirement for his involvement in "Operation Payback". One strike against Paypal alone cost the site £3.5 million pounds.
But Jake Birchall escaped jail today after the judge ruled he had been affected by special needs. He was an advanced user of the internet and had used it for nine years, since he was eight years old.
"He did play a prominent and important part in this and I think he has got to learn to get out of bed in a morning and do unpaid work." The judge said.
Jake Birchall had admitted conspiring to impair the operation of computers in 2010 and 2011. They were convicted for their distributed denial of service attacks, which paralyse computer systems by flooding them with online requests.
Ashley Rhodes, 28, of Bolton Crescent, Camberwell, south London, was given seven months, and Peter Gibson, 24, from Castletown Road, Hartlepool, deemed to have played a lesser role in the conspiracy, was given a six-month suspended sentence.
Buffer Overflow vulnerability in VLC media player
VideoLAN recently published a security advisory (http://www.videolan.org/security/sa1302.html) warning of a buffer overflow vulnerability in versions 2.0.5 and earlier of VLC Media Player, which might be exploited to execute arbitrary code. This vulnerability was reported by Debasish Mandal.
The vulnerability is caused due to an error in the "DemuxPacket()" function (modules/demux/asf/asf.c) when processing ASF files and can be exploited to cause a buffer overflow via a specially crafted ASF file. To exploit the vulnerability, a user must explicitly open a specially crafted ASF movie.
Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious file.
VideoLAN advises users to refrain from opening files from untrusted locations and to disable the VLC browser plug-ins until the issue is patched. A patch will be included in VLC 2.0.6, the next version of the media player, which is only available for testing purposes at the moment.
FBI Busts Hacker who blackmails 350 women for stripping on camera
The FBI Tuesday announced the arrest of Karen 'Gary' Kazaryan, a 27-year old man, who is said to have blackmailed more than 350 women after convincing them to strip off in front of their webcams has been arrested in the US.
He was arrested in Glendale, California on Tuesday after being indicted on 15 counts of computer intrusion and 15 counts of aggravated identity theft, and faces a possible 105 years in the Big House if convicted. The FBI described the alleged blackmail as "sextortion".
He is accused of hacking into the victims accounts and changing their passwords, locking them out of their own online accounts. He then searched emails or other files for naked or semi-naked pictures of the victims, as well as other information, such as passwords and the names of their friends.
He then posed online as the women, sent instant messages to their friends and somehow, persuaded those friends to get undressed so that he could view and take pictures of them. US authorities said they had found about 3,000 pictures of nude or semi-nude women on Mr Kazaryan's computer.
The FBI said that it hasn't yet linked all of the nude and semi-nude images with people's actual identities. "Anyone who believes they may have been a victim in this case should contact the FBI's Los Angeles Field Office at (310) 477-6565," said a statement issued by the bureau (http://www.justice.gov/usao/cac/Pressroom/2013/016.html).
oh no, someone gonna overflow my buffers while I'm watching a movie on VLC!
lol @ the hacker, what a boss