Facebook users up in arms over new Terms and Conditions

February 17, 2009 – 10:38 AM

A change to Facebook’s terms of service, which extends control over user content to profiles that have been shut down, has prompted nearly 20,000 users to join protest groups.

Users signing a contract with Facebook give full control of their social networking content to the company, including the right to copy, modify, translate and distribute any of their information, and to use images and descriptions of themselves for any purpose, including commercial use and advertising.

Facebook used to relinquish control over content when contracts were terminated, but the latest change to its terms technically allows the site to keep the information forever.

Source:
http://www.vnunet.com/vnunet/news/2236647/thousands-protest-against

VirtualBox 2.1.4 Released

February 17, 2009 – 5:44 AM

Sun today released VirtualBox 2.1.4, the second maintenance release of VirtualBox 2.1, which improves stability and performance. See the ChangeLog for a list of changes since VirtualBox 2.1.2.

VirtualBox is a family of powerful x86 virtualization products for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers, it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL).

Download:
http://www.virtualbox.org/wiki/Downloads

Telnetd exploit on FreeBSD 7

February 16, 2009 – 9:17 AM

A posting on the Full Disclosure mailing list has revealed what the FreeBSD Security team call a semi-remote root exploit for the telnetd service in FreeBSD 7, and later. By default, this service is disabled.

To exploit the vulnerability, a maliciously crafted library must be placed on the victim system beforehand, and then an attacker must connect via telnetd, passing the location of that library in the LD_PRELOAD environment variable. The malicious library is then loaded before the /bin/login process and executed as root.

Source:
http://www.heise-online.co.uk/news/Telnetd-exploit-on-FreeBSD-7–/112657

Exploit Code:
http://www.securityfocus.com/data/vulnerabilities/exploits/33777.c

New DDoS attack based on deluge of dots

February 15, 2009 – 10:46 AM

A technique for worsening the effects of distributed denial-of-service-type attacks uses a feature in the DNS system that was once designed to be helpful. Patching it could involve reconfiguring millions of domain-name servers, or even rethinking how the system works.

A DDoS attack, of course, involves bombarding a target site with garbage so no other traffic can get through. Some attackers, especially the ones who do these attacks for a living (think extortion), use amplification techniques that increase the flow of packets while further disguising the true source of the onslaught. One of these, which SecureWorks is currently examining, leverages a feature in the domain-name system, making it appear that the victim’s computer is lost and in need of a list of all the root domain nameservers. That’s a long list, and the forged command is quite short — in fact, it’s “.”. A tiny effort on behalf of the attacker, therefore, is leveraged into a significant amount of DDoS distress.

All an attacker has to do in the new style is spoof the source and insert the IP address of the target, so the earlier fixes, which managed the problem in terms of recursivity, don’t hold the fort. (The SecureWorks link above includes configuration advice for diligent sysadmins.) Some observers estimate that attackers using the technique have been able to leverage as many as 375 domain-name servers for every infected machine in their botnet.

Source:
http://www.betanews.com/article/New_DDoS_attack_based_on_deluge_of_dots/1234313732
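
A defender-side check for the pattern described in the item above, added here as an example that is not from the article or from SecureWorks: it scans name-server query logs for bursts of root NS queries (`. IN NS`) attributed to a single client. The log lines are constructed and only modelled on BIND 9 query logging; the window and threshold are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines modelled on BIND 9 query logging (not real traffic).
SAMPLE_LOG = """\
15-Feb-2009 10:46:01.100 client 198.51.100.7#4312: query: . IN NS +
15-Feb-2009 10:46:01.300 client 198.51.100.7#9921: query: . IN NS +
15-Feb-2009 10:46:01.350 client 192.0.2.44#5300: query: www.example.com IN A +
15-Feb-2009 10:46:01.900 client 198.51.100.7#1187: query: . IN NS +
15-Feb-2009 10:46:02.400 client 198.51.100.7#6024: query: . IN NS +
15-Feb-2009 10:46:30.000 client 203.0.113.9#4000: query: . IN NS +
15-Feb-2009 10:47:45.000 client 203.0.113.9#4001: query: . IN NS +
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def find_root_ns_floods(lines, window_seconds=10, threshold=4):
    """Return {client_ip: peak count} for clients that sent at least
    `threshold` root NS queries ('. IN NS') inside any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["qname"] != "." or m["qtype"] != "NS":
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        q = recent[m["ip"]]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

if __name__ == "__main__":
    # The "client" address is forged in this attack, so a flagged IP is most
    # likely the victim being flooded, not the sender.
    for ip, count in find_root_ns_floods(SAMPLE_LOG).items():
        print(f"{ip}: {count} root NS queries within 10s")
```

A flagged address is a candidate for refusing or rate-limiting root queries on the server, not for blocking as an attacker.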

How Attackers Use Your Metadata Against You

February 14, 2009 – 8:47 AM

To steal your identity, a cybercriminal doesn’t have to have direct access to your bank account or other personal information. Often, he collects information about you from a variety of seemingly innocuous sources, then uses that data to map out a strategy to crack your online defenses and drain your accounts.

Such methods are well-known to security professionals. But what those same professionals often overlook is that this approach can also be used to crack the defenses of sensitive business files. Rather than trying to gain access to your data itself, the bad guys are analyzing the so-called harmless information about your files — collectively known as metadata — and using it to develop attacks that can drain your business of its most sensitive information.

Metadata is a powerful feature of many document and file types, including Microsoft Office documents, PDFs, JPGs, ZIP files, and multimedia formats. Depending on the application and the file, metadata might contain information such as author names, user names, version of the software used to create the file, the user’s operating system, and sometimes even the computer’s MAC address. Armed with this data, an attacker can develop exploits that might work not only on a specific file, but on all similar file types in an enterprise.

Armed with this data, an attacker can target users, as well as the computing environment within their enterprises. Several instances of metadata mishaps have been in the news in recent years. In one case, attackers used data they collected from the “track changes” feature in Microsoft Word. In another case, they took advantage of failed attempts to black out data in PDF files.

These cases make it clear: Once your documents leave the internal network — either through email or Web publishing — those files and the metadata they contain are fair game for attackers.

Source:
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=214200389&cid=RSSfeed
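
A pre-publication audit for the exposure described in the item above, added here as an example that is not from the article: it lists the author, user and software-version properties stored in a Word .docx package and any tracked changes still present in the body. The sample package is built in memory and every name in it is made up; `audit_docx` and `build_sample` are hypothetical helper names.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC = "{http://purl.org/dc/elements/1.1/}"
EP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Package part -> property elements to review before a file leaves the network.
FIELDS = {
    "docProps/core.xml": [DC + "creator", CP + "lastModifiedBy"],
    "docProps/app.xml": [EP + "Application", EP + "AppVersion", EP + "Company"],
}

def audit_docx(data):
    """Return identifying properties and leftover tracked changes in a .docx."""
    findings = {"properties": {}, "tracked_changes": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        for part in FIELDS.keys() & names:
            root = ET.fromstring(pkg.read(part))
            for tag in FIELDS[part]:
                el = root.find(tag)
                if el is not None and el.text:
                    findings["properties"][tag.split("}")[1]] = el.text
        if "word/document.xml" in names:
            body = ET.fromstring(pkg.read("word/document.xml"))
            for kind in ("ins", "del"):  # w:ins / w:del hold tracked revisions
                for el in body.iter(W + kind):
                    findings["tracked_changes"].append((kind, el.get(W + "author")))
    return findings

def build_sample():
    """Constructed minimal package for the demo; every name in it is made up."""
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP[1:-1]}" '
            f'xmlns:dc="{DC[1:-1]}"><dc:creator>jsmith</dc:creator>'
            "<cp:lastModifiedBy>adavis</cp:lastModifiedBy></cp:coreProperties>",
        "docProps/app.xml": f'<Properties xmlns="{EP[1:-1]}"><AppVersion>12.0000</AppVersion></Properties>',
        "word/document.xml": f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p><w:del w:author="adavis">'
            "<w:r><w:delText>draft price</w:delText></w:r></w:del></w:p></w:body></w:document>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

print(audit_docx(build_sample()))
```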