IE8 beta installs with search bar ‘keylogger’

September 11, 2008 – 5:47 AM

Microsoft’s IE8 browser includes a keystroke-logging search suggestion tool similar to the one that Google modified on Monday after coming under fire from consumers.

Unlike Chrome, IE8 Beta 2 does not enable the feature – which some have compared to a keylogger – by default. One privacy expert said that was a “huge difference.”

According to IE8’s revised privacy statement, Microsoft’s beta browser contains a new feature, dubbed “Suggested Sites,” that sends the addresses of visited sites and other information to the company’s servers.

Suggested Sites is similar to the “Google Suggest” tool in Google’s Chrome browser, and is designed to recommend the most likely destination sites based on what the user types, the popularity of sites and Microsoft’s own algorithm.

On Monday, Google reacted to criticism of the feature by promising it would render the data it collects anonymous within 24 hours.

By comparison, Microsoft’s privacy statement does not spell out how long the Suggested Sites data is kept, or when, if at all, the company “anonymises” that data.

The company does, however, go into some detail about what it collects. “When Suggested Sites is turned on, the addresses of websites you visit are sent to Microsoft, together with some standard information from your computer such as IP address, browser type, regional and language settings,” the privacy statement reads. Other data that Suggested Sites collects includes the time that sites were visited, which site referred the user to the destination site and how long the user stayed at the destination site.

Source:
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=104271

Facebook botnet risk revealed

September 6, 2008 – 5:07 PM

Researchers have created a proof-of-concept application for Facebook that, in a demonstration, turned the machines of people who added the app to their Facebook page into a botnet launching denial-of-service attacks on a victim server.

“Social Network Web sites have the ideal properties to become attack platforms,” according to a paper entitled “Antisocial Networks: Turning a Social Network into a Botnet,” authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore.

The demo application, called Photo of the Day, displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced “to serve a request of 600 Kbytes,” according to the paper.

Such a botnet could be used for other types of attacks, such as spreading malware, scanning computers for open ports and overriding authentication mechanisms that are based on cookies, the paper warned.

The researchers suggested that Facebook and other social networks be careful in designing their platform and APIs so that there are few interactions between the “social utilities they operate and the rest of the Internet.”

“More precisely, social network providers should be careful with the use of client side technologies, like JavaScript, etc,” the paper says. “A social network operator should provide developers with a strict API, which is capable of giving access to resources only related to the system. Also, every application should run in an isolated environment imposing constraints to prevent the application from interacting with other Internet hosts, which are not participants of the social network. Finally, operators of social networks should invest resources in verifying the applications they host.”

Source:
http://news.cnet.com/8301-1009_3-10034327-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

Wells Fargo Passwords Are Not Case-Sensitive!

September 5, 2008 – 11:41 AM

I just heard on the Security Now podcast a listener mention that his Wells Fargo password was not case-sensitive. I’m not a Wells Fargo user, but several Wells Fargo users I asked this morning confirmed this. You will be logged in no matter what case you enter into the password field.

It was also mentioned in SN’s previous podcast that Wells Fargo customers are reporting that the login system will accept only n characters from the password and just ignore the rest. I don’t think we know what n is at this point, but, for example, if you have a 15-character password, it may only be reading and accepting the first 7 characters, or 8 characters, etc.

This is all very bad. This also tells me that these passwords are stored in plaintext and not hashed at all in the database.

Be careful, WF customers. They have all of your money and they are not doing everything they possibly can to protect it. Very sad.

Using Nessus to call Nikto

September 5, 2008 – 5:41 AM

Earlier this year, Michel Arboi wrote a blog post explaining how to use Nessus to call Nikto and incorporate the results into Nessus output. Most newcomers to Nessus have enabled the nikto.nasl wrapper only to find that it produced no output. Some Nessus users have found various ways to ensure Nikto was called correctly and its output displayed; others chose to run Nikto separately for various reasons. The following guide explains how to configure Nessus to call Nikto properly, which saves considerable time, especially on scans against a large number of systems.

Source:
http://blog.tenablesecurity.com/2008/09/using-nessus-to.html

Twitter targeted by malware attacks

September 5, 2008 – 5:39 AM

Twitter’s time has finally come.

The microblogging service, once the playground of the Web 2.0 digerati, is now mainstream enough to be targeted by online criminals.

Kaspersky Lab has uncovered a fake Twitter profile created solely for the purpose of infecting people’s computers.

The profile, with an alias that means “pretty rabbit” in Portuguese, has posted a link that purports to be a pornographic video but is instead Trojan software masquerading as MP3 files that steals data from the machine, according to Kaspersky’s Viruslist.com blog.

Source:
http://news.cnet.com/8301-17939_109-10007323-2.htm