Archive for the 'Main' Category

irseek closed

Not to be confused with ircseek.com, irseek.com, the IRC search engine, has been forced to temporarily shut up shop after a few complaints that it had bots screenscraping channels for content without any permission. There is also an element of finding user information on these sites, so they could be storing more information than they should. Makeyougohmm discusses this further, but to summarise:

  • Is irseek creating a knowledge base, or are they becoming the peeping toms of IRC channels without the permission of the people chatting?
  • How are they maintaining the privacy of the users when their entire conversations are being logged?
  • Taking without permission on the web is bad netiquette. It’s like screenscraping or hotlinking without permission. There is a lot of great information on IRC and that’s what there is to love about IRC, but there are also some semi-private conversations that people in niche groups have, even out in the open “public” channels.
  • A channel op and IRC server administrator wouldn’t feel comfortable logging every word in the public channels and making it searchable without notifying the people in the channels, the second they joined, that this was happening.

Community rules over Facebook

In recent weeks, Facebook has implemented an ad system called Beacon which upset a number of its users. Well, these protests have forced a change. The Guardian gives a better description of the situation:

Facebook has made a U-turn over its controversial new advertising system Beacon after protests by users.
The system, called Beacon, allows other websites to tell your friends and family about some of your activities elsewhere on the internet – for example revealing that you have bought a particular DVD. In return for feeding the information back to Facebook, the other websites get a free advertisement for their services.

However, because Beacon required users actively to opt out of having their information shared with other users, rather than opt in, it was accused of spoiling thousands of people’s Christmas surprises and – perhaps more importantly - damaging their privacy.

A group on the website calling itself “Facebook: Stop Invading My Privacy” has grown to more than 50,000 members, and several other organisations including political activism site MoveOn.org have protested about the new system.

After a week of pressure, the Silicon Valley company last night released a statement saying that it would be changing Beacon so that users would not have their information about their activities published automatically.

“We appreciate feedback from all Facebook users and made some changes to Beacon in the past day,” the company said. “Users now have more control over the stories that get published to their Mini-Feed and potentially to their friends’ News Feeds.”

However, the company did not apologise and it is still impossible for Facebook users to opt out of Beacon entirely.

The furore was reminiscent of privacy protests when Facebook first adopted its News Feed, the automatically generated, potted list of updates from your friends on the social network. Thousands argued that the system invaded their privacy, but user pressure relented after the company made some tweaks and it has now become one of the website’s most popular features.

Spam Tactics

As seen in The Register, spammers have been using the rarely used “I’m Feeling Lucky, punk” button and the idea of googlewhacking (popularised by Dave Gorman) for this Google attack vector.

The trick worked because a spammer had managed to make a search query that was specific to their website, using an advanced Google search combining the “inurl” and “intext” operators. Next comes the clever part: spammers simulate a user click on Google’s seldom-used “I’m Feeling Lucky” button, so that surfers are taken directly to the first result that comes up for the entered search query. As the spammer has designed the query to yield only one result - that of the spamvertised site - surfers are taken directly to a junk-mail-promoted site after selecting what looks like a search result entry.
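The tell in that trick is that the victim never sees a results page: the link already carries the “I’m Feeling Lucky” button state, so Google redirects straight to the single hit. The detector below is an added example (not from the original post or The Register) that pulls URLs out of a mail body or log line and flags Google search links that carry the button parameter, rating them higher when the query also uses pinning operators such as inurl: and intext:. It assumes the button submits as a `btnI` query parameter (known from Google’s search form, not stated on this page); the sample email is constructed.

```python
"""Spot Google "I'm Feeling Lucky" redirect links in mail bodies or proxy logs.

Added example, not code from the post or The Register. Assumes the Lucky
button is carried as a `btnI` query parameter (from Google's search form;
the page itself does not name it). SAMPLE_EMAIL below is constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Tight host match: "google.evil.example" must NOT look like Google to the filter.
GOOGLE_HOST_RE = re.compile(r"(www\.)?google\.(com|com\.[a-z]{2}|co\.[a-z]{2}|[a-z]{2})")
# Operators a spammer uses to make the query match only their own page.
ADVANCED_OPS = ("inurl:", "intext:", "intitle:", "site:")


def classify_url(url):
    """Return a record if `url` is a Lucky redirect (btnI set), else None."""
    p = urlparse(url)
    if not GOOGLE_HOST_RE.fullmatch(p.hostname or "") or p.path != "/search":
        return None
    qs = parse_qs(p.query)
    if "btnI" not in qs:
        return None  # ordinary results page: the user still chooses a hit
    query = qs.get("q", [""])[0]
    ops = [op for op in ADVANCED_OPS if op in query.lower()]
    return {
        "url": url,
        "query": query,
        "operators": ops,
        # A pinned query plus an automatic redirect is the pattern described above.
        "risk": "high" if ops else "medium",
    }


def find_lucky_redirects(text):
    """Scan free text and return one record per redirect link found."""
    return [c for c in (classify_url(u) for u in URL_RE.findall(text)) if c]


# Constructed sample: one spam redirect, one normal search link, one unrelated link.
SAMPLE_EMAIL = """\
Subject: Your prize is waiting
Claim it here: http://www.google.com/search?q=inurl%3Apromo-xyz+intext%3A%22super+deal%22&btnI=1
Docs: https://www.google.com/search?q=python+docs
Home: https://example.org/
"""

if __name__ == "__main__":
    for hit in find_lucky_redirects(SAMPLE_EMAIL):
        print(hit["risk"], hit["operators"], hit["query"])
```

Because the redirect target is whatever Google ranks first for that query at click time, a filter cannot resolve it statically; flagging the `btnI` form of the link (or rewriting it to the plain results page so the user sees what they are clicking) is the practical control.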

Always be careful of the opposite sex, especially online: there’s a virtual stripper floating about which is really a trojan, and it gets its victims to solve Yahoo CAPTCHAs on the spammers’ behalf.

Spammers have come up with a sleazy - but undoubtedly ingenious - way to defeat anti-spam security checks. The Captcha Trojan disguises itself as a stripper game that offers voyeurs the chance to see images of a model getting undressed. In order to get “Melissa” to lose an item of clothing, the user must identify the letters or numbers found within a scrambled text image that forms the basis of a captcha (Completely Automated Public Turing test to tell Computers and Humans Apart). Providing users identify the letters correctly, Melissa shows a bit more skin.

vishing and phishing together (more VoIP)

I like this combo attack of vishing and phishing…

Cloudmark reports that would-be fraudsters are taking advantage of VoIP systems to develop more convincing attacks. One recent email scam, for example, poses as a notification from a recipient’s bank requesting that they ring customer services to deal with a problem.
“If the recipient makes the call, it gets routed to a cheap VoIP answering system, which may have been set-up on a compromised host,” explained Neil Cook, UK technology chief at Cloudmark. “The system captures the user ID and pincode to sell on to the highest bidder, who then has full access to your account. All the while the call seems very genuine. The reassurance of speaking to an individual rather than working online will lead to many instances of consumers falling foul to such threats.”

Going back to bits and bobs relating to VoIP: VoIP spam isn’t new at all; it dates back to 2004. Take Network World:

“While acknowledging that VoIP spam isn’t yet creating the headaches that traditional e-mail spam has, Qovia plans to develop a tool that blocks unwanted voice mail messages so when spammers begin blasting IP networks with multiple copies of a voice recording, administrators will be able to defend their users’ voice mailboxes, says Richard Tworek, CEO of Qovia. In late June the company filed a patent application for a method of detecting and blocking VoIP spam, and plans to release a tool to implement that technology by year-end.”

This raises the question: isn’t the tool working properly? Or is it really a closed shop? Or have VoIP spam attacks evolved?
More recently, I love the irony that one of the co-authors of SIP was V-hacked!

“According to a report in the Guardian, hackers are increasingly targeting VoIP services, such as Skype, with SPam over Internet Telephony (spit) attacks. Ironically, hackers have attacked the VoIP system at Columbia University, where Henning Schulzrinne is professor of computer science. Professor Schulzrinne was the co-author of the protocol that VoIP runs on - session initiation protocol (SIP). SIP is used by most VoIP services, with the notable exception of Skype. The attack left unsolicited marketing messages on multiple phone extensions at the university. Professor Schulzrinne supports the view that VoIP is becoming a major target for spammers, especially with filters becoming more effective at blocking email spam.”
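Both pieces above describe the same pattern: one recording blasted into many mailboxes (“multiple copies of a voice recording” in the Network World piece, “unsolicited marketing messages on multiple phone extensions” at Columbia). The detector below is an added example of one way to catch that, not Qovia’s patented method or anything Columbia runs: it fingerprints each deposited recording and drops it once the same recording has landed in a threshold number of distinct mailboxes inside a time window. It is keyed on the audio rather than the caller because a SIP From: header is trivially spoofed. The call records and audio bytes are constructed; a real filter would use an acoustic hash rather than an exact digest so that re-encoding the clip does not evade it.

```python
"""Duplicate-recording SPIT (spam over internet telephony) detector.

Added example, not Qovia's tool or Columbia's defences. All call records and
audio payloads below are constructed.
"""
import hashlib
from collections import defaultdict, deque


class SpitDetector:
    """Drop a recording once it has been deposited in `threshold` distinct mailboxes
    within `window_seconds`, and remember it so later copies are dropped outright."""

    def __init__(self, threshold=5, window_seconds=600):
        self.threshold = threshold
        self.window = window_seconds
        self._deposits = defaultdict(deque)  # fingerprint -> deque[(ts, callee, caller)]
        self.blocked = set()

    @staticmethod
    def fingerprint(audio: bytes) -> str:
        # Exact digest catches byte-identical replays. Production systems use a
        # perceptual/acoustic hash so a re-encoded or slightly padded clip still matches.
        return hashlib.sha256(audio).hexdigest()

    def observe(self, ts: float, caller: str, callee: str, audio: bytes) -> bool:
        """Record one voicemail deposit; return True if it should be dropped.

        Keyed on content, not on `caller`: From: headers are spoofable, so a
        per-caller rate limit alone is easy to evade. `caller` is kept for reporting.
        """
        fp = self.fingerprint(audio)
        if fp in self.blocked:
            return True
        q = self._deposits[fp]
        q.append((ts, callee, caller))
        while q and ts - q[0][0] > self.window:  # forget deposits outside the window
            q.popleft()
        if len({callee for _, callee, _ in q}) >= self.threshold:
            self.blocked.add(fp)
            q.pop()  # this copy is dropped, so it is not a delivered one
            return True
        return False

    def mailboxes_hit(self, audio: bytes):
        """Mailboxes that already accepted this recording, so an admin can purge them."""
        return sorted({callee for _, callee, _ in self._deposits[self.fingerprint(audio)]})


# Constructed stand-ins for WAV payloads.
SPAM_CLIP = b"RIFF\x00\x00\x00\x00WAVEfmt (recorded marketing pitch, constructed)"
LEGIT_CLIP = b"RIFF\x00\x00\x00\x00WAVEfmt ('hi, call me back', constructed)"


def run_demo():
    """Same clip to eight extensions seven seconds apart, then one genuine message."""
    det = SpitDetector(threshold=5, window_seconds=600)
    spam = [
        det.observe(1000 + i * 7, "sip:promo@203.0.113.5", f"sip:{1001 + i}@univ.example", SPAM_CLIP)
        for i in range(8)
    ]
    legit = det.observe(1100, "sip:alice@univ.example", "sip:2001@univ.example", LEGIT_CLIP)
    return spam, legit, det.mailboxes_hit(SPAM_CLIP)


if __name__ == "__main__":
    print(run_demo())
```

The first four copies are accepted before the threshold trips, which is why `mailboxes_hit` exists: the operator still has to clean those mailboxes after the fact. Lowering the threshold shortens that exposure at the cost of catching a legitimate all-staff voice broadcast, which is the trade-off any such tool has to expose as configuration.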

Check out Sipera’s vulnerability links for more articles about VoIP.

Password cracking… Hollywood style!

I was watching a good movie last night called ‘Along Came a Spider’ starring Morgan Freeman (Alex Cross). Two things I didn’t like about the movie though. Firstly, it didn’t stay true to the novel at all. In fact, the novel actually appears to be more interesting. Secondly, and the point of this post, there is a scene where Alex Cross is looking for clues at the house of an agent he had been working closely with. Naturally, he is greeted with a login prompt and only has to guess the password. Of course, he works it out in about one minute (due to it being a 104-minute movie). He works out that the password relates to the agent’s dad and some poker game, and the password is ‘Aces&Eights’. Yes, the characters are seen on screen as he types it and not obscured with asterisks. LAME!

Similarly in ‘Batman & Robin’, there is a scene where Alicia Silverstone (Batgirl) finds out her identity when she hacks into a computer. Surprisingly, it takes her just three attempts to do this, but the password relates to her dying uncle, if I remember correctly. That scene is particularly memorable because when she hacks in, she gets a repeated ‘Access granted’ response. No computer ever does that!

Lessons learned? Never believe a Hollywood movie! Never choose a password that anyone is going to be able to guess. Seriously! So keep it random but memorable. On reflection, having a password that only someone you trust would be able to guess doesn’t sound that bad… well, in an ideal Hollywood movie, it doesn’t!
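The movies are only half wrong: the guess itself takes a minute because the attacker is not brute-forcing the whole keyspace, just the handful of things they know about the victim. The script below is an added example (not from the post or either film) of that targeted guessing. It takes the hints the detective had (dad, poker, aces, eights), applies a few mangling rules I chose for illustration (case variants, joiners, common suffixes), and checks each guess against a hash of the password. The password hashes are constructed here with unsalted SHA-256 as a stand-in for whatever a real system stores, and the random passphrase it fails on is made up. The 7776-word figure is the size of a diceware-style wordlist, used only to show what “random but memorable” buys you.

```python
"""Targeted password guessing from personal hints, versus a random passphrase.

Added example, not from the post or the films. Mangling rules, suffixes and
both target passwords are constructed for illustration.
"""
import hashlib
import itertools
import math


def hash_password(pw):
    # Unsalted SHA-256 stands in for the target's real store. A slow, salted KDF
    # raises the cost of each guess but does not enlarge the guess space, which is
    # the whole point here.
    return hashlib.sha256(pw.encode()).hexdigest()


def candidates(tokens, joiners=("", "&", "_", "-", "and"),
               suffixes=("", "1", "123", "!", "2007")):
    """Yield guesses built from things an attacker already knows about the victim."""
    forms = sorted({f for t in tokens for f in (t.lower(), t.capitalize(), t.upper())})
    for a in forms:                      # single tokens with common suffixes
        for s in suffixes:
            yield a + s
    for a, b in itertools.permutations(forms, 2):   # two tokens glued together
        for j in joiners:
            for s in suffixes:
                yield a + j + b + s


def crack(target_hash, tokens, limit=100_000):
    """Return (guess, attempts) on success, (None, attempts) when the list runs out."""
    attempts = 0
    for attempts, guess in enumerate(candidates(tokens), start=1):
        if hash_password(guess) == target_hash:
            return guess, attempts
        if attempts >= limit:
            break
    return None, attempts


def passphrase_bits(wordlist_size, n_words):
    """Entropy of n words drawn uniformly at random from a list of that size."""
    return n_words * math.log2(wordlist_size)


# Constructed: the hints the detective had in the film.
HINTS = ["aces", "eights", "poker", "dad"]


def run_demo():
    hollywood = crack(hash_password("Aces&Eights"), HINTS)
    random_phrase = crack(hash_password("lunar-otter-velvet-nine"), HINTS)  # constructed
    return hollywood, random_phrase, round(passphrase_bits(7776, 4), 1)


if __name__ == "__main__":
    (guess, n), (miss, total), bits = run_demo()
    print(f"found {guess!r} after {n} guesses; random phrase not found in {total}; "
          f"4 diceware words = {bits} bits")
```

The hint-derived list is a few thousand guesses, so ‘Aces&Eights’ falls in well under a second even against a slow hash; four words picked at random from a 7776-word list give about 52 bits, which no biographical wordlist reaches. That is the gap between “memorable” and “guessable”.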

Can you think of any other movies with dodgy password cracking practices or general computer weirdness? Please comment if you do!

Please note, this post was not an excuse to mention the lovely Alicia Silverstone nor was it an attempt to make this site popular by mentioning any Alicia Silverstone sites.

;)
