Posts Tagged ‘Worm’
iPhone worm author really goes to work
Filed under: iPhone, Jailbreak/pwnage
While you have to go to quite some lengths to be vulnerable to it, jailbroken iPhones have been under fire for susceptibility to a particular type of SSH-based worm that has seen a lot of press lately. One of the developers, Ashley Towns, who helped to get the “rick” rolling, as it were, has just announced his employment at an iPhone game firm.
Sophos is reporting that he’ll be taking up shop at mogeneration, the developer responsible for such hits as Xumii [iTunes link], a cross-social networking communication app, and Moo Shake! [iTunes link], a farm-based activity game for kids. It is an interesting turn of events given that mogeneration even reported on the topic of Ashley’s now-infamous rickrolling iPhone worm.
I personally think that there is a lot of potential for coders of malware to embark on legitimate careers as developers coding for good. However, I don’t favor the thought that malware developers are essentially getting ‘rewarded’ for their dangerous work. There is nothing from mogeneration to imply that Towns was hired based on the notoriety of his SSH-based worm, but I can’t help thinking that there are other, more talented iPhone developers who have stayed below the radar by not writing malware.
I want to know what you think. Should developers of intentionally malicious software be given a clean slate and a new life? Or perhaps should they be feeling the effects of the law’s very long arms?
[via Techmeme]
iPhone worm author really goes to work originally appeared on The Unofficial Apple Weblog (TUAW) on Thu, 26 Nov 2009 15:00:00 EST.
Cartoon: The Worm Has Turned
Last week’s flurry of Twitter DM spam from hacked or phished accounts wasn’t the first instance of that and won’t be the last.
As long as people are willing to trust their Twitter log-in information to third parties – and don’t look carefully at URLs before they log into websites – and as long as a small number of bad actors want to pee in the social media swimming pool, this kind of thing will continue happening.
And it’s not just the log-in-here-and-we-will-steal-your-password.com’s of the world you have to worry about. Legitimate third-party services whose security isn’t up to snuff could be compromised, and your credentials could be stolen from them. Twitter’s use of OAuth is a big step forward… although the rash of Mobster World spam shows that that isn’t a perfect solution either.
Apparently there’s no substitute for ruthlessly and constantly policing your own feed, thoroughly investigating services before you sign up for them, double-checking the URL every time you are about to enter info into a form, and regularly purging your OAuth settings of services you no longer use.
Also, to be safe, change your password regularly… you don’t have to be obsessive about it: every three hours or so should be enough. And because erring on the side of caution is always a good idea, fake your own suicide and change your identity at least once a year.
And you thought Twitter was going to be fun? Slacker.

Toys R Us videogame ‘buy back’ program underway nationwide
Filed under: Gaming
Toys R Us videogame ‘buy back’ program underway nationwide originally appeared on Engadget on Fri, 11 Sep 2009 01:59:00 EST.
Massive Twitter Security Problem Not Resolved Just Yet
Yesterday UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field where an application developer would normally link to a product website. There are all sorts of malicious things people could have done to exploit the bug, like steal session cookies, create a Twitter worm or even infect unaware visitors with malware, so it’s safe to say this was a massive security threat.
Sure enough, when word got out Twitter moved to patch the bug to prevent such bad stuff from happening. John Adams from Twitter Operations even commented on Naylor’s blog to point out the hole had been closed shortly after he published his post.
Well, not quite.
Naylor today followed up on yesterday’s blog post with another one correctly claiming that the exploit still very much works. He proved as much by creating another dummy account on Twitter, which pops up a (harmless) dialog box when you visit the link through the website. Twitter may suspend this account soon, much like they did with the first dummy account Naylor created to make his point, so I included a screenshot of what happens when you visit that profile on top of this post.
Naylor writes:
With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets – and they are logged in to Twitter – their account could be taken over.
Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure.
In my opinion, it’s completely unacceptable that Twitter engineers never got in touch with Naylor to learn more about the exploit and adequately fix the problem, which the SEO consultant correctly calls a shame. Instead, the startup’s tech team apparently tried fixing it without really looking at the potential security issues:
Their idea of fixing it is to stop you putting spaces in the address box. Spaces. Other than that, everything else is fair game.
It’s important to note that you’re probably safe when you use any third-party client for your Twitter needs, although I’d recommend you make use of the more popular ones and stop visiting the Twitter website for the next couple of days. Whatever you do, be careful when you click links to Twitter profiles you don’t know, even when they are linked to by people you know and trust, and be on the lookout for suspicious-looking applications used to send out tweets.
We’ve contacted Twitter to let them know the security threat is still very much present. Hopefully, we’ll see an adequate fix and a statement from the startup soon.
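The post describes a stored XSS reached through an application’s website field, and a “fix” that only stopped spaces. The following is an added example, not code from Twitter, TechCrunch or Dave Naylor, showing why a character blacklist of that kind fails and what a defender would do instead: allow-list the URL scheme, reject anything that does not parse as an absolute http(s) URL, and encode the value when it is placed in an HTML attribute. Function names, the `ALLOWED_SCHEMES` set and the sample inputs are all assumptions constructed for the example; the legitimate URL uses the reserved example.com domain.

```javascript
// Added example (not from the article or any project it names): a
// space-stripping filter like the one the post describes, beside a
// scheme allow-list plus attribute encoding. Sample inputs are constructed.

// Only plain web URLs are acceptable for an application's "website" field.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The inadequate approach: remove whitespace and trust whatever remains.
// A non-http scheme or quote characters pass through untouched.
function stripSpacesOnly(input) {
  return input.replace(/\s+/g, "");
}

// Returns a normalised absolute http(s) URL, or null when the value
// should be rejected outright rather than "cleaned".
function validateAppUrl(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(input.trim()); // WHATWG parser: throws on relative/malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null; // e.g. javascript:, data:
  if (parsed.hostname === "") return null;
  // The serialiser percent-encodes characters such as " in the path,
  // so the returned string carries no raw attribute delimiters.
  return parsed.href;
}

// Encode a string for use inside a double-quoted HTML attribute or text node.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the "from <app>" attribution the way a template would: validate the
// URL first, and encode both the label and the href when emitting markup.
function renderSourceLink(appName, appUrl) {
  const safeUrl = validateAppUrl(appUrl);
  const label = encodeAttr(appName);
  if (safeUrl === null) {
    return `from <span>${label}</span>`; // rejected URL: no link at all
  }
  return `from <a href="${encodeAttr(safeUrl)}">${label}</a>`;
}

// Constructed inputs: a legitimate product page, a non-http scheme with no
// spaces (so the space filter leaves it intact), and a URL containing quotes.
const SAMPLES = [
  "https://example.com/product",
  "javascript:void(0)",
  'https://example.com/"x"',
  "not a url",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", "spaces stripped:", stripSpacesOnly(s),
    "| validated:", validateAppUrl(s));
}
```

The point the comparison makes is that validation should decide whether a value is acceptable at all, while encoding is applied at the point of output; neither step is a substitute for the other, and removing one character class does neither job.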