An excellent example of using HTTP status codes to determine what other sites a web user is currently logged in to. This would be useful in many environments – say, adding a “Check out our Facebook Page!” link to a corporate home page after determining that the user is currently logged into their own Facebook account.
In-App Purchases on Android
January 26, 2011
Google has announced that they are adding the capability for purchases from inside of an application to the Android operating system. For example, if a video game company wants to sell additional content to players, that will be doable from inside of the game itself rather than some kludgey additional app download.
I can’t wait to see what the scammers come up with to exploit this idea.
Student Intellectual Property
January 26, 2011
It’s a given in the world of research universities that the school is at least a partial owner of new patents or products created by its faculty. But with students creating more and more “apps” for platforms like iOS and Android, and with those apps often being worth big money, policies on university ownership of student creations are getting more attention.
From the article:
Missouri relented in Brown’s case. It also wrote rules explicitly giving student inventors the legal right to their unique ideas developed under specific circumstances. If the invention came from a school contest, extracurricular club or individual initiative, the university keeps its hands off. If the student invention came about under a professor’s supervision, using school resources or grant money, then the university can assert an ownership right – just as it does for faculty researchers.
This is an important trend that needs to be watched – in your organization, are there policies governing what intellectual property rights belong to the company for work performed by employees? If one of your call center workers invents The Next Big Thing while taking a support call, what happens?
If you haven’t thought about this yet, it’s probably time. Writing policies as they are needed is never a good idea.
File Transfer Via DNS Query
January 25, 2011
The always-resourceful Johannes Ullrich has posted an excellent step-by-step tutorial on the Internet Storm Center outlining a method for performing file transfers using DNS queries and tools built into a typical Linux installation (specifically, xxd and dig).
If you start seeing lots of hexadecimal A record queries showing up in your named.log — you might have a problem.
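As an added example (not from the ISC tutorial or this post), here is a small detector that reads BIND-style query-log lines and flags clients that send many A-record queries whose leading labels are long runs of hex digits, the pattern that xxd-plus-dig transfers leave behind. The exact named.log line layout, the 16-character label length and the query threshold are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed BIND-style query log layout (real named.log formats vary by version), e.g.:
#   26-Jan-2011 09:12:01.000 client 192.0.2.10#40123: query: www.example.com IN A + (192.0.2.1)
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LABEL_LEN = 16  # assumed: hex-only labels this long are rarely real hostnames

def hex_data_labels(qname):
    """Return the leading labels of qname that look like hex-encoded payload chunks."""
    labels = qname.rstrip(".").split(".")
    data = []
    for label in labels:
        if HEX_LABEL_RE.match(label) and len(label) >= MIN_HEX_LABEL_LEN:
            data.append(label)
        else:
            break
    # Require at least one data label followed by a zone of two or more labels.
    if not data or len(labels) - len(data) < 2:
        return []
    return data

def flag_hex_queries(log_lines, threshold=5):
    """Count hex-looking A queries per (client, zone) and return groups at or above threshold."""
    counts, payload = Counter(), Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") != "A":
            continue
        data = hex_data_labels(m.group("qname"))
        if not data:
            continue
        zone = ".".join(m.group("qname").rstrip(".").split(".")[len(data):])
        key = (m.group("client"), zone)
        counts[key] += 1
        payload[key] += sum(len(l) // 2 for l in data)  # each hex pair carries one byte
    return {k: {"queries": n, "approx_bytes": payload[k]} for k, n in counts.items() if n >= threshold}

# Constructed sample log: six 32-hex-char chunk queries from one client, plus ordinary lookups.
_HEX = ["26-Jan-2011 09:12:%02d.000 client 192.0.2.10#40123: query: %032x.exfil.example.com IN A + (192.0.2.1)" % (i, 0x48656c6c6f + i) for i in range(6)]
SAMPLE_LOG = _HEX + [
    "26-Jan-2011 09:12:07.000 client 192.0.2.11#51000: query: www.example.com IN A + (192.0.2.1)",
    "26-Jan-2011 09:12:08.000 client 192.0.2.11#51001: query: beef.example.com IN A + (192.0.2.1)",
    "26-Jan-2011 09:12:09.000 client 192.0.2.12#51002: query: %032x.exfil.example.com IN TXT + (192.0.2.1)" % 0x48656c6c6f,
]

if __name__ == "__main__":
    print(flag_hex_queries(SAMPLE_LOG))
```

The approximate byte count per client and zone gives a rough idea of how much data left the network through the resolver, which is more useful for triage than the raw query count alone.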
Domain Blocking 2010
January 25, 2011
OpenDNS has released a report [warning: PDF file] on the white- and blacklisting of domains in 2010. Interestingly, Facebook was the single most commonly blocked site – but it was also the second most commonly whitelisted site. This means that networks that disallowed social networking sites in general were still likely to make an exception for Facebook, likely owing to its popularity as a legitimate marketing tool.
Apparently the bad guys were also aware of this. The report indicates that Facebook is the second most commonly spoofed site for phishing attacks, behind only Paypal.
iPhone NFC
January 25, 2011
Apple is planning on introducing NFC, or “Near Field Communications”, in the next generation of iDevices. This means that users will be able to pay for purchases at NFC-compliant kiosks using their smartphone as an authentication token.
It will be interesting to see how Apple secures this functionality; I would hope that there is some sort of PIN or other unlocking required. Otherwise, losing a phone would be equivalent to losing a phone and a credit card. In fact, since NFC payment is generally a direct bank account debit rather than a credit transaction, it would be even worse.
AOL Profits On Ignorance
January 24, 2011
Apparently, something like 60% of AOL’s profits are coming from customer ignorance. About 80% of their income is from subscription fees, and 75% of those subscribers have cable or other broadband connections – meaning, essentially, they’re paying AOL for nothing but an @aol.com email address and a backup dialup account, presuming their computer has a modem.
That’s an interesting business model. But I don’t think it’s all that unusual – I can’t tell you how many times I’ve heard of things like maintenance or support contracts being paid for years after the specified hardware or software was taken out of service. If you’re in charge of that sort of thing at your business, it might be smart to take an audit of everything that’s still being billed and make sure that it’s still relevant.
Credit Union Breach
January 24, 2011
The Pentagon Federal Credit Union, the third-largest credit union in America, has suffered a security breach exposing the personal data of an unknown number of members. Their explanation is malware brought in on an infected laptop.
There was a time when you could depend on a firewall to protect your network, when data and work would stay in one place and something like this couldn’t happen. There was also a time when a city had a huge wall around it, with one or two gates. Now people have locks on their individual houses, but apparently, the computing world hasn’t caught up yet.
Resume of a Trojan Horse
January 24, 2011
The Internet Crime Complaint Center has a cautionary tale for prospective employers. An email attachment on a response to an online job posting was actually a Trojan Horse program, used to steal the financial credentials of the hiring company and defraud them of over a hundred thousand dollars.
It might be wise to have a dedicated machine or VM for handling untrusted attachments like that; at the very least, make sure that your antivirus software is up-to-date and use it to explicitly scan unknown attachments before opening.