Saturday, December 31, 2011

Anonymous targets military-gear site in latest holiday hack.

On Christmas Day the target was security think tank Strategic Forecasting, or Stratfor. This time it was SpecialForces.com, a Web site that sells military gear. 

"Continuing the week long celebration of wreaking utter havoc on global financial systems, militaries, and governments, we are announcing our next target: the online piggie supply store SpecialForces.com," the group wrote in a Pastebin posting today. 

The hackers said they breached the SpecialForces.com site months ago, but only just got around to posting the customer data. Even though the site's data was encrypted, they claim to have 14,000 passwords and details for 8,000 credit cards belonging to Special Forces Gear customers. 

Special Forces Gear founder Dave Thomas confirmed that his company's Web servers were compromised by Anonymous in late August, resulting in a security breach that allowed the hackers to obtain customer usernames, passwords, and possibly encrypted credit card information in some cases. "We have no evidence of any further security breaches, and we believe that the recent Stratfor incident is being used to bring this old news back into the spotlight," he noted.


Thomas added that the compromised passwords were from a backup of a previous version of the Web site that is more than a year old. "Most of the credit card numbers are expired, and we don't have evidence of any credit card misuse at this time," he wrote. "The current Web site does not store customer passwords or credit card information."

After the security breach, "we completely rebuilt our Web site and hired third-party consultants to help us shore up Web site security," he said, adding that the vast majority of the site's sales are custom t-shirts and related gifts, and that the company donates a portion of its profits to charity.


Identity Finder, a New York-based data loss and identity theft prevention service, determined that files posted to date by Anonymous and its AntiSec offshoot related to this breach include 7,277 unique credit card numbers; 68,830 e-mail addresses (of which 40,854 are unique); and 36,368 plain-text usernames and passwords, some of which might be duplicates.

In the statement issued today, the hackers also took another shot at Stratfor for its alleged confusion over whether its data had been encrypted or not.

How Mark Zuckerberg Hacked Into Rival ConnectU In 2004.

This is the story of how, in the summer of 2004, Mark Zuckerberg hacked into a Facebook rival called ConnectU, whose founders had accused him of stealing their idea to build Facebook.  The details of this story were developed from a broader investigation of the origins of Facebook.  The investigation included interviews with more than a dozen sources over two years, as well as what we believe to be relevant IMs and emails from the period.

During the summer of 2004, Mark Zuckerberg's new social network theFacebook.com was already wildly popular.

After Mark launched it in February, the site dominated the conversation at Harvard all spring.  It reached 250,000 users by the end of August and a million users that fall.

TheFacebook.com was so popular that one thing Mark probably never needed to worry about was competition from the other social network launched at Harvard in 2004, ConnectU, whose founders had accused him of stealing their idea.

ConnectU's founders -- Cameron Winklevoss, Tyler Winklevoss, and Divya Narendra -- had launched the site that spring at 15 schools. But it never gained anywhere close to the critical mass of user adoption that Facebook did. Today, 400 million people visit Facebook each month while ConnectU exists only in the Internet archives.

Nevertheless, during 2004, Mark Zuckerberg still appeared to be obsessed with ConnectU. Specifically, he appears to have hacked into ConnectU's site and made changes to multiple user profiles, including Cameron Winklevoss's.

At one point, Mark appears to have exploited a flaw in ConnectU's account verification process to create a fake Cameron Winklevoss account with a fake Harvard.edu email address.

In this new, fake profile, he listed Cameron's height as 7'4", his hair color as "Ayran Blond," and his eye color as "Sky Blue." He listed Cameron's "language" as "WASP-y."

Next, Mark appears to have logged into the accounts of some ConnectU users and changed their privacy settings to invisible.  The idea here was apparently to make it harder for people to find friends on ConnectU, thus reducing its utility.   Eventually, Mark appears to have gone a step further, deactivating about 20 ConnectU accounts entirely.

Mark appeared to be worried about the risk of his actions, but reasoned that ConnectU's developers wouldn't notice a succession of account deactivations coming from the same IP address. He took comfort that Apache logs didn't reveal that type of activity either. Mark also figured that if ConnectU developers did notice anything, their most natural conclusion would be to think that someone had emailed people convincing them to deactivate their accounts.

It is not clear how Mark accessed these accounts. (In an earlier hack of the email accounts of two Harvard Crimson editors, he used login information stored in Facebook's servers.)  It does appear that he retained access to ConnectU's servers for quite some time.

Hacker who bypassed Facebook security pleads guilty.

A British student has pleaded guilty to charges that he breached security at Facebook earlier this year, despite arguing that his intentions were not malicious.


York computer science student Glenn Steven Mangham, 26, attempted to bypass security on the company's internal systems, raising alarm amongst the FBI that industrial espionage was occurring, according to media reports.

Mangham, who had previously been rewarded by Yahoo for finding vulnerabilities in its systems, discovered that Facebook was far from amused by his activities.

The social networking giant discovered evidence that pointed back to Mangham and he was arrested by the Metropolitan Police Central e-Crime Unit (PCeU) in June.

Specifically, Mangham was accused of using a computer program to secure unauthorized access to Facebook, of attempting to hack into Facebook's Mailman server (used to run internal and external email lists), and attempting to secure access to the Facebook Phabricator server used by internal developers.

Southwark Crown Court was told Mangham produced software scripts that could hack into Facebook's Phabricator server to download "highly sensitive intellectual property".

In addition, the student was said to have breached a webserver used by Facebook to set software development puzzles to programmers who might be interested in working for the company.

Mangham's defence team has argued that he was an "ethical" or "white-hat" hacker, whose intentions - rather than being malicious - were to uncover security vulnerabilities at Facebook with the intention of getting them fixed.


Facebook users will be relieved to hear that the social network told BBC News that the attack "did not involve an attempt to compromise or access user data."

Monday, May 23, 2011

Sony takes sites down after log-in exploit found

The sign-in for PlayStation Network on the Web was out of service this morning.
Just days after most services for PlayStation Network were brought back online, it appears a new exploit has been discovered that allows hackers to change users' passwords with the data stolen during the break-in to the service last month.
The Web sites that allow PSN users to sign in and reset their passwords have since been taken offline, as the graphic above from PlayStation.com shows. This problem reportedly does not affect the ability to sign in via a PlayStation 3 or PlayStation Portable, just some Sony Web sites.
The report comes from gaming blog Nyleveia, which posted a warning to PSN users that their passwords might not be safe and contacted Sony about it.
Another blog, Eurogamer, says it confirmed the exploit, which allows someone to reset your password by knowing your e-mail address used for the account and date of birth. That information is known to be among the data belonging to 100 million users of Sony's gaming services that was exposed between April 17 and 19 in the second-largest security breach in U.S. history.
Eurogamer says users that changed the e-mail address connected to the PSN account after PSN was restored this weekend should not be at risk.
Yesterday, speaking to a handful of reporters, Sony CEO Howard Stringer admitted that while the company had rebuilt the security for PSN during the three weeks it was unavailable, no system could be guaranteed "100 percent secure."
Update 11:12 a.m. PT: Sony spokesman Patrick Seybold wrote today in a blog post that Sony "temporarily took down the PSN and Qriocity password and reset page." There was "no hack," he emphasized, but a "URL exploit that we have subsequently fixed."
At the time of this update, PlayStation.com and Qriocity.com log-in pages were still inaccessible.

Friday, May 20, 2011

Relive the Early Days of the Internet at Telehack



Once upon a time, before the age of HTML, the internet looked like a command prompt and a world of text. Telehack is a simulation site that recreates the early internet experience.
How exactly does it recreate the experience? From the Telehack FAQ file:
Telehack is a simulation of a stylized arpanet/usenet, circa 1985-1990. It is a full multi-user simulation, including 25,000 hosts and BBS's of the early net, thousands of files from the era, a collection of adventure and IF games, a working BASIC interpreter with a library of programs to run, simulated historical users, and more.
It's a well-fleshed-out project that allows you to use commands, load games, navigate the network, interact with real users (currently logged in) and see significant historical users (simulated for posterity). You can access the project either via the web interface or by firing up an actual telnet client and connecting in the old-fashioned way. Hit up the link below to access the web portal and type telehack.txt at the prompt to read more about the project.

Sunday, May 15, 2011

Add Copy To / Move To to the Windows Explorer Right Click Menu

A hidden functionality in Windows allows you to right click on a file, select Copy To Folder or Move To Folder, and the move to box will pop up and let you choose a location to either copy or move the file or folder to.

Here’s the quick registry hack to get this working. As usual, back up your registry just in case. You will want to browse down to this key:
HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers
Once you are at that key, right-click, choose the New > Key option, and name the new key Copy To:

Now you will double-click on the (Default) value and enter the following:
{C2FBB630-2971-11D1-A18C-00C04FD75D13}
Click OK and continue.

If you want to enable Move To, you will repeat the same steps, except creating a new key named Move To, and using this value:
{C2FBB631-2971-11D1-A18C-00C04FD75D13}
Now when you right click on a file or folder, you should see the following options:

Let’s click Copy To Folder just to see what happens….

And that’s it. Useful!

Play Angry Birds in Your Favorite Browser (Web App, Website, and a Game Hack)

Are you ready to indulge in all of that Angry Birds goodness with your favorite browser? Then we have just what you need with information about the web app for Chromium-based browsers, accessing the game via website using your favorite browser, and a quick hack to unlock all of the levels.
First we will start off with the app for Chromium-based browsers. While this is little more than a link to the official website it can be nice to have if you like keeping everything neat and organized in your Apps Tab.

Decided that you want to play Angry Birds in Firefox, Opera, or another browser? Then you can visit the website directly and play the game there! You can choose between the Standard and HD versions as desired…


Want to unlock (or relock) all of the levels when playing Angry Birds in your favorite browser? Then use the following bits of code by pasting them into the Address Bar while the game is open and hit Enter.
Unlock the Levels
javascript: var i = 0; while (i <= 69) { localStorage.setItem('level_star_' + i, '3'); i++; } window.location.reload();
Lock the Levels
javascript: var i = 0; while (i <= 69) { localStorage.setItem('level_star_' + i, '-1'); i++; } window.location.reload();



Thursday, May 12, 2011

Don't fall for 'First Exposure: iPhone 5' Facebook scam

Facebook users are being duped into unwittingly spreading spam by clicking on what looks like a link to news entitled "First Exposure: iPhone 5."
A version of the scam, exploiting people's interest in the next-generation iPhone, went around Facebook earlier this month, and it's back today with minor changes.
The scam starts when you see someone in your social network comment on a link in a post that looks like it leads to a news story about the iPhone 5 at a Web address of "greatlakesnews.info." Clicking on the link takes you to a different Web page, which provides a captcha window where you're asked to verify a word, ostensibly to prove that you are not an automated bot.
If you see this post on Facebook, don't click on it.
Once you click to verify, a message is posted to your Facebook stream notifying all your friends that you commented on the item and providing them with the bogus iPhone 5 link, in a type of attack known as "clickjacking." Then you're asked to choose from a list of items that then lead to a survey which is really marketing, according to this M86 post.
Clickjacking can be a problem on any Web site, but social networks are particularly susceptible because people share so many links. Facebook's advice to not click on strange links even if they are from friends would cut out many of the legitimate links people share on Facebook.
It's a good idea to try to avoid getting news from sources that aren't known news sites. But a big red flag is the captcha window--legitimate sites don't typically make you prove you're human to read a news item.

Wednesday, May 11, 2011

Yankees' error leaks personal data on 21,000 fans


A sales rep for the New York Yankees accidentally e-mailed a spreadsheet containing names, addresses, phone numbers, e-mail addresses, and seat numbers of more than 21,000 season ticket holders to thousands of clients, according to blog site Deadspin.
"There are no credit card numbers, but there are account ID numbers. And on Yankees.com, licensees need only their account ID number and password to access their accounts," the report said yesterday. "With the spreadsheet, we have all the account IDs and can probably guess more than a few passwords via spouse's names, street names, and good old 'abc123.' At the very least, the list's e-mail addresses are valuable to spammers."
Later, the Yankees sent an e-mail to season ticket subscribers confirming that a rep had inadvertently included an attachment with ticket holder information to an e-mail that was sent on Monday.
"Please note, immediately upon learning of the accidental attachment of the internal spreadsheet, remedial measures were undertaken so as to assure that a similar incident could not happen again," the e-mail said. "The Yankees deeply regret this incident, and any inconvenience that it might cause."
The mistake puts affected fans at risk of phishing attacks and people should be wary of e-mails or phone calls from people claiming to be affiliated with the Yankees and asking for sensitive information.
The data leak contrasts with other recent breaches that are attributed to hacking attacks or unauthorized access. Sony warned this week of a serious breach on the Sony PlayStation Network that puts data of as many as 77 million customers at risk and potentially includes credit card numbers. Earlier this month, dozens of big-name financial companies and retailers were forced to warn customers about the potential for phishing attacks after a breach at e-mail marketing provider Epsilon. And DSLReports.com also had e-mail addresses stolen in an attack on its site this week.

Microsoft plugs critical hole in Windows


Microsoft today fixed a critical hole in Windows and two less serious holes in Office in one of the lightest Patch Tuesdays in recent history.
The critical bulletin, MS11-035, fixes a vulnerability in the Windows Internet Name Service (WINS) that "could allow remote code execution if a user received specially crafted malware on an affected system running the WINS service," according to the bulletin advisory. It affects Windows Server 2003 and 2008.
WINS is not installed on the affected operating system software by default, so only customers who manually install it are affected and will be offered the update, Microsoft said.
"Microsoft is downplaying the bug, but there is potential here for remote code execution," and thus total control of the computer, said Andrew Storms, director of security operations at nCircle. "WINS is a network-aware application that does not require authentication, and many enterprises require WINS on their networks. Taken together, these factors mean that a lot of enterprises will find their internal network servers vulnerable to a remote code bug. Initially, most attackers will probably only trigger a DoS (denial-of-service) event, but finding the remote code exploit won't be far behind."
The second bulletin, MS11-036, fixes two vulnerabilities in Microsoft PowerPoint that could allow remote code execution if a user opens a malicious PowerPoint file. The vulnerabilities affect Office XP, Office 2003, Office 2007, Office 2004 for Mac, and Office 2008 for Mac.
Microsoft also changed its Exploitability Index, the guide it uses to provide customers information on how likely a vulnerability is of being exploited. The company will be publishing two ratings per vulnerability, one for the most recent platform and a second as an aggregate rating for all older versions of the software.
Patch Tuesday has been fairly hectic recently, including last month, when 17 bulletins were released to fix 64 vulnerabilities.

French researchers demo attack on Chrome


French security firm Vupen said today its team has figured out a way to bypass security measures in Chrome and offers a video demo it says is a successful attack against the browser running on a Windows machine.
"We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox," the Vupen Security blog said. "The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR [Address Space Layout Randomization]/DEP [Data Execution Prevention]/Sandbox, it is silent [no crash after executing the payload], it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64)."
In the video, someone using Chrome v11.0.696.65 on Windows 7 Service Pack 1 (x64) is tricked into visiting a malicious Web page hosting the exploit. Once the machine is compromised, the exploit code downloads a Calculator program from a remote location and launches it outside the sandbox at "medium" integrity level, according to Vupen.
"While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP," the post said.
Vupen, which did not respond to an e-mail seeking comment today, said it would not publicly disclose the exploit code or technical details of the vulnerabilities but will share them with its government customers as part of its vulnerability research services.
Asked for comment, a Google spokesman said: "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome."
Chrome's sandbox technology is designed to isolate code from other parts of the computer so that if malicious code does get in, its damage is limited. Adobe has added sandbox technology to Reader.

Facebook plugs third-party access to user accounts

Tokens are like "spare keys" that Facebook users grant to applications that allow them to perform actions on their behalf or access their profile.

Facebook has plugged a hole that was inadvertently providing advertisers and other third parties access to user accounts via tokens that serve as "spare keys," Symantec said today after disclosing the problem to the social-networking company.
"Facebook was notified of this issue and has confirmed this leakage," Nishant Doshi, a senior software engineer at Symantec, wrote in a blog post. "Facebook notified us of changes on their end to prevent these tokens from getting leaked."
"We estimate that as of April 2011 close to 100,000 applications were enabling this leakage," Doshi wrote. "We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
A Facebook spokesperson told CNET that the company could not find any evidence that private user information was being shared with unauthorized third parties and that contractual obligations prohibit advertisers and developers from obtaining or sharing user information in a way that violates the site's policies.
"We have no evidence of this information being used in a way that violated our policies, but nonetheless, we take any potential issue seriously and quickly took steps to prevent this from happening with apps on Facebook," a company statement said.
User access tokens, which are akin to "spare keys," allow applications to perform certain actions on behalf of the user or to access the user's profile, according to Doshi. Most tokens expire after a short time, but the application can request offline access tokens, which allow them access until the user changes the password, even when the user is not logged in, according to his post.
The leak was happening when an application used a legacy Facebook application programming interface with older authentication schemes, instead of the new OAuth 2.0 data sharing protocol, Doshi said. (Google began supporting OAuth in mid-2008.) If certain parameters were used in the coding, the tokens would be sent in a URL to the application host, and from there could be leaked to advertisers and analytic platforms via iFrame applications embedded in the page, he said.
It's unclear how many people are affected by this problem.
"There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007," Doshi wrote. "We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."
Facebook users can change their passwords to invalidate any leaked access tokens, effectively changing the lock on their profile, he said.
The Symantec research prompted Facebook to make some changes in its developer road map, including requiring all sites and apps to migrate to OAuth 2.0 and obtain an SSL (secure sockets layer) certificate by October 1.
"We have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure," the company said in a post on its developer blog. "This has led us to conclude that migrating to OAuth & HTTPS (Hypertext Transfer Protocol Secure) now is in the best interest of our users and developers."
Joey Tyson, a security engineer at Gemini Security Solutions who blogs about social networking at TheHarmonyGuy.com, said Facebook has been progressively improving the security of its platform and that many apps have limited permissions now. "This is a problem worth addressing, but it may not be as serious as some people are thinking it is, and it's certainly not as widely exploited as some people may fear," he said.
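The leak path Doshi describes comes down to one fact about browsers: a token that travels in the application's URL becomes part of the page location, and the page location is what a browser historically sent, in full, as the Referer header when the page loaded third-party iframes, ad scripts or analytics beacons. The Node.js snippet below is an added example, not Symantec's or Facebook's code; the app URL, the parameter list and the token value are constructed for the demo. It shows what an embedded third party would have received, a check that flags token-bearing URLs (usable over request URIs and Referer values in proxy or web-server logs), and the scrub that keeps a token out of the location before anything else loads.

```javascript
// Added example (not Symantec's or Facebook's code). Shows why a token in a
// URL leaks to embedded third parties, how to detect such URLs in logs, and
// how to scrub them. URL, parameter names and token value are constructed.

// Constructed: an app page reached with its token in the query string, as the
// legacy flow described above allowed.
const LEAKY_APP_URL =
  'https://app.example.com/canvas/?access_token=EXAMPLE_TOKEN_abc123&expires=0';

// Parameter names that should never appear in a URL third parties can see.
// access_token is the one at issue above; the others are common OAuth names.
const SENSITIVE_PARAMS = ['access_token', 'oauth_token', 'token', 'code'];

// What an ad or analytics iframe embedded in the page received as Referer under
// the historical browser default (full URL for cross-origin loads). Browsers
// strip the fragment (#...) from Referer but keep the query string.
function refererAsSeenByThirdParty(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  return u.href;
}

// Detection: list the sensitive parameters a URL carries and where they sit.
// Fragment parameters are reported too: Referer omits them, but any script
// running in the page (including embedded ones) can read window.location.hash.
function findLeakedParams(pageUrl) {
  const u = new URL(pageUrl);
  const found = [];
  const check = (params, where) => {
    for (const name of SENSITIVE_PARAMS) {
      if (params.has(name)) found.push({ name, where });
    }
  };
  check(u.searchParams, 'query');
  if (u.hash.length > 1) check(new URLSearchParams(u.hash.slice(1)), 'fragment');
  return found;
}

// Mitigation on the page: take the token out of the address before any
// subresource loads. In a browser the result would be passed to
// history.replaceState so the visible location (and thus Referer) is clean.
function scrubUrl(pageUrl) {
  const u = new URL(pageUrl);
  for (const name of SENSITIVE_PARAMS) u.searchParams.delete(name);
  u.hash = '';
  return u.href;
}

// Mitigation from the server: even if something sensitive remains in the
// location, this response header limits cross-origin Referer to the origin.
const REFERRER_POLICY_HEADER = 'Referrer-Policy: strict-origin-when-cross-origin';
```

Scrubbing the location is the in-page fix; the durable fix, and the one Facebook's road map above mandates, is not to deliver the token through the URL at all, which is what the OAuth 2.0 authorization-code flow achieves by exchanging a short-lived code for the token server-to-server.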

Google testing new search results pages?

When it comes to change, sometimes it's hard to believe in. And sometimes it's just hard to believe your eyes.
Some people have begun to notice that their Google search pages look different from those they had come to know, love, and take for granted.
Suddenly, the pages seem cleaner. Suddenly, there's more white space. And suddenly the colors are greener and the underlinings beneath each search result have disappeared.
Naturally, this has led to troubling words from troubled minds.
Some have called the potential new look "ugly." Yes, ugly.
When it comes to design, though, sometimes things just get old. Partly because you've looked at them too often and partly because the world has moved and new designs offer new ways of looking at things.




To my own eyes, the intention behind the new design is to make the pages more elegant and perhaps, therefore, to make you feel as if the results are actually more considered and accurate, rather than the morass that seems to rain down currently.
Moreover, perhaps the new design emphasizes white space because Google wants to experiment more with the placement of more challenging types of advertising--you know, the sort you might enjoy rather than merely endure.
There appear to be several versions popping up in different corners of the Web, so perhaps some of you might let me know what you have been seeing and how you have been seeing it.
Taste is always a subjective thing. But wouldn't you like just a little more elegance and breathing room on your Google search pages?

Saturday, May 7, 2011

USB puppet by Availabot




Here's a USB device from Availabot that jumps up when your buddy comes online on IM, and goes down when he/she goes offline! 

Tuesday, April 26, 2011

µTorrent 3.0 Beta Released

Finally, the long-awaited beta build of µTorrent 3.0 has been released. The client comes packed with lots of new features and updates, including ratings, faster streaming, and even portability options, which the developers say will create the best user experience yet.
BitTorrent Inc. recently announced the release of the 3.0 beta version of the client, and its new updates will please a lot of users who were waiting long for secure remote access, ratings, sharing content by drops, quicker streaming, simplified interface and even a portable mode working off a removable drive (USB).

One of the new features – torrent ratings – will allow you to rate and comment on downloads right from the client, which enhances the sense of community within µTorrent. Another one, called “drop files to send”, will let µTorrent users share files with others by dragging and dropping them with the mouse, even if the recipients are not BitTorrent users. It works by creating a link with a personalized message through which the other party can download the files even if they don’t have µTorrent installed.

More features of the beta build of µTorrent 3 include the streaming enhancements. Now the client will enable users to watch the pieces of downloaded video files much faster due to some progressive sequential download methods. Many would love this feature as it could help the users decide if they want to finish downloading films like the highly discussed “Hobo with a Shotgun” at all.

Besides, µTorrent now has a new portable mode, which will enable people to run the client directly from a removable drive such as a USB stick. In other words, you can now carry the client with you and use it to download files wherever you like.

Finally, the client has a new simplified interface. The BitTorrent Inc. team announced that they have been developing the new version of µTorrent with a focus on convenience and a more streamlined user experience. Indeed, that’s exactly what they managed to deliver. Now the user can at any moment minimize parts of the client interface for a simplified view. This is supposed not just to help newcomers focus their attention on the most important features of µTorrent, but also to let others cut out distractions and focus solely on searching for, getting and playing files.

µTorrent 3.0 beta is already available online.


http://www.utorrent.com/downloads

Sunday, April 24, 2011

ONBUX-The Best PTC site in the World

ONBUX is one of the most awesome PTC sites that I have come across. It pays for real, with a $2 minimum cashout. So far ONBUX has paid me $2, and referral packs are also very cheap. A lot of cheap upgrade packages. Do check it out, guys!!!

Register on ONBUX through this link


http://www.onbux.com/?rh=ca89e790e56f5c7bfb725b47c69bb2a7

Sunday, February 27, 2011

Football (Soccer) Customization Set

Whether you follow the game at an international level, play in a local league of your own, or just play for fun, football (soccer) is an awesome game to be involved in. Now you can bring the passion and excitement of the game straight to your desktop with our Football (Soccer) Customization set.



Icon Packs

Extract the zip folder and then use the icons.

Applying Icons

If you’d rather change all the different icons in one place, you can use the freeware IconTweaker application that gives you access to change pretty much any icon in Windows XP.
Click on the round “icons” icon on the left-hand panel, and then you can customize any of the built-in icons… just click the Change button.
And then click the Open button and pick the icon file you want to use.
There’s a lot more to this application, for instance you can use it to create a theme that you could re-apply later… or you could download icon themes and apply them.

SCREENSHOTS