Monday, May 23, 2011

Sony takes sites down after log-in exploit found

The sign-in for PlayStation Network on the Web was out of service this morning.
Just days after most services for PlayStation Network were brought back online, it appears a new exploit has been discovered that allows hackers to change users' passwords with the data stolen during the break-in to the service last month.
The Web sites that allow PSN users to sign in and reset their passwords have since been taken offline, as the graphic above from PlayStation.com shows. This problem reportedly does not affect the ability to sign in via a PlayStation 3 or PlayStation Portable, just some Sony Web sites.
The report comes from gaming blog Nyleveia, which posted a warning to PSN users that their passwords might not be safe and contacted Sony about it.
Another blog, Eurogamer, says it confirmed the exploit, which allows someone to reset your password by knowing your e-mail address used for the account and date of birth. That information is known to be among the data belonging to 100 million users of Sony's gaming services that was exposed between April 17 and 19 in the second-largest security breach in U.S. history.
Eurogamer says users that changed the e-mail address connected to the PSN account after PSN was restored this weekend should not be at risk.
Yesterday, speaking to a handful of reporters, Sony CEO Howard Stringer admitted that while the company had rebuilt the security for PSN during the three weeks it was unavailable, no system could be guaranteed "100 percent secure."
Update 11:12 a.m. PT: Sony spokesman Patrick Seybold wrote today in a blog post that Sony "temporarily took down the PSN and Qriocity password and reset page." There was "no hack," he emphasized, but a "URL exploit that we have subsequently fixed."
At the time of this update, PlayStation.com and Qriocity.com log-in pages were still inaccessible.

Friday, May 20, 2011

Relive the Early Days of the Internet at Telehack



Once upon a time, before the age of HTML, the internet looked like a command prompt and a world of text. Telehack is a simulation site that recreates the early internet experience.
How exactly does it recreate the experience? From the Telehack FAQ file:
Telehack is a simulation of a stylized arpanet/usenet, circa 1985-1990. It is a full multi-user simulation, including 25,000 hosts and BBS’s the early net, thousands of files from the era, a collection of adventure and IF games, a working BASIC interpreter with a library of programs to run, simulated historical users, and more.
It’s a well fleshed out project that allows you to use commands, load games, navigate the network, interact with real users (currently logged in) and see significant historical users (simulated for posterity). You can access the project either via web interface or by firing up an actual telnet client and connecting in the old fashioned way. Hit up the link below to access the web portal and type telehack.txt at the prompt to read more about the project.

Sunday, May 15, 2011

Add Copy To / Move To to the Windows Explorer Right Click Menu

A hidden functionality in Windows allows you to right click on a file, select Copy To Folder or Move To Folder, and the move to box will pop up and let you choose a location to either copy or move the file or folder to.

Here’s the quick registry hack to get this working. As usual, back up your registry just in case. You will want to browse down to this key:
HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers
Once you are at that key, right click and choose the New Key option:

Now you will double-click on the (Default) value and enter the following:
{C2FBB630-2971-11D1-A18C-00C04FD75D13}
Click OK and continue.

If you want to enable Move To, you will repeat the same steps, except creating a new key named Move To, and using this value:
{C2FBB631-2971-11D1-A18C-00C04FD75D13}
Now when you right click on a file or folder, you should see the following options:

Let’s click Copy To Folder just to see what happens….

And that’s it. Useful!

Play Angry Birds in Your Favorite Browser (Web App, Website, and a Game Hack)

Are you ready to indulge in all of that Angry Birds goodness with your favorite browser? Then we have just what you need with information about the web app for Chromium-based browsers, accessing the game via website using your favorite browser, and a quick hack to unlock all of the levels.
First we will start off with the app for Chromium-based browsers. While this is little more than a link to the official website it can be nice to have if you like keeping everything neat and organized in your Apps Tab.

Decided that you want to play Angry Birds in Firefox, Opera, or another browser? Then you can visit the website directly and play the game there! You can choose between the Standard and HD versions as desired…


Want to unlock (or relock) all of the levels when playing Angry Birds in your favorite browser? Then use the following bits of code by pasting them into the Address Bar while the game is open and hit Enter.
Unlock the Levels
javascript: var i = 0; while (i<=69) { localStorage.setItem('level_star_'+i,'3'); i++; } window.location.reload();
Lock the Levels
javascript: var i = 0; while (i<=69) { localStorage.setItem('level_star_'+i,'-1'); i++; } window.location.reload();



Thursday, May 12, 2011

Don't fall for 'First Exposure: iPhone 5' Facebook scam

Facebook users are being duped into unwittingly spreading spam by clicking on what looks like a link to news entitled "First Exposure: iPhone 5."
A version of the scam, exploiting people's interest in the next-generation iPhone, went around Facebook earlier this month, and it's back today with minor changes.
The scam starts when you see someone in your social network comment on a link in a post that looks like it leads to a news story about the iPhone 5 at a Web address of "greatlakesnews.info." Clicking on the link takes you to a different Web page, which provides a captcha window where you're asked to verify a word, ostensibly to prove that you are not an automated bot.
If you see this post on Facebook, don't click on it.
Once you click to verify, a message is posted to your Facebook stream notifying all your friends that you commented on the item and providing them with the bogus iPhone 5 link, in a type of attack known as "clickjacking." Then you're asked to choose from a list of items that then lead to a survey which is really marketing, according to this M86 post.
Clickjacking can be a problem on any Web site, but social networks are particularly susceptible because people share so many links. Facebook's advice to not click on strange links even if they are from friends would cut out many of the legitimate links people share on Facebook.
It's a good idea to try to avoid getting news from sources that aren't known news sites. But a big red flag is the captcha window--legitimate sites don't typically make you prove you're human to read a news item.

Wednesday, May 11, 2011

Yankees' error leaks personal data on 21,000 fans


A sales rep for the New York Yankees accidentally e-mailed a spreadsheet containing names, addresses, phone numbers, e-mail addresses, and seat numbers of more than 21,000 season ticket holders to thousands of clients, according to blog site Deadspin.
"There are no credit card numbers, but there are account ID numbers. And on Yankees.com, licensees need only their account ID number and password to access their accounts," the report said yesterday. "With the spreadsheet, we have all the account IDs and can probably guess more than a few passwords via spouse's names, street names, and good old 'abc123.' At the very least, the list email addresses are valuable to spammers."
Later, the Yankees sent an e-mail to season ticket subscribers confirming that a rep had inadvertently included an attachment with ticket holder information to an e-mail that was sent on Monday.
"Please note, immediately upon learning of the accidental attachment of the internal spreadsheet, remedial measures were undertaken so as to assure that a similar incident could not happen again," the e-mail said. "The Yankees deeply regret this incident, and any inconvenience that it might cause."
The mistake puts affected fans at risk of phishing attacks and people should be wary of e-mails or phone calls from people claiming to be affiliated with the Yankees and asking for sensitive information.
The data leak contrasts with other recent breaches that are attributed to hacking attacks or unauthorized access. Sony warned this week of a serious breach on the Sony PlayStation Network that puts data of as many as 77 million customers at risk and potentially includes credit card numbers. Earlier this month, dozens of big name financial companies and retailers were forced to warn customers about the potential for phishing attacks after a breach at e-mail marketing provider Epsilon. And DSLReports.com also had e-mail addresses stolen in an attack on its site this week.

Microsoft plugs critical hole in Windows


Microsoft today fixed a critical hole in Windows and two less serious holes in Office in one of the lightest Patch Tuesdays in recent history.
The critical bulletin, MS11-035, fixes a vulnerability in the Windows Internet Name Service (WINS) that "could allow remote code execution if a user received specially crafted malware on an affected system running the WINS service," according to the bulletin advisory. It affects Windows Server 2003 and 2008.
WINS is not installed on the affected operating system software by default, so only customers who manually install it are affected and will be offered the update, Microsoft said.
"Microsoft is downplaying the bug, but there is potential here for remote code execution," and thus total control of the computer, said Andrew Storms, director of security operations at nCircle. "WINS is a network-aware application that does not require authentication, and many enterprises require WINS on their networks. Taken together, these factors mean that a lot of enterprises will find their internal network servers vulnerable to a remote code bug. Initially, most attackers will probably only trigger a DoS (denial-of-service) event, but finding the remote code exploit won't be far behind."
The second bulletin, MS11-036, fixes two vulnerabilities in Microsoft PowerPoint that could allow remote code execution if a user opens a malicious PowerPoint file. The vulnerabilities affect Office XP, Office 2003, Office 2007, Office 2004 for Mac, and Office 2008 for Mac.
Microsoft also changed its Exploitability Index, the guide it uses to provide customers information on how likely a vulnerability is of being exploited. The company will be publishing two ratings per vulnerability, one for the most recent platform and a second as an aggregate rating for all older versions of the software.
Patch Tuesday has been fairly hectic recently, including last month when 17 bulletins were released to fix 64 vulnerabilities.

French researchers demo attack on Chrome


French security firm Vupen said today its team has figured out a way to bypass security measures in Chrome and offers a video demo it says is a successful attack against the browser running on a Windows machine.
"We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox," the Vupen Security blog said. "The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR [Address Space Layout Randomization]/DEP [Data Execution Prevention]/Sandbox, it is silent [no crash after executing the payload], it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64)."
In the video, someone using Chrome v11.0.696.65 on Windows 7 Service Pack 1 (x64) is tricked into visiting a malicious Web page hosting the exploit. Once the machine is compromised, the exploit code downloads a Calculator program from a remote location and launches it outside the sandbox at "medium" integrity level, according to Vupen.
"While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP," the post said.
Vupen, which did not respond to an e-mail seeking comment today, said it would not publicly disclose the exploit code or technical details of the vulnerabilities but will share them with its government customers as part of its vulnerability research services.
Asked for comment, a Google spokesman said: "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome."
Chrome's sandbox technology is designed to isolate code from other parts of the computer so that if malicious code does get in, its damage is limited. Adobe has added sandbox technology to Reader.

Facebook plugs third-party access to user accounts


Tokens are like "spare keys" that Facebook users grant to applications that allow them to perform actions on their behalf or access their profile


Facebook has plugged a hole that was inadvertently providing advertisers and other third parties access to user accounts via tokens that serve as "spare keys," Symantec said today after disclosing the problem to the social-networking company.
"Facebook was notified of this issue and has confirmed this leakage," Nishant Doshi, a senior software engineer at Symantec, wrote in a blog post. "Facebook notified us of changes on their end to prevent these tokens from getting leaked."
"We estimate that as of April 2011 close to 100,000 applications were enabling this leakage," Doshi wrote. "We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
A Facebook spokesperson told CNET that the company could not find any evidence that private user information was being shared with unauthorized third parties and that contractual obligations prohibit advertisers and developers from obtaining or sharing user information in a way that violates the site's policies.
"We have no evidence of this information being used in a way that violated our policies, but nonetheless, we take any potential issue seriously and quickly took steps to prevent this from happening with apps on Facebook," a company statement said.
User access tokens, which are akin to "spare keys," allow applications to perform certain actions on behalf of the user or to access the user's profile, according to Doshi. Most tokens expire after a short time, but the application can request offline access tokens, which allow them access until the user changes the password, even when the user is not logged in, according to his post.
The leak was happening when an application used a legacy Facebook application programming interface with older authentication schemes, instead of the new OAuth 2.0 data sharing protocol, Doshi said. (Google began supporting OAuth in mid-2008.) If certain parameters were used in the coding, the tokens would be sent in a URL to the application host, and from there could be leaked to advertisers and analytic platforms via iFrame applications embedded in the page, he said.
It's unclear how many people are affected by this problem.
"There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007," Doshi wrote. "We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."
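For operators of an application host or a third-party server, the leak path described above (token in the page URL, then in the Referer of embedded requests, then in log files) can be checked for directly. The following is an added example, not code from Symantec, Facebook or the original article: it scans access-log lines for token-bearing URLs and produces a redacted copy. It assumes the Apache/nginx "combined" log format and a query parameter named access_token; the sample log lines and host names are constructed.

```python
import re

# Assumption: the credential travels in a query parameter named access_token
# (the OAuth 2.0 name); the article does not name the legacy parameters.
TOKEN_PARAMS = ("access_token",)
TOKEN_RE = re.compile(
    r'([?&](?:%s)=)[^&#\s"]+' % "|".join(map(re.escape, TOKEN_PARAMS)),
    re.IGNORECASE,
)
# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def redact(text):
    """Replace token values with a fixed marker, keeping the parameter name."""
    return TOKEN_RE.sub(r"\1REDACTED", text)

def scan_line(line):
    """Return (fields_with_token, redacted_line) for one combined-log line."""
    m = LOG_RE.match(line)
    if not m:
        # Unparseable line: still scrub it, but report no structured finding.
        return [], redact(line)
    hits = [f for f in ("target", "referer") if TOKEN_RE.search(m.group(f))]
    return hits, redact(line)

def scan(lines):
    """Return findings for lines carrying a token in the URL or the Referer."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits, clean = scan_line(line)
        if hits:
            findings.append({"line": n, "where": hits, "redacted": clean})
    return findings

# Constructed sample: line 1 as seen by the app host, line 2 as seen by an
# embedded third party that receives the page URL as Referer.
SAMPLE = [
    '203.0.113.7 - - [10/May/2011:10:00:01 +0000] "GET /canvas/?access_token=AAAconstructed123&lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2011:10:00:02 +0000] "GET /ad.js HTTP/1.1" 200 90 "http://app.example/canvas/?access_token=AAAconstructed123&lang=en" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2011:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["line"], f["where"], f["redacted"])
```

A hit in "referer" on a server you do not control the origin of is the third-party exposure the article describes; a hit in "target" means your own logs hold live credentials until the user changes the password.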
Facebook users can change their passwords to invalidate any leaked access tokens, effectively changing the lock on their profile, he said.
The Symantec research prompted Facebook to make some changes in its developer road map, including requiring all sites and apps to migrate to OAuth 2.0 and obtain an SSL (secure sockets layer) certificate by October 1.
"We have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure," the company said in a post on its developer blog. "This has led us to conclude that migrating to OAuth & HTTPS (Hypertext Transfer Protocol Secure) now is in the best interest of our users and developers."
Joey Tyson, a security engineer at Gemini Security Solutions who blogs about social networking at TheHarmonyGuy.com, said Facebook has been progressively improving the security of its platform and that many apps have limited permissions now. "This is a problem worth addressing, but it may not be as serious as some people are thinking it is, and it's certainly not as widely exploited as some people may fear," he sai

Google testing new search results pages?

When it comes to change, sometimes it's hard to believe in. And sometimes it's just hard to believe your eyes.
Some people have begun to notice that their Google search pages look different from those they had come to know, love, and take for granted.
Suddenly, the pages seem cleaner. Suddenly, there's more white space. And suddenly the colors are greener and the underlinings beneath each search result have disappeared.
Naturally, this has led to troubling words from troubled minds.
Some have called the potential new look "ugly." Yes, ugly.
When it comes to design, though, sometimes things just get old. Partly because you've looked at them too often and partly because the world has moved and new designs offer new ways of looking at things.




To my own eyes, the intention behind the new design is to make the pages more elegant and perhaps, therefore, to make you feel as if the results are actually more considered and accurate, rather than the morass that seems to rain down currently.
Moreover, perhaps the new design emphasizes white space because Google wants to experiment more with the placement of more challenging types of advertising--you know, the sort you might enjoy rather than merely endure.
There appear to be several versions popping up in different corners of the Web, so perhaps some of you might let me know what you have been seeing and how you have been seeing it.
Taste is always a subjective thing. But wouldn't you like just a little more elegance and breathing room on your Google search pages?

Saturday, May 7, 2011

USB puppet by Availabot




Here's a USB device from Availabot that jumps up when your buddy comes online on IM, and goes down when he/she goes offline!