A technology security researcher has discovered a flaw in Microsoft Corp’s widely used Internet Explorer browser that he said may allow hackers to steal credentials to access FaceBook, Twitter and other websites.
He coined the technique as ”cookiejacking.”
“Any website. Any cookie. Limit is just your imagination,” said Rosario Valotta, an independent Internet security researcher based in Italy.
Hackers can exploit the flaw to access a data file stored inside the browser known as a “cookie,” which holds the login name and password to a web account, Valotta wrote.
Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique “cookiejacking.”
The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.
To take advantage of this flaw, the hacker must first persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.
That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to “undress” a photo of an attractive woman.
“I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server,” he said. “And I’ve only got 150 friends.”
Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.
“Given the level of required user interaction, this issue is not one we consider high risk,” said Microsoft spokesman Jerry Bryant.
May 30, 2011 by admin
Filed under Around The Net
The Wall Street Journal’s All Things Digital blog is reporting that Zynga is set to file for its initial public offering with the Securities and Exchange Commission as early as this week. This move is not entirely unexpected considering how well the recent IPOs of several Internet companies have done recently (e.g., LinkedIn and Russian search giant Yandex). Zynga’s strong performances show the huge investor appetite for fast-growing and high-profile Web 2.0 firms.
May 29, 2011 by admin
Filed under Around The Net
More than 2000 users of Sony Ericsson’s Canadian Website are impacted by the latest hack attack to hit a battle worn Sony. Sony Ericsson is joint mobile phone venture between Sony and Ericsson. According to Sony hackers made off with e-mail addresses, passwords and phone numbers–but no credit card details. Sony has now shut down the affected site. Around 1000 of the stolen records from the Sony Canadian Website are already online, posted by Idahc, a “Lebanese grey-hat hacker”.
“Sony Ericsson’s Website in Canada, which advertises its products, has been hacked, affecting 2000 people,” a Sony spokesperson told AFP. “Their personal information was posted on a Website called The Hacker News. The information includes registered names, email addresses and encrypted passwords. But it does not include credit card information.”
“Sony Ericsson has disabled this e-commerce Website,” Sony detailed to IDG News. “We can confirm that this is a standalone website and it is not connected to Sony Ericsson servers.” For security, Sony has shut down the Canadian Sony Ericsson eShop page, which currently reads: “D’oh! The page you’re looking for has gone walkabout. Sorry.”
The Internet is buzzing with news that Skype is in the process of giving Asterisk the boot by no longer offering Skype for Asterisk starting in July. Skype for Asterisk is proprietary software that was developed by Digium with Skype’s approval. The software was unique in that it allowed Asterisk based systems to join Skype’s VoIP Network. We assume this will not negatively impact current users for the next couple of years.
We wonder if Microsoft had a hand in killing this deal with Asterisk since they have a competing product. One could also assume that Skype wanted to develop a native application and not use Asterisk for SIP implementations. I guess we will need the executives at Skype to fill us in on the details one day.
Apple has finally acknowledge and has promised an update for Mac OS X that will find and remove the MacDefender fake security software, and warn uninfected users when they download the infectious program.
The announcement — part of a new support document that the company posted late Tuesday — was the company’s first public recognition of the threat posed by what security experts call “scareware” or “rogueware.”
Apple has taken criticism for not publicly responding to the MacDefender threat.
“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” Apple said in the document. “The update will also help protect users by providing an explicit warning if they download this malware.”
Apple also outlined steps that users with infected Macs can take to remove the scareware.
Andrew Storms, director of security operations with nCircle Security, was surprised that Apple said it would embed a malware cleaning tool in Mac OS X.
May 27, 2011 by admin
Filed under Around The Net
Analysts around the Internet are saying that Windows based tablets will begin using ARM processors by the end of 2011.
Digitimes is saying that the system performance will mean that the platform will be mainly used for targeting the tablet PC market. Digitimes said that there are several problems which need to be solved with the idea and most notebook makers are wary about it.
Reports now show that Intel shipped 44 percent more Microprocessors than Samsung and Intel’s overall shipments grew 25 percent year-over-year. Meanwhile Samsung’s first quarter microprocessor grew by 15 percent. The report also noted that Toshiba and TSMC came in a respectful 3rd and 4t with 10 and 18 percent of year over year growth respectively. Texas Instruments came in 5th barely edging out Renesas which appears to be closing the gap on TI.
Super mobile chipmaker Qualcomm was 10th and showed a 22 percent growth year-over-year; while AMD ranked 12th, with 2 percent growth. One would have thought that AMD would have been one of the top five manufacturers.
Unfortunately Nvidia and Sony ended up at the bottom with ended up at the bottom with six and 14 percent drop in sales, respectively.
Analysts at Goldman Sachs are saying that chip maker Intel may be in a pickle as microprocessor shipments slow and it faces stiff competition. That said, analysts have advised stockholders to sell Intel as they downgraded the stock.
James Covello and Simon Schafer of GS said that there will be a surplus in chips due to plant expansion. Meanwhile the rest of the gang on Wall Street is forecasting a six percent year-over-year rise in Intel’s sales, amid expanding gross margins, Goldman says otherwise and that sales will be flat due to excess capacity.
Furthermore, Intel is expected to face problems dealing with better chips from their main rival AMD: while tablets are cannibalising notebooks with ARM kicking its tail in the mobile space.
May 24, 2011 by admin
Filed under Smartphones
If you have a smartphone with an unlimited data plan on the Verizon Wireless network, get ready to mourn the end of those good times.
Verizon will put the kabash on its unlimited smartphone data plan some time this summer, according to comments made by the carrier’s chief financial officer. Speaking at the Reuters Global Technology Summit on Thursday, Verizon CFO Fran Shammo stated the company will soon roll out new tiered pricing plans and altogether eliminate the current $30-a-month unlimited option.
According to Reuters, which reported the news, the move is designed to “force heavy data users to pay more for mobile data.”
May 24, 2011 by admin
Filed under Smartphones
Google confirmed that it’s starting to roll out a server-side patch for a security vulnerability in most Android phones that could allow hackers to access important credentials at public Wi-Fi hotspots.
“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts,” said a Google spokesman in an emailed statement. “This fix requires no action from users and will roll out globally over the next few days.”
Google will apparently apply the fix to its servers since it does not need to push out an over-the-air update to Android phones.
Experts applauded Google’s fast reaction.
“It’s impressive how quickly Google fixed this,” said Kevin Mahaffey, chief technology officer and a co-founder of San Francisco-based mobile security firm Lookout. “Google’s security team, especially on Android, is very, very quick to deal with issues.”
Whatever Google is implementing will shut the security hole that three German researchers publicized last week.
According to the University of Ulm researchers, who tested another researcher’s contention last February that Android phones sent authentication data in the clear, hackers could easily spoof a Wi-Fi hotspot — in a public setting such as an airport or coffee shop — then snatch information that users’ phones transmitted during synchronization.
In Android 2.3.3 and earlier, the phone’s Calendar and Contacts apps transmit information via unencrypted HTTP, then retrieve an authentication token from Google. Hackers could eavesdrop on the HTTP traffic at a public hotspot, lift authentication tokens and use them for up to two weeks to access users’ Web-based calendars, their contacts and also the Picasa photo storage and sharing service.
Sign up for our Technology Newsletter 
Comments