Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.
The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.
The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.
Wikiwatcher has just officially released their new tools. We covered their announcement at The Last HOPE just last month. The 2.0 version of Wikiscanner is not ready just yet.
Poor Man’s Checkuser exposes the IPs of quite a few user accounts. There is a wealth of data here which can be used as a base for your own tools. Potential Sockpuppetry is a good example of using this data; it shows what IPs are associated with multiple accounts and could be run by the same person. It takes data from the Poor Man’s Checkuser and arranges it by organization and IP range. Beaver Scope keeps an eye on edits coming out of all specific locations on MIT campus. The author used this list of MIT IPs to monitor MIT’s activity during the Caltech-MIT pranking season. It is able to pinpoint exactly which building an article is being edited from. The team hopes to see people develop new tools from the Poor Man’s Checkuser data.
[The Tech Guy] shows us how he added cells to an MSI Wind’s battery. This hack is extremely simple but it may be difficult to get the battery back into your laptop. Also, we’re not too sure how stable it is, and you can definitely forget about taking this thing through an airport. It would be really nice to start seeing people fabricate custom enclosures. Until then, this hack is best reserved for people completely desperate for extended battery life.
[rocketman] has posted about a new event at Defcon dubbed WarBallooning. They are using a Kismet drone (a modified WRT54G), a webcam, and a few high gain antennas. The balloon will be launched at about 15 stories and will be remotely fed targets chosen directly by the Defcon participants. The the directional antenna will be mounted to the camera so pan and tilt can be controlled. The Kismet CSV files will be available for everyone after the event.
If you are interested in WarDriving or building you own high-gain antennas, we suggest you check out this WiFi biquad dish antenna mounted on a car. If cars are too boring, or you do not have one, you could always go WarSailing or WarFlying. Yes, the permutations are endless.
[Dave Clausen] from NYC Resistor sent in his open source RGB LED cylinder. We have seen many cubes in the past (even one that display low-res 3D video) so a cylinder is certainly a new concept and the RGB LEDs are a nice upgrade. The LEDs are wired in a 5-way multiplexed grid using four TLC5940NTs (16 channel LED drivers with internal PWM hardware) so each light is individually addressable. The best thing about this project, of course, is that he has source and EAGLE schematics availbale for download and both are licensed under Creative Commons.
[via NYC Resistor]
The Boxee blog has recently announced that they have finally released a Linux version. So far, only Ubuntu 7.10 through 8.04 support is available. We covered Boxee when they released their alpha version a few months ago. One of the unique things we found about it was the added social layer that allows the user to share their viewing and listening information on various social networking sites.
This XBMC based media streamer has won a lot of praise lately and we are excited to finally see it step into the Linux platform. Up until now, Boxee was strictly run on OSX 10.5 and thus bound to Apple’s hardware configurations. Once they get a stable version running, it will be extremely easy for anyone to build a media streamer from an old PC with various hardware configurations.
The Target Project is a graduate project from the Royal College of Arts in London. It is designed to make us question our relationship with surveillance technology and CCTV. This is a particularly meaningful demonstration for a country like Britain which is said to contain up to 4.2 million CCTV cameras or roughly 1 for every 14 people.
This project has two demonstrations on their site. The first is dubbed the RTS-2 (Racial Targeting System). This system is essentially a camera which follows faces and is able to analyze and interpret the person’s race. The second is SOLA. This system is able to quickly scan someone and calculate their body mass index then publish this information to the web. Both systems achieve their goal by blatantly pointing out a line in which more surveillance does not equate to more security. They also show the wealth of personal data that can be obtained about a person by a simple camera.
[via we make money not art]