Sony takes sites down after log-in exploit found

Just days after most services for PlayStation Network were brought back online, it appears a new exploit has been discovered that allows hackers to change users' passwords with the data stolen during the break-in to the service last month.

The Web sites that allow PSN users to sign in and reset their passwords have since been taken offline, as the graphic above from PlayStation.com shows. This problem reportedly does not affect the ability to sign in via a PlayStation 3 or PlayStation Portable, just some Sony Web sites.

The report comes from gaming blog Nyleveia, which posted a warning to PSN users …

Report: Windows 7 almost five times more secure than XP

Windows 7 is four to five times less vulnerable to malware infections than is Windows XP.

Those are the findings of Microsoft's latest Security Intelligence Report (PDF), which detailed in depth the state of software vulnerabilities, exploits, security breaches, and malware in 2010.

Overall, the study found that infection rates for newer Microsoft operating systems with the latest service packs are consistently lower than those for older OSes, giving Windows 7 and Windows Server 2008 R2 the highest marks for security.

Looking at the number of reported infections per 1,000 computers, Microsoft found that Windows 7 64-bit had …

How bin Laden evaded the NSA: Sneakernet

Far from being a technological recluse, Osama bin Laden was a prolific e-mail writer who reportedly relied on flash drives, couriers, and sneakernet to keep in touch with his correspondents.

Although bin Laden's hideout in Pakistan lacked phone and Internet connectivity, the al Qaeda leader used his computers to prepare messages and save them on flash drives, which would be passed to a courier, according to the Associated Press. The courier would head to a far-flung Internet cafe, send the outgoing messages, retrieve the incoming ones, and then return to Abbottabad with the responses.

That physical couriering of data, …

French researchers demo attack on Chrome

French security firm Vupen said today its team has figured out a way to bypass security measures in Chrome and offers a video demo it says is a successful attack against the browser running on a Windows machine.

"We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox," the Vupen Security blog said. "The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR [Address Space Layout Randomization]/DEP [Data Execution Prevention]/Sandbox, it …

U.S. warns SCADA systems at risk

The U.S. government is warning that critical infrastructure systems are at risk of being compromised or attacked in response to the public release of exploits for dozens of holes in four different supervisory control and data acquisition, or SCADA, software products.

Saying he had no previous knowledge of SCADA systems before beginning his analysis "some months ago," Italian researcher Luigi Auriemma yesterday posted proof-of-concept software targeting Siemens Tecnomatix FactoryLink, Iconics GENESIS32 and GENESIS64, 7-Technologies IGSS (Interactive Graphical SCADA System) and DATAC RealWin products to the BugTraq security e-mail list.

SCADA systems allow employees at utilities and other …

Xbox promo site targeted in Microsoft Points exploit

A number of people have made off with a chunk of virtual change--an estimated $1.2 million--from Microsoft as part of an exploit that left one of the company's promotional sites spitting out codes for free blocks of Microsoft Points.

The exploit, which was discovered by forum members of enthusiast site The Tech Game over the weekend, centered on a promotion Microsoft was running on a temporary site that offered users a choice of two free days of Xbox Live Gold, a virtual item for their Xbox Live avatar, or 160 Microsoft Points. While a small denomination, 160 Microsoft Points equals $2, which could then be stacked with existing account balances, making the item the most appealing target of the bunch.

The attackers devised a way to tweak the URL of the promotional site to have it repeatedly spit out codes, with most going for the free points. According to games blog Save and Quit, Microsoft shut the site down within hours of the exploit being unearthed (following its buckling under the surge of traffic), but not before enterprising users made off with an estimated $1.2 million in virtual currency. …

Reports: Google yanks infected Android apps

Google apparently has used a kill switch to remove 21 malware-infected apps from both its Android Market and from people's Android devices.

Calling the Trojan the "mother of all Android malware," enthusiast site Android Police said yesterday the infected apps were discovered by a Reddit user. That Reddit user found that pirated versions of legitimate apps were infected by a Trojan called DroidDream, which uses a root exploit dubbed "rageagainstthecage" to compromise a device.

This piece of malware is especially virulent because it apparently can not only capture user and product information from a device but …

Facebook adds Amber alerts to find missing kids (podcast)

In many communities throughout the country, when a child goes missing you may hear about it on the radio or see a notice on an illuminated highway sign. You might also get a text message if you're signed up to receive one. AOL, Yahoo, Google, and Microsoft also disseminate Amber alerts. Now you can receive them on Facebook.

The Amber alert program, which was established 15 years ago after the abduction and murder of its namesake, 9-year-old Amber Hagerman, has so far resulted in the recovery of 525 kids according to Ernie Allen, CEO of the National Center for Missing and Exploited Children (…

Windows Phone 7 home-brew hole to be plugged

The team behind ChevronWP7, an application that was released last November as a way for users to install applications without going through Microsoft's Marketplace application or signing up for a paid developer account, says that Microsoft has fixed the "error" that had allowed the hack, and will be rolling out that fix as part of the upcoming Windows Phone 7 software update.

ChevronWP7 was available for user download for just a few days before being taken down by its three-man development team. Brandon Watson, director of developer Experience for Windows Phone 7, had gotten in touch with …

The 404 670: Where we mouse on over to OnMouseOver (podcast)

If you noticed strange black blocks covering text on the Twitter homepage, one of your friends likely fell victim to a new hack that exploits Twitter's Web interface. The exploit was discovered early this morning by security firm Sophos, which realized that if you put the JavaScript code "onmouseover" into a URL in a tweet, a user can make a pop-up window emerge just by hovering over the link.

"Mouseover" hacks aren't new, and CNET reporter Caroline McCarthy tells us they've been used within e-mails in the past, but the fire is out...for now. In the interim, we recommend you use third-party sources like TweetDeck--at least until Twitter beefs up its security.

We've been talking about "The Social Network" for a few weeks now, and although we're all still skeptical about a movie based on a Web site, we're willing to check it out, and we want you to join us! We're giving away 20 pairs of tickets for a sneak preview showing of "The Social Network" on Tuesday, September 28 at a theater in Manhattan, and all you have to do is 1. FOLLOW @THE404 and 2. TWEET OUT this message:

If you're near NYC, FOLLOW @the404 and RT this for a chance to win a pair of tix to see The Social Network on 9/28 the404.cnet.com

...and you're entered to win! Don't forget that the theater is in Manhattan, so be sure you can get to the showing on September 28 if you enter. Winners will be chosen at random on Friday, September 24, so start tweeting!

Speaking of get-togethers, we're in the midst of organizing a 404 meetup! Our target date is Thursday, October 7, and the tentative location is The Frying Pan bar off of Pier 66 here in NYC, so save the date and we'll send out an official Meetup RSVP soon!

Episode 670