* Posts by weffew

5 posts • joined 11 Jun 2007

Monster Trojan monsters job seekers' records

weffew

Not a virus

This functionality has been built into Monster, and many other jobsites. Basically recruiters / employers can query the backend of the database directly.

There's no need to write a virus to do this, just pose as a recruiter and Monster will allow you to connect directly to the backend database.

Office Angels have had a tool that does just this and they are happy to rent the tool out to anyone who can afford it...

Jobseekers need to be more careful with their data.

0
0

Forensic data stolen in server theft

weffew

Total rubbish

Anyone who goes to the trouble of stealing a server is going to make sure they get the right one. Pure incident management rather than truth.

If you have a server processing this kind of data you ought to go to the trouble of running full hard disk encryption; then they've only got access while the box is up and running. At this point I have visions of them running off with the UPS as well. Well, it wouldn't be running with the UPS, would it ;)

0
0

Student reprimands Facebook for bad manners and exposed code

weffew

PHP errors

Cameron and Rob are right about what is causing it.

I'd also bet there was a config file that contained the user / pass for the database as well. If you can request the file directly and the PHP install breaks, you could get the database username and password.

There are products available that obfuscate the PHP source code, such as ionCube. If they prized their source code they'd be using it already.

0
0
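The failure mode the post above describes, as an added example that is not part of the thread and not code from Facebook or from the other commenters: when the PHP handler stops executing files, the web server falls back to serving them as plain text, so any `config.php` sitting inside the document root hands out whatever credentials it contains. The script below audits a document root for credential-looking assignments and flags which files would leak only on handler failure versus which are served raw even on a healthy install (`.inc` and backup files are typically not mapped to the interpreter at all). It also checks a response body for the tell-tale sign that PHP was served rather than run. The directory layout, file names and variable names are constructed for illustration.

```python
"""Added example, not code from the original thread: audit a PHP document
root for config files whose database credentials would be served as plain
text if the PHP handler broke, plus a check for a response that came back
as raw PHP source. File names, paths and variable names are assumptions."""
import os
import re
import tempfile

# PHP assignments that look like credentials, e.g. $db_pass = 'secret';
CRED_RE = re.compile(
    r"""\$(?P<name>\w*(?:pass|pwd|user|host|dsn)\w*)\s*=\s*(['"])(?P<value>.*?)\2\s*;""",
    re.IGNORECASE,
)
# .php is executed when the handler works; .inc and backup copies are usually
# NOT mapped to the interpreter, so they are served raw even on a healthy install.
PHP_EXTS = {".php", ".php3", ".phtml"}
RAW_EXTS = {".inc", ".bak", ".orig"}


def find_credentials(source: str) -> list[tuple[str, str]]:
    """Return (variable, value) pairs for credential-looking assignments."""
    return [(m.group("name"), m.group("value")) for m in CRED_RE.finditer(source)]


def served_as_source(body: str) -> bool:
    """True if an HTTP response body is unexecuted PHP: the interpreter never
    ran, so the file's source (and any secrets in it) was sent to the client."""
    return "<?php" in body or "<?=" in body


def scan_docroot(docroot: str) -> dict[str, dict]:
    """Walk a document root and report files that contain credentials.
    'raw' marks files the server would serve verbatim even with a working
    PHP handler; everything else leaks only when the handler fails."""
    findings = {}
    for dirpath, _, files in os.walk(docroot):
        for fn in files:
            ext = os.path.splitext(fn)[1].lower()
            if ext not in PHP_EXTS | RAW_EXTS:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                creds = find_credentials(fh.read())
            if creds:
                findings[os.path.relpath(path, docroot)] = {
                    "vars": [name for name, _ in creds],
                    "raw": ext in RAW_EXTS,
                }
    return findings


def build_sample_tree() -> tuple[str, str]:
    """Constructed sample site: returns (docroot, private_dir). The private
    directory sits beside the docroot, which is where credentials belong;
    index.php pulls them in with a require() that the web server cannot reach."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    private = os.path.join(base, "private")
    os.makedirs(os.path.join(docroot, "inc"))
    os.makedirs(private)
    samples = {
        os.path.join(docroot, "config.php"):
            "<?php\n$db_host = 'localhost';\n$db_user = 'fbapp';\n$db_pass = 'hunter2';\n",
        os.path.join(docroot, "inc", "settings.inc"):
            "<?php\n$DB_PASSWORD = \"s3cr3t\";\n",
        os.path.join(docroot, "index.php"):
            "<?php\nrequire __DIR__ . '/../private/db.php';\necho 'hi';\n",
        os.path.join(private, "db.php"):
            "<?php\n$db_pass = 'kept-outside-docroot';\n",
    }
    for path, text in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return docroot, private


if __name__ == "__main__":
    docroot, _ = build_sample_tree()
    for rel, info in scan_docroot(docroot).items():
        how = "served raw even with PHP working" if info["raw"] else "leaks if the PHP handler fails"
        print(f"{rel}: {', '.join(info['vars'])} ({how})")
```

Running the script reports `config.php` (leaks only if the handler fails) and `inc/settings.inc` (served raw regardless); the copy of the password under `private/` is never reachable by URL, which is the fix the original thread hints at. Source obfuscators change the bytes on disk but not this exposure: a file under the document root is still fetched whole when the interpreter is not running.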

Google goes spear phishing on MySpace

weffew

CSS has been traded privately for months

CSS for myspace and hi5 have been traded privately for months. My favourite was the Hi5 CSS that was publicly reported in December over at sla.ckers and went unfixed for months.

The exploit, instead of stealing the victim's cookie, logged the user out of the app and forced them to re-authenticate, writing out user / pass to a writeable file on a previously compromised webserver.

Normally the victim would be given a hi5 or you'd sign up as their myspace friend and leave a saucy note, intriguing them to visit your profile, be mysteriously logged out when viewing certain parts of the profile, then get their account hacked later on.

0
0

Anti-spam sites weather DDoS assault

weffew

Nothing new

DDOS on Spamhaus et al is normal for spammers. Indeed you aren't a major spammer until you've DDOS'd them.

Why DDOS them? So you can get your fresh spam out while stopping companies from updating their rulesets and blocklists. It's not supposed to be a prolonged attack.

0
0