exploit

The U.S. government is warning that critical infrastructure systems are at risk of being compromised or attacked in response to the public release of exploits for dozens of holes in four different supervisory control and data acquisition, or SCADA software products.

Saying he had no previous knowledge of SCADA systems before beginning his analysis "some months ago," Italian researcher Luigi Auriemma yesterday posted proof-of-concept software targeting Siemens Tecnomatix FactoryLink, Iconics GENESIS32 and GENESIS64, 7-Technologies IGSS (Interactive Graphical SCADA System) and DATAC RealWin products to the BugTraq security e-mail list.

SCADA systems allow employees at utilities and other … Read more

A number of people have made off with a chunk of virtual change--an estimated $1.2 million--from Microsoft as part of an exploit that left one of the company's promotional sites spitting out codes for free blocks of Microsoft Points.

The exploit, which was discovered by forum members of enthusiast site The Tech Game over the weekend, centered on a promotion Microsoft was running on a temporary site that offered users a choice of two free days of Xbox Live Gold, a virtual item for their Xbox Live avatar, or 160 Microsoft Points. While a small denomination, 160 Microsoft Points equals $2, which could then be stacked with existing account balances, making the item the most appealing target of the bunch.

The attackers devised a way to tweak the URL of the promotional site to have it repeatedly spit out codes, with most going for the free points. According to games blog Save and Quit, Microsoft shut the site down within hours of the exploit being unearthed (following its buckling under the surge of traffic), but not before enterprising users made off with an estimated $1.2 million in virtual currency. … Read more

Google apparently has used a kill switch to remove 21 malware-infected apps from both its Android Market and from people's Android devices.

Calling the Trojan the "mother of all Android malware," enthusiast site Android Police said yesterday the infected apps were discovered by a Reddit user. That Reddit user found that pirated versions of legitimate apps were infected by a Trojan called DroidDream, which uses a root exploit dubbed "rageagainstthecage" to compromise a device.

This piece of malware is especially virulent because it apparently cannot only capture user and product information from a device but … Read more

In many communities throughout the country, when a child goes missing you may hear about it on the radio or see a notice on an illuminated highway sign. You might also get a text message if you're signed up to receive one. AOL, Yahoo, Google, and Microsoft also disseminate Amber alerts. Now you can receive them on Facebook.

The Amber alert program, which was established 15 years ago after the abduction and murder of its namesake, 9-year-old Amber Hagerman, has so far resulted in the recovery of 525 kids according to Ernie Allen, CEO of the National Center for Missing and Exploited Children (… Read more

The team behind ChevronWP7, an application that was released last November as a way for users to install applications without going through Microsoft's Marketplace application or signing up for a paid developer account, says that Microsoft has fixed the "error" that had allowed the hack, and will be rolling out that fix as part of the upcoming Windows Phone 7 software update.

ChevronWP7 was available for user download for just a few days before being taken down by its three-man development team. Brandon Watson, director of developer Eexperience for Windows Phone 7, had gotten in touch with … Read more

If you noticed strange black blocks covering text on the Twitter homepage, one of your friends likely fell victim to a new hack that exploits Twitter's Web interface. The exploit was discovered early this morning by security firm Sophos, which realized that if you put the JavaScript code "onmouseover" into a URL in a tweet, a user can make a pop-up window emerge just by hovering over the link.

"Mouseover" hacks aren't new, and CNET reporter Caroline McCarthy tells us they've been used within e-mails in the past, but the fire is out...for now. In the interim, we recommend you use third-party sources like TweetDeck--at least until Twitter beefs up its security.

We've been talking about "The Social Network" for a few weeks now, and although we're all still skeptical about a movie based on a Web site, we're willing to check it out, and we want you to join us! We're giving away 20 pairs of tickets for a sneak preview showing of "The Social Network" on Tuesday, September 28 at a theater in Manhattan, and all you have to do is 1. FOLLOW @THE404 and 2. TWEET OUT this message:

If you're near NYC, FOLLOW @the404 and RT this for a chance to win a pair of tix to see The Social Network on 9/28 the404.cnet.com

...and you're entered to win! Don't forget that the theater is in Manhattan, so be sure you can get to the showing on September 28 if you enter. Winners will be chosen at random on Friday, September 24, so start tweeting!

Speaking of get-togethers, we're in the midst of organizing a 404 meetup! Our target date is Thursday, October 7, and the tentative location is The Frying Pan bar off of Pier 66 here in NYC, so save the date and we'll send out an official Meetup RSVP soon!

On today's Buzz Out Loud, Jason confesses his noob security mistake, Consumer Reports wants the world to know they STILL don't recommend the iPhone 4. Plus, Mark Zuckerberg's Hollywood moment isn't going to be as fun as he hoped, and we predict the MPAA will go nuclear if rumors of a permanent HDCP crack are true.

Consumers and businesses in Great Britain have lost more than $1 million so far this summer from a Trojan that is infecting their computers, prompting them to log into their bank accounts, and then is surreptitiously transferring money to scammers in other countries, security researchers said on Tuesday.

About 3,000 bank accounts were found to be compromised at one financial institution, which was not identified, according to a white paper released by M86 Security.

The multilevel scheme uses a combination of a new version of the Zeus keylogger and password stealer Trojan, which targets Windows-based computers and runs on … Read more

The new browser security flaw in iPhones, iPods, and iPads could be more dangerous than initially suspected.

The vulnerability comes from the way the jailbreak software, released on Sunday, uses the mobile Safari browser instead of requiring that the device be connected to a computer. Jailbreaking the phone allows it to run apps not approved by Apple. But this flaw could be used to launch an exploit if the user were to surf to a Web site hosting a malicious PDF, giving unrestricted access to the device.

"The same PDF exploit used to jailbreak the device could also be … Read more