Aza Raskin's Tabnabbing is a proof-of-concept for a fiendish attack: a tab that waits until you're not watching, then turns itself into a convincing Google login screen that you assume you must have opened.
Actually, it's even sneakier: it can use CSS-based analysis to figure out which websites you log in to, and then can use cross-site scripting to reload a different tab -- another one that you're not looking at -- to turn itself into a convincing login screen.
Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evildoer to use your website as a staging ground for this kind of attack. If you are the evildoer, you can have this behavior occur only once in a while, and only if the user uses a targeted service. In other words, it could be hard to detect.
You can also use a cross-site scripting vulnerability to force the attack to be performed by other websites. And for browsers that do not support changing the favicon, you can use a location.assign call to navigate the page to a controlled domain with the correct favicon. As long as the user wasn't looking at the tab when the refresh occurred (which they won't be), they'll have no idea what hit them. Combine this with look-alike Unicode domain names and even the most savvy user will have trouble detecting anything is amiss.
Tabnabbing: A New Type of Phishing Attack
(via Hacker News)
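The staging-ground point above (every third-party script, Flash widget or frame you include is code you don't control running in your page) is something a site owner can at least inventory. The following is an added example, not code from the post or from Aza Raskin's proof of concept: it lists every external script, object, embed and iframe on a page and derives a Content-Security-Policy script-src allowlist from the script hosts actually present, so an injected script pointing anywhere else is refused by the browser. The HTML and hostnames are a constructed sample.

```python
"""Audit a page for third-party script and plugin inclusions.

Added example; not code from the Boing Boing post or from Aza Raskin's
proof of concept. The HTML below and the example.* hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose named attribute pulls executable or plugin content.
LOADING_ATTRS = {"script": "src", "object": "data", "embed": "src", "iframe": "src"}


class IncludeCollector(HTMLParser):
    """Collect (tag, absolute URL) for every element that loads content."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.includes = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value is None:
            if tag == "script":
                self.inline_scripts += 1  # inline script: nothing to resolve
            return
        # Resolve relative and scheme-relative ("//host/x.js") URLs.
        self.includes.append((tag, urljoin(self.page_url, value)))


def third_party_includes(html, page_url):
    """Return (tag, url) pairs served from a host other than the page's own."""
    own_host = urlsplit(page_url).hostname
    collector = IncludeCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.includes
            if urlsplit(url).hostname not in (None, own_host)]


def csp_script_src(html, page_url):
    """Build a script-src directive: 'self' plus each third-party script host.

    Any script whose host is not on this list, such as one injected via an
    XSS bug, is blocked by the browser rather than run in the page.
    """
    hosts = sorted({urlsplit(url).hostname
                    for tag, url in third_party_includes(html, page_url)
                    if tag == "script"})
    return " ".join(["script-src", "'self'", *hosts])


# Constructed sample page: one first-party script, one inline script,
# one CDN script, one Flash object and one advertising iframe.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
<script>console.log('inline');</script>
</head><body>
<object data="//flash.example.org/banner.swf" type="application/x-shockwave-flash"></object>
<iframe src="https://ads.example.com/frame"></iframe>
</body></html>
"""
PAGE_URL = "https://www.example.com/index.html"

if __name__ == "__main__":
    for tag, url in third_party_includes(SAMPLE_HTML, PAGE_URL):
        print(f"{tag:7} {url}")
    print("Content-Security-Policy:", csp_script_src(SAMPLE_HTML, PAGE_URL))
```

The allowlist limits the blast radius rather than removing the risk: a host you name in script-src is still trusted to serve whatever it likes, which is exactly the third-party-widget problem the post describes, so the inventory is also the list of suppliers whose scripts you should pin (for example with subresource integrity hashes) or drop.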
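The post's closing point is that look-alike Unicode domain names leave even a careful user with little to go on. The check below is an added example, not code from the post or from Aza Raskin's proof of concept: for a hostname as the user sees it, it shows the punycode form the resolver actually looks up, flags labels that mix scripts, and folds a small constructed table of Cyrillic look-alike letters to ASCII to see whether the name collapses onto a domain the caller trusts. The trusted set and the sample hostnames are constructed; a production checker would use the full Unicode confusables data rather than this table.

```python
"""Check a hostname for look-alike (homograph) tricks before trusting it.

Added example; not code from the Boing Boing post or from Aza Raskin's
proof of concept. CONFUSABLES is a small constructed sample, not the
Unicode confusables list.
"""
import unicodedata

# Constructed sample: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0443": "y", "\u0445": "x",
}


def to_ascii(hostname):
    """Return the IDNA (punycode) form that DNS actually resolves.

    Python's idna codec implements IDNA2003, which is enough to make the
    xn-- labels visible; that visibility is the point of the check.
    """
    return hostname.encode("idna").decode("ascii")


def label_scripts(label):
    """Set of script names (LATIN, CYRILLIC, ...) used by a label's letters,
    derived from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def mixed_script_labels(hostname):
    """Labels that combine letters from more than one script."""
    return [label for label in hostname.split(".")
            if len(label_scripts(label)) > 1]


def fold_confusables(hostname):
    """Replace known confusable letters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def assess(hostname, trusted):
    """Summarise the homograph risk of hostname relative to a trusted set.

    A mixed-script label is suspicious on its own; an all-Cyrillic label
    passes that test, which is why the fold-and-compare step is also needed.
    """
    hostname = hostname.lower()
    folded = fold_confusables(hostname)
    return {
        "ascii": to_ascii(hostname),
        "mixed_script_labels": mixed_script_labels(hostname),
        "impersonates": folded if folded in trusted and folded != hostname else None,
    }


if __name__ == "__main__":
    trusted = {"example.com", "space.example"}  # constructed trusted set
    samples = [
        "example.com",                               # genuine
        "ex\u0430mple.com",                          # Latin with one Cyrillic a
        "\u0455\u0440\u0430\u0441\u0435.example",    # all-Cyrillic "space"
    ]
    for host in samples:
        print(host, assess(host, trusted))
```

Running it shows why both checks are needed: the mixed Latin/Cyrillic name is caught by the script test, while the all-Cyrillic name is internally consistent and only falls out when folded and compared against the trusted list.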
An investigation by Propublica and Bayerischer Rundfunk found 187 servers hosting more than 5,000,000 patients' confidential medical records and scans (including a mix of Social Security numbers, home addresses and phone numbers, scans and images, and medical files) that were accessible by the public, "available to anyone with basic computer expertise."
Of course they announced it at the end of the day on Friday, that’s what you do with bad news.
Iowa state court officials contracted with Coalfire to conduct "penetration tests" on its security; as part of those tests, two Coalfire employees broke into the Adel, Iowa courthouse and were caught by law enforcement, whose bosses in Dallas County had not been notified of the test.