SECURITY ALERT!

There has been an increase in the past few days of sites being hacked via file upload scripts, particularly a number of high profile ColdFusion based sites.

The hacker gets in by uploading a CFM, ASP, PHP or other supported file type to the server and executing the file, thus escalating his access.

If you have any publicly accessible areas of your site where files can be uploaded then you should make sure you are not vulnerable, make sure that you are validating allowed uploaded file types and not allowing executable files to be uploaded.

In particular you should pay attention to things like image uploads on forums or other applications which people seem to think are safe because it only allows images to be upload. Many scripts will actually accept the uploaded file to the final destination folder before validating it and then deleting it if it is not valid, thus giving a window of opportunity for the file to be executed.

What happens is that the hacker uses a load testing tool that constantly executes the URL on your site where he knows his file will be uploaded (e.g. mysite.com/files/xyz.cfm), this is done many times a second, so when he then uploads the file it will get executed in those few milliseconds before it is deleted.

To avoid this scenario you should perform checks prior to accepting the upload, or upload the file to a temp location first that the hacker cannot access and then move it to the destination folder once it has been verified.

I guess this has been inevitable for some time, but the the WPA wireless security protocol has now been effectively hacked. A Japanese group have developed a hack for the WPA protocol and will be presenting their findings in Hiroshima on Sept 25th (http://www.ieice.org/ken/paper/20090925faPH/eng/).

See here for their full report:

http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf

If you are using WEP(already hacked) or WPA, I would strongly encourage you to switch to the WPA2 protocol as soon as possible. If you are using WPA with AES, you should be fine, for now. This hack currently affects WPA using TKIP. But if you have to switch things up might as well go to WPA2 with its newer version of AES. It's only a matter of time before this exploit is actively used, so time is critical.

Here's also a report on this from Network World:

http://www.networkworld.com/news/2009/082709-new-attack-cracks-common-wi-fi.html

Police have rescued five children who were being kept as sex slaves by paedophiles who broadcast the abuse on the internet.

The boys and girls, aged from seven to 13 years old, were snatched from the suspects in a series of raids across the UK.

Three of the youngsters were discovered at addresses in Scotland, and two in England.

The children were being attacked on a daily basis, and footage of the abuse was streamed live on websites.

All are now receiving counselling and support.

Officers said a number of suspects were arrested in the operation.

Scotland's National Sex Crimes Unit, which was set up in March this year, said legal proceedings have begun against them.

Senior prosecuting counsel Derek Ogg QC, who heads the unit, praised police for the "good old-fashioned detective work" that led to the arrests.

Officers began the operation after a man was arrested for other alleged sex offences.

Children were identified and the raids were launched across the UK.

Mr Ogg told Sky News Online: "When you discover this going on in your own back yard, in your home country, it really brings it home to people.

"This was all down to good old-fashioned police detective work."

He added: "It was carried out by incredibly dedicated officers who worked night and day to put an end to these children's daily ordeal.

"I can't stress enough the credit that the police take in these cases.

"It takes amazing dedication sifting through the evidence to get success like this."

I can only hope that our dismal justice system for once does the right thing and a sensible judge puts these evil bastards away for the rest of their lives and while inside they get their genitals amputated.

As a father of 3 myself, I can only imagine how the parents of these children must be feeling right now, it is certainly a heart wrenching decision when you have to decide between what you want to do and what you should do in the best interest of your kids, when sadly vengeance, no matter how much you want it or deserve it will only make the situation worse.

Security researchers are raising an alarm for a potent malware cocktail - backdoor Trojans and password stealers being pushed to Windows users from about 55,000 hacked Web sites.

According to Mary Landesman, a researcher in ScanSafe's security threat alert team, the cybercriminals have embedded a malicious iFrame into tens of thousands of Websites to fire exploits at unsuspecting PC users who surf to one of the rigged sites.

The iFrame points to an intermediary exploit site which in turn loads additional exploits and malware from up to seven different malware domains, Landesman said.

She ran a Google search on the iframe script tag and found it embedded on about 54,900 sites, many  of them legitimate online destinations.

Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.

At the time of writing this blog post, the number of hacked sites listed in Google results climbed to 56,000.

It is not yet clear which vulnerabilities are being exploited in this attack but, judging from recent history, end users should ensure that operating system and desktop software programs are fully patched.

The most common programs under attack include Adobe Flash, Adobe PDF Reader, Apple's QuickTime, WinZip and RealPlayer.  In addition to Microsoft Windows patches, these desktop applications should be updated to the newest version immediately.

If you run a website then I would suggest you do a file search for the aforementioned code and make sure your site has not been hacked, especially if you use 3rd party scripts that may be vulnerable.

One of my all time favourite games, Monkey Island, is now available on XBox Live.

Forgoing the history lesson on an almost-20-year-old game, The Secret of Monkey Island is a point-and-click adventure in which you assume the role of a wannabe pirate named Guybrush Threepwood. In order to become a pirate, Threepwood must prove himself as a swordsman, a treasure hunter, and a thief, which means you must prove that you can both solve puzzles and move a cursor around a screen--often simultaneously. You can expect to hit a few brick walls when you encounter some of the more baffling puzzles, but the all-new hints system does a great job of pointing you in the right direction if you choose to use it (although I would advise only rto use it as a last resort), and the writing is entertaining enough to keep you interested during extended periods of head-scratching if you don't. An option to play the game in its original form or with greatly enhanced audio and visuals is the foamy head on this Special Edition pint of Grog, and you won't want to stop drinking until you can see the bottom of your tankard.

The Secret of Monkey Island is an easy game to pick up, regardless of whether or not you've played this kind of adventure game before. You can use either analogue stick to move a cursor around the screen, and when you're pointing at something you want to interact with or a location you want to move to, you push the A button. Other actions, such as "speak to," "pull," "use," and "give," are assigned to onscreen buttons that, depending on whether or not you're playing with the updated visuals, either appear at the bottom of the screen at all times or in a pop-up window mapped to a shoulder button. Items in your inventory also appear onscreen at all times when playing with the original graphics, but they are mapped to a second pop-up window in the new interface. It's great that you can switch between the two modes on the fly because there are pros and cons to both. The Special Edition looks much better and is the only way to play if you want to hear, as well as read, what characters are saying, whereas the original game's interface is less clunky.

 

Monkey Island isn't a game that wastes any time throwing seemingly useless items and satisfying puzzles at you. Shortly after starting out on Melee Island, you visit a bar where pirate leaders drunk on Grog (a drink so acidic that you have to consume it before it eats through the tankard) give you three challenges to complete; a surly chef refuses you entry to his kitchen; and a hungry seagull makes it difficult for you to pick up what may or may not be a red herring. Before you know it, you're walking around the island with all manner of items stuffed into Threepwood's physics-defying pockets, and you'll spend the majority of your time figuring out how to combine or use those items. Using the "look at" option on an item will afford you an amusing description that often doubles as a clue to its intended purpose. You might still end up solving some puzzles through trial and error, but you'll also kick yourself for not spotting the clues to the puzzle's solution before resorting to that time-tested technique.

This conversation was amusing in 1990...

When you're not attempting to combine a staple remover with a banana or wondering how to get past a group

of deadly piranha poodles, much of your time is spent navigating dialogue trees with characters that include belligerent buccaneers, cholesterol-conscious cannibals, and a used boat salesman named Stan. Some of the conversations are laugh-out-loud funny, and while the actors' delivery isn't always up to the standard of the writing, the voice work is such a great addition to the game that it's difficult to go back to the original edition. Lengthy conversations with the aforementioned salesman can be a little irritating when you have to listen to--as well as read--his persistent patter, but he's still an amusing and memorable character in a cast composed almost entirely of amusing and memorable characters.

In The Secret of Monkey Island: Special Edition, meeting and interacting with these characters is every bit as enjoyable as it was almost 20 years ago. The puzzles, the humor, and the Caribbean-sounding tunes that keep you company as you ponder your next move continue to defy their age, and even the original visuals still have plenty of pixel-perfect charm. The Special Edition update employs a colorful art style that's more reminiscent of the style in The Curse of Monkey Island (the third game in the series) than other games, but it retains the primitive (but pleasing) animation of the first game. Switching between the two available art styles is something that you'll almost certainly do from time to time just because you can, and it's interesting to see how faithfully and brilliantly such locations as the Scumm Bar and the cannibal village have been updated.

and it's even better in 2009 because you can hear it.

It's possible to beat The Secret of Monkey Island in just a couple of hours if you go into the game armed with a complete solution. However, if you take the time to enjoy it and solve the puzzles yourself, it should last you anywhere between five and 10 hours. If you have a rubber chicken with a pulley in the middle, two sticks of cinnamon, a length of rope, and 800 Microsoft points in your pocket right now, the best advice I can give you is this: Spend the points on The Secret of Monkey Island: Special Edition and then figure out for yourself what to do with the rest of that stuff.

Even after all these years it seems I still remembered enough about this game to plough through certain parts quickly, but I had also forgotten enough to make me resort to using the hint system far too quickly just because it is there.