Yabfog » security http://yabfog.com/blog Yet another blog full of gas Tue, 13 Dec 2011 02:45:22 +0000 en hourly 1 http://wordpress.org/?v=3.3 Twitbin Fixes Security Flaw http://yabfog.com/blog/2007/10/26/twitbin-fixes-security-flaw http://yabfog.com/blog/2007/10/26/twitbin-fixes-security-flaw#comments Fri, 26 Oct 2007 21:25:21 +0000 Dan http://yabfog.com/blog/2007/10/26/twitbin-fixes-security-flaw Brian Breslin, of Twitbin, left a comment saying that Twitbin fixed the security flaw I previously pointed out. Cooool! :cool:

]]> http://yabfog.com/blog/2007/10/26/twitbin-fixes-security-flaw/feed 0 Twitbin Fails Basic Password Security http://yabfog.com/blog/2007/10/23/twitbin-fails-basic-password-security http://yabfog.com/blog/2007/10/23/twitbin-fails-basic-password-security#comments Tue, 23 Oct 2007 14:35:34 +0000 Dan http://yabfog.com/wp/2007/10/23/twitbin-fails-basic-password-security UPDATE: FIXED. See the comments below.

A couple weeks ago, I installed twitbin, a Firefox extension that loads twitter in a sidebar. But, I just happened to be checking my browser cookies, and I noticed that my twitter username and PASSWORD were stored in my browser cookies in plaintext! This is not even a session cookie -- it is persistent, with a one-year expiration.

Are you kidding me?! Twitbin -- uninstalled.

"[I]t is never appropriate for cookies to contain plaintext user names and passwords." [The World Wide Web Security FAQ]

]]> http://yabfog.com/blog/2007/10/23/twitbin-fails-basic-password-security/feed 2 WordPress and JavaScript Hijacking http://yabfog.com/blog/2007/04/13/wordpress-and-javascript-hijacking http://yabfog.com/blog/2007/04/13/wordpress-and-javascript-hijacking#comments Fri, 13 Apr 2007 15:56:25 +0000 Dan http://yabfog.com/blog/2007/04/13/wordpress-and-javascript-hijacking/ I read this paper that Bruce Schneier linked to regarding JavaScript hijacking. Seems to me that WordPress plugin developers who piggyback on WordPress's builtin security features shouldn't have anything to worry about.

Judging from what little buzz there was, I think that's probably true, but I'm interested in others' thoughts.

]]> http://yabfog.com/blog/2007/04/13/wordpress-and-javascript-hijacking/feed 0 Yikes! WordPress Hacked! http://yabfog.com/blog/2007/03/02/yikes-wordpress-hacked http://yabfog.com/blog/2007/03/02/yikes-wordpress-hacked#comments Fri, 02 Mar 2007 22:59:01 +0000 Dan http://yabfog.com/wp/2007/03/02/yikes-wordpress-hacked/ The WordPress crew have announced that the WordPress 2.1.1 download got cracked by an unnamed attacker who injected some code that would allow remote code execution. I'm glad I haven't upgraded!

]]> http://yabfog.com/blog/2007/03/02/yikes-wordpress-hacked/feed 0 Scheduled Tasks - Running Tasks Without A Password http://yabfog.com/blog/2005/10/06/scheduled_tasks_running_tasks_without_a_ http://yabfog.com/blog/2005/10/06/scheduled_tasks_running_tasks_without_a_#comments Thu, 06 Oct 2005 12:13:32 +0000 Dan For XP Pro: Go to Start/Administrative Tools/Local Security Policy/Security Settings/Local Policies/Security Options
Accounts: Limit local account use of blank passwords to console logon only. This is enabled by default, disable it.

For XP Home: (Keith Miller) Go to Start/Run/Regedit and navigate to this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Value name: limitblankpassworduse, Type: REG_DWORD, Data: 0 (disabled) 1 (enabled)

For Home: Run Scheduled Task without a Password (Line 67)
http://www.kellys-korner-xp.com/xp_tweaks.htm

Source:
Windows XP FAQ

]]> http://yabfog.com/blog/2005/10/06/scheduled_tasks_running_tasks_without_a_/feed 7