[SecurityRatty] tag: sounds

Zango And The Batman Online Videogame

Wed, 03 Sep 2008 07:00:00 +0000

This is Newsarama, a site (mostly) geared around comics and other related media:

Click to Enlarge

You'll notice Batman, over on the right there. Let's take a closer look:

"Free Online Batman Game"? Well, that's curious because I follow comics pretty closely and I'd be the first to know if an "Online Batman Game" had been in the works (this advert has been doing the rounds on numerous comic-related websites. Visit the URL in the ad - Batmangame.info - and you'll see this...

Click to Enlarge

There it is again - "Online Batman Game". Furthermore, the text goes on to say:

"Batman Online lets you do anything and every little thing you'd like in a Batman game. From leveling up your character to destroying villans, it has it all. Download and play this amazing game now, all for free! I'm sure you'll be playing for hours on end, it's that much fun.

    Level Up Your Character

   Explore a Huge Vast World

   Play Online With Your Friends

   Hundreds of Quests To Finish

   Perfect Battle System

So start your Batman adventure today! Download the full game below and fight them all!"

Note that they specifically call it "Batman Online". It specifically sounds like a text blurb you'd expect to see with a MMORPG. However, something isn't quite right here.

1) The only DC licensed MMORPG anybody knows of is this, and it isn't due out until 2009. It's not Batman-centric, either.

2) The screenshots are lifted from the Batman Begins videogame, which came out in 2005. If you were offering a "Batman Online Game", wouldn't you use screenshots from that instead of an unrelated title?

3) Absolutely no licensing, copyright or legal mumbo-jumbo on the page anywhere. DC and Warner Bros don't roll like that.

4) The website - Batmangame(dot)info - is registered anonymously. Not exactly something you see everyday for websites related to licensed DC franchises such as Batman videogames.

5) "To download and play the Batman Online Game you must download and install Zango as well. It is free, very easy to install and will give you access to the full game."

Shall we continue?

Click to Enlarge

A Zango installer prompt, complete with picture of Batman at the top. If you say "No" to the install, you end up on Google.com. What happens if you click "Start"? Well, you'll get the usual collection of Zango installer screens including one that rather humorously has a guy in a superhero costume.

Once everything is installed, you're taken to another page and from here things just get plain confusing. Remember, up to this point you've been promised an "Online Batman Game", the description of which is clearly intended to evoke images of a MMORPG. However....

Click to Enlarge

All of a sudden, you're being told you're downloading "Batman: Vengeance" on a cheap-looking splash page and shown what looks like an unofficially ripped Batman: Vengeance trailer on Youtube.

In case you're unaware, Batman: Vengeance is a videogame first launched way back in 2001 for consoles (followed shortly after by a PC version). What does this have to do with an "Online Batman Game"? Well, nothing, actually. Aside from the fact you were presented with one thing and are now handed another, things get even stranger when you see the download location:

Click to Enlarge

Have you ever heard of an officially licensed game being offered via Rapidshare downloads? It's possible, I guess, but it seems a little odd. However, the real oddness is reserved for the "Online Batman game" itself.

Remember, we've been promised "Hundreds of quests", "A huge vast world", the ability to "level up your character" and (of course) the "play online with your friends" promise of greatness.

Click to Enlarge

Imagine your dismay, then, when you've installed Zango, downloaded the game from Rapidshare using up around 140MB of bandwidth, installed it and....

Oh dear.

Not only are you given a totally different game than what was advertised, you're given a DEMO VERSION of that game with four short sample levels present, no online functionality and quite a few less quests than the "hundreds" advertised.

Hilariously, you can download a 100% legit copy of this demo here at Fileplanet, sans Adware. Setting aside the issue of whether this file is actually sitting on Rapidshare with either Ubisoft or DC / Warner Bros permission (and if it IS okay to be there, I'm pretty sure it's NOT okay to falsely advertise it as some kind of MMORPG) there are some questions that need to be raised here.

When this guy approached them with his website, did nobody stop to think that this game did not actually match up with the "Online Batman" game it was touted as? Didn't someone at Zango Quality Control actually download the game and see the big "This is a demo" wording as soon as it starts up? Or question why the screenshots on the website don't look like the graphics for Batman: Vengeance in the slightest?

However you look at it, this is a scam, pure and simple. Whoever came up with the idea of an "Online Batman Game" is lying through their teeth. Of course, because their website is registered anonymously we have no idea who the culprit is, unless of course Zango want to deposit them on the steps of Gotham City and let me dispense some Batman-style justice to their posterior.

However, based on the way these things tend to go - God forbid anyone ever offer up the identity of someone happily scamming the public at large, even when that person is dragging the name of the company associated with them through the mud by their antics - I think I might be waiting some time for the Bat Signal...

Leave Your Webcam On 24/7? Might Want To Reconsider...

Mon, 01 Sep 2008 11:46:09 +0000

It's nothing new that many hackers use programs that allow them to "spy" on their victims once they've compromised the PC (as long as they have a webcam switched on, of course). Similarly, hacking culture has always had a fascination for memes, incorporating them into part of the design of their latest DDoS tools.

However, the strange obsession with shock memes has now spilled into a "fun" game currently doing the rounds on various hacking sites and forums.

What this involves is hackers compromising a PC, ensuring the victim has a webcam switched on then opening up shock meme websites at the most inopportune moment, recording the moment of impact with the webcam feed. Or, as one guy put it:

If you don't know what Meatspin is, you can probably count yourself lucky. If you still want to know, click here (for an explanation. Not Meatspin itself, though the explanation might be classed NSFW anyway).

Here's a real life example of one such incident, taken from a message board:

Click to Enlarge

Typically, the shock meme website is opened up at full blast, which startles the victim (most sites of this nature loop a piece of music in the background while the, er, action takes place on screen). The bigger the shock, the better. Here's one guy who sounds like he shot about six feet in the air when the meme site fired up in his browser:

Click to Enlarge

This might all sound like fun and games - sort of - but note that the above individual did try to grab the victims credit card details.

Generally, the attacker doesn't interact with the victim (because they want friends, relatives or others to think the victim actually brought the site up themselves) but here's a little trash talk anyway:

At this point, the attacker may or may not grab a screenshot for posterity. I've seen quite a few galleries on sites comprised of people looking shocked at Tubgirl, or being spun round baby right round by Meatspin, and there's no doubt countless others out there floating around. Of course, not everybody is shocked (or indeed impressed) by a shockmeme site popping up on their computer. As an example of that, take this guy:

Full credit to anyone that counters a shockmeme site appearing on their desktop by picking their nose for five minutes. At any rate, the golden rule with this is that the hackers only bother doing this when a webcam is present and left switched on. If there's no webcam, there's no point trying to elicit a response (because for all they know they're popping open 2 Girls and 1 Cup to an empty server room).

Webcams can be a fun tool, but remember to switch them off every now and again or they could come back to haunt you. Of course, depending on the shock meme site deployed (and who happens to be in the room with you at the time), that could be the least of your worries...

Erase Your Hard Drives Before Selling Them

Wed, 27 Aug 2008 06:48:00 +0000

Sounds like a no-brainer, but it’s a lesson that some large companies still have to learn.

IT manager Andrew Chapman purchased a used drive on eBay, for just 77 British pounds, only to find that it contained the financial history and information for several million people, customers of the Royal Bank of Scotland (RBS) and its subsidiary, Natwest. Luckily for them, Chapman had their best interests at heart and reported the problem, rather than selling or using the information.

According to Evan at the Breach Blog:

The University of Glamorgan conducted research about hard drives bought on eBay that contained sensitive information and published their findings in September 2007. If people don’t think that criminals are buying hard drives on eBay, searching for sensitive information (personal information, health information, corporate secrets, intellectual property, etc.), then they are deluded

Click here to read the full article.

New Releases at Defcon

Tue, 19 Aug 2008 09:04:12 +0000

One of my funny moments at Black Rock City last year was meeting a random guy early one morning on deep playa, chatting and finding out we both were involved in IT security. He’d been at the defcon conference just before Burning Man, we talked for just a minute about industry publications and the hacker contests, before getting distracted with shinier things. I’m not going this year but everyone I know is buzzing about BM this year:)

I was just reminded of this randomly just by reading this list of new tools released at the Defcon this year. Sounds like a busy conference, with a lot of hackers who love what they do. Good stuff.

It has become more like a global fair than what most people think of conferences; even the badge is highly unique. I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!” so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse it’s hard to find all of the “stuff” they release.

Read the list and full article here

Will Passwords Become Obsolete?

Fri, 15 Aug 2008 09:46:48 +0000

I can’t keep track of how many different passwords I have, although I know it’s not nearly enough — I tend to be lazy like most people and re-use the same passwords for many different accounts.
But here’s a new idea — what if passwords for online accounts were replaced entirely by cryptographic keys that sat on our desktops like icons, and functioned in the background, so we wouldn’t need to remember a string of letters or numbers?

An interesting blog post this morning discusses the obstacles and implications of this kind of technology, in part quoting a recent New York Times article —

In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.

An obstacle to this kind of system are the current initiatives toward Open ID and single-sign on services, strategies that are backed by large industry players such as the Equifax, Google, Novell, Microsoft, Oracle, etc. In the open ID system, you would log in to a session on the web with one password, which would be accepted by any application/account supporting the open ID infrastructure.

To me Open ID sounds like a step backwards, toward less security…
then again, I would think that encrypting everything could also make your system run significantly slower, and that it wouldn’t prevent all the risks either…

UK Police Seize War on Terror Board Game

Fri, 15 Aug 2008 02:50:02 +0000

They said -- and it's almost to stupid to believe -- that:

the balaclava "could be used to conceal someone's identity or could be used in the course of a criminal act".

Don't they realize that balaclavas are for sale everywhere in the UK? Or that scarves, hoods, handkerchiefs, and dark glasses could also be used to conceal someone's identity?

The game sounds like it could be fun, though:

Each player starts as an empire filled with good intentions and a determination to liberate the world from terrorists and from each other.
Then the reality of world politics kicks and terrorist states emerge.

Andrew said: "The terrorists can win and quite often do and it's global anarchy. It sums up the randomness of geo-politics pretty well."

In their cardboard version of realpolitik George Bush's "Axis of Evil" is reduced to a spinner in the middle of the board, which determines which player is designated a terrorist state.

That person then has to wear a balaclava (included in the box set) with the word "Evil" stitched on to it.

Buy yours here; I first blogged about it in 2006.

Fog of the Future: Cloud Computings on the Horizon

Thu, 14 Aug 2008 08:56:26 +0000

If you trust the media and are looking to the future, you might be thinking a good deal about Cloud Computing — according to ComputerWorld, this could be the next big movement.

I’ve heard the buzzwords but wasn’t exactly sure what they meant–luckily, when there’s media hype, there are definitions, too. According to this article, cloud computing is exemplified by Software as a Service — outsourced, hosted platforms and software that perform services for companies.

Another article puts it slightly differently:

OK, let us look at what form of computing in being provided via the cloud. In this model, all IT applications and facilities (i.e. compute, storage and network) are provided as a service rather than dedicated infrastructure. This is intended to allow any user, independent of client platform, to access IT services without knowledge or concern of their location or form. Sound familiar — it’s a service-oriented architecture (SOA)!

In addition, cloud computing incorporates almost every computing manifestation within the IT world: distributed, grid, utility, on-demand, open-source, Web services, P2P, Web 2.0 and, last but not least, software as a service.

It also accommodates thin, thick and mobile clients and allows integration of corporate, commercial and service provider cloud-accessed resources. As an example, in this model, storage is a service resource that is accessed via the cloud, not a dedicated user resource.

Honestly I read that last one first and found the definition a bit dense. It sounds like a summation of everything that makes up our Internet infrastructure already, so how is that different than the Internet itself? Well, cloud computing isn’t about what service or devices are being supported — it’s more about how it’s being provided– it is a location-independent style of computing. The first article calls it “platform as a service.”

Have you heard better definitions of what cloud computing is and does? Share them in the comments below. Thanks!

Trust No One?

Wed, 13 Aug 2008 10:46:48 +0000

Sorry to go all X-Files on you, but I received an EMail earlier today that really drives home how paranoid we probably all are about Phishing nowadays.

Entitled "Chris Boyd, would you be able to spot a fake email?", it was apparently from Paypal:

"Protect yourself from phishing: Paypal is working with Gmail and Yahoo! to block fake Paypal emails from your inbox. Learn how".

As it turns out, the email was legitimate - but as soon as I hear someone asking me "Can you spot a fake Email", my brain is sadly conditioned to assume the mail asking me that question is fake too.

Kind of depressing, isn't it? At any rate, it's interesting how certain words / phrases in mails will automatically set alarm bells ringing. If I'd received this email, I'd have deleted it as soon as I saw the phrase "Your download to win contest has arrived".

Download to Win Contest?? That sounds so very, very wrong, doesn't it?

Twelve billion dollars!

Wed, 13 Aug 2008 10:37:00 +0000

Sounds like a Dr. Evil sound bite :). In fact this could be the potential impact of the 41 million cards stolen - according to security company Jefferson Wells. The amount is a result of simple multiplication - 41 million x $300 for each card lost. On the higher end, no doubt.

While I don't think the real cost is anywhere close to that (even by an order of magnitude), it is still a large number. Even at street price of $2 per card, someone must be making 41 million x $2 = $82M!

More scary to imagine, is where this stolen data is going, what kind of money they are making and what illegal stuff is being done with it.

Wee-Fi: iPhone Penetration, Hotspots Undercounted, Warballoon, Cincy Bus-Fi

Mon, 11 Aug 2008 05:49:01 +0000

iPhone sleeper cell: Security researchers demonstrated the use of an iPhone with an external battery pack as a method of sniffing networks from a mailroom, to find information that a business might not feel that it has to secure in the heart of its operations. Errata Security performed distant penetration testing for a client in this way, and found most of their wireless networks unprotected. This is sort of absurd, and I'll be curious what Errata posts on their own site about this project--the scope sounds wrong in the reporting on their talk--because every firm of any scale has some kind of encryption on their internal networks. If they don't, you have concerns at a much higher level than penetration testing.

Four chains, four Wi-Fi pay policies: CIO magazine looks at Borders, McDonald's, Panera, and Starbucks, and how they're offering Wi-Fi. I'd like to suggest you read this article, but the author writes, "Right now, according to Hotspot Locations, there are more than 33,000 WLAN hotspots worldwide, and more than 10,000 in the United States alone." I don't know who "Hotspot Locations" is, and I need to disclose that I have a financial interest in what must be their competitor, JiWire, but any hotspot finder that calls them "WLAN Hotspots" and reports 11,712 in the U.S. and 33,106 worldwide just isn't working very hard. JiWire lists over 230,000 hotspots worldwide, and notes over 60,000 in the U.S., while Boingo and iPass each resell access to over 100,000 hotspots worldwide.

Up, up, and away in my beautiful, my beautiful warballoon: Defcon hackers deployed a balloon with Wi-Fi receivers on it 150 feet in the air to scan for network vulnerabilities in Las Vegas last week. They found 1/3rd of networks had no encryption--although I always wonder if they're using passive scanning where 802.1X allows a limited connection for authentication and appears "open" in some ways, or if they were actively scanning, in which case 802.1X networks would be unavailable.

Cincinnati Metro service has Wi-Fi on 20 buses: The free service supplied by AT&T in an ads-for-access deal with the authority was placed after a couple years of testing on a relatively long commuter run. The authority spends $15,000 per bus to setup a connection, which seems rather pricey. Other authorities are paying in the low thousands, from what I've seen, so I'm not sure what their particular case is.