Monday, April 30, 2007

G.R.L. & Critical Mass Brooklyn 2007



The G.R.L. rolls out its newest probably-not-street-legal vehicle, the Mobile Broadcast Unit: audio, projection and L.A.S.E.R. tag systems all mounted on a big tricycle. Last Friday, the G.R.L. went to war against boredom and had a blast riding and writing with Critical Mass in Brooklyn. Beginning in the summer in NYC you will be able to borrow the MBU to wage your own personal wars in the city. Stay tuned.

-----------------------------

Local Group - Austin Critical Mass

MOMBY - Ashes to Ashes, Dust to Dust

Well, MOMBY has come to an end.

That silly Spammer trick that I found was given a second look as MOMBY-00010100a.

Will it be the last "Month of [Insert Product that Requires Attention]"??

Who knows...but I have a strange feeling we haven't quite seen the end of this book...

Natural Orifice Translumenal Endosurgery (NOTES)

Via newscientist.com -

Imagine surgery that could be performed without general anaesthetic, requires hardly any recovery time, and leaves you with no visible scars. The catch: it may also leave a very unpleasant taste in your mouth – along with part of your spleen, prostate or perhaps your gall bladder.

Transgastric surgery, or natural orifice translumenal endosurgery (NOTES), as it is officially known, involves passing flexible surgical tools and a camera in through the patient's mouth to reach the abdominal cavity via an incision made in the stomach lining. Once the operation is over, the surgeon draws any removed tissue back out through the patient's mouth and stitches up the hole in the stomach.

To some it may sound disgusting, to others the prospect of scar-free surgery may sound too good to be true. Either way it's coming. In the past couple of weeks three separate surgical teams say they have carried out NOTES procedures on humans - surgical firsts for both Europe and the US. And doctors in India say they have performed appendectomies through the mouth.

State Department Puts Embassies Up for Sale

Via Govexec.com -

WASHINGTON (AP) -- Looking for a stately home or opulent office overseas? One in a posh neighborhood or overlooking an exotic capital? Maybe with a glorious or infamous past? The U.S. government may have a deal for you.

From Kinshasa to Katmandu, Bangkok to Bogota, U.S. embassies, ambassadorial residences and other diplomatic digs are up for sale as the State Department moves its employees to more secure locations, upgrades facilities and combines operations in multipurpose compounds.

Some 29 properties worth more than $205 million are now on the market in 21 countries, including a huge and historic embassy annex in the heart of London, large chancery buildings in Panama, Nicaragua and Nepal and homes fit for envoys extraordinary in Belize and Venezuela.

...

All have been declared "excess property" and listed for sale with private real estate brokers by the State Department's bureau of Overseas Buildings Operations, which manages more than 3,500 U.S. government properties in 193 countries.

Chinese Operatives Active In Canada

Via Canada.com -

OTTAWA (CP) - Almost half the effort the country's spy-watchers put into monitoring suspicious foreign activity in Canada is devoted to Chinese operatives, the head of CSIS said Monday.

Jim Judd, director of the Canadian Security Intelligence Service, said there are a lot of foreign agents operating in Canada, many adopting the guise of innocent visitors. "It's surprising, sometimes, the number of hyperactive tourists we get here and where they come from."

Judd told the Senate committee on defence and national security that 15 countries account for most of the concern when it comes to foreign intelligence-gathering or interference in Canadian affairs.

He wouldn't identify all those countries, but did tell senators that China tops the list.

He said CSIS tries to keep close tabs on foreign operatives and hopes "that we have all the bases covered."

Judd said his agency is charged with monitoring foreign efforts to collect information, both public and private; to meddle in Canadian affairs; or to foment trouble within ethnic communities. China has been accused of all three activities in the past and has steadfastly denied it has spies in Canada.

...

Two years ago a pair of Chinese officials who defected and sought asylum in Australia said China was running hundreds of spies and informants in Canada, mainly in Vancouver and Toronto.

One of the defectors said some of those agents were charged with intimidating members of the Falun Gong sect in Canada.

Prime Minister Stephen Harper, when he was still Opposition leader, claimed there were up to 1,000 Chinese agents in Canada.

He quoted a CSIS official as saying that Chinese spies stole $1 billion worth of technological secrets every month.

---------------------------------------

I was in Vancouver for CanSecWest and it does have a very diverse Chinese-speaking population.

Top 10 Toxic Waste States

Via BadGuys Blog -

Twenty-seven years ago, after environmental disasters like Love Canal, the feds created a Superfund program to clean up America's toxic waste dumps. But today, that effort has run out of steam and stands underfunded and largely forgotten–despite the fact that nearly half of all Americans live within 10 miles of Superfund sites.

This worrisome bit of news comes from "Wasting Away," the latest investigation out of the Washington, D.C.-based Center for Public Integrity. The center found that fewer than 20 percent of the dumps have been cleaned up enough to be removed from the Environmental Protection Agency's list of worst sites and that the agency recoups only a fraction of what it used to get from polluters to clean up the mess. The center's website includes a handy database of all 1,623 Superfund sites searchable by state and company, complete with maps, contaminants, and population figures.

Osama bin Laden Look Alike Arrested

Via DailyIndia.com -

CHITRAL, Pakistan, April 30 (UPI) -- A man who looks like Osama bin Laden has now been arrested twice, with the latest arrest having taken place near Chitral, Pakistan.

Sher Akhbar of the Afghan village of Bach e Metal reportedly looks like he could be bin Laden's twin, ABC News reported Monday. Akhbar was arrested after Pakistani intelligence officials reported bin Laden had been active in the area. "We arrested this man as a result of this investigation, but it's not who you might think it is," a senior Pakistani intelligence official told ABC News.

The official added that an investigation involving Pakistani and U.S. intelligence officers revealed Akhbar had no connection to bin Laden, but local residents tried to cash in on a $25 million reward based on Akhbar's resemblance to the terrorist leader.

The United States has an outstanding offer of a $25 million reward for information leading to bin Laden's arrest.

Tools of the Trade - Bigger Than Googol

A googol is the large number 10^100, that is, the digit 1 followed by one hundred zeros (in decimal representation). The term was coined in 1920 by nine-year-old Milton Sirotta, nephew of American mathematician Edward Kasner. Kasner popularized the concept in his book Mathematics and the Imagination.

The Internet search engine Google was named after this number. Larry Page, one of the founders, was fascinated with mathematics and the googol, even during high school. They ended up with "Google" due to a spelling mistake.

On to the tools....

1) On April 29th, Pidgin (Formerly Gaim) 2.0.0 Beta 7 was released. Pidgin is an instant messaging program for Windows, Linux, BSD, and other Unixes. You can talk to your friends using AIM, ICQ, Jabber/XMPP, MSN Messenger, Yahoo!, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, QQ, Lotus Sametime, SILC, SIMPLE, and Zephyr.

2) On April 27th, AVG Free Edition 7.5.467 was released. Improvements include:

* Improved polymorphic viruses detection.
* Some improvements in help.
* Fixed problem with starting avgrssvc during the installation.

3) On April 27th, VMware Player 1.0.4 Build 44386 was released. Check out the changelog for all the details.

4) On April 26th, VMware Workstation 5.5.4 Build 44386 was released. Several security issues were fixed.

5) On April 25th, Tor 0.1.2.13 was released. Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.

6) On April 17th, 7-Zip 4.45 beta was released. See the changelog for all the details.

7) On April 16th, FileZilla 2.2.32 was released. This update fixes format string vulnerabilities which might be exploitable, so this update is highly recommended.

8) On April 12th, Snort 2.7 beta 2 was released. See the changelog for all the details.

Sunday, April 29, 2007

Exploiting Online Games, Cheating Massively Distributed Systems

Via Rootkit.com -

http://www.amazon.com/Exploiting-Online-Games-Multi-user-Computer/dp/0132271915

Online Games represent the most complex multi-user systems on the planet. The security problems that plague games today will plague the business applications of tomorrow. Learn how to cheat and break games like World of Warcraft from the inside out. Learn how to protect your next generation application from exploitation.

New Photoshop and IrfanView Exploits

IrfanView <= 4.00 .IFF File Buffer Overflow

Photoshop CS2/CS3, Paint Shop Pro 11.20 .PNG File Buffer Overflow

AFAIK, there are no patches for these vulnerabilities.

Moral of the Story - Do not open untrusted image files.

Student Arrested for Creative Writing Essay

Via Wired Threat Level Blog -

Chicago high school student Allen Lee, 18, was arrested and charged with "disorderly conduct" for writing an essay in creative writing class that his teacher found disturbing. He's also been barred from classes at Cary-Grove High School, where he's reportedly been a straight-A student. The Chicago Tribune reports that the teacher had "encouraged students to express their emotions through writing."

Cary Police Chief Ron Delelio said the charge was appropriate even though the essay was not published or posted for public viewing. Disorderly conduct, which carries a penalty of 30 days in jail and a $1,500 fine, is filed for pranks such as pulling a fire alarm or dialing 911. But it can also apply when someone's writings can disturb an individual, Delelio said. "The teacher was alarmed and disturbed by the content," he said.

Let's hope the unnamed English teacher doesn't discover the public library, or the Chicago cops will be looking to arrest nearly every important author in the last century for disturbing the peace.

It's noteworthy that this action wasn't a knee-jerk response. It followed a round-table discussion by school district officials, who not only concluded that Lee's essay was so disturbing as to demand action, but evidently eschewed moderate responses like contacting his parents or referring him to the school counselor in favor of having him arrested and charged with a crime for his words.

--------------------------

This is double plus ungood....

NIST Issues Guidelines for Ensuring RFID Security

Via NIST.gov -

Gaithersburg, MD – Retailers, manufacturers, hospitals, federal agencies and other organizations planning to use radio frequency identification (RFID) technology to improve their operations should also systematically evaluate the possible security and privacy risks and use best practices to mitigate them, according to a new report from the Department of Commerce’s National Institute of Standards and Technology (NIST).

“RFID tags, commonly referred to as smart tags, have the ability to improve logistics, profoundly change cost structures for business, and improve the current levels of safety and authenticity of the international pharmaceutical supply chain and many other industries,” said Under Secretary of Commerce for Technology Robert C. Cresanti. “This important report lays the foundation for addressing potential RFID security risks so that a thoughtful enterprise can launch a smart tag program with confidence.”

RFID devices send and/or receive radio signals to transmit identifying information such as product model or serial numbers. They come in a wide variety of types and sizes, from the size of a grain of rice or printed on paper to much larger devices with built in batteries. Unlike bar coding systems, RFID devices can communicate without requiring a line of sight and over longer distances for faster batch processing of inventory and can be outfitted with sensors to collect data on temperature changes, sudden shocks, humidity or other factors affecting products.

As RFID devices are deployed in more sophisticated applications from matching hospital patients with laboratory test results to tracking systems for dangerous materials, concerns have been raised about protecting such systems against eavesdropping and unauthorized uses.

“The goal of our report,” according to lead author Tom Karygiannis of NIST, “is to give organizations practical ways in a structured format with checklists and specific recommendations to address potential RFID security risks.”

...

NIST prepared the new report as part of its responsibilities under the Federal Information and Security Management Act of 2002 to help federal agencies provide adequate security for their information technology systems. However, its recommendations for selecting appropriate security controls for RFID systems are likely to be useful to other types of organizations as well.

The full report is available at:
http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf

Metasploit Wikibook

http://en.wikibooks.org/wiki/Metasploit/Contents

Jerome started on Writing Windows Exploits
grutz started on Tips and Tricks
Video Tutorials
Kashif started on Developing Auxiliary Modules
Kashif started on Using Metasploit
Kashif started on Utilizing Mixins for Exploit/Auxiliary modules development

Belgian Investigating Possible Terrorist Group

Via WikiNews.com -

Belgian Federal prosecutor Johan Delmulle has said in an interview published in the Flemish newspaper De Tijd today that the Federal police are investigating a possible terrorist group that recruits Belgians to commit suicide attacks in Iraq.

According to Delmulle, the Federal police started a record 106 new terrorism inquiries last year, compared to 89 in 2005, and 134 between 2004 and 2002. The trend also confirms itself in 26 cases that were handed over to the courts in 2006, compared to 14 the year before. The majority, i.e. 17 of those cases, concerned terrorist cells that were located in the capital city of Brussels.

The cases drew from 318 messages of possible terrorist activities that were received in 2006. Every single case was reviewed carefully, according to Delmulle: "We treat every report as if a real terrorist attack was pending. The margin of error has to be zero." In an interview with TV-station VTM, Delmulle attributed the increasing reports on terrorism to the increased attention for the phenomenon, and not to an increased terror threat.

The federal prosecutor told De Tijd that Belgium mostly has to deal with "sleeping terrorist cells":

Those cells will not immediately become operational here [in Belgium, ed.], but they often offer logistic support to operational cells abroad. For example, they deliver false documents or help persons ex- [sic.] or infiltrate from and to areas of increased risk, such as Iraq and Afghanistan. There is even an ongoing judicial investigation about a cell that recruits Belgian subjects here to commit suicide attacks in Iraq.

Delmulle told VTM he wanted the next Justice Minister to deal with the fact that the names of investigators are mentioned in judicial files. According to the prosecutor, people in the terrorist environment are trying to get a hold on names and locations of inspectors, information about their families and so on, which in turn leads to actual threats. Delmulle himself has been under police protection for the last 5 months because he is the prosecutor in the case of Ferye Erdal and other members of the Turkish resistance group DHKPC.

Saturday, April 28, 2007

Fighting the Heisenberg Principle with Entanglement

Via Nature.com -

A team of researchers has, for the first time, hacked into a network protected by quantum encryption.

Quantum cryptography uses the laws of quantum mechanics to encode data securely. Most researchers consider such quantum networks to be nearly 100% uncrackable. But a group from the Massachusetts Institute of Technology (MIT) in Cambridge was able to 'listen in' using a sort of quantum-mechanical wiretap. The trick allowed them to tease out about half of the data, in a way that couldn't be detected by those transmitting or receiving the message.

The group admits that their hack isn't yet capable of eavesdropping on a real network. "It is not something that currently could attack a commercial system," says Jeffrey Shapiro, a physicist at MIT and one of the authors on the study.

But they expect that one day it will be able to do so, if quantum encryption isn't adequately adapted to stop such hackers from succeeding.

Most quantum networks send secret data in the polarization of photons. The sender encodes each photon's polarization such that the receiver who tries to measure it will only get the right information out about half of the time. When this information does come through, the duo can agree to use that particular bit of data as a key to encode and decode a message.

The system ensures secrecy because anyone intercepting a transmitted photon will disrupt its polarization, and affect the rate at which the receiver can correctly measure it. So the sender and receiver can detect the eavesdropper by noticing a spike in the transmission error rate. They can then stop communicating or try again on a different network.
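To make the detection mechanism described above concrete, here is an added Python simulation; it is not code from the Nature article or from the MIT team. It models BB84-style polarization encoding, basis sifting, and a naive intercept-and-resend eavesdropper, whose wrong-basis guesses push the sifted-key error rate to about 25% versus 0% on a clean channel. It does not model the entanglement-based tap the article describes; the function names and the 11% abort threshold are assumptions made for this example.

```python
"""Toy BB84 simulation: basis sifting and eavesdropper detection via the error rate."""
import random

# Two polarization bases. A photon prepared in one basis and measured in the other
# yields a random bit; that rule is both why half the raw bits are discarded in
# sifting and why an intercept-and-resend eavesdropper leaves a measurable trace.
BASES = ("rectilinear", "diagonal")


def measure(bit, prep_basis, meas_basis, rng):
    """Bit read by a detector set to meas_basis for a photon prepared as (bit, prep_basis).
    Matching bases read the bit exactly; mismatched bases give a uniformly random outcome."""
    if prep_basis == meas_basis:
        return bit
    return rng.randint(0, 1)


def run_bb84(n_photons, eavesdrop, seed=1):
    """Simulate one key exchange and return (sifted_key_len, qber).

    sifted_key_len: bits kept after sender and receiver publicly compare bases.
    qber: fraction of those kept bits on which sender and receiver disagree.
    With eavesdrop=True an intercept-and-resend attacker measures every photon in a
    random basis and re-emits a photon carrying what she measured.
    """
    rng = random.Random(seed)
    sender_bits, sender_bases, receiver_bits, receiver_bases = [], [], [], []

    for _ in range(n_photons):
        bit = rng.randint(0, 1)
        basis = rng.choice(BASES)
        sender_bits.append(bit)
        sender_bases.append(basis)

        # State of the photon in flight, as prepared by the sender.
        photon_bit, photon_basis = bit, basis
        if eavesdrop:
            eve_basis = rng.choice(BASES)
            eve_bit = measure(photon_bit, photon_basis, eve_basis, rng)
            # Eve re-sends in *her* basis, which is the wrong one half of the time.
            photon_bit, photon_basis = eve_bit, eve_basis

        r_basis = rng.choice(BASES)
        receiver_bases.append(r_basis)
        receiver_bits.append(measure(photon_bit, photon_basis, r_basis, rng))

    # Sifting: both sides announce bases over the public channel and keep the matches.
    kept = [i for i in range(n_photons) if sender_bases[i] == receiver_bases[i]]
    if not kept:
        return 0, 0.0
    errors = sum(1 for i in kept if sender_bits[i] != receiver_bits[i])
    return len(kept), errors / len(kept)


def eavesdropper_detected(qber, threshold=0.11):
    """Abort rule applied to a sample of sifted bits: a QBER above the threshold
    (11% assumed here, the bound usually quoted for BB84) means stop and retry."""
    return qber > threshold


if __name__ == "__main__":
    for tapped in (False, True):
        key_len, qber = run_bb84(4000, eavesdrop=tapped)
        print(f"eavesdropper={tapped}: sifted bits={key_len}, QBER={qber:.3f}, "
              f"abort={eavesdropper_detected(qber)}")
```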

Shapiro and his co-authors have successfully executed a trick that gets at least part-way around this. To listen in, the team used a quantum-mechanical principle known as entanglement, which can link together two different traits of a particle. Using an optical setup, the team was able to entangle the transmitted photon's polarization with its momentum. The eavesdropper could then measure the momentum in order to get information about the polarization, without affecting the original polarization.

But the tap isn't perfect, says co-author Franco Wong. The entanglement does sometimes perturb the polarization, and Wong says that the team can only extract about 40% of the transmitted data without causing the error rate to rise noticeably.

The idea for this cunning trick has been around since 1998, but nobody had put it into practice until now. The team's experimental proof-of-concept is published in the 25 April issue of the journal Physical Review A.

Friday, April 27, 2007

Saudi Teens Use Bluetooth to Swap Porn

Via Middle East Times -

RIYADH -- Pornographic material accounts for nearly 70 percent of messages exchanged through mobile telephones between teenagers in ultraconservative Muslim Saudi Arabia, a newspaper reported Wednesday.

Misuse of Bluetooth technology by young men and women is increasing, the English-language Arab News said, citing the findings of a recent study.

Eighty-eight percent of girls have been "victims" of such misuse, it quoted study author and professor Abdullah Bin Mohammed Al Rasheed as saying.

The study focused on teenage boys detained by religious police for harassing girls in the Qasim region north of Riyadh.

"The flash memory of mobile phones taken from teenagers showed 69.7 percent of 1,470 files saved in them were pornographic and 8.6 percent were related to violence," Rasheed said.

Young men and women are banned from mixing in public in oil-rich Saudi Arabia, which enforces a strict Islamic moral code. Bluetooth technology links devices such as mobile phones wirelessly. In a separate study of 1,200 women aged 18 to 25, Rasheed found that 82 percent of them use Bluetooth continuously, Arab News said.

The paper said that 99 percent believe that the device has broken the barrier of social taboo and traditions, and about 77 percent admitted that they had used it even inside the grand mosque in Mecca, Islam's holiest shrine.

-----------------------------

There is no stopping technology....

MySpace Launched in China

Via Middle East Times -

BEIJING -- MySpace announced its launch in China Thursday, following months of speculation about the Rupert Murdoch-controlled social networking site's plans for the nation's 137 million Internet users.

MySpace China introduced itself as a "locally owned, operated, and managed company" in which News Corp.-owned MySpace Inc. was only one among several investors. "Based on the MySpace global brand and technology platform, we will develop products and features that are tailored to today's Chinese citizens," said MySpace China CEO Luo Chuan, a former Microsoft executive.

Other investors include International Data Group and China Broadband Capital Partners, the investment company of former China Netcom Group Corp. chief executive Edward Tian.

Global Al-Qaeda Update

Via Military.com -

WASHINGTON - The Pentagon announced Friday the capture of one of al-Qaida's most senior and most experienced operatives, an Iraqi who was attempting to return to his native country when he was captured.

Bryan Whitman, a Pentagon spokesman, said the captive is Abd al-Hadi al-Iraqi. He was received by the Pentagon this week from the CIA, Whitman said, but the spokesman would not say where or when al-Iraqi was captured or by whom.

----------------------------------------------

Via Military.com -

RIYADH, Saudi Arabia - Police have arrested 172 Islamic militants, some of whom were being trained abroad as pilots so they could fly aircraft in attacks on Saudi Arabia's oil fields, the Interior Ministry said Friday.

The ministry issued a statement saying the detainees were planning to carry out suicide attacks against "public figures, oil facilities, refineries ... and military zones" - some of which were outside the kingdom.

"They had reached an advance stage of readiness and what remained only was to set the zero hour for their attacks," Interior Ministry spokesman Brig. Mansour al-Turki told The Associated Press in a phone call. "They had the personnel, the money, the arms. Almost all the elements for terror attacks were complete except for setting the zero hour for the attacks."

----------------------------------------------

Via Gulf Times -

ALGIERS: Algerian security forces have arrested 80 Algerian Islamists who made recent visits to Iraq for questioning about suicide bomb attacks in Algiers, a leading newspaper reported yesterday.

The daily, Echorouk, said the 80, suspected of having had links to Al Qaeda in Iraq, were being questioned about whether there was any connection between that branch of Al Qaeda and the bombings that killed 33 people in Algiers on April 11.

The attacks, the first large bombings in the centre of the Mediterranean port city in more than a decade, were claimed by the Al Qaeda Organisation in the Islamic Maghreb, an Algerian Islamist armed group. Most of the arrested men are Islamist militants who were in Iraq to combat the US occupation, and are now back home, a security source was quoted as saying by Echorouk.

“Abdelmalek Droudkel, the leader of Al Qaeda in the Islamic Maghreb, is pushing hard to hire them and take advantage of their experience in explosives, and suicide attacks,” Echorouk quoted a security source as saying.

NY Teen Hacks AOL Networks & Customer Information Database

Via Yahoo! News -

San Francisco (IDGNS) - A New York teenager broke into AOL networks and databases containing customer information and infected servers with a malicious program to transfer confidential data to his computer, AOL and the Manhattan District Attorney's Office allege.

In a complaint filed in Criminal Court of the City of New York, the DA's office alleges that between December 24, 2006 and April 7, 2007, 17-year-old Mike Nieves committed offenses like computer tampering, computer trespass, and criminal possession of computer material.

Among his alleged exploits:

* Accessing systems containing customer billing records, addresses, and credit card information

* Infecting machines at an AOL customer support call center in New Delhi, India, with a program to funnel information back to his PC

* Logging in without permission into 49 AIM instant message accounts of AOL customer support employees

* Attempting to break into an AOL customer support system containing sensitive customer information

* Engaging in a phishing attack against AOL staffers through which he gained access to more than 60 accounts from AOL employees and subcontractors

Nieves faces four felony charges and one misdemeanor charge. He was arraigned on Monday and remains detained, a DA's office spokesman said. His next court date is Friday for a procedural hearing to determine the next step in the case, the spokesman said. Nieves' attorney didn't immediately return a call seeking comment.

The alleged acts cost AOL more than $500,000. It's not clear whether customer data was stolen. AOL declined to comment. The DA's office spokesman said the investigation into Nieves' alleged acts continues. "It's too early to tell exactly what [data] he compromised or not," he said.

U.S. Intelligence Report on Contractors

Via DailyIndia.com -

WASHINGTON, April 26 (UPI) -- A government report on the growing use of contractors by U.S. intelligence agencies is too secret to be released.

Ronald Sanders, chief human capital officer for the director of intelligence, told The New York Times that information in the report could be used to deduce how many people are on the payroll. But he did say that about 25 percent of the "Intelligence Community's" work is now done by contractors.

"I can't give you anything that would allow you to impute the size of the (independent contractor) civilian work force," Sanders said.

The CIA, FBI, National Security Agency and other three-letter agencies involved in intelligence gathering have increased their use of contractors since 2001 because of the combination of budget cuts in the 1990s and increased demand for information following the 2001 terrorist attacks.

The House and Senate Intelligence committees are concerned that contracting out work could be more expensive. They also fear that spies could be lured away from civil service positions to work for their agencies as contractors.

Thursday, April 26, 2007

NSA Plans San Antonio Data Center

Via GCN.com -

The National Security Agency/Central Security Service said it has picked a facility in San Antonio as the site of a new data center. Before picking the San Antonio facility, NSA analyzed plans of commercial data centers and evaluated sites around the country with input from other government agencies, including the Army Corps of Engineers.

With input from other government entities, the spy agency is also looking into suggestions that it could share space in data centers with other intelligence agencies, NSA said in a statement.

As the world’s largest spy agency, NSA has 30,000 employees, an estimated $7.5 billion annual budget (the exact amount is classified) and has been described as the world’s largest user of supercomputers. According to one press estimate, its yearly electric bill is $21 million.

GIMP Exploit & Another MS07-017 Exploit

MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)

Gimp v2.2.14 .RAS File SUNRAS Plugin Buffer Overflow

No Software Solution for Insider Attacks

Via ComputerWorld.com -

LONDON -- Of all the security vendors exhibiting at Infosecurity Europe 2007 here this week, none claim to be able to detect a major threat to enterprises: unhappiness.

Security software doesn't do a good job of detecting employees who may have a grudge against their companies. And often, those unhappy individuals are motivated by deep-seated human emotions: jealousy, greed or desire for power, said Bob Ayers, an associated fellow at think tank Chatham House's Information Security Program.

Take, for example, the case of a loathed senior executive of a major European bank. In preparation for a new post, his computer was sent to the IT department, where a security officer said it contained child pornography, Ayers said.

The executive denied the accusation vehemently. Further investigation showed that the pornographic images were placed on the machine by the security officer, an act of revenge against the executive for firing the security officer's father years ago.

"We tend to view insider threats as something with the objective of gaining money or something that can be sold for money," said Ayers, who worked in computer security and intelligence for the U.S. Department of Defense for more than 30 years. "You need to consider other motives than simply financial."

Unfortunately, it's hard to detect employees who may be inclined to act maliciously within a company, said Stephen Bonner, head of information risk management at banking group Barclays PLC.

Ironically, the warning signs of bad employees can also be indicators of good ones: a willingness to work late, a desire to take on more responsibility and close interest in their colleagues' work, he said.

Bonner divided employees into three categories: those who will always do good, those who are mostly good but do bad things, and those who simply prefer bad behavior. Companies can help mitigate their risk by performing background checks and asking employees to take a pledge to act ethically.

Once on the job, managers can also take note of employees' actions. Those who act out -- after not receiving a satisfactory bonus, for example -- may be more inclined to seek retribution against their employers, Bonner said.

On the technical side, it's good to let employees know that their activities will be monitored. But there's a catch. If employees perceive they are being overly monitored, they may act differently, so the monitoring policy should be in line with the organization's work culture, he said.

The last recommendation seems like common sense: If companies treat their employees well, their employees tend to behave better. Addressing human resources problems directly can also help to avoid what could translate into IT problems later.

But companies will always have a certain degree of exposure. "There are people we have to trust in our organizations to work effectively," Bonner said.

Websense Makes Bid for SurfControl

Via ComputerWorld.com -

April 26, 2007 (IDG News Service) -- Security software vendor Websense Inc. on Thursday moved to acquire competitor SurfControl PLC, with a Websense subsidiary offering about $400 million in cash for SurfControl.

Websense SC Operations Ltd. has offered to acquire SurfControl, based in the U.K., for $14.02 per share, for a total $402.7 million, Websense announced Thursday.

Also Thursday, Doug Wride was named president of Websense, effective immediately. He will continue in his role as chief financial officer and lead the acquisition and integration of SurfControl. Wride will continue to report to Websense CEO Gene Hodges.

The combination of the two companies will create "an IT security solutions company with the scale and product offering to compete more effectively with large global security software companies," Hodges said in a prepared statement.

Both companies provide proactive network security software to head off potential phishing, spyware, virus and other threats to IT systems. SurfControl serves 16 million users globally and Websense serves 25 million.

U.S. Army Hackers Give HITB CTF Another Try

Via NetworkWorld.com -

A team of U.S. Army hackers will attend the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur later this year, seeking redemption after falling short at a hacker competition in Dubai earlier this month, the conference organizer said Tuesday.

The Army Strong team was drawn from members of the 2nd Battalion of the U.S. Army's 1st Information Operations Command (Land). The team was unable to complete the entry-level round, called Level 0, in a capture the flag (CTF) competition held by HITB in Dubai this month, according to Dhillon Andrew Kannabhiran, founder and CEO of Hack In The Box (M) Sdn. Bhd.

Unlike other CTF competitions that require teams to attack other servers while defending their own, the HITB contest in Dubai only required teams to attack servers and retrieve files, called flags, that were used to score points. Participants in the contest were also allowed to attack each other, but denial-of-service attacks were banned.

"The Dubai CTF was also a pure reverse engineering challenge with teams having to break six levels of increasing difficulty. Level 0 was a Win32 binary whereas all the other levels were Unix binaries," Kannabhiran said. "Teams would progress to the next level by cracking the current level which reveals a password/credentials needed to access the next challenge."

Army Strong was one of three teams competing in the Dubai contest. The other two teams were Team Eleet, whose members came from the Dubai Police, and NDMTEAM, a group of hackers from Bulgaria.

"The Bulgarians were the only team to successfully bypass level 0. However, they did not manage to reverse any of the other flags, as such there was no winner," Kannabhiran said.

The lack of a winner means the $6,000 in cash prizes planned for Dubai were not awarded. Instead, the cash prizes will be carried forward to the Kuala Lumpur conference, he said.

Hack In The Box has yet to announce details of the CTF contest planned for the Kuala Lumpur conference, which will be held from Sept. 3-6.

Optical Fiber Sniffing

Via theregister.co.uk -

Optical links are not as secure as might be assumed. Techniques for extracting data flowing over fibre optic links are evolving to make the technique easier to apply.

Instead of breaking a fibre and installing a device (splicing), an approach that might easily be detected, off-the-shelf equipment makes it possible to extract data from an optical link without breaking a connection.

Splitter or coupler methods rely on bending the glass of a fibre-optic cable. If this bend is beyond a particular radius, a small amount of light leaks out. With modern receivers, only a small amount of light needs to be captured (0.1dB of the optical rating is enough) to extract the data from an optical link.

A simple clip-on device - such as the FCD-10B bend coupler from Canadian firm Exfo - is enough to achieve the job.

At the Infosecurity show in London, Swiss encryption appliance firm Infoguard demonstrated the use of optical tapping to intercept a Voice over IP call travelling across an optical link (picture above). There was no noise on the line while the tap was in progress. A PC connected to the optical link via a media recorder was able to recover the unencrypted data flowing over the link.

The scenario of optical hacking might appear like the fodder from Hollywood hacksploitation flicks rather than a practical threat. However, Infoguard said that in 2003 an illegal eavesdropping device was found attached to Verizon's network. Investigators probing the hack reckoned it was motivated by an attempt to access the quarterly statements of a mutual fund company. The perps were never identified.

Infoguard staged the demo in order to illustrate the point that firms need to encrypt data traveling over optical links, using devices such as its 10Gbps EtherGuard appliances.
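A detection angle on the bend-coupler technique described above, as an added example that is not from the article or from Infoguard: a bend tap diverts a fraction of the light, so the receiver downstream sees a small but sustained drop in received optical power. The function below watches a stream of receive-power readings (in dBm, the unit modern transceivers report through their digital diagnostics) and flags a sustained loss at or above the 0.1 dB figure the article quotes. The readings, window size and sustain count are constructed for illustration; on a real link the alert threshold has to sit above the link's own measured noise, and power monitoring complements rather than replaces encrypting the traffic.

```javascript
// Added example: flag a sustained drop in received optical power of the
// kind a bend-coupler tap causes. Not vendor code; thresholds are illustrative.
const TAP_LOSS_DB = 0.1;    // the article's figure for what a modern receiver needs
const SUSTAIN_SAMPLES = 3;  // consecutive low samples before alerting (noise filter)

// Median of the first few readings is taken as the link's normal receive level.
function baselineDbm(samples) {
  const sorted = [...samples].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Returns null when power stays within tolerance; otherwise the index of the
// first reading in the sustained drop, the baseline used, and the loss seen at
// the sample that confirmed the alert.
function detectPowerDrop(readings, windowSize = 5, lossDb = TAP_LOSS_DB, sustain = SUSTAIN_SAMPLES) {
  if (readings.length <= windowSize) return null;
  const base = baselineDbm(readings.slice(0, windowSize));
  let run = 0;
  for (let i = windowSize; i < readings.length; i++) {
    const loss = base - readings[i];          // positive when power fell
    run = loss >= lossDb ? run + 1 : 0;
    if (run >= sustain) {
      return { index: i - sustain + 1, baselineDbm: base, lossDb: Number(loss.toFixed(3)) };
    }
  }
  return null;
}

// Constructed readings (dBm): steady link, two noisy samples, then a 0.15 dB drop.
const constructedReadings = [
  -3.00, -3.01, -2.99, -3.00, -3.01,
  -3.02, -3.00,
  -3.15, -3.16, -3.14, -3.15,
];

console.log(detectPowerDrop(constructedReadings));
```

Two noisy samples do not trigger an alert because the loss must persist for several consecutive readings; the 0.15 dB step does, and the returned index points at where the drop began. Transceivers that do not expose receive power cannot be monitored this way, which is one more reason the article's conclusion (encrypt the link) stands on its own.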

Personal RFID Firewall

The RFID Guardian is a mobile battery-powered device that offers personal RFID security and privacy management for people. The RFID Guardian monitors and regulates RFID usage, on the behalf of consumers.

The RFID Guardian is meant for personal use; it manages the RFID tags within physical proximity of a person (as opposed to managing RFID tags owned by the person, that are left at home). The RFID Guardian is portable. It should be PDA-sized, or better yet, could be integrated into a handheld computer or cellphone. The RFID Guardian is also battery powered. The RFID Guardian also performs 2-way RFID communications. It acts like an RFID reader, querying tags and decoding the tag responses, and it can also emulate an RFID tag, allowing it to perform direct in-band communications with other RFID readers.

--------------------------

http://www.theinquirer.net/default.aspx?article=39170

Google Talk (gTalk) HTML Injection Technique

Via SecuriTeam -

Google Talk is "an instant messaging service offered by Google. It allows communication via traditional text or voice and is also integrated with Gmail. According to information released last year, Google Talk is used by more than 3 million users worldwide". The gTalk chat screen, which uses an Internet Explorer control to display messages, pictures and requests to the user, is vulnerable to HTML injection. The flaw resides in the file transfer notification. A user does not need to accept the incoming file transfer; the code is automatically displayed in the chat screen. If combined with additional techniques (discussed in the additional considerations section), this flaw may be used to execute arbitrary HTML code and script code in the user's chat screen.

Credit - The information has been provided by Alec Storm.

Vulnerability Status - Google was notified, but it remains unpatched.
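The root cause the advisory describes, a chat pane that is an HTML control and gets untrusted strings concatenated into its markup, is the same one that produces HTML injection in any web client. The added example below is not Google's code; it is a generic illustration of the vulnerable pattern (the sender-supplied filename dropped straight into a notification template) next to the hardened one, with a constructed sender and filename. The template and field names are assumptions.

```javascript
// Added example, not Google's code: a chat pane rendered by an HTML control
// must escape every attacker-controlled field before it reaches the DOM.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the sender-supplied filename is concatenated straight
// into markup, so a filename that contains tags becomes live HTML.
function renderTransferNoticeUnsafe(sender, filename) {
  return `<div class="xfer">${sender} wants to send you <b>${filename}</b></div>`;
}

// Hardened pattern: same layout, but every untrusted field is escaped first.
function renderTransferNoticeSafe(sender, filename) {
  return `<div class="xfer">${escapeHtml(sender)} wants to send you <b>${escapeHtml(filename)}</b></div>`;
}

// Review check: does the rendered string contain any tag other than the
// template's own <div> and <b>? Anything else came from the input.
function hasForeignTag(html) {
  return /<(?!\/?(div|b)\b)[a-z]/i.test(html);
}

// Constructed input: a filename carrying a script tag, the classic test case.
const constructedSender = 'alice@example.com';
const constructedFilename = 'minutes.doc<script>alert(1)</script>';

console.log(renderTransferNoticeUnsafe(constructedSender, constructedFilename));
console.log(renderTransferNoticeSafe(constructedSender, constructedFilename));
```

In a real client the better fix is to stop building HTML from strings altogether and set the filename through a text-only API (a DOM `textContent` assignment or the control's equivalent), so that no escaping step can be forgotten; escaping at the point of concatenation is the minimal repair when the template cannot be changed.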

Wednesday, April 25, 2007

New PacketStormSecurity Mirror

http://packetstorm.austin2600.net/

Austin's own 2600 group has created a new mirror for packetstormsecurity.org

Pretty cool.

Ohio State Cracked For Personal Data

Via SecurityProNews.com (April 18th) -

One incident took place in February, when two laptops were stolen from a professor's home. Those machines contained data about the chemistry students, including Social Security numbers and grades for students going back ten years.

A Columbus Dispatch report about the thefts said the other attack against a University computer took place the weekend of March 31. Attackers from a foreign IP address broke into an Office of Research machine and accessed over 14,000 faculty and staff records.

The late February burglary of the two laptops and other items would normally have been reported to affected people in 45 days, per Ohio law. An Ohio State spokesperson said in the report that it took several weeks to figure out whose data was on the machines.

An advisory from the school's CIO said: "The University has worked hard to put into place measures to protect sensitive data, which makes this latest incident very unusual. An ongoing investigation has found that the names, Social Security numbers, employee IDs and dates of birth of 7,160 former and 6,934 current Ohio State faculty and staff were illegally retrieved by the hacker."

Universities have been attractive targets for attackers due to the completeness of the information they can retrieve, and the relative openness of university networks. Colleges have tended to use Social Security numbers as unique identifiers for students. That practice would put those numbers in multiple systems, and if one of those systems can be breached, there go the SSNs.

Kryptonite Is Real - Sorta

Via Playfuls.com -

A new mineral matching kryptonite's unique chemistry, as described in the film Superman Returns, has been identified by scientists at the Natural History Museum and Canada's National Research Council.

As you might remember from Superman movies, the large green crystals of kryptonite have a devastating effect on the superhero. However, unlike its famous counterpart, the new mineral is white, powdery and not radioactive. And, rather than coming from outer space, the real kryptonite was found in Serbia.

Geologists and mineralogists from mining group Rio Tinto discovered the unusual mineral. It didn't match anything known previously to science, so they sought the help of mineral expert Dr Chris Stanley at the Natural History Museum.

'Towards the end of my research,' says Dr Stanley, 'I searched the web using the mineral's chemical formula, sodium lithium boron silicate hydroxide, and was amazed to discover that same scientific name written on a case of rock containing kryptonite stolen by Lex Luthor from a museum in the film Superman Returns'.

'The new mineral does not contain fluorine and is white rather than green, but in all other respects the chemistry matches that for the rock containing kryptonite. We will have to be careful with it - we wouldn't want to deprive Earth of its most famous superhero!'

---------------------------

Now we just need to find Krypton...

Tuesday, April 24, 2007

Adobe Photoshop CS2 / CS3 Unspecified .BMP File Buffer Overflow

There is a buffer overflow in Adobe products that can be triggered while processing a malformed BMP, DIB or RLE file.

http://www.milw0rm.com/exploits/3793

Tools of the Trade - Healthier Than That New Car Smell

Over the last few years, research has suggested that the "new car smell" is pretty toxic...

The Ecology Center said toxic chemicals such as bromine, chlorine and lead found in cars' interiors give off harmful fumes for three years.

http://www.physorg.com/news96654868.html (2007)
http://www.cnn.com/2006/AUTOS/01/31/toxic_cars/ (2006)

--------------------------------------

On to the tools...

1) On April 24th, Nullsoft released Winamp 5.34. The version history hasn't been updated yet for this version, but I hope they fixed the MAT File Handling NULL Byte Overwrite vulnerability.

2) On April 23rd, Adobe released Shockwave Player v10.2.0.021.

3) On April 23rd, Irfan Skiljan released IrfanView v4.00. IrfanView is a very fast, small, compact and innovative FREEWARE (for non-commercial use) graphic viewer for Windows 9x/ME/NT/2000/XP/2003/Vista. I have personally used IrfanView for many years and I love it. It is quick and can open many different formats. However, looking over the changelog I see no reference to fixing the ANI buffer overflow vulnerability that existed in v3.99.

4) On April 20th, AVG Free Edition 7.5.463 was released. AVG Free Edition is the well-known anti-virus protection tool. AVG Free is available free-of-charge to home users for the life of the product! See the change log for all the details.

5) On April 18th, Mozilla released Thunderbird 2.0. Check out the release notes for all the new features.

6) On April 18th, GNU Image Manipulation Program (GIMP) 2.2.14 was released. The GIMP is a multiplatform photo manipulation tool. GIMP is an acronym for GNU Image Manipulation Program. The GIMP is suitable for a variety of image manipulation tasks, including photo retouching, image composition, and image construction.

7) On April 17th, CCleaner v1.39.502 was released. CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history.

8) On April 16th, KeePass 1.07 was released. KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. See the changelog for all the details.

9) On April 12th, ClamAV 90.2 was released. Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

10) Recently, NoScript 1.1.4.8.070420 was released. This version has been titled the "XSS Sniper" because it has improved precision of the Anti-XSS protection, enhanced also by configurable exceptions and an "Unsafe Reload" command to deal with the very few remaining false positives.

11) I ran across these unique fuzzers and just wanted to share them here.

FuzzMan is a fuzzer generator based on Unix man pages. It extracts the options offered in a man page and creates a shell script that will execute a command using all possible combinations of options and arguments. JavaFuzz is a Java class fuzzer based on the Java Reflection API. The reflection API represents, or reflects, the classes, interfaces, and objects in the current Java Virtual Machine. Using the reflection API it can construct and invoke any given class (or list of classes). After getting the types that a class accepts, it will construct the classes using inappropriate values. JavaFuzz is also hosted at Google Projects with source code.

MI5 Adopts Tracking Tactics for Muslim Extremists

Via Times Online UK -

MI5 is adopting tactics used by the police to keep tabs on paedophiles and other sex offenders to monitor the activities of known or suspected Islamic extremists, The Times has learnt.

The threat from radicalised young Muslims is growing at such a rate that MI5 has realised that it needs the help of police officers on the streets to help it keep a check on extremists in their areas.

Thousands of police officers on the beat in areas with large Pakistani communities — such as Birmingham, Leeds and London — will be expected to keep a lookout for young Muslims known to have become radicals.

The information gathered from day-to-day observations will be used to compile a comprehensive database of lower-level extremism. This register will help both MI5 and the police.

Two Alleged Moroccan Al-Qaeda Members Flee to Spain

Via Intelligence Summit Blog -

(AKI) - Spanish authorities are hunting for two Moroccans, both alleged al-Qaeda members believed to have attended an al-Qaeda training camp in Mali and to have recently fled from Morocco to Spain, daily ABC reported on Friday. Police believed the two militants know how to make an explosives belt and that at least one of them is hiding in the southern Andalusia region, the paper said. One entered Spain via a people trafficking network operating in northern Morocco, where security has been stepped up in the Spanish enclaves of Ceuta and Melilla - both with significant Muslim populations - said ABC.

CanSec Pwn to Own Exploit Details

Via matasano.com -

New details emerging about Dino’s MacBook finding (don’t you just love vulnerability markets?). Dino’s finding targets Java handling in QuickTime.
  • Any Java-enabled browser is a viable attack vector, if QuickTime is installed.
  • Apple’s vulnerable code ships by default on MacOSX (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability. (Irony!)
  • Firefox and Safari are confirmed vectors on MacIntel. Users of both browsers are placed at risk by this vulnerability in Apple’s code.
  • Firefox is a presumed vector on Win32, if Apple’s QuickTime code is installed. Users of Firefox on Windows are presumed to be at risk because of this vulnerability in Apple’s code.
  • Disabling Java stops the vulnerability.

-------------------------------------

Apple QuickTime Java Handling Unspecified Code Execution

Lavender's Hormone Havoc

Most cases of male prepubertal gynecomastia are classified as idiopathic. We investigated possible causes of gynecomastia in three prepubertal boys who were otherwise healthy and had normal serum concentrations of endogenous steroids. In all three boys, gynecomastia coincided with the topical application of products that contained lavender and tea tree oils. Gynecomastia resolved in each patient shortly after the use of products containing these oils was discontinued. Furthermore, studies in human cell lines indicated that the two oils had estrogenic and antiandrogenic activities. We conclude that repeated topical exposure to lavender and tea tree oils probably caused prepubertal gynecomastia in these boys.

http://content.nejm.org/cgi/content/short/356/5/479

--------------------------

Now you know why I don't drink soy.....but as noted on Wikipedia, the study's sample size is pretty small and other unknown factors could have had an effect as well...so put this in your "grain of salt" bucket.

20 Tons of Coke Seized Off the Coast of Panama

Via WashTimes.com -

ALAMEDA, Calif., April 23 (UPI) -- U.S. Coast Guard officials Monday showed off more than 20 tons of cocaine they said comprised the largest maritime seizure ever.

The 765 plastic bags filled with the illegal drug, slapped with a street value price tag of about $300 million, were placed briefly on display in Alameda, Calif., under the watchful eyes of armed federal agents, the Contra Costa Times reported.

The crew of the Sherman found the drugs March 17 in cargo containers on the deck of the Panamanian freighter Gatun while patrolling off the coast of Panama. The crew also arrested 14 crew members.

"About halfway through counting the bags we knew we must be close to the record in terms of seizures," said Boatswains Mate 1st Class Michael Aguilera.

The Coast Guard's largest cocaine seizures before the discovery aboard the Gatun were 13 tons from a Cambodian-flagged vessel in 2001 and 15 tons from the unflagged Lina Maria in 2004.

Uttam Dhillon, a Department of Homeland Security official and ex-federal prosecutor, was among those watching the Sherman crew unload the cocaine.

"I never prosecuted, or dreamed of prosecuting, a 20-ton cocaine case," Dhillon said.

Monday, April 23, 2007

Incredible Construction in Dubai

Currently under construction in Dubai, Hydropolis is the world's first luxury underwater hotel. It will include three elements: the land station, where guests will be welcomed, the connecting tunnel, which will transport people by train to the main area of the hotel, and the 220 suites within the submarine leisure complex. It is one of the largest contemporary construction projects in the world, covering an area of 260 hectares, about the size of London's Hyde Park.

--------------------------------------

The Dynamic Architecture building, which will be constantly in motion changing its shape, will be able to generate electric energy for itself as well as for other buildings. Forty-eight wind turbines fitted between the rotating floors, as well as the solar panels positioned on the roof of the building, will produce energy from wind and sunlight, with no risk of pollution. The total energy produced by this inbuilt ‘powerhouse' every year will be worth approximately seven million dollars.

---------------------------------------

The World Islands, which is sometimes mistakenly referred to as the Palm World or Globe Islands, are a collection of man-made islands shaped into the continents of the world, located off the coast of Dubai in the United Arab Emirates. It will consist of 300 small private artificial islands divided into four categories - private homes, estate homes, dream resorts, and community islands.

---------------------------------------

The Palm Islands, also referred to as The Palm Dubai and The Palms, are the three largest man-made islands in the world, which are being built on the coast of the emirate of Dubai, in the United Arab Emirates (UAE). Its concept was announced in May 2002 and the three resort islands are expected to maintain Dubai's position as a premium tourist destination. The Palm Islands is also the self-declared 'Eighth Wonder of the World'.

---------------------------------------

Burj Dubai is set to be the world's tallest building and the centerpiece of the Gulf region's most prestigious urban development, entitled Downtown Dubai. The Arabic meaning for the word Burj is 'tower', which gives Burj Dubai a meaning of 'Dubai Tower' or 'Tower of Dubai'. Its exact height hasn't been disclosed, but it has been confirmed that it will be over 700 meters tall, and its design was influenced by the six-petal desert flower.

Picking Kensington Laptop Locks with Cardboard

Who knew that toilet paper rolls were so useful...

http://www.youtube.com/watch?v=4iZXYZ-1HAU

It should be noted that this is from 2005, and it is possible that new versions of the lock are more resistant to this type of attack.

But in the end lock picking is lock picking...

Hackers Used Office Zeroday Against State Dept.

Via Yahoo News -

WASHINGTON - A break-in targeting State Department computers worldwide last summer occurred after a department employee in Asia opened a mysterious e-mail that quietly allowed hackers inside the U.S. government's network.

In the first public account revealing details about the intrusion and the government's hurried behind-the-scenes response, a senior State Department official described an elaborate ploy by sophisticated international hackers. They used a secret break-in technique that exploited a design flaw in Microsoft software.

Consumers using the same software remained vulnerable until months afterward.

Donald R. Reid, the senior security coordinator for the Bureau of Diplomatic Security, also confirmed that a limited amount of U.S. government data was stolen by the hackers until tripwires severed all the State Department's Internet connections throughout eastern Asia. The shut-off left U.S. government offices without Internet access in the tense weeks preceding missile tests by North Korea.

...

The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers.

The technique exploited a previously unknown design flaw in Microsoft's Office software, Reid said. State Department officials worked with the Homeland Security Department and even the FBI to urge Microsoft to develop quickly a protective software patch, but the company did not offer the patch until Aug. 8 — roughly eight weeks after the break-in.

Microsoft said it works as quickly as possible to provide customers with security updates.

"If we release a security update that is not adequately tested, we could potentially put customers at risk, especially as the release of an update can lead to reverse-engineering the fix and lead to broader attacks," said Microsoft's senior security strategist, Phil Reitinger. "Updates must be able to be deployed by customers with confidence."

At the time, Microsoft described the software flaw as "a newly discovered, privately reported vulnerability" but did not suggest any connection to the U.S. government break-in. It urged consumers to apply the update immediately. It also recommended that consumers not open or save Microsoft Office files they receive from sources they don't trust or files they receive unexpectedly from trusted sources.

The State Department detected its first break-in immediately, Reid said, and worked to block suspected communications with the hackers. But during its investigation, it discovered new break-ins at its Washington headquarters and other offices in eastern Asia, Reid said.

At first, the hackers did not immediately appear to try stealing any U.S. government data. Authorities quietly monitored the hackers' activity, then tripwires severed Internet connections in the region after a limited amount of data was detected being stolen, Reid said.

Reid also complained the State Department's efforts to deal quietly with the break-in were disrupted by news reports. The Associated Press was first to reveal the intrusions.

"We were successful here until a newspaper article telegraphed what we were dealing with," Reid said.

Saturday, April 21, 2007

US Gov Exposes 63K Social Security Numbers

Via M&C -

WASHINGTON, DC, United States (UPI) -- U.S. government officials warn of possible identity theft after the Social Security numbers of 63,000 people were posted on a public Web site.

The officials said Friday the U.S. Census Bureau posted the Social Security numbers of thousands of recipients of federal farm loans in an apparent violation of federal law, The Washington Post reported Saturday.

'We take full responsibility for this and offer no excuses for it,' said Terri Teuber, a spokeswoman for the U.S. Department of Agriculture. 'We absolutely do not think it was appropriate.'

The data, which was posted as part of a U.S. Census Bureau loans database, was removed from the Web site April 13 after an Illinois farmer stumbled on it while searching the Internet and alerted officials. However, the issue was not revealed to the public until Friday because, officials said, information security officials needed time to wipe the information from mirror sites and contact people whose numbers were posted.

However, a watchdog group said the delay was the result of the government attempting to cover up its error.

'The bottom line is the government screwed up,' said Gary Bass, executive director of OMB Watch. 'What's really important is that they now try to rectify the problem. Thousands of research groups have copies of this site.'

Satellite Navigation Hacking - CanSecWest

Via CNET -

April 20, 2007 (IDG News Service) -- Two security experts have discovered a way to inject false messages -- some amusing and others potentially frightening -- into car satellite navigation systems.

Andrea Barisani, chief security engineer for Inverse Path Ltd., and Daniele Bianco, a hardware hacker at Inverse Path, used off-the-shelf equipment to transmit messages to their car satellite navigation system warning of conditions ranging from foggy weather to terrorist attacks. They presented their findings on Friday at CanSecWest, a security conference taking place this week in Vancouver.

Barisani and Bianco sent the messages over RDS (Radio Data System), a standard created in Europe but also used in North America that allows FM radio stations to transmit data over a sliver of spectrum that runs along every FM channel. RDS can contain information such as the name of the radio station. It can also transmit traffic information.

Over the past couple of years, satellite navigation systems have begun receiving that data so that users are alerted to traffic or weather conditions, Barisani said.

Barisani and Bianco found that they could build a device that transmits over the RDS channel. Through trial and error, they discovered that transmitting certain code numbers translates into certain warnings that are displayed on the satellite navigation system.

Some were amusing. One code number alerts users that there's a bull fight in progress. Another one indicates delays due to a parade.

But some weren't so funny. One tells users that there has been a terrorist incident. Another indicates a bomb alert and another an air crash.

The researchers demonstrated this capability in order to spread awareness that this type of hack could happen maliciously. Barisani advises satellite navigation users that if they ever see an alarming message on their device, "don't freak out immediately, listen to the news on the radio to get confirmation."

They found that the RDS data isn't authenticated or encrypted, which allowed them to broadcast the data to be picked up by any satellite navigation systems. Most satellite navigation devices cycle through the FM channels looking for the traffic data that could be broadcast over RDS, Barisani said. A hacker could obscure an existing station, like a man-in-the-middle attack, in order to transmit what they want. Or, a hacker could also transmit over an unused channel, he said.

Satellite navigation systems that are built into cars aren't easy for users to upgrade, so Barisani doesn't expect the manufacturers to be able to make any changes that could prevent this type of attack. But he hopes that future standards might address the issue.

-----------------------------

I got to see this talk first hand..and it was slick for sure. Good stuff.

Pwn to Own - Safari ZeroDay Does The Trick

Via CNET -

Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.

"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."

Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.

A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.

The successful hack comes a day after Apple released its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.

CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.

Friday, April 20, 2007

Lenders Violate Federal Law By Accessing Student Database

Via SecurityFocus.com -

A database containing the personal and financial details of nearly 60 million students had repeatedly been accessed by some lending companies in ways that violated federal privacy laws, the Washington Post reported on Sunday.

According to the article, the database contains everything needed to steal a person's identity, including students' names, Social Security numbers, addresses, phone numbers, birth dates and phone numbers as well as information on loan balances. Some lending companies have apparently given unauthorized users, such as marketing companies, access to the information in the database on a regular basis, according to the Post's article.

"We are just in shock that student data could be compromised like this," Nancy Hoover, director of financial aid at Denison University, told the Washington Post.

The revelation comes as some lending companies and schools are under fire for improper relationships. At least three financial aid directors at various schools have resigned positions or been put on administrative leave after ties with student-lending firm Student Loan Xpress were uncovered. The possible improper access of a database on 60 million students puts the breach in the same category as the repeated breaches of retail giant TJX that led to the leak of at least 46.5 million credit-card numbers and the attack on CardSystems Solutions that resulted in the possible compromise of some 40 million credit-card numbers.

Officials at the U.S. Department of Education are mulling a possible shutdown of the database system while access policies and security are tightened, according to the Post.

Details of 100K Bulldog Internet Customers Stolen

Via Out-law -

The private details of 100,000 internet users have been stolen from broadband provider Bulldog. The security breach happened when the company was owned by Cable & Wireless.

The data was stolen from Cable & Wireless in December 2005 by a third party which the company believes it can identify. Bulldog's customer base has since been sold to broadband provider Pipex, but C&W is investigating the breach.

James Brown, managing director of Bulldog Internet, told the Guardian newspaper: "Our understanding is that, following an external enquiry by Cable & Wireless, it has become apparent that at some point in December 2005 Cable & Wireless had some of their customer contact details illegally obtained by a third party. This resulted in a small number of their customers receiving unsolicited calls."

C&W said that it was preparing legal action against a third party which it said could be the source of the leak.

It is not yet clear exactly what customer data was taken. Several customers have reported receiving telephone calls that alerted them to the security breach. It is not known whether or not credit card or bank details were among those taken. C&W said that there was no evidence that that was the case.

Large scale data thefts are becoming increasingly common as identity theft becomes a more lucrative crime. With individuals carrying out more and more of their economic activity online, impersonating those people can bring ever greater rewards.

The US has been the location of the most serious data breaches. One recent US breach had implications for UK citizens, though. The owners of High Street discount clothes chain TK Maxx suffered one of the biggest ever breaches when the credit card details of 45 million customers were stolen by a hacker.

Disgruntled Techie Attempts Californian Power Blackout

Via The Register UK -

A cheesed-off American IT worker was seized by an FBI Joint Terrorism Task Force on Wednesday for attacking the Californian electric power grid.

Lonnie Charles Denison, of Sacramento, allegedly meddled with computers at the California Independent System Operator (ISO) agency. He is also accused of making a malicious bomb threat against the organisation. ISO controls the state's power transmission lines and runs its energy trading markets.

According to the feds, Denison became upset last week after a dispute with his employer, Science Applications International. Science Applications provides IT services to ISO.

Denison first attempted a remote attack against the ISO data centre on Sunday, but this was unsuccessful. He then reverted to simpler means, and entered the facility physically using his security card key late on Sunday night. Once inside, he smashed the glass plate covering an emergency power cut-off, shutting down much of the data centre through the early hours of Monday morning. This denied ISO access to the energy trading market, but didn't affect the transmission grid directly. Nor did his emailed bomb threat, delivered later on Monday, though it did lead to the ISO offices being evacuated and control passed to a different facility.

However, the feds reckon that if Denison had carried out his data-centre attack during normal business hours, "electric consumers in the Western United States would have experienced disruptions in their electrical supply". After arresting Denison they slapped him with a felony rap, destruction of an energy facility. The disgruntled techie, if found guilty, could be looking at the wrong end of a maximum five-year stretch, or perhaps a $5,000 fine.

This case could be another sign that America's terrorist threats can come from within as well as from beyond its borders. Denison is the second American IT worker to appear before federal beaks in recent days for sabotaging key US computers, joining Richard F Sylvestre.

Sylvestre's vandalism could have resulted in a nuclear-submarine collision and landed him in the jug for a decade, but in the end he got sent away for just 12 to 18 months. Denison could get off relatively lightly too, if he receives similar treatment.

--------------------------------------

Managers telling you that "insider attacks" aren't a real threat?

This is a great example of how employees can do some serious evil stuff....

Chinese Dissident Sues Yahoo!

Via TimesOnline UK -

A Chinese political prisoner sued Yahoo! in a US federal court, accusing the internet company of helping the Chinese government torture him by providing information that led to his arrest.

The suit, filed under the Alien Tort Claims Act and the Torture Victims Protection Act, is believed to be the first of its kind made against an American internet company.

Wang Xiaoning, who is serving a 10-year sentence in China, and his wife, Yu Ling, who is currently in San Francisco, are seeking damages and an injunction barring Yahoo! from identifying political opponents to the Chinese authorities.

U.S. Embassy in Germany Warns of Terrorism Threat

Via Washington Post -

BERLIN, April 20 -- The U.S. embassy in Berlin warned Friday that Germany faced an increased threat of terrorism and that Americans in the country were particularly at risk.

Although the State Department regularly issues warnings about dangers to U.S. citizens in Europe and elsewhere in the world, Germany has rarely been singled out as a potential security problem.

In posting the warning, the embassy in Berlin said U.S. diplomatic and consular offices across Germany had increased their security in response to "a heightened threat situation." The embassy did not give details, but U.S. officials who spoke on condition of anonymity said the warning was prompted by increased activity among Islamic extremists in the country instead of a specific plot.

Urban Word of the Day - Disco Nap

Disco Nap

sleeping when ya got something goin' later on that you need to get ready for.

"i was about to go to the club, but i needed a disco nap to feel refreshed."

Ohio Audit Says Diebold Vote Database May Have Been Corrupted

Via Wired Blog -

Problems found in an audit of Diebold tabulation records from an Ohio November 2006 election raise questions about whether the database got corrupted during the tabulation of election results, says a report released today (pdf).

The document, from a team of researchers tasked with auditing the November election in troubled Cuyahoga County, has called for a thorough examination of the database to determine if corruption did occur and the extent to which it may have affected the election results.

Among the report findings:

Vote totals in two separate databases that should have been identical had different totals. Although Diebold explained that this was part of the system design for separate vote tables to get updated at different times during the tabulation process, the team questioned the wisdom of a design that creates non-identical vote totals.

Tables in the database contained elements that were missing date and time stamps that would indicate when information was entered.

Entries that did have date/time stamps showed a January 1, 1970 date.

The database is built from Microsoft's Jet database engine. The engine, according to Microsoft, is vulnerable to corruption when a lot of concurrent activity is happening with the database, such as what occurs on an election night when results are uploaded and various servers are interacting with the database simultaneously.

...

According to the report, Election Director Michael Vu initially denied the audit team access to the raw vote data to examine because he said Diebold had asserted trade secrets protection over the data. By vote data, they're referring to the vote totals and election reports, not the machine source code. It's unclear why he believed the company had a right to assert such claims over such essential public records data.

The audit found more problems with the way the election was administered -- some optical scan ballots were scanned twice while others weren't scanned at all. This kind of problem isn't new to Cuyahoga. Two audit reports on last year's May primary in the county revealed severe data tracking problems by the election staff. And two Cuyahoga election workers were convicted in January of tampering with a recount in the 2004 presidential election by cherry-picking precincts for recount that they knew would match the election results. They were concerned they'd have to work overtime if the recount didn't match the results.

All of these issues led to the resignation of Election Director Michael Vu and the four members of Cuyahoga's board of elections. Vu's problems in Ohio haven't affected his job prospects, however. He was recently hired as assistant registrar of voters in San Diego.

--------------------------------------

Diebold can't be blamed for corrupt election staff, as those types of problems exist in every voting process on the planet - at least those involving humans at some point.

However, Diebold can be blamed for adding yet ANOTHER layer of possible corruption to the process...the insecure and poorly designed voting machine.

Ohh, and we can blame them for wasting our tax money....

Diebold is a company; companies have private investors, and those investors (and the company itself) want to make money.....all fine and good. But do we really want to pull all of this into our national voting process? Seriously?

Companies commonly make trade-offs in their products and services:

"It is easy to use, but it isn't as secure as it could be."

"That feature, while cool and driven by public demand, was dropped in the interest of time and money."

"We shouldn't explain in the changelog that vulnerability X was fixed. It looks bad on us...and it is better (in our minds) that we don't talk about it. Even if it ends up hurting a couple of our customers."

So let's ask...

Why are we attempting to combine the money-making needs of companies with the general public's constitutional right to fair and open elections?
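The audit findings quoted above (two vote tables that should agree but don't, rows with no timestamp, rows stamped January 1, 1970, and ballots scanned twice or not at all) are exactly the kind of thing a tabulation audit can check mechanically, and the checks are simple enough that an election board does not have to take the vendor's word for it. The following is an added example in Python; it is not code from the Wired article, from the audit team, or from Diebold. The two-table layout, the column order, the scanner log and every sample row are constructed for illustration and carry no real election data.

```python
"""Consistency checks of the kind the Cuyahoga audit describes, run over
constructed tabulation records.  Added example: not Diebold's GEMS software
and not the audit team's tooling.  Row layout is an assumption:
(precinct, candidate, votes, timestamp) with an ISO 8601 timestamp string,
or "" where the row carried no stamp at all."""
from collections import Counter
from datetime import datetime

# Constructed "summary" table, the one reports are printed from.
SUMMARY_TABLE = [
    ("P01", "A", 120, "2006-11-07T20:15:00"),
    ("P01", "B", 95,  "2006-11-07T20:15:00"),
    ("P02", "A", 80,  "1970-01-01T00:00:00"),   # stamp is the Unix epoch
    ("P02", "B", 77,  ""),                       # stamp missing entirely
]
# Constructed per-precinct "detail" table; by design it should sum to the
# same totals as the summary table, which is the property the audit questioned.
DETAIL_TABLE = [
    ("P01", "A", 120, "2006-11-07T20:14:58"),
    ("P01", "B", 95,  "2006-11-07T20:14:58"),
    ("P02", "A", 80,  "2006-11-07T21:02:10"),
    ("P02", "B", 71,  "2006-11-07T21:02:10"),   # disagrees with summary (77)
]
# Constructed optical-scan log: one entry per ballot id as batches were read.
SCAN_LOG = ["B001", "B002", "B003", "B002", "B005"]
EXPECTED_BALLOTS = {"B001", "B002", "B003", "B004", "B005"}

UNIX_EPOCH = datetime(1970, 1, 1)


def totals_by_candidate(rows):
    """Sum the vote column per candidate across all precincts."""
    totals = Counter()
    for _precinct, candidate, votes, _stamp in rows:
        totals[candidate] += votes
    return dict(totals)


def reconcile_totals(table_a, table_b):
    """Return {candidate: (total_a, total_b)} for every candidate whose
    totals differ between the two tables; an empty dict means they agree."""
    ta, tb = totals_by_candidate(table_a), totals_by_candidate(table_b)
    return {
        c: (ta.get(c, 0), tb.get(c, 0))
        for c in sorted(set(ta) | set(tb))
        if ta.get(c, 0) != tb.get(c, 0)
    }


def timestamp_anomalies(rows):
    """Flag rows with no stamp and rows whose stamp equals the Unix epoch.
    An epoch stamp usually means the field was zero or NULL and was never
    set when the row was written, not that the entry was made in 1970."""
    missing, epoch = [], []
    for precinct, candidate, _votes, stamp in rows:
        if not stamp:
            missing.append((precinct, candidate))
        elif datetime.fromisoformat(stamp) == UNIX_EPOCH:
            epoch.append((precinct, candidate))
    return {"missing": missing, "epoch": epoch}


def scan_anomalies(scan_log, expected_ballots):
    """Ballots that appear more than once in the scan log were counted twice;
    expected ballots absent from the log were never counted."""
    seen = Counter(scan_log)
    return {
        "scanned_twice": sorted(b for b, n in seen.items() if n > 1),
        "never_scanned": sorted(expected_ballots - set(seen)),
    }


if __name__ == "__main__":
    print("total mismatches:", reconcile_totals(SUMMARY_TABLE, DETAIL_TABLE))
    print("summary-table stamps:", timestamp_anomalies(SUMMARY_TABLE))
    print("scanner log:", scan_anomalies(SCAN_LOG, EXPECTED_BALLOTS))
```

Each function returns its findings rather than just printing them, so the same checks can be run against an exported copy of the real tables and diffed against the official canvass. Note the concurrency point in the article: if two tables are updated at different moments during upload, a snapshot taken mid-tabulation will legitimately disagree, so the reconciliation is only meaningful on a quiesced database after the last upload has finished.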

New Non-Critical Exploits

Posted on Milw0rm.com -

OllyDbg v110 Local Format String Exploit

Foxit PDF Reader 2.0 for Windows Remote DoS Exploit

Winamp <= (WMV) 5.3 Buffer Overflow DOS Exploit

Thursday, April 19, 2007

CanSecWest - Day 2

Well, things are rolling along up here in Canada. CanSecWest is into its second day and things are good. But no conference is complete without some bumps.

The pwn-2-own contest got a late start and didn't really kick off until today, around lunch.

Barnaby Jack's "Exploiting Embedded Systems" talk was great, but it also had a little glitch. The network failed just as he was about to demo the malware EXE injection via a trojaned router firmware. But don't believe what you have read...he isn't just using JTAG to exploit these systems. This is serious ARM/XScale CPU zeroday stuff.

Dragos Ruiu and the CanSecWest crew have rented the Honey Club tonight just for us. Limos will be running between the hotel and the club, so no one has to worry about driving around.

Thanks to Microsoft, Google & Juniper...there will be an open bar. Hell yea!

Anyways, I should get back....next up is Mark Russinovich with a Vista internals talk. Should be interesting.

Microsoft Working on DNS Patch

Via MSRC Blog -

While we don’t have a firm estimate on when we’ll complete our development and testing of updates for this issue, we have teams around the world working on it twenty-four hours a day, and hope to have updates no later than May 8, 2007 for the May monthly bulletin release.

However, this is a developing situation and we are constantly evaluating the situation and the status of our development and testing of updates. For this issue, our teams are working on developing and testing 133 separate updates: one in every language for every currently supported version of Windows servers. Each of these has to be tested to ensure they effectively protect against the vulnerability. Because DNS is a critical part of the networking infrastructure, they also have to be tested to ensure that changes introduced by the updates don’t pose a greater risk than the security issue we’re addressing.

-------------------------------------------------

Could someone explain to me why they have to create 133 separate updates? I understand for each language of Windows, there is a different patch...but my question is why? It has been this way for a very long time and perhaps I am just missing something.

In a perfect world, shouldn't the language localization happen at the UI level and not the underlying processing code level?

Wednesday, April 18, 2007

McAfee Avert Labs - Sage Volume 1 - Issue 2

Welcome to the second issue of Sage. Research is too good to keep in the labs—or even just in products. So McAfee® Avert® Labs publishes this semiannual objective forum of leading-edge security research, analysis, trends, and opinion. In this edition, we examine the near-term future of the security business—the threats, defenses, and issues that we will all face during the next five years.

The constant struggle between security personnel and malware authors is an arms race. No matter how quickly developers and IT design new safeguards, the bad guys make similar advances. For every security breach closed or vulnerability fixed, the crooks will find new ways to disrupt networks and users and make money off of their victims.

http://www.mcafee.com/us/local_content/misc/sage_0407.pdf

Two Men in Detroit Indicted as Iraqi Spies

Via reuters.com -

DETROIT (Reuters) - Two men from the Detroit area have been charged with spying for executed Iraqi leader Saddam Hussein's intelligence service, according to federal court documents.

Najib Shemami and Ghazi Al-Awadi were indicted for giving the former government information about its enemies in the United States, and were freed on $10,000 bonds each after appearing in U.S. District Court in Detroit on Tuesday.

The documents also said Al-Awadi told the Iraqi Intelligence Service in 1997 that he killed his son-in-law, who belonged to an anti-Hussein political party.

Iraqis in the Detroit metropolitan area, home to the largest expatriate Iraqi population, have long complained they were being spied on. Shemami and Al-Awadi were born in Iraq and are naturalized U.S. citizens.

Al-Awadi, who has been in the United States since 1974 and lives on Social Security, was paroled from the Michigan Department of Corrections in 1996, after serving six years for manslaughter in the stabbing of his son-in-law.

The court documents also said Al-Awadi provided information about a retired Iraqi physician who was planning to flee to the United States and his nephew, a major general in Iraq.

Two Cautioned Over Using Open Wifi in the UK

Via BBC -

Two people have been cautioned for using people's wi-fi broadband internet connections without permission.

Neighbours in Redditch, Worcestershire, contacted police on Saturday after seeing a man inside a car using a laptop while parked outside a house.

He was arrested and cautioned. A woman was arrested in similar circumstances in the town earlier this month.

BBC Midlands Today correspondent Dr David Gregory said the cases are among the first of their kind.

He added that if people were using someone else's network to enter illegal porn sites, for example, it would be very difficult to trace them.

The man arrested at the weekend was cautioned for dishonestly obtaining electronic communications services with intent to avoid payment.

In the earlier incident, a woman was arrested after attracting the attention of neighbours in the early morning.

She had put up cardboard around her car windows but the light from her computer could be seen through the back window.

West Mercia Police said people with wi-fi should follow security advice given by their internet provider.

ISPs recommend that wi-fi users secure their wireless networks.