Thursday, January 31, 2008

Genetic Mutation Makes those Brown Eyes Blue

Via MSNBC.com -

People with blue eyes have a single, common ancestor, according to new research.

A team of scientists has tracked down a genetic mutation that leads to blue eyes. The mutation occurred between 6,000 and 10,000 years ago, so before then, there were no blue eyes.

"Originally, we all had brown eyes," said Hans Eiberg from the Department of Cellular and Molecular Medicine at the University of Copenhagen.

The mutation affected the so-called OCA2 gene, which is involved in the production of melanin, the pigment that gives color to our hair, eyes and skin.

"A genetic mutation affecting the OCA2 gene in our chromosomes resulted in the creation of a 'switch,' which literally 'turned off' the ability to produce brown eyes," Eiberg said.

The genetic switch is located in the gene adjacent to OCA2 and rather than completely turning off the gene, the switch limits its action, which reduces the production of melanin in the iris. In effect, the turned-down switch diluted brown eyes to blue.

If the OCA2 gene had been completely shut down, our hair, eyes and skin would be melanin-less, a condition known as albinism.

...

Eiberg and his team examined DNA from mitochondria, the cells' energy-making structures, of blue-eyed individuals in countries including Jordan, Denmark and Turkey. This genetic material comes from females, so it can trace maternal lineages.

They specifically looked at sequences of DNA on the OCA2 gene and the genetic mutation associated with turning down melanin production.

...

What they were able to show is that the people who have blue eyes in Denmark, as far as Jordan, these people all have this same haplotype, they all have exactly the same gene changes that are all linked to this one mutation that makes eyes blue," Hawks said in a telephone interview.

The mutation is what regulates the OCA2 switch for melanin production. And depending on the amount of melanin in the iris, a person can end up with eye color ranging from brown to green. Brown-eyed individuals have considerable individual variation in the area of their DNA that controls melanin production. But they found that blue-eyed individuals only have a small degree of variation in the amount of melanin in their eyes.

"Out of 800 persons we have only found one person which didn't fit — but his eye color was blue with a single brown spot," Eiberg told LiveScience, referring to the finding that blue-eyed individuals all had the same sequence of DNA linked with melanin production.

Rubik's Cube-Solving Robot

Via BBC Business -

Pete Redmond has invented a Rubik's Cube-solving robot, which helped market the game at the Toy Fair. In this clip it competes against Dan Harris, the UK's Rubik's Cube champion.

-------------------

Video requires Windows Media Player.

MySpace Uploader Buffer Overflow Exploit

MySpace Uploader Buffer Overflow Exploit

written by e.b.
Tested on Windows XP SP2(fully patched) English, IE6
MySpaceUploader.ocx version 1.0.0.4: {48DD0448-9209-4F81-9F6D-D83562940134}
Aurigma ImageUploader4.ocx version version 4.5.70.0: {6E5E167B-1566-4316-B27F-0DDAB3484CF7}
Thanks to h.d.m. and the Metasploit crew

http://www.milw0rm.com/exploits/5025

-----------------

This control is used by Myspace to allow for quick and easy photo upload. Luckily I have uninstalled this control long ago and continue to use the older photo upload tool (which can be found at the bottom of the photo uploader page).

Fast-Fluxing PHP IRC Bot

Via F-Secure Blog -

Coming across a PHP RFI (Remote File Inclusion) exploit is an everyday event. (At least if you're analyzing malware…)

Typically, most of the exploits we see install a web-based backdoor such as the C99 shell for the attacker to use.

Every once in a while we run into something more sinister.

Today we discovered a nice crossbreed of different techniques. We saw a PHP script that was heavily obfuscated and the configuration was encrypted. It's an IRC bot, written in PHP. On top of that, it uses nine DNS's to go to its masters C&C (Command and Control) server.

The domain names are fast-fluxing so this botnet can move around nicely and since most of the compromised machines are webservers this botnet is packing a nice amount of bandwidth.

Detection for Backdoor:PHP/Obfu.A was added to our 2008-01-30_07 update.

Spyware Another Weapon for Domestic Abuse

Via The Register -

Spyware is becoming a tool of domestic abuse, according to security researchers.

Privacy-invading software packages are most commonly associated with surreptitiously snooping on victims to find out the passwords they use for online banking sites or bombarding them with invasive pop-up ads. But spyware can also be used as a tool to monitor and control their spouses by abusive partners, McAfee researcher Anna Stepanov warns.

"With so much of our lives dependent on computers and other technologies such as cell phones, the use of spyware is ideal for abusers, who often feel the need to control all aspects of a victim’s existence," she writes. "Monitoring a victim’s online, cell phone, or general computing activity is of more value than ever in controlling or hurting a victim."

Safe computing has joined finding safe housing as a list of requirements for people fleeing abusive relationships. "There is a strong movement within the [US-based] National Network to End Domestic Violence to educate victims and the general public about safe computing," Stepanov adds. "Many security companies have made sizable monetary donations to this organization to assist in education and to provide aid for securing networks within shelters for victims of domestic violence."

The changing uses of spyware and its continuing evolution are dealt with in a white paper by Stepanov titled Spyware: A Morphing Campaign.

Commercial products such as FlexiSPY, which records information about an individual's mobile phone calls and SMS messages before sending them to a remote server, have already generated controversy over the last couple of years. Packages such as FlexiSPY and Mobile Spy, another similar product, are marketed as a means for parents to keep watch on their child's phone, or enables employers to enforce an acceptable use policy on their staff. The legality of both products has been questioned.

Russian FSB Protecting Storm Worm Gang

Via The Register -

The creators of the Storm Worm botnet are known to US authorities but a lack of co-operation from their counterparts in St. Petersburg, Russia, is preventing action being taken.

St. Petersburg was the centre of the infamous Russian Business Network. It's also reckoned by some to be the city the Storm Worm (more properly Trojan) authors call home.

Dmitri Alperovitch director of intelligence analysis and hosted security at Secure Computing told The Washington Post that Russian President Vladimir Putin and political influence within the Federal Security Service (Russia's successor to the Soviet KGB) was hampering prosecution efforts. The implication is that elements of Russian intelligence agencies are protecting the city's cybercriminals.

"The right people now know who the Storm worm authors are," Alperovitch said. 'It's incredibly hard because a lot of the FSB leadership and Putin himself originate from there, where there are a great deal of people with connections in high places."

Other security experts reckon that the Storm Worm gang are based in Russia but have no real idea of their location, much less their identities. David Emm, senior technology consultant at Kaspersky Lab UK, said coding similarities and packing techniques used with the worm suggest the authors of the malware and Russian hackers known to have attacked local websites are one and the same. Kaspersky, like antivirus firm F-Secure, reckons that the Storm Worm gang is a multinational effort based in Russia.

"We don't know who they are," said F-Secure chief research officer Mikko Hyppönen, "but we believe it's a Russian gang with an American or several Americans helping them to build the social engineering messages and the websites they use."

-----------------------

Storm Worm turns one year old......

Navy Tests High-Powered Electromagnetic Railgun

Via FoxNews -

DAHLGREN, Va. — A futuristic weapon getting a trial run by the Navy demonstrated its destructive power at the Naval Surface Warfare Center in Dahlgren.

In the demonstration Thursday, engineers fired the electromagnetic railgun at what they said was a record power level: 10 megajoules.

The previous railgun power-use record was about 9 megajoules of muzzle energy.

Railguns use electromagnetic energy to launch projectiles long distances — more than 200 nautical miles.

Because the railgun uses electricity and not gunpowder to fire projectiles, it eliminates the possibility of explosions on ships.

The Navy hopes the railgun will eventually replace the standard 5-inch gun on its ships. The weapon isn't expected to be deployed until at least 2020.


A joule is defined as the energy needed to produce one watt of electricity for one second.

The railgun tested Thursday actually has a capacity of 32 megajoules, but the Navy is slowly building up the energy level in a series of tests.

That's a lot of power, but with a new series of electrically-powered ships coming on line, the Navy figures generating capacity will not be a problem.


According to the Navy, the railgun, when fully developed, will be able to launch solid projectiles at Mach 5, or about 3,700 mph.

Mozilla Prepping Firefox Chrome Fix - But is it really fixed?

Via SecurityProNews.com -

Though Firefox users would only be vulnerable if a chrome package is flat, rather than contained in a jar, Mozilla plans a quick fix.

Until Firefox 2.0.0.12 starts hitting clients running automatic updates for the browser, Window Snyder, Firefox chief security officer, urged Add-On authors who use flat packaging for their work to switch to jar packaging.

Originally, the chrome protocol directory traversal received a rating of Low from the Firefox security group, Snyder's post said the rating has been pushed to High.

"An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default," said Snyder.

A partial list of add-ons impacted by the issue included listings for Greasemonkey (greasemonkey-0.6.8.20070314.0-firefox) and Google Reader (google_reader_notifier-0.21-fx) among them. One commenter on Snyder's first post said the NoScript extension prevents chrome URIs from being loaded as scripts in content pages.

---------------------------

But is the problem really fixed?

My friend Gerry posted the following message on his blog yesterday....

Mozilla marked Bug ID 413250 as ‘RESOLVED FIXED’ on Tuesday. I got a chance to check out the fix today, and found that the fix is inadequate in stopping the attack. Here’s another demo that reads your session store, and like before, uses the Download Statusbar extension - steal_sessionstore2.html.

Data Breaches Probed at New Jersey Blue Cross, Georgetown

Via Computerworld.com -

Companies are paying a lot of attention to securing their networks against malicious attackers and other threats, but some still lag in implementing similar measures for protecting data on desktops, laptops and portable storage devices.

The most recent examples are Horizon Blue Cross Blue Shield of New Jersey and Georgetown University, both of which faced data compromises this month.

Horizon today said it has notified about 300,000 of its members of the potential compromise of their personal information following the theft of a laptop containing the data on Jan 5.

A security feature on the stolen laptop automatically deleted all of the confidential information on Jan. 23, a company spokesman said. But it is not clear whether the thief who stole the computer accessed the data on the system before then, he said. The data on the laptop was unencrypted but password-protected.

"We think it is highly unlikely because the files were not readily identifiable as containing personal data," said Thomas Rubino, director of public affairs at Horizon Blue Cross Blue Shield, which services about 3.3 million people.

Rubino offered no explanation as to why the data deletion took place nearly three weeks after the computer was first reported stolen. "Obviously, if we had been able to do it before, we would have done it," he said. Blue Cross Blue Shield was in the midst of a data encryption project at the time of the theft. "Unfortunately, this computer did not have encryption on it," Rubino said. An alert posted on its Web site noted that the confidential information on the stolen laptop included names, addresses and Social Security numbers of its members. The laptop did not contain medical data on any members, the company noted.

The laptop was stolen from a health plan employee in Newark. The employee was authorized to have the information on his computer, Rubino said. But the individual appears not to have followed company policies for securing systems that are taken out of company facilities, Rubino said without offering any specifics.

Blue Cross Blue Shield is offering one year's worth of free credit-monitoring services to those affected by the breach.

-------------------------------

In a past life, I had some exposure to a mobile security system that could trigger data deletion on remote devices anywhere on the internet...how did it work?

You install a software client on the mobile device (cell phone, laptop, etc). This software client silently talks back to its master server, which you place in the DMZ...giving it the ability to talk to remote clients on the internet.

Once a mobile has been stolen or lost, you can set the device to auto-delete all data...but this will only work if the device isn't tampered with at a software level (formatted or disabled) and it is connected to the internet at some point in the future.

Perhaps three weeks in the future....

Wednesday, January 30, 2008

Swedish Bank Stops Digital Theft

Via Wired.com -

STOCKHOLM, Sweden (AP) -- A gang of Swedish criminals was seconds away from completing a digital bank heist when an alert employee literally pulled the plug on their brazen scam, investigators said Wednesday.

The would be bank robbers had placed "advanced technical equipment" under the employee's desk that allowed them to take control of his computer remotely, prosecutor Thomas Balter Nordenman said in a statement.

The employee discovered the device shortly after he realized his computer had started an operation to transfer "millions" from the bank into another account, Nordenman said.

"By pulling out the cable to the device, the employee managed to stop the intended transfer at the last second," he said.

The foiled heist happened in August at a bank in Uppland county, north of Stockholm, police said. They announced it only Wednesday after seven suspects, all from the Stockholm region, were arrested this week while allegedly preparing another heist.

Police did not name the suspects, but said many of them have prior fraud and theft convictions. Investigators did not give other details on the device, or how it was placed under the desk.

--------------------

Wow, close call.

Afghan MPs Back Blasphemy Death

Via BBC -

The upper house of the Afghan parliament has supported a death sentence issued against a journalist for blasphemy in northern Afghanistan.

Pervez Kambaksh, 23, was convicted last week of downloading and distributing an article insulting Islam. He has denied the charge.

The UN has criticised the sentence and said the journalist did not have legal representation during the case.

The Afghan government has said that the sentence was not final.

A government spokesman said recently that the case would be handled "very carefully".

Now the Afghan Senate has issued a statement on the case - it was not voted on but was signed by its leader, Sibghatullah Mojaddedi, an ally of President Hamid Karzai.

It said the upper house approved the death sentence conferred on Mr Kambaksh by a city court in Mazar-e-Sharif.

It also strongly criticised what it called those institutions and foreign sources which, it said, had tried to pressurise the country's government and judiciary as they pursued people like Mr Kambaksh.

Some governments and international organisations have called for the sentence to be overturned.

A legal expert, Wadeer Safi, told the BBC that parliament was not constitutionally allowed to intervene in a case in the way the Senate had done, and he was concerned the new statement might prejudice the independence of the judges.

Mr Kambaksh's brother, Yacoub Kambaksh, told the BBC that the journalist was very concerned about his future and said he had not had a fair trial or any lawyer to defend him.

But the provincial governor in Mazar has said the case is being handled with due process.

...

He was arrested in 2007 after downloading material relating to the role of women in Islamic societies.

----------------------------------

So a journalist has been put on trial without a lawyer and given the death penalty for downloading an article relating to the role of women in Islamic societies.

Thank god we saved them from the Taliban and their strict interpretation of Sharia law.

See this Reporters Without Borders article for more details.

MySpace Will Open Site To Outside Developers

Via WSJ.com -

NEW YORK -- The online community MySpace is introducing tools for developing games, media-sharing features and other programs that better integrate with the Internet's leading social-networking site.

Wednesday's announcement follows a May decision by its smaller rival, Facebook, to open its platform to developers, a move that has proven to be a boon for music-sharing startup iLike.com, photo-sharing service Slide Inc. and countless other companies.

Those applications, in turn, have helped make Facebook even more popular, although it still ranks as the second most trafficked social network behind News Corp.'s MySpace. (News Corp. owns Dow Jones & Co., which publishes The Wall Street Journal.)

MySpace will formally launch the MySpace Developer Platform next Tuesday with a kickoff event and workshop at its new San Francisco office. Although developers will have all the tools they need to create and test programs, they won't be able to integrate them right away. MySpace has yet to announce a start date for that.

The company said the program should result in innovations in how friends connect and communicate.

MySpace already has informally allowed developers to create interactive applications known as "widgets." The photo-sharing service Photobucket became so popular that MySpace's parent company bought it for about $300 million.

By creating a formal developers program, MySpace plans to give programmers "deeper access" to the site and the ability to "build richer applications as part of it," said Amit Kapur, 26, named Tuesday as MySpace's chief operating officer.

Such access could include tapping MySpace's data on its users.

Mr. Kapur said the company also would help developers earn advertising money through their applications. He refused to say whether MySpace would split the revenue, adding that more details would come next week.

MySpace officials also hinted at rules and procedures that could help the company avoid the kind of controversy Facebook has encountered with Scrabulous, an online version of the word game Scrabble and one of Facebook's most popular applications.

The Scrabble game's owners, Hasbro Inc. and Mattel Inc., are trying to shut it down and have jointly issued cease-and-desist notices to four parties they didn't publicly named.

-------------------

As if Myspace didn't already have enough malware problems...

Tuesday, January 29, 2008

China Reports Bird Flu Outbreak in Tibet

Via globalsecurity.org -

Chinese agricultural authorities have reported an outbreak of bird flu among poultry in Tibet.

China's official Xinhua News Agency says the outbreak occurred in Tibet's Gongga county, which lies about 50 kilometers outside the capital, Lhasa.

Xinhua says the outbreak, of the deadly H5N1 strain of the virus, had been suspected since January 25, and was confirmed Tuesday.

The Ministry of Agriculture says efforts are underway to contain the outbreak.

One thousand birds have died from the virus, more than 1,300 others have been culled to prevent it from spreading. No human infections have been reported.

Bird flu remains difficult for humans to catch but scientists worry it could mutate into a form that passes easily between people.

The World Health Organization says the bird flu virus has killed more than 200 people worldwide since 2003, mostly in Asia.

LA Man Accused of Being Informant for Saddam

Via mercurynews.com -

LOS ANGELES—An Iraqi-born American citizen collected intelligence on Assyrian groups in the United States for former Iraqi dictator Saddam Hussein and didn't notify government officials here, a prosecutor said Tuesday during opening statements in a federal court trial.

William Shaoul Benjamin, 67, of Los Angeles, is charged with conspiracy, failing to register as an agent of a foreign government and making false statements. If convicted, he faces up to 20 years in prison.

Assistant U.S. Attorney Judith Heinz said Benjamin, who was free on bond, was a paid informant for the Iraqi Intelligence Service, the foreign intelligence arm of the Iraqi government, after coming to the U.S. in 1992.

Heinz said Benjamin was to "penetrate and monitor" expatriate Assyrian Christians, a minority group in Iraq perceived to be hostile to Saddam.

Documents uncovered in Iraq will show that Benjamin was "loyal and reliable" to Saddam, Heinz said.

"There is a spy in the room," Heinz said. "The spy is William Shaoul Benjamin."

Defense attorney James Blatt deferred his opening statement to a later time, and declined comment as he left the courtroom.

Mexico Issues Warrant for Wanted Marine

Via Military.com -

MEXICO CITY - Mexican officials have issued an arrest warrant for a U.S. Marine suspected of killing a pregnant colleague who had accused him of rape, a U.S. Embassy official said Tuesday.

A cousin told reporters last week that Marine Cpl. Cesar Laurean visited family in the area of Guadalajara, Mexico, this month, but left without saying where he was headed.


The burned remains of Lance Cpl. Maria Lauterbach were found with those of her fetus earlier this month in a fire pit in the back yard of Laurean's house in Jacksonville, N.C., and Laurean, is being sought on an indictment charging first-degree murder. Both were stationed at Camp Lejeune, N.C.

Laurean was born in Mexico and fled after leaving a note for his wife in North Carolina saying that Lauterbach cut her own throat and that he had buried her body.

Authorites say she did not commit suicide, and an autopsy found that she died of blunt force trauma to the head. Prosecutors have pledged not to pursue the death penalty if Laurean is found in Mexico, which refuses to send anyone back to the U.S. unless provided assurances they will not face execution.

A U.S. Embassy official, who was not authorized to give a name, said Mexican officials had issued a warrant for Laurean's arrest on a U.S. extradition request. The official did not say when the warrant was issued.

Tools of the Trade - Free Dr. Safdar Sarki

A Pakistani-American doctor who campaigned for the rights of a minority group is gravely ill in a remote Pakistani jail, held without charges under severe conditions for nearly two years, his lawyers and human rights advocates said.

The doctor, Safdar Sarki, was arrested in Karachi in February 2006 while visiting from his home in Texas. Pakistan’s Supreme Court named him as one of the people held in a secret detention system established by the government of President Pervez Musharraf, which by some estimates is holding more than 4,000 people.

Iftikhar Muhammad Chaudhry tried to expose the detention system when he was chief justice of the Supreme Court. Mr. Chaudhry forced Pakistani authorities to admit Dr. Sarki was being held and ordered them to bring him to his court last October.

Mr. Chaudhry was fired weeks later by Mr. Musharraf, before Dr. Sarki could appear before the judge. The president imposed emergency rule on Nov. 3, and fired Mr. Chaudhry the same day. The cases of Dr. Sarki and other secret detainees have languished since.

---------------------------------------

On to the tools...

On Jan 28th, Adobe released Shockwave Player 10.3.0.24. The Shockwave player allows you to play dazzling 3D games and entertainment, interactive product demonstrations and online learning applications.

On Jan 28th, Technitium MAC Address Changer v4.8 was released. Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver.

On Jan 25th, µTorrent 1.7.7 was released. uTorrent is an efficient and feature rich BitTorrent client for Windows sporting a very small footprint. This release addresses a recent DoS security vulnerability.

On Jan 21st, Core Security released the Pass-The-Hash Toolkit v1.2. The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component.

On Jan 20th, Christian Martorella released Wfuzz v1.4. Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.

On Jan 20th, Icesurfer released Sqlninja 0.2.2. Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. It is written in Perl and released under the GPLv2.

On Jan 19th, Tor 0.1.2.19 was released. Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default exit policy a little bit more conservative so it's safer to run an exit relay on a home system, and fixes a variety of smaller issues. See the release notes for more details.

On Jan 19th, Apache released a load of updates - Apache 2.2.8, Apache 2.0.63 and Apache 1.3.41. All three new releases addressed several security issues, so it is advised to update your Apache installations.

On Jan 18th, Winamp 5.52 was released. This version addresses a known Ultravox streaming metadata buffer overflow vulnerability. Check the version history for the details.

On Jan 17th, CCleaner v2.04.543 was released. CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. Check the full version history for all the details.

On Jan 15th, Nessus 3.1.9 Beta for Linux, FreeBSD and Solaris was released. Check the news release for all the details.

On Jan 9th, newsgator.com released Feed Demon 2.6.0.21. Feed Demon is a very powerful RSS reader. I used Feed Demon 2.5 in the past but moved to FeedReader in the effort to support the open source project. However, after using FeedReader for a while, I saw what made FeedDemon so great - its performance. But v2.6 is even better....why? Because it is now FREE! No joke.

iPhone Key Leaked

Via Securiteam Blog -

The key which is used to sign iPhone application has apparently leaked, posting the key itself appears to be illegal, therefore we won’t do it, but others have, so just Google search it.

-----------------------

I have no idea if this is real or not...and personally, since I don't own an iPhone, I really don't care either.

Recent study shows that one million iPhones (27%) sold in the US are unlocked.

Uninformed Journal - Volume 9

Uninformed is a technical outlet for research in areas pertaining to security technologies, reverse engineering, and lowlevel programming. The goal, as the name implies, is to act as a medium for informing the uninformed. The research presented here is simply an example of the evolutionary thought that affects all academic and professional disciplines.

http://www.uninformed.org/?v=9

Metasploit Unleashes Version 3.1

Via Metasploit Blog -

Austin, Texas, January 28th, 2008 -- The Metasploit Project announced today the free, world-wide availability of version 3.1 of their exploit development and attack framework. The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits. "Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research community" said H D Moore, project manager. Moore is referring the numerous research projects that have lent code to the framework.

...

The graphical user interface is a major step forward for Metasploit users on the Windows platform. Development of this interface was driven by Fabrice Mourron and provides a wizard-based exploitation system, a graphical file and process browser for the Meterpreter payloads, and a multi-tab console interface. "The Metasploit GUI puts Windows users on the same footing as those running Unix by giving them access to a console interface to the framework" said H D Moore, who worked with Fabrice on the GUI project.

The latest incarnation of the framework includes a bristling arsenal of exploit modules that are sure to put a smile on the face of every information warrior. Notable exploits in the 3.1 release include a remote, unpatched kernel-land exploit for Novell Netware, written by toto, a series of 802.11 fuzzing modules that can spray the local airspace with malformed frames, taking out a wide swath of wireless-enabled devices, and a battery of exploits targeted at Borland's InterBase product line. "I found so many holes that I just gave up releasing all of them", said Ramon de Carvalho, founder of RISE Security, and Metasploit contributor.

German Police Consider Surveillance Through Skype

Via BetaNews -

Leaked classified documents could point to a Skype and SSL intercepting system that could be launched in southern Germany next month.

In the wake of a foiled terrorist plot against U.S. installations in Germany in September, discussions began over granting police more freedom in surveillance. Federal interior minister Wolfgang Schäuble, member of the Christian Democratic Union, proposed a surveillance method that would involve the use of Trojan horses, allowing police to remotely and secretly search terror suspects' hard drives. Interior ministers failed to come to a conclusion regarding the legality of such a practice.

Two weeks ago, however, Bavarian Minister Joachim Hermann's spokespeople told German news magazine Focus that Bavaria would not wait for planned federal legislation on that matter, and put the bill forward to legalize enhanced police surveillance in Bavaria in February.

Classified documents from September 2007, leaked last week by the German political "Pirate Party," show one particular system that Bavarian police could have in place by February, and its high operating cost.

The system, provided by a company known as Digitask, is called a "Skype Capture Unit," and is essentially a malware client installed onto the surveillance target. It intercepts Skype voice and chat data, purportedly offering real-time streaming of hijacked content. Digitask also offered the police the ability to intercept and decrypt SSL-based communication with a "man-in-the-middle" style attack. Rental of these services would cost the Bavarian Police force €6,000 per month per instance. A further €2,500 fee would also be incurred per installation.

IrfanView 4.10 .FPX File Memory Corruption

* This exploit launches calc.exe.
*
* Tested against Win XP SP2 FR.
* Have Fun!
*
* Coded and discovered by Marsu
*
* Other bugs exist...

http://www.milw0rm.com/exploits/4998

Monday, January 28, 2008

Sunday, January 27, 2008

Components of Random JavaScript Toolkit Identified

Via cPanel Blog -

cPanel announced today that it’s security team has identified several key components of a hack known as the Random JavaScript Toolkit. The systems affected by this hack appear to be Linux® based and are running a number of different hosting platforms. While this compromise is not believed to be specific to systems running cPanel® software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise.

The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have passwordbased authentication enabled.

Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers. Once an attacker manually gains access to a system they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized root-kit based off of Boxer version 0.99 beta 3. Finally, the attacker searches for files containing credit card related phrases such as cvc, cvv, and authorize.

Greece Arrests Man Suspected of Major Data Hacks

Via News.com -

Greek police said on Friday they have arrested a man suspected of selling corporate secrets from France's Dassault Group, including data on weapons systems.

"This 58-year-old mathematician was wanted since 2002 after Dassault contacted Greek authorities," a police official, speaking on condition of anonymity, told Reuters.

"He is responsible for causing damages in excess of $361 million to the company and he has sold this corporate data, including information on weapons systems, to about 250 buyers through the Internet," the official said.

Police suspect the man of selling the data to buyers in Germany, Italy, France, South Africa, Brazil, as well as countries in Asia and the Balkans.

"The man hacked into the company's computer system and got possession of the data," the official said.

Police officers accompanied by computer experts raided the central Athens apartment the man was renting under an assumed name and said he was very competent in covering up his electronic footprints.

"He is one of the world's best hackers, using the nickname ASTRA, but we are also looking for an accomplice in the United Kingdom who helped him locate buyers online," the official said.

Dassault Group and its subsidiaries are a major player in civil aviation and the military sector.

The police official said the man would be taken to the prosecutors to be charged.

Another Julie Amero situation might be developing...

Via SunBelt Blog -

Remember Julie Amero? Well, The Julie Group may have to start evaluating another project.This time, the story is in Florida — and at a school that’s not too far from our own Sunbelt headquarters.

A school cop at
Gulf Middle School, John Nohejl, created a MySpace page to educate kids about safety (with the support of the school). Well, as Wired puts it:
Gulf Middle School resource officer John Nohejl didn't have porn on his MySpace profile, and he didn't link to porn. But one of the 170-odd people on his friends list, which seems mostly populated by students at his school, had a link to a legal adult site. Now the New Port Richey Police Department and the Florida attorney general's elite cyber crimes unit are investigating him for making adult content available to underage children.

From press reports, the adult site linked seems to have been Amateur Match Free Sex, an Adult Friend Finder type of site. It’s well known to anyone on MySpace that affiliates of these types of outfits have been known to do bad things on MySpace (AFF recently settled with the FTC for such behavior). It could have even been a link in the comment of a Friend.Oh, and after this broke, it was found that the school’s site itself had a link to gay porn. The principal is “outraged”.

As Kevin Poulsen at Wired points out, does that mean he gets criminally investigated as well?

This is silly. To criminally investigate an officer because three clicks away from his MySpace page there’s a link to an adult website? (Incidentally, the principal is Stan Trapp and a list of school staff member emails is here.)

At least one thing is heartening — the good folks over at the Florida Cybercrimes unit have their own MySpace page. They may quickly see how ludicrious this whole thing is.

---------------------------------------

Someone needs to put a common sense hat on and think about this. Given the spread of phishing on Myspace, it is not uncommon to see my own friends post links to porn once in a while...it isn't them, it is the phishers using their accounts.

So with over 100 people as 'friends", it is only a matter of time before one falls for a phishing attack and bang - porn links.

Thanks to my friend Alex for bringing this to my attention...we will have to keep any eye on this one.

We have to make sure that officer John Nohejl isn't slapped for something that is out of his control or responsibility.

Saturday, January 26, 2008

How 'Storm' Got the Name

Via F-Secure Blog -

One year ago — Janurary 18th/19th depending on your timezone — a spam run began that resulted in the moniker of "Storm" being given to a family of related malware.

Today, the Storm botnet is one of the more troublesome threats in existence.

How did it get the name? One year ago Dan and Jusu shot some video of our WorldMap Live in action. We uploaded that video to our newly created YouTube Channel and were quite surprised by the number of views that followed.

The "Storm Video" now has 880000+ views.

With that kind of mass attention, the name kind of stuck.

---------------------------------

Wish I had that many honeypots / detection nodes at my fingertips....

Societe Generale's 'Hacker' Trader Had Only Limited Computer Skills

Via InformationWeek -

The Societe Generale banker accused of operating a multibillion-dollar fraudulent trading scheme had only basic computing and programming skills -- a fact that deepens the mystery of how he managed to circumvent layers of highly sophisticated security software designed to prevent unauthorized activity.

On a copy of his resume that's widely circulating on the Internet, Jerome Kerviel lists Microsoft (NSDQ: MSFT) Office and Microsoft Visual Basic as his only IT-related skills. It also shows he performed some light programming work at Societe Generale that involved using Visual Basic to create macros for some of the French bank's trading and business applications.

While those skills might make Kerviel, a finance major, more computer-literate than many of his colleagues, they would hardly equip him for the kind of black hat hacking that would ordinarily be associated with a campaign of illicit, electronic trading that went undetected for months.

Kerviel's lack of advanced IT skills raises a pair of troubling possibilities. One is that Societe Generale's security systems were outdated or not properly maintained.

The other is that the junior-level trader was not working alone. Some reports have suggested that Kerviel used connections he made while working at Societe Generale's back office operations center to carry out the scheme -- which has cost the bank more than $7 billion.

iPhone 1.1.3 Jailbreak Released

Via tuaw.com -

A splinter dev team has just released its 1.1.3 jailbreak. This jailbreak, as discussed in our earlier post provides a "soft upgrade" path for jailbroken 1.1.1 and 1.1.2 users. (See that post for many of the technical details.) For right now, this jailbreak is limited to Windows users only, with a Mac release expected shortly. This does not jailbreak the iPod touch--iPhone only for now.

Friday, January 25, 2008

Texas House Committee Explores New Voting Requirements

Via KeyeTV (Austin) -

What it takes to be able to vote for president may be changing.

Friday, the State House Elections Committee will host a public hearing on whether or not Texas needs stricter voter identification requirements.

This action comes about six weeks before the March 4th presidential primary.

With so much interest in the Democratic and Republican candidates, changing the rules about what it takes to be able to cast a ballot is getting a lot of attention.

Right now, Texas voters only have to show their voter registration card at their polling place. These changes could make voters show their ID along with their voter registration card.

Supporters of the stricter identification rules say they're needed to keep non-citizens from voting.

Lieutenant Governor David Dewhurst says the changes would help prevent fraudulent use of someone else's registration to vote in someone else's place or vote multiple times.

But Democrats aren't happy with the proposal. They want Texas lawmakers to avoid placing more obstacles between people and the polls.

Opponents of the stricter voter ID requirements say if voters are asked to show various forms of ID at the polls, minorities, in particular, are less likely to cast ballots.

Republican House Speaker Tom Craddick says voter fraud has been increasing throughout the country. He says more has to be done to ensure that only U.S. citizens who are Texas residents are voting in Texas elections.

-----------------------------

Wow, what an idea!

Lets ensure that only U.S. citizens are voting...

We should look into making that a standard or something - perhaps like a privilege that is granted with citizenship.

Thursday, January 24, 2008

Japanese Virus Writers Charged for Copyright Violation

Via Channel Register -

Japan has arrested its first suspected virus writers, but in a strange twist the three suspected creators and distributors of a strain of P2P malware have been charged with copyright violation, in an arrest that recalls Al Capone's prosecution for tax evasion.

The trio were cuffed by cops in Kyoto on suspicion of involvement in a plot to infect users of the Winny P2P file-sharing network with a Trojan horse that displayed images of popular animé characters while wiping MP3 and movie files. The malware, called Harada is Japanese reports, is reckoned to be related to the Pirlames Trojan horse intercepting by net security firm Sophos in Japan last year.

According to local reports, the three men have confessed to their roles in unleashing the malware. One is said to have created the malware, while the other duo are reckoned to have offered the malware up to prospective marks on Winny. A lack of relevant computer crime law in Japan means that the group have been charged with copyright offences.

"It isn't illegal to write viruses in Japan, so the author of the Trojan horse has been arrested for breaching copyright because he used cartoon graphics without permission in his malware," explained Graham Cluley, senior technology consultant for Sophos. "Because this is the first arrest in Japan of a virus writer, it's likely to generate a lot of attention and there may be calls for cybercrime laws to be made tighter."

Due to the lack of applicable cybercrime laws, the authors of the malware face much the same fate as the coder who developed Winny. Isamu Kaneko, Winny's author, was fined by a Japanese court in December 2006 for copyright offences.

--------------------------

So if they would have used royalty free images...they would have been fine. Strange.

Polyglot Worm Spreads Over MSN Messenger Network

Via Channel Register -

The IRCBOT-RB Trojan poses as messages containing links to pictures on social networking sites such as MySpace and Facebook. Typical come-ons involve messages such as "Wanna see my pictures before i send em to facebook?". Clicking on a link takes users to booby-trapped websites.

Unusually, the polyglot malware changes these messages according to the language of the affected operating system used. Compromised machines are infected by a simple bot agent that leaves the hardware hooked up to a central control server, awaiting instructions.

Anti-virus firm Trend Micro advises users to avoid the temptation to follow any links or pictures sent via MSN Messenger (unless you are sure of the origin) and to be suspicious of messages which refer to the use of social networking sites.

UK Gov Moves to Secure Laptops with Encryption

Via vnunet.com -

The UK government has banned laptops leaving government buildings unless the contents are encrypted.

A series of catastrophic data leaks has caused the clampdown, after growing fears about the amount of personal data being lost by government employees.

The move is likely to lead to a boom in sales of encryption technology.

Cabinet Secretary Sir Gus O'Donnell said in an email to top civil servants on Monday: "From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises.

"Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance."

The move will cause considerable disruption in the Civil Service as encryption is relatively uncommon in government systems.

"It is not a technical problem at all, as it is really very simple to use encryption," said John Dasher, director of product marketing at encryption firm PGP.

"Once you have the policy in place, the workforce adjusts. The problem is that too many people think that losing data could not happen to them."

-----------------------

Clearly, this is a good move.

In the short term, it might cause a bit of pain...but it will be worth it.

Now, how do they plan on enforcing this encryption rule?

Wednesday, January 23, 2008

Is Barack Obama a Vulcan?

One of my co-workers noticed this today...and I can kinda see it...what do you think?



UPDATE: Obama ran agianst Republican Jack Ryan for the U.S. Senate in 2004. Ryan was an impressive candidate - attractive and wealthy, with law and business degrees from Harvard. However, during the race Ryan dealing with a messy divorce from actress Jeri Ryan, of “Star Trek: Voyager” fame.

Firefox Chrome: URL Handling Directory Traversal

Via Hiredhacker.com -

I spent some time tonight with scripting access to chrome files and found that Firefox doesn’t properly handle escaped characters. Its possible to load any javascript file on a victims machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.

To exploit this the victim needs to have an extension installed that does not store its contents in a jar archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).

This looks very interesting and may have bigger potential, but for now, its just another information disclosure.

---------------------

Nice one my friend, nice one.

Mozilla is aware of the issue and looking into it now. They have rated it as a low severity issue at this time.

Personal word of advice to my readers, don't try to out drink Gerry...it is just a mistake. lol

Mujahadeen Secrets 2 Released, Offers Stronger Encryption

Via DarkReading.com -

JANUARY 22, 2008 A Website frequented by al Qaeda supporters has released an upgrade to an encryption software tool for Islamic militants to communicate more privately and securely over the Internet -- with a stronger form of encryption, according to a Reuters report.

Even more disturbing is that the site hosting the application appears to be located in the U.S., in Tampa, Fla., says Paul Henry, vice president of technology evangelism for Secure Computing. Henry says a "whois" lookup shows that the site is hosted by NOC4HostsInc., in Tampa, and he has informed law enforcement of his finding.

"The Tampa connection is interesting, and has been brought to law enforcement's attention, along with a few other interesting sites hosted at the same location. It is appalling that a U.S. hosting firm is renting space for the site," Henry told Dark Reading.

The so-called Mujahadeen Secrets 2 software is available for free on the password-protected Ekhlaas.org site that regularly posts al Qaeda messages. The site says the application is "the first Islamic program for secure communications through networks with the highest technical level of encoding.

"
The original version of Mujahadeen Secrets was released last year by The Global Islamic Media Front, a Web-based group linked to al Qaeda.

Henry says he hasn't had a chance to test out the new application to determine just what type of encryption it's using. "But I understand that among other things, it solves a weak key issue they had, making it more difficult to crack," he says.

Terror experts have been concerned for some time over al Qaeda's increasing presence and use of the Internet to spread its message and to recruit new members. First there was the emergence of Web-based "electronic jihad" software last year, and then the Internet community went on high alert in November after an Israeli news organization reported that al Qaeda was planning a large-scale cyberattack, but that never materialized. (See 'Electronic Jihad' App Offers Cyberterrorism for the Masses and Report: Al Qaeda Schedules Cyber Jihad for Nov. 11.)

Secure Computing's Henry notes that the new version of Mujahadeen Secrets could make things more difficult for law enforcement to track terrorist activity. "With this upgrade, one has to wonder how long it will be before other software such as 'eJihad' [Electronic Jihad] is updated to use current technology and [it] becomes a more menacing threat," he says.

-----------------------------

Getting to the message before it is encrypted seems to be the easy way around this...but that is harder than it sounds.

Why eJihadists just don't use Pidgin with OTR, I don't know.

Tuesday, January 22, 2008

Dutch RFID Transit Card Hacked

Via Schneier on Security -

The Dutch RFID public transit card, which has already cost the government $2B -- no, that's not a typo -- has been hacked even before it has been deployed:

The first reported attack was designed by two students at the University of Amsterdam, Pieter Siekerman and Maurits van der Schee. They analyzed the single-use ticket and showed its vulnerabilities in a report. They also showed how a used single-use card could be given eternal life by resetting it to its original "unused" state.

The next attack was on the Mifare Classic chip, used on the normal ticket. Two German hackers, Karsten Nohl and Henryk Plotz, were able to remove the coating on the Mifare chip and photograph the internal circuitry. By studying the circuitry, they were able to deduce the secret cryptographic algorithm used by the chip. While this alone does not break the chip, it certainly gives future hackers a stepping stone on which to stand. On Jan. 8, 2008, they released a statement abut their work.

Most of the links are in Dutch; there isn't a whole lot of English-language press about this. But the Dutch Parliament recently invited the students to give testimony; they're more than a little bit interested how $2B could be wasted.

My guess is the system was designed by people who don't understand security, and therefore thought it was easy.

-----------------------------

No real shocker here....

Monday, January 21, 2008

Are We Giving The Robots That Run Our Society Too Much Power?

Panelists discuss whether controversial decisions by the Robot Congress and President Executron indicate robots have too much control over our lives.

http://www.theonion.com/content/video/in_the_know_are_we_giving_the

CERT Secure Coding Standards

This web site exists to support the development of secure coding standards for commonly used programming languages such as C and C++. These standards are being developed through a broad-based community effort including the CERT Secure Coding Initiative and members of the software development and software security communities. For a further explanation of this project and tips on how to contribute, please see the Development Guidelines.

The Top 10 Secure Coding Practices provides some language independent recommendations.

RIAA Website Wiped by SQL Injection

Via Realtechnews.com -

It’s a weekend, and a holiday weekend to boot, so the site might stay this way for some time. Someone apparently used SQL injection to wipe, and we do mean wipe, the website of the Recording Industry Association of America (RIAA) clean of content. (In case they’ve fixed the site, click the empty “Who We Are” statement above to see what their homepage looked like at the time of this writing.)

Since the RIAA is usually chasing after pirates of copyrighted and copy-protected material, call it … well, call it what you will.

It started on Reddit, where a link to a really slow SQL query was posted. The post said “This link runs a slooow SQL query on the RIAA’s server. Don’t click it; that would be wrong.”

Of course, no one listened to that tongue-in-cheek warning. While some users were messing around changing links to point the Pirate Bay, for example, someone allegedly wiped the site’s entire database.

UK MoD Data on 600,000 People Stolen

Via guardian.co.uk -

The Government was under fire for yet another data breach after revealing a Royal Navy officer's laptop containing the details of 600,000 people has been stolen.

The Tories immediately called for answers as to how more data had gone missing from Government hands while the Liberal Democrats' dubbed the incident "very embarrassing".

The British Armed Forces Federation (BAFF) said the fact that the laptop appeared to have been left in a car overnight "spoke volumes" and called for a top-level inquiry into the incident.


And one information expert said he was "flabbergasted" at the security lapse and claimed it rivalled the child benefit data loss from HM Revenue and Customs last year.

The laptop was stolen from the officer in Birmingham on the night of January 9 and reported the following morning, but the theft was only revealed on Friday night by the Ministry of Defence when the news began to leak.

It contained personal information from people who had joined up to the Royal Navy, Royal Marines and Royal Air Force and from people who had expressed an interest in joining. Entries on the computer included passport details, National Insurance numbers, drivers' licence details, family details, doctors' addresses and NHS numbers, the MoD said.

MacBook Air vs Commodore SX-64




Thanks to Todd P. for the link.

Sunday, January 20, 2008

Pakistani Police Foil Suicide Attacks & Cyanide Poison Plot

Via reuters.com -

KARACHI, Jan 19 (Reuters) - Pakistani police said on Saturday they had averted a disaster with the arrest of five militants planning to attack Shi'ite Muslim processions with cyanide and suicide bombs.

The arrests late on Friday in the southern city of Karachi came as minority Shi'ite Muslims across Pakistan gathered for religious commemorations that have in recent years drawn attacks from Sunni Muslim militants.

"Their arrest has averted a big disaster ... but the threat of suicide attacks is still there," provincial police chief Azhar Ali Farooqi told a news conference.

The five militants, one of whom was preparing to become a suicide bomber, belonged to different Sunni Muslim militant groups and were picked up in raids in different parts of the city, Farooqi said.

"They planned to carry out suicide and grenade attacks on processions," he said.

Police seized 6 kg (13.2 lb) of explosives for use in suicide jackets, 2 kg (4.4 lb) ball bearings, one kg (2.2 lb) of nails, detonators, three hand grenades and two pistols.

Police also seized 500 grams (17 oz) of cyanide that Farooqi said was going to be used to poison drinks handed out to people taking part in the Shi'ite processions.

Sectarian violence between Sunni and Shi'ite sects flares every year during the Muslim month of Moharram, which marks a period of mourning for Imam Hussein, a grandson of the Prophet Mohammad.

Al-Qaeda Plot to Kill Queen of England in Uganda Foiled

Via newvision.co.ug (Uganda) -

Al Qaeda terrorists posing as television crews planned to blow up the Queen by smuggling explosives into last year’s Commonwealth summit, a UK newpaper, The Sunday Express, reported yesterday.

Two outside broadcast vans belonging to the Uganda Broadcasting Corporation (UBC) were seized after a tip-off from intelligence agents.

As a result, UBC was unable to transmit live pictures of key summit events, including Queen Elizabeth’s historic address to the Ugandan Parliament on November 22.

The coordinator of security agencies in Uganda, Gen. David Tinyefuza said: “We received reports on plots to generally destabilise CHOGM and threats against the principals (heads of State). We were monitoring and we acted on the threats effectively.”

Dr. Ruhakana Rugunda, the Minister of Internal Affairs, told the UK newspaper: “We received information that a terrorist group linked to Al Qaeda, the Allied Democratic Forces, was planning to carry out terrorist activities at the Commonwealth meeting. The security services in Uganda neutralised the threats.”

The newspaper said Rugunda refused to comment on reports that Ugandan armed forces seized a speedboat loaded with arms and homemade bombs. A number of suspected ADF guerrillas aboard the boat on Lake Victoria were arrested. Rugunda added: “A number of suspects have been arrested but I cannot comment on the specifics of this case. What I can say is that we stepped up security because of the Al Qaeda threat but it was neutralised by our security services. “

In the end, the summit was incident free and Uganda was happy to receive such distinguished guests led by Her Majesty the Queen.”

CIA Links Pakistani Militant in the Death of Bhutto

Via Nytimes.com -

WASHINGTON — The Central Intelligence Agency has concluded that the assassins of Benazir Bhutto, the former Pakistani prime minister, were directed by Baitullah Mehsud, a Pakistani militant leader in hiding, and that some of them had ties to Al Qaeda.

The C.I.A.’s judgment is the first formal assessment by the American government about who was responsible for Ms. Bhutto’s Dec. 27 assassination, which took place during a political rally in the garrison city of Rawalpindi.

“There are powerful reasons to believe that terror networks around Baitullah Mehsud were responsible,” said one American intelligence official, speaking on condition of anonymity because he was not authorized to speak publicly on the matter.

The official said that “different pieces of information” had pointed toward Mr. Mehsud’s responsibility, but he would not provide any details.

Gen. Michael V. Hayden, the C.I.A. director, discussed the agency’s conclusion in an interview with The Washington Post published Friday.

Some friends and supporters of Ms. Bhutto questioned the C.I.A. conclusions, especially since the former leader was buried before a full forensic investigation had been conducted. The British government has since sent a team from Scotland Yard to participate in the investigation into the assassination.

“The C.I.A. appears too eager to bail out its liaison services in Pakistan, who are being blamed by most Pakistanis,” said Husain Haqqani, a former adviser to Ms. Bhutto and a professor at Boston University.

“Given the division inside Pakistan on this issue, it might be better to have an international investigation under the aegis of the U.N.,” Mr. Haqqani said.

DJ Shadow & Cut Chemist: The Hard Sell - Photos

Just a couple of photos from the first show in the Hard Sell U.S. Tour.

Left: DJ Shadow
Right: Cut Chemist



UK Concerned Over Facebook's Profile Deactivation Methods

Via BetaNews -

British officials are set to question Facebook over its data retention methods after a user complained that personal information remained on its severs after he deactivated his account.
Facebook's current system still retains some data even after an account is deleted. So far, it has defended the practice claiming that it is in full compliance with UK privacy laws.


Even so, the company said that it takes the "the concerns of the [Information Commissioner's Office] and our user's privacy very seriously and are committed to working with the ICO to maintain a trusted environment for all Facebook users and ensure compliance with UK law," in a statement on its site.

Deactivation of an account is apparently not the same as deleting it per se. Apparently, as a method for users who may change their minds, the data is stored so the account can be quickly reactivated later.

If a user wishes to delete her profile, she must do so manually. It is this facet of Facebook's policies that concerns the agency. It feels that that account deletion should be handled more on the company rather than the user's side.

--------------------------------

I believe this policy by Facebook is down right wrong.

They are putting their own interest (read: keeping your information for profit) above the interest of their users. If a user issues a clear request for total deletion, then the request should be fulfilled by Facebook (without forcing the user to manually delete all messages and comments).

Saturday, January 19, 2008

Defeating Math Antispam Protection Plugin for Wordpress

Via SecuriTeam -

The plugin Math Anti-spam consists of "a simple equation you must be able to solve in order to enter comments to a post. The equation is displayed as an image in a randomized color, font and position. An alternative to the image you can by clicking on the image, you download an audio mp3 clip that reads the equation for you". This audio clip is always the same voice, which is not randomly distorted or any other obfuscation method is applied.

The following illustrates how the Math Anti-spam mechanism can be easily subverted by preforming file comparison on the audio files.

Credit: The information has been provided by
Jose Palazon (a.k.a. palako).

The original article can be found at:
http://docs.google.com/View?docid=df36cd52_19xzmkwqcg

Thinnest Notebook Crown Belongs to Sharp

Via CNet -

On Tuesday, we wrote that the 1998 Mitsubishi Pedion was the thinnest notebook ever.

On Thursday, we learned that isn't the case, thanks to Jorge Pullin, at the Horace Hearne Jr. Institute for Theoretical Physics at Louisiana State University.


Back in the first years of the decade, Sharp released the Muramasas. Measuring 0.54 inch thick, the Actius MM10 Muramasa notebook, which hit shelves in 2003, came with a 1GHz Crusoe processor from Transmeta, 256MB of memory, a 15GB hard drive and a built-in Wi-Fi module. It ran 2.5 hours on a regular battery, and cost $1,499. Sharp also had a Mebius notebook in the Muramasa family that measured 0.65 inch thick. Jorge bought the Mebius.

There might be one or thinner notebooks out there, but not many. If you know of one, let us know. The Muramasas (named after a renowned sword smith) were quite attractive. They also had a definite gap over the Pedion (just over 0.72 inch) and the MacBook Air (at 0.76 inch) in thinness. The MM10 weighed 2.1 pounds, less than the 3-pound MacBook Air.

Too bad about the Transmeta processors, though.

We wrote about them back in 2002 and 2003, but completely forgot about it.

Sharp has had a good number of firsts and near-firsts. It came out with the first LCD calculator, for instance, as well as one of the first cell phones with a camera. That came out in 2000.

(Philippe Kahn claimed he invented the cell phone camera, but the theory has been debunked.) Japanese colleagues also say that the company's TV phones are quite popular because of the screen quality. But people forget about them in the U.S. sometimes.

And, like a lot of Japanese companies, it didn't start out in computers. Sharp's first product was a mechanical pencil that came out in 1915.

Teen Suspect Held in Bhutto's Killing

Via wlos.com (Local Western North Carolina News) -

DERA ISMAIL KHAN, Pakistan (AP) -- Officials in Pakistan say a teenager arrested near the Afghan border claims he was part of a team of assassins sent to kill former Prime Minister Benazir Bhutto.

An intelligence official says the 15-year-old told investigators that a militant leader with strong ties to al-Qaida sent a five-person assassination squad to Rawalpindi , where Bhutto was killed last month.

A senior district police officer in a town southwest of Islamabad says the teen was arrested there. He also said the suspect made "a sensational disclosure."Both officials spoke on the condition that they not be identified. An Interior Ministry spokesman said he had no information about any new developments in the Bhutto case.

The militant leader named by the teen is the same one blamed by U.S. intelligence officials, who say he organized the attack on Bhutto as part of a campaign of assassinations of Pakistani officials and suicide bombings in the country.

CIA Says Hackers Have Cut Power Grid

Via PC World -

Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. Central Intelligence Agency analyst said this week.

Speaking at a conference of security professionals on Wednesday, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.

Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," he said in a statement posted to the Web on Friday by the conference's organizers, the SANS Institute. "In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

"According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure," SANS said in the statement.

One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. "It appeared that there were a lot of people who didn't know this already," said the attendee, who asked not to be identified because he is not authorized to speak with the press.

He confirmed SANS' report of the talk. "There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack," he said.

Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable.

Friday, January 18, 2008

How to Give a Wannabe Hacker a Very Bad Day

Via vitalsecurity.org -

Last week I came across a site I thought had been hacked - in actual fact, it turned out that the clown who owned the page was just really messy and made it look like a tip.From there, I came across a whole bunch of phish pages and a leet hax forum for wannabe script kiddies. Of course, everything went pear shaped for the site owner the moment I picked up the phone and made a call, as you'll see (though most definitely NOT in the way you'd expect!)

(Warning: Swears galore, because this guy doesn't know the meaning of "eloquent".)

---------------------

Check out the link above for the whole story...wow, this is too cool for school (or something like that).

Hard Sell: DJ Shadow & Cut Chemist

Following in the footsteps of their now-legendary "Brainfreeze" (1999) and "Product Placement" (2001) sets, DJ Shadow and Cut Chemist have outdone themselves. Their new, all-45 show, entitled "The Hard Sell," incorporates eight turntables and two guitar loop pedals, allowing tricks and complexity rarely attempted by a DJ duo.

Jan 18th, 2008
DOORS 08:00 PM SHOW 09:00 PM

La Zona Rosa
612 W. 4th Street
Austin, TX 78701

--------------------------

Well, the show is sold out...but I have three tickets sitting at Will Call - hopefully.

Here is a little preview via Youtube. Thanks to Todd P.

The audio is a little scratchy, and not in the good way..lol

MySpace Bug Leaks 'Private' Teen Photos to Voyeurs

Via Wired.com -

A backdoor in MySpace's architecture allows anyone who's interested to see the photographs of some users with private profiles -- including those under 16 -- despite assurances from MySpace that those pictures can only be seen by people on a user's friends list. Info about the backdoor has been circulating on message boards for months.

Since the glitch emerged last fall, it has spawned a cottage industry of ad-supported websites that make it easy to access the photographs, spurring self-described pedophiles and run-of-the-mill voyeurs to post photos pilfered from private MySpace accounts.

The bug, and its long-term survival, raises new questions about privacy on the News Corp.-owned site, even as it touts a deal with the attorneys general of 49 states meant to polish its online-safety image.

"If kids are doing what they think they need to do, and are still having their photos picked up by slimebags on the internet ... then these are serious issues," said Parry Aftab, executive director of WiredSafety.org, a children's-online-safety group. "It's a matter of trust and it's a matter of safety." (WiredSafety is not connected to Wired News or Wired magazine.)

Representatives for MySpace did not return Wired News phone calls Thursday.

The flaw exposes MySpace users who set their profiles to "private" -- the default setting for users under 16 -- even though MySpace's account settings page tells users, "Only the people you select will be able to view your full profile and photos."

Clicking on the photo link on a private profile gives unauthorized users this message: "This profile is set to private. This user must add you as a friend to see his/her profile." But anyone -- even those without a MySpace account -- can plug the target's public account number, called a "Friend ID," into a specially constructed URL that grants access to those photos.

The only users safe from the exploit are those who have explicitly configured their MySpace photo galleries (and not just their overall profiles) to be private.

A similar technique in circulation allows third parties to see the friends list associated with a private profile.

The photo-gallery backdoor has been discussed on message boards for at least three months. In an October post on the music-oriented forum sohh.com, a user asked a contingent of self-described "pedos" for help in accessing the photos of a 16-year-old girl who caught his eye online. "I got a mission for all you pedo soldiers," he wrote, explaining that the girl's profile was private.

"I can get them. I know a way around it," another forum member responded. Minutes later, he posted direct links to 43 photos of the girl. By request, he posted links the next day for another 12 photos, belonging to a 15-year-old girl whose profile is also private. Sohh.com later banned a number of users who called themselves a "pedo army," for posting MySpace photo links for underage girls. (None of the posts appears to have involved, or alluded to, child pornography or other illegal conduct.)

Beginning in October, commercial websites began springing up to perform the MySpace hack automatically, while earning a buck through online advertising. The sites all allow you to retrieve photos from private profiles merely by typing in the Friend ID of a targeted user.