Wednesday, March 31, 2010

Automated SEO Poisoning Attacks Explained

Executive Summary

This paper describes recent research by SophosLabs into how attackers are using blackhat Search Engine Optimisation (SEO) techniques to stuff legitimate websites with content designed to rank highly in search engine results, yet redirect users to malicious sites. These websites are being used to distribute rogue security products (also known as “scareware” or “fake antivirus”) onto users' computers.

Sophos researchers have analysed the malicious SEO kits used by hackers to create networks of thousands of cross-linked pages containing search-friendly content on hot-trending topics, hosted on compromised, legitimate websites.

Michigan ID Theft Suspects Linked to Russian Crime Ring

Via -

It started as a traffic stop, a Kent County sheriff's deputy pulling over a car with a burned-out headlight, and occupants -- reeking of burned marijuana -- providing fake names and addresses.

On the back seat was a stash of Meijer bags.

Police were suspicious and asked the car owner for consent to search.

Inside the car? Multiple credit and debit cards, along with nearly $13,000 in stored-value Meijer cards, more commonly known as gift cards.

The extent of the criminal enterprise wasn't known at the time of the Oct. 2 traffic stop. But after sheriff's detectives and federal authorities got involved, investigators soon determined the three suspects in the car were allegedly linked to an Internet crime ring in St. Petersburg, Russia.

Investigators say the suspects used the information to put thousands of dollars onto fraudulent credit cards and store cards -- and obtain $200,000 in fraudulent student loans.

The cases fuel concern that technology, particularly the Internet, gives criminals an avenue to steal and share information from virtually anywhere. Law enforcement officials at the local, state and federal level in West Michigan are working toward an eventual task force on identity theft.

"There is no single silver bullet to solve it," said Hagen Frank, an assistant in the Grand Rapids U.S. Attorney's office. "It is a priority of the Justice Department to get a handle on identity theft. It really is a growing problem on a national level. Everyone is at risk for it."


Meijer is a regional American hypermarket chain based in Walker, Michigan.

Mozilla: Plugging the CSS History Leak

Via Mozilla Blog -

We’re close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time. We’re really excited about this fix, we hope other browsers will follow suit. It’s a tough problem to fix, though, so I’d like to describe how we ended up with this approach.


Originally specified as a useful feature for the Web, visited link styling has been part of the web for… well, forever. So this is a pretty old problem, and resurfaces every once in a while to generate more paranoid netizens.

The most obvious fix is to disable different styles for visited versus unvisted links, but this would be employed at the expense of utility: while sites can no longer figure out which links you’ve clicked, neither can you. David Baron has implemented a way to help keep users’ data private while minimizing the effect on the web, and we are deploying it to protect our users. We think this represents the best solution to the problem, and we’ll be delighted if other browsers approach this the same way.

Journalists’ E-Mails Hacked in China

Via -

In what appears to be a coordinated assault, the e-mail accounts of more than a dozen rights activists, academics and journalists who cover China have been compromised by unknown intruders. A Chinese human rights organization also said that hackers disabled its Web site for a fifth straight day.

The infiltrations, which involved Yahoo e-mail accounts, appeared to be aimed at people who write about China and Taiwan, rendering their accounts inaccessible, according to those who were affected. In the case of this reporter, hackers altered e-mail settings so that all correspondence was surreptitiously forwarded to another e-mail address.

The attacks, most of which began last Thursday, occurred the same week that Google angered the Chinese government by routing Internet search engine requests out of the mainland to a site in Hong Kong. Google said the move was prompted by its objections to censorship rules and by a spate of attacks on Google e-mail users that the company suggested had originated in China.

Those cyberattacks, which began as early as last April, affected dozens of American corporations, law firms and individuals, many of them rights advocates critical of China’s authoritarian government.

McAfee: 'Amateur' Malware Not Used in Google Attacks

Via -

A misstep by McAfee security researchers apparently helped confuse the security research community about the hackers who targeted Google and many other major corporations in cyber attacks last year.

On Tuesday, McAfee disclosed that its initial report on the attacks, branded Operation Aurora by McAfee, had mistakenly linked several files to the attacks, files that had nothing to do with Aurora after all.

Aurora is a sophisticated spying operation, set up to siphon intellectual property out of major corporations. It has been linked to attacks on Google, Intel, Symantec, Adobe, and other companies. Google took the attacks seriously. Last week it pulled its search engine out of China, in part because of the incident.

The files mistakenly linked to Aurora in McAfee's initial research are actually connected to a still-active botnet network of hacked computers that was created to shut down Vietnamese activists.

McAfee investigated more than a dozen companies that had been hit by Aurora and found the Vietnamese botnet on four of these networks, said Dmitri Alperovitch, McAfee's vice president of threat research. At first, McAfee thought they were part of the Aurora attack. "It took us a little while to realize that they weren't related," he said.

McAfee included four filenames in its original Aurora research that it now says are associated with the Vietnamese botnet: jucheck.exe, zf32.dll, AdobeUpdateManager.exe and msconfig32.sys.

McAfee has now "come to believe that this malware is unrelated to Aurora and uses a different set of command and control servers," McAfee Chief Technology Officer George Kurtz said in a Tuesday blog posting.

Other companies that followed up on McAfee's research were apparently confused too, according to McAfee's Alperovitch. "Some of the other companies that published their analysis on Aurora were analyzing this event and just didn't realize it," he said.

One such company was Damballa, Alperovitch said. Earlier this month, Damballa concluded that the Aurora attacks were the work of somewhat amateur botnet writers.

That conclusion was disputed by McAfee and other researchers who had been studying the attacks. They were seeing targeted attacks that compromised victims after careful reconnaissance and then used sophisticated techniques to move around the network and quietly move intellectual property overseas.

This type of attack is what computer forensics company Mandiant calls an advanced persistent threat. In its report, Damballa described it as the work of a "fast-learning but nevertheless amateur criminal botnet team."

"The advanced persistent threat is not a botnet," said Rob Lee, a Mandiant director.


From my view, Damballa was quick to jump on APT and boil it down to just another botnet problem...which is very good for them, seeing how they sell an anti-botnet appliance.

Just to illustrate this point, they use the term "APT" four times on their front page...and have even created an APT Audit. Hype much?

Google Links Web Attacks to Vietnam Mine Dispute

Via -

Google, fresh off a dispute with China over censorship and intrusion from hackers, says it has identified cyber-attacks aimed at silencing critics of a controversial, Chinese-backed bauxite mining project in Vietnam.

In attacks it described as similar to but less sophisticated than those at the core of its spat with China, Google said malicious software was used to infect “potentially tens of thousands of computers,” broadly targeting Vietnamese speaking computer users around the world.

Infected machines had been used to spy on their owners and to attack blogs containing messages of political dissent, wrote Neel Mehta of the company’s security team in a post late Tuesday on Google’s online security blog.

McAfee, the computer security firm, said in a separate blog posting that it believed “the perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam.”

It added: “This incident underscores that not every attack is motivated by data theft or money. This is likely the latest example of hacktivism and politically motivated cyberattacks, which are on the rise.”


The McAfee blog post has more technical details on the malware....the bot code masqueraded as a popular keyboard driver needed to use Vietnamese on Windows (VPSKeys).

Java 6 Update 19 Closes 26 Security Holes

Via -

Security updates for Java SE and Java for Business have been released as Java 6 Update 19. The novel part of this announcement is that, for the first time since the Oracle acquisition of Sun, the advisory appears as an Oracle Critical Patch Update (CPU). The change in format makes the advisory much easier to read and includes ratings on the Common Vulnerability Scoring System (CVSS), making it easier to assess how critical a vulnerability is and what priority should be given to closing the problem.

The holes include buffer overflows within the Java Runtime Environment (JRE) in ImageIO, Java 2D, WebStart, the Java plug-in from browsers, sound and in the HotSpot server. The issues affect Java 6 update 16, Java 5.0 update 23, Java 1.4.2_25 and Java 1.3.1_27.

Oracle's JDK 6 and JRE 6 Update 19 for Windows, Solaris and Linux, JDK 5.0 Update 24 for Solaris only, and SDK 1.4.2_26 for Solaris only, are available to download and eliminate the gaps. Java 1.3.1 is no longer supported. Oracle recommends that users install the updates as quickly as possible. For security reasons, TLS Renegotiation has been disabled as an interim fix to be restored in a future update. A number of other non-security fixes have been included in the update.


On Windows, you can update one of two ways.

1) Go into Control Panel, click "Java", then go into the "Update" tab. Click "Update Now" and you should be prompted to install the new version.

2) Download and install from the Java website directly - or

Tuesday, March 30, 2010

MS10-018: Out-of-Band Update for Internet Explorer


This update resolves 10 different vulnerabilities in Internet Explorer, the most severe of which could allow execution of arbitrary code. All versions of IE from 5.01 to 8.0 are affected to varying degrees. Both servers and workstations should be updated. The update replaces MS10-002 and addresses the MS Advisory 981374 vulnerability. Time to patch! It is a cumulative update.

Here is a listing of the related vulnerabilities and CVE entries:

Uninitialized Memory Corruption Vulnerability - CVE-2010-0267
Post Encoding Information Disclosure Vulnerability - CVE-2010-0488
Race Condition Memory Corruption Vulnerability - CVE-2010-0489
Uninitialized Memory Corruption Vulnerability - CVE-2010-0490
HTML Object Memory Corruption Vulnerability - CVE-2010-0491
HTML Object Memory Corruption Vulnerability - CVE-2010-0492
HTML Element Cross-Domain Vulnerability - CVE-2010-0494
Memory Corruption Vulnerability - CVE-2010-0805
Uninitialized Memory Corruption Vulnerability - CVE-2010-0806
HTML Rendering Memory Corruption Vulnerability - CVE-2010-0807

$88 Billion Deposited in Virginia Couple's Account

Via -

This is probably the only time you'll ever hear anyone complain about having too much money.

The Hickman family of Chesterfield, Va., recently noticed a little extra cash in their checking account -- $88 billion to be exact.

Instead of spending the money, the Hickmans decided to call SunTrust Bank to report the error. Even after talking to several bank employees, no one seemed to know how the problem occurred or how to fix it.

Eventually, SunTrust told the Hickmans it would have to freeze their account until Monday morning. The Hickmans in turn were left spending the entire weekend without any money.

Stephanie Hickman said she couldn't even afford groceries.

"I'm not saying that the $88 billion is my money, but the $150 at least that we had in the account was my money, and now I can't even access that," she said.

SunTrust is now trying to clear up the problem, so that the couple can use the checking account again.

TOSBack - Tracking Policies Changes

Terms-Of-Service and other website policies form the foundation of your relationship with social networking sites, online businesses, and other Internet communities. But most people become aware of these terms only when there's a problem. TOSBack was created to help you monitor the policies for the websites you use everyday, and show how they change over time.

TOSBack is a project of The Electronic Frontier Foundation. We are a non-profit membership-funded organization. If you like TOSBack, please consider making a donation or becoming a member.

LHC Powers Up to Record-Shattering 7 TeV Collision

Via -

The LHC first activated in September of 2008, but the ecstasy of the scientific community quickly turned to agony when an expensive malfunction led to over a year of repairs. Last August those repairs wrapped up and in November the accelerator was brought back online. On November 30, 2009 it set the world record for particle collision energy, smashing together two proton beams with energies of 1.18 TeV, for a combined collision of 2.36 TeV.

Today researchers at the LHC have tripled that collision energy, powering the beams up to 3.5 TeV each for a combined power of 7 TeV. That much energy has not been seen in particles since the days of the Big Bang -- the dawn of our universe.

Even with the repairs, this was a daunting task, worthy of some of the world's brightest minds. States CERN’s Director for Accelerators and Technology, Steve Myers, "With two beams at 3.5 TeV, we’re on the verge of launching the LHC physics programme. But we’ve still got a lot of work to do before collisions. Just lining the beams up is a challenge in itself: it’s a bit like firing needles across the Atlantic and getting them to collide half way."

CERN Director General Rolf Heuer cautioned, "The LHC is not a turnkey machine. The machine is working well, but we’re still very much in a commissioning phase and we have to recognize that the first attempt to collide is precisely that. It may take hours or even days to get collisions."

However, the researchers' persistence paid off. The collisions started at 8:30 CEST and by 13:06 CEST they achieved the world's first 7 TeV collision.

Social Networkers Savvier About Private Information, Survey Finds

Via -

A survey of social networkers, commissioned by Webroot, finds users of sites like Facebook, Twitter and LinkedIn are getting better at protecting their privacy online, but still leave themselves vulnerable to hackers.


Webroot’s second annual study surveyed more than 1,100 members of Facebook, LinkedIn, MySpace, Twitter and other popular social networks. The survey showed an increasing awareness among social network users of how to keep personal information private.

At the same time, it revealed how social network users still put their identities and sensitive information at risk. The survey found that more users are practicing certain safe behaviors, including blocking their profiles from being visible through public search engines—a 37 percent increase over last year. However, more than a quarter of respondents have never changed their default privacy settings and more than three quarters place no restrictions on who can see their recent activity.

In addition, Webroot has seen a rise in spam on social networks, which commonly contains links to malicious websites. The survey showed a 23 percent increase in spam received on social networks since last year. Younger users (ages 18-29) are the least likely to take steps to safeguard their information, with 43 percent of young users employing the same password across multiple sites compared with 32 percent overall. In general, privacy settings continue to be underutilized, with 28 percent of users reporting they’ve never changed their default privacy settings, though 27 percent of users now restrict who can find their profile through a public search engine, up from 20 percent last year.

“A perfect storm is developing between the number of people flocking to social networks and the new, increasingly sophisticated malware attacks cyber-criminals are launching to prey on the personal data they’re sharing,” said Jeff Horne, director of threat research at Webroot. “For example, our team has noted over 100 different variations of Koobface, a worm known to trick people into clicking links they shouldn’t in order to infect their PCs and often convince them to provide credit card numbers to buy phony antivirus products, among other fraudulent activities.”

Monday, March 29, 2010

Bail Rejected for Former MI6 Man Charged with Revealing Spy Secrets

Via The Register UK -

A former MI6 officer who allegedly attempted to sell Top Secret computer files to what he thought was a foreign intelligence agency has had his bail application rejected.

Westminster magistrates remanded Daniel Houghton, 25, from Finsbury Park, on two Official Secrets Act charges until a further hearing on April 15, PA reports.

He was arrested on March 1 at a central London hotel after allegedly accepting a briefcase containing £900,000 from MI5 counter-espionage officers posing as foreign intelligence. He had demanded £2m, prosecutors have claimed.

It emerged in court yesterday that the operation was launched after a tip-off from Dutch intelligence authorities. Houghton, a computer science graduate who left MI6 after less than two years' service, has joint British-Dutch nationality.

The disclosure suggests MI6, officially known as the Secret Intelligence Service, did not know Houghton had taken files detailing intelligence gathering techniques and information on 300 British agents when he left his job.

If convicted, Houghton faces up to 14 years' imprisonment on each charge.

ShmooCon 2010 Videos

ShmooCon is a hacker convention held in Washington DC and organized by The Shmoo Group.

Babysitting an Army of Monkeys - Fuzzing 4 Products with 5 Lines of Python

Charlie Miller's (0xcharlie) slides from his CanSecWest talk are now available. Converted from Keynote to Powerpoint.

Babysitting an army of monkeys: an analysis of fuzzing 4 products with 5 lines of Python

'Black Widow' Female Suicide Bombers Kill 37 in Moscow Metro Blasts

Via The Long War Journal -

Two female suicide bombers detonated their vests during morning rush hour at metro stations in Moscow, killing 37 people and wounding 65 more. The attack was carried out by the Caucasus Emirate's 'Black Widows,' and was foreshadowed by the leader of the terror group in a statement in February.

The first suicide bomber detonated at the Lubyanka metro station at 7:52 a.m. local time, killing 24 people, according to RIA Novosti. The Lubyanka station is near the headquarters of the Federal Security Service (FSB), the successor of the notorious KGB.

The second blast took place about 40 minutes later, at the Park Kultury station, which is near the Kremlin, killing 13 people.

The FSB said that an estimated four kilograms of explosives was used in the first suicide attack and 1.5 kilograms was used in the second.

"At present the overall number of the dead as a result of the explosions at the Park Kultury and Lubyanka metro stations is 37, and another 65 were wounded," Irina Adrianova, the spokeswomen for the Ministry for Emergency Situations told ITAR-TASS.

The FSB believes the attacks were carried out by the 'Black Widows,' members of the Caucasus Emirate's female suicide bomber cadre. The chief of the FSB said the heads of two women have been recovered at the blast sites. The Black Widows are typically wives or daughters of family members killed during the wars against the Russians in Chechnya.

The Black Widows have targeted Russian civilians and security personnel in multiple attacks, including: the attack on the Nord-Ost Moscow theater in 2003 (129 killed); an assassination attempt against Chechen President Akhmad Kadyrov (14 killed); a suicide attack on a train in Southern Russia (46 killed); a dual suicide attack at a rock concert at Tushino Airfield in Moscow (16 killed); the destruction of two Russian airliners in 2004 (more than 90 killed); and the attack on a school in Beslan in North Ossetia (334 killed).

The Black Widows are a unit within the members of the Riyad-us-Saliheen, or Garden of Paradise, martyr brigade.

"Riyad [the Riyad-us-Saliheen martyr brigade] is believed to be descended from two other Chechen terrorist organizations led by [former Chechen terrorist leader Shamil] Basayev, the Special Purpose Islamic Regiment (SPIR) and the International Islamic Brigade (IIB)," according to the Study of Terrorism and Responses to Terrorism database. "It has even been suggested that Riyad is simply the result of the marriage of these two groups."

In the spring of 2009, Doku Umarov, the current leader of the al Qaeda-linked Caucasus Emirate, reignited the Chechen insurgency by launching a wave of suicide attacks in the Caucasus and broadening the battle beyond the Chechen border. In April 2009, Umarov revived the Riyad-us-Saliheen martyr brigade, which has spearheaded the assault.

Internet Explorer Cumulative Update Releasing Out-of-Band

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing security update MS10-018 tomorrow, March 30, 2010, at approximately 10:00 a.m. PDT (UTC-8). MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.

We recommend that customers install the update as soon as it is available. Once applied, customers are protected against the known attacks related to Security Advisory 981374. We have been monitoring this issue and have determined an out-of-band release is needed to protect customers. For customers using automatic updates, this update will automatically be applied once it is released. Additionally, because Security Bulletin MS10-018 is a cumulative update, it will also address nine other vulnerabilities in Internet Explorer that were planned for release on April 13.

The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to Microsoft Security Advisory 981374.

Detecting Apple Mac OS X AFP Vulnerability with Nmap

During the development of my AFP library for Nmap I came across a critical vulnerability in Apple’s implementation of AFP on Snow Leopard. The vulnerability occurs due to improper input validation and allows an attacker to access (list, read, and/or write) files in the parent directory of any AFP sharepoint.

By default, when enabling AFP, the Public folder in each user’s home directory is shared as Public Folder. In my case “Patrik Karlsson’s Public Folder”. Since the Public folder is a subdirectory of a user’s home directory, exploiting this share provides access to all of that user’s home directory files (but not subdirectories or files with restrictive filesystem permissions).

As the name suggests, the Public shares are available to anyone without authentication. Given the default permissions on home directories (world read+execute) and the default umask (world read), this has a serious impact – as unauthenticated users can read all files in a user’s home directory. The attack also works for authenticated users against shares requiring authentication.

Technically the attack is not very challenging and relies on a classic directory traversal attack. It is strikingly similar to the famous Windows SMB filesharing vulnerability from 1995. However, sending such a path to the server without interpreting and translating it on the client is somewhat more challenging. I’ve developed a number of different scripts while researching the vulnerability that list, read and write files in the parent directory. In order to do so I’ve added the necessary code to the AFP library which is essentially the core of these NSE scripts.

At this time I’m releasing two scripts, afp-path-vuln and afp-brute, and the library. The vulnerability detection script attempts to determine whether the scanned servers are vulnerable or not and outputs the contents of the parent directory if they are. The script and library are as of now available from the latest subversion version of Nmap and can also be downloaded here:

You can run the scripts either from your current version of Nmap or from the current subversion release. If you want to run the script with user credentials it needs the subversion release of Nmap, as adding the support for AFP authentication involved patching the Lua to OpenSSL API.

For documentation on how to add scripts to your current Nmap installation have a look at Ron Bowes blog post “How-to: install an Nmap script” over here. The afp.lua library should be copied to the nselib directory which is located in the same parent directory as the scripts directory described in the blog post.
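The post describes the bug as a classic directory traversal: a share-relative path that climbs out of the share root is accepted by the server, and the usual client-side canonicalisation is the only thing that normally hides it. Below is an added example, not Patrik Karlsson's NSE code and not Apple's AFP implementation, showing the server-side check class that prevents it. It uses a plain POSIX path model and a constructed share root (`/Users/alice/Public`); real AFP path encoding, symlinks and filesystem permissions are outside the example and are assumptions it does not model.

```python
import posixpath

# Constructed example share root; not a real host or user.
SHARE_ROOT = "/Users/alice/Public"


def naive_resolve(share_root, client_path):
    """The pattern behind classic traversal bugs: the client-supplied path is joined
    to the share root and used as-is, so ".." segments walk out of the share."""
    return posixpath.normpath(posixpath.join(share_root, client_path))


def safe_resolve(share_root, client_path):
    """Resolve client_path relative to share_root and refuse anything that escapes it.

    Raises PermissionError for paths that normalise to a location outside the share.
    The check is done on the canonical string, so encodings such as "a/../../b" or
    leading slashes cannot slip past a segment-by-segment blacklist of "..".
    """
    root = posixpath.normpath(share_root)
    # Strip leading slashes so an absolute client path cannot replace the root.
    rel = client_path.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # Accept only the root itself or paths strictly beneath it. The trailing "/"
    # in the prefix test stops a sibling such as ".../Public2" from matching.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError("path escapes share: %r" % client_path)
    return candidate


def audit_requests(share_root, client_paths):
    """Map each requested path to its resolved location, or None when the share
    would refuse it. Useful for checking a share's policy against sample requests."""
    result = {}
    for path in client_paths:
        try:
            result[path] = safe_resolve(share_root, path)
        except PermissionError:
            result[path] = None
    return result


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, three that try to leave the share.
    samples = ["docs/readme.txt", "docs/../readme.txt", "../notes.txt",
               "../../etc/hosts", "../Public2/x"]
    for path, resolved in audit_requests(SHARE_ROOT, samples).items():
        print("%-20s naive=%-32s safe=%s" % (path, naive_resolve(SHARE_ROOT, path), resolved))
```

The naive column makes the problem visible: `../notes.txt` resolves to a file in the user's home directory, exactly the exposure the post describes. The safe resolver is the contract the server must enforce regardless of how well-behaved the client is; on a real filesystem it should additionally be applied to the `realpath` of the candidate so that symlinks inside the share cannot point outside it.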

Apple Mega Patch Covers 88 Mac OS X Vulnerabilities

Via -

Apple today released one of its biggest Mac OS X security updates in recent memory, a whopping package of fixes for 88 documented vulnerabilities.

The Mac OS X v10.6.3 update, which is considered "critical," covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.

In some scenarios, a malicious hacker could take complete control of a Mac-powered machine if a user simply views a malicious image or movie file.

The update covers critical vulnerabilities in AppKit, QuickTime, CoreMedia, CoreTypes, DiskImages, ImageIO and Image RAW.

It also covers holes in several open-source components, including Apache, ClamAV, MySQL and PHP.

Here's the full list of the patched vulnerabilities.

The Security Update 2010-002 / Mac OS X v10.6.3 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web page.


That's a big list of CVEs -

Unfortunately, this meta patch does not include a fix for the bug used by Charlie Miller at PWN2OWN 2010.

New patch doesn't fix pwn2own bug. Sorry suckers, gonna have to wait for the next patch :p


According to Computerworld....
Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple's largest patched 67 vulnerabilities.....More than 40% of the vulnerabilities patched today, 37 out of the 92, were accompanied by the phrase "may lead to arbitrary code execution," which is Apple's way of saying that a flaw is critical and could be used by attackers to hijack a Mac.

RumorMill: Out-of-Band IE Patch Coming Tomorrow

I am hearing tweets about a possible out-of-band IE patch being released tomorrow...most likely for the currently unpatched use-after-free iepeers.dll vulnerability affecting IE 6 & IE 7.

More stuff over at ISC -

More rumors = more real - clearly.

PlayStation 3 Upgrade Kills Linux Option

Via -

Sony is nixing a feature on PlayStation 3 that allowed users to install third-party operating systems, including the open source Linux OS, on the video game console. The PS3 Firmware 3.21 upgrade is available Thursday.

"It will disable the 'Install Other OS' feature that was available on the PS3 systems prior to the current slimmer models, launched in September 2009," Sony announced in a post Monday on its official PlayStation blog.

Sony said the move was "due to security concerns." "For most of you, this won't have any impact on how you use your PS3. If you are one of the few who use the Other OS feature, or if you belong to an organization that does, then you can choose not to upgrade your system," Sony said.
The company did not elaborate on why it believes third-party operating systems pose security threats to PlayStation users.

Some other consumer product companies have restricted the use of Linux on their products due to a licensing condition that stipulates that commercial users of Linux make their source code available to end users.

Some manufacturers have voiced concerns that end users would use the source code to disable Digital Rights Management technologies, which are used to protect copyrighted media from unauthorized duplication.

Tivo, which uses Linux in its digital video recorder, has rigged its devices to block installation of source code that's been modified by the end user.

Critics of the move, including free software advocate Richard Stallman, now refer to any attempts by Linux-based hardware manufacturers to limit the use of modified Linux on their products as "Tivoization."

Some PlayStation users are slamming Sony's decision. "I'm so disappointed. You're taking a part of the integrity of my PS3. Soon, backwards compatibility will disappear," wrote night64448, in the comments section of Sony's blog.

"I paid for the ability to run Linux," wrote user Cheriff. "Removing functionality after the transaction has taken place, after you have my money, is not on," wrote Cheriff.

Sony warned users of its Other OS feature to back up their data if they plan to upgrade to the new firmware, as data stored in the alternative OS partition of their console's hard drive will be inaccessible after the update.


According to other reports, it seems like this feature was removed from the newer slim model PS3s some time ago. I have one of the older models that still contains this feature and have installed Linux on my PS3 in the past. However, due to the lack of Flash support, my dreams of using the PS3 as a media center were dashed.

Sony believes that removing this option will make it less susceptible to hacking attempts....however, I would say this move will only drive hardware hackers to hack it...if only to restore the ability to install another operating system - something you could do without hacking before this stupid decision.

'Record of Death' Takes Out OpenSSL Servers

Via -

Crafted TLS packets can crash OpenSSL servers and clients. The problem is caused by an error in the ssl3_get_record() function, which processes SSL records. Data is transferred between end points in SSL records. According to an advisory from the OpenSSL development team, incorrectly formatted records can cause a memory access error.

OpenSSL versions 0.9.8f to 0.9.8m are in theory affected; however, the bug depends on the C compiler used. Where 'short' is defined as a 16 bit integer (which is almost always the case) only 0.9.8m is affected. Updating to OpenSSL version 0.9.8n resolves the problem.
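The advisory above says only that malformed records reach ssl3_get_record() and trigger a memory access error, and that the outcome depends on the width of `short`. The following added example is not OpenSSL's code; it shows the defensive shape of a record-layer parser in a pure-Python form: the 16-bit length field is read as unsigned, bounded by the protocol maximum before any memory is touched, and a record is only accepted once its whole body is present. The sample records are constructed for the example; the ClientHello bytes are a stub, not a real handshake.

```python
import struct

# Record header shared by SSLv3 and TLS 1.x: content type (1), version (2), length (2).
RECORD_HEADER_LEN = 5
# RFC 5246 section 6.2.3: a TLSCiphertext fragment must not exceed 2^14 + 2048 bytes.
MAX_CIPHERTEXT_LEN = 2 ** 14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
KNOWN_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


class RecordError(ValueError):
    """Raised for any record the parser refuses; the caller should drop the connection."""


def parse_record(buf):
    """Parse one record from the front of buf.

    Returns (content_type_name, version_tuple, payload_bytes, remaining_bytes).
    Every field is validated before the payload is sliced, so a hostile length
    can never index past the data actually received.
    """
    if len(buf) < RECORD_HEADER_LEN:
        raise RecordError("truncated header: %d bytes" % len(buf))
    # "!H" decodes the length as an unsigned 16-bit integer. Reading it into a
    # signed 16-bit short instead would turn values >= 0x8000 negative, which
    # is the kind of mismatch a later bounds check has to be explicit about.
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:RECORD_HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise RecordError("unknown content type %d" % ctype)
    if (major, minor) not in KNOWN_VERSIONS:
        raise RecordError("unsupported version %d.%d" % (major, minor))
    if length > MAX_CIPHERTEXT_LEN:
        raise RecordError("record length %d exceeds maximum %d" % (length, MAX_CIPHERTEXT_LEN))
    end = RECORD_HEADER_LEN + length
    if len(buf) < end:
        raise RecordError("record body truncated: need %d bytes, have %d"
                          % (length, len(buf) - RECORD_HEADER_LEN))
    return CONTENT_TYPES[ctype], (major, minor), bytes(buf[RECORD_HEADER_LEN:end]), bytes(buf[end:])


def parse_records(buf):
    """Parse every complete record in buf; raises RecordError on the first bad one."""
    records = []
    while buf:
        ctype, version, payload, buf = parse_record(buf)
        records.append((ctype, version, payload))
    return records


def build_record(ctype, version, payload):
    """Encode a record header in front of payload (used here to build test input)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


def rejects(buf):
    """True if parse_record refuses buf cleanly instead of misbehaving."""
    try:
        parse_record(buf)
    except RecordError:
        return True
    return False


# Constructed samples. GOOD carries a stub handshake body; the others are malformed.
GOOD = build_record(22, (3, 1), b"\x01\x00\x00\x04\x03\x01\x00\x00")
OVERSIZE = struct.pack("!BBBH", 23, 3, 1, 0xFFFF) + b"A" * 10   # length field far beyond the maximum
TRUNCATED = GOOD[:7]                                              # header promises more than is present
BAD_TYPE = build_record(99, (3, 1), b"\x00")                      # content type no layer defines

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("OVERSIZE", OVERSIZE), ("TRUNCATED", TRUNCATED), ("BAD_TYPE", BAD_TYPE)]:
        try:
            ctype, version, payload, _ = parse_record(sample)
            print("%-9s accepted: %s %s, %d-byte payload" % (name, ctype, KNOWN_VERSIONS[version], len(payload)))
        except RecordError as err:
            print("%-9s rejected: %s" % (name, err))
```

The ordering of the checks is the point: the length is compared against a protocol constant and against the bytes on hand before it is used as an index, and the decision is made on the unsigned value, so neither an oversized nor a truncated record can turn into an out-of-bounds read.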

See also:

Just released today, OpenSSL 1.0.0 is now available.

GCHQ: Spooks in Socks and Sandals

Via Times Online UK -

Tucked away on the outskirts of Cheltenham is a vast circular structure wrapped in razor wire. Getting inside requires passing through layer after layer of ever-tightening security. Everyone in the town knows what it is — Government Communications Headquarters (GCHQ) — but few secrets of its work emerge.

With about 5,500 employees, GCHQ is Britain’s largest but least well-known intelligence agency. Its mission is to eavesdrop on global communications, hunting for the terrorist phone call, Taliban radio traffic or a telling email from a foreign government.

GCHQ operates in a hermetically sealed bubble of security. But the building — known as the doughnut because it is round with a hole in the middle — is open and airy. Casually dressed people stroll down the main thoroughfare, “the street”, chat in coffee bars or work in open-plan offices. Signs for “serious crime” and “Asia-Pacific team” hint at the breadth of their work.

Intruders are unusual in this closed world. As I am escorted around, a voice comes across the PA system: “Blinds facing ‘the street’ in blocks A and B should be closed immediately.” A glance through a window might reveal something secret.


GCHQ’s work is often masked. One time it did make the news was in the run-up to the Iraq war, when a message from its US counterpart, the National Security Agency, was leaked to the press. The Americans wanted help in spying on diplomats as a possible vote on a second United Nations resolution approached. Katharine Gun, a Mandarin linguist, was sacked for the leak but not prosecuted.


ith MI6, and relationships with MI5 have become closer recently. Both agencies joke about GCHQ’s alleged lack of dress sense. “The first thing we need to do is take you to a proper tailor,” a suave MI6 officer is said to have told a GCHQ officer arriving on a faraway bugging mission.

“We can occasionally come over as nerdy or geeky,” Cheltenham’s properly attired director concedes.

“There are a couple of socks-and-sandal-wearing mathematicians,” says a nonsandal-wearing analyst, Joanna. “But to do this job you do have to be reasonably normal and outgoing. It is not just you sitting alone with a computer. You do have to talk to lots of people.”


The dangers of this work are evident from a walk through the grassy open-air space in the middle of the building. There, in one corner, is a memorial to the small number of staff who have died in service. The names show that more fatalities have come in Afghanistan in recent years than anywhere else.

Sunday, March 28, 2010

Active Koobface C&C Servers Hit a Record High

Via -

As I was saying in yesterday's blog post, we were expecting the number of Koobface C&C servers to start growing sometime this week:

"Cybercriminals don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. So, if the earlier strategy of the Koobface gang is anything to go by, we should be seeing new servers being added to control the botnet soon, most probably this week."

And, guess what? Yesterday evening the Koobface gang started adding new servers:


The total number of active Koobface C&C servers went from a low of 65 yesterday to over 200 at the time of writing – 225, to be precise. This is the most Koobface C&C servers we've ever seen in a 24-hour period, and we keep discovering new ones.

We've already started contacting the owners of the compromised websites to get the C&C servers taken down and cleaned up as quickly as possible.


Koobface is a worm that has a long history of targeting users of social networking sites - Facebook, Myspace, Hi5, Bebo, Twitter, etc.

Saturday, March 27, 2010

Al-Qaeda Uses Weakness to Its Advantage

Via -

Stung by a US-Pakistani crackdown and dwindling manpower, Al-Qaeda is not staging stunning 9/11-style attacks but claiming responsibility for stray strikes on mainly Western targets, analysts say.

Although this is a sign of weakness, the new policy shows an ability to adapt which may pose a new danger, they warn.

Washington has stepped up drone raids in Pakistan against Islamist militants, who are also facing the heat of a Pakistani military offensive.

In the past year US President Barack Obama has put Pakistan at the centre of his fight against Al-Qaeda.

Osama Bin Laden's network is now too busy struggling to survive to organise coordinated attacks in his campaign for a global jihad, or holy war.

"Although they are protected by some elements in the Pakistani services, they have a real problem with manpower and means," said Alain Chouet, the former head of the security wing of France's external intelligence agency DGSE.

"They don't have enough men, adequate means of communication ... and whenever there is an attack, never mind where, who or when, there are two or three jokers from Pakistan who claim responsibility without any possibility of anyone establishing a clear link," he said.

Although he failed to down a US airliner on Christmas Eve, failed Nigerian suicide bomber Umar Farouk Abdulmutallab was hailed as a "hero" by Bin Laden who said his action carried a message.


French researcher Jean-Pierre Filiu, whose books include "The Nine Lives of Al-Qaeda," said the group was claiming responsibility for attacks staged by individuals "to magnify its toll of victims and its nuisance value."

He said regardless of the extent of the individual's links to the jihadist movement, there was a tendency to interpret the strike as evidence of a growing "global menace."

Chouet said by systematically claiming responsibility, the group was able to "maintain a certain importance, keep some generous donors and continue to exercise a certain influence while waiting for better times."

The media and Western officials, ready to label any attack linked to radical Islamists as an Al Qaeda act, were actually helping the group, the two experts said.

Isolated operatives were now making the task of intelligence agencies tougher, Filiu said.

"It's when they make contact with an organisation, make trips or establish communication that they can be spotted," he said.

"The real nightmare is the lone wolf because there is nothing to alert."

The Bounty For An Apple Bug: $115,000

Via (The Firewall Blog) -

It's been a tough month for Apple's security team.

First Mac hacker extraordinaire Charlie Miller revealed that he'd found 20 exploitable vulnerabilities in Apple's Preview software, all of which apply to Safari as well. Then, at the Pwn2Own hacking competition in Vancouver, Miller and two other security researchers hijacked both an iPhone and a Macbook Pro in minutes. (Firefox and Internet Explorer 8 were hacked too, though Google's Chrome is still standing.)

Apple apologists will likely respond to that news with the usual refrain: Even if Apple is insecure, it's still safer, given that cybercriminals don't bother to target the 8% of American users who use Macs, by tech tracker IDC's count.

But Adriel Desautels, who I spoke to for this magazine profile of Charlie Miller, might feel differently. Desautels runs Netragard, a cybersecurity firm that acts, among other things, as a bug broker: Desautels buys vulnerability information from independent hackers and sells it on a growing, secret, and unregulated market. (Just who his customers are, Desautels won't reveal, though he argues that he screens them to make sure he's not selling exploit ammunition to cybercriminals.)

Desautels says that as Apple's user base has grown, so has the market for Mac bugs. And he's now willing to pay between $15,000 and $115,000 for the right Apple-focused security flaw. "There's a very big market for Apple bugs right now," says Desautels. "Our buyers are very interested, and in some cases explicitly asking for certain kinds of Mac bugs."


Desautels says his Apple bug bounty is still around 15% less than he would pay for the equivalent PC-focused flaw, given that high-volume cybercrime is still much more common than targeted espionage. But that slim difference shows that Apple is in fact being targeted, he says. "As Apple has become an accepted platform for business and communications, I've definitely seen an increase in demand," he says.

Hackers who win Pwn2Own by taking control of target systems each receive a $10,000 prize along with the hardware they've hacked, and researchers Vincenzo Iozzo and Ralf Philipp Weinmann, who teamed up to hijack the iPhone, will split $15,000. Those rewards are close to the high-end amount that the Zero Day Initiative, which runs Pwn2Own, or Verisign's iDefense division would usually pay for bugs. Both companies inform the software vendor of the vulnerabilities and implement the fix in their security products, rather than keeping them secret as Desautels' customers almost certainly do.

That means the researchers at Pwn2Own deserve praise for exposing their bugs to someone who plans to fix them. They could likely have earned far more by pawning them in private to someone with shadier purposes.

Friday, March 26, 2010

Networking Global Sovereignty

Via -

The Wall Street Journal reports that the US State Department is looking at a variety of new cybersecurity options, including the appointment of an ambassador-level official with responsibility for cybersecurity, and the linking of foreign aid to anti-cybercrime law enforcement efforts. This comes not long after Secretary Clinton’s internet freedom speech and the Treasury’s relaxation of export controls on certain internet services and products, and represents another pitch by the administration to ‘do something’ on cybersecurity in global terms.

If we think about cyber arms control proposals, for example, my impression is that the US has been very reluctant to go down this route. One reason perhaps is that although the Russians seem to be keen on such a regime, the US has not elicited enough concessions in principle on law enforcement to make this worthwhile from their perspective (notwithstanding the probable lack of practical effect of such an agreement also). All the more interesting therefore that the Russian Federal Security Service (FSB) has recently been co-operating with the Federal Bureau of Investigation (FBI) in arresting the alleged perpetrators of the December 2008 RBS WorldPay data breach.

It does not require any degree of conspiracy to look at Google’s decision to ditch its self-censorship in China policy in this political light too. The connections between Google and the US government are many and varied, and with the ball now firmly in Beijing’s court with respect to Google’s future operations in China, the US cannot be too displeased about this situation. How this immediately helps Google or the US depends on how China reacts in the coming days but it is reportedly fuming that Google is effectively acting as a serious diplomatic lever at the moment. China looks to be outmanoeuvred but … watch that space.

Are we seeing the US making a renewed effort to project its sovereignty as a networked superpower, rather than purely a military one? I think this is indeed the case and, if so, it’s a very smart move. I’m less sanguine about how cybersecurity as a component of national security figures in this power equation but I’m reminded of the words of Alexander Galloway and Eugene Thacker, writing in 2007:

Networks are not a threat to American power. In fact, the opposite is true: networks are the medium through which America derives its sovereignty.

And sovereign entities need ambassadors, perhaps.

US & UN Place Sanctions on Al-Qaeda in Iraq Leader

Via The Long War Journal -

A senior al Qaeda in Iraq leader operating in Iraq, Syria, and Jordan has been sanctioned by the US Treasury Department.

Muthanna Harith Sulayman al Dhari, a senior leader of al Qaeda in Iraq and the Sunni insurgency, has been designated as a terrorist under Executive Order 13224 "for providing financial, material, or technological support and financial or other services." The designation allows the US to freeze his assets, prevent him from using financial institutions, and prosecute him for terrorist activities. Also today, Muthanna was designated as a terrorist by the UN Security Council's al Qaeda and Taliban Sanctions Committee.

Muthanna provides logistical and financial support for al Qaeda in Iraq as well as for his faction of the 1920s Revolutionary Brigade, a Sunni insurgent group. Most of the members of the 1920s Revolutionary Brigade split with the insurgency and formed the backbone of the anti-al Qaeda Awakening movement in 2006 in Anbar province.

Today's Treasury statement said that Muthanna "intended to reinvigorate the insurgency in Iraq by providing training to any insurgent organization fighting Coalition Forces" in August of 2008. He is known to have attended "training meetings" for al Qaeda in Iraq fighters at camps inside Syria.

At the meetings, Muthanna "explained AQI's [al Qaeda in Iraq's] future intentions to the trainees and stated that all available support from AQI would be offered across Iraq for operations against Coalition Forces," according to the Treasury. Muthanna "also advised the trainees that he and two other individuals would soon be traveling to Baghdad to begin resupplying insurgent leaders with equipment."

Muthanna provided an al Qaeda recruiter who operated in Anbar province and in Syria with $1 million, and promised to pay new recruits $10,000 each after they completed training at camps in Syria. Muthanna also directly financed an al Qaeda in Iraq cell and a 1920s terror cell that carried out attacks on Iraqi and US forces.

Chicago Man Charged with Supporting Al-Qaeda

Via (Just In Blog) -

A Chicago, Illinois, man was charged Friday with providing material support to al Qaeda by attempting to send the terrorist group funds overseas, the Department of Justice said.

The man, Raja Lahrasib Khan, also allegedly discussed attacking a stadium in the United States this summer, officials said, though they stressed that there is no imminent domestic danger.

Khan, a Chicago taxi driver who is a naturalized U.S. citizen from Pakistan, was arrested by FBI officials Friday morning.

Mexico Arrests 'King of Heroin'

Via -

Mexican police have arrested a suspected top supplier of heroin to the United States, known as "The King of Heroin," security officials said here on Thursday.

Jose Antonio Medina was presented to the press in Mexico as a new US government report underlined the growing dominance of Mexican drug cartels on the illegal US drug market, including an increasing production of heroin in Mexico.

Medina, also known as "Don Pepe," delivered an average of 200 kilos (440 pounds) of heroin a month to the United States, mainly to Los Angeles, earning some 12 million dollars, Ramon Pequeno, head of the anti-drug squad, said at a news conference.

The 36-year-old, who was captured on Wednesday, "is considered by US authorities to be the main supplier of heroin to this country," Pequeno said.

Medina hid the drugs in secret compartments of vehicles crossing between the Mexican city of Tijuana and the US city of San Diego, one of the world's busiest border crossings, Pequeno alleged.

The US State of California was seeking Medina's arrest and extradition, he added.


According to the BBC....
Mexican drug gangs have expanded their activities in the US with heroin production doubling in 2008, the US justice department says in a report.

US, Russia to Sign Nuclear Arms Reduction Treaty on April 8

Via VOA News -

President Barack Obama says the U.S. and Russia have agreed to the most comprehensive arms control agreement in nearly two decades.

The landmark nuclear arms reduction treaty reduces by about one-third the number of long-range nuclear weapons that the world's two largest nuclear powers will deploy.

President Obama said he telephoned his Russian counterpart, Dmitri Medvedev, Friday, and they agreed to meet in the Czech capital, Prague, to sign the new START treaty on April 8. He said the pact shows that the two nations intend to lead the world in reducing the nuclear threat.

A spokeswoman for President Medvedev told Russia's Interfax news agency the agreement reflects the balance of both countries' interests.

U.S. Secretary of State Hillary Clinton said the pact will give Russia and the United States more credibility in non-proliferation and in dealing with countries like Iran and North Korea on nuclear issues.

The U.S. Senate and the Russian Parliament must ratify the treaty.

Mr. Obama said the treaty also significantly reduces missiles and launchers, and establishes a strong and effective verification system. He said it also maintains flexibility needed to protect national security and guarantee the U.S. commitment to its allies' security.

The new treaty will replace the START I agreement - Strategic Arms Reduction Treaty - signed in 1991 by U.S. President George H.W. Bush and Soviet President Mikhail Gorbachev. That treaty came into force in 1994 but expired in December of 2009.


White House: Key Facts about the New START Treaty, March 2010

Report: Most Targeted Attacks Originate From China

Via -

Most targeted attacks come from China, even though the majority of malicious emails targeting corporations come from email servers in the U.S., according to a new report released today.

Symantec MessageLabs found that the location of the offending email server is only part of the equation. "When we looked at the IP addresses from which the messages were being sent, it revealed that the U.S. appeared to be responsible for more than one-third of those attacks," says Paul Wood, senior analyst with MessageLabs Intelligence. But on closer inspection of the email headers, MessageLabs found 28.2 percent were from China, 21.1 percent were from Romania, and 13.8 percent were from the U.S.

"These are either from individuals in China or computers in China that are under control of someone else [as bots]," Wood says. "The Chinese are certainly in the same boat as the rest of us in malware and bot [infections]."

Targeted attacks, such as those that recently hit Google, Adobe, Intel, and other U.S. companies, brought to light the danger of such attacks that conduct industrial espionage or steal intellectual property from an organization.

Whether this data reflects any activity related to those attacks, also known as Operation Aurora, is unclear. "We were just looking at malware samples we blocked and identified as malicious. There's not necessarily a connection there at all" with Operation Aurora, Wood says. "That's not something I can say 'yes' or 'no' to."

While 36.6 percent of the targeted emails came from mail servers in the U.S., 17.8 percent were from China and 16.5 from Romania. Wood says the U.S. accounted for such a high percentage due to the high concentration of messages that were from Webmail services hosted in the U.S.

The top five types of targeted people were directors, senior officials, vice presidents, managers, and executive directors, the report found. Also, any person with responsibilities in foreign trade and defense policy in Asian countries or other places was also a target, according to the report.

.DOC and .XLS files were the most common types of attachments to the malicious emails -- each accounting for 15.4 percent of the files -- followed by .ZIP (11.2 percent), .PDF (10.7 percent), and .EXE (6.7 percent). Wood says .EXE attachments typically arouse suspicion as malicious, and 15 percent of those they found with emails were malicious. And even though .DOC files are mostly associated with malicious emails, he says, they are not necessarily the most dangerous -- they usually are safe attachments included with the messages.

The most dangerous type of file is an encrypted form of the relatively obscure .RAR file, a proprietary, compressed file. "If they're not encrypted, they are less likely to be malicious," Wood says. "The encrypted ones were malicious 96.8 percent" of the time, he says.

The MessageLabs Intelligence March 2010 report, available here for download, also found that 77 percent of spam sent by the Rustock botnet was sent via a secure TLS connection this month. Spam sent over TLS made up about 20 percent of all spam in March, the report says.

Thursday, March 25, 2010

Pwn2Own Winner Tells Apple, Microsoft & Adobe to Find Their Own Bugs

Via -

The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.

Instead Charlie Miller will show the vendors how to find the bugs themselves.

Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he's tired of the lack of progress in security. "We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can't make them do that."

Using just a few lines of code, Miller crafted what he called a "dumb fuzzer," a tool that automatically searches for flaws in software by inserting data to see where the program fails. Fuzzing is a common technique used not only by outside researchers, but by developers to spot bugs before they release the software. Microsoft, for example, has long touted, and used, fuzzing as part of its Security Development Lifecycle (SDL), the term for its in-house process of baking security into products as they're created.
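The "dumb fuzzer" the article describes is a mutation fuzzer: take a valid input, randomly corrupt a few bytes, feed it to the target, and record any input that makes the target fall over. The block below is an added example written for this post, not Miller's code; the `parse_record` target is a constructed toy parser that trusts its own length fields (a stand-in for the file-format code a developer would fuzz in their own product), and the seed input, mutation strategies and iteration count are all assumptions for the demo.

```python
import random

# Constructed seed: count=2, then chunks "abc" (len 3) and "de" (len 2). Well-formed input.
SEED = b"\x02\x03abc\x02de"


def parse_record(data: bytes) -> int:
    """Constructed toy parser standing in for the code under test.
    Format: 1-byte chunk count, then `count` chunks of (1-byte length, body).
    It trusts the count and length fields, so a malformed input can push `pos`
    past the end of the buffer and the indexing raises IndexError: the 'crash'."""
    count = data[0]
    pos = 1
    total = 0
    for _ in range(count):
        length = data[pos]                      # unchecked read of the length byte
        total += sum(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return total


def mutate(seed: bytes, rng: random.Random, max_mutations: int = 4) -> bytes:
    """Dumb mutation: apply 1..max_mutations random edits (bit flip, overwrite with an
    'interesting' byte, insert a random byte, delete a byte) to a copy of the seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_mutations)):
        choice = rng.randrange(4)
        if choice == 0 and buf:                 # flip one bit
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif choice == 1 and buf:               # overwrite with a boundary value
            i = rng.randrange(len(buf))
            buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
        elif choice == 2:                       # insert a random byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif choice == 3 and len(buf) > 1:      # delete a byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Run `target` on mutated inputs. Returns {(exception type, message): input},
    i.e. one reproducing input per distinct crash signature (a crude crash bucket)."""
    rng = random.Random(rng_seed)               # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        try:
            target(data)
        except Exception as exc:                # any uncaught exception counts as a crash
            crashes.setdefault((type(exc).__name__, str(exc)), data)
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record, SEED, iterations=500)
    print("%d distinct crash(es)" % len(found))
    for (kind, msg), data in found.items():
        print("  %s(%s) <- %r" % (kind, msg, data))
```

The fix for a parser like this is to validate every length field against the remaining buffer before using it; rerunning the fuzzer against the hardened version and seeing zero crashes over many iterations is the cheap regression check the article argues vendors should already be doing.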

Miller's fuzzer quickly uncovered 20 vulnerabilities across a range of applications as well as vulnerabilities in Apple's Mac OS X 10.6, aka Snow Leopard, and its Safari browser. He also found the flaws in Microsoft's PowerPoint presentation maker; in Adobe's popular PDF viewer, Reader; and in, the open-source productivity suite.

Today, Miller was to take the floor at CanSecWest, the Vancouver, British Columbia-based security conference that also hosts Pwn2Own, to demonstrate how he found the vulnerabilities. He hoped Apple, Microsoft and other vendors would listen to what he has to say.

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.

What really disappointed Miller was how easy it was to find these bugs. "Maybe some will say I'm bragging about finding the bugs, that I can kick ass, but I wasn't that smart. I did the trivial work and I still found bugs."


One researcher with three computers shouldn't be able to beat the efforts of entire teams, Miller argued. "It doesn't mean that they don't do [fuzzing], but that they don't do it very well."

By refusing to hand over technical information about the vulnerabilities he uncovered, Miller is betting that Microsoft, Apple and others will duplicate his work, and maybe, just maybe, be motivated to do better. "I think they'll feel some pressure to find these bugs," he said.

Miller used one of the flaws he found by dumb fuzzing yesterday to exploit Safari on a MacBook Pro, walking off with the notebook, $10,000 and a free trip to Las Vegas this summer to the DefCon hacking conference.

Inside a Global Cybercrime Ring

Via -

Hundreds of computer geeks, most of them students putting themselves through college, crammed into three floors of an office building in an industrial section of Ukraine's capital Kiev, churning out code at a frenzied pace. They were creating some of the world's most pernicious, and profitable, computer viruses.

According to court documents, former employees and investigators, a receptionist greeted visitors at the door of the company, known as Innovative Marketing Ukraine. Communications cables lay jumbled on the floor and a small coffee maker sat on the desk of one worker.

As business boomed, the firm added a human resources department, hired an internal IT staff and built a call center to dissuade its victims from seeking credit card refunds. Employees were treated to catered holiday parties and picnics with paintball competitions.

Top performers got bonuses as young workers turned a blind eye to the harm the software was doing. "When you are just 20, you don't think a lot about ethics," said Maxim, a former Innovative Marketing programmer who now works for a Kiev bank and asked that only his first name be used for this story. "I had a good salary and I know that most employees also had pretty good salaries."

In a rare victory in the battle against cybercrime, the company closed down last year after the U.S. Federal Trade Commission filed a lawsuit seeking its disbandment in U.S. federal court.

An examination of the FTC's complaint and documents from a legal dispute among Innovative executives offer a rare glimpse into a dark, expanding -- and highly profitable -- corner of the internet.

Innovative Marketing Ukraine, or IMU, was at the center of a complex underground corporate empire with operations stretching from Eastern Europe to Bahrain; from India and Singapore to the United States. A researcher with anti-virus software maker McAfee Inc who spent months studying the company's operations estimates that the business generated revenue of about $180 million in 2008, selling programs in at least two dozen countries. "They turned compromised machines into cash," said the researcher, Dirk Kollberg.

The company built its wealth pioneering scareware -- programs that pretend to scan a computer for viruses, and then tell the user that their machine is infected. The goal is to persuade the victim to voluntarily hand over their credit card information, paying $50 to $80 to "clean" their PC.

Scareware, also known as rogueware or fake antivirus software, has become one of the fastest-growing, and most prevalent, types of internet fraud. Software maker Panda Security estimates that each month some 35 million PCs worldwide, or 3.5 percent of all computers, are infected with these malicious programs, putting more than $400 million a year in the hands of cybercriminals. "When you include cost incurred by consumers replacing computers or repairing, the total damages figure is much, much larger than the out of pocket figure," said Ethan Arenson, an attorney with the Federal Trade Commission who helps direct the agency's efforts to fight cybercrime.

Groups like Innovative Marketing build the viruses and collect the money but leave the work of distributing their merchandise to outside hackers. Once infected, the machines become virtually impossible to operate. The scareware also removes legitimate anti-virus software from vendors including Symantec Corp, McAfee and Trend Micro Inc, leaving PCs vulnerable to other attacks.

When victims pay the fee, the virus appears to vanish, but in some cases the machine is then infiltrated by other malicious programs. Hackers often sell the victim's credit card credentials to the highest bidder.

Facebook Threatens Greasemonkey Script Writer

Via -

Another day, another abusive bullying attempt. This time, it's Facebook, which is apparently trying to bully the maker of a Greasemonkey script that cleans up your Facebook live feed by removing annoying app notices (such as all the crap your friends are doing in Farmville and Mafia Wars). It sounds quite useful. Originally, the script was called Facebook Purity, and Facebook complained about the trademark issue (a stretch... but perhaps you could see the company's point). So the guy changed the name to Fluff Busting Purity. No trademark issue at all. But Facebook is still complaining. The thing is, this is a Greasemonkey user script -- meaning that everything happens in the user's browser -- which Facebook has no claim over. If you tell your browser to ignore certain things on a website, that should be your choice. This add-on is there to help people who want it, such that it makes Facebook more useful to them. It's too bad that as Facebook gets bigger, we're hearing more and more stories of this kind of bullying activity.


TJX Hacker Gets 20 Years in Prison

Via -

Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.

The sentence for the largest and costliest computer-crime case ever prosecuted is the longest ever imposed in a hacking or identity-theft case. And it is among the longest imposed for a financial crime. It beats out a sentence recently imposed on hacker Max Ray Vision, who received 13 years in prison for similar crimes.

Gonzalez, 28, who dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” argued in court filings that his only motive was technical curiosity and an obsession with conquering computer networks. But chat logs the government obtained showed Gonzalez confiding in one of his accomplices that his goal was to earn $15 million from his schemes, buy a yacht and then retire.

The government claimed in its sentencing memo that companies, banks and insurers lost close to $200 million, and that Gonzalez’s credit and debit card thefts “victimized a group of people whose population exceeded that of many major cities and some states.”

Gonzalez’s crimes were committed mostly between 2005 and 2008 while he was drawing a $75,000 salary working for the U.S. Secret Service as a paid undercover informant.

The sentence relates to hacks into TJX, Office Max, Dave & Busters restaurant chain, Barnes & Noble and a string of other companies.

Detecting Suspicious Gmail Account Activity

Via The Official Gmail Blog -

A few weeks ago, I got an email presumably from a friend stuck in London asking for some money to help him out. It turned out that the email was sent by a scammer who had hijacked my friend's account. By reading his email, the scammer had figured out my friend's whereabouts and was emailing all of his contacts. Here at Google, we work hard to protect Gmail accounts against this kind of abuse. Today we're introducing a new feature to notify you when we detect suspicious login activity on your account.

You may remember that a while back we launched remote sign out and information about recent account activity to help you understand and manage your account usage. This information is still at the bottom of your inbox. Now, if it looks like something unusual is going on with your account, we’ll also alert you by posting a warning message saying, "Warning: We believe your account was last accessed from…" along with the geographic region that we can best associate with the access.

To determine when to display this message, our automated system matches the relevant IP address, logged per the Gmail privacy policy, to a broad geographical location. While we don't have the capability to determine the specific location from which an account is accessed, a login appearing to come from one country and occurring a few hours after a login from another country may trigger an alert.
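The rule described above is a simple "impossible travel" check: map each login's IP to a coarse region and alert when the same account shows up from a different country within a few hours of an earlier login. The block below is an added example of that logic, not Google's implementation; the IP-to-country table, the sample login lines and the six-hour window are all constructed for the demo (the prefixes are RFC 5737 documentation ranges mapped to invented countries).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup (assumption: a real system uses a proper database).
GEO_PREFIXES = {
    "203.0.113.": "US",
    "198.51.100.": "GB",
    "192.0.2.": "NG",
}

# Constructed sample login log: '<UTC timestamp> <account> <source ip>' per line.
SAMPLE_LOG = """\
2010-03-24T08:02:11Z alice 203.0.113.10
2010-03-24T09:15:40Z alice 203.0.113.10
2010-03-24T11:47:03Z alice 192.0.2.55
2010-03-24T07:00:00Z bob 198.51.100.7
2010-03-25T19:30:00Z bob 203.0.113.99
2010-03-25T20:00:00Z carol 10.0.0.5
2010-03-25T21:00:00Z carol 192.0.2.8
"""


def country_for(ip):
    """Coarse IP-to-country mapping; addresses outside the table return None."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return None


def parse_log(text):
    """Parse log lines into (timestamp, account, ip) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip))
    return events


def suspicious_logins(events, window_hours=6):
    """Flag a login whose country differs from that of an earlier login on the same
    account within `window_hours`. Logins with an unknown country are neither flagged
    nor used as a baseline, mirroring the 'broad region' caveat in the post."""
    window = timedelta(hours=window_hours)
    by_account = defaultdict(list)
    for ts, account, ip in sorted(events):
        by_account[account].append((ts, ip, country_for(ip)))

    alerts = []
    for account, logins in by_account.items():
        for i, (ts, ip, cc) in enumerate(logins):
            if cc is None:
                continue
            # Walk back over earlier logins that are still inside the window.
            for prev_ts, prev_ip, prev_cc in reversed(logins[:i]):
                if ts - prev_ts > window:
                    break
                if prev_cc is not None and prev_cc != cc:
                    alerts.append({
                        "account": account,
                        "time": ts,
                        "ip": ip,
                        "country": cc,
                        "prev_country": prev_cc,
                        "elapsed": ts - prev_ts,
                        "message": "Warning: We believe your account was last accessed from %s" % cc,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in suspicious_logins(parse_log(SAMPLE_LOG)):
        print("%s %s: %s -> %s after %s | %s" % (
            a["time"].isoformat(), a["account"], a["prev_country"],
            a["country"], a["elapsed"], a["message"]))
```

On the sample data only alice is flagged (a Nigerian-mapped login about two and a half hours after one mapped to the US); bob's two countries are a day and a half apart and fall outside the window, and carol's first login comes from an unmapped address so it cannot serve as a baseline. Widening the window trades fewer missed cases for more false alarms from legitimate travel, which is exactly why the post pairs the alert with a "Dismiss" option rather than locking the account.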

By clicking on the "Details" link next to the message, you'll see the last account activity window that you're used to, along with the most recent access points.

If you think your account has been compromised, you can change your password from the same window. Or, if you know it was legitimate access (e.g. you were traveling, your husband/wife who accesses the account was also traveling, etc.), you can click "Dismiss" to remove the message.

Keep in mind that these notifications are meant to alert you of suspicious activity but are not a replacement for account security best practices. If you'd like more information on account security, read these tips on keeping your information secure or visit the Google Online Security Blog.

Wednesday, March 24, 2010

Laser Security for the Internet: Scientist Invents a Digital Security Tool Good Enough for the CIA

Via -

A British computer hacker equipped with a "Dummies" guide recently tapped into the Pentagon. As hackers get smarter, computers get more powerful and national security is put at risk. The same goes for your own personal and financial information transmitted by phone, on the Internet or through bank machines.

Now a new invention developed by Dr. Jacob Scheuer of Tel Aviv University's School of Electrical Engineering promises an information security system that can beat today's hackers -- and the hackers of the future -- with existing fiber optic and computer technology. Transmitting binary lock-and-key information in the form of light pulses, his device ensures that a shared key code can be unlocked by the sender and receiver, and absolutely nobody else. He will present his new findings to peers at the next laser and electro-optics conference this May at the Conference for Lasers and Electro-Optics (CLEO) in San Jose, California.

"When the RSA system for digital information security was introduced in the 1970s, the researchers who invented it predicted that their 200-bit key would take a billion years to crack," says Dr. Scheuer. "It was cracked five years ago. But it's still the most secure system for consumers to use today when shopping online or using a bank card. As computers become increasingly powerful, though, the idea of using the RSA system becomes more fragile."

Dr. Scheuer says the solution lies in a new kind of system to keep prying eyes off secure information. "Rather than developing the lock or the key, we've developed a system which acts as a type of key bearer," he explains.

But how can a secure key be delivered over a non-secure network -- a necessary step to get a message from one user to another? If a hacker sees how a key is being sent through the system, that hacker could be in a position to take the key. Dr. Scheuer has found a way to transmit a binary code (the key bearer) in the form of 1s and 0s, but using light and lasers instead of numbers. "The trick," says Dr. Scheuer, "is for those at either end of the fiber optic link to send different laser signals they can distinguish between, but which look identical to an eavesdropper."

Dr. Scheuer developed his system using a special laser he invented, which can reach over 3,000 miles without any serious parts of the signal being lost. This approach makes it simpler and more reliable than quantum cryptography, a new technology that relies on the quantum properties of photons, explains Dr. Scheuer. With the right investment to test the theory, Dr. Scheuer says it is plausible and highly likely that the system he has built is not limited to any range on earth, even a round-the-world link, for international communications.

"We've already published the theoretical idea and now have developed a preliminary demonstration in my lab. Once both parties have the key they need, they could send information without any chance of detection. We were able to demonstrate that, if it's done right, the system could be absolutely secure. Even with a quantum computer of the future, a hacker couldn't decipher the key," Dr. Scheuer says.

First Anti-Cancer Nanoparticle Trial on Humans a Success

Via -

Look close. You may be staring at the end of cancer. Those tiny black dots are nanobots delivering a lethal blow to a cancerous cell, effectively killing it. The first trial on humans has been a success, with no side-effects:
It sneaks in, evades the immune system, delivers the siRNA, and the disassembled components exit out.
Those are the words of Mark Davis, head of the research team that created the nanobot anti-cancer army at the California Institute of Technology. According to a study to be published in Nature, Davis' team has discovered a clean, safe way to deliver RNAi sequences to cancerous cells. RNAi (Ribonucleic acid interference) is a technique that attacks specific genes in malign cells, disabling functions inside and killing them.

The 70-nanometer attack bots—made with two polymers and a protein that attaches to the cancerous cell's surface—carry a piece of RNA called small-interfering RNA (siRNA), which deactivates the production of a protein, starving the malign cell to death. Once it has delivered its lethal blow, the nanoparticle breaks down into tiny pieces that get eliminated by the body in the urine.

The most amazing thing is that you can send as many of these soldiers as you want, and they will keep attaching to the bad guys, killing them left, right, and center, and stopping tumors. According to Davis, "the more [they] put in, the more ends up where they are supposed to be, in tumour cells." While they will have to finish the trials to make sure that there are no side-effects whatsoever, the team is very happy with the successful results and it's excited about what's coming:
What's so exciting is that virtually any gene can be targeted now. Every protein now is druggable. My hope is to make tumours melt away while maintaining a high quality of life for the patients. We're moving another step closer to being able to do that now.

Pwn2Own 2010: Internet Explorer 8 Exploit on Windows 7

I decided to write a quick document about the techniques I used to exploit Internet Explorer 8 on Windows 7 with ASLR and DEP enabled.

The exploit consists of two parts.

The first part figures out where a certain .dll file is loaded in the current process followed by step 2 that uses the information gathered in step 1 to trigger an exploit that uses some ret2lib technique to disable DEP for our shellcode and then redirects the program flow to the shellcode.

I will not (and am not allowed to) give out the exact vulnerabilities that I used in the exploit, but I might disclose them someday when Microsoft has them patched. Yes, you read that correctly, them, I used 2 exploits to get the final code execution on W7, but that was partly to speed up the exploit.

Anyways, I’m writing this on the plane to Vancouver without access to the W7 VMs that I tested the exploit on, so I’ll keep it vague. Also, I only had MS Word and MS Paint for the text and the images, so don’t complain about the quality of the final document.


I just read most of it back and agree that it’s a bit of a lousy paper, skipping certain concepts and assuming prior knowledge, continuously switching from ‘I’ to ‘we’, but hey, you read it so far so maybe you liked it anyways =)

Peter Vreugdenhil

iPhone Falls in Pwn2Own Hacking Contest

Via -

A delayed flight didn't stop Vincenzo Iozzo and Ralf Weinmann from scoring a cool US$15,000, a brand-new iPhone and a trip to Las Vegas at the annual Pwn2Own hacking contest in Vancouver on Wednesday.

The security researchers developed an undisclosed attack on the iPhone's mobile Safari browser to get access to a phone and then run a program that sent the phone's SMS messages to a Web server.

It is the first fully functioning attack on an iPhone since Apple released version 2 of the device in 2008, said Charlie Miller, the hacker who is set to follow the iPhone attack with an exploit he hopes will hack into the contest's MacBook Pro (his takeaway, should he succeed: the laptop and $10,000).

Apple introduced a number of advanced security measures with iPhone 2.0, including a "sandbox" in the device's kernel that restricts what hackers can do on a compromised machine, and a cryptographic code-signing requirement that makes it harder for them to run their initial malicious payload.

"When iPhone 2.0 came out, it became a lot harder" to hack the device, said Miller, who earned fame three years ago as the first person to hack the iPhone.

In fact, Weinmann said he had been set to compete in last year's Pwn2Own contest but had to abandon his plans at the last minute when he discovered his attack only worked on jail-broken phones, which have been hacked to run unapproved applications. Jail-breaking circumvents the iPhone's memory protections, but the Pwn2Own rules force contestants to use unmodified phones.

The Pwn2Own contest pays contestants for their exploit code, which leverages software flaws to give the attacker a foothold on the machine being attacked. But because of the iPhone's sandbox architecture, Weinmann and Iozzo actually spent much more time working on their payload software.

To make their attack work, they used a technique called "return-oriented programming," in which they essentially cobble together instructions from different parts of the iPhone's memory. But even with this technique, the iPhone's sandbox restricted what they could do once they had hacked into the machine.


According to the ZDI Twitter feed...
  • Nils from MWR InfoSecurity (@MWRLabs) succeeded against Firefox on Windows 7.
  • Peter Vreugdenhil (@WTFuzz) succeeded against Internet Explorer 8 on Windows 7 with a technically impressive exploit bypassing DEP.
  • Charlie Miller (@0xcharlie) popped the MacBook Pro via Safari.

Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.


Paper was authored by Christopher Soghoian & Sid Stamm.

Christopher Soghoian is a Ph.D. Candidate in the School of Informatics and Computing at Indiana University.

Sid Stamm is the Securinator @ Mozilla - at least according to his LinkedIn =)
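The detection idea behind the paper's add-on is that a site's certificate chain should not suddenly end at a certificate authority in a different country from the one that has vouched for that site before. The block below is an added example of that core logic and is not the authors' add-on code; the hosts, CA names and country codes are constructed sample data, and in practice the country would be taken from the C= attribute of the root certificate's subject in the validated chain.

```python
"""Added example of the detection idea the paper describes (not the authors'
add-on): remember which CA, from which country, last vouched for a host and
flag a chain that now ends at a CA in another country. All hosts, CA names
and country codes below are constructed sample data."""
from typing import Dict, List, Optional, Tuple

def country_from_dn(dn: str) -> Optional[str]:
    """Extract the C= attribute from a comma-separated distinguished name."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "C":
            return value.strip().upper() or None
    return None

class CaCountryCache:
    """Trust-on-first-use record of the root CA seen for each host."""

    def __init__(self) -> None:
        self._seen: Dict[str, Tuple[str, str]] = {}  # host -> (root CA DN, country)

    def check(self, host: str, root_ca_dn: str) -> Optional[str]:
        """Return None when the chain is consistent with history, else a warning.
        A warning does not overwrite the remembered issuer, so a later return to
        the usual CA is accepted silently."""
        country = country_from_dn(root_ca_dn)
        if country is None:
            return f"{host}: root CA has no country attribute ({root_ca_dn})"
        prev = self._seen.get(host)
        if prev is None:
            self._seen[host] = (root_ca_dn, country)  # first sight: trust on first use
            return None
        prev_dn, prev_country = prev
        if prev_country != country:
            return (f"{host}: chain now ends at {root_ca_dn!r} [{country}], previously "
                    f"{prev_dn!r} [{prev_country}]; possible compelled certificate")
        self._seen[host] = (root_ca_dn, country)  # same jurisdiction: remember new CA
        return None

# Constructed sequence of (host, root CA subject DN) observations.
SAMPLE_OBSERVATIONS: List[Tuple[str, str]] = [
    ("mail.example.com", "C=US, O=Example Trust Inc, CN=Example Root CA"),
    ("shop.example.net", "C=DE, O=Beispiel Trust GmbH, CN=Beispiel Root CA"),
    ("mail.example.com", "C=US, O=Other Trust LLC, CN=Other Root CA"),        # new CA, same country
    ("mail.example.com", "C=ZZ, O=Compelled Authority, CN=ZZ National Root"),  # flagged
    ("mail.example.com", "C=US, O=Example Trust Inc, CN=Example Root CA"),     # back to normal
    ("shop.example.net", "C=DE, O=Beispiel Trust GmbH, CN=Beispiel Root CA"),
]

def replay(observations: List[Tuple[str, str]]) -> List[str]:
    """Feed observations through one cache and collect the warnings raised."""
    cache = CaCountryCache()
    warnings: List[str] = []
    for host, dn in observations:
        warning = cache.check(host, dn)
        if warning is not None:
            warnings.append(warning)
    return warnings

if __name__ == "__main__":
    for line in replay(SAMPLE_OBSERVATIONS):
        print(line)
```

Only the observation whose chain ends at the ZZ root is reported; switching between two CAs in the same country is accepted, which is also the blind spot of this heuristic: a compelled certificate issued by a CA in the same country as the site's usual CA produces no warning, so this check complements rather than replaces ordinary chain validation.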

Malvertising: Malware Delivered by Yahoo, Fox, Google Ads

Via CNET -

Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge, and this year on Drudge, TechCrunch and

Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.

"It's not just the small players but the ad servers connected with Google and Yahoo have been infected and served up bad ads," said Lyle Frink, public relations manager for Avast.

The most compromised ad delivery platforms were Yield Manager and Fimserve, but a number of smaller ad systems, including Myspace, were also found to be delivering malware on a lesser scale, Avast Virus Labs said.

Found in ads delivered from those networks was JavaScript code that Avast dubbed "JS:Prontexi," which Avast researcher Jiri Sejtko said is a Trojan in script form that targets the Windows operating system. It looks for vulnerabilities in Adobe Reader and Acrobat, Java, QuickTime, and Flash and launches fake antivirus warnings, Sejtko said.

Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, Avast said.


This isn't really breaking news, as this has been happening for at least the last two years pretty strongly. I remember my early days in Myspace... malware ads everywhere.

This story should serve more as a reminder to those that think they are safe because they only go to "safe sites" and only people going to "bad sites" get nasty malicious ads.

When it comes to malicious ads...there are no "safe sites". Patch now and patch often.

DNSSEC: More Security for Root DNS Servers

Via -

From today (Wednesday) at 5pm CET, the K DNS root server operated by the European RIPE internet registry will provide a DNS zone signed with the DNSSEC security protocol. Two hours earlier, the D-Root server operated by the University of Maryland will start returning signed responses. The E-Root server operated by NASA is scheduled to follow in the early evening.

This means that seven of the 13 central root servers which constitute the Domain Name System (DNS) responsible for domain name resolution on the internet will then return signed responses. On the sidelines of the 77th meeting of the Internet Engineering Task Force (IETF) in Los Angeles this week, the Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign and the American National Telecommunications and Information Administration (NTIA) reported that so far the transition has been smooth.


For the time being, users will also still be able to access one of the remaining 6 root servers without DNSSEC. ICANN, VeriSign and the NTIA decided on this gradual transition as a precautionary measure.