Saturday, August 04, 2007

DefCon: e-Passports Hacked in New Security Threat

Chris Zappone writes on CNNMoney.com:

As the nation grapples with difficulties getting new passports, a technology researcher has found another problem with the radio frequency ID technology the new documents carry.

Computer security expert Lukas Grunwald cloned and manipulated the content of an RFID passport, then used the hacked e-Passport to crash the machine needed to read it.

RFID technology combines silicon chips with antennas to make data accessible via radio waves. It's already a $650 million industry, according to ABI Research, which expects the market to more than triple by 2011.

Technologists, however, have insisted that RFID technology as implemented in the U.S. Passport is not secure and cannot assure privacy.

The U.S. government began rolling out RFID-chipped E-passports last year over the objections of numerous security experts.

More here.

California: Electronic Voting Machines To Be Restricted

Via CBS5.com.

California’s secretary of state has decertified L.A. County’s voting system, and placed rigorous security conditions on voting equipment used in dozens of counties.

Debra Bowen’s decision, announced early Saturday morning, also limits the use of two of the most widely used machines by Diebold Election Systems and Sequoia Voting Systems to ONE per polling place for disabled voters.

The announcement follows the results of an eight-week security review of the voting systems used in California that revealed vulnerabilities that would allow hackers to manipulate them.

More here.

Undercover TV Producer Booted From DefCon

Robert McMillan writes on NetworkWorld:

It's a story of betrayal worthy of an episode of Dateline NBC.

Dateline NBC Producer Michelle Madigan was publicly outed at the DefCon security conference in Las Vegas Friday after show organizers were tipped off that she was trying to film show attendees with a hidden camera.

Madigan ran from the show after organizers publicly threatened to escort her from the event during a 4 p.m. conference session. "She literally kicked the door open," said "Priest," a show official who declined to be identified. "She made the mistake of running. Had she taken it like an adult, she would have been treated with kid gloves, treated with respect."

The Dateline NBC producer then continued out to a nearby parking lot, surrounded by a small crowd of show attendees and media, talking briefly on her mobile phone and not saying anything to the gathering crowd.

More here.

Note: Kim Zetter also has additional details here on Threat Level.

U.S. Senate Votes to Expand Eavesdropping Power

An AP newswire article, via MSNBC, reports that:

The Senate, in a high-stakes showdown over national security, voted late Friday to temporarily give President Bush expanded authority to eavesdrop on suspected foreign terrorists without court warrants.

The House, meanwhile, rejected a Democratic version of the bill.

Democratic leaders there were working on a plan to bring up the Senate-passed measure and vote on it Saturday in response to Bush's demand that Congress give him expanded powers before leaving for vacation this weekend.

The White House applauded the Senate vote and urged the House to quickly follow suit.

I'll just bet they did.

More here.

Friday, August 03, 2007

U.S. Border Computers Vulnerable to Attack

Spencer S. Hsu writes in The Washington Post:

The U.S. government's main border control system is plagued by computer security weaknesses, increasing the risk of computer attacks, data thefts, and manipulation of millions of identity records including passport, visa and Social Security numbers and the world's largest fingerprint database, officials said.

U.S. officials have called the US-VISIT system a cornerstone of the nation's efforts to stop terrorists at the borders and stanch the flow of illegal immigrants. It automates the collection of fingerprints and digital photographs, and links border control officers to FBI, border enforcement, immigration and State Department watch lists and databases.

More here.

Thursday, August 02, 2007

Black Hat: Perception vs. Reality in Security

William Jackson writes on GCN.com:

As computers go, the human brain is not a very good one, says security researcher and consultant Bruce Schneier.

“People are a mess,” Schneier said in a keynote address Thursday at the Black Hat Briefings computing security conference. “If you are looking for computer-like calculations in people, you are not going to find it.”

Schneier, a long-time security iconoclast who has railed against what he called security theater, which provides the illusion of security without the reality, cited a number of clinical studies of how humans perceive risk. The results shatter “any hope that your brain is rational,” he said.

The traits found in these studies have a direct impact on how people select and use security controls in their lives and online.

The human mind is full of biases and shortcuts that allow it to work quickly and efficiently, but not always accurately, when assessing problems.

More here.

ISPs to Blame for New Worm Affecting MSN Users

Liam Tung writes on ZDNet Australia:

ISPs could kill a new worm that is spreading rapidly via MSN Messenger, according to security experts.

The worm, called Backdoor.IRCBot.gen, spreads by sending file transfer requests to a victim's contact list. Once accepted, a malicious file is executed on the recipients’ computer, which gives criminals control of the infected computer.

Experts say that in most cases, IM worms send files to all the user's contacts without their knowledge and the only way to verify the authenticity of the file is to check with the person who is supposed to have sent it.

James Turner, security consultant for Australian-based research firm IBRS, claims ISPs could stop the worm if they tried.

More here.

Black Hat: Web Browser Attack Skirts Corporate Firewalls - UPDATE

Robert McMillan writes on CIO.com:

A 10-year-old security problem has come back to haunt corporate IT, a security researcher told an audience at the Black Hat conference in Las Vegas Wednesday.

Dan Kaminsky, director of penetration testing for IO Active, showed how problems in the way browser software works with the Internet's domain name system could be exploited to give attackers access to any resources behind the corporate firewall.

He described a multi-step attack that could be used to scan corporate networks for data or vulnerabilities. But at the heart of the attack is a 1996 paper by Princeton researchers showing how a Java applet could be used to access systems on a victim's network. "It's one of the few things that's actually come back from the dead," Kaminsky said.

The fundamental problem, according to Kaminsky, is in the way that Web browser software decides how to trust other computers. This decision is based on the Internet domain name of the computer, and that DNS information can be misused, Kaminsky said. "It's a binding problem," he said during an interview after his talk. "They assume a value is not changing, but the attacker can change it whenever he chooses."

More here.

UPDATE: 7 August 2007 11:00 PDT: Lisa Vaas has a really nice write-up of the mechanics of this here on eWeek.

Number Of Hackers Attacking Banks Jumps 81%

Sharon Gaudin writes on InformationWeek:

The number of hackers attacking banks worldwide jumped 81% from last year, according to figures released at the BlackHat security conference Thursday. Researchers from SecureWorks also reported that hackers going after the company's credit union clients increased by 62% from last year.

So why are there so many more hackers this year than last? Joe Stewart, a senior security researcher at SecureWorks, told InformationWeek that highly technical and savvy hackers are no longer the only ones in the game.

Hackers no longer need to be technical wizards to set up an operation to steal people's banking information and then rob their accounts or sell their identifying information to an even bigger cybercriminal. Hacking toolkits and malware are for sale in the online underground. All hackers need are basic technical skills and the knowledge of where to go to buy what they can't build themselves.

More here.

Man Nabbed in Hacking of Dane's e-Mails

An AP newswire article, via Yahoo! News, reports that:

A man has been arrested on suspicion he hacked into Danish cyclist Michael Rasmussen's e-mails and tried to sell them to a newspaper, police said Thursday.

The 30-year-old man, who was not named due to Danish privacy rules, reportedly claimed the e-mails contained information about Rasmussen's whereabouts before the Tour de France.

Rasmussen was kicked out of the Tour by his Rabobank team — while leading the race — for allegedly lying about his whereabouts to evade drug testers.

More here.

Windows Vista Gets Another Dose of The 'Blue Pill'

Sean Michael Kerner writes on internetnews.com:

Once again security researcher Joanna Rutkowska took the stage at Black Hat, and once again she set out to prove in glorious detail how to exploit and attack Microsoft Windows Vista.

Rutkowska blew the lid off last year's Black Hat event with her landmark presentation ahead of the official Vista release where she demonstrated a virtualized rootkit called Blue Pill that took control over a Vista machine.

This year she brought a new pill and a few more tricks to take Vista to task.

More here.

Pharma Spammer Gets 30 Years in Prison

Anne Broache writes on the C|Net News Blog:

AOL once deemed an infamous Minnesota spammer named Christopher William Smith "the poster child for the Can-Spam Act."

A federal judge in his home state on Wednesday had a new name for the convicted junk mailer: "drug kingpin." He sentenced Smith to 30 years in prison for multiple charges stemming from his highly lucrative online drugstore, whose illegal sales brought in about $24 million, the Star Tribune in Minneapolis reports.

U.S. authorities originally arrested Smith in 2005 on belief that he had moved his business, called XPress Pharmacy, to the Dominican Republic after his stateside operations were ordered to cease.

Smith, who went by the moniker "Rizler," first gained notoriety by reportedly blasting to AOL subscribers billions of junk e-mails promoting the usual array of spamalicious goods: "generic Viagra," porn, cable TV descramblers and penis-enhancement pills, according to reports. Security experts once ranked him among their most prolific offenders.

More here.

Wednesday, August 01, 2007

Black Hat: SecureWorks Offers Free Security Tools

Brian Prince writes on eWeek:

Researchers from SecureWorks have created two new tools to address security issues. They will be presenting the tools at the Black Hat convention, which runs July 28-Aug. 2 in Las Vegas.

The first tool, known as CaffeineMonkey, was developed by SecureWorks' Ben Feinstein and Daniel Peck. CaffeineMonkey helps IT pros detect Web sites hosting malicious JavaScript and uncover the ways hackers are trying to hide the malicious code.

Building on the work of several existing honey pots—Internet-attached servers meant to lure attackers in order to study how they hack into systems—the duo described the goal of their project as an attempt to further automate the collection of malicious software, with a particular focus on attacks using JavaScript for exploitation or obfuscation.

More here.

Black Hat: Web Apps Over Wi-Fi Puts Data at Risk

Jeremy Kirk writes on InfoWorld:

Users who access Google's Gmail or the Facebook social-networking site over Wi-Fi could put their accounts at risk of being hijacked, according to research from Errata Security, a computer security company.

It's not just those sites but any rich Web applications that exchange account information with users, including blogging sites such as Blogspot or even SaaS (software as a service) offerings such as Salesforce.com, that could pose a risk for users, wrote Errata CEO Robert Graham and Chief Technology Officer David Maynor in a paper.

Most Web sites use encryption when passwords are entered, but because of the expense, the rest of the information exchanged between a browser and a Web site is not encrypted, they wrote in a paper presented at the Black Hat 2007 security conference in Las Vegas this week.

Using a packet sniffer, which can pick up data transferred between a wireless router and a computer, it's possible to collect cookie information while a user is accessing one of those sites over Wi-Fi.

More here.

U.S. Spying Raises New Privacy Fears

Caron Carlson writes on InfoWorld:

With confirmation from the national intelligence chief that a domestic spying program extends beyond tapping e-mails and phone calls into other kinds of surveillance, attention is turning to the administration's data mining and other clandestine technologies that could be used against people in the United States.

National Intelligence Director Mike McConnell told Sen. Arlen Specter, R-Pa., in a July 27 letter that the scope of intelligence activities authorized by an executive order in 2001 is broader than the National Security Agency’s warrantless domestic wiretapping. One thing that is clear: The government's appetite for looking into data held by private companies is only growing. Earlier this summer, the FBI asked Congress for millions of dollars to pay communications companies to maintain massive databases of customer records.

Not just telephone companies and ISPs have been subject to growing data search demands. The government has searched the records of hotels and apartment buildings, among other businesses, under surveillance powers expanded by the USA Patriot Act.

Businesses are largely silent when it comes to discussing such demands, but in 2005, when the Patriot Act was up for review by Congress, the concerns of corporate America were revealed. Manufacturers, financial institutions, real estate companies and others complained that the scope of data searching imposed a growing financial burden. Additionally, they said that confidential files, trade secrets and other proprietary information could be too easily obtained and spread around under the Patriot Act’s expanded police powers.

More here.

Black Hat: Richard Clarke: 'Computers Are Best Friend Of Progress, And Security Its Worst Enemy'

Larry Greenemeier writes on InformationWeek:

The convergence of all forms of technology is happening, allowing paralyzed hospital patients to move computer mice via brain waves and treating certain cases of epilepsy and depression through brain stimulation. It won't be long before human-machine interactions that tie the human brain directly into the Internet are possible.

That is, if we can make cyberspace secure, former U.S. government counterterrorism adviser Richard Clarke told attendees Wednesday at the Black Hat USA 2007 conference in Las Vegas.

More here.

MPack Banking Crimeware Infects 500,000 Computers

Sharon Gaudin writes on InformationWeek:

A hacking tool for sale in the Russian underground is in the hands of 58 criminals who have infected more than 500,000 users, according to a security research firm.

The MPack toolkit is a powerful exploitation tool that launches attacks against Web browsers. Ken Dunham, a senior engineer with VeriSign-iDefense reported this summer that the toolkit leverages multiple exploits -- including the Windows ANI bug and a QuickTime overflow bug -- to compromise computers.

More here.

Black Hat: NSA: 'We're from the government. Help us.'

William Jackson writes on GCN.com:

The National Security Agency, whose initials once seemed to stand for No Such Agency, is moving from being a proprietary to an open-source organization. Sort of.

Information technology security and information assurance is becoming too critical, too big and too complex a problem for the government to address by itself, Tony Sager, chief of NSA's Vulnerability Analysis and Operations Group, said Wednesday in an opening address at the Black Hat Briefings computer security conference.

"We've got to figure out how to solve this problem with solutions that scale across the entire community," Sager said. That means his agency has to bring its information to the table and find common ground with the private and academic sectors. "'We're from the government and we're here to help' doesn't work with this crowd."

Although much of NSA's work remains secret, Sager's group is a reflection of the need to develop open and standardized security and research practices.

More here.

U.K. to Hear McKinnon's Case Against Extradition

Gary McKinnon


Via CSO Online.

Gary McKinnon, the ex-systems administrator accused of conducting the biggest military hack of all time, has won the right to have his case against extradition to the United States heard by the House of Lords.

The decision gives McKinnon and his legal team a fresh chance to challenge the extradition, having argued previously that the U.S. authorities acted in an "oppressive" manner to secure his removal from the United Kingdom.

McKinnon has always maintained that, since the alleged offenses took place in the United Kingdom, that is where he should stand trial. No date has been set for the House of Lords hearing, and he remains on bail.

"Gary McKinnon is delighted to learn of this important development," said his barrister, Ben Cooper.

More here.

Tuesday, July 31, 2007

Programming Note: Black Hat Week, Viva Las Vegas


So blogging will probably be somewhat sporadic beginning today (Tuesday), and going through Friday, since I am doing the same thing that thousands of other security geeks on Planet Earth are doing this week -- descending on Las Vegas for Black Hat 2007.

I'll be posting to the blog as time allows.

Cheers!

- ferg

Monday, July 30, 2007

Zango is Violating Recent Settlement With the FTC

Ben Edelman:

In my hands-on testing, Zango continues numerous practices likely to confuse, deceive, or otherwise harm typical users as well as practices specifically contrary to Zango's obligations under its November 2006 settlement with the FTC.

Among these practices are widespread, ongoing Zango-designed installation sequences which install Zango pop-up ad software without any on-screen disclosure of material terms. Instead, these installations mention Zango's effects only in a lengthy EULA – exactly contrary to the FTC settlement's requirements.

Zango's ongoing practices also include prominent pop-up ads promoting sites that attempt to defraud users (e.g. by charging for software that is actually free), as well as widespread in-toolbar ads without the labeling and hyperlinks specifically required under the FTC settlement.

More here.

In Passing: Tom Snyder

Tom Snyder
May 12, 1936 - July 29, 2007


In Passing: Ingmar Bergman

Ingmar Bergman
July 14, 1918 – July 30, 2007


In Passing: Bill Walsh

An American Great, Bill Walsh
November 30, 1931 – July 30, 2007



Google Hires Security Guru Michal Zalewski

Ryan Naraine writes on Zero Day:

Google has snapped up one of the sharpest minds in the hacker community, luring Michal Zalewski to help lock down its long list of Internet facing products.

Zalewski, a 26-year-old computer security whiz from Poland, joined the search engine giant about a week ago to work as an Information Security Engineer.

He confirmed the move via e-mail but declined to discuss specifics about the new gig.

More here.

Congrats, Michal. - ferg

Yahoo! Testimony About Imprisoned Reporter Contradicted

Thomas Claburn writes on InformationWeek:

A new document calls into question the extent of Yahoo's cooperation with Chinese authorities in the arrest and imprisonment of Chinese journalist Shi Tao, sentenced in April, 2005, to 10 years in prison for revealing state secrets.

An English translation of the Beijing State Security Bureau's Notice of Evidence Collection, issued to the Beijing Representative Office of Yahoo (HK) Holdings, says, "According to investigation, your office is in possession of the following items relating to a case of suspecting illegal provision of state secrets to foreign entities that is currently under investigation by our bureau. ..."

The translation of the notice was posted last week by The Dui Hua Foundation, a nonprofit human rights organization.

In congressional testimony in February 2006, Yahoo general counsel Michael Callahan denied that Yahoo knew the charge.

More here.

Class-Action Lawsuit Filed Against USPS For Alleged Privacy Violations

Sharon Gaudin writes on InformationWeek:

A Seattle-based attorney has filed a class-action lawsuit against the U.S. Postal Service for allegedly selling employees' personal information to marketing companies in violation of the U.S. Privacy Act.

The lawsuit, which has been filed on behalf of all postal employees, alleges that the USPS has allowed private businesses to access and use its employee master file, which contains private information, including home addresses, of all full- and part-time employees. The complaint noted that the USPS sets up co-branding agreements with different marketing companies. The agreements allow the companies to use the Postal Service logo on marketing materials that are sent to employees' homes.

The lawsuit seeks to force the USPS to stop disclosing employees' private information, and to recover the money USPS received through the co-branding agreements.

More here.

Homeland Security Warns on U.S. Power Threat

Andrew Charlesworth writes on vnunet.com:

The US Department of Homeland Security (DHS) has set out security requirements for automated control systems, principally in the power industry, to protect installations against physical and cyber-attacks.

Surprisingly for a document dealing with automated systems as opposed to data networks, it includes recommendations about protection against spam and social engineering, threats not normally associated with control systems.

More here.

Toon of the Day: The Harbinger



Background here.

Russian Hackers Steal $500,000 From Turkish Banks

Via Moldova.org (RIA Novosti).

Two un-named hackers from the Russian city of Togliatti on the Volga River stole over $500,000 over a period of two years from bank accounts in Turkey, Interior Ministry investigators said Monday.

The two men purchased a dedicated server with remote access to a desktop hosted in a U.S. data center, and a special application capable of infecting banking computers in Turkey with a Trojan virus to obtain information on bank accounts, investigators said. One of the hackers has been arrested, and the other is on a federal wanted list.

After processing the obtained information, the hackers transferred money to accounts of Turkish collaborators, who in turn cashed the money in and later transferred it to Togliatti via Western Union.

The Interior Ministry's investigation committee said there were a total of 265 registered money transfers totaling $508,000 between February 2005 and April 2007.

One of the men, arrested in June this year on fraud charges, is being held in a pre-trial detention center in the Samara Region.

More here.

Sunday, July 29, 2007

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Sunday, July 29, 2007, at least 3,648 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,992 died as a result of hostile action, according to the military's numbers.

The AP count is nine more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Let's Be Careful Out There: Bogus Windows Domains

Last week, my colleagues over at Sunbelt Software discovered a bogus Windows domain that had been registered earlier this month (where the "w" in "windows" is actually two "v"s).

Today, I've been alerted to the fact that there are several additional Windows domains which have been registered where the "w"s have also been replaced with "v"s:

VVINDOWS.COM NS NS1.MYDOMAIN.COM
VVINDOWS.COM NS NS2.MYDOMAIN.COM
VVINDOWS.COM NS NS3.MYDOMAIN.COM
VVINDOWSVISTA.COM NS DNS1.MALKM.COM
VVINDOWSVISTA.COM NS DNS2.MALKM.COM
VVINDOWSMEDIA.COM NS PARK25.SECURESERVER.NET
VVINDOWSMEDIA.COM NS PARK26.SECURESERVER.NET
VVINDOWSUPDATE.COM NS NS1.VVINDOWSUPDATE.COM
VVINDOWSUPDATE.COM NS NS2.VVINDOWSUPDATE.COM
NS1.VVINDOWSUPDATE.COM A 208.64.26.146
NS2.VVINDOWSUPDATE.COM A 208.64.26.146
VVINDOWS.INFO NS PARK36.SECURESERVER.NET
VVINDOWS.INFO NS PARK35.SECURESERVER.NET
VVINDOWS.NET NS NS.WEBZERO.CO.KR
VVINDOWS.NET NS NS2.WEBZERO.CO.KR


And these use "v"s for both "w"s:

VVINDOVVS.COM NS NS1.DN.NET
VVINDOVVS.COM NS NS.PRO-FUTURA.COM
VVINDOVVS.INFO NS PARK36.SECURESERVER.NET
VVINDOVVS.INFO NS PARK35.SECURESERVER.NET
VVINDOVVS.NET NS NS1.DN.NET
VVINDOVVS.NET NS NS.PRO-FUTURA.COM
MS-VVINDOWS.COM NS NS1.OFFICELIVE.COM
MS-VVINDOWS.COM NS NS2.OFFICELIVE.COM

While some of these domains may not yet have hosts associated with them, there is certainly no good that can come of these.

So let's be careful out there, folks.

- ferg
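An added example (not code from this post or from Sunbelt Software): a small Python check for the trick described above, which flags a domain only when a label matches a protected brand after collapsing look-alike letter pairs such as "vv" for "w", so a name spelled with the real letters is left alone. The brand list, the extra substitution pairs (rn/m, cl/d) and the sample records under the reserved .example TLD are assumptions and constructed data.

```python
"""Flag look-alike domains where letter pairs mimic another letter ("vv" for "w").

Added example, not the post's or Sunbelt Software's code. The brand list,
substitution pairs and sample records below are assumptions / constructed data.
"""

# Brand labels to protect (assumption: the Windows names discussed in the post).
BRANDS = ("windows", "windowsupdate", "windowsvista", "windowsmedia")

# Letter sequences that render like a single other letter in many fonts.
# "vv"->"w" is the trick the post describes; the others are common analogues.
HOMOGLYPH_SUBS = (("vv", "w"), ("rn", "m"), ("cl", "d"))


def normalize_label(label):
    """Collapse look-alike sequences; return (normalised label, substitutions applied)."""
    out = label.lower()
    applied = []
    for fake, real in HOMOGLYPH_SUBS:
        if fake in out:
            out = out.replace(fake, real)
            applied.append(f"{fake}->{real}")
    return out, tuple(applied)


def split_domain(domain):
    """Return (registrable domain, second-level label) for a simple 'sld.tld' name.

    Multi-part public suffixes such as co.kr would need a public-suffix list;
    this example simply treats the last label as the TLD.
    """
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    if len(labels) < 2:
        return None, None
    return ".".join(labels[-2:]), labels[-2]


def lookalike_brand(domain, brands=BRANDS):
    """Return (brand, substitutions) when a label equals a brand ONLY after normalisation.

    A domain spelled with the real letters (e.g. windows.example) returns None:
    it may be legitimate or a plain typosquat, but it is not a homoglyph trick.
    """
    _, sld = split_domain(domain)
    if sld is None:
        return None
    for token in sld.split("-"):          # ms-vvindows -> ["ms", "vvindows"]
        norm, applied = normalize_label(token)
        if not applied:
            continue                      # real letters: nothing was disguised
        if norm in brands:
            return norm, applied
    return None


def scan_records(records):
    """Scan 'OWNER TYPE RDATA' lines (the layout used in the post) and report
    look-alike owners, keyed by registrable domain so NS hosts under a flagged
    domain are not reported twice."""
    findings = {}
    for line in records.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        registrable, _ = split_domain(parts[0])
        if registrable is None or registrable in findings:
            continue
        hit = lookalike_brand(parts[0])
        if hit:
            findings[registrable] = hit
    return findings


# Constructed sample records under the reserved .example TLD (not the post's data).
SAMPLE_RECORDS = """\
VVINDOWS.EXAMPLE NS NS1.EXAMPLE
VVINDOVVS.EXAMPLE NS NS2.EXAMPLE
MS-VVINDOWS.EXAMPLE NS NS1.EXAMPLE
WINDOWS.EXAMPLE NS NS1.EXAMPLE
VVINDOWSUPDATE.EXAMPLE NS NS1.VVINDOWSUPDATE.EXAMPLE
NS1.VVINDOWSUPDATE.EXAMPLE A 192.0.2.10
"""

if __name__ == "__main__":
    for domain, (brand, subs) in sorted(scan_records(SAMPLE_RECORDS).items()):
        print(f"{domain:28} looks like {brand!r} via {', '.join(subs)}")
```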


Halvar Flake Denied Entry to U.S. for BlackHat

Larry Seltzer writes on Cheap Hack:

It's all over some stupid technicality of the contract with BlackHat being with him personally and not his company. In the process of interrogating him over it DHS actually asked why the training he's doing couldn't be performed by an American citizen. I'm speechless. Flake will now need to get a Business visa from the US embassy, a process that can take a long time.

Without going into specifics, this isn't the only story I've heard lately about DHS stifling computer security research. Flake's problems seem to be the reactionary stupidity of some officials on the ground, whereas the other I've heard of were more political. In either event, the result is government at its worst.

More here.

Also: More here on Zero Day.

Bush Appointee Blocked Surgeon General's Draft

Christopher Lee and Marc Kaufman write in The Washington Post:

A surgeon general's report in 2006 that called on Americans to help tackle global health problems has been kept from the public by a Bush political appointee without any background or expertise in medicine or public health, chiefly because the report did not promote the administration's policy accomplishments, according to current and former public health officials.

The report described the link between poverty and poor health, urged the U.S. government to help combat widespread diseases as a key aim of its foreign policy, and called on corporations to help improve health conditions in the countries where they operate. A copy of the report was obtained by The Washington Post.

Three people directly involved in its preparation said its publication was blocked by William R. Steiger, a specialist in education and a scholar of Latin American history whose family has long ties to President Bush and Vice President Cheney. Since 2001, Steiger has run the Office of Global Health Affairs in the Department of Health and Human Services.

More here.

Data Mining Prompted Fight Over Domestic Surveillance

Scott Shane and David Johnston write in The New York Times:

A 2004 dispute over the National Security Agency’s secret surveillance program that led top Justice Department officials to threaten resignation involved computer searches through massive electronic databases, according to current and former officials briefed on the program.

It is not known precisely why searching the databases, or data mining, raised such a furious legal debate. But such databases contain records of the phone calls and e-mail messages of millions of Americans, and their examination by the government would raise privacy issues.

The N.S.A.’s data mining has previously been reported. But the disclosure that concerns about it figured in the March 2004 debate helps to clarify the clash this week between Attorney General Alberto R. Gonzales and senators who accused him of misleading Congress and called for a perjury investigation.

The confrontation in 2004 led to a showdown in the hospital room of then Attorney General John Ashcroft, where Mr. Gonzales, the White House counsel at the time, and Andrew H. Card Jr., then the White House chief of staff, tried to get the ailing Mr. Ashcroft to reauthorize the N.S.A. program.

More here.