Friday, September 17, 2010

A Loophole Big Enough for a Cookie to Fit Through

Riva Richmond writes in The New York Times:

If you rely on Microsoft’s Internet Explorer’s privacy settings to control cookies on your computer, you may want to rethink that strategy.

Large numbers of Web sites, including giants like Facebook, appear to be using a loophole that circumvents IE’s ability to block cookies, according to researchers at CyLab at the Carnegie Mellon University School of Engineering.

A technical paper [.pdf] published by the researchers says that a third of the more than 33,000 sites they studied have technical errors that cause IE to allow cookies to install, even if the browser has been set to reject them. Of the 100 most visited destinations on the Internet, 21 sites had the errors, including Facebook, several of Microsoft’s own sites, Amazon, IMdb, AOL, Mapquest, GoDaddy and Hulu.

More here.

Thursday, September 16, 2010

Mark Fiore: Back To School

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

Man Gets 6 Years in Prison for Laundering $2.5 Million for Carders

Kim Zetter writes on Threat Level:

A California man who served as a lynchpin for transmitting stolen money to hackers and carders in East Europe and elsewhere was sentenced on Thursday to 6 years in prison for conspiring to launder money.

Cesar Carranza, 38, also known as “uBuyWeRush,” ran a legitimate business selling liquidation and overstock merchandise online and from three California stores.

But, according to an indictment [.pdf], he also sold MSR-206’s to carders to encode stolen bank card data onto blank cards, and he served as a conduit to transmit stolen money between mules and carders.

He worked with many of the top carders in the criminal underground between 2003 and 2006, including Maksim “Maksik” Yastremskiy, a Ukrainian carder who allegedly worked with TJX hacker Albert Gonzalez and was considered by authorities to be one of the top sellers of stolen card data on the internet.

In 2003 and 2004, Carranza became an approved and trusted vendor on online criminal forums such as CarderPlanet and Shadowcrew, advertising his goods and services and dispensing advice on the best tools to use for various criminal endeavors.

More here.

Wednesday, September 15, 2010

China Continues Satellite Maneuvers

Alan Boyle writes on

Space-watchers say China is still doing whatever it started doing last month with two close-flying satellites in orbit. And that's keeping outside observers worried about the fact that Chinese officials have not yet actually said what it is they're doing.

The maneuvers, which appear to involve rendezvous operations between the SJ-06F satellite and the more recently launched SJ-12 craft, could amount to practice for space station dockings or coordinated satellite observations from orbit. Few folks would have a problem with that. But they also could be aimed at developing the expertise for lurking near someone else's satellite and eavesdropping, or even knocking that satellite out of commission in the event of a crisis. That's the worrisome part.

The formation-flying exercise began in mid-August, and stirred up a significant fuss a couple of weeks ago when some observers speculated that the SJ-12 might have given a nudge to the SJ-06F. China says the satellites in the SJ series (SJ stands for "Shijian," or "Practice" in Chinese) are designed for scientific purposes, but space experts suspect that they actually are being used for military surveillance.

More here.

U.S. Urges NATO to Build 'Cyber Shield'

An AFP article, via, reports that:

NATO must build a "cyber shield" to protect the transatlantic alliance from any Internet threats to its military and economic infrastructures, a top US defence official said Wednesday.

Cyber security is a "critical element" for the 28-nation alliance to embrace at its summit of leaders in Lisbon on November 19-20, US Deputy Defence Secretary William Lynn said in Brussels.

"The alliance has a crucial role to play in extending a blanket of security over our networks," Lynn said.

"NATO has a nuclear shield, it is building a stronger and stronger defence shield, it needs a cyber shield as well," he said at a forum hosted by the Security & Defence Agenda think-tank.

The Pentagon's number two called for adopting the Cold War-era strategy of "collective defence" in the cyber arena.

More here.

Note: This seems like a red herring to me -- in fact, I'm still trying to figure out how they think this would work. - ferg

Monday, September 13, 2010

Privacy Group Sues to Get Records About NSA-Google Relationship

Ken Dilanian writes in The Los Angeles Times:

The National Security Agency should divulge information about its reported agreement with Google Inc. to help the Internet company defend itself against foreign cyber attacks, according to a lawsuit filed Monday by a privacy group.

The ad hoc and secretive nature of Google's arrangement with the federal spy agency also spotlights what some experts said was the lack of a clear federal plan to deal with the growing vulnerability of U.S. computer infrastructure to cyber intrusions launched from foreign countries. At risk are power grids, banks and other crucial public services.

"We have a faith-based approach, in that we pray every night nothing bad will happen," said James Lewis of the Center for Strategic and International Studies, a Washington think tank.

In January, Google announced that it had been the victim of "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property."

A month later, newspapers reported that Google had begun cooperating with the NSA, the spy agency in charge of defending the U.S. military from such attacks. Google, according to reports, enlisted the NSA, which has a vast electronic surveillance capability and a trove of cyber-warfare experts, to help trace the source of the attack and take steps to prevent future intrusions.

More here.

'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

Dennis Fisher writes on ThreatPost:

A pair of security researchers have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies, a weakness that could enable an attacker to hijack users' online banking sessions and cause other severe problems in vulnerable applications. Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week, affects millions of Web applications.

The problem lies in the way that ASP.NET, Microsoft's popular Web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly.

"We knew ASP.NET was vulnerable to our attack several months ago, but we didn't know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security," said Thai Duong, who along with Juliano Rizzo, developed the attack against ASP.NET.

More here.

Sunday, September 12, 2010

Anti-U.S. Hacker Takes Credit for 'Here You Have' Worm

Robert McMillan writes on PC World:

A hacker who claims he was behind a fast-spreading e-mail worm that crippled corporate networks last week said that the worm was designed, in part, as a propaganda tool.

The hacker, known as Iraq Resistance, responded to inquiries sent to an e-mail address associated with the "Here you have" worm, which during a brief period early Thursday accounted for about 10 percent of the spam on the Internet. He (or she) revealed no details about his identity, but said, "The creation of this is just a tool to reach my voice to people maybe... or maybe other things."

He said he had not expected the worm to spread as broadly as it had, and noted that he could have done much more damage to victims. "I could smash all those infected but I wouldn't," said the hacker. "I hope all people understand that I am not negative person!" In other parts of the message, he was critical of the U.S. war in Iraq.

More here.