Patchy Windows patching leaves users insecure

Sunday, March 7, 2010

Windows users need to patch their systems an average of every five days to stay ahead of security vulnerabilities, according to a study this week.

The numbers come from a company called Secunia which just happens to be developing an all-in-one patching tool to reduce update headaches for consumers.

Stats from the two million existing users of Secunia's free Personal Software Inspector tool show that the average home user needs 75 patches from 22 different vendors to be fully secure. The complexity of patching means that most users are not even in the race, so attackers exploiting known software vulnerabilities stay well ahead of the game.

Matters are further complicated by the variety of different update mechanisms applied by differing suppliers.

Thomas Kristensen, chief security officer at Secunia, explained: "The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale; that is, encompassing all software programs."

Secunia is working on porting technology from its Corporate Software Inspector (CSI), which has been integrated with Microsoft's corporate patching tools since January 2010, to its home user-focused PSI technology. This will allow PSI to offer the automatic updating features currently absent from Secunia PSI 1.5.0.1, the latest version of its consumer patching tool.

The proposed tool, Secunia PSI 2.0, would have expert and amateur running modes.

"We will offer different configurations which can range from 'a click on every program approve patching' to 'install automatically' and don't tell me," Kristensen told El Reg.

Secunia hopes to cover 60 per cent of third-party vendors' products at launch, a figure it hopes to increase over time. It wants to reduce, if not eliminate, manual security update chores, such as the need to manually uninstall older versions of patched programs, a problem that sometimes crops up with Adobe updates in particular.

"We will do whatever we can do to avoid manual actions," Kristensen added.

A new research paper, Security Exposure of Software Portfolios, which explains the patching pain issue and Secunia's approach to soothing discomfort in greater depth, can be found here (pdf).

11 More U.S. Airports Get Body Scanners

Saturday, March 6, 2010

Transportation officials announced Friday that 11 more United States airports will begin receiving full-body imaging machines.

“By accelerating the deployment of this technology, we are enhancing our capability to detect and disrupt threats of terrorism across the nation,” Homeland Security Secretary Janet Napolitano said in a statement.

Despite concerns of privacy and their effectiveness, the 11 airports are to get the 150 machines beginning Monday at Boston’s Logan International Airport, and one at the O’Hare International Airport in Chicago. In all, 30 U.S. airports will employ the scanning devices.

Fliers declining to submit to the machines that create X-ray-like virtual images of the body may get intense pat-downs from Transportation Security Administration authorities. The combined 150 imaging machines are being bought, in part, by $1 billion the government set aside from its $787 billion federal bailout bill.

The American Civil Liberties Union has decried the scanners as “virtual strip searches.” The Electronic Privacy Information Center, in a Freedom of Information Act request, said the machines are capable of storing and transmitting images of passengers despite the government’s claim to the contrary.

A test-image shown to reporters Friday at Logan International “showed the blurry outline of a female volunteer. None of her clothing was visible, nor were her genitals, but the broad contours of her chest and buttocks were. Her face also was blurred,” The Associated Press said. “The image included the shadow of a cellphone purposely left on her belt, as well as the metal buttons on her pants. But overall, it looked like the outline of a ghost.”

The Amsterdam airport where suspected underwear bomber Umar Farouk Abdulmutallab boarded a Detroit-bound Christmas flight had the scanning machines. But they were not used to check the Nigerian.

The machines also cannot detect so-called “booty bombs” in which an explosive is inserted into the body.

By summer, TSA expects the units, made by California-based Rapiscan, to be deployed at airports in Fort Lauderdale, Florida; San Jose, San Diego, Los Angeles and Oakland, California; Columbus, Ohio; Charlotte, North Carolina; Cincinnati; and Kansas City.

Opera says bug 'probably' can't commandeer machines

A security vulnerability identified in Opera can be exploited to crash users' browsers, but probably can't lead to the remote execution of malware, a company spokesman said.

The buffer overflow bug was disclosed by Vupen Security on Thursday, and the report has since been picked up by others, including Secunia and SANS. The advisories have said the vulnerability is critical because it can be exploited to remotely execute malicious code on end user machines.

Vupen officials didn't respond to emails seeking details. But Opera isn't so sure.

"We believe that the bug primarily causes a crash, and that exploiting the vulnerability to execute code is extremely difficult, if not impossible," spokesman Thomas Ford told The Register. He went on to say that users should be sure to enable a security feature known as DEP, or data execution prevention.

"In our testing, DEP mitigates the problem and should protect the system," he said.

Thing is, DEP isn't always turned on by default. If you use Windows XP, follow the instructions here to make sure you're protected. Users of Vista and Windows 7 can find details here and here. With DEP enabled, Windows refuses to execute code out of memory regions that third-party applications have loaded as data.

Apple provides similar protections. Readers who know whether Opera is automatically protected on Macs are encouraged to leave a comment.

Researchers have figured out ways to bypass DEP and a similar protection known as ASLR, or address space layout randomization, but at the moment those techniques are extremely difficult for the average exploit writer to pull off.

Ford said Opera is in the process of pushing out an update that patches the bug.

PHPKIT "include.php" SQL Injection

PHPKIT is a web portal application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "searchstr" parameter of the "include.php" script when the "path" parameter is set to "login/member.php". PHPKIT version 1.6.1 is affected.

Ref: http://www.securityfocus.com/bid/38324

10.9.85 - CVE: Not Available
Platform: Web Application - SQL Injection

Joomla! "com_acteammember" Component SQL Injection

The "com_acteammember" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/38270

10.9.80 - CVE: Not Available
Platform: Web Application - SQL Injection

Softbiz Jobs "news_desc.php" SQL Injection

Softbiz Jobs is a PHP-based script for job recruitment. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "news_desc.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/38344

10.9.90 - CVE: Not Available
Platform: Web Application - SQL Injection
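The three advisories above all describe the same defect: a request parameter (`searchstr` or `id`) is placed into an SQL statement without validation or parameter binding. The following added example, which is not code from PHPKIT, Joomla!, Softbiz Jobs or any of the advisories, shows the vulnerable pattern beside its hardened form against a constructed in-memory SQLite table; the table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for an application's news table.
# It is not taken from any of the products named in the advisories.
SAMPLE_ROWS = [
    (1, "Launch announcement", "public"),
    (2, "Board minutes", "private"),
    (3, "Salary review", "private"),
]


def make_db():
    """Build the constructed in-memory database used by the two handlers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_news_vulnerable(conn, user_id):
    """Hypothetical vulnerable handler: the request parameter is concatenated
    straight into the statement, which is the defect the advisories describe.
    A value such as "1 OR 1=1" turns the WHERE clause into a tautology and the
    visibility filter no longer restricts the result."""
    sql = (
        "SELECT id, title FROM news "
        f"WHERE visibility = 'public' AND id = {user_id}"
    )
    return conn.execute(sql).fetchall()


def fetch_news_parameterized(conn, user_id):
    """Hardened form: enforce the expected type, then bind the value as a
    query parameter so the database never interprets it as SQL."""
    try:
        news_id = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT id, title FROM news WHERE visibility = 'public' AND id = ?"
    return conn.execute(sql, (news_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", fetch_news_vulnerable(db, "1"))
    print("vulnerable, hostile input:", fetch_news_vulnerable(db, "1 OR 1=1"))
    print("parameterized, normal input:", fetch_news_parameterized(db, "1"))
    try:
        fetch_news_parameterized(db, "1 OR 1=1")
    except ValueError as exc:
        print("parameterized, hostile input rejected:", exc)
```

The type check is the first line of defence and the bound parameter the second; even if the integer cast were dropped, SQLite would compare the `id` column against the literal string rather than executing it, so the tautology never reaches the query planner.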

Think software patching is a hassle? You're not alone

Underscoring a barrier to remaining secure online, the average Windows PC user has to install a software update every five days from 22 different providers, according to vulnerability tracking service Secunia.

The figure is based on the results of more than 2 million users of Secunia's PSI, or Personal Software Inspector, a free application that helps consumers keep track of out-of-date software on their machines. The hassle of having to manually install that many updates may be preventing many people from running programs that are free of known vulnerabilities, the company warned earlier this week in a whitepaper (PDF).

"In fact, it is highly unlikely that even skilled enthusiasts will patch their systems as frequently as the whitepaper's findings indicate," Secunia CEO Thomas Kristensen wrote here. "The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale."

To combat the problem, Secunia is working on an update to PSI that will automatically update applications, Kristensen said. The company is a few months away from releasing the program, which will allow users to exclude certain applications they may not want updated, according to the KrebsOnSecurity blog.

PSI already comes highly recommended by many security watchers, this one included. Automatic patching would only make it better.

Scareware sellers fool Google with file switch

Cybercrooks have developed a new technique for manipulating search engine results in order to promote the crud they sell, such as scareware packages.

Hackers first place benign pdf files on web pages they are seeking to promote, before replacing these documents with booby-trapped Flash files once a new site has been indexed.

The ruse, which featured in a recent attack themed around ice hockey players and the Winter Olympics, is illustrated in a blog post by Finnish security firm F-Secure here.

Argos buries unencrypted credit card data in email receipts

Friday, March 5, 2010

Catalogue firm Argos has been criticised for an email security breach that exposed customers' credit card details and CCV security numbers.

The exposure came to light after an Argos customer who checked his order confirmation email found that his credit card number and security code were buried in the HTML source of the message. The slip-up meant that any miscreants who intercepted email confirmation messages from Argos would be able to harvest plastic card payment details - if they spotted where the numbers were stashed.

The breach was discovered by UK Argos customer Tony Graham and first reported by PC Pro. Graham's card details were recently fraudulently misused, but this incident has not been linked to the Argos email slip-up.

It's unclear how long the exposure problem lasted, or how many Argos customers were affected.

In a statement, Argos said it had already corrected the fault and was working with privacy watchdogs at the Information Commissioners Office in dealing with the fallout from the breach.

Argos takes the security of its customers' data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter.

We are in contact with the Information Commissioners Office. We have made them aware of our approach to customer communications and will continue to work closely with them to ensure we are taking all appropriate actions.

Ed Rowley, product manager EMEA at content security firm M86 Security, said the whole incident might easily have been prevented. "It is incomprehensible that this credit card data was sent out in an unencrypted format - even if the sensitive information was not visible in the main body it should have been protected from being sent out," he said.

"A good email content filtering product could have enforced encryption or blocked this data from being sent out at all by Argos, using standard or default email security rules.

"This case highlights the need to filter both inbound and outbound email in order to guard against malware coming in but also to block sensitive information from leaking out. It's astonishing that larger companies are not using these well established security tools and procedures."

Patch Tuesday will leave F1 hole unpatched

Microsoft is planning just two bulletins next week, covering vulnerabilities rated only as "important", as part of this month's Patch Tuesday.

The scheduled updates address a total of eight security flaws in Microsoft Office and desktop versions of Microsoft Windows (XP, Vista and Windows 7). March's modest patch batch contrasts with February's monster haul of 13 updates, five of which were rated as critical. The whole bundle tackled 26 security flaws.

As usual details of what the updates fix will have to wait until next week, but that hasn't stopped security firms making educated guesses about what's in store and what security fixes remain pending.

Alan Bentley, VP International at Lumension Security, said: "From what we've seen, it doesn't appear that the bulletins released will address all of the issues that are in the wild."

Back at the start of the week a VBScript issue involving Internet Explorer and older versions of Windows made headlines because it meant vulnerable users were potentially exposed to attack, provided they could be tricked into pressing the F1 key.

Microsoft confirmed the potential problem, which it said it was investigating, adding that it has seen no evidence of the bug being harnessed in actual real-world attacks.

Israeli raid scrubbed after errant Facebook post

Israeli military officials said they called off a planned raid on a West Bank village after a combat soldier posted its details on Facebook, according to news reports.

The unnamed soldier included the time and location of the raid on his Facebook page and said troops planned to start "cleaning up" the village. After fellow soldiers alerted their superiors, the incursion was called off for fear the errant post had tipped off enemies.

The incident is precisely the kind of sensitive information leak that security researchers warn can result when individuals post information and pictures to social networking sites. Pictures often embed geographic positioning data or include confidential information on white boards that can be intercepted by bad guys, penetration testers Mike Bailey and Mike Murray warned Wednesday. They dub such techniques social penetration.

The Israeli military has grown wise to the risk. The soldier has been court-martialed and sentenced to 10 days in jail. Officials have also placed posters at military bases that show images of Iranian President Mahmoud Ahmadinejad and other enemies alongside a mock-up of a Facebook page. The caption reads: "You think that everyone is your friend?"

More from the Associated Press is here.

White House cyber-security chief praises Oz security

International engagement vital.

Howard Schmidt, the White House's cyber-security advisor, has labelled Australia's cyber-security strategy as "wonderful" during his talk at the RSA Conference in San Francisco this week.

Delivering a keynote address at the conference, Schmidt, who was appointed the cyber-security coordinator for the Obama administration last December, praised Australia's cyber security developments - among only three other countries.

"Australia has put together a wonderful cyber security strategy; the UK is, [also], and Germany is putting together all kinds of great things," said Schmidt.

Discussing the US Government's international cyber-security strategy, Schmidt said partnerships on an international government level are fundamental for a safe internet.

"At the government-to-government level it's making sure that other governments that we have relations with, that we're doing security with, that we're doing military operations with, have the mechanisms that focus on cyber-security in their governments as we do in our government.

"And you see some really good examples of that," he said.

"We can't continue to go the way we've been going and expect things to be good. Governments need to be engaged," he said.

Rocky relationships with [other] governments should not impact the international fight against cyber crime, he added. "We have legitimate disagreements from time to time between governments, but that should not impact foreign policy or the need to look into the cyber-security issue...particularly cyber-security issues.

"Nobody wins if there's disagreements on the internet. We're the benefiter of it, we use it all the time, so as a consequence we've got to work internationally, make sure we've some norms, rules of engagement from a law enforcement perspective and also from a diplomatic perspective.

"I think once we start focusing on some of the issues we'll move a lot further on solving the issues," he said.

Security Pros Question Deployment of Smart Meters

The country’s swift deployment of smart grid technology has security professionals concerned that utilities and smart-meter vendors are repeating the mistakes made in the rollout of the public internet, when security became a priority only after malicious attacks had reached mass levels.

But when it comes to the power grid, the costs of remote hack attacks are potentially more dramatic.

“The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco this week.

The panel included Seth Bromberger, manager of information security at Pacific Gas and Electric, a San Francisco-based utility company that provides natural gas and electrical services to customers in central and northern California and is in the forefront of the smart meter rollout; and Matt Franz, principal security engineer at Science Applications International Corporation (SAIC).

Carpenter serves on the AMI-SEC Task Force, a group working on developing security guidelines and best practices for smart meter infrastructure, and has done penetration testing on smart meter systems to uncover security issues. He said the most common vulnerability he’s seen so far is susceptibility to “cross-site request forgery” on the control systems.

“That took me by surprise,” he said. “That’s not something that I would have imagined to be one of the greatest vulnerabilities found.”

Cross-site request forgery allows an attacker to hijack an authentication cookie stored in a user’s browser — to authenticate him, for example, to his bank or, in this case, a utility control system — and obtain access to the system as that user.
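The control-system CSRF that Carpenter describes works because the browser attaches the session cookie to any request aimed at the application's origin, whoever triggered it. The added example below, which is not code from any utility, vendor or panelist, contrasts a hypothetical control-panel handler that trusts the cookie alone with one that also requires a synchronizer token bound to the session; the session store, the `action` form field and the request shape are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed per-process server secret (assumption: in a real deployment this
# would be a persistent, managed key).
SERVER_KEY = secrets.token_bytes(32)

# Constructed session store: two logged-in users of a hypothetical control panel.
SESSIONS = {
    "sess-operator": {"user": "operator1"},
    "sess-other": {"user": "contractor7"},
}


def issue_csrf_token(session_id):
    """Synchronizer token derived from the session id under the server key.
    It is embedded in the application's own pages, so a page on another
    origin cannot read it, while the session cookie is sent automatically."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_action_vulnerable(request):
    """Hypothetical vulnerable handler: authorises a state-changing action on
    the strength of the session cookie alone."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} performed {request['form']['action']}"


def handle_action_protected(request):
    """Hardened handler: the same cookie check, plus a token that must match
    the one issued for this session. Constant-time comparison avoids leaking
    the token through timing."""
    session_id = request["cookies"].get("session")
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} performed {request['form']['action']}"


def sample_requests():
    """Constructed requests: a legitimate one carrying the token from the
    application's own form, and a forged one that carries the cookie only."""
    legitimate = {
        "cookies": {"session": "sess-operator"},
        "form": {"action": "reread-meter", "csrf_token": issue_csrf_token("sess-operator")},
    }
    forged = {
        "cookies": {"session": "sess-operator"},
        "form": {"action": "reread-meter"},
    }
    return legitimate, forged


if __name__ == "__main__":
    legit, forged = sample_requests()
    print("vulnerable, forged request:", handle_action_vulnerable(forged))
    print("protected, forged request:", handle_action_protected(forged))
    print("protected, legitimate request:", handle_action_protected(legit))
```

Binding the token to the session id means a token obtained from a different session (an attacker's own login, for instance) fails the comparison too; the test below checks that case alongside the missing-token one.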

Last October, President Barack Obama announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the federal economic stimulus package.

Smart grids use digital meters and control mechanisms that allow utility companies to better control the flow of electricity remotely and promise to save energy and reduce utility costs. Smart meters installed in homes and businesses allow utility companies to remotely communicate with the devices to read usage levels and control the delivery of services.

But security research on the systems is lagging behind the deployment of smart meters, which has already occurred in some places in the United States. PG&E is in the lead with 5 million gas and electric smart meters deployed since 2006, which represents about half of its customer base. PG&E expects to deploy an additional 5 million smart meters by 2012.

Among the concerns Carpenter expressed was one related to vulnerabilities that could arise in the encryption schemes used in smart grid systems, given that the systems are expected to have a lifespan of 15 to 20 years. Advances in encryption cracking that are likely to occur over that time period would make the encryption obsolete, he said.

He also discussed a need to examine the aggregation points that receive communication from the meters and have “an immense amount of control” in some cases.

“In some circumstances they’re simply going to give you a denial-of-service if you tamper with them because the crypto is done appropriately from the head-end control system down to the meters and the aggregation point really can’t tinker much with it,” Carpenter said. “But in other [cases] there’s a great deal of control that that aggregation point has, and they’re sitting on the top of a pole not in a brick building [with] guard dogs and razor wire . . . and [they have] an Ethernet cable.”

An attacker could sniff traffic going to the aggregation point or possibly send commands to the meters or inject code into the backend control system.

But even more pressing and immediate, in terms of vulnerabilities, is the remote shut-off capability in smart meters. Digital smart meters have an electronic disconnect switch that allows the utility company to shut down electricity remotely. Carpenter asked PG&E’s Bromberger directly, “Why not think about disconnecting the disconnect switch until we figure out more of what we’re dealing with?”

Bromberger responded that PG&E had in fact disabled the remote disconnect function in the first generation of electricity smart meters it deployed.

“We wanted to be sure that we had detection response capabilities and security figured out before we started implementing that,” he said.

What he didn’t say was that this actually represents only a tiny portion of the meters PG&E has deployed.

A PG&E spokesman provided details to Threat Level after the panel discussion. Of the 5 million PG&E smart meters currently deployed, 2.5 million are electricity meters, with the remainder gas meters. Spokesman Paul Moreno confirmed that 300,000 of the electricity meters do have the remote disconnect function disabled, but he couldn’t say how many, if any, of the 2.2 million other meters have been disabled in the same manner. When asked if he could obtain the information, Moreno said the company had never been asked for it before and wasn’t sure if those figures existed.

The 300,000 meters that have the functionality disabled are mechanical meters that can be read remotely through the power line; the remaining 2.2 million are digital meters that use a radio frequency signal for remote communication.

The gas smart meters don’t allow for remote turnoff. They aren’t actually new meters but simply devices that go on top of existing gas meters to record the number of therms being used.

With regard to vulnerabilities in general, the panelists acknowledged that new vulnerabilities would always arise in smart systems no matter how well the systems are designed. The important thing is to make compromise as painful and time-consuming a process as possible to deter or delay an attacker and implement processes for adequate detection and response so that when a compromise does occur, utility companies can do something swiftly to limit the damage.

Photo courtesy PG&E

White House Cyber Czar: There is No Cyberwar

Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it.

Schmidt’s official title is cyber-security coordinator at the White House, a job he took over just before Christmas. Schmidt has no budgetary authority, but he said that doesn’t make him powerless, because his office is in the White House. He’s been there before as an adviser to President George W. Bush, and he’s been the president and board member of countless security associations.

One of his first moves in his new job was to publish an unclassified summary of the country’s 12-point cybersecurity plan, known as the Comprehensive National Cybersecurity Initiative, a move toward transparency that he announced Monday as the keynote speaker at the world’s premier security conference.

That plan was first formulated under a veil of secrecy in January 2008 by President Bush. He was prompted in no small part by McConnell, who was director of national intelligence and reportedly convinced the president that a cyberattack could cause more economic damage to the United States than the 9/11 terrorist attacks.

Much of the authority and the funds under that initiative fell to the National Security Agency, the military’s premier spying agency that also has responsibility for locking down the government’s classified networks. Not surprisingly, McConnell, as DNI, held power over the NSA.

McConnell rejoined Booz Allen Hamilton, a defense contractor which made more than $4 billion in 2008, mostly in government contracts, including secret ones. A former NSA director, McConnell now serves as the vice president for national security business at Booz Allen Hamilton. It was recently acquired by the powerful and politically connected Carlyle Group, the world’s largest private equity firm, whose advisers and board members have included George Bush, George W. Bush, James Baker and former SEC chief Arthur Levitt.

In an op-ed in the Washington Post last weekend, McConnell called for a re-engineering of the internet and a return to a Cold War mentality of deterrence based on the threat that the U.S. would massively retaliate against any perceived attack.

“More specifically, we need to re-engineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable,” McConnell wrote.

Threat Level rebutted that notion Monday, in a post that called McConnell the greatest threat to the internet.

For his part, Schmidt said no re-engineering of the internet is in the plans under the Obama administration. And he re-emphasized the president’s promise — delivered in a May cyber speech — that the government would not monitor the internet at large.

“People have to recognize that when we close the door and go home, we are just normal netizens like anyone else. I’ve been in the internet from the very beginning. We don’t want to see it changed to where it is no longer available and we don’t have the ability to do things anonymously as we choose to in certain realms,” Schmidt said.

“But we also need to do our financial transactions securely and you need to be able to file your story online in a manner so that by the time you upload it, it doesn’t say ‘At noon, today San Francisco had a terrible earthquake’ when that didn’t happen,” Schmidt added.

But that commitment to keep the government’s monitoring equipment out of the commercial internet seems belied by a CNET interview at RSA with a Homeland Security cyber security official who said that DHS was considering installing its classified “Einstein 3” security technology on non-government infrastructure.

Cyberwar advocates make their case for this in part by pointing to high profile stories by 60 Minutes, the Wall Street Journal and the National Journal that hackers have penetrated the grid and in some cases caused massive blackouts, including the 2003 cascading failure in the Northeast that affected some 50 million citizens. Those stories relied nearly exclusively on anonymous defense intelligence officials or contractors, and are often easily debunked.

Schmidt said it’s possible that hackers have gotten into administrative computer systems of utility companies, but says those aren’t linked to the equipment controlling the grid, at least not in developed countries. He’s never heard that the grid itself has been hacked.

“As for getting into the power grid, I can’t see that that’s realistic,” Schmidt said.

There’s been much ink spilled in recent years over the turf battles in D.C. over whether the NSA, representing the military, or DHS, the civilian side, takes the lead role in cybersecurity.

Rod Beckstrom, now the president of the Internet Corporation for Assigned Names and Numbers, resigned from his role heading cybersecurity for DHS last spring, protesting that the NSA was encroaching too far, and that the job of protecting non-military government websites should be handled by civilians — especially as the government pushes citizens to use those websites for more and more business.

But Schmidt said he hasn’t run into that problem and said government agencies are working together.

“I haven’t seen that tension,” Schmidt said.

As for which will take the cybersecurity lead, Schmidt simply says it’s a shared effort.

But that’s a very thorny issue — one that has dogged the government’s intrusion protection system Einstein and its successors, Einstein 2 and 3.

Why should U.S. citizens trust cybersecurity to the NSA, which under President Bush secretly turned its powerful spying apparatus inwards in violation of U.S. law and its longstanding mantra to never spy on citizens?

Schmidt counters that the NSA has long had the job of protecting classified computers and has already become a participant in the wider security community, including offering advice on how to secure computer systems such as Linux and Windows. And more important, Schmidt said, the president maintains the NSA has to obey limits.

“When your boss, in our case the president, tells an agency not to do something and here are the controls put in place and here is the coordination put into place, that’s a pretty big commitment,” Schmidt said.

As for his priorities, Schmidt says education, information sharing and better defense systems rank high.

That includes efforts to train more security professionals and have the government, including the NSA’s defensive side, share more information with the private sector.

“One thing we are looking at is how do we make sure that the private sector has the information it needs from the government,” Schmidt said, referring to what he called “some of the unique visibility the government has from the attacks on our systems.”

The government must also be active in reducing its own vulnerabilities, according to Schmidt.

“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”

Schmidt, who has held cybersecurity positions inside the Air Force, the FBI and Microsoft, mentioned he’s part of a Facebook group of Wired magazine collectors. The oldest one he has, he said, had co-founder of the Electronic Frontier Foundation John Perry Barlow on the cover. Though the irascible Barlow never made the cover (other than a mock-up of the first edition), Schmidt could have been referring to Issue 2.04 which included a promo for an essay from Barlow.

Fittingly, that essay, about the failed effort to mandate government-accessible backdoors in encryption technology, was entitled “Jackboots on the Infobahn.”

Photo: Howard Schmidt in a lonely RSA conference room Wednesday March 3. Credit: John Snyder/Wired.com

'Severe' OpenSSL vuln busts public key crypto

Computer scientists say they've discovered a "severe vulnerability" in the world's most widely used software encryption package that allows them to retrieve a machine's secret cryptographic key.

The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

"Wherever you need to verify the origin of a piece of software or a piece of information, those building blocks come in handy," said Karsten Nohl, an independent security researcher who in unrelated attacks has broken encryption in widely used smartcards and cordless phones. "The OpenSSL library provides much more than just SSL."

The scientists, from the University of Michigan's electrical engineering and computer science departments, said the bug is easily fixed by applying cryptographic "salt", that is, additional randomization, to the underlying signing computation. The extra randomization would make the attack unfeasible.

An OpenSSL official, who asked that his name not be published, said engineers are in the process of pushing out a patch and stressed the attack is difficult to carry out in real-world settings.

The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations into a device's power supply as it processed messages with that key. In a little more than 100 hours they had fed the device enough "transient faults" to assemble its entire 1024-bit key.

"This is probably not as much of a threat to a server system as it is to a consumer device," said Todd Austin, one of the scientists who devised the attack. "The place where this would be more applicable would be if you want to attack a Blu-ray player (where) you have an environment where someone is giving you a device that has a private key to protect intellectual property and you have physical access to the device."

Servers, by contrast, would be much harder to attack because they are generally located in places that prevent people from manipulating their power supply. But that doesn't mean they're immune to such exploits. If a machine were overheating or otherwise experiencing power fluctuations, the vulnerability could cause a server to leak secret data that an attacker could collect.

The scientists are also experimenting with the possibility of exploiting the bug using lasers or natural radiation sources, they said.

The attack is enabled by what the researchers described as a "severe vulnerability" in the OpenSSL code that carries out authentication based on the RSA public key algorithm. It resides in the library's so-called fixed-window exponentiation routine, the code that performs the private-key operation, and it shows itself when a computation error arises there: by triggering a single-bit error in one multiplication, the scientists were able to force OpenSSL to divulge 4 bits of the secret key.

Once they had gathered about 8,800 faulty outputs (signatures corrupted by the injected errors) from the targeted device, they fed the data into an 81-machine cluster of 2.4 GHz Pentium 4 systems running a custom-designed recovery algorithm. They applied the technique to an embedded hardware device consisting of a SPARC processor running Linux and were able to extract its 1024-bit private key in 104 hours.
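To make the mechanism concrete, here is an added example in Python (not the researchers' code and not OpenSSL's): a toy fixed-window exponentiation with a single-bit fault injected into one multiplication, the attacker's public-data search that recovers the affected 4-bit window from one correct and one faulty signature, and the generic verify-before-release check that stops a faulty signature from ever leaving the device. The 60-bit key, the message value and the fault model (one bit of the window multiplicand flipped) are assumptions made for the demonstration; the window-recovery search is the general form of the 4-bits-per-fault observation above, and the final check is the standard countermeasure for fault attacks on RSA signing, not the salt-based fix the researchers proposed.

```python
# Added example, not the paper's code: a toy model of the fault attack and
# of the verify-before-release check. The key, the message and the fault
# model (one bit flipped in the window multiplicand) are assumptions made
# for this demonstration. Requires Python 3.8+ for pow(x, -1, n).

WINDOW = 4  # window width; one fault leaks one window, i.e. 4 bits

# Constructed toy RSA key: two 30-bit primes, far too small for real use.
P, Q = 1000000007, 1000000009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
M = 0x2A2A2A2A2A  # constructed message representative, M < N, gcd(M, N) == 1


def exponent_windows(d, n):
    """Split d into fixed 4-bit windows, most significant first, padded to
    the modulus length so the window count does not depend on the key."""
    k = (n.bit_length() + WINDOW - 1) // WINDOW
    mask = (1 << WINDOW) - 1
    return [(d >> (WINDOW * (k - 1 - i))) & mask for i in range(k)]


def fwe_modexp(base, d, n, fault=None):
    """Left-to-right fixed-window exponentiation: four squarings, then one
    multiply by the precomputed table entry for the window. fault=(i, b)
    flips bit b of the table operand used in window i, modelling a
    transient error inside a single multiplication."""
    table = [pow(base, w, n) for w in range(1 << WINDOW)]
    r = 1
    for i, w in enumerate(exponent_windows(d, n)):
        for _ in range(WINDOW):
            r = r * r % n
        operand = table[w]
        if fault is not None and fault[0] == i:
            operand ^= 1 << fault[1]
        r = r * operand % n
    return r


def recover_window(m, e, n, s_good, s_bad):
    """Attacker side, public data only. Given a correct and a faulty
    signature of the same message, search (window index, window value,
    flipped bit). A corrupted operand c' in place of c at window i is
    carried through the remaining 4*(k-1-i) squarings as a known power,
    so s_bad == s_good * (c'/c)^(2^(4*(k-1-i))) mod n identifies it."""
    k = (n.bit_length() + WINDOW - 1) // WINDOW
    hits = []
    for i in range(k):
        exp = 1 << (WINDOW * (k - 1 - i))
        for w in range(1 << WINDOW):
            c = pow(m, w, n)
            c_inv = pow(c, -1, n)
            for b in range(n.bit_length()):
                ratio = (c ^ (1 << b)) * c_inv % n
                if s_good * pow(ratio, exp, n) % n == s_bad:
                    hits.append((i, w, b))
    return hits


def sign_checked(m, d, e, n, fault=None):
    """Defensive signer: recompute with the public exponent and refuse to
    release a signature that does not verify, so a fault yields nothing."""
    s = fwe_modexp(m, d, n, fault)
    return s if pow(s, e, n) == m else None


if __name__ == "__main__":
    fault = (7, 17)  # window 7, bit 17 of its multiplicand
    s = fwe_modexp(M, D, N)
    s_bad = fwe_modexp(M, D, N, fault=fault)
    print("faulty signature verifies:", pow(s_bad, E, N) == M)
    print("recovered (window, value, bit):", recover_window(M, E, N, s, s_bad))
    print("true window 7 of d:", exponent_windows(D, N)[7])
    print("guarded signer output under fault:", sign_checked(M, D, E, N, fault))
```

Scaled to a 1024-bit key there are 256 windows and about a thousand candidate bit positions per window, which is the search the researchers farmed out to their cluster; the guarded signer costs one public-key operation per signature, cheap next to the private-key operation it protects.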

The researchers said it may be possible to apply the method to other crypto libraries, such as one offered by the Mozilla Foundation.

The other two scientists working on the project were Valeria Bertacco and Andrea Pellegrini. Their paper (PDF) will be presented next week at the Design Automation and Test in Europe Conference.

DMCA Muscle Strong-Arms DVD Copying

Those awaiting a legitimate method to duplicate DVDs for personal use likely will have to wait even longer, perhaps forever, after RealNetworks tossed in the white towel and abandoned litigation toward that end.

RealNetworks spent almost two years in a legal battle with the Motion Picture Association of America, which sued the Seattle-based company to block the sale of its DVD-copying software and hardware - generally known as RealDVD. The company said late Wednesday it was dropping its appeal of an August federal court decision that declared RealDVD an illegal violation of the Digital Millennium Copyright Act of 1998.

The act, which the Hollywood studios strongly lobbied for, prohibits the circumvention of encryption technology. DVDs are encrypted with what is known as the Content Scramble System, and DVD players must secure a license to play discs. RealDVD, U.S. District Judge Marilyn Hall Patel ruled, circumvents the CSS technology designed to prevent copying and is therefore a breach of the CSS license.

The litigation cost RealNetworks millions of dollars, including $4.5 million to reimburse the MPAA for its legal costs. The outcome cost Rob Glaser, RealNetworks’ CEO, his job.

Most important, RealNetworks’ admitted defeat solidifies the DMCA’s power – and leaves in its wake a legal and political vacuum: There is no active movement to legalize the duplication of DVDs under the DMCA, and every attempt to do so has failed.

For the moment, consumers will have to opt for underground tools like HandBrake and others to copy their DVDs — a practice whose legality is questionable under Patel’s ruling. Pirating and sharing movies via illicit BitTorrent sites is also available, but clearly unlawful under the Copyright Act.

In the end, there is no legitimate method to copy one’s DVDs, even children’s DVDs that are often scratched by their juvenile owners.

Copying DVDs amounts to “theft,” the MPAA’s general counsel, Daniel Mandil, said Wednesday. And RealNetworks’ white flag has emboldened the movie studios’ litigation arm, which Mandil said would “vigorously pursue companies that attempt to bring these illegal circumvention products and devices to market.”

The Hollywood studios sued RealNetworks in 2008 because they feared losing control of the DVD the way the music industry lost control of the CD.

It’s OK to copy music from CDs, for example, and place it in an iPod. Yet, it’s illegal to do the same with a DVD. When it comes to the DVD, there’s not even a question of fair use allowed under copyright law.

As it turns out, the DMCA protects the DVD but not the CD.

Hollywood lobbied hard for the DMCA, in part to pave the way for the DVD. The studios were savvy enough to have seen how easy it was to duplicate the CD, which was not encrypted. Attempts to lace CDs with Digital Rights Management had failed.

But the DVD was different than the CD. It was born with encryption, now called the Content Scramble System. It is designed to prevent duplication. Under the DMCA, gadgets and software allowing duplication of encryption-protected works are prohibited.

Judge Patel, in her ruling in the RealNetworks case, said “while it may well be fair use for an individual consumer to store a backup copy of a personally owned DVD on that individuals computer, a federal law has nonetheless made it illegal to manufacture or traffic in a device or tool that permits a consumer to make such copies.”

Patel, however, added some doublespeak: “Fair use can never be an affirmative defense to the act of gaining unauthorized access,” a simple way of saying it was illegal to hack into the encryption to make a copy.

Patel’s decision virtually mirrored the 2004 ruling by another federal judge declaring as illegal DVD copying software produced by 321 Studios. The difference between the two cases was that RealNetworks secured a Content Scramble System license, and claimed a loophole in the license allowed its RealDVD software to make hard-drive or thumb-drive backup copies of movies.

Judge Patel did not buy that argument.

That alleged loophole, however, is being litigated by Kaleidescape, a California company that sells high-end home DVD duplicating hardware, which reached the market after a California judge ruled that a CSS licensing loophole indeed allowed a copying device.

But a California appeals court didn’t see it that way, and last year reversed the decision, which is on appeal to the California Supreme Court. Judging by RealNetworks’ white flag, the outcome is obvious.

Photo: john_a_ward/Flickr

See Also:

  • DMCA Exemption Unlikely for iPad Jailbreak
  • DMCA Coupon Flap Ends Nobody ‘Won’
  • Once Again, DMCA Protects Online Video Sites
  • 10 Years Later, Misunderstood DMCA is the Law That Saved the Web …
  • Air Force Cyber Command’s New Weapon: DMCA Notices
  • YouTube to McCain: You Made Your DMCA Bed, Lie in It
  • Universal Says DMCA Takedown Notices Can Ignore ‘Fair Use …

eBay scammer gets four years

Thursday, March 4, 2010

The leader of a UK-based gang who made millions selling counterfeit luxury golf kit and other knock-off goods through auction site eBay has been jailed for four years.

Gary Bellchambers and six others ran what is reckoned to be the biggest ever such scam between June 2003 and March 2008. Their fraud was eventually rumbled by a trading standards team at Havering Council, who were put on the trail of the fraudsters by pensioner Christine Manz.

The council team worked with eBay to identify 96,000 bogus transactions including golf clubs, clothing and forged Qantas business class lounge pass cards. The crooks supplied cheap knock-off imitations in place of the promised premium quality kit from US manufacturer Callaway Golf.

Bellchambers, 45, of Rainham, who admitted masterminding the scheme, pleaded guilty to fraud along with co-conspirators Keith Thomas, 49, from Rainham, and Chris Moughton, 56, from Blackpool. Four other suspects in the case were found guilty in a trial last December.

Roy Cottee, 65, and his wife Kay, of Rainham, Essex; Helen Wilson, 28, of Hertford, and Sharron Williams, 48, of West Wickham, Kent joined their three accomplices in the dock for a sentencing hearing at Snaresbrook Crown Court in London on Thursday.

Ringleader Bellchambers was jailed for four years and three months, with a recommendation to spend at least half that time behind bars. Thomas, the scam's second in command, was sentenced to 16 months in jail, with an order to serve half in custody.

Roy and Kay Cottee were also convicted of conspiracy to distribute Qantas business class lounge cards. Roy Cottee was jailed for 12 months while his wife was given a 300-hour community service order.

The other three members of the conspiracy received a combination of suspended sentence and community service orders.

In a statement, eBay UK welcomed the sentences and explained the modus operandi of the crooks. "Bellchambers and his gang of felons used an international network of criminals to open and maintain eBay accounts using a variety of false documentation, bank, credit card and contact details.

"The case which secured today's convictions was supported by eBay's Fraud Investigation Team and reinforces eBay's ongoing commitment to fighting counterfeits."

eBay's Fraud Investigation Team worked with Havering Trading Standards for over three years to make sure Bellchambers and his accomplices were brought to justice. Investigators supplied information from suspect eBay and PayPal accounts to their Trading Standards counterparts as well as testifying in court.

Last year eBay trained 1,666 coppers in the UK, and in the last two years has assisted officers in over 9,000 case investigations, resulting in the arrest of 200 suspected criminals.

Monster botnet held 800,000 people's details

The Mariposa botnet had the power to dwarf Georgia and Estonia cyberattacks if it had been used to launch denial of service attacks, say Spanish police.

Months of investigations by the Guardia Civil in Spain, the FBI and the security firms Panda Security and Defence Intelligence led to the takedown of the 12.7 million strong zombie network in December and the arrest of three suspects in Spain two months later.

At a press conference announcing the operation in Madrid on Wednesday, Spanish police said they recovered the personal details of 800,000 people from systems recovered from three alleged cybercriminals. This cache of stolen information includes bank login credentials from businesses and consumers as well as email passwords.

Three Spanish residents suspected of running the botnet have been charged with online offences: the most senior alleged botmaster, nicknamed Netkairo, 31, from Balmaseda in the Spanish province of Vizcaya, as well as his two alleged lieutenants JPR, 30, from Molina de Segura, Murcia, and JBR, 25, from Santiago de Compostela in La Coruña. None of the suspects have been named at this stage of proceedings.

In a statement (in Spanish), Guardia Civil officers said they were also on the trail of a fourth suspect nicknamed Phoenix, who is possibly based in Venezuela.

Defence Intelligence discovered the botnet last May and formed a team that brought in security experts from Bilbao-based Panda and computer scientists at Georgia Tech Information Security Center. Security researchers infiltrated the botnet's command and control systems, learning enough to mount a successful takedown operation in cooperation with ISPs on 23 December.

Netkairo responded to this by launching a retaliatory denial of service attack against Defence Intelligence that took out customers at a Canadian ISP for several hours. In wrestling to obtain control of the botnet he made the mistake of connecting to compromised systems using his home PC, a mistake that led to his identification (as explained in our earlier story on the takedown operation).

Luis Corrons, technical director of PandaLabs, explains the Mariposa botnet's business model and the takedown operation in a video accompanying the original article.

Web wags stage IE 6 funeral

The unsung comic geniuses of the web are holding a mock funeral for Microsoft's decrepit IE 6 browser software later on Thursday.

The IE 6 Funeral site announced on Monday that the browser "passed away" in a workplace injury (a reference to the role the eight-year-old browser played in the Operation Aurora attack against Google and others late last year). IE 6 is survived by son Internet Explorer 7 and granddaughter IE 8 (very clearly a girl).

Mock obituaries for IE 6 note the browser, born in August 2001, enjoyed a long life but became a danger to itself and others in its dotage.

Redmond began offering Windows users in Europe a ballot screen this week featuring a list of alternative browsers as well as Internet Explorer and the opportunity to upgrade. The move, which came soon after Google's decision to withdraw support for the browser in Google Apps, was the final nail in IE 6's coffin.

IE6 Funeral invites well-wishers to attend a wake for the browser later on Thursday in Denver. Those surfers unable to attend are asked to send flowers. Are we having fun yet?

WSC CMS "Password" Field SQL Injection

WSC CMS is a content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the password field before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Ref: http://www.securityfocus.com/bid/38335

10.9.89 - CVE: Not Available
Platform: Web Application - SQL Injection

Joomla! "com_acstartseite" Component SQL Injection

The "com_acstartseite" application is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "Itemid" parameter before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/38269

10.9.79 - CVE: Not Available
Platform: Web Application - SQL Injection

Amelia CMS "index.php" SQL Injection

Amelia CMS is a content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "page" parameter of the "index.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/archive/1/509617

10.9.84 - CVE: Not Available
Platform: Web Application - SQL Injection

Hacking human gullibility with social penetration

Security penetration testers Mike Bailey and Mike Murray rely plenty on attacks that exploit weaknesses in websites and servers, but their approach is better summed up by the famous phrase "There's a sucker born every minute."

That's because so-called social penetration techniques are more reliable and easier to use in identifying chinks in client fortresses, the principals of Mad Security said Wednesday. That's true even for organizations that place a high premium on security and train their employees to resist the most common attempts to trick them into letting down their guard.

"I like finding those elite little exploits where they'll bounce things off eight different websites through cross-site request forgery and cross-site scripting attacks," Bailey said Wednesday at the BSides security conference in San Francisco. "I've never actually needed it in a pentest, because all you have to do is send them a malicious link" or crafty email.

Bailey said he regularly sends client employees emails informing them the strength of their login passwords is being tested through a new website. They are then instructed to follow a link and enter their credentials. The success rate: as high as 50 percent.

The vulnerability stems from humans' inherent tendency to trust one another. Survival over the millennia largely depended on their ability to work in groups. When one person saw that a group of his peers ate a particular berry and didn't die, he ate the same fruit - and survived as a result. Hackers who understand this trait can exploit it to access companies' most precious assets.

"The social part of our industry, we are never going to patch," Murray said. "We need to have our whole industry understand this. This is what all social attacks are about."

During their hour-long talk, the pair described the most common social penetration methods, which can be found in everything from 419 email scams to trojan attacks that succeed only when a victim clicks on a malicious link.

The come-ons often invoke a sense of urgency, such as an opportunity to make money only if the mark moves quickly. Scammers often try to form perceived bonds with their victims by thanking them for their attention or apologizing for an interruption. The ruses amount to hacks that suspend the marks' critical faculties just long enough to get them to make a critical mistake.

Bailey employed a similar trick last year, when he and two other ethical hackers claimed a $10,000 prize for breaking into the email account of StrongWebMail CEO Darren Berkovitz.

The XSS, or cross-site scripting, vulnerability they identified could only be exploited if the victim clicked on a link while logged in to his account. The solution: They sent him an email with the subject line "we think we've already won this contest," with the attack link in the body. Berkovitz took the bait, and they won the prize.

The technique works even on firms and individuals that regard themselves as especially security savvy, although the tricks often must be tailored to them, Murray warned.

"They spend all this time talking about security," he explained. "If I send them an email saying 'Do the right thing for security,' they say OK, and we own them. The things that normally work in most organizations don't work on them, but if you figure out what works on them, they're as easy to own as anybody else, no matter how intense their preparation is."

Google Hackers Had Ability to Alter Source Code

The hackers who targeted Google and other companies in January targeted the source code management systems of companies, allowing them to siphon source code as well as modify it, according to a new report.

More importantly, systems that the companies used to develop and manage their source code have numerous security flaws that would allow easy compromise of a company’s intellectual property. The same systems are used by numerous other companies who may not realize that their source code is open to attack.

The white paper (.pdf), released by security firm McAfee during this week’s RSA security conference in San Francisco, provides a couple of new details about the attacks, dubbed Operation Aurora, that affected some 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and also provided information to Google about malware that was used in the attacks.

According to the paper, the hackers gained access to software configuration management systems (SCM), which could have allowed them to steal proprietary source code or surreptitiously make changes to the code that could seep undetected into commercial versions of the company’s software product. Stealing the code would also allow attackers to examine the source code for vulnerabilities in order to develop exploits to attack customers who use the software, such as Adobe Reader, for example.

“[The SCMs] were wide open,” says Dmitri Alperovitch, McAfee’s vice president for threat research. “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.”

Many of the companies that were attacked used the same source code management system made by Perforce, a California-based company whose products are used by many large companies. McAfee’s white paper focuses on the insecurities in the Perforce system and provides suggestions for securing it, but the company said it also would be looking at other source code management systems in the future. The paper doesn’t indicate exactly which companies were using Perforce or had vulnerable configurations installed.

As previously reported, the attackers gained initial access by conducting a spear-phishing attack against specific targets within the company. The targets received an e-mail or instant message that appeared to come from someone they knew and trusted. The communication contained a link to a web site hosted in Taiwan that downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser.

A binary disguised as a JPEG file then downloaded to the user’s system and opened a backdoor onto the computer and set up a connection to the attackers’ command and control servers, also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source code management system or burrowed deeper into the corporate network to gain a persistent hold.
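One check a proxy or endpoint can apply against the disguised-binary step described above, as an added example rather than anything from the McAfee paper: compare the first bytes of a download with the type its file name claims, and alert when executable content arrives under an image name. The signatures are the standard file magic values; the sample downloads are constructed inline.

```python
# Added example (not from the McAfee paper): flag a download whose bytes do
# not match the type its name claims, the "binary disguised as a JPEG" case.
# Signatures are standard file magic; the samples below are constructed.

MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pe": [b"MZ"],  # DOS/PE executable header
}
EXT_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
            ".gif": "gif", ".exe": "pe", ".dll": "pe"}


def sniff(data):
    """Identify content by its leading bytes, ignoring the name entirely."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return "unknown"


def claimed_type(name):
    """Type implied by the file extension, or 'unknown' if none is known."""
    dot = name.lower().rfind(".")
    return EXT_TYPE.get(name.lower()[dot:], "unknown") if dot >= 0 else "unknown"


def check_download(name, data):
    """Return (verdict, actual, claimed). Executable content under any
    non-executable name is the case worth alerting on; a mismatch between
    two known types is a warning; unknown-vs-unknown is not a finding."""
    actual, claimed = sniff(data), claimed_type(name)
    if actual == "pe" and claimed != "pe":
        return f"ALERT executable content in {name}", actual, claimed
    if claimed != "unknown" and actual != claimed:
        return f"WARN content of {name} is {actual}, not {claimed}", actual, claimed
    return "ok", actual, claimed


# Constructed samples: a real JPEG prefix, and a PE header under a .jpg name.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "photo2.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 32,
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 32,
    "notes.txt": b"hello",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", check_download(name, data)[0])
```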

According to the paper, many SCMs are not secured out of the box and also do not maintain sufficient logs to help forensic investigators examining an attack. McAfee says it discovered numerous design and implementation flaws in SCMs.

“Additionally, due to the open nature of most SCM systems today, much of the source code it is built to protect can be copied and managed on the endpoint developer system,” the paper states. “It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree. . . . As a result, attackers often don't even need to target and hack the backend SCM systems; they can simply target the individual developer systems to harvest large amounts of source code rather quickly.”

Alperovitch told Threat Level that his company has seen no evidence yet to indicate that source code at any of the hacked companies had been altered. But he said the only way to determine this would be to compare the software against backup versions saved over the last six months to when the attacks are believed to have begun.

“That’s an extremely laborious process, particularly when you are dealing with massive projects with millions of lines of code,” Alperovitch said.
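An added example of the comparison Alperovitch describes (not McAfee's or Perforce's tooling): hash every file in a working tree and in a trusted snapshot, then list what appeared, vanished or changed. The sample trees are constructed in temporary directories so the script runs offline; in practice the snapshot side would be an offline backup or a signed release tag, never a copy stored on the same server as the SCM.

```python
# Added example, not McAfee's or any vendor's tool: check a working tree
# against a trusted snapshot file by file. Sample trees are constructed
# in temporary directories so this runs offline.
import hashlib
import os
import tempfile

SKIP_DIRS = {".git", ".svn"}  # VCS metadata is not source; skip it


def manifest(root):
    """Map each file under root (relative path, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            out[rel] = h.hexdigest()
    return out


def compare_trees(snapshot, working):
    """Report what differs from the trusted snapshot: files that appeared,
    disappeared, or changed content. Every 'added' or 'modified' source
    file needs a matching commit in the SCM history; without one it is
    suspect."""
    a, b = manifest(snapshot), manifest(working)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def build_sample_trees():
    """Constructed sample: identical snapshot and working copy, after which
    one source file in the working copy grows an extra function and a new
    file appears, the kind of change an attacker would try to slip in."""
    snap = tempfile.mkdtemp(prefix="snapshot_")
    work = tempfile.mkdtemp(prefix="working_")
    files = {
        "src/main.c": "int main(void) { return 0; }\n",
        "src/util.c": "int add(int a, int b) { return a + b; }\n",
        "README": "sample project\n",
    }
    for root in (snap, work):
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
    with open(os.path.join(work, "src", "util.c"), "a") as f:
        f.write("int unexpected(void) { return 1; }\n")
    with open(os.path.join(work, "src", "extra.c"), "w") as f:
        f.write("/* not in the snapshot */\n")
    return snap, work


if __name__ == "__main__":
    snap, work = build_sample_trees()
    print(compare_trees(snap, work))
```

On a tree of millions of lines this is I/O bound and embarrassingly parallel; the hard part is not the hashing but having a snapshot that predates the intrusion and that the attacker could not have touched.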

Among the vulnerabilities found in Perforce:

  • Perforce runs its server as SYSTEM under Windows, giving malware the ability to inject itself into system-level processes and providing an attacker access to all administrative functions on the system. Although the Perforce documentation for UNIX tells the reader not to run the server as root, it doesn’t suggest the same for the Windows service. As a result, the default installation on Windows runs as Local System, the Windows equivalent of root.
  • By default, unauthenticated anonymous users are allowed to create users in Perforce, and no password is required to create a user.
  • All information, including source code, communicated between the client system and the Perforce server is unencrypted and therefore easily sniffed and captured by someone on the network.
  • The Perforce tools use weak authentication, allowing any user to replay a request with a cookie value that is easy to guess and so obtain authenticated access to perform “powerful operations” on the Perforce server.
  • The Perforce client and server store all files in cleartext, allowing easy compromise of all the code in the local cache or on the server.

The paper lists a number of additional vulnerabilities.

Malaysian Hacked & Defaced Sites March 2010

MyHND v10.3
Malaysian Hacked & Defaced Sites March 2010 Archive

Source for every row: Computer and Network Security, Mamak Style (security.org.my).

Website | URL | Mirror | Status
Malaysian Gamers | http://www.gamers.com.my/ | http://security.org.my/index.php?/archives/Defaced-httpwww.gamers.com.my.html | Recovered
FIABCI Malaysia | http://www.fiabci.com.my/cms/ | http://security.org.my/index.php?/archives/Defaced-httpwww.fiabci.com.mycms.html | Recovered
Crocs Malaysia | http://crocs.com.my/ | http://security.org.my/index.php?/archives/Defaced-httpcrocs.com.my.html | Recovered
Aspirasi Digital Online | http://www.aspirasidigital.net.my/InisiatifMain.asp | http://security.org.my/index.php?/archives/Defaced-httpwww.aspirasidigital.net.my.html | Recovered
Agensi Kaunseling Dan Pengurusan Kredit (AKPK) | http://www.akpk.org.my/Portals/0/r3m1ck.txt | http://security.org.my/index.php?/archives/Defaced-httpwww.akpk.org.my.html | Unfixed
Techsource | http://www.techsource.com.my/events/events.asp | http://security.org.my/index.php?/archives/Defaced-httpwww.techsource.com.my.html | Recovered
Ofitech | http://ofitech.com.my/mydoms.php | http://security.org.my/index.php?/archives/Defaced-httpofitech.com.mymydoms.php.html | Recovered
Nature in a box, The Art of Nature | http://www.natureinabox.com.my/images/index.htm | http://security.org.my/index.php?/archives/Defaced-httpwww.natureinabox.com.my.html | Unfixed
Welcome to the Nasom Teleautism | http://www.nasom.com.my/ | http://security.org.my/index.php?/archives/Defaced-httpwww.nasom.com.my.html | Recovered
Nippon Precision Technology Sdn Bhd. | http://www.nippon-precision.com.my/newsdetail.php?newsId=24 | http://security.org.my/index.php?/archives/Defaced-httpwww.nippon-precision.com.my.html | Recovered
Northern Corridor Economic Region (NCER) | http://ncer.com.my | http://security.org.my/index.php?/archives/Defaced-httpncer.com.my.html | Recovered
Pejabat Setiausaha Kerajaan Negeri Perak | http://mbj.perak.gov.my/ | http://security.org.my/index.php?/archives/Defaced-httpmbj.perak.gov.my.html | Recovered
Jabatan Pengajian Politeknik (Operasi) | http://www.politeknik.edu.my/index.asp | http://security.org.my/index.php?/archives/Defaced-httpwww.politeknik.edu.my.html | Recovered
Masjid AnNur - Kotaraya | http://www.masjidannur.com.my/Default.php | http://security.org.my/index.php?/archives/Defaced-httpwww.masjidannur.com.my.html | Page Error
OROGENIC Group of Companies - Capable Reliable Global | http://orogenicgroup.com/ and http://orogenic.com.my/ | http://security.org.my/index.php?/archives/Defaced-httporogenic.com.my-httporogenicgroup.com.html | Recovered
Kedai Rakyat ® - Tempat Rakyat Berjual Beli | http://www.kedairakyat.com/08/.~/ | http://security.org.my/index.php?/archives/Defaced-httpwww.kedairakyat.com.html | Unfixed
andamanseripengantin.com | http://andamansetipengantin.com/ | http://security.org.my/index.php?/archives/Defaced-httpandamansetipengantin.com.html | Server Down
KLSE | http://klse.info/.~x/ | http://security.org.my/index.php?/archives/Defaced-httpklse.info.x.html | Recovered
kedah.edu.my | http://www.kedah.edu.my/ | http://security.org.my/index.php?/archives/Defaced-httpwww,ict,akademik.kedah.edu.my.html | Recovered

Nigeria fingered in latest NAB phishing attack: WatchGuard

Africa's broadband revolution threatens Western businesses.

A home PC in Lagos, Nigeria, connected by domestic broadband was likely responsible for a surge in malicious emails targeting NAB customers today.

Reputation services that track the bona fides of millions of machines connected to the net reported that the IP address responsible had seen an 11-fold increase in malicious traffic over the past day.

NAB has been contacted for comment.

The zero-day threat from the probably infected Nigerian host, one of the top spammers against the bank, was exposed in a demonstration of emerging threats using WatchGuard's web-based reputation authority.

The security vendor's Australian senior sales engineer Gary Spiteri said spammers have become more efficient at targeting customers of financial institutions, reflected by the fact that fewer of their phishing emails bounced than when using scattergun approaches.

As Africa connects to broadband it is following the US and Eastern Europe in becoming a source of attacks.

"I doubt that there's a National Australia (Bank) mail host in Nigeria," Spiteri said.

"Interestingly, 83.33 percent [of the Nigerian host's emails] was spam but it's a 100 percent good recipient list: no bounce backs, they've got a good, qualified list of spam targets and two blacklists have it and two of them don't.

"That's quite possibly an emergent threat.

"It's probably a PC on a conventional ADSL link and it's got some sort of bot on it.

"This is probably the source of a phishing outbreak."

Spiteri said good security practices lagged broadband adoption in Third World countries.

"Third World countries don't spend money on anti-virus, don't put network security in place, they have pirated copies of Windows, which means that security updates are turned off from Microsoft; so you'll get an increasing number of vulnerable operating systems on PCs that are then targets for more bots to be deployed on to them which then become generators of more types of this type of spam."

Borderware bears fruit

The Australia and New Zealand manager for firewall vendor WatchGuard, Scott Robertson, said reputation technology it bought in last August's marriage with Canadian security vendor Borderware would filter down from its high-end XCS class of devices to the XTM line within six months: "We're hoping for 90 days".

Robertson said the installed base of 10,000 Borderware appliances that collect intelligence about emerging threats would grow in this time to more than 600,000 once the switch was flipped on Watchguard devices.

Overnight, Watchguard launched appliances aimed at small and medium-sized organisations. The XTM5 for organisations with up to 1500 users and the XTM2 for branches and businesses of up to 50 users were based on its Fireware operating system and blocked Skype, instant messaging, attacks over unified communications and VoIP, the company said.

Channel

Robertson said WatchGuard was ramping up its channel activities by:

* launching a credit card rewards program,

* tightening adherence to its certification program,

* increasing marketing,

* emphasising its partner program that allowed resellers to let their customers "try before they buy", and

* offering an annual trip to a tropical resort for "top performers".

"We can have more discussions with resellers about spam and content filtering and sell up into the high-end space" such as banks and financial institutions, he said.


XlentProjects SphereCMS "archive.php" SQL Injection

SphereCMS is a content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "view" parameter of the "archive.php" script before using it in an SQL query. SphereCMS version 1.1 Alpha is affected.

Ref: http://www.securityfocus.com/bid/38309

10.9.83 - CVE: Not Available
Platform: Web Application - SQL Injection

Pogodny CMS "id" Parameter SQL Injection

Pogodny CMS is a content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This issue affects the "id" parameter of the "index.php" script when the "modul" parameter is set to "niusy".

Ref: http://www.securityfocus.com/bid/38253

10.9.78 - CVE: Not Available
Platform: Web Application - SQL Injection

Article Friendly "Username" Field Login SQL Injection

Article Friendly is a PHP-based application for publishing articles. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "Username" field of the login page. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Ref: http://www.securityfocus.com/bid/38341

10.9.88 - CVE: Not Available
Platform: Web Application - SQL Injection

How FBI, police busted massive botnet

Analysis: More details have emerged about a cybercrime investigation that led to the takedown of a botnet containing 12m zombie PCs and the arrest of three alleged kingpins who built and ran it.

As previously reported, the Mariposa botnet was principally geared towards stealing online login credentials for banks, email services and the like from compromised Windows PCs. The malware infected an estimated 12.7 million computers in more than 190 countries.

The botnet was shut down on 23 December 2009 following months of collaboration between security firms Panda Security and Defence Intelligence in co-operation with the FBI and Spain's Guardia Civil.

Half the roster of Fortune 1000 companies harboured machines infected by Mariposa at one time or another, according to Christopher Davis, chief exec at Canada-based Defence Intelligence, who first discovered the Mariposa botnet back in May 2009. Defence Intelligence teamed up with academics at Georgia Tech Information Security Center and security experts at PandaLabs and law enforcement to form the Mariposa Working Group in order to eradicate the botnet and bring the perpetrators to justice.

The Mariposa Working Group infiltrated the command-and-control structure of Mariposa to monitor the communication channels that relayed information from compromised systems back to the hackers who ran the botnet. Analysis of the command system laid the groundwork for the December 2009 shutdown of the botnet, as well as shedding light on how the malware operated and providing a snapshot of the current state of the underground economy.

Butterfly collectors

Mariposa (Spanish for butterfly) botnet malware spread via P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, exposed machines would have various strains of malware installed (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc) by the hackers to obtain greater control of compromised systems.

The botmasters made money by selling parts of the botnet to other cybercrooks, installing pay-per-install toolbars, selling stolen credentials for online services and laundering stolen bank login credentials and credit card details via an international network of money mules. Search engine manipulation and serving pop-up ads were also part of the illegal business model behind the botnet.

The criminal gang behind Mariposa called themselves the DDP (Días de Pesadilla, or Nightmare Days) Team. They nearly always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing investigators from identifying their real IP addresses.

However, when the December shutdown operation happened, the gang's leader, alias Netkairo, panicked in his efforts to regain control of the botnet. Netkairo made the fatal error of connecting directly from his home computer instead of using the VPN, leaving a trail of digital fingerprints that led to a series of arrests two months later.

A blog post by Panda Software explains what happened next.

Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.

Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.

On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. jonyloleante, and J.B.R., 25, a.k.a. ostiator. Both of them were arrested on February 24, 2010.

Domains used by Mariposa were unwittingly hosted by US ISP CDmon, which assisted security researchers and law enforcement officials in taking down the botnet.

The main botmaster, nicknamed Netkairo and hamlet1917, as well as his two alleged lieutenants Ostiator and Johnyloleante have been charged with cybercrime offences. More arrests are expected to follow.

Under Spanish law, suspects are not named at this stage of proceedings. Pedro Bustamante, senior research advisor at Panda Security, said: "Our preliminary analysis indicates that the botmasters did not have advanced hacking skills.

"This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss."

MS confirms 'F1 to pwn' IE bug

Microsoft has confirmed that an unpatched Internet Explorer vulnerability makes it potentially dangerous to press F1 if you are running earlier versions of Windows.

A security bug in the VBScript technology bundled with Internet Explorer means that it might be possible to create a web site that displays a specially crafted dialog box that pushes malware providing a victim is tricked into pressing the F1 (help menu) key while viewing a booby-trapped site using Internet Explorer. The novel exploit technique works on older versions of Windows (Win 2000, XP and Server 2003). As previously reported, Vista, Windows 7 and Windows Server 2008 are immune.

Proof of concept code is reportedly in circulation but Microsoft said: "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

In an advisory published on Monday, Redmond went on to criticise security researchers for not coming to it with the problem first.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

The advisory expands on an earlier holding statement in providing a list of potentially vulnerable systems, a preliminary risk assessment and suggested workarounds. Redmond security gnomes are still investigating the flaw but a decision to develop a patch looks like a big odds-on favourite if past form holds true.

Microsoft gave no indication of when a patch might become available but the next scheduled Patch Tuesday is only six days away, cutting it very fine to develop, much less test, a fix. An April or even May update for IE seems more likely.

Brass necked suspect swallows USB evidence

Wednesday, March 3, 2010

A suspected cybercrook who swallowed a USB drive in an apparent bid to destroy evidence has been charged with obstruction.

Florin Necula, from New York, ate a Kingston flash drive thought to contain mag stripe dumps from credit cards shortly after his arrest outside a bank in Queens on 21 January. He gobbled the USB drive while awaiting processing and questioning at a Secret Service office in Brooklyn.

Necula's attempts to digest the evidence resulted in a trip to a New York hospital and, four days later, a presumably delicate operation to remove the USB stick.

Necula and three associates allegedly used card skimmers to swipe credit card details from victims using a doctored ATM machine. Police recovered laptops, cameras, flash drives, and mobile phones from Necula and his three alleged co-conspirators during a raid at a Long Island City apartment they used.

Necula was later charged with four offences, including obstruction of justice, and held in jail pending further proceedings. The Smoking Gun has the full run-down on the story, including extracts from court papers, here.

Necula's desperate actions are weird but not entirely unprecedented. Cornered crooks have previously attempted to eat mobile phone SIM cards when caught by the police.

RSA 2010: Microsoft suggests quarantining botted PCs

Infected PCs like smokers.

One of Microsoft's leading security executives has said that consumers running infected PCs are like smokers exhaling chemicals to those around them.

"You're not just accepting [the risk] yourself," Charney, corporate vice president for trustworthy computing, said during a morning keynote at the RSA Conference in San Francisco. "You're contaminating everyone around you."

Charney spent some time discussing preventative and disruptive measures that should be taken to rid computers of botnet infections.

Drawing on statistics that there are 3.8 million compromised computers responsible for 87 percent of all email, Charney suggested using "inspection and quarantine" to clean infected home computers. He did not go into specifics.

"Just like we do defence-in-depth in IT, we have to do defence-in-depth in response," he said. "We need to use social and political mechanisms to reinforce value."

Microsoft recently spearheaded efforts to bring down the prolific Waledac botnet. A court order was granted last week that ordered the botnet's command-and-control domains to be severed.

Charney also used some of his address to discuss the security implications of cloud computing. He said the issue of identity "becomes amplified" in the cloud. To combat these threats, providers and end-users must accept shared accountability. Meanwhile, governments must define "normative behavior" of how they plan to extract data from the cloud, Charney said.

See original article on scmagazineus.com

Secure Computing Magazine


Over 50% of apps vulnerable to security breaches

As Microsoft divulges IE flaw work-around.

More than half of internally developed, open source, outsourced and commercial applications are vulnerable to security breaches.

A report by Veracode claims that of the 1,600 applications analysed when first submitted, 58 per cent contained vulnerabilities similar to those exploited in the recent cyber attacks on Google.

Despite the claim about vulnerabilities in open source software, the report did find that it "has comparable security, faster remediation times and fewer potential backdoors than commercial or outsourced software".

However, it also found that 40 per cent of all applications submitted at the request of large enterprises were from third parties, and more than 30 per cent of all internally developed applications also included identifiable commercial, open source and outsourced code.

Matt Moynahan, CEO of Veracode, said: “Because of the depth and breadth of the data in our platform, we have expansive knowledge about risk from all types of applications and across the software supply chain.

“The report not only analyses the state of security more comprehensively than any others in this market, but it offers specific recommendations for each type of potential threat.  It is essential reading for security professionals and executives accountable for the software supply chain and its impact on the business.”

Joseph Feiman, vice president and Gartner fellow, said: “Gartner advises its clients to conduct their own inspection of all application code they procure from third parties. However, if they lack their own resources or expertise, we recommend that they outsource third-party code testing to trusted service providers.”

The news comes as Microsoft confirmed it was investigating a publicly posted issue that could allow an attacker to host a maliciously crafted web page. An attacker could run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop-up dialog box.

Jerry Bryant, senior security communications manager at Microsoft, said it was not aware of any attacks seeking to exploit this issue at this time and it has determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista, are not affected by this issue.

See original article on scmagazineus.com

Secure Computing Magazine


Google: 'no timetable' on China talks

Google has reiterated that it's no longer willing to censor search results in China. But as it continues to censor search results in China, it's not quite sure when this will actually stop.

In mid-January, as it told the world that alleged Chinese hackers had pilfered unspecified intellectual property from the company, Google said that it would spend "the next few weeks" discussing "the basis on which we could operate an unfiltered search engine within the law, if at all." That was seven weeks ago. But Google vice president and deputy general counsel Nicole Wong told the US Senate Judiciary Committee today that the company has "no timetable" for when talks will be completed.

That said, Wong insisted that the company is "firm in our decision that we will not censor our search results in China and we are working towards that end," as reported by the AFP.

"We want to get to that end - of stopping censoring our search results - in a way that is appropriate and responsible," Wong said. "We are working on that as hard as we can but it's a very human issue for us."

At a California conference about three weeks ago, Google co-founder Sergey Brin told The New York Times that any change in the company's China situation may take "a year or two" rather than "a few weeks."

"I want to find a way to work within the Chinese system to bring information to the people," he said. "Perhaps we won't succeed immediately, but maybe in a year or two."

Flipping Off Cops Is Legal, Not Advised

Flipping the bird, or sticking out the middle finger, is perhaps the oldest insulting gesture on earth, dating to ancient Greece and adopted by the Romans as digitus impudicus - the impudent finger.

A zillion middle fingers later, an Oregon man is suing suburban Portland cops over his use of the gesture, claiming civil rights violations. Twice he flipped them off for no apparent reason while driving and was pulled over each time, resulting in what he said was a “bogus” traffic citation that was later dismissed, and a tongue lashing he still remembers.

“The guy flew into a road rage,” Robert Ekas, a retired Silicon Valley systems analyst, said in a telephone interview Tuesday.

Lawrence Wolf, a Los Angeles criminal defense attorney, said there was no law against flipping off cops. And in most instances when it leads to an arrest or conviction, the charges are dismissed. But the gesture invites police confrontation, he said.

“It’s certainly not the smartest thing one can do,” Wolf said.

Ira Robbins, an American University legal scholar, has written the definitive paper on flipping the bird: Digitus Impudicus: The Middle Finger and the Law. “The pursuit of criminal sanctions for use of the middle finger infringes on First Amendment rights, violates fundamental principles of criminal justice, wastes valuable judicial resources, and defies good sense,” he wrote.

In November, a Pittsburgh man was awarded $50,000 after he was wrongly cited for disorderly conduct after flipping off an officer.

Ekas, in both instances, flipped off officers while they were driving a Clackamas County patrol car. “It seemed like the right thing to do,” said the 46-year-old, who is seeking damages and police reform amid allegations he was unlawfully stopped. “The long and the short of it, I was pulled over because I gave them the finger.”

A federal judge will entertain Clackamas County’s motion on March 15 to have the civil rights lawsuit tossed. The county denies the allegations.

Ekas said his actions, which occurred with his teen-aged son in the car both times, were a form of protest against the agency he claims is abusing its citizenry. “That’s why they get the finger,” he said, noting he wants a jury trial.

Wolf, meanwhile, suggested if Ekas’ case makes it to trial, the officers are likely to testify that they were concerned “about his sanity.”

The jury, he said, is likely to say, “‘Give me a break’ and then go home.”


U.S. Declassifies Part of Secret Cybersecurity Plan

The Obama administration declassified part of the government’s cybersecurity plan Tuesday, publishing parts of it that discuss intrusion detection systems for federal computer networks and the government’s role in securing critical infrastructure.

The declassification announcement was made by Howard A. Schmidt, a former Microsoft security executive who in December was appointed cybersecurity coordinator by President Barack Obama. Schmidt was speaking at the RSA Security Conference in San Francisco, an annual industry conference for computer security professionals.

The government’s Comprehensive National Cybersecurity Initiative was launched in 2008 by President George W. Bush under a shroud of secrecy. The plan has 12 directives that cover the government’s strategy to protect U.S. networks — including military, civilian, government networks and critical infrastructure systems — as well as the government’s offensive strategy to combat cyber warfare.

Civil libertarians criticized the Bush administration for failing to disclose the contents of the plan or allowing independent oversight of its implementation. Schmidt said that Obama recognized the need for some transparency.

“There are a lot of legal issues about what we’re doing,” he told the 2,000-member audience, adding that the government was currently working on a list of about 40 legal questions related to the cybersecurity initiative.

Obama said last May that he planned to appoint a separate official to ensure that the implementation of the cybersecurity plan doesn’t violate privacy and civil liberties and insisted that the government’s plan would not include spying on the public.

“Our pursuit of cybersecurity will not include - I repeat, will not include - monitoring private sector networks or internet traffic,” he said. “We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.”

A White House spokesman said Tuesday that the administration had appointed Tim Edgar to oversee the privacy aspects of the cybersecurity initiative. Edgar, a former attorney for the American Civil Liberties Union, has been working as the deputy for civil liberties for the Civil Liberties and Privacy Office of the Office of the Director of National Intelligence.

The declassified portion of the plan published Tuesday includes information on only part of the initiative and does not discuss cyberwarfare. The plan instead discusses the deployment of Einstein 2 and Einstein 3, intrusion detection systems on federal networks designed to inspect internet traffic entering government networks to detect potential threats.

DHS (Department of Homeland Security) is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering Federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology. . . . EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data. . . .

The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with Federal Departments and Agencies by giving DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions.

The Einstein programs have raised concerns among privacy and civil liberties groups, such as the Center for Democracy and Technology, because they involve scanning the content of communications to intercept malicious code before it reaches government networks.

In 2008, the Department of Homeland Security’s Privacy Office published a Privacy Impact Assessment on early versions of Einstein 2 but has not published one on Einstein 3. The assessment left many questions unanswered, such as how much of a role the National Security Agency will play in the programs and whether information obtained in scans would be shared with law enforcement or intelligence agencies.

What may be the most controversial part of the declassified plan is a discussion of a need for the government to define its role in protecting private critical infrastructure networks. Critical infrastructure includes the electrical grid, telecommunication networks, internet service providers, the banking and financial industry, and others.

The document indicates that DHS and private-sector businesses have already “developed a plan of shared action with an aggressive series of milestones and activities” but doesn’t discuss the nature of those shared actions other than to say that the two sectors are focused on developing a “public-private sharing of information regarding cyberthreats and incidents.”

The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyberthreats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR). . . . It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors.

Additionally, the plan calls for a strategy to increase the security of classified networks and to develop and implement a government-wide cybercounterintelligence (CI) plan, but provides little detail about what that would involve.

“A government-wide cybercounterintelligence plan is necessary to coordinate activities across all Federal Agencies to detect, deter, and mitigate the foreign-sponsored cyberintelligence threat to U.S. and private sector information systems,” the plan says. “To accomplish these goals, the plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the cyber CI threat, and increase counterintelligence collaboration across the government.”


Php Auktion Pro "news.php" SQL Injection

Php Auktion Pro is a content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "news.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/38371

10.9.92 - CVE: Not Available
Platform: Web Application - SQL Injection

Newgen Software OmniDocs "ForceChangePassword.jsp" SQL Injection

Newgen Software OmniDocs is an application for managing documents. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ForceChangePassword.jsp" script.

Ref: http://www.securityfocus.com/bid/38304

10.9.82 - CVE: Not Available
Platform: Web Application - SQL Injection

superengine cms "index.php" SQL Injection

The "superengine cms" application is a content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "mod" parameter of the "index.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/38334

10.9.87 - CVE: Not Available
Platform: Web Application - SQL Injection

Spain Busts Hackers For Infecting 13 Million PCs

BOSTON (Reuters) - Spanish police have shut down a ring of computer hackers who infected more than 13 million PCs with a virus that stole credit card numbers and other valuable data in what may be the biggest cyber-raid to date.

Spain’s Civil Guard said on Tuesday that it arrested three men suspected of running the so-called Mariposa botnet, named after the Spanish word for butterfly. A press conference to give more details is scheduled for Wednesday.

Mariposa had infected machines in 190 countries in more than half of the world’s 1,000 largest companies and in at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring, Canada’s Defense Intelligence and Spain’s Panda Security.

“It was so nasty, we thought ‘We have to turn this off. We have to cut off the head,’” said Chris Davis, CEO of Defense Intelligence, which discovered the virus last year. He added that the ring was shut down on December 23.

The virus was programmed to steal all login credentials and record every keystroke on an infected computer, then send the data back to a “command and control center,” where the ringleaders stored the data.

“Basically they were going after anything that would make them money,” Davis said.

Mariposa initially spread by exploiting a vulnerability in Microsoft Corp’s Internet Explorer Web browser. It also contaminated machines by infecting USB memory sticks, he said.

(Reporting by Jim Finkle, additional reporting by Madrid newsroom. Editing by Robert MacMillan)

