iPad anti-virus shield guards against phantom threat

Wednesday, April 7, 2010

Mac security specialist Intego has begun offering the first antivirus scanner capable of inspecting Apple's much-hyped iPad, despite the questionable need for security scans on the device.

The iPad, which Apple began selling in the US last weekend, runs on the same operating system as the iPhone. Only jailbroken iPhones that still used the default SSH root password have ever been infected with malware, and even then only by a handful of high-profile worms, such as the Rickrolling worm in Australia and the D'oh bank credential stealing worm in the Netherlands, which both spread last November.

Whether either of these worms might be capable of infecting an iPad is unclear. Intego acknowledges there is no iPad malware to defend against as yet but argues it will be ready if and when the threat materialises.

"We're not saying there is malware in the wild," Peter James, an Intego spokesman explained. "But there are exploits that can take advantage of vulnerabilities."

James explained that the malware risk on the iPad, such as it is, mainly applies to devices that have been jailbroken to run apps not approved by Apple. Users of these devices can download cracked software that might pose a malware risk, or they could be exposed to future potential iPad-specific drive-by-download attacks while surfing online.

"Jailbreaking takes advantages of vulnerabilities," James told The Register. "Those users who don't jailbreak their devices have fewer security risks because they are protected by sandboxing. Jailbroken devices are not protected in the same way.

"If and when iPad malware arrives we have the engine ready".

Intego's VirusBarrier X6 offers anti-virus protection for Mac PCs. A maintenance update to the software on Tuesday means that once an iPad is connected to a Mac the technology can copy files from the device and scan them to look for exploit code in files. Suspicious files are quarantined on the Mac and deleted from the iPad. Earlier updates along the same lines allowed files held on an iPhone to be scanned for problems.

"The software doesn't run on an iPad or iPhone itself. We're looking forward to multi-tasking that will make this possible and in the mean time offering the best we can," James said. "We can't detect things live but it's the best compromise we can offer for now."

Intego's VirusBarrier X6 was promoted as the first anti-malware program to scan iPhones and iPod Touches. Now it gains the same bragging rights on the iPad.

Hundreds of malware strains are capable of infecting Mac-based PCs, compared to millions of Windows-specific malware varieties. Intego competes in the market to sell anti-virus software for Macs against the likes of Symantec and more recently Kaspersky.

The iPad-capable 10.6.5 version of VirusBarrier X6 is available as a free upgrade to existing users. The software costs 59.95 for a licence covering two devices.

Police cuff 70 eBay fraud suspects

Romanian police have arrested 70 suspected cybercrooks, thought to be members of three gangs which allegedly used compromised eBay accounts to run scams.

The alleged fraudsters obtained login credentials using phishing scams before using these trusted profiles to tout auctions for non-existent luxury goods (luxury cars, Rolex watches and even a recreational aircraft). Buyers handed over the loot but never received any goods in return.

The 800 victims of the scam are estimated to have suffered 800,000 in losses since 2006. Victims were located across Western Europe, Scandinavia, the US, Canada and New Zealand.

Complaints from the victims led to a joint FBI and Romanian Directorate for Investigating Organised Crime and Terrorism (DIICOT) investigation culminating in the execution of 101 search warrants and multiple arrests across Romania on Tuesday.

Romanian police have released a video of one of the raids, and Gary Warner's CyberCrime & Doing Time blog has more on the background to the case.

A Romanian police statement on the bust, part of Operation Valley of the Kings, has been published in Romanian.

Spies caught plundering secret Indian docs

An espionage gang that infiltrated Indian government computer networks across the globe has been pilfering highly classified documents related to missile systems, national security assessments and the United Nations, according to researchers who tracked the intruders for eight months.

The gang, dubbed the Shadow Network, was monitored by researchers from the Munk School of Global Affairs at the University of Toronto and the SecDev Group. With assistance from colleagues at the Shadowserver Foundation, the white hat hackers watched the spies as they systematically compromised computers in government offices on multiple continents.

Shadow Network members also infiltrated the systems of Indian embassies in Kabul, Moscow and Dubai, India's Military Engineer Services, and several private companies. Reports they grabbed were frequently stamped with "Secret," "Restricted," and "Confidential" notices. The plundered documents also included a year's worth of personal email from the Dalai Lama.

The researchers are the same ones who last year discovered another stealthy spy ring dubbed Ghostnet. That group also stole documents from the Dalai Lama and from governments and corporations in 103 countries.

It was while following Ghostnet that the researchers stumbled onto the Shadow Network, which is believed to be a separate operation. By gaining access to the control servers Shadow Network spies used, the researchers were able to observe the theft of vast amounts of Indian government documents.

To conceal their tracks and to build redundancy into their operation, the spies configured their control servers to work with a wide range of free internet services, including Twitter, Google Groups, Baidu Blogs, and Yahoo Mail. The free services allowed the attackers to maintain control of compromised computers even if they lost contact with the command and control servers, the researchers said.

Following a trail of digital breadcrumbs, the researchers traced the attackers to China's Sichuan Province, though they noted it's hard to say conclusively that's where the individuals were located. Chinese government officials strongly denied the government was behind the attacks.

Members of the Shadowserver Foundation said they have already reported Shadow Network operations to China's National Computer Network Emergency Response Technical Team and called on the Chinese government to shutter the spy network.

The researchers' report is titled Shadows in the Cloud: An Investigation Into Cyberespionage 2.0; The New York Times has reported additional details.

Research team uncovers cyberspy network targeting India

Chinese authorities again suspected.

Security researchers have uncovered another sophisticated cyberespionage network that stole classified documents from a number of computer systems belonging to government agencies, businesses and other organisations.

The spying operation, dubbed Shadow Network, spread to computers in India, the United Nations and the Office of the Dalai Lama, according to a report published by five researchers, four of whom are based out of the Munk School of Global Affairs at the University of Toronto. The fifth researcher, Steven Adair, is a member of the U.S.-based nonprofit Shadowserver Foundation.

Over their eight-month investigation, the researchers went beyond isolating infected systems, which is what they had done in a prior investigation known as GhostNet, where they found some 1,300 computers reporting to servers that traced back to China.

In this case, they also recovered a large amount of stolen data through a "drop zone" used by the attackers. For example, they were able to retrieve two documents marked "secret", five labeled "confidential", and six deemed "restricted." The researchers also recovered 1,500 letters sent from the Dalai Lama's office.

India, though, appears to have been the main target, with the researchers unearthing hijacked documents belonging to embassies in Kabul and Moscow, as well as other organisations, such as India's Military Engineer Services and the defence magazine India Strategic.

"One day, while exploring open directories on one of the command-and-control (C&C) servers, I noticed that there were files in a directory that was normally empty," Nart Villeneuve, a senior research fellow at the university and one of the report's authors, said in a blog post. "It turned out that the attackers were directing compromised computers to upload data to this directory. The attackers subsequently moved the data off to another location and deleted the files at fairly rapid, but intermittent time intervals."

The investigators suspect the Shadow Network has ties to the Chinese government because one of the individuals who was connected to GhostNet helped to register domains used by the Shadow Network. Also, the researchers believe the nature of the documents recovered show "correlations with the strategic interests of the Chinese state."

"We were unable to determine any direct connection between these attackers and elements of the Chinese state," Villeneuve said. "However, it would not be implausible to suggest that the stolen data may have ended up in the possession of some entity of the Chinese government." 

China has denied any involvement, according to a report by Xinhua, the Chinese state news agency.

Aside from their ability to install malware that went undetected on a vast number of computer systems, the culprits also leveraged cutting-edge ways to deploy their wares, according to the report. The operators delivered instructions to compromised machines by using social media websites such as Twitter, Blogspot and Google Groups as C&C hubs.
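The dead-drop fallback described here, and in the Register's account of the same report earlier on this page, as an added example in Go that is not code from the report, the researchers or the attackers: the operator posts an encoded C2 address inside an innocuous post on a free web service, and the implant walks a fixed list of such pages until one verifies, so losing one account or one server does not lose the botnet. The markers, the shared key, the HMAC tag and the sample addresses are assumptions made for illustration; the page says nothing about how the real drops were encoded.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// The markers and the shared key are assumptions for this example; the
// page does not say how the real drops were encoded.
const (
	dropOpen  = "[["
	dropClose = "]]"
)

var dropKey = []byte("example-key-baked-into-the-implant")

var dropRe = regexp.MustCompile(regexp.QuoteMeta(dropOpen) + `([A-Za-z0-9_-]+)` + regexp.QuoteMeta(dropClose))

// Page is one dead drop as the implant fetched it: the free service it lives
// on and the body it got back (empty when the account has been taken down).
type Page struct {
	Service string
	Body    string
}

// PublishDrop is the operator side: "host:port|hmac" is base64-encoded and
// tucked between markers inside filler text, so the post still reads as
// chatter to a human moderator or a keyword filter.
func PublishDrop(filler, c2 string) string {
	payload := c2 + "|" + tag(c2)
	return filler + " " + dropOpen + base64.RawURLEncoding.EncodeToString([]byte(payload)) + dropClose
}

// tag authenticates the address so that only the key holder can publish one.
func tag(c2 string) string {
	mac := hmac.New(sha256.New, dropKey)
	mac.Write([]byte(c2))
	return hex.EncodeToString(mac.Sum(nil))
}

// parseDrop is the implant side for one page: find the markers, decode, and
// refuse anything whose MAC does not verify, so whoever seizes the account
// (a researcher, a rival, the service itself) cannot redirect the implants.
func parseDrop(body string) (string, error) {
	m := dropRe.FindStringSubmatch(body)
	if m == nil {
		return "", errors.New("no drop in page")
	}
	raw, err := base64.RawURLEncoding.DecodeString(m[1])
	if err != nil {
		return "", err
	}
	parts := strings.SplitN(string(raw), "|", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed drop")
	}
	if !hmac.Equal([]byte(tag(parts[0])), []byte(parts[1])) {
		return "", errors.New("MAC mismatch")
	}
	return parts[0], nil
}

// ResolveC2 walks the services in the implant's fixed priority order and
// returns the first address that verifies, plus where it was found. Empty,
// garbled and forged pages are skipped: that fall-through is the redundancy
// the researchers describe.
func ResolveC2(pages []Page) (c2, service string, err error) {
	for _, p := range pages {
		if addr, perr := parseDrop(p.Body); perr == nil {
			return addr, p.Service, nil
		}
	}
	return "", "", errors.New("every dead drop exhausted")
}

// ForgedDrop builds a drop with an all-zero MAC, which is the best an account
// hijacker without the key can do; ResolveC2 must skip it.
func ForgedDrop(c2 string) string {
	payload := c2 + "|" + strings.Repeat("00", sha256.Size)
	return dropOpen + base64.RawURLEncoding.EncodeToString([]byte(payload)) + dropClose
}

func main() {
	// Constructed sample pages; the addresses are documentation ranges.
	pages := []Page{
		{"twitter", ""}, // account suspended
		{"google-groups", "re: lunch? " + ForgedDrop("203.0.113.9:443")},
		{"baidu-blog", PublishDrop("nice weather today", "198.51.100.7:8080")},
		{"yahoo-mail", PublishDrop("backup", "198.51.100.8:8080")},
	}
	c2, svc, err := ResolveC2(pages)
	fmt.Println(c2, svc, err) // 198.51.100.7:8080 baidu-blog <nil>
}
```

Run as is, it reports the Baidu page's address: the suspended Twitter account and the forged Google Groups post are skipped. The MAC check is the design point worth noticing from the defender's side: taking over a drop account lets you watch the implants, much as the researchers watched from the control servers, but not redirect them unless the operator neglected to authenticate the drop.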

"[The report] points to a disturbing complex ecosystem of malware," the report said. "Although malware networks, cybercrime and espionage have been around for years, the evidence presented here shows how these networks can be aggressively adaptive systems, multiplying and regenerating across multiple vectors and platforms, and exploiting the vulnerabilities within the latest Web 2.0 technologies to expand their reach and impact."

See original article on scmagazineus.com

Secure Computing Magazine


Riverbed slips McAfee firewall into WAN optimizers

Riverbed Technology, which leads the WAN optimization appliance market in terms of customer count and installed base, has teamed up with security software and hardware appliance maker McAfee to load the latter's enterprise-grade firewall onto its WAN appliances.

The Steelhead appliances are - like a lot of servers, storage arrays, and an increasing number of network and other embedded systems - based on x64 processors. When the latest lineup of the Steelhead appliances were launched last year, they allowed for up to five different applications to be loaded onto the box atop a VMware ESX Server virtual machine and run on the appliance. What this means for branch offices that typically do not have IT staff and certainly don't need more servers tucked in closets or under desks is that they can load a Windows server for print and file serving, or maybe a video streaming application, to be run locally on the Steelhead appliance while that appliance accelerates the performance of the wide area link back to the central data center and the applications that reside there.

Under a partnership Riverbed announced today, McAfee is allowing the software from its Firewall Enterprise firewall and intrusion protection system (IPS) appliance, also known by the name Sidewinder and itself a hardware appliance based on an x64 server, to run on Riverbed's Steelhead appliances. The McAfee Sidewinder appliances are not cheap, with street prices ranging from $4,410 to $16,740 depending on bandwidth and features, so the combination of the Steelhead appliance plus the virtual Sidewinder license can save customers some dough and cut down on the number of boxes humming in the branch office.

On the entry Steelhead 250 appliances, which has enough oomph so a VM partition on the box running Sidewinder can secure the networking of between 10 and 50 remote users, the virtual Sidewinder license costs only $995. On the larger Steelhead 2050 appliance, which has a higher-end version of the Sidewinder firewall and which can secure a couple thousand end users working remotely, the license is $2,495. Those prices include one year of support for the firewall.

Riverbed and McAfee will be working together to cross-sell the Riverbed appliance married to the virtual Sidewinder firewall, and they are linking their tech support operations so the finger-pointing doesn't start when something goes wrong.

The virtual Sidewinder for Steelhead WAN optimizers will be available on April 19.

Vietnamese government denies Aurora-style hacks

Accusations are 'groundless', say officials.

The Vietnamese government has dismissed recent accusations that it may have been involved in cyber attacks on opponents of bauxite mining efforts in the region.

Google researcher Neel Mehta and McAfee chief technology officer George Kurtz both wrote on their respective blogs about hacking attacks against some Vietnamese computer users.

The attacks used similar methods to the now-infamous Operation Aurora attacks by Chinese hackers on Google and other companies, according to the blogs.

"We believe that the perpetrators may have political motivations, and may have some allegiance to the government of the Socialist Republic of Vietnam," wrote Kurtz at the time.

"This incident underscores that not every attack is motivated by data theft or money. This is likely the latest example of hacktivism and politically motivated cyber attacks."

However, Vietnamese foreign ministry spokesperson Nguyen Phuong Nga said in a statement that such comments were "groundless".

"We have on many occasions clearly expounded our view on issues relating to access to and use of information and information technology, including the internet," the statement said.

"Vietnam law puts in place specific regulations against computer virus and malware as well as on information security and confidentiality."

Although the attacks are not thought to be related to those against Google's systems earlier this year, they still highlight the growing incidence of "malicious software being used for political ends", wrote Mehta.

Copyright v3.co.uk


Reseller throws filter hacking masterclass

Senior Australians learn to circumvent filter.

A Newcastle-based computer help desk business has become one of the first organisations in Australia to host a masterclass on how to "hack" the Federal Government's planned internet filter.

The class was held last Thursday by David Campbell of Newcastle-based service provider Clear Computers on behalf of euthanasia advocacy group Exit International. Campbell told around 70 senior citizens about the filter and how to get around it.

The hacking class is not illegal. While the controversial filter will block material that is 'Refused Classification' (RC), including illegal content like child pornography, it is not illegal to circumvent the filter per se.

"The independent report on the ISP-level filtering pilot trial found that technically competent people could circumvent filtering technologies," a spokesperson for the Department of Broadband, Communications and the Digital Economy told iTnews.

"Under the Government's policy it will not be an offence to circumvent the filtering measures or to show someone how to circumvent," she said.

Electronic Frontiers Australia's (EFA) vice chair Colin Jacobs said that while the Government might one day criminalise circumvention of its filter, a blanket ban would be a serious imposition on the practices of many businesses and individuals.

Lessons on circumventing filtering were likely to be legal, he said, as long as they covered everyday tools for re-routing internet traffic, and not 'hacking' by interfering with third-party systems.

"Of course, it's possible that the Government might criminalise circumvention of its filter," Jacobs told iTnews.

"Such an offence would be almost useless, as it is trivial to circumvent filtering and very often necessary to do so; [for example], using international VPNs to connect to private networks or to encrypt sensitive communications."

Jacobs expected a "plethora" of tools and instructions to be available to show Australians how to get around the filter, should it be implemented.

"Once the filter is in place, EFA will definitely look at providing as much information as possible on how the filter works," he told iTnews. "This might include circumvention information."

Exit International hoped its 'Hacking Masterclass' would enable seniors to access suicide information, should euthanasia websites be blocked by the Government's Clean Feed policy.

The organisation's founder Philip Nitschke expected the class to enable attendees who were "not likely to be knowledgeable with computer skills" to circumvent the filter.

"I reckon I can [get around the filter] ... my IT background is self-taught," Nitschke told iTnews following Campbell's hour-long class.

Nitschke planned to incorporate Campbell's filter circumvention presentation into Exit International's voluntary euthanasia workshops, which would reach an estimated 1000 people during the next month.

"They've got a lot of intelligence, a lot of enthusiasm and a lot of time," he said of the organisation's members, who had an average age of 75.

Campbell said he was impressed by 'Hacking Masterclass' attendees' attentiveness and by their questions about privacy and trust issues.

He began with a basic explanation of the concept of a filter -- "kind of like putting a lollypop person on a zebra crossing, and then everyone could just jaywalk around anyway" -- before demonstrating how proxies and encrypted VPNs would circumvent filters and firewalls.

"It was quite an experience to see people slowly grasp exactly what the internet is and how it operates," he told iTnews.


Internode finds bug in Ericsson DSLAMs

Other ISPs upgrade to avoid problems.

ISP Internode has discovered a software flaw that has crippled some of the Ericsson-branded Ethernet controller nodes (ECNs) on its network - a flaw that may lie dormant within the networks of other service providers.

Internode's managing director Simon Hackett posted a lengthy technical explanation of the issue late last week, which had caused broadband service issues in some exchanges in South Australia.

Hackett said the fault had been "traced to a software bug in one of the multiple software systems running in the ECNs."

He said the faulty software release had operated "flawlessly for around five months until this fault developed" and said there had been "zero indication of the potential for this to happen".

"The current theory, based on vendor [Ericsson's] feedback, is that the software fault is a latent, load triggered, memory leak that makes the ECN lose the plot in a manner that corrupts some critical item inside one of the ECN systems - an item that remains corrupted after it is rebooted or power cycled," Hackett said.

"Our vendor has subsequently identified a bug that is consistent with our observed outcome, and on their advice, we upgraded to the next revision of the code concerned (in which that specific bug had been fixed)."

The newer software release had resolved issues for customers on affected ECNs. However, Hackett said customers on yet-to-be-upgraded switches were also becoming affected.

"Based on vendor advice, we are now looking at how best to upgrade the rest of the network, to guard against a further recurrence elsewhere," he said.

iiNet saved by earlier upgrade

It was understood that at least one other major Australian ISP - Perth's iiNet - had the same model Ericsson ECNs in its ADSL2+ DSLAM configuration.

iiNet chief technology officer Greg Bader told iTnews they had already upgraded affected boxes.

"We upgraded ours earlier in the year - [we] saw some issues similar to Internode but not really much customer impact," Bader said.

"We had a failure rate of around 0.05 percent with the ECNs, [which meant] minimal customer impact."

It was unclear whether other Ericsson customers running the affected software release had been told to upgrade. An Ericsson Australia spokesman has been contacted for comment.

Ericsson counts ISPs including iiNet, Internode, TransACT, Primus, TSN, Netspace and Adam Internet among its DSLAM customers.

Some are understood to run networks based on a different model of Ericsson DSLAM, which did not run the same software.

It was not the first time that a software bug had impacted Ericsson DSLAMs.

In 2007, iiNet ADSL2+ users experienced connection problems using the point-to-point protocol over Ethernet (PPPoE) method that was caused by faulty software.


RSA says it fathered orphan credential in Firefox, Mac OS

Updated Digital certificate authority RSA Security on Tuesday acknowledged it issued a root authentication credential shipped in the Mac operating system and Mozilla web browsers and email programs, ending four days of confusion about who controlled the ultra-sensitive document.

The "RSA Security 1024 V3" certificate is a master credential that can be used to digitally validate the certificates of an unlimited number of websites and email servers. It's one of several dozen "certificate authority certificates" that by default are shipped with Mac OS X and Mozilla's Firefox browser and Thunderbird email client. It's valid from 2001 to 2026.

But until a few minutes after this article was first published, no one knew who issued or controlled the credential. Both RSA and competing certificate issuer VeriSign previously said it wasn't theirs. Further compounding the mystery, recent audits of certificate authority credentials made no reference to it, according to a bug report posted to Mozilla's developer website and a follow-up post on Google Groups.

Although now solved, the case of the orphaned certificate casts doubt on the security of some of the web's most important documents.

Owners of certificate authority certificates act as locksmiths who can at will produce the digital keys used to prove a website or email server really is operated by the bank, retailer, or other trusted organization claiming ownership. The inclusion of a CA certificate of unknown provenance in the trust stores of two separate organizations caused many to question whether it was the result of a clerical error or the deliberate act of a criminal.

"Either way, it's a very concerning situation," security researcher Moxie Marlinspike said before RSA stepped forward as the issuer. "Either an unknown attacker somewhere in the world has had unlimited access to SSL traffic for an unknown amount of time, or the people who we have entrusted with this critical piece of web infrastructure can't even keep track of their own certificates."

In a statement, Johnathan Nightingale, Mozilla's director of Firefox development, played down the significance of the discovery, saying all certificates are vetted according to Mozilla's published inclusion policy. But he also tacitly admitted Mozilla didn't know who controlled it.

"The RSA key here is one that's been around for some time, though, and whose corporate ownership has likely changed since its inclusion," he said. "What we know now is that neither RSA (maintainers of the similarly-named 2048 bit key) nor VeriSign (maintainers of the RSA Data Security Inc. key) currently use the root or get audits against it, which is why we're removing it."

Shortly after this article was published, a Mozilla spokeswoman said the organization later learned that the root certificate was indeed issued by RSA.

Members of Apple's public relations team didn't respond to an email seeking comment.

While the mystery remained unsolved, Firefox users on Google Groups proposed removing the RSA certificate from the NSS, or network security services, library that ships with Firefox. With the origin of the certificate now known, that removal is less urgent, although Mozilla has said it is removing the root anyway because neither RSA nor VeriSign currently uses or audits it.

But the episode makes you wonder: How many other certificates with murky origins are floating around in browsers, email clients and operating systems? And beyond that, how many of these certificates are really needed? Users should call for an accounting of the CA certificates included in their software. And RSA should explain how it lost track of such a sensitive document.

Unknown SSL credential could imperil Firefox, Mac users

Mozilla web browsers and email programs and the Mac operating system contain a root authentication credential with unknown origins, a disturbing discovery that underscores the shaky foundation on which internet security is built.

The "RSA Security 1024 V3" certificate is a master credential that can be used to digitally validate the certificates of an unlimited number of websites and email servers. It's one of several dozen "certificate authority certificates" that by default are shipped with Mac OS X and Mozilla's Firefox browser and Thunderbird email client. It's valid from 2001 to 2026.

But according to security researchers, no one knows who issued or controls the digital credential. Certificate issuers RSA and VeriSign both say it's not theirs, though each holds a certificate whose name closely resembles it. And recent audits of certificate authority credentials make no reference to it, according to a bug report posted to Mozilla's developer website and a follow-up post on Google Groups.

The discovery is troubling, because the owner of a certificate authority certificate acts as a locksmith that can at will produce the digital keys used to prove a website or email server really is operated by the bank, retailer, or other trusted organization claiming ownership. The inclusion of a mysterious CA certificate in the trust stores of two separate organizations may simply be a clerical error. Or it could be a deliberate act of a criminal who managed to slip it past the security teams of Mozilla and Apple.

"Either way, it's a very concerning situation," said Moxie Marlinspike, a security researcher and hacker who has long been a critic of the SSL, or secure sockets layer, certificate system. "Either an unknown attacker somewhere in the world has had unlimited access to SSL traffic for an unknown amount of time, or the people who we have entrusted with this critical piece of web infrastructure can't even keep track of their own certificates."

In a statement, Johnathan Nightingale, Mozilla's director of Firefox development, played down the significance of the discovery, saying all certificates are vetted according to Mozilla's published inclusion policy. But he also tacitly admitted Mozilla doesn't know who controls it.

"The RSA key here is one that's been around for some time, though, and whose corporate ownership has likely changed since its inclusion," he said. "What we know now is that neither RSA (maintainers of the similarly-named 2048 bit key) nor VeriSign (maintainers of the RSA Data Security Inc. key) currently use the root or get audits against it, which is why we're removing it."

Members of Apple's public relations team didn't respond to an email seeking comment.

Firefox users on Google Groups have proposed removing the RSA certificate from the NSS, or network security services, library that ships with Firefox. Since its owner has remained unknown for four days now, that's a good start.

But that shouldn't be where things end. Users of Firefox, Thunderbird, and OS X should call for an accounting of exactly how a CA certificate with unknown origins slipped into their wares and for an audit of all the credentials that remain in them now.
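The accounting both versions of this article ask for can be started with a script. As an added example in Go that is not code from Mozilla, Apple or RSA: it walks a PEM bundle of CA certificates and flags any root with an RSA key under 2048 bits, a lifetime over 20 years, or a subject nobody on the vendor's list has claimed, the three properties that made the "RSA Security 1024 V3" root (1024-bit, valid 2001 to 2026, unowned for four days) stand out. The two roots it audits are minted in memory with constructed names and dates; the thresholds and the known-owner list are the auditor's own choices, not anything the page specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one root the auditor should ask the vendor about, and why.
type Finding struct {
	Subject string
	Reasons []string
}

// AuditRoots walks a PEM bundle of CA certificates and flags roots with RSA
// keys under minBits, lifetimes longer than maxYears, or a subject that is
// not on the list of roots whose owner the vendor can actually name.
func AuditRoots(bundle []byte, knownOwner map[string]bool, minBits, maxYears int) ([]Finding, error) {
	var findings []Finding
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return findings, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		var reasons []string
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minBits {
			reasons = append(reasons, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
		}
		years := cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365.25)
		if years > float64(maxYears) {
			reasons = append(reasons, fmt.Sprintf("valid for %.0f years (%s to %s)", years,
				cert.NotBefore.Format("2006"), cert.NotAfter.Format("2006")))
		}
		if !knownOwner[cert.Subject.CommonName] {
			reasons = append(reasons, "no owner on record for this root")
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Subject: cert.Subject.String(), Reasons: reasons})
		}
	}
}

// SelfSignedRoot mints a throwaway root in memory so the audit runs offline;
// the names and dates passed in are constructed, not real CA data.
func SelfSignedRoot(cn string, bits int, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// year is 1 January of the given year, UTC.
func year(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }

func main() {
	// Two constructed roots: one shaped like the orphan, one a vendor can vouch for.
	orphan, err := SelfSignedRoot("Example Orphan Root 1024", 1024, year(2001), year(2026))
	if err != nil {
		panic(err)
	}
	vetted, err := SelfSignedRoot("Example Vetted Root", 2048, year(2020), year(2030))
	if err != nil {
		panic(err)
	}
	known := map[string]bool{"Example Vetted Root": true}
	findings, err := AuditRoots(append(orphan, vetted...), known, 2048, 20)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f.Subject, f.Reasons)
	}
}
```

Against a real store, replace the minted bundle with the PEM file the operating system or browser ships and fill the known-owner map from the vendor's inclusion records; a root that trips the third check is exactly the situation this story describes, a credential in the store that nobody can currently account for.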

Spy Network Pilfered Classified Docs from Indian Government and Others

A spy network targeting sensitive government networks in India and other countries has been pilfering highly classified and other sensitive documents related to missile systems, the movement of military forces and relations among countries, according to a report released Tuesday.

It also grabbed nearly a year’s worth of personal correspondence from the Dalai Lama’s office, even after reports published last year indicated that the Dalai Lama’s network had been compromised in what is believed to be a separate breach.

The researchers say the network is an example of a sophisticated shift that has occurred in malware networks from “what were once primarily simple to increasingly complex, adaptive systems spread across redundant services and platforms” and from ones that primarily focused on exploitation for criminal purposes to ones that are focused on “political, military, and intelligence-focused espionage.”

The spy network, dubbed Shadow Network, was discovered by a group of computer security researchers in Canada and the United States, who have been monitoring the espionage for at least eight months and watched as the spies siphoned classified and other restricted documents from the Indian Defense Ministry and other networks.

The researchers — based primarily at the Munk School of Global Affairs’ Citizen Lab at the University of Toronto and at SecDev Group, a consultancy in Ottawa — are the same ones who reported last March on another spynet, dubbed Ghost Net, that had breached computers of the Dalai Lama and more than 1,200 other systems at embassies, foreign ministries, news media outlets and non-governmental organizations based primarily in South and Southeast Asia. The researchers, who worked with colleagues at the Shadowserver Foundation in the U.S., discovered the Shadow Network last year while investigating the Ghost Net. While the Ghost Net focused primarily on the Dalai Lama and Asia, the Shadow Network focused primarily on India, though also targeted the Office of the Dalai Lama, the United Nations, the Pakistan Embassy in the U.S. and numerous other institutions and private companies.

According to the report by the researchers, “Shadows in the Cloud”, the documents pilfered through the Shadow Network included classified assessments about security in several Indian states, as well as sensitive and confidential embassy documents about India’s relationships with Russia and nations in West Africa and the Middle East and “secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists,” two political opposition groups. The spies also stole documents from the United Nations Economic and Social Commission for Asia and the Pacific.

The intruders obtained reports on several Indian missile systems as well as documents related to the travel of NATO forces in Afghanistan. There is evidence that computers at Indian embassies in Kabul, Moscow and Dubai, United Arab Emirates, and at the High Commission of India in Abuja, Nigeria had been compromised, including ones that process visa applications.

Among the stolen data, the researchers found visa applications submitted to Indian diplomatic missions in Afghanistan from nationals of 13 countries.

“In a context like Afghanistan,” the researchers write, “this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.”

Aside from government networks, the attackers further targeted computers at the Institute for Defence Studies and Analyses in India, the India Strategic Defence Magazine and Force Magazine as well as the networks of companies based in India.

Last month, the Indian communications minister told reporters that government networks had been targeted by China, but that the attempted attacks had been unsuccessful. The Toronto researchers then contacted Indian intelligence officials to tell them about the spy network. The Indian Defense Ministry told the New York Times that it’s looking into the matter.

The attacks appear to come from a different source than the one behind the Ghost Net attack. The researchers say the Shadow Network appears to originate from a criminal gang based in Sichuan Province, while acknowledging that true attribution is generally difficult or impossible to surmise in hacking attacks.

Ghost Net used computer servers located on the island of Hainan. After the researchers exposed the Ghost Net last year, several of the command and control servers used in that attack went offline.

“We snuck around behind the backs of the attackers and picked their pockets,” Ronald J. Deibert, a political scientist and director of a cybersecurity research group at the Munk School, told the Times. “I've not seen anything remotely close to the depth and the sensitivity of the documents that we've recovered.”

The researchers said the second spy ring was more sophisticated and difficult to detect than the Ghost Net operation, but like that other network, also pilfered e-mail from the Dalai Lama. The intruders obtained at least 1,500 letters sent from the Dalai Lama's office between January and November 2009.

The researchers traced some e-mails used in the attacks to hackers who appeared to be based in Chengdu, in Sichuan Province. Circumstantial evidence points to at least one of the alleged hackers being affiliated with the University of Electronic Science and Technology there.

Image:Diplomatic Security Special Agents escort the Dalai Lama from a speaking engagement at Rice University in Houston, TX, May 1, 2007. (Department of State)


Appeals Court Throttles FCC's Net Neutrality Authority

A federal appeals court Tuesday rejected the Federal Communications Commission’s authority to sanction Comcast for interfering with peer-to-peer traffic, reversing the commission’s first attempt to enforce network neutrality.

The U.S. Court of Appeals for the District of Columbia Circuit vacated the agency's 2008 decision ordering Philadelphia-based Comcast to stop hampering the peer-to-peer service BitTorrent as a traffic-management practice.

The FCC had acted in response to complaints that Comcast was sending forged packets to broadband customers to close their peer-to-peer sessions. Comcast appealed to the circuit court, arguing that the FCC had overstepped its bounds.

FCC Chairman Kevin Martin's replacement, Julius Genachowski, proposed new rules last year that the agency hoped would sidestep an unfavorable circuit decision.

“Today's court decision invalidated the prior commission's approach to preserving an open internet,” FCC spokesman Jen Howard said in a statement. “But the court in no way disagreed with the importance of preserving a free and open internet. Nor did it close the door to other methods for achieving this important end.”

Genachowski said the agency was enforcing the net neutrality Four Freedoms, a set of agency principles dating to 2005 that guarantee that cable and DSL users have the right to use the devices, services and programs of choice over their connections.

Digital rights groups pointed out that the three-judge panel’s unanimous decision stems from deregulation, in which the FCC, with the Supreme Court’s blessing, began regulating internet service providers as “information services” instead of as “telecommunication services.” The latter, which includes phone carriers, are subject to a bevvy of rules and obligations, including some that mimic net neutrality rules. They range from taxes to subsidize low-income users to “common carrier” rules that allow phone users to call whomever they like using whatever device they choose — from a Mickey Mouse-style phone to a fax machine.

“This crisis is not a result of a weak congressional law, but a direct consequence of the previous two commissions' misguided and overzealous attempts to completely deregulate America's communications networks. Past FCC actions created a huge loophole in the law that leaves the agency unable to protect consumer privacy or promote universal broadband access,” said S. Derek Turner, Free Press' research director.

Free Press, in 2007, urged the commission to sanction Comcast for its throttling practices — practices Comcast said were designed as traffic-management tools.

Comcast complied with the order and appealed.

Sena Fitzmaurice, a Comcast vice president, said the cable concern was “gratified” by the decision and said it appealed “to clear our name and reputation.”

“Comcast remains committed to the FCC’s existing open internet principles, and we will continue to work constructively with this FCC as it determines how best to increase broadband adoption and preserve an open and vibrant internet,” she said.

Public Knowledge, which with Free Press brought the Comcast complaint to the FCC, said the commission could sidestep Tuesday’s decision by bringing internet service “back under some common-carrier regulation similar to that used for decades.”

Absent that, or congressional intervention or a Supreme Court reversal, the court’s decision also throws the FCC’s Broadband Plan into doubt because “there are no protections in the law for consumers’ broadband services,” said Gigi Sohn, Public Knowledge’s president.

Sohn added that the commission “would not have to impose a heavy regulatory burden on the telephone and cable companies, yet consumers could once again have the benefit of legal protections and the Broadband Plan could go forward.”

The appellate panel’s decision comes two years after the FCC, under the Bush administration, ordered Comcast to stop its controversial practice of throttling file sharing traffic.

By a 3-2 vote, the commission concluded that Comcast monitored the content of its customers’ internet connections and selectively blocked peer-to-peer connections — allegations Comcast denied.

The selective blocking of file sharing traffic interfered with users’ rights to access the internet and to use applications of their choice, the commission said.

According to the commission, Comcast used deep-packet inspection to monitor customers’ internet traffic, and routed packets according to their content, not their destination.

“In essence, Comcast opens its customers’ mail because it wants to deliver mail not based on the address on the envelope but on the type of letter contained therein,” the commission ruled.

Comcast's throttling was widespread, affecting up to three-quarters of all file-sharing connections in certain areas, the commission said, resulting in a significant disruption to internet traffic.

Photo: symbi/Flickr


PCI Council readying end-to-end encryption guidance


The PCI Security Standards Council is studying a number of emerging technologies and plans to issue a guidance document on end-to-end encryption when it releases the next version of the PCI Data Security Standards (PCI DSS), due out in October. Bob Russo, general manager of the PCI Council, said researchers are preparing documentation on what he calls the latest industry "big buzz word." Other technologies being studied include the use of tokenization and chip and PIN technologies to protect credit card data and how virtualization affects data protection technologies. In this interview, conducted at the recent 2010 RSA Security Conference, Russo explains whether the next version of PCI DSS will have any major changes and why the Council takes a cautious approach to adding changes to the standard.

In 2009 there were no changes made to the PCI Data Security Standards. How would you characterize the year for the payment industry, given the massive breach at Heartland Payment Systems Inc. and the down economy?
Bob Russo: In 2009 we were seeing a lot of uptake on the standard. Since it's a global standard, we're seeing it throughout the world. We're doing lots of training and lots of awareness-type seminars for literally every place around the world. All of our training is pretty much sold out. This year we've had to add training sessions so people can understand what the standard is and get better prepared for an assessment. So overall 2009 was a very good year for the Council, but 2010 is a very busy year for us. We're releasing three standards this year in eight different languages, so we're working hard.


The PCI Security Standards Council recently undertook a study examining emerging technologies that could be used in future versions of the standard. Can you talk about some of those technologies that we may see in the future?
Russo: We're studying a couple [of technologies] right now to give additional guidance on them hopefully this year when we release the standard. Chip (chip and PIN) [is being studied] as an initial technology, because chip is a mature technology. There's a lot known about the technology. We have a lot of experience with it outside the United States, so we're looking at chip and we're actually mapping how chip would compare with the standard. We certainly don't think that there's a silver bullet in any of these technologies, whether it is chip and PIN, end-to-end encryption as the buzz word goes, tokenization or anything of that nature.

The second [technology being studied] will be some form of encryption. I don't like the term end-to-end encryption. Whether it is point-to-point encryption, account data encryption or transaction-based encryption, whatever it ends up being, we will be mapping that as well. Then we'll be moving on to other technologies including tokenization and virtualization.

We're creating a framework right now where we map these technologies out and lay them next to the standards, so if somebody is using one of these technologies, [the framework] will let them know if they would satisfy certain requirements.

The standard is due for a revision in 2010. Can you give merchants an idea of what may be addressed?
Russo: At this point we're going through a ton of feedback. Our feedback analysis closes at the end of April. We're finding this feedback fits into three categories: additional guidance, clarifications and then these emerging trends or emerging requirements. With a couple of thousand pieces of feedback that we're looking through, there's conflicting types of things there. We have conflicting opinions on what certain things should be. … The biggest thing that will affect the standard going forward is: how to best protect the data and then how much will this cost a merchant, the return on investment and whether there's anything that changes fundamentally the way the merchant actually will have to comply with the standard in the way they do business. If there's something that changes fundamentally the way they do business, certainly we can't put that in initially and have people go out of compliance. In some cases that would have to be a best practice for a certain period of time. In the last version of the standard, requirement 6.6 was a best practice for 18 months, so people had the opportunity to back into it because it was a big change in the way they complied. It's still too early to tell if this will be a version 2 or a version 1.3.

After the Heartland breach, there's been a push for end-to-end encryption, not only from Heartland but from other payment processors. Is that something the council will look at?
Russo: With end-to-end encryption one of the questions we have is: From what end to what end? That's an issue. It's a very big buzz word. There are no standards yet for this type of encryption and how the keys are handled. In many cases you can end up making things less secure based on how you do this. You mentioned Heartland's [E3 product], that's one solution. There are probably a dozen solutions out there. Do they talk to each other? Are they interoperable? What if a merchant is using more than one? These are things that will have to be considered when looking at this. What we'll be studying is an encryption solution and the minimum level of things that need to be done with an encryption solution. Once we've got that we'll put out some guidance, probably nothing specific within the standard. The standard won't change, but there will be guidance based on using these things.

Tokenization is also making its way in some encryption products. Can that make its way in the next version of the standard?
Russo: Certainly [tokenization] guidance could make its way in. I don't see us requiring any kind of tokenization, end-to-end encryption or chip technology in this version, but certainly [we will issue] guidance on these things. If a merchant has already started down a path and spent some dollars on one technology, certainly it would not be in our best interest to say "you chose the wrong technology now you need to use this technology." So there will be guidance on each one of these things that we roll out.


PDF security hole opens can of worms

Tuesday, April 6, 2010

The security perils of PDF files have been further highlighted by new research illustrating how a manipulated file might be used to infect other PDF files on a system.

Jeremy Conway, an application security researcher at NitroSecurity, said the attack scenario he has discovered shows PDFs are "wormable". Computer viruses are capable, by definition, of overwriting other files to spread. Conway's research is chiefly notable for illustrating how a benign PDF file might become infected using features supported by the PDF specification, not a software vulnerability as such, and without the use of external binaries or JavaScript.

The "wormable PDF" research comes days after another security researcher, Didier Stevens, showed how it was possible to both embed malicious executables in PDFs and manipulate pop-up dialog boxes to trick victims into running a malicious payload. Both Adobe and Foxit are working on a fix against the security shortcomings in their respective PDF viewing packages illustrated by the research.

Conway, who last week published an advisory and proof of concept video demo on wormable PDFs, said he was inspired to hunt for related vulnerabilities in the PDF specification by Stevens' research. A fix capable of blocking the security loophole discovered by Stevens ought to also prevent the possibility of 'worming' PDFs. "If the vendors figure out a method to prevent Didier's example this same fix will stop this proof of concept as well," Conway writes.

A follow-up blog post by Conway explains the implications of the security shortcomings of PDF files in greater depth.

"I chose to infect the benign PDF with another, and launch a hack that redirected a user to my website, but this could have just as easily been an exploit pack and/or embedded Trojan binary," Conway explains. "Worse yet this dynamic infection vector could be utilised to populate all PDFs for some new 0-day attack, thereby multiplying an attacker's infection vehicles while still exploiting user systems ('worm-able')."

An informative blog post by Mikko Hypponen, chief research officer at net security firm F-Secure, explains how all sorts of unexpected content is supported by the PDF specification.

Media files, JavaScript and forms that upload user-entered data to an external web server are all supported by the PDF specification, in addition to embedded executables. These little-known features go a long way towards explaining both why PDF applications such as Adobe Reader take ages to load and why the file format has become such a firm favourite with hackers over the last year or so, Hypponen notes.

Joomla! dcsFlashGames Component "catid" Parameter SQL Injection

dcsFlashGames is a component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of "com_dcs_flashgame" before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/38981

10.14.67 - CVE: Not Available
Platform: Web Application - SQL Injection

(nv2) Awards "index.php" SQL Injection

(nv2) Awards is a web application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "index.php" script before using it in an SQL query. (nv2) Awards version 1.1.0 is affected.

Ref: http://forums.invisionize.com/nv2-Awards-120-t137847.html

10.14.72 - CVE: CVE-2010-0802
Platform: Web Application - SQL Injection

Eros Erotik Webkatalog "start.php" SQL Injection

Eros Webkatalog is a web application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "start.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/39034

10.14.62 - CVE: CVE-2010-0964
Platform: Web Application - SQL Injection

Nicole Richie turns Twitter hacker on celeb chums

Airhead socialite Nicole Richie broke into the Twitter account of her chums last week as part of a prank that proves just about anyone can become a password hacker.

Richie, best known for co-starring with Paris Hilton on The Simple Life, panned the updates of reality TV star Kim Kardashian and her boyfriend Joel Madden. Several million followers of these accounts were then fed risque tweets suggesting Kardashian might enjoy a spot of girl-on-girl with Richie.

Meanwhile Madden's feed ran updates suggesting he wanted to smell Paula Abdul's pits, among other things.

Kardashian, who received some strange email via her BlackBerry as a result of the prank, subsequently posted a message on her blog letting interested parties know the two accounts had been hacked by Nicole Richie as part of an April Fool's joke. Richie had the help of Kardashian's sister Khloe in obtaining the password for her sibling's Twitter account.

Both parties to the rib-tickling social network shenanigans took the joke in good humour. More on the prank, including a list of the fake tweets, can be found in a blog entry by Sophos here.

The net security firm notes that the practice of breaking into the social networking accounts of friends has become widespread and is far from restricted to celebrity pranksters. The tactic has even acquired an ugly moniker, "fraped", a portmanteau of the words Facebook and raped.

Child abuse frame-up backfires on stalker

A stalker's plan to land a love rival in jail has backfired, resulting in a prison term, The Times reports.

Ilkka Karttunen, 48, broke into the home of the object of his affection and downloaded child porn before taking the hard drive and sending it to the police with a note identifying the owner. The ruse was designed to get the husband of a co-worker whom Karttunen fancied arrested on child porn charges, clearing obstacles towards a possible relationship, at least by Karttunen's thinking.

The man was arrested, and subsequently prohibited from visiting his home or seeing his children. However, police were more thorough in their subsequent investigation than Karttunen would have liked. Suspicions over how the hard drive was sent to the police together with other factors fingered Karttunen as a suspect. Evidence from the computer suggested the Finn had broken into the family's home multiple times, taking pictures of a family calendar that showed when the husband would be at work.

A raid on Karttunen's home turned up a computer containing pictures and credit card details harvested from the family computer of the victim of the frame-up, who cannot be named for legal reasons. Forensics tests on the machine, which was hidden in Karttunen's garden shed, resulted in charges of harassment, perverting the course of justice and making indecent images of children against the Finn.

Karttunen denied all the charges but was convicted by a jury at Basildon Crown Court. The 48-year-old was jailed for four and a half years last week, given a restraining order and ordered to sign the sex offenders' register after his release.

iPad jailbroken in less than a day

Video and pics posted online.

Apple's iPad is selling well, but hackers have been busy and the iPad has already been jailbroken, according to postings online.

Yesterday, Twitter user MuscleNerd posted a video and picture of what appears to be a jailbroken iPad, credited to hacker Comex. Comex is a member of the iPhone Dev team, who have also said that a jailbreak is possible but have yet to release it.

Both attacks appear to depend on the use of a variant of the Spirit application that is used to crack iPhones.

Apple is playing a continuing game of cat-and-mouse with those who seek to use their own software on the devices. In the past, updates have rendered devices useless and it bans some users from its App Store.

Copyright v3.co.uk


Oracle warns of critical flaws in Java

Company issues patch for SE and Business editions.

New parent company Oracle has released a critical update to address vulnerabilities in its Java platform.

The company said that the patch addresses flaws in both Java SE and Java for business. In total, the update includes fixes for 27 different vulnerabilities in Java.

The update will cover the Windows, Solaris and Linux versions of the Java SE and Java for business platforms. Because Apple has opted to develop and maintain its own Java components in-house, Oracle is not releasing an update for MacOS X systems.

Oracle is strongly recommending that all users of both Java platforms install the update. Additionally, those running the JRE, JDK and SDK components are advised to install the patch.

While Oracle did not specifically disclose whether the flaws could allow an attacker to execute malicious code on a targeted system, the company noted that all 27 of the flaws could be remotely targeted and exploited without user authentication.

While most end users will be able to receive the update through automatic update tools, administrators and those wishing to manually install the updates can obtain fixes for both Java SE and Java for Business directly from Oracle.

Copyright v3.co.uk


Privacy service knocked offline by 'no bullsh*t' registrar

A recently launched anonymization service suffered a setback last week when Gandi.net, a French registrar that bills itself a "no bullshit company," revoked its secure sockets layer certificate without warning.

Last week's move against GoogleSharing caused its 30,000 users to instantly lose service, according to Moxie Marlinspike, the hacker who announced the anonymization proxy in mid January. It took him four days to get the site operational again, and by then, the vast majority of those users had stopped using the service.

In an email sent more than 24 hours later, a member of Gandi.net's abuse department said the certificate was revoked "due to multiple and deliberate serious breaches" of the registrar's terms of service. Specifically, the violations were incorrect information provided to Gandi.net's Whois database, a trademark violation for the unauthorized use of "google" in the domain name and the use of the certificate for unspecified "fraudulent activities."

GoogleSharing prevents Google from tracking searches and websites visited by specific individuals by mixing together requests from many different users so that it is impossible to tell where the queries originate. A Firefox plugin redirects Google-bound traffic to a proxy, where requests are stripped of all identifying information and replaced with the details of a different GoogleSharing user. The Google response is then proxied back to the originating user.
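The scrubbing step described above, as an added illustration that is not GoogleSharing's own code: the header names the proxy strips, the pool of shared identities it rotates through and the `SharingProxy` class are all constructed here to show the mechanism, and the pool is a stand-in for the real service's practice of swapping in another user's details.

```python
from itertools import cycle

# Request headers that identify a user or session and must not reach the upstream
# service. The set is a constructed illustration, not the service's actual list.
IDENTIFYING_REQUEST_HEADERS = {
    "cookie", "authorization", "x-forwarded-for", "referer", "user-agent",
}

# Response headers that would re-establish a per-user identity on the way back.
IDENTIFYING_RESPONSE_HEADERS = {"set-cookie", "set-cookie2"}

# Constructed pool of shared identities the proxy substitutes for the real client.
SHARED_IDENTITIES = [
    {"User-Agent": "SharedAgent/1.0 (pool-1)", "Cookie": "PREF=pool-1"},
    {"User-Agent": "SharedAgent/1.0 (pool-2)", "Cookie": "PREF=pool-2"},
]


class SharingProxy:
    """Hypothetical model of the identity-mixing proxy: every outbound request
    loses its own identifiers and carries one of the shared identities instead."""

    def __init__(self, identities):
        self._next_identity = cycle(identities)

    def scrub_request(self, headers):
        """Drop identifying headers, then attach the next shared identity."""
        cleaned = {
            name: value
            for name, value in headers.items()
            if name.lower() not in IDENTIFYING_REQUEST_HEADERS
        }
        cleaned.update(next(self._next_identity))
        return cleaned

    @staticmethod
    def scrub_response(headers):
        """Strip headers that would pin a session to the originating user."""
        return {
            name: value
            for name, value in headers.items()
            if name.lower() not in IDENTIFYING_RESPONSE_HEADERS
        }


if __name__ == "__main__":
    # Constructed sample request from a browser that has a real Google session cookie.
    proxy = SharingProxy(SHARED_IDENTITIES)
    sample = {"Host": "www.google.com", "Cookie": "SID=real-user",
              "User-Agent": "Firefox/3.6", "Accept": "text/html"}
    print(proxy.scrub_request(sample))
```

The design point the article makes is visible in the model: the transparency that made the service useful is also what made the certificate revocation fatal, because every request path runs through this one hop and nothing on the client side can substitute for it.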

"GoogleSharing thrives by being totally transparent to the end user," Marlinspike wrote in an email. "They install the addon and never have to think about it again. They don't have to do anything special or visit any special websites. By causing a four day interruption, they've likely killed the majority of our user base."

The hacker said it was true that some of the information contained in the Whois database was not correct, but he insisted the service doesn't engage in fraud and that the inclusion of "google" in his domain name is protected by the fair use doctrine.

The revocation meant in an instant people who relied on GoogleSharing to anonymize Google search requests were suddenly unable to use the service. Because the service relies on a Firefox add-on that uses an authenticated page, their connections were killed with little explanation and no recourse.

The episode demonstrates the hazards of relying on internet companies that enforce terms of service reserving the right to play judge, jury and executioner with their customers' websites. Gandi.net took the action with no warning and didn't provide an explanation for more than a day. And even then, it failed to say exactly what "fraudulent activities" GoogleSharing had carried out.

So much for Gandi.net's claims of being a "no bullshit company."

"It's a big claim to make," the company's marketing monkeys write. Among other things, it means employees "are honest about what we do; we will be straightforward in how we deal with you" and "if we're ever hypocritical we will hold our hands up and clean up."

Conspiracy-minded observers might be tempted to point out that over the past decade Marlinspike has regularly been a thorn in the side of companies who make big bucks issuing the certificates used to authenticate banks, online retailers, and groups with other types of sensitive websites. By demonstrating practical attacks that allow hackers to spoof the widely used credentials, his research calls into question the effectiveness of SSL certificates and the companies that issue and use them.

Already, eBay-owned PayPal has retaliated against the independent researcher for showing how criminals could impersonate the online payments processor. Now, Gandi.net has followed a similar course.

But the consequences of the revocation are far from over. Whereas the service pushed an average of 4Mbps before, it was generating only about 300kbps after it came back online.

Which seems to suggest that if you're doing anything considered remotely controversial on the net, you're better off relying on yourself for payment and certificate services. The internet isn't a democracy, and companies with self-serving terms of service can't be counted on to deliver due process. Not even those that bill themselves as "no bullshit."

eZ Publish SQL Injection and HTML Injection Vulnerabilities

eZ Publish is a content manager. Since it fails to sufficiently sanitize user-supplied data, the component is exposed to multiple issues. An attacker may leverage the HTML injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

Ref: http://ez.no/de/developer/security/security_advisories/ez_publish_4_2/ezsa_2010_001_remote_vulnerability_in_ez_search

10.14.86 - CVE: Not Available
Platform: Web Application

SiteX "photo.php" SQL Injection

SiteX is a content manager implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "albumid" parameter of the "photo.php" script before using it in an SQL query. SiteX version 0.7.4 beta is affected.

Ref: http://www.securityfocus.com/bid/38976

10.14.66 - CVE: Not Available
Platform: Web Application - SQL Injection

eSmile "index.php" SQL Injection

eSmile is a web application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "cid" parameter of the "index.php" script before using it in an SQL query.

Ref: http://www.exploit-db.com/exploits/11382

10.14.71 - CVE: CVE-2010-0764
Platform: Web Application - SQL Injection
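The advisories on this page (dcsFlashGames, (nv2) Awards, Eros Webkatalog, SiteX and eSmile) all describe the same defect: a request parameter such as "id", "catid", "albumid" or "cid" is placed into an SQL statement without being sanitized. The example below is added here to show the defect and its fix side by side; it is not code from any of those applications. It uses a constructed SQLite table and constructed parameter values, and the function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for an application table keyed by an integer id.
SAMPLE_ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern the advisories describe: the raw parameter is pasted into the
    SQL text, so any value that contains SQL syntax changes the query itself."""
    sql = "SELECT id, name FROM items WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Fix: bind the value as a parameter. The database treats it purely as data,
    so it can match a row or match nothing, but it can never alter the query."""
    return conn.execute(
        "SELECT id, name FROM items WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_validated(conn, user_id):
    """Defence in depth: enforce the expected type before the query runs, so a
    malformed value is rejected with a clear error instead of reaching SQL."""
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, name FROM items WHERE id = ?", (id_int,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A well-formed id behaves the same in all three variants.
    print(lookup_vulnerable(db, "2"), lookup_parameterized(db, "2"), lookup_validated(db, "2"))
    # A value carrying SQL syntax: the concatenated query returns every row,
    # the bound query returns nothing, the validated query refuses the input.
    tainted = "1 OR 1=1"
    print(lookup_vulnerable(db, tainted), lookup_parameterized(db, tainted))
```

The check worth keeping from this when reviewing PHP code of the kind the advisories cover is mechanical: any place where a `$_GET` or `$_POST` value is concatenated into a query string is the defect, regardless of which script or parameter name the advisory happens to cite, and prepared statements with bound parameters are the fix.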

Security spending survey finds misaligned IT security budgets


Many enterprise IT security budgets may be focused too heavily on protecting credit card data and customer personal information rather than safeguarding more valuable corporate secrets.

That was the conclusion of a global survey of 305 people with primary responsibility for IT security budgets, conducted by Forrester Research Inc. CISOs value company earnings and financial information the most, yet the majority of IT security spending is aimed at protecting less valuable data, according to the survey, which was commissioned by Microsoft and RSA, the security division of EMC Corp.

The survey found most security spending is driven by compliance initiatives, which focus on protecting less valuable custodial data in the form of customer personally identifiable information and credit card numbers. Custodial data makes up the smaller share of a company's information assets by value, about 38%, while corporate secrets typically account for the other 62%. But those in charge of the security budgets allocate dollars evenly, devoting half of the security budget to protecting corporate secrets, in the form of strategic plans, sales forecasts and financials, and the other half to protecting custodial data as part of a compliance program.


Companies are protecting against having a high profile data breach, rather than preventing outsiders from accessing corporate intellectual property

"Catastrophic toxic data spills are dramatic and expensive, and they garner the most headlines. But for most enterprises, secrets are more valuable than custodial data," according to the Forrester report, "The value of corporate secrets."

The Forrester survey reached people at organizations in the United States, Europe, Australia and New Zealand. It found that many firms need to do a better job identifying valuable assets and weighing the risk of losing those assets. Once the most valuable assets are identified, spending on security can be allocated to better protect corporate secrets while maintaining a strong compliance program.

"I don't think we're calling for a wholesale reevaluation of how enterprises invest," said John Chirapurath, senior director of the Identity and Security Business Group at Microsoft. "It calls attention to the need to recognize the pitfalls and take the opportunity to assess risk in an organization and remediate that risk appropriately."

The survey also found a contrast between vertical industries. Firms in the manufacturing, information services, professional, scientific and technical services, and transportation sectors accrue between 70% and 80% of their information portfolio value from corporate secrets. But healthcare firms and governmental entities reported that 60% or more of the value of their information assets lies in custodial data assets, such as patient medical records.

Insider threats being neglected
The focus on compliance has put more of an emphasis on preventing employee mistakes rather than securing the critical corporate secrets. While employee mistakes in the form of a lost smartphone or laptop and email leakage happen more often (57% of incidents), Forrester found that the loss of sensitive corporate data by a malicious insider is 10 times costlier on a per-incident basis.

The survey found the average cost for lost smartphone incidents was about $12,000 per incident, while lost laptops and accidental leakages cost $26,000 per incident. Meanwhile, a malicious theft by an insider costs about $363,000 per incident.

Firefox plans fix for decade-old browsing history leak

Firefox developers say they're close to plugging an information leakage hole that has plagued every major browser for more than a decade.

The cascading style sheets (CSS) history attack makes it easy for webmasters to compile vast lists of links visitors have previously viewed. It exploits a feature of virtually every browser that causes visited links to be displayed in purple rather than blue. Mozilla has classified the weakness as a bug since at least 2002.

But fixing it has proved to be a vexing problem, largely because programmers didn't know how to close the hole without breaking key web functionality. Many proposed fixes threatened to bring browsers to a crawl or prevent users from knowing whether they had previously visited a website, trade-offs Mozilla, Microsoft and other browser makers have largely considered unacceptable.

Now, Mozilla security team member Sid Stamm says the hole will soon be closed in the open-source browser in a way that won't sacrifice usability. It incorporates technical changes designed to prevent the three most common attacks based on layout, timing and computed style of links.

"A few websites may look a little different, but visited links will still show up differently colored," he wrote. "A few sites that use more than color to differentiate visited links may look slightly broken at first while they adjust to these changes, but we think it's the right trade-off to be sure we protect our users' privacy."

Web application security expert Robert "RSnake" Hansen wasn't nearly as optimistic. In a blog post he said Mozilla's approach only makes it harder to exploit the weakness, rather than eliminating it.

"So let's not pat ourselves on the back too much here - it seems with every hole fixed there's two more that pop up and even when identified they take way too long to fix," he wrote. "I don't mean to harp on the Mozilla guys too much - at least they have a fix in the works. But that doesn't change the fact that we appear to be playing a very losing game of whack a mole."

It's also worth noting that most of the attacks can be eliminated by blocking a site's ability to run JavaScript. That means users of the NoScript add-on for Firefox will in many cases be protected against the attack. Then again, it's getting harder and harder to do anything online without JavaScript. Any site that has the ability to run code also has the ability to silently pilfer your browsing history.

And that means the changes by Mozilla are a step in the right direction, even if they don't completely eliminate the problem. Stamm has called on other browser makers to follow suit, which would also be a step in the right direction. The Register has placed queries with Google, Microsoft and Opera Software about their plans and will update this article with any responses.

President Ford Approved Warrantless Domestic Surveillance

In 1974, while the country was embroiled in a national debate over excessive government surveillance, then President Gerald Ford authorized the Federal Bureau of Investigation to conduct warrantless domestic surveillance, according to a classified memo recently obtained by the Center for Investigative Reporting.

The memo, signed December 19, 1974, was issued just one month before the Senate established an 11-member panel, known as the Church Committee, to investigate government surveillance programs. The Church Committee would ultimately uncover other unconstitutional spying activities, such as that conducted by the National Security Agency under the rubric of Operation Shamrock. Two days after the memo was signed, investigative reporter Seymour Hersh, writing in the New York Times, disclosed a covert government spying program that focused on monitoring political activists in the U.S.

Ford became president after Richard Nixon’s resignation in the wake of the Watergate spying scandal, and he later supported passage of the pro-privacy Foreign Intelligence Surveillance Act in 1978, which placed restrictions on wiretapping and required law enforcement to obtain permission from a special court to conduct domestic intelligence surveillance.

But according to the recently released top secret memo, just two years earlier, Ford had secretly authorized then-Attorney General William B. Saxbe “to approve, without prior judicial warrants, specific electronic surveillance within the United States which may be requested by the Director of the Federal Bureau of Investigation.”

Ford wrote in the memo to Saxbe that he had “been advised by you [Saxbe] and by the Department of State that such surveillance is consistent with the Constitution, Laws and Treaties of the United States.”

“This could be Bush after 9/11 or Obama after becoming president, but it’s President Ford 35 years ago, coping with Cold War struggles,” John Laprise, a visiting assistant professor at Northwestern University, told the Center. “It’s really a stunning document that raises all sorts of questions.”

Ford’s order authorized surveillance for foreign intelligence and counterintelligence purposes, and would have involved spying on Americans or foreigners in the U.S. who were suspected of spying for foreign countries or foreign-based political groups. The open-ended surveillance authority could only be revoked by Ford or by order of a future president.

It’s not known to what extent the surveillance might have involved U.S. citizens or whether there was a specific incident or investigation that prompted the memo. In the memo, Ford writes that he “carefully reviewed the issues raised in your request for confirmation of authority and delegation with respect to warrantless electronic surveillance within the United States. . . .”

The surveillance had to be in service of several objectives — to protect the U.S. against attacks by a foreign power; to obtain foreign intelligence that was deemed to be essential to national security; or to obtain information that the secretary of state or the national security adviser deemed necessary to foreign affairs.

Ford wrote that the warrantless surveillance would only be authorized with the personal approval of the attorney general “upon submission of a written request by the Director of the Federal Bureau of Investigation providing complete justification for the conduct of such surveillance, including identification of the agency and Presidential appointee initiating the request” and that only “the minimum physical intrusion necessary to obtain the information sought will be used.”

The National Archives obtained the memo, which it shared with the Center for Investigative Reporting, based in California. A previous, slightly redacted version of the memo was released in 2006.

Last week, a federal judge ruled that the George W. Bush administration violated the Foreign Intelligence Surveillance Act when the NSA eavesdropped on the telephone conversations of two American lawyers who represented a now-defunct Saudi charity.

Image: NASA/Kim Shiflett


30-Year Computer Ban for Sex Offender Overturned

Saturday, April 3, 2010

Just in time for the iPad launch, a federal appeals court Friday overturned a 30-year computer ban imposed on a sex offender caught in an online police sting.

Mark Wayne Russell, 50, was arrested in 2006 after traveling from his home in Columbia, Maryland to a location in Washington D.C. where he expected to meet a 13-year-old girl he’d sexually solicited in a chat room. The “girl” was actually an undercover cop, and Russell was ultimately sentenced to 46 months in prison and ordered not to “possess or use a computer for any reason” before the year 2039.

That inflexible ban on computer use is “substantively unreasonable” and “aggressively interferes with the goal of rehabilitation,” ruled the U.S. Court of Appeals for the District of Columbia.

It’s the latest decision on an issue that has some, but not all, courts moving toward accepting the internet as a basic freedom that even convicts should not be permanently denied. In January, the 3rd U.S. Circuit Court of Appeals in Philadelphia overturned a lifetime internet ban against a child porn offender, calling such bans “draconian” (.pdf) in terms of employment opportunities and “freedoms of speech and association.” But a few months earlier, the first unconditional lifetime internet ban to be appealed (.pdf) was upheld by the Atlanta-based 11th U.S. Circuit Court of Appeals.

Before his arrest, Russell had worked as an applied systems engineer at Johns Hopkins University for 10 years. “It is hard to imagine white collar work in 2010 not requiring access to computers, just as white collar work 100 years ago would almost invariably have required the use of pens and pencils,” wrote (.pdf) Judge Stephen Williams for the three-member panel.

Upon release, Russell’s computer ban prevented him from applying for a job at a McDonald's, which required computer use for filling out the application, and barred him from other low-tech employment opportunities, including keeping inventory at a pet supply store, according to the ruling.

Prosecutors agreed with Russell’s lawyer that the blanket computer ban was unreasonable. Friday’s decision sends the case back for re-sentencing, where, at a minimum, Russell’s probation officer has to be given discretion to modify the computer ban, the court ruled.

Judge Karen Henderson concurred, but wrote a separate opinion to take issue with the view that Russell can’t get a job without touching a computer.

“We can judicially note that millions of Americans every day perform jobs without using (or even seeing) a computer,” Henderson wrote. “If Russell cannot find a job, it is more likely because of his criminal record than the computer ban.”

Photo: Vampire Bear


Law Against Police Bumper Stickers Unconstitutional

A local Ohio ordinance making it a crime for civilians to display bumper stickers of police organizations is unconstitutional, a federal judge says.

The First Amendment decision by U.S. District Judge Michael Barrett blocks the suburban Village of Lockland from enforcing the minor-misdemeanor statute, and comes after a nationwide scattering of similar decisions overturning ordinances forbidding citizens from wearing police and military garb.

The ordinance in question authorizes police to pull over drivers on suspicion that they were violating the bumper-sticker law, which reads: “No person who is not entitled to do so shall knowingly display on a motor vehicle the emblem of a local law enforcement agency or an organization of law enforcement officers.”

The legal challenge was brought by Jasir Singh, a 49-year-old grocery owner in the Village of Lockland, a suburb of Cincinnati. He was wearing a turban while driving a yellow Corvette through town in 2008, when he was pulled over because his bumper displayed a silver-dollar-sized emblem of the Fraternal Order of Police.

“That’s harassment when you don’t break a traffic law and you get pulled over, and they tell you that the reason is a sticker you’re not supposed to have,” Singh said in a telephone interview Friday.

He testified that a friend on the Cincinnati Police Department gave him the emblem, which symbolizes a 325,000-member fraternal order that calls itself “the voice of our nation’s law enforcement officers.”

The FOP, Lockland and the state of Ohio urged Judge Barrett to uphold the law, which carries a $100 fine for first-time offenders. They said the statute was necessary because officers sometimes let down their guard when they pull over vehicles displaying police-related insignia.

“This statute,” the judge ruled, “does not further that interest and may actually put police officers in greater harm since it can not be known to the police officer who is actually driving a motor vehicle regardless of who the vehicle is registered to or what emblem is placed on it.”


TYPO3 Diocese of Portsmouth Database Extension SQL Injection

Diocese of Portsmouth Database (sav_diocesedatabase) is an extension for the TYPO3 content manager. The extension is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query. Diocese of Portsmouth Database versions 0.7.12 and earlier are affected.

Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/

10.13.90 - CVE: Not Available
Platform: Web Application

RepairShop 2 "prod" Parameter Cross-Site Scripting and SQL Injection Vulnerabilities

RepairShop 2 is a PHP-based customer service application. The application is exposed to a cross-site scripting issue and an SQL injection issue because it fails to sanitize user-supplied input to the "prod" parameter of the "index.php" script when "b" is set to "products.details". RepairShop 2 version 1.9.023 Trial is affected.

Ref: http://www.securityfocus.com/bid/38907

10.13.80 - CVE: Not Available
Platform: Web Application - SQL Injection

Bush-authored warrantless wiretapping suffers abrupt defeat

The last of the US warrantless wiretapping cases has come to a rather surprising and abrupt finish.

Judge Vaughn Walker hearing the case formerly known as Al-Haramain vs Bush has ruled for the plaintiffs and against the US government on a motion for summary judgment, essentially telling the government it had no case.

This rare victory for civil libertarians followed years of obfuscation and wrangling on the part of both the Bush and the supposedly open Obama administration regarding the propriety of the deeply controversial warrantless wiretapping program, and the scope of the so-called "state secrets" privilege.

The case concerned the Oregon branch of an Islamic charity known as Al-Haramain, based in Saudi Arabia, which the US Department of Justice (DoJ) alleged to be an Al-Qaeda financier.

Not only was it the last case to reach closure - the other warrantless wiretapping cases were short-circuited by the US Congress, which granted immunity to the telcos involved - but it has been almost from the beginning the most bizarre.

The case survived because it was the only one that named the government as a defendant - the others had scrupulously avoided naming the government so the government would not intervene and invoke the state secrets privilege.

This is an evidentiary privilege afforded to protect national security, and something that had been stretched beyond recognition by the previous Bush administration, and to a lesser extent, the Obama administration.

It is an evidentiary privilege that had already been controversial in legal circles due to the fact that in the landmark Supreme Court case that largely defined it, United States vs Reynolds, the government had lied through its teeth. The state also lied long afterwards, once the relevant documents were declassified and it emerged the government had sought to cover up run-of-the-mill negligence responsible for the deaths of several airmen.

Against this backdrop, the Bush administration, with its color-coded threat levels and politically minded fearmongering, began to assert the privilege in the broadest possible way, by claiming that any litigation over the warrantless wiretapping program threatened national security. It also waged a multiyear strategy of stalling what could not be pushed through Congress.

The Office of Foreign Assets Control (OFAC), which largely deals with money laundering issues, had been investigating ties between Al-Haramain and associates of Osama Bin Laden.

In the course of that investigation, OFAC obtained records of NSA wiretaps of conversations between Al-Haramain and its lawyers. In the subsequent criminal proceeding, OFAC mistakenly turned over copies of the wiretap transcripts to the lawyers, who then filed suit in federal court under a section of the Foreign Intelligence Surveillance Act that allows for damages in a civil suit for violations of FISA.

The Kafka-esque proceedings began in Oregon and were subsequently transferred to San Francisco, California, where it was consolidated with the other warrantless wiretapping cases.

Had the cases been tried in Virginia or Washington DC, where the courts tend to toe the government line on national security matters, the outcome might have been different. The Ninth Circuit in San Francisco, though, held to a traditional, narrow reading of the privilege - namely, that it is evidentiary in nature and not grounds for throwing out litigation in its entirety.

Although the government under both Bush and Obama repeatedly ignored court orders, and the attorneys surveilled were prohibited from testifying even to their own recollection of the documents, it ultimately did not matter.

It didn't matter, because so much material about both Al-Haramain and the warrantless wiretapping program had already entered the public record that Judge Walker ruled there was no disputed material fact in the case. In doing so, he granted a rare victory for civil libertarians against the national security state.

Judge Walker has scheduled a hearing to determine the nature and scope of damages, which will probably be the end of one of the strangest cases in American jurisprudence.

The other cases in this whole episode had foundered on the shoals of what is known in legalese as "standing": namely, the ability to assert an individualized harm in the face of government secrecy. It turns out that the government is not that good at keeping secrets after all, a fact that proved its undoing.

Joomla! "com_cb" Component "cat" Parameter SQL Injection

"com_cb" is a component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat" parameter before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/38916

10.13.85 - CVE: Not Available
Platform: Web Application - SQL Injection

Botnet research suggests progress in cybercrime war


The recent arrests of those suspected of being connected to the Mariposa botnet and the legal action by Microsoft to take down the command and control of the Waledac botnet may be a sign that those defending the Internet are gaining ground against botnets and the cybercriminals behind them. But a complex web of legal and jurisdictional issues remain, said botnet expert Joe Stewart, director of malware research at SecureWorks Inc. In a wide ranging interview at the 2010 RSA Conference, Stewart explained whether the tools and the resources are available to win the botnet war. He said more work needs to be done before victory can be declared. As soon as a botnet is taken down, cybercriminals have shown they can quickly rebound, deploying new bots to spread malware and harvest data, Stewart said.

Let's talk about the evolution of botnets. When did they begin to proliferate? Was it SpamThru?
Joe Stewart: Botnets have been around for a long time. Going back to the 1990s with Internet relay chat (IRC), people wanted a way to maintain their chat rooms while they were away so they started making automated scripts that became known as bots that sit on a channel. They added new features and things started getting more sinister. Some people wrote a bot that would knock people off of their channels and it kind of escalated from there and became an entire culture around developing bots, using them for various purposes like DDoS. Then at the end of the last century into 2001 we started seeing bots used for larger cybercrime. It escalated outside of the IRC community into the kind of things we see today like the banking fraud, the spam and the DDoS attacks against websites not just IRC chat rooms.

How do you measure the strength of a botnet? Does size necessarily equate to strength?
Stewart: Strength is one element of bots when you are talking about something like a DDoS botnet, how much potential they have to take down a website. But not all bots are designed to do something like that. You're not going to see too much traffic from something like a bank fraud botnet. We try to do the best we can in getting counts of botnets because that's always interesting. How many people have been infected? What means they're using to infect PCs into the botnet? That's something we pay close attention to. That's a more important metric to us.

That is what was done with Conficker, right?
Stewart: That's right. With Conficker it was very important to establish how fast it was able to grow and what we can do to put in preventative measures at different levels to try and keep new PCs from joining that botnet. It seems like plenty joined and not many left, so we're still facing pretty large numbers from that botnet.

Is there a way to get botnets shut down? We saw the McColo action which disrupted some botnets. Microsoft took legal action to take out the command and control of the Waledac botnet. Do actions like these have any positive results?
Stewart: It's good to see people putting an effort towards the problem and raising people's attention to the overall problem, but taking out a botnet is not necessarily going to stop the criminal operation behind the botnet. Certainly they're making money in a lot of these schemes that they are using botnets for, so it's unlikely that they are just going to quit just because Microsoft killed their botnet one day. They will just deploy new bots. They can easily seed those out in the wild and pay somebody to spread those from Web exploits, sending out infected emails. So they can quickly build their botnet up again and get right back in the business. We have to have more cooperation across the board from ISPs, industry researchers and law enforcement. Ultimately you have to stop the people behind the botnet, not just the botnet itself.

Three people connected to the Mariposa botnet were recently arrested. Do you think we'll see more arrests of this kind?
Stewart: I hope so. The problem is you have certain countries that seem willing to cooperate with law enforcement in the U.S. We've got plenty of people here that can study botnets, can uncover where the command and control is at and uncover details about who may be operating command and control, but in certain countries, when we report this, it seems to go nowhere. We're hoping with some of these recent discoveries like the Black Energy (botnet) targeting Russian banks, perhaps Russia might also join the larger research community and law enforcement action against botnets. We could use some cooperative action and take down some of the biggest and most damaging botnets.

I recently heard some experts say that the government should require ISPs to use deep packet inspection. That brings up privacy issues. Do you think that will ever happen?
Stewart: It's something that can be done without being intrusive. There are ways that you can look at a packet for signs of a botnet infection without necessarily compromising someone's privacy. I don't want people to get up in arms thinking that because the ISP is suddenly alerting on botnets that this suddenly means they are reading their email messages. That's not what it means. It functions very similarly to what an antivirus does. It's looking at each executable and trying to figure out whether it matches a known signature of a piece of malware. It's the same idea, just at the network level. Just because you have antivirus looking at your programs, doesn't mean they're going in those programs, reading all your serial numbers and all those things. They're just looking for patterns that indicate bad activity.

Let's talk about Operation Aurora. The attacks against Google and nearly two dozen other companies. You looked at the code. What exactly did you find?
Stewart: It was interesting that Google came out and admitted it happened, because we've seen this type of activity happening over the past five years. Most companies that get attacked don't say anything. That was the only thing really unusual about the attack. This is very typical of what we've been seeing going on for a long time. It's just a Trojan that is stealthy by matter of the fact that it was written specifically for this purpose. It wasn't necessarily sophisticated. It's something no one had seen because it wasn't widely deployed.


tenfourzero.net Shutter "admin.html" Multiple SQL Injection Vulnerabilities

tenfourzero.net's Shutter is a photo sharing application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "albumID" and "photoID" parameters of the "admin.html" script before using the data in an SQL query. Shutter version 0.1.4 is affected.

Ref: http://www.securityfocus.com/bid/38849

10.13.70 - CVE: Not Available
Platform: Web Application - SQL Injection

Mini CMS RibaFS "admin/login.php" SQL Injection

Mini CMS RibaFS is a PHP-based content management system. The application is exposed to an SQL injection issue due to insufficient sanitization of user-supplied data to the "login" field of the "admin/login.php" script. Mini CMS RibaFS versions 1.0 and earlier are affected.

Ref: http://www.securityfocus.com/bid/38881/info

10.13.75 - CVE: Not Available
Platform: Web Application - SQL Injection

Electronic Bodyguards bureau sets up shop in Switzerland

Burly bodyguards, however well armed and trained, are no longer enough to protect businesspeople on the move.

Electronic threats to their privacy and security and the risk of industrial espionage can also cause problems for VIPs and businesspeople. Peter Houppermans, an experienced security consultant who helped build the UK's Government Secure Intranet before working in banking security, aims to plug this gap with a new venture, dubbed Electronic Bodyguards.

The Electronic Bodyguards Group brings together several companies who are all experts in their specific niche, but too small to market themselves. All offer trust, discretion and client privacy.

The group is marketing its services to companies, but also to executives and VIPs who need to safeguard their electronic as well as physical security when they travel. The group is focusing on the top end of the market for corporate and personal security.

The combination of competences in the group brings a number of interesting services. One service is a two-week find-and-fix security programme for VIPs who travel frequently, marketed to VIPs and private banking clients. The premise is that physical security is covered by insurance policies and bodyguards, but that this doesn't address the safety and reputation problems that result from data theft or hacking, still less government intrusion and cyber espionage. eBodyguards aims to plug this gap.

"VIPs typically walk into a less secure setup as soon as they leave their office," Houppermans explained. "Bodyguards only look at perimeter, but the guy in the carpark with a laptop can pose a threat as can a lost BlackBerry that cannot be remotely killed."

Electronic Bodyguards Group (EBG) is marketing itself on the promise of a one-stop service with discretion as an integrated part of the offering. Houppermans said: "Why buy a consultant at 1,500/day if you can get the best in their field at 1,000?"

The organisation can handle jobs ranging from personnel screening to breach recovery as well as certified education and full business continuity planning. The group is even capable of handling covert ops that might normally be considered the work of private investigators. A recent case tackled by eBodyguards involved work on preventing data theft, where it combined software expertise with emergency management measures and surveillance to catch data thieves in the act.

The group is based in Switzerland and promises client confidentiality and privacy comparable to that of numbered Swiss bank accounts. Houppermans is essentially acting as an agent for ex-law enforcement agents and experienced security staff in a network of contacts he has built up over many years.

"In security there are various networks and groups, I am part of a few of them," Houppermans explained. "That means I can cross check someone quickly.

"The deal is collaborative marketing with a carefully selected set of people, all of whom I have to know personally before they become part of the group. I act as the client interface because I can quickly see which combination would be the perfect fit for the work, which also comes in handy to handle emergencies."

Houppermans prides himself on being able to pull together an A-Team of experts with different skills, all with at least 10 years' relevant experience.

"I try to avoid too many capability conflicts, but I have a company of ex-police people who do very good anti-fraud and physical surveillance, one group of white hat hackers, a business continuity firm who work for casinos and even Israeli banks. If a company needs a combination of skills, I generally coordinate the work myself."

So far, three firms are licensed to carry the Electronic Bodyguards Group brand, but Houppermans is already in discussion with others. Currently, the three licensed partners are Risk Control RCC, Dreamlab Technologies AG and Coprin AG.

Houppermans' own technical contribution to the mix is a secure email system that "isn't just technically secure (that was the easy bit) but also legally secure because I know how RIPA [the UK's main wiretapping regulation law] can be abused by insiders," he explained.

"By placing the email platform in Switzerland I ensure proper law enforcement process is followed," he added.

Law Against Police Bumper Stickers Unconstitutional

A local Ohio ordinance making it a crime for civilians to display bumper stickers of police organizations is unconstitutional, a federal judge says.

The First Amendment decision by U.S. District Judge Michael Barrett blocks the suburban Village of Lockland from enforcing the minor-misdemeanor statute, and comes after a scattering of similar decisions overturning ordinances nationwide forbidding citizens from wearing police and military garb.

The ordinance in question authorizes police to pull over drivers on suspicion that they were violating the bumper-sticker law, which reads: “No person who is not entitled to do so shall knowingly display on a motor vehicle the emblem of a local law enforcement agency or an organization of law enforcement officers.”

The legal challenge was brought by Jasir Singh, a 49-year-old grocery owner in the Village of Lockland, a suburb of Cincinnati. In 2008, the Sikh was driving a yellow Corvette through town when he was pulled over because his bumper displayed a silver-dollar-sized emblem of the Fraternal Order of Police.

“That’s harassment when you don’t break a traffic law and you get pulled over and they tell you that the reason is a sticker you’re not supposed to have,” Singh said in a telephone interview Friday.

He testified that a friend on the Cincinnati Police Department gave him the emblem, which symbolizes a 325,000-member fraternal order that calls itself “the voice of our nation’s law enforcement officers.”

The FOP, Lockland and the state of Ohio urged Judge Barrett to uphold the law, which carries a $100 fine for first time offenders. They said the statute was necessary because officers sometimes let down their guard when they pull over vehicles displaying police-related insignia.

“This statute,” the judge ruled, “does not further that interest and may actually put police officers in greater harm since it can not be known to the police officer who is actually driving a motor vehicle regardless of who the vehicle is registered to or what emblem is placed on it.”

Joomla! "com_cb" Component "cat" Parameter SQL Injection

"com_cb" is a component for the Joomla! content management system. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data passed in the "cat" parameter before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/38916

10.13.85 - CVE: Not Available
Platform: Web Application - SQL Injection

TYPO3 Diocese of Portsmouth Database Extension SQL Injection

Diocese of Portsmouth Database (sav_diocesedatabase) is an extension for the TYPO3 content management system. The extension is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Diocese of Portsmouth Database versions 0.7.12 and earlier are affected.

Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/

10.13.90 - CVE: Not Available
Platform: Web Application
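Both advisories above describe the same bug class: a request parameter (the Joomla! "cat" parameter, and an unnamed input in the TYPO3 extension) is spliced into SQL text without validation or binding. Neither advisory reproduces the affected component source, so the following is an added illustration written for this page, not code from com_cb or sav_diocesedatabase. It uses Python with an in-memory SQLite database and a constructed "categories" table; the table, its rows and the function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for whatever the real component queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO categories VALUES (?, ?, ?)",
        [(1, "news", 1), (2, "members-only", 0), (3, "events", 1)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, cat):
    """Hypothetical reconstruction of the bug class: the cat parameter is
    interpolated straight into the SQL string, so SQL syntax in the value
    becomes part of the statement."""
    sql = f"SELECT id, name FROM categories WHERE published = 1 AND id = {cat}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, cat):
    """Same query with two independent defences: validate the type the
    component actually expects (an integer id) and bind the value as a
    parameter so the driver never parses it as SQL."""
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        raise ValueError("cat must be an integer id")
    sql = "SELECT id, name FROM categories WHERE published = 1 AND id = ?"
    return conn.execute(sql, (cat_id,)).fetchall()


def demo():
    """Run a benign value and an injection payload through both versions."""
    conn = make_db()
    payload = "1 OR 1=1"  # constructed payload; AND binds tighter than OR,
    # so the published filter is bypassed and every row comes back
    results = {
        "benign_vulnerable": lookup_vulnerable(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),
        "benign_hardened": lookup_hardened(conn, "1"),
    }
    try:
        lookup_hardened(conn, payload)
        results["payload_hardened"] = "accepted"
    except ValueError:
        results["payload_hardened"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable lookup returns all three rows for the payload, including the unpublished one, because the injected OR rewrites the WHERE clause; the hardened lookup rejects the same input before any SQL is built. Parameter binding alone would also have been enough here, but validating the type first keeps the check close to where the value enters the application, which is where the advisories say the missing sanitisation belongs.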
