Alleged ring leader extradited in $9.4m RBS WorldPay heist

Saturday, August 7, 2010

Federal prosecutors say they have extradited one of the leaders of an international crime ring accused of hacking into bank card processor RBS WorldPay and stealing more than $9.4m in a 12-hour period.

Sergei Tsurikov, 26, of Tallinn, Estonia, was recently brought to the US, after being arrested in Russia in March. On Friday, he appeared in federal court in Atlanta, where, according to the Associated Press, he pleaded not guilty to charges that included conspiracy, wire fraud, computer fraud, and aggravated identity theft.

He and seven alleged accomplices were indicted in November and accused of carrying out a highly sophisticated attack on RBS WorldPay, an Atlanta-based unit of the Royal Bank of Scotland. They allegedly exploited a vulnerability to break into the company's network, where they retrieved payment card data as it was being processed.

They then obtained data for 44 payment cards, most of which were issued by a financial institution known as the Palm Desert National Bank. Over 12 hours on November 8, withdrawals made at more than 2,100 ATM terminals located in 280 cities in the US, Ukraine, Italy, Hong Kong, and elsewhere siphoned more than $9m from the accounts. The ring employed a large number of cashers who used card clones to withdraw money from ATMs and were permitted to pocket about 30 to 50 percent of the take.

Tsurikov and accused accomplice Viktor Pleschuk, 29, of St. Petersburg, Russia, allegedly monitored the fraudulent ATM withdrawals in real-time from within the compromised computer systems.

The 16-count indictment also accused Pleschuk; Oleg Covelin, 29, of Chisinau, Moldova; and an unidentified individual of the same offenses. Igor Grudijev, 32; Ronald Tsoi, 32; Evelin Tsoi, 21; and Mihhail Jevgenov, 34, all of Tallinn, Estonia, were also charged with access device fraud.

If convicted, Tsurikov faces 20 years for conspiracy to commit wire fraud and for each wire fraud count; up to five years for conspiracy to commit computer fraud; up to five or 10 years for each count of computer fraud; a two-year mandatory minimum sentence for aggravated identity theft; and fines of up to $3.5 million. Prosecutors are also seeking forfeiture of the $9.4 million in proceeds from the alleged crimes.

Unpatched kernel-level vuln affects all Windows versions

Researchers have identified a kernel-level vulnerability in Windows that allows attackers to gain escalated privileges and may also allow them to remotely execute malicious code. All versions of the Microsoft OS are affected, including the heavily fortified Windows 7.

The buffer overflow, which was originally reported here, can be exploited to escalate privileges or crash vulnerable machines, IT research company Vupen said. The flaw may also allow attackers to execute arbitrary code with kernel privileges.

The bug resides in the CreateDIBPalette() function of a device driver known as Win32k.sys. It is exploited by pasting a large number of color values into an improperly allocated buffer, potentially allowing attackers to sneak in malicious payloads, vulnerability tracking service Secunia warned.

It affects fully patched installations of every supported Windows platform, from Windows XP SP 3 to Windows Vista, 7, and Server 2008. The latter three versions contain several defenses designed to lessen the effect of security vulnerabilities. It wouldn't be surprising if code execution attacks were possible only on earlier versions that don't have the defenses, which include DEP, or data execution prevention, and ASLR, short for address space layout randomization.

There are no reports of the vulnerability being exploited in the wild. Microsoft said it is investigating the reports but didn't have additional information. Microsoft is scheduled to issue a record 14 security bulletins during next week's Patch Tuesday.

Appeals court bashes warrantless GPS tracking

A federal appeals court has roundly rejected US government claims that it doesn't need a search warrant to surveil suspects using global positioning system location-tracking devices.

In a decision released Friday, a three-judge panel of the US Court of Appeals for the District of Columbia unanimously ruled that FBI agents should have obtained a warrant before planting a GPS device on the vehicle of a suspected drug dealer. That allowed agents to track his position every ten seconds for a full month and was accurate to within 100 feet. The device yielded more than 3,100 pages worth of data, according to documents filed in the case.

Attorneys from the American Civil Liberties Union and the Electronic Frontier Foundation filed a friend-of-the-court brief in the case arguing that absent a warrant, the planting of the device was an illegal search under the US Constitution's Fourth Amendment. The appeals court on Friday firmly rejected federal prosecutors' arguments that the suspect had no reasonable expectation of privacy because the vehicle's whereabouts could have been easily tracked using human surveillance.

"It is one thing for a passerby to observe or even to follow someone during a single journey as he goes to the market or returns home from work," Judge Douglas H. Ginsburg wrote. "It is another thing entirely for that stranger to pick up the scent again the next day and the day after that, week in and week out, dogging his prey until he has identified all the places, people, amusements, and chores that make up that person's hitherto private routine."

The decision comes in a case of one Antoine Jones, who was indicted for cocaine trafficking in the Washington, DC area. FBI agents secretly planted the device on his Jeep Cherokee while it was parked on private property. The Jeep's physical locations were then used by prosecutors to file charges against the man.

A lower court judge who presided over the case suppressed evidence collected while the vehicle was parked in a private garage but allowed other data to be admitted. The appeals court on Friday reversed that decision and threw out the GPS evidence entirely.

If adopted by appeals courts in other circuits, the holding could have a profound effect on the rapidly growing use of GPS technology by police. Police cruisers in Los Angeles, for example, are outfitted with air guns that can shoot GPS-enabled darts at passing cars, the amicus curiae brief claimed. Police in Arlington and Fairfax counties near Washington used GPS devices 229 times from 2005 to 2007, the brief said.

Appeals Court Rules Against Secret Police GPS Tracking

A federal appeals court ruled Friday that the police can’t covertly track a suspect’s car using a GPS device for an extended period of time without getting a warrant.

The ruling in the D.C. Court of Appeals overturned the conviction of a suspected cocaine dealer, saying that the use of a secret GPS tracking device on the man’s vehicle for two months violated the Fourth Amendment’s protection against unreasonable searches and seizures. The ACLU and the Electronic Frontier Foundation filed a friend of the court brief supporting the challenge.

The government argued that a 1983 Supreme Court case U.S. v. Knotts, which allowed police to put a tracking beacon in a container to follow a driver to a secluded cabin, made it clear that GPS tracking was allowed without a judge’s approval.

But the court found otherwise in its ruling (.pdf), drawing a distinction between short-term monitoring that's not much different from a police tail and ongoing, secret and ubiquitous tracking.

"Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one's not visiting any of these places over the course of a month. The sequence of a person's movements can reveal still more; a single trip to a gynecologist's office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story.

"Having tracked Jones's movements for a month, the Government used the resulting pattern, not just the location of a particular stash house or Jones's movements on any one trip or even day, as evidence of Jones's involvement in the cocaine trafficking business. The pattern the Government would document with the GPS data was central to its presentation of the case."

EFF Civil Liberties Director Jennifer Granick welcomed the decision, and hoped the reasoning would spread to similar issues with the mobile phones most of us carry in our pockets.

“This same logic applies in cases of cell phone tracking,” Granick said in a press release. “We hope that this decision will be followed by courts that are currently grappling with the question of whether the government must obtain a warrant before using your cell phone as a tracking device.”

However, Friday's ruling is binding only in the D.C. Circuit. Other circuit courts have found such tracking to be legal, including the 9th (covering many Western states) and the 7th (Illinois, Wisconsin and Indiana). The split makes the issue ripe for the Supreme Court to decide, but it's not clear whether the government will appeal this ruling, given that a loss at the Supreme Court would affect the entire country.

Photo: GPS tracking logs from Portland, visualized. Credit: Aaron Parecki


Defcon speaker calls IPv6 a 'security nightmare'

The internet's next-generation addressing scheme is so radically different from the current one that its adoption is likely to cause severe security headaches for those who adopt it, a researcher said last week.

With reserves of older addresses almost exhausted, the roll-out of the new scheme known as IPv6 or Internet Protocol version 6 is imminent. And yet, the radical overhaul still isn't ready for prime time in large part because IT professionals haven't worked out a large number of security threats facing those who rely on it to route traffic over the net.

"It is extremely important for hackers to get in here fast because IPv6 is a security nightmare," Sam Bowne, an instructor in the Computer Networking and Information Technology Department at the City College of San Francisco, said on day one of the Defcon hacker conference in Las Vegas. "We're coming into a time of crisis and no one is ready."

Chief among the threats is the issue of incompatible firewalls, intrusion-prevention devices, and other security appliances, Bowne said. That means many people who deploy IPv6 are forced to turn the security devices off, creating a dangerous environment that could make it easier for attackers to penetrate network fortresses.

What's more, internet addresses that use the new protocol by default contain a 64-bit string that's generated by a computer's MAC, or Media Access Control, address. The use of the so-called extended unique identifier means that people who want to remain anonymous online will have to take precautions that aren't necessary under today's IPv4 system.

"It means that everything you send or receive is labeled with your real MAC address and therefore if you were to do something naughty, like download copyrighted material, they would know who you are much better than they do if all they have is an IP version 4 address," Bowne said.

Some operating systems, including Windows Vista and Windows 7, have privacy settings turned on by default that cause the string to be randomly generated. While this setting helps preserve anonymity, it also has the potential to break many end-to-end communications, so it may not always be available, Bowne warned. Many organizations require the use of the extended unique identifier so they can keep tabs on their employees' internet usage, he added.
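The two address-generation schemes contrasted above can be shown in a few lines. The following Python is an added example, not code from the talk or from any operating system: it derives the modified EUI-64 interface identifier from a MAC address the way stateless autoconfiguration does (split the MAC, insert ff:fe, flip the universal/local bit), recovers the MAC from such an address as a privacy check an administrator can run over their own address inventory, and generates a random, privacy-extension style identifier instead. The MAC, the 2001:db8::/32 documentation prefix and the function names are constructed for the example.

```python
import ipaddress
import re
import secrets
from typing import Optional

# The universal/local ("u") bit of a modified EUI-64 interface identifier is
# bit 0x02 of its first octet, i.e. bit 57 of the 64-bit IID.
U_BIT = 1 << 57
EUI64_MARKER = b"\xff\xfe"


def mac_to_eui64_iid(mac: str) -> int:
    """Derive the modified EUI-64 interface identifier from a 48-bit MAC
    (RFC 4291, appendix A): split the MAC, insert ff:fe, flip the u/l bit."""
    octets = bytes.fromhex(re.sub(r"[:.\-]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + EUI64_MARKER + octets[3:])
    eui[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(eui, "big")


def _network(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return net


def slaac_address(prefix: str, mac: str) -> str:
    """The stateless-autoconfigured address a host forms from its MAC."""
    net = _network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac)))


def embedded_mac(addr: str) -> Optional[str]:
    """Privacy check: if the interface identifier carries the ff:fe marker,
    undo the EUI-64 transform and return the MAC it exposes, else None."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if bytes(b[3:5]) != EUI64_MARKER:
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in bytes(b[:3] + b[5:]))


def temporary_address(prefix: str) -> str:
    """A privacy-extension style address (RFC 4941): random 64-bit IID with the
    u/l bit cleared, re-drawn if it happens to look like an EUI-64 identifier."""
    net = _network(prefix)
    while True:
        iid = int.from_bytes(secrets.token_bytes(8), "big") & ~U_BIT
        if iid.to_bytes(8, "big")[3:5] != EUI64_MARKER:
            return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    prefix = "2001:db8:1::/64"  # documentation prefix, constructed for the example
    eui = slaac_address(prefix, mac)
    print("EUI-64 address:   ", eui, "-> embedded MAC:", embedded_mac(eui))
    tmp = temporary_address(prefix)
    print("temporary address:", tmp, "-> embedded MAC:", embedded_mac(tmp))
```

Running `embedded_mac` over a list of observed addresses is a quick way to find hosts that are still advertising their hardware address, which is the exposure Bowne describes; the ff:fe marker in the middle of the identifier is what makes such addresses recognisable at a glance.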

To be sure, IPv6 offers many features, including a method for easier end-to-end encryption, that should make networking more secure.

"We've got a lot of benefits and we've taken a lot of the learning from a security perspective from IPv4 and implemented a lot of new security features into IPv6," said Joe Klein, a subject matter expert with the North American IPv6 task force, who was also attending Defcon. "The problem with it is we're in a transition period and that's going to take anywhere from five to 10 years to fully implement it and start to provide end-to-end encryption."

The new protocol, because it hasn't been tested as widely as IPv4, is also likely to suffer from vulnerabilities resulting from buffer overflows and similar bugs, he said. The flaws will likely be worked out as it gains wide acceptance, but that will also take years, he added.

Bowne and Klein aren't the only people warning of growing pains in the net's addressing system. This recent submission to the Full-disclosure list claims Google's Gmail service is also having trouble adapting to the scheme.

Bowne, who teaches classes in ethical hacking, network defense, and Windows 7, also outlined several attacks that exploit unique characteristics of IPv6 to wreak havoc on networks. Packet amplification attacks place a 0 in the routing header of each packet, causing them to travel in a looped path. Ping-pong exploits take advantage of the wealth of /64 subnets available in the protocol, allowing attackers to send packets from one non-existent connection to another. The result is an endless series of ICMP unreachable error messages, flooding networks with garbage data.

The transition to IPv6 is necessary to deal with the growing exhaustion of IPv4 addresses. The older protocol, which is based on a 32-bit addressing system, yields about 4 billion unique numbers, fewer than the 7 billion humans who populate the planet. At the current usage rate, the allocation of free addresses could be used up by June of next year, according to some estimates. IPv6, by contrast, is a 128-bit scheme that allows for over 3.4×10^38 addresses, which ought to keep the world going for quite some time.

Slides and other materials from Bowne's talk are here.

Hoax Facebook virus makes more trouble than a real virus

Friday, August 6, 2010

A hoax Facebook virus is spreading rapidly across the social network.

Many users have been hoodwinked into forwarding an inaccurate warning about the spread of non-existent malware that claims a girl committed suicide over a post her father wrote on her Facebook wall.

No such tragedy has occurred but many are forwarding the wrong-headed message (extract below) creating confusion in the process.

WARNING: THERE IS A VIRUS GOING AROUND AGAIN, IF YOU SEE A GIRL WHO KILLED HERSELF OVER SOMETHING HER FATHER WROTE ON HER WALL DO NOT OPEN IT, IT IS A VIRUS AND IT WILL NOT ALLOW YOU TO DELETE IT, PLEASE PASS THIS ON BEFORE SOMEONE OPENS IT. (IT IS A SELF REPLICATING TROJAN)

People are passing on the warning in the mistaken belief they are helping Facebook friends to avoid a threat. In reality, they are spreading a hoax about a non-existent virus infection. The bogus warning is arguably causing more of a nuisance than a genuine malware infection, according to net security firm Sophos.

It adds that miscreants have exploited the confusion created by the warning by establishing Facebook pages that supposedly offer pictures from the fictitious girl's Facebook wall, but are really designed to make money by tricking surfers into wasting their time completing online surveys of dubious merit.

Malware hoaxes were part and parcel of net life long before the advent of social networking. Surfers are advised to check out warnings with reputable sources before spreading them along.

Internet rumours suggest a girl called Emma killed herself on Christmas Eve 2008 after being bullied on Facebook. However, supposed extracts of conversations that led up to this "tragic event" show "Like" buttons, a feature Facebook only introduced months later.

A more detailed explanation of the genesis of the hoax and its effects can be found in a blog post by Sophos here.

Bound robbery victim IMs for help with toes

An Atlanta woman who was tied to her bed by an armed robber managed to alert her boyfriend by instant messenger - no mean feat since she was obliged to type with her toes.

According to the Atlanta Journal-Constitution, 39-year-old Amy Windom (pictured) was in bed around midnight on Tuesday when the intruder burst into her bedroom. She told the paper: "We struggled for some amount of time. He hit me on the head with the gun."

The robber tied Windom's wrists to the bed posts and then spent almost an hour searching for booty. Once he left, Windom shouted for help and tried to free herself, without result.

She said: "But the way he had tied my wrists with shoe strings, it was tightening around my wrists, cutting off my circulation and cutting into my skin. He tied me really well and I wasn't able to get myself free."

After further struggling and yelling, Windom realised at around 4.15am that the assailant had "left my laptop at the foot of my bed".

She continued: "I flipped my legs over my head and turned off my alarm clock so my radio wouldn't be blaring and block me from hearing anybody walking by that might be able to help me, and I was like, wow, I guess I can do more than I thought with my feet, so I dragged my laptop over with my feet and I pried it open."

After unsurprisingly "struggling" to simultaneously hit control, alt and delete to unlock the PC, Windom enjoyed a "wonderful moment" when she realised her Wi-Fi connection was live.

She explained: "I was worried that the guy had cut my phone line, so I was worried that I wouldn't have an internet connection."

Using one big toe as a mouse, and the end of the power cord gripped between toes on her other foot as an improvised typing tool - "because my big toe was too big to hit individual keys" - she managed to get boyfriend John Hilton on IM, and he called cops just before 5.30am.

He told the Atlanta Journal-Constitution: "I email her every morning before I go to work. I saw her on AIM, and she pinged me first and her first word was, HELP. CALL 911."

Hilton added that his quick-thinking girlfriend held onto her computer because although the intruder "was interested in her laptop ... she said there was a way to trace it so he shouldn't take that".

He noted: "She's got her wits about her all the time."

The Atlanta Journal-Constitution has more, including a screenshot of part of the IM conversation, right here.

Drumbeat CMS "index02.php" SQL Injection

The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index02.php" script before using it in an SQL query. Drumbeat CMS version 1.0 is affected.

Ref: http://www.securityfocus.com/bid/41582

10.31.60 - CVE: Not Available
Platform: Web Application - SQL Injection
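The advisory names the bug class but not the code, and Drumbeat's own index02.php is not reproduced here. What follows is an added illustration in Python with an in-memory SQLite table (not the CMS's PHP, not its schema): the same defect, a request parameter spliced into the query text, beside the corrected form that validates the parameter's shape and binds it as data. The table, rows and function names are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a CMS page store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "About", 1), (3, "Unpublished draft", 0)],
    )
    return conn


def get_page_vulnerable(conn: sqlite3.Connection, page_id: str) -> List[Tuple[int, str]]:
    """The defect class in the advisory: the 'id' request parameter is pasted
    straight into the SQL text, so its content becomes part of the query."""
    sql = f"SELECT id, title FROM pages WHERE id = {page_id} AND published = 1 ORDER BY id"
    return conn.execute(sql).fetchall()


def get_page_hardened(conn: sqlite3.Connection, page_id: str) -> List[Tuple[int, str]]:
    """Fix: reject anything that is not a plain decimal integer, then pass the
    value as a bound parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", page_id):
        raise ValueError("id must be a decimal integer")
    return conn.execute(
        "SELECT id, title FROM pages WHERE id = ? AND published = 1 ORDER BY id",
        (int(page_id),),
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print("normal request:     ", get_page_vulnerable(db, "2"))
    # A non-numeric id changes the WHERE clause in the vulnerable version and
    # returns rows the caller never asked for; the hardened version refuses it.
    print("malformed, vulnerable:", get_page_vulnerable(db, "0 OR 1=1"))
    try:
        get_page_hardened(db, "0 OR 1=1")
    except ValueError as exc:
        print("malformed, hardened:  rejected:", exc)
```

The validation step is not a substitute for the bound parameter: the parameter binding is what closes the injection, while the shape check turns malformed input into an error you can log and alert on rather than a query that silently returns nothing.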

Firefox 4 beta crack ruse spreads Trojan to total idiots

Scammers are trying to con gullible marks into getting infected via a fake Firefox 4.0 beta download scam.

Preview editions of the next version of Firefox are available for download directly from Mozilla at no charge (natch). So it's pretty obvious that offers of Firefox 4 beta cracks or a keygen are entirely bogus and almost certainly malicious.

Fraudsters are therefore hoping to hoodwink the truly clueless into running a supposed Firefox 4 keygen tool or crack, both of which are being promoted via scam-boosting Twitter accounts.

The crack and keygen are both infected with a Trojan downloader, warns Sunbelt Software.

Surfers who follow through with the scam are also directed towards a site hosting a smorgasbord of other digital parasites, as explained in a blog entry by Sunbelt researcher Tom Kelchner here.

eBay photocopier data risk ignored

Analysis The security threat from carelessly ditched computers increasingly applies to a much wider range of office equipment, as sophisticated storage technology finds its way into humble devices such as fax machines and printers.

The risk that sensitive documents might make their way into the hands of undesirables was neatly illustrated by a recent News of the World investigation, which discovered sensitive information on office kit sold through a second-hand supplier.

Multi-purpose photocopiers, which double as scanners and printers, use hard drives to store data. Firms frequently fail to apply basic security precautions before disposing of the equipment, which sometimes ends up on eBay or second-hand office equipment suppliers.

As part of an investigation the News of the World bought a number of second-hand copiers, one of which contained data left over from its use by defence supplier Cobham.

With the assistance of experts, the paper was able to recover documents and faxes including an April purchase order from aerospace giant BAE Systems and NATO briefing notes. It also found a direct debit instruction that gave away the details of one of the firm's bank accounts, along with an authorised signature and the personal details of one worker from a vetting request.

The Canon machine was bought for £411.25 from JKBM.com of Ashford, Kent, a reseller of second-hand office machinery and copiers, which exports much of the equipment that passes through its hands, especially to Nigeria and Ghana. The IR3100CN copier came with a 40GB hard drive.

The NotW passed on details of its find to privacy watchdogs at the Information Commissioner's Office.

Cobham told the NotW that it intended to change its equipment disposal procedures in the wake of the incident. "We take data privacy very seriously and have rigorous procedures," he said. "We are taking all necessary steps to recover the equipment and its data and ensure there's no recurrence."

Independent security experts said the photocopier data disclosure risk has existed for about eight years, but was poorly understood even today.

"Since about 2002 commercial copiers are built with hard drives for purposes of networking and multitasking," said Robert Siciliano, a security consultant at net security firm McAfee. "Organisations who upgrade their hardware are most often unaware of this fact.

"Once sold/donated/refurbished the data is up for grabs. Copiers need to fall under the same categories as computers and mobiles as devices that require compliance to security standards when reselling or disposing."

Harlan Simpson, director of data recovery firm Disklabs, explained that the majority of firms ignore the risk when it comes to getting rid of outdated kit.

"People are simply ignorant to the data stored on photocopiers - they just don't even realise that it's just data stored on a hard disk - the same as in their computers," Simpson explained.

"Because of this, it's treated like an old piece of hardware, not like the storage device it actually is. It's exactly the same with most fax machines."

"People have to learn which devices store data. Photocopiers, faxes, scanners, phones, computers, laptops, BlackBerrys, PDAs... all are potential data vulnerabilities."

While the risks involved in mobile phones are better understood, awareness of the threat from office kit disposal is still in the 1990s, he added.

"We are all aware of the potential for data loss from BlackBerrys and memory sticks which has been frequently reported in the national press over the last few years. Disposing of a photocopier, fax machine, scanner, phone etc, in certain circumstances, can be no different to leaving a laptop or BlackBerry on a train or in a taxi.

"Everyone knows the risk with losing their laptops, few consider disposing of photocopiers in the same way. In some instances, we have even found the hard copies of documents left in the photocopiers."

Andrew Goodwill, a director at credit card fraud prevention firm 3rd Man, said that most of the copiers for sale through eBay are made available by second-hand firms.

Octopus-gate chief exec resigns over private data sale

The sale of private data by Hong Kong transport payments firm Octopus Holdings has forced the resignation of chief exec Prudence Chan.

Octopus, which sells cards used by Hong Kong residents to pay for subway and bus fares, has agreed to donate to charity the HK$44m ($5.7m) it made from selling the details of an estimated two million users as it seeks to draw a line under the scandal. David Tang, head of property projects at MTR Corp, a majority shareholder at Octopus, has been appointed as interim chief executive. Chan will remain at Octopus for a six-month handover period, Bloomberg reports.

The transport payment firm sold personal data to six firms without the consent of its customers. Chan initially denied the sale of the data to privacy commissioners but was forced to admit wrongdoing after further evidence emerged. Her dissembling provoked a public outcry and calls from local politicians for her to resign.

Octopus cards are held by the vast majority of HK residents and can be used to buy food at various outlets as well as paying for transportation. Some purchase the cards for cash but Octopus cards can also be recharged using credit cards. In addition, the firm operates a loyalty card scheme.

Private browsing modes in four biggest browsers often fail

Features in the four major browsers designed to cloak users' browser history often don't work as billed, according to a research paper that warns that users may get a false sense of security when using the built-in privacy settings.

The private-browsing modes are supposed to allow users to visit a website without leaving any trace on their computers, and yet Internet Explorer, Firefox, Chrome, and Safari frequently leave tracks, according to the research, which is scheduled to be presented at next week's Usenix Security Symposium in Washington DC. The makers of those browsers (Microsoft, Mozilla, Google, and Apple, respectively) often hail the offerings as a way to enhance privacy when using shared computers.

One failure that affects IE, Firefox, and Safari happens when users save SSL, or secure sockets layer, client certificates while browsing in private mode. The browsers store a record of those actions in a file that allows anyone who has physical access to know exactly what site the user was visiting at the time. Similarly, when IE and Safari encounter a self-signed certificate, it is stored in a certificate vault that is preserved even after the private session ends.

Similarly, Firefox users who make security certificate settings while in private mode will have a partial copy of their browsing history stored in a file called cert8.db, the researchers said.

"We discovered that all these browsers retain the generated key pair even after private browsing ends," the researchers wrote. "Again, if the user visits a site that generates an SSL client key pair, the resulting keys will leak the site's identity to the local attacker."

The study (PDF here) showed each browser failing in specific settings.

The privacy mode in Firefox, for instance, is undermined when a user sets site-specific preferences or uses a variety of Mozilla-sanctioned plug-ins. The open-source browser also stores websites visited that dole out custom protocol handlers based on the HTML5 standard.

For its part, IE's InPrivate mode can be undermined when websites make SMB queries, since the Microsoft browser shares large chunks of code with Windows Explorer.

The researchers also devised a way for webmasters to detect when someone visiting their sites is using the privacy mode. It involves placing an iframe with a unique web address and then using JavaScript to check whether a link to that URL was displayed as purple (visited) or blue (unvisited).

The researchers said that to the best of their knowledge they are the first to demonstrate a way to detect private browsing mode but that may not really matter for much longer. The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox. It's only a matter of time before Microsoft and Google follow suit.

Using the technique, they confirmed what we all suspected: the feature is mainly used when surfing to porn sites. Gift and news sites, not so much.

Pentagon Demands Wikileaks Return All Classified Documents

A Pentagon spokesman on Thursday demanded that the secret-spilling website WikiLeaks return and delete all the classified Defense Department documents in its possession, and stop soliciting new ones.

“The Defense Department demands that WikiLeaks return immediately to the U.S. government all versions of documents obtained directly or indirectly from the Department of Defense databases or records,” said spokesman Geoff Morrell, opening the Pentagon’s daily press briefing.

“WikiLeaks’s public disclosure last week of a large number of our documents has already threatened the safety of our troops, our allies and Afghan citizens who are working with us to help bring about peace and stability in that part of the world,” said Morrell. “Public disclosure of additional Defense Department classified information can only make the damage worse.

“The only acceptable course is for WikiLeaks to take steps immediately to return all versions of all of these documents to the U.S. government and permanently delete them from its website, computers and records.”

Wikileaks responded on Twitter by calling Morrell “obnoxious,” followed by a second tweet urging WikiLeaks supporters to donate to the organization. “Now is a good time to send WikiLeaks all your money!”

The statements ratchet up the tension between the U.S. government and WikiLeaks, which began with the May arrest of 22-year-old Army intelligence analyst Bradley Manning, who’s been charged with leaking classified information, including video of a deadly 2007 Army helicopter attack in Iraq that claimed the lives of a number of civilians. WikiLeaks had released that video under the title Collateral Murder in April 2010.

On July 25, WikiLeaks angered U.S. officials at the highest level when it published a detailed and mostly-classified log of 77,000 events in the U.S.-led war in Afghanistan from 2004 through 2009. The database, according to both the Pentagon and WikiLeaks, originated from the Defense Department's Secret-level wide area network SIPRnet. Manning remains a "person of interest" in the leak, Morrell said Thursday.

Since the Afghan war logs were published, it has emerged that the records contain the names of some Afghan informants, who now face potentially deadly reprisal from the Taliban, according to the Pentagon. In the wake of that discovery, WikiLeaks told the news website The Daily Beast this week that it was seeking the Pentagon's help in screening a final 15,000 records from the same database before publishing them in a redacted form.

Morrell disputed that claim Thursday. “Wikileaks has made no such request directly to the Department of Defense,” he said.

Morrell also slammed WikiLeaks for a statement near the top of its submission page that reads "Submitting confidential material to WikiLeaks is safe, easy and protected by law." Morrell called it a "brazen solicitation to U.S. government officials, including our military, to break the law" and said it was "materially false and misleading."

“The Department of Defense therefore also demands that WikiLeaks discontinue any solicitation of this type,” he said.

WikiLeaks' claim of legal protection is explained further down on its submission page as referring to legal protections in Sweden and Belgium, through which the site's electronic submissions are purportedly routed.

Asked if the Pentagon had any authority to act if WikiLeaks ignored its demands, Morrell responded “We will cross the next bridge when we come to it. … If doing the right thing isn’t good enough for them, we will figure out what alternatives we have to compel them to do the right thing.”

There may be more at stake for the U.S. government than the Afghan war logs.

Bradley Manning's arrest came after he was turned in by an ex-hacker with whom he'd struck up an online friendship. In his chats with former hacker Adrian Lamo, Manning described leaking a database of 260,000 State Department diplomatic cables, and a classified Army event log from the war in Iraq covering 500,000 events from 2004 through 2009. WikiLeaks hasn't published those purported leaks, and has denied receiving the diplomatic cables.

On Saturday, WikiLeaks published without comment a 1.4GB encrypted file named “insurance.” The file is more than 19 times the size of the Afghan war log.

In his chats, Manning did not mention leaking information from the war in Afghanistan.

Earlier this week, Republican congressman Mike Rogers of Michigan made news by arguing that Manning should be charged with treason and face the death penalty — an argument that is not supported by U.S. law. Supporters of Manning plan a rally outside Quantico on Sunday.

Department of Defense photo by Cherie Cullen. Kim Zetter contributed to this report.

See also

  • WikiLeaks Posts Mysterious Insurance File
  • WikiLeaks Suspect’s YouTube Videos Raised ‘Red Flag’ in 2008
  • Pentagon Says Bradley Manning a Possible Suspect in Afghan Leak
  • Wikileaks Releases Stunning Afghan War Logs Is Iraq Next?
  • Wikileaks Cash Flows In, Drips Out
  • Suspected Wikileaks Source Described Crisis of Conscience Leading to Leaks
  • Army Intelligence Analyst Charged With Leaking Classified Information
  • U.S. Intelligence Analyst Arrested in Wikileaks Video Probe

Microsoft to set record with next Patch Tuesday

Microsoft's security patch release scheduled for next week will include a record number of bulletins that fix dozens of vulnerabilities in several of its products, the company said on Thursday.

The next Patch Tuesday, scheduled for August 10, will include 14 bulletins, eight of which are rated critical, Microsoft's highest severity classification, generally reserved for bugs that can be exploited to remotely execute malware on vulnerable systems with little or no interaction on the part of the end user. Six of those bulletins apply to Windows, another applies jointly to Windows and Silverlight, and the last to the Office suite.

The remaining bulletins are rated important, and apply to Windows and Office. In all, the 14 bulletins patch 34 vulnerabilities.

"For those who keep track of such things, this will be the most bulletins we have ever released in a month; we have released 13 bulletins on a couple of occasions," blogged Angela Gunn, a new member of the Microsoft Security Response Center. "However, in total CVE [Common Vulnerabilities and Exposures] count, this release ties with June 2010, so there's no new record there."

There are no reports that any of the vulnerabilities are being exploited. Yes, a reboot is required for many of the patches.

Microsoft's advance notifications are designed to give system administrators a heads-up about changes that may affect their networks and software. This month's notice is here.

Adobe plans emergency patch for critical Reader bug

Adobe plans to release an emergency update patching a critical vulnerability in its ubiquitous Reader application that was disclosed at last week's Black Hat security conference in Las Vegas.

The fix will be made available during the week of August 16 for Windows, Mac OS X, and Unix versions of Adobe Reader 9.3.3, company officials said on Thursday. It will patch a hole that security researcher Charlie Miller disclosed during a talk demonstrating a tool called BitBlaze, which streamlines the analysis of crash bugs. Adobe has rated the vulnerability as critical because it can be exploited with little user interaction to remotely execute malicious code on a targeted system.

The announcement suggests that Adobe's security team is getting faster at responding to reported vulnerabilities. Over the past year, Reader has seen a string of unpatched vulnerabilities that have taken weeks to patch, even when the bugs are actively being exploited in the wild. And even then, updates often were available only for Windows, forcing Mac and Unix users to wait weeks for their patches.

Adobe has also pledged to add a security sandbox to the next major upgrade of Reader, a feature designed to mitigate the damage hackers can cause when software bugs are discovered.

There are no reports that the bug Miller disclosed is being exploited, but Adobe is going to release the patch outside of its next scheduled security update on October 12 anyway. We're guessing the out-of-band fix was prompted by several slides from his presentation that provided details that could make attacks possible. The vulnerability is indexed as CVE-2010-2862.

More from Adobe is here and here.

Cracking software retrieves iPhone 4 passwords

A Russian password-cracking company has released software it says can recover passwords stored on Apple's latest iPhone without modifying the device or any of the data stored on it.

ElcomSoft of Moscow says the latest version of its iPhone Password Breaker will recover the encrypted keychains that the iPhone 4 uses to store passwords for email accounts, websites, and third-party software. The company markets the software as a tool for forensic investigators, but there's nothing stopping creepy roommates and spouses from using it to surreptitiously snoop on people who use the Apple smartphone.

The software works on the backup that iTunes writes to a computer's hard drive rather than on the handset itself: it recovers the password protecting the backed-up keychain. iOS 4, which Apple released in June, gives users the option of encrypting that backup either with a key unique to each iPhone's hardware or with a dedicated backup password.

"The latest update allows the ElcomSoft tool to grant forensic access to passwords stored in iPhone devices running iOS 4, with known or unknown backup passwords and without altering the content of the phone," the company said in a press release issued Thursday. "In case the original backup password is unknown, ElcomSoft iPhone Password Breaker will perform the recovery of the original password to backup. With a known backup password, keychains are recovered near instantly."

The company offers a wide variety of password-cracking tools that use graphics hardware from ATI or Nvidia to run guesses in parallel, an approach that is orders of magnitude faster than CPU-only cracking. The software is designed to work seamlessly with higher-end PCs that have a GPU card installed.
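As an added illustration of the mechanism (example code written for this page, not ElcomSoft's tool, and not the real iOS backup format, whose cipher, key sizes and work factor are not reproduced here), the following Python builds a toy password-protected backup and shows the two cases the press release distinguishes: with the backup password known, opening the backup costs a single key derivation; with it unknown, recovery is an offline dictionary attack that pays one derivation per candidate. The iteration count, the HMAC-based keystream, the sample keychain and the password are all assumptions of the example.

```python
import hashlib
import hmac
import os

# Assumed toy parameters; the real iOS 4 backup format is not reproduced here.
ITERATIONS = 10_000
KEY_LEN = 32


def derive_key(password, salt, iterations=ITERATIONS):
    # Salted, iterated derivation: every guess costs `iterations` HMAC rounds,
    # and the per-backup salt stops precomputed tables from helping.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, KEY_LEN)


def _keystream(key, length):
    # Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_backup(password, keychain):
    """Wrap a keychain blob under a backup password: ciphertext plus a MAC that
    lets a recovery tool tell a right guess from a wrong one without the phone."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    ct = _xor(keychain, _keystream(key, len(keychain)))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"salt": salt, "keychain": ct, "tag": tag}


def open_backup(backup, password):
    """Known password: one derivation and the keychain is readable.
    Wrong password: None. The MAC is what makes offline guessing possible."""
    key = derive_key(password, backup["salt"])
    expected = hmac.new(key, backup["keychain"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, backup["tag"]):
        return None
    return _xor(backup["keychain"], _keystream(key, len(backup["keychain"])))


def recover_password(backup, candidates):
    """Unknown password: dictionary attack, one PBKDF2 run per candidate.
    Returns (password, attempts) or (None, attempts). Each candidate is
    independent of the others, which is why GPU crackers parallelise this loop."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if open_backup(backup, guess) is not None:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample keychain; the password is part of the example.
    keychain = b'{"mail.example.org": "hunter2"}'
    backup = make_backup("Summer2010", keychain)
    print(open_backup(backup, "Summer2010"))
    wordlist = ["password", "123456", "qwerty", "Summer2010", "letmein"]
    print(recover_password(backup, wordlist))
```

The cost of the unknown-password case is `ITERATIONS` times the candidate count, which is the figure a work factor is meant to push up; the known-password case stays a single derivation no matter how high that figure is set.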

A PDF of ElcomSoft's press release is here.

Caretaker faces jail for putting abuse images on boss's laptop

Thursday, August 5, 2010

A school caretaker has been warned he faces a likely jail sentence for putting child sex abuse images on another caretaker's laptop.

Neil Weiner, 39, of Dagenham, East London, also sent police a CD containing 177 child sex abuse images he claimed came from his co-worker's computer.

Police acted on the information and found another 235 images on Eddie Thompson's laptop. Weiner hoped his actions would get Thompson sacked so he would be promoted and get his job, PA reports.

Thompson said when the accusations were made public he was ignored by colleagues at the school and he and his wife were scared to leave the house.

Thompson told the court in a victim impact statement: "My life and good name was nearly destroyed by a villain who tried to destroy my reputation in a monstrous manner. This must be the work of a depraved mind."

Weiner was arrested in 2007 after police traced the mobile used to make the original anonymous call.

He was remanded in custody and warned he faces a substantial custodial sentence.

MyKazaam Address & Contact Organizer "contacts.php" SQL Injection

MyKazaam Address & Contact Organizer is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "var1" parameter of the "address_book/contacts.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/41545

10.31.59 - CVE: Not Available
Platform: Web Application - SQL Injection

Virus writer charged with destroying property

Japanese police have arrested a suspected virus writer over allegations he created and distributed an old-school virus that targeted freetards and destroyed data.

Masato Nakatsuji, 27, from Osaka, allegedly created the "ika-tako" (squid-octopus) virus. The malware was programmed to seek out data files on the machines of file-sharing network users, destroy them and replace them with a supposedly humorous picture of an octopus.

The malware was created in July 2009 and subsequently seeded onto file sharing networks, claiming an estimated 50,000 victims in the process.

Nakatsuji told police he wanted to test his programming skills as well as punish file sharers, the Japan Times reports.

The paper adds that Nakatsuji is believed to be the first person charged with destroying property by using a computer virus.

He previously received a suspended two-year prison sentence for copyright infringement via the creation of a computer virus, which makes a prison term almost certain if he is convicted as a repeat offender over his latest alleged offence.

Facebook gets mobile privacy

Social networkers stricken by a sudden attack of paranoia can relax - you can now adjust your Facebook privacy settings from the palm of your hand.

Android users get a new client too, with embedded video playback and photograph management, but even Android users have to switch to the browser to adjust their privacy settings remotely.

The security site is at m.facebook.com/privacy, and worked for us when we had a quick look; though Facebook is warning that not everyone will be able to access it immediately as the service is rolled out.

The new Android client links into the notification tray and is a bit more finger-friendly, but it's an incremental improvement rather than anything spectacular. It's already in the Android Market.

We have to wonder what kind of life-changing event would make one urgently need to adjust one's Facebook privacy settings, though it's probably more a matter of being able to do it when you remember, like when someone in the pub, whom you've never met, mentions being able to see your profile.

Monitoring for security effectiveness

Workshop In the last of this mini-poll series, we wanted to find out whether the security monitoring mechanisms you have in place are seen as effective. To kick off, we should introduce a couple of factors we thought might make a difference, namely whether you want to monitor, and whether you have to monitor against security breaches.

For the former we asked whether security monitoring was an investment priority: 45 per cent of the sample said it was.

For the latter we asked whether compliance was a driver for implementing monitoring capabilities: 53 per cent of the sample agreed.

More on these sub-groups in a minute, but first let's look at what systems are currently being monitored. As you can see from Figure 1, the level of monitoring overall could loosely be described as variable: email systems are the best of the class, whereas the emphasis on monitoring mobile equipment is relatively low.

Figure 1

So how does this picture change based on the "want to" / "have to" sub-groups? Taking compliance first, while it does make a difference, it's not having a massive impact. Remember we're asking about whether compliance is a major driver, so you might expect to see organisations a bit more, well, driven (Figure 2).

Figure 2

What you see here challenges the often-heard notion that compliance is an overriding driver for all risk-related investment. Clearly it is not. The reality is that reputational risk, operational risk, competitive exposure and the simple need for confidentiality in the normal course of doing business typically have a greater influence. It's not just about ticking boxes to stay legal.

Whatever the drivers, it's clear that money talks. Unsurprisingly, those seeing security monitoring as an investment priority have also made greater investments in such capabilities. In particular these are concerned with areas in which activity and risk are largely defined by the behaviour of end users. Email, desktop and mobile systems, for example, are all considerably better covered (Figure 3).

Figure 3

What's specifically being monitored for? As you can see from Figure 4, dubious website access is top of the list, followed by loss of corporate laptops and mobiles, and then data loss via email.

Figure 4

Perhaps what's most interesting about this chart is how low down the list protections against personal equipment are. This is of course a tricky area: how can you lock down things that are outside your domain, most of which you have little visibility of? But equally we are seeing the amount of personal equipment in business use continue to rise. From a security perspective, this is an accident waiting to happen.

But what of the business case for investment? It's all very well investing in improved monitoring facilities to help manage risk, but the benefit is difficult to get a handle on. Effective monitoring makes you more aware of the risks, so putting better systems in place can, ironically, actually elevate your perceived level of exposure. Meanwhile, those with poor monitoring facilities often see less in the way of threats, simply as a result of blissful ignorance. For these reasons, we didn't see a huge difference in the reported level of challenges and risks in many areas when we compared those who had prioritised monitoring-related investments to those who hadn't.

But focusing on risk management anyway is a bit like trying to assess the return on investment from taking out insurance: you are better protected, but it doesn't really help with efficiency and effectiveness, ie the things that are front of mind in terms of day-to-day performance.

One area that did stand out, however, was the difference between groups when it comes to IT support overhead (Figure 5).

Figure 5

This is pretty important. It highlights the resource implications of security-related issues in general, in that someone, somewhere needs to spend time dealing with all incidents, large or small, when they arise. What we see on the above chart relates specifically to IT support overhead, but security-related issues create extra work for business people too: investigating the impact of a security breach, dealing with public relations fallout, placating disgruntled customers, or simply filling out paperwork to document what's happened. If we think of effective security monitoring as a way of pre-empting and preventing such issues arising, then it should be possible to work cost as well as risk into any business case.

So, if anyone still doubts that security can have a return on investment, just show them Figure 5 and see what they make of it.

Adobe confirms critical flaw in Reader and Acrobat

Affects current and earlier versions.

A critical flaw in Adobe Reader and Acrobat that was disclosed last week at the Black Hat Conference in Las Vegas could allow an attacker to compromise a user's system.

The flaw, which is caused by an integer overflow error in the way the PDF viewer parses fonts, was disclosed by Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators. The vulnerability can be exploited by an attacker to corrupt memory via a specially crafted PDF file, according to an advisory from security firm Secunia. If exploited successfully, the flaw could allow an attacker to execute arbitrary code on an affected system.

“We are aware of the vulnerability reported by Charlie Miller at Black Hat and are in the process of developing a patch,” Adobe said in a statement.

Adobe is currently evaluating whether to distribute a fix for the vulnerability as part of its next quarterly update for Adobe Reader and Acrobat, scheduled for October 12, or as an “out-of-band” security update.

The vulnerability affects the current version of the software, Adobe Reader 9.3.3, and earlier versions for Windows, Macintosh and UNIX, Adobe said. It also affects Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh. There are no reports of the bug being exploited in the wild.

Meanwhile, a similar flaw affecting the mobile version of Apple's Safari browser is being exploited to jailbreak the latest iPhone, according to security researchers. The exploit, available at jailbreakme.com, chains two distinct vulnerabilities, including a PDF font-parsing bug in Mobile Safari, to jailbreak the iPhone 4 and so let users install unapproved applications.

While the jailbreak hack is non-malicious, researchers warned that an attacker could potentially exploit the underlying vulnerabilities for more malicious purposes. 

An Apple spokeswoman told SCMagazineUS.com that the company is aware of the issue.

"We have already developed a fix and it will be available to customers in an upcoming software update,” she said.

See original article on scmagazineus.com

Secure Computing Magazine


Apple preps iOS fix as Germany warns of iPhone peril

Apple plans to issue fixes for two security flaws that when exploited together allow attackers to remotely install malicious apps on iPhones, iPads, and iPod touches.

Although the critical vulnerabilities surfaced over the weekend, Apple officials didn't acknowledge them until Wednesday, the same day the German government warned that the vulnerabilities could be exploited when users viewed booby-trapped websites or email messages. No other user action is required.

CNET reported that an Apple spokeswoman issued a statement saying the company is aware of the bugs and "we have already developed a fix and it will be available to customers in an upcoming software update." The statement didn't say when the update would be released.

So far, the only documented exploit of the bugs is on Jailbreakme.com, a site that makes it possible to jailbreak the Apple devices by doing nothing more than visiting the site and flicking a slider. The hack is innocuous and transparent, but there's nothing preventing malicious attackers from using the same vulnerabilities to do much more nefarious things and that could happen soon, the German Federal Office for Information Security warned.

"It has to be expected that hackers will soon use the weak spots for attacks," the agency said in a statement. "This allows potential attackers access to the complete system, including administrator rights."

The Jailbreakme site exploits two distinct iOS vulnerabilities to pull off the hack. The first exploits a bug in Apple software that parses fonts in PDF files. That allows hackers to inject code of their choosing into the document-viewing app. A second bug allows them to break out of a security sandbox built into the devices so the code can access the root of the device.

Without a doubt, the unpatched vulnerabilities are the most serious to hit Apple's mobile devices since the iPhone debuted in 2007. If we didn't know better, we'd think the bugs were spawned by Adobe or Microsoft, given the minimal user interaction required and the ability of a successful exploit to completely root a device.

As such, iPhone users may want to think twice about following links included in Twitter, chat messages, and emails until the patch is released. Websense has a list here of alternate browsers that require a user to click on a button before PDFs are opened.

But because iPhones by default automatically open PDFs included in email, truly paranoid users may want to hold off checking email until the patch is released.

Judge trounces Register.com in Baidu.com hijacking case

A federal judge has given Chinese search-engine giant Baidu the green light to proceed with its negligence lawsuit against domain registrar Register.com in a court decision that said an error that wreaked havoc on the Chinese site smacked of intentional wrongdoing.

The ruling came after Register.com argued in March that it couldn't be sued for the ham-fisted blunder because its MSA, or master services agreement, barred most claims for employee screw-ups unless they involved gross negligence. The suit arose out of a January attack in which a Register.com employee turned over an account used to control Baidu's domain servers to a member of the Iranian Cyber Army even though the person presented incorrect credentials not once, but twice.

As a result, Baidu, the world's number-three search engine and the biggest in China, lost control of the baidu.com domain name for more than five hours. Register.com employees refused to help when legitimate Baidu representatives appealed by phone and online chat, and didn't begin to address the problem until two hours after first being told of it.

"I hold that Baidu has alleged sufficient facts in its complaint to give rise to a plausible claim of gross negligence or recklessness," wrote US Judge Denny Chin, sitting by designation in the Southern District of New York. "If these facts are proven they would provide a sufficient basis for a jury to find that Register acted in a grossly negligent or reckless manner, in which event the limitation of liability clause in the MSA would be ineffective."

Chin cited four considerations that led him to that conclusion. First, the Register.com employee agreed to change the email account associated with Baidu's account even though the intruder gave an incorrect response to a security question. Second, in a subsequent conversation, the employee didn't notice that the intruder gave an invalid security code. Third, when the intruder asked that the email account be changed to antiwababi2008@gmail.com, the rep failed to notice it was hosted by Baidu's arch rival. And last, the rep provided the intruder with Baidu's user name, allowing the DNS-records hijack to proceed.

"If these allegations are proven, then Register failed to follow its own security protocols and essentially handed over control of Baidu's account to an unauthorized intruder, who engaged in cyber vandalism," Chin wrote. "On these facts, a jury surely could find that Register acted in a grossly negligent or reckless manner."

The amount of resources that Register.com is pouring into the defense of what almost everyone would agree is a massive cock-up is breathtaking. Here's hoping the domain registrar is also devoting as much energy to the protection of its customers.

Scotland Yard arrests six over multi-million phishing scam

Wednesday, August 4, 2010

Six suspected fraudsters have been arrested in the UK and Ireland over their alleged involvement in a bank and credit card phishing scam that affected tens of thousands of victims and resulted in losses of millions of pounds.

Five men and one woman, aged 25 to 40, were arrested in London and County Meath, Ireland on Tuesday and Wednesday following an investigation led by officers from the Met's Police Central e-Crime Unit (PCeU). The five UK suspects, all arrested following raids on addresses in London, remain in custody in central London pending further police inquiries. Each faces possible computer fraud and hacking charges.

The arrests were part of Operation Dynamophone, an investigation by the PCeU into a sophisticated phishing fraud network that systematically harvested online bank account passwords and credit card numbers. The MPS Territorial Support Group and the Irish Garda Síochána Fraud Investigation Bureau assisted the PCeU in serving warrants on the six suspects.

Police reckon 10,000 online bank accounts and 10,000 credit cards have been compromised as part of a fraud that has resulted in the attempted theft of £1.14m and losses of £358,000 from online bank accounts. The value of credit card fraud associated with the scam is less certain but estimated at more than £3m.

Detective Inspector Colin Wetherill of the PCeU said: "We have taken this action to shut down an organised criminal network running an online phishing and account take-over operation. A great deal of personal information was compromised and cleverly exploited for substantial profit. By disrupting the operation we have hopefully prevented further loss to individuals and institutions across the UK."

He added that consumers ought to follow online safety advice from sites such as getsafeonline.org to safeguard themselves against the risk of becoming the victims of online fraud.

A Met Police statement on the case can be found here.

Botnet that pwned 100,000 UK PCs taken out

Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers.

Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data - including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks - from compromised Windows systems.

Trusteer researchers identified the botnet's drop servers and command-and-control centre before reverse engineering the system to gain access to its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed by Trusteer on to the Metropolitan Police.

Trusteer declined to point the finger as to the locations of the Zeus botmaster controlling the systems, beyond saying that compromised systems were controlled from eastern Europe.

"The cybercrime servers were hidden but the hackers were not using a lot of security, so it was possible to find a way into the database," Mickey Boodaei, Trusteer's chief exec told El Reg.

The original attack was probably seeded by a combination of infected email attachments and drive-by downloads, according to Amit Klein, Trusteer's chief technology officer. The Windows-based malware used to control zombie clients was a variant of the infamous Zeus cybercrime toolkit, a customisable Trojan keylogger and botnet-control client sold through underground forums that's become the sawn-off shotgun of the cybercrime economy over recent years.

"There are some significant changes between Zeus 1.x and Zeus 2.0: Zeus 2.0 installs differently, better adapted to newer Windows operating systems (Vista, 7). Additionally, Zeus 2.0 has built-in support for Firefox," Klein explained.

"There are Zeus binaries out there for a few months already with version number 2.0.x.y. We do not control Zeus's version numbers - it's the Zeus writers who do that," he added.

Trusteer says the attack is an example of the growing trend of regionalised malware.

xbtit "index.php" SQL Injection

xbtit is a tracking system for BitTorrent. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "order" parameter of the "index.php" script before using it in an SQL query.

Ref: http://www.securityfocus.com/bid/39074

10.31.58 - CVE: Not Available
Platform: Web Application - SQL Injection
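Neither this advisory nor the MyKazaam "contacts.php" one above shows the affected code, so the following is an illustrative example added here, not code from xbtit or MyKazaam. It assumes, hypothetically, that "var1" is used as a WHERE value and "order" as an ORDER BY target, which is the usual shape of these two bugs, and it uses an in-memory SQLite table with constructed rows in place of either application's schema. The point it makes is that the two parameters need different fixes: a value can be bound as a query parameter, but a sort column cannot, so it must be checked against an allow-list.

```python
import sqlite3

# Constructed sample table standing in for either application's schema.
ROWS = [
    ("alice", "Bob", "zed@example.org"),
    ("alice", "Carol", "ann@example.org"),
    ("mallory", "Dave", "mid@example.org"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO contacts (owner, name, email) VALUES (?, ?, ?)", ROWS)
    return conn


def contacts_unsafe(conn, var1):
    # The flaw the advisories describe: request data spliced into the SQL text,
    # so a quote character in var1 rewrites the WHERE clause.
    sql = "SELECT name, email FROM contacts WHERE owner = '%s'" % var1
    return conn.execute(sql).fetchall()


def contacts_safe(conn, var1):
    # Bound parameter: the driver passes var1 as a value, never as SQL.
    sql = "SELECT name, email FROM contacts WHERE owner = ?"
    return conn.execute(sql, (var1,)).fetchall()


# Sort targets cannot be bound as parameters, so the fix for an ORDER BY
# injection is an allow-list mapping request values onto real column names.
ALLOWED_ORDER = {"id": "id", "name": "name", "email": "email"}


def listing_unsafe(conn, order):
    sql = "SELECT name FROM contacts ORDER BY " + order
    return [row[0] for row in conn.execute(sql)]


def listing_safe(conn, order):
    column = ALLOWED_ORDER.get(order)
    if column is None:
        raise ValueError("unsupported sort column: %r" % order)
    return [row[0] for row in conn.execute("SELECT name FROM contacts ORDER BY " + column)]


def infer_via_sort_order(conn, condition_sql):
    # What an attacker gets from an ORDER BY injection even though the page
    # never prints the injected expression: encode a yes/no question as the
    # sort key and read the answer back from the order the rows come out in.
    probe = "CASE WHEN (%s) THEN name ELSE email END" % condition_sql
    return listing_unsafe(conn, probe) == listing_safe(conn, "name")


if __name__ == "__main__":
    db = make_db()
    print(contacts_unsafe(db, "alice' OR '1'='1"))   # every row; owner check bypassed
    print(contacts_safe(db, "alice' OR '1'='1"))     # []; treated as a literal owner name
    print(infer_via_sort_order(db, "(SELECT count(*) FROM contacts WHERE owner = 'mallory') > 0"))
```

The sort-order probe is why "it only goes into an ORDER BY" is not a reason to leave a parameter unchecked: a boolean answer per request is enough to pull data out of the database one bit at a time.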

ZDI bug bounty program imposes fix deadline for vendors

31 high-risk vulnerabilities on waiting list.

In an effort to take back some of the control from vendors, the leading third-party bug bounty program plans to give providers six months to fix reported vulnerabilities -- or face limited public disclosure.

TippingPoint's Zero Day Initiative (ZDI) announced yesterday that it will impose a six-month deadline for vendors to patch reported issues. The new rules take effect today.

"This applies to all future vulnerabilities submitted through our program, as well as currently outstanding reports," wrote Aaron Portnoy, manager of security research, in a blog post.

That means ZDI may begin disclosing details about the vulnerabilities as soon as February 4, 2011, for all currently outstanding reports. According to the company's "Upcoming Advisories" page, 122 vulnerabilities reported by ZDI remain unfixed for periods ranging from one day to more than three years.

A review of the list reveals dozens of Microsoft, Cisco and Apple bugs that have gone many months without a fix. One still-unpatched vulnerability was reported to IBM 1,156 days ago, in June 2007.

"[W]hen the timeline is controlled by the affected vendor, sometimes they are less than punctual with regard to patch time," Portnoy wrote. "As it stands right now, there are currently 31 high-risk vulnerabilities reported by the ZDI over a year ago that are awaiting a patch from the vendor. We believe this places the end-user unnecessarily at risk for an extended period of time."

The danger to users is compounded by the fact that many of today's researchers are discovering vulnerabilities in concert with one another, Portnoy said.

Under the new policy, ZDI will publish an advisory that provides limited details about the vulnerability in question, including possible mitigations that can be deployed to lessen the threat, Portnoy said. ZDI only will publish this advisory if the affected vendor fails to respond or is not able to offer a valid reason for why the flaw could not be fixed in time.

"We realize some issues may take longer than the deadline due to complexity and compatibility reasons and we are willing to work with vendors on a case-by-case basis," he wrote. "To maintain transparency into our process, if any vulnerability is given an extension we plan on publishing the communication we've had with the vendor regarding the issue once it is patched."

ZDI pays researchers for exclusive rights to unpatched vulnerability details. The company benefits by being able to immediately provide protection to its customers, long before a fix is issued by the impacted vendor.

ZDI is not the only outlet demanding deadlines from vendors. Google engineers recently blogged that software makers should fix "critical" vulnerabilities within two months, and researchers should demand a patch deadline for any flaw they submit.

Not everyone agrees with programs such as ZDI. Microsoft plans to stick with its long-standing strategy of not offering payment for bug fixes. However, the software giant did recently drop the term "responsible disclosure" from its lexicon and unveiled an initiative known as "coordinated vulnerability disclosure" as a means to get researchers and vendors to better align their motives.

During a panel discussion at the recent Black Hat conference in Las Vegas, Cisco CSO John Stewart said he is not in favor of bug bounty programs.

Security researchers who voluntarily disclose vulnerabilities should be motivated by the goal of making the internet more secure, Stewart said. Providing cash for bug disclosures could shift researcher motivations from making the internet a better place to just making a profit.

See original article on scmagazineus.com

Secure Computing Magazine


Critical flaws discovered in widely used embedded OS

500 million devices could be affected.

Two critical vulnerabilities have been discovered in mission-critical systems used in 500 million devices, including VoIP phones, telecom equipment, military routing devices, automobile controls and spacecraft.

Last week at the Security B-Sides and DEFCON conferences in Las Vegas, HD Moore, chief security officer at Rapid7 and founder and chief architect of Metasploit, disclosed two critical vulnerabilities in VxWorks, which is used to power Apple Airport Extreme access points, Mars rovers and C-130 Hercules aircraft, in addition to microwaves, switches, sensors, telecom equipment and industrial control monitors.

VxWorks has a service enabled by default that provides read or write access to a device's memory and allows functions to be called, Moore told SCMagazineUS.com. The vulnerable service, called WDB agent, is a “debugger” for the VxWorks operating system that is used to diagnose problems and ensure code is working properly when a product is being developed.

The debugging service, a selectable component in the VxWorks configuration enabled by default, is not secured and represents a security hole in a deployed system, according to an advisory issued by US-CERT.

The exposed WDB agent “allows anyone with network access to the device to take complete control of the device,” Moore told SCMagazineUS.com. “With a little bit of work, you could hijack just about any device.”

To determine how widespread the problem was, Moore wrote a scanner module for the Metasploit open-source penetration testing framework to run a network survey that encompassed more than 3.1 billion IP addresses, he said. More than 250,000 products representing 100 vendors were found with the WDB agent exposed, he said.

Moreover, unknown hackers spent most of 2006 scanning for the service, Moore said.

“There is a pretty good chance that someone already found this vulnerability and exploited it en masse all throughout 2006,” he said. “It was more than likely someone doing something malicious, but we have no clue what that was. There's just a huge variety of what you can do with this vulnerability – if you know how to apply it.”

Meanwhile, a separate vulnerability involving the hashing algorithm that is used in the standard authentication API for VxWorks could allow an attacker to brute force a password, Moore said.

The hashing algorithm is susceptible to collisions, meaning an attacker would be able to brute force a password in a relatively short period of time by guessing a string that produces the same hash as a legitimate password, according to a separate advisory posted by US-CERT.

Moore contacted the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and provided researchers with a list of affected devices, with the goal of notifying as many vendors as possible. VxWorks customers include Northrop Grumman, Motorola, Dell, Apple, HP and Cisco. VxWorks is produced by Wind River, acquired by Intel in 2009.

Wind River plans to fix the weak password hashing vulnerability in VxWorks 6.9, which has not yet been released, according to Moore. However, the vendor has not made any promises to fix older affected versions of the embedded operating system.

“I expect to see this bug live on almost indefinitely,” Moore said.

However, a Wind River spokesman told SCMagazineUS.com in an email that when contacted by Carnegie Mellon University's CERT Coordination Center, Wind River immediately assessed the alert, issued patches on August 2 and was instructed by CERT to provide a "synchronous public response."

These two bugs are “just the tip of the iceberg,” Moore wrote in a blog post.

The VxWorks platform largely has been ignored for the past 10 years and needs to be more thoroughly tested, he said.

See original article on scmagazineus.com

Secure Computing Magazine


Adobe confirms remote code-execution flaw in Reader (again)

A security researcher has uncovered yet another vulnerability in Adobe Reader that allows hackers to execute malicious code on computers by tricking their users into opening booby-trapped files.

Charlie Miller, principal security analyst at Independent Security Evaluators, disclosed the critical flaw at last week's Black Hat security conference in Las Vegas. It stems from an integer overflow in a part of the application that parses fonts, he said. That leads to a memory allocation that's too small, allowing attackers to run code of their choosing on the underlying machine. There are no reports of the flaw being targeted for malicious purposes.
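The failure mode described above (an integer overflow in a size computation that yields an allocation smaller than the data later written into it) is easiest to see on the arithmetic itself. The following is an added example, not code from Adobe Reader or from Miller's research: it models how a 32-bit parser would size a record array from a constructed header, with and without the overflow guard. The header layout (a little-endian record count followed by a record size) is a hypothetical stand-in and is not the font format in question.

```python
import struct

UINT32_MAX = 0xFFFFFFFF


def wrapped_size(count, elem_size):
    """Buffer size a 32-bit parser computes for count * elem_size with no overflow check.
    The product is truncated to 32 bits, exactly as unsigned C arithmetic would do."""
    return (count * elem_size) & UINT32_MAX


def checked_size(count, elem_size, limit=UINT32_MAX):
    """Same computation with the guard that is missing in the vulnerable pattern:
    refuse to allocate when the true product does not fit the allocator's size type."""
    if count < 0 or elem_size <= 0:
        raise ValueError("invalid table dimensions")
    # Divide first so the comparison itself can never overflow; this is the idiom
    # C code must use before calling malloc(count * elem_size).
    if count > limit // elem_size:
        raise OverflowError("record count * record size overflows a 32-bit allocation")
    return count * elem_size


def parse_table_header(header, hardened=True):
    """Parse a constructed 8-byte header (hypothetical layout, not Adobe's font format):
    little-endian uint32 record count followed by uint32 record size.
    Returns the byte count the parser would allocate for the record array."""
    if len(header) < 8:
        raise ValueError("short header")
    count, elem_size = struct.unpack_from("<II", header, 0)
    if hardened:
        return checked_size(count, elem_size)
    return wrapped_size(count, elem_size)


def header_is_safe(header):
    """True when the hardened parser accepts the header, False when it rejects it."""
    try:
        parse_table_header(header, hardened=True)
        return True
    except (OverflowError, ValueError):
        return False


# Constructed headers used for the demonstration.
BENIGN_HEADER = struct.pack("<II", 256, 16)           # 4096 bytes either way
OVERFLOW_HEADER = struct.pack("<II", 0x40000004, 4)   # true size 0x1_0000_0010, wraps to 16
```

The unguarded path turns a record array of more than four gigabytes into a 16-byte buffer, which is the "memory allocation that's too small" the article describes; the guarded path rejects the header before any allocation happens.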

Details of Miller's discovery come as hackers are exploiting a separate font-parsing bug in the PDF reader built by Apple to jailbreak the latest iPhone. While the hack is harmless, security firms including Symantec and McAfee have warned that the underlying flaw, when combined with a second one, could be used to execute malicious code on the Apple smartphone.

Apple has yet to acknowledge the vulnerabilities.

Brad Arkin, senior director of product security and privacy at Adobe, said members of the company's security team attended Miller's talk and have since confirmed his claims that the vulnerability can lead to remote code execution. The team is in the process of developing a patch and deciding whether to distribute it during Adobe's next scheduled update release or as an out-of-band fix that would come out in the next few weeks.

Key to the decision is determining whether there are enough details available from Miller's talk for the vulnerability to be exploited in real-world attacks.

"Certainly, there's some information in the slides and screenshots of some of the crash information," Arkin told The Register. "As we evaluate what's the right response, we're going to look in and decide is that information sufficient and if so, how long would it take for someone with malicious intent to convert that into an exploit."

Miller's discovery is the latest to document a vulnerability in Adobe Reader that puts its users at risk of attacks that can surreptitiously install malware that steals passwords or other sensitive information. The vulnerability affects versions for Windows, Unix, and Mac OS X.

Miller discussed the unpatched bug during a demonstration of a security software tool called BitBlaze, which helps researchers analyze crash bugs. The tool was also instrumental in helping Miller gain insights into two exploitable bugs in OpenOffice that remain unpatched. Slides from his talk are here, and the white paper is here.

Location-based quantum crypto now possible, boffins say

Researchers say they have devised a foolproof way to encrypt messages that can be unlocked only by a recipient physically located in a specific place, solving a problem that has vexed cryptographers for years.

The technique for position-based quantum cryptography is scheduled to be presented at the 2010 IEEE Symposium on Foundations of Computer Science in October. It makes it theoretically possible for people to securely encrypt and decrypt messages without the use of pre-shared keys. Instead, the messages would be encrypted using keys based on a recipient's physical presence at a secure facility.

"The aim of position-based cryptography is to use the geographical position of a party as its only credential," the researchers wrote in their paper. "This has interesting applications, e.g., it enables two military bases to talk to each other over insecure (i.e., neither private nor authenticated) channels and without having any pre-shared key, with the guarantee that only parties within the bases learn the content of the conversation."

The technique builds off of previously reported research that suggested position-based crypto was impossible to pull off against multiple colluding adversaries scattered in different places. The researchers solved this problem by devising a way to use quantum mechanics to determine a party's location that can't be spoofed.

"Our results open a fascinating new direction for position-based security in cryptography where security of protocols is solely based on the laws of physics and proofs of security do not require any pre-existing infrastructure," their paper states.

The task of verifying a recipient's location involves sending the quantum equivalent of bits using a protocol that requires the receiver to respond to random challenges. The so-called no-cloning principle of quantum mechanics makes it impossible for people elsewhere to provide the correct answer.

The technique guarantees that the person sending the message shares a secret key with the recipient only if the latter is located at a specific location. Anyone located elsewhere will be unable to convert the message into plain text.

While the research solves an important problem, it's unlikely to see practical applications anytime soon, crypto and security expert Bruce Schneier said.

"Don't expect this in a product anytime soon," he blogged. "Quantum cryptography is mostly theoretical and almost entirely laboratory-only. But as research, it's great stuff."

The researchers are Nishanth Chandran, Ran Gelles, and Rafail Ostrovsky of the University of California, Los Angeles; Serge Fehr of the Cryptology and Information Security Group in Amsterdam; and Vipul Goyal of Microsoft Research in India. A PDF of the paper is here.

Hack uses Google Street View data to stalk its victims

A security researcher has devised an attack suitable for stalking and similarly creepy endeavors that uses JavaScript and geo location data from Google to pinpoint a victim's precise location.

In a talk titled How I Met Your Girlfriend, at the Black Hat conference last week, hacker Samy Kamkar demoed the technique, which he cleverly dubbed an XXXXSS. Here's how it works:

  • Kamkar lures the victim to a website that uses JavaScript to extract her router's Media Access Control address and report the unique identifier to the hacker. If JavaScript is unpalatable for some reason, there are other ways to do this.
  • Kamkar plugs the pilfered MAC address into Google Location Services. Within seconds, he has a map showing the victim's location within a few hundred feet.

"Their web browser is compelling this exploit for you," Kamkar told the audience, which was attending the Black Hat security conference in Las Vegas. "Pretty cool."

Over the past few years, Kamkar has used XSS, or cross-site scripting, exploits to achieve a variety of hacks. As the author of the Samy Worm, he served a brief stint in jail for unleashing a self-replicating exploit in 2005 that added more than 1 million friends to his MySpace account and in the process knocked the site out of commission. More recently, he's used XSS to burrow into firewalls and home routers.

Of course, a few things have to happen for the attack to work. First, the router needs to be set to use the default administrative password, or it needs to be a model that doesn't require credentials to access its system information page.

And the router's MAC address must already have been recorded by Google's ubiquitous fleet of Street View cars, which roam the earth snapping pictures and sniffing select Wi-Fi data.

But other than those caveats, the attack is relatively simple. If written correctly, the JavaScript will quickly cycle through scores of likely IP addresses until it finds the router location. Stalking has never been so simple.

"This is geo location gone terrible," Kamkar said. "Privacy is dead, people."

FrontAccounting Multiple SQL Injection Vulnerabilities

Tuesday, August 3, 2010

FrontAccounting is web-based accounting software. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied input. FrontAccounting versions prior to 2.1.7 and 2.2 RC are affected.

Ref: http://frontaccounting.com/wb3/pages/posts/release-2.2-rc104.php

10.31.57 - CVE: CVE-2009-4037, CVE-2009-4045
Platform: Web Application - SQL Injection

Hacker Wonderland: DefCon 18 in Photos

LAS VEGAS — Roughly 10,000 computer hacking enthusiasts, poseurs, geeks, nerds and government agents gathered for DefCon this weekend. In its 18th year, the world’s largest hacker convention draws people from all walks of life to learn about the latest hacking techniques.

Talks this year ranged from hardware hacker Chris Paget’s demonstration of real-time cellphone eavesdropping, to defeating biometric locks with a hardware bypass, to the always popular Meet the Fed panel where hackers get to meet a group of federal agents involved in computer security. The talks aren’t the only events of interest. There are dozens of popular contests, fundraisers and parties.

DefCon has a long history of either outgrowing or being thrown out of various hotels. This year marked the final year at the Riviera Hotel which has been straining to accommodate the annually increasing crowds. DefCon organizer Jeff Moss, AKA Dark Tangent, announced the new venue during the closing ceremony. Next year’s DefCon will be held at the Rio, which has a much larger conference center along with more restaurants, bars and guest rooms than the Riviera.

Here is a look at some of the highlights of DefCon 18:

Above: The official DefCon badge (second from left) isn’t the only electronic neckwear offered at the convention. Limited edition breathalyzer badges (left) from the Null Space Labs hacker space in Los Angeles were given to some attendees. The 303 hacking crew from Colorado gave out badges to their members (second from right) and the Ninja Networks gave out badges for their exclusive party (right).

Photo: Dave Bullock/Wired.com


Freeway "ecPath" Parameter SQL Injection Issue

Freeway is an open-source ecommerce application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ecPath" parameter of the "index.php" script before using it in an SQL query. Freeway version 1.4.3.210 is affected.

Ref: http://www.securityfocus.com/bid/41960

10.31.62 - CVE: Not Available
Platform: Web Application - SQL Injection
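The three advisories in this digest (the xbtit "order" parameter, the FrontAccounting inputs and the Freeway "ecPath" parameter) all describe the same defect: user-supplied data concatenated into SQL text. The added example below is not code from any of those projects; it is a small Python/sqlite3 model of the pattern and its fix. It covers both kinds of parameter the advisories mention: a value such as "ecPath", which a parameterized query binds as a literal, and a sort column such as "order", which cannot be bound and so must be checked against an allowlist. Table and column names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for a tracker's torrent table.
ROWS = [
    (1, "alpha", 10),
    (2, "bravo", 5),
    (3, "charlie", 7),
]

# The only sort targets the application is willing to emit into ORDER BY.
ORDER_COLUMNS = {"id", "name", "seeders"}
ORDER_DIRECTIONS = {"asc", "desc"}


def make_db():
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE torrents (id INTEGER, name TEXT, seeders INTEGER)")
    conn.executemany("INSERT INTO torrents VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, name, order):
    """The pattern the advisories describe: request parameters pasted into the SQL text.
    Both the value and the sort column can change the meaning of the statement."""
    sql = f"SELECT id, name, seeders FROM torrents WHERE name = '{name}' ORDER BY {order}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name, order, direction="asc"):
    """Hardened version.
    - The value parameter is bound with a placeholder, so the driver passes it as a
      literal and it can never alter the query structure.
    - ORDER BY identifiers cannot be bound, so they are accepted only from an allowlist;
      anything else is rejected before a query is built."""
    if order not in ORDER_COLUMNS:
        raise ValueError(f"unknown sort column: {order!r}")
    if direction.lower() not in ORDER_DIRECTIONS:
        raise ValueError(f"unknown sort direction: {direction!r}")
    sql = f"SELECT id, name, seeders FROM torrents WHERE name = ? ORDER BY {order} {direction}"
    return conn.execute(sql, (name,)).fetchall()


def lookup_is_rejected(conn, name, order, direction="asc"):
    """True when safe_lookup refuses the request, False when it runs it."""
    try:
        safe_lookup(conn, name, order, direction)
        return False
    except ValueError:
        return True
```

With the vulnerable function, a name value containing a quote and a tautology returns every row rather than the one requested; the hardened function returns nothing for the same input, because the whole string is compared as a literal, and it refuses any sort column it has not been told about. The allowlist is the important part: escaping cannot help with identifiers, so ORDER BY parameters need a closed set of permitted values.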

BCS Linux-baiting sparks flame war

An article on open source security has sparked off a furious backlash in the normally polite and businesslike world of a British Computer Society journal.

Commentards have reacted furiously to a piece by Steve Smith, managing director of IT security consultancy Pentura, in the July Edition of ITNow. A lengthy first response by Luke Leighton takes the article apart paragraph by paragraph and contains a dozen expunged swearwords. The opening line of the 4,000 word rebuttal, for example, reads "the BCS is supposed to be a reputable organisation, yet this article - every paragraph - is complete [DELETED]."

The "censorship" of Luke's swearing provoked a fresh round of protests.

Meanwhile, other readers criticised the article as being a "disappointing and unnecessarily biased article, to the point of being misleading" and worse. Part of the problem is that the article was not properly distinguished from being either an analysis or an opinion piece.

If it was properly flagged as an opinion then perhaps some of the criticism about unsupported assertions might have been avoided, or at least reduced.

Commentards pulled few punches in laying into the article. Open source security is a contentious issue. In covering the subject I myself have been at the receiving end of adverse criticism, some well merited and some not, so I have some sympathy for the author.

Smith's apparent central premise - that neither closed or open source software are inherently superior from a security perspective - isn't by itself especially contentious or controversial. But the headline chosen "Can open source be secure?" sets the wrong tone and his argument contains little or no substantiation, leaving him wide open to criticism. Part of the article tips over and appears to suggest that closed source is more secure because the underlying source code is secret, a security by obscurity argument given short shrift by commentards. Several accused Smith of being either misinformed or hopelessly biased.

The BCS acknowledged the criticism in a post on the comments thread provoked by Smith's article.

"The open source vs proprietary software debate is always a heated one. We have asked the author of the article to respond to the reader criticism.

"BCS is absolutely against censorship, but as a professional organisation we have a responsibility to remove expletives, profanity and any comment which could potentially be construed as libellous from our site. The original comment has been replaced with all deletes highlighted; we apologise for any upset the initial editing may have caused."

The anonymous Reg reader who brought the criticism of the piece to our attention wonders why comment wasn't solicited from the BCS Open Source Specialist Group (OSSG), which would be able to supply a well-informed opinion on the subject.

Mark Elkins, chair of the OSSG confirmed it had not been contacted and expressed regret at this oversight. Elkins told The Register that his main regret was that BCS members might go away from the article in the mistaken belief it ought to be read as the professional organisation's considered view on the subject of open source security, instead of an opinion.

"The post at http://ossg.bcs.org makes it clear that the BCS Open Source SG (OSSG) were not contacted about the articles in ITNow," Elkins explained. "Whilst OSSG is run by its members ITNow is run by full-time BCS staff. As so many articles appeared at once - effectively creating a theme on OSS - I think there was an obligation to involve OSSG. Unfortunately that did not happen, which is a shame because OSSG cannot possibly validate what it has no knowledge of.

"Having read the articles in ITNow it is not fully clear to me what status they have. For example are they meant to be opinions, mini-case studies that are intended to reflect the state-of-the-art, or whatever. The reader is given no guidance on this. A danger is that they might be seen as the BCS view or BCS advice on Open Source.

"If OSSG had been contacted then we would undoubtedly have made changes to what appeared. For example one of our Committee members Andrew Katz is a qualified solicitor acknowledged to be an expert on Free and Open Source Software (FOSS) whose input would have added clarity to legal and other issues."

We contacted Pentura on Monday to ask how Smith plans to respond to the article but are yet to hear back. So it's unclear whether Smith will respond to his critics or whether ITNow will address the subject by some other means, perhaps by inviting Elkins and other members of the BCS Open Source group to submit a better informed and researched article on the subject of open source security.

Pentagon Wikileaks probe reaches MIT

The investigation into Bradley Manning - the US Army intelligence private suspected of sending tens of thousands of classified documents to Wikileaks - has led to the Massachusetts Institute of Technology (MIT), it's claimed.

Adrian Lamo, the hacker who reported Manning to authorities in May, said that two men at the prestigious university assisted in releasing the material, CNN reports. Lamo also said the men were connected to Wikileaks and gave Manning encryption software, and taught him to use it.

The claims follow a report in the New York Times on Saturday which also said Pentagon investigators were focused on 22-year-old Manning's acquaintances in the Boston area.

An MIT spokesman said: "We are monitoring the situation closely, but are not commenting at this time."

Manning has been in jail since May and has been charged with leaking a classified video of a helicopter attack in Baghdad. He is now also prime suspect for leaking more than 90,000 Secret intelligence reports from the front lines in Afghanistan. He was flown back to the US from the Middle East on Friday.

Defense Secretary Robert Gates has suggested that security measures would have made it very difficult for Manning to send the reports to Wikileaks over the US Army network. The New York Times reported that investigators believe he copied the mass of files to CDs and may have physically passed them to a contact.

Manning visited Boston on leave in January.

Sophos downplays Android malware threat

Android users have little reason to fear an immediate onslaught of malware despite the demonstration of a rootkit-based attack at last week's Defcon conference, according to a leading anti-virus supplier.

Researchers at Spider Labs demonstrated proof-of-concept malware that could access messages and emails on an Android smartphone. Chester Wisniewski, a senior security advisor at Sophos who attended the presentation, was underwhelmed.

He pointed out that the demo was carried out on an already jailbroken HTC Legend. And, crucially, the researchers at Spider Labs failed to explain how end users might be at risk from malware along the lines of the proof-of-concept tool developed by the Spider Labs team. "They developed a rootkit but there's no way to install it," Wisniewski told The Reg. "No method of propagation was demonstrated."

Sophos has yet to see any examples of Android malware in the wild. Two or three worms targeting jailbroken iPhone devices appeared last year but the attacks have not reappeared as carriers have learned lessons from the outbreak and applied improved security controls, such as filtering SSH connections.

The likelihood of malware migrating onto new platforms is one of the key themes of a review of the security landscape by Sophos, published on Tuesday.

Microsoft is likely to respond to the success of the iPad with the launch of its own tablet-style device. A tablet-ready version of Windows 7 is already well advanced but the technology is likely to inherit the security problems of its desktop cousins, even if Microsoft takes a "walled garden" approach to application delivery, according to Sophos.

Whether the security problems of full-blown Windows platforms will be sufficiently addressed on the new platform remains to be seen; but with the browser being based on Internet Explorer and Adobe apparently working hard on Flash integration for the new platform, malware problems seem inevitable.

The Sophos report (pdf) goes on to suggest that Linux-targeting mobile attacks are likely to increase as devices running webOS and MeeGo (Nokia's plan for a new mobile platform) become more commonplace in the market. The point is made in passing, without any substantiation, and sits oddly with the attempts by Sophos to downplay the threat of Android-based malware.

The study also charts general trends in the mainstream (desktop) malware landscape. Sophos's global network of labs received around 60,000 new malware samples every day in the first half of 2010, an average of one new sample every 1.4 seconds, around the clock. In the same period last year the rate was 40,000 samples per day. By that reckoning VXers have increased production by 50 per cent. Adobe came out a close second to Microsoft as hacker targets during the first six months of 2010, according to Sophos.

Booby-trapped websites and malware-carrying email, which has returned as a hacker favourite over recent months, remain security menaces to businesses. Hackers often use vulnerabilities to plant malware or redirections to hacking portals on legitimate websites. These tactics - along with the prevalence of free hosting providers in Europe that offer minimum setup times to business and hackers alike - resulted in France, Italy and the Netherlands all joining the top ten of malware hosting countries since the start of the year. The United States (42.29 per cent) and China (10.75 per cent) remain the top two malware hosting menaces.

Xbox Live billing site snubs Firefox

Customers visiting an Xbox Live billing site with Firefox are liable to get a false warning that Microsoft's digital certificate is "invalid".

The certificate is fine and IE users are unaffected by the glitch, which represents the reappearance of an intermittent bug limited to gamers who use Mozilla's open source browser.

Reg reader Gordon, who gave us the heads up about the snafu, explained that he came across it in the process of trying to cancel his X-Box Live Gold account. After firing up Firefox, he was greeted by a confusing and unhelpful error message (extract below).

You have asked Firefox to connect securely to billing.microsoft.com, but we can't confirm that your connection is secure

billing.microsoft.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown.

Chris Boyd, a security consultant at Sunbelt and Microsoft MVP who has studied the security of online gaming in some depth, confirmed the glitch.

"It seems you get a cert error in Firefox 3.6.8 (the latest version), I don't have other versions to hand to try out," Boyd told El Reg. "[It] Works in IE, and the cert is viewable."

The latest problem appears to be a repeat of earlier glitches, such as one two years ago that affected "Firefox 3", he said. Reports of the problem from August 2008 can be found on gaming forums here.

The bug reappeared last month, according to a notice on a Mozilla support forum.

"There are a few other examples of this on the web, but nobody seems to have a definite answer," Boyd added.

We've passed on the details of the problem to Microsoft's Xbox team and will update this story when we hear more.

New Zeus botnet steals 60 GB of sensitive data

'Mumba' strikes.

A new Zeus botnet is responsible for stealing more than 60 gigabytes of personal data from the 55,000 compromised computers under its control, according to researchers at anti-virus vendor AVG.

The "Mumba" botnet, created by a notorious cybercriminal gang known as Avalanche, is a mass production system for deploying phishing sites and crimeware, according to an AVG report.

The botnet's first infection campaign began at the end of April. In its first week, attackers were able to infect more than 35,000 machines.

Since then, several smaller campaigns have added 20,000 additional compromised machines to the botnet.

“This group has perfected a mass production system for deploying phishing sites and data-stealing malware,” Roger Thompson, chief research officer at AVG, wrote in a blog post.

The botnet uses four different variations of the Zeus malware to steal social networking credentials, bank account details, credit card numbers and email communications from the zombie machines. Zeus v2.0.4.2 supports the latest Microsoft operating system, Windows 7, and also is capable of stealing HTTP traffic from Mozilla Firefox users, according to AVG.

Unlike most Zeus botnets, which use bulletproof hosting or hijacked web servers to host stolen data, Mumba uses a fast-flux network, the report states. Fast-flux, a DNS technique used to hide malicious websites behind an ever-changing network of compromised hosts, often increases the longevity of phishing and malware distribution sites because it makes it more difficult to get the domain taken down.

Avalanche's fast-flux network was mainly used in the past for phishing and malware attacks, but now the group is using the technique to host its stolen goods as well.

“The unique infrastructure of the Mumba botnet means that going after the servers hosting the stolen data is now much more difficult than before,” Yuval Ben-Itzhak, senior vice president at AVG, said in a statement.
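A defender rarely sees the botnet's servers directly; what a resolver or passive-DNS feed does see is the churn that fast-flux produces. The script below is an added example, not code from AVG or from the report, that scores a name from a series of A-record answers: how many distinct addresses it returned, how many distinct /16 prefixes those span (used here as a rough stand-in for ASN diversity, since there is no offline ASN lookup), the smallest TTL, and how much of each answer was new compared with everything seen before. The DNS observations and the thresholds are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of successive A-record answers, oldest first.
# Each entry: (queried name, TTL in seconds, answer IPs). Made-up data,
# using documentation and shared address ranges, not real hosts.
OBSERVATIONS = [
    ("www.static-site.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("www.static-site.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("www.static-site.test", 3600, ["203.0.113.11", "203.0.113.10"]),
    ("login.flux-bank.test", 180, ["198.51.100.7", "192.0.2.44", "203.0.113.201"]),
    ("login.flux-bank.test", 180, ["198.51.100.7", "192.0.2.99", "100.64.3.8"]),
    ("login.flux-bank.test", 180, ["192.0.2.99", "100.64.77.1", "203.0.113.9"]),
    ("login.flux-bank.test", 180, ["198.51.100.77", "192.0.2.150", "100.64.200.1"]),
]


def prefix16(ip):
    """Collapse an IPv4 address to its /16; a cheap offline proxy for ASN diversity."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def summarise(observations):
    """Per name: distinct answer IPs, distinct /16 prefixes, smallest TTL and churn.

    Churn is the share of answer IPs, from the second lookup onward, that had
    never been returned for that name before.
    """
    per_name = defaultdict(list)
    for name, ttl, answers in observations:
        per_name[name].append((ttl, answers))

    summary = {}
    for name, lookups in per_name.items():
        seen, prefixes = set(), set()
        new_answers = total_answers = 0
        for i, (ttl, answers) in enumerate(lookups):
            fresh = [ip for ip in answers if ip not in seen]
            if i > 0:  # the first lookup has nothing to compare against
                new_answers += len(fresh)
                total_answers += len(answers)
            seen.update(answers)
            prefixes.update(prefix16(ip) for ip in answers)
        summary[name] = {
            "lookups": len(lookups),
            "distinct_ips": len(seen),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(ttl for ttl, _ in lookups),
            "churn": new_answers / total_answers if total_answers else 0.0,
        }
    return summary


def classify(observations, min_ips=5, min_prefixes=3, max_ttl=300, min_churn=0.5):
    """Return {name: True if it looks fast-flux}. Thresholds are assumptions; tune on real data."""
    return {
        name: (m["distinct_ips"] >= min_ips
               and m["distinct_prefixes"] >= min_prefixes
               and m["min_ttl"] <= max_ttl
               and m["churn"] >= min_churn)
        for name, m in summarise(observations).items()
    }


if __name__ == "__main__":
    verdicts = classify(OBSERVATIONS)
    for name, metrics in summarise(OBSERVATIONS).items():
        print(name, metrics, "FAST-FLUX" if verdicts[name] else "stable")
```

Large CDNs also answer with short TTLs and many addresses in several networks, so a low TTL or a big pool on its own proves nothing; the churn figure and, on real data, whether the addresses sit in residential broadband space are what separate a flux network from a legitimate one.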

The United States has the most Mumba-infected PCs, according to the report: 33 percent of infected machines are in the United States, 17 percent in Germany, seven percent in Spain, six percent in the UK, and five percent each in Mexico and Canada.

See original article on scmagazineus.com

Secure Computing Magazine


Cyberspace is the new domain of the military: general

Former NSA boss details militarisation of the internet.

General Michael Hayden, the longest-serving head of the NSA and a former director of the CIA, has been warning of the dangers of cyber-war on the internet and how the military is preparing for online war.

During his keynote presentation at Black Hat last week he said that traditionally the US military had operated in four spheres: ground, air, water and space. The internet is now the fifth domain, and the first man-made one, since the others were made by God.

"God did a better job," he said.

The problem with the internet was that it has no real security systems in place. Everything online is in the attacker’s favour, while there is virtually nothing for the defending team, he said.

Hayden expressed irritation at the ease with which some people bandied around the term 'cyber-war', saying the term was overused. Stealing documents is not cyber-war he said, it’s espionage that is as old as the nation state.

An actual cyber-war could have dramatic real-world fallout, he said, adding that the leading nations should band together to outlaw online warfare, for fear that it could cause immense damage.

One of the problems of online attacks is that you often can’t determine who is carrying out the attacks, making it difficult to bring the perpetrators to justice, he said. Much more work was needed in 'beefing up' both defence and attacking skills.

Copyright v3.co.uk


Microsoft rushes out emergency fix for critical Windows bug

Microsoft on Monday rushed out an emergency patch for a critical vulnerability that criminals are exploiting to install malware on all supported versions of the Windows operating system.

As promised Friday, Microsoft released the update outside of its normal patching schedule because the vulnerability is being actively targeted. When the flaw first came to public attention three weeks ago, it was being used to attack SCADA (supervisory control and data acquisition) systems that control sensitive equipment at power plants, gas refineries, and other critical infrastructure.

Since then, it's been used to install general-purpose malware from Zeus and other do-it-yourself crimeware kits used to siphon credit card numbers and other sensitive data from compromised computers. The Windows flaw resides in a shortcut feature that makes it easy to store commonly accessed files and folders on the operating-system desktop.
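Shortcut files are small and structured, so a responder triaging a removable drive or a mail attachment can inspect them without letting Windows render them. The script below is an added example, not Microsoft's code and not something the article supplies: it builds a constructed shortcut, parses the header, skips the optional target-ID list and link-info blocks, and pulls out the string fields, including the icon location, following the public MS-SHLLNK layout. The triage rule in suspicious_icon is an assumption for illustration: an icon sourced from a .dll or .cpl outside the Windows directory, or from a UNC or relative path, is worth a closer look. It does not claim to reproduce the exploit.

```python
import struct

# Shell link header magic: HeaderSize 0x4C followed by the shell-link CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData fields in the order the format stores them, with their LinkFlags bit.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]


def _encode(s, unicode):
    # Non-Unicode shortcuts use the system ANSI code page; cp1252 assumed here.
    return s.encode("utf-16-le" if unicode else "cp1252")


def build_lnk(icon_location, relative_path=None, unicode=True):
    """Construct a minimal .lnk for testing (constructed input, not a real Windows file)."""
    flags = HAS_LINK_TARGET_ID_LIST | 0x40 | (IS_UNICODE if unicode else 0)
    if relative_path is not None:
        flags |= 0x08
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: just the terminator
    values = {"relative_path": relative_path, "icon_location": icon_location}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            body += struct.pack("<H", len(values[key])) + _encode(values[key], unicode)
    return header + body


def is_lnk(data):
    """True if the buffer starts with a well-formed shell link header."""
    return len(data) >= 0x4C and data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LINK_CLSID


def parse_lnk(data):
    """Parse the header, skip IDList/LinkInfo, and return the StringData fields."""
    if not is_lnk(data):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    result = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * (2 if unicode else 1)
        if pos + nbytes > len(data):
            raise ValueError(f"truncated {key} string")
        result[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return result


def suspicious_icon(lnk):
    """Assumed triage rule: icon from a .dll/.cpl that is not under the Windows
    directory, or from a UNC/relative path. Tune to your environment."""
    icon = lnk.get("icon_location", "").lower().replace("/", "\\")
    if not icon.endswith((".dll", ".cpl")):
        return False
    return not icon.startswith(("%systemroot%\\", "c:\\windows\\"))


if __name__ == "__main__":
    for sample in (build_lnk("%SystemRoot%\\system32\\shell32.dll", relative_path="..\\notes.txt"),
                   build_lnk("\\\\fileserver\\public\\icons.cpl", unicode=False)):
        parsed = parse_lnk(sample)
        print(parsed["icon_location"], "SUSPICIOUS" if suspicious_icon(parsed) else "ok")
```

The same parser works on real shortcuts read from disk; the only difference is that real files usually carry a populated ID list and a LinkInfo block, which the code skips by size rather than interpreting.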

Users who applied the stopgap FixIt published two weeks ago should roll back their machines using the "disable workaround" FixIt linked here. Those who don't follow this advice will find that icons fail to display properly, causing folders and files to appear white without any of the customary graphics.

Users will most likely have to reboot their machines twice: once after uninstalling the workaround, and again after installing the update. Microsoft's out-of-band bulletin is here.
