Researcher outs Android exploit code

Saturday, November 6, 2010

A security researcher has released proof-of-concept code that exploits a vulnerability in most versions of Google's Android operating system for smartphones.

M.J. Keith of Alert Logic said he released the attack code to expose what he characterized as inadequate patching practices for the open-source mobile platform. Rather than find the underlying bug himself, he searched through a list of documented security flaws for Apple's Safari, which relies on the same Webkit browser engine used in Android. In short order, he had an attack that exploits about two-thirds of the handsets that rely on the OS.

"They need a better patching system," Keith told The Register. "They do a good job of repairing future releases, but I think a better patching system needs to be set up for Android."

The bug Keith's code exploits was fixed in Android 2.2, but according to figures supplied by Google, only 36 percent of users have the most recent version. That means the remainder are susceptible to the attack.

What's more, Keith said he had no trouble finding other documented Webkit vulnerabilities that have yet to be fixed in version 2.2.

"I found about four or five and I wasn't trying to [do] an exhaustive search," he said.

A Google spokesman declined to comment for this post.

To be fair, Android's design does a good job of segregating the functions of one application from those of another. That would make it hard for someone exploiting the bug Keith demonstrated to gain root privileges or access to many of the targeted handset's resources. But it still would allow an attacker to access anything the browser can read, including a phone's Secure Digital memory card.

The bigger point, Keith said, is that most users have no idea their devices are vulnerable to bugs that were patched long ago on other platforms.

"I wanted to demonstrate that nobody's being notified that their Android phone is vulnerable to this stuff," he explained. "Google wants to pretend it's not there."

Cooks Source Copyright Infringement Becomes an Internet Meme

An internet firestorm is brewing over a small New England magazine accused of publishing recipes and articles lifted from the web without permission.

The dust-up began when food blogger Monica Gaudio discovered that Cooks Source had published a 6-year-old online article she wrote about apple pie, entitled “A Tale of Two Tarts.” Gaudio e-mailed the magazine’s editor, Judith Griggs, to complain, asking Cooks Source to post a public apology on its Facebook page and make a $130 donation to Columbia School of Journalism.

It was Griggs’ response that set off the still-raging internet backlash.

But honestly Monica, the web is considered ‘public domain’ and you should be happy we just didnt ‘lift’ your whole article and put someone elses name on it! It happens a lot, clearly more than you are aware of, especially on college campuses, and the workplace. If you took offence and are unhappy, I am sorry, but you as a professional should know that the article we used written by you was in very bad need of editing, and is much better now than was originally. Now it will work well for your portfolio. For that reason, I have a bit of a difficult time with your requests for monetary gain, albeit for such a fine (and very wealthy!) institution. We put some time into rewrites, you should compensate me! I never charge young writers for advice or rewriting poorly written pieces, and have many who write for me ALWAYS for free

Gaudio posted Griggs’ response to her blog, and the editor’s unapologetic and legally flawed comments were soon sweeping the web. The Twitter hashtag “#buthonestlymonica” sprang to life, while Cooks Source’s Facebook page accumulated thousands of “fans” overnight posting mocking comments. One wrote: “Cooks Source taking care of my pets while I was out of town, and when I got back my cat was pregnant, and someone had drunk all of my soy sauce.” Another said “Cooks Source text messages during movies.” Another: “Cooks Source did not have sexual relations with that woman.”

More ominously for the magazine, critics began using the Cooks Source Facebook page as an organizing forum for a crowd-sourced comparison of the publication’s archive against other articles and recipes online. The effort turned up more than a few additional apparent infringements, and the Food Network is now reportedly investigating how some of its content wound up in the magazine.

The magazine removed its telephone number from its website, and the line is now disconnected. An e-mail to Cooks Source from Wired.com bounced Friday.

Cooks Source’s circulation numbers were not immediately known as the magazine does not report numbers to the Audit Bureau of Circulation or BPA Worldwide, the leading publishing auditors.

Now that Cooks Source is a full-blown American Dog Poop Girl, the magazine and its editor may start getting a little sympathy. At least one Twitter commenter thought the reaction was too heavy. “Hell hath no fury like a food blogger ripped off by a 2-bit print mag.”


Disguised imposter clears international flight

Canadian authorities are investigating an Asian man in his early 20s who disguised himself as an elderly Caucasian male and was en route from Hong Kong to Vancouver before being discovered as an imposter.

"The passenger in question was observed at the beginning of the flight to be an elderly Caucasian male who appeared to have young looking hands," a confidential intelligence alert (PDF), titled "Unbelievable Case of Concealment" and obtained by CNN, stated. "During the flight the subject attended the washroom and emerged an Asian male that appeared to be in his early 20's."

Pictures showing the man in his 20's, his mask, and the imposter

The man, whose name and nationality weren't identified, later made a claim for refugee protection, according to the alert, which didn't elaborate. It also said that he initially claimed to be in possession of only one bag, but later fessed up to having two additional pieces of luggage. They contained his personal clothing, a pair of gloves and a disguise kit that consisted of a silicone head and neck mask of an elderly Caucasian male, a brown leather cap, glasses and a brown cardigan.

"The subject donned the 'disguise' for [Border Services Officers] and they noted that he very much resembled an elderly Caucasian man, complete with mimicking the movements of an elderly person," the confidential memorandum continued. "The subject admitted at this time that he had boarded the flight with the mask on and had removed it several hours later."

More from CNN is here.

Boffins devise early-warning bot spotter

Researchers have devised a way to easily detect internet names generated by so-called domain-fluxing botnets, a method that could provide a first-alarm system of sorts that alerts admins of infections on their networks.

Botnets including Conficker, Kraken and Torpig use domain fluxing to make it harder for security researchers to disrupt command and control channels. Malware instructs infected machines to report to dozens, or even tens of thousands, of algorithmically generated domains each day to find out if new instructions or updates are available. The botnet operators need to own only a few of the addresses in order to stay in control of the zombies. White hats effectively must own all of them.

It's a clever architecture, but it has an Achilles' heel: the botnet-generated domain names, which include joftvvtvmx.org, ejfjyd.mooo.com, and mnkzof.dyndns.org, exhibit tell-tale signs that they were picked by an algorithm rather than a human being. By analyzing DNS, or domain name system, traffic on a network, the method can quickly pinpoint and disrupt infections.

"In this regard, our proposed methodology can point to the presence of bots within a network and the network administrator can disconnect bots from their C&C server by filtering out DNS queries to such algorithmically generated domain names," the researchers wrote in a paper that was presented this week at the ACM Internet Measurement Conference in Australia.

The method uses techniques from signal detection theory and statistical learning to detect domain names generated from a variety of algorithms, including those based on pseudo-random strings, dictionary-based words, and words that are pronounceable but not in any dictionary. It has a 100-percent detection rate with no false positives when 500 domains are generated per top-level domain. When 50 domains are mapped to the same TLD, the 100-percent detection rate remains, but false positives jump to 15 percent.
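The researchers' method is built on statistical measures taken over many names at once; the script below is an added illustration, not their code, of the simpler idea the article describes: names like joftvvtvmx.org look machine-made, and a defender can spot an infected host by the share of such names it asks for. It uses two crude lexical features (vowel ratio and longest consonant run) and then aggregates per querying client, because any single-name heuristic throws false positives (the constructed log includes bbc.co.uk for exactly that reason). The query log, the client addresses and the short suffix list are all constructed assumptions.

```python
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed DNS query log (client address, queried name). The three names
# quoted in the article are included; the others are made up for illustration.
SAMPLE_QUERY_LOG = """\
10.0.0.5 joftvvtvmx.org
10.0.0.5 ejfjyd.mooo.com
10.0.0.5 mnkzof.dyndns.org
10.0.0.5 qwzrtkpl.org
10.0.0.5 google.com
10.0.0.9 google.com
10.0.0.9 theregister.co.uk
10.0.0.9 wikipedia.org
10.0.0.9 mail.example.com
10.0.0.9 bbc.co.uk
"""

# Assumed multi-label public suffixes so the registrant's label is compared,
# not the dynamic-DNS provider's. A real deployment would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = ("mooo.com", "dyndns.org", "co.uk")


def registrant_label(name):
    """Return the label the registrant chose, e.g. 'ejfjyd' for ejfjyd.mooo.com."""
    name = name.lower().rstrip(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        if name.endswith("." + suffix):
            return name[: -len(suffix) - 1].split(".")[-1]
    labels = name.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def vowel_ratio(label):
    return sum(ch in VOWELS for ch in label) / len(label) if label else 0.0


def max_consonant_run(label):
    """Longest run of consecutive consonants; human-chosen names rarely exceed 3."""
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_algorithmic(label):
    """Per-name heuristic: too few vowels or an unpronounceable consonant cluster."""
    return vowel_ratio(label) < 0.25 or max_consonant_run(label) >= 4


def suspicious_hosts(log_text, min_queries=5, min_fraction=0.6):
    """Aggregate per client: fraction of queried names that look machine-generated.

    Aggregation is what keeps a lone false positive (bbc) from raising an alert.
    """
    flagged = defaultdict(int)
    total = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        total[client] += 1
        if looks_algorithmic(registrant_label(qname)):
            flagged[client] += 1
    return {
        client: flagged[client] / total[client]
        for client in total
        if total[client] >= min_queries
        and flagged[client] / total[client] >= min_fraction
    }


if __name__ == "__main__":
    for client, fraction in suspicious_hosts(SAMPLE_QUERY_LOG).items():
        print(f"{client}: {fraction:.0%} of queries look algorithmically generated")
```

On the constructed log only 10.0.0.5 is reported (four of its five names are flagged), while 10.0.0.9 stays quiet even though "bbc" trips the per-name rule, which mirrors the article's point that false positives fall as more names per client or per TLD are available to judge.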

The technique was developed by Sandeep Yadav, Ashwath K.K. Reddy, and A.L. Narasimha Reddy of Texas A&M's Electrical and Computer Engineering department, and Supranamaya Ranjan of Sunnyvale, California-based Narus. A PDF of their paper is here.

Report: Banking Apps for Android, iPhone Expose Sensitive Info

A number of wireless banking applications for iPhone and Android phone users contain privacy and security flaws that cause the phones to store sensitive information in cleartext that could be gleaned by hackers, according to a report.

The applications distributed by such top banks and financial institutions as Wells Fargo and Bank of America placed various types of information at varying degrees of risk. But at least one Android application, distributed by Wells Fargo, stored an account holder’s username and password on the phone in cleartext. The application also stored account balances on the phone, according to a security researcher who spoke with the Wall Street Journal.

The applications store the information in the phone’s memory, allowing it to be easily gleaned from the phone if an attacker were to trick the user into visiting a malicious web site — for example, by sending the user a phishing e-mail containing a link to the malicious site.

A financial services application by the United Services Automobile Association was found to store a mirror image of the banking web page the phone user visited, which could reveal the user’s account balances and transactions as well as the routing numbers, which can be used to conduct electronic money transfers if a hacker also obtains the account number. The application didn’t store the accountholder’s username and password, but an attacker might obtain this information through a more targeted attack against the account holder’s phone if he determines the bank balance revealed on the phone makes the extra effort worth it.

Bank of America’s application also didn’t save usernames and passwords, but it did save the answer to a secondary security question in cleartext. An accountholder is asked the extra question only if the bank’s web site determines that the user is trying to log in from a device it doesn’t recognize — such as from a phone or computer he doesn’t normally use to conduct banking.

Andrew Hoog, chief investigative officer for viaForensics, said that only one of the seven applications his group examined contained no such security flaw. That application is distributed by the Vanguard Group.

Both Wells Fargo and USAA told the Journal that they had fixed the problem in updated applications released on Wednesday. Bank of America said it would be tweaking its application in a new update distributed in a few days.

Separately, Hoog’s company had found another security flaw with PayPal’s iPhone application that would allow someone on the same WiFi network as the user to obtain the user’s PayPal username and password. The security flaw exists because the application doesn’t try to verify the digital certificate of the PayPal web site. Therefore a hacker on the same network could conduct a man-in-the-middle attack that delivers a bogus PayPal page to the user’s browser, stealing the username and password when the user enters it.
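The PayPal flaw described above is a client that skips certificate validation, so any party on the same network can present its own certificate and be accepted. As an added illustration that is not PayPal's or viaForensics' code, the Python snippet below shows the weak TLS client configuration beside the corrected one using the standard ssl module, plus a small audit check of the kind a code review or test suite can apply to any context before it is used. The host name and port are placeholders.

```python
import socket
import ssl


def insecure_client_context():
    """Mirrors the bug class: the client accepts whatever certificate it is shown.

    Disabling hostname checking first is required by the ssl module before
    verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context():
    """Corrected form: chain validation against the system CA store plus hostname check."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx):
    """Audit check: both halves are needed; CERT_REQUIRED alone still allows
    a valid certificate for the wrong host."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_tls_connection(host, port=443, ctx=None, timeout=10):
    """Refuse to use a context that would let a man-in-the-middle through."""
    ctx = ctx or secure_client_context()
    if not context_verifies_peer(ctx):
        raise ValueError("refusing TLS connection without peer verification")
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname is what the hostname check compares the certificate against
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Placeholder host; requires network access, so not part of the offline check.
    with open_tls_connection("example.com") as tls:
        print("negotiated", tls.version(), "with", tls.getpeercert()["subject"])
```

The audit function is the useful part for defenders: run it over every SSLContext an application builds, and a regression that sets CERT_NONE or clears check_hostname (the two changes that produce the PayPal-style flaw) fails before it ships.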

PayPal has since updated its application to fix this flaw.

Two 21-year-old ZBot mule suspects cuffed in Wisconsin

US authorities have captured a further two ZeuS-malware money mule suspects.

Dorin Codreanu and Lilian Adam, both 21-year-old natives of Moldova, were captured in Wisconsin. The arrest ends a month-long manhunt for the pair, named by the FBI on 30 September as among 37 suspects alleged to have set up bank accounts to receive stolen funds from compromised online banking accounts. The accounts were compromised using variants of the infamous ZeuS crimeware toolkit.

Both Codreanu and Adam face bank fraud charges, while Codreanu alone is charged with recruiting other alleged money mules, among them Russian swimsuit stunner Kristina Izvekova, who remains at large.

The duo were named by the FBI as among 17 suspects at large and wanted for questioning as part of an international investigation into a ZeuS malware ring that also resulted in charges against 11 suspects in the UK and five in the Ukraine. The Ukrainian quintet are alleged to have masterminded the whole scheme.

More commentary on the latest arrests in the case can be found in a blog post by Sophos here.

ZeuS has long been the weapon of choice for cybercrooks due largely to the ease with which Trojans in the ZeuS family can be configured to steal online data. Earlier this year an upstart crimeware toolkit called SpyEye emerged as a serious rival. Recent reports suggest that the coder behind ZeuS, who may be feeling the heat from increased police interest in ZeuS, handed over development duties for his malware baby to the developer of SpyEye.

ZeuS miscreants offer up honeypot

Friday, November 5, 2010

Cybercrooks are attempting to turn the tables on security researchers by setting up fake interfaces on their botnets in a bid to confuse and confound analysis.

The fake honeypot tactic was brought into play by a group using a variant of the infamous Zeus crimeware toolkit. The unknown miscreants targeted quarterly federal taxpayers with fake emails that sought to trick prospective marks into visiting a website loaded with exploits on the pretext that there had been a problem with their tax returns. If successful, the attack resulted in the infection of PCs with variants of ZeuS primarily designed to capture and extract bank login details.

In between waiting for the drop of confidential IDs from compromised machines, the crackers set up a trap for researchers. A bogus administrative panel hands out counterfeit statistics on the number of ZeuS-infected machines, as well as the ability to upload new bot malware, a feature designed to hoodwink security researchers or rival botnet operators.

A write-up of the ZeuS decoy admin console can be found in a post on the Last Line of Defense blog here.

"This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it," the post explains.

In a nice touch, the phoney login accepts default or easily guessed credentials. Just for good measure, the interface also contains a simple SQL-injection vulnerability.

The deployment of the fake honeypot tactic in ZeuS-related malware operations is unlikely to be coincidental. The discovery of genuine ZeuS interfaces over recent months has been a major source of raw intelligence for security researchers. Although we can't say for sure at this point, it's even possible that this data led to the recent run of arrests of ZeuS crimeware suspects in the UK, US and the Ukraine.

Crooks who use ZeuS as the weapon of choice for snaffling online banking credentials would doubtless be interested in frustrating this kind of research through the use of decoys. Viewed from this perspective, spying on what their opponents are up to would be a bonus for cybercrooks. And since ZeuS is highly customisable, adding in the additional honeypot hooks would have been no great chore.

Plastic plod used police database to find dates

A female community support officer has pleaded guilty to 11 charges of obtaining personal information illegally after admitting using the Police National Computer to check out potential boyfriends.

Lucy Bevan, 25, of Longbenton, was fined £1,100 for the offences. She has since resigned from the police force.

Magistrates heard that Bevan accessed one man's file 151 times, and even checked the PNC for information on his mum.

In her defence the court heard she had acted unprofessionally but did not gain personally from her actions.

The chairman of the magistrates said: "For a police officer of some standing, this represents a calamitous error of judgement on your part, a serious breach of trust and an abuse of police power."

Senior officers became suspicious about Bevan's relationship with a man working in a shop in her patrol area. They checked her access log to the PNC and found she'd looked at his file 151 times, the Telegraph reports.

When they approached the man in question, he said Bevan had told him she'd looked at his file to check out his suitability as a boyfriend.

Northumbria Police apologised and said they hoped the prosecution would reassure people that they took such complaints seriously and made all efforts to ensure staff obey the rules.

Hackers v defenders in pan-Euro cyber security exercise

Early results from the first European cybersecurity exercise have highlighted the need to improve communication and procedures to better combat future cyber attacks.

Cyber Europe 2010 brought together 150 experts from 70 public bodies in 22 countries around Europe to deal with 320 simulated cyber-security incidents. These incidents involved simulated attempts by hackers to take out critical online services or to degrade overall internet availability.

Participants included Computer Emergency Response Teams, ministries, national regulatory authorities and others. Representatives of a further eight member states acted as observers.

Mission control for the exercise was run from Athens, Greece, with around 50 people attending.

European Union security agency ENISA said the exercise offered an opportunity to develop improved procedures for protecting critical infrastructure systems.

Dr Udo Helmbrecht, executive director of ENISA, commented: "This was a first key step for strengthening Europe's cyber protection. Each mistake and error made were useful lessons-learnt; that is what exercises are for.

"Now, the challenge is for the Member States to analyse and properly implement these findings, of how to improve the communication channels and procedures. Both internally within a Member State, and in between Member States, across Europe, [so] to strengthen our common cooperation."

The exercise, modelled on earlier US cyber-preparedness exercises such as Cyber Storm, aimed to establish trust between security incident handlers within countries and their counterparts across Europe. It also sought to test the effectiveness of communication channels and to "increase mutual support procedures" during cyber attacks or other security incidents.

A media briefing by ENISA in Berlin on 10 November will provide more information and draft conclusions about the outcome of the exercise. A full report is expected early next year.

ENISA reckons EU member states would benefit from running their own national cyber-security exercise.

Participants in the exercise included UK information security agencies. In a statement, the Cabinet Office said the European cyber security exercise followed an earlier exercise involving cyber security incident handlers in the US and other countries.

"The UK is an active participant in the first pan-European emergency cyber security exercise that is taking place today with involvement from BIS, CPNI and CSOC, the Cyber Security Operations Centre," it said.

"We place a huge importance on collaboration with our European and international partners and exercises such as this help to ensure that we have the right processes and procedures in place to deal with such events. Indeed we were also involved in a similar exercise coordinated by the Department of Homeland Security last month involving a number of nations."

IE bug fix not included in light Patch Tuesday

Microsoft is planning a light Patch Tuesday for November with just three bulletins that collectively address a total of 11 security vulnerabilities.

The trio cover flaws in Office (and PowerPoint) for Windows, Office for Mac 2011 and Forefront Unified Access Gateway. The Office for Windows patch is rated critical while the other two updates are rated as important.

Wolfgang Kandek, CTO of net security services firm Qualys, said the critical Office update is something of a rarity.

"Most vulnerabilities on the Office suite are categorised as 'important' because they typically require user interaction to get a successful exploitation," Kandek explained. "'Critical' here indicates a vulnerability that can be used to take control of the target machine without user interaction, such as MS10-064, where visualising an email in Outlook's preview pane was sufficient to trigger the flaw."

The three bulletins, one of them critical, compare with the record crop of 16 bulletins - four critical - in October's Patch Batch.

Before sysadmins kick back and enjoy the weekend safe in the knowledge that, for a pleasant change, there's very little patching work ahead of them next week, it's worth remembering that a recently discovered zero-day vulnerability in Internet Explorer remains unfixed. The code execution bug has already cropped up in targeted attacks, Symantec warns.

Microsoft's November Patch Tuesday pre-alert notice can be found here.

LightOpenCMS "index.php" SQL Injection Issue

LightOpenCMS is a web-based application implemented in PHP. LightOpenCMS is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data passed to the "id" parameter of the "index.php" script.

Ref: http://www.securityfocus.com/bid/44451

10.44.30 - CVE: CVE-2009-1766
Platform: Web Application - SQL Injection
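The LightOpenCMS advisory describes the usual shape of this bug class: a numeric request parameter pasted into the SQL text. The snippet below is an added illustration written in Python against an in-memory SQLite table, not LightOpenCMS's PHP code, showing the vulnerable lookup beside the hardened one (type-check the id, then bind it as a parameter). The table, rows and column names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed content table: two published pages and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "About", 1), (3, "Draft: unpublished", 0)],
    )
    conn.commit()
    return conn


def fetch_page_vulnerable(conn, page_id):
    """The bug class from the advisory: the 'id' parameter becomes part of the SQL text.

    A value such as '1 OR 1=1' turns the WHERE clause into
    'published = 1 AND id = 1 OR 1=1', which matches every row, draft included.
    """
    sql = "SELECT id, title FROM pages WHERE published = 1 AND id = %s" % page_id
    return conn.execute(sql).fetchall()


def fetch_page_safe(conn, page_id):
    """Hardened form: reject anything that is not an integer, then bind the value.

    With parameter binding the database never parses user input as SQL, so even
    a non-numeric id that slipped past the check could only match no row.
    """
    try:
        page_id = int(page_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, title FROM pages WHERE published = 1 AND id = ?", (page_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 OR 1=1"):
        print(repr(value), "vulnerable:", fetch_page_vulnerable(db, value))
        print(repr(value), "safe:      ", fetch_page_safe(db, value))
```

The integer check is the cheap part and the parameter binding is the essential part: binding is what removes the injection, while the check gives a clean error path for malformed requests instead of a database error that leaks query structure.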

Sinister scams 'sextort' social networkers

A rash of cases in which men use their hacking skills to extort sexually explicit images from women and girls is bringing new attention to the risks of storing sensitive data on social networks and internet-connected devices.

The most recent sextortion plot to be detailed in a court of law is that of George Samuel Bronk, a 23-year-old California man accused of appropriating nude and sexually explicit images of at least 170 women, Sgt. Kelly Dixon of the California Highway Patrol's Computer Crimes Division told The Register. He was arraigned on Tuesday in California state court in Sacramento on more than 30 counts, including hacking, possession of child pornography and impersonation. He didn't enter a plea, Dixon said.

Investigators have identified more than 20 victims whose images are included in the cache of stolen pictures and videos. In some cases, Bronk allegedly contacted the women and threatened to make the images public unless they supplied him with more nude pictures. He was caught after a Connecticut woman told her state police department that sexually explicit photographs of her had been posted to her Facebook page. Police ultimately fingered Bronk by linking his IP address to the woman's hacked Facebook and email accounts.

A Canadian man, 30-year-old Daniel Lesiewicz, admitted to luring hundreds of girls aged 13 to 18 into a similar trap, according to news reports. At a sentencing hearing last month, prosecutors said he used compromised Facebook accounts to pose as some of the victims' friends and convinced the girls to undress in front of their webcams. He then threatened to publish the images unless they gave him more.

In some cases, he terrorized the girls by calling their cellphones from what appeared to be their own numbers. One victim, who was 17 at the time, testified that she was so humiliated that she quit her summer job and dropped out of advanced college classes. Another victim attempted suicide, The Montreal Gazette reported. Sentencing has been postponed until later this month.

Earlier this week, the FBI's field office in Los Angeles sought help from the public in identifying more victims of Luis Mijangos, 31, of Santa Ana, California, who in June was arrested and accused of using infected computers to capture nude pictures and videos of about 230 individuals, at least 44 of whom were juveniles.

According to prosecutors, Mijangos used peer-to-peer file-sharing networks to trick his victims into installing software that gave him complete control of their machines. He then rifled through the hard drives for intimate images and other incriminating data, which he would use to extort sexually explicit videos from the victims, court documents allege. He has pleaded not guilty to charges that include extortion.

Crimes like these may be unusually plentiful in the news right now, but they're hardly new. In 2006, Adrian Ringland, then 36, from Ilkeston, Derbyshire, admitted blackmailing teenage girls into sending him explicit pictures after infecting their PCs with malware. He was sentenced to 10 years in prison.

The list of similar offenses goes on and on and on.

That the reports only seem to be increasing suggests that many people still don't understand the risks of storing photos and information online. Many of the victims' accounts were compromised by someone correctly guessing the security questions used when an account holder forgets her password. In other instances, racy photos were nicked from compromised email accounts or computers. Those who collect such images would do well to keep them on drives that aren't attached to the net at all.

'Iranian Cyber Army' cons security researchers and fellow crooks

Fake data?

The Last Line of Defense (TLLOD) is questioning the number of computers under the control of the 'Iranian Cyber Army', and believes that the botnet purveyors are actually hosting a fictitious administrator console designed as a honeypot to trip up white-hat researchers and attackers trying to learn about the group's operations.

Last week, researchers at cyberthreat management start-up Seculert claimed that the gang previously best known for defacements against Twitter and Baidu had shifted its operations to infecting machines with malware to amass a botnet.

Citing information from the group's crime server statistics page, researchers estimated that the botnet consisted of at least 400,000, but perhaps as many as 20 million, compromised machines.

But based on reconnaissance into a recent spam run that pushes Zeus-laden emails claiming to come from the U.S. Electronic Federal Tax Payment System (EFTPS), the cyber gang's exploit toolkit actually contains a control interface supplying bogus data, Thorsten Holz, a senior threat analyst at TLLOD, told SCMagazineUS.com in an email.

The goal of the interface, in fact, is not to provide valid data but to gain insight into the competition, TLLOD researcher Brett Stone-Gross said in a blog post.

"Note that it's common for most exploit toolkits to contain an admin interface that manages exploits, payloads, and tracks exploit success rates,"  he wrote. "However, the EFTPS exploit toolkit contains a completely fake admin console. This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it."

Aviv Raff, co-founder and CTO of Seculert, said that if TLLOD is right, he and his team might have fallen for the trick.

"According to the information they [TLLOD] present, the numbers in the statistics page [do] seem to be fake," Raff told SCMagazineUS.com via instant messenger. "If this is indeed fake, it would be interesting to know the real numbers." 

Holz tossed one more possibility into the ring.

"I am not sure if the Iranian Cyber Army guys are actually from Iran," he said. "The backend had lots of Russian comments, and I think this is just another attempt to confuse researchers."

That would run counter to Raff's belief that the Iranian Cyber Army moved from defacements to malware possibly out of revenge, amid reports that the Stuxnet worm predominantly has been invading control systems belonging to Iran.

See original article on scmagazineus.com

Secure Computing Magazine


Jury Dings File Sharer $1.5 Million for 24 Songs

Jammie Thomas-Rasset, the first file sharer to take a Recording Industry Association of America lawsuit to a jury trial, was dinged late Wednesday $62,500 for each of 24 songs she pilfered on Kazaa — $1.5 million in all.

The result is the third verdict by a Minnesota jury in a case that has morphed into a real-life version of Groundhog Day. And Tuesday’s outcome is not likely to be the last word, either.

The Brainerd, Minnesota, woman has repeatedly vowed to appeal what her lawyers said were “excessive damages.” Making matters more confusing, the judge presiding over all three trials ruled after the previous trial that $54,000 was the maximum amount of damages for such conduct.

The verdict proves once again that federal juries are willing to slap file sharers with monster awards. The only other file sharing case to have gone to trial resulted in a Boston jury last year awarding the RIAA $675,000 for 30 songs — a decision on appeal after a judge reduced the verdict to $67,500.

The latest iteration of Thomas-Rasset comes more than four months after U.S. District Judge Michael Davis ordered both sides to settle a case with what can best be described as a tortured past.

But negotiations failed. That’s largely why there were two trials and now a third — the third one beginning and ending Tuesday because no accord could be reached.

Under the latest failed negotiations, Thomas-Rasset refused to pay anything. The RIAA wanted $25,000 for the 24 tracks. That offer came after a second Minnesota jury had awarded $1.92 million, and the judge reduced it to $54,000 a year ago.

The Copyright Act allows a jury to award damages of up to $150,000 per purloined download. The Obama administration supported the nearly $2 million judgment.

We got to the latest stage of Thomas-Rasset after Judge Davis declared the $1.92 million verdict “shocking” and said damage awards “must bear some relation to actual damages.”

Davis’ decision last year was the first time a judge has reduced the amount of damages in a Copyright Act case. He ordered a new trial or settlement.

The third trial involved the jury assuming the woman’s liability, while affixing a new damages figure. Because of the posture of the case, the parties could not directly appeal the judge’s earlier decision lowering the jury’s verdict. Whether the judge reduces the damages again or leaves them intact, the appeals courts would be more inclined to take the case to avoid another day of legal groundhog.

Among the big bones of contention that would be addressed on appeal, Thomas-Rasset claims damages under the Copyright Act are unconstitutionally excessive. The RIAA claims the judge did not have the power to lower a Copyright Act jury award.

Thomas-Rasset famously lost her first trial in 2007, resulting in a $222,000 judgment. But months after the four-day trial was over, Judge Davis declared a mistrial, saying he had incorrectly instructed the jury that merely making copyrighted work available on a file sharing program constituted infringement, regardless of whether anybody downloaded the content.

Most of the thousands of RIAA file sharing cases against individuals settled out of court for a few thousand dollars. The RIAA has said it has ceased its campaign of suing individual file sharers.

Here are the 24 tracks at issue in the Thomas-Rasset case.

Hat Tip: Ben Sheffner

See Also:

  • First RIAA File Sharing Trial Morphs Into Groundhog Day
  • Settlement Rejected in ‘Shocking’ RIAA File Sharing Verdict
  • Jury in RIAA Trial Slaps $2 Million Fine on Jammie Thomas
  • New Jammie Thomas Lawyers Vow to Put RIAA on Trial
  • Jammie Thomas Lawyer: Get Me Off This Case!
  • Lawyers Challenge Lowered Amount of ‘Shocking’ File Sharing Award

Cops Pay $4,000 to Man Who Flipped Them Off

A suburban Oregon police department is paying a local man $4,000 to settle a civil rights lawsuit in which he claimed he was pulled over for flipping off the cops in traffic.

Twice he saluted with his middle finger while driving, and was pulled over each time by a Clackamas County patrol officer, resulting in what he said was a tongue lashing and “bogus” citations that were later dismissed. He sued (.pdf) in March.

“It was just time to settle,” the plaintiff, Robert Ekas, said in a brief telephone interview Thursday. The retired Silicon Valley systems analyst declined to elaborate.

Edward McGlone III, the counsel for Clackamas County, just outside Portland, said the local government settled (.pdf) rather than litigate for “business reasons.”

“It was just cheaper than proceeding in the case at this point,” he added. McGlone, too, declined to elaborate.

There’s no law against directing at police what might be the world’s oldest insulting gesture. But it’s not advised, as it may lead to a confrontation.

In a March interview, however, Ekas told us that he performed the middle-finger salute to the cops because “it seemed like the right thing to do.” He said it was a form of protest against a department he claimed was abusing its citizenry.

The settlement comes a year after a Pittsburgh man was awarded $50,000 after he was wrongly cited for disorderly conduct after flipping off a cop.

For an authoritative legal and historical discussion of flipping the bird, read “Digitus Impudicus: The Middle Finger and the Law” (.pdf).

Photo: davidsonscott15/Flickr

See Also:

  • Court OKs Repeated Tasering of Pregnant Woman
  • Court Mixed on Constitutionality of Taking DNA From Arrestees …
  • Supremes Mull Whether Bad Databases Make for Illegal Searches …
  • University of Florida Student Tasered for asking Kerry a Question …
  • Judge Rules Post on Cop-Rating Site is Protected Speech

Myanmar loses internet connection

Massive DDoS attack against country.

Myanmar has been hit with a sustained distributed denial of service (DDoS) attack said to have knocked the country offline for several days.

An analysis of the attack by Arbor Networks estimated the DDoS traffic at between 10 and 15 Gbps.

"Normally Myanmar traffic peaks well under 100 Mbps," Arbor said in a blog post.

"Two days ago, DDoS traffic jumped into a sustained multi-gigabits per second."

The company believed that a "number of upstreams had begun to blackhole traffic to address space" owned by the country's main ISP, the Ministry of Post and Telecommunication (MPT). A blackhole route discards everything destined for that address space, attack and legitimate traffic alike, so the upstreams were protecting their own links rather than the victim.

Arbor said the motivation for the attack was unknown, although there was speculation it could be related to November 7 elections in the country.

Copyright © iTnews.com.au . All rights reserved.


PayPal rushes out patched iPhone app

PayPal has submitted an updated iPhone application after learning that the previous one failed to validate the digital certificate presented by the online-payment website, the check that confirms the app is really talking to PayPal and not to whoever is answering on the network.

The hole leaves iPhone users who rely on the app open to man-in-the-middle attacks when connecting over untrusted networks such as Wi-Fi hotspots: anyone controlling the network can present a certificate of their own, and an app that never checks it will complete the encrypted session with the attacker instead of PayPal. PayPal learned of the flaw on Tuesday, when a Wall Street Journal reporter asked for comment. A day later, the company rushed out a patched version to Apple's app store.

“We submitted a revised application to Apple within 24 hours of being notified,” Anuj Nayar, spokesman for the eBay-owned division, told The Register. “We don't believe that any customers have been affected. Even if they had been, it's very clear that our protection policy would cover them 100 percent.”

It's not clear how long the defective iPhone app was in circulation. An app for Android-based phones wasn't affected.
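What the app skipped is the post-handshake check that the certificate the server presented is trusted, still valid, and issued for the host the app intended to reach. The Python below is an added illustration, not PayPal's code: it shows the two client configurations (the default, which verifies the chain and the name, and the one that reproduces the bug by accepting anything) and implements the name and validity-period check against certificate data in the shape Python's `ssl.getpeercert()` returns. The two certificate dicts, the attacker domain and the timestamp are constructed for the example; `MITM_CERT` stands in for a perfectly valid certificate an attacker on a hotspot could hold for a domain of their own.

```python
import ssl


def make_client_context(insecure=False):
    """Client-side TLS settings. The default context verifies the chain against
    the system trust store and checks the hostname; insecure=True reproduces
    the failure mode described above: any certificate, for any name, is accepted."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # chain is no longer verified at all
    return ctx


def is_hardened(ctx):
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def _dns_names(cert):
    """Names the certificate is valid for, from subjectAltName. The commonName
    fallback is legacy behaviour and is kept only to show it; modern clients
    ignore the CN entirely."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard that covers exactly one
    leftmost label of a name with at least three labels."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and len(p) >= 3 and p[0] == "*" and p[1:] == h[1:]


def hostname_matches(cert, hostname):
    return any(_name_matches(n, hostname) for n in _dns_names(cert))


def cert_is_current(cert, now_epoch):
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_epoch <= not_after


def verify_peer(cert, hostname, now_epoch):
    """The application-level check: chain trust is the library's job (verify_mode);
    the binding to the intended name and the validity period are confirmed here."""
    return hostname_matches(cert, hostname) and cert_is_current(cert, now_epoch)


# Constructed certificate data in the shape ssl.getpeercert() returns.
LEGIT_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
    "notBefore": "Oct  1 00:00:00 2010 GMT",
    "notAfter": "Oct  1 23:59:59 2011 GMT",
}
# A valid certificate for an (assumed) attacker-controlled domain: a client
# that never compares names accepts it for paypal.com.
MITM_CERT = {
    "subject": ((("commonName", "*.hotspot-attacker.example"),),),
    "subjectAltName": (("DNS", "*.hotspot-attacker.example"),),
    "notBefore": "Oct  1 00:00:00 2010 GMT",
    "notAfter": "Oct  1 23:59:59 2011 GMT",
}
NOW = 1288915200  # 2010-11-05 00:00:00 UTC, constructed "current time"

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("mitm", MITM_CERT)):
        print(label, "accepted for www.paypal.com:", verify_peer(cert, "www.paypal.com", NOW))
```

Clearing `check_hostname` and setting `verify_mode = CERT_NONE` is the Python equivalent of the defect: the handshake still encrypts, but to whoever answered, so a hotspot operator holding any certificate, self-signed or legitimately issued for their own name, can sit in the middle and read the session in the clear.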

It was only last week that PayPal plugged a cross-site scripting hole on its mobile payments site that could have been used in phishing attacks.

DeluxeBB "xthedateformat" Parameter SQL Injection Issue

DeluxeBB is a web-based bulletin board implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data passed to the "xthedateformat" parameter of the "misc.php" script before using it in an SQL query. DeluxeBB versions 1.3 and prior are affected.

Ref: http://www.securityfocus.com/bid/44259

10.44.29 - CVE: Not Available
Platform: Web Application - SQL Injection

White House Orders Standard Practices on Unclassified Information

The White House released an executive order Thursday that aims to standardize how agencies handle unclassified information that carries statutory protections against dissemination.

Such information — designated “controlled unclassified information,” or CUI — is currently handled in an ad hoc manner, with each agency creating its own policies, procedures and markings for safeguarding the information. This can create confusion with those requesting documents under the Freedom of Information Act, and among agency personnel handling such requests.

“This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing,” according to the order (.pdf), signed by President Obama. “The fact that these agency-specific policies are often hidden from public view has only aggravated these issues.”

To standardize the management of such information, the directive orders all executive branch agencies to produce a list of all the categories and subcategories they currently use to distinguish CUI from other unclassified information and to submit the list within six months to the National Archives and Records Administration (NARA). For each category, the agencies must cite the relevant law, regulation or government policy that justifies protecting the information from dissemination.

“If there is significant doubt about whether information should be designated as CUI, it shall not be so designated,” according to the order.

The NARA has a year to winnow these lists down to a single list of acceptable categories and subcategories for CUI.

Controlled unclassified information is protected from dissemination by various statutory exemptions passed by Congress and by government-wide policies. These include, for example, exemptions for information about individuals that is protected under the Privacy Act, information about law enforcement investigations, and proprietary business information and trade secrets. In the case of the latter, businesses are allowed to block government entities, such as the Federal Trade Commission, from disseminating to the public or to other corporations information that they assert could harm their business interests.

Open-government advocacy groups such as the California First Amendment Coalition have often accused corporations and agencies of abusing these exemptions to protect their self-interests.

Photo: President Barack Obama opens a door in the Oval Office to greet children from the education documentary Waiting for Superman, Oct. 11.
Pete Souza/Official White House photo

See also:

  • Officials Hoard Valuable Databases Funded by Taxpayers

Symantec IM Manager Multiple SQL Injection Vulnerabilities

Symantec IM Manager is an instant messaging traffic manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data before using it in SQL queries. Symantec IM Manager versions 8.4.15 and earlier are affected.

Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101027_01

10.44.24 - CVE: CVE-2010-0112
Platform: Cross Platform
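Both the DeluxeBB advisory above and this Symantec one describe the same defect class: a request parameter concatenated into an SQL statement. The Python below is added here as an illustration and is not code from DeluxeBB or Symantec, whose sources are not shown on this page. It runs the vulnerable and the fixed form of such a query against an in-memory SQLite database with a constructed schema, so the effect of a UNION payload on each can be observed directly. The table names, column names and password hashes are assumptions made for the example.

```python
import sqlite3


def build_db():
    """Constructed schema standing in for a forum database (not DeluxeBB's or
    Symantec's): one table the query is meant to read, one it is not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, dateformat TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT);
        INSERT INTO posts(title, dateformat) VALUES ('Welcome', 'd M Y'), ('Rules', 'Y-m-d');
        INSERT INTO users(name, pwhash) VALUES
            ('admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
            ('alice', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return conn


def titles_vulnerable(conn, dateformat):
    """Insufficient sanitization in the advisory's sense: the request parameter
    is spliced into the SQL text, so quotes and keywords inside it become part
    of the statement the database parses."""
    sql = "SELECT title FROM posts WHERE dateformat = '%s'" % dateformat
    return [row[0] for row in conn.execute(sql)]


def titles_fixed(conn, dateformat):
    """Parameter binding: the value travels separately from the SQL text and is
    compared as data, whatever characters it contains."""
    sql = "SELECT title FROM posts WHERE dateformat = ?"
    return [row[0] for row in conn.execute(sql, (dateformat,))]


# Classic UNION payload: closes the string literal, appends a SELECT against a
# table the page never meant to expose, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT name || ':' || pwhash FROM users --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", titles_vulnerable(db, PAYLOAD))  # leaks the users table
    print("fixed:     ", titles_fixed(db, PAYLOAD))       # []
```

The fixed form needs no knowledge of which characters are dangerous, which is why it holds up where escaping routines historically have not: the driver never lets the value reach the SQL parser.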

US Cyber Command becomes 'fully operational'

The US military's new Cyber Command has formally "achieved full operational capability", according to the Department of Defense (DoD).

“I am confident in the great service members and civilians we have here at US Cyber Command. Cyberspace is essential to our way of life and US Cyber Command synchronizes our efforts in the defense of DoD networks. We also work closely with our interagency partners to assist them in accomplishing their critical missions,” said General Keith Alexander, chief of Cyber Command and also of the feared National Security Agency (NSA), with which the Command shares a headquarters.

According to a statement issued yesterday announcing Full Operational Capability (FOC) for the cyber force:

“Some of the critical FOC tasks included establishing a Joint Operations Center and transitioning personnel and functions from two existing organizations, the Joint Task Force for Global Network Operations and the Joint Functional Component Command for Network Warfare.

“U.S. Cyber Command’s development will not end at FOC, and the department will continue to grow the capacity and capability essential to operate and defend our networks effectively. There are also enduring tasks that will be on-going after FOC, such as developing the workforce, providing support to the combatant commanders, and efforts to continue growing capacity and capability.”

The central cyber command coordinates the activities of the separate US armed services' cyber forces - the 24th Air Force and corresponding cyber formations in the US Navy, Army and Marine Corps. It will also work closely with the NSA (formally speaking a "combat support agency" of the Defense Department) and will cooperate with the Department of Homeland Security.

The cyber command is responsible for defending the .mil domain, while .gov comes under the DHS. Both agencies' role in other parts of the internet is yet to become clear, though it is evident that the military cyber warriors will maintain the ability to attack the networks of others as well as defending their own. (The 24th AF contains an entire unit, the 67th Network Warfare Wing, dedicated to nothing else - though it has a subsidiary role in red-teaming friendly networks when there are no enemies to attack.)

Jury Dings File Sharer $1.5 Million for 24 Songs

Thursday, November 4, 2010

Jammie Thomas-Rasset, the first file sharer to take a Recording Industry Association of America lawsuit to a jury trial, was dinged late Tuesday $62,500 for each of 24 songs she pilfered on Kazaa — $1.5 million in all.

The result is the third verdict by a Minnesota jury in a case that has morphed into a real life version of Groundhog Day. And Tuesday’s outcome is not likely to be the last word, either.

The Brainerd, Minnesota woman has repeatedly vowed to appeal what her lawyers said were “excessive damages.” Making matters more confusing, the judge presiding over all three trials ruled after the previous trial that $54,000 was the maximum amount of damages for such conduct.

The verdict proves once again that federal juries are willing to slap file sharers with monster awards. The only other file sharing case to have gone to trial resulted in a Boston jury last year awarding the RIAA $675,000 for 30 songs, a decision that is now on appeal.

New Internet Explorer bug found in the wild

Fake hotel confirmation used.

Attackers recently leveraged a zero-day vulnerability in Internet Explorer (IE) as part of a targeted email campaign that tried to trick users into following a link to a legitimate website infected with malware, according to researchers at Symantec.

The vulnerability, revealed in an advisory by Microsoft, affects all supported versions of IE. Jerry Bryant, group manager of response communications at Microsoft's Trustworthy Computing Group, said that the software giant is not aware of any affected customers.

An exploit that tried to take advantage of the flaw showed up on a credible website but has since been removed, Bryant said in a blog post. He did not name the victim site.

Symantec researcher Vikram Thakur said in a blog post that engineers learned that a "select group of individuals" were targeted through fraudulent emails seeking to confirm hotel room reservations.

The body of the messages contained a link, which pointed to the page of a legitimate website that contained a script designed to learn which browser and operating system versions the victims were running. If they were using IE 6 and 7, the script automatically directed them to a drive-by download page. Otherwise, it took them to a blank page.

"Visitors who were served the exploit page didn't realize it but went on to download and run a piece of malware on their computer without any interaction at all," Thakur wrote. "The vulnerability allowed for any remote program to be executed without the end user's notice."

Symantec researchers discovered that despite many employees being targeted globally, few victims actually accessed the malware file, which means most were using a browser other than IE 6 or 7.

Thakur also did not name the compromised site but said it was taken down a short time after Symantec notified Microsoft of the threat.

The Microsoft advisory contains a workaround that IT administrators are advised to apply until a patch is available.

In addition, IE 8, the latest version, has Data Execution Prevention (DEP) enabled by default, which is likely to stop this exploit from running. DEP is a mitigation rather than a fix: the vulnerability is present in IE 8 as well, and the advisory's workaround remains the only defense for IE 6 and 7 users until Microsoft ships a patch.
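The redirect script Symantec describes is a User-Agent gate: it chooses between the drive-by page and a blank page by browser version. The Python below is an added reconstruction of that fork and of the analyst's counter-move, not Symantec's or the attackers' code. It parses the IE major version and the Windows version from a User-Agent string, applies the gate, and checks a set of differential fetches (constructed here, with a placeholder `.invalid` host rather than the unnamed compromised site) to see whether a page serves different content to IE 6/7 than to other browsers. The Compatibility View handling is an assumption about a well-formed gate; the attackers' exact logic was not published.

```python
import re

_MSIE = re.compile(r"MSIE (\d+)\.\d+")
_TRIDENT = re.compile(r"Trident/(\d+)\.\d+")
_WINNT = re.compile(r"Windows NT (\d+\.\d+)")


def ie_version(ua):
    """Real IE major version for a User-Agent string, or None if not IE.
    IE 8 and later in Compatibility View advertise 'MSIE 7.0' but add a Trident
    token (Trident/4.0 is IE 8, Trident/5.0 is IE 9), so the Trident token wins."""
    m = _MSIE.search(ua)
    if not m:
        return None
    t = _TRIDENT.search(ua)
    return int(t.group(1)) + 4 if t else int(m.group(1))


def windows_version(ua):
    """Windows NT version string ('5.1' is XP, '6.0' Vista, '6.1' Windows 7)."""
    w = _WINNT.search(ua)
    return w.group(1) if w else None


def gate(ua):
    """Reconstruction of the fork in the article: IE 6/7 gets the drive-by page,
    everyone else a blank page. Assumption: the real script may have keyed on
    the MSIE token alone, which would also catch IE 8 in Compatibility View."""
    return "exploit" if ie_version(ua) in (6, 7) else "blank"


def detect_cloaking(responses):
    """Analyst check: fetch the suspect URL with several User-Agents and compare.
    responses maps UA -> (HTTP status, Location header or body). True when the
    IE 6/7 responses share nothing with what other browsers receive."""
    targeted = {r for ua, r in responses.items() if ie_version(ua) in (6, 7)}
    others = {r for ua, r in responses.items() if ie_version(ua) not in (6, 7)}
    return bool(targeted) and bool(others) and targeted.isdisjoint(others)


# Constructed User-Agent strings in the format those browsers sent.
UA_IE6_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
UA_IE7_VISTA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
UA_IE8_COMPAT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"

# Constructed responses standing in for a differential fetch of the landing
# page; the redirect target is a placeholder, not a real host.
SAMPLE_RESPONSES = {
    UA_IE6_XP: (302, "http://driveby.invalid/load"),
    UA_IE7_VISTA: (302, "http://driveby.invalid/load"),
    UA_IE8: (200, ""),
    UA_FIREFOX: (200, ""),
}

if __name__ == "__main__":
    for ua in (UA_IE6_XP, UA_IE8_COMPAT, UA_FIREFOX):
        print(ie_version(ua), windows_version(ua), gate(ua))
    print("cloaked:", detect_cloaking(SAMPLE_RESPONSES))
```

Because the gate keys on a header the client controls, an analyst can retrieve the exploit page by fetching it with an IE 6 or 7 User-Agent from an isolated machine; fetching with anything else returns the blank page and proves nothing. The same property explains why Symantec saw few victims: most targeted employees were on browsers the gate turned away.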

See original article on scmagazineus.com

Secure Computing Magazine


Analysis: Bigger Twitter, Facebook Flock Boosts Election Odds

The gubernatorial candidate with the most Twitter followers won Tuesday’s election in 22 of 34 declared races across the country, according to a Wired.com analysis.

The results showed 65 percent of the candidates with a bigger Twitter following won the chief executive’s post in their respective states. Three of the 37 races — in Minnesota, Illinois and Connecticut — were still too close to call Wednesday night and have not been counted in the analysis.

When it comes to Facebook, 20 of the 34 gubernatorial candidates with the most fans, or likes, won the chief-executive spot, according to our review of the data. That’s about 59 percent.

Jerry Brown, with more than 1.1 million Twitter followers, exults after winning California's governorship.

Those latter figures were closely aligned to a Facebook analysis of the 98 most hotly contested House races, where 74 percent of the candidates with the most Facebook fans won.

We’re not really sure what meaning to assign to the numbers, if any. It goes without saying that many other factors affect the outcome, including incumbency, money and personality — not to mention ideology.

And if there is any lesson to be learned from the data for future elections, Twitter and Facebook are just as important in marketing politicians as they are for household products and personalities. President Barack Obama understood this, riding an internet wave to victory two years ago.

But Facebook and Twitter popularity wasn’t always necessary to win Tuesday.

Take the case of Arkansas incumbent Mike Beebe, a Democrat who was re-elected. He had 509 followers on Twitter compared to Republican rival Jim Keet, with 955. The same was true on Facebook: Beebe had 4,982 fans compared to Keet’s 5,053.

In the Golden State, Attorney General Jerry Brown trounced Republican rival Meg Whitman. The Democrat had about 98,000 Facebook fans, less than half Whitman’s almost 208,000. But on Twitter, Brown had 1.1 million followers, compared to Whitman’s more than 242,000. Don’t forget Whitman spent at least $100 million more than Brown did.

Alaska had another contorted outcome, and it’s unrelated to Sarah Palin.

Incumbent Republican Sean Parnell, who won, had 565 Facebook fans, about half as many as Democratic challenger Ethan Berkowitz. On Twitter, Parnell had 288 followers compared to Berkowitz’s 56.

Finally, one other anomaly worth pointing out. Republican Rick Scott won Florida’s race having 1,800 Twitter followers fewer than opponent Alex Sink. Scott, however, had 55,477 Facebook fans compared to Sink’s almost 30,000.

Chart: Gov races

Threat Level editor Kevin Poulsen contributed to this report.

See Also:

  • The Obama Campaign: A Great Campaign, Or The Greatest?
  • Malicious RoboCalls Aim at Suppressing Election Day Turnout
  • GOP Site ‘Barackbook’ Mocks Obama’s Facebook Support
  • Feds Move to Break Voting-Machine Monopoly

DDoS attacks take out Asian nation

Myanmar was severed from the internet on Tuesday following more than 10 days of distributed denial of service attacks that culminated in a massive data flood that overwhelmed the Southeast Asian country's infrastructure, a researcher said.

The DDoS assault directed as much as 15 Gbps of junk data at Myanmar's main internet provider, more than 15 times the size of the 2007 attack that brought some official Estonian websites to their knees, said Craig Labovitz, a researcher at Arbor Networks. It was spread evenly across Myanmar's 20 or so providers and mixed several attack types, including TCP SYN and RST floods.

“While DDoS against e-commerce and commercial sites are common (hundreds per day), large-scale geo-politically motivated attacks, especially ones targeting an entire country, remain rare with a few notable exceptions,” Labovitz wrote, referring to the Georgia attacks, which coincided with the country's armed conflict with Russia. “At 10-15 Gbps, the Myanmar [DDoS attack] is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS.”

The attacks come ahead of the November 7 general elections set by the military junta that rules Myanmar. Many critics of the government say it launched the attacks in an attempt to manipulate the outcome. Others have blamed external forces. The data flood began 10 days ago, according to The People's Daily in China, which borders Myanmar.
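Arbor's figures, here and in the shorter Myanmar item earlier on this page (a baseline that peaks under 100 Mbps, a flood of 10 to 15 Gbps of mixed TCP SYN and RST traffic, and upstreams blackholing the victim's address space), describe the decision an upstream operator faces. The Python below is an added example rather than Arbor's tooling. It runs that decision over constructed flow records: it aggregates bits per second per destination /24 in 10-second windows, reports the share of bare-SYN and RST flows, and names the prefixes whose rate exceeds a multiple of the baseline, which is what gets blackholed. The addresses (TEST-NET-3), the record layout, the 10x threshold and the timestamps are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

BASELINE_BPS = 100_000_000   # Arbor: Myanmar normally peaks "well under 100 Mbps"
ALERT_MULTIPLIER = 10        # assumption: 10x baseline is where an upstream acts
WINDOW = 10                  # seconds per aggregation window


@dataclass(frozen=True)
class Flow:
    """One exported flow record (constructed layout, not a real NetFlow/IPFIX format)."""
    ts: int        # epoch seconds
    dst: str       # destination IPv4 address
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flags seen in the flow as letters, e.g. "S", "SA", "R"
    nbytes: int


def window_rates(flows, window=WINDOW):
    """Bits per second per (window start, destination /24)."""
    acc = defaultdict(int)
    for f in flows:
        start = f.ts - f.ts % window
        prefix = str(ip_network(f"{f.dst}/24", strict=False))
        acc[(start, prefix)] += f.nbytes * 8
    return {k: v // window for k, v in acc.items()}


def flag_mix(flows):
    """Count bare-SYN flows, RST flows and everything else: the SYN/RST mix is
    what separates a flood from a legitimate traffic spike."""
    mix = Counter()
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            mix["syn"] += 1
        elif f.proto == "tcp" and "R" in f.flags:
            mix["rst"] += 1
        else:
            mix["other"] += 1
    return mix


def blackhole_candidates(flows, baseline=BASELINE_BPS, mult=ALERT_MULTIPLIER):
    """Prefixes whose rate in any window exceeds mult x baseline. An upstream that
    blackholes these drops all traffic to them, attack and legitimate alike."""
    return sorted({prefix for (start, prefix), bps in window_rates(flows).items()
                   if bps > mult * baseline})


def sample_flows():
    """Constructed data: ten seconds of ordinary traffic to one host, then ten
    seconds of a SYN/RST flood spread across the whole /24."""
    normal = [Flow(1288915200 + i % 10, "203.0.113.10", "tcp",
                   "SA" if i % 2 else "S", 1500)
              for i in range(200)]
    flood = [Flow(1288915300 + i % 10, f"203.0.113.{i % 254 + 1}", "tcp",
                  "S" if i % 3 else "R", 1_500_000)
             for i in range(10_000)]
    return normal + flood


if __name__ == "__main__":
    flows = sample_flows()
    for (start, prefix), bps in sorted(window_rates(flows).items()):
        print(f"{start} {prefix}: {bps / 1e6:,.1f} Mbps")
    print("flag mix:", dict(flag_mix(flows)))
    print("blackhole:", blackhole_candidates(flows))
```

A blackhole route is the upstream protecting its own links, not the victim: everything to the listed prefix is dropped, which finishes for that prefix the job the attacker started. That is why the country went dark rather than the attack being absorbed; absorbing 10-15 Gbps needs scrubbing capacity upstream of a network whose normal peak is three orders of magnitude smaller.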

Group slams airport naked body scanners

An electronic privacy group has urged a federal appeals court to limit the use of full body scanners at US airports, arguing the machines are an unprecedented intrusion into the affairs of millions of Americans.

In a 55-page brief filed on Monday, the Electronic Privacy Information Center accused the Department of Homeland Security's Transportation Security Administration of unilaterally mandating the use of the machines as the primary screening technique. By allowing government contractors to capture images of travelers' naked bodies, the policy violates a raft of federal laws, as well as Constitutional protections prohibiting unreasonable search and seizure, it argued.

“The TSA subjects all air travelers to the most extensive, invasive search available at the outset,” EPIC attorneys wrote. “The TSA searches are also far more invasive than necessary to detect weapons. Alternative technologies, including passive millimeter wave scanners and automated threat detection, detect weapons with a less invasive search.”

The machines run on an embedded version of Microsoft's security-challenged Windows XP operating system and ship with an Ethernet port and USB access, which gives anyone with physical or network access to a scanner a route onto it. That means travelers can never be sure their images won't be intercepted by unauthorized parties. Some travelers have also questioned whether the machines expose them to unsafe levels of radiation.

What's more, the machines fail to detect many types of bombs, a fact that was brought home on Christmas of 2009, when Nigerian Umar Farouk Abdulmutallab is alleged to have snuck powdered explosives through an airport that used the scanners. His attempt to detonate the package in his underwear while his plane approached Detroit failed, but not because of the technology.

Despite the questions about the legality, safety and effectiveness of the scanners, the federal government went ahead in April 2009 with plans to make them the primary method of screening passengers. Previously, they were a secondary measure. Government officials have refused to follow the Administrative Procedure Act, which requires them to provide the public with the opportunity to express its views on fundamental changes and take them into account in final rules, critics argue.

A PDF of EPIC's brief is here.

Civil Liberties Watchdog Feingold Loses Senate Seat

Civil liberties advocates lost a Senate stalwart Tuesday night when Wisconsin senator Russ Feingold was defeated by Ron Johnson, a little-known plastics manufacturer whose shibboleths against health care reform and government spending tapped into populist anger.

For years, Feingold was one of the few — and sometimes the only — voices in the Senate skeptical of the government’s increasing demands for domestic surveillance power and control of the internet. He was one of 16 Senators who voted against the Communications Decency Act of 1996, an internet censorship bill later struck down by the Supreme Court, was the only Senator in 2001 to vote against the USA Patriot Act, and he introduced a measure to censure President Bush for his illegal warrantless wiretapping program.

“Senator Feingold was a true champion of civil liberties,” said Marc Rotenberg, the president of the D.C.-based Electronic Privacy Information Center. “He spoke out against the Patriot Act and the dramatic growth of government surveillance programs when many other Senators stood by silently. His voice and his commitment to the Constitutional rights of all Americans will be missed.”

In 1997, before many Americans were online, Feingold set out to repeal the CDA, which criminalized sending “indecent materials” to minors on the net, even before the Supreme Court heard the case.

“One can be a speaker, a publisher and a listener using the internet,” Feingold said, years before the term Web 2.0 became trendy. “The threat of the Communications Decency Act is its undeniable ability to stifle this free-flowing speech on the Net.”

Feingold was a maverick in his own party, strongly opposing the wars in Iraq and Afghanistan and voting against the TARP bank bailouts. Unlike many Democrats, however, he embraced his vote on health care reform, saying there was nothing wrong with helping to get the uninsured health care.

Lee Tien, a senior staff attorney for the Electronic Frontier Foundation in San Francisco, echoed Rotenberg.

“We’ll miss him,” Tien said. “He was one of the few to stand up against the Patriot Act and telecom immunity.”

Feingold and retiring Senator Chris Dodd (D-Connecticut) attempted to filibuster a provision that provided legal immunity to telecoms that helped the Administration spy on Americans’ internet and phone use without warrants. That provision, along with expanded government surveillance powers, eventually passed in July 2008 with the support of then-Senator Barack Obama, who promised to revisit that law, but has not.

Photo: Sen. Russ Feingold, D-Wis., makes his concession speech to his supporters Tuesday, Nov. 2, 2010, in Middleton, Wis., after losing to Republican challenger Ron Johnson for the Wisconsin U.S. Senate seat. (AP Photo/Joe Koshollek)

See Also:

  • White House Spy Docs Show Surveillance Was Illegal, Senator Feingold says
  • Chertoff Misleads on Laptop Searches, Feingold Charges
  • A Senator’s Lonely Privacy Fight
  • Telco Spy Immunity Up for Grabs
  • Bill Proposes Privacy for Americans’ Laptops at Border

Unpatched IE bug exploited in targeted attacks

Unknown attackers have been targeting a previously unknown vulnerability in Internet Explorer to take control of machines running the Microsoft browser, security watchers warned on Wednesday.

The exploits were hosted on a page of an unidentified website that had been breached without the owner's knowledge, according to antivirus provider Symantec, which discovered the attacks a few days ago. The perpetrators then sent emails that lured a select group of people in targeted organizations to the booby-trapped page, causing those who used IE versions 6 and 7 to be infected with a backdoor trojan.

The exploit required no interaction on the part of victims and gave no indication what was happening. While the exploit page was found on a single website, Symantec researchers warned the attacks may have been widespread.

"Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations," they wrote. "The files on this server had been accessed by people in lots of organizations in multiple industries across the globe."

In an encouraging sign, few of the visitors were affected because they weren't using a vulnerable browser, they added.

Version 8 of IE may also be vulnerable, but a security protection known as DEP, or data execution prevention, which is turned on by default, causes the browser to crash rather than remotely execute the malicious code, Microsoft said. DEP, which was first added to IE 7, is designed to lessen the damage of such attacks by preventing data loaded into memory from being executed. While hackers have figured out ways to bypass the technology, so-called heap-spraying attacks don't work well with this particular bug.

The security flaw resides in the part of IE that handles CSS, or Cascading Style Sheets, tags. As a result, the browser under-allocates memory, allowing vtable pointers held in memory to be overwritten. By spraying memory with specially crafted data, an attacker can cause IE to execute code.

The report is the latest reminder of the benefits of moving to the latest version of IE or to a different browser altogether. Those who must use IE versions 6 or 7 should consider augmenting them with EMET, Microsoft's tool for locking down older applications. It can be used to add DEP and other security mitigations to a variety of programs, including IE and Adobe Reader.

Microsoft didn't say when it planned to patch the vulnerability, but Jerry Bryant, a spokesman for Microsoft response, indicated the bug probably didn't warrant a release outside of the company's normal update cycle. That means the earliest we're likely to see a fix is December 14.

Microsoft has more details here, here and here.

PAD Site Scripts Multiple Cross-Site Scripting and SQL Injection Vulnerabilities

Wednesday, November 3, 2010

PAD Site Scripts is a set of PHP scripts for maintaining PAD-enabled websites. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. PAD Site Scripts version 3.6 is affected.

Ref: http://www.securityfocus.com/bid/44239

10.44.33 - CVE: CVE-2009-3191, CVE-2009-3190
Platform: Web Application

Frontis "source_class" Parameter SQL Injection Issue

Frontis is a web application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "source_class" parameter of the "bin/aps_browse_sources.php" script before using it in an SQL query. Frontis version 3.9.01.24 is affected.

Ref: http://www.securityfocus.com/bid/44236

10.44.28 - CVE: CVE-2009-2013
Platform: Web Application - SQL Injection

Malicious RoboCalls Aim at Suppressing Election Day Turnout

Nefarious groups intent on deterring minority voters from casting their ballots on Tuesday have distributed fliers and initiated robocalls disseminating misinformation about the date of the election and how voters should cast their ballots.

According to the Election Protection Coalition, which has received more than 10,000 calls to its national election hotline, Latino voters in the Los Angeles area have been targeted by so-called robocalls — recorded messages — reminding them to vote on November 3, instead of the real date, November 2.

"We have received reports of robocalls sent to Latino voters intended to mislead them about Election Day being on Wednesday, not today," said Kathay Feng, Executive Director of Common Cause and Election Protection Los Angeles Hotline. "Voter suppression is illegal and we are calling for a full investigation and prosecution if this is in fact taking place."

Voters in Louisiana, Maine and New Hampshire reported receiving calls directing them to a website to vote online, instead of at the polls. Internet voting, however, is not available to any voters in the U.S. Only U.S. voters overseas — such as military personnel and others — have the option to cast ballots online and only in two states, Arizona and a handful of counties in West Virginia. A recent pilot project of an internet voting system that was to be deployed in this year’s election in Washington, DC, was quickly abandoned after computer security students at the University of Michigan subverted the system and made it play their school’s fight song.

Officials have expressed concern that the web address given in the robocalls could be a scam to steal voters’ identity if they enter personal information at the sites.

Other robocalls in Kansas have erroneously told voters they need to bring their voter registration card to the poll as well as proof of home ownership in order to cast a ballot — neither of which is true. The calls also state the election date as November 3.

Voters in minority neighborhoods in Houston, Texas, have received fliers alleging to come from a non-existent political group — the Black Democratic Trust of Texas. The fliers tell voters not to vote a straight Democratic ticket — an option in some jurisdictions where voters can press one button on a voting machine and the machine automatically selects every candidate in the voter’s chosen party.

The fliers read “Republicans are trying to trick us! When you vote straight ticket Democrat, it is actually voting for Republicans and your vote doesn’t count. We are urging everyone to VOTE for BILL WHITE. A VOTE for BILL WHITE is a VOTE for the ENTIRE DEMOCRATIC ticket.” The fliers end with the Obama presidential campaign message, “Yes We Can.”

In addition to voter suppression issues, there have been scattered reports throughout the day of voting machine malfunctions and voter registration snafus in various states.

Numerous callers in Pennsylvania, particularly in Philadelphia, reported machines being down when they arrived to the polls. Other machines froze up when voters used them. Philadelphia uses Shouptronic push-button electronic machines made by Danaher, one of the lesser-known voting machine companies.

Pam Smith, president of Verified Voting, a group that led the national fight for voting machine paper trails, said in a press conference that in Ohio, some voting machines had printer problems, preventing them from producing paper trails that can be used in post-election recounts and audits.

There have also been problems with optical-scan machines jamming in New York, preventing ballots from being processed at the polling location. When this happens, ballots are supposed to be secured at the polling place and scanned at a central election office when the polls close.

Voter registration issues have cropped up in Ohio, Michigan and Texas. In Ohio, public assistance agencies that processed voter registration applications failed to file some of the forms with the election office in time for the election.

In Ann Arbor, Michigan, university students were told they weren’t registered to vote. An investigation showed that when they turned 21, the state automatically issued them new driver's licenses and updated their voter registration profiles with the address on their license. But because the address on their license didn’t always match their address at the university, they weren’t on the voter lists at university area polling places.

Voter registration issues have become a common problem ever since states switched to mandatory statewide voter registration databases to track voters.

Photo courtesy Mike Licht, NotionsCapital.com

See also:

  • Voter Database Glitches Could Disenfranchise Thousands
  • Voting System Pwned by Michigan Wolverines

Google's $8.5 million Buzz settlement a go

Google announced that it has received preliminary approval for its $8.5 million settlement of a class action brought against Google Buzz, the Gmail add-on that tried to turn the company's online email service into a social networking tool.

The settlement received preliminary approval from federal district court Judge James Ware on October 7, and Google revealed the news with a press release on Tuesday. "We are satisfied with the agreement and are glad to move forward," Google said in a statement. "We have always been committed to offering users transparency and choice in Buzz and all our products, and will continue to work together with users to provide the best experience possible."

Google also took the unusual step of contacting all Gmail users via email. "Google rarely contacts Gmail users via email, but we are making an exception to let you know that we've reached a settlement in a lawsuit regarding Google Buzz (http://buzz.google.com), a service we launched within Gmail in February of this year," the email read. "Shortly after its launch, we heard from a number of people who were concerned about privacy. In addition, we were sued by a group of Buzz users and recently reached a settlement in this case."

Ordinary users cannot receive compensation from the class action. "Just to be clear, this is not a settlement in which people who use Gmail can file to receive compensation," Google told Gmailers. In settling the suit, Google will create an $8.5 million fund that will be used to distribute awards to organizations "focused on" internet privacy or privacy education. It will also be used to pay the lawyers and the people who sued.

The suit consolidates several civil cases filed over Google Buzz, which was rolled out to roughly 32 million Gmail users in February. By default, Buzz automatically exposed users' most frequent Gmail contacts to the public interwebs. You did have the option of hiding the list from the public view, but many complained that the checkbox that let you do so was less than prominently displayed.

Days later, Google agreed to move the checkbox to a more prominent position, and it changed the way it handles user contacts. But the suits came nonetheless.

The court will decide on final approval for the settlement in January.

Airport screeners go for the groin

US airline security staff have introduced a new pat-down technique that might be familiar to folks who request "extras" in a massage parlour.

Punters (i.e., passengers) and civil liberties groups are far from ecstatic over these new moves, variously describing them as "horribly invasive" and "humiliating".

Passengers who object to going through full-body imaging scanners were previously allowed to opt for a "pat-down". Now the only alternative will be a rather more intimate laying-on of hands.

After tests of their new pat-down or feel-up approach at Boston's Logan International Airport, the US Transportation Security Administration declared itself sufficiently satisfied to roll out the new measures, which will involve security staff sliding their hands over passengers' bodies, to all 450 of its airports.

Passenger-rights organisations are not amused. Kate Hinni, founder of the non-profit FlyersRights consumer group, is widely reported as claiming that the new searches amount to a "foreplay pat-down" that will "feel like a moral issue" for many travellers.

Speaking of the choice between exposing oneself in the new body-scanner peep show or opting for a rub-down, she said: "It's like having to choose the lesser of two evils: both are horribly invasive."

One passenger who was less than satisfied with the result was Rosemary Fitzpatrick, a CNN employee who claimed that she was subjected to a pat-down at the Orlando, Florida, airport on Wednesday after her underwire bra set off a magnetometer. She was then taken to a private area where a female screener ran her hands around her breasts, over her stomach, buttocks, and inner thighs, and briefly touched her crotch.

Ms Fitzpatrick, who has subsequently complained about the experience and the fact that passengers were not warned of it in advance, stated: "I felt helpless, I felt violated, and I felt humiliated." She was, she said, reduced to tears at the checkpoint.

So is this all accidental? A cock-up on the part of transport officials with wandering hands?

Not according to Atlantic correspondent Jeffrey Goldberg, who is ordinarily fiercely supportive of the security brigade.

Writing of his own recent touching-up by security staff, he records the response when he asked one of the TSA guards at Baltimore-Washington International Airport if they were looking forward to conducting the full-on pat-downs.

According to Goldberg, the agent told him: "Nobody's going to do it ... once they find out that we're going to do [it]."

Goldberg suggested that the TSA are adopting this approach in the hope that people would prefer the full-body scan to a grope from a stranger. The agent allegedly agreed, telling him: "That's what we're hoping for. We're trying to get everyone into the machine."

Whether the TSA will eventually get its way on this issue remains unclear. Passenger resistance is claimed to be great. The technique has been dubbed "Pat down search abuse" by the American Civil Liberties Union, which is now calling on air travellers to send them their personal stories and information about their experiences during screening.

Group Demands Immediate Halt of Full-Body Airport Scanners

A leading privacy group is urging a federal appeals court to suspend the government’s program of introducing full-body imaging machines at airports across the country.

The Transportation Security Administration in March began deploying 450 of them to dozens of airports nationwide.

“The suspicionless search of all airport travelers in this most invasive way violates the reasonableness standard contained in the Fourth Amendment,” Marc Rotenberg, executive director of the Electronic Privacy Information Center, said Tuesday. He said the devices, costing $1 billion, were designed “to store and record and transmit the unfiltered image of the naked human body.”

The government is expected to respond next month to the U.S. Court of Appeals for the District of Columbia Circuit.

A test-image shown to reporters at Logan International this spring “showed the blurry outline of a female volunteer,” The Associated Press reported at the time. “None of her clothing was visible, nor were her genitals, but the broad contours of her chest and buttocks were. Her face also was blurred.”

The constitutional challenge aside, EPIC also charges that the Department of Homeland Security, in rolling out the devices, violated a host of bureaucratic policies requiring public review, including the Administrative Procedure Act.

What’s more, the group claims the machines, among other things, violate the federal Video Voyeurism Prevention Act, which protects against capturing improper images that violate one’s privacy.

Homeland Security Secretary Janet Napolitano said in a recent statement that the deployment is “enhancing our capability to detect and disrupt threats of terrorism across the nation.”

The so-called “backscatter machines,” however, cannot detect so-called “booty bombs” in which an explosive is inserted into the body.

Travelers can opt out of going through the imaging machines and instead undergo a pat down, including the crotch area.

See Also:

  • German ‘Fleshmob’ Protests Airport Scanners
  • Airport Scanners Can Store, Transmit Images
  • 11 More U.S. Airports Get Body Scanners
  • Body Scanners Might Violate U.K. Child-Protection Laws
  • GSM Security Researcher Targeted in Airport Shakedown
  • Adding More Names to Watch Lists Isn’t Change, It’s a Step Back
  • TSA Nixes Flying Without ID

Hackers tap SCADA vuln search engine

A search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering, the US Computer Emergency Readiness Team has warned.

The year-old site known as Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. As white-hat hacker and Errata Security CEO Robert Graham explains, the search engine can also be used to identify systems with known vulnerabilities.

According to the Industrial Control Systems division of US CERT, that's exactly what some people are doing to discover poorly configured SCADA gear.

"The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems," the group wrote in an advisory (PDF) published on Thursday. "These systems have been found to be readily accessible from the internet and with tools, such as Shodan, the resources required to identify them have been greatly reduced."

Besides opening up industrial systems to attacks that target unpatched vulnerabilities, the information provided by Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults, CERT warned. The organization advised admins to tighten security by:

  • Placing all control systems assets behind firewalls, separated from the business network
  • Deploying secure remote access methods such as Virtual Private Networks (VPNs) for remote access
  • Removing, disabling, or renaming any default system accounts (where possible)
  • Implementing account lockout policies to reduce the risk from brute forcing attempts
  • Implementing policies requiring the use of strong passwords
  • Monitoring the creation of administrator level accounts by third-party vendors

Short for Sentient Hyper-Optimized Data Access Network, Shodan contains a wealth of information about routers, servers, load balancers and other hardware attached to the internet. Its database was built by indexing metadata contained in the headers the hardware broadcasts to other devices. Searches can be filtered by port, hostname and country. In other words, not only can it identify a Solaris server, it can in many cases identify a Solaris server located in Pakistan that remains vulnerable to a known exploit.

CERT's warning comes a few months after reports that a worm called Stuxnet burrowed into SCADA systems controlling nuclear power plants. The attack, which many researchers speculate was intended to disrupt Iran's nuclear aspirations, demonstrated the success determined hackers can have in penetrating control systems.

Web 2.0 sites rated on FireSheep sidejacking risk

An online services security report card shows the extent to which popular web services are exposing users to account hijacking, especially in open WiFi network environments.

The risk has been understood in security circles for years but remained underreported prior to last week's release of an account hijacking tool called FireSheep. The Firefox plugin allows surfers to sniff and capture login credentials for sites including Facebook and Twitter and to subsequently log into those accounts, all with a few clicks of a button.

Surfers can avoid the risk by using a VPN tunnel to surf the web. The objective of Eric Butler, who developed the browser add-on, is to put pressure on more Web 2.0 sites to use full end-to-end encryption for logins.

However, follow-up tests by security blogger George Ou have revealed that side-jacking attacks might still be possible even when the site runs SSL. Ou published the first version of an online services report card on Monday looking into how effectively (or not) websites protect user login details.

Ou makes Gmail teacher's pet with the only 'A' grade in the batch, while eBay gets a creditable B and both Yahoo and Amazon get a passing C-. Scorn in the report is reserved for Flickr and Hotmail (both of which scrape a D-) and, in particular, Facebook and Twitter.
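The reason a site can "run SSL" and still be sidejackable is that a session cookie set without the Secure attribute is sent by the browser on any plain-http:// request to the same site, where an open-WiFi sniffer can read it. The grader below is an added example, not Ou's report card or his method: it scores constructed, hypothetical Set-Cookie headers and login URLs on that single criterion (the grade letters and the session-cookie name heuristic are this example's own assumptions).

```python
"""Grade a web service's login/session handling for sidejacking exposure.

Added example, not code from the article or from Ou's report card. All sample
headers and URLs below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Assumption of this example: cookie names that usually carry the logged-in
# session. A real assessment would confirm by logging in and observing traffic.
SESSION_NAME_HINT = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)


@dataclass
class Cookie:
    name: str
    secure: bool      # browser sends it only over https://
    httponly: bool    # page scripts cannot read it


@dataclass
class Assessment:
    grade: str
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value, keeping only the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name, "secure" in attrs, "httponly" in attrs)


def assess(login_url: str, session_url: str, set_cookie_headers: List[str]) -> Assessment:
    """Score a service. login_url is where credentials are posted; session_url is a
    typical post-login page; set_cookie_headers are the Set-Cookie values returned
    after a successful login."""
    findings = []
    credentials_in_clear = not login_url.lower().startswith("https://")
    if credentials_in_clear:
        findings.append("login form posts credentials over plain HTTP")

    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    session_cookies = [c for c in cookies if SESSION_NAME_HINT.search(c.name)]
    if not session_cookies:
        findings.append("no session cookie recognised; review the name heuristic")

    session_exposed = not session_url.lower().startswith("https://")
    if session_exposed:
        findings.append("post-login pages are served over plain HTTP")
    for c in session_cookies:
        if not c.secure:
            session_exposed = True
            findings.append(
                f"session cookie {c.name!r} lacks Secure: the browser will send it on "
                "any http:// link to the site, so it can be sniffed and replayed even "
                "though login used SSL"
            )
    missing_httponly = [c.name for c in session_cookies if not c.httponly]
    if missing_httponly:
        findings.append(f"session cookie(s) {missing_httponly} lack HttpOnly")

    # Grade letters are this example's own scale, not Ou's.
    if credentials_in_clear:
        grade = "F"          # password itself crosses the air in clear
    elif session_exposed:
        grade = "D"          # encrypted login, but the session can still be hijacked
    elif missing_httponly:
        grade = "B"          # no sniffing exposure, weaker against script theft
    else:
        grade = "A"
    return Assessment(grade, findings)


# Constructed sample services (hypothetical domains, not real measurements).
SAMPLES = {
    "full_ssl": ("https://login.example.test/", "https://mail.example.test/inbox",
                 ["SID=c0ffee; Path=/; Secure; HttpOnly"]),
    "ssl_login_leaky_cookie": ("https://login.example.test/", "https://social.example.test/",
                               ["auth_token=deadbeef; Path=/; Domain=.example.test"]),
    "all_clear": ("http://login.example.test/", "http://photos.example.test/",
                  ["sessionid=abc123; Path=/"]),
}


def grade_samples() -> dict:
    """Return {sample name: grade} for the constructed services above."""
    return {name: assess(*args).grade for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        result = assess(*args)
        print(f"{name}: {result.grade}")
        for f in result.findings:
            print("   -", f)
```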

The report card can be found here.

Google seems to classify self as potentially malign

Casual observers may have concluded that Google has defined a portion of its own search page as potentially malign this morning.

In reality, the warning that users visiting a particular page might become exposed to drive-by download attacks involves blogspot.com. Blogspot was caught serving content from a hacker-controlled domain, hence the health warning.

A screenshot of the snafu was captured by security researcher Mikko Hyppönen of F-Secure here.

"The warning about google.com was shown by the browser when accessing a page on Blogspot by clicking a link in Google search results," Hyppönen told El Reg. "The problem was on blogspot.com, not on google.com - it just looked that way."

The snag coincided with the expansion of Google's vulnerability rewards program to include bugs in its web services, such as search, Gmail and blogger.com.

UK nuke station denies Stuxnet shutdown

A British nuclear power station suffering an "unplanned outage" has categorically denied any link to the sophisticated Stuxnet worm.

One of two reactors at Heysham 1, owned by French energy giant EDF, was taken offline yesterday.

Parts of the site are run by Siemens S7 systems, prompting suggestions the sophisticated worm is to blame for the shutdown.

An EDF spokeswoman told The Register the suggestions amounted to "conspiracy theories".

"I can confirm that on Heysham 1 there is no Siemens S7 equipment in any safety-related applications," she said.

"There is absolutely no link between the cause of Heysham 1's trip yesterday and any 'cyber security' issues".

EDF declined to give a detailed technical explanation for the ongoing outage, citing regulations that forbid the release of such information. The regulations are designed to prevent distortion of the energy market based on speculation over when electricity production may resume.

Security researchers discovered earlier this year that Stuxnet exploits vulnerabilities in the type of Siemens control system used at Heysham, and in Microsoft Windows.

The sophistication of the attack - the EU information security agency ENISA called it "a new class and dimension of malware" - led many to believe it had been created by a state intelligence agency, possibly to disrupt Iran's civilian and military nuclear programme. Siemens and Microsoft have since released patches to secure their software.

To date there is no evidence that Stuxnet has affected any British facilities.

Canadian teen charged with school board hack

Tuesday, November 2, 2010

A 15-year-old who allegedly broke into a school board website before exposing the passwords of 27,000 fellow schoolchildren has been charged with computer hacking offences.

The unnamed Ontario youngster from the Thames Valley area had earlier claimed that he had only carried out the hack to expose the board's weak security.

He said he had purposely chosen to break into the student portal, where marks and timetables were revealed but no changes could be made.

The teen faces four charges, including using a password to commit a computer offence and fraudulently obtaining computing services. Assuming the case proceeds, the youngster is likely to face trial in a juvenile court.

Sophos debuts freebie anti-virus scanner for Macs

Updated: Sophos released a free of charge Mac anti-virus product for consumers on Tuesday in a bid to highlight the growing security risk against the platform and to shake fanbois out of their complacency.

The business-focused internet security firm is making Sophos Anti-Virus Home Edition for Mac available for download at no charge - with no time limit, and requiring no registration. The technology is a cut-down version of Sophos's pre-existing anti-virus software for Macs and will ship with detection of thousands of malware strains including Trojans and rootkits.

Sophos has no plans to release an equivalent free of charge Windows anti-malware scanner.

Three well-established freebie security scanners (AVG, Avast, Avira) already exist even without considering Microsoft's own Security Essentials software. Although commercial anti-virus packages for Macs have been sold for some time by the likes of Intego and Symantec - and more recently by Kaspersky and Panda - Sophos's software is one of very few freebie scanners for Macs available to date.

It's not the first freebie scanner for Macs currently available, contrary to claims in the first version of this article. Others, most notably ClamAV, exist.

Past threats to Mac users have included malware disguised as pirated software and uploaded onto P2P file-sharing networks, supposed video codecs that actually contain a Mac-specific Trojan horse and strains of Windows malware capable of infecting virtual installations of Windows running on a Mac.

Apple acknowledged the malware problem by integrating rudimentary protection against a handful of Mac Trojans in Snow Leopard, Sophos notes, arguing that users running its software are provided with more comprehensive protection against potential threats.

Carole Theriault, senior security consultant at Sophos, explained that while the picture is different in enterprise environments, "home Mac users aren't protecting themselves from malware".

Theriault admitted that Windows threats counted in their millions dwarf the number of strains of Mac malware, which can be counted in their thousands, but maintained there was a need for protection, whatever sales people in Apple Stores might say to the contrary. "We want to raise awareness," she explained.

The Sophos worker and Mac user has been running beta versions of its software on her machine over the past three months without noticing a performance hit. "It's not footprint-free but the impact is minimal," she reported.

Sophos Anti-Virus Home Edition for Mac is based on the enterprise version of the internet security firm's product but with the management hooks and extra bells and whistles removed to reduce complexity.

The UK-based firm sees the freebie Mac scanner as a medium-term commitment, even though the product is not there to make money, and it will cost Sophos to run a dedicated support forum and field queries. Unlike freemium scanner outfits such as AVG there are no plans to convert users onto paid-for consumer versions of Sophos Anti-Virus for Mac.

Many Mac users remain unpersuaded that Macs need anti-malware protection, so it will be interesting to see whether Sophos's move serves to shift perceptions. Whatever happens, it's likely to take plenty of flak from Mac fanbois for even suggesting there's a malware risk.

"While most businesses recognise the importance of protecting their Mac computers from malware threats, most home users do not," said Chris Kraft, product management vice president at Sophos.

Sophos Anti-Virus Home Edition includes automatic on-access detection that runs in the background, so that users do not need to schedule scans in order to be protected. The technology also bundles a disinfection utility.

More on the software, together with hardware compatibility information, can be found out from a download micro-site here.

Sophos debuts first freebie anti-virus scanner for Macs

Sophos released the first free of charge Mac anti-virus product for consumers on Tuesday in a bid to highlight the growing security risk against the platform and to shake fanbois out of their complacency.

The business-focused internet security firm is making Sophos Anti-Virus Home Edition for Mac available for download at no charge - with no time limit, and requiring no registration. The technology is a cut-down version of Sophos's pre-existing anti-virus software for Macs and will ship with detection of thousands of malware strains including Trojans and rootkits.

Sophos has no plans to release an equivalent free of charge Windows anti-malware scanner.

Three well-established freebie security scanners (AVG, Avast, Avira) already exist even without considering Microsoft's own Security Essentials software. Although commercial anti-virus packages for Macs have been sold for some time by the likes of Intego and Symantec - and more recently by Kaspersky and Panda - Sophos's software is the first freebie scanner for Macs available to date.

Past threats to Mac users have included malware disguised as pirated software and uploaded onto P2P file-sharing networks, supposed video codecs that actually contain a Mac-specific Trojan horse and strains of Windows malware capable of infecting virtual installations of Windows running on a Mac.

Apple acknowledged the malware problem by integrating rudimentary protection against a handful of Mac Trojans in Snow Leopard, Sophos notes, arguing that users running its software are provided with more comprehensive protection against potential threats.

Carole Theriault, senior security consultant at Sophos, explained that while the picture is different in enterprise environments, "home Mac users aren't protecting themselves from malware".

Theriault admitted that Windows threats counted in their millions dwarf the number of strains of Mac malware, which can be counted in their thousands, but maintained there was a need for protection, whatever sales people in Apple Stores might say to the contrary. "We want to raise awareness," she explained.

The Sophos worker and Mac user has been running beta versions of its software on her machine over the past three months without noticing a performance hit. "It's not footprint-free but the impact is minimal," she reported.

Sophos Anti-Virus Home Edition for Mac is based on the enterprise version of the internet security firm's product but with the management hooks and extra bells and whistles removed to reduce complexity.

The UK-based firm sees the freebie Mac scanner as a medium-term commitment, even though the product is not there to make money, and it will cost Sophos to run a dedicated support forum and field queries. Unlike freemium scanner outfits such as AVG, Sophos has no plans to convert users onto paid-for consumer versions of Sophos Anti-Virus for Mac.

Many Mac users remain unpersuaded that Macs need anti-malware protection, so it will be interesting to see whether Sophos's move serves to shift perceptions. Whatever happens, it's likely to take plenty of flak from Mac fanbois for even suggesting there's a malware risk.

"While most businesses recognise the importance of protecting their Mac computers from malware threats, most home users do not," said Chris Kraft, product management vice president at Sophos.

Sophos Anti-Virus Home Edition includes automatic on-access detection that runs in the background, so that users do not need to schedule scans in order to be protected. The technology also bundles a disinfection utility.

More on the software, together with hardware compatibility information, can be found on Sophos's download micro-site.
