Recently in News Category

Following the AT&T DNS poisoning late last month, one of China's largest ISPs, China Netcom, has suffered a similar setback. In the past, Chinese companies have had little trouble with information security as their domestic hackers primarily target foreign servers. This is starting to change, however, and China is going to have a huge problem trying to both maintain security and continue the fast pace of growth.

From ZDNet Blogs:

The DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits.

According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer,  Adobe Flash Player and Microsoft Snapshot Viewer. [From ZDNet: Websense reports China Netcom DNS cache poisoning]

This is especially interesting after attending an IC3 talk on Tuesday morning on the various common types of online fraud. It's true that most of the victims of these scams are complicit in the get-rich-quick schemes, but barring the ones who commit criminal acts such as money laundering or forwarding shipments to Nigeria, it would be difficult to classify them as criminal.

From the Sydney Morning Herald:

THE Nigerian high commissioner says people who are ripped off by so-called Nigerian scams are just as guilty as the fraudsters and should be jailed.

*  *  *
"People who send their money are as guilty as those who are asking them to send the money," he said. [From smh.com.au: Jail the 'greedy' scam victims, says Nigerian diplomat]

This certainly has potential to be huge, but it's still too early to tell. If the technique can be directly applied against the common ciphers listed below, then it could render these ciphers completely impotent against a dedicated attacker.

From ComputerWorld:

Adi Shamir, who is the S in RSA, has presented material at the Crypto 2008 conference that has promised a new form of mathematical attack against a broad range of cryptographic ciphers, including hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES). The new method of cryptanalysis has been called a "cube attack" and formed part of Shamir's invited presentation at Crypto 2008 - "How to solve it: New Techniques in Algebraic Cryptanalysis".

* * *

Without access to the paper (expected to be published later this year), the full scope of the discovery can't be easily determined. It may be that it delivers an order of magnitude improvement over existing methods, but implementation will still take such a long period of time that it is effectively impractical for attack against time sensitive content. Then again, it may be that it has brought it into a viable timeframe, something that can be achieved with a handful of modern machines - nothing that is too far out of reach of the motivated and resourced attacker. [From Computerworld - New attack against multiple encryption functions]

The stakes have been raised in the battle against online crime. A Turkish hacker who was working with authorities was captured, tortured, and released in reprisal for his cooperation.

From Wired Blogs:

A Turkish computer hacker who was helping that country's media and national police investigate computer crimes was kidnapped and tortured by a notorious ATM hacker, according to a report from the Turkish press.

The victim, known online as "Kier," had been leaking information to Turkish reporters about an underground figure called Cha0, when he briefly disappeared. He resurfaced in May, and described being abducted and beaten by Cha0 and his henchmen. [From Wired Blogs: Hacker Reportedly Kidnaps and Tortures Informant, Posts Picture as a Warning to Others]

 

A Windows new remote-code execution vulnerability has been spotted in the wild. A proof-of-concept demonstration is available here.

From CyberInsecure:

a new public zero-day Windows vulnerability is being exploited in the wild. Microsoft Windows is prone to a remote code-execution vulnerability due to an unspecified error in 'NSlookup.exe'. Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

According to the alert, the issue is being actively exploited in the wild but details on the attacks are currently unavailable. At this moment there are no workarounds or vendor-supplied patches [From CyberInsecure:Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild]

Technorati Tags: microsoft,windows,vulnerability,exploit

It looks like glitches in Apple's MobileME rollout and the accompanying user frustration have created opportunities for phishing scams. I think Apple has already burned through their security goodwill. It's time for the company to step up and start dealing with the rapidly emerging threat that targets its customers.

From The Register:

Data obtained by CardCops, a credit card protection service owned by the Affinion Group, shows sensitive information belonging to several hundred people with Mac.com email addresses being traded in underground forums frequented by identity thieves. The details include social security numbers, birth dates, mothers' maiden names, credit card numbers and other sensitive information.

The graphic to the right, which has been edited to remove personally identifying details, shows some of the data that's been available.

The information was phished using emails that began circulating around the same time Apple began its ill-fated transition from Mac.com to Me.com. The scams bore subjects such as "Billing problem." Following the link as recently as Tuesday while using Apple's Safari browser, we were taken to an authentic-looking page purporting to belong to Apple. It asked users to reinstate their accounts by entering a dizzying array of personal details. (Interestingly, while Internet Explorer warned us the page was a scam, neither Safari nor Firefox flagged it.) [From The Register: Apple faithful snared in phishing scam targeting Mac.com users]

The OpenVAS project, a free and open source replacement for Nessus, announced its first stable release yesterday afternoon. This release includes server installation packages for OpenSUSE, Fedora, Mandrake, Gentoo, and FreeBSD. A client only package is available for Windows.

Nessus, one of the standards in vulnerability scanners, was an open source project until a couple of years ago. This project is a fork from the last open version.

From Full Disclosure:

The OpenVAS project is proud to announce the release of the first stable
version of the "Open Vulnerability Assessment System". OpenVAS is a fork of
the Nessus security scanner; while Nessus switched to a proprietary license,
OpenVAS will continue to improve the scanner and will provide all components
as Free Software.{From FullDisclosure: OpenVAS Stable Release]

According to Wired, the Airforce has stopped work on "Cyber Command" just prior to being declared operational. The new command was controversial, since it was a unilateral move by the Airforce to snap cyberspace into their portfolio.

From Wired's defense blog:

The Air Force is about to suspend its controversial effort to reorganize its forces to "dominate" cyberspace. The provisional, 8,000-man Cyber Command has been ordered to stop all activities, just weeks before it was supposed to be declared operational.

"Transfers of manpower and resources, including activation and reassignment of units, shall be halted," according to an internal e-mail obtained by Nextgov's Bob Brewin -- and confirmed by Air Force sources. Instead, the Air Force's new leadership -- including incoming Chief of Staff Norton Schwartz -- will be given time to rethink how big the command will be, and what exactly it will do. [From Wired.com: Airforce Suspends Controversial Cyber Command]

Georgian President Mikheil Saakashvili will be giving an open press conference via telephone this afternoon. As far as I know, this event is unprecedented in providing access to online and community; sponsorship by a major news organization is not required to directly interact with a head of state.

From RBN:

Tbilisi, Georgia - Mikheil Saakashvili, President of Georgia, will be giving a briefing for international media via teleconference on Monday, August 11, at 11:00 CET (13:00 TBS, 10:00 UK Time, 05:00 ET).

WHEN: The call will take place on Monday, August 11, at 13:00 Tbilisi Time (11:00 Central European Time, 10:00 UK Time, 05:00 Eastern Standard Time); the call will run for approximately 30 minutes.

HOW TO JOIN THE CALL: To join the call, dial +1.706.679.3044 (internationally) or 877.810.6130 (in the USA) Provide the operator with this conference ID: 59983245 [From Russian Business Network (RBN): RBN - Georgia CyberWarfare - Conference Call]

Despite being delicately handled and patched at an unprecedented rate, Kaminsky's DNS vulnerability researc may have opened up a huge can of worms. Russian developer Evgeniy Polyakov has announced that fully patched DNS systems are still vulnerable to poisoning.

From his blog, Zbr's Days:

Two attacking servers, connected to the attacked one via GigE link, were used, each one attacked 1-2 ports with full ID range. Usually attacking server is able to send about 40-50 thousands fake replies before remote server returns the correct one, so if port was matched probability of the successful poisoning is more than 60%.

Attack took about half of the day, i.e. a bit less than 10 hours. So, if you have a GigE lan, any trojaned machine can poison your DNS during one night... [From Zbr's days.]

This has also been mentioned in the New York Times and the Inquirer. He has posted his proof of concept code here.

Is anyone really surprised that social networking sites such as Facebook and Myspace were discussed at this year's Blackhat in Vegas? The entire purpose of the genre is to share data, which can be difficult to do securely. According to one presentation, though, they aren't really even trying.

From Information Security Magazine:

Social networks like Facebook and MySpace are perfect models for the three D's of insecurity: insecure by design, insecure by default and insecure in deployment.

According to a pair of security consultants who spoke at the 2008 Black Hat briefings, security is clearly not part of the business model for owners of these wildly popular Web properties.

* * *

Speaking to a Black Hat audience in a rapid-fire, free-wheeling session Thursday, their key message was that when sharing something on a social network, assume it's going to be public.

If you give credit card information to Facebook, which it warns users not to do, you deserve to fail.

The duo demonstrated a series of all-too-easy MySpace attacks, which combine social engineering and technical hacks against an end-user population hungry for peer interaction and imbued with trust.[From MySpace, Facebook ignoring basic principles of security]

Audio recordings from the Last HOPE conference are available online here. It's a long and diverse list of topics that really reflects the history of both the conference and 2600 magazine. I'm sure you can find something that matches your interests and skill level.

I've tossed some onto an iPod for listening this week.

It looks like the Chinese government has problems with hackers from behind the Great Firewall. It's actually astounding that this hasn't been a larger and more public before now, especially considering the quality and quantity of hackers that keep coming out of China.

From Dark Visitor:

You would think, with the recent earthquake in Sichuan and the ongoing Olympics, that government websites dealing with emergency management would be inspected rather thoroughly. Not so much. Google spiders crawling the internet, show that the website has been hacked since at least 31 July 08.

Is it unusual for a Chinese hacker to attack their own government’s website? The first-generation of Chinese hackers had very strict rules about not hacking inside China but the current crop doesn’t seem to adhere to the same code. Doing a pull on Zone-h.com.cn, gives 1,952 known Chinese government websites that have been hacked. A fairly large number of those attacks appear to be carried out by Chinese hackers. [From The Dark Visitor » Chinese hackers eating Chinese hackers…with a side of government]

It looks like some cyberwar is accompanying boots on the ground as Russian troops and tanks invade. The Georgian Ministry of Foreign Affairs website has been defaced, containing photos of President Mikheil Saakashvili alternating with images of Hitler. Here is a screen capture:

It looks like the Apple security problems that have been buried in the news this year are adding up. According to IBM's annual security report, they have more disclosed vulnerabilities than any other vendor.

While Microsoft has been making their security practices progressively more transparent, Apple is notoriously close-lipped; one can only speculate about the actual numbers.

From InfoWorld:

Apple has taken the place of Microsoft for disclosing more vulnerabilities than any other vendor, according to an IBM security report.

The company rose from second place in 2007 to take the top spot away from Microsoft, which had fallen into third place behind open source content management system Joomla.

Final results were close, according to the IBM X-Force 2008 mid-year report , with Apple achieving vulnerability disclosure score of 3.2 percent, followed by Joomla with 2.7 percent and Microsoft at 2.5 percent. [From Apple gets bruised in vulnerability report | InfoWorld | News | 2008-08-06 | By Darren Pauli, Computerworld Australia]