Sunday, April 15, 2007

Remote hackers could trick users into running malicious code

Confidential vulnerability information managed by the CERT Coordination Center has again been leaked to the public, following a flurry of such leaks in March.

The latest information concerns a flaw in PDF (Portable Document Format) readers for Unix and could allow a remote attacker to trick users into executing malicious code on their machines, according to a copy of the leaked vulnerability report.

As with confidential CERT information that was leaked in March, the latest report was posted to a vulnerability discussion list by an individual using the name "hack4life."

The leaked information was taken from communication sent from CERT to software vendors affected by the PDF problem, according to Jeffrey Carpenter, manager of the CERT Coordination Center. The information appears to be from a vulnerability report submitted to CERT by a Cincinnati security researcher by the name of Martyn Gilmore.

Gilmore did not respond to requests for comment and CERT would not comment on how it obtained the PDF vulnerability information or on Gilmore's relationship with the Pittsburgh-based software vulnerability monitoring organization.

In the report, Gilmore describes a problem in the way that PDF viewing programs for the Unix platform process hyperlinks within valid PDF documents. When processing hyperlinks, common PDF readers use the Unix "shell" command (sh -c) to launch and pass commands to external programs. For example, clicking on a hyperlink for a Web page would launch the associated Web browser, according to the report.

However, Gilmore found that such programs do not properly check the syntax of such commands, enabling arbitrary shell commands to be executed on the vulnerable machine.

While attackers are limited by the privilege level of the user clicking the malicious link, the vulnerability could enable a remote attacker to use shell commands to delete files from the user's hard drive or perform other actions without the knowledge of the victim, the report said.
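The flaw the report describes is a command-injection pattern: the link target from the document is pasted into a command string that the reader hands to `sh -c`, so any shell metacharacter in the link becomes part of a command rather than part of a URL. The following is an added illustration, not code from the report or from any of the readers it names; the browser and handler names (`netscape`, `xdg-open`), the scheme allowlist and the sample links are assumptions constructed for the example. It shows the vulnerable construction beside the hardened one, which validates the scheme and passes the URL as a single argv element so no shell ever parses it.

```python
import subprocess
from typing import List, Optional
from urllib.parse import urlsplit

# Characters that "sh -c" interprets: separators, substitution, redirection,
# quoting, globbing.  A link target containing any of them is no longer a
# single argument once a shell parses the command string.
SHELL_META = set(';|&$`<>()\n\r\'"\\ \t*?[]{}~#!')

# Schemes a document link may hand to an external program.  Assumed allowlist
# for the example; a reader would tune it to the handlers it actually supports.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}


def build_shell_command(url: str, browser: str = "netscape") -> str:
    """Vulnerable pattern, constructed to mirror the report: the link target is
    pasted into one string that the reader then runs with `sh -c`.  Nothing
    here executes it; the function only shows what the shell would receive."""
    return f"{browser} {url}"


def shell_would_reinterpret(url: str) -> bool:
    """True if a shell given build_shell_command(url) would see more than a
    single browser argument, i.e. the condition the report describes."""
    return any(ch in SHELL_META for ch in url)


def validate_link_target(url: str) -> Optional[str]:
    """Hardened check: refuse control characters and allowlist the scheme
    (which also stops a target beginning with '-' from being read as an
    option by the handler).  Returns the URL when acceptable, else None."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return None
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if scheme not in ALLOWED_SCHEMES:
        return None
    return url


def build_safe_argv(url: str, handler: str = "xdg-open") -> Optional[List[str]]:
    """Hardened pattern: the URL travels as one argv element and no shell ever
    parses it, so shell metacharacters in the link are inert.  `handler` is an
    assumed program name, not one named in the report."""
    if validate_link_target(url) is None:
        return None
    return [handler, url]


def launch_link(url: str) -> bool:
    """Launch the external handler for a validated link.  Returns False (and
    launches nothing) when the link is rejected."""
    argv = build_safe_argv(url)
    if argv is None:
        return False
    subprocess.Popen(argv)      # list form: shell=False, no sh -c involved
    return True


if __name__ == "__main__":
    # Constructed link targets: one ordinary, one carrying a shell separator.
    for link in ("http://example.com/page.html", "http://example.com/;echo injected"):
        verdict = "shell would split this" if shell_would_reinterpret(link) else "single argument"
        print(build_shell_command(link), "->", verdict, "| safe argv:", build_safe_argv(link))
```

Note that the hardened path still accepts a URL containing `;`: once the target is an argv element rather than shell input, the character is just data, which is why the fix is to stop using the shell rather than to blacklist characters. The scheme allowlist is the remaining check that matters, since it keeps `file:` targets and option-like strings away from the handler.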

Adobe Systems Inc.'s Acrobat Reader 5.06 is affected by the problem in addition to the open-source reader Xpdf 1.01, according to the report.

CERT declined to discuss the details of the vulnerability.

The vulnerability information was scheduled to be released by CERT on June 23, according to an e-mail message purporting to be from hack4life that prefaced the leaked report.

The release date was obtained from CERT communications with its vendors, as well, but CERT declined to comment on whether it would be releasing an advisory regarding the PDF problem on June 23, according to Carpenter.

Hack4life cited "college and exams" for the lull in leaked CERT information in recent months and hinted at the likelihood of more disclosures in the future.

"I'll have plenty of time to keep you all up to date with what those fools at CERT are up to once college is finished," hack4life wrote.

In March, someone using the same name posted information on four vulnerabilities that CERT was investigating to the vulnerability discussion list Full-Disclosure. Those posts included sensitive information on a vulnerability in the Kerberos Version 4 protocol and a problem reported by Microsoft Corp. regarding spammers' abuse of Web redirectors, which forward users of Web portals such as MSN to IP (Internet Protocol) addresses close to their geographic location.

The PDF information was disclosed to CERT after the vulnerabilities were leaked in March, Carpenter said.

Contacted by e-mail in March, hack4life denied any affiliation with CERT and said that the reports were "stolen in a recent computer intrusion."

"Fun and amusement" was the primary motivation for stealing and leaking the vulnerability reports. A secondary motivation cited in e-mail by hack4life was anger over CERT's perceived failure to publish vulnerability information in a timely manner.

At the time, CERT officials cast doubt on hack4life's assertion that the reports were hacked, saying that the information was most likely leaked by a member of one of the development teams CERT works with to evaluate vulnerabilities.

The latest incident reaffirms CERT's belief that the problem lies with its vendors rather than with its own systems, Carpenter said. While CERT does not yet know which vendor is responsible for the leak, the organization is confident that an insider threat or compromise at one of the companies it deals with is responsible for the leaks, he said.

CERT is communicating with vendors about the problem, but Carpenter would not comment on whether CERT is working with law enforcement to catch the person responsible for the leaks.

"I'm not going to get into those specifics at this point," he said.

CERT plans to consult with affected vendors and discuss how to proceed now that the information is public, he said.

Monday, April 09, 2007

VESA adds anti-piracy tech to DisplayPort

The Video Electronics Standards Association (VESA) has posted DisplayPort version 1.1, almost a year after the digital monitor connection standard was first published.

DisplayPort is pitched as the successor to not only DVI external monitor connections but also LVDS, used to hook up notebook panels. Heck, it'll even replace VGA, VESA said in a tone suggesting the analogue standard will be around for some time yet.

DisplayPort 1.1 adds support for the HDCP 1.3 anti-duplication system, essential for allowing protected content on Blu-ray Disc and HD DVD media to be carried at full resolution to a DisplayPort-connected screen. The new spec also adds low-power and low-voltage modes.


DisplayPort is an alternative to the HDMI screen connection standard being promoted by the consumer electronics industry. The crucial difference is support for audio information: HDMI carries sound as standard; for DisplayPort 1.1 it's optional. VESA sees DisplayPort as the standard for business-oriented systems, while HDMI will be the natural choice of monitor port for computers aimed at consumers.

Microsoft hits Middle East pirates

Microsoft is taking legal action against several companies it accuses of selling academic copies of Office to ordinary punters.

Schools and colleges can get cut-price software from Microsoft, but Microsoft says some resellers, in Jordan and elsewhere, have been selling the software on to companies and consumers in the US.

Microsoft has filed nine lawsuits and sent over 50 cease and desist letters. The legal action was started in the US, where the software was sold.

Microsoft UK anti-piracy head Michala Alexander told The Reg: "We're taking action against several global organisations who have been getting hold of academic copies of Office and selling them on in breach of the terms and conditions."

Alexander said the launch of Vista has increased piracy for older versions of Microsoft software: "It's like the end of season sale. We've not seen any Vista products in the UK yet - we made a big investment in anti-piracy measures and I think the activation process certainly helps."

As part of the same crackdown, Microsoft has settled with eDirectSoftware, one of its biggest distributors of academic software, over its involvement in a similar scheme. ®

Thursday, April 05, 2007

Hacking as an inside job

"Leaving your Web applications insecure makes no more sense than building a brick wall but using a gate made from chain link fencing." – James Gaskin

Whenever the President of the United States travels anywhere, there are numerous individuals charged with making sure the President is secure and unharmed from attack. This is the premise behind Internet security. The work you have done on your site is the product of valuable time and energy. For some business owners the website represents significant research and creative energy. It is possible for a vulnerable website to be hijacked and remade into something that resembles your website in name only, or to have safeguarded data copied for the use of a third party.

One of the biggest mistakes a website owner can make is allowing the work to be left unguarded. As reported in recent years, hacking of a computer system can occur either from within a company or from a remote location, which makes the use of Internet security so important.

“Advances in firewall technology (making them easier to install and configure), improvements in vulnerability scanning and better explanations of how to repair them, and better intrusion-detection with fewer false-positives are all key technologies in this race.” – Dr. Charles C. Palmer

Some hackers argue they are not involved in felonious activities, but are simply seeking knowledge and using the internet to find answers; however, the U.S. Government views the activity as a felony, punishable under applicable state and federal laws.

It should be noted that the meaning of the term hacker has shifted. No longer is the term ‘hacker’ used only to describe someone gifted at programming who is able to break a website's code to gain access to information. Today a hacker is also someone who misappropriates company data. Typically this scenario involves an inside, and often trusted, source.

“System administrators must learn about and maintain their systems securely. Users have to understand their security responsibilities.” – Dr. Charles C. Palmer

In many cases, businesses are now making a non-disclosure agreement a part of the hiring procedure to provide extra legal recourse in the event that data is electronically removed and used in ways unauthorized by company heads.

“If a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless?” – Dr. Charles C. Palmer

Security issues must be taken seriously in the development of a web-based business infrastructure. It may be worth exploring both on-site and off-site security features as a means of ensuring the long-term usability of your website.

Avoiding Internet Fraud and Scams

As ever more people use the internet for shopping, business transactions, online banking, etc., the incidence of internet fraud and scams has shot up in an alarming fashion. Not only has the level of internet crime increased but the scammers and fraudsters grow cleverer and more sophisticated every day. What can you do to fight back? In this article I will describe the most common scams of today so that you can recognize them for yourself and I will suggest how you might deal with them. Read on and find out how to avoid being taken!

Most of us are familiar with the dangers to our computers from viruses and similar destructive programs. There are many “fake” virus threats, however, which do no actual harm but can cause people to become alarmed and perhaps waste a lot of time. A recent example of this type of scam is the Death Ray virus scam which threatened to cause your computer to “explode in a hellish blast of glass fragments and flames”. A virus can damage software and files but NO virus can physically damage your computer hardware. If you inadvertently open an email containing such a threat simply delete the email and ignore it.

Then there is the classic “Nigerian” money scam. I put Nigerian in quotes because this particular scam started off purporting to come from Nigeria but now can originate from virtually any country. The most common are from countries where the political situation is such that the claims made in the scam are plausible. This is how it works. You will receive an email from someone saying that their money, usually a huge sum, is tied up in local banks. They need the money to pay bills or perhaps to get out of the country safely. You are asked to help them by having the money transferred to your account and you will be given a percentage of the cash for allowing them access. Needless to say once they have your bank account details you will never hear from them again, but you will see a large depletion of the money in your account!

You have probably heard of “phishing”. This refers to a particularly nasty scam which uses your personal details, credit card, bank account, social security, etc., to enable the thief to purchase goods, withdraw money and so on, all in your name. Never give your personal details in an email. Be sure that any web page that asks for such information is secure. Its address will begin with https:// rather than just http:// and there will be an icon in the form of a padlock in the right hand corner of your task bar. Clicking on the padlock will present a screen which gives details of the website’s security certificate.

Anything which says you have won a valuable prize in a competition or lottery which you did not enter should immediately start the warning bells ringing. You are likely to see many variations on this scam, including getting free cases of coke, free clothing from high profile stores, free cases of beer, free Dell computers and free cell phones. Usually you have to pay a fee to receive your prize. Once you have paid the fee you will never hear anything more. There is the added danger here of the thieves possibly having access to your credit card details.

A particularly deplorable kind of scam is the one relating to “work at home” opportunities. These prey on people on low incomes or the unemployed, people who are desperate for money. A rosy picture is painted of the large amount of money to be made for carrying out some menial task such as filling envelopes. They will ask for a fee upfront to pay for the supplies you will need to get started. You know you’ve been had when the supplies arrive: paper clips, paper, rubber bands and the like, at four times what you would pay for the items in your local store. Not only that, but when you complete any tasks you are set and send the work to them, they will say it was not up to the required standard and refuse to pay you. That is, if you ever hear anything at all. If you are interested in working at home there are plenty of legitimate companies out there. They won’t contact you first and they won’t ask for money from you before sending you work.

Computer Security, Viruses And Threats

Today, many people rely on computers to do homework, work, and create or store useful information. Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for people to protect their computers from data loss, misuse, and abuse. For example, it is crucial for businesses to keep the information they hold secure so that hackers can't access it. Home users also need to take steps to make sure that their credit card numbers are secure when they are participating in online transactions. A computer security risk is any action that could cause loss of information, software or data, processing incompatibilities, or damage to computer hardware; many of these are deliberately planned to do damage. An intentional breach in computer security is known as a computer crime, which is slightly different from a cybercrime. A cybercrime is an illegal act carried out over the internet and is one of the FBI's top priorities. There are several distinct categories of people who commit cybercrimes, and they are referred to as hacker, cracker, cyberterrorist, cyberextortionist, unethical employee, script kiddie and corporate spy.

*The Hacker.
The term hacker was originally a complimentary word, but now it has a very negative connotation. A hacker is defined as someone who accesses a computer or computer network unlawfully. They often claim that they do this to find leaks in the security of a network.

*The Cracker.
The term cracker has never been associated with anything positive; it refers to someone who intentionally accesses a computer or computer network for malicious reasons. It's basically an evil hacker. They access it with the intent of destroying or stealing information. Both crackers and hackers are very advanced in network skills.

*The Cyberterrorist.
A cyberterrorist is someone who uses a computer network or the internet to destroy computers for political reasons. It's just like a regular terrorist attack because it requires highly skilled individuals, millions of dollars to implement, and years of planning.

*The Cyberextortionist.
The term cyberextortionist refers to someone who uses email as an offensive force. They would usually send a company a very threatening email stating that they will release some confidential information, exploit a security leak, or launch an attack that will harm the company's network. They will request a sum of money to prevent the threat from being carried out, a bit like blackmail.

*The Unethical Employee.
An unethical employee is an employee who illegally accesses their company's network for any number of reasons. One could be the money they can get from selling top secret information; others may be bitter and want revenge.

*The Script Kiddie.
A script kiddie is someone who is like a cracker in that they may have the intention of doing harm, but they usually lack the technical skills. They are usually silly teenagers who use prewritten hacking and cracking programs.

*The Corporate Spy.
A corporate spy has extremely high computer and network skills and is hired to break into a specific computer or computer network to steal or delete data and information. Shady companies hire these types of people in a practice known as corporate espionage. They do this to gain an advantage over their competition, an illegal practice.

Business and home users must do their best to protect or safeguard their computers from security risks. The next part of this article will give some pointers to help protect your computer. However, remember that there is no way to guarantee one hundred percent protection for your computer, so becoming more knowledgeable about these risks is a must these days.

Information transferred over the internet carries a higher security risk than information transmitted within a business network, because business network administrators usually take strong measures to protect against security risks. Over the internet there is no such central administrator, which makes the risk a lot higher. If you're not sure whether your computer is vulnerable to a computer risk, you can always use some type of online security service, a website that checks your computer for email and Internet vulnerabilities. The company will then give some pointers on how to correct these vulnerabilities.

The Computer Emergency Response Team Coordination Center is one place that can do this. The typical network attacks that put computers at risk include viruses, worms, spoofing, Trojan horses, and denial of service attacks. Every unprotected computer is vulnerable to a computer virus, a potentially harmful program that infects a computer and alters the way it operates without the user's consent. Once the virus is in the computer it can spread, infecting other files and potentially damaging the operating system itself.

It's similar to a biological virus that infects humans: it gets into the body through small openings, can spread to other parts of the body, and can cause damage. In both cases the best way to avoid infection is preparation. A computer worm is a program that repeatedly copies itself and is very similar to a computer virus. The difference is that a virus needs to attach itself to an executable file and become a part of it. A computer worm doesn't need to do that; it copies itself across networks and eats up a lot of bandwidth.

A Trojan horse, named after the famous Greek myth, is a program that hides its real purpose and looks like a legitimate program but is a fake. A certain action usually triggers the Trojan horse, and unlike viruses and worms it will not replicate itself. Computer viruses, worms, and Trojan horses are all classified as malicious-logic programs, which are simply programs that deliberately harm a computer. Although these are the common three, there are many more variations and it would be almost impossible to list them all. You can tell a computer may be infected by a virus, worm, or Trojan horse if it displays one or more of these symptoms:

* Weird messages or pictures appear on screen.
* You have less available memory than you expected.
* Music or sounds play randomly.
* Files get corrupted.
* Programs or files don't work properly.
* Unknown files or programs randomly appear.
* System properties fluctuate.

Computer viruses, worms, and Trojan horses deliver their payload or instructions in three common ways.

1 - When an individual runs an infected program. If you download a lot of things you should always scan the files before executing them, especially executable files.

2 - When an individual boots a computer with an infected drive, which is why it's important not to leave removable media in your computer when you shut it down.

3 - When an unprotected computer connects to a network. Today, a very common way that people get a computer virus, worm, or Trojan horse is by opening an infected file attached to an email.

There are literally thousands of malicious logic programs and new ones come out in large numbers, so it's important to keep up to date with the new ones that appear each day. Many websites keep track of this. There is no known method of providing 100% protection for any computer or computer network against viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of these malicious programs. Whenever you start a computer you should have no removable media in the drives. This goes for CDs, DVDs, and floppy disks. When the computer starts up it tries to execute a boot sector on the drives, and even if it's unsuccessful, any virus on the boot sector can infect the computer's hard disk. If you must start the computer using removable media for any reason, such as when the hard disk fails and you are trying to reformat the drive, make sure that the disk is not infected.

How can you protect your computer?
The best way to protect your computer from any of the above is by using good quality internet security software. Purchasing this from a reputable security company is recommended to ensure that your software is kept up to date with the most recent virus signatures. If you are not up to date, an unrecognised virus will not be stopped by the software. A full security package will protect you from viruses, worms, Trojan horses and keyloggers, and will detect when a hacker is attempting to break into your computer and prevent them from gaining access when you are online or connected to a network. It is not advisable to use a free antivirus service as these do not provide adequate protection and are a false economy. Recommended internet

Want to become a hacker?

Monday in a "chatroom interview" in Beijing someone asked me how to become a hacker. (Those of you visiting this web page from the People Magazine article, you should know the term "hacker" here refers to a computer programmer, not an internet vandal).

My interlocutor wanted to contribute to an open source project, but what tools should he use? What books should he read? Where should he hang out? Where should he start?

I've been asked this a few times so I thought I'd repeat my answer here. Miguel tells me he gets this question all the time too, and gives the same answer I do.

So, I'll let you in on the secret. Here are the steps to becoming a hacker:

  1. Download the source code to the program you want to change
  2. Untar it on your hard drive
  3. Get it to build and run
  4. Open the source code in an editor
  5. Find the part of the code that you need to change to make the program do what you want it to do
  6. Make the changes you need to make to the code and test it to make sure it works
  7. Run the diff -u command and email the output to the mailing list

That's it; follow those instructions and I guarantee you will be a hacker.

If there are no programs that you want to change, then maybe you don't want to be a hacker after all. Or maybe you haven't used software enough; how can you be a software user in 2005 and not have things you want to change?

Steps 1-4 sound stupid and obvious, but the fact is most people get stuck on step 1. Can you be a hacker if you don't have any source code on your computer? It might be possible but I haven't seen it done.

If you bloody your toes on step 3 a few times, don't be discouraged. It is ridiculous and humiliating but sometimes this step takes the longest and is the most difficult.

If you're lucky, step 5 is as easy as grepping the source tree for some relevant string from the program's GUI or output. It's more likely that you'll need to spend some time figuring out the layout of the code, sprinkling source files with printf calls as you home in on the right area. It might also help to step through things in a debugger.

Step 5 gets easier the more experience you have. The more code you've read, the more programming patterns you know. Recognizing programming idioms makes it easier to figure out what someone else was thinking when he wrote the code you're trying to change. Of course step 5 is also easier if the software you're working on was written by a programmer with a lot of experience, who tries extra hard to write easy-to-understand code. Programmers with experience write easier-to-read code because they've been through the shock of having to fix a bug in code they wrote a year earlier and recognizing nothing.

Step 6 is commonly referred to as "hacking" but it's not always the part that takes the longest. If you're trying to hack a change into something big and complex, expect step 5 to eclipse step 6 in time consumption. One of the best hackers at Novell recently spent two months working on a hack involving Wine that ended up being a two line change. So prepare yourself mentally to spend a lot of time in step 5 before you reach step 6, and sometimes to go back from 6 to 5 a few times.

But most people don't reach this point, so if you're at step 6 you can safely call yourself a hacker. Whole books are written on how to do a good job of step 6, so I won't elaborate too much here, except to say that you probably can't be good at writing code until you've written a huge amount of it.

The real key to being a hacker is getting to the point where you're hacking. Without source code, a working build and a working knowledge of the layout of the code, you're not even able to start hacking. But once you know your way around in there and you're writing code and watching the program take shape, well, that's the fun part.

You just gotta get there.

Wednesday, April 04, 2007

McKinnon loses fight against extradition

Gary McKinnon, the alleged Pentagon hacker, has lost his appeal against extradition to the US on hacking charges.

McKinnon failed to convince Appeal Court judges on Tuesday to overturn a 2006 ruling by Home Secretary John Reid that his extradition should go ahead. The Scot now faces a US trial for breaking into and damaging US Government computers.

McKinnon is alleged to have hacked into computers belonging to the US Army, US Navy, US Air Force, Department of Defense, and NASA in 2001 and 2002. The Scot lost his first appeal against extradition in a High Court hearing last July but was given leave to take his case to the Appeal Court, a move that culminated in failure on Tuesday.

The unemployed sysadmin has had these charges over his head since March 2002 when he was arrested by officers from the UK's National High Tech Crime Unit. The case against him lay dormant until July 2005, when extradition proceedings were brought against him. His lawyers consistently argued that McKinnon ought to be tried in the UK over his alleged offences, rather than the US.

McKinnon (AKA Solo) admits he looked at computer systems without permission, but claims he did no harm. He got involved in hacking after reading Disclosure by Steven Greer, which convinced him that the US had harvested advanced technology from UFOs (such as anti-gravity propulsion systems) and kept this knowledge secret, to the detriment of the public.

He was caught after US military agencies detected system intrusions which were traced back to the UK. UK authorities identified McKinnon as the attacker after obtaining records of British sales of a software tool called RemotelyAnywhere to McKinnon. Subsequent police work made him a prime suspect in the case, described by US authorities as the biggest military hack ever. ®


eBay users targeted by advanced Trojan

Updated: eBay users are being targeted by an advanced Trojan that attempts to redirect traffic so it can silently bid on a car from the auction site's car section, Symantec is warning. It is the latest security headache for eBay, which has faced an onslaught of complaints from some users who say fraud on the site has increased to unacceptable levels over the past few months.

eBay officials are aware of the Trojan and are working with Symantec to prevent it from affecting buyers and sellers, a spokeswoman said.

Trojan.Bayrob implements a proxy server so that traffic intended for eBay is instead sent to one of several sites controlled by the attacker. Traffic is redirected by changing settings corresponding to at least six eBay URLs in the victim's hosts file. Once connected to rogue servers, Bayrob is programmed to download configuration data, including a variety of php scripts.
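Because Bayrob works by rewriting the victim's hosts file, the override itself is a cheap detection point: no legitimate hosts file pins a large commerce site's names to an address, so any such entry is worth an alert. The following is an added example of that check, not Symantec's or eBay's code; the watchlist, the sample hosts file and the 192.0.2.44 address (a documentation range standing in for an attacker host) are all constructed for the illustration, and the Windows path is the standard location of the hosts file. It distinguishes a redirect to a foreign address from a loopback "blackhole" entry, since both are abnormal but only the former matches the proxying behaviour described above.

```python
import ipaddress
import os
from typing import Iterator, List, Optional, Tuple

# Domains whose hosts-file overrides are worth flagging.  Constructed watchlist
# for the example; a deployment would carry its own list of high-value names.
WATCHED_DOMAINS = ("ebay.com",)

# Constructed sample hosts file: two redirect lines, one blackhole line, and
# two ordinary entries that must not be flagged.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.ebay.com signin.ebay.com   # redirect to attacker-controlled host
192.0.2.44      cgi.ebay.com
0.0.0.0         ads.example.net                # ordinary ad-blocking entry
127.0.0.1       pages.ebay.com                 # blackhole rather than redirect
"""


def default_hosts_path() -> str:
    """Location of the hosts file on the running platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_number, address, hostname) for every mapping in hosts text.
    '#' comments and blank lines are skipped; one address may carry several names."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed line, nothing to map
        addr, names = fields[0], fields[1:]
        for name in names:
            yield lineno, addr, name.lower().rstrip(".")


def matches_watchlist(hostname: str, watched=WATCHED_DOMAINS) -> bool:
    """True for the domain itself or any subdomain of it (not look-alike suffixes)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def classify_address(addr: str) -> str:
    """'blackhole' for loopback/unspecified, 'redirect' for any other IP,
    'invalid' when the field is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"


def find_suspicious_overrides(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[int, str, str, str]]:
    """Return (line, hostname, address, kind) for every watched name the hosts
    file overrides.  Any such entry is abnormal; 'redirect' ones match the
    proxying behaviour of a traffic-hijacking Trojan."""
    hits = []
    for lineno, addr, name in parse_hosts(text):
        if matches_watchlist(name, watched):
            hits.append((lineno, name, addr, classify_address(addr)))
    return hits


def scan_hosts_file(path: Optional[str] = None) -> List[Tuple[int, str, str, str]]:
    """Read the real hosts file (or `path`) and run the check over it."""
    path = path or default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_overrides(fh.read())


if __name__ == "__main__":
    for line, name, addr, kind in find_suspicious_overrides(SAMPLE_HOSTS):
        print(f"line {line}: {name} -> {addr} ({kind})")
```

Run against the sample it reports the three redirect entries and the one blackhole entry and ignores localhost and the ad-blocking line. On a real machine `scan_hosts_file()` reads the platform hosts file; pairing the check with a file-integrity watch on that path catches the modification at the moment it happens rather than on the next scan.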

At least one of the scripts, Var.php, downloads variables such as tokenized versions of eBay pages designed to dupe a victim into thinking they are legitimate. One such page spoofs eBay's "Ask a question" section, which allows prospective buyers to - wait for it - ask sellers questions.

The tokenized variables let the attacker dynamically replace key strings such as the seller's name with ones doctored by the attacker, lending power and authenticity to the scheme. There are also feedback pages, for example, with high ratings, which are designed to give the victims confidence in the attacker and complete an auction.

This man-in-the-middle approach is unusual for eBay attacks, which usually involve phishing traps or keyloggers. But getting code to execute properly in man-in-the-middle attacks is difficult, and Symantec said the rogue servers did not appear to be returning variables needed to actually generate the spoofed pages.

eBay security has suffered several black eyes dating back to at least December, when longtime users say the number of fraudulent auctions being offered by users with high ratings began to grow. A hacker who goes by the name Vladuz has also embarrassed eBay security officials by gaining unauthorized access to servers on at least two occasions. The breaches allowed him to mock the company even as he posed as one of its employees.

eBay representatives have said Vladuz was able to penetrate only a limited section of eBay's system that is not able to access customer records and other sensitive information. They have also said most hijacked accounts are the result of users falling for phishing emails. ®

Blogger.com 'riddled' with malware

Blogger.com, home of the weblog publishing system owned by Google, has been infiltrated by a number of phishing sites, security watchers report.

In some cases, the Stration mass mailer is being used to drive traffic to these fraudulent sites. One such scam is a "storefront" for Pharmacy Express, which redirects from a Blogspot.com (now Blogger.com) link. The site is designed to harvest the personal information of prospective marks.

Beyond the problem of spam and phishing sites, a number of Blogger.com sites have been compromised with malicious code. For example, a blog site seemingly created by a Honda CR450 enthusiast is hosting the Wonka Trojan.

Hundreds of other Blogging sites (covering subjects ranging from Star Wars, school, furniture, Christmas, cars, and girlfriends) are also infected, according to net security appliance firm Fortinet, which has published an advisory highlighting its concerns. ®

Grum worm poses as IE7 beta

Hackers are trying to trick prospective marks into loading malware that poses as a "beta" version of Internet Explorer 7.

Widely circulated emails, which pose as messages from admin@microsoft.com and feature subject lines such as "Internet Explorer 7 Downloads", display an image which invites gullible users to download beta 2 of Internet Explorer 7. Users who click on the authentic-looking image download a file called ie7.0.exe infected by the Grum-A worm.

Besides the fact that downloading software advertised in unsolicited emails is a bad idea, surfers might also want to note that the full version of IE7 was released in October 2006 (the beta 2 version was released in April 2006). Users should go direct to the original developer's site, or some other trusted outlet, when searching for software updates, yet many have yet to learn this lesson, a failing hackers are all too willing to exploit.

Punting malware that poses as software downloads from Microsoft is an all too common trick. The Gibe-F (AKA Swen) worm of 2003, for example, posed as a critical security update from the software giant, fooling many in the process. Two years ago hackers directed surfers to a bogus website masquerading as Microsoft's update site. ®

Vista keygen hoax exposed

Doubts have arisen about the effectiveness of a Windows key generator package that allegedly offered a means to circumvent Microsoft's anti-piracy protection.

Activation codes for Vista were said to have been obtained by brute force using key generator software that randomly tries a variety of 25-digit codes until it finds one that works.

Initial reports on Keznews suggested that the unsophisticated attack worked. Over the weekend, however, the author of the package has stepped forward to say these people must be either mistaken or telling porkies because the program is ineffective.

"The brute force keygen is a joke. I never intended for it to work. I have never gotten it to work. Everyone should stop using it," the anonymous coder said on a post to the Keznews forum.

Rather than go through the tedious business of running something like the key generator, we heard from Register readers that some people on either side of the Atlantic have surreptitiously used the activation codes printed on boxed copies of Vista or stickers on new PCs to get their system up and running with illicitly downloaded copies of Vista.

One reader cast doubt on this approach saying that Vista keys are normally inside copies of boxed software so users would have to undo shrink wrapped packaging. That still leaves the possibility of copying codes from stickers on PCs with Vista preloaded, however.

And although the Windows key generator may be a hoax, Hexus reports a more workable approach to cracking Vista.

The latest attack exploits Vista's System Locked Pre-installation 2 (SLP2) mechanism, technology which allows Microsoft's favoured hardware partners to avoid users having to activate their Vista installs. SLP2 combines an OEM specific certificate along with markers in the machine's BIOS and an appropriate product key.

The hack involves creating a BIOS emulator that serves up the correct BIOS data when needed. Used in combination with the appropriate OEM certificate and product key this defeats the activation mechanism. Information on the OEM certificates and other information needed for the hack to work are available. Withdrawing the affected keys in order to defeat the hack would likely upset Microsoft's OEMs.

Although Microsoft might still be able to defeat it, the hack might be effective in the short-term, and emulator writers might update their technology too, creating a serious headache for Microsoft, Hexus reports. ®

Windows Trojan masquerades as Vista hack

A week after Windows Vista's official launch hackers have devised their first attack, targeting pirates trying to install illegal copies of Microsoft's operating system.

A supposed Windows Vista crack called Windows Vista All Versions Activation 21.11.06 is reportedly doing the rounds, offering those tempted by the chance of sticking it to Microsoft the ability to install illegal versions of Windows Vista.

However, the software is not a Windows Vista crack and pirates get something they didn't expect - installation of a Trojan called PSW.Win32.LdPinch.aze - something with a "high" threat level.

Apparently, most anti-virus scanners can recognise the Trojan, but NOD32 and the latest software from Norton won't.

The installer follows in the footsteps of a Windows XP hack circulated by the devils0wn group in 2001, which allowed users to bypass product activation of Windows XP.

Windows Vista is currently available for download only to customers on Microsoft's volume licensing deals and won't become generally available until January. The Trojan would therefore likely hit certain business users and those working in businesses passing on copies to friends, family, or colleagues.

Worryingly for business users in general, though, is the fact the Windows Vista DVD has been designed to make it easy for third parties' software to be inserted with the operating system for mass distribution. That potentially lets hackers insert their code just as easily as Microsoft partners. ®

Thursday, February 22, 2007

U.K. Approves Extradition Order for Hacker

The U.K. approved an extradition request this week to send a computer hacker to the United States, where he'll be tried for allegedly crippling military networks shortly after the terrorist attacks in September 2001.

Gary McKinnon, 40, of London, has freely discussed his hacking exploits that led to the seizure of his equipment in March 2002. McKinnon, who admitted probing networks but claims he did no damage, fought extradition on the grounds he could be classified as an enemy combatant and held under similar conditions as other terrorist suspects held by the United States.

McKinnon has two weeks to appeal. If extradited, he will face trial in the U.S. District Court for the Eastern District of Virginia.

The U.S. alleges that McKinnon gained access to 97 government computers between February 2001 and March 2002, copying files and deleting data. The systems included those used to replenish munitions and supplies for the U.S. Navy's Atlantic fleet and the NASA space agency.

In one incident, McKinnon allegedly deleted system files and logs that shut down 300 computers at a U.S. Navy base "at a critical time" immediately after the Sept. 11 attacks, according to court documents. His alleged exploits are estimated to have caused more than $US700,000 in damage in total.

McKinnon, who went by the nickname "Solo," used a program called "RemotelyAnywhere" to control computers and access files. The former systems administrator said the networks he accessed often had low security, with easy-to-guess administrator passwords.

McKinnon said he continued to hack even after his probes had been noticed. On one occasion he miscalculated the time zones between the U.S. and the U.K., accessing a computer while someone was using it. The connection was immediately cut by the user, McKinnon said.

Network Technician Wins Vista 'Rocketplane' Ride

Space could indeed become the final frontier for a 29-year-old network technician who was chosen as the winner of a Windows Vista promotional contest -- as long as the taxman doesn't put a crimp in his flight plans.

William Temple, who works at medical insurer HealthNet in California, was announced today as the winner of the US$250,000 grand prize from Microsoft's "Vanishing Point" promotion, qualifying him for a 2009 flight that would blast him 62 miles into the air -- to the edge of outer space. In a random drawing, Temple's name was selected from among those of the 87,000 registered players of Vanishing Point, an interactive puzzle game sponsored by Microsoft and Advanced Micro Devices.

The monthlong game involved arcane puzzles and cryptic clues that were handed out to would-be puzzle solvers via Las Vegas light shows during the Consumer Electronics Show, skywriting above four cities, coded images projected onto monuments and a fireworks finale above Seattle.

Temple was chosen as the winner last Tuesday despite freely admitting that he had accumulated only 370 points out of the 1,500 maximum and that after solving the first puzzle on his own, he benefited from solutions posted on the Internet by other game players. According to Microsoft, any player could win, but a higher number of points increased someone's chance of winning.

"We had some people who solved every single puzzle," said Aaron Coldiron, a Vista manager at Microsoft. "But we feel good about Will winning. He's right in the target demographic."

That demographic, according to Microsoft, was men who are between the ages of 18 and 35 and are interested in technology. Reaching that group via conventional advertising is increasingly difficult and expensive. Coldiron said the total cost of staging the Vanishing Point game was "less than a single Super Bowl commercial." The going rate to air a 30-second spot during this year's game was as much as US$2.6 million, which doesn't include the costs of producing the commercial.

Not that Microsoft isn't investing elsewhere: it's expected to spend US$500 million to market Vista this year, according to published reports.

Some US$50,000 of that money will go to help Temple pay taxes on his flight, which is valued at US$196,500. The tax payment could be crucial: In 2005, the winner of an Oracle contest that would have given him a free space flight ultimately declined the trip because he would have had to report the ride, valued at US$138,000, as income and pay US$25,000 in taxes as a result.

Coldiron said Microsoft is working with Temple to "understand his tax situation" and will offer additional money if his tax bill from the trip turns out to be even higher than the budgeted US$50,000.

If the tax situation works out, Temple would get to experience what Microsoft's marketing mavens are calling "the ultimate vista" -- a flight on the Rocketplane XP, which is built around a heavily modified Learjet body. The 62-mile altitude that the flight would reach compares with the 220 miles above Earth that NASA's space shuttles fly to reach the International Space Station, said John Herrington, a retired astronaut who will serve as the pilot of the Rocketplane.

Because the Rocketplane won't go as high as the shuttle, it will experience temperatures of only 700 degrees Fahrenheit as it descends back to Earth, Herrington said. That compares with 3,000 degrees for the space shuttle, he added.

Plans call for the hour-long ride to start in Burns Flat, Oklahoma, a town of 1,782 people located 100 miles west of Oklahoma City that houses the Oklahoma Spaceport, a former Air Force base that is expected to start launching test space flights next year.

The operator of the flight, Rocketplane's Rocketplane Kistler unit, plans to run 25 to 50 test flights during 2008, according to Herrington, who is the Oklahoma City-based company's director of flight operations. Rocketplane Kistler is one of two companies that was chosen by NASA last year to provide outsourced flights to the International Space Station for bringing up crew members and replenishing supplies.

The other company, California-based Space Exploration Technologies -- or SpaceX, for short -- has received more publicity than Rocketplane Kistler has thus far. SpaceX, which was founded by PayPal Inc. co-founder Elon Musk, is using a more traditional rocket design. It had a failed launch last March but is planning a second one next month, when it will attempt to transport the cremated remains of more than 100 people, including astronaut Gordon Cooper and Star Trek actor James "Scotty" Doohan.

A third company, Virginia-based Space Adventures, has already sent four private citizens, including Ubuntu Linux developer Mark Shuttleworth, into space using Soyuz spacecraft from the former Soviet Union. Charles Simonyi, a former chief software architect at Microsoft, is training for a flight with Space Adventures this March.

Robotic crawler performs check-up of power lines

U.S. researchers have developed an autonomous robotic crawler that scans power lines for weak points in an electrical grid. By monitoring and precisely locating problematic sections of cable, the robot is expected to improve the efficiency and reduce the costs involved in power line maintenance.

The maintenance of power lines has traditionally been an expensive process based on estimates. With no means of accurately measuring the wear of cables, power companies tend to either discard entire lengths of cable after a predetermined amount of time, or allow the cable to age until they fail.

"Removing an entire length of cable can be very expensive and costly, so removing an entire length of fully functioning cable after a set time period can be unnecessary," said Luke Kearney, undergraduate researcher and project coordinator at the University of Washington (UW). "[On the other hand,] allowing the cable to fail can cause widespread blackouts and can also be very expensive for the power companies to deal with."

UW's robot scans cables for internal damage by using sensors to track heat dissipation, partial electrical discharge, and any filaments of water that could have seeped into the insulation. Engineers can monitor the robot via wireless connection and watch the robot's surroundings through a front-mounted video camera.

Besides autonomously locating damaged sections of cable, the robot can also scan cable in areas which may be dangerous or difficult for humans to access. "In future years, it is our hope that the robot can be used in nuclear power plants to gather data in areas that may be dangerous to people," Kearney said.

The robot has only recently undergone its first field test at Lockheed Martin's Michoud NASA Assembly Facility in New Orleans, U.S., returning with the surprising finding that conditions in New Orleans are still unsafe even now, more than a year after the disastrous Hurricane Katrina struck.

Future prototypes can be designed to fit different cable configurations, including those used outside of the U.S., Kearney said.

More information is available from the project's Web site.

IE Bug Lets Hackers Phish With Google Desktop

A bug in Microsoft's Internet Explorer browser gives phishers a way to scan the hard drives of Google Desktop users, according to an Israeli hacker. Because of a flaw in the way IE processes Web pages, a malicious Web site could use the attack to steal sensitive information like credit card numbers or passwords from the hard drives of its visitors.

"Google Desktop users who use IE are currently completely exposed," wrote hacker Matan Gillon in an e-mail interview. "An experienced attacker can covertly harvest their hard drives for sensitive information such as passwords and credit card numbers. Since Google also indexes e-mails which can be read in the Web interface itself, it's also possible to access them using this attack."

The Details

Gillon has posted an extensive description of how such an attack would work, along with a proof of concept exploit, on his blog.

The IE bug concerns the way Microsoft's browser processes Web page layout information using the CSS (Cascading Style Sheets) format. The CSS format is widely used to give Web sites a consistent look and feel, but attackers can take advantage of the way that IE processes CSS to get Google Desktop to reveal sensitive information.

Hackers would first need to trick users into visiting a malicious Web site for the attack to be successful, Gillon says. The attack works with IE 6 and Google Desktop version 2, and may also work on other versions of Microsoft's browser, but not on non-Microsoft browsers like Firefox or Opera, he adds.

Turn Off JavaScript

Users can nullify the attack by turning off JavaScript in their browsers, Gillon says. This can be done by disabling "Active scripting" in IE's Internet Options menu. JavaScript is a popular scripting language used by Web developers to make their sites more dynamic.

Users need to be particularly wary of the Web sites they visit these days, because of another unpatched IE vulnerability that could be used to take over a user's PC. Hackers posted sample code that exploited this problem over a week ago, and Microsoft said that hackers are already using the code in attacks. As with the new CSS problem, users must first be tricked into visiting a malicious Web site for this IE bug to be exploited.

Some security experts believe that Microsoft is in the process of rushing out a patch to fix this problem before these attacks become more widespread. These attacks can also be avoided by disabling JavaScript in IE, or by using an alternative browser.

Microsoft executives were unavailable to comment on the CSS bug, but a spokeswoman for the company's public relations agency said the issue is being investigated. Microsoft is not aware of any attacks resulting from the hole, she said.

The Hacker's Diet: Computer Tools

The Hacker's Diet is accompanied by computer tools which permit logging the progress of a diet and subsequent weight management, producing progress reports, analyses, and charts. Computer tools are available both as spreadsheets and macros for Microsoft Excel and as an application for the handheld Palm Computing Platform.

You don't need a computer to use The Hacker's Diet; easy-to-work paper and pencil methods are presented in the book. But if you have a computer with Excel or a PalmPilot, the companion tools may save you time and provide more insight into the engineering underpinning of the methods described in the book, while producing an illustrated log of your progress.

Microsoft Excel Tools

A variety of Microsoft Excel spreadsheets (or "workbooks" in recent Microsoft-speak) are available which permit hands-on experimentation with the techniques presented in the book, forecasting diet plans, meal planning with automatic calorie counting, and a system for logging the progress of a diet and subsequent weight management which produces progress reports and charts.

In addition to the weight logging and analysis and meal planning packages, the feedback and trend fitting laboratories described in the book are included, as well as databases supporting the text.

Please visit the Excel Tools page to download a version compatible with the release of Excel you're using.

Palm Computing Tools

A handheld computer that's never far from your side is an excellent tool for logging your daily weight and providing real-time snapshots of the progress of your diet and long term weight management. An implementation of the Eat Watch, the central component of The Hacker's Diet, for the Palm Computing Platform (PalmPilot, Palm, etc.) puts this tool where it belongs--right in the palm of your hand. There's no more need for paper logs, spreadsheets, macros, or any Microsoft products whatsoever--just write your daily weight into your Palm and you can view weight logs, charts, trend analysis, and calorie balance right on your handheld computer.

Every time you HotSync, your weight log is backed up to your desktop machine, and a companion program (which runs on any computer with a vaguely standard C compiler) permits you to export your logs as illustrated HTML documents viewable with any Web browser and CSV files which can be imported into other applications.

Google Now a Hacker's Tool

Somewhere out on the Internet, an Electric Bong may be in danger. The threat: a well-crafted Google query that could allow a hacker to use Google's massive database as a resource for intrusion.

"Electric Bong" was one of a number of household devices that security researcher Johnny Long came across when he found an unprotected Web interface to someone's household electrical network. To the right of each item were two control buttons, one labelled "on," the other, "off."

Long, a researcher with Computer Sciences and author of the book, "Google Hacking for Penetration Testers," was able to find the Electric Bong simply because Google contains a lot of information that wasn't intended to lie unexposed on the Web. The problem, he said at the Black Hat USA conference in Las Vegas last week, lies not with Google itself but with the fact that users often do not realise what Google's powerful search engine has been able to dig up.

In addition to power systems, Long and other researchers were able to find unsecured Web interfaces that gave them control over a wide variety of devices, including printer networks, PBX (private branch exchange) enterprise phone systems, routers, Web cameras, and of course Web sites themselves. All can be uncovered using Google, Long said.

But the effectiveness of Google as a hacking tool does not end there. It can also be used as a kind of proxy service for hackers, Long said.

Although security software can identify when an attacker is performing reconnaissance work on a company's network, attackers can find network topology information on Google instead of snooping for it on the network they're studying, he said. This makes it harder for the network's administrators to block the attacker. "The target does not see us crawling their sites and getting information," he said.

Often, this kind of information comes in the form of apparently nonsensical information -- something that Long calls "Google Turds." For example, because there is no such thing as a Web site with the URL (Uniform Resource Locator) "nasa," a Google search for the query "site:nasa" should turn up zero results. Instead, it turns up what appears to be a list of servers, offering an insight into the structure of Nasa's (the U.S. National Aeronautics and Space Administration's) internal network, Long said.

Combining well-structured Google queries with text processing tools can yield things like SQL (Structured Query Language) passwords and even SQL error information. This could then be used to structure what is known as a SQL injection attack, which can be used to run unauthorized commands on a SQL database. "This is where it becomes Google hacking," he said. "You can do a SQL injection, or you can do a Google query and find the same thing."

Although Google traditionally has not concerned itself with the security implications of its massive data store, the fact that it has been an unwitting participant in some worm attacks has the search engine now rejecting some queries for security reasons, Long said. "Recently, they've stepped into the game."

A Hacker's Tools of The Trade

Here's a rundown of some of the most interesting and popular techniques that hackers use to break into or damage web sites and computers.

Denial of Service Attacks

Denial of service attacks are designed to lock out legitimate users from web sites or networks. Hackers run programs that repeatedly request information from the victim's computer until that computer is unable to answer any other requests. Hackers can run programs or automated scripts that barrage the victim computer or network so that it becomes unusable by legitimate users, or even has to be shut down.

Distributed denial of service attacks (DDoS) are automated attacks that run simultaneously from multiple computers. Hackers can plant Trojan horse programs on the computers of unsuspecting accomplices throughout the network or internet. At a given hour, all involved computers coordinate requests for information from the overloaded victim computer. Due to the numbers involved, such an attack can be very difficult to stop.

[In February 2000, a number of high-profile web sites including Yahoo, Amazon.com, and eBay were hit with a series of distributed denial of service attacks which rendered the sites useless for a short time over the course of two days.]

DNS spoofing

When you point your browser to randomsite.com, your computer will look up that entry in a massive directory called the Domain Name Service (DNS) database, and then send you to the appropriate site.

However, computers don't understand names, they understand numbers. The DNS database matches every name to a numerical address. Servers throughout the internet maintain a constantly updating database of these DNS entries. A DNS spoof occurs when a hacker alters a DNS entry on a server to redirect the browser to an alternate site. If a consumer wanting to visit randomsite.com gets sent instead to evilcompany.com, then business can be stolen. A hacker can also create a fake site that pretends to be randomsite.com. In this way evilcompany.com might steal passwords, personal data or even credit cards from the consumer. Such hacks are not yet very common.

Packet Sniffers

Like many hacker tools, packet sniffers were initially designed as a tool for system administrators to help debug networking problems. Essentially, they are devices which allow the user to intercept and interpret "packets" of information traversing a network. Any information shared among a network of computers--username/password pairs, email, files being transferred--gets translated into "packets," which are sent out across the network.

Most of the internet uses the Ethernet transmission protocol. When you send a packet out on the Ethernet, every machine on the network sees the packet. Every piece of data you send over the internet contains an Ethernet header, a sort of numerical address, to make sure that the right machine gets the right information. Each machine is supposed to pay attention only to packets with its own Ethernet address in the destination field. However, an Ethernet packet sniffer is software which allows a hacker, or network administrator, to "eavesdrop" by recording information on packets not addressed to his or her computer.

Social Engineering

Social engineering is a hacker term for deceiving or manipulating unwitting people into giving out information about a network or how to access it. A hacker may pose as an employee who forgot his or her password, or a software vendor asking for information about a network in order to determine what the company's software needs are. In testimony before Congress, ex-hacker Kevin Mitnick discussed some of his most successful social engineering exploits.

Trojan Horse Programs

Trojan horse programs are "back doors" into a computer system. A hacker may disguise a trojan as another program, video, or game, in order to trick a user into installing it on their system. Once a trojan is installed, a hacker could have access to all the files on a hard drive, a system's email, or even the ability to create messages that pop up on the screen. Trojans are often used to enable even more serious attacks. By hiding programs to be run later, hackers might gain access to other networks, or run DDoS attacks. The simplest Trojan horse replaces the messages shown when a login is requested. Users think they are logging into the system, so they provide their usernames and passwords to a program that records the information for use by the hacker. The most famous Trojan horse to date is probably Back Orifice, which was developed by the hacker group known as Cult of the Dead Cow. Once installed, this program gives the user access and control over any computer running a Windows 95/98 operating system or later.

Web Page Defacements

Web pages are simply computer files stored in directories on a server computer. If a hacker gains access to these files, he or she can replace or alter them in any way. The Republican National Committee, the CIA, and The New York Times are just three of the highly publicized web page defacements over the past few years.

Viruses and Worms

Worms and viruses are surreptitiously "self-replicating" programs that can spread exponentially throughout a network. Such programs are not by definition harmful: The first worm released on the internet, the Morris Worm, was not meant to do harm, it was merely an experiment by a Cornell University graduate student. However, it replicated itself so efficiently and took up so much memory and computing resources on the internet that many computers crashed, and system administrators across the country were forced to take their machines off the internet.

Modern-day virus writers often have malicious intent, however, and they use viruses and worms to spread destructive programs among unwitting hosts. A virus spreads by infecting another object on the computer system--a program file, a document, or the boot sector of a floppy disk. A worm can copy itself from computer to computer on a network without needing a file or other object. The most famous worm was the ILOVEYOU bug, which infected an estimated 45 million computers. It propagated itself by exploiting a weakness in the Microsoft Outlook email software, and emailing itself to every address stored in the Outlook address book on an infected computer.

Base Technologies: One Hacker's Tools

Jeanson James Ancheta—a.k.a. Resili3nt—used readily available software and hardware to create a botnet-for-profit of at least 400,000 infected computers that netted him at least $60,000.
| Application | Product | Supplier |
|---|---|---|
| Bot code | Modified versions of bot code from Rxbot, Lca3.exe, Winun.exe, Wininst.exe | Various Web sites that provide free downloads, plus Ancheta's own coding and reverse-engineering of other malicious code |
| Online communications | Internet Relay Chat channels | IRC.org |
| Hardware | Laptops | IBM, Toshiba, eMachines |
| Web servers | Rented server space | Sago Networks, FDC Servers, EasyDedicated |
| Internet access | Broadband connections | SBC, Adelphia Cable |
| Payment mechanisms | Online payment service; online bank account | PayPal; Wells Fargo |

SOURCE: Indictment filed in U.S. District Court in Los Angeles

Tuesday, February 20, 2007

Guide to Next Generation Networks

Next Generation Networking is a term that is being increasingly used to describe the latest state-of-the-art networking platforms, which service providers are either developing or are using today.

Next Generation networks enable businesses to run a full range of IP-based voice, video and data applications over a single network. With the technologies used, current communication needs can be met whilst ensuring new applications and services can be deployed quickly and efficiently to support future requirements.

This guide provides an overview of what Next Generation Networks (NGNs) are and how they compare to the legacy networks still in use by many organisations.

150 Ways to Let Hackers In

To paraphrase Paul Simon, there are 150 ways to leave your software open to attack, according to Fortify Software, the Palo Alto-based security software specialist.

In the latest update to its Fortify Security Coding Rulepack, the company says it has added a further 34 "vulnerability categories", bringing the grand total to 150.

Fortify's philosophy is that the best place to deal with security threats is in source code when software is being built. Well-designed code can prevent a wide range of attacks and Fortify's Source Code Analysis tool helps improve code design and keep out the malcontents.

"Security threats are a constant challenge to programmers - but their priorities are to meet deadlines and deliver new features. We can help by giving them good tools to help make software less vulnerable," says Jacob West, manager of the security research group at Fortify.

According to Fortify, the two most-prevalent forms of attack are cross-site scripting, where rogue code pretends to be from a trusted site, and SQL injection, where executable SQL commands are put into data streams.

West says cross-site scripting can be prevented by using data flow analysis. "You can identify data as it comes in and check that it is what it says it is. A billing address, for example, should only contain letters and numbers. If it contains special characters then it may well be suspect."

Similarly, SQL injection may be avoided by ensuring that SQL data streams do not contain executable instructions. "SQL injection introduces extra commands into an SQL stream which can circumvent access control and enable data to be changed. If you can control the SQL command input you can do almost anything. But you can prevent it by input validation and restricting what you allow in commands."
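The two defences West describes, allowlist input validation and keeping executable syntax out of the SQL stream, as an added Python example (not Fortify's code or the Rulepack's own rules). It uses an in-memory SQLite table with constructed rows, and the billing-address pattern is an assumed allowlist chosen to illustrate the "letters and numbers" rule:

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory database with two sample rows (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted input is spliced into the SQL text, so quote characters and
    # comment markers in the input become part of the command itself. The
    # role filter that was meant to restrict the query can be commented out.
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND role = 'user'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameter binding sends the input as a value, never as SQL syntax, so
    # the role restriction always applies regardless of the input's content.
    sql = "SELECT name, role FROM users WHERE name = ? AND role = 'user'"
    return conn.execute(sql, (name,)).fetchall()

# Assumed allowlist for a billing address: letters, digits, spaces and a few
# punctuation marks; anything else (quotes, semicolons, angle brackets) is
# rejected before it reaches a query or a page template.
BILLING_ADDRESS_RE = re.compile(r"[A-Za-z0-9 ,.\-]{1,100}")

def validate_billing_address(value):
    """Return True only when the whole value matches the allowlist."""
    return BILLING_ADDRESS_RE.fullmatch(value) is not None

if __name__ == "__main__":
    db = make_db()
    probe = "alice' --"   # constructed input that comments out the role filter
    print("concatenated:", lookup_vulnerable(db, probe))   # admin row leaks
    print("parameterised:", lookup_safe(db, probe))         # nothing matches
    print("address ok:", validate_billing_address("12 Main St"))
```

The parameterised version needs no knowledge of which characters are dangerous; the allowlist check is the separate, earlier layer West describes, applied where the data enters the program.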

Broadband Routers Welcome Drive-by Hackers

Still using the default password that came with that nice broadband router you installed at home? Time to get off your butt and change it: visiting the wrong website is enough to have key settings changed on the most popular models.

Symantec warns attackers can employ a simple piece of JavaScript to modify a router's domain name server settings. Once the router is rebooted, a rogue DNS will send the victim to spoofed websites with malicious intent.

That could unleash all kinds of new phishing expeditions, Symantec says. For example, the new DNS could route a request for bankofamerica.com or Microsoft's update site to fraudulent sites that steal login details or install back doors.

A proof of concept works with popular models made by Linksys, D-Link and Netgear, but only if they use the default password. Hence, the attack can be thwarted by setting a new password that's not easy to guess.

As with many of the recently discovered browser-related vulnerabilities, attacks also require JavaScript to be enabled. Running a program such as the NoScript extension to Firefox is also a safeguard in these cases.
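The two mitigations above, a non-default password and refusing configuration changes that arrive from another site, as an added Python example of the checks a router's settings handler could apply. This is illustrative code written for this page, not any vendor's firmware; the router address and the list of default credentials are constructed:

```python
from urllib.parse import urlsplit

# Assumed admin address of the router and a constructed list of factory
# credentials; real devices ship with their own values.
ROUTER_ORIGIN = "http://192.168.1.1"
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

def is_default_password(username, password):
    """True when the supplied login is one of the factory defaults."""
    return (username, password) in DEFAULT_CREDENTIALS

def same_origin(url, expected):
    """Compare scheme, host and port only; the path of a Referer is irrelevant."""
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def authorize_settings_change(headers, username, password):
    """Decide whether a DNS-settings change request may be applied.

    Returns (allowed, reason). A request driven by script on a third-party
    page carries that page's Origin (or Referer), so it is rejected even if
    the credentials happen to be right.
    """
    if is_default_password(username, password):
        return False, "factory default credentials still in use"
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or not same_origin(source, ROUTER_ORIGIN):
        return False, "request did not come from the router's own admin page"
    return True, "ok"

if __name__ == "__main__":
    # Constructed request as a drive-by page's script would send it.
    print(authorize_settings_change({"Origin": "http://attacker.example"},
                                    "admin", "admin"))
    # Constructed request from the router's own admin form, password changed.
    print(authorize_settings_change({"Referer": "http://192.168.1.1/admin.cgi"},
                                    "admin", "correct horse battery staple"))
```

The origin check alone would not have saved a device whose firmware lacks it, which is why the article's practical advice is the password change: the proof of concept only works because the default login is known.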

Hard Drive Contents Cough Up by IE and Firefox

Updated: The latest versions of Internet Explorer and Firefox on Windows and (in the case of Firefox) Unix systems are vulnerable to attacks that could reveal the contents of sensitive files residing on a victim's hard drives.

The vulnerability resides in the functionality that allows the browsers to upload files to a remote server. It requires a victim to visit a booby-trapped website and enter text with certain characters in a comment interface or other input field.

Demonstration exploits, one for IE and the other for Firefox, show how typing a simple string into a message box reveals a Windows user's boot.ini file.

Petko D. Petkov, a researcher who has investigated the vulnerability, says similar techniques could be used to reveal more sensitive files on Windows or Unix-based machines, for example C:\WINDOWS\system32\config\SAM in the former or /etc/passwd in the latter.

The vulnerability in Firefox was tested with versions 2.0 and 1.5. It is a variant of a bug that was reported on Bugzilla as early as 2000, according to Michal Zalewski, who is credited with discovering the flaw in that browser.

Petkov is believed to have first determined that IE 7 is also vulnerable.

A Microsoft spokesman said the company is investigating the report. Initial findings by Microsoft's security team are consistent with the report, specifically that "an attacker could gain access to user files if the location of a given file is already known" and would then have to convince the victim to enter the location of that file in a Web page.

Legendary Turkish Hacker iskorpitx Strikes Down Under

Legendary Turkish hacker iskorpitx has turned his attention Down Under with an attack that grounded the websites of nearly 600 Kiwi businesses and about 300 international sites hosted by the same US-based web server.

As stuff.co.nz reports, "in each case the content of a site's homepage was replaced with an animated medieval knight, Turkish pop music, and a cryptic Turkish message".

Vodafone-owned ISP ihug was the worst hit, though several other ISPs are also thought to have been involved. The problem affected sites hosted on a US server run by quik.com, whose New Zealand subsidiary was bought by ihug last year. Only those ihug customers inherited as a result of the purchase were vulnerable to the hack.

Though the security weakness was supposedly fixed yesterday, many of the affected sites still remain offline, their homepages replaced with the quik internet logo (examples here and here).

iskorpitx is estimated to have made about 180,000 attacks in his career, including one that has been labelled the "biggest in history". In this attack he reportedly hacked 21,459 websites in one shot and defaced all with a picture of the Turkish flag and this missive:

"HACKED BY iSKORPiTX

(TURKISH HACKER)

FUCKED ARMANIAN-FUCKED FRANCE-FUCKED GREECE-FUCKED PKK TERROR"

A list of his hacking history can be found here.

Do You Want Me to Hack Your Vista PC?

Microsoft is playing down the possibility that the speech recognition system in Windows Vista could be hijacked to delete files or perform other unauthorised actions.

Vista contains improved speech recognition technology, a factor which prompted security researchers to see if it was possible to create MP3 files on hacker websites or audio tracks distributed on P2P networks that issue spoken commands to take control of PCs running Vista.

Microsoft said the exploit is technically possible but unlikely to be much of a threat in practice. The attack scenario relies on activation of the speech recognition feature (with a user's microphone and speakers switched on to receive commands) and for a user to be away from his desk, so that the mischief takes place without anyone intervening. Many PCs are left on all the time, so hitting unattended PCs on, for example, the trading floor of a bank simply by targeting them at night might be possible.

A number of security researchers and Vista geeks have already tested the approach and were able to delete files and visit, albeit with considerable difficulty, arbitrary websites. But Microsoft says a number of additional factors make attacks based on the approach implausible, if not impossible.

"It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation," Adrian, a Microsoft security researcher wrote on Redmond's security response blog.

"While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation," he added.

The SANS Institute's Internet Storm Centre (ISC) disputes Microsoft's assessment of the potential danger posed by the feature. "Downloading and executing a local privilege escalation is still eminently possible, you just need a suitable 0-day local privilege escalation for Vista. Indeed, any way to download and run arbitrary code as a valid user is never good news, this one just happens to be from the 'neat trick' pile," ISC duty staffer Arrigo Triulzi writes.

Is Vista Secure Enough for Business?

Five years after the release of Windows XP, Microsoft’s primary stated goal with Windows Vista has been to reduce security vulnerabilities and overall susceptibility to malware and other threats. A number of new security features have been introduced in an attempt to reflect the heightened priority of security. This paper describes Windows Vista security, provides an insight into the level of protection it provides for business users, and assesses how far the new features measure up to Microsoft’s aspirations for its new desktop operating system.

Bit of a Phone Phreak - By Kevin Poulsen, SecurityFocus Online

Usenet posts show Gary McKinnon was a bit of a phone phreak, knew where to buy lock picks, and had an early interest in defense computers. A former employer says he was bored at work.

The British man accused of the most ambitious hack attacks against Defense Department computers in years was also a fine network administrator, according to a former co-worker.

A manager at the London-based telecom equipment seller Corporate Business Technology Ltd. recalls Gary McKinnon as a friendly -- if unremarkable -- presence at the company, where he provided IT support for an office of about 50 people. "He was personable, relatively happy around the office," says the manager, who declined to give his name. "You wouldn't have realized that he could do what he did."

McKinnon, now 36, worked for CBT for approximately ten months ending in late 1999, the company says. He left on good terms. "As I remember it, he decided to leave because he was bored working here," says the manager. "But at the time that he left, he didn't have any place to go to."

On Tuesday (Nov 12, 2002), U.S. officials in Virginia charged McKinnon with seven felony counts of computer fraud for allegedly penetrating 92 different systems belonging to the Army, Navy, Air Force, the Pentagon, and NASA, as well as six computers owned by private companies and organizations, in a year-long hacking spree that ended last March.

A related indictment unsealed the same day in New Jersey charges the Londoner with a September, 2001 attack against U.S. Navy systems at the Earle Naval Weapons Station that allegedly resulted in the network of 300 computers being shut down for a week.

The private computers listed in the Virginia indictment are mostly at traditional easy targets, like public libraries and universities, and may have been used as cut-outs to cover the hacker's tracks. Gregg Cannon, IT director at victim-company Tobin International in Texas, says federal investigators contacted and subpoenaed his company early this year after a test system outside the company firewall was compromised and used to attack government computers. "All the government would tell us is that it was overseas," says Cannon. "He didn't do any damage."

Diverse Interests

The U.S. is seeking McKinnon's extradition, which McKinnon is fighting in the U.K.

McKinnon's former co-worker said Wednesday that there was nothing about the network admin to hint at a future as a civilian infowarrior, "assuming it was him that did it."

A trail of Usenet messages posted by McKinnon in the late 1990s to public Internet newsgroups suggests McKinnon had an early interest in esoteric technological subjects.

Postings in 1997 to the U.K. phone hacking newsgroup alt.ph.uk show McKinnon, or someone with the same name, offering advice on purchasing lock picks in the U.K., tips on encrypting files, and hints on changing the electronic serial numbers in cellular telephones.

A flurry of less subversive posts in December, 1999 from an email address at Corporate Business Technologies have McKinnon advising colleagues in Windows-administration newsgroups on a variety of topics -- most of them security-related.

One post from that period hints at an earlier start to McKinnon's interest in U.S. defense systems than the government has acknowledged. The message finds McKinnon advising someone on what brand of intrusion detection system to buy. He recommends ISS's RealSecure, because "The US Navy use[s] that and only that ..."

"[B]ut then," McKinnon adds without explanation, "they really need it."