Thursday, February 22, 2007

U.K. Approves Extradition Order for Hacker

The U.K. approved an extradition request this week to send a computer hacker to the United States, where he'll be tried for allegedly crippling military networks shortly after the terrorist attacks in September 2001.

Gary McKinnon, 40, of London, has freely discussed his hacking exploits that led to the seizure of his equipment in March 2002. McKinnon, who admitted probing networks but claims he did no damage, fought extradition on the grounds he could be classified as an enemy combatant and held under similar conditions as other terrorist suspects held by the United States.

McKinnon has two weeks to appeal. If extradited, he will face trial in the U.S. District Court for the Eastern District of Virginia.

The U.S. alleges that McKinnon gained access to 97 government computers between February 2001 and March 2002, copying files and deleting data. The systems included those used to replenish munitions and supplies for the U.S. Navy's Atlantic fleet and the NASA space agency.

In one incident, McKinnon allegedly deleted system files and logs that shut down 300 computers at a U.S. Navy base "at a critical time" immediately after the Sept. 11 attacks, according to court documents. His alleged exploits are estimated to have caused more than US$700,000 in damage in total.

McKinnon, who went by the nickname "Solo," used a program called "RemotelyAnywhere" to control computers and access files. The former systems administrator said the networks he accessed often had low security, with easy-to-guess administrator passwords.

McKinnon said he continued to hack even after his probes had been noticed. On one occasion he miscalculated the time zones between the U.S. and the U.K., accessing a computer while someone was using it. The connection was immediately cut by the user, McKinnon said.

Network Technician Wins Vista 'Rocketplane' Ride

Space could indeed become the final frontier for a 29-year-old network technician who was chosen as the winner of a Windows Vista promotional contest -- as long as the taxman doesn't put a crimp in his flight plans.

William Temple, who works at medical insurer HealthNet in California, was announced today as the winner of the US$250,000 grand prize from Microsoft's "Vanishing Point" promotion, qualifying him for a 2009 flight that would blast him 62 miles into the air -- to the edge of outer space. In a random drawing, Temple's name was selected from among those of the 87,000 registered players of Vanishing Point, an interactive puzzle game sponsored by Microsoft and Advanced Micro Devices.

The monthlong game involved arcane puzzles and cryptic clues that were handed out to would-be puzzle solvers via Las Vegas light shows during the Consumer Electronics Show, skywriting above four cities, coded images projected onto monuments and a fireworks finale above Seattle.

Temple was chosen as the winner last Tuesday despite freely admitting that he had accumulated only 370 points out of the 1,500 maximum and that after solving the first puzzle on his own, he benefited from solutions posted on the Internet by other game players. According to Microsoft, any player could win, but a higher number of points increased someone's chance of winning.

"We had some people who solved every single puzzle," said Aaron Coldiron, a Vista manager at Microsoft. "But we feel good about Will winning. He's right in the target demographic."

That demographic, according to Microsoft, was men who are between the ages of 18 and 35 and are interested in technology. Reaching that group via conventional advertising is increasingly difficult and expensive. Coldiron said the total cost of staging the Vanishing Point game was "less than a single Super Bowl commercial." The going rate to air a 30-second spot during this year's game was as much as US$2.6 million, which doesn't include the costs of producing the commercial.

Not that Microsoft isn't investing elsewhere: it's expected to spend US$500 million to market Vista this year, according to published reports.

Some US$50,000 of that money will go to help Temple pay taxes on his flight, which is valued at US$196,500. The tax payment could be crucial: In 2005, the winner of an Oracle contest that would have given him a free space flight ultimately declined the trip because he would have had to report the ride, valued at US$138,000, as income and pay US$25,000 in taxes as a result.

Coldiron said Microsoft is working with Temple to "understand his tax situation" and will offer additional money if his tax bill from the trip turns out to be even higher than the budgeted US$50,000.

If the tax situation works out, Temple would get to experience what Microsoft's marketing mavens are calling "the ultimate vista" -- a flight on the Rocketplane XP, which is built around a heavily modified Learjet body. The 62-mile altitude that the flight would reach compares with the 220 miles above Earth that NASA's space shuttles fly to reach the International Space Station, said John Herrington, a retired astronaut who will serve as the pilot of the Rocketplane.

Because the Rocketplane won't go as high as the shuttle, it will experience temperatures of only 700 degrees Fahrenheit as it descends back to Earth, Herrington said. That compares with 3,000 degrees for the space shuttle, he added.

Plans call for the hour-long ride to start in Burns Flat, Oklahoma, a town of 1,782 people located 100 miles west of Oklahoma City that houses the Oklahoma Spaceport, a former Air Force base that is expected to start launching test space flights next year.

The operator of the flight, Rocketplane's Rocketplane Kistler unit, plans to run 25 to 50 test flights during 2008, according to Herrington, who is the Oklahoma City-based company's director of flight operations. Rocketplane Kistler is one of two companies that was chosen by NASA last year to provide outsourced flights to the International Space Station for bringing up crew members and replenishing supplies.

The other company, California-based Space Exploration Technologies -- or SpaceX, for short -- has received more publicity than Rocketplane Kistler has thus far. SpaceX, which was founded by PayPal Inc. co-founder Elon Musk, is using a more traditional rocket design. It had a failed launch last March but is planning a second one next month, when it will attempt to transport the cremated remains of more than 100 people, including astronaut Gordon Cooper and Star Trek actor James "Scotty" Doohan.

A third company, Virginia-based Space Adventures, has already sent four private citizens, including Ubuntu Linux developer Mark Shuttleworth, into space using Soyuz spacecraft from the former Soviet Union. Charles Simonyi, a former chief software architect at Microsoft, is training for a flight with Space Adventures this March.

Robotic crawler performs check-up of power lines

U.S. researchers have developed an autonomous robotic crawler that scans power lines for weak points in an electrical grid. By monitoring and precisely locating problematic sections of cable, the robot is expected to improve the efficiency and reduce the costs involved in power line maintenance.

The maintenance of power lines has traditionally been an expensive process based on estimates. With no means of accurately measuring the wear of cables, power companies tend either to discard entire lengths of cable after a predetermined amount of time, or to allow the cable to age until it fails.

"Removing an entire length of cable can be very expensive and costly, so removing an entire length of fully functioning cable after a set time period can be unnecessary," said Luke Kearney, undergraduate researcher and project coordinator at the University of Washington (UW). "[On the other hand,] allowing the cable to fail can cause widespread blackouts and can also be very expensive for the power companies to deal with."

UW's robot scans cables for internal damage by using sensors to track heat dissipation, partial electrical discharge, and any filaments of water that could have seeped into the insulation. Engineers can monitor the robot via wireless connection and watch the robot's surroundings through a front-mounted video camera.

Besides autonomously locating damaged sections of cable, the robot can also scan cable in areas which may be dangerous or difficult for humans to access. "In future years, it is our hope that the robot can be used in nuclear power plants to gather data in areas that may be dangerous to people," Kearney said.

The robot has only recently undergone its first field test at Lockheed Martin's Michoud NASA Assembly Facility in New Orleans, U.S., returning with the surprising finding that conditions in New Orleans are still unsafe even now, more than a year after the disastrous Hurricane Katrina struck.

Future prototypes can be designed to fit different cable configurations, including those used outside of the U.S., Kearney said.

More information is available from the project's Web site.

IE Bug Lets Hackers Phish With Google Desktop

A bug in Microsoft's Internet Explorer browser gives phishers a way to scan the hard drives of Google Desktop users, according to an Israeli hacker. Because of a flaw in the way IE processes Web pages, a malicious Web site could use the attack to steal sensitive information like credit card numbers or passwords from the hard drives of its visitors.

"Google Desktop users who use IE are currently completely exposed," wrote hacker Matan Gillon in an e-mail interview. "An experienced attacker can covertly harvest their hard drives for sensitive information such as passwords and credit card numbers. Since Google also indexes e-mails which can be read in the Web interface itself, it's also possible to access them using this attack."

The Details

Gillon has posted an extensive description of how such an attack would work, along with a proof of concept exploit, on his blog.

The IE bug concerns the way Microsoft's browser processes Web page layout information using the CSS (Cascading Style Sheets) format. The CSS format is widely used to give Web sites a consistent look and feel, but attackers can take advantage of the way that IE processes CSS to get Google Desktop to reveal sensitive information.

Hackers would first need to trick users into visiting a malicious Web site for the attack to be successful, Gillon says. The attack works with IE 6 and Google Desktop version 2, and may also work on other versions of Microsoft's browser, but not on non-Microsoft browsers like Firefox or Opera, he adds.

Turn Off JavaScript

Users can nullify the attack by turning off JavaScript in their browsers, Gillon says. This can be done by disabling "Active scripting" in IE's Internet Options menu. JavaScript is a popular scripting language used by Web developers to make their sites more dynamic.

Users need to be particularly wary of the Web sites they visit these days, because of another unpatched IE vulnerability that could be used to take over a user's PC. Hackers posted sample code that exploited this problem over a week ago, and Microsoft said that hackers are already using the code in attacks. As with the new CSS problem, users must first be tricked into visiting a malicious Web site for this IE bug to be exploited.

Some security experts believe that Microsoft is in the process of rushing out a patch to fix this problem before these attacks become more widespread. These attacks can also be avoided by disabling JavaScript in IE, or by using an alternative browser.

Microsoft executives were unavailable to comment on the CSS bug, but a spokeswoman for the company's public relations agency said the issue is being investigated. Microsoft is not aware of any attacks resulting from the hole, she said.

The Hacker's Diet: Computer Tools

The Hacker's Diet is accompanied by computer tools which permit logging the progress of a diet and subsequent weight management, producing progress reports, analyses, and charts. Computer tools are available both as spreadsheets and macros for Microsoft Excel and as an application for the handheld Palm Computing Platform.

You don't need a computer to use The Hacker's Diet; easy-to-work paper and pencil methods are presented in the book. But if you have a computer with Excel or a PalmPilot, the companion tools may save you time and provide more insight into the engineering underpinning of the methods described in the book, while producing an illustrated log of your progress.

Microsoft Excel Tools

A variety of Microsoft Excel spreadsheets (or "workbooks" in recent Microsoft-speak) are available which permit hands-on experimentation with the techniques presented in the book, forecasting diet plans, meal planning with automatic calorie counting, and a system for logging the progress of a diet and subsequent weight management which produces progress reports and charts.

In addition to the weight logging and analysis and meal planning packages, the feedback and trend fitting laboratories described in the book are included, as well as databases supporting the text.

Please visit the Excel Tools page to download a version compatible with the release of Excel you're using.

Palm Computing Tools

A handheld computer that's never far from your side is an excellent tool for logging your daily weight and providing real-time snapshots of the progress of your diet and long term weight management. An implementation of the Eat Watch, the central component of The Hacker's Diet, for the Palm Computing Platform (PalmPilot, Palm, etc.) puts this tool where it belongs--right in the palm of your hand. There's no more need for paper logs, spreadsheets, macros, or any Microsoft products whatsoever--just write your daily weight into your Palm and you can view weight logs, charts, trend analysis, and calorie balance right on your handheld computer.

Every time you HotSync, your weight log is backed up to your desktop machine, and a companion program (which runs on any computer with a vaguely standard C compiler) permits you to export your logs as illustrated HTML documents viewable with any Web browser and CSV files which can be imported into other applications.

Google Now a Hacker's Tool

Somewhere out on the Internet, an Electric Bong may be in danger. The threat: a well-crafted Google query that could allow a hacker to use Google's massive database as a resource for intrusion.

"Electric Bong" was one of a number of household devices that security researcher Johnny Long came across when he found an unprotected Web interface to someone's household electrical network. To the right of each item were two control buttons, one labelled "on," the other, "off."

Long, a researcher with Computer Sciences and author of the book, "Google Hacking for Penetration Testers," was able to find the Electric Bong simply because Google contains a lot of information that wasn't intended to lie unexposed on the Web. The problem, he said at the Black Hat USA conference in Las Vegas last week, lies not with Google itself but with the fact that users often do not realise what Google's powerful search engine has been able to dig up.

In addition to power systems, Long and other researchers were able to find unsecured Web interfaces that gave them control over a wide variety of devices, including printer networks, PBX (private branch exchange) enterprise phone systems, routers, Web cameras, and of course Web sites themselves. All can be uncovered using Google, Long said.

But the effectiveness of Google as a hacking tool does not end there. It can also be used as a kind of proxy service for hackers, Long said.

Although security software can identify when an attacker is performing reconnaissance work on a company's network, attackers can find network topology information on Google instead of snooping for it on the network they're studying, he said. This makes it harder for the network's administrators to block the attacker. "The target does not see us crawling their sites and getting information," he said.

Often, this kind of information comes in the form of apparently nonsensical information -- something that Long calls "Google Turds." For example, because there is no such thing as a Web site with the URL (Uniform Resource Locator) "nasa," a Google search for the query "site:nasa" should turn up zero results. Instead, it turns up what appears to be a list of servers, offering an insight into the structure of NASA's (the U.S. National Aeronautics and Space Administration's) internal network, Long said.

Combining well-structured Google queries with text processing tools can yield things like SQL (Structured Query Language) passwords and even SQL error information. This could then be used to structure what is known as a SQL injection attack, which can be used to run unauthorized commands on a SQL database. "This is where it becomes Google hacking," he said. "You can do a SQL injection, or you can do a Google query and find the same thing."

Although Google traditionally has not concerned itself with the security implications of its massive data store, the fact that it has been an unwitting participant in some worm attacks has the search engine now rejecting some queries for security reasons, Long said. "Recently, they've stepped into the game."

A Hacker's Tools of The Trade

Here's a rundown of some of the most interesting and popular techniques that hackers use to break into or damage web sites and computers.

Denial of Service Attacks

Denial of service attacks are designed to lock out legitimate users from web sites or networks. Hackers run programs that repeatedly request information from the victim's computer until that computer is unable to answer any other requests. Hackers can run programs or automated scripts that barrage the victim computer or network so that it becomes unusable by legitimate users, or even has to be shut down.

Distributed denial of service attacks (DDoS) are automated attacks that run simultaneously from multiple computers. Hackers can plant Trojan horse programs on the computers of unsuspecting accomplices throughout the network or internet. At a given hour, all involved computers coordinate requests for information from the overloaded victim computer. Due to the numbers involved, such an attack can be very difficult to stop.

[In February 2000, a number of high-profile web sites including Yahoo, Amazon.com, and eBay were hit with a series of distributed denial of service attacks which rendered the sites useless for a short time over the course of two days.]
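As an added illustration (not part of the original article), the following Python script shows the simplest defensive signal for the flood described above: it counts requests per source address inside a sliding time window over web-server log lines and reports sources that exceed a threshold. The log lines, addresses, window size and threshold are all constructed for the example.

```python
# Added example, not part of the original article: a request-flood detector
# run over constructed web-server log lines. It counts requests per source
# address inside a sliding window and reports sources that exceed a threshold.
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return (ip, timestamp) for a valid log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp = m.group(1), m.group(2)
    # drop the "+0000" zone suffix; the window only needs relative times
    return ip, datetime.strptime(stamp.split(" ")[0], TIME_FMT)


def flood_sources(lines, window_seconds=10, threshold=20):
    """Map each flagged source IP to the peak number of its requests seen
    inside any window_seconds-long window. Lines are expected in time order
    per source; unparseable lines are skipped."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when = parsed
        window = recent[ip]
        window.append(when)
        # evict requests that have fallen out of the window
        while (when - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def _log_line(ip, second):
    return (f'{ip} - - [22/Feb/2007:10:00:{second:02d} +0000] '
            f'"GET /index.html HTTP/1.0" 200 2326')


# Constructed sample: one ordinary visitor plus one source sending
# 30 requests inside five seconds (documentation addresses, not real hosts).
SAMPLE_LOG = sorted(
    [_log_line("198.51.100.3", s) for s in (1, 15, 30, 45)]
    + [_log_line("203.0.113.7", 20 + i // 6) for i in range(30)],
    key=lambda line: parse_line(line)[1],
)

if __name__ == "__main__":
    for ip, peak in flood_sources(SAMPLE_LOG).items():
        print(f"flood suspect {ip}: {peak} requests in a 10 s window")
```

A single-source counter like this catches the basic attack; the distributed variant described next defeats it by design, because each participating computer stays under the per-source threshold, which is why DDoS detection has to look at aggregate request rates and destination load rather than at any one client.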

DNS spoofing

When you point your browser to randomsite.com, your computer will look up that entry in a massive directory called the Domain Name Service (DNS) database, and then send you to the appropriate site.

However, computers don't understand names; they understand numbers. The DNS database matches every name to a numerical address. Servers throughout the internet maintain a constantly updating database of these DNS entries. A DNS spoof occurs when a hacker alters a DNS entry on a server to redirect the browser to an alternate site. If a consumer wanting to visit randomsite.com gets sent instead to evilcompany.com, then business can be stolen. A hacker can also create a fake site that pretends to be randomsite.com. In this way evilcompany.com might steal passwords, personal data or even credit cards from the consumer. Such hacks are not yet very common.

Packet Sniffers

Like many hacker tools, packet sniffers were initially designed as a tool for system administrators to help debug networking problems. Essentially, they are devices which allow the user to intercept and interpret "packets" of information traversing a network. Any information shared among a network of computers--username/password pairs, email, files being transferred--gets translated into "packets," which are sent out across the network.

Most of the internet uses the Ethernet transmission protocol. When you send a packet out on the Ethernet, every machine on the network sees the packet. Every piece of data you send over the internet contains an Ethernet header, a sort of numerical address, to make sure that the right machine gets the right information. Each machine is supposed to pay attention only to packets with its own Ethernet address in the destination field. However, an Ethernet packet sniffer is software which allows a hacker, or network administrator, to "eavesdrop" by recording information on packets not addressed to his or her computer.
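To make the destination-address filter concrete, here is an added Python example (not from the original article) that parses the 14-byte Ethernet II header and applies the rule the paragraph describes: a normally configured interface keeps only frames addressed to itself, to the broadcast address or to a multicast group, whereas a sniffer in promiscuous mode records every frame on the segment. The MAC addresses, EtherTypes and frames are constructed for the example.

```python
# Added example, not part of the original article: Ethernet II header parsing
# with the normal destination-address filter beside promiscuous capture.
import struct

BROADCAST = b"\xff" * 6  # ff:ff:ff:ff:ff:ff


def parse_ethernet(frame):
    """Split a raw Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def nic_accepts(dst, own_mac):
    """The filter a non-promiscuous interface applies: own unicast address,
    broadcast, or multicast (group bit, the low bit of the first octet)."""
    return dst == own_mac or dst == BROADCAST or (dst[0] & 1) == 1


def deliver(frames, own_mac, promiscuous=False):
    """Return the frames that reach software on this host as
    (dst, src, ethertype, payload) tuples. promiscuous=False mimics the
    normal address filter; promiscuous=True mimics what a sniffer records."""
    seen = []
    for frame in frames:
        dst, src, ethertype, payload = parse_ethernet(frame)
        if promiscuous or nic_accepts(dst, own_mac):
            seen.append((mac_str(dst), mac_str(src), ethertype, payload))
    return seen


def build_frame(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample: locally administered addresses (02:...) on one segment.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000003")
SAMPLE_FRAMES = [
    build_frame(MAC_B, MAC_A, 0x0800, b"hello B"),     # IPv4 payload to B
    build_frame(MAC_C, MAC_A, 0x0800, b"hello C"),     # IPv4 payload to C
    build_frame(BROADCAST, MAC_B, 0x0806, b"who-has"),  # ARP broadcast
]

if __name__ == "__main__":
    print("host B, normal filter:", [f[3] for f in deliver(SAMPLE_FRAMES, MAC_B)])
    print("host B, promiscuous: ", [f[3] for f in deliver(SAMPLE_FRAMES, MAC_B, True)])
```

The difference between the two `deliver` calls is the whole point of the section: host B normally never sees the frame addressed to C, and the only thing standing between it and that frame is a filter in its own network interface, which is why sensitive traffic on a shared segment needs encryption rather than trust in addressing.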

Social Engineering

Social engineering is a hacker term for deceiving or manipulating unwitting people into giving out information about a network or how to access it. A hacker may pose as an employee who forgot his or her password, or a software vendor asking for information about a network in order to determine what the company's software needs are. In testimony before Congress, ex-hacker Kevin Mitnick discussed some of his most successful social engineering exploits.

Trojan Horse Programs

Trojan horse programs are "back doors" into a computer system. A hacker may disguise a trojan as another program, video, or game, in order to trick a user into installing it on their system. Once a trojan is installed, a hacker could have access to all the files on a hard drive or a system's email, or even the ability to create messages that pop up on the screen. Trojans are often used to enable even more serious attacks. By hiding programs to be run later, hackers might gain access to other networks, or run DDoS attacks. The simplest Trojan horse replaces the messages shown when a login is requested. Users think they are logging into the system, so they provide their usernames and passwords to a program that records the information for use by the hacker. The most famous Trojan horse to date is probably Back Orifice, which was developed by the hacker group known as Cult of the Dead Cow. Once installed, this program gives the user access and control over any computer running a Windows 95/98 operating system or later.

Web Page Defacements

Web pages are simply computer files stored in directories on a server computer. If a hacker gains access to these files, he or she can replace or alter them in any way. The Republican National Committee, the CIA, and The New York Times are just three of the highly publicized web page defacements over the past few years.

Viruses and Worms

Worms and viruses are surreptitiously "self-replicating" programs that can spread exponentially throughout a network. Such programs are not by definition harmful: the first worm released on the internet, the Morris Worm, was not meant to do harm; it was merely an experiment by a Cornell University graduate student. However, it replicated itself so efficiently and took up so much memory and computing resources on the internet that many computers crashed, and system administrators across the country were forced to take their machines off the internet.

Modern-day virus writers often have malicious intent, however, and they use viruses and worms to spread destructive programs among unwitting hosts. A virus spreads by infecting another object on the computer system--a program file, a document, or the boot sector of a floppy disk. A worm can copy itself from computer to computer on a network without needing a file or other object. The most famous worm was the ILOVEYOU bug, which infected an estimated 45 million computers. It propagated itself by exploiting a weakness in the Microsoft Outlook email software, and emailing itself to every address stored in the Outlook address book on an infected computer.

Base Technologies: One Hacker's Tools

Jeanson James Ancheta—a.k.a. Resili3nt—used readily available software and hardware to create a botnet-for-profit of at least 400,000 infected computers that netted him at least $60,000.
APPLICATION           | PRODUCT                                                                     | SUPPLIER
Bot code              | Modified versions of bot code from Rxbot, Lca3.exe, Winun.exe, Wininst.exe | Various Web sites that provide free downloads, plus Ancheta's own coding and reverse-engineering of other malicious code
Online communications | Internet Relay Chat channels                                               | IRC.org
Hardware              | Laptops                                                                     | IBM, Toshiba, eMachines
Web servers           | Rented server space                                                         | Sago Networks, FDC Servers, EasyDedicated
Internet access       | Broadband connections                                                       | SBC, Adelphia Cable
Payment mechanisms    | Online payment service; online bank account                                 | PayPal; Wells Fargo

SOURCE: Indictment filed in U.S. District Court in Los Angeles

Tuesday, February 20, 2007

Guide to Next Generation Networks

Next Generation Networking is a term that is being increasingly used to describe the latest state-of-the-art networking platforms, which service providers are either developing or are using today.

Next Generation networks enable businesses to run a full range of IP-based voice, video and data applications over a single network. With the technologies used, current communication needs can be met whilst ensuring new applications and services can be deployed quickly and efficiently to support future requirements.

This guide provides an overview of what Next Generation Networks (NGNs) are and how they compare to the legacy networks still in use by many organisations.

150 Ways to Let Hackers In

To paraphrase Paul Simon, there are 150 ways to leave your software open to attack, according to Fortify Software, the Palo Alto-based security software specialist.

In the latest update to its Fortify Security Coding Rulepack, the company says it has added a further 34 "vulnerability categories", bringing the grand total to 150.

Fortify's philosophy is that the best place to deal with security threats is in source code when software is being built. Well-designed code can prevent a wide range of attacks and Fortify's Source Code Analysis tool helps improve code design and keep out the malcontents.

"Security threats are a constant challenge to programmers - but their priorities are to meet deadlines and deliver new features. We can help by giving them good tools to help make software less vulnerable," says Jacob West, manager of the security research group at Fortify.

According to Fortify, the two most-prevalent forms of attack are cross-site scripting, where rogue code pretends to be from a trusted site, and SQL injection, where executable SQL commands are put into data streams.

West says cross-site scripting can be prevented by using data flow analysis. "You can identify data as it comes in and check that it is what it says it is. A billing address, for example, should only contain letters and numbers. If it contains special characters then it may well be suspect."

Similarly, SQL injection may be avoided by ensuring that SQL data streams do not contain executable instructions. "SQL injection introduces extra commands into an SQL stream which can circumvent access control and enable data to be changed. If you can control the SQL command input you can do almost anything. But you can prevent it by input validation and restricting what you allow in commands."
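The two defences West describes, restricting what input is allowed and keeping data out of the command stream, look like this in practice. The following Python example is added here and is not Fortify's code: it shows a query built by string concatenation beside the parameterized form that sqlite3 supports, and an allow-list check of the kind he gives for a billing address. The table, rows and test inputs are constructed for the example.

```python
# Added example, not from the original article or from Fortify: SQL built by
# concatenation beside the parameterized form, plus allow-list input validation.
import re
import sqlite3


def setup_db():
    """In-memory database with two constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers "
                 "(id INTEGER PRIMARY KEY, name TEXT, billing_address TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, billing_address) VALUES (?, ?)",
        [("alice", "12 High Street"), ("bob", "7 Elm Road")])
    return conn


def find_by_name_unsafe(conn, name):
    """Vulnerable: the caller's text becomes part of the SQL command, so
    quotes and keywords in it are executed rather than compared."""
    query = ("SELECT name FROM customers WHERE name = '" + name + "' "
             "ORDER BY name")
    return [row[0] for row in conn.execute(query)]


def find_by_name_safe(conn, name):
    """Hardened: the driver sends the value separately from the command, so
    whatever the text contains, it is only ever compared against the column."""
    query = "SELECT name FROM customers WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


# Allow-list for a billing address: letters, digits and spaces only, as in
# the example West gives; anything else is rejected before it reaches SQL.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9 ]{1,100}$")


def is_valid_billing_address(value):
    return ADDRESS_RE.match(value) is not None


def compare(name):
    """Run the same input through both lookups on a fresh database and
    return (unsafe_result, safe_result)."""
    conn = setup_db()
    try:
        return find_by_name_unsafe(conn, name), find_by_name_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for candidate in ("alice", "x' OR '1'='1"):
        unsafe, safe = compare(candidate)
        print(f"{candidate!r}: concatenated -> {unsafe}, parameterized -> {safe}")
    for addr in ("12 High Street", "7 Elm Road'; --"):
        print(f"{addr!r} valid billing address: {is_valid_billing_address(addr)}")
```

The parameterized query is the primary control, because it removes the possibility of input being parsed as SQL at all; the allow-list is defence in depth that also catches the "special characters" West mentions as a sign of suspect input, and it is the check that a source-code analyser such as Fortify's would look for on the path from the request to the database call.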

Broadband Routers Welcome Drive-by Hackers

Still using the default password that came with that nice broadband router you installed at home? Time to get off your butt and change it: visiting the wrong website is enough to have key settings changed on the most popular models.

Symantec warns attackers can employ a simple piece of JavaScript to modify a router's domain name server settings. Once the router is rebooted, a rogue DNS will send the victim to spoofed websites with malicious intent.

That could unleash all kinds of new phishing expeditions, Symantec says. For example, the new DNS could route a request for bankofamerica.com or Microsoft's update site to fraudulent sites that steal login details or install back doors.

A proof of concept works with popular models made by Linksys, D-Link and Netgear, but only if they use the default password. Hence, the attack can be thwarted by setting a new password that's not easy to guess.

As with many of the recently discovered browser-related vulnerabilities, attacks also require JavaScript to be enabled. Running a program such as the NoScript extension to Firefox is also a safeguard in these cases.

Hard Drive Contents Cough Up by IE and Firefox

Updated: The latest versions of Internet Explorer and Firefox on Windows and (in the case of Firefox) Unix systems are vulnerable to attacks that could reveal the contents of sensitive files residing on a victim's hard drives.

The vulnerability resides in the functionality that allows the browsers to upload files to a remote server. It requires a victim to visit a booby-trapped website and enter text with certain characters in a comment interface or other input field.

Demonstration exploits, one for IE and the other for Firefox, show how typing a simple string into a message box reveals a Windows user's boot.ini file.

Petko D. Petkov, a researcher who has investigated the vulnerability, says similar techniques could be used to reveal more sensitive files on Windows or Unix-based machines, for example C:\WINDOWS\system32\config\SAM in the former or /etc/passwd in the latter.

The vulnerability in Firefox was tested with versions 2.0 and 1.5. It is a variant of a bug that was reported on Bugzilla as early as 2000, according to Michal Zalewski, who is credited with discovering the flaw in that browser.

Petkov is believed to have first determined that IE 7 is also vulnerable.

A Microsoft spokesman said the company is investigating the report. Initial findings by Microsoft's security team are consistent with the report, specifically that "an attacker could gain access to user files if the location of a given file is already known" and would then have to convince the victim to enter the location of that file in a Web page.

Legendary Turkish Hacker iskorpitx Strikes Down Under

Legendary Turkish hacker iskorpitx has turned his attention Down Under with an attack that grounded the websites of nearly 600 Kiwi businesses and about 300 international sites hosted by the same US-based web server.

As stuff.co.nz reports, "in each case the content of a site's homepage was replaced with an animated medieval knight, Turkish pop music, and a cryptic Turkish message".

Vodafone owned ISP ihug was the worst hit, though several other ISPs are also thought to have been involved. The problem affected sites hosted on a US server run by quik.com, the New Zealand subsidiary of which was bought by ihug last year. Only those ihug customers that were inherited as a result of the purchase were vulnerable to the hack.

Though the security weakness was supposedly fixed yesterday, many of the affected sites still remain offline, their homepages replaced with the quik internet logo (examples here and here).

iskorpitx is estimated to have made about 180,000 attacks in his career, including one that has been labelled the "biggest in history". In this attack he reportedly hacked 21,459 websites in one shot and defaced all with a picture of the Turkish flag and this missive:

"HACKED BY iSKORPiTX

(TURKISH HACKER)

FUCKED ARMANIAN-FUCKED FRANCE-FUCKED GREECE-FUCKED PKK TERROR

A list of his hacking history can be found here.

Do You Want Me to Hack Your Vista PC?

Microsoft is playing down the possibility that the speech recognition system in Windows Vista could be hijacked to delete files or perform other unauthorised actions.

Vista contains improved speech recognition technology, a factor which prompted security researchers to see if it was possible to create MP3 files on hacker websites or audio tracks distributed on P2P networks that issue spoken commands which take control of PCs running Vista.

Microsoft said the exploit is technically possible but unlikely to be much of a threat in practice. The attack scenario relies on activation of the speech recognition feature (with a user's microphone and speakers switched on to receive commands) and for a user to be away from his desk, so that the mischief takes place without anyone intervening. Many PCs are left on all the time, so hitting unattended PCs on, for example, the trading floor of a bank simply by targeting them at night might be possible.

A number of security researchers and Vista geeks have already tested the approach and were able to delete files and visit, albeit with considerable difficulty, arbitrary websites. But Microsoft says a number of additional factors make attacks based on the approach implausible, if not impossible.

"It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation," Adrian, a Microsoft security researcher, wrote on Redmond's security response blog.

"While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation," he added.

The SANS Institute's Internet Storm Centre (ISC) disputes Microsoft's assessment of the potential danger posed by the feature. "Downloading and executing a local privilege escalation is still eminently possible, you just need a suitable 0-day local privilege escalation for Vista. Indeed, any way to download and run arbitrary code as a valid user is never good news, this one just happens to be from the 'neat trick' pile," ISC duty staffer Arrigo Triulzi writes.

Is Vista Secure Enough for Business?

Five years after the release of Windows XP, Microsoft’s primary stated goal with Windows Vista has been to reduce security vulnerabilities and overall susceptibility to malware and other threats. A number of new security features have been introduced in an attempt to reflect the heightened priority of security. This paper describes Windows Vista security, provides an insight into the level of protection it provides for business users, and assesses how far the new features measure up to Microsoft’s aspirations for its new desktop operating system.

Bit of a Phone Phreak - By Kevin Poulsen, SecurityFocus Online

securityfocus.com Usenet posts show Gary McKinnon was a bit of a phone phreak, knew where to buy lock picks, and had an early interest in defense computers. A former employer says he was bored at work.

The British man accused of the most ambitious hack attacks against Defense Department computers in years was also a fine network administrator, according to a former co-worker.

A manager at the London-based telecom equipment seller Corporate Business Technology Ltd. recalls Gary McKinnon as a friendly -- if unremarkable -- presence at the company, where he provided IT support for an office of about 50 people. "He was personable, relatively happy around the office," says the manager, who declined to give his name. "You wouldn't have realized that he could do what he did."

McKinnon, now 36, worked for CBT for approximately ten months ending in late 1999, the company says. He left on good terms. "As I remember it, he decided to leave because he was bored working here," says the manager. "But at the time that he left, he didn't have any place to go to."

On Tuesday (Nov 12, 2002), U.S. officials in Virginia charged McKinnon with seven felony counts of computer fraud for allegedly penetrating 92 different systems belonging to the Army, Navy, Air Force, the Pentagon, and NASA, as well as six computers owned by private companies and organizations, in a year-long hacking spree that ended last March.

A related indictment unsealed the same day in New Jersey charges the Londoner with a September, 2001 attack against U.S. Navy systems at the Earle Naval Weapons Station that allegedly resulted in the network of 300 computers being shut down for a week.

The private computers listed in the Virginia indictment are mostly at traditional easy targets, like public libraries and universities, and may have been used as cut-outs to cover the hacker's tracks. Gregg Cannon, IT director at victim-company Tobin International in Texas, says federal investigators contacted and subpoenaed his company early this year after a test system outside the company firewall was compromised and used to attack government computers. "All the government would tell us is that it was overseas," says Cannon. "He didn't do any damage."

Diverse Interests

The U.S. is seeking McKinnon's extradition, which McKinnon is fighting in the U.K.

McKinnon's former co-worker said Wednesday that there was nothing about the network admin to hint at a future as a civilian infowarrior, "assuming it was him that did it."

A trail of Usenet messages posted by McKinnon in the late 1990s to public Internet newsgroups suggests McKinnon had an early interest in esoteric technological subjects.

Postings in 1997 to the U.K. phone hacking newsgroup alt.ph.uk show McKinnon, or someone with the same name, offering advice on purchasing lock picks in the U.K., tips on encrypting files, and hints on changing the electronic serial numbers in cellular telephones.

A flurry of less subversive posts in December, 1999 from an email address at Corporate Business Technologies have McKinnon advising colleagues in Windows-administration newsgroups on a variety of topics -- most of them security related.

One post from that period hints at an earlier start to McKinnon's interest in U.S. defense systems than the government has acknowledged. The message finds McKinnon advising someone on what brand of intrusion detection system to buy. He recommends ISS's RealSecure, because "The US Navy use[s] that and only that ..."

"[B]ut then," McKinnon adds without explanation, "they really need it."