Sunday, April 15, 2007

Remote hackers could trick users into running malicious code

Confidential vulnerability information managed by the CERT Coordination Center has again been leaked to the public, following a flurry of such leaks in March.

The latest information concerns a flaw in PDF (Portable Document Format) readers for Unix and could allow a remote attacker to trick users into executing malicious code on their machines, according to a copy of the leaked vulnerability report.

As with confidential CERT information that was leaked in March, the latest report was posted to a vulnerability discussion list by an individual using the name "hack4life."

The leaked information was taken from communication sent from CERT to software vendors affected by the PDF problem, according to Jeffrey Carpenter, manager of the CERT Coordination Center. The information appears to be from a vulnerability report submitted to CERT by a Cincinnati security researcher by the name of Martyn Gilmore.

Gilmore did not respond to requests for comment and CERT would not comment on how it obtained the PDF vulnerability information or on Gilmore's relationship with the Pittsburgh-based software vulnerability monitoring organization.

In the report, Gilmore describes a problem in the way that PDF viewing programs for the Unix platform process hyperlinks within valid PDF documents. When processing hyperlinks, common PDF readers use the Unix "shell" command (sh -c) to launch and pass commands to external programs. For example, clicking on a hyperlink for a Web page would launch the associated Web browser, according to the report.

However, Gilmore found that such programs do not properly check the syntax of such commands, enabling arbitrary shell commands to be executed on the vulnerable machine.

While attackers are limited by the privilege level of the user clicking the malicious link, the vulnerability could enable a remote attacker to use shell commands to delete files from the user's hard drive or perform other actions without the knowledge of the victim, the report said.
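The mechanism the report describes, a link target spliced into a string that is then handed to `sh -c`, is a classic command injection, and the fix is to stop using a shell at all. The following is an added example written for this page, not code from the leaked report, Xpdf or Acrobat Reader: it shows the unsafe pattern (returned as a string, never executed), a check for the characters a shell would act on, and the hardened path that validates the link's scheme and passes the URL as a single argv element. The browser name `firefox` and the helper names are assumptions chosen for the illustration.

```python
import re
import shlex
import subprocess
from urllib.parse import urlsplit

# Hypothetical external program; a real reader takes this from its configuration.
BROWSER = "firefox"

# Schemes a document hyperlink may hand to an external program.
ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_command(url: str) -> str:
    """The unsafe pattern from the report: the link target is concatenated into
    one command line that a reader would then run with `sh -c`. Returned as a
    string only, so nothing here is executed; it exists to make the problem
    visible to the reader."""
    return f"{BROWSER} {url}"


def shell_metacharacters(url: str) -> list:
    """List the shell-significant characters present in url. Under `sh -c`
    any one of these changes the meaning of the command line."""
    return sorted(set(re.findall(r"[\s;&|`$<>(){}'\"\\]", url)))


def shell_command_quoted(url: str) -> str:
    """If a shell is unavoidable, quote the argument so the shell treats the
    whole URL as one word. Still weaker than avoiding the shell entirely."""
    return f"{BROWSER} {shlex.quote(url)}"


def validate_url(url: str) -> bool:
    """Accept only absolute http/https URLs with a host and no whitespace or
    control characters. Anything else is refused rather than launched."""
    if len(url) > 2048 or re.search(r"[\s\x00-\x1f\x7f]", url):
        return False
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def safe_argv(url: str) -> list:
    """Build an argv list. The URL is one argument passed verbatim to the
    browser via execve(2); no shell ever parses it, so characters like ';'
    that are legal in URLs cannot become command separators."""
    if not validate_url(url):
        raise ValueError("refusing to launch link: " + repr(url))
    return [BROWSER, url]


def launch(url: str) -> subprocess.Popen:
    """Start the browser without a shell (shell=False is the default)."""
    return subprocess.Popen(safe_argv(url))


if __name__ == "__main__":
    demo = "http://example.com/a;echo injected"   # constructed sample link
    print("shell would see:", vulnerable_command(demo))
    print("metacharacters :", shell_metacharacters(demo))
    print("validated      :", validate_url(demo))
    print("argv           :", safe_argv("http://example.com/a;b"))
```

Note that `safe_argv` does not try to strip `;` or `&` from the URL: those are valid URL characters, and rejecting them would break legitimate links. The defence is structural (no shell), with validation limited to what a link is allowed to be (scheme and host).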

Adobe Systems Inc.'s Acrobat Reader 5.06 is affected by the problem in addition to the open-source reader Xpdf 1.01, according to the report.

CERT declined to discuss the details of the vulnerability.

The vulnerability information was scheduled to be released by CERT on June 23, according to an e-mail message purporting to be from hack4life that prefaced the leaked report.

The release date was obtained from CERT communications with its vendors, as well, but CERT declined to comment on whether it would be releasing an advisory regarding the PDF problem on June 23, according to Carpenter.

Hack4life cited "college and exams" for the lull in leaked CERT information in recent months and hinted at the likelihood of more disclosures in the future.

"I'll have plenty of time to keep you all up to date with what those fools at CERT are up to once college is finished," hack4life wrote.

In March, someone using the same name posted information on four vulnerabilities that CERT was investigating to the vulnerability discussion list Full-Disclosure. Those posts included sensitive information on a vulnerability in the Kerberos Version 4 protocol and a problem reported by Microsoft Corp. regarding spammers' abuse of Web redirectors, which forward users of Web portals such as MSN to IP (Internet Protocol) addresses close to their geographic location.

The PDF information was disclosed to CERT after the vulnerabilities were leaked in March, Carpenter said.

Contacted by e-mail in March, hack4life denied any affiliation with CERT and said that the reports were "stolen in a recent computer intrusion."

"Fun and amusement" was the primary motivation for stealing and leaking the vulnerability reports. A secondary motivation cited in e-mail by hack4life was anger over CERT's perceived failure to publish vulnerability information in a timely manner.

At the time, CERT officials cast doubt on hack4life's assertion that the reports were hacked, saying that the information was most likely leaked by a member of one of the development teams CERT works with to evaluate vulnerabilities.

The latest incident reaffirms CERT's belief that the problem lies with its vendors rather than with its own systems, Carpenter said. While CERT does not yet know which vendor is responsible for the leak, the organization is confident that an insider threat or compromise at one of the companies it deals with is responsible for the leaks, he said.

CERT is communicating with vendors about the problem, but Carpenter would not comment on whether CERT is working with law enforcement to catch the person responsible for the leaks.

"I'm not going to get into those specifics at this point," he said.

CERT plans to consult with affected vendors and discuss how to proceed now that the information is public, he said.

Monday, April 09, 2007

VESA adds anti-piracy tech to DisplayPort

The Video Electronics Standards Association (VESA) has posted DisplayPort version 1.1, almost a year after the digital monitor connection standard was first published.

DisplayPort is pitched as the successor to not only DVI external monitor connections but also LVDS, used to hook up notebook panels. Heck, it'll even replace VGA, VESA said in a tone suggesting the analogue standard will be around for some time yet.

DisplayPort 1.1 adds support for the HDCP 1.3 anti-duplication system, essential for allowing protected content on Blu-ray Disc and HD DVD media to be carried at full resolution to a DisplayPort-connected screen. The new spec also adds low-power and low-voltage modes.


DisplayPort is an alternative to the HDMI screen connection standard being promoted by the consumer electronics industry. The crucial difference is support for audio information: HDMI carries sound as standard, while for DisplayPort 1.1 it's optional. VESA sees DisplayPort as the standard for business-oriented systems, while HDMI will be the natural choice of monitor port for computers aimed at consumers.

Microsoft hits Middle East pirates

Microsoft is taking legal action against several companies it accuses of selling academic copies of Office to ordinary punters.

Schools and colleges can get cut-price software from Microsoft, but Microsoft says some resellers, in Jordan and elsewhere, have been selling the software on to companies and consumers in the US.

Microsoft has filed nine lawsuits and sent over 50 cease and desist letters. The legal action was started in the US, where the software was sold.

Microsoft UK anti-piracy head Michala Alexander told The Reg: "We're taking action against several global organisations who have been getting hold of academic copies of Office and selling them on in breach of the terms and conditions."

Alexander said the launch of Vista has increased piracy for older versions of Microsoft software: "It's like the end of season sale. We've not seen any Vista products in the UK yet - we made a big investment in anti-piracy measures and I think the activation process certainly helps."

As part of the same crackdown, Microsoft has settled with eDirectSoftware, one of its biggest distributors of academic software, after its involvement in a similar scheme. ®

Thursday, April 05, 2007

Hacking as an inside job

"Leaving your Web applications insecure makes no more sense than building a brick wall but using a gate made from chain link fencing." – James Gaskin
Whenever the President of the United States travels anywhere there are numerous individuals charged with making sure the President is secure and unharmed from attack. This is the premise behind Internet security. The work you have done on your site is the product of valuable time and energy. For some business owners the website represents significant research and creative energy. It is possible for a vulnerable website to be hijacked and remade in the image of something that resembles your website in name only, or to have safeguarded data copied for the use of a third party.

One of the biggest mistakes a website owner can make is allowing the work to be left unguarded. As reported in recent years, hacking of a computer system can occur either from within a company or from a remote location, which makes the use of Internet security so important.
“Advances in firewall technology (making them easier to install and configure), improvements in vulnerability scanning and better explanations of how to repair them, and better intrusion-detection with fewer false-positives are all key technologies in this race.” – Dr. Charles C. Palmer
Some hackers argue they are not involved in felonious activities, but are simply seeking knowledge and using the internet to find answers; however, the U.S. Government views the activity as a felony, punishable under applicable state and federal laws.

It should be noted that the term hacker has been adjusted. No longer is the term ‘hacker’ only used to describe someone gifted at programming and is able to break a website code to gain access to information. Today a hacker is also someone who misappropriates company data. Typically this scenario occurs from an inside and often trusted source.
“System administrators must learn about and maintain their systems securely. Users have to understand their security responsibilities.” – Dr. Charles C. Palmer
In many cases, businesses are now making a non-disclosure agreement a part of the hiring procedure to provide an extra legal recourse in the event that data is electronically removed and used in ways unauthorized by company heads.
“If a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless?” – Dr. Charles C. Palmer
Taking security issues seriously is needed in the development of a web-based business infrastructure. It may be worth exploring both on-site and off-site security features as a means of ensuring the long-term usability of your website.

Avoiding Internet Fraud and Scams

As ever more people use the internet for shopping, business transactions, online banking, etc., the incidence of internet fraud and scams has shot up in an alarming fashion. Not only has the level of internet crime increased but the scammers and fraudsters grow cleverer and more sophisticated every day. What can you do to fight back? In this article I will describe the most common scams of today so that you can recognize them for yourself and I will suggest how you might deal with them. Read on and find out how to avoid being taken!

Most of us are familiar with the dangers to our computers from viruses and similar destructive programs. There are many “fake” virus threats, however, which do no actual harm but can cause people to become alarmed and perhaps waste a lot of time. A recent example of this type of scam is the Death Ray virus scam which threatened to cause your computer to “explode in a hellish blast of glass fragments and flames”. A virus can damage software and files but NO virus can physically damage your computer hardware. If you inadvertently open an email containing such a threat simply delete the email and ignore it.

Then there is the classic “Nigerian” money scam. I put Nigerian in quotes because this particular scam started off purporting to come from Nigeria but now can originate from virtually any country. The most common are from countries where the political situation is such that the claims made in the scam are plausible. This is how it works. You will receive an email from someone saying that their money, usually a huge sum, is tied up in local banks. They need the money to pay bills or perhaps to get out of the country safely. You are asked to help them by having the money transferred to your account and you will be given a percentage of the cash for allowing them access. Needless to say once they have your bank account details you will never hear from them again, but you will see a large depletion of the money in your account!

You have probably heard of “phishing”. This refers to a particularly nasty scam which uses your personal details, credit card, bank account, social security, etc., to enable the thief to purchase goods, withdraw money and so on, all in your name. Never give your personal details in an email. Be sure that any web page that asks for such information is secure. Its address will begin with https:// rather than just http:// and there will be an icon in the form of a padlock in the right hand corner of your task bar. Clicking on the padlock will present a screen which gives details of the website’s security certificate.

Anything which says you have won a valuable prize in a competition or lottery which you did not enter should immediately start the warning bells ringing. You are likely to see many variations on this scam, including getting free cases of coke, free clothing from high profile stores, free cases of beer, free Dell computers and free cell phones. Usually you have to pay a fee to receive your prize. Once you have paid the fee you will never hear anything more. There is the added danger here of the thieves possibly having access to your credit card details.

A particularly deplorable form of scam is the kind relating to "work at home" opportunities. They prey on people on low incomes or the unemployed, people who are desperate for money. A rosy picture will be painted of the large amount of money that will be made for carrying out some menial task such as filling envelopes. They will ask for a fee upfront to pay for the supplies you will need to get started. You know you've been had when the supplies arrive: paper clips, paper, rubber bands and the like, at four times the cost of what you would buy the items for in your local store. Not only that, but when you complete any tasks you are set and send the work to them, they will say it was not up to the required standard and refuse to pay you. That is if you ever hear anything at all. If you are interested in working at home there are plenty of legitimate companies out there. They won't contact you first and they won't ask for money from you before sending you work.

Computer Security, Viruses And Threats

Today, many people rely on computers to do homework, work, and create or store useful information. Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for people on computers to protect their computer from data loss, misuse, and abuse. For example, it is crucial for businesses to keep information they have secure so that hackers can't access the information. Home users also need to take measures to make sure that their credit card numbers are secure when they are participating in online transactions. A computer security risk is any action that could cause loss of information, software, data, or processing incompatibilities, or cause damage to computer hardware; many of these are deliberate. An intentional breach in computer security is known as a computer crime, which is slightly different from a cybercrime. A cybercrime is an illegal act based on the internet and is one of the FBI's top priorities. There are several distinct categories for people that cause cybercrimes, and they are referred to as hacker, cracker, cyberterrorist, cyberextortionist, unethical employee, script kiddie and corporate spy.

*The Hacker.
The term hacker was actually known as a good word but now it has a very negative view. A hacker is defined as someone who accesses a computer or computer network unlawfully. They often claim that they do this to find leaks in the security of a network.

*The Cracker.
The term cracker has never been associated with something positive; it refers to someone who intentionally accesses a computer or computer network for evil reasons. It's basically an evil hacker. They access it with the intent of destroying or stealing information. Both crackers and hackers are very advanced with network skills.

*The Cyberterrorist.
A cyberterrorist is someone who uses a computer network or the internet to destroy computers for political reasons. It's just like a regular terrorist attack because it requires highly skilled individuals, millions of dollars to implement, and years of planning.

*The Cyberextortionist.
The term cyberextortionist refers to someone who uses emails as an offensive force. They would usually send a company a very threatening email stating that they will release some confidential information, exploit a security leak, or launch an attack that will harm a company's network. They will request a paid sum of money to prevent the threat from being carried out, a bit like black mailing.

*The Unethical Employee.
An unethical employee is an employee that illegally accesses their company's network for numerous reasons. One could be the money they can get from selling top secret information, or some may be bitter and want revenge.

*The Script Kiddie.
A script kiddie is someone who is like a cracker because they may have the intentions of doing harm, but they usually lack the technical skills. They are usually silly teenagers that use prewritten hacking and cracking programs.

*The Corporate Spy.
A corporate spy has extremely high computer and network skills and is hired to break into a specific computer or computer network to steal or delete data and information. Shady companies hire these types of people in a practice known as corporate espionage. They do this to gain an advantage over their competition, an illegal practice.

Business and home users must do their best to protect or safeguard their computers from security risks. The next part of this article will give some pointers to help protect your computer. However, one must remember that there is no way to guarantee one hundred percent protection for your computer, so becoming more knowledgeable about these risks is a must these days.

When you transfer information over the internet it carries a high security risk compared to information transmitted in a business network, because there the administrators usually take some extreme measures to help protect against security risks. Over the internet there is no powerful administrator, which makes the risk a lot higher. If you're not sure whether your computer is vulnerable to a computer risk, then you can always use some type of online security service, which is a website that checks your computer for email and Internet vulnerabilities. The company will then give some pointers on how to correct these vulnerabilities.

The Computer Emergency Response Team Coordination Center is a place that can do this. The typical network attacks that put computers at risk include viruses, worms, spoofing, Trojan horses, and denial of service attacks. Every unprotected computer is vulnerable to a computer virus, which is a potentially harmful computer program that infects a computer and alters the way the computer operates without the user's consent. Once the virus is in the computer it can spread throughout, infecting other files and potentially damaging the operating system itself.

It's similar to a biological virus that infects humans because it gets into the body through small openings and can spread to other parts of the body and cause some damage. The similarity is that the best way to avoid either is preparation. A computer worm is a program that repeatedly copies itself and is very similar to a computer virus. However, the difference is that a virus needs to attach itself to an executable file and become a part of it. A computer worm doesn't need to do that; it copies itself to other networks and eats up a lot of bandwidth.

A Trojan horse is named after the famous Greek myth and is used to describe a program that secretly hides and actually looks like a legitimate program but is a fake. A certain action usually triggers the Trojan horse, and unlike viruses and worms it will not replicate itself. Computer viruses, worms, and Trojan horses are all classified as malicious-logic programs, which are just programs that deliberately harm a computer. Although these are the common three there are many more variations and it would be almost impossible to list them. You know when a computer is infected by a virus, worm, or Trojan horse if your computer displays one or more of these things:

* Screen shots of weird messages or pictures appear.
* You have less available memory than you expected.
* Music or sounds plays randomly.
* Files get corrupted.
* Programs or files don't work properly.
* Unknown files or programs randomly appear.
* System properties fluctuate.

Computer viruses, worms, and Trojan horses deliver their payload or instructions through three common ways.

1 - When an individual runs an infected program so if you download a lot of things you should always scan the files before executing, especially executable files.

2 - When an individual boots a computer with an infected drive, so that is why it's important to not leave removable media in your computer when you shut it down.

3 - When an unprotected computer connects to a network. Today, a very common way that people get a computer virus, worm, or Trojan horse is when they open up an infected file through an email attachment.

There are literally thousands of malicious logic programs and new ones come out by the numbers so that's why it's important to keep up to date with new ones that come out each day. Many websites keep track of this. There is no known method for providing 100% protection for any computer or computer network from computer viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of those malicious programs. Whenever you start a computer you should have no removable media in the drives. This goes for CD, DVD, and floppy disks. When the computer starts up it tries to execute a boot sector on the drives and even if it's unsuccessful any given virus on the boot sector can infect the computer's hard disk. If you must start the computer using removable media for any reason, such as when the hard disk fails and you are trying to reformat the drive make sure that the disk is not infected.

How can you protect your computer?
The best way to protect your computer from any of the above is by using good quality internet security software. Purchasing this from a reputable security company is recommended to ensure that your software is kept up to date with the most recent virus signatures. If you are not up to date, an unrecognised virus will not be stopped by the software. A full security package will protect you from viruses, worms, Trojan horses and keyloggers, and will detect when a hacker is attempting to hack into your computer and prevent them from gaining access when you are online or connected to a network. It is not advisable to use a free antivirus service as these do not provide adequate protection and are a false economy. Recommended internet

Want to become a hacker?

Monday in a "chatroom interview" in Beijing someone asked me how to become a hacker. (Those of you visiting this web page from the People Magazine article, you should know the term "hacker" here refers to a computer programmer, not an internet vandal).

My interlocutor wanted to contribute to an open source project, but what tools should he use? What books should he read? Where should he hang out? Where should he start?

I've been asked this a few times so I thought I'd repeat my answer here. Miguel tells me he gets this question all the time too, and gives the same answer I do.

So, I'll let you in on the secret. Here are the steps to becoming a hacker:

  1. Download the source code to the program you want to change
  2. Untar it on your hard drive
  3. Get it to build and run
  4. Open the source code in an editor
  5. Find the part of the code that you need to change to make the program do what you want it to do
  6. Make the changes you need to make to the code and test it to make sure it works
  7. Run the diff -u command and email the output to the mailing list
That's it; follow those instructions and I guarantee you will be a hacker.

If there are no programs that you want to change, then maybe you don't want to be a hacker after all. Or maybe you haven't used software enough; how can you be a software user in 2005 and not have things you want to change?

Steps 1-4 sound stupid and obvious, but the fact is most people get stuck on step 1. Can you be a hacker if you don't have any source code on your computer? It might be possible but I haven't seen it done.

If you bloody your toes on step 3 a few times, don't be discouraged. It is ridiculous and humiliating but sometimes this step takes the longest and is the most difficult.

If you're lucky, step 5 is as easy as grepping the source tree for some relevant string from the program's GUI or output. It's more likely that you'll need to spend some time figuring out the layout of the code, sprinkling source files with printf's as you home in on the right area. It might also help to step through things in a debugger.

Step 5 gets easier the more experience you have. The more code you've read, the more programming patterns you know. Recognizing programming idioms makes it easier to figure out what someone else was thinking when he wrote the code you're trying to change. Of course step 5 is also easier if the software you're working on was written by a programmer with a lot of experience, who tries extra hard to write easy-to-understand code. Programmers with experience write easier-to-read code because they've been through the shock of having to fix a bug in code they wrote a year earlier and recognizing nothing.

Step 6 is commonly referred to as "hacking" but it's not always the part that takes the longest. If you're trying to hack a change into something big and complex, expect step 5 to eclipse step 6 in time consumption. One of the best hackers at Novell recently spent two months working on a hack involving Wine that ended up being a two line change. So prepare yourself mentally to spend a lot of time in step 5 before you reach step 6, and sometimes to go back from 6 to 5 a few times.

But most people don't reach this point, so if you're at step 6 you can safely call yourself a hacker. Whole books are written on how to do a good job of step 6, so I won't elaborate too much here, except to say that you probably can't be good at writing code until you've written a huge amount of it.

The real key to being a hacker is getting to the point where you're hacking. Without source code, a working build and a working knowledge of the layout of the code, you're not even able to start hacking. But once you know your way around in there and you're writing code and watching the program take shape, well, that's the fun part.

You just gotta get there.

Wednesday, April 04, 2007

McKinnon loses fight against extradition

Gary McKinnon, the alleged Pentagon hacker, has lost his appeal against extradition to the US on hacking charges.

McKinnon failed to convince Appeal Court judges on Tuesday to overturn a 2006 ruling by Home Secretary John Reid that his extradition should go ahead. The Scot now faces trial in the US for breaking into and damaging US Government computers.

McKinnon is alleged to have hacked into computers belonging to the US Army, US Navy, US Air Force, Department of Defense, and NASA in 2001 and 2002. The Scot lost his first appeal against extradition in a High Court hearing last July but was given leave to take his case to the Appeal Court, a move that culminated in failure on Tuesday.

The unemployed sysadmin has had these charges over his head since March 2002 when he was arrested by officers from the UK's National High Tech Crime Unit. The case against him lay dormant until July 2005, when extradition proceedings were brought against him. His lawyers consistently argued that McKinnon ought to be tried in the UK over his alleged offences, rather than the US.

McKinnon (AKA Solo) admits he looked at computer systems without permission, but claims he did no harm. He got involved in hacking after reading Disclosure by Steven Greer, which convinced him that the US had harvested advanced technology from UFOs (such as anti-gravity propulsion systems) and kept this knowledge secret, to the detriment of the public.

He was caught after US military agencies detected system intrusions which were traced back to the UK. UK authorities identified McKinnon as the attacker after obtaining records of British sales of a software tool called RemotelyAnywhere to McKinnon. Subsequent police work made him a prime suspect in the case, described by US authorities as the biggest military hack ever. ®


eBay users targeted by advanced Trojan

eBay users are being targeted by an advanced Trojan that attempts to redirect traffic so it can silently bid on a car from the auction site's car section, Symantec is warning. It is the latest security headache for eBay, which has faced an onslaught of complaints from some users who say fraud on the site has increased to unacceptable levels over the past few months.

eBay officials are aware of the Trojan and are working with Symantec to prevent it from affecting buyers and sellers, a spokeswoman said.

Trojan.Bayrob implements a proxy server so that traffic intended for eBay is instead sent to one of several sites controlled by the attacker. Traffic is redirected by changing settings corresponding to at least six eBay URLs in the victim's hosts file. Once connected to rogue servers, Bayrob is programmed to download configuration data, including a variety of php scripts.
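Because Bayrob's redirection works by adding static entries for eBay hostnames to the victim's hosts file, a simple defensive check is to parse that file and flag any mapping for a domain that should only ever be resolved through DNS. The following is an added example written for this page, not code from Symantec or eBay: it parses hosts-file syntax (comments, multiple names per line, IPv4 and IPv6), reports every entry for a watched domain, and distinguishes a redirect to another address from a loopback entry that merely blocks the site. The sample file content and the `192.0.2.10` address (a documentation range) are constructed; the watched suffix list is an assumption the reader would replace with the brands relevant to them.

```python
import ipaddress
import sys

# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# entries below are the kind a hosts-file hijacker adds
192.0.2.10      www.ebay.com
192.0.2.10      signin.ebay.com   cgi.ebay.com
127.0.0.1       ads.example.net
"""

# Domains that a legitimate machine never needs in its hosts file.
WATCHED_SUFFIXES = ("ebay.com",)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.
    Handles '#' comments, blank lines and several hostnames per line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed line; nothing to map
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower()


def is_watched(hostname, suffixes):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def find_hijacked_entries(text, suffixes=WATCHED_SUFFIXES):
    """Return (line_no, ip, hostname, kind) for every watched-domain entry.
    Any static override is a red flag, since these names resolve via DNS;
    loopback entries are reported as 'blocked' because they deny access
    rather than redirect it, a trick also used against security vendors."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name, suffixes):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            kind = "unparseable address"
        else:
            kind = "blocked (loopback)" if addr.is_loopback else "redirected"
        findings.append((line_no, ip, name, kind))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. /etc/hosts, or C:\Windows\System32\drivers\etc\hosts on
    # Windows) to scan a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, ip, name, kind in find_hijacked_entries(text):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

The check is deliberately strict: it does not try to decide whether `192.0.2.10` is a "bad" address, because the presence of any entry for the watched domain is already the indicator. Pairing it with a baseline hash of the hosts file catches the broader class of hosts-file tampering regardless of which domain is targeted.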

At least one of the scripts, Var.php, downloads variables such as tokenized versions of eBay pages designed to dupe a victim into thinking they are legitimate. One such page spoofs eBay's "Ask a question" section, which allows prospective buyers to - wait for it - ask sellers questions.

The tokenized variables let the attacker dynamically replace key strings such as the seller's name with ones doctored by the attacker, lending power and authenticity to the scheme. There are also feedback pages, for example, with high ratings, which are designed to give the victims confidence in the attacker and complete an auction.

This man-in-the-middle approach is unusual for eBay attacks, which usually involve phishing traps or keyloggers. But getting code to execute properly in man-in-the-middle attacks is difficult, and Symantec said the rogue servers did not appear to be returning variables needed to actually generate the spoofed pages.

eBay security has suffered several black eyes dating back to at least December, when longtime users say the number of fraudulent auctions being offered by users with high ratings began to grow. A hacker who goes by the name Vladuz has also embarrassed eBay security officials by gaining unauthorized access to servers on at least two occasions. The breaches allowed him to mock the company even as he posed as one of its employees.

eBay representatives have said Vladuz was able to penetrate only a limited section of eBay's system that is not able to access customer records and other sensitive information. They have also said most hijacked accounts are the result of users falling for phishing emails. ®

Blogger.com 'riddled' with malware

Blogger.com, home of the weblog publishing system owned by Google, has been infiltrated by a number of phishing sites, security watchers report.

In some cases, the Stration mass mailer is being used to drive traffic to these fraudulent sites. One such scam is a "storefront" for Pharmacy Express, which redirects from a Blogspot.com (now Blogger.com) link. The site is designed to harvest the personal information of prospective marks.

Beyond the problem of spam and phishing sites, a number of Blogger.com sites have been compromised with malicious code. For example, a blog site seemingly created by a Honda CR450 enthusiast is hosting the Wonka Trojan.

Hundreds of other blogging sites (covering subjects ranging from Star Wars, school, furniture, Christmas, cars, and girlfriends) are also infected, according to net security appliance firm Fortinet, which has published an advisory highlighting its concerns. ®

Grum worm poses as IE7 beta

Hackers are trying to trick prospective marks into loading malware that poses as a "beta" version of Internet Explorer 7.

Widely circulated emails, which pose as messages from admin@microsoft.com and feature subject lines such as "Internet Explorer 7 Downloads", display an image which invites gullible users to download beta 2 of Internet Explorer 7. Users who click on the authentic-looking image download a file called ie7.0.exe infected by the Grum-A worm.

Besides the fact that downloading software advertised in unsolicited emails is a bad idea, surfers might also want to note that the full version of IE7 was released in October 2006 (the beta 2 version was released in April 2006). Users should go direct to the original developer's site, or some other trusted outlet, when searching for software updates, yet many have yet to learn this lesson, a failing hackers are all too willing to exploit.

Punting malware that poses as software downloads from Microsoft is an all too common trick. The Gibe-F (AKA Swen) worm of 2003, for example, posed as a critical security update from the software giant, fooling many in the process. Two years ago hackers directed surfers to a bogus website masquerading as Microsoft's update site. ®

Vista keygen hoax exposed

Doubts have arisen about the effectiveness of a Windows key generator package that allegedly offered a means to circumvent Microsoft's anti-piracy protection.

Activation codes for Vista were said to have been obtained by brute force using key generator software that randomly tries a variety of 25-digit codes until it finds one that works.

Initial reports on Keznews suggested that the unsophisticated attack worked. Over the weekend, however, the author of the package has stepped forward to say these people must be either mistaken or telling porkies because the program is ineffective.

"The brute force keygen is a joke. I never intended for it to work. I have never gotten it to work. Everyone should stop using it," the anonymous coder said on a post to the Keznews forum.

Rather than go through the tedious business of running a key generator, some people on either side of the Atlantic have, we heard from Register readers, surreptitiously used the activation codes printed on boxed copies of Vista or on stickers on new PCs to get their systems up and running with illicitly downloaded copies of Vista.

One reader cast doubt on this approach, saying that Vista keys are normally inside copies of boxed software, so users would have to undo shrink-wrapped packaging. That still leaves the possibility of copying codes from stickers on PCs with Vista preloaded, however.

And although the Windows key generator may be a hoax, Hexus reports a more workable approach to cracking Vista.

The latest attack exploits Vista's System Locked Pre-installation 2 (SLP2) mechanism, technology which allows Microsoft's favoured hardware partners to avoid users having to activate their Vista installs. SLP2 combines an OEM specific certificate along with markers in the machine's BIOS and an appropriate product key.

The hack involves creating a BIOS emulator that serves up the correct BIOS data when needed. Used in combination with the appropriate OEM certificate and product key, this defeats the activation mechanism. The OEM certificates and other information needed for the hack to work are available. Withdrawing the affected keys in order to defeat the hack would likely upset Microsoft's OEMs.

Although Microsoft might still be able to defeat it, the hack might be effective in the short-term, and emulator writers might update their technology too, creating a serious headache for Microsoft, Hexus reports. ®

Windows Trojan masquerades as Vista hack

A week after Windows Vista's official launch hackers have devised their first attack, targeting pirates trying to install illegal copies of Microsoft's operating system.

A supposed Windows Vista crack called Windows Vista All Versions Activation 21.11.06 is reportedly doing the rounds, offering those tempted by the chance of sticking it to Microsoft the ability to install illegal versions of Windows Vista.

However, the software is not a Windows Vista crack and pirates get something they didn't expect - installation of a Trojan called PSW.Win32.LdPinch.aze - something with a "high" threat level.

Apparently, most anti-virus scanners can recognise the Trojan, but NOD32 and the latest software from Norton won't.

The installer follows in the footsteps of a Windows XP hack circulated by the devils0wn group in 2001, which allowed users to bypass product activation of Windows XP.

Windows Vista is currently available for download only to customers on Microsoft's volume licensing deals and won't become generally available until January. The Trojan would therefore likely hit certain business users and those working in businesses passing on copies to friends, family, or colleagues.

More worrying for business users in general, though, is the fact that the Windows Vista DVD has been designed to make it easy for third parties' software to be inserted alongside the operating system for mass distribution. That potentially lets hackers insert their code just as easily as Microsoft partners. ®