
Posts Tagged ‘hacker’

By JORDAN ROBERTSON, AP Technology Writer Wed Aug 27, 5:16 PM ET

SAN FRANCISCO – Intercepting Internet traffic, and spying on the communication between two computers, is a gold mine for hackers. Now Carnegie Mellon University researchers hope software they’ve built will make it harder for criminals to hit that jackpot.

The software, a free download for use with the latest version of the Firefox Web browser, gives users an additional way to verify that the site they are trying to visit is authentic.

Most browsers already alert users when a site appears bogus. One such warning says that a site claiming to handle confidential information securely has not had its certificate vouched for by a trusted third party, such as VeriSign Inc. or GoDaddy.com Inc. Those are two of many companies that sell so-called Secure Sockets Layer certificates; when a browser accepts such a certificate, it shows the padlock icon in the address bar.

The problem, the Carnegie Mellon researchers say, is that many people are perplexed about how to proceed once they get one of those warnings about a bad certificate.

Some click through, going on to malicious sites that steal their personal information, while others retreat, skipping harmless sites that use cheaper “self-signed” certificates, which no third party has vouched for.

So the researchers — David Andersen, Adrian Perrig and Dan Wendlandt — created a program that performs a novel extra step. It can consult a network of publicly accessible servers that have been set up to connect to Web sites repeatedly from different points on the Internet, record the public keys the sites present, and keep a history of any changes.

If the key the user’s browser is offered differs from what those servers have consistently recorded, traffic may be being rerouted through machines under an attacker’s control, a pernicious type of attack known as a “man in the middle.”

As a result, the new program either overrides the security warning, if the key matches what the servers have consistently seen and the site is deemed legitimate, or throws up another warning if the probes reveal more red flags.
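The decision described above, as an added example that is not the Carnegie Mellon researchers’ software: a client compares the key it was just offered with what several independent vantage points have recorded for the same host over time, and only then decides whether to suppress or escalate the browser’s warning. The host, notary names, keys and timestamps are constructed; the term “notary” for the probing servers is an assumption of the example.

```python
import hashlib
from dataclasses import dataclass

# Added example, not the Carnegie Mellon researchers' software. It models the
# decision described above: the key a browser is offered is compared with what
# independent vantage points ("notaries" here, an assumed name) have recorded
# for the same host over time. Hosts, notary names, keys and timestamps are
# constructed for illustration.

DAY = 86_400
HOST = "mail.example.org:443"
NOW = 1_220_000_000  # constructed "current" unix time


@dataclass(frozen=True)
class Observation:
    notary: str        # vantage point that made the observation
    host: str          # "hostname:port" that was probed
    fingerprint: str   # SHA-256 of the DER certificate the notary was offered
    first_seen: int    # unix time this notary first saw this key at this host
    last_seen: int     # unix time this notary most recently saw it


def fingerprint(cert_der: bytes) -> str:
    """Stable identifier for a certificate: SHA-256 over its DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


def assess(host, offered_fp, observations, now, quorum=0.75, min_age_days=7):
    """Classify the key a client was offered against the notaries' history.

    "no_data"      no notary has a record for this host
    "consistent"   at least `quorum` of notaries currently see the offered key
                   and it has been in place for at least `min_age_days`
    "new_key"      the notaries agree with the client but the key is young,
                   i.e. it only recently appeared at the server
    "inconsistent" most notaries currently see a different key, so the path
                   between this client and the server may be intercepted
    """
    latest = {}  # notary -> its most recent observation of this host
    for obs in observations:
        if obs.host != host:
            continue
        current = latest.get(obs.notary)
        if current is None or obs.last_seen > current.last_seen:
            latest[obs.notary] = obs
    if not latest:
        return "no_data"
    agreeing = [o for o in latest.values() if o.fingerprint == offered_fp]
    if len(agreeing) / len(latest) < quorum:
        return "inconsistent"
    oldest = min(o.first_seen for o in agreeing)
    if now - oldest < min_age_days * DAY:
        return "new_key"
    return "consistent"


def decide(verdict: str, chain_validates: bool) -> str:
    """Combine the notary verdict with the browser's own certificate-chain check.

    Returns "allow", "warn" (the browser's usual warning stands) or
    "warn_mitm" (the extra warning the article describes).
    """
    if verdict == "inconsistent":
        return "warn_mitm"      # even a chain that validates is suspect here
    if verdict == "consistent":
        return "allow"          # override the self-signed warning
    return "allow" if chain_validates else "warn"   # no_data / new_key


KEY_A = fingerprint(b"constructed DER bytes for key A")
KEY_B = fingerprint(b"constructed DER bytes for key B")
KEY_C = fingerprint(b"constructed DER bytes for key C")

# Four notaries; notary-4 recently started seeing a different key at HOST.
OBSERVATIONS = [
    Observation("notary-1", HOST, KEY_A, NOW - 90 * DAY, NOW - 1 * DAY),
    Observation("notary-2", HOST, KEY_A, NOW - 88 * DAY, NOW - 2 * DAY),
    Observation("notary-3", HOST, KEY_A, NOW - 80 * DAY, NOW - 1 * DAY),
    Observation("notary-4", HOST, KEY_A, NOW - 80 * DAY, NOW - 10 * DAY),
    Observation("notary-4", HOST, KEY_B, NOW - 9 * DAY, NOW - 1 * DAY),
]


def example_verdicts():
    """Three situations a client can be in, against the constructed history."""
    rotated = [Observation(f"notary-{i}", HOST, KEY_B, NOW - 2 * DAY, NOW - DAY)
               for i in range(1, 5)]
    return {
        "stable_key": assess(HOST, KEY_A, OBSERVATIONS, NOW),      # consistent
        "unknown_key": assess(HOST, KEY_C, OBSERVATIONS, NOW),     # inconsistent
        "rotated_yesterday": assess(HOST, KEY_B, rotated, NOW),    # new_key
    }


if __name__ == "__main__":
    for case, verdict in example_verdicts().items():
        print(f"{case}: {verdict} -> {decide(verdict, chain_validates=False)}")
```

Two limits of the approach are visible in the code. A key that was legitimately rotated yesterday looks the same as a key an attacker introduced yesterday, so `new_key` can only fall back to the browser’s ordinary warning. And the check only detects interception between this client and the server: an attacker sitting in front of the server itself would present the same key to every notary and pass as `consistent`.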

___

On the Net:

Carnegie Mellon researchers’ site:

http://tinyurl.com/6cblaz



The software will allow the sharing of music bought on iTunes

The release of software from a firm run by a notorious Norwegian hacker is likely to cause waves in the music and film download world. Jon Lech Johansen became the “enfant terrible” of the DRM industry when he released software which cracked the encryption codes on DVDs, aged just 15.

His firm, DoubleTwist, has now released software allowing users to share digital media files across devices.

It would allow songs bought on Apple’s iTunes to be shared on other devices.

At the moment, the only portable music player which can store content downloaded from the iTunes store is Apple’s iPod.

Users can copy downloaded songs to a CD and then copy the disc back on to the computer so that the songs can then be moved to other portable devices – but the quality of the music is affected.

In 2003 Mr Johansen distributed a program which bypassed Apple’s Fairplay system, the software that enforces this relationship between iTunes and the iPod. Since then he has had several other well-publicised run-ins with the firm.

Tower of Babel

The new software from his San Francisco-based company DoubleTwist will allow users to share both user-generated and professionally created music, photos and video clips between computers, mobiles and game consoles.

Media which lives on a computer can be moved to a variety of mobile devices by dragging and dropping the files to a desktop folder which then drops copies on the external device over the web.

Initially the system will allow file-sharing with Sony’s PSP games console, Nokia’s N-series mobile, Sony Ericsson’s Walkman and Cybershot handsets and Microsoft’s Windows Mobile smartphones.

The software converts media stored in one file format to those used by the other devices in a system that mimics the process of ripping a CD onto a computer.

One hundred songs can be converted in about half an hour, with a slight degradation in sound quality, according to the firm.

“With digital media such as video from a friend’s cell phone or your own iTunes playlists, it’s a jungle out there,” said Monique Farantzos, co-founder of DoubleTwist.

“The digital media landscape has become a tower of Babel, alienating and frustrating consumers. Our goal is to provide a simple and well integrated solution that the average consumer can use to eliminate the headaches associated with their expanding digital universe,” she said.

The company is confident there will not be any legal challenges from Apple.

“All we are facilitating are friends sending things to one another,” Ms Farantzos told the Reuters news agency.

The software is available as a free download from the company’s website.


By Matthew Broersma, Techworld
February 14, 2008

The three bugs, which allow unauthorized access to kernel memory, exist in all versions of the Linux kernel before 2.6.24.1, including the kernels shipped by Ubuntu, Red Hat, and others.

Security researchers have uncovered “critical” security flaws in a version of the Linux kernel used by a large number of popular distributions.

The three bugs allow unauthorized users to read or write to kernel memory locations or to access certain resources in certain servers, according to a SecurityFocus advisory.

They could be exploited by malicious local users to cause a denial of service, disclose potentially sensitive information, or gain “root” privileges, according to security experts.

The bugs affect Linux kernel versions before 2.6.24.1, which contains a patch. Distributions such as Ubuntu, Turbolinux, SuSE, Red Hat, Mandriva, Debian and others are affected.

The problems are in three functions in fs/splice.c, the kernel source file that implements the splice family of system calls, according to an advisory from Secunia.

“In the 2.6.23 kernel, the system call functionality has been further extended resulting in … critical vulnerabilities,” said iSEC Security Research in an advisory.

Secunia disagreed about the bugs’ seriousness, giving them a less critical ranking.

Exploit code for the vulnerabilities has been released publicly on the exploit archive milw0rm.com, and Core Security Technologies has also developed a commercial exploit for the bugs, researchers said.

Researchers advised system administrators to update their kernels immediately.

Last month, a U.S. Department of Homeland Security bug-fixing scheme uncovered an average of one security glitch per 1,000 lines of code in 180 widely used open-source software projects.

Secunia also previously reported that the number of security bugs found last year in the open-source Red Hat Linux operating system and the Firefox browser far outstripped the number found in comparable products from Microsoft.


Robert McMillan, IDG News Service

The Web site for Indian antivirus vendor AvSoft Technologies has been hacked and is being used to install malicious software on visitors’ computers, security researchers said last week.

The download section of AvSoft’s S-cop Web site hosts the malicious code, according to Roger Thompson, chief research officer with security vendor AVG. “They let one of their pages get hit by an iFrame injection,” he said. “It shows that anyone can be a victim…. It’s hard to protect Web servers properly.”

The technique used on the site has been seen in thousands of similar hacks over the past few months. The attackers inject an invisible iframe into a legitimate page; when a victim’s browser loads that page, the iframe silently fetches content from another server, which in turn serves attack code that attempts to install malicious software on the victim’s computer.

The malicious software is a variant of the Virut virus family.

Iframes are commonly used by Web developers to embed content from another page, but because an iframe can be made invisible, the technology is often misused by hackers as a way to silently load malicious Web sites inside a trusted one.
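A scanner for the kind of injected iframe described above, added here as an example that is not code from AVG, AvSoft or the researchers quoted: it collects every iframe on a page, records how each one is kept out of the visitor’s sight (zero or one-pixel size, `display:none`, `visibility:hidden`, off-screen positioning) and whether its source is a different host from the page itself, and flags only the ones that are both hidden and cross-origin. The sample page and hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example; not AVG's, AvSoft's or the researchers' code. It scans a page
# for the kind of injected iframe described above: one the visitor cannot see
# and that pulls content from a host other than the page's own. The sample
# page and hostnames are constructed.


class _IframeCollector(HTMLParser):
    """Collect the attribute lists of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(attrs)


def _pixels(value):
    """'1', '0px' -> int pixels; '100%' or missing -> None."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return int(m.group(1)) if m else None


def hiding_reasons(attrs):
    """Ways this iframe is kept out of the visitor's sight, if any."""
    a = {k.lower(): (v or "") for k, v in attrs}
    style = a.get("style", "")
    reasons = []
    for prop in ("width", "height"):
        # an inline style overrides the width/height attributes
        m = re.search(rf"{prop}\s*:\s*(\d+)\s*(?:px)?", style, re.I)
        size = int(m.group(1)) if m else _pixels(a.get(prop))
        if size is not None and size <= 1:
            reasons.append(f"{prop}={size}")
    if re.search(r"display\s*:\s*none", style, re.I):
        reasons.append("display:none")
    if re.search(r"visibility\s*:\s*hidden", style, re.I):
        reasons.append("visibility:hidden")
    if re.search(r"(?:left|top)\s*:\s*-\d{3,}", style, re.I):
        reasons.append("positioned off-screen")
    return reasons


def find_iframes(html, page_url):
    """One record per iframe: src, how it is hidden, whether it is
    cross-origin, and the combined verdict (hidden AND third-party)."""
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = _IframeCollector()
    collector.feed(html)
    records = []
    for attrs in collector.iframes:
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        src_host = (urlparse(src).hostname or "").lower()
        reasons = hiding_reasons(attrs)
        cross_origin = bool(src_host) and src_host != page_host
        records.append({
            "src": src,
            "hidden_by": reasons,
            "cross_origin": cross_origin,
            "suspicious": bool(reasons) and cross_origin,
        })
    return records


# Constructed page: one ordinary visible embed, one injected invisible iframe.
SAMPLE_PAGE = """<html><body>
<h1>Downloads</h1>
<iframe src="https://video.example-cdn.com/embed/42" width="560" height="315"></iframe>
<p>Get the latest signature update below.</p>
<iframe src="http://redirector.example.net/in.cgi?3" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-5000px" frameborder="0"></iframe>
</body></html>"""


def example_findings():
    return find_iframes(SAMPLE_PAGE, "http://www.scop.example.com/download.html")


if __name__ == "__main__":
    for rec in example_findings():
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {rec['src']}  hidden_by={rec['hidden_by']}")
```

The scan works on the HTML as served. Injections that build the iframe at runtime with obfuscated `document.write` calls, which are common in the same campaigns, are invisible to it; those need the page rendered in an instrumented browser, or the script blocks pulled out and examined separately.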

AvSoft, based in New Delhi, sells an antivirus product called SmartCOP and has sold a second antivirus product called Smartdog. The company, which is not well-known in the U.S., also specializes in recovering data lost due to virus attacks. The company could not be reached for comment Thursday afternoon.

That data recovery service could come in handy for some, as Virut is known as a “parasitic infector” virus that is extremely difficult to remove. “It infects all of your programs on your local hard drives, and then it starts hitting your network drives as well the first time you run,” Thompson said.

Fortunately, the malware used to install Virut exploits only well-known bugs, meaning that users who are running antivirus software on fully patched systems will probably not be infected by the attack in its current state, security experts say.

Nobody knows how the malware got onto the Web site in the first place. News of the hack was reported on the Full Disclosure security discussion list on Thursday.

McAfee Security Research Manager Dave Marcus believes that the site was compromised by exploiting a Web programming error, most likely in the site’s PHP code or SQL queries. Security experts say that criminals have written automated programs that scour the Web for these types of flaws and then infect the vulnerable sites automatically, making this an increasingly common problem.


By TED BRIDIS, Associated Press Writer 

WASHINGTON – In the middle of the biggest-ever “Cyber Storm” war game to test the nation’s hacker defenses, someone quietly targeted the very computers used to conduct the exercise.

The surprising culprit? The players themselves, the same government and corporate experts responsible for detecting and fending off attacks against vital computer systems, according to hundreds of pages of heavily censored files obtained by The Associated Press. Perplexed organizers sent everyone an urgent e-mail marked “IMPORTANT!” instructing them not to probe or attack the game’s control computers.

“Any time you get a group of (information technology) experts together, there’s always a desire, ‘Let’s show them what we can do,'” said George Foresman, a former senior Homeland Security official. “Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players.”

The exercise was a big deal for all concerned.

The $3 million, invitation-only war game simulated what the U.S. describes as plausible attacks over five days in February 2006 against the technology industry, transportation lines and energy utilities by anti-globalization hackers. The government is organizing a multimillion-dollar “Cyber Storm 2,” to take place in early March.

Among the mock disasters confronting officials in the previous exercise: Washington’s Metro trains shut down. Seaport computers in New York went dark. Bloggers revealed locations of railcars with hazardous materials. Airport control towers were disrupted in Philadelphia and Chicago. Overseas, a mysterious liquid was found on London’s subway.

The list of fictional catastrophes — which also included hundreds of people on “No Fly” lists suddenly arriving at airport ticket counters — is significant because it suggests what kind of real-world trouble keeps the White House awake at night. Railway switches failed. Planes flew too close to the White House. Water utilities in Los Angeles were compromised.

The Homeland Security Department ran the exercise, with help from the State Department, Pentagon, Justice Department, CIA, National Security Agency and others.

Imagined villains included hackers, bloggers and even reporters. In one scenario, after mock electronic attacks overwhelmed computers at the Port Authority of New York and New Jersey, an unspecified “major news network” airing reports about the attackers refused to reveal its sources to the government. Other simulated reporters were duped into spreading “believable but misleading” information that confused the public and financial markets, according to the government’s documents.

The upcoming “Cyber Storm 2” in March also will simulate electronic attacks against chemical plants and communication lines, and include targets in California, Colorado, Delaware, Illinois, Michigan, North Carolina, Pennsylvania, Texas and Virginia.

“They point out where your expectations of your capabilities may be overstated,” Homeland Security Secretary Michael Chertoff told the AP. “They may reveal to you things you haven’t thought about. It’s a good way of testing that you’re going to do the job the way you think you were. It’s the difference between doing drills and doing a scrimmage.”

The AP obtained the Cyber Storm internal records nearly two years after it requested them under the Freedom of Information Act. The government censored most of the 328 pages it turned over, marked “For Official Use Only,” citing rules against disclosing sensitive information. The government is still reviewing hundreds more documents before they can be turned over to the AP.

“Definitely a challenging scenario,” said Scott C. Algeier, who runs a cyber-defense group for leading technology companies, the Information Technology Information Sharing and Analysis Center.

For the participants — including government officials from the United States, England, Canada, Australia and New Zealand and executives from technology and transportation companies — the mock disasters came fast and furious: hacker break-ins at an airline; stolen commercial software blueprints; problems with satellite navigation systems; trouble with police radios in Montana; school closures in Washington, Miami and New York; computer failures at border checkpoints.

The incidents, designed to tax responders, were divided among categories: computer attacks, physical attacks and psychological operations.

“We want to stress these players,” said Jeffrey Wright, the former Cyber Storm director for the Homeland Security Department. “None of the players took 100 percent of the correct, right actions. If they had, we wouldn’t have done our job as planners.”

How did they do? Reviews were mixed. Companies and governments worked successfully in some cases. But key players didn’t understand the role of the premier U.S. organization responsible for fending off major cyber attacks, called the National Cyber Response Coordination Group, and it didn’t have enough technical experts. Also, the sheer number of mock attacks complicated defensive efforts.

The little-known Cyber Response group, headed by the departments of Justice and Homeland Security, represents the largest government departments, including law enforcement and intelligence agencies.

The 2006 exercise had no impact on the real Internet. Officials said they were careful to simulate attacks using only isolated computers, working from basement offices at the Secret Service’s headquarters in downtown Washington.

___

On the Net:

Homeland Security Department: http://www.dhs.gov

Justice Department: http://www.usdoj.gov


Erik Larkin, PC World 

If last November you googled one of thousands of innocuous and common search terms, such as “Microsoft excel to access” or “how to teach your dogs to fetch,” you were in line for an Internet attack that infects PCs with spam senders, password stealers, and other kinds of nasty malware.

Beginning on November 24 and continuing for less than a week, bad guys loaded up more than 40,000 Web pages with malicious software and thousands of common search terms. They then employed an automated network of malware-infected computers–known as a botnet–to link to those sites in blog-comment spam and other places. The mentions elevated the position of the poisoned sites in search results, often to the first page.

Click Here for Free Attack

The malicious sites had no useful information. Instead, simply clicking a link to such a site in the search results was enough to launch attacks against your PC. If the attack found any of a number of vulnerabilities in a range of programs, it would install its malware.

“This was a massive wave,” says Alex Eckelberry, president and CEO of security firm Sunbelt Software.

The attack marks a new level of sophistication, using multiple techniques to raise site visibility in search results and deliver malware to a mass audience.

Sunbelt researcher Adam Thomas happened upon the attack when he ran a search of “netgear ProSafe DD-WRT” for router firmware. His trained eye saw a suspicious-looking result on the first page. More research and digging on other phrases turned up the vast array of attack sites.

None of the sites from this wave, or a smaller follow-up group, appear now on Google, and Eckelberry and other experts believe the search giant has blocked those specific domains. But Google isn’t saying what it did to stop this attack, or whether measures are in place to halt a recurrence.

Game On: Google Bombed

This massive attack had three notable features that point to the sophistication and planning behind it. The first is the culprits’ use of botnets to push a dark form of SEO (search-engine optimization), called a “Google bomb,” to boost their sites’ Google rankings.

“They did an extraordinary job optimizing the search results using the bots,” Eckelberry says.

Second, the poisoned sites carried JavaScript code on their pages designed to stop visitors coming via other search engines from being attacked–only visitors who came through a Google search were hit.

“[This trick was a] way of flipping the finger at Google,” says Eckelberry. Experts don’t know the motive behind directing the attacks at Google users, but online crooks have targeted specific sites and companies in the past when they felt threatened. Google recently launched an online form for reporting a site that Web users believe might contain malware.

Third, the manipulated pages carried code that held the attack back if the search term that brought the visitor, visible in the referring Google URL, included certain expressions that security researchers commonly use. For example, Eckelberry had recently written about using “inurl” and “site,” two of the singled-out terms.
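The two gates described above, the Google-only referrer check and the research-operator check, re-expressed in Python as an added example; this is neither the attackers’ script nor Sunbelt’s tooling. The poisoned pages made the decision in client-side JavaScript from `document.referrer`; writing the same logic as a function lets a researcher replay it against many referrers at once, which is how cloaking is confirmed. “inurl” and “site” are the two operators the article names; the referrer URLs are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Added example; neither the attackers' script nor Sunbelt's tooling. The
# poisoned pages decided in client-side JavaScript, from document.referrer,
# whether to deliver the exploit. This re-expresses that gate in Python so it
# can be replayed against many referrers at once, which is how a researcher
# confirms that a page is cloaking. "inurl" and "site" are the two operators
# named in the article; the referrer URLs below are constructed.

RESEARCH_OPERATORS = ("inurl:", "site:")

# google.com, google.co.uk, google.de, ... (with or without the www. prefix)
_GOOGLE_HOST = re.compile(r"(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?")


def google_query(referrer):
    """If `referrer` is a Google web-search result page, return its decoded
    query string; otherwise None."""
    if not referrer:
        return None
    u = urlparse(referrer)
    host = (u.hostname or "").lower()
    if not _GOOGLE_HOST.fullmatch(host) or u.path != "/search":
        return None
    q = parse_qs(u.query).get("q")
    return q[0] if q else ""


def serves_exploit(referrer):
    """The gate described above: attack only visitors arriving from a Google
    search whose terms contain none of the operators researchers use."""
    query = google_query(referrer)
    if query is None:
        return False                      # direct visit, other engine, crawler
    lowered = query.lower()
    return not any(op in lowered for op in RESEARCH_OPERATORS)


def replay(referrers):
    """Replay the gate under each referrer. A page that behaves differently
    depending on the referrer is cloaking; the report also says which
    arrivals would have been attacked."""
    attacked = {r or "(no referrer)": serves_exploit(r) for r in referrers}
    return {"cloaked": len(set(attacked.values())) > 1, "attacked": attacked}


PROBES = [
    "",
    "https://www.google.com/search?q=how+to+teach+your+dogs+to+fetch",
    "https://www.google.co.uk/search?q=netgear+ProSafe+DD-WRT",
    "https://www.google.com/search?q=inurl%3A769.html+dd-wrt",
    "https://www.google.com/search?q=site%3Aexample.cn+maphack",
    "https://search.yahoo.com/search?p=netgear+ProSafe+DD-WRT",
    "https://www.google.com/",
]


def example_report():
    return replay(PROBES)


if __name__ == "__main__":
    report = example_report()
    print("cloaking detected:", report["cloaked"])
    for referrer, hit in report["attacked"].items():
        print(f"  {'ATTACK' if hit else 'clean ':6} {referrer}")
```

The practical consequence for anyone investigating such a page is that fetching it with a plain HTTP client, or even visiting it from a Google search that uses `inurl:` or `site:`, shows the clean version. A replay has to vary the referrer exactly as a victim’s browser would send it, including a Google search URL with an innocuous query.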

Despite Google’s steps to eliminate the impact of comment spam on its search result rankings, the use of SEO techniques is growing in the online criminal underground. And bad guys don’t employ the trick just to infect people’s PCs. WhiteHat Security chief Jeremiah Grossman says that whoever hacked Al Gore’s Web site recently added a link that could be seen only in the site’s source code.

The link, which pointed to an online pharmacy site, was designed to give the drug site more relevance. Grossman says that, according to underground contacts, the top result for “buy Viagra online” is worth about $50,000 a month.

How to Search Safely

Though this attack was crafty and effective, security experts say there’s no need to stop using Google, as long as you take some precautions. Most important: Keep your software patched and up-to-date. The attack sites used a programming kit called the “404 exploit framework,” which hits known software vulnerabilities, says Roger Thompson, president of security software maker Exploit Prevention Labs. You can close most of the targeted holes by enabling the automatic-update features for Microsoft Windows, Mozilla Firefox, Apple QuickTime, and other critical software, but you should also update to the latest version of WinZip, a targeted program that doesn’t have an auto-update feature.

And don’t let your guard down just because your software is current. Attack sites will often employ social-engineering tricks when they can’t worm into your PC through software holes. On its blog, Sunbelt provides an image of a common attack pop-up that attempts to trick you into installing a fake video codec that then tries to exploit a vulnerable PC. Your sharp eye can also catch many of these bogus results before you click. Watch for seemingly garbled text such as “vpn passthrough sting maphack light Motorola” in the text snippet shown for each search result. If the listing is for an oddly named page such as “leuwusxrijke.cn/769.html,” it could very well be a land mine.

Free downloads such as McAfee’s SiteAdvisor and Exploit Prevention Labs’ LinkScanner Lite identify potentially dangerous search results with small icons. And the leading commercial security software suites offer browser protection. Keep a close eye on what you click on, too, and you’ll keep search paranoia at bay, as Eckelberry has. “I’m a Google fanatic,” he says. “I haven’t stopped using Google because of this.”


Robert McMillan, IDG News Service Sat Jan 19, 9:00 AM ET

Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. Central Intelligence Agency analyst said this week.

Speaking at a conference of security professionals on Wednesday, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.

Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.

“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands,” he said in a statement posted to the Web on Friday by the conference’s organizers, the SANS Institute. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”

“According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure,” SANS said in the statement.

One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. “It appeared that there were a lot of people who didn’t know this already,” said the attendee, who asked not to be identified because he is not authorized to speak with the press.

He confirmed SANS’ report of the talk. “There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack,” he said.

Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable.

The U.S. is taking steps to lock down the computers that manage its power systems, however.

On Thursday, the Federal Energy Regulatory Commission (FERC) approved new mandatory standards designed to improve cybersecurity.

CIA representatives could not be reached immediately for comment.
