<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel>
<title>Hack In The Box</title>
<pubDate>Wed, 23 Jul 2008 04:13:23 +0000</pubDate>
<link>http://www.hitb.org/</link>
<description>Hack In The Box Backend</description>
<language>en-us</language>
<image>
 <title>Hack In The Box</title>
 <url>http://www.hitb.org/images/hitb.gif</url>
 <link>http://www.hitb.org/</link>
</image>
<webMaster>l33tdaw&#103;&#064;&#104;ackinthebox.org</webMaster>
<item>
<title>No excuses -- encrypt all laptops</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27537</link>
<description>Every year, more than 5,000 laptops are lost in taxis in London, New York, Chicago and other large cities. According to our research, in 2008 companies' topmost security investment was laptop encryption. Laptop hard drives are getting bigger and can now hold hundreds of thousands to hundreds of millions of sensitive records.

As a CSO, one of your top priorities is probably to keep your company off the front page of the news. Is it inexcusable to have laptops in the field with unencrypted hard drives? With such new open source solutions as TrueCrypt, there are few excuses left: All laptops must be fully encrypted.

Encryption technology is easy, but encryption solutions are hard. Key management and recovery make it difficult to manage large-scale encryption. Even low-cost encryption software for laptops can add up quite quickly if you deploy it on all laptops. Even if you can afford the cost of the software, however, you have to look at the complexity of the whole solution </description>
<pubDate>Wed, 23 Jul 2008 04:13:23 +0000</pubDate>
</item>
<item>
<title>Can obscurity make cryptography better?</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27536</link>
<description>I often disagree when the so-called experts talk about security in terms of binary decisions. Managing security risk is always a cost/benefit trade-off compared to the value of the thing being protected.

I have always been particularly bothered by security proponents who repeat the mantra, &quot;Security by obscurity is no security,&quot; when that declaration is demonstrably incorrect. Obscurity does have value, sometimes significant value, especially in the context of the defense-in-depth paradigm. I've written several articles defending obscurity each year, both here and elsewhere. Even though I can present facts and numbers, and readily demonstrate repeatable experiments to back up my conclusions, my critics usually rely solely on emotional arguments. At the very least, they can never show me how obscurity decreases security without coming up with hyperbolic, unlikely scenarios. A friend shared a popular saying with me: &quot;I can show you the facts, but never convince you.&quot; </description>
<pubDate>Wed, 23 Jul 2008 04:12:34 +0000</pubDate>
</item>
<item>
<title>Asprox computer virus infects key government and consumer websites</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27535</link>
<description>Cyber-criminals have attacked key government and consumer websites, allowing them to steal the personal details of anyone browsing the sites, The Times has learnt.

Eastern European hackers are suspected of placing the Asprox virus on more than a thousand British websites, including those run by the NHS and a local council, in the past two weeks.

Experts described the Asprox virus as an alarming departure from commonplace viruses, which tend to be spread through rogue e-mails and unregulated websites. Unlike other viruses, Asprox sits undetected on mainstream sites, with any visitor at risk of being infected. The virus automatically installs itself on a visitor's computer, allowing a hacker to access financial information. </description>
<pubDate>Wed, 23 Jul 2008 04:11:25 +0000</pubDate>
</item>
<item>
<title>Microsoft's DNS Fix Leads to More Problems</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27534</link>
<description>The blogosphere is awash with talk about the possible overall weakness of the Domain Name System (DNS) architecture. For its part, Microsoft has released a DNS fix in its patch slate for July, but Redmond seems to have problems just getting it to end users. Moreover, some users of the DNS fix have experienced additional difficulties.

So far, since Microsoft's DNS fix was issued on July 10, there have been two separate problems associated with its installation.

The software giant disclosed last week, in a technical posting on its SBS services blog, that some users experienced interruptions in the Exchange Server services component of application stacks sitting on various Windows operating systems. </description>
<pubDate>Wed, 23 Jul 2008 04:10:32 +0000</pubDate>
</item>
<item>
<title>China arrests cyber dissident, rights group says</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27533</link>
<description>Chinese police have arrested a prominent Internet dissident for violating his probation terms, accusing him of posting articles on overseas websites and receiving guests without permission, a rights group said.

China has been cracking down on dissent in the run-up to next month's Beijing Olympics, fearing any unrest could embarrass the country while the world is watching.

Du Daobin, from the central province of Hebei, was given a suspended sentence for subversion in 2004 having been detained by police in Wuhan for posting online essays in support of fellow dissident, Liu Di. Du was then released into house arrest, Reporters Without Borders said in an emailed statement, but was arrested this week.</description>
<pubDate>Wed, 23 Jul 2008 04:09:45 +0000</pubDate>
</item>
<item>
<title>Courts strike down COPA</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27532</link>
<description>Ten years after the passing of the Child Online Protection Act (COPA) the law has been ruled unconstitutional by the courts yet again.

The 3rd U.S. Circuit Court of Appeals in Philadelphia today upheld a 2007 decision that the law was overly broad and that parental monitoring software and filtering software were a better way to protect children.

&quot;For years the government has been trying to thwart freedom of speech on the Internet, and for years the courts have been finding the attempts unconstitutional,&quot; said Chris Hansen, senior staff attorney with the ACLU First Amendment Working Group. &quot;The government has no more right to censor the Internet than it does books and magazines.&quot;</description>
<pubDate>Wed, 23 Jul 2008 04:08:17 +0000</pubDate>
</item>
<item>
<title>Steve Jobs teases over new Apple products</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27531</link>
<description>Apple held a financial results conference call last night, and while the figures were some of the best in Apple’s history, we were more interested in Steve Jobs’ teasing over brand new products.

“We’re proud to report the best June quarter for both revenue and earnings in Apple’s history,” Jobs said, before dropping the bomb: “We set a new record for Mac sales, we think we have a real winner with our new iPhone 3G, and we’re busy finishing several more wonderful new products to launch in the coming months.”

Jobs’ distinction between current Macs, the iPhone and the company’s “new products” suggests Apple’s got something entirely new to treat us with. But what?</description>
<pubDate>Wed, 23 Jul 2008 04:07:19 +0000</pubDate>
</item>
<item>
<title>Computer tech hands over secret codes to Newsom in jailhouse visit</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27530</link>
<description>The San Francisco computer engineer accused of withholding access codes to the city's network surrendered the password during an unusual jailhouse visit by Mayor Gavin Newsom, authorities said Tuesday.

Newsom came away with the access codes Monday night after talking with Terry Childs, 43, of Pittsburg, who has been held since July 13 on four felony counts stemming from what prosecutors describe as an effort to block administrative access to the network that handles 60 percent of the city's information, including sensitive law enforcement, payroll and jail booking records.

Childs had given officials what turned out to be bogus passwords and then had refused to give the correct ones, even when threatened with arrest, authorities say. But Monday, Childs' defense attorney Erin Crane contacted the mayor's office, setting in motion the secret visit.</description>
<pubDate>Wed, 23 Jul 2008 04:06:35 +0000</pubDate>
</item>
<item>
<title>Last HOPE to become Next HOPE</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27529</link>
<description>In case you were worried, HOPE is not dead.

Just as hackers experiment with technology, push boundaries, and subvert the concepts of what it means to be safe and secure, the organizers of the HOPE (Hackers on Planet Earth) conference have had some fun of their own.

Despite calling the event this weekend &quot;Last HOPE,&quot; it won't be the final one; just the most recent one, organizer Emmanuel Goldstein told attendees at the closing ceremonies Sunday night. There will be another one in two years. It will be called &quot;Next HOPE,&quot; he said.</description>
<pubDate>Wed, 23 Jul 2008 03:35:02 +0000</pubDate>
</item>
<item>
<title>Kerfuffle erupts as DNS flaw described</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27528</link>
<description>Well-known security researcher Halvar Flake rediscovered the flaw in the domain-name system announced by a coalition of software makers and infrastructure providers earlier this month, posting a description of the issue on his Web site on Monday.

In his posting, Flake -- the nom de guerre of Thomas Dullien, CEO of security firm Zynamics -- argued that speculating about the flaw helps software security and then proceeded to describe his theory of the issue. Details of the exact flaw have been kept quiet so that companies can patch the Internet's infrastructure, but the original finder of the flaw -- IOActive's director of penetration Dan Kaminsky -- had revealed the issue to a few researchers, but not to Flake.

&quot;I know that Dan asked the public researchers to 'not speculate publicly' about the vulnerability, in order to buy people time,&quot; Flake wrote. &quot;This is a commendable goal. I respect Dan's viewpoint, but I disagree that this buys anyone time.&quot;</description>
<pubDate>Wed, 23 Jul 2008 03:34:18 +0000</pubDate>
</item>
<item>
<title>Second firm tests Apple's legal resolve with Mac OS X-ready PCs</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27527</link>
<description>Ignoring action just taken against Psystar, a new company known as Open Tech says it's making Mac OS X-compatible PCs, and believes it has found a loophole that prevents legal action from Apple.

Open Tech Inc. is following in the same vein as its now well-known predecessor and is launching two purportedly &quot;open&quot; PCs, the Open Tech Home budget computer and the quad-core Open Tech XT, that are effectively just custom-built Intel systems based on commonly available -- and somewhat outdated -- parts.

Unlike the similarly-designed Psystar Open Computer (initially OpenMac), Open Tech hopes to promise Mac compatibility while avoiding a conflict with Apple's Software License Agreement that forbids selling Mac OS X installed on non-Apple hardware.</description>
<pubDate>Wed, 23 Jul 2008 03:32:50 +0000</pubDate>
</item>
<item>
<title>Clever students make hapless admin's job a nightmare</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27526</link>
<description>A computer admin at the school I attended bought a new proxy server to stop our file sharing. It was supposed to block &quot;bad&quot; Web sites in addition to filtering out some of the ports that P2P programs use. Trouble was, all we had to do was use a service such as Proxify to get around it.

The whole student Internet service was set up poorly. It was on the same connection as the school’s computers in the labs, so anytime students started to browse heavily in the dorms or on the campus wireless, all the computers suffered massive slowdown in bandwidth.

The admin was supposed to tell everyone to change their TCP/IP settings so they'd input the IP Address of the proxy server. He left everyone in the dark about this, though, relying on word of mouth to get the job done. (This is the same guy who freaked out when he saw us running Linux on our laptops -- he claimed Linux was only for hackers. He urged us to stay away from it and just run Windows XP.)</description>
<pubDate>Wed, 23 Jul 2008 03:30:52 +0000</pubDate>
</item>
<item>
<title>Iranian hackers target Israeli Web site over message by Jewish group</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27525</link>
<description>The Webmaster of Jerusalem Online says Iranian hackers have been trying to damage his site, which offers English-language news from Israel and the Jewish Diaspora.

The story began four days ago, when the Web site posted a video of Malcolm Hoenlein, the executive vice chairman of the Conference of Presidents of Major American Jewish Organizations. Hoenlein called on the citizens of Iran to oppose their government, saying it does not represent them or care about their welfare, but is using them only to obtain its own extreme goals.

Since the video appeared, Webmaster Ehud Rozen says, there have been numerous attempts to hack the site. Several hackers managed to get the Web site listed as &quot;dangerous&quot; on Google's search engine. The site investigated, and found that Iranian hackers probably were behind the attacks, Rozen said in a press announcement. &quot;They didn't manage to harm Hoenlein's message, but they did succeed in erasing pictures and damaging links to the site,&quot; he wrote.</description>
<pubDate>Wed, 23 Jul 2008 03:29:01 +0000</pubDate>
</item>
<item>
<title>Singaporean lawyer Anamah Tan latest victim of e-mail hoax</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27524</link>
<description>WOMEN'S rights advocate Anamah Tan is the latest victim of an e-mail hoax that has hit at least three others in Singapore.

The e-mail, sent to friends and business associates from her Yahoo account, claims that Dr Tan was robbed in London and appeals for money to help her return home. The author claimed the message was written in a hurry and said Dr Tan, a lawyer, was in London 'for an urgent situation'.

'Unfortunately for me, all my money was stolen at the hotel where I lodged,' it read. 'Please can you send me £1,500 today so I can return home. As soon as I get home I would refund it immediately. Write me so I can let you know how to send the money.'</description>
<pubDate>Wed, 23 Jul 2008 03:26:33 +0000</pubDate>
</item>
<item>
<title>Kaminsky on How He Discovered DNS Flaw and More</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27523</link>
<description>Dan Kaminsky is understandably swamped today, given the unexpected early release of information about the critical DNS flaw he discovered that potentially affects the security of every web site on the internet.

But he found some time to speak with Threat Level about how he discovered the vulnerability that has system administrators scrambling to patch before an exploit -- which is expected to go public by the end of today -- is widely available.

Kaminsky discovered the bug by chance about six months ago, which he promptly disclosed to people in the DNS community. At the end of March, an emergency summit was convened at Microsoft's headquarters, gathering sixteen people from around the world to discuss how to address the problem.</description>
<pubDate>Wed, 23 Jul 2008 03:25:44 +0000</pubDate>
</item>
<item>
<title>'Cold boot' tools surface</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27522</link>
<description>A set of tools for performing 'cold boot' data recoveries has been posted.

The tools could allow a user to recover disk encryption keys from a recently powered-down computer, according to the researchers who developed them. The source code for the tools was released earlier this week at the Hackers On Planet Earth (HOPE) conference.

The tools follow a study earlier this year by a group of researchers at Princeton University. The study concluded that, given the right tools, it could be possible to recover disk encryption information from a recently shut-down machine. Because memory chips retain data for a short time after being powered down, an attacker could set the machine into a 'cold boot' and obtain the contents of the memory chips before the machine fully starts up.</description>
<pubDate>Wed, 23 Jul 2008 03:25:00 +0000</pubDate>
</item>
<item>
<title>Mind games: Harnessing the power of your thoughts</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27521</link>
<description>The year is 1983 and, in a Tokyo suburb, man (well, one man) is evolving a new use for his opposable thumbs. His tool: a strange lump of plastic attached, via cables and a bigger lump of plastic, to his television. Twenty-five years later, the ungainly set-up, known as the Nintendo Entertainment System, is a relic collecting dust in the gaming graveyard alongside the wood-panelled Atari 2600. But its legacy lives on.

Today's consoles use remotes that have barely changed in principle since Nintendo launched its landmark &quot;D-pad&quot; controller. But change is afoot which is liberating our weary thumbs; within the past two years, we have learnt to wave our hands, dance and poke at screens and, soon, we will need only one muscle to control the action – the brain. 

Last week, Satoru Iwata, the president and chief executive of Nintendo, added weight to the chatter sweeping technology conventions and gaming forums – the new frontier in computer control is in the mind. &quot;As soon as we think something in our brain, it will appear within a video game,&quot; he told reporters at the games industry's annual E3 conference in Los Angeles. </description>
<pubDate>Wed, 23 Jul 2008 03:23:30 +0000</pubDate>
</item>
<item>
<title>Are you prepared for targeted attacks?</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27520</link>
<description>In the olden days we security folks used to point to two kinds of attacks, targeted and random. Because targeted attacks were deemed to be the subject of Clancy and le Carré novels, we quickly focused on so-called random attacks, i.e. viruses and worms. Unfortunately the threatscape has evolved while the technologies we deploy have not. This can lead to problems.

There is still some security in obscurity. If you are a lawn care or construction company without a website you are pretty safe from targeting other than from your employees, who, come to think of it, are a big concern as well. Let me put it this way - there is a spectrum of risk. Everyone has to deal with targeting from employees, contractors, customers, and competitors. On one end of that spectrum is the local Italian eatery. On the other end is…oh, let's see… the British Government. </description>
<pubDate>Wed, 23 Jul 2008 03:22:42 +0000</pubDate>
</item>
<item>
<title>Malware Spammers Get Sense of Humor</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27519</link>
<description>Threat Level was intrigued the other day to get an e-mail with the subject line, &quot;God Destroys Boise for Not Being Gay Enough.&quot;

Intrigued enough to open it. The body of the e-mail made an odd reference to Barack Obama being an anorexic, over-exerciser and had a link to a file called viewmovie.html on a U.K. domain owned by Virgin Media. That seemed sketchy, especially since I had no idea who the e-mail was from.

So after a little search engine testing, it turns out the title seems to have been ripped from a somewhat obscure parody story written in June about a San Francisco evangelical preacher saying God was punishing Midwesterners with storms.</description>
<pubDate>Wed, 23 Jul 2008 03:22:01 +0000</pubDate>
</item>
<item>
<title>Kaspersky says hacking attack did no damage</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27518</link>
<description>The defacement of one of Kaspersky Lab's partner Web sites over the weekend occurred while the site was under construction and offered no data to steal, a senior company official said Tuesday.

A hacker going by the nickname of &quot;m0sted&quot; broke in and left various messages on several pages of a partner site for Malaysia. Screenshots were posted on Zone-H.org, a site that tracks vandalism of other Web sites.

The site actually belongs to one of Kaspersky's partners and was still under development, said David Emm, senior technology consultant. The site had not been formally launched or publicized, he said. &quot;Naturally, we'll be making sure that it's locked down before it goes live and any business is conducted on the site,&quot; Emm said. </description>
<pubDate>Wed, 23 Jul 2008 03:21:21 +0000</pubDate>
</item>
<item>
<title>Kaspersky Lab's Malaysian Web site hacked</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27517</link>
<description>Russian security company Kaspersky Lab's Web site for Malaysia was defaced on Saturday along with one of its online shopping sites, according to Zone-H, an organization that documents such attacks.

The attacker, nicknamed &quot;m0sted,&quot; wrote that the site was compromised through SQL injection, wrote Roberto Preatoni on a Zone-H posting.

The attack involves inputting code into a form on a Web page in an attempt to get the back-end database to respond. It can enable the hacker to gain control over the Web site. Kaspersky has since locked down the site, which is apparently running Microsoft's Internet Information Services Web server. The site is no longer open to the public and requires a user name and password for access. </description>
<pubDate>Wed, 23 Jul 2008 03:19:27 +0000</pubDate>
</item>
<item>
<title>To disclose or not to disclose?</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27516</link>
<description>Disclosing security problems is a good idea, says Bill Thompson, except when it isn't

In the last few weeks we've seen two very different approaches to the full disclosure of security flaws in large-scale computer systems.

Problems in the domain name system have been kept quiet long enough for vendors to find and fix their software, while details of how to hack Transport for London's Oyster card will soon be available to anyone with a laptop computer and a desire to break the law. These two cases highlight a major problem facing the computing industry, one that goes back many years and is still far from being resolved. </description>
<pubDate>Wed, 23 Jul 2008 03:17:25 +0000</pubDate>
</item>
<item>
<title>Pwnie Awards celebrate best and worst of security</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27515</link>
<description>Organisers of the security world's Oscars, the Pwnie Awards, have announced the nominees for the second annual awards.

The Pwnies celebrate both the achievements and failures in security research and the wider IT security scene, so they are best thought of as a mixture of the Razzies, which recognise the worst in Hollywood, and the Oscars. The list of 37 nominees for the nine Pwnie Award categories will be narrowed down to winners by the judges, who will meet at an undisclosed location to decide, before an awards ceremony at the Black Hat conference in Las Vegas on 6 August.

The list of nominees was narrowed from 134 submissions in categories including best client-side bug, most innovative research, lamest vendor response and most epic FAIL. Nominees in the bug category include URI protocol handler flaws, a class of flaw that put competing browser and application vendors at loggerheads in blaming others for vulnerabilities, the infamous Safari carpet-bombing bug and Apple's QuickTime media player application. QuickTime gets recognition as a result of numerous flaws with the application over the last 12 months.</description>
<pubDate>Wed, 23 Jul 2008 03:16:31 +0000</pubDate>
</item>
<item>
<title>New service helps callers avoid awkward cell-phone moments</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27514</link>
<description>The old song had it right: Breaking up is hard to do. But a free new phone service called Slydial might make it easier to get through that and other awkward moments -- without actually having to talk to anyone.

Slydial lets you connect directly with another person's cell phone voice mail, bypassing the traditional ringing process that often results, sometimes disastrously, with someone picking up on the other end.

Users call (267) SLY-DIAL from either a cell phone or a landline and are prompted to enter another person's cell phone number. After playing a short advertisement -- unless users pay a subscription fee or 15 cents per call to skip ads -- Slydial puts callers directly into their target's voice mail.</description>
<pubDate>Wed, 23 Jul 2008 03:15:57 +0000</pubDate>
</item>
<item>
<title>Philadelphia TV Anchor Accused Of Hacking Rival's E-mail</title>
<link>http://www.hitb.org/index.php?name=News&amp;file=article&amp;sid=27513</link>
<description>Former Philadelphia news anchor Larry Mendte on Monday was charged with hacking into the e-mail accounts of Alycia Lane, his co-anchor at CBS affiliate KYW-TV and reported rival, hundreds of times over the course of two years.

During this time, Mendte allegedly leaked privileged legal information about Lane's personal life to the press &quot;in an attempt to undermine his colleague's ongoing legal cases,&quot; said Acting U.S. Attorney Laurie Magid at a press conference on Monday. The resulting revelations contributed to Lane's firing in January, according to the Associated Press.

The complaint does not specify how Mendte allegedly obtained the passwords to Lane's three e-mail accounts -- one KYW account and personal accounts at .Mac and Yahoo (NSDQ: YHOO). </description>
<pubDate>Wed, 23 Jul 2008 03:15:09 +0000</pubDate>
</item>
</channel>
</rss>
