Monday, March 23, 2009

Pentagon Warns of Cyber Attacks or Get the Duct Tape

March 2009

Get the Plastic and Duct Tape ready because Pentagon official warns of risk of cyber attacks. The head of the Pentagon’s Strategic Command warned Congress on March 17 that the United States is vulnerable to cyberattacks “across the spectrum” and that more needs to be done to defend against the potential of online strikes, which could “potentially threaten not only our military networks, but also our critical national networks.” But the Air Force General made clear to a House Armed Services subcommittee that he has not been asked to defend most government Web sites nor the commercial and public infrastructure networks whose destruction could cripple the nation. The General’s command, instead, has the responsibility “to operate and defend the military networks only and be prepared to attack in cyberspace when directed,” he said, adding, “I think the broader question is, who should best do this for the other parts of America, where we worry about defending power grids, our financial institutions, our telecommunications, our transportation networks, the networks that support them.” The responsibility of protecting civilian networks currently rests with the Department of Homeland Security, but the General’s testimony comes at a time when a Presidential-chartered 60-day study of cybersecurity is underway. A report from that study is expected next month.

Cybersquatting...

March 2009

UN agency: cybersquatting on the rise. The number of cybersquatting reports rose nearly 10 percent last year, according to a United Nations agency charged with protecting intellectual property worldwide. The World Intellectual Property Organization (WIPO) said on March 16 that a record-breaking 2,329 complaints of cybersquatting were filed with the agency in 2008, an 8 percent increase from 2007. Nearly half of the complaints came from U.S. organizations. Among the industries hit most by cybersquatting were biotechnology and pharmaceuticals, which accounted for 9.9 percent of the complaints to WIPO; banking and finance, 9.4 percent; Internet and IT, 8.8 percent; retail, 8.1 percent; food, beverage, and restaurants, 7.2 percent; entertainment, 6.5 percent; media and publishing, 6.3 percent; fashion, 6.0 percent; and hotels and travel, 6.0 percent. “Cybersquatting remains a serious issue for trademark holders. Supported especially by registrar and registry stakeholders, the sale and broad expansion of new top level domains in the open market, if not properly managed, will provide abundant opportunities for cybersquatters to seize old ground in new domains,” said the WIPO director general in a statement. WIPO’s report jibes with a recently released study by MarkMonitor, which examined abuse of the top 30 brands and found that most of the same ones still get spoofed online. In its Annual Brandjacking Index for 2008, MarkMonitor found 80 percent of sites it first discovered in the first quarter of 2007 abusing brands were still alive and well in 2008. The abuse ranges from using a famous brand name just to drive traffic to the misrepresented site, to infecting visitors, according to MarkMonitor.

Sniff This!!!

March 2009

Researchers sniff PC keyboard strokes from thin air. The PC keyboard an individual may be using could give away passwords. Researchers say they have discovered new ways to read what someone is typing by aiming special wireless or laser equipment at the keyboard or by simply plugging into a nearby electrical socket. Two separate research teams, from the Ecole Polytechnique Federale de Lausanne and security consultancy Inverse Path, have taken a close look at the electromagnetic radiation that is generated every time a computer keyboard is tapped. It turns out that this keystroke radiation is actually pretty easy to capture and decode, if someone is a computer hacker, that is. The Ecole Polytechnique team did its work over the air. Using an oscilloscope and an inexpensive wireless antenna, the team was able to pick up keystrokes from virtually any keyboard, including laptops. “We discovered four different ways to recover the keystroke of a keyboard,” said a Ph.D. student at the university. With the keyboard’s cabling and nearby power wires acting as antennas for these electromagnetic signals, the researchers were able to read keystrokes with 95 percent accuracy over a distance of up to 20 meters (22 yards), in ideal conditions. Laptops were the hardest to read, because the cable between the keyboard and the PC is so short, making for a tiny antenna. The researchers found a way to sniff USB keyboards, but older PS/2 keyboards, which have ground wires that connect right into the electric grid, were the best.

To Stop Online Fraud...

March 2009

Device fingerprinting aims to stop online fraud. Device ID, the practice of fingerprinting the means by which an account is accessed, is seen as a growth security industry in 2009. The market for Device ID is currently dominated by financial institutions aiming to curb ID fraud and credit card account theft, but the chief executive of Threatmetrix said he sees social networking as an emerging growth space as well. He also said there is a market for retail sites both in affiliate programs and in processing Card Not Present purchases online. Threatmetrix, which is sold as a SaaS solution, provides a deep inspection of the TCP/IP packet so that when someone logs into a bank online, over 150 parameters are inspected in real time. Among these are use of a proxy, using a known compromised PC, and turning off JavaScript or cookies. Threatmetrix scores these and delivers that final score to the enterprise customer. New in this version are tools to determine whether this is a single computer concurrently logging into several different account names, or one username being logged in by multiple PCs, activity say from a botnet. Additionally, the service looks at how fast a given account is accessed (humans can react only so fast). In most cases the abnormalities are fraud scenarios. Threatmetrix knows of about 200 million compromised machines worldwide, but he said his company only keeps an active database of about 12 million.

Thursday, March 12, 2009

How Private is Google Docs

March 2009

Google discovered a privacy glitch that inappropriately shared access to a small fraction of word-processing and presentation documents stored on the company’s online Google Docs service. “We have identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document,” the company said in a note, quoted at TechCrunch, that the search giant sent to affected people. “The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.” Google said in a later statement that the problem affected only 0.05 percent of documents stored at the site and that affected Google Docs users had been notified. Though the documents were shared only with people with whom the Google Docs users had already shared documents, rather than with the world at large, the problem illustrates one downside of cloud computing, in which Internet servers host software previously run on a person’s own computer. The flip side of a cloud-computing advantage, that a person can get access to those documents from any Internet-connected computer or smartphone, is that technical problems or hacking attempts also can expose private information. It should be noted, though, that housing data on a local machine has risks of its own. A lost or stolen laptop can reveal any number of secrets.

Adobe Reader, PDF Attack

March 2009

No user action required in newly discovered PDF attack. Merely storing, without opening, a malicious PDF file can trigger an attack that exploits the new, unpatched zero-day flaw in Adobe Reader, a researcher has discovered. A researcher and IT security consultant with Contrast Europe NV on March 9 released a proof-of-concept demonstration that shows how a file infected with the Adobe flaw can trigger a new attack when the machine uses Windows Indexing Services. And the user does not even have to open or select the document. In addition, the researcher last week released a proof-of-concept demonstrating how PDF files could be exploited with minimal user interaction, just saving it to the hard drive and viewing it in Windows Explorer. But this latest attack vector is more risky, he says, because the user does not have to do anything with the file at all. “It requires no user interaction, and for the Windows Indexing Service, it can lead to total system compromise [with] privilege escalation,” the researcher says.

Wednesday, March 04, 2009

Apple's New Mac Mini...

March 2009

Aside from the different ports in the back, the new Mac Mini is nearly identical to the previous model. I prefer the DVI and the old FireWire.
Thanks Macrumors and MacMiniColo.

Adobe Flash Player Update

March 2009

Adobe Systems Inc. has shipped an update for its ubiquitous Flash player that fixes at least five security flaws. A few of the flaws are critical, meaning users could have malicious software installed on their system merely by visiting a Web page that features a booby-trapped Flash movie. Individuals will need to apply two different versions of this patch: One is designed for Internet Explorer, and another updates the Flash player in Firefox, Opera and Safari. This can be accomplished by visiting the Web site twice, once with IE, and then again with Firefox or whichever other browser they are using. The patch plugs security holes in Flash player 10.0.12.36 and earlier. Updates are available for Flash versions made for Windows, Mac OS X, and Linux.

Phishing Targets MobileMe

March 2009

In another attempt to con MobileMe users into providing their credit card information, a scammer has sent out spam spoofed to appear to come from Apple, which directs users to a fake site designed to look like Apple’s. Users who follow the email link and enter their information on the poorly formatted, fake Apple Web page will be sorry. While sent with a spoofed sender address of noreply@me.com, the spam’s headers indicate that it actually appears to originate from gamma.oxyhosts.com, a server operated by a Web hosting outfit from the United Kingdom. The email contains formatting errors that should immediately tip off users, and directs to a sketchy URL: http.apple-billing.me.uk. The email’s headers indicate it was sent using Outlook Express, but those are only visible when the user examines the phony email’s raw headers. Of course, Apple itself has also sent out official MobileMe notices containing the same formatting error. Apple also does not sign or encrypt its official emails to users, a step that might help in thwarting the regular phishing attempts that target MobileMe users. While Apple pioneered certificate based security in iChat messaging for its MobileMe users, it has been a laggard in making it easy for users to sign and encrypt their MobileMe email using certificates issued by Apple, despite support in Mail and most other modern email clients to handle this. The significant difference in the real message from Apple over the phony spam is that Apple’s official email cites the account’s User Name, the ending digits of their credit card number, and directs the user to navigate to MobileMe themselves to correct their information within the online account section, rather than providing a link to follow. Doing so would result in the user initiating a MobileMe Web session secured via SSL before they are ever prompted to enter their private account information. There is no SSL security on the fake site users are directed to by the spam.
The fraud site is hosted by me.uk, a domain not affiliated with Apple, but which might sound reasonably correct to many users. The domain appears to be registered to “Nike Jegart, co 9 Vista Estrella South, Lamy, NM 87540.”

Malware Exploits Google

March 2009

Malware distributors are taking advantage of Google Trends to earn top billing for their pages, according to security experts. Researchers at McAfee’s Avert Labs said that a number of malicious pages have seen their Trend ranking artificially enhanced so that the pages will be returned as top results for a number of Google searches. The McAfee senior threat researcher said that the malware writers appear to be using the Google service to find the most popular current search topics, then loading the pages with keywords and text to show up on result pages for those terms. “One thing they are doing is to pull the content off the pages that are already ranked high, which makes it a little more transparent when you see the search results,” said the researcher. After clicking on one of the malicious links, the user is redirected to a page which will attempt to exploit a three-year-old vulnerability in Internet Explorer and which presents a number of fake ‘alert’ pop-ups designed to trick the user into installing rogue security software. The researcher suggests that users exercise extra caution when clicking on search results and avoid following links to unknown or suspicious domains.

US Tweaks Net Privacy Guidelines

March 2009

The U.S. Federal Trade Commission issued new guidance for the self-regulated industry that urges Web sites to tell consumers that data is being collected during their searches and to allow them to opt out. This guidance recommends that mobile companies and Internet service providers also inform customers about data collection and allow users to decline. There are few U.S. laws about the collection and use of data from the Internet, with the exception of instances where firms fail to live up to advertised promises to protect privacy, or fail to deliver an expected level of data protection.