WISH YOU A HAPPY AND SECURE YEAR 2009

Friday, May 23, 2008

Quote of the day


Adversity causes some men to break; others to break records.

William A. Ward

New IT Term of the day



passive impostor acceptance


In a biometric security system, when an impostor submits his own, unaltered biometric sample and claims the identity of another enrollee (either intentionally or unintentionally) with the purpose of gaining access to a system. Passive impostor acceptance means that the impostor is wrongly verified and gains entrance into the system under the claimed identity; it is the passive counterpart of active impostor acceptance, in which the impostor alters or mimics the sample.


BIG BUG : OpenSSL worked on Easily Guessable Key

After Debian's epic SSL blunder, a world of hurt for security pros

By Dan Goodin in San Francisco

21st May 2008

http://www.theregister.co.uk/2008/05/21/massive_debian_openssl_hangover/

It's been more than a week since Debian patched a massive security hole in the library the operating system uses to create cryptographic keys for securing email, websites and administrative servers. Now the hard work begins, as legions of admins are saddled with the odious task of regenerating keys too numerous for anyone to estimate.

The flaw in Debian's random number generator means that OpenSSL keys generated over the past 20 months are so predictable that an attacker can correctly guess them in a matter of hours. Not exactly a comforting thought when considering the keys in many cases are the only thing guarding an organization's most precious assets. Obtain the key and you gain instant access to trusted administrative accounts and the ability to spoof or spy on sensitive email and web servers.

Security pros have rightfully reacted swiftly to word of the Debian debacle. But if you think last week's patch is like most other security fixes, you're dead wrong. Installing it is probably the easiest part of mopping up the resulting mess. Once it's installed, admins will be forced to search sometimes sprawling systems for every key that was ever generated by, or used with, the buggy version of Debian and the host of other OSes and applications that relied on it.

Certificates for defective keys will have to be revoked, new keys will have to be generated and, in the case of SSL certificates, registered with VeriSign or another certificate authority. No one knows how many keys need to be replaced, but it could number in the hundreds of thousands or millions. The keys are used for Secure Sockets Layer (SSL) transactions, which authenticate servers handling trusted websites and email, and to authenticate Secure Shell (SSH), which provides encrypted channels between sensitive computers.

The heft and tedium of tracking down, testing and regenerating so many keys, and the cost of paying certificate authorities to register them, has left some people feeling pessimistic about the prospects the problem will be fixed anytime soon.

"There's the pain-in-the-ass factor and then there's the cost factor," says Jacob Appelbaum, an independent security researcher, as he ticks off the reasons he believes organizations will be slow to tackle the problem. Sure, some will make an earnest effort, but "even those people are going to be overwhelmed and patch a lot of their systems but not all of them," he adds.

Weakened White House

Among the weak SSL certificates at the time of publication was one belonging to Whitehouse.gov. It's of little consequence, since the site doesn't conduct secure transactions, but it does show the ubiquity of the problem. The key is owned by content delivery provider Akamai Technologies and is used by about 20,000 websites. Akamai is in the process of replacing it.

Akamai has escaped relatively unscathed. All its keys involved in sensitive transactions are generated using a highly customized Debian derivative that didn't include the buggy random number generator. The single key used by Whitehouse.gov and the other Akamai customers, which was generated using a separate system running on standard Debian is the only one affected, says Andy Ellis, Akamai's senior director of information security.

"I can't imagine how painful this will be for people who are using large data centers with hundreds of certificates," Ellis said.

The unwieldy cleanup effort is akin to the aftermath of a serious Flash vulnerability found in December to be plaguing tens of thousands of websites. Three months after a patch was released, the sites - many carrying out banking, financial and other sensitive transactions - remained vulnerable because they had yet to remove and regenerate an estimated 500,000 buggy Flash applets. Both the Debian and Flash vulnerabilities are unusual, because applying the patch represents only the beginning of the healing process.

The Debian bug was introduced in September 2006. It vastly reduces the amount of entropy used when programs like the Apache web server, Sendmail, Exim and some implementations of Kerberos use OpenSSL to perform basic cryptographic functions: the only input left seeding the random number generator was the process ID, which can take at most 32,768 values. As a result, attackers can crack SSL keys, X.509 certificate keys, SSH keys and digital signatures in fewer than 33,000 guesses per key type, key size and CPU architecture, rather than the effectively infinite number of tries that would normally be required.

Tools available from Ubuntu and Metasploit author HD Moore are designed to aid in the process of detecting weak keys, but Appelbaum, the independent researcher, says certain conditions will prevent even diligent searches from finding everything. For example, keys with nonstandard sizes may not be flagged even though they're vulnerable.

"What that means is you have tools that may cover large swaths of the key space, but they won't cover all of the key space," he says.
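The blacklist approach the article describes, and the gap Appelbaum points to, as an added example written for this page (it is not code from the article, from Debian, or from Ubuntu's ssh-vulnkey). The script builds OpenSSH "ssh-rsa" public key lines from constructed moduli, fingerprints them, and checks them against a blacklist. It assumes the openssh-blacklist layout, where each entry is the last 20 hex digits of the key's MD5 fingerprint and a list exists only for the key sizes the distribution pre-generated; a key of any other size gets no verdict at all, which is exactly the case a diligent search can miss.

```python
"""Check OpenSSH public keys against a Debian-style weak-key blacklist.

Added example; standard library only. Keys and blacklist are constructed.
"""
import base64
import hashlib
import struct

# Assumption: blacklists exist only for these sizes (as with the
# pre-generated openssh-blacklist files); anything else is unchecked.
COVERED_SIZES = {1024, 2048, 4096}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude, zero-padded so the sign bit is 0."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_blob(e: int, n: int) -> bytes:
    """The base64-decoded part of an 'ssh-rsa' public key line."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_blob(blob: bytes):
    """Return (key_type, [integers]) from an SSH public key blob."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    return fields[0].decode(), [int.from_bytes(f, "big") for f in fields[1:]]


def key_bits(blob: bytes) -> int:
    """Modulus size in bits; the modulus n is the second mpint of ssh-rsa."""
    ktype, ints = parse_blob(blob)
    if ktype != "ssh-rsa":
        raise ValueError("this example handles ssh-rsa only")
    return ints[1].bit_length()


def blacklist_tag(blob: bytes) -> str:
    """Assumed blacklist entry: last 80 bits of the MD5 fingerprint."""
    return hashlib.md5(blob).hexdigest()[-20:]


def check_key_line(line: str, blacklist: dict) -> str:
    """Classify one authorized_keys / id_rsa.pub line.

    "WEAK": listed; "ok": covered size, not listed; "UNCOVERED": no
    blacklist exists for this key size, so no verdict is possible.
    """
    _ktype, b64, *_comment = line.split()
    blob = base64.b64decode(b64)
    bits = key_bits(blob)
    if bits not in COVERED_SIZES:
        return "UNCOVERED"
    return "WEAK" if blacklist_tag(blob) in blacklist.get(bits, set()) else "ok"


def key_line(e: int, n: int, comment: str) -> str:
    return "ssh-rsa " + base64.b64encode(rsa_blob(e, n)).decode() + " " + comment


# Constructed keys (moduli are not real RSA moduli; fingerprinting does
# not care). KEY_WEAK stands in for a key the crippled PRNG could emit.
KEY_WEAK = key_line(65537, (1 << 1023) | 0x1234567, "weak@debian-host")
KEY_GOOD = key_line(65537, (1 << 1023) | 0x7654321, "fine@other-host")
KEY_ODD = key_line(65537, (1 << 999) | 0x55, "odd-size@debian-host")

# Constructed blacklist keyed by key size, as the per-size files would be.
BLACKLIST = {1024: {blacklist_tag(base64.b64decode(KEY_WEAK.split()[1]))}}


def scan(authorized_keys: str, blacklist=BLACKLIST):
    """(comment, verdict) for every key line in an authorized_keys text."""
    return [(ln.split()[-1], check_key_line(ln, blacklist))
            for ln in authorized_keys.splitlines()
            if ln.strip() and not ln.startswith("#")]


if __name__ == "__main__":
    for comment, verdict in scan("\n".join([KEY_WEAK, KEY_GOOD, KEY_ODD])):
        print(f"{verdict:10} {comment}")
```

Treat "UNCOVERED" as a finding in its own right, not as a pass: a 1000-bit key generated on an affected box is just as predictable as a 1024-bit one, and the only safe disposition for it is regeneration on a patched system.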

So if your organization hasn't begun a thorough audit of all the keys in its portfolio, now is the time to get to it. Like an outbreak of lice at the children's grade school, it's an unpleasant task eradicating the pests, but it's got to be done.

"This is a bit of a nightmare for anybody who used Debian" or programs that relied on its OpenSSL library, says Vincent Danen, the security team manager for Mandriva, a Linux distribution that was not affected by the bug. "If you're running a Debian shop and you have 100 certificates, depending on who you've got as a certificate authority, you could be looking at big bucks to regenerate your keys and get them re-signed. It could take months or even years for all the keys to get weeded out."


BIG BROTHER : UK Government Considering Database of all Phone calls

BBC NEWS

2008/05/20

http://news.bbc.co.uk/go/pr/fr/-/2/hi/uk_news/7409593.stm

Ministers are to consider plans for a database of electronic information holding details of every phone call and e-mail sent in the UK, it has emerged.

The plans, reported in the Times, are at an early stage and may be included in the draft Communications Bill later this year, the Home Office confirmed.

A Home Office spokesman said the data was a "crucial tool" for protecting national security and preventing crime.

Ministers have not seen the plans which were drawn up by Home Office officials.

A Home Office spokesman said: "The Communications Data Bill will help ensure that crucial capabilities in the use of communications data for counter-terrorism and investigation of crime continue to be available.

"These powers will continue to be subject to strict safeguards to ensure the right balance between privacy and protecting the public."

The spokesman said changes need to be made to the Regulation of Investigatory Powers Act 2000 "to ensure that public authorities can continue to obtain and have access to communications data essential for counter-terrorism and investigation of crime purposes".

But the Information Commission, an independent authority set up to protect personal information, said the database "may well be a step too far" and highlighted the risk of data being lost, traded or stolen.

Assistant information commissioner Jonathan Bamford said: "We are not aware of any justification for the state to hold every UK citizen's phone and internet records. We have real doubts that such a measure can be justified, or is proportionate or desirable.

"Defeating crime and terrorism is of the utmost importance, but we are not aware of any pressing need to justify the government itself holding this sort of data."

'Appalling record'

A number of data protection failures in recent months, including the loss of a CD carrying the personal details of every child benefit claimant, have embarrassed the government.

The plans also prompted concern from political groups.

The shadow home secretary, David Davis, said: "Given [ministers'] appalling record at maintaining the integrity of databases holding people's sensitive data, this could well be more of a threat to our security than a support."

Liberal Democrat home affairs spokesman Chris Huhne called the proposals "an Orwellian step too far".

He said ministers had "taken leave of their senses if they think that this proposal is compatible with a free country and a free people".

"Given the appalling track record of data loss, this state is simply not to be trusted with such private information," said Mr Huhne.


THREAT : Cyber Threats to US Electrical Grid

Grant Gross

IDG News Service

May 21, 2008

http://www.pcworld.com/businesscenter/article/146153/lawmakers_see_cyber_threats_to_electrical_grid.html

The U.S. electrical grid remains vulnerable to cyber attacks that could cripple the economy, and the organization responsible for regulating electrical suppliers doesn't appear to be serious about fixing the problems, some U.S. lawmakers said Wednesday.

U.S. Representative James Langevin and other members of the House of Representatives Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology questioned whether the North American Electric Reliability Corp. (NERC), an electric industry group tasked with ensuring electric reliability, is doing its job.

NERC officials last October painted a "misleading" and rosy picture of the U.S. electric system's readiness for cyber attacks, said Langevin, a Rhode Island Democrat and chairman of the subcommittee. But Langevin has "little confidence" that the U.S. electrical grid has fully addressed the so-called Aurora vulnerability, a cyber attack aimed at shutting down electric utilities' generators or other equipment, he said.

"I still do not get the sense that we are addressing cybersecurity with the seriousness that it deserves," Langevin added. "I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security of this import. If NERC doesn't start getting serious about national security, it may be time to find a new electric reliability organization."

The U.S. and Canadian governments have given NERC authority to ensure the reliability of the electric grid. Last October, a NERC official told Congress that utilities covering 75 percent of the U.S. power grid were taking actions to fix Aurora vulnerabilities first identified by the U.S. Department of Homeland Security in 2006.

But the U.S. Government Accountability Office (GAO) released a report on Wednesday identifying numerous cyber vulnerabilities at the Tennessee Valley Authority (TVA), the nation's largest public power company. The GAO issued 92 recommendations to the TVA, which supplies power to 8.7 million U.S. residents in Tennessee and parts of six other states.

"The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks," the GAO report said.

On the TVA's control systems networks, firewalls were inadequately configured or bypassed, passwords were ineffectively implemented, and servers and workstations lacked key patches and effective virus protection, said Greg Wilshusen, director of information security issues at the GAO. "Until TVA fully implements these security program activities, it risks a disruption of its operations as the result of a cyber incident," Wilshusen said.

TVA's corporate network had some of the same vulnerabilities, including a lack of key software patches, limited security configurations and an intrusion-detection system with "significant limitations," the report said.

The TVA had already been working to fix the problems when the GAO investigation happened, said William McCollum Jr., chief operating officer of the TVA. The power supplier has addressed several of the issues identified by the GAO, McCollum said, and the TVA would address most of the problems by the end of the year. But McCollum could not give lawmakers a definite date when all the issues would be fixed.

NERC, with help from the Federal Energy Regulatory Commission, is implementing cybersecurity requirements that come online in July, instead of the advisories it had authority to issue in the past, said Richard Sergel, NERC's president and CEO.

Sergel pledged to push cybersecurity issues with electric utilities and paint a clearer picture of problems before Congress. "The responsibility to be clear [about problems] is ours," he said.


TOM & JERRY : Phishers turn to legit sites to steal information

Dan Kaplan

May 21 2008

http://www.scmagazineus.com/Phishers-turn-to-legit-sites-to-steal-information/article/110388/

Phishers have discovered a new way in which to launch phishing attacks that will allow the assaults to persist for much longer than usual.

They are turning to infiltrating legitimate websites on which to host their attacks -- a technique known as "hack-and-pier," according to Finnish anti-virus firm F-Secure.

Normally, internet service providers take down fraudulent websites within 24 hours, according to research, but when an authentic site is the culprit, much more work is involved.

"The site cannot simply be pulled offline without collateral damage to the legitimate business," Sean Sullivan, a technical specialist at F-Secure, said Wednesday on the company's blog. "So the website's administrator must be contacted to repair the damage."

Sullivan mentioned B.B.C. Sales & Service, a Canada-based beverage equipment provider, as one of a number of legitimate websites that has been exploited to host phishing scams. A company spokeswoman did not immediately respond to a request for comment Wednesday.

Sullivan said that until websites repair vulnerabilities that permit hackers access, this new style of attack will continue.


Chinese Internet censorship: An inside look
Cisco, VPNs and other topics related to Internet access in China
By Carolyn Duffy Marsan, Network World, 05/12/2008
http://www.networkworld.com/news/2008/051208-china-internet.html
James Fallows, national correspondent for The Atlantic Monthly, has experienced "The Great Firewall of China" firsthand, an experience people from around the world will share this summer when the Olympics comes to that country. Based in Beijing, Fallows has researched the underlying technology that the Chinese use for Internet censorship, and he explained it in a recent article titled "The Connection Has Been Reset." (Reproduced below). We e-mailed Fallows questions about how the Chinese government controls Internet content available to its citizens, and here's what he had to say.
You describe four blocking mechanisms that the Chinese government uses to prevent Internet users from viewing content considered harmful. How common is it for Chinese Internet users to experience these sorts of redirections, resets and time-out mechanisms? Can you describe your own Internet surfing experience in China?
If you work from a Chinese Internet cafe – which is still where the vast majority of Chinese Internet activity happens, since so few people have connected computers in their own homes – you experience all of these blocking mechanisms as a matter of course. In some places, like schools, the blocking can be much cruder and indiscriminate. For instance, I have been in several public schools where the "connected" Internet computers were prevented from using any search engine whatsoever. It can be surprisingly hard to get around the 'Net if you can't run any searches! In cafes and in most home connections, all the mechanisms I describe would prevail.
In some hotels and other buildings that cater to Western visitors, the controls may be somewhat relaxed. The authorities don't really care that much about what non-Chinese citizens are able to find. But from my apartments in first Shanghai and now Beijing, I was not able to reach a wide variety of sites – including, often, my own blog at the Atlantic – unless I connected through a VPN. As a matter of course I fire up my VPN at the start of any online session, not just for security but because otherwise I'll be blocked the first time I try a Wikipedia or Technorati link.
Your article says the Chinese Internet control system is constantly changing and that citizens don't know what is off-limits on any given day. Does that make the control system more or less effective in your opinion?
My friend Eamonn Fingleton, says in a new book about China (In the Jaws of the Dragon) that many kinds of government control in China are surprisingly effective precisely because they are so variable and unpredictable in the way they're enforced. Fingleton uses the term "selective enforcement" to describe this process; some Chinese people refer to it by a Chinese saying that boils down to, "One eye open, one eye shut." The idea is that if you're never quite sure when, why and how hard the boom might be lowered on you, you start controlling yourself, rather than being limited strictly by what the government is able to control directly.
When it comes to the Internet, this haziness about just what is and is not permissible has two implications. At a purely technical level, it makes it harder to reverse-engineer the firewall's filters. One day, you can reach all pages at the BBC. The next day they're blocked. If you're trying to game out the system, you're stymied. And at a social level, it makes it hard for people to be sure that they're ever operating in a truly safe zone, since the rules of enforcement might shift tomorrow.
Which is worse: the Chinese government's Internet control system or the censorship systems used by the United Arab Emirates (UAE) or Singapore? Why?
Well, I don't like to use terms like "worse" in this situation. I will say that China's approach is less transparent. According to Andrew Lih, whom I quote in the story, when filters in the UAE or Singapore block a transmission, they tell you that, right in your face. When you can't reach a site from a computer in China, you're never quite sure what's happened. Is the problem with your ISP? With the site itself? Or is the firewall? You never know for sure.
Are average Chinese Internet users afraid of the government's Internet control system?
No. To begin with, not that many of them are even aware of it. The government discourages upfront discussion of the Great Firewall's existence, what sites or search terms are forbidden, etc. Moreover, to the extent people are aware of it, indications are that they are hardly up in arms. My wife, Deborah Fallows, represents the Pew Internet project in China. In March of this year she released a study showing that a strong majority of Chinese Internet users welcomed the idea of controls over Web content and thought it was only natural that the government would do the controlling. This is a startling concept to many Westerners, but she explains the logic of it here.
Many U.S. organizations -- like libraries and schools -- use similar blocking methods as the Chinese government to prevent users from going to pornography, gambling or hate speech sites. For example, when a student at my daughter's school was arrested for having a gun in his car, her school blocked access to the media coverage of the incident from the school's computers. Why is the Chinese Internet control system so objectionable?
"Objectionable" is your word, not mine. The point I would make is that it is much more thorough-going. In all matters of expression and inquiry in the United States, the default assumption is that people should be able to read or write whatever they want. The exceptions requiring control, like those you mention, are just that: exceptions. For instance: schoolchildren are exceptional cases, for obvious reasons; and public libraries could also be exceptions, for reasons of public decorum. In China, there is no such default assumption about individuals' presumed right to see, read or say whatever they want. That's the difference.
You mention two exceptions to the Chinese Internet control system: VPNs and proxies. Obviously, the Chinese can't shut down the VPNs or foreign businesses wouldn't operate in the country. Why don't they shut down proxies?
There is a bigger point here, which I think would surprise most Westerners who have not spent time in China: As a rule, the Chinese Communist Party is surprisingly selective in the repression and control it exercises within the country. In certain areas – "splittist" discussions like those about Tibet or Taiwan, challenges to Communist Party legitimacy, a few others – it tolerates no deviation at all and cracks down immediately. But in many others it tries to be only as repressive as it has to be. That is, it has some awareness of not needlessly antagonizing the population. When it comes to the Internet, this principle also applies. If it absolutely shut down VPNs and proxies, it would probably create more problems for itself, a lot more backlash and trouble, than it would avoid. So as long as VPN and proxy use by ordinary Chinese people remains relatively low, it's not worth the bother to close them down.
Does the Chinese government's Internet censorship strategy work at keeping online information "wholesome?" For example, is there less pornography available online to Chinese Internet users than there is elsewhere?
The "wholesomeness" of what is on the Internet is a big issue in public discussions of 'Net policy. Concern about sexual predators -- and even more basically about "addiction" to online games – comes up in the papers and generally builds public support for controls on the Internet. I am sure people looking for pornography can find it here as anyplace else, but it's less obviously on display in China (online and real-world) than a lot of other places.
In reading your article, it seems to me that the Chinese Internet control system is actually quite brilliant because it succeeds in making, as you point out, "the quest for information just enough of a nuisance that people generally won’t bother." Isn't it really up to the Chinese citizens themselves to care enough to get around the Internet control system? Do you see indications that they are trying to do that?
I agree that the system is quite impressive on its own terms. At least for now, it seems to have figured out the way to get maximum possible "benefits," in terms of limiting disruptive discussion or information, without having maximum oppressiveness or crudeness. Westerners do wonder why the Chinese public doesn't rise up to seek maximum freedom of information on its own. Part of the answers might be found in the Pew study, mentioned above. But at a more basic level, as one person I quoted in the article pointed out: Right now, even with the controls, more Chinese people have more access to more and freer information than has ever been true in the country's very long history. So for now it's understandable that more of them are thinking about what they can find than what they can't.
Cisco says it sold China the same mirroring routers that it makes available to any organization that needs to monitor Internet usage by its employees. If that's true, why should Cisco be criticized more than any other network vendor that sells gear to the Chinese?
This was a minor, passing point in my article, which reflected the fact that I had not done serious independent reporting on the question. What I can do is convey the prevailing view on the question among the Chinese net-cognoscenti. From this perspective, Cisco did a favor to the Chinese government several years ago by selling them the mirroring routers on which the Great Firewall is based, at a time when Chinese authorities could not easily have produced the systems on their own. The likely use of the routers was well understood – and it should be obvious why selling them to a government which intends to monitor its citizens is different from selling them to some company that wants to monitor its employees. But whatever the merits of the argument back then, the entire question is now moot. The Chinese authorities could buy the necessary routers from a variety of sources – notably from the homegrown firm Huawei. So, really few people here spend much time worrying about Cisco’s role anymore.

March 2008 Atlantic Monthly

China’s Great Firewall is crude, slapdash, and surprisingly easy to breach. Here’s why it’s so effective anyway.

by James Fallows

“The Connection Has Been Reset”


Many foreigners who come to China for the Olympics will use the Internet to tell people back home what they have seen and to check what else has happened in the world.

The first thing they’ll probably notice is that China’s Internet seems slow. Partly this is because of congestion in China’s internal networks, which affects domestic and international transmissions alike. Partly it is because even electrons take a detectable period of time to travel beneath the Pacific Ocean to servers in America and back again; the trip to and from Europe is even longer, because that goes through America, too. And partly it is because of the delaying cycles imposed by China’s system that monitors what people are looking for on the Internet, especially when they’re looking overseas. That’s what foreigners have heard about.

They’ll likely be surprised, then, to notice that China’s Internet seems surprisingly free and uncontrolled. Can they search for information about “Tibet independence” or “Tiananmen shooting” or other terms they have heard are taboo? Probably—and they’ll be able to click right through to the controversial sites. Even if they enter the Chinese-language term for “democracy in China,” they’ll probably get results. What about Wikipedia, famously off-limits to users in China? They will probably be able to reach it. Naturally the visitors will wonder: What’s all this I’ve heard about the “Great Firewall” and China’s tight limits on the Internet?

In reality, what the Olympic-era visitors will be discovering is not the absence of China’s electronic control but its new refinement—and a special Potemkin-style unfettered access that will be set up just for them, and just for the length of their stay. According to engineers I have spoken with at two tech organizations in China, the government bodies in charge of censoring the Internet have told them to get ready to unblock access from a list of specific Internet Protocol (IP) addresses—certain Internet cafés, access jacks in hotel rooms and conference centers where foreigners are expected to work or stay during the Olympic Games. (I am not giving names or identifying details of any Chinese citizens with whom I have discussed this topic, because they risk financial or criminal punishment for criticizing the system or even disclosing how it works. Also, I have not gone to Chinese government agencies for their side of the story, because the very existence of Internet controls is almost never discussed in public here, apart from vague statements about the importance of keeping online information “wholesome.”)

Depending on how you look at it, the Chinese government’s attempt to rein in the Internet is crude and slapdash or ingenious and well crafted. When American technologists write about the control system, they tend to emphasize its limits. When Chinese citizens discuss it—at least with me—they tend to emphasize its strength. All of them are right, which makes the government’s approach to the Internet a nice proxy for its larger attempt to control people’s daily lives.

Disappointingly, “Great Firewall” is not really the right term for the Chinese government’s overall control strategy. China has indeed erected a firewall—a barrier to keep its Internet users from dealing easily with the outside world—but that is only one part of a larger, complex structure of monitoring and censorship. The official name for the entire approach, which is ostensibly a way to keep hackers and other rogue elements from harming Chinese Internet users, is the “Golden Shield Project.” Since that term is too creepy to bear repeating, I’ll use “the control system” for the overall strategy, which includes the “Great Firewall of China,” or GFW, as the means of screening contact with other countries.

In America, the Internet was originally designed to be free of choke points, so that each packet of information could be routed quickly around any temporary obstruction. In China, the Internet came with choke points built in. Even now, virtually all Internet contact between China and the rest of the world is routed through a very small number of fiber-optic cables that enter the country at one of three points: the Beijing-Qingdao-Tianjin area in the north, where cables come in from Japan; Shanghai on the central coast, where they also come from Japan; and Guangzhou in the south, where they come from Hong Kong. (A few places in China have Internet service via satellite, but that is both expensive and slow. Other lines run across Central Asia to Russia but carry little traffic.) In late 2006, Internet users in China were reminded just how important these choke points are when a seabed earthquake near Taiwan cut some major cables serving the country. It took months before international transmissions to and from most of China regained even their pre-quake speed, such as it was.

Thus Chinese authorities can easily do something that would be harder in most developed countries: physically monitor all traffic into or out of the country. They do so by installing at each of these few “international gateways” a device called a “tapper” or “network sniffer,” which can mirror every packet of data going in or out. This involves mirroring in both a figurative and a literal sense. “Mirroring” is the term for normal copying or backup operations, and in this case real though extremely small mirrors are employed. Information travels along fiber-optic cables as little pulses of light, and as these travel through the Chinese gateway routers, numerous tiny mirrors bounce reflections of them to a separate set of “Golden Shield” computers. Here the term’s creepiness is appropriate. As the other routers and servers (the large-capacity computers that hold and hand out the Internet’s content) that make up the Internet do their best to get the packet where it’s supposed to go, China’s own surveillance computers are looking over the same information to see whether it should be stopped.

The mirroring routers were first designed and supplied to the Chinese authorities by the U.S. tech firm Cisco, which is why Cisco took such heat from human-rights organizations. Cisco has always denied that it tailored its equipment to the authorities’ surveillance needs, and said it merely sold them what it would sell anyone else. The issue is now moot, since similar routers are made by companies around the world, notably including China’s own electronics giant, Huawei. The ongoing refinements are mainly in surveillance software, which the Chinese are developing themselves. Many of the surveillance engineers are thought to come from the military’s own technology institutions. Their work is good and getting better, I was told by Chinese and foreign engineers who do “oppo research” on the evolving GFW so as to design better ways to get around it.

Andrew Lih, a former journalism professor and software engineer now based in Beijing (and author of the forthcoming book The Wikipedia Story), laid out for me the ways in which the GFW can keep a Chinese Internet user from finding desired material on a foreign site. In the few seconds after a user enters a request at the browser, and before something new shows up on the screen, at least four things can go wrong—or be made to go wrong.

The first and bluntest is the “DNS block.” The DNS, or Domain Name System, is in effect the telephone directory of Internet sites. Each time you enter a Web address, or URL—www.yahoo.com, let’s say—the DNS looks up the IP address where the site can be found. IP addresses are numbers separated by dots—for example, TheAtlantic.com’s is 38.118.42.200. If the DNS is instructed to give back no address, or a bad address, the user can’t reach the site in question—as a phone user could not make a call if given a bad number. Typing in the URL for the BBC’s main news site often gets the no-address treatment: if you try news.bbc.co.uk, you may get a “Site not found” message on the screen. For two months in 2002, Google’s Chinese site, Google.cn, got a different kind of bad-address treatment, which shunted users to its main competitor, the dominant Chinese search engine, Baidu. Chinese academics complained that this was hampering their work. The government, which does not have to stand for reelection but still tries not to antagonize important groups needlessly, let Google.cn back online. During politically sensitive times, like last fall’s 17th Communist Party Congress, many foreign sites have been temporarily shut down this way.

Next is the perilous “connect” phase. If the DNS has looked up and provided the right IP address, your computer sends a signal requesting a connection with that remote site. While your signal is going out, and as the other system is sending a reply, the surveillance computers within China are looking over your request, which has been mirrored to them. They quickly check a list of forbidden IP sites. If you’re trying to reach one on that blacklist, the Chinese international-gateway servers will interrupt the transmission by sending an Internet “Reset” command both to your computer and to the one you’re trying to reach. Reset is a perfectly routine Internet function, which is used to repair connections that have become unsynchronized. But in this case it’s equivalent to forcing the phones on each end of a conversation to hang up. Instead of the site you want, you usually see an onscreen message beginning “The connection has been reset”; sometimes instead you get “Site not found.” Annoyingly, blogs hosted by the popular system Blogspot are on this IP blacklist. For a typical Google-type search, many of the links shown on the results page are from Wikipedia or one of these main blog sites. You will see these links when you search from inside China, but if you click on them, you won’t get what you want.

The third barrier comes with what Lih calls “URL keyword block.” The numerical Internet address you are trying to reach might not be on the blacklist. But if the words in its URL include forbidden terms, the connection will also be reset. (The Uniform Resource Locator is a site’s address in plain English—say, www.microsoft.com—rather than its all-numeric IP address.) The site FalunGong.com appears to have no active content, but even if it did, Internet users in China would not be able to see it. The forbidden list contains words in English, Chinese, and other languages, and is frequently revised—“like, with the name of the latest town with a coal mine disaster,” as Lih put it. Here the GFW’s programming technique is not a reset command but a “black-hole loop,” in which a request for a page is trapped in a sequence of delaying commands. These are the programming equivalent of the old saw about how to keep an idiot busy: you take a piece of paper and write “Please turn over” on each side. When the Firefox browser detects that it is in this kind of loop, it gives an error message saying: “The server is redirecting the request for this address in a way that will never complete.”

The final step involves the newest and most sophisticated part of the GFW: scanning the actual contents of each page—which stories The New York Times is featuring, what a China-related blog carries in its latest update—to judge its page-by-page acceptability. This again is done with mirrors. When you reach a favorite blog or news site and ask to see particular items, the requested pages come to you—and to the surveillance system at the same time. The GFW scanner checks the content of each item against its list of forbidden terms. If it finds something it doesn’t like, it breaks the connection to the offending site and won’t let you download anything further from it. The GFW then imposes a temporary blackout on further “IP1 to IP2” attempts—that is, efforts to establish communications between the user and the offending site. Usually the first time-out is for two minutes. If the user tries to reach the site during that time, a five-minute time-out might begin. On a third try, the time-out might be 30 minutes or an hour—and so on through an escalating sequence of punishments.
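As an added illustration, not part of the article, here is a small Python model of the four stages Lih lays out, including the escalating “IP1 to IP2” black-out. Every list, address (TEST-NET 203.0.113.x) and time-out in it is a constructed stand-in, since the real block lists are secret and change often.

```python
"""Toy model of the four GFW stages described above (added illustration,
not from the article). Every table, address and time-out below is a
constructed stand-in: the real block lists are secret and change often."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

DNS_BLOCKED = {"news.bbc.co.uk"}               # stage 1: resolver returns nothing
DNS_REDIRECTED = {"google.cn": "baidu.com"}    # stage 1: resolver returns a rival
IP_BLACKLIST = {"203.0.113.7"}                 # stage 2: forbidden destination IP
URL_KEYWORDS = {"falungong", "tiananmen"}      # stage 3: forbidden words in the URL
CONTENT_KEYWORDS = {"tibet"}                   # stage 4: forbidden words in the page
TIMEOUTS = [120, 300, 1800, 3600]              # stage 4: 2 min, 5 min, 30 min, 1 h


@dataclass
class Request:
    url: str
    resolved_ip: str   # the address an honest resolver would give
    body: str          # what the remote server would send back
    now: float = 0.0   # simulated clock, in seconds


@dataclass
class Firewall:
    # (client_ip, server_ip) -> (black-out ends at, strikes so far)
    blackouts: dict = field(default_factory=dict)

    def _penalize(self, key, now: float, strikes: int) -> int:
        """Start the next black-out for this client/server pair; return its length."""
        length = TIMEOUTS[min(strikes, len(TIMEOUTS) - 1)]
        self.blackouts[key] = (now + length, strikes + 1)
        return length

    def check(self, client_ip: str, req: Request) -> str:
        """Return what the user would experience for this one request."""
        host = (urlparse(req.url).hostname or "").lower()
        if host in DNS_BLOCKED:
            return "dns-block"                      # "Site not found"
        if host in DNS_REDIRECTED:
            return "dns-redirect:" + DNS_REDIRECTED[host]
        key = (client_ip, req.resolved_ip)
        until, strikes = self.blackouts.get(key, (0.0, 0))
        if req.now < until:
            # Retrying during a black-out starts the next, longer one.
            return "timeout:%d" % self._penalize(key, req.now, strikes)
        if req.resolved_ip in IP_BLACKLIST:
            return "reset"                          # RST sent to both ends
        if any(k in req.url.lower() for k in URL_KEYWORDS):
            return "redirect-loop"                  # the "black-hole loop"
        if any(k in req.body.lower() for k in CONTENT_KEYWORDS):
            # Content hit: drop the connection and start the first black-out.
            return "content-block:%d" % self._penalize(key, req.now, strikes)
        return "allow"
```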

Users who try hard enough or often enough to reach the wrong sites might attract the attention of the authorities. At least in principle, Chinese Internet users must sign in with their real names whenever they go online, even in Internet cafés. When the surveillance system flags an IP address from which a lot of “bad” searches originate, the authorities have a good chance of knowing who is sitting at that machine.

All of this adds a note of unpredictability to each attempt to get news from outside China. One day you go to the NPR site and cruise around with no problem. The next time, NPR happens to have done a feature on Tibet. The GFW immobilizes the site. If you try to refresh the page or click through to a new story, you’ll get nothing—and the time-out clock will start.

This approach is considered a subtler and more refined form of censorship, since big foreign sites no longer need be blocked wholesale. In principle they’re in trouble only when they cover the wrong things. Xiao Qiang, an expert on Chinese media at the University of California at Berkeley journalism school, told me that the authorities have recently begun applying this kind of filtering in reverse. As Chinese-speaking people outside the country, perhaps academics or exiled dissidents, look for data on Chinese sites—say, public-health figures or news about a local protest—the GFW computers can monitor what they’re asking for and censor what they find.

Taken together, the components of the control system share several traits. They’re constantly evolving and changing in their emphasis, as new surveillance techniques become practical and as words go on and off the sensitive list. They leave the Chinese Internet public unsure about where the off-limits line will be drawn on any given day. Andrew Lih points out that other countries that also censor Internet content—Singapore, for instance, or the United Arab Emirates—provide explanations whenever they do so. Someone who clicks on a pornographic or “anti-Islamic” site in the U.A.E. gets the following message, in Arabic and English: “We apologize the site you are attempting to visit has been blocked due to its content being inconsistent with the religious, cultural, political, and moral values of the United Arab Emirates.” In China, the connection just times out. Is it your computer’s problem? The firewall? Or maybe your local Internet provider, which has decided to do some filtering on its own? You don’t know. “The unpredictability of the firewall actually makes it more effective,” another Chinese software engineer told me. “It becomes much harder to know what the system is looking for, and you always have to be on guard.”

There is one more similarity among the components of the firewall: they are all easy to thwart.

As a practical matter, anyone in China who wants to get around the firewall can choose between two well-known and dependable alternatives: the proxy server and the VPN. A proxy server is a way of connecting your computer inside China with another one somewhere else—or usually to a series of foreign computers, automatically passing signals along to conceal where they really came from. You initiate a Web request, and the proxy system takes over, sending it to a computer in America or Finland or Brazil. Eventually the system finds what you want and sends it back. The main drawback is that it makes Internet operations very, very slow. But because most proxies cost nothing to install and operate, this is the favorite of students and hackers in China.

A VPN, or virtual private network, is a faster, fancier, and more elegant way to achieve the same result. Essentially a VPN creates your own private, encrypted channel that runs alongside the normal Internet. From within China, a VPN connects you with an Internet server somewhere else. You pass your browsing and downloading requests to that American or Finnish or Japanese server, and it finds and sends back what you’re looking for. The GFW doesn’t stop you, because it can’t read the encrypted messages you’re sending. Every foreign business operating in China uses such a network. VPNs are freely advertised in China, so individuals can sign up, too. I use one that costs $40 per year. (An expat in China thinks: that’s a little over a dime a day. A Chinese factory worker thinks: it’s a week’s take-home pay. Even for a young academic, it’s a couple days’ work.)

As a technical matter, China could crack down on the proxies and VPNs whenever it pleased. Today the policy is: if a message comes through that the surveillance system cannot read because it’s encrypted, let’s wave it on through! Obviously the system’s behavior could be reversed. But everyone I spoke with said that China could simply not afford to crack down that way. “Every bank, every foreign manufacturing company, every retailer, every software vendor needs VPNs to exist,” a Chinese professor told me. “They would have to shut down the next day if asked to send their commercial information through the regular Chinese Internet and the Great Firewall.” Closing down the free, easy-to-use proxy servers would create a milder version of the same problem. Encrypted e-mail, too, passes through the GFW without scrutiny, and users of many Web-based mail systems can establish a secure session simply by typing “https:” rather than the usual “http:” in a site’s address—for instance, https://mail.yahoo.com. To keep China in business, then, the government has to allow some exceptions to its control efforts—even knowing that many Chinese citizens will exploit the resulting loopholes.

Because the Chinese government can’t plug every gap in the Great Firewall, many American observers have concluded that its larger efforts to control electronic discussion, and the democratization and grass-roots organizing it might nurture, are ultimately doomed. A recent item on an influential American tech Web site had the headline “Chinese National Firewall Isn’t All That Effective.” In October, Wired ran a story under the headline “The Great Firewall: China’s Misguided—and Futile—Attempt to Control What Happens Online.”

Let’s not stop to discuss why the vision of democracy-through-communications-technology is so convincing to so many Americans. (Samizdat, fax machines, and the Voice of America eventually helped bring down the Soviet system. Therefore proxy servers and online chat rooms must erode the power of the Chinese state. Right?) Instead, let me emphasize how unconvincing this vision is to most people who deal with China’s system of extensive, if imperfect, Internet controls.

Think again of the real importance of the Great Firewall. Does the Chinese government really care if a citizen can look up the Tiananmen Square entry on Wikipedia? Of course not. Anyone who wants that information will get it—by using a proxy server or VPN, by e-mailing to a friend overseas, even by looking at the surprisingly broad array of foreign magazines that arrive, uncensored, in Chinese public libraries.

What the government cares about is making the quest for information just enough of a nuisance that people generally won’t bother. Most Chinese people, like most Americans, are interested mainly in their own country. All around them is more information about China and things Chinese than they could possibly take in. The newsstands are bulging with papers and countless glossy magazines. The bookstores are big, well stocked, and full of patrons, and so are the public libraries. Video stores, with pirated versions of anything. Lots of TV channels. And of course the Internet, where sites in Chinese and about China constantly proliferate. When this much is available inside the Great Firewall, why go to the expense and bother, or incur the possible risk, of trying to look outside?

All the technology employed by the Golden Shield, all the marvelous mirrors that help build the Great Firewall—these and other modern achievements matter mainly for an old-fashioned and pre-technological reason. By making the search for external information a nuisance, they drive Chinese people back to an environment in which familiar tools of social control come into play.

Chinese bloggers have learned that if they want to be read in China, they must operate within China, on the same side of the firewall as their potential audience. Sure, they could put up exactly the same information outside the Chinese mainland. But according to Rebecca MacKinnon, a former Beijing correspondent for CNN now at the Journalism and Media Studies Center of the University of Hong Kong, their readers won’t make the effort to cross the GFW and find them. “If you want to have traction in China, you have to be in China,” she told me. And being inside China means operating under the sweeping rules that govern all forms of media here: guidance from the authorities; the threat of financial ruin or time in jail; the unavoidable self-censorship as the cost of defiance sinks in.

Most blogs in China are hosted by big Internet companies. Those companies know that the government will hold them responsible if a blogger says something bad. Thus the companies, for their own survival, are dragooned into service as auxiliary censors.

Large teams of paid government censors delete offensive comments and warn errant bloggers. (No official figures are available, but the censor workforce is widely assumed to number in the tens of thousands.) Members of the public at large are encouraged to speak up when they see subversive material. The propaganda ministries send out frequent instructions about what can and cannot be discussed. In October, the group Reporters Without Borders, based in Paris, released an astonishing report by a Chinese Internet technician writing under the pseudonym “Mr. Tao.” He collected dozens of the messages he and other Internet operators had received from the central government. Here is just one, from the summer of 2006:

17 June 2006, 18:35

From: Chen Hua, deputy director of the Beijing Internet Information Administrative Bureau

Dear colleagues, the Internet has of late been full of articles and messages about the death of a Shenzhen engineer, Hu Xinyu, as a result of overwork. All sites must stop posting articles on this subject, those that have already been posted about it must be removed from the site and, finally, forums and blogs must withdraw all articles and messages about this case.

“Domestic censorship is the real issue, and it is about social control, human surveillance, peer pressure, and self-censorship,” Xiao Qiang of Berkeley says. Last fall, a team of computer scientists from the University of California at Davis and the University of New Mexico published an exhaustive technical analysis of the GFW’s operation and of the ways it could be foiled. But they stressed a nontechnical factor: “The presence of censorship, even if easy to evade, promotes self-censorship.”

It would be wrong to portray China as a tightly buttoned mind-control state. It is too wide-open in too many ways for that. “Most people in China feel freer than any Chinese people have been in the country’s history, ever,” a Chinese software engineer who earned a doctorate in the United States told me. “There has never been a space for any kind of discussion before, and the government is clever about continuing to expand space for anything that doesn’t threaten its survival.” But it would also be wrong to ignore the cumulative effect of topics people are not allowed to discuss. “Whether or not Americans supported George W. Bush, they could not avoid learning about Abu Ghraib,” Rebecca MacKinnon says. In China, “the controls mean that whole topics inconvenient for the regime simply don’t exist in public discussion.” Most Chinese people remain wholly unaware of internationally noticed issues like, for instance, the controversy over the Three Gorges Dam.

Countless questions about today’s China boil down to: How long can this go on? How long can the industrial growth continue before the natural environment is destroyed? How long can the super-rich get richer, without the poor getting mad? And so on through a familiar list. The Great Firewall poses the question in another form: How long can the regime control what people are allowed to know, without the people caring enough to object? On current evidence, for quite a while.

Wednesday, May 21, 2008

Quote of the day

The great enemy of the truth is very often not the lie -- deliberate, contrived and dishonest -- but the myth -- persistent, persuasive and unrealistic.

J F Kennedy

New IT Term of the day


PAP


Short for Password Authentication Protocol, the most basic form of authentication, in which a user's name and password are transmitted over a network and compared to a table of name-password pairs. Typically, the passwords stored in the table are encrypted. The Basic Authentication feature built into the HTTP protocol uses PAP. The main weakness of PAP is that both the username and password are transmitted "in the clear" -- that is, in an unencrypted form.
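An added Python illustration, not part of the glossary entry, of the point above: the HTTP Basic Authentication header is only base64-encoded, so anyone on the path can read the username and password, while the server-side table should hold a salted hash rather than the password itself. The header value and the user record are constructed for the example.

```python
"""Added illustration of the PAP / HTTP Basic Authentication weakness:
the credentials cross the network in the clear (base64 is an encoding,
not encryption). The user table and header value are constructed."""
import base64
import hashlib
import hmac
import os


def build_basic_header(user: str, password: str) -> str:
    """What a client sends: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: str):
    """Return (user, password) from an Authorization header value, or None.
    Anyone who captures this header can do exactly this decoding."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Server side: store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


USERS = {"alice": make_record("correct horse")}  # constructed user table


def authenticate(header: str) -> bool:
    """Decode the header (trivial) and check it against the hashed table."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    rec = USERS.get(user)
    return rec is not None and verify(rec, password)
```

Because the header is reversible, the only protection for the credentials in transit is the TLS channel around the request; the hashed table limits what a leaked user table reveals, not what the wire reveals.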

New Research on Old Methods

SPYING : New Research on Old Methods

I spy your PC: Researchers find new ways to steal data

Robert McMillan

May 19, 2008

IDG News Service

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9086558&source=NLT_VVR&nlid=37

Researchers have developed two new techniques for stealing data from computers that use some unlikely hacking tools: cameras and telescopes.

In two separate pieces of research, teams at the University of California, Santa Barbara, and Saarland University in Saarbrucken, Germany, describe attacks that seem ripped from the pages of spy novels. In Saarbrucken, the researchers have read computer screens from their tiny reflections on everyday objects such as glasses, teapots and even the human eye. The Santa Barbara team has worked out a way to analyze a video of hands typing on a keyboard in order to guess what was being written.

Computer security research tends to focus on the software and hardware inside the PC, but this kind of "side-channel" research, which dates back at least 45 years, looks at the physical environment. Side-channel work in the U.S. was kicked off in 1962 when the National Security Agency discovered strange surveillance equipment in the concrete ceiling of a U.S. Department of State communications room in Japan and began studying how radiation emitted by communication components could be intercepted.

Much of this work has been top secret, such as the NSA's Tempest program. But side-channel hacking has been in the public eye too.

In fact, if you've seen the movie Sneakers, then the University of California's work will have a familiar ring. That's because a minor plot point in this 1992 Robert Redford film about a group of security geeks was the inspiration for their work.

In the movie, Redford's character, Marty Bishop, tries to steal a password by watching video of his victim, mathematician Gunter Janek, as he enters his password into a computer. "Oh, this is good," Redford says, "He's going to type in his password, and we're going to get a clear shot."

Redford's character never does get his password, but the UC researchers' Clear Shot tool may give others a fighting chance, according to Marco Cova, a graduate student at the school.

Clear Shot can analyze video of hand movements on a computer keyboard and transcribe them into text. It's far from perfect -- Cova says the software is accurate about 40% of the time -- but it's good enough for someone to get the gist of what was being typed.

The software also suggests alternative words that may have been typed, and more often than not, the real word is in the top five suggestions provided by Clear Shot, Cova said.

Clear Shot works with an everyday webcam, but the Saarland University team has taken things up a notch, training telescopes on a variety of targets that just might happen to catch a computer monitor's reflection: teapots, glasses, bottles, spoons and even the human eye.

The researchers came up with this idea during a lunchtime walk about nine months ago, said Michael Backes, a professor at Saarland's computer science department. Noticing that there were a lot of computers to be seen in campus windows, the researchers got to thinking. "It started as a fun project," he said. "We thought it would be kind of cute if we could look at what these people are working on."

It turned out that they could get some amazingly clear pictures. All it took was a $500 telescope trained on a reflective object in front of the monitor. For example, a teapot yielded readable images of 12-point Word documents from a distance of 5 meters (16 feet). From 10 meters, the researchers were able to read 18-point fonts. With a $27,500 Dobson telescope, they could get the same quality of images at 30 meters.

Backes said he has already demonstrated his work for a government agency, one that he declined to name. "It was convincing to these people," he said.

That's because even though the reflections are tiny, the images are much clearer than people expect. Often, first-time viewers think they're looking at the computer screen itself rather than a reflection, Backes said.

One of his favorite targets is a round teapot. Looking at a spoon or a pair of glasses, you might not get a good view of the monitor, but a spherical teapot makes a perfect target. "If you place a sphere close by, you will always see the monitor," he said. "This helps; you don't have to be lucky."

The Saarland researchers are now working out new image-analysis algorithms and training astronomical cameras on their subjects in hopes of getting better images from even more difficult surfaces such as the human eye. They've even aimed their telescopes and cameras at a white wall and have picked up readable reflections from a monitor 2 meters from the wall.

Does Backes think that we should really be concerned about this kind of high-tech snooping? Maybe, just because it's so cheap and easy to do. He said he could see some people shelling out the $500 for a telescope just to try it out on their neighbors.

So how to protect yourself from the telescopic snooper? Easy. "Closing your curtains is maybe the best thing you can do," he said.

90% Spam coming from 20 Registrars

ABC : 90% Spam coming from 20 Registrars

Most Spam Sites Tied to a Handful of Registrars

By Brian Krebs

The Washington Post

May 19, 2008

http://blog.washingtonpost.com/securityfix/2008/05/most_spam_sites_tied_to_a_hand_1.html

New research suggests that more than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars.

The data comes from millions of junk messages collected over the past year by Knujon ("no junk" spelled backwards and pronounced "new john"), an anti-spam outfit that works by convincing registrars to dismantle spam sites.

Knujon's co-founder Garth Bruen said the links in spam messages touting fake pharmacies, knock-off designer products, pirated software and phony lending institutions redirect users to a relatively minuscule subset of sites that are generally under the control of a small number of companies.

Bruen focuses most of his energy on calling attention to spam sites that list blatantly false information in their WHOIS records, the global online directory designed to list the contact data for individuals who register Web sites.

The Internet Corporation for Assigned Names and Numbers (ICANN), the Marina Del Rey, Calif.-based group charged with overseeing the domain name system, requires all Web domain registrars to collect and maintain accurate WHOIS data for all domain holders. Under the terms of their contracts with ICANN, registrars are supposed to cancel any Web site registrations with inaccurate WHOIS data if the domain holder does not update their records within 15 days of receiving notice from the registrar.

It should surprise no one that spammers rarely provide their real credentials when registering new sites. But the trouble is that relatively few registrars police their own WHOIS records, or bother to do any kind of rudimentary checks to verify that the information is accurate when the domain holder first registers the site. And, until very recently, Bruen said, ICANN hasn't done much about it.

"ICANN doesn't have any authority or mandate to deal with spam or Internet abuse, but it does have a mandate to make sure the WHOIS records are accurate," Bruen said. "A lot of our work has focused on what's clearly within ICANN's management and what's in the registrar's contractual agreement with ICANN. And ICANN doesn't like the fact that they're being forced to comply with their own standards by third parties."

Over the past several months, Knujon has submitted so many automated complaints about inaccurate WHOIS records at registrars that it crashed ICANN's database on several occasions.

Bruen said he tried to warn ICANN that this would happen.

"The absurd thing about this is I flew out there in June and said 'Here's the direction we're heading in with Knujon, and from what I can tell, your database can't handle what we have to submit'," Bruen recalls telling the ICANN folks.

Bruen said ICANN tacitly acknowledged in a recent newsletter that the complaint database crashes and that Knujon was responsible for filing 40 percent (19,873 out of 50,189) of all WHOIS inaccuracy reports submitted to ICANN in the latest reporting period.

In April 2007, ICANN launched a new program to address WHOIS compliance issues, including an annual WHOIS data accuracy audit. It also combed through all of the inaccurate WHOIS reports and sent certain registrars a "Notice of Concern," though it declined to publicly name those companies.

So who are the top 10 registrars most favored by spammers? You can see the list along with Knujon's methodology at http://www.knujon.com/registrars/. A few of the names on it are unsurprising simply by virtue of their market share. Number five -- Bellevue, Wash., based eNom -- is the second largest registrar, according to DomainTools's registrarstats.com. Number six -- Pompano Beach, Fla., based Moniker -- has the eighth largest market share among registrars.

But size doesn't explain most of the names on the list. The registrars that scored the worst overall - Xinnet Bei Gon Da Software, BEIJINGNN, and Todaynic -- are all located in China, and are 18th, 47th and 99th in terms of market share, respectively.

Perhaps the most interesting name on the list is number 7 - a registrar out of Broomfield, Colo., called Dynamic Dolphin. According to Knujon, more than 10 percent of the company's 45,000-plus domains have false WHOIS data, and more than 17 percent of the domains registered through the company have been observed being advertised through spam.

A bit of digging into Dynamic Dolphin revealed that it is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. Those of you who read this post a few weeks back will recognize this company: Its CEO is Scott Richter, a notorious, self-avowed spammer who claims to have quit the business. As I noted in that post, anti-spam groups claim that Media Breakaway recently hijacked more than 65,000 IP addresses for use in sending e-mail and hosting commercial Web sites.

Dynamic Dolphin is a reseller of registrar services offered by number 9 on the list, an Indian company named Direct Information PVT Ltd. (Directi) and doing business as PublicDomainRegistry.com.

To its credit, Directi has been fairly active of late in removing spammy and outright nasty customers from its domain portfolio. Last year, the company canceled more than 18,000 registrations tied to the Russian Business Network (RBN), an ISP that experts say served as a front for organized Russian cyber criminals and child pornographers.

RBN was scattered to the four winds in November 2007, after stories from The Washington Post and other media outlets exposed the company's business activities and supporting networks. Experts say RBN may be dispersed, but it is hardly gone. Anti-spam groups have spotted cyber-crime activity that fits RBN's modus operandi at a number of Chinese ISPs and registrars since its original online base of operations was boarded up.

Mass SQL Injection Attack Targets Chinese Web Sites

BOUNCE : Mass SQL Injection Attack Targets Chinese Web Sites

Sumner Lemon,

IDG News Service

May 19, 2008

http://www.pcworld.com/businesscenter/article/146048/mass_sql_injection_attack_targets_chinese_web_sites.html

Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan.

First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said Wayne Huang, chief executive officer of Armorize Technologies, in Taipei.

"The attack is ongoing, ... even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim websites," Huang said.

How it Works

In a SQL injection attack, an attacker attempts to exploit vulnerabilities in custom Web applications by entering SQL code in an entry field, such as a login. If successful, such an attack can give the attacker access to data on the database used by the application and the ability to run malicious code on the Web site.
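An added example, not from the article, of the login-field injection described above, using an in-memory SQLite table rather than the SQL Server deployments the attack targeted: the string-built query beside the parameterized one that closes the hole. The user record and password are constructed.

```python
"""Added example: a login check vulnerable to SQL injection beside its
parameterized fix. Uses in-memory SQLite; the user row is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Plaintext only so the injection point stays visible; a real table
    # would hold salted hashes.
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The entry-field text is pasted into the SQL, so quotes and keywords
    # typed by the user become part of the statement.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: the driver sends values separately from the SQL
    # text, so whatever is typed is compared as data and never parsed as code.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0
```

With the tautology `' OR '1'='1` in the password field, the string-built WHERE clause becomes always true and the vulnerable check passes for any user name, while the parameterized version simply looks for a password literally equal to that text.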

A screenshot of a Web site belonging to the Mackay Memorial Hospital in Hsinchu, Taiwan, showed the rendering of the site had been affected and displayed the SQL string injected by the attack, Huang said.

Thousands of Web sites have been hit by the attack, he said, noting that 10,000 servers alone were infected by malware last Friday. Most of the affected servers are located in China, while some are located in Taiwan, Huang said. The attackers appear to be using automated queries to Google's search engine to identify Web sites vulnerable to the attack, he said.

Among the sites hit by the attack on Friday were Soufun, a real estate Web site, and Mycar168, a site for automobile enthusiasts.

The attackers aren't targeting a specific vulnerability. Instead they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server, Huang said. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites, he said, calling the attack "very well designed."

Technical Details

The malware injected by the attack comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plugins that are popular in Asia, Huang said.

The vulnerabilities are MS06-014 (CVE-2006-0003), MS07-017 (CVE-2007-1765), RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601), GLCHAT.GLChatCtrl.1 (CVE-2007-5722), MPS.StormPlayer.1 (CVE-2007-4816), QvodInsert.QvodCtrl.1, DPClient.Vod (CVE-2007-6144), BaiduBar.Tool.1 (CVE-2007-4105), VML Exploit (CVE-2006-4868) and PPStream (CVE-2007-4748).

Mass SQL injection attacks have increasingly become a security threat. In January, tens of thousands of PCs were infected by an automated SQL injection attack that likewise targeted Web sites running Microsoft's SQL Server.

38 Arrested in International Phishing Ring

ARRESTED : 38 Arrested in International Phishing Ring

Investigators take down mass phishing ring

Dan Kaplan

May 19 2008

http://newhaven.fbi.gov/dojpressrel/2008/nh051908.htm (US-DoJ Press Release)

http://www.scmagazineus.com/Investigators-take-down-mass-phishing-ring/PrintArticle/110320/

Thirty-eight people, including a host of U.S. residents and foreign nationals, were indicted on Monday in connection to two international phishing operations that preyed on unsuspecting bank customers.

The individuals were charged with masterminding a sophisticated Romanian-based scam that delivered hundreds of thousands of bogus emails, usually claiming to be from banks or other financial institutions, that sought to obtain users' personal information, the U.S. Department of Justice announced on Monday.

The cybercrooks used this data, including bank account and Social Security numbers, to create counterfeit credit and debit cards.

A Los Angeles federal grand jury on Monday returned a 65-count indictment, which charged 33 people with defrauding thousands of victims and hundreds of financial institutions, prosecutors said.

Seven others were indicted last week in Connecticut in connection to a related phishing scam that sent emails claiming to be from People's Bank, prosecutors announced Monday.

Two people were involved in both rings.

U.S. authorities, in conjunction with Romanian investigators, arrested nine people living in the Los Angeles area and many others living in Romania. The individuals were charged with a slew of offenses, including racketeering, trafficking counterfeit access devices, aggravated identity theft and bank fraud.

"International organized crime poses a serious threat not only to the United States and Romania, but to all nations," Deputy U.S. Attorney General Mark Filip said. "Criminals who exploit the power and convenience of the internet do not recognize national borders. Therefore, our efforts to prevent these attacks can't end at our borders either."

Sven Krasser, director of data mining research at enterprise security firm Secure Computing, told SCMagazineUS.com on Monday that the offenders likely leveraged botnets and proxy computers to shield themselves from law enforcement during the attacks but blew their cover when they tried to steal the money.

"It's not a common thing to actually get caught," he said. "They're quite into globalization."

Krasser said tracking down cybercriminals across borders is a difficult task because it requires cooperation, gathering evidence in multiple countries and accessing information not under a specific law enforcement body's authority.

"Partnerships and cooperation among all levels of law enforcement - both domestic and foreign - are the keys to tackling criminal activity that increasingly knows no borders," said U.S. Attorney Thomas O'Brien of the Central District of California.

Each charge ranges in penalty from five to 30 years in prison.

Monday, May 19, 2008

Quote of the day

Life is a coin. You can spend it anyway you wish, but you can only spend it once.

New IT Term of the day

packet filtering


Also referred to as static packet filtering: controlling access to a network by inspecting each incoming and outgoing packet and letting it pass or dropping it based on the source and destination IP addresses. Packet filtering is one technique, among many, for implementing security firewalls.
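As an added example (not part of the glossary entry), the following Python code is a minimal static packet filter of the kind the definition describes: a rule table evaluated top to bottom on addresses and direction only, with an implicit default deny. The rule set and the packets are constructed, using the documentation address ranges from RFC 5737.

```python
import ipaddress
from collections import namedtuple

# Added example, not from the glossary entry. Addresses come from the
# RFC 5737 documentation ranges and the rule set is constructed.

Rule = namedtuple("Rule", "action direction src dst")
Packet = namedtuple("Packet", "direction src dst")

# Evaluated top to bottom; the first matching rule decides.
RULES = [
    Rule("permit", "in",  "0.0.0.0/0",      "203.0.113.10/32"),  # public web host
    Rule("permit", "out", "203.0.113.0/24", "0.0.0.0/0"),        # inside may go out
    Rule("deny",   "in",  "0.0.0.0/0",      "203.0.113.0/24"),   # nothing else in
]


def filter_packet(packet, rules=RULES):
    """Static filter: the verdict depends only on this packet's direction and
    addresses. There is no memory of earlier packets, hence 'static'."""
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    for rule in rules:
        if rule.direction != packet.direction:
            continue
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)):
            return rule.action
    return "deny"  # implicit default deny when nothing matches


def apply_filter(packets, rules=RULES):
    return [(p, filter_packet(p, rules)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("in",  "198.51.100.5", "203.0.113.10"),  # visitor -> web host
        Packet("out", "203.0.113.20", "198.51.100.5"),  # workstation -> internet
        Packet("in",  "198.51.100.5", "203.0.113.20"),  # the reply to it
        Packet("out", "192.0.2.1",    "198.51.100.5"),  # spoofed source, no rule
    ]
    for p, verdict in apply_filter(sample):
        print(f"{p.direction:3} {p.src:>14} -> {p.dst:<14} {verdict}")
```

The third packet shows the limitation that gives the technique its "static" qualifier: the reply to a permitted outbound connection is dropped, because the filter cannot tell a reply from an unsolicited inbound packet. Real filters also match protocol and port numbers, and stateful filters keep a table of outbound connections so that their replies can be admitted.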

US-NSA Website Outage due to Configuration Error

ERROR : US-NSA Website Outage due to Configuration Error

NSA's website outage due to lack of topological "diversity"

Jim Carr

May 16 2008

http://www.scmagazineus.com/NSAs-website-outage-due-to-lack-of-topological-diversity/article/110254/

An easy-to-fix -- but often overlooked -- problem most likely took the National Security Agency's website and its mail services down for six or seven hours on Thursday, according to a security researcher at Arbor Networks.

Visitors couldn't reach the NSA's NSA.gov site because of misconfigured Domain Name System (DNS) servers, Danny McPherson, chief research officer with Arbor, told SCMagazineUS.com on Friday. McPherson wouldn't speculate on the precise nature of the misconfiguration, but he had some ideas about why the outage occurred.

His analysis indicates that NSA committed several basic mistakes in the configuration of its DNS systems.

First, a web server was running on the same computer or the same IP address as one of the so-called authoritative name servers for nsa.gov. The authoritative name servers are the primary and secondary servers that translate the web addresses humans understand (i.e., NSA.gov) to machine-readable IP addresses (in the NSA.gov case, 189.182.93.126).

Moreover, the primary and secondary authoritative name servers were both downstream from the Qwest edge access router in Washington, D.C. They should have been separated topologically within the network infrastructure, according to McPherson.

This indicated that the architecture of the NSA's authoritative name servers lacked what McPherson called "diversity." In this context, diversity means placing the authoritative DNS servers in both geographically and topologically diverse locations, he explained.

The Internet Engineering Task Force's (IETF) RFC 2182 outlines what McPherson called industry best practices for deploying DNS servers. These stress configuration best practices, such as ensuring that all authoritative servers serve an identical copy of what is called the zone file, which maps names within the domain to addresses, and the physical and topological placement of authoritative servers.

In addition, the guidelines suggest that authoritative servers not be placed within the same building or even city to avoid power-related outages. Moreover, they should not be connected to the same switch or router within an organization's network infrastructure, he said.
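The checks McPherson describes can be scripted. The following Python code is an added example, not from the article or from Arbor Networks: it takes the addresses of a zone's authoritative name servers and web servers (in practice gathered with `dig NS` and `dig A`) and flags the two mistakes attributed to NSA above, plus the zone-consistency rule from RFC 2182. All addresses and serials below are constructed from the RFC 5737 documentation ranges; sharing a /24 is used as a rough stand-in for "behind the same edge router".

```python
import ipaddress

# Added example, not from the article or from Arbor Networks. The addresses
# below are constructed (RFC 5737 documentation ranges); in practice the
# inputs come from `dig NS example.com` and `dig A <nameserver>`.


def check_ns_diversity(ns_addrs, web_addrs, prefixlen=24):
    """Findings for a zone's authoritative name-server set.

    ns_addrs  -- IP addresses of the authoritative name servers
    web_addrs -- IP addresses of the zone's web (or mail) servers
    A shared /prefixlen is a cheap stand-in for "behind the same edge
    router"; a fuller audit also compares ASNs and traceroute paths.
    """
    findings = []
    ns = [ipaddress.ip_address(a) for a in ns_addrs]
    if len(set(ns)) < 2:
        findings.append("fewer than two distinct authoritative name servers")
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in ns}
    if len(ns) >= 2 and len(nets) == 1:
        findings.append(f"all name servers inside {nets.pop()}: "
                        "no topological diversity")
    web = {ipaddress.ip_address(a) for a in web_addrs}
    for a in sorted(set(ns) & web):
        findings.append(f"{a} is both an authoritative name server and a web server")
    return findings


def check_zone_consistency(serials):
    """serials -- {name server: SOA serial it answers with}.
    Every authoritative server must serve the same copy of the zone."""
    if len(set(serials.values())) > 1:
        return [f"SOA serials differ across name servers: "
                f"{dict(sorted(serials.items()))}"]
    return []


if __name__ == "__main__":
    # The shape of the two mistakes the article describes, on constructed addresses.
    print(check_ns_diversity(["192.0.2.10", "192.0.2.11"], ["192.0.2.10"]))
    # A set laid out the way RFC 2182 recommends: three servers, three networks.
    print(check_ns_diversity(["192.0.2.10", "198.51.100.20", "203.0.113.30"],
                             ["192.0.2.40"]))
    print(check_zone_consistency({"ns1": 2008051601, "ns2": 2008051502}))
```

The first call reports both findings: every name server sits in one /24, so one upstream router takes them all down together, and one of them doubles as the web server, so a fault on that host removes both the site and the ability to resolve its name. The consistency check is the cheap version of the zone-file rule: if two authoritative servers answer with different SOA serials, clients are being served different views of the zone.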

Google is a major offender against the IETF's diversity guidelines, according to McPherson. "If you take a look at Google, it doesn't have diversity because all of its name servers are on a single network block of IP addresses," he explained.

McPherson pointed out that YouTube recently experienced intermittent outages because of a similar lack of DNS diversity. And Microsoft's Hotmail web mail service suffered a similar blackout about 10 years ago due to the same lack of DNS diversity, he said.

"The NSA people had their name servers close together from a network topological perspective, and if they'd had diversity in their DNS architecture, the outage wouldn't have occurred," McPherson said. "This isn't something that takes much capital to fix."

McPherson said that the primary "control plane" protocols in use on the internet, namely DNS for name resolution and BGP [Border Gateway Protocol] for internet routing, are two of the weakest links in the availability and security chain.

"They are often overlooked simply because of their ubiquitous use and characteristics that make them essentially transparent to most users. Diversity and security of this infrastructure is critical."
