WISH YOU A HAPPY AND SECURE YEAR 2009

Friday, July 11, 2008

Quote of the Day

Quote of the day

For most Americans the Constitution had become a hazy document, cited like the Bible on ceremonial occasions but forgotten in the daily transactions of life.

Arthur M. Schlesinger, Jr

(1888-1965)

(The same is true for Indians and may be other nationalities also - Editor)

New IT Term of the day

New IT Term of the day


port triggering


A type of port forwarding where outbound traffic on predetermined ports sends inbound traffic to specific incoming ports. Port triggering "triggers" an open incoming port when a client on the local network makes an outgoing connection to a predetermined port on a server. Port Triggering is more secure than port forwarding, because the incoming ports are not open all the time, they are open only when a program is actively using the trigger port. One major advantage of port triggering is that it allows computers behind a NAT-enabled router to provide services which would normally require a static host (one with an unchanging network address). The disadvantage of port forwarding is that it only allows one client on the network to use a particular service that occupies a particular port.

Alliance forms to fix DNS poisoning flaw

GOOD STEP : Alliance forms to fix DNS poisoning flaw

Robert Lemos

SecurityFocus

2008-07-08

http://www.securityfocus.com/news/11526

An alliance of software makers and network-hardware vendors announced on Tuesday that they had banded together to fix a fundamental flaw in the design of the Internet's address system.

The vulnerability in the domain name system (DNS) -- the distributed database that matches a host and domain name with the numerical address of a computer server -- could give an attacker the ability to replace the addresses of popular Web sites with that of a malicious server, said Dan Kaminsky, director of penetration testing for security firm IOActive. Kaminsky found the flaw when he was doing non-security research on the domain name system (DNS) more than six months ago.

"It is a fundamental issue affecting the design," Kaminsky said. "Because the system is behaving exactly like it is supposed to behave, the same bug will show up in vendor after vendor after vendor. This one bug affected not just Microsoft ... not just Cisco, but everyone."

On Tuesday, a number of software and network-hardware vendors released patches for their products. On its regularly scheduled patch day, Microsoft released updates for Windows 2000, Windows XP and Windows Server 2003 to mitigate the issue, which the company ranked an Important vulnerability, its second highest grade of severity. Internet Software Consortium, the group responsible for the development of the popular Berkeley Internet Name Domain (BIND) server, also released a patch, confirming that its software contained the vulnerability. Both Cisco and Juniper also acknowledged flawed systems.

Vendors have also provided the fix to certain large clients. Yahoo will be upgrading their name servers from BIND 8 to the latest version of BIND 9, the Internet Software Consortium stated during the conference call. Internet service provider Comcast has already patched their servers for the issue, according to Internet infrastructure firm Nominum. Finally, the Computer Emergency Response Team (CERT) Coordination Center has contacted some other nation's response groups to inform them of the problem.

For the most part, however, Internet service providers and companies each received the fix on Tuesday, said Sandy Wilbourn, vice president of engineering at Nominum. The goal: To have every major service provider and company apply their software patches in 30 days.

For that reason, don't expect immediate action, Wilbourn said.

"For key customers on our network, we have made a special effort to get them an early release to help solve this problem, and a number of them have finished deployment," he said. "But the nature of this patch is that we wanted to get the vendor side covered and then have deployment over the next 30 days. Anyone that is not patched by today or tomorrow is not doing anything wrong."

The domain-name system (DNS) has been a popular way to attack the Internet in the past -- it's an ill-kept secret that the DNS system is insecure. The way that many software applications, such as browsers, handle DNS requests has opened up users to attack. Microsoft has fixed a few vulnerabilities in the way Windows handles domain names -- issues that could have lead to easier eavesdropping or simpler phishing attacks.

While Kaminsky and other Internet protocol experts that discussed the issue on Tuesday would not give specific details of the flaw, a CERT vulnerability note described the issue as a combination of DNS weaknesses. While the CERT note referred to the issue with a single Common Vulnerabilities and Exposures (CVE) identifier, Microsoft, in its security bulletin, referred to the issue as two flaws: a DNS socket entropy vulnerability and a DNS cache poisoning vulnerability.

The CERT vulnerability note describing the issue lists more than 90 software developers and network equipment vendors that may be affected by the issue.

The coordinated response was anything but assured six months ago.

Kaminsky began contacting a small group of domain-name system (DNS) experts and software vendors, resulting in a brainstorming session at the end of March.

On March 31, sixteen Internet and security experts met on Microsoft's campus in Redmond, Wash. The agenda was simple, according to Kaminsky: Decide if they properly understood the problem, figure out how to fix the issue, and set a timetable for release.

"We decided that the only way to do this would be a simultaneous release -- Microsoft patches, Sun patches, BIND patches" all at the same time, he said.

Another problem that vexed the response team: In many cases, researchers can use a patch to figure out the underlying vulnerability. But because the security flaw was a design issue, the group had options that could fix the problem in a way that did not spotlight the issue, Kaminsky said.

"This is the fundamental balancing act between how do we notify the good guys without bringing on the bad guys," he said. "We tried to give the good guys as much of a nonlinear advantage as possible. We think we gave them a month."

The solution implemented in the patches is to inject additional randomization into the domain name system (DNS) by randomizing the source ports used in DNS queries. The only permanent solution is to add authentication using a security-enhanced version of the protocol, such as DNSSec, but that proposal is bogged down by worries over adding costs to the name-server system.

Kaminsky's efforts to keep the issue secret until a patch appeared garnered praise from Jerry Dixon, former director of the National Cyber Security Division at the Department of Homeland Security.

"This really shows the value add of independent researchers and the research community helping to make the Internet more secure," said Dixon, who is now working with Team Cymru.

Kaminsky asked for the other researchers to show good judgement and not to release additional details of the flaws, if they find them.

"I'm making a request of the open-research community," he said. "Let's see if we can get the good guys fixed (first)."

For those researchers who believe they have pinpointed the problem: Kaminsky says to send him a note, and he will buy you a beer.

RFID enabled tickets for Olympic opening and closing

OLYMPICS : RFID enabled tickets for Olympic opening and closing

Now with your passport number and email

by Jeremy Goldkorn,

July 9, 2008

This article was written for Danwei by Chinapat

http://www.danwei.org/2008_beijing_olympic_games/rfid_enabled_tickets_for_olymp.php

The Olympics in Beijing has become a platform for rapid technology development and deployment in China. One of the new technologies becoming more commonplace is RFID (Radio Frequency Identification). Beijing has been using RFID subway passes for a while, and nothing but the best for the 2008 Games means RFID tags in the tickets.

A source at BOCOG has offered more details about the RFID-enabled tickets being issued for the Beijing Olympics this summer: All tickets to the opening and closing ceremonies will include RFID tags containing personal information about the ticket holder, including passport information and home and e-mail addresses.

Officials originally planned to embed RFID tags in all 6.8 million tickets issued for all Olympics events. These plans apparently went by the wayside, along with a plan to include place a photo of each ticket holder on their ticket. The RFID tags will only be in tickets for the opening and closing events, and photos of the tickets released to the press show no photos on them.

The technology was developed by Tsinghua University's Beijing Tsinghua Tongfang Microelectronics Company. The RFID chip’s dimensions of 0.3 square millimeters and 50 microns in thickness means it won’t even be noticeable by ticket holders.

The ticket holder's information is included in an attempt to thwart counterfeiting of the tickets, but the tickets have raised concern among security experts, who worry that the system may cause delays when entering the stadium or that the data on the RFID tags may be easy prey for hackers.

Chinese officials say the Games' security team will employ a team of at least 4,000 IT experts with 1,000 servers at their disposal. The system is currently being tested and readied for the Games.

Are banks going soft on e-crime?

CONCERN : Are banks going soft on e-crime?

Give victims chance to report crimes directly, say Lords

By Nick Heath

08 July 2008

http://software.silicon.com/security/0,39024655,39256996,00.htm

Banks are failing to pass on information about online fraud to police, according to a House of Lords committee.

The Lords science and technology committee has called for people to be able to report crime directly to the police, rather than having to rely on banks to pass it on to law enforcers.

The committee first made its recommendations on tackling online crime in its Personal Internet Security report in August 2007.

The committee's follow-up report says banks may have a "commercial" incentive not to refer cases to the police, and committee member Lord Broers said banks were referring "very few cases" - something the industry denies.

The government has said it will review whether people could report online fraud directly to the police but Broers said it had only received verbal "ministerial promises".

In its follow up report, the committee also urges the government to make it easier for victims of electronic fraud to get compensation, put funding in place for a central e-crime policing unit and create a data security breach notification law to be introduced.

Broers said: "There has been a general apathy towards these issues in government, they see them as complex and do not understand them. Meanwhile people are seeing these problems getting worse and worse and the criminals are getting away with it."

Home Office suggestions that the National Fraud Reporting Centre will have a national e-crime investigation arm were welcomed by the committee but it criticised the time it was taking to establish a countywide cyber crime unit.

Arguing for a data breach notification law, as called for by silicon.com's Full Disclosure campaign, the committee says a law would provide both an incentive to avoid data loss and an early warning for affected customers.

But a spokeswoman for the UK payments industry body Apacs said the committee had no figures to back up assertions banks were not passing online frauds to the police.

She said: "It is not in the banks interest to not have these frauds investigated, these are organised gangs behind these crimes and it is in our interest to stop them doing it."

45% of Global Browser Users at Risk by Non-updating Patches

RISK : 45% of Global Browser Users at Risk by Non-updating Patches

Study Finds Firefox Users More Safer Than IE Users

Ankur Goyal with CRPCC Team

July 10, 2008

Study Source - http://www.techzoom.net/publications/insecurity-iceberg/index.en

According to a study by The Swiss Federal Institute of Technology, Google and IBM's Internet Security Services, Mozilla Firefox users are the safest Web browser users on the Internet, globally.

The study titled "Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the 'insecurity iceberg" released on July 01, 2008 by Swiss Institute.

Out of estimated 1408 million web browser users world-wide, almost 637 million are at risk due to non-updating of their browser software security patches. Out of 637 million unsafe users globally, 577 million uses Microsoft Internet Explorer (IE); 38 million uses Firefox; 17 million uses Safari and 5 million uses Opera browsers.

Thus, about 45% of web browser users are at risk.

The study was spread over for 18 months. The researchers concluded Firefox users as by far the safest Web surfers on the Web with 83% users using most recently updated web browser. Next to Firefox, Safari users with 65% were using the latest version of the browser. The study concluded that only 48% of IE users were surfing the Internet with the most recent updated version of IE.

One of the main reasons of Firefox's safety ranking is due to its self updating by the software updates and patches. Firefox has a in-built updating mechanism which means that Firefox Mozilla users are far more likely to have the most up-to-date (and safest) version of their browser. On the other hand IE need to be updated via Windows Update.

It is not that, that Firefox has not been immune to security flaws. Just few hours after the most recent Firefox security patch release last month, researchers discovered an undisclosed security vulnerability. Despite these problems, Firefox browser is increasing in popularity with a current market share of around 19 percent.

Recently, there was a warning from US-CERT about Internet Explorer, which is the most widely used browser, that it has some very serious security flaws that can leave the user vulnerable to malicious browser attacks. The security hole found by researchers report the IE flaw affects three versions of Internet Explorer: IE6, IE7 and IE8, beta 1.

Microsoft is still not able to fix the problem, because unlike most malicious software the zero-day flaw allows code to be embedded into the user's operating system and shows no signs of any unusual activity, at least by current modes of malware detection.

Monday, July 7, 2008

Quote of the day

Quote of the day

You must have long range goals to keep you from being frustrated by short range failures.

Kathopnishad

New IT Term of the day

New IT Term of the day


port scanning


The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.

Types of port scans:

v vanilla: the scanner attempts to connect to all 65,535 ports

v strobe: a more focused scan looking only for known services to exploit

v fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall

v UDP: the scanner looks for open UDP ports

v sweep: the scanner connects to the same port on more than one machine

v FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan

v stealth scan: the scanner blocks the scanned computer from recording the port scan activities.

Port scanning in and of itself is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system.

Fake Microsoft patch spam makes rounds

FAKING : Fake Microsoft patch spam makes rounds
Sue Marquette Poremba
July 02 2008

http://www.scmagazineus.com/Fake-Microsoft-patch-spam-makes-rounds/article/112059/


A new spam attack falsely alerts users to download a Microsoft patch, but when responded to, the user is directed to a page that installs malware on the user's computer.

According to a report from security provider Websense, the message tells users that their Windows version is vulnerable to a critical security issue and directs them to a download page. The link actually uses an open redirect to a legitimate shopping site. From there, the redirect forwards users to a URL with a pop-up box, instructing the user to click “yes” to start the download, Dan Hubbard, chief technology officer at Websense, told SCMagazineUS.com on Wednesday.

“It's a deception attack, where it is made to look like a Microsoft update and the user has to take action, rather than an exploit where the user gets infected without saying yes to the download,” Hubbard said.

The downloaded malware infects the computer with a backdoor that can be exploited by hackers Hubbard said. However, the spam is easy to spot because Microsoft does not send email notifications about patch updates.

One of the more interesting aspects to this spam, Hubbard said, is the actual root of the domain name used – it will take the user to the U.S. Secret Service website.

“We believe they are doing that because some security products only look at the top-level domain name, rather than look at the whole name,” Hubbard explained. “In this case, the security product would see it was going to the Secret Service and let it go.”

Avivah Litan, Gartner vice president and distinguished analyst, said this is just more proof that cybercriminals are getting smarter.

“The people sending out the spam are figuring out how to avoid the filters or reputation systems,” she said.

It is just one more instance that shows the need for stronger authorization on the Internet, she said.

Brazil Signs Agreement with Google on Orkut

PATH-BREAKING : Brazil Signs Agreement with Google on Orkut

Google Fights Child Porn on Orkut

The search firm is joining with Brazilian authorities to put filters on the site to catch predators.

Reuters

July 05, 2008

http://www.pcworld.com/article/147982/google_fights_child_porn_on_orkut.html

BRASILIA (Reuters) - Internet search company Google signed an agreement with Brazilian public prosecutors last week to help combat child pornography on its social networking site Orkut, an accord that the company believes is the first of its kind internationally.

Under the agreement, Google will use filters to remove and prevent illegal content on Orkut, which has about half its users in Brazil. The company will also facilitate evidence gathering under judicial order in suspected crimes against children and teen-agers on Orkut without the need for international legal accords.

Google will also preserve for six months access logs of users being investigated for illegal conduct.

Google said it was the first such agreement that the company had signed and the firm believes it is the first internationally. Alexandre Hohagen, president of Google in Brazil, told a congressional committee, "It's an historic day not only for Brazil but for the Internet in the entire world."

Initially, Google had refused to work with prosecutors, saying it was subject only to U.S. laws, said Prosecutor Sergio Suiama. The company denied this, saying it had always been willing to cooperate with Brazilian authorities.

Brazilian prosecutors say 90 percent of illegal Internet content being investigated in Brazil involves Orkut. The site has 60 million users, half of them in Brazil.

Of 624 investigations by federal prosecutors in Sao Paulo state through the end of last year into human rights crimes on the Internet, 420 involved child pornography on Orkut.

"Orkut was lawless," said Suiama.

The accord was signed during a session of a congressional inquiry into pedophilia and follows legal battles since 2006.

Under the deal, public prosecution withdrew a lawsuit against Google, a company spokesman said.

The committee, which under Brazilian law has some police and judicial powers, ordered the investigation of 18,000 Orkut photo albums accused of harboring child pornography.

Google has more than a 60 percent share of the Web search market, according to industry figures.

Philippines Govt wants to add more in cyber crime bill

LAW : Philippines Govt wants to add more in cyber crime bill

By Erwin Oliva

INQUIRER.net

July 04, 2008

http://newsinfo.inquirer.net/breakingnews/infotech/view/20080704-146388/Govt-wants-to-include-more-provisions-in-cybercrime-bill

MAKATI City, Philippines -- A technical working group (TWG) composed of various stakeholders in government and the private sector are including additional provisions in the proposed cybercrime bill, a state prosecutor told INQUIRER.net.

State Prosecutor Geronimo Sy said the TWG has taken a "step back" to consider integrating provisions of an Internet Piracy Act filed at the House of Representatives.

Sy said the group hopes to finish the consolidation of these proposed laws before the opening of Congress in late July.

The Department of Justice (DoJ) and the Commission on Information and Communications Technology (CICT) are part of the TWG that has been working on the cybercrime bill, which incorporates provisions set during the Budapest convention on cybercrime.

The CICT and the DoJ have been working on the cybercrime bill since last year.

CICT officials were unavailable for further comment at this writing.

CICT chairman Ray Anthony Roxas-Chua III had said there were four versions of the cybercrime bill filed at the House of Representatives.

The cybercrime bill would contain definitions of cybercrime, punishment of such crimes and provisions on cooperation with the international community, among others.

Last year, the DoJ created a task force to deal with cybersecurity issues in legislation and investigation. The group was created to pursue the e-government agenda, institutionalize a cybersecurity regime and implement laws. The task force worked closely with the Council of Europe, a private organization, and local experts composed of IT practitioners and other stakeholders.

Among the top priorities of the group was to work for the passage of the cybercrime prevention act, which failed to pass in the previous Congress. The task force was expected to work with the National Bureau of Investigation and the Philippine National Police.

Also last year, the CICT, DoJ and the Council of Europe agreed to work together on the cybercrime bill.

Meanwhile, Sy said that two major cybercrime cases were filed by the National Bureau of Investigation this week. These cases involve Internet libel and qualified theft.

Attacks on Hosting Company in Lithuania

CYBER-TERROR : Attacks on Hosting Company in Lithuania

Jeremy Kirk

July 04, 2008

IDG News Service

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9106878&taxonomyId=17&intsrc=kc_top

A vulnerability in a Web server contributed to attacks on some 300 Web sites in Lithuania earlier this week, a computer security expert said on Friday.

The Web sites were defaced after Lithuania passed a law prohibiting the public display of symbols dating from the Soviet Union era, as well as the playing of the Soviet national anthem.

The attacks, which started on Sunday and subsided by Monday, saw many Web sites defaced with pro-Soviet slogans and symbols in an apparent retaliation from hackers.

The majority of the Web sites were hosted on a single physical Web server, which had a vulnerability either in the Web server software or Linux operating system, said an official with Lithuania's Computer Emergency Response Team (CERT) on Friday. The hosting company was advised on how to fix the problem.

The server was hosted by a company called Hostex, formerly known as MicroLink Lithuania, said Marius Urkis, head of the Academic and Research Network (LITNET) CERT, a different but related computer security organization.

The attacks in Lithuania were reminiscent of a similar situation in Estonia in April and May 2007, after the government there decided to move a Soviet-era memorial to soldiers who served in World War II. That decision caused protests and violence from the Russian minority living in Estonia. Web sites run by the government, bank and schools experienced severe denial-of-service attacks, which were blamed on pro-Russian hackers. The Russian government denied involvement or knowledge of the attacks.

In Lithuania, the passage of the law has not caused protests or much outcry, although the ethnic Russian population in Vilnius is less than 10 percent, Urkis said.

Urkis said it is possible some Russians are upset over the law and would undertake the cyber attacks.

The CERT official said that the matter has been referred to the police, which has a special department under the Ministry of the Interior that handles cybercrime.

Officials do know that proxy servers likely located in Western Europe were employed to perform the hacking. That could make it more difficult for investigators, who will have to trace a winding electronic path in an attempt to find the perpetrators.

"I think it will take some time to find the real attackers," the CERT official said.

This Day in History

Thanks for your Visit