Saturday, August 16, 2008

Quote of the day

Quote of the day

Hold yourself responsible for a higher standard than anybody expects of you. Never excuse yourself.

New IT Term of the day

New IT Term of the day


Short for Role-Based Access Control, a system of controlling which users have access to resources based on the role of the user. Access rights are grouped by role name, and access to resources is restricted to users who have been authorized to assume the associated role. For example, if a RBAC system were used in a hospital, each person that is allowed access to the hospital's network has a predefined role (doctor, nurse, lab technician, administrator, etc.). If someone is defined as having the role of doctor, than that user can access only resources on the network that the role of doctor has been allowed access to. Each user is assigned one or more roles, and each role is assigned one or more privileges to users in that role.

The real cost of a security breach

COST : The real cost of a security breach

David Hobson, Managing Director of Global Secure Systems


August 12 2008


IT security in the early 1990's was relatively simple. Data was stored on mainframes, access control was limited and the need to share data was very limited. Today the rules have changed. More data must be shared, access to data is required from almost anywhere and the need to secure that data has grown through regulation and legislation. The user population is much more technical now, and the internet boom has enabled an increasing number of people to cause more trouble than ever. Most organizations acknowledge that the impact of a security breach to the business results in financial expense.

It's going to cost how much?

Firstly, there are the direct and easily correlated costs such as replacing any lost or stolen devices; investing in, or strengthening existing IT security; and if necessary strengthening the building's physical security.

In August 2007, Monster had to take action when it discovered that con artists had mined contact information from resumes of 1.3 million people, and possibly many more -- Monster has since confirmed that this was not an isolated incident. Files were stolen not only from Monster.com but from USAJobs.gov, the federal-government career-listing service operated by Monster. Monster has said it will have to spend at least $80 million on upgrades to its site, which will include security changes such as closer monitoring of the site and limits on the way data can be accessed.

It doesn't stop there

Some costs are harder to pin down, including the cost of contacting those whose records may have been exposed. Cost can include credit monitoring for those affected, and even the possibility of subsequent legal action taken by people who have suffered a financial loss as a result of their records being exploited.

Customer lawsuits can cause serious headaches for businesses that go far beyond reputation-slaying negative headlines. Aside from the actual monetary damages, lawsuits often leave companies on the hook for additional training and systems upgrades.

In the case of TJ Maxx's massive security breach recently solved, all affected customers were offered credit monitoring at company expense. Additionally the company disclosed that it has agreed to pay up to $24 million in a settlement with MasterCard. It also confirmed that it had to budget for various litigation and claims that have been, or may be, asserted against it or providing restitution on behalf of customers, banks, and/or card companies seeking damages allegedly arising out of the computer intrusion.

It runs deeper still

So what other concealed costs are there? There is bound to be an impact on share price, even if only temporarily, as stakeholders react to the news.

There is the lost marketing investment when a brand is damaged. This is closely followed by the recovery costs in the form of future/increased marketing budgets to regain market position, rebuild reputation, etc. Imagine the continuing damage if the company's communications can no longer be trusted. IKEA fell victim earlier this year when a hole in its website security allowed hackers and phishers access to its “contact IKEA” function enabling them to send bulk outbound mail via IKEA's email servers. The potential damage to the company's reputation and possibility of email blacklisting could be significant.

There could even be the risk of employee's jumping ship as internal morale dives when they feel their loyalty is compromised if the company they work for makes headline news for the wrong reasons. Filling vacancies is a costly exercise.

Information assurance is business critical and for many organizations, the data they own is their key asset, so why are so many failing to treat it as such? Failing to do so opens the corporate purse with no guarantee that it will ever be closed again. TJ Maxx itself summed it up when it said in its statement: “…we do not have enough information to reasonably estimate losses we may incur arising from the computer intrusion.”

Top ten tips on preventing a breach

1. Management sets the tone for their organisations by their own behavior. As such, good information practices are obligatory for all stakeholders, not just employees.

2. Be proactive – management should deal with information assurance issues proactively, rather than reactively as information assurance is far more cost effective in a preventative rather than a remedial context.

3. Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organizations.

4. Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.

5. Information assurance is everyone's job and as such investments in training and awareness programs for all employees are critical.

6. Management should set out the company's expectations with respect to information assurance in clear, accessible policies.

7. The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.

8. Investments need to be made in technology that will result in the secure transport and processing of information by the company's information technology assets.

9. Suitable best practices should be identified and implemented rather than ad hoc approaches.

10. Expert advice should be sought and used at all times to advise and oversee efforts in respect to information assurance from an experienced and objective third-party perspective.

Jobs Confirms Apple Can Kill Apps On iPhones

KILL SWITCH : Jobs Confirms Apple Can Kill Apps On iPhones

The Apple CEO says it would be irresponsible not to be able to deactivate a malicious program sold through its App Store.

By Antone Gonsalves, InformationWeek

Aug. 11, 2008



Apple chief executive Steve Jobs has confirmed that a mechanism exists within the iPhone to let the company unilaterally remove software from the smartphone.

Jobs told The Wall Street Journal in an interview published Monday that the capability was necessary in case Apple inadvertently allows a malicious program to be sold through its App Store. Such programs could, for example, steal users' personal data.

"Hopefully, we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull," Jobs said.

Hacker Jonathan Zdziarski was the first to discover the mechanism that periodically checks in with an Apple Web page for applications that should be removed. Until Jobs' comments, Apple had refused to discuss the matter.

Zdziarski's discovery raised privacy concerns among tech bloggers. Zdziarski said he felt uncomfortable with Apple's ability to control what applications were used on the iPhone. "The idea that Apple can choose what functionality my applications should have frightens me," he said.

Zdziarski, author of the books iPhone Forensics and iPhone Open Application Development, offered on his blog a way to disable the functionality using the Pwnage Tool, open source software that enables the iPhone to be used on wireless carriers other than AT&T, the exclusive mobile phone provider in the United States.

While Apple has yet to deactivate any iPhone applications remotely, the company has been criticized for removing applications from the App Store, launched this summer, without explanation. One such application was Nullriver's NetShare, which makes it possible for iPhone customers to use their high-speed Internet connections to provide Web access to a PC.

Also Read –

A look at risk-reward: Apple may nuke apps on your iPhone remotely


Fake Fireworks at Opening Ceremony

OLYMPIC : Fake Fireworks at Opening Ceremony

Beijing Olympic 2008 opening ceremony giant firework footprints 'faked'

Parts of the spectacular Beijing Olympics opening ceremony on Friday were faked because of fears over live filming, it has emerged.

By Richard Spencer in Beijing

The Telegraph, London

10 Aug 2008


As the ceremony got under way with a dramatic, drummed countdown, viewers watching at home and on giant screens inside the Bird's Nest National Stadium watched as a series of giant footprints outlined in fireworks processed gloriously above the city from Tiananmen Square.

What they did not realise was that what they were watching was in fact computer graphics, meticulously created over a period of months and inserted into the coverage electronically at exactly the right moment.

The fireworks were there for real, outside the stadium. But those responsible for filming the extravaganza decided in advance it would be impossible to capture all 29 footprints from the air.

As a result, only the last, visible from the camera stands inside the Bird's Nest was captured on film.

The trick was revealed in a local Chinese newspaper, the Beijing Times, at the weekend.

Gao Xiaolong, head of the visual effects team for the ceremony, said it had taken almost a year to create the 55-second sequence. Meticulous efforts were made to ensure the sequence was as unnoticeable as possible: they sought advice from the Beijing meteorological office as to how to recreate the hazy effects of Beijing's smog at night, and inserted a slight camera shake effect to simulate the idea that it was filmed from a helicopter.

"Seeing how it worked out, it was still a bit too bright compared to the actual fireworks," he said. "But most of the audience thought it was filmed live - so that was mission accomplished."

He said the main problem with trying to shoot the real thing was the difficulty of placing the television helicopter at the right angle to see all 28 footsteps in a row.

One advisor to the Beijing Olympic Committee (BOCOG) defended the decision to use make-believe to impress the viewer. "It would have been prohibitive to have tried to film it live," he said. "We could not put the helicopter pilot at risk by making him try to follow the firework route."

A spokeswoman for BOCOG said the final decision had been made by Beijing Olympic Broadcasting, the joint venture between the International Olympic Committee and local organisers that is responsible for providing the main "feeds" of all Olympic events to viewers around the world.

"As far as we are concerned, we let off the fireworks - that's what's important to us," she said.

Mr Gao said he was worried that technologically literate viewers who spotted the join might be critical, but comments online suggested more admiration of the result.

Although the event as a whole received rapturous reviews abroad, that has not been entirely the case at home. Some internet comments were hostile, saying that while it looked stunning the contents were vacuous.

Others focused on the sheer numbers of people involved - more than 16,000 performers, mostly from People's Liberation Army song and dance troops.

"That certainly showed China's unique character," said one comment. "Namely, that we have 1.3 billion people."

Browser toolbar to check site security

NEW TOOL : Browser toolbar to check site security

Robert Lemos

11 Aug 2008


LAS VEGAS -- Security researcher David Maynor hopes that his credit-card data has been stolen for the last time.

Tired of insecure sites losing his data, the chief technology officer at Errata Security, said the company plans to release a toolbar for major browsers that will check visited Web sites for obvious security issues. The add-on software will check for twenty signs -- such as the version numbers of the Web server and the content management system -- to make sure that the site has no obvious flaws.

"You don't think about checking that stuff every time you go to a Web site," Maynor said. "If you go to a site with this toolbar, you will know whether it's vulnerable" but not necessarily if it's secure.

Other browser plug-ins have attempted to solve the site security issues. Both SiteAdviser, owned by McAfee, and Web security firm Finjan have add-on software that will rate Web sites in terms of security. Microsoft, Mozilla and Opera have all added anti-malware technology to their latest browsers.

The software will not be probing sites, but making its judgement based on the content returned by the site to normal Web browsing queries, he said. If he had been using similar software, it might have alerted Maynor to the security problems of one Web site which allowed online criminals to steal a cache of credit-card data, among them the researcher's own information, he said.

The researcher, known for his controversial presentation of a flaw in wireless drivers, said Errata will release the toolbar, dubbed Barrier, on Monday. The company will aggregate usage statistics from the toolbars to help improve security, Maynor said.

Quote of the day

Quote of the day

Each problem that I solved became a rule, which served afterwards to solve other problems.

Rene Descartes

(1596-1650, French Philosopher and Scientist)

New IT Term of the day

New IT Term of the day


Short for Remote Access Trojan, a Trojan horse that provides the intruder, or hacker, with a backdoor into the infected system. This backdoor allows the hacker to snoop your system, use your infected system to launch a zombie (attacks on other systems), or even run malicious code.

Majority of malware attacks go undetected

UNDETECTED : Majority of malware attacks go undetected

Sue Marquette Poremba

August 11 2008


Most malicious internet attacks go undetected by anti-virus software, according to a report released Monday by Cyveillance, a digital intelligence company.

Data collected from several top anti-virus vendors during a 30-day period showed that more than half of the malware attacks went undetected. In addition, the Cyveillance 1H Online Fraud Report stated that malware attacks delivered via the web have more than doubled in frequency compared to the same period during the previous year.

Essentially, new malware threats are developed quicker than the anti-virus companies can develop fixes, James Brooks, director of product management at Cyveillance told SCMagazineUS.com on Monday.

“The AV companies are getting tens of thousands of new attack samples a week,” he said. “And a lot of these samples have to be broken down by their security labs, and you can only process so much at a time.”

Gartner analyst Peter Firstbrook said the Cyveillance test seems accurate.

The most important change going on is the division of labor in the attacker underground, which is causing fast-changing malware, he said.

“Today the threat environment has transformed to a more complex supply chain where players are highly specialized and consequently more productive," he said. "Vulnerabilities are sold to ‘software developers' who create packaged malware generation software that can then be used by multiple types of attackers and are capable of generating multiple unique targeted attacks and are continuously updated with new exploits."

According to Firstbrook, “Some [malware packages] have even gone open source. Consequently, the ability to launch a sophisticated targeted attack is no longer limited to those that have technical knowledge, increasing the potential universe of attackers.”

Researcher reveals critical Java bugs in Nokia phones

BUGS : Researcher reveals critical Java bugs in Nokia phones

14 security issues with the Nokia Series 40 handsets found

By Gregg Keizer,

IDG News Service

August 11, 2008


A pair of critical vulnerabilities in Sun Microsystems Inc.'s Java technology for mobile devices could be used by hackers to surreptitiously make calls, record conversations, and access information on Nokia Series 40 cell phones, a Polish researcher said Monday.

Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he reported the two vulnerabilities to Sun last Thursday, and notified Nokia the same day of the security issues in its handsets.

However, Gowdiak is taking a disclosure tack he admitted will be controversial. He has provided the vendors with only a small subset of the information he's uncovered, approximately one-to-two pages worth. To obtain the remainder, which includes proof-of-concept code, Sun or Nokia will have to pony up $29,826.

The flaws can be used by attackers to force-feed malicious Java applications to Nokia Series 40 phones, said Gowdiak. Those applications, in turn, could be crafted to conduct all kinds of mischief, including making phone calls from the phone, sending text messages from the phone, and recording audio or video. Hackers could also access any file on a Nokia 40 model phone, obtain read and write access to the phone's contact list, access the phone's SIM card, and more, added Gowdiak.

"This can completely wipe out any security within J2ME," said Gowdiak in an interview Monday. "It allows [attackers] to do anything malicious on any mobile device."

All told, Gowdiak said he had found 14 security issues with the Nokia Series 40 handsets. The Series 40 is the world's most widely-used mobile platform, according to Nokia. Gowdiak estimated that approximately 140 different Nokia handsets use the Series 40 platform.

All an attacker needs to hack a specific Series 40 handset is its phone number, Gowdiak claimed. A security flaw in the platform can be exploited by simply sending a maliciously crafted series of messages to a given phone. "By combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won't be visible to the user," he said.

Gowdiak tested seven different Nokia Series 40 handsets -- "At least one from each major family in the series," he said -- but he suspects that other manufacturers' phones that use J2ME may also be vulnerable.

He said that the most current version of Sun's Java Wireless Toolkit also contains the critical bugs. The Toolkit is essentially a software developer's toolkit, or SDK, for building wireless applications based on J2ME. The implication, said Gowdiak, is that any application created with the Toolkit would also be open to attack, including those installed on handsets other than Nokia's.

Nokia did not respond to a request for comment Monday, and although Sun did return a call, its spokeswoman did not have any immediate information about the vulnerabilities reported by Gowdiak.

For his part, Gowdiak said security teams at both companies had confirmed receiving his reports last week. "They seem to be working on these issues," he added.

But the vulnerabilities may not be what many focus on, Gowdiak admitted.

To fund his start-up -- a Polish-based company called Security Explorations -- Gowdiak is selling copies of his research for 20,000 euros each. "There are six long months of work in this research," he said in justifying the price. "It was an enormous amount of research."

But Gowdiak is savvy enough to know that the move will be controversial. "Of course. The whole security arena is divided," he argued. "Some will be against this and some will be for it."

He said that the amount of information he had turned over to Sun and Nokia was "similar" to what he had disclosed to vendors previously. "We're not blackmailers, we're not black hats," he said. "They have a choice whether they want to sign up for our security research or whether they want to [devote] research engineers of their own to investigate the vulnerabilities.

"But in our opinion, they have full vulnerability information."

He also stressed the special nature of the vulnerabilities he had discovered. "This is the first time that such a widespread and critical attack has been demonstrated against Nokia's Series 40 devices," he said. "We have proved that these devices can be hacked and infected with malware in a very similar way PC computers are."

Still, he was on the defensive. "Some people will attack us, and hate us," he said, for selling research in this fashion. "But in time, people will be able to judge on their own whether we got it right."

He stopped short, however, of promising to release more information once Sun and/or Nokia had patched their software. "We're considering it," was as far as he would go.

Russia 'conducting cyber war' says Georgia

CYBER WAR : Russia 'conducting cyber war' says Georgia

Russia has been accused of attacking Georgian government websites in a cyber war to accompany their military bombardment.

By Jon Swaine

11 Aug 2008


Several Georgian state computer servers have been under external control since shortly before Russia's armed intervention into the state commenced on Friday, leaving its online presence in dissaray.

While the official website of Mikheil Saakashvili, the Georgian President, has become available again, the central government site, as well as the homepages for the Ministry of Foreign Affairs and Ministry of Defence , remain down. Some commercial websites have also been hijacked.

The Georgian Government said that the disruption was caused by attacks carried out by Russia as part of the ongoing conflict between the two states over the Georgian province of South Ossetia.

In a statement released via a replacement website built on Google's blog-hosting service, the Georgian Ministry of Foreign Affairs said: "A cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs."

Barack Obama, the Democratic US Presidential candidate, has demanded Moscow halt the internet attacks as well as observing a ceasefire on the ground.

Last April the computer systems of the Estonian Government came under attack in a co-ordinated three-week assault widely credited to state-sponsored Russian hackers. The wave of attacks came after a row erupted over the removal of the Bronze Soldier Soviet war memorial in Tallinn, the Estonian capital. The websites of government departments, political parties, banks and newspapers were all targeted.

Analysts have immediately accused the Russian Business Network (RBN), a network of criminal hackers with close links to the Russian mafia and government, of the Georgian attacks.

Jart Armin, a researcher who runs a website tracking the activity of the RBN, has released data claiming to show that visits to Georgian sites had been re-routed through servers in Russia and Turkey, where the traffic was blocked. Armin said the servers "are well known to be under the control of RBN and influenced by the Russian Government."

Mr Armin said that administrators in Germany had intervened at the weekend, temporarily making the Georgian sites available by re-routing their traffic through German servers run by Deutsche Telekom. Within hours, however, control over the traffic had been wrested back, this time to servers based in Moscow.

As in the barrage against Estonian websites last year, the Georgian sites are being bombarded by a distributed denial-of-service (DDoS) attack, in which hackers direct their computers to simultaneously flood a site with thousands of visits in order to overload it and bring it offline.

The Shadowserver Foundation, which tracks serious hacking, confirmed: "We are now seeing new attacks against .ge sites - www.parliament.ge and president.gov.ge are currently being hit with http floods."

Mr Armin warned that official Georgian sites that did appear online may have been hijacked and be displaying bogus content. He said in a post on his site: "Use caution with any web sites that appear of a Georgia official source but are without any recent news ... as these may be fraudulent."

The Baltic Business News website reported that Estonia has offered to send a specialist online security team to Georgia.

However a spokesman from Estonia's Development Centre of State Information Systems said Georgia had not made a formal request. "This will be decided by the government," he said.

How to Hack a Million With No Tech Skills

SO EASY : How to Hack a Million With No Tech Skills

Business hacks reap money from e-commerce sites

No '133t' tech skills required in many cases

Tim Greene

Network World

August 8, 2008


Anyone with a sharp eye for flawed business logic and a dim view of business ethics can exploit e-commerce Web sites for millions of dollars, security experts told Black Hat attendees.

For instance, one could infer how well a business is doing on the stock market and make appropriate purchases or sales to reap millions, said Jeremiah Grossman, chief technology officer, and Arian Evans, director of operations at White Hat Data Security.

Ordering a company's stock online and receiving an order number, then doing the same thing later and comparing the order numbers, which in many cases are sequential, can indicate how much of a company's stock is being traded over that time interval, said Grossman, who with Evans presented "Get Rich or Die Trying -- Making Money on the Web the Black Hat Way." Buying or selling based on that can result in big profit, he said.

In addition, White Hat has come across other exploits in its work penetration-testing customers' Web sites, Grossman says.

In one instance, an Estonian financial firm managed to crack the URL format used by Business Wire for embargoed press releases that detailed earnings-related data about corporations. The firm used that data before it was public and profited by $8 million before the Securities and Exchange Commission caught the activity and halted it.

In a similar case, an Ukranian hacker broke into Thompson Financial for data on a health care firm and reaped $300,000. The SEC froze those funds, but a judge ordered them released to the hacker because the hacker wasn't an insider and therefore couldn't be charged with insider trading. He might have been charged with hacking, but he was in the Ukraine, where official cooperation with prosecution was unlikely, Grossman said.

During his talk, Grossman displayed checks for $132,994.97 and $901,733.84 from Google Inc. to people who used "cookie stuffing" to reap payments for driving traffic to Web sites.

The way it's supposed to work, someone with a Web site includes a link to an affiliated business' page. If a consumer clicks on it, his computer gets a cookie, and if he buys something later, that cookie notes what Web site referred the buyer, and that site gets a payment.

Scammers have developed elaborate schemes to exploit the system, Grossman said, starting with sites automatically hitting visitors with the marker cookie as soon as they visit the scammer's pages. All visitors get the cookie, not just those that click on the link. If a visitor later happens to buy something from an affiliated site, the scammer gets money.

E-commerce sites got smart and kicked out affiliate networks that made suspiciously high claims, Grossman said, but scammers responded by stuffing cookies from Secure Sockets Layer Web pages because the cookies don't reveal what pages they came from.

Online ordering systems can also be a risk to businesses, Grossman warned. Home shopping network QVC was hit for $412,000 in merchandise by one scammer because of a lag in its online ordering system, he said. Customers could order items online, then immediately cancel the order, but the order would be sent anyway.

A North Carolina woman took advantage of this: She ordered and canceled merchandise, then sold it on e-Bay. She was caught only because her customers thought it was odd that she was mailing the items in QVC packaging and reported her.

She wasn't prosecuted for selling the goods because they were legally hers, Grossman said. Rather, he says, she pleaded guilty to wire fraud.

Other potentially lucrative hacks include:

v Guessing the numbers of online discount coupons and buying merchandise with them. One scammer got $50,000 worth of merchandise and was caught because he entered his new batches of guessed coupon numbers all at once in the middle of the night, causing a suspicious spike in traffic that the merchant noticed. Items were sent to a nonexistent address, and a colluding postal worker intercepted them and turned them over to him. He was prosecuted for mail fraud.

v Setting up multiple bank accounts and arranging for transfers among them. Before banks actually make electronic transfers, they make a small transfer -- cents or a few dollars -- just to make sure the real transfer will work. Scammers arrange for large transfers to a central account, then cancel them after the dry-run transfer. Enough of those can add up, Grossman said.

v Cracking captchas, the distorted numbers and letters that some sites use to verify that a human being, not a machine, is contacting the site. Some captchas use the same number-letter combinations over and over, so automated guessing can work to crack them, said Evans. Some sophisticated optical scanners can read captchas, and there are even overseas businesses that offer to break them for cash.

Quote of the day

Quote of the day

Whatever does not destroy me makes me stronger.

New IT Term of the day

New IT Term of the day


Short for Remote Authentication Dial-In User Service, an authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system.

Though not an official standard, the RADIUS specification is maintained by a working group of the IETF.

Bluetooth 2.1 is easy to crack

VULNERABLE : Bluetooth 2.1 is easy to crack

By Neil Roiter, Senior Technology Editor


07 Aug 2008


LAS VEGAS -- Bluetooth 2.1, designed to be more secure than the previous version, is actually far more vulnerable, making it trivial for an attacker to obtain a password when he or she eavesdrops on a user pairing up two Bluetooth devices.

It's possible to use 2.1 securely, said Andrew Lindell, chief cryptographer for Aladdin Knowledge Systems Ltd., but the odds are stacked against it.

"Good protocol should be hard to get wrong and easy to get right," Lindell said Wednesday at the Black Hat briefings. "Even the best protocols can be badly implemented; in Bluetooth it is the opposite. Unless you really know what you are doing, it's easy to get wrong."

The problem is that the protocol is wide open if a fixed password is used, and secure if a one-time password (OTP) is employed, so it's useless to an attacker. The framers of version 2.1 intended it to use OTPs, but didn't require their use anywhere in the 1,400-page protocol document.

Lindell said that in Bluetooth 2.1, a fixed password can be stolen in less than a second using a man-in-the-middle attack, regardless of the length of the password. In 2.0, a long password could thwart the attacker.

An attacker doesn't need good fortune to be nearby when a user is pairing two devices. Bluetooth devices can be "tricked" into forcing a re-pairing. An alert user might think this is odd, but Lindell said, most people are used to odd or buggy behavior in their technology, and will simply shrug and re-pair.

Lindell described a second attack, in which an attacker can easily obtain the password of a lost or stolen Bluetooth device.

Although Bluetooth version 2.1 was released more than a year ago, there are almost no implementations. Even if manufacturers are aware of the undocumented OTP requirement, there are barriers to implementation.

Devices like hands-free car kits and Bluetooth mice have no user interface, for example. Even in other cases, manufacturers are likely to be reluctant to require customers to use OTPs as a matter of convenience.

The results could be a Bluetooth keyboard turned into a key logger or a Bluetooth car ear set turned into a listening device, a form of what is known as a "car whisperer."

"Or," joked Lindell, "An attacker could even talk to people over the earpiece and scare them."

Windows Vista security bypassed by researchers

UNSECURE : Windows Vista security bypassed by researchers

By Dennis Fisher, Executive Editor


07 Aug 2008


LAS VEGAS -- Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author. "They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over.

"What this means is that almost any vulnerability in the browser is trivially exploitable," Dai Zovi added. "A lot of exploit defenses are rendered useless by browsers. ASLR and hardware DEP are completely useless against these attacks."

Many of the defenses that Microsoft added to Vista and Windows Server 2008 are designed to stop host-based attacks. ASLR, for example, is meant to prevent attackers from predicting target memory addresses by randomly moving things such as a process's stack, heap and libraries. That technique is useful against memory-corruption attacks, but Dai Zovi said that against Dowd's and Sotirov's methods, it would be of no use.

"This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," Dai Zovi said. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

Microsoft officials have not responded to Dowd's and Sotirov's findings, but Mike Reavey, group manager of the Microsoft Security Response Center, said Wednesday that the company is aware of the research and is interested to see it once it becomes public.

Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities. As a result, he said, there may soon be similar techniques applied to other platforms or environments.

"This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon, sort of like heap spraying was."

Ex-banker cheated of lakhs in phishing

VICTIM : Ex-banker cheated of lakhs in phishing

K Praveen Kumar,TNN

9 Aug 2008


CHENNAI: After hooking the young and the computer- savvy, phishers have struck a senior citizen in the city. N V Srinivasan, a 72-year-old retired bank manager from KK Nagar, saw his lifetime savings of Rs 21 lakh vanish after he inadvertently gave away details of his bank account by clicking open a phishing mail sent in the name of Punjab National Bank.

Srinivasan, who was leading a quiet retired life got a mail a few days ago, purportedly from the security department of Punjab National Bank, asking him to update his personal details by clicking a link given in the mail, to make the bank account more secure.

"The mail said that the bank was stepping up vigil against online frauds and told the account holder that he could continue using his account even during the updation process without affecting transactions. Believing this, Srinivasan clicked on the link in the mail and provided his personal information including the bank account number," a CCB official told The Times of India.

Srinivasan found his net banking facility blocked moments after he replied to the mail, but he didn't realise the enormity of the fraud. "He then sent a mail to Neelam Singh, a person named as the signatory and security head of the Punjab National Bank in the phishing mail. When he did not get a reply to the mail, Srinivasan went and checked with the bank, only to find that Rs 21 lakh had been withdrawn from his account," the official said.

Preliminary investigation by the CCB bank fraud wing and the cyber crime cell revealed that a woman had withdrawn the amount from an ICICI bank branch in Mumbai. "When we made inquiries, the bank authorities said that the woman had been making repeated inquiries about remittance of cash to a particular account saying that she was expecting the money from an urgent property transaction. The money was withdrawn from the account soon after it was credited," the official added.

Investigators are now trying to trace the internet protocol number from which the mail to Srinivasan was sent. "We don't think the mail originated from Mumbai. We are trying to locate the woman who had collected the amount. We will crack the network as soon as we locate the woman," the official said.

The official underscored the need for better awareness among people transacting through net banking. "People getting such mails should immediately check with the bank concerned. Before performing any banking transactions through the net, follow the instructions provided by the banks and look for security emblems and marks on the home page of the bank," the official said.

People and institutions trading in mail addresses and other data are proving to be a headache for banks and security agencies. "These institutions are paid Rs 10 per mail address. These are a readymade pool for fraudsters to work on. Make sure that you do not give out your mail addresses to people and institutions that are unknown to you," the official said.

Spanish hacker jailed for sending ex-manager's emails

JAILED : Spanish hacker jailed for sending ex-manager's emails

Graham Keeley in Barcelona

The Guardian,

August 6 2008


A hacker has been jailed for two years in Spain for revealing hundreds of private emails written by a former colleague. The emails, which were taken from the former manager's work computer, divulged details of his sex life.

The hacker sent them to the manager's ex-wife, to a woman with whom he was having a relationship, and to the mayor of a council where he was working.

The emails were also copied on to other people who knew the victim.

A judge in Barcelona yesterday jailed the hacker, who was not named, for two years for an offence of "revealing secrets". He was also ordered to pay a fine of €3,240 (£2,566) as well as €4,000 in compensation to the victim.

The judge ruled Spanish law allowed the courts to pursue anyone who "gets access to information of a personal or family nature held on information systems or computers which are public or private".

He said Spain's supreme court ruled the right to privacy "means the existence of a reserved area away from others which is necessary to maintain a minimum quality of human life".

In this case, only 2% of the emails contained information "of a highly personal nature". The judge said the way in which the victim's right to privacy had been violated was the most important factor, rather than the content of the emails.

The manager left the Barcelona company in 2006 and believed he had erased all his personal emails.

His former colleague's motive for hacking into his computer was not made clear in court. Nor did the court establish how the hacker managed to access the emails after the former manager believed they had been erased.

This Day in History

Thanks for your Visit