Some of the interesting technology stories around.
Security: Thumb sucking, slurping, snarfing. Excuse me? Sounds like a kids’ show, but security experts are using better names to put these hacks, data thefts and more in the public’s mind.
Phisher Says He Makes a Fortune Using Re-used Passwords What caught me was the phisher’s acknowledgment that he uses passwords stolen from social networking sites to break into e-mail accounts, where he then searches for financial account details. He says he can make $3-$4,000 a day selling this information. Interview is here.
Google buys a start-up once every few days, or around one a week “Google buys a start-up once every few days, or around one a week, Schmidt estimated” comes from an eWeek article recapping a Google reporter briefing earlier this week. One of the things I have learned from being on the Fortune 100 side is that large amounts of cash in reserve typically don’t remain in reserve. Whether it’s stock buybacks, capital expansion or acquisitions, the cash must go.
Yahoo To Finally Upgrade MyBlogLog TechCrunch talks about MyBlogLog being upgraded and its past problems, and is hoping things are looking up. “MyBlogLog, the ubiquitous blog widget that shows pictures of recent visitors to a site, was one of the “instant” success stories of 2006 – Yahoo acquired the company before most people even had a chance to hear about it. Like many blogs, we had the MyBlogLog widget on TechCrunch for months. We eventually removed it due to performance issues (it slowed down the site on a couple of occasions) and this incredible amount of spam that started to appear.”
Microsoft takes on the free world Microsoft claims that free software like Linux, which runs a big chunk of corporate America, violates 235 of its patents. It wants royalties from distributors and users. Users like you, maybe. Fortune’s Roger Parloff reports.
Joost Invitations: 2000+ Sent I’m happy to say Mashable has distributed thousands of Joost invitations over the past 2 weeks – I’m guessing in excess of 2000, although I haven’t done a manual count for obvious reasons. Praises be to those readers who reciprocated by inviting others, and curses upon those who didn’t. They still have a Joost invite thread here, but if you can’t get one, leave a comment here and I will send you one, I still have several hundred left.
Here is a roundup of some of the top security stories on the net.
Amero sentencing pushed back to mid-May The scheduled sentencing for Julie Amero, the former Connecticut middle school teacher found guilty of exposing her students to internet pornography pop-ups, was pushed back again today – this time to May 18. These guys must be trying to regroup or something to keep from looking stupid when they get back into court.
The real security threats facing businesses Video of Mark Sunner, chief security analyst at MessageLabs, discussing some of the security problems businesses will have to deal with, like next-generation bots, new scales of Trojans and the interweaving of social engineering.
Hackers tailor malware to individual businesses Video of F-Secure’s Hypponen talking about how high-profile businesses now face an evolution of traditional malware attacks as hackers write malicious code designed specifically to break through their defences, with antivirus unable to spot such intrusions.
Infosecurity: Convergence of spam and viruses detected in new attack Hackers have launched an attack that combines spam and viruses in a new global campaign, according to the latest report from MessageLabs.
Kaspersky: Mac and Linux viruses to rise “significantly” According to security expert Eugene Kaspersky, we are at the brink of seeing a significant rise in malware attacks on Mac and Linux platforms. So, are hackers ready to target a broad range of platforms or is this merely hyperbole from a security firm that wants to sell products?
Beware Of Google AdWords Account Hacks via Computer Exploit It appears that some external program gained access to his computer. The program then logged into his AdWords account, set up several ads that redirected to “places like orbitz.com and business.com” and also tried to install an “activex remote desktop program” on those computers through the redirects (to infect other computers). Then it blocked that computer from logging into AdWords by setting the local hosts file to 127.0.0.1 adwords.google.com (which means if someone on that computer tries accessing adwords.google.com, they get a not found). This prevents the computer from logging into Google AdWords to see if changes have been made to the account.
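The hosts-file trick described above, as an added detection example (not code from the original article): parse a hosts file and flag non-local hostnames pinned to loopback or unroutable addresses. The sample hosts content, the av-vendor.invalid and corp.invalid names are constructed for this example.

```python
"""Flag hosts-file entries that silently make a site unreachable (added example)."""
import ipaddress
import os

# Names legitimately mapped to loopback on a stock Windows or Unix host
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Constructed sample, modelled on the hijack described in the article
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 adwords.google.com      # injected entry: locks the user out
0.0.0.0   www.av-vendor.invalid update.av-vendor.invalid
192.0.2.10      intranet.corp.invalid   # ordinary static entry, not flagged
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            yield addr, name.lower()


def is_sinkhole(addr):
    """True for addresses that make a name unreachable: 127.x, ::1, 0.0.0.0, ::."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an address literal this parser understands
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_entries(text):
    """Return (address, hostname) for every non-local name sent to a sinkhole.

    Ad-blocking hosts lists also pin names to 0.0.0.0, so hits still need
    triage; an entry for a site the user must reach (a vendor's login page,
    an AV update server) is the signal worth acting on.
    """
    return [(addr, name) for addr, name in parse_hosts(text)
            if is_sinkhole(addr) and name not in LOCAL_NAMES]


def system_hosts_path():
    """Default hosts file location for the current platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    for addr, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {addr}")
    with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
        for addr, name in find_hijacked_entries(fh.read()):
            print(f"live system: {name} -> {addr}")
```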
‘Evil twin’ Wi-Fi access points proliferate That’s the term for a Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up by a hacker to eavesdrop on wireless communications among Internet surfers. Unfortunately, experts say there is little consumers can do to protect themselves, but enterprises may be in better shape.
5 Cheap But Effective Tips To Improve Security Periodically check for rogue wireless access points, plus four other simple, yet inexpensive, improvements you can implement to boost the security of your enterprise.
Web threats to surpass e-mail pests By next year, Internet users can expect more cyberattacks to originate from the Web than via e-mail, security firm Trend Micro predicts.
Some interesting security related stories.
U.S. Database Exposes Social Security Numbers The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.
Google draws privacy complaint to FTC “Google’s proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world,” the complaint reads. “Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security and accuracy of the personal data that it collects.”
This one could potentially be big. Consider the data that Google collects from the browsing habits of people using their toolbar, the information they gather from people searching their site(s), the data they collect from their ads on a major portion of the internet, the data they collect from their online programs like Gmail, Google Docs & Spreadsheets, etc., the data they collect from people using Google Checkout, and the data they collect from YouTube and all of the embedded videos. If this data is used by people working for Google, or by someone who is able to access it from the outside, the amount of information they could compile and use on people is staggering, I am sure.
Depends on your definition, I guess. Sitting there with nothing running, no one could get into them. On the second day, they sent contestants URLs via email, and one hacker was able to exploit a vulnerability in Safari and open a back door that gave him access to everything. While they did not crack the OS itself, they did crack a tool that many people use on such a system; it’s the same as all of the IE vulnerabilities that get exploited, though Macs certainly have the better track record over Windows. Here is more from ZDNet.
MacBook Pro hijacked with Safari zero-day Hackers Dino Dai Zovi and Shane Macaulay teamed up to hijack a MacBook Pro laptop at the CanSecWest security conference here, effectively pouring cold water on the Mac faithful’s belief that the machines are impenetrable. Dai Zovi, a former Matasano researcher who has been credited in the past with finding Mac OS X vulnerabilities, exploited a zero-day flaw in the built-in Safari browser to take complete control of the machine.
Seeing through walls Have you considered that someone could be reading what’s on your monitor from a few rooms away? It’s unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows.
ISP Kicks Out User Who Exposed Vulnerability; Doesn’t Fix Vulnerability Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven’t bothered to fix the vulnerability — despite it being published 7 weeks ago. The reasoning from the ISP is astounding. They claim that since they can’t find any evidence that anyone ever used the vulnerability, he must have discovered it by “illegal” means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he’s not allowed to talk about its legal threat to him — which isn’t actually legally binding. It’s not clear if the ISP doesn’t understand what it’s done or simply doesn’t want to fix the vulnerability.
Interact with the security community CanSecWest, the world’s most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.
Lots of security stuff to comment on today, so I thought I would do a news post with links to them all, save us all some time.
Spamdexing “R” Us A researcher is curious as to how many times a user can get hit with a driveby download and malware infection just by clicking on a Google search result. He took the AOL search data that was released accidentally by AOL and tried to figure it out.
A Fresh Look at Password Thieves Security Fix is still looking at the damage caused by the VisualBreeze or “Vbriz” Trojan, also known as “Dimpy.Win32VB.” Thousands of people are affected.
Malicious Web Site / Malicious Code: MS07-009 Exploit Code Released A full exploit was released for MDAC vulnerability MS07-009. Patch is available here.
Windows weakness can lead to network traffic hijacks IE still looks for proxy servers when it starts up, and a malicious employee inside your network could take advantage of it; here is how, and how you can avoid it.
Many net users ‘not safety-aware’ Less than half of the UK’s internet users believe they are responsible for protecting their personal information online.
SANS to certify programmers for security nous The SANS Institute has assembled security vendors to create a secure coding assessment and certification exam for programmers. Participants have the option to sit through four exams leading to GIAC Secure Software Programmer (GSSP) status. The four examinations cover a specific programming language suite: C/C++, Java/J2EE, Perl/PHP and .NET/ASP. Visit here for the new website.
Trend Micro Moves Security into the Cloud Trend Micro’s products rely on a dynamic database of IP addresses that are updated constantly to prevent users from accessing sites that are known to distribute the malware used to build botnets. This domain reputation database maps over 300 million domains daily, and every five minutes there is a new entry.
OpenOffice.org Security Several security vulnerabilities have been reported on in the media in the last week, where users’ PCs could be open to attack if they opened certain documents or websites.
Vulnerability Summary for the Week of March 19, 2007 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.
They say money talks, but sometimes it transmits as well. Recently, Canadian coins have been showing up in the pockets of American contractors with tiny transmitters in them, according to the Department of Defense. Security experts say the devices could be used to track defense industry personnel movements, meetings and more. One use for such a device could be for marking someone for assassination or kidnapping, but with coins, they could only remain in their pockets for a few minutes, depending on what those people are doing.
Security experts believe the miniature devices could be used to track the movements of defense industry personnel dealing in sensitive military technology.
“You might want to know where the individual is going, what meetings the individual might be having and, above all, with whom,” said David Harris, a former CSIS officer who consults on security matters.
“On at least three separate occasions between October 2005 and January 2006, cleared defense contractors’ employees traveling through Canada have discovered radio frequency transmitters embedded in Canadian coins placed on their persons,” the report says. Source: CBCNews
Kinda scary. All you really have to do is use something those people would always keep with them; just getting it into their hands would be the hard part. Someone could maybe duplicate an ID or badge, tag it with an RFID chip and swap it with the original. Hell, I could be carrying one in my work ID and parking pass right now. Gotta go.
I’ve posted before about how security companies are up in arms about the new Windows PatchGuard protection from Microsoft that can block any application from accessing, or “hooking” Vista’s kernel commands, a technique utilized by vendors in sophisticated anti-tampering and behavior monitoring tools, and used by hackers in attacking computer systems with rootkits. Authentium says they have circumvented this feature using a loophole that allowed the operating system to support older hardware.
The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.
When a program of any kind attempts to modify the kernel on a system running PatchGuard, which is already available in 64-bit versions of Microsoft’s Windows XP OS, the computer produces a blue screen and stops all other Windows applications from running.
Authentium said its workaround allows it to access the kernel without incurring the shut-down.
The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company’s tools to infiltrate Vista’s kernel hooking driver, and get out, without the OS knowing the difference. Source: eWeek
Lots of good reading there, including more info on PatchGuard and links to other articles where security companies have taken Microsoft to task over it. One industry insider says he thinks McAfee and Symantec have already done this themselves, but are keeping the heat on for a different reason,
At least one industry watcher believes that Symantec and McAfee have developed methods of their own for working with, or circumventing, PatchGuard, and contends that the firms have only kept the heat on Microsoft over the feature to keep antitrust regulators alert to Microsoft’s continued push into their territory.
Which makes sense, they have to protect their bread and butter. Alex Eckelberry from Sunbelt has posted a few articles on PatchGuard, but the one he posted today actually made a lot more sense than the other complaints I have seen from Symantec,
The lesson? We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology.
PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can’t get in to help the operating system against an attack, at least without permission through APIs.
The ability of security companies to fully support the 64 bit Windows platform itself, a fact that Gartner’s Neil McDonald recently highlighted in his warning that if enterprises use HIPS technology, they should postpone deployment of Vista. After all, the APIs won’t even be available until 2008!
HIPS (which stands for Host Intrusion Prevention System), uses methods at the kernel to prevent certain types of attacks. HIPS is part of our Kerio line and it’s also part of other products out in the market. For example, our HIPS functionality helps protect against buffer overflow attacks, by watching for system functions being called from memory locations where they shouldn’t be called. As another example, our Kerio Server Firewall uses HIPS to provide application lockdown.
McAfee, Symantec and other companies, like Sunbelt, need this access. For Symantec, it’s around a number of technologies they’ve implemented at the kernel, including Tamper Protection, which prevents hackers from attacking Symantec products themselves. For us, it’s around HIPS, but it could also affect other technologies that we are developing.
Now, every other article I have read on PatchGuard and these security companies (and I could have missed a bunch, I am sure) has pretty much just been whining about how Microsoft won’t allow them access to the kernel; this is the first good explanation of why they need that access. If some new threat, remember Code Red, comes out that requires access to the kernel to prevent it, then these security companies will have to ask Microsoft for an API to the kernel, whereas before they could have just added the extra functionality. And we all know how long it takes Microsoft to issue patches. What will they do if a new threat comes out: will they help security vendors fix it, or will they try to fix it themselves?
I have been reading quotes online from developers at Symantec and McAfee complaining about the new security features of Windows Vista, specifically PatchGuard, which essentially crashes the computer when it detects that specific data structures have been hooked. All the noise coming from these security vendors just sounds like sour grapes to me; if Microsoft has found a way to make Windows more secure, then they should find a way to work with it. I know this is a big cash cow for McAfee, Symantec and others, but I think the only ones who are worried about it are them. I want a more secure OS, because users don’t have a clue and don’t care to learn.
This is from a “perspective” post on News.com by George Heron, Chief Scientist at McAfee,
For decades, and in every Windows operating system prior to Vista, Microsoft has relied on the contributions of third-party security vendors to help keep the user safe.
These security products from independent software vendors even help keep people’s computers safe from Microsoft’s own critical software bugs, which notably have been on the increase in recent years.
This cooperative and relatively safe computing experience is about to change for the worse in Vista.
I’m not sure how we can end this story on a positive note. Dropping down to the core of the operating system, we see that Microsoft has implemented PatchGuard as a means of preventing access to kernel services that classically have been allowed and available in all previous versions of Windows. Source: News.com
Wonder what kind of strings you have to pull to get a post like that on News.com? Totally self-serving: please don’t change the way we do business, don’t make us change the way our software works, etc. If they don’t change it now, they won’t be able to help the problem, and the main problem, as we all know, is the OS. If Microsoft helps prevent some malware, viruses, rootkits, etc., who loses? The outside security companies like McAfee lose. In a recent post here, I referenced an article that said the number one software program at slowing down Windows was Norton Internet Security 2006 and in the top five was McAfee SecurityCentre. His conclusion was,
Well it’s clear to see what sort of application has most effect on Windows. Antivirus programs tether the performance of your computer alongside that of one three years its elder. If you really need an antivirus system, make sure you follow these benchmarks but also make sure you check how good the one you’re looking at really is. Nod32 gets good security reviews and seems to leave the system fairly nippy.
The new version of Norton has shocked me a little. Every year since their Norton Antivirus 2002, they’ve added more and more “bloat”. They call them features, and looking at the box, you’d agree. Features have traditionally come at a price though. If you’re scanning more things, it’s going to take it more time. NIS2007 seems to do all the work of 2006 but with significantly less load on the FileIO. I’m not shouting “go out and buy it” because of the massive boot delay and there are still better products. Source: ThePCSpy
So, we are supposed to feel bad for Symantec and McAfee even with all of the extra bloat they add to a system? One of the first things I try when having a software problem is to check the anti-virus and see if it is the problem and a lot of times it is.
Here are some quotes from a Microsoft blog post called An Introduction to Kernel Patch Protection or what everyone has been referring to as Patchguard. Definitely a recommended read with info straight from Microsoft.
Hello, I’m Scott Field, an Architect working on Windows Kernel Security. There have been a lot of questions recently about a Windows technology called Kernel Patch Protection (sometimes referred to as PatchGuard) so I wanted to provide some context about the feature to help answer them. OS kernel design is a very specialized area of computer science that rarely receives a lot of public attention, so it’s understandable that there are a lot of questions out there. The purpose of this post is to give a basic primer on Kernel Patch Protection and why it is an important technology to increase the security and reliability of Windows-based PCs.
“Kernel patching” or “kernel hooking” is the practice of using unsupported mechanisms to modify or replace kernel code. Patching fundamentally violates the integrity of the Windows kernel and is undocumented, unsupported and has always been discouraged by Microsoft. Kernel patching can result in unpredictable behavior, system instability and performance problems like the Blue Screen of Death, which can lead to lost user productivity and data. More importantly, kernel patching has increasingly become a mechanism used by malware developers to attack Windows systems.
Kernel Patch Protection monitors if key resources used by the kernel or kernel code itself has been modified. If the operating system detects an unauthorized patch of certain data structures or code it will initiate a shut down of the system.
We have also been asked to provide a supported way for ‘known good’ vendors to continue hooking the kernel but prevent others from doing so. Unfortunately, there is no reliable mechanism for us to distinguish between ‘known good’ software and malicious software. Moreover, we cannot prevent a malicious software author from “bundling” purportedly good software in an attempt to thwart the system.
Since Microsoft announced our Trustworthy Computing initiative, helping to ensure the security of our customers has been one of our primary goals as an organization. Part of this is ensuring a rich ecosystem of powerful security products that will reduce the threats from malware and other types of attack. We would not develop a technology designed to lessen the security of our customers or weaken the security of the Windows platform.
Why would they block security companies? Only if it was the only way to block some of the malware being released today. McAfee, figure it out; Microsoft will help you if you need it.
Recently, Microsoft blocked the spreading of Trojans on the Messenger network by blocking .pif files; two out of the three viruses at the time were using .pif files to spread themselves. How did that work?
Not too good!
Apparently, all the hackers had to do was change the extension to .PIF, or .Pif or .pIf, and the filters let the messages flow on through.
Each of the links lead to a different Trojan-downloader. The downloaders download a variety of adware and adware-related Trojans.
Moreover, IM-Worm.Win32.Licat.c is also downloaded, which in turn launches a new mass mailing of the original message. Nothing unusual, right?
Wrong! Both worms spread using links to .PIF files. But some of you might remember that Microsoft blocked messages containing “.pif”?
Yes they have, but… the MS block is case sensitive!
So the criminals used capital letters, “.PIF” and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.
One of the best solutions for all instant messaging users is to only allow people on your buddy list to send you messages. While this won’t block the viruses that your friends contract, it will at least block the ones from EVERYONE else. Then you still have to decide whether you really want to click on these links at all; it would probably be safest to message them back real quick and ask what it is, and if they don’t know what link you are talking about, then they probably have a virus. As always, update your anti-virus, scan for spyware frequently and let’s be careful out there.
Update: According to their weblog, here, MSN has fixed the problem with the different .pif extension variants working.
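The case-sensitive filter described above, as an added example (not the post’s, Microsoft’s or Kaspersky’s code): a toy IM link filter in the weak form beside a normalised form, run over constructed messages carrying .pif, .PIF and .pIf links. It goes one step past the post by also decoding a percent-encoded dot; the extra blocked extensions and the example.invalid URLs are assumptions of the example.

```python
"""Weak vs. hardened extension filter for IM links (added example)."""
import re
from urllib.parse import urlsplit, unquote

# .pif is what the 2005 MSN block matched; the other executable types are
# added here for the hardened version and are not from the original post.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def extract_links(message):
    """Pull every http(s):// or www. link out of a message body."""
    return URL_RE.findall(message)


def naive_filter_blocks(message):
    """The weak check: a literal, case-sensitive substring match.
    '.PIF', '.Pif' and '.pIf' all slip through."""
    return ".pif" in message


def path_extension(url):
    """Lower-cased extension of the URL's path component, after decoding
    percent-escapes and dropping the query string and fragment."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    filename = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def hardened_filter_blocks(message):
    """Normalise each link, then compare its real extension case-insensitively."""
    return any(path_extension(u) in BLOCKED_EXTENSIONS for u in extract_links(message))


# Constructed messages modelled on the worm traffic described above
SAMPLES = {
    "lower":   "check this out http://example.invalid/pics/photo.pif",
    "upper":   "check this out http://example.invalid/pics/photo.PIF",
    "mixed":   "check this out http://example.invalid/pics/photo.pIf",
    "encoded": "lol http://example.invalid/pics/photo%2EPIF?id=1",
    "benign":  "check this out http://example.invalid/pics/photo.jpg",
}


def compare_filters():
    """Map each sample name to (naive_blocked, hardened_blocked)."""
    return {name: (naive_filter_blocks(m), hardened_filter_blocks(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_filters().items():
        print(f"{name:8} naive={'blocked' if naive else 'PASSED '} "
              f"hardened={'blocked' if hardened else 'passed'}")
```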
In an article posted at News.com, 180 Solutions announced that they have upgraded their security to keep some of their distributors from forcing their crappy software on users.
This is so funny, it’s taken me a couple hours to actually write this. First, if they have distributors who are forcing this stuff on users’ computers, then you get rid of the distributors and fix your distribution model; it would be so easy for them to figure out who is doing this stuff. If they would police their affiliates, it would fix a lot of OUR problems.
“Today’s announcement is the culmination of many months of hard work focused on building technology that is more resistant to unauthorized, nonconsensual installations of our software,” Keith Smith, CEO and co-founder of 180solutions, said in a statement.
Must stop laughing….
In addition to launching the new Seekmo Search Assistant, which will notify 180solutions of fraudulent downloads, the company announced that it will do away with 180search Assistant, one of its more controversial products.
Everybody remember that name, “Seekmo Search Assistant”, as it will probably be the software you see after you have been blindsided by a drive-by install, hehe. And I wonder what they mean by “do away with”; that probably just means they won’t be advertising it anymore, and it will still be forced on your PCs by their “affiliates” since they can’t “track” this version. We will still be seeing it five years from now, I bet.
The new software from 180solutions tracks and identifies compromised distribution channels through several different sources, including customer feedback. If the data reveals a potential fraud, then the company will notify customers who may be affected and will allow them to uninstall the software with “one-click removal,” the company said in a statement.
Now there is an innovation: allow the user to uninstall it with one click. If every piece of software was this easy to uninstall.... wait, most software is that easy to uninstall. Most software allows removal through the Control Panel. Ah well, maybe they will catch up one day; we can’t blame them, they just write the stuff.... wait, we can blame them.
“This takes away the financial incentive of fraudulent downloads,” said Sean Sundwall, a spokesman for 180solutions.
Hehe, it doesn’t take away the financial incentive for 180solutions; we’ll still be seeing this stuff for years. Who are they trying to kid?
In an article posted at news.com, John Thompson, CEO of Symantec, says we’re not going to whine about Microsoft competing with us in the security arena, and let’s face it, given Microsoft’s record with security, you can’t really blame him.
Microsoft is set to enter the security arena next year, but Symantec won’t compete by complaining to antitrust regulators or suing the software giant.
“We’re not looking to go whining to the EU or the DOJ for anything,” Symantec Chief Executive Officer John Thompson said Tuesday, referring to the European Union and the U.S. Department of Justice. Thompson was responding to questions from reporters after an event at the Commonwealth Club here.
Symantec, based in Cupertino, Calif., has responded to questions from EU competition authorities about its role in the security industry but has no intent to file a complaint about Microsoft, Thompson said.
“We’re not involved with anything with the EU,” Thompson said. “We don’t need competition in the courtrooms.” Instead, Thompson said Symantec will compete with its products, which he said are superior to those Microsoft has yet to launch.
My experience with Symantec’s antivirus products has generally been good and a positive experience overall, although we did standardize on McAfee VirusScan, which I think is a better product. BUT, that does not by any stretch mean I wouldn’t dump them for a better product from Microsoft, especially if that product came already installed and ready to go. Microsoft may not do everything well, but they aren’t afraid to buy a company who does do it well and go from there. I like their anti-spyware product and its ease of use, even though I don’t like some of the companies they mark as ignore, so there are tradeoffs in almost every product. I’ll be cautiously pessimistic as always and try it out when they release it.