If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

Microsoft Security Advisory warned today that a possible attack against the MD5 hash digital certificate could allow an attacker to generate their own certificate with information from the original. Microsoft warned that only the X.509 certificates could be attacked, and suggests users to upgrade to the newer SHA-1 algorithm.

Although the information was not published publically to allow hackers the chance to launch attacks on the vulnerability, Microsoft is keeping a watch on the possible attack, even though the vulnerability does not come in a Microsoft product.

Read more @ Neowin.net

Australia has been known to have high levels of censorship. It should come as no surprise to those in the land down under that the government is planning to filter P2P and Bit Torrent traffic in live pilot tests.

Senator Conroy went on the record saying "technology that filters peer-to-peer and Bit Torrent traffic does exist and it is anticipated that the effectiveness of this will be tested in the live pilot trial".

It is a drastic step to filter out all P2P and Bit Torrent traffic as it assumes that those channels are only used for piracy. One example of legitimate use is the popular online game World of Warcraft. This game uses a Bit Torrent system of distrubution for its updates. Like any technology it can be used for both good and evil and choosing to block all on the account that it is only used for piracy is taking censorship to new levels.

Unsurprisingly the idea has fueled a serious debate in Australia; "I’m aware that this proposal has attracted significant debate and criticism ? on this blog and at other places in the blogosphere," Senator Conroy said. Many of the complaints stem around the idea that Senator Conroy is acting as a big brother.

If the Senator has his way and the filter is kept in place how far will the government be allowed to intervene? Simply blocking a technology for the potential illegal use is a preposterous idea as nearly all software can be used for malicious activities; it’s the user who makes the decision.

Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times.

On each occasion, the cyber attackers accessed the White House computer system for brief periods, allowing them enough time to steal information before US computer experts patched the system.

US government cyber intelligence experts suspect the attacks were sponsored by the Chinese government because of their targeted nature. But they concede that it is extremely difficult to trace the exact source of an attack beyond a server in a particular country.

”We are getting very targeted Chinese attacks so it stretches credulity that these are not directed by government-related organisations,” said the official.

The official said the Chinese cyber attacks had the hallmarks of the “grain of sands” approach taken by Chinese intelligence, which involves obtaining and pouring through lots of - often low-level - information to find a few nuggets.

Some US defence companies have privately warned about attacks on their systems, which they believe are attempts to learn about future weapons systems.

Read more @ Financial Times

If you needed any more reminders about why it isn’t a good idea to use external mail services to conduct critical business, the recent break-in to US Republican Vice-Presidential candidate Sarah Palin’s gov.palin@yahoo.com Yahoo inbox should be it. Of note is that following the disclosure of the inboxes the compromised address and another address, gov.sarah@yahoo.com, have been suspended.

US politics has been stung by a range of inappropriate email usage incidents, including the use of non-government email accounts to conduct official business. From the images presented as proof of email compromise, it seems that Sarah Palin was also doing this.

Various Information Security mailing lists have from time to time been filled with claims of inbox compromise, usually for free webmail services and it is always two parts voyeurism, two parts fear that it could be you next whenever someone has had their email exposed so publicly.

Some companies have decided that the economy of scale offered by services like Gmail are worth it to have their email needs handled through them rather than maintaining their own in-house systems and servers. The risk, as has been proven time and time again, is now that it only takes a simple password recovery to have your email exposed to all.

Password recovery procedures are an area where the balance between security and usability is so blurred that most times the security aspect is non-existent, despite appearances. The leading theories about how the breach to Sarah Palin’s account came about were that it was through the password recovery options associated with the Yahoo webmail interface.

Read more @ PCworld.com

Slates free developer tools for November, hopes other vendors write more secure code

Microsoft Corp. said today it will export some of its expertise in writing secure code to developers outside the company with several new initiatives, including a pair of free tools it plans to unveil in November.

The company has distilled some of the experience gained during the past five years through its Security Development Lifecycle (SDL) process and philosophy into the Threat Modeling Tool 3.0 and the Optimization Model. It will make both available for free download in two months.

"We’re put a lot of emphasis on tool developments to build more secure software," said Steve Lipner, senior director of security engineering strategy in Microsoft’s Trustworthy Computing group and the co-author of The Security Development Lifecycle. "But as we’ve moved SDL more and more into the culture of our company, we’ve been watching what’s happening on the outside."

And Microsoft isn’t liking what it sees.

Microsoft, claimed Lipner, has nearly halved its share of the total disclosed vulnerabilities from the first six months of 2007 to the same period this year, from 4.2% to 2.5%. Credit, he said, goes to SDL and Microsoft’s increased emphasis on writing more secure code.

It wants to share that knowledge, he added, and for a selfish reason. "We want to move toward a more secure Internet, and it’s important that there is secure development not only for our software, but also for other software that our customers use," Lipner said, explaining why Microsoft is proselytizing SDL to outside developers.

Read more @ computerworld.com

Weeks before bombs started falling on Georgia, a security researcher in suburban Massachusetts was watching an attack against the country in cyberspace.

Jose Nazario of Arbor Networks in Lexington noticed a stream of data directed at Georgian government sites containing the message: “win+love+in+Rusia.”

Other Internet experts in the United States said the attacks against Georgia’s Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests — known as distributed denial of service, or D.D.O.S., attacks — that overloaded and effectively shut down Georgian servers.

Researchers at Shadowserver, a volunteer group that tracks malicious network activity, reported that the Web site of the Georgian president, Mikheil Saakashvili, had been rendered inoperable for 24 hours by multiple D.D.O.S. attacks. They said the command and control server that directed the attack was based in the United States and had come online several weeks before it began the assault.

An image from the Web site of the Georgian Parliament after it had been defaced.

Read more @ nytimes.com

At CES 2008, Neowin talked to a company called Bug Labs. They have created the BUGBase which allows for different add on modules (touch screen LCD, GPS, accelerometer, and web cam currently) to be plugged in and programmed to the users desire. It has built in RAM, CPU, Li-Ion battery, USB, Ethernet, mmc, serial interface, and a small LCD with button controls. The idea is simple: give the resources to the consumers to become the creators.
Even in the early stages, Bug Labs has a large community actively developing new ways to use and interact with the BUGBase and modules. A few neat programs developed so far are a security system that detects motion and uploads an image to flickr, GPSAlarm that sets off an alarm based on proximity rather than time, and several others you can browse here or in their forums.

The week of August 7th, 2008 the amount of malicious spam a single computer user received finally overtook health and product spam. Meant to exploit holes in your operating system, get credit card information from you, or simply just to copy your contact list, spam emails have become more than just a nuisance for the States, they have become outright dangerous.
Unfortunately, our government has not made a substantial leap to protect its citizens from this danger that is lurking in our homes and offices.

The Center for American Progress and the Center for Democracy and Technology have released a report which shows in 2007 “the FTC reported 221,226 internet-related fraud complaints, up from almost 16,000 in 2006 and more than 24,000 from 2005.” With these numbers so drastically high, and probably even higher than stated as many computer users don’t report all of the malware they receive via email, why don’t we hear about our states taking more action against spammers?

States generally have brought charges against those who they find are seeking personal data or cases where it involves pornography, but for cases involving spyware, adware and other types of phishing the Cyber-crime Newsletter released bi-monthly by the National Association of Attorneys General highlighted only 14 cases in which individuals or groups were brought before the states.

Source: Neowin.net

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista’s Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user’s machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren’t based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista’s fundamental architecture. According to Dino Dai Zovi, a popular security researcher, "the genius of this is that it’s completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over."

Microsoft has issued yet another security advisory in the wake of attacks targeting Word. The company said in the advisory that it has received reports of attackers targeting a flaw in the handling of .doc files. The attacks are not currently believed to be widespread, and the initial exploit attempts have been in specially targeted attacks.
The vulnerability lies in the way Word 2002 Service Pack 3 handles .doc files. An attacker could use a specially-crafted document to cause a memory overflow error and application crash. The error would then leave the system vulnerable and allow the attacker to remotely execute code on the target system. Microsoft said that the vulnerability only appears to exist in Office Word 2002 Service Pack 3. No other versions of Word or Office appear to be at risk for attack.
In addition to basic security practices such as enabling a firewall and antivirus software, Microsoft recommends that users exercise caution in loading mail attachments and avoid suspicious .doc files.

View: The full story @ vnunet