Recent Entries in Hacking

A popular browser for Windows is subject to a security hole for hackers, British researchers say, but this time it's not Internet Explorer.

The vulnerability involves Mozilla and Firefox browsers in this case, the Register reported Friday.

The flaw is said to affect Mozilla and Firefox on Windows XP or Windows 2000 only. Security firm Secunia rates the problem as "moderately critical."

Security researchers discovered users could be attacked by hackers using a bug in how Mozilla and Firefox handle the "shell:" function in Windows.

The function enables Web sites to invoke various programs associated with specific extensions.

Nearly a quarter of Net users have illegally downloaded a film at one time or another, says the MPAA (Motion Picture Association of America).

However, as a story in the UK's Guardian Unlinited points out:

"The unexpectedly high figure finds some explanation in the study's methodology: only broadband users were polled. Broadband penetration stands at only 43% even in the US, so the real figures - even assuming they are fair and accurate - would be under half the MPAA's."

What else is new? It's well known that entertainment industry statistics vary according to the state of the moon.

Microsoft's effort last week to fix a vulnerability in the Internet Explorer Web browser and end the latest series of Internet attacks doesn't address another closely related and dangerous vulnerability, according to a security specialist.

Dutch security expert Jelmer Kuperus published code on the Web last week that he says can be used to break into fully patched Windows systems using a slightly modified version of an attack called Download.Ject that Microsoft patched last week. The new attack targets a hole in a different Windows component than the one addressed by Microsoft's software patch. Using a similar attack, malicious hackers could break into even patched Windows machines, Kuperus says.,aid,116796,00.asp

Microsoft released an emergency configuration update over the July Fourth U.S. holiday that for the first time gives Internet Explorer users protection against the specific vulnerabilities exploited by the Download.Ject attack.

"We recommend that customers immediately install this configuration change through Windows Update," Microsoft said in a statement released Friday evening.

Microsoft's decision to release the configuration update 11 days before its next regularly scheduled Patch Tuesday on July 13 underscores what a serious problem the IE flaw represents. It is only the second time Microsoft has patched a flaw on any day other than the second Tuesday of the month since the company moved to a monthly patch cycle in October

  US-CERT: Beware of IE

The U.S. government's Computer Emergency Readiness Team (US-CERT) is warning Web surfers to stop using Microsoft's Internet Explorer (IE) browser.

On the heels of last week's sophisticated malware attack that targeted a known IE flaw, US-CERT updated an earlier advisory to recommend the use of alternative browsers because of "significant vulnerabilities" in technologies embedded in IE.

"There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME-type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites," US-CERT noted in a vulnerability note.

MSNBC.Com - Unthinkable: How the Internet could become a tool of corporate and government power, based on updates now in the works.

Picture, if you will, an information infrastructure that encourages censorship, surveillance and suppression of the creative impulse. Where anonymity is outlawed and every penny spent is accounted for. Where the powers that be can smother subversive (or economically competitive) ideas in the cradle, and no one can publish even a laundry list without the imprimatur of Big Brother. Some prognosticators are saying that such a construct is nearly inevitable. And this infrastructure is none other than the former paradise of rebels and free-speechers: the Internet.

To those exposed to the Panglossian euphoria of Net enthusiasts during the 1990s, this vision seems unbelievable. After all, wasn't the Internet supposed to be the defining example of empowering technology? Freedom was allegedly built into the very bones of the Internet, designed to withstand nuclear blasts and dictatorial attempts at control. While this cyberslack has its, credit-card fraud and insincere bids on was considered a small price to pay for free speech and friction-free business models. The freedom genie was out, and no one could put it back into the bottle.

Certainly John Walker believed all that. The hackerish founder of the software firm Autodesk, now retired to Switzerland to work on personal projects of his choosing, enjoyed "unbounded optimism" that the Net would not only offset the powers of industry and government but actually restore some previously threatened personal liberties. But in .the past couple of years, he noticed a disturbing trend. Developments in technology, law and commerce seemed to be directed toward actually changing the open nature of the Net. And Internet Revisited would create opportunities for business and government to control and monitor cyberspace.

In September Walker posted his fears in a 28,000-word Web document called the Digital Imprimatur. The name refers to his belief that it's possible that nothing would be allowed to even appear on the Internet without having a proper technical authorization.

How could the freedom genie be shoved back into the bottle? Basically, it's part of a huge effort to transform the Net from an arena where anyone can anonymously participate to a sign-in affair where tamperproof "digital certificates" identify who you are. The advantages of such a system are clear: it would eliminate identity theft and enable small, secure electronic "microtransactions," long a dream of Internet commerce pioneers. (Another bonus: arrivederci, unwelcome spam.) A concurrent step would be the adoption of "trusted computing," a system by which not only people but computer programs would be stamped with identifying marks. Those would link with certificates that determine whether programs are uncorrupted and cleared to run on your computer.

The best-known implementation of this scheme is the work in progress at Microsoft known as Next Generation Secure Computing Base (formerly called Palladium). It will be part of Longhorn, the next big Windows version, out in 2006. Intel and AMD are onboard to create special secure chips that would make all computers sold after that point secure. No more viruses! And the addition of "digital rights management" to movies, music and even documents created by individuals (such protections are already built into the recently released version of Microsoft Office) would use the secure system to make sure that no one can access or, potentially, even post anything without permission.

The giants of Internet commerce are eager to see this happen. "The social, economic and legal priorities are going to force the Internet toward security," says Stratton Sclavos, CEO of VeriSign, a company built to provide digital certificates (it also owns Network Solutions, the exclusive handler of the "dot-com" part of the Internet domain-name system). "It's not going to be all right not to know who's on the other end of the wire." Governments will be able to tax e-commerce.and dictators can keep track of who's saying what.

Walker isn't the first to warn of this ominous power shift. The Internet's pre-eminent dean of darkness is Lawrence Lessig, the Stanford University guru of cyberlaw. Beginning with his 1999 book "Code and Other Laws of Cyberspace," Lessig has been predicting that corporate and regulatory pressures would usurp the open nature of the Net, and now says that he has little reason to retract his pessimism. Lessig understands that restrictive copyright and Homeland Security laws give a legal rationale to "total control," and also knows that it will be sold to the people as a great way to stop thieves, pirates, malicious hackers, spammers and child pornographers. "To say we need total freedom isn't going to win," Lessig says. He is working hard to promote alternatives in which the law can be enforced outside the actual architecture of the system itself but admits that he considers his own efforts somewhat quixotic.

Does this mean that John Walker's nightmare is a foregone conclusion? Not necessarily. Certain influential companies are beginning to understand that their own businesses depend on an open Internet. (Google, for example, is dependent on the ability to image the Web on its own servers, a task that might be impossible in a controlled Internet.) Activist groups like the Electronic Frontier Foundation are sounding alarms. A few legislators like Sens. Sam Brownback of Kansas and Norm Coleman of Minnesota are beginning to look upon digital rights management schemes with skepticism. Courts might balk if the restrictions clearly violate the First Amendment. And there are pockets of technologists concocting schemes that may be able to bypass even a rigidly controlled Internet. In one paper published by, of all people, some of Microsoft's Palladium developers, there's discussion of a scenario where small private "dark nets" can freely move data in a hostile environment. Picture digital freedom fighters huddling in the electronic equivalent of caves, file-swapping and blogging under the radar of censors and copyright cops.

Nonetheless, staving off the Internet power shift will be a difficult task, made even harder by apathy on the part of users who won't know what they've got till it's gone. "I've spent hundreds of hours talking to people about this," says Walker. "And I can't think of a single person who is actually going to do something about it." Unfortunately, our increasingly Internet-based society will get only the freedom it fights for.

Eccentric software developer Dave Winer has removed access to 3,000 weblogs hosted by the company he founded Userland at, without giving any prior notice. Bloggers have been told that if they ask nicely, they may have their data back next month. Winer blamed a computer for his decision.

This strange story grows stranger, however. Winer made the announcement after the fact, in a rare audio mumble: third parties had to provide their own transcriptions. The change didn't affect friends and paid subscribers, and Winer has admitted he's continuing in the hosting business - he's simply moving locations.

"The DNS service provider just can't handle the number of different domains under," said Winer. "We had to put them all in one place, and they had to be on one of my servers. Lawrence and I moved the sites over, and when we put the sites on the machine the performance of the machine became incredibly bad."

Network administrators tell us his excuse holds little water. Netcraft reports that is running Windows 2000 - not many people's first choice for BIND - but even so, it should be able to cope with what is a trivial load. "Either his hardware can't cope with the traffic, or his Win2K has some kind of resource limitation issue, or he's got something mis-configured," a sysadmin told us.

Cabir, the first virus to infect cell phones , was not designed to propagate massively, but rather to demonstrate that these kinds of devices can be infected by malicious code.

"This is a proof-of-concept worm," Patrick Hinojosa, CTO of Panda Software, told NewsFactor. "We won't see it spread very rapidly, because there are a number of physical limitations to keep it from mass replicating."

The Cabir code spreads to devices that run on the Symbian OS, which is used in many models of phones, including some manufactured by Nokia, Siemens and Sony Ericcson.

  Wireless worm appears

A newly detected worm spreads among mobile phones using the Bluetooth wireless technology, according to security firm F-Secure.

Called Cabir, the worm targets phones that use the Symbian Ltd. Series 60 operating system, according to F-Secure officials. When a user unwittingly installs the worm on a phone, the malicious code activates and starts looking for other Bluetooth devices to infect. It sends itself as a file called caribe.sis, which the user must accept and install to activate the worm.

Cabir is the first mobile phone virus to be detected, according to F-Secure officials. Although it does not appear to cause any damage, it shows that virus writers have the ability to attack phones, said Matias Impivaara, business manager of mobile security services at F-Secure.

  Bug causes Linux to crash

Running a simple C program crashes the Linux kernel. It does not require root access, but shell access is required. It affects both 2.4.2x and 2.6.x kernels on the x86 architecture

The flaw was by accident discovered by Stian Skjelstad while he was doing some code tests. He was quite surprised when I discovered that the code he was trying froze his machine. He reported it to the Linux-kernel mailing list and the gcc bugzilla 2004-06-09.

Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code. Squid Web Proxy Cache supports Basic, Digest and NTLM authentication.

A remote attacker can compromise a target system if Squid Proxy is configured to use the NTLM authentication helper. The attacker can send an overly long password to overflow the buffer and execute arbitrary code.

A law that the government said would clamp down on those who send millions of unsolicited junk emails is instead causing more hassle for anti-spam campaigners

Pioneering anti-spam organisation The Spamhaus Project has begun receiving threats from spammers, many of whom appear to have moved into Britain following the establishment of controversial UK laws that ostensibly outlaw the spamming of personal email addresses.

Spamhaus founder Steve Linford revealed told the Openwave messaging anti-abuse conference in London this week that this legislation has had a counterproductive effect. "For the first time we have very tenacious spamming gangs setting up in the UK," said Linford. "And, for the first time, we have spammers threatening us with legal action."

Microsoft's plan to reduce spam by forcing an email sender's machine to solve a puzzle may be defeated by the Internet's army of zombie PCs, say security experts

One of Microsoft's plans to fight the spam epidemic is unlikely to adversely affect spammers or reduce the quantity of spam, according to security experts.

Microsoft's chairman Bill Gates has been calling for the IT industry to work together and eradicate the spam problem. About six months ago he unveiled an initiative called Penny Black, which was a method for reducing a spammer's ability to send large volumes of unsolicited emails using Hotmail and MSN accounts. He suggested making the senders' computer process a complicated mathematical puzzle, which takes approximately 20 seconds, before each message is released. The puzzle's result is attached to the email's header, so that a receiving gateway can recognise emails that have been through the process and allow them to pass.

Two good reasons for having the latest Microsoft patches have emerged in the form of Bobax and Kibuv

Investigations into recent increases in port 5000 scans have revealed the existence of two new worms: Bobax and Kibuv.

The W32/Bobax-A worm, which employs the same Microsoft security vulnerability as the Sasser worm to break into computers, uses port 5000 to identify Windows XP systems (the port used for "Universal Plug and Play").

According to the Sophos Web site, this new worm "is capable of turning infected computers into spam factories and launchpads for denial-of-service attacks against Web sites."

The process is explained on the LURHQ security site: "unlike proxy Trojans which require the spammer to connect and send each individual piece of mail, Bobax sends the mail using a template and a list of email addresses. This has the benefit of offloading almost all the bandwidth requirements of spamming onto the Trojaned machines, allowing the spammer to operate with minimal cost."

This year marks the 20th anniversary of the Supreme Court's now famous Betamax decision. On January 17, 1984, the Court ruled that Sony's Betamax VCR was perfectly legal.

The majority opinion, written by Justice John Paul Stevens, said that although you could, in theory, use the device to record copyrighted television shows and movies and then sell them for profit, most consumers merely used their VCRs for "time-shifting," recording their favorite shows for viewing at a later time. Americans, the court decided, should be allowed this sort of "fair use."

Yet, as we celebrate this anniversary, we don't enjoy the same freedoms with television shows and movies purchased on DVD. It's illegal to make copies of any DVD.even if you're just making backup copies for your own personal use. The Digital Millennium Copyright Act, a law passed in 1998, prohibits anyone from circumventing "copyright protection systems" used by digital media, and today, all DVDs are equipped with such protection.,1759,1594064,00.asp

Microsoft is claiming that its $250,000 reward was responsible for the Sasser author's arrest, but experts say money alone will not stop the virus and spam problem.

Microsoft's $5m Reward Program may help catch script kiddies, such as the German teenager suspected of authoring a variant of the Sasser worm, but it is unlikely to have any effect on virus writers working for organised crime syndicates, say security experts.

Four months after the MSBlast worm tore through the Internet, Microsoft announced it had set up a $5m fund -- to be used for rewarding people who offer information leading to a conviction with $250,000. Since the launch of the fund, although a number of suspected malware authors have been arrested, none have yet been convicted.

A third of UK companies and public sector organisations are 'wide open' to hackers because they are ignoring basic security flaws, industry experts have warned.

According to security firm NTA Monitor, UK businesses are drowning under a rising tide of medium and low-level security vulnerabilities as they fight to deal with high-risk security flaws.

The company's research - based on analysis of almost 500 network perimeter security tests of clients in both the public and private sector - found that a third of corporate networks have at least 10 flaws, opening themselves to "considerable risk of malicious attack".

SAN FRANCISCO, California (Reuters) -- A flaw in Microsoft's almost universally used Windows operating system could allow hackers to take control of a PC by luring users to a malicious Web site and coaxing them into clicking on a link, the company warned on Tuesday.

The world's largest software maker issued the warning as part of its monthly security bulletin, along with a patch to fix the problem.

The security warning was rated "important," the second most serious on Microsoft's four-tiered rating scale for computer security threats. The highest is "critical."

Anti-virus software company Symantec Corp. called the vulnerability a "high risk" due to the impact the flaw could have if successfully exploited.

Canada will work with the United States to set up a continent-wide early warning system against cyber-attacks.

The move to beef up defences against an assault on key computer systems is part of a national security policy announced Tuesday. "We live in an information age where threats are not just physical," the government said in explaining the new policy. "Attacks can be launched from and against the Internet and the systems connected to it."

Up to $85 million has been set aside within the Defence Department to improve assessments of threats and vulnerabilities to computer networks, increase the ability to respond promptly and develop the early-warning system.

About Me

About the Blogger

I suppose if you've been reading my site for any length of time, you're probably curious to know who I am, and why I think people will read my blog. Online, I'm known as Zuckervati, mostly because it's easy...
» More ...

Mailing List Signup

What? There's a mailing list?

Sign up for the Mailing List

Follow Me on Twitter

Recent Entries

Tag Cloud

politik / film / video / skeptic / cewl / techno / humour / haxors / nosh / can-con / gaming / religion / weird / sex / funny / eco / music / stupid / photos / cocktails / George Bush / blogosphere / flickr / travel / evolution / politics / creationism / creationist / mobile / awful / photography / Star Wars / awesome / geek / bartending / coffee / drinking / mixology / alcohol / liquor / bartender / cocktail recipe / cats / food / Savoy Cocktail Book / science / Lovecraft / books / parody / Cthulhu / articles / TV / pets / John McCain / Movable Type / promos / cartoons / sci-fi / Canada / Radio Zuckervati / cool / Roger Ebert / system / atheism / comics / reviews / technology / writing / zombies / anime / anonymous / MMO / Star Trek / television / Alinea / animation / Batman / Futurama / Halloween / horror

Twitter Stream

D H McKee's bookshelf: to-read

Sunset and Sawdust
tagged: to-read
The Thicket
tagged: to-read
tagged: to-read