Recent Posts751
Living Room / Tech News Weekly: Edition 41 [NEW]
« Last post by Ehtyar on October 10, 2008, 06:18 PM »The Weekly Tech News
| Hi all. I apologize for the name of this post, but no this is not a repeat of last week's news. It seems the script I use to create the post templates (or as Mouse Man refers to it, the "time space continuum template") had me predicting the news for the coming week as opposed to reporting it for the week past. From now on this will be fixed. See last week's news here. Next, I'd like to thank 40hz for his excellent banner, which I will be using from now on.  Finally, it has been apparent that not being able to link to a specific article makes referencing and replying to the weekly news rather difficult, so I've taken the liberty of adding anchors to the title of each article. From now on, the title of each article will be a hyperlink to that specific article. Try it out by clicking here. Well that's about it, hope you like this week's news  |
1. Clickjacking FAQ
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818&source=NLT_SEC&nlid=38
Another link: http://ha.ckers.org/blog/20081007/clickjacking-details/
And another: http://www.darkreading.com/document.asp?doc_id=165073
Aaand again: http://www.darkreading.com/document.asp?doc_id=165431
Index finger getting tired yet? http://www.webmonkey.com/blog/Hackers_are_Watching_You%3A_Flash_Clickjacking_Vulnerability_Exposes_Webcams_and_Mics
A very educational FAQ from ComputerWorld regarding the increasingly common "clickjacking" attack vector. Like we needed another reason to disable flash.
Last week, a pair of security researchers spread the news that a new class of vulnerabilities, called "clickjacking," puts users of every major browser at risk from possible attack.
Robert Hansen, founder and chief executive of SecTheory LLC, and Jeremiah Grossman, chief technology officer at WhiteHat Security Inc., spilled some beans last week after they gave a semi-closed presentation at OWASP AppSec 2008 in New York.
2. New Hack Trashes London's Oyster Card
http://www.techworld.com/security/news/index.cfm?newsID=105337&pagtype=all
Another link: http://arstechnica.com/news.ars/post/20081008-charlie-and-the-broken-rfid-mass-transit-authentication-system.html
Researchers have published source code that will allow tech-savvy people to duplicate smart cards used by Boston's rail network and the London Oyster, among others.
Researchers have published a cryptographic algorithm and source code that could be used to duplicate smart cards used by several major transit systems, including Boston's Charlie Card and the London Oyster card.
Scientists from the Dutch Radboud University Nijmegen presented their findings during the Esorics security conference on Monday in Malaga, Spain. They also published an article with cryptographic details.
3. Symantec Buys Message Labs
http://www.securitypronews.com/insiderreports/insider/spn-49-20081008SymantecBuysMessageLabs.html
Security firm Symantec has agreed to buy online messaging security firm MessageLabs for $US695 million, thereby securing its position in the SOftware-as-a-Service market..
Symantec, the largest maker of computer security and data backup software, said it will pay 310 million pounds sterling and $154 million in US dollars.
The company says its purchase of MessageLabs will give it a stronger position in the rapidly growing Software-as-a-Service (Saas) market and strengthen its lead in the messaging security industry.
MessageLabs is the top provider of online messaging security globally with more than eight million end users at more than 19,000 clients ranging from small business to Fortune 500.
4. Cyberscammers Taking Advantage Of Poor Economy
http://www.wubbfm.com/cc-common/news/sections/lifestylearticle.html?article=4379223
Another link: http://www.darkreading.com/document.asp?doc_id=165537
As one might expect, it appears the online nasties are already using people suffering from the economic downturn to benefit themselves. The attacks appear to be focusing on SPAM and phishing tactics.
Fear surrounding the growing economic calamity is feeding online criminals' efforts to steal consumers' personal information, computer-security experts say.
The number of fake Web sites, spam e-mail and phishing attacks has mushroomed as cybercrooks seek to take advantage of the sudden widespread alarm, the experts say.
Most scams center on spam and phishing against the backdrop of bank failures, mergers and takeovers, the experts tell USA Today.
5. U.S. Gov't Proposes Digital Signing of DNS Root Zone File
http://www.itworld.com/networking/55952/us-govt-proposes-digital-signing-dns-root-zone-file
The United States is finally accepting advice on how to protect the DNS root zone file from attacks. Naturally VeriSign is playing a mine-is-bigger-than-yours game with ICANN over who should hold the keys.
The U.S. government is soliciting input on a way to make the Internet's addressing system less susceptible to tampering by hackers.
Under the idea, records in the DNS (Domain Name System) root zone would be cryptographically signed using DNSSEC (Domain Name and Addressing System Security Extensions), a set of protocols that allows DNS records to carry a digital signature.
6. UCSniff - VoIP Eavesdropping Made Easy
http://www.theregister.co.uk/2008/09/30/voip_eavesdropping_tool/
A new tool has been released to demonstrate just how easy it is to eavesdrop on VoIP conversations.
A security consultant with expertise in protecting phone conversations as they travel over the internet has unveiled a new tool that demonstrates just how vulnerable voice over internet protocol, or VoIP, calls are to interception.
UCSniff bundles a hodgepodge of previously available open-source applications into a single software package that helps penetration testers assess the security of VoIP calls carried over a client's network. It also introduces several new features that make eavesdropping on specific targets a point-and-click undertaking.
UCSniff runs on a laptop that can be plugged in to the ethernet port of the organization being probed. From there, a VLAN hopper automatically traverses the virtual local area network until it accesses the part that carries VoIP calls. Once the tool has gained unauthorized access, UCSniff automatically injects spoofed ARP, or address resolution protocol, packets into the network, allowing all voice traffic to be routed to the laptop.
7. Elvis Has Left the Country
http://freeworld.thc.org/thc-epassport/
As a followup to story number 2 in last week's news, Hacker's Choice have released a video of an e-Passport self-scanner at Amsterdam airport accepting a modified passport purporting to belong to Elvis Presley.
The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips does not
work. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.
8. Ransomware Author Tracked Down, But Not Nicked
http://www.theregister.co.uk/2008/10/01/gpcode_author_hunt/
A Russian national, allegedly the creator to the infamous Gpcode Trojan has been identified, but is unlikely to be charged due to Russia's lack of action against cybercrime.
The Russian VXer who created the infamous Gpcode ransomware Trojan has been identified - but an early arrest isn't likely.
With cybercrime way down the priority list in Russia, the malware author - known to the police after security firm Kaspersky Labs winkled out a likely IP number for him - is liable to remain at large for some time.
9. Hackers Penetrate South Korean Missile Manufacturer
http://www.theregister.co.uk/2008/10/01/missile_manufacturer_hacked/
Hackers have broken into a South Korean arms manufacturer's computer system, and may have stolen blueprints.
Black hat hackers were able to steal information from a South Korean missile manufacturer after planting malicious code on the company's computer system, according to news reports.
According to the country's National Security Research Institute, the code was installed on the computer network of LIGNex1 Hyundai Heavy Industries, a manufacturer of guided missiles, ground-to-air weapons, war ships, and submarines.
10. Ecommerce Standard Tightens Up Wireless Security
http://www.theregister.co.uk/2008/10/02/pci_dss_update/
In this latest revision, the Payment Card Industry Data Security Standard will disallow use of WEP from mid-2010 and will ban it in new establishments from April 2009. What a joke.
A revised version of an important security standard for ecommerce merchants was published on Wednesday.
Version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS) mostly tweaks and clarifies the existing framework for the secure processing of credit card data. The 12 existing requirements - covering areas such as the need to used a firewall, store cardholder data securely and encrypt transmission of cardholder data - remain unchanged.
11. RealNetworks Sued Over DVD Copying Software
http://seattletimes.nwsource.com/html/businesstechnology/2008217705_realnetworks010.html
Another link: http://arstechnica.com/news.ars/post/20081005-judge-temporarily-halts-sale-of-realdvd-in-wake-of-lawsuit.html
Half of corporate Hollywood is suing RealNetworks to prevent them from selling their RealDVD DVD copying software.
Hollywood's six major movie studios Tuesday sued Seattle-based RealNetworks to prevent it from distributing DVD-copying software they said would allow consumers to "rent, rip and return" movies or even copy friends' DVD collections outright.
The studios stand to lose key revenue from DVD sales, estimated by Adams Media Research at $14 billion this year, if consumers stop buying DVDs and copy rental discs from outlets like Netflix and Blockbuster instead.
12. T-Mobile Confirm Theft of Personal Data On 17M Customers
http://www.darkreading.com/document.asp?doc_id=165280
T-Mobile, and its parent company Deutsche Telekom have admitted that a USB storage device was misplaced in 2006, and the incident not revealed to customers. Reports indicate the data may be in use by cyber-criminals.
Deutsche Telekom, owner of the T-Mobile wireless network, admitted this weekend that the mobile service suffered a data theft in 2006 that may have exposed the personal information of some 17 million customers.
Deutsche Telekom made a statement about the T-Mobile data theft on Saturday, anticipating the release of a story about the breach by the German magazine Der Spiegel on Sunday.
13. Free Tool Hacks Banking, Webmail, and Social Networking Sessions
http://www.darkreading.com/document.asp?doc_id=165303
A new tool will allow an attacker to hijack online sessions that use secure login.
A researcher will demonstrate a free, plug-and-play hacking tool this week that automatically generates man-in-the middle attacks on online banking, Gmail, Facebook , LiveJournal, and LinkedIn sessions -- even though they secure the login process.
Jay Beale, who recently released the so-called “Middler” open-source tool, will show it off at the SecTor conference in Toronto. Aside from the unnerving capability of hacking into sites that perform secure logins and then use clear-text HTTP, Middler is also designed for use by an attacker with no Web-hacking skills or experience. “The Middler allows an attacker with no Web application-hacking experience to launch attacks that previously required substantial time and skill,” according to Beale.
14. Metasploit Hacking Tool Now Open for Licensing
http://www.darkreading.com/document.asp?doc_id=165636
Metaspoit is now completely open source and openly licensed.
The wildly popular Metasploit hacking tool for the first time is now officially open source, open-license technology that can be incorporated into commercial tools.
The free research and penetration testing tool historically has had restricted, non-commercial licensing so that it could only be used by researchers or in-house penetration testers -- not repackaged, redistributed, or sold. But in the new version 3.2 -- due later this month in its final version -- Metasploit project lead HD Moore and his team have transformed Metasploit into an official open source project, complete with a BSD 3-Clause license arrangement that allows others to sell, rename, or “fork” the code in another direction.
15. Asus Install DVD Woes Continue With Worm On Eee Box
http://arstechnica.com/journals/hardware.ars/2008/10/09/asus-install-dvd-woes-continue-with-worm-on-eee-box
Discussion by Carol Haynes here: https://www.donationcoder.com/forum/index.php?topic=15272.0
This post should probably be cross-posted over at jobs.ars, because Asus may soon be looking for a new preloaded software department. For a second time this year, preloaded software on Asus's popular Eee line of PCs has show itself to have some unintended content. This time, the Windows versions of Asus' Eee box nettop have been loaded with an infectious computer worm.
Last month, recovery DVDs shipped with Eee netbooks were found to contain a software crack for WinRAR, along with secret Microsoft documents meant to be read only by PC OEMs. The DVD also contained MS software with application keys, and source code for a number of Asus applications. The scandal spread, with users finding the same files on recovery DVDs of other Asus computers, and even more bizarre files, including resumes and personal files of Asus employees. At the time, Asus told PCPro "We will be investigating this at quite a high level. Once the investigation is complete, we will ensure it doesn't happen again."
16. Antitrust Suit Against Apple and AT&T Will Proceed
http://arstechnica.com/journals/apple.ars/2008/10/07/judge-antitrust-suit-against-apple-and-att-can-proceed
A class action lawsuit against Apple and AT&T for bricking unlocked iPhones has been allowed to continue.
A federal judge has denied Apple's and AT&T's motions to dismiss a class-action lawsuit filed last year alleging various violations of antitrust and consumer protections laws. The judge agreed to Apple's motion, however, to limit the claims to laws of New York, California, and Washington, where the plaintiffs in the case reside.
The original lawsuit was filed last year after Apple released a contentious 1.1.1 update to iPhone's OS, which "bricked," or rendered inoperable, iPhones that had been modified to work on other carriers and/or run third-party software. When the phones became inoperable, Apple refused to honor the warranty on the grounds that the phones had unauthorized modifications.
17. Mono 2.0 Spreads .Net to Linux and Mac
http://www.linuxinsider.com/story/64746.html
Mono 2.0 is released. Not sure if .NET on Linux and Mac is a good thing or a bad thing myself :S
For developers who have fallen in love with .Net/C#, but aren't married to running their applications on Windows, the Mono Project aims to let Microsoft .Net-based apps run on Linux and Mac OS X, among several other platforms. Sponsored by Novell, the Mono Project has released Mono 2.0 of its cross-platform, open source .Net development framework.
Basically, Mono 2.0 lets users run both client and server applications on Linux, and helps developers figure out which changes they may need to make to their applications for .Net-to-Linux migrations.
18. Sony, Microsoft Virtual Communities to Start
http://news.wired.com/dynamic/stories/A/AS_TEC_JAPAN_SONY_MICROSOFT?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2008-10-09-08-34-28
Just to tick off the Playstation/X-Box zealots, I thought I better post this article about the two companies blatantly ripping off Nintendo's Mii
Video game rivals Sony and Microsoft are going head-to-head in virtual worlds for their home consoles later this year.
Both companies announced their services, which use graphic images that represent players called "avatars," Thursday at the Tokyo Game Show.
Sony Corp.'s twice delayed online "Home" virtual world for the PlayStation 3 console will be available sometime later this year, while U.S. software maker Microsoft Corp., which competes with its Xbox 360, is starting "New Xbox Experience" worldwide Nov. 19.
19. Apple Hears Developers, Nixes IPhone NDA
http://www.webmonkey.com/blog/Apple_Hears_Developers__Nixes_iPhone_NDA
Apple has removed the non-disclosure agreement associated with the iPhone's Software Development Kit.
iPhone developers are free at last to talk about their applications. Apple has officially dropped the nondisclosure agreement that prohibited developers from discussing the iPhone’s operating system, application code and development kit, according to an announcement made on Apple’s website Wednesday morning.
Meanwhile, across the internet, Ewoks pound drums and sing songs. Or, rather, developers are finally venting their frustration and enjoying the freedom to talk about all their hard work over the last few months without fear of Apple’s retribution.
20. Gmail Helps Stop Your Drunken E-mail Rants
http://www.webmonkey.com/blog/Gmail_Helps_Stop_Your_Drunken_E-mail_Rants
*cough*
Is your Saturday morning inbox filled with regret and self-loathing for the drunken e-mails you fired off the night before? If so, Gmail might have a solution for you. Google’s Gmail Labs has a new experimental featured dubbed “Mail Goggles” which will attempt to prevent you from sending out those ill-advised late night e-mails.
Gmail developer Jon Perlow created Mail Goggles as a kind of e-mail sobriety test. It works by stopping your message when you hit send and then presents a series of simple math problems you need to solve before you really send the e-mail.
Ehtyar.
