The Weekly Tech News
Hi all. Just a few quick messages:
First, this is the new layout in response to feedback from last week's news. As always, any constructive feedback is appreciated.
Second, two of the articles in this week's news were submitted by forum members. If anyone would like to contribute a story that I may have missed in a previous week, or simply would like to ensure that I do include a story for a following week, please leave me a PM on the forum or on irc.
Thanks, Ehtyar.
1. TCP Flaws Put Websites At Risk
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
http://news.cnet.com/8301-1009_3-10056759-83.html
Researchers have found several fundamental flaws in TCP that, if exploited, may be capable of bringing down internet heavyweights like Google or Microsoft.
A pair of security experts are now discussing several fundamental issues with the TCP protocol that can be exploited to cause denials of service and resource consumption on virtually any remote machine that has a TCP service listening for remote connections.
The problems, which were identified as far back as 2005, are not simply vulnerabilities in products from one or two vendors, but are issues with the ways in which routers, PCs and other machines handle TCP connection requests from unknown, remote machines. The attacks can be carried out with very little bandwidth, such as that available on a cable modem, and there don't appear to be any workarounds or fixes for the problems at this point.
2. How To Clone and Modify E-Passports
http://www.schneier.com/blog/archives/2008/09/how_to_clone_an.html
A group of hackers has released a tool allowing people to clone and modify electronic passports by exploiting a weakness that is apparently the result of using self-signed certificates... but whom do you make the CA for the entire globe's passports?
So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.
3. Top Secret MI6 Camera Sold On eBay
http://www.techcrunch.com/2008/09/30/top-secret-mi6-camera-sold-to-the-highest-bidder-on-ebay/
A camera containing top secret information, including credentials for logging into MI6's network, was allegedly sold by an MI6 agent on eBay.
A 28-year-old delivery man from the UK who bought a Nikon Coolpix camera for about $31 on eBay got more than he bargained for when the camera arrived with top secret information from the UK’s MI6 organization.
Allegedly sold by one of the clandestine organization’s agents, the camera contained named al-Qaeda cells, names, images of suspected terrorists and weapons, fingerprint information, and log-in details for the Secret Service’s computer network, containing a “Top Secret” marking.
4. Microsoft, Washington State Sue Scareware Purveyors
http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_state_tar.html
Microsoft and the state of Washington have stepped up to take on groups that use false and/or misleading security alerts to trick concerned customers into purchasing software.
Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.
The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's company caused targeted PCs to pop up misleading security alerts about security threats on the victims' computers. The alerts warned users that their systems were "damaged and corrupted" and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.
5. Nasty web bug descends on world's most popular sites
http://www.theregister.co.uk/2008/09/30/web_bug_bites_sites/
http://news.cnet.com/8301-1009_3-10056854-83.html
Princeton University researchers have uncovered a series of cross-site request forgeries in some of the world's most popular websites, one of which would have permitted fund transfers from a victim's bank account. Internet Explorer and Firefox users are known to have been vulnerable.
Underscoring the severity of an exotic form of website bug, security researchers from Princeton University have cataloged four cross-site request forgeries in some of the world's most popular sites.
The most serious vulnerability by far was in the website of global financial services company ING Direct. The flaw could have allowed an attacker to transfer funds out of a user's account, or to create additional accounts on behalf of a victim, according to this post from Freedom to Tinker blogger Bill Zeller.
6. Cybersecurity holes exposed in Los Alamos nuke lab
http://www.theregister.co.uk/2008/09/29/los_alamos_cyber_insecurity/
A US Government Accountability Office audit has found the Los Alamos National Laboratory to be seriously under-secured, both on its unclassified network and physically.
The Los Alamos National Laboratory - easily the world's most sensitive and sophisticated research institution - is marred by cybersecurity weaknesses that compromise the way information on its unclassified network is protected.
According to an audit by the US Government Accountability Office (GAO), the New Mexico-based LANL recently began implementing measures to shore up information security. But vulnerabilities remain on its unclassified network, which contains sensitive information involving controlled nukes, export control, and personal details of lab employees. Physical security was also found to be lacking at the facility, one of only three US National Nuclear Security Administration (NNSA) labs.
7. Time To Look For A Skype Alternative (Thanks 40hz)
http://www.ghacks.net/2008/10/02/time-to-look-for-a-skype-alternative/
http://news.cnet.com/8301-1009_3-10056127-83.html
http://news.cnet.com/8301-1009_3-10057580-83.html
The voice over IP client Skype has never been off the radar of privacy activists. There were always rumours about backdoors in the voice communication software and that several organisations were able to record calls made by Skype users, although Skype claimed otherwise.
Skype messages have been a focus of privacy groups since the first news about the text filtering of messages in China became known to the public. Back then Skype released an official statement that the text filter applied by the Chinese Skype partner Tom Online would not affect the security and encryption mechanisms of Skype, that people's privacy would not be compromised and that calls, chats and other forms of communication on Skype would continue to be encrypted and secure.
Researchers and privacy activists of the University of Toronto discovered files on unprotected Chinese computers that contained filtered Skype messages that were recorded in China.
8. Adware supplies one third of all malware
http://news.cnet.com/8301-1009_3-10056912-83.html
A report released by Panda Security states that one third of all new malware is adware, particularly fake antivirus products.
On Thursday, Panda Security released its report for the third quarter stating that adware is responsible for one third of all new malicious software. In particular, the security company cited increased use of fake antivirus scanners.
The fake scanners typically report a computer infection and suggest downloading an application to remove the malware. Once downloaded, the scanners then ask computer users to purchase the application before it can remove an infection that never really exists. The goal of these attacks is financial gain.
9. New phishing attempt targets bank customers (Thanks housetier)
http://news.cnet.com/8301-1009_3-10057180-83.html
Phishers appear to be capitalising on the wave of bank acquisitions and the downturn in the global economy.
Many people are wondering what to do now that their bank has been acquired in the wake of the lending crisis. Well, whatever you do, don't click on links in e-mails purportedly sent by your bank.
Security firm SonicWall said Thursday that it has been seeing e-mails that attempt to lure people to fake bank Web sites, where they are asked to re-verify their personal and bank information as part of a merger.
10. Verizon gets industry-specific in breach report
http://news.cnet.com/8301-1009_3-10056490-83.html
An interesting report from Verizon detailing industry-specific data breach trends.
Risk factors for data breaches vary industry to industry and defy a "cookie cutter" approach to security, according to a report released Thursday by Verizon Communications.
The new report (PDF) builds on data released in June. The initial report spanned four years and included more than 500 forensic investigations involving 230 million compromised records.
11. Plant Tweak Could Let Toxic Soil Feed Millions
http://blog.wired.com/wiredscience/2008/10/plant-tweak-cou.html
A single genetic switch could allow crops to grow in aluminum-poisoned soil.
Thanks to a genetic breakthrough, a large portion of Earth's now-inhospitable soil could be used to grow crops -- potentially alleviating one of the most pressing problems facing the planet's rapidly growing population.
Scientists at the University of California, Riverside made plants tolerant of poisonous aluminum by tweaking a single gene. This may allow crops to thrive in the 40 to 50 percent of Earth's soils currently rendered toxic by the metal.
12. Google, Hotmail CAPTCHA Cracked
http://arstechnica.com/news.ars/post/20081002-right-back-at-ya-captcha-bad-guys-crack-gmail-hotmail.html
http://www.itsecurity.com/blog/20081003/xrumer-spambot-cracks-captchas/
The well-known spambot XRumer has received a substantial upgrade that reportedly allows it to break almost every form of CAPTCHA currently in use.
The decline in CAPTCHA efficacy has been an ongoing story in 2008, as hackers and malware authors have steadily found ways to chip away at the protection these security practices were once thought to offer. Now, new findings indicate that both Gmail and Windows Live Hotmail have been compromised again, this time via a more-streamlined attack process. With two of the largest webmail providers once again vulnerable, CAPTCHAs clearly aren't meeting the security needs of either company, and it may be time to reevaluate the use of them altogether.
13. RapidShare must remove infringing content proactively
http://arstechnica.com/news.ars/post/20081001-german-court-says-rapidshare-must-get-proactive-on-copyrighted-content.html
If a German court ruling is upheld, RapidShare may no longer be able to plead ignorance of infringing content hosted on its servers.
File sharing service RapidShare may find itself without a viable business model if a German court ruling stands. After getting sued by a German copyright holder, the company argued that it was doing all it could to screen out copyrighted material. The court, however, has ruled that its efforts were insufficient, raising questions about whether doing anything that was legally sufficient could be done without incurring enough costs to sink the company.
RapidShare is one of a large number of companies that will host large files for users who need to exchange them with friends and family. Like many of these companies, it offers a free service with limited features in the hopes of enticing users to spring for the cost of a premium service, which offers some significant perks, such as hosting larger files, unlimited download speeds, and permanent storage. All of this occurs through a simple web interface, and doesn't involve the P2P transfers that have attracted the ire of ISPs and the copyright industry. As a result, their popularity is growing rapidly; RapidShare accounts for five percent of all IP traffic in some regions.
14. Blizzard awarded $6 million in damages from WoW bot maker
http://arstechnica.com/news.ars/post/20081001-blizzard-awarded-6-million-in-damages-from-wow-bot-maker.html
World of Warcraft creator Blizzard has been awarded $6 million in a court case against MDY Industries, maker of the MMOGlider bot that automates gameplay, the use of which is against Blizzard's Terms of Service.
The case Blizzard brought against bot-maker MDY Industries has been going on since 2006, and while a judge ruled in July that MMOGlider infringed on Blizzard's copyrights, the question of whether the bot violates the DMCA is still open. That has not stopped the judge from awarding $6 million in damages in the case.
It's unknown how much money MDY Industries has made from its product MMOGlider, which allows users to automate the boring parts of World of WarCraft and essentially grind forever with no user involvement, but the $25 program had sold around 100,000 copies as of last year. In other words, the product was big business. Unfortunately, it also violated the game's terms of service.
Ehtyar.