Tech News Weekly: Edition 46

[Ehtyar]

The Weekly Tech News

Hi all. No metanews this week ladies and gents. As usual, you can find last week's news here.

1. Valve Tried to Trick Half Life 2 Hacker Into Fake Job Interview

Spoiler

http://blog.wired.com/27bstroke6/2008/11/valve-tricked-h.html
Well known game making firm Valve attempted to lure a suspected German hacker to the United States (to be arrested) by offering him a job.

After the secret source code for its then-unreleased shooter Half Life 2 showed up on file sharing services in 2003, game-maker Valve Software cooked up an elaborate ruse with the FBI targeting the German hacker suspected in the leak, even setting up a fake job interview in an effort to lure him to the United States for arrest.

The gambit ultimately failed, and Axel "Ago" Gembe remained safely in Germany. He was indicted last month in Los Angeles on new charges of creating the Agobot malware, and sharing it with a crew of U.S. hackers who used it to stage denial-of-service attacks in 2003.

2. Security Experts Reveal Details of WPA Hack

Spoiler

http://www.heise-online.co.uk/security/Security-experts-reveal-details-of-WPA-hack--/news/111922
Followup from: https://www.donationcoder.com/forum/index.php?topic=15629.0#post_WPA_WiFi_Encryption_is_Cracked
For the more technically inclined: http://arstechnica.com/articles/paedia/wpa-cracked.ars
Also, WPA2 is not next on the chopping block: http://erratasec.blogspot.com/2008/11/wpa2-is-not-next-on-chopping-block.html
The researchers who last week claimed to have broken WEP encryption have revealed their technique; it's a variant of the chopchop attack used against WEP. IMO the attack probably isn't worthy of all the hype.

In their paper, Practical attacks against WEP and WPAPDF, Martin Beck and Erik Tews have published details about their attacks on WPA secured networks. The attack is essentially a variant of the chopchop attack used against WEP secured networks, which surfaced in early 2005. The name "chopchop attack" is a nod to the KoreK-developed chopchop tool, which allows the user to decrypt an arbitrary encrypted data packet without having to know the WEP key.

The program slices off the last byte of a WEP packet. Under the assumption that the final byte was the zero byte, it attempts to reconstruct a valid checksum with an XOR link from the last four bytes to a specific value. Then it sends the packet to an access point and observes whether it is accepted. If not, it assumes that the sliced off byte was a 1 – in the worst case it continues this process all the way to 256. This process is then repeated for every other byte in the packet. Once finished, the attacker has the packet in plain text.

3. Google Encourages Profile Verification

Spoiler

http://www.datastronghold.com/index.php/tech-news/1481-who-are-you-google-profiles-knows
Google are encourages users with profiles to have the information on them 'verified' by a third party.

Google also added an additional feature that lets people verify their actual information by checking the data against phone records or credit card records.  Here's what Google had to say about the verify procedure.

"Profiles will display a 'verified name' badge, if the user has verified their name through Knol. Any user can go through Knol's interface to obtain the verified badge," Google said in a statement.

4. IT Security 'Myth Or Truism'

Spoiler

http://edge.networkworld.com/news/2008/110608-security-myths.html
If nothing else, and interesting insight into the opinions of some of IT's best known security gurus. Shame about some of the awful questions.

They are etched into the conventional wisdom of IT security, but are these 12 articles of faith (to some) actually wise, or are they essentially myths? We've assembled a panel of experts to offer their judgments.

5. Firefox 3.0.4 Closes Nine Security Holes

Spoiler

http://www.heise.de/english/newsticker/news/118852
http://news.cnet.com/8301-1009_3-10096399-83.html
Mozilla's most recent Firefox fixes 9 security vulnerabilities, 4 critical. They involve crash bugs, a privilege escalation vulnerability, and a remote code execution vulnerability.

The Mozilla Foundation has released Firefox version 3.0.4 to close nine security holes. The developers rated four of the holes as critical because they allow attackers to execute arbitrary code on the victim's system. One of the critical holes is a classical buffer overflow that can be triggered via specially crafted server responses.

A flaw in the way the browser restores a session after a program crash can cause Firefox to violate the same-origin policy when executing JavaScript code, which could be exploited to execute the code in the context of a different website. Attackers could remotely trigger a crash and subsequent restart to steal a user's access data to other web pages, for example.

6. Spam Declines After Hosting Company Shut-down

Spoiler

http://news.cnet.com/8301-1009_3-10095730-83.html
A significant drop in eMail SPAM has been seen across the globe as a direct result of the closure of a notorious ISP.

Internet hosting site McColo disappeared on Tuesday. Along with it went thousands of pieces of spam, thanks, in part, to investigative work by Washington Post reporter Brian Krebs.

For about four months, security experts have been collecting data about McColo Corp., a San Jose, Calif.-based Web hosting service that may have been used by by the cyber underground, according to the The Washington Post. Krebs said that the McColo hosting company had been responsible for up to 75 percent of all spam spent.

7. Equifax Offers Its First I-card

Spoiler

http://news.cnet.com/8301-1009_3-10096835-83.html
As one might have expected: Equifax's new age-verification tool cumbersome, limited
The first 'online over-18 cards' have been dispensed by Equifax. Governments and corporate identities hope it will soon become the norm to posses an 'online wallet' in order to verify ones identity online. As a member of the tin-foil-hat-brigade, I'm far from impressed.

Equifax on Thursday introduced it's first information card or I-card, Equifax Over 18 card. I-cards are envisioned to be the online equivalent of a driver's license, passport, or similar ID. The basic idea is that customers would have an electronic wallet with various information cards that would allow customers to bypass typing in user names and passwords.

In this case, the Equifax card proves--via a trusted third party--that you are over 18 when accessing specially marked Web sites. "With fraud and identity theft on the rise, companies need better, more secure ways to conduct transactions online and take their identity management practices to the next level," said Steve Ely, president of Equifax Personal Information Solutions, in a statement.

8. IE Supports HTTPOnly Cookies

Spoiler

http://ha.ckers.org/blog/20081111/httponly-fix-in-msxml/
With the release of MS08-069 cookies marked as HTTPOnly will no longer be accessible to javascript in IE.

I’m happy to announce that Microsoft has released MS08-069 today. It’s got a lot of changes in it, but one in particular that I’ve been tracking for about a year now. MSXML has made a change so that HTTPOnly cookies cannot be read by XMLHTTPRequest within IE. Why is that good? It makes it so that JavaScript can no longer steal cookies that try to protect themselves. That’s a good thing.

It might seem like a big thing that that was even possible, but really it’s not as bad as it sounds, making this issue a lower priority in my mind. Cookies are rarely sent from the server to the client on every request and typically do require some information to be sent (like a username and password) before the Set-Cookie header is sent. So XMLHTTPRequest was really only useful for stealing cookies if the Set-Cookie header was sent on every request. Maybe there are some sites out there that do that, but it’s not that common. Either way, I’m glad MS got around to fixing it.

9. Visa Tests Credit Card With Random Number Generator

Spoiler

http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=212001898
Visa is now testing a credit card with a built in random number generator to replace the existing 'CCV' verification system in the hopes it will better protect against card-not-present fraud.

Visa is testing a new credit card that can generate a random-number passcode to help ensure it won't be used by unauthorized individuals.

In trials starting this week at four banks -- Bank of America UK, Corner Bank in Switzerland, Cal in Israel, and IW Bank in Italy -- Visa and EMUE Technologies are testing a Visa PIN card, an alternative to the "CCV" code currently printed on the back of most cards to help ensure that the individual is actually in possession of the card. The technology was first introduced in June.

10. AVG Incorrectly Flags User32.dll in Windows XP SP2/SP3

Spoiler

http://arstechnica.com/journals/microsoft.ars/2008/11/11/avg-incorrectly-flags-user32-dll-in-windows-xp-sp2sp3
A routine signature database update for AVG antivirus last week saw users of Windows XP SP2/SP3 warned that user32.dll was actually a virus, and upon removal could not boot their systems.

After a Sunday virus definition update, AVG's antivirus software began to mistakenly warn users that their system had a virus entitled PSW. banker4.APSA and suggested it had to be removed. The file that was being flagged was actually "user32.dll," a key Windows file. Many users chose to delete the file, which resulted in their Windows systems going into an endless reboot cycle, or stopped them from booting at all. Only users of Windows XP Service Pack 2 and Service Pack 3 seem to have been affected (users who have moved to Vista can apparently breathe a sigh of relief). Both AVG 7.5 or 8.0 was affected by the flawed definition file.

11. 26th Year of Asteroids Record

Spoiler

http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113
The record for the highest score in the arcade game 'Asteroids' has been standing (and still is) for twenty-six years.

1982: Fifteen-year-old Scott Safran of Cherry Hill, New Jersey, sets the world record score in the arcade game Asteroids — the longest-standing videogame high score in history.1

Safran, who had been practicing nonstop at the game for the previous two years, agreed to play a marathon session of Atari's popular outer-space shooting game as part of a charity event in Pennsylvania. His mother drove him to the event and lent him a quarter, which he dropped into the machine Nov. 13.

12. Pentagon Clears Flying-Car Project for Takeoff

Spoiler

http://blog.wired.com/defense/2008/11/darpas-flying-c.html
The Pentagon has commissioned work on "Personal Air Vehicle Technology" which it hopes will lead to the development of a helicopter/car hybrid or something similar. Sorry guys, this is for military application only at the moment

Pentagon mad-science division Darpa is helping build thought-controlled robotic limbs, artificial pack mules, real-life laser guns and "kill-proof" soldiers. So it comes as no surprise, really, that the agency is now getting into the flying-car business, too.

Darpa hopes its "Personal Air Vehicle Technology" project, announced yesterday, will ultimately lead to a working prototype of a military-suitable flying car -- a two- or four-passenger vehicle that can "drive on roads" one minute and take off like a helicopter the next. The hybrid machine would be perfect for "urban scouting," casualty evacuation and commando-delivery missions, the agency believes.

13. First Direct Image of Multiple Exoplanets Orbiting a Star

Spoiler

http://blog.wired.com/wiredscience/2008/11/first-direct-im.html
Firstly...COOL!! In the past, planets were detected by the disturbances their field of gravity caused their star. Now, we can see them directly.

For the first time, astronomers have taken a visual image of a multiple-planet solar system beyond our own.

Using the Gemini North telescope and the W. M. Keck Observatory on Hawaii's Mauna Kea, researchers observed in infrared light three planets orbiting around a star about 130 light-years away from Earth, called HR 8799. The discovery, published today in Science Express, is a step forward in the hunt for planets, and life, beyond Earth.

14. Net Spying Firm and ISPs Sued Over Ad System

Spoiler

http://blog.wired.com/27bstroke6/2008/11/net-spying-firm.html
A class action lawsuit has been filed against advertising firm NebuAd and its partner ISPs for illegally spying on their customers in order to deliver targeted advertisements. Tin-foil-hat-brigade: 1, ISPs/NebuAd: 0.

Net eavesdropping firm NebuAd and its partner ISPs violated hacking and wiretapping laws when they tested advertising technology that spied on ISP customers web searches and surfing, according to a lawsuit filed in federal court Monday.

The lawsuit seeks damages on behalf of thousands of subscribers to the five ISPs that are known to have worked with NebuAd. If successful, the suit could be the final blow to the company, which abandoned its eavesdropping plans this summer after powerful lawmakers began asking if the companies and ISPs violated federal privacy law by monitoring customers to deliver targeted ads.

15. Google Fixes Embarrassing Android Bug

Spoiler

http://blog.wired.com/gadgets/2008/11/google-fixes-an.html
Google has fixed a rather odd flaw in Android that caused any text typed in any application to be passed to the phone's command shell, then executed with root privileges.

Google has fixed an a potentially devastating bug in its newly released Android operating system.

Some users of T-Mobile's G1 phone found that typing any word on the phone's keyboard — in any application — sent whatever they typed to the phone's command line shell.

Those commands were then executed with root user privileges, meaning there were no limitations on what the commands could do to the phone. For instance, texting the word 'reboot' would actually cause the phone to do so.

16. Obama Administration To Keep Fewer Secrets?

Spoiler

http://arstechnica.com/journals/law.ars/2008/11/07/setec-astronomy
An interesting collection of potential indications of a more open information policy from the soon-to-be Obama administration. Yay tin-foil-hat-brigade! For those of you that don't get the 'Setec Astronomy' reference, it's an anagram of 'Too Many Secrets', and you'd better get your arse down to the local rental place and get yourself a copy of Sneakers RIGHT NOW!!

Steven Aftergood of Secrecy News dangles this tantalizing (if vague) tidbit about classification policy under the Obama administration:

    “I know things are going to change,” one executive branch official with national security classification responsibility said this morning.  “The folks that are inbound have a keen appreciation for the kind of things that need to occur,” the official said.

Aftergood notes that Center for American Progress honcho John Podesta, the Clinton White House alumnus who's heading up Obama's transition team, delivered a broadside against overclassification in testimony before Congress just a few months ago:

    Excessive secrecy conceals our vulnerabilities until it is too late to correct them. It slows the development of the scientific and technical knowledge we need to understand threats to oursecurity and respond to them effectively. It short-circuits public debate, eroding confidence in the actions of the government. It undermines the credibility of the information security system itself, encouraging leaks and causing people to second-guess legitimate restrictions.

Ehtyar.

[city_zen]

Excellent job, Ehtyar 

And great news about that spammer company being taken down. I did notice a reduction in spam in the last few days. Let's hope it lasts ...

[Ehtyar]

Excellent job, Ehtyar 

And great news about that spammer company being taken down. I did notice a reduction in spam in the last few days. Let's hope it lasts ...

-city_zen (November 14, 2008, 07:18 PM)

Thanks
Highly unlikely it will last. spammers are used to this sort of thing, they'll be setup elsewhere in no time.

Ehtyar.

[city_zen]

Highly unlikely it will last. spammers are used to this sort of thing, they'll be setup elsewhere in no time.

-Ehtyar (November 14, 2008, 07:20 PM)

I know, it's inevitable. I guess it was just a bit of wishful thinking on my part ...

But eventually it's all about raising the costs for spammers, to make their business less profitable and therefore less attractive. If they're forced to other, and more expensive, hosts, a reduction of spam may be feasible.

[Ehtyar]

I know, it's inevitable. I guess it was just a bit of wishful thinking on my part ...

But eventually it's all about raising the costs for spammers, to make their business less profitable and therefore less attractive. If they're forced to other, and more expensive, hosts, a reduction of spam may be feasible.

-city_zen (November 14, 2008, 07:51 PM)

I like that way of thinking

Ehtyar.

[zridling]

Speaking of spam, did anyone else notice the naughtiest Dilbert comic ever this week?

Do you know what the "lucky guess" refers to?

[housetier]

Where is the source for #14?

(and how do make links that won't open a new tab/window?)

[mahesh2k]

  Ehtyar Great news as usual

[Ehtyar]

Sorry house man, fixed now. Link is here.

Ehtyar.

[housetier]

very good! thanks

[ewemoa]

Thanks for this week's edition

Number 13 is amazing.