Tech News Weekly: Edition 28-09

[Ehtyar]

The Weekly Tech News

Hi all. Enjoy As usual, you can find last week's news here.

1. Boffins Guess Social Security Numbers Via Public Data

Spoiler

http://www.theregister.co.uk/2009/07/07/ssn_guessing_algorithm/
http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hacking.ars
I don't imagine it's quite as easy as it sounds, but it looks like making SSNs the defacto form of identification it is now has come back to bite the US in the backside. Take heed rest of the world.

Predicting a person's social security number is a lot easier than previously thought, according to new scientific research that has important implications for identity theft.

Armed with publicly available information about where and when an individual was born, researchers from Carnegie Mellon University were able to guess the first five digits of a SSN on the first try for 44 percent of people born after 1989. The success rate balloons to as high as 90 percent for individuals born after 1989 in less populous states such as Vermont. Success rates also rise when the researchers got more guesses. The first five digits for six of 10 SSNs can be identified with just two attempts.

2. Apache Attacked by a "Slow Loris" (Thanks 40hz)

Spoiler

http://lwn.net/Articles/338407/
This story has been floating around for a while, and I've been dismissing it, but it's now pretty apparent that Apache aren't interested in doing anything about, and since Hertz Man brought it to my attention I thought it was worth posting. Apache is vulnerable to an attack vector that would allow an attacker to effectively DoS a server with only a single moderate-speed connection.

The slow loris is an exotic animal of southeast Asia that is best known for its slow, deliberate movements. This characterizes the technique used by a new Denial of Service (DoS) tool that has been named after the animal. Slowloris was released to the public by security researcher "RSnake" on June 17. Unlike previously utilized DoS methods, slowloris works silently. Still, it results in a quick and complete halt of the victim's Apache web server.

3. Teen Cuffed for Bomb Threat Webcam Pay-per-view

Spoiler

http://www.theregister.co.uk/2009/07/09/swatting_indictment/
In a story that makes you wonder what they're cutting the hard stuff with these days, a US 16 year old has been arrested for making prank calls to trigger an emergency response, then charging people to observe via live webcam feed.

A North Carolina teenager has been arrested and accused of phoning in bomb threats to schools and universities so he could charge admission for people to watch in real time over webcams as police responded.

Ashton C. Lundeby, 16, of Oxford, North Carolina took part in a group that used VoIP, or voice over IP, software and online gaming services to pull off the public stunts, which attracted hundreds of spectators, according to documents filed in federal court in Indiana Wednesday. Lundeby made bomb threats against 13 colleges or schools from the middle of 2008 through early March, prosecutors allege.

4. US [And Korean] Websites Buckle Under Sustained DDoS Attacks

Spoiler

http://www.theregister.co.uk/2009/07/08/federal_websites_ddosed/
http://news.bbc.co.uk/2/hi/asia-pacific/8142282.stm
I'm not aware of any apparent relation between these two attacks, but it seems the US and Korea are both suffering prolonged DDoS attacks against several high importance sites.

Websites belonging to the federal government, regulatory agencies and private companies have been struggling against sustained online attacks that began on the Independence Day holiday, according to multiple published reports.

At time of writing, most of the targets appeared to be afloat. Nonetheless, several targets have buckled under the DDoS, or distributed denial of service, attacks, which try to bring down a website by bombarding it with more traffic than it can handle. FTC.gov was experiencing "technical issues" on Monday and Tuesday that prevented many people from reaching the site, spokesman Peter Kaplan said.

5. Antisec Hackers Replace All Imageshack Images

Spoiler

http://www.cgisecurity.com/2009/07/antisec-hackers-replace-all-imageshack-images.html
Given that I never made a claim of objectivity when I started this weekly news cycle, I have no compunction in calling these people absolute scum-of-the-earth douche bags. These absolute scum-of-the-earth douche bags took it upon themselves to use a publicly published exploit to replace all the images on ImageShack to one protesting...public publishing of exploit code. Congratulations on revealing yourselves to be absolute scum-of-the-earth douche bags to the world Anti-Sec.

Thousands (Millions?) of sites img src'ing from imageshack are now displaying this hacked image. Certainly one of the largest pwnages I've seen in a long time. This is also the same group which recently hacked Astalvista.

6. NSA to Build Huge Facility in Utah

Spoiler

http://www.sltrib.com/ci_12735293
http://arstechnica.com/tech-policy/news/2009/07/r2e-nsas-power--and-money-sucking-datacenter-buildout-continues.ars
The NSA are propping up their massive computing infrastutre by building a massive branch in Utah.

Hoping to protect its top-secret operations by decentralizing its massive computer hubs, the National Security Agency will build a 1-million-square-foot data center at Utah's Camp Williams.

The years-in-the-making project, which may cost billions over time, got a $181 million start last week when President Obama signed a war spending bill in which Congress agreed to pay for primary construction, power access and security infrastructure. The enormous building, which will have a footprint about three times the size of the Utah State Capitol building, will be constructed on a 20

7. Goodbye, CompuServe! (We Thought You Already Died)

Spoiler

http://arstechnica.com/telecom/news/2009/07/goodbye-compuserve-we-thought-you-had-already-died.ars
In a blast-from-the-past, AOL has announced it is (finally?) killing off CompuServe, a company familiar to those who used the 'net in its infancy, most of whom probably thought it had been dead for some time...

A little piece of Internet history has now been laid to rest, as CompuServe was shut down for good just before this Fourth of July weekend. After some 30 years of service, CompuServe's new owner has finally pulled the plug, leaving us to reminisce about the days when the Internet was young and we were still using modems whose speed was measured in baud.

Most of us remember CompuServe fondly as one of the main Internet services from the 80s and 90s, and associate it with some of our first dabblings in the online world. Along with Prodigy, CompuServe offered a data connection to people across the globe, a connection that few had previously had at home. It set an early example for companies like AOL and even Apple's eWorld that launched in the early-to-mid 90s.

8. Goldman's Secret Sauce Could Be Loose Online; Markets Beware

Spoiler

http://arstechnica.com/tech-policy/news/2009/07/goldmans-secret-sauce-could-be-loose-online-markets-beware.ars
http://www.darkreading.com/insiderthreat/security/cybercrime/showArticle.jhtml?articleID=218400579
Investment bank Goldman Sachs has had data stolen by an ex-employee that could lead to publication of code that runs their automated trading desk, the heart of their business.

A Russian programmer named Sergey Aleynikov was picked up this past Friday by the FBI for allegedly stealing and passing along code that, if circulating out in the wild, could expose US markets to manipulation and cost Aleynikov's former employer, Goldman Sachs, millions. Bloomberg quotes assistant US Attorney Facciponti saying that "there is a danger that somebody who knew how to use this program could use it to manipulate markets in unfair ways. The copy in Germany is still out there, and we at this time do not know who else has access to it."

So how could a 32MB compressed source code archive pose a threat to markets and to America's most powerful investment bank? The story is actually less complex than it may sound.

9. Google Discloses Plans For New Malware-Resistant OS

Spoiler

http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218401111
Google has announced it is working on "Chrome OS", an operating system based on Linux that will help protect against common Internet-based attack vectors by building tighter operating-system-level security around the browser.

Google is building its own operating system aimed at eliminating malware problems at the consumer's desktop.

The company late yesterday announced its work on the new Google Chrome OS, a lightweight OS that sits atop a Linux kernel and will run on X86 and ARM chips.

"We are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware," blogged Google's Sundar Pichai, vice president for product management, and Linus Upson, engineering director. "Most of the user experience takes place on the Web."

10. New Live Poll Allows Pundits To Pander To Viewers In Real Time (Thanks mouser)

Spoiler

http://www.theonion.com/content/video/new_live_poll_allows_pundits_to
The ONN has installed a new live polling system that allows panelists to see viewer reaction to their discussion in real-time. Keep your eye on the tracker as the conversation goes on

Ehtyar.

[mouser]

Great edition -- lot's of interesting stuff.
The Live Poll video is one of the funniest things i've seen all year. Love it.

[nosh]

Antisec Hackers Replace All Imageshack Images

Arschloches! (I only speak German on special occasions.)

Good thing they aren't lobbying for gun control.
*blam* *blam* "See?"

[tomos]

Great edition -- lot's of interesting stuff.

-mouser (July 12, 2009, 05:09 AM)

hear hear 

[Ehtyar]

Thanks guys

Ehtyar.

[rjbull]

CompuServe isn't exactly gone.  It's changed into another Webmail system, i.e. supply your own ISP instead of using CompuServe itself.  There's no option for POP3 that I can see, which is a pity as most of the alternatives I've tried do have POP3.

[Ehtyar]

CompuServe isn't exactly gone.  It's changed into another Webmail system, i.e. supply your own ISP instead of using CompuServe itself.  There's no option for POP3 that I can see, which is a pity as most of the alternatives I've tried do have POP3.

-rjbull (July 13, 2009, 09:45 AM)

That's gone if you ask me, they're just letting everyone keep their email addresses (assuming someone somewhere still holds one).

Ehtyar.

[rjbull]

That's gone if you ask me, they're just letting everyone keep their email addresses

-Ehtyar (July 13, 2009, 03:53 PM)

Could still be useful to me for legacy reasons.  Some programs and forums I bought/signed up for when CI$ was the only Internet address I had, and can't always remember which they are.  Some of them send information on updates, but only on rare occasions.  I thought it would be easier to keep that address than trying to change everything.  I wish CompuServe'd added POP3 like Google, Yahoo UK and GMX, but there you are.

[Ehtyar]

Fair enough.

Really I'm not sure how the free email services manage to keep a viable business model going after enabling POP3/IMAP/SMTP. Is it possible to have your CompuServe email forwarded to your Gmail/Yahoo account?

Ehtyar.

[rjbull]

Really I'm not sure how the free email services manage to keep a viable business model going after enabling POP3/IMAP/SMTP.

-Ehtyar (July 14, 2009, 07:06 AM)

Yes, that's a good point.  Maybe they get enough Web business to deliver ad revenue.  I hope they won't take your comment to heart   

Is it possible to have your CompuServe email forwarded to your Gmail/Yahoo account?

Don't think so.  I didn't think to look for that specifically, but there certainly wasn't anything obvious, and I've skimmed through the options.  It has a calendar and spam controls, but is pretty bare-bones.

[jgpaiva]

9. Google Discloses Plans For New Malware-Resistant OS

Oh please no..

"It just shifts the risk," he says. "It's just going to be a shift in attacks [to Web applications]...and we've already seen of lot of that [occurring]. If anything, [Chrome OS is] going to highlight Web application security issues."

-http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218401111

It is NOT a Malaware-Resistant OS, it's not a "virus-free system". It's sounds just as dangerous as any other system, of even worse.. I mean, who says that building a kernel incorporating a browser is a good idea? Browsers are constantly targets of exploits, thus these exploits would allow the attacker root access to the system. Furthermore, if all of the apps are on the web, doesn't that mean that phishing (one of the worse attacks since it relies on the stupidity of the user and there's no antivirus for that) would get the attacker access to your whole life?

<rant mode>
I honestly am fed up with all this "my os has no viruses" crap. As long as there are bugs in the software, an attack is possible. And everyone knows that software had bugs, has bugs and will always have bugs.
I just with people would stop with all this "let's fool our costumers" marketing crap and worry with making really useful stuff with that money!
</rant mode>

[zridling]

Ehtyar, you manage to find some things I would never come across. Thanks!!

[Ehtyar]

Here here jgp!! I wtf'd when I read that myself, seems incredibly counter-intuitive to me.

My pleasure Zaine

Ehtyar.