Tech News Weekly: Edition 3-10

[Ehtyar]

The Weekly Tech News

Hi all. It's BAAAAACK!! Hope you enjoy The last Tech News was posted a month and a half ago. You can find it here.

1. Judge Slashes "monstrous" P2P Award by 97% to $54,000

Spoiler

http://arstechnica.com/tech-policy/news/2010/01/judge-slashes-monstrous-jammie-thomas-p2p-award-by-35x.ars
Looks like this whole Judges with sense thing is catching on. Jammie Thomas-Rasset has had her outrageous $1.92 million damages charge, brought by big media, dropped to $54,000. A little more reasonable for 24 songs wouldn't you say?

Judge Michael Davis is the senior federal jurist in Minnesota. He presides over the gleaming 15th floor courtroom where, earlier this year, P2P user Jammie Thomas-Rasset was slapped with $1.92 million in damages for sharing 24 songs. Davis made no comment on the amount of the award and showed no emotion as it was read out.

But now we know how he rely feels about the jury's work in that case: it led to a "monstrous and shocking" damage award that veered into "the realm of gross injustice."

2. Tor Software Updated After Hackers Crack Into Systems

Spoiler

http://www.theregister.co.uk/2010/01/22/tor_security_update/
Oops. Doesn't look like their VCS was compromised - seems the hackers had no idea what they were onto.

Privacy-conscious users of the Tor anonymiser network have been urged to upgrade their software, following the discovery of a security breach.

Two of seven directory authorities and a metrics data server were compromised in a hack discovered earlier this month, Tor developer Roger Dingledine explains. The three servers were taken offline and refurbished following the hack.

3. Bumps ahead as Vimeo, YouTube respond to HTML5 video demand

Spoiler

http://arstechnica.com/open-source/news/2010/01/bumps-ahead-as-vimeo-youtube-respond-to-html5-video-demand.ars
Vimeo and YouTube have both deployed opt-in (*sigh*) HTML-5 media players on their site. Unfortunately, both are using the H.264 codec instead of the open Ogg Vorbis alternative. They're also about half a year behind DailyMotion, but still, yay!

When Google began soliciting feedback from users about what features they would most like to see in the next version of YouTube, the response was an overwhelmingly enthusiastic request for standards-based open video: users called for Google to support the HTML5 video element.

Google responded by rolling out an experimental HTML5-based player on YouTube that allows users to watch videos without having to depend on Adobe's Flash plugin. Vimeo, another leading video hosting website, followed suit this afternoon and rolled out an HTML5 beta test of its own. Of course, both of them are lagging behind DailyMotion, which launched its HTML5 beta last year.

4. Analysis of 32 Million Breached Passwords

Spoiler

http://www.net-security.org/secworld.php?id=8742
Hrm...Bahahahaha!

Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism.

In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine.

5. Wrists Playing Up? You're Shagging Too Much

Spoiler

http://www.theregister.co.uk/2010/01/21/carpal_tunnel_syndrome/
THink you've got carpal tunnel? Picking a new position apparently helps...

A US researcher has suggested a possible link between dodgy wrists caused by carpal tunnel syndrome and sex, "when the hands become repeatedly extended while under pressure from the weight of the upper body".

The syndrome occurs when "the median nerve, which runs from the forearm into the hand, becomes pressed or squeezed at the wrist", as this handy guide explains. Symptoms range from "frequent burning, tingling, or itching numbness in the palm of the hand and the fingers" to "decreased grip strength" and the inability to tell hot from cold by touch.

6. Virgin Trials P2P Deep Packet Snooping

Spoiler

http://www.theregister.co.uk/2010/01/21/virgin_begins_cview_trials/
The headline should probably be "Virgin to trial P2P deep packet snooping", but whatever. Looks like major UK ISP Virgin Media will start using deep packet inspection to see just how much file sharing is taking place on their network. Though, of course, they won't be retaining any identifying aspects of the data...

The trial will see Virgin monitor about 40 per cent of its customers — none of whom will be informed of their participation. Virgin insists that the system seeks only to determine the amount of file-sharing traffic that infringes on copyright and that it will disregard data that can finger individual users.

The software, called CView, is provided by Detica, a BAE Systems subsidiary that specializes in high volume data collection. The ISP is using Deep Packet Inspection (DPI) to detect peer-to-peer traffic over its customers' broadband connections. P2P files are then matched against a third-party database of songs to determine if they violate copyright.

7. Google Hack Attack Was Ultra Sophisticated, New Details Show

Spoiler

http://www.wired.com/threatlevel/2010/01/operation-aurora/
I imagine everyone has heard about this. It's being called "Aurora", a vulnerability in IE6/XP that allowed suspected Chinese attackers to gain access to over 30 large corporations. The vulnerability was known only to Microsoft prior to the attack, and has since been taken care of with an out-of-band patch. The attackers were apparently very well prepared, and managed to steal a very significant quantity (and quality) of data, including source code from those they breached.

Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by the anti-virus firm McAfee.

“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.”

8. NASA Extends the World Wide Web Out Into Space

Spoiler

http://www.nasa.gov/home/hqnews/2010/jan/HQ_M10-011_Hawaii221169.html
Took long enough, but it looks like astronauts will be enjoying live Internet from now on

Astronauts aboard the International Space Station received a special software upgrade this week - personal access to the Internet and the World Wide Web via the ultimate wireless connection.

Expedition 22 Flight Engineer T.J. Creamer made first use of the new system Friday, when he posted the first unassisted update to his Twitter account, @Astro_TJ, from the space station. Previous tweets from space had to be e-mailed to the ground where support personnel posted them to the astronaut's Twitter account.

9. No One Gives A Crap How Many Pigs You Have, Jerk!

Spoiler

http://www.youtube.com/watch?v=odBDAcOEKuI
Your friends think your farm is lame...

Ehtyar.

[mouser]

Tech News Weekly is back!

[lanux128]

hey, welcome back!

[Ehtyar]

Thanks guys

Ehtyar.

[4wd]

@5: Damn!  And I thought it was me playing too much FPS!

Guess I'll have to start saying, "Sorry love, tonight's Team Deathmatch."

@8: UhOh!  Closed environment + too much pr0n = Deliverance!

 

[Ehtyar]

@4wd R.O.F.L!!!

Ehtyar.

[f0dder]

Was the recent NTVDM local privilege escalation exploit used in the google attack?

That's a very interesting exploit, compared to your usual double-free/buffer-overrun/blablabla exploits, for a lot of reasons. Too bad MS didn't fix it long ago, they've been informed about it for a while. Also, while NTVDM is a very old component and you'd thus reason that "it's OK they haven't spent a lot of effort auditing NTVDM since it's a frozen target and unlikely to be exploited", there's been at least two privilege escalation attacks on NTVDM in the past...

[Ehtyar]

The Google attack (and the rest of them) was the IE RCE (high reliability for IE6/XP only...makes you wonder).

I don't believe the NTVDM has been exploited in the wild yet (at least not to great effect). I'm not terribly excited about it TBH; if/when someone finds a creative way of *using* it, it might get interesting.

Ehtyar.

[f0dder]

The Google attack (and the rest of them) was the IE RCE (high reliability for IE6/XP only...makes you wonder).

-Ehtyar (January 24, 2010, 07:56 PM)

Yes, that's apparently how they got into the systems - I'm wondering if they used NTVDM to go LUA->Admin.

I don't believe the NTVDM has been exploited in the wild yet (at least not to great effect). I'm not terribly excited about it TBH; if/when someone finds a creative way of *using* it, it might get interesting.

-Ehtyar (January 24, 2010, 07:56 PM)

Perhaps not used, but it's still one of the more interesting exploits for quite a while, even though it's "just" privilege escalation and not remote. Why? Partly because it in such an unlikely target... and very much so because it affects all 32bit NT versions. Want root? got root! (Oh, and it's not just LUA->Admin... it's full kernel-mode privileges without loading a .sys).

[Ehtyar]

AFAIK the NTVDM vuln was not used at all in the China hack.

I know why you found the NTVDM vuln interesting, I just don't particularly agree. I'd fine it more interesting if they found something that impressive in a moving target, or something more readily exploitable. This was like taking candy from a baby.

Ehtyar.

[f0dder]

This was like taking candy from a baby.

-Ehtyar (January 24, 2010, 08:43 PM)

Not exactly - finding an exploit like that requires a fairly decent understanding of not only Windows internals, but also above-average knowledge of CPU detail (and that's above-average for assembly programmers, mind you). There's automated tools that can find "areas of interest" for a number of exploit types, which can then be further analyzed by a security researcher (or malware writer) - this NTVDM exploit is something extraordinaire.

And while it might not be in the wild yet, you can be pretty sure it's already added to blackhat toolset, and will be added to drive-by rootkits any time now - with good reason. It's even worse than the linux kernel 2.4->2.6 privilege escalation exploit (which was bad enough - iirc that was around 8 years of kernel revisions, and multiple architectures).

Privilege escalation might not be as sexy as remote holes, but it's a dangerous addition once a hole is found... and when you get not only admin but can go kernel-mode "silently", and it can target such a large installation base - ouch!

[Ehtyar]

And when it's successfully exploited on such a grand scale, I'll be impressed. Until then, it's stationary target practice.

Ehtyar.

[SKA]

Possibly OT, but Google says attack came in thru its corporate VPN:
http://chenxiwang.wo...not-cloud-computing/

Bruce Schneier(comment on cnn) : a backdoor into Gmail(required by US Govt) may have been used:
http://www.cnn.com/2...e.hacking/index.html

SKA
   

[f0dder]

Bruce Schneier(comment on cnn) : a backdoor into Gmail(required by US Govt) may have been used:
http://www.cnn.com/2...e.hacking/index.html

-SKA (January 24, 2010, 10:20 PM)

Take that with a pinch of salt before panicking - even if a backdoor has been used. The way CNN states this makes it sound like there's a backdoor in gmail that's as easy to use as entering a special username+password, and that the hackers penetrated google with this...

It's probably more along the lines of machines being exploited through the aforementioned IE flaw (or other means), letting the hackers inside the corporate network - and from there on exploring said corporate network. And once in there, they'd be able to look at non-internet-facing servers - which might include gmail storage servers (I'd kinda expect those to be encrypted, but who knows).

It's pretty much all guesswork, anyway. And that CNN link... is that an essay directly written by Schneier, or is it a CNN butcher-piece of this? - the latter is a lot less sensationalist then the CNN piece, and doesn't support what is probably the most alarming paragraph of the CNN piece:

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

[Ehtyar]

Well said F0d Man. Media sensationalism at its finest.

Seems the essay was directly from Schneier, though.

Ehtyar.

[Stoic Joker]

Looking at the links SKA posted, there seems to be conflicting accounts on the initial entry point (Chenix Wang does however strike me as being a bit more pragmatic & believe-able). Not to mention that if the object is stealth it makes no sense to go through the trouble to hack the same network twice ... Especially if round 2 involves targeting something that by design is supposed to be monitored, logged, and scrutinized to the Nth power.

Most likely (to me) is to quietly slip into the VPN (because that's the (LEO's access level) gravy chute), and then use a few of the internal machines to create a tantalizing distraction of complexity. Sure G2G is tricky to get into if designed properly, but C2G (hehe) not so much. All you really need is someone with a badge & an iPhone to ask a ("support") question...and time.

[Edvard]

#9 
BWAHAHAHAHA!!!11!!11

I'm posting that on my Facebook...