Posted August 20, 2008 by rippinchikkin in Security News
by Elinor Mills
August 20, 2008 1:06 PM PDT

A security researcher has unearthed evidence via Google and its Chinese counterpart that supports claims that several Chinese gymnasts are younger than they should be for competing. The New York Times was probably the first to report about digital evidence that the Chinese athletes are underage.

"Online records listing Chinese gymnasts and their ages that were posted on official Web sites in China, along with ages given in the official Chinese news media, however, seem to contradict the passport information, indicating that He (Kexin) and Jiang (Yuyuan) may be as young as 14--two years below the Olympic limit," stated the Times article, posted about three weeks ago.

Then last week, the Associated Press found evidence of its own--a Xinhua state news agency report listing He's age as 13 just nine months before the Olympics began. The AP saved a copy of the Web page, which it said could not be accessed later in the day. This week security researcher "Stryde Hax" detailed his findings about discrepancies in the gymnasts' ages that he found via his own Internet searches.

The data he gathered bolsters the claims made by the Times and the AP. Stryde, who says he is a consultant at security firm Intrepidus Group, wrote on Tuesday about how he searched Chinese Web sites for Excel spreadsheets containing "He Kexin" and "1994," which is her alleged birth year, according to some of the uncovered Internet evidence.

Posted August 13, 2008 by rippinchikkin in Security News
By Gregg Keizer
August 12, 2008

Security researchers today disputed claims that a well-known Russian hacker-hosting network is responsible for cyberattacks against sites belonging to Georgia, the former Soviet republic that has been battling Russian military forces since Friday.

Rather than blame the notorious Russian Business Network -- as researcher Jart Armin did over the weekend -- other researchers said today that it appears that the attacks originated from a "hacker militia" of Russian botnet herders and volunteers.

"They mobilize themselves without a need for a central location to do so, distribute the targets, discuss the attack approaches, come up with a plan on the coordination, and you have everyone participating," Bulgarian security researcher Dancho Danchev said in an instant messaging interview early today.

Danchev and others have found evidence that points to a self-starting militia composed of volunteer hackers and cybercriminals who control large-scale bots, or collections of previously-compromised computers, as being behind the escalating attacks that have knocked Georgian sites offline.
Posted August 11, 2008 by rippinchikkin in Security News
By Peter Bright
August 11, 2008 - 07:30AM CT

One of the papers presented at the Black Hat USA 2008 security conference was an analysis of a number of the protection mechanisms built into Windows Vista and Windows Server 2008 that are designed to make it harder to convert software bugs into security flaws.

How to Impress Girls with Browser Memory Protection Bypasses, authored by security researchers Mark Dowd at IBM and Alexander Sotirov at VMware, presented a number of attacks against Vista's various security features in isolation, and then attacks that could disable multiple protections all together. Put together, the result is that Vista's mitigation mechanisms are circumvented, making buggy software exploitable.

The security features being bypassed are all intended to minimize the impact of buffer overflows. Buffer overflows are a particular kind of programming error that occur when a program attempts to store too much data in the buffer allocated for the data. This causes anything following the buffer to be overwritten. Buffer overflows are exploitable when it's possible to insert arbitrary executable code into a process and then make that code run.

If an attacker can do this then the attacker has gained the ability to do whatever he likes to the victim's computer. This kind of flaw is quite a common one, especially in the programming languages C and C++. Many high-profile software flaws have been of this type, from the Morris worm of the 1980s to the Code Red worm of 2001, and more recently the animated cursor vulnerability.
Posted August 07, 2008 by rippinchikkin in Security News
by Robert Vamosi
August 7, 2008 1:13 PM PDT

LAS VEGAS--How confident are you when using your laptop at a conference? For years, a group called Wall of Sheep has been showing attendees of Defcon when their network connections are insecure. The Wall of Sheep board has been a fixture at Defcon, Black Hat's sister conference set to begin tomorrow at the Riviera Hotel and Casino.

The board displays the names (with some identifying information obscured) of those connecting to the Internet in insecure ways. The idea is to both shame and educate users about best practices. "If the 'Best of the Best' in security can be hacked, think of the average users," said Riverside, a member of Aries Security, a group that maintains the Wall of Sheep.

For most of the year, the individual members (of which there are about seven) are scattered across the country, working in security at various companies. But for two weeks they come together in Las Vegas to plan and mount their equipment, though not without glitches. On Thursday, Riverside was addressing some hardware failures in a conference room at Caesars Palace.

"We have redundancy," he said. In the back of the room were various boxes and other electronic equipment and wires. In the past they've used their own equipment, although this year they're starting to get donations. "We're vendor agnostic," said Riverside, adding that they are using Windows, Mac, and various flavors of Linux.

Posted August 06, 2008 by rippinchikkin in Security News
By John Markoff
August 5, 2008 10:30 PM PDT

A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.

The new form of attack indicates that little progress has been made in defusing the threat of botnets, networks of infected computers that criminals use to send spam, steal passwords, and do other forms of damage, according to computer security investigators. Several security experts say that although attacks against network administrators are not new, the systematic use of administrative software to spread malicious software has not been widely seen until now.

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta. Stewart, who has determined that the gang is based in Russia, was able to locate a central program controlling as many as 100,000 infected computers across the Internet. The program was running at a commercial Internet hosting computer center in Wisconsin.

Stewart alerted a federal law enforcement agency that he declined to identify, and he said that it was investigating the matter. Although the original command program was shut down, the gang immediately reconstituted the system, he said, moving the control program to another computer in the Ukraine, beyond the reach of law enforcement in the United States.
Posted August 06, 2008 by rippinchikkin in Security News
By Joel Hruska
August 05, 2008 - 10:35PM CT

Social websites like Facebook and MySpace have attracted a great deal of attention as targets of opportunity for phishing scams, but they are scarcely the only two social networking sites.

New information suggests that hackers have tuned in to the newfound popularity of microblogging, and are at the very least evaluating Twitter as a potential target. In a blog post at Kaspersky Labs' Viruslist, Dmitry Bestuzhev describes the attack and how it functions. The Twitter profile itself was created specifically for the attack; profile information is posted in Portuguese.

There's nothing on the page but a link to a video promising hot girl action; actually clicking on the link redirects the browser and instructs the user to download a new version of Adobe Flash that's supposedly required to watch the "film." By this point, alarm bells should've been ringing if they haven't already gone off; end-users who install the fake Flash update end up with what Dmitry describes as 10 banker Trojans, all disguised as MP3 files.

Based on information in the profile, the location of the web servers, and the e-mail the malware program sends, he believes this attack originated in Brazil—though it's virtually impossible to be 100 percent sure. The actual payload is nothing new, and delivery requires little more than a web server and some Trojans. The threat, as is typical with phishing schemes, lies within the attack vector itself.
Posted August 04, 2008 by rippinchikkin in Security News
August 4, 2008
By Robert McMillan

Nearly a month after a critical flaw in the Internet's Domain Name System was first reported, vendors of some of the most widely used firewall software packages are scrambling to fix a problem that can essentially undo portions of the patches that address this bug.

The DNS flaw affects server software made by many vendors, including Microsoft, Cisco Systems, and the Internet Systems Consortium. Some firewall software undoes a source port randomization feature that was introduced in the DNS patches. While this change doesn't completely negate the DNS patch, it could make it easier for attackers to pull off a cache-poisoning attack against the DNS server, security experts say.

This could lead to virtually undetectable phishing attacks against users of those DNS servers. Firewalls that do IP address translation -- converting the IP addresses used by computers on their internal networks to different IP addresses that are used by the other computers on the Internet -- can sometimes undo the source port randomization, security experts say.
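The practical consequence of the NAT problem above is that a resolver can be fully patched and still look unpatched from the outside, so the check has to be made on the firewall's external side. The following is an added example (not code from the article or from any of the vendors it names) that parses constructed tcpdump-style lines for outbound DNS queries and classifies the observed source-port sequence; the thresholds are this example's own heuristics.

```python
import re

# Constructed captures (RFC 5737 documentation addresses, not real traffic),
# in the style of tcpdump output as seen on the OUTSIDE of the firewall.
# The first is what a patched resolver should look like; the second is the
# same resolver after a NAT device has rewritten its source ports in order.
RANDOMIZED_CAPTURE = """\
IP 203.0.113.5.51823 > 198.51.100.1.53: 4711+ A? example.com.
IP 203.0.113.5.17204 > 198.51.100.1.53: 4712+ A? example.net.
IP 203.0.113.5.60311 > 198.51.100.1.53: 4713+ A? example.org.
IP 203.0.113.5.33947 > 198.51.100.1.53: 4714+ A? example.com.
IP 203.0.113.5.2211 > 198.51.100.1.53: 4715+ A? example.net.
IP 203.0.113.5.44876 > 198.51.100.1.53: 4716+ A? example.org.
IP 203.0.113.5.9130 > 198.51.100.1.53: 4717+ A? example.com.
IP 203.0.113.5.28452 > 198.51.100.1.53: 4718+ A? example.net.
"""

NAT_REWRITTEN_CAPTURE = """\
IP 203.0.113.5.1025 > 198.51.100.1.53: 4711+ A? example.com.
IP 203.0.113.5.1026 > 198.51.100.1.53: 4712+ A? example.net.
IP 203.0.113.5.1027 > 198.51.100.1.53: 4713+ A? example.org.
IP 203.0.113.5.1028 > 198.51.100.1.53: 4714+ A? example.com.
IP 203.0.113.5.1029 > 198.51.100.1.53: 4715+ A? example.net.
IP 203.0.113.5.1030 > 198.51.100.1.53: 4716+ A? example.org.
IP 203.0.113.5.1031 > 198.51.100.1.53: 4717+ A? example.com.
IP 203.0.113.5.1032 > 198.51.100.1.53: 4718+ A? example.net.
"""

# Matches "IP <src-ip>.<src-port> > <dst-ip>.53:" and captures the source port.
QUERY_RE = re.compile(r"^IP \S+\.(\d+) > \S+\.53: ")


def source_ports(capture):
    """Source port of every outbound DNS query line in a capture, in order."""
    ports = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def assess_port_randomization(ports, min_samples=8):
    """Classify the observed source-port sequence.

    Returns one of "insufficient", "fixed", "sequential", "narrow" or
    "randomized". The thresholds are this example's own heuristics, not a
    standard; a handful of queries cannot prove randomness, only disprove it.
    """
    if len(ports) < min_samples:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"            # pre-patch behaviour: one port forever
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    stepping = sum(1 for d in deltas if 0 < d <= 4)
    if stepping >= 0.75 * len(deltas):
        return "sequential"       # NAT handing out ports in order: predictable
    if max(ports) - min(ports) < 1024:
        return "narrow"           # distinct, but confined to a small window
    return "randomized"
```

Anything other than "randomized" on the external side means the firewall, not the resolver, is the component that needs the fix.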

The scope of the problem initially took some DNS experts by surprise, said Dan Kaminsky, the IOActive researcher who first discovered the DNS bug. "This is to some degree our fault," he said in an e-mail interview. "We underestimated the number of firewalls out there that were deployed in front of DNS servers." "Cisco, Juniper, Citrix and a number of other firewall vendors have been absolutely scrambling to update their equipment," he added.
Posted August 04, 2008 by rippinchikkin in Security News
By Nick Farrell
04 August 2008, 11:53 AM

THOUSANDS OF PEOPLE are finding themselves without a ticket to the Beijing Olympics after being taken in by an online scam. The slick, professional-looking Website, beijingticketing.com, which boasts offices in Sydney, London and New York, is actually a scam and its owners have done a runner.

The International Olympic Committee (IOC) has received complaints from hundreds of alleged victims all over the world, with some customers handing over thousands of dollars for non-existent tickets. It seems that the biggest victim was a Texas-based travel agent, Jolanta Sochacka, who shelled out $57,000 for a family of seven. She said that the company looked so legitimate because its website was so elaborate.

Hacks have tailed the company to an empty office in Phoenix, Arizona and the IOC and the US Olympic Committee (USOC) will today ask a federal judge in San Francisco for an order to shut the website down.
Posted August 01, 2008 by rippinchikkin in Security News
by Ryan Naraine
July 31st, 2008 @ 8:21 pm

Apple has shipped a Mac OS X security update with patches for at least 17 documented vulnerabilities, including a fix for the serious DNS cache poisoning vulnerability reported by hacker Dan Kaminsky. With Security Update 2008-005, Apple plugs holes that could lead to privilege escalation, denial-of-service, information disclosure and arbitrary code execution attacks. The update affects Mac OS X Server 10.4, Mac OS X 10.4.11, Mac OS X Server 10.5, and Mac OS X 10.5.4.

CVE-2008-1447 - BIND: A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.

CVE-2008-2320 - CarbonCore: A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-2008-2830 - Open Scripting Architecture: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges.
Posted July 30, 2008 by rippinchikkin in Security News
by Dancho Danchev
July 30th, 2008 @ 8:08 am

A week after |)ruid and HD Moore released part 2 of the DNS exploit, HD Moore’s company BreakingPoint has suffered a traffic redirection to a rogue Google site, thanks to the already poisoned cache at the AT&T servers to which his company was forwarding DNS traffic:

“It happened on Tuesday morning, when Moore’s company, BreakingPoint had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas area.

One of BreakingPoint’s servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore’s company. When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.”

Moreover, last month, before the latest DNS cache poisoning vulnerability and exploits started taking place, Metasploit Project’s site was temporarily hijacked through ARP poisoning, perfectly demonstrating that old-fashioned DNS attacks remain intact.
Posted July 30, 2008 by rippinchikkin in Security News
By John Leyden
30th July 2008 15:22 GMT

Google allowed one of its Gmail SSL certificates to expire days after promising users improved webmail security. Because Google's certificate for IMAP/POP traffic expired on Tuesday, users were confronted by a potentially confusing "invalid certificate" warning. In some cases users may also have been left unable to send email.

Google fixed the problem within hours on Tuesday afternoon (US time). The snafu comes less than a week after Gmail improved security by making sure users of the popular web mail service go through a secure connection each time they access their account online. Forgetting to renew a digital certificate can happen to any organisation, as Microsoft and HSBC (among many others) are able to testify. Even though a certificate is out of date, a secure connection with a site can still be established.

Google makes it its business to index all the world's data so its own failure to manage a key domain is an embarrassing faux pas even though no harm, or much inconvenience, was caused. Reg reader Peter Houppermans, who brought the slip-up to our attention, notes that users are now so well trained against clicking on invalid certificates that this sort of thing should present no great problem. Well, except for the untrained users.
Posted July 24, 2008 by rippinchikkin in Security News
by Zack Whittaker
July 23rd, 2008 @ 5:37 am

Oh the fun. Once again, another police website has been hacked by a student, showing that even the police aren’t safe from all crimes. This is another link in the long chain of attacks over the years from egotistical teenagers trying to get a kick out of life without sticking a needle in their arm.

Bedfordshire Police had their website hacked and defaced, with the content replaced by Arabic text and an animation of a man carrying a Tunisian flag. The perpetrator of the attack is known to be a 17 year old US student by the name of Arfaoui Firas, and a site snapshot shows the website after it was defaced. This comes as the website, brought back from the ashes, has finally gone live again.

A spokesperson for Bedfordshire Police said, according to the BBC: “The website is hosted externally, away from all other police systems so no personal or confidential data could have been obtained. Bedfordshire Police take security extremely seriously, which is why the website is hosted independently and outside all other IT systems.”

Let’s throw in some background material here. Police forces around the country and around the world have databases packed with information about crimes, people and citizens, drivers licence details, things like that. To then have a website on the same network or server as the rest of these secure databases would be a huge security risk; which is why they don’t.
Posted July 23, 2008 by rippinchikkin in Security News
By Robert McMillan
July 23, 2008

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon.

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. In a telephone interview, HD Moore, author of the Metasploit penetration testing software, agreed with Aitel that the attack code was not going to be difficult to write. The flaw, a variation on what's known as a cache poisoning attack, was announced on July 8 by IOActive researcher Dan Kaminsky, who planned to disclose full details of the bug during an Aug. 6 presentation at the Black Hat conference.

That plan was thwarted Monday, when someone at Matasano accidentally posted details of the flaw ahead of schedule. Matasano quickly removed the post and apologized for its mistake, but it was too late. Details of the flaw soon spread around the Internet. And that's bad news, according to Paul Vixie, president of the company that is the dominant maker of DNS software, the Internet Systems Consortium.
Posted July 23, 2008 by rippinchikkin in Security News
By Joel Hruska
July 22, 2008 - 09:40PM CT

ICANN has unanimously approved a request by the Public Interest Registry (which handles .org domains) to become the first generic Top Level Domain (gTLD) to switch to the DNS security protocol DNSSEC.

As part of the agreement, PIR will trailblaze DNSSEC while simultaneously developing an education and adoption plan that can later be disseminated across the Internet's infrastructure. PIR's use of DNSSEC is a significant step forward, but a mixture of contentious political and technological issues has slowed the worldwide development and deployment process.

DNSSEC is intended to fix fundamental flaws in the original DNS protocol that leave it vulnerable to several different attack vectors, including cache poisoning. This is accomplished in part through the use of digital signatures. By using such signatures, the DNS resolver can check to see if information it is receiving is actually from the appropriate address; the digital signatures effectively act as a password (the analogy is not exact).

The DNS flaws themselves aren't anything new—they were discovered back in 1990—but the solution to the problem has been no less than eleven years in the making, putting the length of its development cycle almost on par with Duke Nukem Forever. DNSSEC development lasted from January 1997 to the present day, or roughly 11 years and six months.
Posted July 22, 2008 by rippinchikkin in Security News
July 22, 2008
By Robert McMillan

Convicted penny-stock spammer Eddie Davidson walked away from a federal minimum-security prison camp in Colorado on Sunday, the U.S. Department of Justice said Tuesday. Davidson, 35, had been serving 21 months in federal prison after pleading guilty to criminal spam charges in December.

He is now considered an escapee and is being pursued by U.S. marshals, with help from the Federal Bureau of Investigation, the U.S. Internal Revenue Service and local police. He earned millions of dollars between 2003 and 2006 by operating a spamming operation, called Power Promoters, out of his home. He would change the header information in his messages to make it appear as if they had come from legitimate companies such as AOL and then send them out to hundreds of thousands of addresses.

Davidson sent the messages on behalf of an unnamed Houston company, court filings state. He was asked to promote about 19 penny-stock companies, including one called Advanced Power Line Technologies in 2006 and 2007. He would earn fees based on the trading volume of the stocks he was promoting. The business was lucrative: The Houston company paid Davidson about $1.4 million for his services, court documents state.

Between 2003 and 2006, when his primary source of income was spam, bank account deposits into Davidson's account totalled about $3.5 million. Davidson, of Bennett, Colorado, had been incarcerated at the Florence Federal Correctional Complex, about 45 miles south of Colorado Springs.