THESE PAGES HAVE BEEN DISCONTINUED - FOR ARCHIVAL PURPOSES ONLY

Posted April 01, 2008 by David Hale in Security News
By John Leyden
April 1, 2008 13:45 GMT

The miscreants behind the Storm Worm botnet have taken advantage of April Fools' Day in a bid to infect more Windows PCs. Security firms are warning users to avoid the temptation to click on April Fools' Day emails that may redirect them to maliciously constructed websites. The latest attempt to dupe gullible users into getting their PCs infected kicked off on Monday with a spam campaign designed to trick recipients into visiting websites under the control of hackers, which host executables with names such as foolsday.exe, Kickme.exe or funny.exe.

So far the miscreants punting the scam haven't even bothered to include exploit code, net security firm F-Secure notes. Potential marks are simply invited to download the malware, promoted via a spam mail campaign. These spam emails feature subject lines such as "April Fool's Day" and an equally unimaginative choice of images. Trend Micro reports that the miscreants behind the attack were too indolent to create their own image to represent the holiday, so they simply Googled "April Fools" and used the first image that showed up.

The creators of the Storm Worm have a history of using holidays and special events as lures for their malware. The last major Storm run was in the weeks leading up to Valentine's Day. As before, the latest spam campaign is designed to infect new computers that will then become part of the larger Storm Worm botnet. These compromised PCs can then be hired out to spammers, miscreants interested in running denial of service attacks, adware distributors, and other internet denizens.
Posted April 01, 2008 by David Hale in Security News
by Robert Vamosi
April 1, 2008 12:11 PM PDT

Owen Thor Walker, an 18-year-old bot herder from Whitianga, New Zealand, pleaded guilty on Monday to six charges resulting from a botched botnet upgrade that led to a 2007 denial-of-service attack on the University of Pennsylvania.

Walker pleaded guilty to two charges of accessing a computer for dishonest purposes; two charges of accessing computer systems without authorization; one of damaging or interfering with computer systems; and one of possessing software for committing a crime. He could face five years in jail. However, according to reports from The New Zealand Herald, Judge Arthur Tompkins is considering Walker's age and cooperation with authorities and could recommend home detention or community service instead. Sentencing will take place May 28.

Walker, who uses the online name "AKill," was arrested last November as part of the FBI's Operation Bot Roast II, along with Ryan Brett Goldstein, 21, of Ambler, Penn. Walker and Goldstein allegedly caused a distributed denial-of-service attack on the University of Pennsylvania this past summer that cost the school nearly $13,000 to mitigate. Apparently the DoS attack was unintentional.

According to various reports, Walker said he was attempting to upgrade his botnet code when a glitch took down his network. A botnet consists of thousands of infected computers worldwide that can spew spam, assist in a denial-of-service attack on a target, or spread new versions of the originating worm. From a central point, called a command and control center, a bot herder can send new code to those infected computers.
Posted March 31, 2008 by David Hale in Security News
by Dawn Kawamoto
March 31, 2008 9:18 AM PDT

The MIT Kerberos Consortium, a security authentication and authorization group, announced Monday that Microsoft has joined its shindig. The consortium, which launched in September with Google, Apple, Sun Microsystems and a collection of universities, noted Microsoft is coming aboard as a founding sponsor.

Kerberos aims to offer consumers the same single sign-on authentication and authorization system that corporate America has been using to allow employees to access network services with one log-on. Kerberos is an offshoot of MIT's Project Athena, which was developed back in the 1980s. Microsoft uses the Kerberos network authentication protocol in such products as its Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. And Kerberos also serves as the main authentication tool in Microsoft's Active Directory.

"Microsoft joining the Kerberos Consortium is significant," Stephen Buckley, consortium executive director, said in a statement. "They represent a vast number of users of Kerberos. It is an important step forward towards our common ambition to create a universal authentication platform for the world's computer networks." What's next? Given its past troubles with its passport authentication efforts, is the next stop for Microsoft the Liberty Alliance Project?
Posted March 31, 2008 by David Hale in Security News
By John Leyden
March 31, 2008 - 09:16 GMT

Apple is trailing way behind Microsoft in security patch responsiveness, according to a study by security researchers from IBM. Stefan Frei and Bernard Tellenback of IBM's X-Force security division analysed several years of vulnerability disclosures and patching processes from various vendors.

They found that Apple is getting worse at dealing with security problems while Microsoft is improving. Apple is experiencing more vulnerabilities, longer patching times, and more attacks on unpatched vulnerabilities, according to the duo. Frei and Tellenback presented their findings at a presentation entitled 0-day Patch – Exposing Vendors (In)Security Performance at last week's Black Hat conference in Amsterdam. A copy of the presentation can be found here. Colleagues of the duo reckon Apple's antagonistic attitude with security researchers is one of the reasons for its poor response.

"While I think that there are quite a few reasons why this is probably so, I’d be inclined to say that Apple’s biggest problem appears to be that they treat every new vulnerability as a potential PR disaster rather than an opportunity to visibly reinforce their work in securing their customers," writes Gunter Ollman of IBM's X-Force. "In recent times this has most critically been reflected in the way Apple works with security researchers."
Posted March 28, 2008 by David Hale in Security News
By Jon Stokes
March 28, 2008 - 05:12AM CT

His speaker bio at Global Leaders says that he's "passionate about clean technology and environmental markets and serves on the board of Environmental Defense." His Amazon profile lists the following as his interests: "sailing, snowboarding, micro-lending, peace networking, social networks, high-tech start ups, entrepreneurship, leaderless leadership, travel."

Truly, he's a fantastic choice for a leadership position at the Environmental Protection Agency or the Department of Energy in an era when so-called "green technology" is emerging as the next frontier for US innovation... except that Rod A. Beckstrom—author, entrepreneur, and founder of Twiki.net—has been tapped as the new US cybersecurity czar.

So the top cybersecurity official in the US government, the head of the Department of Homeland Security's newly announced National Cyber Security Center, is a man with no government experience and no security experience. Crypto guru Bruce Schneier is not impressed. I typically defer to Schneier on all things cybersecurity, but in this instance, I have to admit to a great deal of optimism about this particular choice. Let me give some background on the job, and then I'll explain my cautious optimism.

It's a tough job. Frustration, a lack of support, a feeling that the government doesn't take cybersecurity issues seriously—each successive member in the parade of post 9/11 cybersecurity czars has cited these reasons for bailing from the job, sometimes after tenures as short as three months. Given the government's continued failing grades in information security, its repeated high-profile data breaches, the attacks of (Chinese?) hackers, it's no wonder that the post has a problem retaining talent.
Posted March 26, 2008 by David Hale in Security News
by Larry Dignan
March 26th, 2008 @ 4:46 am

Mozilla has patched 10 vulnerabilities in Firefox 2.0 with update 2.0.0.13.
In the update, released early Wednesday, Mozilla addressed the following:

* MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
* MFSA 2008-18 Java socket connection to any local port via LiveConnect
* MFSA 2008-17 Privacy issue with SSL Client Authentication
* MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
* MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
* MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution

Of those six advisories, two were rated critical and two had a high impact. The vulnerabilities also impact Thunderbird and SeaMonkey. Secunia has compiled 10 CVE numbers for this update with the following recap: Some vulnerabilities and weaknesses have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, conduct cross-site scripting and phishing attacks, and potentially compromise a user’s system.

The CVEs addressed in the Firefox update include: CVE-2007-4879, CVE-2008-1195, CVE-2008-1233, CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237, CVE-2008-1238, CVE-2008-1240 and CVE-2008-1241.

The memory corruption crashes (MFSA 2008-15) were rated critical by Mozilla. Mozilla in its advisory said: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Posted March 26, 2008 by David Hale in Security News
By Egan Orion
March 26, 2008 - 6:45 AM

A SHARP Argentinian researcher has raised the alert about two security flaws he discovered in Apple's Safari for Windows web browser. Juan Pablo Lopez Yacubian characterised the vulnerabilities in the recently released Safari for Windows 3.1 as serious, saying they could both potentially enable an attacker to remotely take over one's computer.

He said the most dangerous vulnerability could allow a maliciously structured website to "falsify the web address and enter another page or content." That would mean that you might see an expected URL in Safari's address bar but the actual source address might be different, potentially loading malicious code that could put your computer and data at risk.

The second vulnerability could be triggered by downloading a file with a very long filename, which could cause a buffer overflow condition possibly leading to memory corruption that might permit the execution of arbitrary code. Web User reports that security firm Secunia has classified both of these fresh vulnerabilities as "highly critical" flaws, its second highest severity rating. These two new Safari for Windows security flaws are as yet unpatched and so far Apple has refused to comment, according to Web User.
Posted March 26, 2008 by David Hale in Security News
by Nathan McFeters
March 25th, 2008 @ 5:56 pm

Considering my previous posts on my experiences at Black Hat Federal received pretty good reviews, I thought it would make sense to again highlight a Black Hat trip. This time it was all the way out to Amsterdam, where Rob Carter and I will be speaking about URI Use and Abuse. For reference, I’ve created a gallery of photos of the trip that I’ll be updating as the conference goes on.

The conference is at the Movenpick hotel, just a short walk from the train station, the red-light district, and all that is the heart of Amsterdam. Rob and I spent most of our first day trying to find this place that Jeff Moss (founder of Black Hat) had mentioned for lunch, the Waag (pronounced more like a V instead of a W and ending with a G and K combination sound that I could never properly make, which sounds more like Vwaghk (I think)).

After explaining several times to the receptionist at the hotel that I was looking for the Waag and not the "Vwaghk", I accepted that she must know what she's talking about and that I'm the fool, so I took her directions. Of course we got lost, which seems to be easy to do since the streets meander between waterways and there's so much to see along the way. The architecture in Amsterdam is amazing! I kept looking for the Waag and getting side-tracked due to the amount of interesting buildings, shops, and characters to look at.

In an effort to enjoy the culture to the fullest extent, Rob and I stopped at a coffee shop called the Bulldog, which served outstanding coffee. Seriously, they did. Eventually after heading the completely wrong direction, a native was kind enough to turn us around and put us on the proper road to the Waag. It was an impressive structure and looked like a nice place for a meal, but I had to get back in time to conduct an interview with Marcus Pinto and Dafydd Stuttard (Portswigger) on the training session they are providing for Black Hat Europe attendees.
Posted March 25, 2008 by David Hale in Security News
By Joel Hruska
March 24, 2008 - 08:10PM CT

The Inspector General's Office of the United States Department of Energy recently released the results (PDF) of a 15-month audit of the DoE's security practices as they apply to publicly available web sites and services. Unfortunately, the publicly available version of the report removes all details of the vulnerabilities discussed therein, making it impossible for Ars to discuss the severity of any particular flaw. The overall assessment of the report is mixed.

While there are specific departments and laboratories within the DoE that have implemented strong security practices, there are also a number of areas where the department needs significant improvement. For instance, visitors to US DoE web sites probably shouldn't be redirected to pornography, but this is exactly what happened last year after an attack on the Brookhaven National Laboratory briefly turned that site into a porn redirector. According to the report, DoE websites and/or data are being compromised to the tune of nearly 20 incidents a year, totaling 60 security incidents over the past three years.

Some of these have resulted in malicious defacement, while others appear to have been allowed by internal mistakes. The audit refers to eight incidents over the past two years which improperly exposed the personally identifiable information of individuals, but the information was available due to user error rather than malicious theft or a hack. But as the report makes clear, whether it's the result of a hack, or just poorly guarded data, it's all stemming from lax security policies and reviews.

Many of the security flaws uncovered during the 15-month audit lead back to one of two root causes. First, many of the web servers in question had not been formally authorized for operation via a process defined as certification and accreditation (C&A). Oftentimes, such servers were not fully compliant with federal security guidelines and rules, and presented potential attack vectors to the public that should have been closed.
Posted March 24, 2008 by David Hale in Security News
by Larry Dignan
March 24th, 2008 @ 4:47 am

Microsoft has confirmed reports of a vulnerability in Word that allows an attacker to exploit a system via the Microsoft Jet Database Engine, which shares data with Access, Visual Basic and third-party applications.

Microsoft in its advisory said the potential for attack is "very limited." Reports of the Word flaw were highlighted by Panda and Symantec in the last two weeks. On March 3, Panda researcher Ismael Briones stumbled on the new exploit. On Thursday, Symantec also noted the Jet vulnerability. According to Symantec:

The attacker needs only to find a trick to force the MS Jet library to open the file and trigger the vulnerability that will run the malicious shellcode. Some social engineering and a little help from Office applications will work out well in this specific attack. In fact, it is possible to call MSJET40.DLL directly from MS Word, without using Access at all.

Microsoft said in its advisory: Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.
Posted March 24, 2008 by David Hale in Security News
March 21st, 2008 @ 6:35 am
by Dana Blankenhorn

One big hole for open source lies in security. It’s not a real hole. It’s a meta-hole. But we still view it as a hole, so it’s a hole. That hole opened up again in Australia this week, where a “loud minority” got personal when Australian Taxation Office chief information officer Bill Gibson expressed concerns about open source security.

The assumption which makes this a meta-hole is that if the security scheme is open source, the security scheme is vulnerable. Thus visible software is vulnerable software. Catch-22 there. That’s what makes Red Hat’s latest announcement worth reading. They’ve made their certificate system open source. This is code originally obtained from AOL, some of which was already open source because it was part of the Apache Web server or Red Hat Directory Server.

It’s a major move from new CEO Jim Whitehurst, who came to the company from (shudder) Delta Air Lines. You may recall he had to prove his bonafides before a Matt Asay inquisition. (Matt had Jim sit in a comfy chair.) Jim’s lucky they didn’t have me conduct that interview. I would have asked what college he went to. (Rice University, our mutual alma mater, has a college system.) Then I would have poked him with the soft cushions.

This doesn’t mean the supposed contradiction between open source and security will disappear, any more than racism will fade because we acknowledge it. But it’s a start.
Posted March 21, 2008 by David Hale in Security News
by Robert Vamosi
March 20, 2008 2:42 PM PDT

Part of the Sequoia Voting Systems Web site was defaced and subsequently taken down on Thursday, according to a report in InfoWorld. As CNET prepared this blog, the entire Sequoia Voting System site was frequently inaccessible. The defacement and subsequent takedown occurred Thursday morning on the company's Ballot Blog page.

Sequoia is one of a handful of electronic voting companies used in the United States. It has in recent days come under fire for apparent discrepancies in voter tallies in last month's New Jersey primary election. The Ballot Blog page on SequoiaVote.com had contained information from Sequoia regarding the Super Tuesday New Jersey election, but as of Thursday afternoon the blog site was available only on and off.

Last week an independent group representing New Jersey county clerks asked Princeton University computer science professor Ed Felten to investigate the discrepancies in the New Jersey vote tallies. Felten and his team have examined Sequoia and other voting systems in the past. Most recently, Felten's team of graduate students helped the California Secretary of State Debra Bowen conduct a survey of her state's electronic voting systems.

One of those graduate students, J. Alex Halderman, recently gave a talk at ShmooCon 4 suggesting that with improvements, electronic voting systems could work well in a future election. Last Friday, Sequoia Systems contacted Felten and threatened legal action if he or his students conducted an investigation of a working New Jersey voting machine. On Monday, Felten posted the e-mail on his blog.
Posted March 19, 2008 by David Hale in Security News
By Dan Goodin
March 19, 2008 - 20:40 GMT

DSL Reports, a website for broadband users, popped back online after being taken down by a distributed denial of service attack. At least 1,100 bot-infested machines took part in the assault, which at one point directed nearly 48MBps of malicious data at the site. The flood continues, although changes to the site's front-end server drastically improved its defenses. Several hours after the attack began, the DDoS was throwing about 12MBps of data at the site, enough for it to stay online.

"The traffic is small in size, but is entirely composed of tiny open-connection requests from an ever growing list of IPs," Justin, the site's operator said in this thread. "I'm black holing about 5 new ones a minute and we're over 1,100 now. Now I'll have time to try a different front-end server that may be more resistant to the type of open connection request this botnet is employing."

According to researcher Jose Nazario at Arbor Networks, the command and control center of the attacking botnet appears to be located at IP address 79.135.166.122. He is encouraging ISPs to block port 80 traffic to that server, which he says is "a busy DDoS net which has attacked numerous sites around the world." Despite its name, DSL Reports is a resource for techies looking for information on a host of topics.

Its security forum is a great place to learn general tips about how to stay one step ahead of online miscreants or to troubleshoot specific security problems. The site also provides forums and information on a variety of other topics, from Unix administration to ham radio. There's no clear motive for the attack. It's possible a script kiddie took offense to a slight that was either explicit or merely perceived.
Posted March 18, 2008 by David Hale in Security News
By John Leyden
March 18, 2008 - 11:38 GMT

A former Microsoft worker has identified security vulnerabilities in smart card plug-in software for Windows Vista that might allow hackers to take over vulnerable PCs. Dan Griffin used a fuzzing tool he developed, dubbed SCardFuzz, to find bugs in software from an unnamed smart card vendor.

Griffin, who left Redmond's smart card development team to work for small Seattle-based security consultancy JW Secure, plans to demo the hack (which he claims might allow attackers to gain full system access) at the CanSecWest security conference in Vancouver at the end of March. A Java applet supplied by the unnamed vendor allows programs to be created on the card, and these programs might be malicious.

"Writing a hacker applet on the card is not that hard or far-fetched," Griffin told Dark Reading. The SCardFuzz tool creates an applet on smart cards that generates a stream of fake and jumbled data. This malformed data is used to probe Microsoft's Smart Card Minidriver interface for problems. SCardFuzz triggers a heap-based buffer overflow in the unnamed vendor's plug-in for Microsoft Vista, allowing hackers to crash or take control of vulnerable PCs.

"You insert it into a reader on an unattended machine ... And you can take out a system process and at best, make it crash, or at worst, take over that process and control it," Griffin explained. The same attack methodology ought to work under Windows XP, Heise security reports.
Posted March 18, 2008 by David Hale in Security News
By Joel Hruska
March 18, 2008 - 05:04AM CT

One of the factors that make an ongoing malware attack so difficult to stop is the speed with which the assault can evolve. Over the past 12 days, an IFrame injection attack that originally focused on ZDNet Asia has been spreading across the 'Net, changing targets and payloads on an almost daily basis. An IFrame (short for inline frame) is an HTML element used to embed HTML from another source into a webpage.

The timeline of the attack is provided below, thanks in no small part to security consultant Dancho Danchev, who has kept a play-by-play account of the IFrame attack on his blog. This particular IFrame exploit takes advantage of web site query caching. Web sites often cache the results of search queries that are run locally. These search results are forwarded to search engine providers (think Google or Yahoo), who use the information to generate their own search results.

Hackers exploit the system by typing a query immediately followed by the text of an IFrame. This data (including the IFrame) is then passed to various search engines and displayed if a user searches for a relevant keyword. When the user visits an apparently legitimate document, the IFrame activates and attempts to complete whatever instructions it has been given. The major advantage of an injected attack versus an embedded one is that an injected attack requires no direct access to a web site's server backend.

Instead, it takes advantage of the company's SEO (Search Engine Optimization) practices and poisons the results that are fed back to web surfers. The first wave of injections targeted ZDNet Asia and torrentreactor.net. The attackers shifted away from these two domains quickly and branched out into other web sites. One key purpose of the attack was to advertise the rogue antivirus product developed by the RBN (Russian Business Network), XP Antivirus.
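The query-reflection mechanism described above, shown as an added example that is not code from the article or from Danchev's write-up: a cached search query echoed into a results page unescaped (the weakness the attack relies on) beside the HTML-escaped form that neutralises it, plus a small detector that flags search queries carrying frame markup in constructed access-log lines. The log format, the `/search?q=` path and the hostnames are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the page): an ordinary search,
# a search whose query carries percent-encoded IFrame markup, and an unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2008:04:50:01 +0000] "GET /search?q=firefox+2.0.0.13 HTTP/1.1" 200 5120
198.51.100.7 - - [18/Mar/2008:04:50:09 +0000] "GET /search?q=antivirus%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%2Fx%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 5300
203.0.113.9 - - [18/Mar/2008:04:51:12 +0000] "GET /news/12345 HTTP/1.1" 200 8800
"""

# Common Log Format request line: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that has no business inside a search term.
MARKUP_RE = re.compile(r'<\s*/?\s*(iframe|script|object|embed)\b', re.IGNORECASE)


def render_results_unsafe(query, hits):
    """The weakness the article describes: the cached query is echoed verbatim."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<h1>Results for {query}</h1><ul>{items}</ul>"


def render_results_safe(query, hits):
    """Hardened form: escape every request-derived string before it reaches the page."""
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<h1>Results for {html.escape(query)}</h1><ul>{items}</ul>"


def extract_query(target):
    """Return the decoded q= parameter of a /search request, else None."""
    parts = urlsplit(target)
    if parts.path != "/search":
        return None
    # parse_qs percent-decodes and turns '+' into spaces for us.
    return parse_qs(parts.query).get("q", [None])[0]


def find_injected_queries(log_text):
    """Scan access-log lines and report search queries that carry frame/script markup."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = extract_query(m.group("target"))
        if query is None or not MARKUP_RE.search(query):
            continue
        findings.append({"ip": m.group("ip"), "query": query, "status": m.group("status")})
    return findings


def markup_survives(query):
    """True if the unsafe renderer would emit the query's markup as live HTML."""
    return bool(MARKUP_RE.search(render_results_unsafe(query, [])))


if __name__ == "__main__":
    for f in find_injected_queries(SAMPLE_LOG):
        print(f"{f['ip']} sent a search query containing markup: {f['query']!r}")
        print("unsafe render keeps markup:", markup_survives(f["query"]))
        print("escaped render:", render_results_safe(f["query"], []))
```

Reviewing the cached-query store with the same detector is worthwhile, since the poisoned entries persist in the cache and in search-engine results long after the request that planted them.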