Posted December 05, 2007 by rippinchikkin (view all posts) in Security News
Rating antivirus software: vendors to agree on standard testing guidelines
By Joel Hruska
December 05, 2007 - 01:00AM CT

Understanding which AV package provides the best level of total protection isn't easy. Products from Symantec (Norton Antivirus) and McAfee are virtually ubiquitous, but there are a dozen or more smaller players in the market, all of which advertise themselves as being the best solution for total antivirus protection.

Since each company creates its own benchmarks and comparisons, though, it's virtually impossible for an end user to compare one product against another. AV manufacturers are aware of this problem, and are working collectively towards a solution. As PC World reports, many of the larger players in the AV market met in Seoul last week to form the Anti-Malware Testing Working Group.

The new group will be tasked with creating a set of software benchmarks that can conduct behavioral tests on multiple suites of security software. Currently, most comparative AV tests are signature-based. This type of test is analogous to what occurs when an antivirus product runs a hard drive scan--virus files with various signatures are scattered throughout the data set that's being checked and each product is rated on how many of those various files it managed to detect.

Behavioral scans, on the other hand, are meant to replicate how a PC typically encounters malware, and they model a wide variety of scenarios from email virus detection to page redirects. Companies that have signed on to work with the new group include Symantec, F-Secure, and Sunbelt Software (no McAfee yet).

Ars Technica
Posted December 04, 2007 by rippinchikkin (view all posts) in Security News
Critics rap Microsoft safety study of IE, Firefox
By Liam Tung
December 4, 2007, 10:20 AM PST

Internet Explorer is more secure than Firefox, according to a senior Microsoft executive, who compared how many vulnerabilities were found in the two browsers--but critics say his study is flawed.

Jeff Jones, security strategy director of Microsoft's Trustworthy Computing Group, released a study last week comparing the flaws in Microsoft's Internet Explorer to Mozilla's Firefox browser; unsurprisingly, he concluded that Microsoft is doing a better job than Mozilla.

Challenging early predictions that Mozilla's Firefox browser would experience fewer vulnerabilities than IE, Jones conceded that both companies' browsers have experienced significant flaws. Jones said Mozilla has fixed more flaws in its browser than Microsoft during equivalent periods, which he said renders Firefox more vulnerable than IE.

"Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products--75 high severity; 100 medium severity; and 24 low severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer--54 high severity, 28 medium severity; and five low severity," Jones said.

CNET News

By Patrick Gray
December 4, 2007

Microsoft is releasing a patch for a serious security vulnerability that allows lone attackers who register particular internet domain names to seize control of millions of computers. Ethical hacker and software engineer Beau Butler researched the bug and presented his findings to the inaugural Kiwicon security conference in Wellington, New Zealand, last month.

Microsoft was unaware of the bug until contacted by Next two weeks ago and has worked frantically to produce a fix. The glitch affects the way browser software attempts to automatically configure proxy settings and means millions of PCs around the world are attempting to download configuration information from the internet instead of their ISP.

By simply registering a special domain name an attacker could feed bogus configuration information to affected PCs, hijack their connections to the internet and seize control of them. Butler registered wpad.co.nz, which he says would have allowed him to hijack over 160,000 computers in New Zealand alone. The vast majority of browsers affected were Internet Explorer, but Butler says the glitch is also present in the open source Firefox browser.

The bug also means Australian computers attempt to download configuration information from domains including wpad.com.au. That domain is registered to John Walker, the managing director of Henge Systems, a technology consultancy and hosting provider that counts the Australian Federal Police and the Society for Worldwide Interbank Financial Telecommunication among its clients.

The Sydney Morning Herald
Posted December 03, 2007 by rippinchikkin (view all posts) in Security News
Apple QuickTime Exploit In The Wild
By Tom Espiner
December 3, 2007 - 8:14 AM PST

Symantec has found active exploit code in the wild for an unpatched Apple QuickTime vulnerability. Researcher Joji Hamada wrote in Symantec's Security Response Weblog on Saturday that the company had seen an active exploit for the vulnerability in Apple's media-streaming program that could lead to users downloading Trojan software.

Hamada said the exploit code was found on a compromised porn site that redirects users to a site hosting malicious software called "Downloader." Downloader is a Trojan that causes compromised machines to download other malicious software from the Internet. Symantec rates Downloader as "very low" risk. No patch is currently available for the vulnerability, which affects version 7.x, and which lies in a boundary error when QuickTime processes Real Time Streaming Protocol (RTSP) replies.

Symantec is advising concerned IT professionals to run Web browsers at the highest security settings possible, disable Apple QuickTime as a registered RTSP protocol handler, and filter outgoing activity over common RTSP ports, including TCP port 554 and UDP ports 6970-6999. Proof of concept code was published when the vulnerability was disclosed by security research company Secunia last week.

CNET News
Posted December 03, 2007 by rippinchikkin (view all posts) in Security News
Spam's end? Maybe, if time allows
By John Markoff
December 2, 2007, 10:35 PM

SANTA CLARA, Calif.--Twenty-five years ago Steven T. Kirsch built a better mouse. Now he believes he has found a way to create a better trap--for spam, not mice--if he has enough time to finish his project. An MIT-trained engineer, Kirsch was frustrated by the quality of the first computer mice in 1982, so he set out to improve them by incorporating an optical sensor.

Since then he has started four companies, all based on his frustrations with existing products or services. He has made forays into word processing document design, accelerating the Web, and in 1997 Infoseek, his search engine company, was the third ranking company in Web search. In many ways Kirsch, who is 50 years old, has come to exemplify what distinguishes Silicon Valley--a blend of engineering skills with persistent entrepreneurship.

Along the way he has amassed a personal fortune of about $230 million, a success that has permitted him and his wife to become significant philanthropists in Silicon Valley by contributing more than $75 million to the United Way campaign and other causes through his foundation. Recently he has taken on the challenge of e-mail spam.

This year he founded Abaca, a company with a new approach in the crowded market for stopping junk electronic mail. Abaca claims that it can filter out 99 percent of all spam, and supports the claim with a money-back guarantee. According to the result of an independent survey last February by Opus One, a computer industry consulting firm in Tucson, Ariz., that would be significantly better than the results of six leading spam blockers.

CNET News
Posted December 01, 2007 by rippinchikkin (view all posts) in Security News
Government-sponsored cyberattacks on the rise, McAfee says
By Jon Brodkin
November 29, 2007

Governments and allied groups worldwide are using the Internet to spy and launch cyberattacks on their enemies, targeting critical systems including electricity, air traffic control, financial markets and government computer networks, according to McAfee’s annual report examining global cybersecurity.

This year, China has been accused of launching attacks against the United States, India, Germany and Australia, but the Chinese are not alone: 120 countries including the United States are said to be launching Web espionage operations, according to McAfee’s Virtual Criminology Report, issued today and developed with input from NATO, the FBI, the United Kingdom’s Serious Organized Crime Agency, and various groups and universities.

“Cyber assaults have become more sophisticated in their nature, designed to specifically slip under the radar of government cyber defenses,” McAfee states. “Attacks have progressed from initial curiosity probes to well-funded and well-organized operations for political, military, economic and technical espionage.”

One attack against Estonia, allegedly carried out by Russia, disrupted government, news and bank servers for several weeks in April, McAfee notes. In the United States, a Pentagon computer network allegedly was hacked by China-based perpetrators in June, the McAfee report states.

Network World

Article submitted by jaelanicu
Posted November 29, 2007 by rippinchikkin (view all posts) in Security News
Comcast Using Malicious Hacker Technique Against Own Customers, New Report Says
By Sarah Lai Stirland
November 28, 2007 - 4:15:56 PM

One of the nation's largest telecommunications companies is using a controversial technique to cripple certain kinds of Internet traffic traveling across its networks, says a new report from the digital rights group the Electronic Frontier Foundation in San Francisco.

"Comcast is essentially deploying against their own customers techniques more typically used by malicious hackers (this is doubtless how Comcast would characterize other parties that forged traffic to make it appear that it came from Comcast or its subscribers,)" write the authors of the new report.

"In other words, Comcast is essentially behaving like a telephone operator that interrupts a phone conversation, impersonating the voice of one party to tell the other that this call is over, I'm hanging up." The nine-page investigation was conducted by EFF staff technologists Peter Eckersley, Seth Schoen and senior intellectual property attorney Fred von Lohmann.

The investigators say that their tests confirmed an earlier one conducted by the Associated Press that showed that Comcast is interfering with BitTorrent traffic. BitTorrent is a protocol used to efficiently distribute the online transmission of large files, and some entertainment companies have partnered with its creators to distribute its content online.

Wired Blog

Article submitted by jaelanicu
Posted November 28, 2007 by rippinchikkin (view all posts) in Technology News, Security News
Congress Anti-Extremist Bill Targets Online Thoughtcrime
by Declan McCullagh
November 28, 2007 4:06 PM PST

Congress is about to approve the Violent Radicalization and Homegrown Terrorism Prevention Act of 2007. This is not necessarily a good thing for Internet users. I say that because VRAHTPA establishes a new federal commission tasked with investigating Americans with "extremist belief systems" and those who may engage in "ideologically based violence."

This effort is expected to cost $22 million. It's possible, of course, that nothing will come of VRAHTPA. Technically no new laws are being proposed except those creating the so-called National Commission on the Prevention of Violent Radicalization and Homegrown Terrorism.

But creating a homeland security commission staffed primarily by Washington types with security clearances, which will be run by Washington antiterror types, which meets mostly in secret, and which will present a classified report to the president about "extremist belief systems"--well, that has the potential to turn ugly.

Here's an actual example of censorial mission creep from Alabama's Department of Homeland Security, which believes domestic terrorists are those Americans who say the "U.S. government is infringing on their individual rights, and/or that the government's policies are criminal and immoral."

CNET Blogs
Posted November 28, 2007 by rippinchikkin (view all posts) in Security News
Zero Days: How To Protect Yourself
By Ryan Naraine
November 28th, 2007

The SANS Institute released its top 20 security risks for 2007, which documents the security arms race between cyber criminals and the folks playing defense. But let’s focus on the big scourge–zero day attacks.

The report released Wednesday (press release) gives a nice overview of zero day attacks, recaps the year and provides some tips on how to protect yourself. The last part is particularly handy given that zero days aren’t going extinct–Word, Office, Acrobat and RealPlayer were targets in 2007–any time soon. On the bright side, SANS says:

Several zero day attacks were recorded in 2007 although that number has dropped from the previous year. However, a lot more can be done. Here’s a look at SANS advice on thwarting the dreaded zero day.

* Adopt a deny-all stance on firewalls and perimeter devices that protect internal networks. My take: Shouldn’t this be a no brainer for most companies?
* Separate public-facing servers from internal systems. My take: Hopefully a few retailers will read this.
* Turn off unneeded services and remove user applications that do not support operational needs. My take: Prune those apps. It saves money too........

ZDNET Blogs
Posted November 28, 2007 by rippinchikkin (view all posts) in Security News
Google search results delivering massive malware attacks
By Ryan Naraine
November 27th, 2007

For the last two days, security software firm Sunbelt Software has been all over what could develop into a scary trend: Rigged Google search results that deliver big malware payloads. On Monday, Sunbelt reported “we’re seeing a large amount of seeded search results which lead to malware sites.”

The search terms leading you to these malware payloads were pretty basic fare. This screenshot courtesy of Sunbelt shows an example of the malware sites (Sunbelt’s post has a bunch of other examples). On Tuesday, Sunbelt researcher Adam Thomas followed up with another post. Thomas wrote:

Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages.

Simply put, ******* near any Google search term–even terms like “hospice”– can take you to one of these malware sites. Computerworld quotes Sunbelt Software CEO Alex Eckelberry as saying "this is huge." I’m inclined to agree, especially considering Eckelberry’s inventory: “27 different domains, each with up to 1,499 [malicious] pages. That’s 40,000 possible pages.”

ZDNET Blogs
Posted November 27, 2007 by rippinchikkin (view all posts) in Technology News, Security News
Yahoo's Cyber Monday mess finally fixed
by Elinor Mills
November 27, 2007 11:37 AM PST

I feel bad for the thousands of small merchants who rely on Yahoo for their e-commerce services. They totally missed the anticipated sales spike on Cyber Monday, so dubbed because it is the first big day of online sales after Thanksgiving, which heralds in the holiday shopping season.

The problem with error messages coming up during checkout transactions, cutting off the checkout process, was first reported by Yahoo to its Merchant Solutions customers. The problems started around 6 a.m. PT Monday with outages in Yahoo's systems that power the merchant stores, according to Yahoo's Yodel Anecdotal blog.

The issues lasted until about 1 p.m. PT when transactions began going through at a much higher rate, albeit much slower. By 6 p.m. PT things were back to normal, the blog entry said. That's at least seven hours with no service, and then another five hours with slow service, on what is believed to be a huge online-shopping day.

"We deeply regret the inconvenience this caused to both our merchants and their shoppers. Our customers' expectations were not met, nor were our own. And we are moving mountains inside Yahoo to find out why and how this happened, and to take steps to try to ensure it doesn't happen again," Rich Riley, senior vice president of Yahoo's online channel division, wrote in the entry, which also includes the words "mea culpa" in a purple box.

CNET Blogs
Posted November 27, 2007 by rippinchikkin (view all posts) in Security News
Mozilla patches three Firefox security vulnerabilities
by Robert Vamosi
November 27, 2007 5:32 AM PST

Mozilla on Monday released Firefox version 2.0.0.10. The update addresses three high-impact security vulnerabilities. Two concern cross-site request forgeries, which can be used to steal personal information while visiting certain sites, and one concerns memory corruption.

The update is being pushed out to all current Firefox users. New users can download the current Firefox release. The first cross-site request forgery vulnerability could allow an attacker to generate a fake HTTP referer header by exploiting a timing condition when setting the window location property. Mozilla says the referer header is supposed to reflect the address of the content that initiated the script.

"Instead, the referer was set to the address of the window (or frame) in which the script was running, and this vulnerability arises from that tiny difference." It credits Gregory Fleischer with reporting the issue. The second cross-site request forgery vulnerability concerns the JAR ZIP format, which enables Web sites to load pages packaged in ZIP archives containing signatures in Java archive format.

According to Mozilla, a Beford.org blogger noted that redirects confused Mozilla browsers about the true source of the JAR content: it was "wrongly considered to originate with the redirecting site rather than the actual source. This meant that an XSS attack could be mounted against any site with an open redirect, even if it didn't allow uploads."

CNET Blogs
Posted November 26, 2007 by rippinchikkin (view all posts) in Security News
Security chief asks Saudis to monitor Internet use
November 25, 2007, 6:04 PM PST

Saudis should do more to help the government monitor use of the Internet to help fight Islamic militancy, intelligence chief Prince Muqrin bin Abdul-Aziz said on Saturday. "We want to teach citizens how to monitor things on the Internet...mum and dad must pay attention to their kids," he told reporters.

The prince was giving details of a conference on information technology and national security his intelligence body will hold next week. The conference is part of a new effort to get Saudis to help the authorities tackle a four-year-old campaign by militants allied to al-Qaida against the U.S.-allied government. The campaign has died down over the last two years after a series of attacks on foreign residential compounds, government buildings, and energy-sector installations.

Authorities have arrested dozens of militant suspects this year. The government has raised fears that Saudis who have gone to Iraq to fight U.S.-led forces and the U.S.-allied government will return to Saudi Arabia to continue their struggle.

Prince Muqrin said the intelligence agency would also set up a Web site where citizens can, anonymously, share their suspicions about militant activity. Next week's conference marks the first time the intelligence services have joined in the government's public campaign against Islamist radicalism.

CNET News

Posted November 25, 2007 by rippinchikkin (view all posts) in Security News
Finding and exploiting holes in software features
November 23rd, 2007
By Nate McFeters

With the holiday season fast approaching, and being so in the spirit of giving, I thought I’d compile a list of the top features that led to security issues I discovered with co-researcher Billy Rios. With the New Year on its way, this should give the developers out there a chance to come up with some New Year’s resolutions regarding the lessons learned from a year in the wild world of computer security.

Picasa’s Button Import Feature and Built-in Web Browser/Server. Google’s Picasa includes a button import feature that can be accessed from a URI. This feature is actually quite useful, as it allows a user to click a link and import an XML description of a button into Picasa that when clicked will post images to Tabblo or Flickr albums. This is done with a Java applet that requires user interaction before upload.

Unfortunately, URIs are also accessible to attackers through cross-site scripting (XSS), so an attacker can XSS a Picasa user, load Flash which doesn’t do DNS pinning (this JUST missed our list), and then steal the user’s images without any interaction or confirmation. I use Picasa to modify my pictures, but I can’t help worrying about the built-in web browser and web server that Picasa includes.

Sure, the server is bound to the local loopback, but we can access it through Flash loaded in Picasa’s built-in browser as mentioned above. We could use the Flash we loaded in the built-in browser to attack the built-in server as well, which may lead to more vulnerabilities. Starting web servers on the local loopback appears to be a design pattern for Google as Google Desktop does the same.

ZDNET Blogs
Microsoft confirms that XP contains random number generator bug
By Gregg Keizer
November 21, 2007

Windows XP, Microsoft Corp.'s most popular operating system, sports the same encryption flaws that Israeli researchers recently disclosed in Windows 2000, Microsoft officials confirmed late Tuesday.

The researchers, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, reverse-engineered the algorithm used by Windows 2000's pseudo-random number generator (PRNG), then used that knowledge to pick apart the operating system's encryption.

Attackers could exploit a weakness in the PRNG, said Pinkas and his colleagues, to predict encryption keys that would be created in the future as well as reveal the keys that had been generated in the past. As recently as last Friday, Microsoft hedged in answering questions about whether XP and Vista could be attacked in the same way, saying only that later versions of Windows "contain various changes and enhancements to the random number generator."

Yesterday, however, Microsoft responded to further questions and acknowledged that Windows XP is vulnerable to the complex attack that Pinkas, Gutterman and Dorrendorf laid out in their paper, which was published earlier this month.

Computer World