THESE PAGES HAVE BEEN DISCONTINUED - FOR ARCHIVAL PURPOSES ONLY

Posted February 07, 2008 by David Hale in Security News
Truecrypt 5.0 is out and it's free, for Windows, Mac OS/X and Linux
By Egan Orion
February 7, 2008 - 11:03 AM

TRUECRYPT - the vendor of free, open source, on-the-fly data encryption - has released version 5.0. Truecrypt is free and available for Windows Vista or XP, Mac OS/X, and Linux.

What's new in Truecrypt release 5.0 includes a version for Mac OS/X and the capability to encrypt the system hard drive, that is, where Windows Vista or XP is installed, with pre-boot authentication. What that means is that anyone who wants to use the system must first enter the password before the PC will boot.

This last is particularly relevant for most Windows users because they typically have Windows itself and all software and data on a single hard disk partition.

Other new features in Truecrypt 5.0 include:

* Pipelined operations to increase data read/write speed by up to 100 per cent under Windows.
* XTS mode of operation, the IEEE 1619 standard for cryptographic protection of data on block storage devices.
* Use of the SHA-512 hash algorithm, replacing SHA-1.
* A graphical user interface (GUI) for the Linux version.
* In the Linux version, abstraction from changes to the Linux kernel.

The Inquirer
Posted February 06, 2008 by David Hale in Security News
Adobe Delivers Reader Patch (Very Quietly)
By Larry Dignan
February 6th, 2008

If you got a prompt to upgrade your Adobe Reader to version 8.1.2 you’re not alone. Betcha didn’t know it’s a major security fix though. Why? You wouldn’t know because Adobe hasn’t told anyone. The best information you’ll get is a few snippets in an Adobe Knowledge Base article. The Reader update is AWOL on Adobe’s security bulletin site.

Here’s what Adobe had to say: The Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability. - Oh really? I got this update prompt early this am and as usual I did the “remind me later” trick. I would have taken the update more seriously if I knew there was a vulnerability issue.

Ryan Naraine reports that this Adobe update on the sly plugs a vulnerability that allows rigged PDF files to launch code execution attacks. Immunity has posted a proof-of-concept exploit to boot. In the grand scheme of things Adobe is delivering a run of the mill patch. What’s annoying is the disclosure–or lack of it. This gets to the heart of what IBM’s ISS unit was talking about yesterday when it reported that vulnerability disclosures were down in 2007. A sign of progress? Not quite. It’s just that people are keeping mum about vulnerabilities.

Update: Adobe has issued a statement: On Feb. 6, Adobe made available an update to Acrobat and Adobe Reader 8.x. It updates the Windows and Mac versions of Acrobat to 8.1.2, and the Windows, Mac, Linux, and Solaris versions of Adobe Reader to 8.1.2. In addition to addressing bug fixes and providing support for Mac OS X Leopard (up through version 10.5.1), the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable......

ZDNET Blogs
Posted February 05, 2008 by David Hale in Security News, Windows / Microsoft
The High Cost Of E-Mail Autocomplete
by Ina Fried
February 5, 2008 2:16 PM PST

I've always been leery of Microsoft Outlook's autocomplete feature. That's the one that guesses who you want to send the e-mail to by looking at the first few letters you type. It's right most of the time. But with e-mail used to send everything from jokes, to family photos to corporate secrets, "most of the time" seems like far too low a bar.

Eli Lilly and its outside lawyers found this out the hard way this week when one of the esquires sent a note intended for a colleague to a New York Times writer with the same last name. (Note: I'm not certain which e-mail program the lawyer was using, and it's supposition, though a seemingly safe bet, that some sort of autocomplete was to blame.)

The result was that confidential negotiations with the government involving as much as $1 billion quickly became nonconfidential. The Times, doing what it does, got a big scoop. A representative for Pepper Hamilton, the law firm whose barrister sent the note, was not immediately available for comment. But, in good news for the firm, an Eli Lilly representative told Portfolio that the firm is not immediately getting the boot.

Still, those are some pretty big consequences for a feature that saves a few seconds' time. Sure, those seconds add up over time. But I imagine the lawyer in question would give any amount of time to have that e-mail back. I try to always give my address bar a second look before hitting send, but once or twice have found my note to a colleague going to an outside contact with a similar name.

ZDNET Blogs
Posted February 05, 2008 by David Hale in Security News, Windows / Microsoft
So long ActiveX. Will I miss you?
By Larry Dignan
February 4th, 2008

I’m following the advice of US CERT and other security wonks and disabling my ActiveX controls in IE. The big question: Will I miss it? The short answer is probably not since I mostly use Firefox. However, there are times when I’ll toggle over to IE for various reasons and have hit the ActiveX prompt.

But given the latest Facebook, MySpace flaws and a conversation about ActiveX support I had earlier I’m going on an ActiveX diet. CERT has a point. But I’m more interested in the hard core IE users. Has anyone else taken this step? And has it been painful to live without ActiveX? You can disable your ActiveX controls by going into Internet Options and then unclicking the mumbo jumbo that Microsoft has on by default.

ZDNET Blogs
Posted February 05, 2008 by David Hale in Security News
Google offers security and compliance services for any e-mail system
by Elinor Mills
February 4, 2008 9:01 PM PST

Google is using its Postini acquisition to offer security features for any e-mail system. The company is set to launch several new security products on Tuesday that are part of its Google Apps platform but are targeted at organizations that aren't using Gmail and other Web-hosted applications from Google.

The Powered by Postini services are message filtering with spam and malware filtering, for $3 per user per year; message filtering plus enhanced virus detection, content policy management, and other support to stop e-mail data leaks, for $12 per user per year; and message discovery, which adds one year of message data archiving, retention, and discovery to help companies comply with legal and government regulatory compliance requirements, for $25 per user per year.

The message discovery service will appeal to executives who are increasingly worried about employees downloading copyrighted content, such as MP3 files, at work and leaking confidential information in e-mails, said Sundar Raghavan, a product marketing manager for Google.

The packages are available online, as well as directly from Google or through channel partners. The policy management and 90-day message discovery services are available as part of the Google Apps Premier Edition, which includes Gmail, Google Docs, Google Calendar, Google Talk, and Start Page for creating a home page.

CNET Blogs
Posted February 04, 2008 by John Derrick in Technology News, Security News

Google offers security and compliance services for any e-mail system
by Elinor Mills
February 4, 2008 9:01 PM PST
Posted February 04, 2008 by David Hale in Security News
Facebook Image Uploader: The Flaws Continue
By Larry Dignan
February 4th, 2008

Security researcher Elazar Broad has found another vulnerability in Facebook’s Aurigma ImageUploader control. And these vulnerabilities are stacking up. In an advisory on the Full Disclosure email list on Sunday, Broad wrote: The control is vulnerable to a stack-based buffer overflow in the ExtractExif and ExtractIptc properties. See the exploit code for buffer offsets. Other properties may be vulnerable as well to a DoS and/or code execution.

The controls, distributed by Aurigma Imaging Technology, include: FaceBook PhotoUploader 4.5.57.0, Aurigma ImageUploader4 4.6.17.0, Aurigma ImageUploader4 4.5.70.0, Aurigma ImageUploader4 4.5.126.0 and Aurigma ImageUploader5 5.0.10.0. On the bright side, FaceBook PhotoUploader 4.5.57.1 is not vulnerable so upgrade pronto. Broad noted that the latest flaw is a different one than the photo uploader issues he flagged last week affecting Facebook and MySpace.

Last week, Broad flagged ActiveX photo uploader tools distributed by Aurigma Imaging Technology. Those attacks could allow rigged Web pages to hit Windows systems. There are two fixes here. You can disable the uploader tools involved in the aforementioned flaws or disable ActiveX components. Here’s a Microsoft walkthrough. Given how these vulnerabilities are springing up at a rapid clip you may just want to disable ActiveX.

ZDNET Blogs
Posted February 04, 2008 by David Hale in Security News
Pirate gets four years in Taiwan clink
February 4, 12:02PM

THE CRIMINAL behind 90 per cent of the world’s high quality counterfeit volish software will spend the next four years in clink. Huang Her-sheng and three fellow fakers were sent down by a Taiwanese court. The sentences ranged from 18 months with Huang’s four years equalling the heaviest ever Taiwanese sentence for software piracy.

Huang ran Taipei based distributor Maximus Technology Inc., which over a six year period produced and dispatched $900 million in fakes to resellers and users in 22 countries from two CD plants. John Newton, manager of the Intellectual Property Crime project at INTERPOL, said: "The criminals behind counterfeit syndicates are organised, resourceful and willing to spend large amounts of money to develop and ship pirated goods to markets all over the world.

Piracy is a crime, pure and simple, and it is imperative we coordinate our efforts across the globe to stop these criminal syndicates and this illicit trade." "The prison sentences handed down in this case in Taiwan - and the dozens of other criminal cases brought by prosecutors around the world against others associated with these Taiwan-based defendants - provide another stark reminder of the consequences of counterfeiting Microsoft products," said David Finn, associate general counsel for Worldwide Anti-Piracy and Anti-Counterfeiting at Microsoft.

There was no mention of any fine or whether ultimately the whole operation turned a profit for the perps.

The Inquirer
Posted January 31, 2008 by David Hale in Security News
Even SSL Gmail can get sidejacked
January 31st, 2008
by Larry Dignan

When Robert Graham demonstrated how Web 2.0 wasn’t safe at last year’s Blackhat, it was thought that at least the SSL mode (HTTPS) of Google Gmail would be spared from sidejacking. That presumption now appears to be false according to this updated blog posting from Graham.

Even with SSL enabled, Gmail sessions can still be hijacked by Graham’s Hamster and Ferret (or less easily with Wireshark and Mozilla’s cookie editor). Sidejacking is a term Graham uses to describe his session hijacking hack that can compromise nearly all Web 2.0 applications that rely on saved cookie information to seamlessly log people back in to an account without the need to reenter the password.

By listening to and storing radio signals from the airwaves with any laptop, an attacker can harvest cookies from multiple users and go into their Web 2.0 application. Even though the password wasn’t actually cracked or stolen, possession of the cookies acts as a temporary key to gain access to Web 2.0 applications such as Gmail, Hotmail, and Yahoo. The attacker can even find out what books you ordered on Amazon, where you live from Google maps, acquire digital certificates with your email account in the subject line, and much more.

Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail’s JavaScript code will fall back to non-encrypted http mode if https isn’t available. This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won’t be able to connect to anything.

ZDNET Blogs
Posted January 31, 2008 by David Hale in Security News
Security Threats Are Gender-Equal, But Men Think They Rock
By Jacqui Cheng
January 30, 2008 - 07:24PM CT

When it comes to online security, everyone thinks they're an expert. Especially men, it seems, as a new "report" funded by security software maker AVG suggests. The company says that, like most things, men tend to think that they know more about online security than women. That's apparently not true, however, as AVG states that everyone suffers online attacks equally, despite what they may think.

The findings come from a survey of 1,400 adults in the UK about their own knowledge of security while using the 'Net. Men were exceptionally confident in their own security prowess, and only 4 percent of them said they didn't know what kind of online protection they had in place. But confidence doesn't always translate into reality, it seems. AVG's survey found that a third of all users—both men and women—had suffered some form of identity theft.

And when asked whether they would change their habits as a result, only 20 percent said that they would. I guess when it comes to being complacent, men and women are on equal ground. "My gut feeling, because I'm a man, is that it is one of those societal gender things," AVG global security strategist Larry Bridwell said in a statement to vunet. "Men feel that they are more in control of what they do."

The problem, according to AVG, is that users don't have a lot of options in changing their risk factors, unless they just disconnect. "Users are locked in," Bridwell said, noting that something as simple as travel now practically requires the use of e-commerce sites. But the suggestion that they can't do much else is not entirely true. Skeptical computing is essential, and the choice of computing platform has significant effects on one's risk factors.

Ars Technica
Posted January 31, 2008 by David Hale in Security News
Mozilla Ups Unpatched Firefox Flaw To HIGH
By Larry Dignan
January 30th, 2008

Mozilla has given a proof of concept Firefox vulnerability a “high severity” rating because an attacker can collect session information such as cookies and history, according to Mozilla security chief Window Snyder.

Snyder said the vulnerability will be patched with Firefox 2.0.0.12, which will be pushed out “shortly.” On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by researcher Gerry Eisenhaur on Jan. 19. Simply put, Firefox leaks information that can allow an attacker to load any javascript file on a machine.

This “chrome protocol directory traversal” is in play whenever “flat” files–common in add-ons–are installed. Chances are good that most Firefox users will have at least a few of these add-ons installed. That’s a lot of data leakage. Mozilla initially gave the flaw a low severity rating, but changed its mind after further investigation.

Snyder writes: An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default. If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

ZDNET Blogs
Posted January 30, 2008 by David Hale in Security News
Immunity Launches Exploit For Windows Worm Hole
By Larry Dignan
January 29th, 2008

A workable exploit attack for a TCP/IP vulnerability in Microsoft’s Windows has been launched into the wild courtesy of security firm Immunity. On Jan. 17, it became clear that you shouldn’t dawdle on deploying Microsoft’s MS08-001 patch.

That patch, issued Jan. 8, fixed a Transmission Control Protocol/Internet Protocol (TCP/IP) processing vulnerability that was critical for XP and Vista. After security firm Immunity issued a proof of concept, Microsoft acknowledged the vulnerability, but said an attack was “unlikely.” With Microsoft’s assessment it basically threw down the gauntlet.

A few days later Immunity is at it again–this time with a workable exploit. Immunity, which ships exploits for its paying subscribers, has issued a flash movie detailing the exploit in action. It isn’t 100 percent reliable, but the odds are better than unlikely now.

ZDNET Blogs
Posted January 29, 2008 by David Hale in Security News
Barracuda defends open-source antivirus from patent attack
By Ryan Paul
January 29, 2008 - 09:04AM CT

Mail and security appliance vendor Barracuda Networks announced plans today to defend the open-source ClamAV antivirus program from dubious patent threats made by Trend Micro, a prominent security software company. Trend Micro claims that its US Patent 5,623,600 broadly covers the concept of server-based antivirus software on FTP and SMTP gateways.

Trend Micro alleges that Barracuda's inclusion of the open-source ClamAV server-based antivirus software in commercial network security appliances constitutes patent infringement. Trend Micro has already wielded this patent against Symantec, McAfee, and a number of smaller companies, who have settled out of court despite issuing public statements denying that the patent is valid.

For most companies, the cost of settlement is cheaper than the cost of protracted litigation—a factor that companies count on when they attempt to collect licensing money. The most cost-effective solution for Barracuda would likely be to negotiate a licensing agreement with Trend Micro that provides limited patent indemnity to Barracuda customers (much like the controversial agreement between Microsoft and Novell), but Barracuda is unwilling to consider that option because it would leave all other downstream users at risk.

In an effort to protect the ClamAV project and its users from predatory infringement claims, Barracuda has decided to take the matter to court rather than settling. The company announced today that it has already filed for a declaratory judgment that Trend Micro's patent is invalid.

Ars Technica
Posted January 29, 2008 by David Hale in Security News
Bavarian government caught looking for Skype backdoor
By Jeremy Reimer
January 28, 2008 - 10:43PM CT

Leaked documents sent from the government of the German province of Bavaria have revealed an attempt by the Ministry of Justice to contract out the development of software to intercept encrypted Internet communication, including conversations held over Skype.

The documents, which were leaked by the German political party Piraten, are addressed to a software firm by the name of Digitask and come in two parts. The first is a letter from the Bavarian ministry inquiring about Digitask's ability to develop this interception software, along with a list of suggested monthly rental prices that Digitask could charge the government to rent its interception solution.

The second is a reply from Digitask outlining how the company would deploy their solution. The method outlined involved the installation of malware referred to as the "Skype Capture Unit" that would be delivered in an executable file that "can for instance be attached to an e-mail or directly be installed on the target machine."

This software would then transfer unencrypted conversations to a remote Skype Recording Server that can record and replay 10 Skype interceptions in parallel. The Recording Server then sends the conversations through to Skype and their intended destination, a classic "man in the middle" attack that is difficult for the compromised user to detect.

Ars Technica
Posted January 28, 2008 by David Hale in Security News
UK Military Laptop Theft Exposes Thousands To Risk Of Identity Theft
By Ryan Paul
January 27, 2008 - 09:45PM CT

The UK's Ministry of Defense (MOD) is conducting a review of information security policies in response to a serious data breach that transpired earlier this month. A laptop that was stolen from the car of a military recruitment officer contained information about approximately 600,000 people, most of whom were prospective recruits.

The database stored on the laptop was not encrypted—a significant violation of MOD data handling policies. The records, the earliest of which date back to 1997, primarily consisted of names and basic contact information, but more sensitive data—such as passport information, National Health Service numbers, medical details, and drivers' license numbers—were included for 153,000 individuals.

Financial and banking information of approximately 3,700 people was also stored on the laptop. The theft has compelled defense secretary Des Browne to launch extensive policy reviews and appoint a Data Protection Officer who will be responsible for evaluating MOD information security practices on an ongoing basis. Browne believes that the failure to use encryption is primarily the result of inadequate training.

"Our internal investigation has identified weaknesses in the application of MOD security procedures to this database, which is managed by the Army Recruiting and Training Division on behalf of all three services," said Browne in a statement made to the House of Commons. "In the time available it has not been possible to establish all of the facts, but it is clear that the database files were not encrypted, in breach of MOD procedures, and that there were shortcomings in security training and awareness among the relevant staff."

Ars Technica