Posted June 08, 2009 by David Hale in Security News
by Elinor Mills
June 5, 2009 5:27 PM PDT

Jeff Moss, founder of the Black Hat and Defcon hacker and security conferences, was among 16 people sworn in on Friday to the Homeland Security Advisory Council. The HSAC members will provide recommendations and advice directly to Secretary of Homeland Security Janet Napolitano.

Moss' background as a computer hacker (aka "Dark Tangent") and role as a luminary among young hackers who flock to Defcon in Las Vegas every summer might seem to make him an odd choice to swear allegiance to the government. (Although before running his computer conferences, Moss also worked in the information system security division at Ernst & Young.)

I'd like to hear some of the banter as he rubs elbows with the likes of former CIA (Bill Webster) and FBI directors (Louis Freeh), Los Angeles County sheriff, Miami mayor, New York police commissioner, governors of Maryland and Georgia, former Colorado Sen. Gary Hart, and the president of the Navajo Nation. In an interview late on Friday, Moss, who is 39, said he was surprised when he got the call and was asked to join the group.

"I know there is a newfound emphasis on cybersecurity and they're looking to diversify the members and to have alternative viewpoints," he said. "I think they needed a skeptical outsider's view because that has been missing." Asked if there was anything in particular he would advocate, Moss said: "There will be more cyber announcements in coming weeks and once that happens my role will become more clear. This meeting was focused on Southwest border protection...

Posted June 08, 2009 by David Hale in Security News
By Owen Fletcher
June 8, 2009 04:14 AM ET

China will require Web-filtering software on all computers sold in the country, another step in its efforts to control pornography and other content on the Internet. The move follows a government crackdown on online smut that has led to the closure of thousands of Web sites this year, and concern that such campaigns could expand to target content that is political rather than pornographic.

PC makers will be required to pre-install the Web site-blocking program or offer it on a CD-ROM included with all PCs sold in China after July 1, according to a translation of a Ministry of Industry and Information Technology notification seen by IDG News Service. The move is meant to protect youth from "unhealthy" information online, according to the statement.

The program, called Green Dam Youth Escort in Chinese, blocks only sites with pornographic content, and parents can turn it off, said Bryan Zhang, general manager of Jinhui Computer System Engineering, which designed the software. But the measure triggered concern about wider censorship. China blocked access to Web sites including Microsoft's Bing search engine last week, adding to a list of previously banned sites including YouTube and some blog services.

Twitter and Hotmail were also blocked ahead of the 20th anniversary last week of Beijing's bloody crackdown on democracy protests, though those Web sites could load again today. Dell Inc. will consider including the software with new PCs only if its purpose is to block pornographic content from children, and only if it can be disabled, said Amit Midha, Dell's president for Greater China.

Posted June 04, 2009 by David Hale in Security News
By Gregg Keizer
June 3, 2009 08:19 PM ET

Microsoft today said it had fixed a bug in Bing that had infuriated Internet Explorer 6 (IE6) users when they discovered that the company's new search engine had hijacked their browsers. "Last night, we corrected the issue with Bing on machines running IE6," a Microsoft spokeswoman said Wednesday in a brief e-mailed reply to questions.

Starting Monday, when Microsoft took Bing live, IE6 users began complaining that although they had previously set other search engines as the default, searches typed into the browser were instead directed to Bing. "Woke up this morning to discover that Bing had hijacked [my IE6 address bar search]," said a user identified as "clmerc" on a Google help message forum. "[I] can't change it via search/customize on the IE tool bar."

"Bing seems to have hijacked many user-programmed search preferences away from Google," echoed "Jimpobg" on another help thread. "Since I didn't know what Bing was, I really thought my computer was infected with malicious software. Well, actually....it WAS. Sounds like classic Microsoft behavior." Microsoft's spokeswoman ignored Computerworld's questions about the root cause of the problem, but one user on the Google forum explained that IE6 uses a Windows registry key to parse unknown text, such as a search phrase, that's typed into the address bar.

"The problem is, Microsoft developed their URL SearchHook to do one thing: Take the unknown text from the address bar and add it to the URL http://auto.search.msn.com/response.asp?MT=text+from+addressbar&srch=4&prov=gogl&utf8," said "Kilyo" on the same thread as clmerc. "But Bing stopped acknowledging [search] provider requests."

Posted June 03, 2009 by David Hale in Security News
By Dan Goodin
2nd June 2009 19:36 GMT

More than 40,000 websites worldwide have fallen under the spell of a sneaky piece of attack code that silently tries to install malware on the machines of people who visit them, security experts from Websense have warned.

The mass attack has been dubbed Beladen because beladen.net is one of the internet domains used to unleash a swarm of exploits that target unpatched vulnerabilities in the Internet Explorer and Firefox browsers and programs such as Apple's QuickTime. It plants highly obfuscated JavaScript at the bottom of websites that's slightly different each time, making it impossible to spot infected sites using search engines.

The compromised websites are operated mostly by smaller businesses and government agencies, and so far Websense researchers have been unable to identify a common component that is being targeted. That leaves them guessing that the sites were penetrated by sneaking key-logging programs onto the PCs of people who maintain the sites, Stephan Chenette, manager for security research at Websense, told The Register.

"It's all that we can assume because there is no common injection amongst all these 40,000" sites, Chenette explained. "The only other possible explanation is the website owners have basically had their FTP credentials or account credentials compromised." It remains unclear how many end users are being affected, however. Mary Landesman, a researcher at ScanSafe, said less than 0.03 percent of its customer base tried to visit a site infected by Beladen in the entire month of May.

Posted June 02, 2009 by David Hale in Security News
By Dan Goodin
2nd June 2009 00:03 GMT

Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said.

The problem started after a flurry of tweets directed users to a website promising "Best Video." The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe's Reader program. Victims then received an urgent warning that their systems were infected and needed to be cleaned using fraudulent security software.

"This attack is very significant," Kaspersky researcher Roel Schouwenberg writes here. "It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we've seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks." Twitter representatives said Saturday they had contained the problem after temporarily suspending accounts that had been compromised.

No confidential information was intercepted, they added. The high volume of posts on Twitter that encourage readers to follow obscured links to audio, video, and other content has created a click-first-ask-questions-later culture on the micro-blogging site that's ideal for drive-by attacks. And yet, this weekend's attack is one of the few to target Twitter users with exploits that install malware.

Posted June 01, 2009 by David Hale in Security News
By John Timmer
May 29, 2009 3:10 PM CT

The White House has revealed the results of its cybersecurity review, which makes some specific recommendations about how the issue should be tackled by the executive branch. Meanwhile, a report suggests that the military may be starting up a parallel effort that's likely to include offensive capabilities.

The Obama administration has sent a number of signals that it takes the information infrastructure of the nation seriously, having approved stimulus money for broadband and established a post for a national CTO. In parallel with these actions, the administration authorized a review of the national cybersecurity policy, and that review is now complete.

Depending on how you read the resulting report, it concluded either that we don't have a cybersecurity policy, or that we have too many of them; in either case, its authors have made a number of very specific suggestions as to how to improve the situation. The report is fairly blunt, stating early on that "the architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient."

As our network infrastructure has developed, the focus has been on things like performance, ease-of-use, and compatibility, and security consciousness was pretty low for much of its history. So, it's not a surprise that both government and private computer systems have been victimized, and evidence suggests that both private parties and foreign governments have been behind these attacks.

Posted May 28, 2009 by David Hale in Security News
by Elinor Mills
May 28, 2009 2:24 PM PDT

Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

The remote code execution vulnerability exists in the way Microsoft DirectShow, audio and video sourcing and rendering software, handles supported QuickTime format files, the company said. "Microsoft is aware of limited, active attacks that use this exploit code," Microsoft's security advisory said. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable but all versions of Windows Vista and Windows Server 2008 are not vulnerable, according to the advisory. For the attack to work an attacker would have to lure the victim to visit a malicious Web site that hosts the exploit.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Microsoft said it would release a patch to fix the hole as soon as it is ready for broad distribution. In the meantime, details on a workaround are available here, as well as a "fix it" button.

Posted May 28, 2009 by David Hale in Security News
By Dan Goodin
28th May 2009 00:34 GMT

Microsoft engineers have fortified the latest version of Windows with a feature designed to make it significantly harder for attackers to exploit bugs that may be lurking deep inside the operating system. The safeguard is called safe unlinking, and it's been dropped into a part of the Windows 7 kernel that allocates and deallocates chunks of memory.

Safe unlinking performs a series of checks before entries are removed to make sure attackers aren't trying to exploit the operating system using what's known as a pool overrun. "This simple check blocks the most common exploit technique for pool overruns," Peter Beck, a member of Microsoft's Security Science team writes here. "It doesn't mean pool overruns are impossible to exploit, but it significantly increases the work for an attacker."

During the past five years or so, Microsoft has added protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to the Windows user mode, to make it harder for attackers to exploit bugs in browsers and other applications. With the percentage of security bulletins affecting the Windows kernel rising from under five percent in 2007 to more than 10 percent last year, Microsoft decided it was time to add the protection to the kernel.

Pool overruns are to the kernel what buffer overruns are to applications. The attacks work by manipulating doubly linked lists of memory entries, in which each block points to the previous and next entry in the list. By causing a chunk of memory to point to a tainted section of code, attackers can escalate privileges on the operating system. Safe unlinking aims to make such exploits harder by deallocating a block only after checking the integrity of the surrounding list structure.
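To make the check concrete, here is an added C model of safe unlinking (illustrative code written for this page, not Microsoft's kernel code): a LIST_ENTRY-style doubly linked list in which the hardened unlink verifies that both neighbours still point back at the entry before writing through them, shown beside the unchecked unlink it replaces. The `victim` location and the overwritten pointers of entry `b` are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Doubly linked free-list entry in the LIST_ENTRY style the article describes:
 * each block points at the next (Flink) and previous (Blink) entry. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Pre-Windows-7 style unlink: trusts both pointers of 'e'. After a pool overrun
 * has overwritten them, these two stores become writes of attacker-chosen
 * values to attacker-chosen addresses. Kept only to contrast with safe_unlink. */
static void unsafe_unlink(list_entry *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* Safe unlinking: confirm both neighbours still point back at 'e' before
 * writing through them. A corrupted entry fails the check and nothing is
 * modified; the kernel raises a bugcheck at this point instead of continuing. */
static bool safe_unlink(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return false;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return true;
}

static size_t list_length(const list_entry *head) {
    size_t n = 0;
    for (const list_entry *p = head->flink; p != head; p = p->flink)
        n++;
    return n;
}

static void build_list(list_entry *head, list_entry *a, list_entry *b, list_entry *c) {
    list_init(head);
    list_insert_tail(head, a);
    list_insert_tail(head, b);
    list_insert_tail(head, c);
}

/* Intact list: unlinking the middle entry passes the check; two entries remain. */
size_t demo_unlink_intact_entry(void) {
    list_entry head, a, b, c;
    build_list(&head, &a, &b, &c);
    return safe_unlink(&b) ? list_length(&head) : 0;
}

/* Corrupted entry: simulate an overrun that replaced b's links with pointers to
 * a 'victim' location (constructed here, not a real pool address). safe_unlink
 * must refuse and leave victim untouched; unsafe_unlink shows the old outcome,
 * where the neighbour stores land in victim. Returns 1 if both hold. */
int demo_unlink_corrupted_entry(void) {
    list_entry head, a, b, c, victim = { NULL, NULL };
    build_list(&head, &a, &b, &c);
    b.flink = &victim;
    b.blink = &victim;
    bool refused = !safe_unlink(&b);
    bool untouched = (victim.flink == NULL && victim.blink == NULL);
    unsafe_unlink(&b);
    bool written = (victim.flink == &victim && victim.blink == &victim);
    return (refused && untouched && written) ? 1 : 0;
}
```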

Posted May 28, 2009 by David Hale in Security News
By Robert Munro
Thursday, 28 May 2009, 11:29

CHINESE MEDIA have proudly reported that Hong Kong earned the highest email spam honour of any country or region in the world, in a report published by computing insecurity firm Symantec.

The latest Messagelabs Intelligence Report for May 2009 revealed that the volume of spam increased 5.1 per cent over the previous month to 90.4 per cent worldwide. Hong Kong email spam levels grew by 2.4 per cent in May to reach 92.3 per cent, according to the report. In comparison, spam levels were 86.6 per cent in the US and 90.3 per cent in the UK.

The report also said that some form of computer virus infected one in every 198.3 emails throughout China overall. Paul Wood of Symantec indicated that 2009 has seen CAPTCHA-breaking, social networking spam and webmail spam techniques combined. "Today, the bad guys are using the three together as a triple threat to heighten the effectiveness of their spamming," he said.

The majority of small businesses in China are not affected by spam however, because they are small market stalls that sell everything from food and clothing to knock-offs of western consumer goods and illegally-copied software and entertainment CDs and DVDs. The computers used in those multitudes of small Chinese businesses are impervious to email spam because they are abacuses, which of course are completely spam-proof.

Posted May 28, 2009 by David Hale in Security News
by Ryan Naraine
May 26th, 2009 @ 12:39 pm

A security researcher is warning that the Twitter API can be trivially abused by hackers to launch worm attacks. The red-hot social networking/microblogging service has been scrambling to plug cross-site scripting and other Web site vulnerabilities to thwart worm attacks but, as researcher Aviv Raff points out, it’s much easier to misuse the Twitter API as a “weak link” to send worms squirming through Twitter.

Raff, well-known for his research work on browser and Web application vulnerabilities, points out that a single vulnerability on any of the third-party services (Twitpic, etc.) that use the API can trigger the next Twitter worm. An example for this threat is a vulnerability I found a few weeks ago in Twitpic.com website. Twitpic imports the profile information from Twitter, and displays it on the Twitpic.com profile page.

While twitter.com (finally) sanitizes and encodes HTML tags in the Twitter profile information (name, URL, bio, etc.), Twitpic.com failed to do so and by that allowed injecting scripts to the twitpic user profile page. This is a very simple persistent XSS, which can be easily abused to hijack twitpic.com user accounts. However, because twitpic.com also uses the Twitter API to automatically send twits on behalf of the user, whenever the user uploads a picture or comments on another user’s picture, it can also be easily used to create a Twitter worm.

Raff created a demo attack that automatically comments on a random picture on Twitpic.com, whenever a user visits the twitpic.com profile of the user he created – “twitpicxss.” Anyone who visited that profile page while logged in to the Twitpic service would automatically send a tweet to Twitter with the content he (Raff) set in the comment.

Posted May 27, 2009 by David Hale in Security News
By Jacqui Cheng
May 27, 2009 2:33 PM CT

Botnets that send out spam seem to like workin' 9 to 5 and resting on Sundays, according to the latest report out of Symantec's MessageLabs. Spam levels are up this month, too, taking the total percentage of spam over the 90 percent mark. Hope you have a good junk filter!

Spam levels have risen over the past month to more than 90 percent of all corporate e-mail, according to Symantec’s May 2009 MessageLabs Intelligence Report (PDF). The latest report effectively communicates the concept of "spam, boy there sure is a lot of it," but goes into detail about the latest trends in spamming activity like botnet activity and the use of social networks.

In May, spam rose by 5.1 percent over April, with 57.6 percent of it coming from known botnets. One particular botnet called Donbot was named as the most active, and is responsible for 18.2 percent of all spam. Symantec wrote that much of the remainder (42.4 percent) of spam originated out of smaller or unclassified botnets. Despite the seemingly automated botnet activity, spammers are apparently most active during the US working day.

As Symantec noted in the report, this could be indicative that most active spammers are based in the US, or that they find the US workforce to be the best targets. "Spammers are finding this large target audience that’s online and more likely to respond as being very profitable for their nefarious activities," the company wrote. Spam levels also "drop significantly" on Sundays in all regions.

Posted May 26, 2009 by David Hale in Security News
By Robert McMillan
May 26, 2009 05:38 PM ET

Spammers seem to be working a little bit harder these days, according to Symantec, which reported Tuesday that unsolicited e-mail made up 90.4 percent of messages on corporate networks last month.

That represents a 5.1 percent increase over last month's numbers, but it's nothing out of the ordinary. For years, spam has made up somewhere between 80 percent and 95 percent of all e-mail on the Internet. Symantec reported that nearly 58 percent of spam is now coming from so-called botnets -- networks of hacked computers that can be misused by criminals to steal financial information, launch attacks or send spam.

The worst of the spamming botnets -- called Donbot -- generates 18.2 percent of all spam, according to Symantec. These botnet computers can be rented out on the black market by anybody, but in recent months some spammers have been moving away from botnets, experimenting with a new way to sneak their unwanted e-mail past corporate filters, according to Adam O'Donnell, a researcher with antispam vendor Cloudmark.

"Some of the larger ISPs are seeing a lot of non-bot-driven spam," O'Donnell said. With these campaigns, the spammer will rent legitimate network services, often in an Eastern European country such as Romania, and then blast a large amount of spam at a particular ISP's network. The idea is to push as many messages as possible onto the network before any kind of filtering software detects the incident.

Posted May 26, 2009 by David Hale in Security News
by Elinor Mills
May 22, 2009 4:00 AM PDT

What if you reached to grab a newspaper out of a news stand and you found a rock in your hand instead? How about opening the front door to a grocery store and ending up on a boat?

This sounds like a Matrix movie, but the virtual equivalent of this is real and poses one of the most serious new risks on the Internet, according to Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security. "Most exploits (like worms and attacks that take advantage of holes in software) can be patched, but clickjacking is a design flaw in the way the Web is supposed to work," Grossman said.

"The bad guy is superimposing an invisible button over something the user wants to click on...It can be any button on any Web page on any Web site." The technique was used in a series of prank attacks launched on Twitter in February. In that case, users clicked on links next to tweets that said "Don't Click" and then clicked on a button that said "Don't Click" on a separate Web page.

That second click distributed the original tweet to all of the Twitter user's followers, thus propagating itself rather quickly. At the time, Grossman called it a "harmless experiment," but the potential for harm by an attacker who isn't just having fun is huge. In a demo at CNET offices on Thursday, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it.

Posted May 22, 2009 by David Hale in Security News
by Steven Musil
May 21, 2009 7:55 PM PDT

The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement agencies Thursday, according to an Associated Press report.

A spokesperson for the U.S. Marshals Service confirmed that it had disconnected from Justice Department computers as a precaution after being hit with the virus, while an FBI spokesperson would only say that it was experiencing similar issues, according to the report. "We too are evaluating a network issue on our external, unclassified network that's affecting several government agencies," FBI spokesman Mike Kortan told the AP.

The virus' type and origin are unknown, but spokespeople for both agencies said the agencies' access to the Internet and e-mail was shut down while the issue was evaluated. Government regulations require agencies to report any security issues to the U.S. Computer Emergency Readiness Team (US-CERT), but a call to CERT late Thursday for comment was not immediately returned.

Posted May 21, 2009 by David Hale in Security News
By Robert McMillan
May 20, 2009 08:07 PM ET

The Conficker worm is still infecting systems at a brisk rate and continues to snag computers in Fortune 1000 companies, according to security researchers. The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest.

"Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post. Conficker began spreading late last year, taking advantage of a recently patched flaw in Microsoft's Windows operating system to infect entire networks and also using removable storage devices to hop from PC to PC.

Security experts say it has now infected millions of computers worldwide, which together form the world's biggest botnet. "We can see that companies that spend literally millions of dollars on equipment and gear to prevent infections … these Fortune companies have had this infection and it's stayed in their networks for a long period of time," said Rick Wesson, CEO of Support Intelligence and a member of the Conficker Working Group.

"It's really hard and really expensive, and if the Fortune companies can't stop it, how can you expect small businesses to do it?" The Working Group has set up so-called sinkhole servers that can communicate with infected machines. It has spotted infections within many Fortune 1000 companies, Wesson said. "Everybody got hit," he said. "Even Microsoft still has infections."