Posted July 23, 2008 by David Hale (view all posts) in Security News
By Robert McMillan
July 23, 2008

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon.

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. In a telephone interview, HD Moore, author of the Metasploit penetration testing software, agreed with Aitel that the attack code was not going to be difficult to write. The flaw, a variation on what's known as a cache poisoning attack, was announced on July 8 by IOActive researcher Dan Kaminsky, who planned to disclose full details of the bug during an Aug. 6 presentation at the Black Hat conference.

That plan was thwarted Monday, when someone at Matasano accidentally posted details of the flaw ahead of schedule. Matasano quickly removed the post and apologized for its mistake, but it was too late. Details of the flaw soon spread around the Internet. And that's bad news, according to Paul Vixie, president of the company that is the dominant maker of DNS software, the Internet Systems Consortium.
Posted July 23, 2008 by David Hale in Security News
By Joel Hruska
July 22, 2008 - 09:40PM CT

ICANN has unanimously approved a request by the Public Interest Registry (which handles .org domains) to become the first generic Top Level Domain (gTLD) to switch to the DNS security protocol DNSSEC.

As part of the agreement, PIR will trailblaze DNSSEC while simultaneously developing an education and adoption plan that can later be disseminated across the Internet's infrastructure. PIR's use of DNSSEC is a significant step forward, but a mixture of contentious political and technological issues has slowed the worldwide development and deployment process.

DNSSEC is intended to fix fundamental flaws in the original DNS protocol that leave it vulnerable to several different attack vectors, including cache poisoning. This is accomplished in part through the use of digital signatures over DNS data. A validating resolver checks that the records it receives were signed with the key published for the zone, rather than merely trusting that the answer appears to come from the appropriate address; the signatures effectively act as a password (the analogy is not exact).

The DNS flaws themselves aren't anything new—they were discovered back in 1990—but the solution to the problem has been no less than eleven years in the making, putting the length of its development cycle almost on par with Duke Nukem Forever. DNSSEC development lasted from January 1997 to the present day, or roughly 11 years and six months.
Posted July 22, 2008 by David Hale in Security News
July 22, 2008
By Robert McMillan

Convicted penny-stock spammer Eddie Davidson walked away from a federal minimum-security prison camp in Colorado on Sunday, the U.S. Department of Justice said Tuesday. Davidson, 35, had been serving 21 months in federal prison after pleading guilty to criminal spam charges in December.

He is now considered an escapee and is being pursued by U.S. marshals, with help from the Federal Bureau of Investigation, the U.S. Internal Revenue Service and local police. He earned millions of dollars between 2003 and 2006 by operating a spamming operation, called Power Promoters, out of his home. He would change the header information in his messages to make it appear as if they had come from legitimate companies such as AOL and then send them out to hundreds of thousands of addresses.

Davidson sent the messages on behalf of an unnamed Houston company, court filings state. He was asked to promote about 19 penny-stock companies, including one called Advanced Power Line Technologies in 2006 and 2007. He would earn fees based on the trading volume of the stocks he was promoting. The business was lucrative: The Houston company paid Davidson about $1.4 million for his services, court documents state.

Between 2003 and 2006, when his primary source of income was spam, bank account deposits into Davidson's account totaled about $3.5 million. Davidson, of Bennett, Colorado, had been incarcerated at the Florence Federal Correctional Complex, about 45 miles south of Colorado Springs.
Posted July 21, 2008 by David Hale in Security News
by Ryan Naraine
July 21st, 2008 @ 2:12 pm

[ UPDATE: Kaminsky has all but confirmed that, yes, the cat is out of the bag ] It looks very much like the nitty gritty of Dan Kaminsky’s super-secret — and heavily hyped — DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.

Clearly irked by a request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake published a reliable method to forge and poison DNS lookups. Flake, CEO and head of research at Sabre Security, said his speculation was driven by the need to discuss the vulnerability in public instead of a one-month embargo that culminates with Kaminsky's presentation at the upcoming Black Hat conference.

“In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves,” Flake argued, before posting the following hypothesis: Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory’s IP is 244.244.244.244. Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com … to ns.polya.com.

ns.polya.com doesn't have these requests cached, so it asks a root server "where can I find the .com NS?" It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc. Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is … long …
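The race described in the hypothesis above, as an added simulation that is not Flake's, Kaminsky's or any resolver's code. It keeps the names and addresses from the quoted text (ns.polya.com, ns.gmx.net, 244.244.244.244, www.ulamNNNNN.com) and models the two things a forged referral must match before a resolver believes it: the 16-bit transaction ID and the resolver's UDP source port. Three resolver configurations are compared: a fixed source port with no extra checks (pre-patch), a fixed port plus a bailiwick check that refuses glue for ns.gmx.net from a .com referral, and a randomized source port. The number of forgeries per lookup, the port range, the query cap and the RNG seeds are assumptions of the simulation, and the attacker is assumed to know the resolver's configuration but not its random values.

```python
"""Toy model of the 2008 DNS cache-poisoning race (added example, not Flake's or
Kaminsky's code).  Every lookup for a never-seen name is a fresh race; Mallory floods
the resolver with forged .com referrals whose glue says ns.gmx.net = 244.244.244.244."""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536    # ephemeral source-port range (assumption)
FIXED_PORT = 53                      # pre-patch: one predictable source port
VICTIM_NS = "ns.gmx.net"
MALLORY_IP = "244.244.244.244"


@dataclass
class Query:
    qname: str
    txid: int
    port: int


@dataclass
class Referral:
    """A referral for qname, allegedly from zone, naming ns_name with glue ns_ip."""
    txid: int
    port: int
    qname: str
    zone: str
    ns_name: str
    ns_ip: str


def in_bailiwick(name: str, zone: str) -> bool:
    """A .com server may only vouch for names that are under .com."""
    return name == zone or name.endswith("." + zone)


@dataclass
class Resolver:
    randomize_port: bool
    bailiwick_check: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)

    def send(self, qname: str) -> Query:
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        return Query(qname, self.rng.randrange(TXID_SPACE), port)

    def receive(self, q: Query, r: Referral) -> bool:
        """Cache the referral's glue only if it wins the race (and passes bailiwick)."""
        if (r.txid, r.port, r.qname) != (q.txid, q.port, q.qname):
            return False
        if self.bailiwick_check and not in_bailiwick(r.ns_name, r.zone):
            return False                      # .com cannot vouch for ns.gmx.net
        self.cache[r.ns_name] = r.ns_ip
        return True


def attacker_hits(q: Query, start: int, guesses: int, port_guess: int) -> bool:
    """Mallory sends `guesses` forgeries with consecutive TXIDs from `start`, all
    aimed at `port_guess`; this is the O(1) equivalent of checking each forgery."""
    return (q.txid - start) % TXID_SPACE < guesses and q.port == port_guess


def run_attack(resolver: Resolver, attacker_rng: random.Random,
               max_queries: int = 5000, guesses: int = 200):
    """Return the number of lookups Mallory needed, or None if she never won."""
    for i in range(1, max_queries + 1):
        q = resolver.send(f"www.ulam{i:05d}.com")      # uncached name: fresh race
        start = attacker_rng.randrange(TXID_SPACE)
        port_guess = (attacker_rng.randrange(PORT_LOW, PORT_HIGH)
                      if resolver.randomize_port else FIXED_PORT)
        if attacker_hits(q, start, guesses, port_guess):
            forged = Referral(q.txid, q.port, q.qname, "com", VICTIM_NS, MALLORY_IP)
            if resolver.receive(q, forged):
                return i
    return None


def demo(seed: int = 2008):
    """Run the three configurations; returns {label: (lookups_needed, cached glue)}."""
    results = {}
    for label, rp, bw in [("fixed port, no bailiwick", False, False),
                          ("fixed port, bailiwick check", False, True),
                          ("random port, no bailiwick", True, False)]:
        res = Resolver(rp, bw, random.Random(seed))
        n = run_attack(res, random.Random(seed + 1))
        results[label] = (n, res.cache.get(VICTIM_NS))
    return results


if __name__ == "__main__":
    for label, (n, glue) in demo().items():
        print(f"{label:28s} poisoned after {n} lookups; cache[{VICTIM_NS}] = {glue}")
```

With a fixed port and 200 forgeries per lookup the expected cost is roughly 65536/200 lookups, which is why the quoted hypothesis needs the stream of ulamNNNNN.com names; the bailiwick check stops the poisoning outright for this particular hypothesis because the glue is out of the .com zone, and source-port randomization multiplies the search space by the size of the port range.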

Posted July 21, 2008 by David Hale in Security News
by Robert Vamosi
July 21, 2008 11:38 AM PDT

For the last few months, I've been hearing some well-regarded security people tell me they are considering ditching their antivirus protection all together. They haven't done it, but these individuals feel the days of having a special application scan to remove malware on your desktop are numbered. Malware has changed, but the applications to ferret them out have not.

Antivirus programs, as we know them today, are based on 20-year-old technology of pattern matching. Pattern matching may have worked in the days of the Michelangelo virus and even as recently as Netsky, but methodically matching each and every file on a computer against a list of known malware is getting tedious, if not archaic. In 2007, Symantec detected more than 1 million viruses, with two-thirds created within the calendar year. Loading 1 million signatures, or even a percentage of that if generic signatures are used, is a pretty serious undertaking.

That's why vendors are talking to me about newer strategies for 2009 (and beyond). Among these is the exact opposite of signature file databases--something called whitelisting. If pattern matching is just another way of saying certain bad files have been blacklisted, whitelisting goes to the other extreme: it only allows certain trusted files to run on your machine.

That's more or less what Symantec CEO John Thompson called for at this year's RSA: "If the growth of malicious software continues to outpace the growth of legitimate software, techniques like whitelisting--where we identify and allow only the good stuff to come in--will become critical." He actually didn't say much more about whitelisting, yet everyone talks about this speech as though Thompson had provided clear guidance on the year of whitelisting.
Posted July 17, 2008 by David Hale in Security News
17 July 2008, 9:20 AM

IT'S EASY to check on a Google Gmail account to find out the actual name of the user, according to a five-step plan here, or a four-step routine here. That's assuming a user entered their real details in the first place. Google of course knows more about you than you probably do yourself. If you have a Gmail account, have it open and do a Google search in a separate window; Google will remember all about it. Close it all up and then open up YouTube. Chances are that whatever topic you searched for in Google will be proffered up on the video site, whether you want it or not. Blinking cheek.
Posted July 14, 2008 by David Hale in Security News
by Elinor Mills
July 14, 2008 4:12 PM PDT

Photobucket on Monday fixed a security hole that allowed people to view private photos of strangers. All that was needed was the user ID of someone with a private album on Photobucket and the file name of one photo in their album, said Byron Ng, a Vancouver, B.C.-based computer technician who exposes security flaws in social networks and other sites.

Many MySpace users use Photobucket to post material on their MySpace pages, he said in an e-mail, adding, "This is a way to find 'some' private Photobucket albums." MySpace and Photobucket are both owned by News Corp. Photobucket fixed the hole Monday afternoon after being contacted by CNET News in the morning. "Photobucket is aware of the issue and it has been resolved. A fix was rolled out this afternoon, less than 24 hours after the site was made aware of the issue," a Photobucket representative said in an e-mail.
Posted July 14, 2008 by David Hale in Security News
by Robin Harris
July 14th, 2008 @ 4:20 pm

FTP - file transfer protocol - is the most commonly used method for moving files around the Web. Now Steve Frank, a founder and developer for Mac software company Panic, has come out and recommended that people stop using FTP.

I wrote about this (see If hackers don’t get you, maybe Google will) after my other blog, StorageMojo, was hacked. I’m glad to see a vendor of FTP software - I use their fine product Transmit - jump on board with a strong recommendation. Why? Here are a couple of the best reasons he gives.

* Unless tunneled over a secure socket, FTP is 100% insecure. Your password, and the contents of all your files are sent in the clear, free to be examined or captured by any network hop between you and your server. . . .

* FTP is not friendly with firewalls. Because it constantly needs to establish new connections, this has led us to "passive mode" which might as well be black magic as far as most people are concerned. Briefly, passive mode means the client initiates data connections to the server, rather than the default where the server makes connections to the client (yes, really) …
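Both of Frank's points can be seen on the wire. The following is an added example (not Panic's or Transmit's code) that decodes the two pieces of "black magic" in the control channel: the 227 reply a server sends in passive mode, which hides the data port as two bytes (high*256 + low) the client must connect to, and the PORT command the client sends in active mode to tell the server where to connect back. It also pulls the login out of a control-channel capture to show that plain FTP hands the password to any hop on the path. The capture, hostnames, addresses and ports are constructed for the example; the EPSV (RFC 2428) reply is included because modern clients try it first.

```python
"""FTP control-channel helpers (added example, not Panic's or Transmit's code).
Demonstrates on a constructed capture that plain FTP sends credentials in the
clear, and decodes the passive (227/229) and active (PORT) data-channel encodings."""
import ipaddress
import re

# Constructed capture of a plain-FTP control connection, as any network hop sees it.
CAPTURE = """\
220 ftp.example.com FTP server ready
USER alice
331 Password required for alice
PASS hunter2
230 User alice logged in
PASV
227 Entering Passive Mode (192,168,1,10,195,80).
EPSV
229 Entering Extended Passive Mode (|||50001|)
RETR secret.txt
150 Opening BINARY mode data connection
226 Transfer complete
"""

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def cleartext_credentials(capture: str):
    """Return (user, password) exactly as they appear on the wire."""
    user = password = None
    for line in capture.splitlines():
        if line.startswith("USER "):
            user = line[5:].strip()
        elif line.startswith("PASS "):
            password = line[5:].strip()
    return user, password


def parse_pasv(reply: str):
    """Decode a 227 reply into (host, port); the port is sent as high*256 + low."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p_hi, p_lo = (int(x) for x in m.groups())
    host = str(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))   # rejects octets > 255
    port = p_hi * 256 + p_lo
    if not 0 < port < 65536:
        raise ValueError(f"bad port in PASV reply: {port}")
    return host, port


def parse_epsv(reply: str) -> int:
    """Decode a 229 (extended passive) reply; only the port is sent, the host is
    the one the control connection already talks to."""
    m = _EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError(f"bad port in EPSV reply: {port}")
    return port


def port_command(host: str, port: int) -> str:
    """Active mode: the client tells the server to connect back to host:port.
    That inbound connection is what client-side firewalls and NAT break."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def passive_endpoints(capture: str):
    """Every data connection the client had to open, taken from the capture."""
    endpoints = []
    for line in capture.splitlines():
        if line.startswith("227"):
            endpoints.append(parse_pasv(line))
        elif line.startswith("229"):
            endpoints.append(("<control-channel host>", parse_epsv(line)))
    return endpoints


if __name__ == "__main__":
    print("credentials on the wire:", cleartext_credentials(CAPTURE))
    print("data connections the client opened:", passive_endpoints(CAPTURE))
    print("active-mode request for 10.0.0.5:51210 ->", port_command("10.0.0.5", 51210))
```

The firewall problem follows directly from the two encodings: in active mode the server must reach a fresh port on the client, and in passive mode the client must reach a fresh, server-chosen port, so a firewall that does not parse the control channel cannot know which port to open. Tunneling the session (SFTP or FTP over TLS) fixes the cleartext password, but only SFTP also removes the second data connection.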
Posted July 10, 2008 by David Hale in Security News
By Robert McMillan
July 10, 2008

Hackers are a skeptical bunch, but that doesn't bother Dan Kaminsky, who got a lot of flak from his colleagues in the security research community after claiming to have discovered a critical bug in the Internet's infrastructure.

Kaminsky made headlines on Tuesday by talking about a major flaw in the DNS (Domain Name System), used to connect computers to each other on the Internet. In late March he grouped together 16 companies that make DNS software -- companies like Microsoft, Cisco and Sun Microsystems -- and talked them into fixing the problem and jointly releasing patches for it.

But some of Kaminsky's peers were unimpressed. That's because he violated one of the cardinal rules of disclosure: publicizing a flaw without providing the technical details to verify his finding. On Wednesday he took things a step further on his blog, asking hackers to avoid researching the problem until next month, when he plans to release more information about it at the Black Hat security conference.

The flaw appears to be a serious one that could be exploited in what's called a "cache poisoning attack." These attacks feed forged records into a DNS resolver's cache, using it to redirect victims to malicious Web sites without their knowledge. They have been recognized for years but can be hard to pull off. But Kaminsky claims to have found a very effective way of launching such an attack, thanks to a vulnerability in the design of the DNS protocol itself.
Posted July 09, 2008 by David Hale in Security News
by Dancho Danchev
July 8th, 2008 @ 5:03 pm

Right after the U.S. Independence Day fireworks, Storm Worm's latest campaign, launched a couple of hours ago, is back online, this time attempting to once again exploit client-side vulnerabilities by serving iran_occupation.exe and spreading false rumors of a U.S. invasion of Iran. The text reads:

“Just now US Army’s Delta Force and U.S. Air Force have invaded Iran. Approximately 20000 soldiers crossed the border into Iran and broke down the Iran’s Army resistance. The video made by US soldier was received today morning. Click on the video to see first minutes of the beginning of the World War III. God save us.”

Although you're highly advised to stay away from spam and phishing emails in general unless you know what you're doing, the latest Storm Worm domains used in the "Iran invasion campaign" should get priority for the time being:

statenewsworld . com
morenewsonline . com
dailydotnews . com
dotdailynews . com
newsworldnow . com
Posted July 09, 2008 by David Hale in Security News
By Nick Farrell
09 July 2008, 7:26 AM

PUNTERS who use the ZoneAlarm security package might not want to install MS update KB951748. According to several newsgroups, the first thing you will notice after running the update is that your internet connection dies, as KB951748 made changes to the networking files that ZoneAlarm doesn't like.

It then decides to block everything just to be safe. You can get around the problem by setting the Internet Zone Security permission slider from high to medium and that will give you your connection back but that is not really a good idea if you want high security. Sniffing around the forums we found similar advice although, apparently, the best bet is to reset the ZoneAlarm database.

No word has come from Microsoft or ZoneAlarm yet on the problem which appears to be caused by the update not liking the different file sizes and checksums. It might be a bad idea to install KB951748 until after either of the companies releases some more concrete information.
Posted July 09, 2008 by David Hale in Security News
by Nathan McFeters
July 8th, 2008 @ 8:40 pm

From Bill Sisk, security response communications manager for Microsoft:
Microsoft Security Advisory (953635)
Vulnerability in Microsoft Word Could Allow Remote Code Execution
Published: July 8, 2008

Microsoft is investigating new public reports of a possible vulnerability in Microsoft Office Word 2002 Service Pack 3. Our initial investigation indicates that customers who use all other supported versions of Microsoft Office Word, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, and Microsoft Office for Mac are not affected.

At this time, Microsoft is aware of limited, targeted attacks that attempt to use this vulnerability. While Microsoft Office Word 2000 does not appear vulnerable to this issue, Word 2000 may unexpectedly exit when opening a specially crafted .doc file that the attacker is using in an attempt to exploit the vulnerability.


Interesting, I’m wondering if this is a file format flaw. After Microsoft released their file format specs, one could expect this type of thing might come to light, BUT that doesn’t mean Microsoft releasing those specs was a bad thing. I think that in the future, if not right away, Microsoft will see a good number of flaws reported to them on these file format spec flaws, which is GOOD because that means the hackers aren’t sitting on the flaws.
Posted July 08, 2008 by David Hale in Security News
by Elinor Mills
July 8, 2008 11:03 AM PDT

Google on Tuesday said it is now using an e-mail authentication technology to keep phishers from luring Gmail users to fake eBay and PayPal Web pages in order to steal usernames and passwords. The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail.

It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains. Last October, Yahoo announced that it was protecting Yahoo Mail users with eBay and PayPal accounts from phishing attempts using the same technology.

The DomainKeys technology is covered by a patent assigned to Yahoo. The company released it under a dual-license scheme that allows the companies to use it royalty-free under the GNU General Public License (GPL 2.0), which enabled the Internet Engineering Task Force to approve it as a proposed Internet standard.
Posted July 08, 2008 by David Hale in Security News
by Nathan McFeters
July 7th, 2008 @ 11:08 pm

A few days ago I wrote a story about AVG’s LinkScanner causing a massive amount of additional traffic on the net in the name of protecting customers… yeah. Well, here’s a quote from the original article to give some background:

Apparently AVG is spamming the Internet with traffic that looks to be coming from Internet Explorer. AVG software pre-crawls search results to try to protect users, but uses a user agent that makes the software appear to be Internet Explorer. This pre-crawling is flooding websites with meaningless traffic (Slashdot claims it is up to 6% of their traffic, which given Slashdot’s load is CONSIDERABLE). More importantly, they’re apparently aware of this bad behavior and are changing their user agent to avoid filters.

From that story, I posted a poll that asked, “Do you think that AVG’s LinkScanner should be added to the badware list?” A respectable 1,065 people voted on this, and a resounding 77% of people believed that AVG’s LinkScanner should be added to the badware list.

Well, it would seem that we here at ZDNet and our loyal readers were not the only community out there banging the drum to call for action (but I'd like to think we played some part in the change), and AVG seems to be reversing their position on LinkScanner. Slashdot has a recent story that states that, "a website that is featured heavily in many Google Australia search results, Whirlpool (Australia's largest technology forum), has been particularly affected by AVG's LinkScanner."
Posted July 07, 2008 by David Hale in Security News
by Dancho Danchev
July 7th, 2008 @ 1:44 pm

In what appears to be either a common scenario of "when the security solution ends up the security problem itself", or a product launch basing its strategy on outlining the increasing number of critical vulnerabilities found in competing antivirus products, the IT/security consulting firm n.runs AG claims to have discovered approximately 800 vulnerabilities within antivirus products by exploiting a standard step of the malware scanning process known as "parsing":

"During the past few months, specialists from the n.runs AG, along with other security experts, have discovered approximately 800 vulnerabilities in anti-virus products. The conclusion: contrary to their actual function, the products open the door to attackers, enable them to penetrate company networks and infect them with destructive code. The positioning of anti-virus software in central areas of the company now poses an accordingly high security risk.

The tests performed by the consulting company and solutions developer n.runs have indicated that every virus scanner currently on the market immediately revealed up to several highly critical vulnerabilities. These then pave the way for Denial of Service (DoS) attacks and enable the infiltration of destructive code – past the security solution into the network. With that, anti-virus solutions actually allow the very thing they should instead prevent.”


In between the ongoing efforts put by malware authors to obfuscate their binaries, release as many as possible in the shortest time frame achievable, or ensure that they bypass the most popular personal firewalls before releasing them by applying quality assurance to their malware campaigns, can antivirus products be a security issue themselves? But of course, and the increasing number of vulnerabilities discovered is clearly indicating the increasing interest in proving the point in general.