RGN - Raiders Game Net

MS investigates public IE CSS XSS flaw

Mike_Nomad — Wed, 08 Sep 2010 11:22:52 GMT

Microsoft investigates public IE CSS XSS flaw; Twitter, Hotmail vulnerable

By Peter Bright | Last updated about 10 hours ago

Late last week, a security flaw in Internet Explorer 8 was publicly disclosed to the Full Disclosure mailing list. The flaw allows attackers to steal private information from online services such as web mail and Twitter, allowing attackers to, for example, delete e-mails or send tweets from their victims' accounts.

The post was made by Google employee Chris Evans. He stated that the reason for going public was to try to persuade Microsoft to fix the problem—the new flaw is a variant on an older attack, and the details of the flaw were made public in a paper authored by Carnegie Mellon students that Evans reviewed. While the other major browser vendors have made fixes to their browsers to prevent attack—Chrome 4.0.249.78, Safari 4.0.5, and most recently Firefox 3.6.7 and 3.5.11 all include protection against the flaw—Microsoft has thus far failed to update Internet Explorer to provide protection.

The attack compromises the same-origin policy. The same-origin policy is designed to prevent scripts from one domain from accessing data belonging to another domain. For example, a script from example.org should not be able to access cookies or page content from twitter.com. These attacks, where one site (controlled by the attacker) compromises the secret data of another site, are called cross-site scripting (XSS) attacks. There are many different ways that a site on one domain can embed content from another domain; images are commonly embedded in this way, as are Flash movies to deliver content from sites like YouTube.

This particular attack uses a different approach to embed: it uses cascading stylesheets (CSS), which are used to control the fonts, colors, and layout of HTML pages. CSS is particularly interesting for this style of attack because of the way in which it is interpreted by the browser. The CSS specification requires browsers to be extremely forgiving of improperly-formed CSS. In part, this is so that future versions of CSS can include new features without breaking page display in browsers that do not support those new features; in part, it's due to Postel's law—the concept that computer programs should be as generous as possible in their interpretation of data they are given.

This fault-tolerant handling of CSS files is what leads to the vulnerability. A malicious page can tell the browser to embed any other page and to try to treat that embedded page as if it were CSS. Most of the time, even with CSS's error-tolerant parsing, this won't achieve anything. HTML pages just look too different from CSS to be successfully parsed as CSS. However, if the embedded page is written in just the right way, it will look sufficiently like CSS to trick the browser into interpreting it as such.

For example, this (deliberately constructed) tweet looks just enough like CSS that, when used as a CSS file, the browser will interpret the page as if it were, in part, CSS. CSS lets you load stylesheets from anywhere

This is a problem, because although scripts on the malicious page cannot, in general, read information that has been embedded from other domains, they can programmatically access CSS rules, even if those CSS rules came from CSS files loaded from other domains—and even if those "CSS rules" came from files that were not really CSS at all.

This problem is in general mitigated by the CSS specification. Although it demands that browsers be liberal in their interpretation, there are limits: strings wrapped in double quote marks, for example, should not be able to contain new lines. The end of the line should cause the end of the string. Though this does not eliminate the problem, it does mean that it would require extremely bad luck for the issue to ever manifest itself as a real problem.

The exception, however, is Internet Explorer. Internet Explorer is even more lenient than the CSS specification says it should be. In particular, it will disregard line-breaks embedded in strings, and will instead attempt to parse everything as part of the string. CSS uses such strings for, among other things, font families and URLs. The example tweet, when interpreted as CSS, begins specifying the font family, but rather than including a font name, it just has a double quote mark. This starts a string, causing Internet Explorer to treat everything that follows as part of font's name.

This includes secret information. When signed in to Twitter, every page includes an "authenticity token." This is used to prevent arbitrary sites from making Twitter updates on someone's behalf without their knowledge—every tweet made via the Twitter website must include the correct authenticity token. That should be safe—it's a standard technique for preventing XSS attacks similar to this, and unlike other aspects of Twitter's security, is properly implemented—because the same-origin policy should prevent sites from stealing the authenticity token from Twitter pages.

{} body { font-family:" HTML> treated as if it were part of the font name> This is how Internet Explorer interprets the page as CSS. Everything before the tweet is ignored; everything after becomes part of the font name.

But using this CSS-based XSS attack, any malicious page that embeds this tweet as if it were CSS can read the authenticity token. With that knowledge, it can freely tweet using someone else's credentials. Similar techniques are used to secure web mail systems against XSS attacks, and the same CSS-based techniques can be used to defeat them, too. The paper describes using the method against IMDB, Yahoo! Mail, and Hotmail, and the Full Disclosure post demonstrates the attack against Twitter.

In addition to demonstrating the attack, the paper also describes ways in which it can be guarded against. At its heart, the problem is with how the CSS specification is written; if the specification required stricter handling of CSS files, it would not be possible to steal data in this way. The specification is well-intentioned, as the lenient parsing makes it easier to update CSS to incorporate new features, and sufficiently many sites depend on lenient handling that no browser can afford to be completely strict. An effective trade-off is to use lenient parsing for CSS loaded from the same domain, and stricter parsing—that gives up when an error is encountered, rather than trying to persevere until it comes across anything that looks like CSS—when loading CSS from other domains.

Four of the mainstream browsers—Opera, Safari, Chrome, and Firefox—have been updated to do precisely this. The exception is Internet Explorer 8; it uses lenient CSS parsing rules regardless of the domain used to access a CSS file. This is made especially unfortunate by Internet Explorer's uniquely vulnerable status—because the browser is even more lenient than it ought to be, it's far more vulnerable than the others. It's this combination of a lack of a patch and greater vulnerability that caused Chris Evans to report the flaw publicly.

The Internet Explorer 9 Platform Previews are also vulnerable to the same issue. Though the previews have made great strides in improving their standards compliance, all four previews show the same excessively lenient, nonstandard behavior as Internet Explorer 8. Older versions of the browser are also likely to be affected.

Microsoft has responded that it is investigating the flaw, but no patch is available yet; indeed, the tweet is the only response the company has made. Those curious can check out a simple proof of concept that will demonstrate the issue by posting to Twitter as the currently logged-in user.

This is not the first time that a Google employee has publicly disclosed a Microsoft security flaw; Tavis Ormandy received both criticism and support for his decision to make public a flaw back in June. This situation is a little different, however; this flaw is undoubtedly public, thanks to the Carnegie Mellon paper and the fixes made by other browsers. Evans believes that Microsoft may even have known about the problem as far back as 2008; if true, it makes the lack of response particularly embarrassing.

SOURCE

*********

Will the never-ending flow of BUGGY software from Microsoft ever abate?

MS investigates public IE CSS XSS flaw

Mike_Nomad — Wed, 08 Sep 2010 11:21:51 GMT

Microsoft investigates public IE CSS XSS flaw; Twitter, Hotmail vulnerable

By Peter Bright | Last updated about 10 hours ago

Late last week, a security flaw in Internet Explorer 8 was publicly disclosed to the Full Disclosure mailing list. The flaw allows attackers to steal private information from online services such as web mail and Twitter, allowing attackers to, for example, delete e-mails or send tweets from their victims' accounts.

The post was made by Google employee Chris Evans. He stated that the reason for going public was to try to persuade Microsoft to fix the problem�the new flaw is a variant on an older attack, and the details of the flaw were made public in a paper authored by Carnegie Mellon students that Evans reviewed. While the other major browser vendors have made fixes to their browsers to prevent attack�Chrome 4.0.249.78, Safari 4.0.5, and most recently Firefox 3.6.7 and 3.5.11 all include protection against the flaw�Microsoft has thus far failed to update Internet Explorer to provide protection.

The attack compromises the same-origin policy. The same-origin policy is designed to prevent scripts from one domain from accessing data belonging to another domain. For example, a script from example.org should not be able to access cookies or page content from twitter.com. These attacks, where one site (controlled by the attacker) compromises the secret data of another site, are called cross-site scripting (XSS) attacks. There are many different ways that a site on one domain can embed content from another domain; images are commonly embedded in this way, as are Flash movies to deliver content from sites like YouTube.

This particular attack uses a different approach to embed: it uses cascading stylesheets (CSS), which are used to control the fonts, colors, and layout of HTML pages. CSS is particularly interesting for this style of attack because of the way in which it is interpreted by the browser. The CSS specification requires browsers to be extremely forgiving of improperly-formed CSS. In part, this is so that future versions of CSS can include new features without breaking page display in browsers that do not support those new features; in part, it's due to Postel's law�the concept that computer programs should be as generous as possible in their interpretation of data they are given.

This fault-tolerant handling of CSS files is what leads to the vulnerability. A malicious page can tell the browser to embed any other page and to try to treat that embedded page as if it were CSS. Most of the time, even with CSS's error-tolerant parsing, this won't achieve anything. HTML pages just look too different from CSS to be successfully parsed as CSS. However, if the embedded page is written in just the right way, it will look sufficiently like CSS to trick the browser into interpreting it as such.

For example, this (deliberately constructed) tweet looks just enough like CSS that, when used as a CSS file, the browser will interpret the page as if it were, in part, CSS.
[code][code] CSS lets you load stylesheets from anywhere

This is a problem, because although scripts on the malicious page cannot, in general, read information that has been embedded from other domains, they can programmatically access CSS rules, even if those CSS rules came from CSS files loaded from other domains�and even if those "CSS rules" came from files that were not really CSS at all.

This problem is in general mitigated by the CSS specification. Although it demands that browsers be liberal in their interpretation, there are limits: strings wrapped in double quote marks, for example, should not be able to contain new lines. The end of the line should cause the end of the string. Though this does not eliminate the problem, it does mean that it would require extremely bad luck for the issue to ever manifest itself as a real problem.

The exception, however, is Internet Explorer. Internet Explorer is even more lenient than the CSS specification says it should be. In particular, it will disregard line-breaks embedded in strings, and will instead attempt to parse everything as part of the string. CSS uses such strings for, among other things, font families and URLs. The example tweet, when interpreted as CSS, begins specifying the font family, but rather than including a font name, it just has a double quote mark. This starts a string, causing Internet Explorer to treat everything that follows as part of font's name.

This includes secret information. When signed in to Twitter, every page includes an "authenticity token." This is used to prevent arbitrary sites from making Twitter updates on someone's behalf without their knowledge�every tweet made via the Twitter website must include the correct authenticity token. That should be safe�it's a standard technique for preventing XSS attacks similar to this, and unlike other aspects of Twitter's security, is properly implemented�because the same-origin policy should prevent sites from stealing the authenticity token from Twitter pages.

{} body { font-family:" HTML> treated as if it were part of the font name> This is how Internet Explorer interprets the page as CSS. Everything before the tweet is ignored; everything after becomes part of the font name.

But using this CSS-based XSS attack, any malicious page that embeds this tweet as if it were CSS can read the authenticity token. With that knowledge, it can freely tweet using someone else's credentials. Similar techniques are used to secure web mail systems against XSS attacks, and the same CSS-based techniques can be used to defeat them, too. The paper describes using the method against IMDB, Yahoo! Mail, and Hotmail, and the Full Disclosure post demonstrates the attack against Twitter.

In addition to demonstrating the attack, the paper also describes ways in which it can be guarded against. At its heart, the problem is with how the CSS specification is written; if the specification required stricter handling of CSS files, it would not be possible to steal data in this way. The specification is well-intentioned, as the lenient parsing makes it easier to update CSS to incorporate new features, and sufficiently many sites depend on lenient handling that no browser can afford to be completely strict. An effective trade-off is to use lenient parsing for CSS loaded from the same domain, and stricter parsing�that gives up when an error is encountered, rather than trying to persevere until it comes across anything that looks like CSS�when loading CSS from other domains.

Four of the mainstream browsers�Opera, Safari, Chrome, and Firefox�have been updated to do precisely this. The exception is Internet Explorer 8; it uses lenient CSS parsing rules regardless of the domain used to access a CSS file. This is made especially unfortunate by Internet Explorer's uniquely vulnerable status�because the browser is even more lenient than it ought to be, it's far more vulnerable than the others. It's this combination of a lack of a patch and greater vulnerability that caused Chris Evans to report the flaw publicly.

The Internet Explorer 9 Platform Previews are also vulnerable to the same issue. Though the previews have made great strides in improving their standards compliance, all four previews show the same excessively lenient, nonstandard behavior as Internet Explorer 8. Older versions of the browser are also likely to be affected.

Microsoft has responded that it is investigating the flaw, but no patch is available yet; indeed, the tweet is the only response the company has made. Those curious can check out a simple proof of concept that will demonstrate the issue by posting to Twitter as the currently logged-in user.

This is not the first time that a Google employee has publicly disclosed a Microsoft security flaw; Tavis Ormandy received both criticism and support for his decision to make public a flaw back in June. This situation is a little different, however; this flaw is undoubtedly public, thanks to the Carnegie Mellon paper and the fixes made by other browsers. Evans believes that Microsoft may even have known about the problem as far back as 2008; if true, it makes the lack of response particularly embarrassing.

SOURCE

*********

Will the never-ending flow of BUGGY software from Microsoft ever abate?

Server Event Schedule

Mike_Nomad — Tue, 07 Sep 2010 19:57:26 GMT

SERVER EVENT SCHEDULE

24 hr/7days

Monday: ................................ World at War/CoD5

Tuesday: ................................ RGN Vietnam Mod/WaW

Wednesday: .......................... Modern Warfare/ CoD4

Thursday: .............................. World at War/CoD5

Friday: ................................... Red Orchestra: OSTFront 41-45/ RO

Open House Weekends.... player's choice!

Suggestions? Comments?

Labor Day 2010

OneShot — Mon, 06 Sep 2010 12:17:28 GMT

To all our friends and visitors from the entire staff at RGN

Have a safe and enjoyable last Holiday of Summer

You earned it!

AT&T Claims are Misleading

Mike_Nomad — Fri, 03 Sep 2010 13:18:40 GMT

IETF: AT&T's Net neutrality claim is 'misleading'

by Declan McCullagh - September 2, 2010 3:53 PM PDT

The head of the Internet's leading standards body said Thursday that it is "misleading" for AT&T to claim that its push to charge customers for high-priority service is technically justified.

Internet Engineering Task Force chairman Russ Housley told CNET that AT&T's arguments to federal regulators, which cited networking standards to justify "paid prioritization" of network traffic, were invalid.

"AT&T in their letter (to the Federal Communications Commission) says the

IETF envisioned this," Housley said. "That's not my view."

This particular debate began earlier this week, when AT&T sent the FCC a letter (PDF) arguing that telecommunications providers need the ability to set different prices for different forms of Internet service. Paid prioritization, AT&T said, was a form of network management that was "fully contemplated by the IETF" more than a decade ago.

At 24 years old, the IETF is a highly respected organization of engineers and computer scientists that intentionally shies away from Washington politicking. That's partly because the group is international--half of its meetings are held outside North America--but also because IETF participants tend to admit that they have relatively little expertise in non-technical areas touching on law and economics.

AT&T did not immediately respond to a request for comment on Thursday. AT&T Vice President Hank Hultquist said in a blog post earlier in the day that he was inviting critics to a "public forum," and pointed to a letter from the New America Foundation that he said lent support to AT&T's views.

"We didn't foresee AT&T throwing our name into this discussion," the IETF's Housley said. He added: "This characterization of the IETF standard and the use of the term 'paid prioritization' by AT&T is misleading."

Everyone agrees that, in the late 1990s, the IETF revised its networking standards to allow network operators to assign up to 64 different traffic "classes," meaning priority levels. That concept of "differentiated services" is referred to today as DiffServ, which allows high-priority communications like videoconferencing to be labeled with a higher priority than bulk file-transfer protocols that aren't as sensitive to brief slowdowns.

A July 1999 IETF specification (RFC 2638) discusses paid prioritization by saying: "It is expected that premium traffic would be allocated a small percentage of the total network capacity, but that it would be priced much higher." Another specification (RFC 2475) published half a year earlier says that setting different priorities for packets will "accommodate heterogeneous application requirements and user expectations" and "permit differentiated pricing of Internet service." (An RFC is a policy document, often accepted as standards, published by the IETF.)

The disagreement arises from what happens if Video Site No. 1 and Video Site No. 2 both mark their streams as high priority. "If two sources of video are marking their stuff the same, then that's where the ugliness of this debate begins," Housley says. "The RFC doesn't talk about that...If they put the same tags, they'd expect the same service from the same provider."
Which is, by the way, more or less what liberal advocacy groups like Free Press have told the FCC. "DiffServ was not designed to be a tool to allow the network provider to drive application-level discrimination," Free Press Research Director Derek Turner said earlier this week.

Ever since a federal appeals court torpedoed the FCC's attempt to punish Comcast, pro-regulation groups have been lobbying agency Chairman Julius Genachowski for a new set of regulations, while a majority of members of the U.S. Congress has opposed the idea. Google and Verizon responded by announcing their own proposal, which includes a "presumption" that paid prioritization on wired networks is illegal.

On the broader question of Net neutrality, though, including what any laws or regulations should say, the IETF has not taken a formal position. The group discussed the topic at a meeting in Stockholm in July 2009 but did not reach a consensus leading to a public position statement.

Update Friday 12:30 a.m. PDT: I heard back from AT&T spokesman Michael Balmoris, who said: "Our letter highlighted recent Free Press filings at the FCC, which insisted that compensation arrangements were inconceivable under the IETF documentation for Differentiated Services (DiffServ). We simply quoted from the IETF documents, which state otherwise."

And there seems to be some disagreement about whether Russ Housley was speaking for the entire IETF. George Ou, policy director at the Digital Society think tank, sent me e-mail analyzing the RFCs and saying: "In the context of Housley essentially calling AT&T a liar, his comments are outrageously deceptive."

SOURCE

AT&T Wants to Charge MORE

Mike_Nomad — Wed, 01 Sep 2010 12:31:14 GMT

AT&T: Net rules must allow 'paid prioritization'

by Declan McCullagh - August 31, 2010 2:17 PM PDT

AT&T said Tuesday that any Net neutrality plan restricting its ability to engage in "paid prioritization" of network traffic would be harmful and contrary to the fundamental principles of the Internet.

Telecommunications providers need the ability to set different prices for different forms of Internet service, AT&T said, adding that it already has "hundreds" of customers who have paid extra for higher-priority services.

"Our view is that if the Federal Communications Commission is going to be making policy decisions on this front, it should base them on the facts, as opposed to dogma," an AT&T representative told CNET on Tuesday. In a blog post, AT&T vice president Hank Hultquist argued that the Internet Engineering Task Force's specifications specifically permit paid prioritization.

The flap over paid prioritization started a few weeks ago when Free Press, a pro-regulatory advocacy group, sent letters (No. 1 and No. 2) to the FCC dubbing the concept "discriminatory" and claiming it will "only benefit the few content giants that have deep enough pockets to pay for favorable treatment."

In a telephone interview on Tuesday, Free Press research director Derek Turner said that allowing paid prioritization would undercut the entire concept of Net neutrality, which had its previous legal foundation swept away earlier this year when a federal appeals court shot down the FCC's attempt to punish Comcast for temporarily throttling BitTorrent transfers.

Since that ruling, liberal interest groups have been lobbying FCC chairman Julius Genachowski for a new set of regulations, while a majority of members of the U.S. Congress has opposed the idea. Google and Verizon responded by announcing their own proposal, which includes a "presumption" that paid prioritization on wired networks is illegal.

"A ban on paid prioritization is the DNA of the open Internet," Turner said. He called AT&T's arguments a "straw man," saying that: "What AT&T is describing is a practice that we have no problem with, which is that an end user can buy a T1 and set priority flags, and AT&T respects those priority flags."

Prioritization 'expected'
But the designers of the protocols that make up the modern Internet had something a bit more ambitious in mind. In the late 1990s, the Internet Engineering Task Force revised those standards to allow network operators to assign up to 64 different traffic "classes," meaning priority levels.

Free Press "wants to force consumers to be charged higher rates to pay for the construction of more broadband infrastructure than would be needed if networks could be better managed," says Berin Szoka, a senior fellow at the Progress and Freedom Foundation, which has been critical of new broadband regulations.

A July 1999 IETF specification (RFC 2638) discusses paid prioritization by saying: "It is expected that premium traffic would be allocated a small percentage of the total network capacity, but that it would be priced much higher." Another specification (RFC 2475) published half a year earlier says that setting different priorities for packets will "accommodate heterogeneous application requirements and user expectations" and "permit differentiated pricing of Internet service."

Today that concept of "differentiated services" is referred to as DiffServ. It's part of quality-of-service technologies that companies like AT&T offer, usually to business customers, that rely on DiffServ packet headers to group different types of classes of service together. Real-time voice communication may be ranked the highest, followed by financial transactions, then e-mail, and finally bulk file-transfer protocols that aren't as sensitive to brief slowdowns.

It's true that DiffServ markings are typically used inside corporate networks to support applications like VoIP. But a video-conferencing site that has connectivity through AT&T could presumably use DiffServ to prioritize its packets over, say, online shopping and BitTorrent transfers--and keep that priority all the way to an AT&T home customer.

Which is precisely the argument that AT&T is making. In a strongly-worded letter (PDF) sent Monday to the FCC, AT&T says that the protocol specification "in no way limits the use of DiffServ to packets marked by 'end users,' as opposed to content providers or network operators."

"The (FCC) should view with healthy skepticism the opinions it receives on technical Internet matters from an advocacy group with no demonstrable expertise or operational experience in those matters," AT&T's letter says.

"Paid prioritization over Internet access is not, as Free Press maintains, some lurking future menace that would pervert the intent of the IETF. To the contrary, it was fully contemplated by the IETF."

Free Press' Turner disagrees. "DiffServ was not designed to be a tool to allow the network provider to drive application-level discrimination," he says. He says that his organization will send a letter to the FCC by Wednesday explaining its position.

SOURCE

Google testing voice calling in Gmail

Mike_Nomad — Wed, 25 Aug 2010 13:16:39 GMT

Google testing voice calling in Gmail

Google could soon launch a voice-calling feature within Google Chat
that resembles the user interface used in Google Voice. (Credit: CNET)

by Tom Krazit - August 24, 2010 5:06 PM PDT

Google could be ready to turn Gmail into a communications hub by adding the ability to make phone calls from the Google Chat interface.

CNET has learned that Google is testing a Web-based service within Gmail that will allow users to place phone calls from their in-boxes. It's launched from the Google Chat window on the lower left-hand side of a Gmail page and allows users to place and receive calls from within their contacts through a user interface that strongly resembles the one used in Google Voice.

Google has been edging in this direction for some time. Google Talk was released years ago as a VoIP (voice over Internet Protocol) desktop client, and it has also spent a lot of time and money evangelizing Google Voice, a service that transcribes voice mails and allows users to have one phone number that rings multiple phones.

The call history screen on Google's new
Web-based voice calling application.
(Credit: CNET)

But a Web-based VOIP client--which is what the new service appears to be--is another matter entirely. This is the likely culmination of Google's work to integrate Gizmo5's similar product, which it acquired late last year, into its arsenal. Hints that such a service was coming first surfaced in June on the Google Operating System blog, which is not affiliated with Google.

It's not clear if Google Voice will be changing, or whether this new service is a completely separate offering. The user interfaces appear the same--for example, the same icons are used to label missed calls or placed calls--but Google Voice is not a VoIP service. Users of the new chat/phone call service aren't required to have a Google Voice account, and calls placed to U.S. or Canadian numbers will be free, with discounts on international calls as compared to standard rates.

Skype is the obvious target of such an application, but there are lots of companies that make both desktop-based and Web-based VoIP clients.

"Google is always testing new features and products, but we have nothing specific to announce right now," a Google representative said.

SOURCE

MS warns about app security flaw

Mike_Nomad — Tue, 24 Aug 2010 10:58:25 GMT

Microsoft warns about application security flaw

by Ina Fried - August 23, 2010 4:07 PM PDT

Microsoft issued an advisory on Monday about a security issue that could leave many Windows applications vulnerable to attack.

The advisory deals with a type of attack mechanism known as DLL preloading, or binary planting. Although the attack mechanism is not new or entirely unique to Windows, Microsoft acknowledged that there appears to be a new remote-attack vector that could allow more systems to be attacked quickly.

Two researchers at the University of California at Davis published a paper earlier this year on how programs that were vulnerable could be automatically detected. In recent days, security expert and Metasploit creator HD Moore published more information about this issue and is adding the vulnerability to his Metasploit program.

Moore said he did so in an effort to both make customers aware and encourage vendors to patch their applications, and he noted that he opted not to publicly list all the affected programs, though he did release a tool that helps users uncover which of their software could be vulnerable.

"As a compromise between releasing the full list of affected products and not saying anything at all, I decided to push a generic exploit module to the Metasploit Framework and release an audit kit that can be used to identify affected applications on a particular system," Moore said in a blog post." The audit kit should make it easier for other folks to identify vulnerable applications and hopefully have them addressed by the vendor."

The existence of such proof-of-concept code makes it likely that an attack could appear in the wild soon, according to Joshua Talbot, a senior intelligence manager for Symantec security response. "Attackers then look at that and try to adapt it for their own uses," he said.

Last Thursday, security research firm Acros Security warned that iTunes was vulnerable to such an attack. However, Moore and others point out that the vulnerability appears to affect far more than just iTunes, with potentially dozens of Windows programs similarly open to attack.

In the past, such attacks have required a malicious library to be implanted onto a local system. However, new research shows how the malicious code could also be planted on a network share, potentially making it much easier to attack vulnerable systems.

In its advisory on Monday, Microsoft said it has also issued guidance to developers on how to avoid the vulnerability and that it is checking its own code to see if any Microsoft products are at risk.

"We are currently conducting a thorough investigation into how this new vector may affect Microsoft products," Microsoft said in a blog post.

Microsoft said it has also released a software tool that "allows system administrators to mitigate the risk of the vulnerability in question by altering the library-loading behavior for the operating system or for specific applications."

Attacks using such libraries have been growing, as Windows and other operating systems have become more hardened to attacks that exploit memory corruption flaws, Talbot said.

Talbot recommended that users look at a mitigation suggested by Microsoft that involves changing a registry key setting so that libraries cannot be loaded over a network. Talbot also suggested that users take other steps, such as being cautious when clicking links or visiting unknown sites and also to make sure that their antivirus software is up-to-date.

Current antivirus software won't necessarily stop a vulnerability from being exploited, Talbot said, but the software can sometimes detect the payloads that an attacker might try to install on a vulnerable system.

SOURCE

Scorpion German Thread Temp Moved...

Mr.Ray — Sun, 22 Aug 2010 19:45:00 GMT

Scorpion,

I have temporarily moved your post to our staff section so that we have the opportunity to get the translation exact. I do know what it is basically about but I want the exact translation.

From what I did understand of it you are perfectly free to play where you like and to have whatever mod on your server that makes you happy. We also have the right to admin our servers as we see fit so as to make everyone as happy as we possibly can.

Broadband Speeds are Bogus

Mike_Nomad — Wed, 18 Aug 2010 10:05:00 GMT

Your fears confirmed: "up to" Broadband Speeds are Bogus

By Nate Anderson

Broadband providers in the US have long hawked their wares in "up to" terms. You know�"up to" 10Mbps, where "up to" sits like a tiny pebble beside the huge font size of the raw number.

In reality, no one gets these speeds. That's not news to the techno-literate, of course, but a new Federal Communications Commission report (PDF) shines a probing flashlight on the issue and makes a sharp conclusion: broadband users get, on average, a mere 50 percent of that "up to" speed they had hoped to achieve.

After crunching the data, FCC wonks have concluded that ISPs advertised an average (mean) "up to" download speed of 6.7Mbps in 2009. That's not what broadband users got, though.

"However, FCC analysis shows that the median actual speed consumers experienced in the first half of 2009 was roughly 3 Mbps, while the average (mean) actual speed was approximately 4 Mbps," says the report. "Therefore actual download speeds experienced by US consumers appear to lag advertised speeds by roughly 50 percent."

The agency used metrics data from Akamai and comScore to make this determination, though a more accurate direct measurement is currently taking place under FCC auspices. The more accurate measurement will put small boxes in people's homes for weeks at a time, recording actual line speeds in thousands of US homes at all times of the day and night. But, until that data set is complete, Internet traffic data from Akamai and comScore will have to suffice.

SOURCE

Facebook dislike a Scam

Mike_Nomad — Tue, 17 Aug 2010 11:32:48 GMT

Sophos flags Facebook "dislike button" Scam

by Caroline McCarthy - August 16, 2010

Security firm Sophos has highlighted yet another scam that's zipping around Facebook in the form of a third-party application, this one spreading in the form of links claiming to be from friends that encourage members to install a Facebook "dislike button."

Sophos wrote about the scam in a blog post Monday, pointing out that a link to it tends to appear in wall posts that appear to be from the user's friends ("I just got the Dislike button, so now I can dislike all of your dumb posts lol!!") but which are actually automated messages from friends who have already been duped. The scam's purpose is to force users to complete a survey contained in the application, a bit of trickery that has already been known to be perpetuated through scam links like "Justin Bieber trying to flirt" and "Anaconda coughs up a hippo," the two of which presumably would be enticing to rather different demographics of Facebook users.

As Facebook's surging membership numbers have blazed past 500 million around the world, its channels of fast social connection and messaging have become a prime target for scammers and viruses. This one's particularly nasty because a "dislike button," offering some kind of counterpoint to Facebook's own "like" button, is something that many members have been clamoring for.

Beyond tricking a user into completing a survey, and hence gaining access to your profile and the ability to spam your friends, there doesn't appear to be much about the scam that's dangerous. Eventually, after the user completes the survey, it does redirect to FaceMod, the maker of a Facebook-based "dislike" button that takes the form of a Firefox browser plug-in. Sophos points out that the scam does not appear to have any direct connection to FaceMod.

"If you really want to try out FaceMod's add-on (and note - we're not endorsing it, and haven't verified if it works or not), get it direct from the Firefox Add-ons Web page, not by giving a rogue application permission to access your Facebook profile," the Sophos post by analyst Graham Cluley read.

SOURCE

VJ Day Victory over Japan

Mike_Nomad — Sun, 15 Aug 2010 12:10:42 GMT

Surrender of Japan, Tokyo Bay, 2 September 1945

Japanese representatives on board USS Missouri (BB-63) during the surrender ceremonies, 2 September 1945.

Standing in front are:

Foreign Minister Mamoru Shigemitsu (wearing top hat) and General Yoshijiro Umezu, Chief of the Army General Staff.
Behind them are three representatives each of the Foreign Ministry, the Army and the Navy. They include, in middle row, left to right:
Major General Yatsuji Nagai, Army;
Katsuo Okazaki, Foreign Ministry;
Rear Admiral Tadatoshi Tomioka, Navy;
Toshikazu Kase, Foreign Ministry, and
Lieutenant General Suichi Miyakazi, Army.
In the the back row, left to right (not all are visible):
Rear Admiral Ichiro Yokoyama, Navy;
Saburo Ota, Foreign Ministry;
Captain Katsuo Shiba, Navy, and
Colonel Kaziyi Sugita, Army.

(Identities those in second and third rows are from an annotated photograph in Naval Historical Center files.)

Dec 7, 1941 - For many veterans and their families, memories of VJ Day aren't as sharp as those of Dec. 7, 1941. Then again, there was a question at the time as to when VJ Day actually occurred. VJ Day, or Victory in Japan Day, marked the day the Japanese surrendered to the Allies ...

Never Forget Pearl Harbor and especially The Bataan Death March.

On the Bataan Death March, approximately 54,000 of the 75,000 prisoners reached their destination - Camp O'Donnell.

Stuxnet could hijack power plants, refineries

Mike_Nomad — Fri, 13 Aug 2010 11:31:33 GMT

Stuxnet could hijack power plants, refineries

by Elinor Mills - August 13, 2010 4:00 AM PDT

A worm that targets critical infrastructure companies doesn't just steal data, it leaves a back door that could be used to remotely and secretly control plant operations, a Symantec researcher said on Thursday.

The Stuxnet worm infected industrial control system companies around the world, particularly in Iran and India but also companies in the U.S. energy industry, Liam O'Murchu, manager of operations for Symantec Security Response, told CNET. He declined to say how may companies may have been infected or to identify any of them.

"This is quite a serious development in the threat landscape," he said. "It's essentially giving an attacker control of the physical system in an industrial control environment."

The malware, which made headlines in July, is written to steal code and design projects from databases inside systems found to be running Siemens Simatic WinCC software used to control systems such as industrial manufacturing and utilities. The Stuxnet software also has been found to upload its own encrypted code to the Programmable Logic Controllers (PLCs) that control the automation of industrial processes and which are accessed by Windows PCs. It's unclear at this point what the code does, O'Murchu said.

An attacker could use the back door to remotely do any number of things on the computer, like download files, execute processes, and delete files, but an attacker could also conceivably interfere with critical operations of a plant to do things like close valves and shut off output systems, according to O'Murchu.

"For example, at an energy production plant, the attacker would be able to download the plans for how the physical machinery in the plant is operated and analyze them to see how they want to change how the plant operates, and then they could inject their own code into the machinery to change how it works," he said.

The Stuxnet worm propagates by exploiting a hole in all versions of Windows in the code that processes shortcut files ending in ".lnk." It infects machines via USB drives but can also be embedded in a Web site, remote network share, or Microsoft Word document, Microsoft said.

Microsoft issued an emergency patch for the Windows Shortcut hole last week, but just installing the patch is not enough to protect systems running the Siemens program because the malware is capable of hiding code in the system that could allow a remote attacker to interfere with plant operations without anyone at the company knowing, according to O'Murchu.

"There may be additional functionality introduced into how a pipeline or energy plant works that the company may or may not be aware of," he said. "So, they need to go back and audit their code to make sure the plant is working the way they had intended, which is not a simple task."

Symantec researchers know what the malware is capable of but not what it does exactly because they are not done analyzing the code. For instance, "we know it checks the data and depending on the date it will take different actions, but we don't know what the actions are yet," O'Murchu said.

This new information about the threat prompted Joe Weiss, an expert in industrial control security, to send an e-mail on Wednesday to dozens of members of Congress and U.S. government officials asking them to give the Federal Energy Regulatory Commission (FERC) emergency powers to require that utilities and others involved in providing critical infrastructure take extra precautions to secure their systems. The emergency action is needed because PLCs are outside the normal scope of the North American Electric Reliability Corp.'s Critical Infrastructure Protection standards, he said.

"The Grid Security Act provides emergency powers to FERC in emergency situations. We have one now," he wrote. "This is essentially a weaponized hardware Trojan" affecting PLCs used inside power plants, off-shore oil rigs (including Deepwater Horizon), the U.S. Navy's facilities on ships and in shore and centrifuges in Iran, he wrote.

"We don't know what a control system cyberattack would look like, but this could be it," he said in an interview.

The situation indicates a problem not just with one worm, but major security issues across the industry, he added. People fail to realize you can't just apply security solutions used in the information technology world to protect data to the industrial control world, he said. For example, Department of Energy intrusion detection testing didn't and would not have found this particular threat and anti-virus didn't and wouldn't protect against it, Weiss said.

"Antivirus provides a false sense of security because they buried this stuff in the firmware," he said.

Last week, a Department of Energy report concluded that the U.S. is leaving its energy infrastructure open to cyberattacks by not performing basic security measures, such as regular patching and secure coding practices. Researchers worry about security problems in smart meters being deployed in homes around the world, while problems with the electrical grid in general have been discussed for decades. One researchers at the Defcon hacker conference in late July described security problems in the industry as a "ticking time bomb."

Asked to comment on Weiss' action, O'Murchu said it was a good move. "I do think this is a very serious threat," he said. "I don't think the appropriate people have realized yet the seriousness of the threat."

Symantec has been getting information about computers infected by the worm, which appears to date back at least to June 2009, by observing connections the victim computers have made to the Stuxnet command-and-control server.

"We're trying to contact infected companies and inform them and working with authorities," O'Murchu said. "We're not able to tell remotely if (any foreign attack) code was injected or not. We can just tell that a certain company was infected and certain computers within that company had the Siemens software installed."

O'Murchu speculated that a large company interested in industrial espionage or someone working on behalf of a nation-state could be behind the attack because of its complexity, including the high cost of acquiring a zero-day exploit for an unpatched Windows hole, the programming skills and knowledge of industrial control systems that would be necessary and the fact that the attacker tricks victim computers into accepting the malware by using counterfeit digital signatures.

"There is a lot of code in the threat. It's a large project," he said. "Who would be motivated to create a threat like this? You can draw your own conclusions based on the countries targeted. There is no evidence to indicate who exactly could be behind it."

SOURCE

Zeus Trojan steals $1 mln from U.K. banks

Mike_Nomad — Wed, 11 Aug 2010 09:47:15 GMT

Zeus Trojan steals $1 million from U.K. bank accounts

by Elinor Mills - August 10, 2010 2:54 PM PDT

This illustration shows the different moving parts to the online scam.
(Credit: M86 Security)

Consumers and businesses in Great Britain have lost more than $1 million so far this summer from a Trojan that is infecting their computers, prompting them to log into their bank accounts, and then is surreptitiously transferring money to scammers in other countries, security researchers said on Tuesday.

About 3,000 bank accounts were found to be compromised at one financial institution, which was not identified, according to a white paper released by M86 Security.

The multilevel scheme uses a combination of a new version of the Zeus keylogger and password stealer Trojan, which targets Windows-based computers and runs on major browsers, and exploit toolkits to get around anti-fraud systems used at bank Web sites, the report found.

Bank sites that offer two-factor authentication, such as one-time passcodes and ID tokens, are ineffective because the malware has taken over the browser after the victim has logged into the banking site, Bradley Anstis, vice president of technology strategy at M86 Security, told CNET.

"This latest iteration of Zeus is dedicated to online banking," and is bringing malware to a new level of technical sophistication, Anstis said. The Trojan uses encrypted communications between the infected computers and the command-and-control servers and performs illegal online banking transactions," he said. M86 Security is working with law enforcement.

It appears to works similarly to the URLZone bank Trojan reported by Finjan a year ago that targeted German bank customers.

Here's how the latest online scam works.

A computer user is compromised by either visiting a legitimate Web site that is secretly hosting the malware, or a site designed to host the malware, or a legitimate site hosting the malware in an advertisement. The primary attack came through malicious advertisements, including ads delivered by Yahoo's Yieldmanager.com, the report said.

The malware redirects a Web surfer to an exploit kit, either the Eleonore Exploit Toolkit or the Phoenix Exploit Toolkit, that then exploits a vulnerability on the surfer's computer and drops the Trojan on the machine. The Eleonore Exploit Toolkit includes exploits for vulnerabilities in Adobe Reader, Java, and Internet Explorer, among others.

"The initial infection where the exploit kit compromised the victim's machine used a number of vulnerabilities that we list in the paper, one of those was an IE vulnerability that affected IE v6 & v7," Anstis said. "However that was only one of the six or so vulnerabilities that could have been used for this initial infection. The exploit kit tests the victim machine for each one in order to get a successful infection."

While more than 280,000 compromised computers were running some variant of Windows, there were about 3,000 Macs running the exploit kit that were part of the botnet, along with about 300 PlayStations and seven machines running Nintendo Wii, the report found.

The Trojan contacts a command-and-control server located in Eastern Europe to get instructions that sit on the victim's computer, waiting for the opportunity to act.

When the user accesses his or her bank Web site, the Trojan transfers the log-in ID, date of birth, and a security number to the command-and-control server. Once the user accesses the transactional section of the bank Web site, the Trojan receives new JavaScript code from the outside server to replace the original bank JavaScript used for the transaction form.

When the user interacts with the transaction form for legitimate business, the Trojan works behind the scenes to manipulate the transaction. First it checks the account balance and if it is over a certain amount it will determine how much to steal within a limit so as not to trigger automatic fraud detection alarms.

The money is transferred to bank accounts of so-called "money mules," typically innocent people recruited to use their own bank accounts to funnel money through. From there, the money is transferred to accounts in other countries that are controlled by the scammers.

Anstis declined to identify the bank whose customers were targeted. "Interestingly, this company did offer free security software," he said. Either "the owners of the compromised accounts didn't take them up (on the offer) or the software wasn't effective."

SOURCE