iPhone hacker 'Comex' let go from work with Apple

Comex said he forgot to reply to an email from the company, but revealed few other details

The famed iPhone hacker "Comex," who engineered ways to hack Apple's mobile operating system, is no longer doing work for the company, according to Twitter postings.

"So...no point in delaying. As of last week, after about a year, I'm no longer associated with Apple," wrote Comex, who has more than 196,000 followers.

He wrote the reason is that he failed to respond to an email from the company. It's rare but not unprecedented for someone who has a hacked a company's software to end up working there. Comex couldn't be immediately reached for comment.

Later on Thursday he tweeted: "Now I feel like a big damn drama queen."

Comex is widely respected in the iPhone hacker realm for his work with the JailbreakMe applications, which exploited Apple's software to allow the installation of programs not vetted by the company in its App Store, a modification known as "jailbreaking." Apple doesn't like the practice, although it is legal in the U.S. under an exception to the Digital Millennium Copyright Act.

In July 2011, Comex and his team released JailbreakMe 3.0, which used a pair of vulnerabilities to install unauthorized software on iOS versions 4.3.3 and prior. It worked with the first and second versions of the iPad and the iPhone.

Comex also delivered in July 2010 with JailbreakMe 2.0, which also used two vulnerabilities to exploit iOS. Apple patched the problems shortly after JailbreakMe 2.0 was released.

Elite iOS hackers are still at work to develop a jailbreak for iOS 6, Apple's latest version which was released last month. A "tethered" jailbreak exists, but an iOS 6 device must be connected to a computer when the attack occurs.

The more graceful way is to engineer an untethered jailbreak. iPhone hackerssaid at the Hack in the Box security conference last week that Apple has improved the security of iOS making it more difficult, but not impossible, to eventually perform an untethered jailbreak.

Source: computerworld.com

Read More

Hacker to use cloud for brute force WiFi crack

WPA-PSK not powerful enough in a cloud world.

A security researcher claims to have figured out a quick and inexpensive way to break a commonly used form of password protection for wireless networks using powerful computers that anybody can lease from Amazon.com over the Web.

Thomas Roth, a computer security consultant based in Cologne, Germany, says he can hack into protected networks using specialised software that he has written that runs on Amazon's cloud-based computers. It tests 400,000 potential passwords per second using Amazon's high-speed computers.
That leaves businesses as well as home networks prone to attack if they use relatively simple passwords to secure their networks.

Amazon leases time on computers to developers and companies that don't have the money to buy their own equipment, or don't use it frequently enough to justify doing so. Customers include individual programmers and corporate users.

A spokesman for Amazon said that Roth's research would only violate his company's policies if he were to use Amazon Web Services (AWS) and its Elastic Compute Cloud (EC2) computing service to break into a network without permission of its owner.

"Nothing in this researcher's work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved," said Amazon spokesman Drew Herdener.

"Testing is an excellent use of AWS, however, it is a violation of our acceptable use policy to use our services to compromise the security of a network without authorisation."

Roth will distribute his software to the public and teach people how to use it later this month at the Black Hat hacking conference in Washington, D.C.

He said he is publicising his research in a bid to convince skeptical network administrators that a commonly used method for scrambling data that travels across WiFi network passwords is not strong enough to keep crafty intruders from breaking in to networks.

That encryption method, dubbed WPA-PSK, scrambles data using a single password. If a potential intruder is able to figure out the password, he or she can gain access to computers and other devices on the network.

Roth said that the networks can be broken into if hackers use enough computer power to "brute force" their way into figuring out the passwords that protect networks.

Those passwords were difficult for the average hacker to break until Amazon.com recently started leasing time on powerful computers at relatively inexpensive rates: It takes the processing capability of multiple computers to perform mathematical calculations needed to break the passwords.

The online retailer charges users 28 cents a minute to use machines that Roth used in his attack. It would cost at least tens of thousands of dollars to purchase and maintain that equipment.

Roth said that he used his software and Amazon's cloud-based computers to break into a WPA-PSK protected network in his neighborhood. It took about 20 minutes of processing time. He has since updated his software to speed its performance and believes he could hack into the same network in about 6 minutes.

"Once you are in, you can do everything you can do if you are connected to the network," he said.

Roth said he was not publicising his discovery to encourage crime, but to change a misconception among network administrators:

"People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so," he said. "But it is easy to brute force them."

Read More

1.5 million stolen Facebook IDs up for sale

A hacker named Kirllos is offering to sell the accounts in an underground forum for 2.5 cents per account
A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.
Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.

IDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. His asking price varies from $25 to $45 per 1,000 accounts, depending on the number of contacts each user has.
To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard.

Hackers have been selling stolen social-networking credentials for a while -- VeriSign has seen a brisk trade in names and passwords for Russia's VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.

Facebook has more than 400 million users worldwide, many of whom fall victim to scams each day. In one such scam, criminals send out messages from a compromised account, telling friends that the account's owner is trapped in a foreign country and needs money to get home.

In another, they send Web links that lead to malicious software, telling friends that it's a hilarious or sensationalistic video.

"People will follow it because they believe it was a friend that told them to go to this link," said Randy Abrams, director of technical education with security vendor Eset. Once the malware gets installed, criminals can steal more passwords, break into bank accounts, or simply use the computers to send spam or launch distributed denial of service attacks. "There's just a plethora of things that people can do if they can trick people into installing their software," he said.

Kirllos' Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account -- Kirllos wants as little as $0.025 per Facebook account. More coveted credit card or bank account details can go for much more, ranging between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online bank accounts.

Read More

More than 100 companies targeted by Google hackers

Two months after hack, security firm says another 68 command-and-control servers have been identified

IDG News Service — The hackers who broke into Google two months ago have gone after more than 100 companies, according to an estimate by security vendor Isec Partners.

Researchers have been closing in on the unidentified criminals responsible for the attack over the past month. In the process, they have uncovered another 68 so-called command-and-control servers, used to control the hacked machines.

Investigators had already identified 34 hacked companies after examining the single command-and-control server used in the Google attack, and the discovery of another 68 servers could mean that many more companies were compromised than previously thought. "It's easily over 100 companies," said Alex Stamos a partner with Isec Partners.

In the weeks since Google went public with details of the hack, informal discussion lists have sprung up, including security experts and staffers from companies that have been compromised. In those discussions, "that list of control machines keeps getting longer and longer," Stamos said.

The code used in the attacks, known in security circles as Aurora, has been in use for at least 18 months, Stamos said. But the security industry was unaware of Aurora until Google discovered the intrusion last December. That allowed hackers to get onto corporate networks undetected.

Other technology companies, including Intel, Adobe, and Symantec, have also been hit by the attack, which investigators have traced back to China.

To break into victim companies, the hackers sent carefully targeted e-mail or instant messages to victims, hoping to trick them into visiting Web pages or opening malicious documents that would then attack their computers.

The worst part of the attack is what happens once the initial victim has been compromised. The hackers then use a variety of techniques to acquire additional usernames and passwords and fan out across the targeted company's network, downloading sensitive data, which is then moved offshore.

This type of targeted attack is not new, but it is dangerous because it is so good at circumventing traditional security measures, said Rob Lee, a computer forensics instructor with the SANS Institute. "We've been dealing with [these attacks] for five years," he said. "They're basically going around all the security appliances via email."

Not all of these attacks have been linked to Aurora, but Lee said that "there have been hundreds of companies infiltrated."

Stamos agreed that traditional security products such as antivirus and intrusion detection systems are not enough to stop the attack. "The interesting thing to me about these attackers is they're very patient," he said. "They'll spend a lot of time writing custom malware to get around people's antivirus."

"They'll use a social network to learn about one person in the company, and then will send emails or chats messages as that person's friend," he added.

Read More

Hackers attack IE7 flaw

Less than a week after the last round of Microsoft Internet Explorer patches, security experts are already warning that exploit code is in circulation.

The particular flaw, MS09-002, is being exploited using a specially crafted Word document which is emailed to users. Once opened it installs malware onto the target system, including a Trojan to allow the malware to update itself.

"Several anti-virus vendors reported MS09-002 exploits in the wild. We can confirm that the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working on an unpatched Windows XP machine," said Bojan Zdrnja of the Sans Internet Storm Center.

"Initially there was some confusion about this attack as most anti-virus vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document.

"That being said there is absolutely nothing preventing attackers from using the exploit in a drive-by attack and we can, unfortunately, expect that this will happen very soon."

The first malware to try and exploit the flaw looks to have been reverse-engineered rather than being in existence before the patch was announced, experts said. The malware collects information from infected computers, encrypts it and sends it to a server in China.

The short turnaround time from patch to malware will leave IT administrators racing to update corporate servers in time, and they are advised to warn users about potential threats.

Read More

Hackers clone passports in drive-by RFID heist

A British hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco.

Chris Paget, director of research and development at Seattle-based IOActive, used a US$250 Motorola RFID reader and an antenna mounted in a car’s side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration.

During the demonstration he picked up the details of two US passport cards, which are fitted with RFID chips and can be used instead of traditional passports for travel to Canada, Mexico and the Caribbean.

“I personally believe that RFID is very unsuitable for tagging people,” he said.

“I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped.”

Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a ‘kill code’ (which can wipe the card’s data) and a ‘lock code’ that prevents the tag’s data being changed.

However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.

The ease with which the passport cards were picked up is even more worrying considering that less than a million have been issued to date.

Paget is a renowned ‘white hat’ ethical hacker and has made the study of the security failings of RFID something of a speciality.

In 2007 he was due to present a paper on the security failings of RFID at the Black Hat security conference in Washington but was forced to abandon the plans after an RFID company threatened him with legal action.

He points out that RFID tags are increasingly being used in physical security systems such as building access cards and the technology needs significant security adding before it could be considered safe for commercial use.

Copyright © 2009 vnunet.com

Read More

Second mass hack exposed

Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack..

Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages.

Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack.


Rather than attempt to exploit browser vulnerabilities, the attack attempts to trick a user into manually launching its malicious payload.

"This contrasts [Thursday’s] attack in that the vast majority of those were active server pages (.ASP)," explained McAfee researcher Craig Schmugar on a company blog posting.

"The ASP attacks are different than the phpBB ones in that the payload and method are quite different. Various exploits are used in the ASP attacks, where the phpBB ones rely on social engineering."

The infected pages bring up what appears to be a pornographic web site. Upon loading the page, a 'fake codec' social engineering attack is attempted. The user is told that in order to view the movie on the page, a special video codec must be installed.

The user then downloads a trojan program which installs a malware package on the users system then delivers a fraudulent error message telling the user that the supposed codec could not be installed.

Copyright © 2008 vnunet.com

Read More

British UFO hacker's extradition case to be reviewed

IDG News Service —

A British hacker who sought to find evidence of UFOs on U.S. military computers has another chance at avoiding extradition after a court ruling Friday.

The High Court in London ruled that Gary McKinnon can have his case reviewed by the director of public prosecutions for England and Wales, Keir Starmer, according to statement released by McKinnon's attorney.

McKinnon is seeking to be prosecuted in the U.K. although his extradition order has been approved by the U.K. government. He has managed to avoid extradition so far through a series of legal maneuvers and appeals, all of which have been unsuccessful but held up his transfer to the U.S.

McKinnon was indicted in November 2002 in the U.S. District Court for the Eastern District of Virginia. He faces charges of illegally accessing and damaging U.S. government computers.

The U.S. government alleges his exploits cost at least US$700,000 and caused the shutdown of critical military networks shortly after the Sept. 11, 2001, terrorist attacks. McKinnon could face a sentence of 60 years or more.

Most recently, McKinnon has tried to garner support that, for medical reasons, if he is extradited and sentenced he should be allowed to serve a sentence in the U.K. Now McKinnon is pushing to only be prosecuted in the U.K. due to the stress he would endure from a U.S. trial.

He has been diagnosed with Asperger Syndrome, which is a neurological disorder characterized by obsessive behavior and deficiencies in social interaction.

McKinnon has admitted to hacking the computers and described how he did it in detail at computer security conferences in London. From his north London home, McKinnon began probing military computers looking for evidence of UFOs.

He used a program called "RemotelyAnywhere" to control U.S. military computers. Many of the computers he accessed were set up with default passwords, which made them easy to access, McKinnon has said.

He timed his hacking when no one was working at the U.S. offices. But on one occasion he miscalculated the time difference. Someone using a computer that McKinnon controlled noticed the cursor moving on its own. The connection was severed, and U.K. police eventually tracked McKinnon down.

IDG News Service

Read More

'Amazing' worm attack infects 9 million PCs

Biggest infection in years, says Finnish security firm.
Calling the scope of the attack "amazing," security researchers at F-Secure Corp. today said that 6.5 million Windows PCs have been infected by the "Downadup" worm in the last four days, and that nearly 9 million have been compromised in just over two weeks.

Early Friday, the Finnish firm revised its estimate of the number of computers that had fallen victim to the worm, and explained how it came to the figure. "The number of Downadup infections [is] skyrocketing," Toni Koivunen, an F-Secure researcher, said in an entry to the company's Security Lab blog. "From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing."

On Tuesday, Koivunen put the number of infected systems at 2.4 million, then updated the estimate Wednesday to 3.5 million, an increase of 1.1 million in just 24 hours.

"We haven't seen outbreaks of this scale in many years," said Mikko Hypponen, chief research officer at F-Secure, in an e-mail reply to questions. "[It] reminds me of the old Loveletter/Melissa/Sasser/Blaster cases size-wise," he added, ticking off some of history's biggest malware attacks.

Downadup -- which also goes by the name "Conficker" -- exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. Although Microsoft fixed the flaw with one of its rare "out of cycle" updates in late October, about a third of all PCs have not yet been patched, according to Qualys Inc., another security company. Those PCs are the ones being hijacked by the worm.

In his Friday blog post, F-Secure's Koivunen also provided some background on the company's estimate, in part because some people had expressed disbelief in the number. According to Koivunen, F-Secure came to its 8.9 million-machine estimate by spying on the worm's communication with hacker-controlled servers.

Once it's gotten onto a PC, Downadup generates a list of possible domains, selects one, then uses that URL to reach a malicious server from which it downloads additional malware to install on the hijacked computer. F-Secure, however, has registered some of those domains, and has been able to monitor traffic through those URLs.

By examining logs of connection attempts to the domains, F-Secure discovered several hundred thousand different IP addresses -- over 350,000 as of today -- as well as a counter embedded in each that spells out the number of additional PCs that the infected machine has compromised.

"So this number tells us how many other computers this machine has exploited since it was last restarted," explained Koivunen. A sample log provided by F-Secure showed 12 Downadup-infected PCs, which collectively had infected 186 additional systems. Just one of the originally infected computers successfully attacked 116 other machines.

"We wrote a program that parses the logs, extracting the highest value for the IP/User-Agent pairs ... then added together to get our figures," said Koivunen. "As you can see now, they are very conservative."

Earlier this week, the already-high number of Downadup infections prompted Microsoft to add detection for the worm to its Malicious Software Removal Tool (MSRT), the anti-malware utility that the company updates and redistributes each month to Windows machines. Microsoft released the latest edition of the MSRT with anti-Downadup capabilities last Tuesday.

Like other security researchers, those from Microsoft have put some of the blame on users slow to patch their PCs. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," a pair of security researchers who work at Microsoft said Tuesday.

Microsoft has recommended that Windows users install the emergency update, then run the January edition of the MSRT to scrub the worm from compromised computers.

Read More

NASA Hacker May be Tried in UK

NASA hacker Gary McKinnon could be prosecuted in the UK after his lawyers informed the Crown Prosecution Service (CPS) that he would enter a guilty plea if the case was heard in the U.K.

McKinnon broke into U.S. military computers, including those belonging to NASA, in 2001 in a bid to prove the U.S. government has knowledge of UFOs.

While McKinnon says his exploits did not cause any damage, the U.S. allege that McKinnon stole 950 passwords and deleted files at a naval base in New Jersey, responsible for replenishing munitions and supplies for the Atlantic fleet. They also maintain the intrusions disrupted computer networks used by the military that were critical to operations conducted after the terrorist attacks of September 11, 2001. The U.S. estimates the damage caused by McKinnon at $700,000.

McKinnon currently faces extradition to the U.S. to stand trial, following the European Court of Human Rights' decision in August 2008. However, this latest move by his lawyers, means that if McKinnon was found guilty, he would be punished in the U.K. and extradition would be very unlikely.

"McKinnon has had tremendous support from the hacker community and even ordinary people - many IT workers have a lot of sympathy for his ongoing plight and would rather see him tried in Britain as opposed to the U.S.," said Graham Cluley, senior technology consultant at security firm Sophos.

"Any form of hacking is illegal and should be punished as such, and hacking into U.S. government networks is bound to come with harsh repercussions -- anyone thinking about engaging in these types of activities in the future should think twice. This man's sorry tale should warn other would-be hackers that they are playing with fire if they break into sensitive networks, and shouldn't be surprised if the full force of the law goes after them."

Read More

Hack forces Twitter into 'full security review'

Analysts say breach could could force IT to rethink its use of the microblogging tool

January 7, 2009 (Computerworld) Twitter Inc. has launched a comprehensive review of the defenses in its popular social network and microblogging service after hackers hijacked the accounts of several high-profile users on Monday.

In interviews this week, analysts said they were surprised that sites such as Twitter, which are potentially hot targets for hackers and phishers, had long avoided such major attacks, and thus strong scrutiny by its corporate users.

Since the widely publicized hack of Twitter, analysts said they are closely watching how the site and especially its corporate customers respond to the security breach.

"Certainly, with all the coverage Twitter has had about this, it will bring security to [Twitter's] attention," said Caroline Dangson, an analyst at Framingham, Mass.-based market research firm IDC.

"It reminds us that we're dealing with a medium that is less secure and [that] we need to be more conscious of what we're putting out there and not take it for granted like we have," she added.

San Francisco-based Twitter confirmed on Monday that hackers had broken into the accounts of more than 30 celebrities and organizations, including President-elect Barack Obama, Britney Spears, and the Fox News and CNN cable television networks.

The company said tools used by its support team were illegally accessed and used to send malicious messages, many of them offensive, to the compromised accounts.

The network was breached just two days after identity thieves launched a phishing campaign that tried to dupe users of the microblogging service into divulging their usernames and passwords.

In a blog post on the company's Web site, Twitter co-founder Biz Stone said he considers the compromise that led to the account hijackings to be "a very serious breach of security."

In an e-mail to Computerworld, Stone said, "We're doing a full security review on all access points to Twitter." The first steps will be to "strengthen the security surrounding sign-in" and to further restrict access to the company's own support tools, he said.

Ken van Wyk, principal consultant at KRvW Associates LLC in Alexandria, Va., said that while individual users are unlikely to change microblogging habits because of the breach, corporate IT managers should move quickly to evaluate how such incidents could affect their firms.

"We're seeing [Twitter] used more and more for communications between managers and employees to keep everyone informed about what's going on," he said. "I suspect that a few of those folks might have a knee-jerk reaction to something like this and stop using it."

Van Wyk added that the breach could inspire some IT organizations to develop applications that provide Twitter-like capabilities for in-house use.

Dangson also noted that companies should evaluate potential alternatives to Twitter or complementary, more secure tools to use with the service.

"We're not going to see a lot of people stop using [Twitter] because of this, but they might consider other forms of communication — more closed networks for certain information they're trying to share," she said. "I think people will be more cautious, but they won't stop using Twitter."

Stone said that he expects that corporate users will see Twitter's "reaction and immediate behavior" following the breach as "a signal that we're serious about security and supporting commercial use."

As for home users, vanWyk said, "I don't think people will say, 'Hey, now this place is corrupt.' I suspect [Twitter] will come away unscathed."

However, he added, "I think it would be good for companies to suffer a little bit when there's a major security breach. If they come through unscathed, where is the lesson? Where's the push to improve security?

Read More

Twishing attacks steal data in 140 characters or less

Twitter, and its 140-characters-or-less message restriction has become quite popular over the past year, attracting attention from organizations and individuals all across the globe. American conservatives are scrambling to reach out to constituents (and educate elected officials) through the social network, and the Israeli Consulate held a Tweet-friendly conference on that nation's response to recent problems in the Gaza Strip. Even the US military is interested in the nation's tweeting trend, and is investigating whether or not the service could be used to plan or coordinate terrorist attacks. The malware industry, ever one to follow a popular trend, has taken notice of Twitter; preliminary attempts to breach the social network and exploit it as a malware distribution point are already underway.

According to blogger Nathania Johnson, she recently received a tweet from a friend directing her to "this funny blog about you" followed by a link to blogspot. She clicked on the link and was warned away by installed anti-phishing software (I assume), which correctly flagged the site as a forgery. Hapless users who actually clicked on the link were bounced away to a Twitter-look-alike at a different URL where they were prompted to enter their login ID and passwords.

Normally, I'd be tempted to excoriate someone for clicking on a link that practically screams "spam," but Twitter is a unique case. One of the more reliable ways of detecting spam/phishing is watching for grammar mistakes, spelling errors, and the lack of personalization within the missive. The 140 character limit on Twitter, however, encourages its users to be as concise and compact as possible; sending a URL leaves even less room for an additional message. This type of brief exchange actually plays to a phisher's strengths, provided they can craft even the most basic hook. As Nathania herself notes, "it was a very strange message," but she clicked it anyway. Fortunately, she was warned off, but lots of other Twitter users weren't.
Responses to the spam have been varied. Nathania herself posits that a flood of phishing schemes could drive people away from Twitter entirely, Dan Tynan of Computerworld is calling this both an inevitable development and the end of Twitter's innocence, while BoingBoing reports that Fox News has revealed some unexpected news about Bill O'Reilly's sexuality.

Twitter is likely to come out of this with nary a ripple. Spam, malware, and phishing are facts of life that every single website has had to deal with. Methods of dealing with the problem vary from website to website, but tweeters can look forward to a great many more micro-conversations.

Read More

Root inside: researchers claim crack for Intel's vPro

Two security researchers based in Poland claim to have cracked Intel's vPro—specifically the trusted execution technology (TXT) part formerly known as LaGrande. Little is currently known about the crack, which the team will fully unveil at the forthcoming Black Hat conference in Washington. They have revealed that it involves two stages, and that an attacker can use it to "compromise the integrity of a software loaded via an Intel TXT-based loader in a generic way."

The first stage of the attack [PDF] is apparently based on "an implementation flaw in a specific system software," specifically the part that loads trusted code into memory. The second stage exploits the design of the current release of TXT.

The researchers, who work for a group called Invisible Things, claim to have found more than one implementation flaw that can enable the first stage of the attack, and Intel will be releasing information to the developer community on how to make your applications immune to it. The design-based exploit will presumably be addressed in a later release of TXT.
Right now, few people are actually using TXT, so the impact on Intel's customer base should be pretty minimal, if any. But it has to bother the company that an exploit was even found at all.

vPro is a critical link in Intel's larger vision for networked computing. At this past IDF, I talked with Intel's Andy Tryba about the company's vision of widespread remote tech support—instead of walking my aunt through a troubleshooting session over the phone, Intel would like to see me remotely and securely log into her machine and fix it. Or, Apple could remotely and securely log into her machine, if she's a Mac user.

Obviously, such a support scenario would need a lot more than just vPro, and Tryba acknowledged that. vPro is only a building block out of which which a company like Apple or Best Buy, or a third party software developer, could build a complete remote support solution. But of course, that building block has to be secure before users will feel comfortable handing over the keys to their machine to a faceless corporation (or to their nephew).

With so few details of the attack made public, it's difficult to assess its potential impact. In a statement to InfoWorld, Intel merely indicated that they're working with Invisible Things on addressing the issue.

Read More

Theoretical attacks yield practical attacks on SSL, PKI

Hashing algorithms—mathematical functions that produce a short "fingerprint" from pieces of data—are one of the cornerstones of computer security. These fingerprints, named hashes, are used in password systems, in the public key infrastructure (PKI) that makes online shopping relatively safe, and in many file distribution systems. In each case, the hash is used because of an important property that hash algorithms all have: they are one-way functions.

Given a hash, there's no practical way of determining what the input was or of generating an input that hashes to the same value. For example, a system's password database will usually contain only hashes of users' passwords. Even if hackers manage to read the password database, they cannot log on to the system because there is no way to determine the password from the hashes in the database.
MD5

One widespread hash algorithm is Message-Digest algorithm 5, or MD5. MD5 was developed in the early 1990s and, due to its use in a variety of Internet specifications, is commonly used whenever a hash function is needed. As with any other algorithm with security implications, MD5 has been studied by security researchers ever since its release.

What the researchers are looking for is a way to generate collisions, that is, different files that have the same hash value. The best attack on a hash algorithm would allow an attacker to generate a file with a specific hash without any constraints on the content of the generated file.

Such an attack has not been found for MD5; however, this is not the only kind of attack that exists. In 2004, an attack was discovered/devised that allowed someone to create two files with the same MD5 hash. These files would have to be identical, except for one portion of 128 contiguous bytes. These bytes would be allowed to differ.

Although cryptography experts were troubled by this result, it did not lead to the wholesale abandonment of MD5. Many felt that the practical applications of such an attack would be so limited as to render the findings relatively unimportant; in other words, it was a theoretical curiosity but not a practical flaw of the algorithm.

This attack was then extended in 2007 to allow collisions to be generated with much greater freedom, in an attack called the "chosen prefix attack." The 2007 attack allows attackers to take two arbitrary files (the "chosen prefixes") and then generate suffixes for those files that will cause the total (each file with its respective suffix) to have the same MD5 hash.

If the original 128 byte attack did not cause wholesale rejection of MD5 then perhaps this one should have. However, its reception was similar to that of the 2004 work: interesting theory, but not a practical vulnerability. It allowed some neat tricks—such as fake predictions of the winner of the 2008 US Presidential Election—but didn't jeopardize any of the systems that depended on MD5 for their security.

Now, a paper presented at the 25th Chaos Communication Congress security conference in Berlin this week should finally put paid to the dismissal of the flaws as "theoretical."
PKI

One of the systems that can use use MD5 is PKI. PKI is the system that allows computers and people to prove their identity to computer systems. The most visible use of PKI is the certificates used by secure websites to prove that a secure connection to https://amazon.com/ is indeed connecting to Amazon's computers, and not those of some ne'er-do-well hacker. It does this by establishing a hierarchy of trust.

At the root, the most trusted level, are the Certificate Authorities (CAs), companies like Verisign and Thawte. The CAs are supposed to then issue certificates only to people and organizations that have proven their identities. When this has been done to the CA's satisfaction, the CA issues a certificate, a small file that says, for example, "this server is operated by Amazon, according to Verisign."

Each certificate references the certificate of the group that issued it, and some certificates ("Intermediate CA" certificates) can be used to create new certificates, allowing a multi-level hierarchy of trust to be established. The CA's certificates are issued by the CAs themselves, and these certificates are typically pre-loaded into web browsers and operating systems so that any certificates issued by them are automatically trusted.
The importance of these certificates to online commerce is immense. Without them, although securing connections against passive eavesdroppers is easy (just use encryption), there would be no way of ensuring that one was in fact communicating with the site one thought one was communicating with.

Encryption alone cannot prevent "man-in-the-middle" attacks; these are attacks where the malicious party actively intercepts and decrypts the traffic between client and server. The client believes it is creating a secure connection to the remote server, but in fact is making a connection only to the man in the middle, who in turn makes a secure connection to the server. The man in the middle can then eavesdrop at his leisure, passing traffic between client and server as he sees fit.

PKI prevents this attack. Although the man in the middle can intercept the traffic, he cannot recreate the proof of identity that the legitimate server has; this means that the client computer can reject the connection, safeguarding credit card details and passwords.

The certificates themselves are typically requested online. The person wanting a certificate creates a Certificate Signing Request, which contains information about their identity, the kind of certificate they would like, the domain name they are requesting a certificate for, and some cryptographic data, then sends this to the CA. The CA validates the identity information and then cryptographically signs the CSR, producing a certificate.

It's here that MD5 comes into play; cryptographic signing of an object is performed by first hashing that object, and then encrypting the hash. One of the hashing algorithms that can be used for the hashing step is MD5. It is this feature that was exploited by the security researchers.
From theory into practice

Essentially, the researchers required two chosen prefixes. The first prefix was that of a legitimate CSR for a domain that the researchers genuinely owned. The second prefix was a CSR for an Intermediate CA. This kind of CSR should not normally be signed by the root CA, because Intermediate CAs can be used to issue certificates to anyone, and those certificates would be trusted because they could be referenced back to a trusted root.

To each of these CSRs was appended a computed suffix ensuring that the MD5 hashes were identical. The legitimate CSR was then sent to the CA, which duly signed it and issued the certificate. The legitimate CSR in the issued certificate was then replaced with the Intermediate CA CSR.

This didn't violate the integrity of the certificate (because the CSRs hashed to the same value), which meant that the researchers had created a fully functional, trusted Intermediate CA certificate, capable of creating whatever certificates the researchers wanted. In so doing they showed once and for all that the theoretical attack had practical value; chosen prefixes are enough to undermine systems built using MD5.

They could take that Intermediate CA certificate and issue certificates for (say) amazon.com and use them to sit as a man in the middle. The traditional problem with being a man in the middle—that you cannot provide the proof of identity that the legitimate server can provide—disappears. The amazon.com certificate will be trusted by the client browser and hence will not raise any alarm bells.

The actual process of creating the bogus Intermediate CA certificate was a little more complex, as the root CA adds a small amount of extra information to the CSR before signing it. However, the researchers found a root CA that added highly predictable information to the CSR; this meant they had to generate a few hundred suffixes (to accommodate the few hundred possible pieces of information that the CA could add, and hence the few hundred chosen plaintexts), but this was not a significant difficulty; they used custom software running on a cluster of 200 PS3s in a day or two.

So, using MD5 in certificates is well and truly broken, and theoretical flaws can have practical repercussions. Although most CAs no longer use MD5 in their certificates (preferring stronger hash algorithms such as SHA-1), the researchers found that many certificates in-use do use MD5; just under a third of the certificates they looked at used MD5 signatures. The vast majority of these were created by one CA, RapidSSL, which happens to be the same CA that the researchers used to generate their bogus certificate.

The CAs that the researchers spoke to indicated that they would soon cease using MD5 for their certificates, thereby closing this particular vulnerability. CAs should also ensure that the extra information they add to the CSR is not readily predictable, which would both provide some protection against this attack and might also prevent future, as-yet-unknown attacks.

For their part, the researchers are not detailing certain improvements they made to the suffix generation process until they believe it will be safe to do.

While recommendations for the CAs are clear, what this means for the general public is harder to say. The major browser vendors have been informed of the issue; thus far none has committed to any particular course of action. The most heavy-handed route would be to remove the root CA for the vendors that have been issuing MD5 certificates. This would neuter any bogus certificates from these CAs, but would also break any legitimate certificates.

It's impossible to know if such an attack has been perpetrated for real, and if it hasn't, this would be a hugely disruptive change for no real gain. Even if browser vendors do not remove the CA certificates in question, end-users can stop trusting the root CA certificates if they choose and if they are willing to tolerate the inconvenience this will cause.

The Extended Validation certificates that cause green or gold address bars in many browsers are also immune to this problem, as EV certificates prohibit the use of MD5. Simply looking for a padlock icon is no longer enough to be sure that communication with the remote server is truly secure.

Looking to the future, one lesson that will hopefully be learned is that the security industry should not be so cavalier with "theoretical" attacks. More traditional computer security flaws such as buffer overflows are already generally treated as exploitable unless proven otherwise, and patched accordingly; in light of this pessimistic viewpoint, the dismissal of cryptography findings as merely theoretical is perhaps a little surprising.

That is not to say that there are not such findings; many cryptographic attacks serve only to reduce the time taken to break encryption from trillions to hundreds of billions of years and so are not especially significant, but out-of-hand dismissal without proper evaluation is clearly a dangerous course of action.

Read More

With Gaza conflict, cyberattacks come too

Thousands of Web pages have been hit by hackers from Morocco, Lebanon, Turkey and Iran.
December 31, 2008 (IDG News Service) The conflict raging in Gaza between Israel and Palestine has spilled over to the Internet.
Since Saturday, thousands of Web pages have been defaced by hacking groups operating out of Morocco, Lebanon, Turkey, Iran, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham.

The defacements have primarily affected small businesses and vanity Web pages hosted on Israel's .il Internet domain space. One such site, Rosh Ha’ayin, Israel's Galoz Electronics Ltd, whose hacked Web site read "RitualistaS GrouP Hacked your System!!! The world isn't insurance!!! For a better world," on Wednesday.

Other attackers have placed more incendiary messages condemning the U.S. and Israel and adding graphic photographs of the violence. Warner said he has seen no evidence that any Israeli government site has been hit by these attacks, although they have been targeted.

On Saturday, Israel launched air strikes into Gaza in response to earlier rocket attacks from Hamas and other militant groups. The online attacks began soon after, Warner said. "It really got serious on Sunday," he said. "All the stops got pulled out."

Since then, Warner estimates that about 10,000 Web pages have been hacked. Many of these intrusions have been documented on sites such as Arabic Mirror, which keeps track of hacked Web sites. Often these are mass defacements where many pages hosted on the same server are hit.

The defacements are being carried out by loose-knit hacking groups that meet in several online forums to coordinate their attacks. One hacker, called Cold Z3ro claims to have hacked nearly 5,000 Web pages, Warner said.

Web defacement community took off in the militant Muslim community in 2006 when hundreds of Danish Web sites were hacked after a Danish newspaper printed cartoons depicting the prophet Mohammed. One group, which had about 70 members at the time of the Danish cartoon incident, now boasts more than 10,000 hackers,

Read More

Software executive sentenced for hacking

President of Platte River Associates also faces charges of "trading with the enemy"
The president of a U.S. software company has been sentenced to probation after pleading guilty to stealing password-protected files from a competitor.
Jay E. Leonard, 61, was sentenced to 12 months supervised probation and a $2,500 fine after pleading guilty to one count of unauthorized access to a protected computer, a misdemeanor charge.

He said that one of Leonard's employees may have turned his boss in. He knew Leonard professionally and was "very surprised" by the incident, he said.

Leonard accessed the Zetaware site from a Sprint wireless network at Houston's George Bush Intercontinental Airport, located near Zetaware's headquarters, the plea agreement states.

In a separate case, Platte River Associates is also facing charges of "trading with the enemy," for allegedly allowing its software to be used to evaluate oil and gas development opportunities off the shore of Cuba, which is under a U.S. trade embargo. "The company has expressed an interest in pleading guilty," in that case, although no plea has been accepted by the judge, according to Jeffrey Dorschner, a spokesman for the United States Attorney's office prosecuting the two cases.

Leonard and his attorney did not return calls seeking comment for this story.

Read More

Heroin hacker steals information on 59,000 workers

American company Luxottica Retail, the former owner of the Things Remembered stores seemed to have forgotten to have the right amount of security on the company mainframe.

The red-faced retailer has admitted that more than 59,000 of its former workers could be affected after a huge security breach.

A routine check by the information technology department discovered that a hacker had been inside a computer mainframe and downloaded the personal information of more than 59,000 former workers.

The victims are all over the US and will have lost names, addresses and Social Security numbers to the hacker.

However the cyber-raider cannot have been all that clued up either. Investigators were allegedly able to trace the hacker’s IP address to one Molly Burns.

The 30-year-old has a five-page long arrest record that includes theft, forgery and drug charges.

Inspector Knacker of the Arizona Yard swooped on her apartment during a heroin raid earlier this year and already has a number of her computers at the station.

Investigators are now waiting on the results of a forensics examination of the computers in the hope of finding some of the Luxotta files.

Burns apparently didn’t hang around to answer copper's questions. She has apparently legged it.

Three different police departments in Arizona are also looking for her so her hacking exploits will be only one of many things coppers want a word with her about.

Meanwhile the company sent letters to all the former employees letting them know what happened.

Apparently Luxottica Retail has improved its computer security so that a hacker who is such a novice they don’t think to hide their own IP address can't break down the door.

That's the problem with heroin... it does cloud your judgement a bit.

theinquirer.net (c) 2008 Incisive Media

Read More

New worm exploits critical Windows bug

A worm that exploits the bug Microsoft patched in an emergency update 11 days ago is actively attacking systems, several security companies and researchers said Monday.

The worm, which Symantec Corp. labeled " Wecorl " but was dubbed "MS08-067.g" by Kaspersky Lab and Microsoft itself, likely originated in China, said Kevin Haley, a director with Symantec's security response team. "It may have come out of China," said Haley, who added that it appeared to target Chinese language versions of Windows 2000.

Haley confirmed that the worm is both different from the information-stealing Trojan horse that prompted Microsoft to issue the out-of-cycle patch on Oct. 23, and circulating in the wild.

Other researchers echoed Symantec's take that the worm installs multiple components on victimized PCs, including a Trojan downloader and rootkit code to mask it from security software. Helsinki-based F-Secure Corp ., for example, identified the former as "Trojan-Dropper.Win32.Agent.yhi" and the rootkit bits as "Rootkit.Win32.KernelBot.dg."

According to Haley, if the worm manages to infect a Windows PC, it also tries to attack all the machines on the same subnet. "If it can get behind the [fire]wall, then it can infect other systems," Haley said.

"That circumvents the firewall mitigation that Microsoft noted," said Andrew Storms, director of security operations at nCircle Network Security Inc. "Enterprises typically have laptops configured to be location aware so when they're on the company network, parts of the firewall are disabled, or port 139 is allowed from known IP addresses."

In the security bulletin it released two weeks ago, Microsoft said that "standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter."

Within days of the emergency patch , hackers had published working attack code on the Internet.

F-Secure said that the just-released worm is based on the exploit code that had been posted online last week. nCircle's Storms agreed that's likely.

Symantec rated the worm as a "Very Low" threat, although it maintained its ThreatCon, an all-around indicator of Internet security, at "2" because Microsoft issued an emergency patch. "It doesn't appear to be very widespread, although that could change, of course," said Haley.

As counter-intuitive as it sounds, Storms said that the appearance of a worm is actually a good thing. "Evidence that we're finding and detecting it means we're in a better situation than we were earlier," he argued. "If it had gone undetected and unfound [it would have meant] that enterprises didn't have any defense-in-depth. But because we're finding it, that means we have signatures for it."

Storms urged users who had not installed the MS08-067 update to do so immediately. "The worm may not have many legs, but you should get ahead of the game and deploy now," he said.

Read More

Warning on Halloween web fraud

Scammers are latching onto Halloween web sites as a method of spreading infectious code internet monitoring company Websense is warning.
The company is warning that sites selling Halloween gifts and services have been targeted as never before and internet users can be put at risk of infection from code embedded within them.

“One particular example is a Web site selling Halloween costumes. The deobfuscation returned by ThreatSeeker shows that the JavaScript has multiple layers of obfuscation,” the company said in an alert.

“The script contacts a malicious server in the .biz TLD. Within the ThreatSeeker network, we have seen almost ten thousand sites infected with the same obfuscation technique.”

Another technique involves building a redirect into a popular web site. Websense has detected over 13,000 such script injections in popular sites.

Read More