<?xml version="1.0" encoding="iso-8859-1"?>

<rss version="2.0" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>SecurityTeam.us</title>
<link>http://www.securityteam.us</link>
<description>Latest Headlines</description>
<managingEditor>noreply@securityteam.us</managingEditor>
<webMaster>noreply@securityteam.us</webMaster>
<copyright>Copyright 2006 SecurityTeam US</copyright>
<generator>GeekLog</generator>
<pubDate>Fri, 22 Sep 2006 10:00:03 -0400</pubDate>
<language>en-us</language>
<item>
<title>Wi-Fi hijack risk for Macs</title>
<link>http://www.securityteam.us/article.php/20060922094855924</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20060922094855924</guid>
<pubDate>Fri, 22 Sep 2006 09:48:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20060922094855924#comments</comments>
<dc:subject>Wi-Fi</dc:subject>
<description>A trio of security flaws in Apple software that runs wireless-networking hardware could allow Macs to be hijacked over Wi-Fi, Apple said on Thursday.
The Mac maker released security updates to repair the problems, which together affect the AirPort wireless driver in Mac OS X 10 Panther version 10.3.9 and Mac OS X Tiger 10.4.7, according to Apple's security alert. Both Intel-based and Power PC-based versions of the Mac operating system are affected, on regular computers as well as on servers, it said.

Apple said in the alert describing one of the flaws: &amp;quot;Attackers on the wireless network may cause arbitrary code execution.&amp;quot; 'Arbitrary code execution' means the intruder can commandeer the system. The other two flaws allow the same type of compromise but can also cause system crashes or, in one case, privilege escalation, it added.

There are no known exploits for the vulnerabilities addressed by the update, Apple said. This means Mac users should not be under immediate threat of attack.

Apple's security patches come a month after security researchers at SecureWorks demonstrated at the Black Hat security confab how an attacker could gain complete control over a laptop by sending malformed network traffic to a vulnerable computer. They showed a video of a successful attack on an Apple MacBook.

The researchers used a third-party wireless card in the MacBook for their demonstration but said the AirPort wireless technology built into the laptop was also vulnerable, creating controversy in the Apple community.

In a statement released after Black Hat in August, Apple critiqued SecureWorks for saying Macs were insecure. A company representative said at the time: &amp;quot;Despite SecureWorks being quoted saying the Mac is threatened, they have provided no evidence that it is.&amp;quot;

But Apple's security patches are not related to the Black Hat presentation, a company representative said on Thursday. Instead, the company itself hunted for bugs in its wireless software and uncovered the vulnerabilities, according to the representative.

The representative said: &amp;quot;In August, SecureWorks approached Apple with a potential flaw that they felt could affect wireless drivers on Macs. They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit.

&amp;quot;Today's update pre-emptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac.&amp;quot; 

A SecureWorks representative did not have an immediate comment.

The three vulnerabilities addressed by Apple all have to do with how the AirPort wireless driver handles &amp;quot;frames&amp;quot;. An attacker could exploit the flaw by crafting a malicious frame and making it available on a wireless network used by vulnerable Macs, Apple said.

The first of the flaws, identified by CVE-2006-3507, affects Power Mac, PowerBook, iMac, Mac Pro, Xserve and Power PC-based Mac Minis equipped with wireless capabilities. The second issue, identified by CVE-2006-3508, impacts Intel-based Mac Mini, MacBook and MacBook Pro computers equipped with wireless. CVE, or common vulnerabilities and exposures, is a list that provides an index of standardised names for vulnerabilities.

The third problem, identified by CVE-2006-3509, is specific to how the AirPort wireless driver interacts with third-party wireless software, according to Apple. It also impacts Intel-based Mac Mini, MacBook and MacBook Pro systems equipped with wireless.

Apple did not list the iBook on its list of affected systems but it also did not mention the iBook as one of the machines not affected by any of the three flaws.

The Mac OS security updates are available via Apple's software update utility in the operating system, and from Apple's download site. Only one update is required, and the utility will present the applicable fix, Apple said. 

By Joris Evers, CNET News</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20060922094855924</trackback:ping>
</item>
<item>
<title>Spot a Bug, Go to Jail</title>
<link>http://www.securityteam.us/article.php/2006051019405643</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/2006051019405643</guid>
<pubDate>Wed, 10 May 2006 19:40:56 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/2006051019405643#comments</comments>
<dc:subject>Security News</dc:subject>
<description>A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities.
On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers.

For proof, the man copied seven applicants' personal records and anonymously sent them to a reporter for SecurityFocus. The journalist notified the school, the school fixed the problem, and the reporter wrote an article about it.

The incident might have ended there, but didn't.

The school went through its server logs and easily traced the activity back to McCarty, who had made no attempt to hide his tracks. The FBI interviewed McCarty, who explained everything to the agents. Then the U.S. Attorney's Office in Los Angeles charged the security expert with violating 18 U.S.C. 1030, the federal computer crime law.

Will they ever learn? In 2002, the U.S. Attorney in Texas charged Stefan Puffer with violating section 1030 after Puffer demonstrated to the Harris County District Court clerk that the court's wireless network was readily accessible to attackers. The prosecution claimed that Puffer, a security consultant, unlawfully accessed the system. Puffer argued that he was trying to help the county. A jury acquitted Puffer in about 15 minutes.

In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure.

Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.

The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent.

Likely, they will point to the fact that McCarty copied some applicant records. &amp;quot;It wasn't that he could access the database and showed that it could be bypassed,&amp;quot; Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. &amp;quot;He went beyond that and gained additional information regarding the personal records of the applicant.&amp;quot;

But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.

In any event, McCarty had arguably already done enough to get himself prosecuted by this Justice Department.

The federal statute and copycat state laws prohibit accessing computers or a computer system without authorization, or in excess of authorization, and thereby obtaining information or causing damage.

What does it mean to access a networked computer? Any communication with that computer -- even if it's simply one system asking another &amp;quot;are you there?&amp;quot; -- transmits data to the other machine. The cases say that e-mail, web surfing and port scanning all access computers. One court has even held that when I send an e-mail, not only am I accessing your e-mail server and your computer, but I'm also &amp;quot;accessing&amp;quot; every computer in between that helps transmit my message.

That means the law frequently rests on the definition of &amp;quot;authorization.&amp;quot; Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop.

One Western District of Washington case, Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., says that when a company employee knows he is going to leave his position to go work for a competitor, but continues to use his computer account and copy information there for the purposes of aiding his new bosses, his access is unauthorized. A federal court in Maryland went the other way in a case with similar facts: In International Association of Machinists and Aerospace Workers v. Werner-Matsuda, a union employee who accessed her computer account for the purposes of helping a rival union recruit members did not violate the law. The statute proscribes unauthorized access, not authorized access for unwanted purposes, said the court.

What this means for McCarty is that there are ample legal reasons for the prosecution to drop the charges against him. Yet, there are also ample legal reasons why a security professional, upon finding a database flaw, might worry that the find would bring criminal charges rather than thanks.

This situation must change. People need to be able to exercise a little bit of self-help before plugging their data into web forms, and security professionals who happen upon vulnerabilities shouldn't have to choose between leaving the system wide open to attack and prosecution.

One solution might be to focus more heavily on whether the user has criminal intent when accessing the system. Another might be to criminalize specific activities on the computer, but not access to a public system itself. A third might be to define unlawful access as the circumvention of some kind of security measure. As we have more cases like McCarty's, McDanel's and Puffer's, perhaps security professionals will pressure state legislatures and Congress to improve the computer crime laws.

By Jennifer Granick, Wired News</description>
<trackback:ping>http://www.securityteam.us/trackback.php/2006051019405643</trackback:ping>
</item>
<item>
<title>Computer researchers warn of powerful new Internet attacks</title>
<link>http://www.securityteam.us/article.php/20060320164124803</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20060320164124803</guid>
<pubDate>Mon, 20 Mar 2006 16:41:24 -0500</pubDate>
<comments>http://www.securityteam.us/article.php/20060320164124803#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Security researchers are warning about a new variety of unusually powerful Internet attacks that can overwhelm popular websites and disrupt e-mails by exploiting the computers that help manage global Internet traffic.
First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope. In one of the early cases examined, the unknown assailant apparently seized control of an Internet name server in South Africa and deliberately corrupted its contents.

Name servers are specialized computers that help direct Internet traffic to its destinations.

The attacker then sent falsified requests to the compromised directory computer, which unleashed overwhelming floods of amplified data aimed wherever the attacker wanted.

Experts traced at least 1,500 attacks that briefly shut down commercial websites, large Internet providers and leading Internet infrastructure companies during a period of weeks. The attacks were so targeted that most Internet users did not notice widespread effects.

Ken Silva, the chief security officer for VeriSign Inc., compared the scale of attacks to the damage caused in October 2002 when nine of the 13 computer &amp;quot;root&amp;quot; servers that manage global Internet traffic were crippled by a powerful electronic attack. VeriSign operates two of the 13 root server computers, but its machines were unaffected.

&amp;quot;This is significantly larger than what we saw in 2002, by an order of magnitude,&amp;quot; Silva said.

Silva said the attacks earlier this year used only about six per cent of the more than one million name servers across the Internet to flood victim networks. Still, the attacks in some cases exceeded eight gigabits per second, indicating a remarkably powerful electronic assault.

&amp;quot;This would be the Katrina of Internet storms,&amp;quot; Silva said.

The U.S. Computer Emergency Readiness Team, a partnership with the Homeland Security Department, warned network engineers in December to properly configure their name servers to prevent hackers from using them in attacks. It called the attacks &amp;quot;troublesome&amp;quot; because name servers must operate to help direct Internet traffic.

Experts call the attack technique a &amp;quot;distributed reflector denial of service.&amp;quot;
Ted Bridis, Canadian Press</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20060320164124803</trackback:ping>
</item>
<item>
<title>Arbor Networks stops DDoS attacks against broadband sites in the Netherlands</title>
<link>http://www.securityteam.us/article.php/20060309122039436</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20060309122039436</guid>
<pubDate>Thu, 09 Mar 2006 12:20:39 -0500</pubDate>
<comments>http://www.securityteam.us/article.php/20060309122039436#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Arbor Networks has tracked a malicious botnet that has been trying to wreak havoc against broadband sites hosted in the Netherlands.
The Arbor security team decoded the botnet on 1st March and, after logging its activities, correlated a series of distributed denial of service (DDoS) attacks against broadband sites hosted in the Netherlands as having emanated from the network of compromised hosts. The Arbor security team contacted the Dutch Computer Emergency Response Team (CERT), GOVCERT.NL, the next day and provided them with all the gathered intelligence to assist in the shutdown of the botnet.

Bot software often employs the Internet Relay Chat (IRC) network protocol to communicate. The IRC server - likely a compromised host - that was used in these attacks resides on a network hosted in the Netherlands. During the Arbor security team's analysis of the botnet, data was discovered suggesting that the botnet &amp;quot;controller&amp;quot; was either an individual or group of individuals who spoke Dutch, and were employing Arabic-named IRC channels, usernames and passwords to control the botnet.

courtesy: SecurityPark.net</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20060309122039436</trackback:ping>
</item>
<item>
<title>Mac OS X hacked in under 30 minutes</title>
<link>http://www.securityteam.us/article.php/200603061443505</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/200603061443505</guid>
<pubDate>Mon, 06 Mar 2006 14:43:00 -0500</pubDate>
<comments>http://www.securityteam.us/article.php/200603061443505#comments</comments>
<dc:subject>Apple</dc:subject>
<description>Gaining root access to a Mac is &amp;quot;easy pickings,&amp;quot; according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.
On Feb. 22, a Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Within hours of going live, the &amp;quot;rm-my-mac&amp;quot; competition was over. The challenger posted this message on his Web site: &amp;quot;This sucks. Six hours later this poor little Mac was owned and this page got defaced.&amp;quot;

The hacker who won the challenge, who asked ZDNet Australia to identify him only as &amp;quot;gwerdna,&amp;quot; said he gained root control of the Mac in less than 30 minutes.

&amp;quot;It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain misconfigurations and other obvious things but then I decided to use some unpublished exploits--of which there are a lot for Mac OS X,&amp;quot; gwerdna told ZDNet Australia.

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

&amp;quot;The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server--with various remote services running and local access to users. There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

&amp;quot;There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches--good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits,&amp;quot; gwerdna said.

Gwerdna concluded that OS X contains &amp;quot;easy pickings&amp;quot; when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

&amp;quot;Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders,&amp;quot; gwerdna added.

Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.

In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.

&amp;quot;The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms...If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems,&amp;quot; said Archibald at the time.

An Apple Australia representative said Monday the company was unable to comment at this stage. Apple in the U.S. could not be reached for comment.

Munir Kotadia of ZDNet Australia
CNet News</description>
<trackback:ping>http://www.securityteam.us/trackback.php/200603061443505</trackback:ping>
</item>
<item>
<title>PHP Apps A Growing Target for Hackers</title>
<link>http://www.securityteam.us/article.php/20060202120739954</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20060202120739954</guid>
<pubDate>Thu, 02 Feb 2006 12:07:00 -0500</pubDate>
<comments>http://www.securityteam.us/article.php/20060202120739954#comments</comments>
<dc:subject>Application Software</dc:subject>
<description>Security holes in PHP-based content management and forum apps are an increasingly active front in Internet security, as hackers target unpatched weaknesses.
The latest example is Monday's hack of chip maker AMD's customer support forums, in which an older version of Invision Power Board was compromised and used to distribute malware using the Windows Metafile (WMF) exploit.

While Windows flaws like the WMF vulnerability are useful to hackers assembling armies of compromised desktop computers, security holes in PHP applications provide access to more powerful servers hooked directly to high-speed network connections.

Internet criminals have targeted unpatched vulnerabilities in open source CMS apps including phpBB, PostNuke, Mambo, Drupal and others, hoping to build botnets for use in phishing scams and distributed denial of service (DDoS) attacks. Compromised web forums hosted more than 600 phishing spoof sites identified by the Netcraft Toolbar Community in 2005 (as noted in our Year in Phishing roundup).

The DDoS capabilities of server-based zombies were demonstrated in a December attack by a large botnet of Linux machines, in which attackers flooded their target with more than 6 gigabytes of data per second. Hosting providers with multiple IP addresses being used in the botnet included Level 3, Savvis, AT&amp;amp;T WorldNet, 1&amp;amp;1 Internet, Interland and The Planet. The network used in the December attack was assembled by exploiting known security holes, including a vulnerability in the Limbo CMS that had been patched at least six weeks earlier.

The growth of PHP-based content management systems is a testimony to the success of the open source movement, which has created a lengthy list of powerful, user-friendly applications that can be installed by web site operators with little or no PHP coding experience. Active support communities for these projects offer templates and mods for easy customization, and mobilize to deploy fixes for security holes.

But as is the case with most web software, a significant number of users fail to install security patches in a timely fashion. This provides an opportunity for hackers, who typically use public advisories to identify security flaws in specific programs and files, and then query search engines to locate vulnerable versions of the software.

Some programs with consistent security problems continue to grow in popularity. The open source bulletin board system phpBB has experienced a series of security problems, and has been banned by some web hosts. The MSN search engine recently began returning no results for the search term &amp;quot;phpBB&amp;quot; to deter hacker scans. That hasn't prevented a 79 percent increase in active sites using phpBB between June and December of 2005, according to data from our Web Server Survey and related datasets.

Most of the security issues with PHP-driven programs are found not in PHP itself, but rather in the libraries and applications built atop the server-side scripting language. The most widespread of these, a flaw in XML-RPC libraries identified in July, affected a lengthy list of popular programs including WordPress, Drupal, PostNuke, Serendipity, phpAdsNew and phpWiki. More than four months later, hackers were actively targeting the flaw.

Netcraft provides security monitoring of dedicated servers as well as web application security testing that can identify outdated software and other common security risks on networks.

Netcraft News</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20060202120739954</trackback:ping>
</item>
<item>
<title>ISF Warns Of Spit And Other New Security Threats From VoIP</title>
<link>http://www.securityteam.us/article.php/20051212075028565</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20051212075028565</guid>
<pubDate>Mon, 12 Dec 2005 07:50:00 -0500</pubDate>
<comments>http://www.securityteam.us/article.php/20051212075028565#comments</comments>
<dc:subject>Security News</dc:subject>
<description>A new report from the Information Security Forum (ISF) warns that along with existing security problems associated with IP networks, VoIP will present new and more sophisticated threats - such as caller ID spoofing, voice modifiers, SPIT (voicemail SPAM) and packet injections. 
With VoIP now poised to hit the business market in a big way, the ISF believes that failure to address these serious risks may bring voice communications to a grinding halt and result in identity theft and loss of sensitive information.

With a combination of caller ID spoofing and freely available voice modification software, it is relatively easy to pose convincingly as someone else - similar to web site spoofing and phishing. But the ISF believes that one of the most virulent problems posed by VoIP will come about as a direct result of the low cost of sending voice messages over the Internet. SPIT - spam over internet telephony - could become a huge problem for companies. This could range from staff wasting time clearing unwanted voicemail messages to a total loss of service.

Other VoIP security issues highlighted in the ISF report range from redirection of calls and packet injections where words are inserted into the data stream mid-conversation, to the interception of sensitive voice traffic in transit and theft of VoIP bandwidth.

In surveying ISF members to research the report, concerns were also expressed that as VoIP becomes more popular, organised criminals will turn their attention to sabotaging businesses by disabling phone systems through DoS attacks or spreading malicious viruses or worms. The problems of poor quality transmission and loss of service are gradually being overcome, which is expected to lead to more widespread adoption and reliance on VoIP in the future. This trend is also being driven by cost savings, improved functionality, ease of access and low cost of entry. 

&amp;quot;Although VoIP is being increasingly used in the home environment, most businesses are still reliant on the Public Switch Telephone Network,&amp;quot; said Nick Frost, Consultant at the ISF. &amp;quot;We take it for granted but it is extremely resilient, something that VoIP can not currently deliver. But it is inevitable that eventually VoIP will take over as the voice service of choice, bringing with it these additional new security risks.&amp;quot;

This latest ISF report along with over 150 authoritative reports on information security issues is available to ISF members.</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20051212075028565</trackback:ping>
</item>
<item>
<title>Hackers, Scammers Hide Malicious JavaScript On Web Sites</title>
<link>http://www.securityteam.us/article.php/2005102016140028</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/2005102016140028</guid>
<pubDate>Thu, 20 Oct 2005 16:14:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/2005102016140028#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Hackers and scammers have suddenly turned to a new technique to hide malicious JavaScript on compromised or criminal sites, a security researcher said Thursday.
According to Dan Hubbard, the senior director of security and research at Websense, a family of obfuscation routines with the umbrella name of &amp;quot;JS/Wonka&amp;quot; has spread wildly in the last few weeks.

&amp;quot;For whatever reason, the number has just skyrocketed since the last of September,&amp;quot; said Hubbard. &amp;quot;There are 10,000 unique sites using this exact same method. The strange thing is, they're completely different types of sites.&amp;quot;

It's not uncommon to see hackers and scammers try to hide their malicious JavaScript code, said Hubbard. They want the code to be invisible to both Internet users and site operators. But the scale Websense is seeing is unprecedented.

For the most part, the JS/Wonka routines rely on converting characters to and from their respective Unicode values. JavaScript does those conversions automatically, so it's a small-footprint method that doesn't require much expertise on the part of the code writer.

Oftentimes the JavaScript code's hidden within an IFRAME that's been defined with zero values, making it invisible to the naked eye. Internet Explorer has several IFRAME vulnerabilities -- both patched bugs and flaws reported but not yet patched -- which the attackers leverage.

Attackers have sometimes created Byzantine paths between Web sites to further obscure their work, sending users from one site to another via IFRAME exploits and hidden JavaScript. Sites seen using the JS/Wonka routines include those that spoof search engine results, disable pop-up blockers, falsely claim that the PC is infected with spyware, and market spammed products such as fake pharmaceuticals, low-rate mortgages, pornography, and illegally-copied software.

Internet Explorer isn't the only browser vulnerable to JS/Wonka, however. Alternate browsers, including the popular Firefox, can be fooled with JavaScript tricks, too, and have been victimized by numerous JavaScript vulnerabilities in 2005.

&amp;quot;The interesting thing here is the sheer climb in volume of sites using these routines,&amp;quot; said Hubbard. &amp;quot;It's either a toolkit or coordination between hackers. There's no public toolkit we've found, but there are banks of domain names using JS/Wonka that are registered to similar names.&amp;quot;

About half of the more than 10,000 sites using JS/Wonka are either compromised or malicious Web sites attempting to stick malware or spyware on unsuspecting users' PCs, said Hubbard. The other half of the sites use the encoded, obfuscated JavaScript to display spoofed search results which link to sites selling products typically shilled through spam, or used by sites trying to hide their URLs from affiliate advertising vendors because those sites may be breaking contractual agreements.

Some Web advertising and/or adware firms, for instance, have blamed their wide-flung affiliates for secretly installing software, including some programs that verge on spyware, when they're accused by users and anti-spyware vendors for infecting PCs. Such affiliates may want to hide their URLs to make it harder for their partners to check up on their installation practices.

Three out of four of the sites found using JS/Wonka are hosted in the U.S., said Websense, another indication that either a group of scammers is working together, or that an obfuscation toolkit has just been made available, and hasn't had time to spread overseas.

The Websense alert, which includes samples of the JavaScript code -- useful for site operators, said Hubbard, since they can search for characters in the samples to see if their site is infected -- can be downloaded in PDF format from the San Diego-based firm's Web site.
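As an added example (not part of the Websense alert or of this article), the Python script below applies generic indicators of the kind of obfuscation described above to saved page source: a decoder wrapper such as eval or document.write fed by unescape or String.fromCharCode, a long run of %xx- or \xNN-encoded text, and an IFRAME sized or styled to be invisible. These indicators, the 50-byte threshold and the two sample pages are assumptions of the example, not JS/Wonka signatures; the real samples are only in the Websense PDF. Angle brackets in the patterns and samples are written as \x3c and \x3e escapes so the samples stay inert if the script is pasted into a mail or feed reader.

```python
"""Heuristic scan of page source for obfuscated script and hidden frames.

Added example, not code from the article or from Websense. The JS/Wonka
samples live in the Websense alert, not on this page, so the indicators
here are generic assumptions about how such routines tend to look:
a decoder wrapper (eval or document.write fed by unescape or
String.fromCharCode), a long run of %xx- or \\xNN-encoded text, and an
IFRAME sized or styled to be invisible. Angle brackets in the patterns and
samples are written as \\x3c and \\x3e so the samples stay inert when the
script is pasted into a mail or feed reader.
"""
import re
from typing import List

INDICATORS = {
    # the classic obfuscation wrapper: a decoder feeding eval/document.write
    "eval_of_decoded_string": re.compile(
        r"(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)", re.I),
    # 50 or more consecutive %xx or \xNN encoded bytes (threshold is an assumption)
    "long_encoded_blob": re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){50,}", re.I),
    # an IFRAME with zero width/height or hidden via CSS
    "hidden_iframe": re.compile(
        r"\x3ciframe[^\x3e]*?(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
}


def scan_html(html: str) -> List[str]:
    """Return the names of the indicators that fire on one page's source."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(html)]


def scan_files(paths: List[str]) -> dict:
    """Scan saved pages on disk; maps each path to its list of hits."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = scan_html(fh.read())
    return results


# Constructed samples (not real JS/Wonka code).
CLEAN_PAGE = "\x3chtml\x3e\x3cbody\x3e\x3cp\x3eHello\x3c/p\x3e\x3c/body\x3e\x3c/html\x3e"

OBFUSCATED_PAGE = (
    "\x3cscript\x3edocument.write(unescape('"
    + "%3C%69%66%72%61%6D%65" * 10          # 70 encoded bytes in a row
    + "'))\x3c/script\x3e"
    + "\x3ciframe src='http://example.invalid/x' width=0 height=0\x3e\x3c/iframe\x3e"
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("suspect", OBFUSCATED_PAGE)):
        print(label, scan_html(page) or "no indicators")
```

Run scan_files over saved copies of your own pages; a hit is a starting point for a manual look rather than proof of infection, since legitimate pages also use unescape and zero-sized frames, and a real signature search should use the character sequences from the Websense samples instead of these generic patterns.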

By Gregg Keizer
Courtesy of TechWeb News</description>
<trackback:ping>http://www.securityteam.us/trackback.php/2005102016140028</trackback:ping>
</item>
<item>
<title>Firefox URL Domain Name Buffer Overflow</title>
<link>http://www.securityteam.us/article.php/20050910160508353</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050910160508353</guid>
<pubDate>Fri, 09 Sep 2005 18:05:08 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050910160508353#comments</comments>
<dc:subject>Mozilla/Firefox</dc:subject>
<description>The vulnerability is caused by an error in the handling of a URL whose domain name contains the 0xAD character (the Latin-1 soft hyphen). This can be exploited to cause a heap-based buffer overflow.
&lt;P&gt;Successful exploitation crashes Firefox and may potentially allow code execution, but requires that the user be tricked into visiting a malicious web site or opening a specially crafted HTML file.&lt;/P&gt;&lt;P&gt;The vulnerability has been confirmed in version 1.0.6 and is reported to affect earlier versions as well as version 1.5 Beta 1.&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOFTWARE:&lt;/B&gt;&lt;BR&gt;Mozilla Firefox 1.x&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOLUTION:&lt;/B&gt;&lt;BR&gt;Don't browse untrusted web sites.&lt;/P&gt;&lt;P&gt;&lt;B&gt;PROVIDED AND/OR DISCOVERED BY:&lt;/B&gt;&lt;BR&gt;Tom Ferris&lt;/P&gt;&lt;P&gt;&lt;B&gt;ORIGINAL ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://security-protocols.com/advisory/sp-x17-advisory.txt&quot; target=&quot;_blank&quot;&gt;http://security-protocols.com/advisory/sp-x17-advisory.txt&lt;/a&gt;&lt;br /&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;VERIFY ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/advisories/16764/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/advisories/16764/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Secunia Security Advisories&lt;/P&gt;</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050910160508353</trackback:ping>
</item>
<item>
<title>The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)</title>
<link>http://www.securityteam.us/article.php/20050829200849601</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050829200849601</guid>
<pubDate>Mon, 29 Aug 2005 20:08:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050829200849601#comments</comments>
<dc:subject>Security News</dc:subject>
<description>&amp;quot;An exclusive look at how the hackers called TITAN RAIN are stealing U.S. secrets&amp;quot; by TIME Magazine
It was another routine night for Shawn Carpenter. After a long day analyzing computer-network security for Sandia National Laboratories, where much of the U.S. nuclear arsenal is designed, Carpenter, 36, retreated to his ranch house in the hills overlooking Albuquerque, N.M., for a quick dinner and an early bedtime. He set his alarm for 2 a.m. Waking in the dark, he took a thermos of coffee and a pack of Nicorette gum to the cluster of computer terminals in his home office. As he had almost every night for the previous four months, he worked at his secret volunteer job until dawn, not as Shawn Carpenter, mid-level analyst, but as Spiderman--the apt nickname his military-intelligence handlers gave him--tirelessly pursuing a group of suspected Chinese cyberspies all over the world. Inside the machines, on a mission he believed the U.S. government supported, he clung unseen to the walls of their chat rooms and servers, secretly recording every move the snoopers made, passing the information to the Army and later to the FBI.

The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat. Methodical and voracious, these hackers wanted all the files they could find, and they were getting them by penetrating secure computer networks at the country's most sensitive military bases, defense contractors and aerospace companies.

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes. &amp;quot;Most hackers, if they actually get into a government network, get excited and make mistakes,&amp;quot; says Carpenter. &amp;quot;Not these guys. They never hit a wrong key.&amp;quot;

Goaded by curiosity and a sense that he could help the U.S. defend itself against a new breed of enemy, Carpenter gave chase to the attackers. He hopped just as stealthily from computer to computer across the globe, chasing the spies as they hijacked a web of far-flung computers. Eventually he followed the trail to its apparent end, in the southern Chinese province of Guangdong. He found that the attacks emanated from just three Chinese routers that acted as the first connection point from a local network to the Internet.

It was a stunning breakthrough. In the world of cyberspying, locating the attackers' country of origin is rare. China, in particular, is known for having poorly defended servers that outsiders from around the world commandeer as their unwitting launchpads. Now Chinese computers appeared to be the aggressors.

If so, the implications for U.S. security are disturbing. In recent years, the counterintelligence community has grown increasingly anxious that Chinese spies are poking into all sorts of American technology to compete with the U.S. But tracking virtual enemies presents a different kind of challenge to U.S. spy hunters. Foreign hackers invade a secure network with a flick of a wrist, but if the feds want to track them back and shut them down, they have to go through a cumbersome authorization process that can be as tough as sending covert agents into foreign lands. Adding in extreme sensitivity to anything involving possible Chinese espionage--remember the debacle over alleged Los Alamos spy Wen Ho Lee?--and the fear of igniting an international incident, it's not surprising the U.S. has found it difficult and delicate to crack these cases.

In Washington, officials are tight-lipped about Titan Rain, insisting all details of the case are classified. But high-level officials at three agencies told TIME the penetration is considered serious. A federal law-enforcement official familiar with the investigation says the FBI is &amp;quot;aggressively&amp;quot; pursuing the possibility that the Chinese government is behind the attacks. Yet they all caution that they don't yet know whether the spying is official, a private-sector job or the work of many independent, unrelated hands. The law-enforcement source says China has not been cooperating with U.S. investigations of Titan Rain. China's State Council Information Office, speaking for the government, told TIME the charges about cyberspying and Titan Rain are &amp;quot;totally groundless, irresponsible and unworthy of refute.&amp;quot;

Despite the official U.S. silence, several government analysts who protect the networks at military, nuclear-lab and defense- contractor facilities tell TIME that Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced. TIME has obtained documents showing that since 2003, the hackers, eager to access American know-how, have compromised secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank. In one case, the hackers stole flight-planning software from the Army. So far, the files they have vacuumed up are not classified secrets, but many are sensitive and subject to strict export-control laws, which means they are strategically important enough to require U.S. government licenses for foreign use.

Beyond worries about the sheer quantity of stolen data, a Department of Defense (DOD) alert obtained by TIME raises the concern that Titan Rain could be a point patrol for more serious assaults that could shut down or even take over a number of U.S. military networks. Although he would not comment on Titan Rain specifically, Pentagon spokesman Bryan Whitman says any attacks on military computers are a concern. &amp;quot;When we have breaches of our networks, it puts lives at stake,&amp;quot; he says. &amp;quot;We take it very seriously.&amp;quot;

As cyberspying metastasizes, frustrated network protectors say that the FBI in particular doesn't have enough top-notch computer gumshoes to track down the foreign rings and that their hands are often tied by the strict rules of engagement. That's where independents--some call them vigilantes--like Carpenter come in. After he made his first discoveries about Titan Rain in March 2004, he began taking the information to unofficial contacts he had in Army intelligence. Federal rules prohibit military-intelligence officers from working with U.S. civilians, however, and by October, the Army passed Carpenter and his late-night operation to the FBI. He says he was a confidential informant for the FBI for the next five months. Reports from his cybersurveillance eventually reached the highest levels of the bureau's counterintelligence division, which says his work was folded into an existing task force on the attacks. But his FBI connection didn't help when his employers at Sandia found out what he was doing. They fired him and stripped him of his Q clearance, the Department of Energy equivalent of top-secret clearance. Carpenter's after-hours sleuthing, they said, was an inappropriate use of confidential information he had gathered at his day job. Under U.S. law, it is illegal for Americans to hack into foreign computers.

Carpenter is speaking out about his case, he says, not just because he feels personally maligned--although he filed suit in New Mexico last week for defamation and wrongful termination. The FBI has acknowledged working with him: evidence collected by TIME shows that FBI agents repeatedly assured him he was providing important information to them. Less clear is whether he was sleuthing with the tacit consent of the government or operating as a rogue hacker. At the same time, the bureau was also investigating his actions before ultimately deciding not to prosecute him. The FBI would not tell TIME exactly what, if anything, it thought Carpenter had done wrong. Federal cyberintelligence agents use information from freelance sources like Carpenter at times but are also extremely leery about doing so, afraid that the independent trackers may jeopardize investigations by trailing foes too noisily or, even worse, may be bad guys themselves. When Carpenter deputized himself to delve into the Titan Rain group, he put his career in jeopardy. But he remains defiant, saying he's a whistle-blower whose case demonstrates the need for reforms that would enable the U.S. to respond more effectively and forcefully against the gathering storm of cyberthreats.

A TIME investigation into the case reveals how the Titan Rain attacks were uncovered, why they are considered a significant threat now under investigation by the Pentagon, the FBI and the Department of Homeland Security and why the U.S. government has yet to stop them.

Carpenter thought he was making progress. When he uncovered the Titan Rain routers in Guangdong, he carefully installed a homemade bugging code in the primary router's software. It sent him an e-mail alert at an anonymous Yahoo! account every time the gang made a move on the Net. Within two weeks, his Yahoo! account was filled with almost 23,000 messages, one for each connection the Titan Rain router made in its quest for files. He estimates there were six to 10 workstations behind each of the three routers, staffed around the clock. The gang stashed its stolen files in zombie servers in South Korea, for example, before sending them back to Guangdong. In one, Carpenter found a stockpile of aerospace documents with hundreds of detailed schematics about propulsion systems, solar paneling and fuel tanks for the Mars Reconnaissance Orbiter, the NASA probe launched in August. On the night he woke at 2, Carpenter copied a huge collection of files that had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.

Even if official Washington is not certain, Carpenter and other network-security analysts believe that the attacks are Chinese government spying. &amp;quot;It's a hard thing to prove,&amp;quot; says a network-intrusion-detection analyst at a major U.S. defense contractor who has been studying Titan Rain since 2003, &amp;quot;but this has been going on so long and it's so well organized that the whole thing is state sponsored, I think.&amp;quot; When it comes to advancing their military by stealing data, &amp;quot;the Chinese are more aggressive&amp;quot; than anyone else, David Szady, head of the FBI's counterintelligence unit, told TIME earlier this year. &amp;quot;If they can steal it and do it in five years, why [take longer] to develop it?&amp;quot;

Within the U.S. military, Titan Rain is raising alarms. A November 2003 government alert obtained by TIME details what a source close to the investigation says was an early indication of Titan Rain's ability to cause widespread havoc. Hundreds of Defense Department computer systems had been penetrated by an insidious program known as a &amp;quot;trojan,&amp;quot; the alert warned. &amp;quot;These compromises ... allow an unknown adversary not only control over the DOD hosts, but also the capability to use the DOD hosts in malicious activity. The potential also exists for the perpetrator to potentially shut down each host.&amp;quot; The attacks were also stinging allies, including Britain, Canada, Australia and New Zealand, where an unprecedented string of public alerts issued in June 2005, two U.S. network-intrusion analysts tell TIME, also referred to Titan Rain-related activity. &amp;quot;These electronic attacks have been under way for a significant period of time, with a recent increase in sophistication,&amp;quot; warned Britain's National Infrastructure Security Co-Ordination Center.

Titan Rain presents a severe test for the patchwork of agencies digging into the problem. Both the cybercrime and counterintelligence divisions of the FBI are investigating, the law-enforcement source tells TIME. But while the FBI has a solid track record cajoling foreign governments into cooperating in catching garden-variety hackers, the source says that China is not cooperating with the U.S. on Titan Rain. The FBI would need high-level diplomatic and Department of Justice authorization to do what Carpenter did in sneaking into foreign computers. The military would have more flexibility in hacking back against the Chinese, says a former high-ranking Administration official, under a protocol called &amp;quot;preparation of the battlefield.&amp;quot; But if any U.S. agency got caught, it could spark an international incident.

That's why Carpenter felt he could be useful to the FBI. Frustrated in gathering cyberinfo, some agencies have in the past turned a blind eye to free-lancers--or even encouraged them--to do the job. After he hooked up with the FBI, Carpenter was assured by the agents assigned to him that he had done important and justified work in tracking Titan Rain attackers. Within a couple of weeks, FBI agents asked him to stop sleuthing while they got more authorization, but they still showered him with praise over the next four months as he fed them technical analyses of what he had found earlier. &amp;quot;This could very well impact national security at the highest levels,&amp;quot; Albuquerque field agent Christine Paz told him during one of their many information-gathering sessions in Carpenter's home. His other main FBI contact, special agent David Raymond, chimed in: &amp;quot;You're very important to us,&amp;quot; Raymond said. &amp;quot;I've got eight open cases throughout the United States that your information is going to. And that's a lot.&amp;quot; And in a letter obtained by TIME, the FBI's Szady responded to a Senate investigator's inquiry about Carpenter, saying, &amp;quot;The [FBI] is aggressively pursuing the investigative leads provided by Mr. Carpenter.&amp;quot;

Given such assurances, Carpenter was surprised when, in March 2005, his FBI handlers stopped communicating with him altogether. Now the federal law-enforcement source tells TIME that the bureau was actually investigating Carpenter while it was working with him. Agents are supposed to check out their informants, and intruding into foreign computers is illegal, regardless of intent. But two sources familiar with Carpenter's story say there is a gray area in cybersecurity, and Carpenter apparently felt he had been unofficially encouraged by the military and, at least initially, by the FBI. Although the U.S. Attorney declined to pursue charges against him, Carpenter feels betrayed. &amp;quot;It's just ridiculous. I was tracking real bad guys,&amp;quot; he says. &amp;quot;But they are so afraid of taking risks that they wasted all this time investigating me instead of going after Titan Rain.&amp;quot; Worse, he adds, they never asked for the passwords and other tools that could enable them to pick up the investigative trail at the Guangdong router.

Carpenter was even more dismayed to find that his work with the FBI had got him in trouble at Sandia. He says that when he first started tracking Titan Rain to chase down Sandia's attackers, he told his superiors that he thought he should share his findings with the Army, since it had been repeatedly hit by Titan Rain as well. A March 2004 Sandia memo that Carpenter gave TIME shows that he and his colleagues had been told to think like &amp;quot;World Class Hackers&amp;quot; and to retrieve tools that other attackers had used against Sandia. That's why Carpenter did not expect the answer he claims he got from his bosses in response to Titan Rain: Not only should he not be trailing Titan Rain but he was also expressly forbidden to share what he had learned with anyone.

As a Navy veteran whose wife is a major in the Army Reserve, Carpenter felt he could not accept that injunction. After several weeks of angry meetings--including one in which Carpenter says Sandia counterintelligence chief Bruce Held fumed that Carpenter should have been &amp;quot;decapitated&amp;quot; or &amp;quot;at least left my office bloody&amp;quot; for having disobeyed his bosses--he was fired. Citing Carpenter's civil lawsuit, Sandia was reluctant to discuss specifics but responded to TIME with a statement: &amp;quot;Sandia does its work in the national interest lawfully. When people step beyond clear boundaries in a national security setting, there are consequences.&amp;quot;

Carpenter says he has honored the FBI's request to stop following the attackers. But he can't get Titan Rain out of his mind. Although he was recently hired as a network-security analyst for another federal contractor and his security clearance has been restored, &amp;quot;I'm not sleeping well,&amp;quot; he says. &amp;quot;I know the Titan Rain group is out there working, now more than ever.&amp;quot; 

By Nathan Thornburgh, Time Magazine

--With reporting by Matthew Forney/Beijing and Brian Bennett, Timothy J. Burger and Elaine Shannon/Washington
Copyright © 2005 Time Inc.</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050829200849601</trackback:ping>
</item>
<item>
<title>Windows Flaw May Let Hackers Hide Code From AV Scanners</title>
<link>http://www.securityteam.us/article.php/20050826231630168</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050826231630168</guid>
<pubDate>Fri, 26 Aug 2005 23:16:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050826231630168#comments</comments>
<dc:subject>Security News</dc:subject>
<description>A flaw in how Windows handles entries in the all-important registry can be used by hackers to hide evidence of malicious code from a wide swath of commercial anti-virus and anti-spyware scanners, the SANS Internet Storm Center reported Friday.
While the disclosure of the bug by Danish vulnerability tracker Secunia on Wednesday got little attention, Internet Storm Center (ISC) analysts believed it was far more dangerous than it looked.

&amp;quot;Once we started to play with [the vulnerability], the nastiness became apparent: An overly long registry entry can be added, but won't be shown by regedit and regedt32,&amp;quot; wrote ISC handler Daniel Wesemann on the group's alert site. &amp;quot;Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well.&amp;quot;

Other security professionals agreed. &amp;quot;This newly-discovered vulnerability can hide other entries in the registry, hiding malicious code 'autorun' entries, for example, behind this long registry key,&amp;quot; said Mitchell Ashley, the chief technology officer of Colorado-based StillSecure.

&amp;quot;I'd compare it to the early days of buffer overflow of DNS and Bind requests,&amp;quot; added Ashley. &amp;quot;If your security software doesn't catch this, you're wide open today. If it can't find evidence of malware, you could very easily be the next target.&amp;quot;

Extra-long entries (those with names longer than 254 characters) are mishandled by the Windows registry editor and essentially &amp;quot;disappear&amp;quot; from view, as do any entries added to the same key after them, because the editor stops at the too-long entry, treating it as the last one in the key.

Worse, many malicious code scanners have a similar blind spot, and also stop processing the registry for anomalous entries when they come to a too-long key.

The technique would let attackers add their malicious software to the &amp;quot;Run&amp;quot; registry key (at &amp;quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run&amp;quot;), which lists the programs or components that launch automatically when Windows starts. Worms typically write their startup entries there; anti-virus and anti-spyware scanners often look for unexpected changes to that key to detect suspicious activity.
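As an added example (not code from the article, the ISC or StillSecure), the Python below models the blind spot described above and lists the autorun entries it would conceal. It assumes the mechanism the article implies: a scanner reads value names into a fixed 255-character buffer and treats the first name that does not fit as the end of the key, which is how a tool misreads the RegEnumValue contract (an undersized name buffer yields ERROR_MORE_DATA rather than ERROR_SUCCESS, and a scanner that equates any non-success with ERROR_NO_MORE_ITEMS stops there). Whether that is the exact fault in regedit is an assumption. The sample key contents (SAMPLE_RUN_VALUES) are constructed and are not real malware; read_run_key reads the real Run key with Python's winreg module on Windows, which sizes its buffers from RegQueryInfoKey and so does not share the blind spot.

```python
"""Find registry autorun entries that a length-limited scanner would miss.

Added example, not code from the article, ISC or StillSecure. It models the
behaviour the article describes: a tool that enumerates value names into a
fixed 255-character buffer stops at the first name that does not fit and
treats it as the end of the key. That matches the RegEnumValue contract
(an undersized name buffer yields ERROR_MORE_DATA instead of ERROR_SUCCESS),
which a scanner that equates any non-success with ERROR_NO_MORE_ITEMS would
misread; whether that is the exact fault in regedit is an assumption.
"""
from typing import Iterable, List, Tuple

NAME_LIMIT = 254   # longest value name the article says the affected tools show
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

Entry = Tuple[str, str]   # (value name, command line it launches)


def naive_enumerate(values: Iterable[Entry], limit: int = NAME_LIMIT) -> List[Entry]:
    """Model of the blind spot: stop at the first name longer than the buffer.

    Everything enumerated after the oversized name is never reported, which
    is what lets a short, ordinary-looking autorun entry hide behind it.
    """
    seen: List[Entry] = []
    for name, data in values:
        if len(name) > limit:
            break                     # misread as "no more items"
        seen.append((name, data))
    return seen


def robust_enumerate(values: Iterable[Entry]) -> List[Entry]:
    """Report every entry regardless of name length."""
    return list(values)


def hidden_entries(values: Iterable[Entry], limit: int = NAME_LIMIT) -> List[Entry]:
    """Entries present in the key that the length-limited scanner would not show."""
    values = list(values)
    shown = naive_enumerate(values, limit)
    return robust_enumerate(values)[len(shown):]


def read_run_key(hive_name: str = "HKLM") -> List[Entry]:
    """Read the real Run key on Windows (winreg is not available elsewhere).

    winreg.EnumValue sizes its buffers from RegQueryInfoKey, so it reads
    oversized names correctly and does not share the blind spot above.
    """
    import winreg                     # imported lazily so the rest runs anywhere
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    entries: List[Entry] = []
    with winreg.OpenKey(hive, RUN_KEY) as key:
        value_count = winreg.QueryInfoKey(key)[1]
        for index in range(value_count):
            name, data, _kind = winreg.EnumValue(key, index)
            entries.append((name, str(data)))
    return entries


# Constructed sample key contents, not real malware: one ordinary entry, a
# 300-character name that triggers the bug, and a short name hidden behind it.
SAMPLE_RUN_VALUES: List[Entry] = [
    ("OneDrive", r"C:\Program Files\OneDrive\OneDrive.exe /background"),
    ("A" * 300, r"C:\Users\Public\updater.exe"),
    ("svchost", r"C:\Users\Public\svch0st.exe"),
]

if __name__ == "__main__":
    for name, data in hidden_entries(SAMPLE_RUN_VALUES):
        print(f"hidden from a length-limited scanner: {name[:16]}... = {data}")
```

On a live Windows system, hidden_entries(read_run_key("HKLM")) (and the same for "HKCU") lists the entries a length-limited tool would drop; comparing that list against what regedit displays is the practical check for this concealment technique.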

&amp;quot;It's crucial that [scanners] be able to see into the registry,&amp;quot; argued Ashley.

The weakness, said Secunia, affects Windows 2000 and XP, including fully patched XP SP2 systems.

&amp;quot;We have started to see some possible reports of malware which utilizes this concealment technique in the wild,&amp;quot; said the ISC in its Friday bulletin written by handler Robert Danford. &amp;quot;We expect this trend to continue over the life-cycle of the next few weeks as vendors patch their products as necessary to allow these keys to be visible to their scan engines.&amp;quot;

Ashley confirmed that his firm had found code in the wild that was exploiting the vulnerability, but added that no infections had been reported as of mid-day Friday.

ISC has also assembled a partial list of those scanning engines which detect the &amp;quot;invisible&amp;quot; registry keys, and those which don't (or do, but crash while doing so).

Among the former, claimed the ISC, is StillSecure's SafeAccess, while the latter category includes Spybot Search &amp;amp; Destroy, Symantec's SystemWorks, and Microsoft's Windows AntiSpyware.

&amp;quot;Although the vulnerability is in Windows, I think it's a programmatic error that other [security vendors] have made in limiting the length of registry keys they examine,&amp;quot; said StillSecure's Ashley as he touted SafeAccess' ability to handle the bug. &amp;quot;We built our product to accommodate unusual or anomalous entries. To keep up with attackers, you definitely have to think outside of the box, because they do.&amp;quot;

By Gregg Keizer, TechWeb News</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050826231630168</trackback:ping>
</item>
<item>
<title>Bot Battle Brewing</title>
<link>http://www.securityteam.us/article.php/20050818112710232</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050818112710232</guid>
<pubDate>Thu, 18 Aug 2005 11:27:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050818112710232#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Just as the author of the Zotob bot worm was tentatively identified Wednesday as the same individual who wrote some of the Mytob worms, several security firms warned users that a Bagle vs. Netsky-style battle between bots is under way.
&amp;quot;Competing factions seem to be dueling for control of the botnets of PCs in order to perpetrate wider Internet criminal activity,&amp;quot; said Alex Shipp, a senior anti-virus technologist at U.K.-based security vendor MessageLabs, in a statement e-mailed to TechWeb. &amp;quot;We may well now see a period of intense malware activity as these groups vie for pole position.&amp;quot;

He also claimed that the businesses hit by the attack are only so much &amp;quot;collateral damage in the malware authors' attempts to compromise home computers to generate zombie armies.&amp;quot;

Shipp based his bot battle take on the fact that one of the most recent bots that exploits the Windows 2000 Plug and Play vulnerability also takes shots at a rival. The Bozori bot, also dubbed Zotob.f, includes code to disable rival bot worms that may be already in place, including Esbot.a, Zotob.b, and Zotob.d.

That practice is common, said Gunter Ollmann, the director of Internet Security Systems' (ISS) X-force research group, and is used by bot authors to maintain control of the machines they've compromised.

The most notable back-and-forth between hackers was in early 2004, when the writers of the Bagle and Netsky worm families engaged in a long-running tit-for-tat exchange in which each tried to delete the other's code. The battle led to a veritable flood of malicious code that lasted for weeks.

Some see the beginnings of a repeat.

&amp;quot;In the most significant activity we've seen in more than a year, networks have been invaded over the last 72 hours by at least three fast, vicious groups exploiting vulnerabilities,&amp;quot; a spokesperson for Computer Associates said in an e-mail.

Unlike in 2004's Bagle vs. Netsky brouhaha, however, the motive isn't notoriety (the Netsky author, for instance, was a German teenager); this battle between bot families is driven by pure capitalism, albeit on a criminal scale.

&amp;quot;Gaining access to an extensive network of compromised computers is a valuable asset to criminals, as the worms can allow them to gain control of the computers and use them to send spam, launch an extortion denial-of-service attack against a Web site, steal confidential information, or blast out new versions of malware to other unsuspecting computer users,&amp;quot; said Chris Kraft, senior security analyst for Sophos, in a statement.

At least one security analyst, however, doesn't see a criminal conspiracy in the offing, but instead thinks it's just bot business as usual.

&amp;quot;Bots typically include code to automatically disable anti-virus software tools or access to updates, such as Microsoft's Windows Update, or anything else that can detect the bot or take control away from the attacker,&amp;quot; said ISS's Ollmann.

&amp;quot;It's a matter of interpretation,&amp;quot; he admitted, &amp;quot;but I don't think anyone is actively targeting other botnets. They always take steps to prevent any known bot from working on their compromised machines, so it's more a case of wanting to maintain control than to grab a host on someone else's botnet.&amp;quot;

In other Zotob news on Wednesday, MessageLabs said that it had tentatively identified the author of the Zotob variants as a hacker known only as &amp;quot;Diab10,&amp;quot; who was responsible for some of the Mytob worms launched this year.

MessageLabs based its Diab10 connection at least in part on the fact that Zotob is very similar to Mytob (which in turn has substantial code from the even-earlier MyDoom).

&amp;quot;[This] could spell the beginning of a period of intense malware activity similar to the Netsky-Bagle wars,&amp;quot; said MessageLabs in an e-mailed statement.

By Gregg Keizer, CMP Media LLC.</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050818112710232</trackback:ping>
</item>
<item>
<title>Microsoft Issues Critical Security Bulletins, Says Exploits Already Exist</title>
<link>http://www.securityteam.us/article.php/20050712201651645</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050712201651645</guid>
<pubDate>Tue, 12 Jul 2005 20:16:51 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050712201651645#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Microsoft on Tuesday released a trio of security bulletins, all tagged as critical, two for Windows, the third for older editions of Microsoft Word.
The July list of vulnerabilities and patches may be a fraction of June's even dozen, but they're no less important to patch, said Mike Murray, the director of research at vulnerability management vendor nCircle.

&amp;quot;All three of these are worth patching, of course,&amp;quot; said Murray, &amp;quot;because even for the one where an exploit isn't yet public, one probably will be.&amp;quot;

But with the next breath, Murray noted that all three -- and virtually all of the year's vulnerabilities out of Microsoft -- are bugs on the client side, and require some kind of help from the user for an attacker to exploit them.

&amp;quot;I don't necessarily agree with Microsoft that Windows XP SP2 is the reason [for better security],&amp;quot; said Murray. &amp;quot;I think it's because Microsoft's code is maturing, especially its Web server code. We haven't seen a Web server vulnerability in, what, the last two years?&amp;quot;

The new SQL Server 2005, now slated for an early November release, will be the real test of Microsoft's security investments, Murray said. If that software proves secure, it will accelerate the enterprise trend of looking beyond the firewall for defense.

&amp;quot;Client-side vulnerabilities like we're seeing here shift the onus from focusing on the firewall to making sure you patch all vulnerabilities so the exploit window is short, and educating your users on best practices,&amp;quot; argued Murray.

For two of this month's three bulletins, the exploit window is already open: active exploits are circulating for both the critical vulnerabilities in Windows.

One is MS05-036, which involves the Microsoft Color Management Module, a part of the operating system that provides consistent color mappings between different devices and applications. According to Microsoft, the module's method of handling color profiles is flawed, and could be used by a hacker to produce a buffer overflow, then gain control of the PC remotely.

A malicious image file specially created by the attacker could, for instance, be planted on a Web site or sent to a potential victim by e-mail. Once the vulnerability is exploited, the attacker could then hijack the computer to install his own code -- a backdoor Trojan, for instance -- or snatch data.

All currently-supported editions of Windows -- including Windows 2000, XP SP2, and Windows Server 2003 SP1 -- are vulnerable, said Microsoft, and should be patched immediately, in part because exploits already exist.

&amp;quot;This vulnerability isn't that new,&amp;quot; said Murray. &amp;quot;An exploit for the color management bug has been in the underground for a while now.&amp;quot; Nor is the second critical Windows bulletin, dubbed MS05-037, new. The vulnerability at the heart of that alert is the same as the one Microsoft noted July 1 in a Security Advisory, the company's new mechanism for warning users of bugs before patches are issued.

The &amp;quot;Javaprxy.dll&amp;quot; file, which is part of the Microsoft Java Virtual Machine, can be exploited to crash Internet Explorer and/or grab control of a compromised PC. Earlier, Microsoft issued a work-around that when downloaded and run, changed the registry to disable Javaprxy.dll. This bulletin does the same thing; the only difference is that it's pushed out via Auto Update and available using the Microsoft Update service.

&amp;quot;If you have applied the download available from the advisory update issued on July 5, 2005, you do not need to apply this security update,&amp;quot; said Microsoft in the bulletin.

This is the first time that a Microsoft security advisory has been upgraded to a security bulletin, as well as the first time that a bulletin was used to automate the delivery of a work-around, rather than a true patch that fixed the root of the problem.

The third July bulletin, MS05-035, concerns two versions of Microsoft Word, Word 2000 and Word 2002, and according to one analyst, may be the most dangerous of the bunch.

&amp;quot;I see this one as the most serious,&amp;quot; said Brian Grayek, the chief technology officer for network security vendor Preventys. &amp;quot;People are more likely to update their anti-virus software than anything else. Then the operating system, sort of when they think about it. But hardly anyone updates their applications.&amp;quot;

This leaves a hole through which hackers can drive their exploits, Grayek said, noting that automatic updates of Microsoft Office applications are both relatively recent and work only with the newest operating systems: Windows 2000, XP, and Server 2003.

Another contributor to the Word bug's high ranking is the fact that an exploit would arrive as a .doc file, a format that's generally trusted since malware rarely poses as, or hides inside, Word documents.

Also on Monday, Microsoft updated the anti-spam filter definition file for its Outlook e-mail client, and posted a new version of the Windows Malicious Software Removal Tool. The software now detects and destroys several additional worms and Trojans, including Wootbot, Optix, Optixpro, Hacty (also known as YYTHAC), and Prustiu (also known as Delf.fn).

July's fixes can be downloaded using the new Microsoft Update service, Windows Update, or for enterprises, the relatively new Windows Server Update Services.

By Gregg Keizer, TechWeb News</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050712201651645</trackback:ping>
</item>
<item>
<title>Man Charged With Stealing Wi-Fi Signal</title>
<link>http://www.securityteam.us/article.php/20050706220008645</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050706220008645</guid>
<pubDate>Wed, 06 Jul 2005 22:00:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050706220008645#comments</comments>
<dc:subject>Wi-Fi</dc:subject>
<description>Police have arrested a man for using someone else's wireless Internet network in one of the first criminal cases involving this fairly common practice.
Benjamin Smith III, 41, faces a pretrial hearing this month following his April arrest on charges of unauthorized access to a computer network, a third-degree felony.

Police say Smith admitted using the Wi-Fi signal from the home of Richard Dinon, who had noticed Smith sitting in an SUV outside Dinon's house using a laptop computer.

The practice is so new that the Florida Department of Law Enforcement doesn't even keep statistics, according to the St. Petersburg Times, which reported Smith's arrest this week.

Innocuous use of other people's unsecured Wi-Fi networks is common, though experts say that plenty of illegal use also goes undetected, such as people sneaking onto others' networks to traffic in child pornography, steal credit card information and send death threats.

Security experts say people can prevent such access by turning on encryption or requiring passwords, but few bother or are unsure how to do so.

Wi-Fi, short for Wireless Fidelity, has enjoyed prolific growth since 2000. Millions of households have set up wireless home networks that give people like Dinon the ability to use the Web from their backyards but also reach the house next door or down the street.

It's not clear why Smith was using Dinon's network. Prosecutors declined to comment, and a working phone number could not be located for Smith.

By the Associated Press</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050706220008645</trackback:ping>
</item>
<item>
<title>Organized cybercrime has IT security experts scared</title>
<link>http://www.securityteam.us/article.php/20050705214712268</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050705214712268</guid>
<pubDate>Tue, 05 Jul 2005 21:47:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050705214712268#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Unlike the script kiddies of yesterday, today's cyber-criminals are sophisticated, organized and out for a profit, according to a McAfee report released Tuesday.
With the study, entitled &amp;quot;McAfee Virtual Criminology Report: North American Study into Organized Crime and the Internet,&amp;quot; McAfee hopes to educate the marketplace about the threats it is facing online, said Jack Sabbag, vice-president and general manager for Canada at McAfee Inc. in Pointe-Claire, Que.

&amp;quot;It's a new kind of risk,&amp;quot; said James Lewis, a senior fellow and director of the Technology and Public Policy program at the Center for Strategic and International Studies in Washington, D.C., of the threat posed by professional criminals who are exploiting the Internet. And the threat of cyber-crime has 40 per cent of online shoppers and a third of those who use online banking services questioning whether they need to be more cautious about using these tools, he said.

The threat is getting worse -- two years ago, there were about 300 malicious threats emerging a month; today the figure has rocketed to 2,000, according to McAfee. This is largely due to a sharp increase in the number of bot nets. These are networks of computers that can be controlled remotely. One FBI estimate put the cost of cyber crime at about $400 billion in 2004 alone.

There are several types of cybercrimes, which Lewis went over during a press briefing. These include extortion, reputational damage, fraud, phishing, service disruption, information theft and money laundering. In the Internet version of extortion, criminals threaten to disrupt a company's networks or launch a denial of service attack unless it agrees to put money into an offshore bank account.

A blow to a company's reputation can mean thousands or millions can be lost in sales, and such attacks can be carried out either by hackers or a competitor.

Phishing attacks are the cybercrime du jour, Lewis said. They are a success because &amp;quot;authentication remains a weak point.&amp;quot; It's dangerous because it erodes people's confidence in the Internet, he said. And for criminals, such crimes are low cost -- it costs them virtually nothing to send out hundreds or thousands of e-mails. Even if the response rate is low, criminals can still reap a profit, Lewis said.

Information theft is probably the most profitable type of cybercrime, he said. In one case of industrial espionage, for example, one company in Israel was able to put spyware on its competitor's networks and gather information.

According to McAfee, there are four types of cyber-criminals: script kiddies, cyber punks, hackers and crackers, and cyber gangs.

Script kiddies don't generally know what they're doing, he said.

&amp;quot;It's roughly the same as magic.&amp;quot; Script kiddies have some words, and they don't know how they work, but they can use them to accomplish various things. They are usually under the age of 20.

Cyber punks are generally not seeking profit, but notoriety and bragging rights.

Hackers and crackers, on the other hand, begin to realize that their dubious talent can be used to turn a profit, though they may also be out for accolades from the hacker community. There are hackers who are as sophisticated as the best programmers out there, Lewis said. They generally work alone.

Cyber gangs are groups of career criminals or hackers who have the technical expertise to move their activities onto the Internet. The groups are often based in countries with weak cybercrime laws.

&amp;quot;They are not what you think of when you say mafia, but in a way, they are as successful,&amp;quot; Lewis said. Cyber gangs are virtual entities and can be based in different countries. They use the Internet to communicate.

It's the cyber gangs that have law enforcement officials worried today, he said.

&amp;quot;Ten years ago, we were mainly looking at amateurs, and now we're looking at professionals.&amp;quot;

Much as organizations such as the SETI Institute, which searches for extraterrestrial intelligence, realized that networks of thousands of computers, most of which are sitting idle, can be turned into super computers, cyber-criminals use bots to link computers together, Lewis said. Most unprotected computers are likely to be probed within an hour of being online and at least 50 per cent of machines in North America are infected in some way, he said.

Other cybercrime tools include keyloggers, bundling, denial of service, packet sniffers, rootkits, spyware, scripts, social engineering, trojans, worms, viruses and zombies.

Social engineering -- in which criminals trick people into giving them information by preying on their vulnerabilities and needs -- is an important element of cyber fraud, but one that is difficult to defend against, Lewis said.

&amp;quot;It's not something you can fix technologically,&amp;quot; he said.

Worms and viruses, on the other hand, are two modes of attack that &amp;quot;in some ways we have a handle on,&amp;quot; he said.

Mobile devices and voice over IP networks are areas where McAfee expects to see more attacks, according to the report.

by Poonam Khanna</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050705214712268</trackback:ping>
</item>
<item>
<title>Mass TCP Port Attack Could Be Imminent, Analyst Warns</title>
<link>http://www.securityteam.us/article.php/20050623161321985</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050623161321985</guid>
<pubDate>Thu, 23 Jun 2005 16:13:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050623161321985#comments</comments>
<dc:subject>Security News</dc:subject>
<description>An ominous increase in sniffing activity on TCP Port 445 could signal an impending mass malicious code attack targeting a recently patched Microsoft vulnerability, according to a warning from security researchers.
Researchers at Symantec Corp.'s DeepSight Network have detected a surge in scans on Port 445, an indication that malicious hackers may have already created exploits for a flaw in Microsoft Corp.'s implementation of the SMB (Server Message Block) protocol.

In Windows 2000, Windows XP and Windows Server 2003, Microsoft uses TCP Port 445 to run SMB directly over TCP/IP to handle the sharing of files, printers, serial ports, and also to communicate between computers.

The vulnerability, which was rated &amp;quot;critical,&amp;quot; was patched one week ago in Microsoft's MS05-027 bulletin, and the increased noise on that port could be the first sign that a password brute force attack is imminent, Symantec DeepSight warned.

A spokesperson for Microsoft's Security Response Center said the company was not aware of any active attempts to exploit the vulnerability.

&amp;quot;Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products,&amp;quot; she added.

She said software engineers at Redmond would continue to analyze and monitor for any malicious activity, but stressed that she was not aware of any customers being attacked via sniffing against TCP Port 445 and that the company had not received any indication of malicious activity associated with MS05-027.

However, the company urged enterprise customers to apply the update and enable firewalls to block TCP Port 445 at the perimeter as a protection mechanism.

John Pescatore, VP of security research at Gartner Inc., said the reports of increased sniffing on Port 445 are a &amp;quot;serious concern for enterprise security managers&amp;quot; because such activity usually means a mass attack is imminent.

&amp;quot;Such attacks typically follow a highly predictable timeline,&amp;quot; Pescatore said, warning that attackers have in the past reverse-engineered patches to create exploit code for widespread circulation.

Once exploits are created, attackers typically scan associated ports to pinpoint vulnerable systems before launching a mass attack.

&amp;quot;The Port 445 activity may indicate that -- in the week since Microsoft released the Windows patch -- attackers have reached the fourth stage in this process and may be preparing a mass attack employing the widely used SMB protocol,&amp;quot; Pescatore warned.

He recommended that enterprise IT administrators accelerate efforts to ensure all Windows systems are patched.

In the interim, Pescatore said businesses should implement shielding or other workarounds until the patching process is complete.

&amp;quot;[Administrators must] immediately review all firewall policies (including those covering personal firewall software) to ensure that Port 445 access is blocked wherever possible [and] update all intrusion prevention system filters (both network- and host-based) to block attempts to exploit this vulnerability,&amp;quot; Pescatore added.

By Ryan Naraine, eWeek</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050623161321985</trackback:ping>
</item>
<item>
<title>Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability</title>
<link>http://www.securityteam.us/article.php/20050621080203222</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050621080203222</guid>
<pubDate>Tue, 21 Jun 2005 08:02:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050621080203222#comments</comments>
<dc:subject>Mozilla/Firefox</dc:subject>
<description>Secunia Research has discovered a vulnerability in Mozilla, Firefox, and Camino, which can be exploited by malicious web sites to spoof dialog boxes.
The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.&lt;P&gt;Successful exploitation normally requires that a user is tricked into opening a link from a malicious web site to a trusted web site.&lt;/P&gt;&lt;P&gt;Secunia has constructed a test, which can be used to check if your browser is affected by this issue: &lt;br /&gt;&lt;a href=&quot;http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;The vulnerability has been confirmed in Mozilla 1.7.8, Firefox 1.04, and Camino 0.8.4. Prior versions may also be affected.&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOFTWARE:&lt;/B&gt;&lt;BR&gt;Mozilla Firefox 1.x&lt;br /&gt;Mozilla Firefox 0.x&lt;br /&gt;Mozilla 1.7.x&lt;br /&gt;Camino 0.x&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOLUTION:&lt;/B&gt;&lt;BR&gt;Do not browse untrusted web sites while browsing trusted sites.&lt;/P&gt;&lt;P&gt;&lt;B&gt;PROVIDED AND/OR DISCOVERED BY:&lt;/B&gt;&lt;BR&gt;Jakob Balle, Secunia Research&lt;/P&gt;&lt;P&gt;&lt;B&gt;ORIGINAL ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/secunia_research/2005-11/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/secunia_research/2005-11/&lt;/a&gt;&lt;br /&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;VERIFY ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/advisories/15489/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/advisories/15489/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Secunia Security Advisories&lt;/P&gt;</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050621080203222</trackback:ping>
</item>
<item>
<title>Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability</title>
<link>http://www.securityteam.us/article.php/20050621080035623</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050621080035623</guid>
<pubDate>Tue, 21 Jun 2005 08:00:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050621080035623#comments</comments>
<dc:subject>Microsoft</dc:subject>
<description>Secunia Research has discovered a vulnerability in Internet Explorer, which can be exploited by malicious web sites to spoof dialog boxes.
The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.&lt;P&gt;Successful exploitation normally requires that a user is tricked into opening a link from a malicious web site to a trusted web site.&lt;/P&gt;&lt;P&gt;Secunia has constructed a test, which can be used to check if your browser is affected by this issue: &lt;br /&gt;&lt;a href=&quot;http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;The vulnerability has been confirmed in a fully updated version 6.0. Prior versions may also be affected.&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOFTWARE:&lt;/B&gt;&lt;BR&gt;Microsoft Internet Explorer 6.x&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOLUTION:&lt;/B&gt;&lt;BR&gt;Do not browse untrusted web sites while browsing trusted sites.&lt;/P&gt;&lt;P&gt;&lt;B&gt;PROVIDED AND/OR DISCOVERED BY:&lt;/B&gt;&lt;BR&gt;Jakob Balle, Secunia Research&lt;/P&gt;&lt;P&gt;&lt;B&gt;ORIGINAL ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/secunia_research/2005-9/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/secunia_research/2005-9/&lt;/a&gt;&lt;br /&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;VERIFY ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/advisories/15491/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/advisories/15491/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Secunia Security Advisories&lt;/P&gt;</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050621080035623</trackback:ping>
</item>
<item>
<title>Opera Dialog Origin Spoofing Vulnerability</title>
<link>http://www.securityteam.us/article.php/20050621080429322</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050621080429322</guid>
<pubDate>Tue, 21 Jun 2005 07:54:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050621080429322#comments</comments>
<dc:subject>Application Software</dc:subject>
<description>Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious web sites to spoof dialog boxes.
The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.&lt;P&gt;Successful exploitation normally requires that a user is tricked into opening a link from a malicious web site to a trusted web site.&lt;/P&gt;&lt;P&gt;Secunia has constructed a test, which can be used to check if your browser is affected by this issue: &lt;br /&gt;&lt;a href=&quot;http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;The vulnerability has been confirmed in version 8.0. Prior versions may also be affected.&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOFTWARE:&lt;/B&gt;&lt;BR&gt;Opera 8.x&lt;br /&gt;Opera 7.x&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOLUTION:&lt;/B&gt;&lt;BR&gt;Update to version 8.01.&lt;br /&gt;&lt;a href=&quot;http://www.opera.com/download/&quot; target=&quot;_blank&quot;&gt;http://www.opera.com/download/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;PROVIDED AND/OR DISCOVERED BY:&lt;/B&gt;&lt;BR&gt;Jakob Balle, Secunia Research.&lt;/P&gt;&lt;P&gt;&lt;B&gt;ORIGINAL ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/secunia_research/2005-8/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/secunia_research/2005-8/&lt;/a&gt;&lt;br /&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;VERIFY ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/advisories/15488/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/advisories/15488/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Secunia Security Advisories&lt;/P&gt;</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050621080429322</trackback:ping>
</item>
<item>
<title>Microsoft Outlook Express News Reading Buffer Overflow</title>
<link>http://www.securityteam.us/article.php/20050615073711975</link>
<guid isPermaLink="true">http://www.securityteam.us/article.php/20050615073711975</guid>
<pubDate>Wed, 15 Jun 2005 07:37:00 -0400</pubDate>
<comments>http://www.securityteam.us/article.php/20050615073711975#comments</comments>
<dc:subject>Microsoft</dc:subject>
<description>A vulnerability has been reported in Microsoft Outlook Express, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within the parsing of NNTP responses when using Outlook Express as a newsgroup reader. This can be exploited to cause a buffer overflow via a malicious newsgroup server.&lt;P&gt;Successful exploitation requires that a user queries a malicious newsgroup server for news.&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOFTWARE:&lt;/B&gt;&lt;BR&gt;Microsoft Outlook Express 6&lt;br /&gt;Microsoft Outlook Express 5.5&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOLUTION:&lt;/B&gt;&lt;BR&gt;Apply patches.&lt;br /&gt;&lt;br /&gt;Outlook Express 5.5 SP2 on Windows 2000 (requires SP3 or SP4):&lt;br /&gt;&lt;a href=&quot;http://www.microsoft.com/downloads/details.aspx?FamilyId=a6932151-2ae2-4c6e-861a-6ff5bde61191&quot; target=&quot;_blank&quot;&gt;http://www.microsoft.com/downloads/details.aspx?FamilyId=a6932151-2ae2-4c6e-861a-6ff5bde61191&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Outlook Express 6 SP1 on Windows 2000 (requires SP3 or SP4) or&lt;br /&gt;Windows XP (requires SP1):&lt;br /&gt;&lt;a href=&quot;http://www.microsoft.com/downloads/details.aspx?FamilyId=89e4d8ee-4d8e-4660-a53d-28502b3d2518&quot; target=&quot;_blank&quot;&gt;http://www.microsoft.com/downloads/details.aspx?FamilyId=89e4d8ee-4d8e-4660-a53d-28502b3d2518&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Outlook Express 6 SP1 for Windows XP 64-Bit Edition for Itanium&lt;br /&gt;(requires SP1):&lt;br /&gt;&lt;a href=&quot;http://www.microsoft.com/downloads/details.aspx?FamilyId=b765c0e1-f4e2-495b-aae5-2db3eeaf71bb&quot; target=&quot;_blank&quot;&gt;http://www.microsoft.com/downloads/details.aspx?FamilyId=b765c0e1-f4e2-495b-aae5-2db3eeaf71bb&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Outlook Express 6 for Windows XP 64-Bit Edition Version 2003 for&lt;br /&gt;Itanium:&lt;br /&gt;&lt;a href=&quot;http://www.microsoft.com/downloads/details.aspx?familyid=69901ec1-a11f-4135-9874-3698bcf7c760&quot; target=&quot;_blank&quot;&gt;http://www.microsoft.com/downloads/details.aspx?familyid=69901ec1-a11f-4135-9874-3698bcf7c760&lt;/a&gt;&lt;br 
/&gt;&lt;br /&gt;Outlook Express 6 for Windows Server 2003 for Itanium-based systems:&lt;br /&gt;&lt;a href=&quot;http://www.microsoft.com/downloads/details.aspx?familyid=5fc7d68b-92a6-4c03-8d88-b2501aea8da6&quot; target=&quot;_blank&quot;&gt;http://www.microsoft.com/downloads/details.aspx?familyid=5fc7d68b-92a6-4c03-8d88-b2501aea8da6&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Outlook Express 6 for Microsoft Windows Server 2003:&lt;br /&gt;&lt;a href=&quot;http://www.microsoft.com/downloads/details.aspx?FamilyId=d439eee9-05eb-4ecb-9e86-6259f1acaabb&quot; target=&quot;_blank&quot;&gt;http://www.microsoft.com/downloads/details.aspx?FamilyId=d439eee9-05eb-4ecb-9e86-6259f1acaabb&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The vulnerability does not affect the following versions:&lt;br /&gt;* Microsoft Windows Server 2003 Service Pack 1&lt;br /&gt;* Microsoft Windows Server 2003 with SP1 for Itanium-based systems&lt;br /&gt;* Microsoft Windows Server 2003 x64 Edition&lt;br /&gt;* Microsoft Windows XP Professional x64 Edition&lt;br /&gt;* Microsoft Windows XP Service Pack 2&lt;/P&gt;&lt;P&gt;&lt;B&gt;PROVIDED AND/OR DISCOVERED BY:&lt;/B&gt;&lt;BR&gt;Discovered by anonymous person and reported via iDEFENSE.&lt;/P&gt;&lt;P&gt;&lt;B&gt;ORIGINAL ADVISORY:&lt;/B&gt;&lt;BR&gt;MS05-030 (KB897715):&lt;br /&gt;&lt;a href=&quot;http://www.microsoft.com/technet/security/bulletin/ms05-030.mspx&quot; target=&quot;_blank&quot;&gt;http://www.microsoft.com/technet/security/bulletin/ms05-030.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;iDEFENSE:&lt;br /&gt;&lt;a href=&quot;http://idefense.com/application/poi/display?id=263&amp;amp;type=vulnerabilities&quot; target=&quot;_blank&quot;&gt;http://idefense.com/application/poi/display?id=263&amp;amp;type=vulnerabilities&lt;/a&gt;&lt;br /&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;VERIFY ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/advisories/15695/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/advisories/15695/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Secunia Security 
Advisories&lt;/P&gt;</description>
<trackback:ping>http://www.securityteam.us/trackback.php/20050615073711975</trackback:ping>
</item>
</channel>
</rss>

