
German Government Urges Everyone to Stop Using Internet Explorer

Written By Unknown on Wednesday, 19 September 2012 | 03:09

Following the recently discovered bug in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 that makes PCs vulnerable to attack by hackers, the German government advised the public on Tuesday to stop using the browser temporarily.


The security flaw, which affects hundreds of millions of Internet Explorer browser users around the globe, publicly surfaced over the weekend.

Microsoft had said on Monday that attackers can exploit the bug to infect the PC of somebody who visits a malicious website and then take control of the victim's computer.

The German government's Federal Office for Information Security, or BSI, said that it was aware of targeted attacks and that all that was needed was to lure web surfers to a website where hackers had planted malicious software that exploited the bug in Internet Explorer to infect their PCs.

"A fast spreading of the code has to be feared," the German government said in its statement.

BSI advised all users of Internet Explorer to use an alternative browser until the manufacturer has released a security update.

Officials with Microsoft did not respond to a request for comment on the move by the German government.

The company late on Monday urged customers to install a piece of security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.

Microsoft did not say how long that will take, but several security researchers said they expect the update within a week.

The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available through an advisory on Microsoft's website: blogs.technet.com/b/msrc/

The EMET software must be downloaded, installed and then manually configured to protect computers from the newly discovered threat, according to the posting from Microsoft. The company also advised customers to adjust several Windows security settings to thwart potential attackers, but cautioned that doing so might impact the PC's usability.

Some security experts had said it would be too cumbersome for many PC users to implement the measures suggested by Microsoft. Instead they advised Windows users to temporarily switch from Internet Explorer to rival browsers such as Google Inc's Chrome, Mozilla's Firefox or Opera Software ASA's Opera.

Internet Explorer was the world's second-most widely used browser last month, with about 33 percent market share, according to StatCounter. It was close behind Chrome, which had 34 percent of the market.

Apple and Amazon Fall Prey to Social Engineering

Written By Unknown on Tuesday, 7 August 2012 | 10:26

A Wired writer's Apple iCloud account was compromised and his iPhone, iPad and MacBook were remotely erased. The writer's Google Mail and Twitter accounts were also hacked.

Although Honan blames himself for not having two-factor authentication enabled on his Gmail login, he also said that Amazon made it "remarkably easy" for the miscreant to gain control of his Apple iCloud account. He added that Apple had its own "security flaws" after allowing the hijacker to bypass Honan's preset security questions on his iCloud account.

"Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information," he wrote in a postmortem examination of the digital attack.

"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

Honan claims that he later chatted to his hacker via Twitter, email and AIM, and after Honan agreed not to press charges, the hijacker revealed how he broke into the Twitter, Google and Apple accounts.

The hacker, who called himself Phobia, said he didn't have to use brute force to figure out Honan's passwords for the accounts, but instead used clever social engineering to work his way from call centre to call centre.

Phobia said that the whole intrusion was designed to take control of Honan's Twitter feed because it had a three-character handle: @mat.

He followed the Twitter account's profile page to Honan's website, where he learned of his Gmail address. Phobia then started a password reset process for the Gmail account and thereby bagged another of Honan's email addresses: the Gmail account was set up to send a password reset message to the scribe's @me.com inbox. Although that address was partly obscured by Google (m••••n@me.com), Phobia guessed what it was because it had the same starting character as Honan's Gmail username.

Now that Phobia knew Honan had an AppleID account (associated with the @me inbox), he knew he could take over his iDevices.

Amazon pulled into epic hack attack

Phobia phoned Amazon masquerading as Honan and used his email address and billing address (found in Honan's Whois records for his website) to add a fake credit card to his Amazon account. The hacker hung up and then phoned Amazon again, claiming he'd been locked out of his account and used the fake credit card number, plus real email and address, to persuade Amazon tech support to let him into the account.

Once in Honan's Amazon account, Phobia could read the last four digits of the writer's real credit card in the payment settings page. Unfortunately, those four numbers, along with the addresses, were all Apple tech support needed in a subsequent phone call to allow Phobia to reset Honan's iCloud backup storage login, giving him access to pretty much every account and device Honan owned.

Graham Cluley, senior technology consultant at Sophos, told The Reg that Amazon's verification process for adding the credit card wasn't thorough enough. "A billing address and email address are probably too easy to dig out," he said.

But, as Honan himself admitted, it's normal practice for retailers to star out all but the last four digits of credit or debit cards, so Amazon had no reason not to do the same for an online account.

"Amazon made it too easy for someone to add a credit card to an account (and subsequently gain access to the account), but Apple made it too easy to access account information using the final four digits," Cluley said.

"There's any number of questions Apple could have asked - either extra support questions or they could have asked about recent purchases on iTunes or the App Store."

Apple said that its "internal policies were not followed completely" and it was reviewing its processes for password resets. Amazon had not returned a request for comment at the time of publication.

Have you enabled two-factor authentication on your Gmail account? Are you still using the same password across all the websites you visit? When did you last change your password? We'd like to hear about your experience.

VMware source code stolen, impact unclear

Written By Unknown on Thursday, 26 April 2012 | 11:08

VMware ESX source code has been stolen and posted online, but the company says the leak doesn't necessarily pose an increased risk to customers.

The stolen code amounts to a single file from sometime around 2003 or 2004, the company says in a blog post.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," according to the blog written by Iain Mulholland, director of the company's Security Response Center.

The code was stolen from a Chinese company called China Electronics Import & Export Corporation (CEIEC) during a March breach, according to a posting on the Kaspersky Threat Post blog.

The code, along with internal VMware emails, was posted online three days ago.

VMware didn't respond immediately to a request for more information about the impact of the breach on customers.

Eric Chiu, president of virtualization security firm Hytrust, says it's hard to say what VMware customers should do because there's not enough detail about how the exposed code is being used in current products.

In general, though, customers should review the security for virtual environments to address the fact that a compromised hypervisor exposes multiple virtual machines.

While the incident is reminiscent of the breach last year of RSA source code, the circumstances differ. An RSA partner was breached and that breach was used to send a malware-laced email to an RSA staffer who opened it.

In VMware's case, the CEIEC network was hacked and finding the source code was fortuitous.

This is what VMware posted in a blog: "Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available."

Hackers break into Linux Foundation and Linux.com, both taken offline

Written By Unknown on Sunday, 11 September 2011 | 11:41

Barely two weeks after the kernel.org Linux archive site suffered an attack, the Linux Foundation has removed its websites from the web completely to clean up from a "security breach."

A notice posted by the Linux Foundation said the entire infrastructure, including LinuxFoundation.org, Linux.com, and their subdomains, is down for maintenance due to a security breach that was discovered on September 8, 2011.

The group said it made this decision in the interest of extreme caution and security best practices, and that it believes this breach was connected to the intrusion on kernel.org.

More from the Linux Foundation announcement:

We are in the process of restoring services in a secure manner as quickly as possible. As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately. We are currently auditing all systems and will update this statement when we have more information.

We apologize for the inconvenience. We are taking this matter seriously and appreciate your patience. The Linux Foundation infrastructure houses a variety of services and programs including Linux.com, Open Printing, Linux Mark, Linux Foundation events and others, but does not include the Linux kernel or its code repositories.
Although the Kernel.org site is still offline after that compromise, which was discovered on August 28th, most of the services offered by the Linux Foundation will be restored as soon as the breach has been neutralized and new security measures put in place.

Almost 300,000 Iranian IP Addresses Likely Compromised

Written By Unknown on Tuesday, 6 September 2011 | 07:30

Close to 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by Dutch digital certificate authority DigiNotar, according to an interim report by security firm Fox-IT, released on Monday.

The rogue certificate, issued on July 10 by DigiNotar, was finally revoked on Aug. 29.

"Around 300.000 unique requesting IPs to google.com have been identified," Fox-IT said in the report. On Aug. 4 the number of requests rose quickly until the certificate was revoked on Aug. 29. Of these IP (Internet Protocol) addresses, more than 99 percent originated from Iran.

The list of IP addresses will be handed over to Google who can inform users that their e-mail might have been intercepted during this period, Fox-IT said.

Not only the e-mail itself but also a login cookie could have been intercepted, it added. Using this cookie the hacker is able to log in directly to the Gmail mailbox of the user and other services from Google.

"The login cookie stays valid for a longer period," Fox-IT said. It would be wise for all users in Iran to at least logout and login, but even better change passwords, it added.

A sample of the IP addresses outside of Iran during the period were mainly Tor-exit nodes, proxies and other VPN (virtual private network) servers, and almost no direct subscribers, according to the report which analyzed OCSP (Online Certificate Status Protocol) request logs.

Current browsers perform an OCSP check as soon as the browser connects to an SSL (secure sockets layer) website protected through the https (hypertext transfer protocol secure) protocol.

Tor is a distributed anonymous network used by people to prevent being tracked by websites or to connect to instant messaging services and other services when these are blocked by their local Internet service providers.

A total of 531 digital certificates were issued for domains that included google.com, the CIA, and Israel's Mossad.

The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers was to intercept private communications in Iran, Fox-IT said.

Google said on Aug. 29 that it received reports of "attempted SSL man-in-the-middle (MITM) attacks" against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran.

The attacker used a fraudulent SSL certificate issued by DigiNotar which has since revoked it, Google said in a blog post.

Trend Micro, another security firm, said on Monday that domain validation.diginotar.nl was mostly loaded by Dutch and Iranian Internet users until Aug. 30. Domain name validation.diginotar.nl is used by Internet browsers to check the authenticity of SSL certificates that are issued by DigiNotar.

DigiNotar is a small Dutch certification authority with customers mainly in the Netherlands. "We, therefore, expect this domain name to be mostly requested by Dutch Internet users and perhaps a handful of users from other countries but certainly not by a lot of Iranians," Trend Micro's senior threat researcher, Feike Hacquebord, said in a blog post.

From analysis of Trend Micro Smart Protection Network data, the company found that a significant part of the Internet users who loaded the SSL certificate verification URL (uniform resource locator) of DigiNotar on Aug. 28 were from Iran, but by Aug. 30 most traffic from Iran had disappeared, and on Sept. 2 nearly all of the Iranian traffic was gone.

It became public in the evening of Aug. 29 that a rogue *.google.com certificate was presented to a number of Internet users in Iran, according to the Fox-IT report. The false certificate had been issued by DigiNotar and was revoked that same evening.

The security firm was contacted the next day and asked to investigate the breach and report its findings before the end of the week.

Fox-IT's report indicates that the initial compromise at DigiNotar may have occurred on June 17. DigiNotar noticed the incident on June 19 in its daily audit procedure but doesn't appear to have done anything about it. The company could not be immediately reached for comment.

The first rogue certificate, for *.google.com, was issued on July 10. All the other rogue certificates were issued between July 10 and July 20.

The hack implies that the current network setup and procedures at DigiNotar are not sufficiently secure to prevent this kind of attack, Fox-IT said. The most critical servers, for example, contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place, it added.

Hackers gain unauthorized access into Linux source code site

Written By Unknown on Thursday, 1 September 2011 | 05:36

As Linux fans know, there are two kinds of hackers: the good guys who develop free software, such as the Linux kernel, and the bad guys who break into computers.

The bad guys paid the good guys an unwelcome visit earlier this month, breaking into the Kernel.org website that is home to the Linux project. They gained root access to a server known as Hera and ultimately compromised "a number of servers in the kernel.org infrastructure," according to a note on the kernel.org website Wednesday.

Administrators of the website learned of the problem Sunday and soon discovered a number of bad things were happening on their servers. Files were modified, a malicious program was added to the server's startup scripts and some user data was logged.

Kernel.org's owners have contacted law enforcement in the U.S. and Europe and are in the process of reinstalling the site's infrastructure and figuring out what happened.

They think that the hackers may have stolen a user's login credentials to break into the system, and the site is making each of its 448 users change their passwords and SSH (Secure Shell) keys.

The hack is worrying because Kernel.org is the place where Linux distributors download the source code for the widely used operating system's kernel. But Kernel.org's note says that, even with root access, it would be difficult for a hacker to slip malicious source code into the Linux kernel without it being noticed. That's because Linux's change-tracking system takes a cryptographic hash of each file at the time it is published.

So once a component of the Linux kernel has been written and published to Kernel.org, "it is not possible to change the old versions without it being noticed," the Kernel.org note said.
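How the hash chaining mentioned in the Kernel.org note exposes a rewritten old file, shown as an added example (not code from kernel.org or from the original post). It reimplements Git's object-id scheme (SHA-1 over a typed header plus content) for a flat directory; the file names, contents, identity string and helper names are constructed for illustration.

```python
import copy
import hashlib
from typing import Dict, List, Optional

# Constructed author identity and timestamp, fixed so ids are reproducible.
IDENT = "Example Dev <dev@example.org> 1314835200 +0000"


def git_object_id(obj_type: str, body: bytes) -> str:
    """Git names an object by SHA-1 over '<type> <length>\\0' followed by the body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    """Id of one file's content."""
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Id of a flat directory: '<mode> <name>\\0<raw 20-byte blob id>' per file."""
    body = b""
    for name in sorted(files, key=lambda n: n.encode()):
        body += b"100644 " + name.encode() + b"\x00"
        body += bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Id of a commit; it covers the tree id and the parent commit's id."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())


def build_history(snapshots: List[Dict[str, bytes]]) -> List[str]:
    """Commit each snapshot on top of the previous one and return the ids."""
    ids: List[str] = []
    parent: Optional[str] = None
    for n, files in enumerate(snapshots):
        parent = commit_id(tree_id(files), parent, f"release {n}")
        ids.append(parent)
    return ids


def first_mismatch(trusted: List[str], served: List[str]) -> Optional[int]:
    """Index of the first commit whose id differs, or None if identical."""
    for i, (a, b) in enumerate(zip(trusted, served)):
        if a != b:
            return i
    if len(trusted) != len(served):
        return min(len(trusted), len(served))
    return None


def tampered(snapshots, index: int, name: str, content: bytes):
    """Copy of the history with one file rewritten in one old snapshot."""
    changed = copy.deepcopy(snapshots)
    changed[index][name] = content
    return changed


# Constructed sample history: three published snapshots.
RELEASES = [
    {"Makefile": b"VERSION = 1\n", "init.c": b"int start(void) { return 0; }\n"},
    {"Makefile": b"VERSION = 2\n", "init.c": b"int start(void) { return 0; }\n"},
    {"Makefile": b"VERSION = 3\n", "init.c": b"int start(void) { return 0; }\n"},
]

if __name__ == "__main__":
    # Ids that developers already hold in their own clones.
    trusted = build_history(RELEASES)
    # What a server would present if release 1 were rewritten after the fact.
    served = build_history(
        tampered(RELEASES, 1, "init.c", b"int start(void) { return 1; }\n")
    )
    for n, (a, b) in enumerate(zip(trusted, served)):
        print(n, a[:12], b[:12], "ok" if a == b else "MISMATCH")
    print("first mismatching commit:", first_mismatch(trusted, served))
```

Because each commit id covers its parent's id, rewriting release 1 also changes the id of release 2, so anyone holding the original ids sees the mismatch from that point forward.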

This kind of compromise has become disturbingly common. In January, servers used by the Fedora project -- the community version of Red Hat Enterprise Linux -- were hacked. And around the same time another open-source software development site called SourceForge was also broken into.

IBM Plans To Create Chips That Mimic Human Brain

Written By Unknown on Friday, 19 August 2011 | 08:26

Computers, like humans, can learn. But when Google tries to fill in your search box based only on a few keystrokes, or your iPhone predicts words as you type a text message, it's only a narrow mimicry of what the human brain is capable of.

The challenge in training a computer to behave like a human brain is technological and physiological, testing the limits of computer and brain science. But researchers from IBM Corp. say they've made a key step toward combining the two worlds.

IBM announced yesterday that it has received $21 million in funding from the Defense Advanced Research Projects Agency (DARPA) to develop a series of experimental computer chips designed to replicate the human brain’s perceptive, active and cognitive abilities.

According to IBM, the “neurosynaptic” chips “recreate the phenomena between spiking neurons and synapses in biological systems, such as the brain, through advanced algorithms and silicon circuitry” — meaning that they can be used to build complex, multi-sensory learning systems (“cognitive computers”) that behave more like human brains than calculators.

These computers will be able to learn through experiences, detect patterns and develop hypotheses, as well as remember and learn from the outcomes.

IBM and its partners even think the computers will be able to rival the brain’s compact size and relatively low power usage. The team’s long-term goal is to build a system with 10 billion neurons and 100 trillion synapses that is less than two liters in volume and consumes merely one kilowatt of power. To do so, they’ll need to abandon traditional Von Neumann architecture in favor of more efficient architecture that does away with set programming and integrates memory and processors.

The chips will be particularly advantageous in processing and reacting to information from multiple sensory modes in real time. IBM describes two potential use cases, one in which a system monitoring the world’s water supply could record and report metrics such as temperature, pressure, wave height, acoustics and ocean tide, and issue tsunami warnings based on its decision making; and another in which a grocer stocking shelves could use an instrumented glove that monitors sights, smells, texture and temperature to flag bad or contaminated produce.

“This is a major initiative to move beyond the von Neumann paradigm that has been ruling computer architecture for more than half a century,” observes Dharmendra Modha, project leader for IBM Research. “Future applications of computing will increasingly demand functionality that is not efficiently delivered by the traditional architecture. These chips are another significant step in the evolution of computers from calculators to learning systems.”
To learn more, watch IBM researchers John Arthur and Paul Merolla describe the inspiration for the project (called “SyNAPSE”) below, and/or check out research.ibm.com.

HP murders WebOS tablets, PC Business up for Sale!

I'm still finding it hard to believe, but it's the truth. HP has announced that it will discontinue its webOS TouchPad and webOS phones, just weeks after the arrival of the TouchPad and a little more than a year after the company acquired the webOS mobile operating system from Palm in a $1.2bn purchase.

To make matters even more confusing, the company, according to Bloomberg and as reported by tech blogger Paul Thurrott, plans to sell off its PC business, the biggest PC-making business in the world, and move solely into servers for the future.

In a press release floated before the company's quarterly earnings call, HP also confirmed that it is considering a spinoff of its PC business. In April, the company announced that it would bring webOS to PCs as well as new mobile devices.

Separately, the statement confirmed that HP is in discussions to buy enterprise software company Autonomy. The HP homepage, however, clearly says that the company is "to acquire Autonomy":


"HP...plans to announce that its board of directors has authorized the exploration of strategic alternatives for its Personal Systems Group (PSG). HP will consider a broad range of options that may include, among others, a full or partial separation of PSG from HP through a spin-off or other transaction," read Thursday's press release from HP.

"In addition, HP reported that it plans to announce that it will discontinue operations for webOS devices, specifically the TouchPad and webOS phones."

The company said it would "continue to explore options to optimize the value of webOS software going forward."

This week, AllThingsD reported that US retailer Best Buy is sitting on about 250,000 unsold TouchPads, and HP had slashed the price of the tablet in hopes of selling more units.

In its press release, HP said that its fiscal third quarter revenues reached $31.2 billion, up from $30.7 billion a year ago. This is less than Wall Street analysts anticipated, and they will also be disappointed with HP's fourth quarter forecast, which puts revenues between $32.1 billion and $32.5 billion.

HP announced that its total fiscal 2011 revenue will be in the $127.2 billion to $127.6 billion range, which is less than its previous estimates: between $129 billion and $130 billion.

Anonymous Vows To Destroy Facebook On November 5

Written By Unknown on Wednesday, 10 August 2011 | 07:05

Hacktivist group Anonymous, which has been responsible for cyber-attacks on the Pentagon, News Corp, and others, has vowed to destroy Facebook on November 5th (which should ring a bell).

Citing privacy concerns and the difficulty involved in deleting a Facebook account, Anonymous hopes to "kill Facebook," the "medium of communication [we] all so dearly adore."

This isn't the first time Anonymous has spoken out against social networks.

After Google removed Anonymous' Gmail and Google+ accounts, Anonymous pledged to create its own social network, called AnonPlus.


The statement of intent cites privacy issues for Facebook users as their main impetus for turning November 5 into a Facebook Gunpowder Plot:

Operation Facebook

DATE: November 5, 2011.

TARGET: https://facebook.com

Press:
Twitter : https://twitter.com/OP_Facebook
http://piratepad.net/YCPcpwrl09
Irc.Anonops.Li #OpFaceBook
Message:

Attention citizens of the world,

We wish to get your attention, hoping you heed the warnings as follows:
Your medium of communication you all so dearly adore will be destroyed. If you are a willing hacktivist or a guy who just wants to protect the freedom of information then join the cause and kill facebook for the sake of your own privacy.

Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria.

Everything you do on Facebook stays on Facebook regardless of your "privacy" settings, and deleting your account is impossible, even if you "delete" your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more "private" is also a delusion. Facebook knows more about you than your family. http://www.physorg.com/news170614271.html http://itgrunts.com/2010/10/07/facebook-steals-numbers-and-data-from-your-iph....

You cannot hide from the reality in which you, the people of the internet, live in. Facebook is the opposite of the Antisec cause. You are not safe from them nor from any government. One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you.

The riots are underway. It is not a battle over the future of privacy and publicity. It is a battle for choice and informed consent. It's unfolding because people are being raped, tickled, molested, and confused into doing things where they don't understand the consequences. Facebook keeps saying that it gives users choices, but that is completely false. It gives users the illusion of and hides the details away from them "for their own good" while they then make millions off of you. When a service is "free," it really means they're making money off of you and your information.

Think for a while and prepare for a day that will go down in history. November 5 2011, #opfacebook . Engaged.

This is our world now. We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.

We are anonymous
We are legion
We do not forgive
We do not forget
Expect us
Facebook is widely known for its issues around user privacy - most notably, that they’re terrible with it.

The list of Facebook’s privacy failures and transgressions is lengthy and probably not complete, running from Danah Boyd’s Harvard/UC Berkeley paper “Facebook’s Privacy Trainwreck” to frequent changes to user settings without notification to new issues raised by researchers at Carnegie Mellon University.


Anonymous is known for launching distributed denial-of-service attacks, which harm a target by getting a large group of people to access the site continually until the influx of traffic slows the site down so much that the servers can’t handle it.

Since Facebook is such a huge site–750 million users huge–it would take a lot for Anonymous to slow down Facebook’s servers. Anonymous tried to take down Amazon in the same way earlier this year, but Amazon’s huge amount of server power was too much for the group.

The group is giving us time to think and “prepare for a day that will go down in history” before they deploy the attack on the 5th of November.

World Wide Web Celebrating 20th birthday

Written By Unknown on Monday, 8 August 2011 | 08:41

An illustration from Tim Berners-Lee's original proposal for an organizational system using hyperlinks and a computer network--a system then referred to as the Mesh. The proposal preceded the Web's public debut by a couple of years.


Happy birthday, Web!

On August 6, 1991--20 years ago--Tim Berners-Lee posted a summary of a project for organizing information on a computer network using a "web" of hyperlinks: the "WorldWideWeb," or W3. At the same time, the W3 made its debut as a publicly available service on the Internet. Now, as the Web turns 20, those of us here at CNET and sister site CBS News.com are giving it a big thank you for revolutionizing the world as we know it.

There have been some definite downsides to the Web, such as online predation and a reduction in privacy, but the good has far outweighed the bad. Web companies have created millions of jobs across the globe, opened people up to different cultures and ideas, and created a level of transparency in politics that's never quite been achieved before.

Through social, economic, and political actions online, the world has become entirely different than it was two decades ago. News travels faster than ever; every single person with access to the Internet has a voice to vent frustration or foster a following; and social interactions have become more varied and far-reaching.

The Web has changed the way people think and revolutionized the world as we know it in a remarkably short period of time. From clunky modems to smartphones, Web-based technology has come a long way. The only question is how far will it continue to evolve in the next 20 years?


Source: CBSNews.com

2011 Black Hat Security Conference

Written By Unknown on Wednesday, 3 August 2011 | 10:21

The 2011 Black Hat security conference in Las Vegas is promising a smorgasbord of (in)security fun. From vulnerabilities in PLCs (programmable logic controllers) to the security design of Apple’s iOS and potential hacker attacks on medical implant devices, the range of presentations this year could be the best ever.

Here's my list of 10 can't-miss hacks and presentations.

1. Hacking Androids for Profit

The growing popularity of smart phones has generated a predictable surge in security research around mobile platforms and this year’s Black Hat agenda contains quite a few good presentations.

This talk, by Riley Hassell and Shane Macaulay, puts Android under the microscope with a promise to reveal new threats to Android Apps and discuss known and unknown weaknesses in the Android OS and Android Market.

The researchers will discuss the inner working of Android apps and the risks any user faces when installing and using apps from the marketplace.

2. Exploiting the iOS Kernel

Stefan Esser is best known for his epic work around PHP security but if you’ve been following his Twitter stream lately, you’d notice the German researcher has taken a liking to Apple’s iOS platform.

In this Black Hat session, Esser is promising a deep-dive discussion of kernel level exploitation of iPhones. It will include details on previously disclosed kernel vulnerabilities, the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows.

Esser also plans to look closely at the kernel patches applied by iPhone jailbreaks to provide an understanding of how certain security features are deactivated. He also plans to release a tool that allows the selective deactivation of certain kernel patches for more realistic exploit tests.

3. Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption

When Dino Dai Zovi speaks about Apple and security, you stop and listen.

Best known for his successful hijack of a MacBook at the CanSecWest hacker conference, Dai Zovi has now turned his attention to Apple’s iOS, the smartphone platform that powers iPhones and iPads.

Dai Zovi performed a detailed audit of the security mechanisms and features of iOS 4 and will share his findings on things like Trusted Boot, Mandatory Code Signing, Code Signing Enforcement, Sandboxing, Device Encryption, Data Protection, and (as of iOS 4.3) Address Space Layout Randomization.

The security assessment focused on the concerns of an enterprise considering a deployment of iOS-based devices or allowing employees to store sensitive business data on their personal devices, so we can expect to hear about the real-world implications of using iPhones and iPads in the enterprise.

Dai Zovi is promising to document the risks of a lost device or a remote iOS compromise through a malicious web page or e-mail and, based on the strengths and weaknesses identified, make concrete recommendations on what compensating measures an organization can and should take when deploying iOS-based devices for business use.

4. Hacking Google Chrome OS

Google + the cloud + web applications is a recipe for a fun security cocktail.

In the last few months, two members of the WhiteHat Security’s Threat Research Center — Matt Johansen and Kyle Osborn — hacked away at Google’s Cr-48 prototype laptops and discovered a slew of serious and fundamental security design flaws.

Now, they are sharing their findings with the Black Hat audience, promising to discuss security holes that could expose users to the following types of attacks:

  • Exposing all user email, contacts, and saved documents.

  • Conducting high-speed scans of their intranet and revealing active host IP addresses.

  • Spoofing messages in their Google Voice account.

  • Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains.

Johansen and Osborn said Google was informed of the findings and has already fixed some vulnerabilities, but they plan to discuss many of the underlying Google Chrome OS weaknesses that remain, including the ability for evil extensions to be easily made available in the WebStore, the ability for payloads to go viral, and JavaScript malware that survives a reboot.

5. Exploiting Siemens Simatic S7 PLCs

Dillon Beresford, a security researcher at NSS Labs, has already courted controversy with this topic. The talk was originally scheduled for the TakeDownCon security conference in May but was withdrawn after some bigwigs (including the Department of Homeland Security) got nervous about the pre-patch disclosure ramifications.

At Black Hat, Beresford is promising to cover newly discovered Siemens Simatic S7-1200 PLC vulnerabilities and to demonstrate how an attacker could impersonate the Siemens Step 7 PLC communication protocol using some PROFINET-FU over ISO-TSAP and take control.

Beresford is a brand-name security researcher in the SCADA world. Earlier this year, he developed an exploit for one of the most popular high performance production SCADA/HMI software applications in China which is widely used in power, water conservancy, coal mine, environmental protection, defense and aerospace.

Because security holes in Siemens’ PLCs played a key role in the success of the mysterious Stuxnet worm, Beresford’s Black Hat disclosures are sure to raise eyebrows.

6. SSL And The Future Of Authenticity

Moxie Marlinspike has built a reputation as a privacy and anonymity advocate who goes beyond mere talk. He has many free tools and utilities for both the Web and mobile systems and spends his time warning anyone who would listen about the dangers of web tracking software.

Widely considered a security research expert on protocols, cryptography, privacy, and anonymity, Marlinspike will focus on SSL (Secure Socket Layer) encryption at this year’s Black Hat conference.

He is promising to provide an in-depth examination of the current problems with authenticity in SSL, discuss some of the recent high-profile SSL infrastructure attacks in detail, and cover some potential strategies for the future. Marlinspike’s talk will conclude with a software release that aims to definitively fix the disintegrating trust relationships at the core of this fundamental protocol.

As a side note, Marlinspike will be speaking at BSidesLV, providing “thoughts on LulzSec through the historical lens of Russian Nihilism and Motiveless Terrorism.” That’s another good one to put on the schedule. The BSidesLV talk has since been withdrawn. Bummer.

7. Vulnerabilities in Wireless Water Meter Networks

What if a hacker could tamper with your water meter to do dangerous things? It may sound far-fetched but, after Stuxnet, no one should doubt the ramifications of designer malware planted on critical systems.

This Black Hat talk is particularly interesting because the speaker, John McNabb of South Shore PC Services, spent 13 years managing a small water system and claims to have deep knowledge of how these things work.

McNabb says research into wireless water meters is crucial because they are a potential security hole in a critical infrastructure and can pose a wide range of problems.

In this talk, McNabb promises to present an overview of drinking water security, review reported water system security incidents and the state of drinking water security over the past year. He will also provide a deep dive into the hardware, software, topology, and vulnerabilities of wireless water meter networks and how to sniff wireless water meter signals.

8. Battery Firmware Hacking

Clearly not satisfied with hacking into MacBooks and iPhones, Charlie Miller has his eyes on the chip that controls your computer’s battery.

Miller, a brand-name hacker who now works as Principal Research Consultant at Accuvant Labs, will use the Black Hat stage to discuss the embedded controller used in Lithium Ion and Lithium Polymer batteries. In his research, he found that the controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.

Miller explains:

“In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire.”

As reported by Andy Greenberg at Forbes.com, Miller found that the batteries’ chips are shipped with default passwords, such that anyone who discovers that password and learns to control the chips’ firmware can potentially hijack them to do anything the hacker wants.

9. Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System

Theoretical research into the hacking of medical devices is nothing new but this talk by Jerome Radcliffe stands out because of the wide usage of the target — insulin pumps to treat diabetes.

Radcliffe, who wears an insulin pump and continuous glucose monitor, said the devices can be considered a “Human SCADA system.”

After attending a DefCon presentation on hardware hacking of proprietary systems and wireless communication methods, Radcliffe said he was inspired to hack into the devices to see if the communication methods could be reverse engineered or whether a device can be created to perform injection attacks.

“Manipulation of a diabetic’s insulin, directly or indirectly, could result in significant health risks and even death,” he explained. In this talk, Radcliffe plans to explain his discoveries around the proprietary protocols and the hardware interfacing.

10. Playing In The Adobe Reader X Sandbox

Adobe’s addition of a sandbox called ‘Protected Mode’ to Reader X has put a significant roadblock in front of malicious hackers. However, it has set up a perfect cat-and-mouse game where attackers are working overtime to bypass the mitigations.

In this talk by Paul Sabanal and Mark Yason from IBM ISS’s X-Force Advanced Research Team, Black Hat attendees will get a deep technical explanation of the implementation details of the Adobe Reader Protected Mode sandbox and the results of reversing efforts to understand the mechanisms and data structures that make up the sandbox.

The researchers also plan to discuss the limitations and weaknesses of the sandbox and offer possible avenues to achieve privilege escalation. “We will demonstrate how an attacker could leverage the limitations and weaknesses of the Adobe Reader Protected Mode sandbox to carry out information theft or corporate espionage. We will be demonstrating a proof-of-concept information stealing exploit payload bootstrapped by exploiting a publicly known Adobe Reader X vulnerability,” the researchers explained.

Phishers Targeting Google AdWords account

Written By Unknown on Tuesday, 26 July 2011 | 07:35

Cybercrooks have launched a "Google AdWords" phishing campaign in an attempt to trick marks into handing over sensitive login credentials to a bogus, newly registered, website.

Spam messages promoting the ruse falsely claim that a recipient's campaign has been stopped and they need to login to their "Adwords account" in order to reactivate it. The widely distributed spam messages link to a realistic replica of the Google AdWords page, net security firm Sophos warns.

The dodgy site – google-oa.net – was only registered this week.

Google AdWords accounts normally use the same login credentials as other associated Google accounts (Gmail, Google Docs etc). It could be that the fraudsters behind the scam are just as interested in these accounts as in compromised access to Google AdWords accounts, though this much remains unclear.

The whole scheme further illustrates that phishing fraudsters are going after a wider range of targets outside of old favourites such as PayPal and online banking accounts. Phishing fraudsters in Brazil, for example, have begun targeting air miles accounts, trading stolen vouchers as a form of currency in exchange for renting access to botnets via underground markets.

Intended victims of the air miles or Google AdWords scams might be less aware of the risk and therefore more likely to respond to fraudulent emails, perhaps.

Skype Promises to Fix Cross Site Scripting Bug

Written By Unknown on Tuesday, 19 July 2011 | 09:44

Skype has promised to fix a cross-site scripting flaw that exposes Windows users of VoIP technology to potential attack.

The flaw was discovered by independent security researcher Levent Kayan, who warned that a hacker might be able to enter a string of JavaScript code into the "mobile phone" field. This would enable a hacker – provided he or she could trick a victim into adding them as a contact – to either compromise the user's Skype account or to load malware onto the user's PC. Skype said that the bug is not very serious, but nonetheless promised an update by the end of the week.

The server-side bug created a possible mechanism for miscreants to redirect Skype users to potentially malicious websites, providing they successfully tricked users into adding them as a contact, as the VoIP outfit explains in an update to its official security blog.

Skype for Windows is not correctly validating some fields of your contacts' profiles. What this means is if one of your Skype contacts has put some specific strings into their profile, it could result in your Skype Home area being redirected to another web page or a message being displayed.

In order for someone to cause these messages to be popped up or to redirect you to a website, they would first have to be one of your accepted Skype contacts. However, this vulnerability should not be there and there is a fix, which we are finalising testing of, that is due to be pushed out early next week.

Cross Site Scripting (XSS) flaws, in general, can be used to present content or pop-ups from potentially hostile websites as if the content had originated from other domains. The class of vulnerability is sometimes used as an adjunct to more highly evolved and subtle phishing scams.

Skype said the necessary fix will be applied without troubling its users with software updates, indicating the bug can be resolved by an update to backend systems alone.
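
The validation gap described above can be closed by treating every contact-supplied profile field as untrusted. The following is an added example, not code from the original post or from Skype: it allowlists the "mobile phone" field and HTML-encodes each field before it is placed in a page. The field names (`displayName`, `mobilePhone`) and helper names are assumptions for illustration.

```javascript
// Added illustration: every field of a contact's profile is untrusted input.
// Field and helper names are hypothetical; this is not Skype's code.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist for a phone number: optional leading "+", a digit, then digits
// and common separators only. Anything else is rejected, not "cleaned up".
const PHONE_PATTERN = /^\+?[0-9][0-9 ().-]{3,23}$/;

// Returns a canonical "+digits" / "digits" string, or null if invalid.
function normalizePhone(raw) {
  if (typeof raw !== "string") return null;
  const trimmed = raw.trim();
  if (!PHONE_PATTERN.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, "");
  if (digits.length < 5 || digits.length > 15) return null;
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Build the HTML for one contact. Validation happens on input, encoding
// happens on output; both are applied so a gap in one is covered by the other.
function renderContactCard(profile) {
  const name = escapeHtml(profile.displayName ?? "");
  const phone = normalizePhone(profile.mobilePhone);
  const phoneHtml =
    phone === null
      ? '<span class="phone invalid">(not shown)</span>'
      : `<a class="phone" href="tel:${escapeHtml(phone)}">${escapeHtml(phone)}</a>`;
  return `<div class="contact"><span class="name">${name}</span>${phoneHtml}</div>`;
}

// Constructed sample profiles: one ordinary, one carrying markup in its fields.
const SAMPLE_PROFILES = [
  { displayName: "Alice Example", mobilePhone: "+44 20 7946 0958" },
  { displayName: "Mallory <b>", mobilePhone: '"><script>alert(1)</script>' },
];

function renderAll(profiles) {
  return profiles.map(renderContactCard);
}

for (const html of renderAll(SAMPLE_PROFILES)) {
  console.log(html);
}
```
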

How LulzSec Exploited the Security Mistakes of The Sun

Infamous pranktivist hackers LulzSec exploited basic security mistakes on a News International website to redirect users towards a fake story on the supposed death of media mogul Rupert Murdoch, it has emerged.

The bogus story claimed that Murdoch had died after ingesting a "large quantity of palladium" (a rare metal*) before stumbling into his "famous topiary garden" (an in-joke reference to Topiary, the most famous member of LulzSec).

Later the same trick was used to redirect visitors of The Sun's website to LulzSec's Twitter feed.

Both hacks relied on exploiting security weaknesses on a site called new-times.co.uk/sun, which had been set up by News International while it was building a paywall for The Times. Hackers used an exploit, identified by The Guardian as likely to be a "local file inclusion" program, to exploit vulnerabilities in order to gain administrative control of this site. The site, although retired, was still linked to NI's Content Management System.

Hackers then used compromised access to the CMS behind The Sun's site to add their own redirection script to the "breaking news" element of the site. The rogue JavaScript was programmed to redirect surfers to locations under the control of hackers once the page reloaded. First it was pointed towards the spoofed story at new-times.co.uk/sun and later towards LulzSec's Twitter feed.

The level of compromised access may have allowed LulzSec access to NI's email database, but this remains unclear.

LulzSec famously disbanded last month after 50 days of mayhem that saw it attack numerous targets including FBI-affiliated security consultancies, UK police agency SOCA, numerous games publishers and Sony. In an update to its Twitter feed the group said it couldn't resist returning for one last gig. "Thank you for the love tonight. I know we quit, but we couldn't sit by with our wine watching this walnut-faced Murdoch clowning around."

The websites of The Sun and The Times were pulled down on Monday following the hack. Both have been restored. The server behind new-times.co.uk has been taken offline, probably permanently.

Meanwhile, the very-much-alive Rupert Murdoch is due to face a grilling from Parliament later today, when he will be expected to answer questions on the News of the World voicemail hacking scandal.

LulzSec Redirects Homepage of Murdoch-Owned 'The Sun' to @LulzSec Twitter Account

Written By Unknown on Monday, 18 July 2011 | 14:57

Hackers breached the security of Rupert Murdoch's Sun website and briefly redirected many visitors to a hoax article falsely claiming the tabloid media tycoon had been found dead in his garden.

The hack caused many people visiting thesun.co.uk to instead reach www.new-times.co.uk/sun/, which contained a story headlined "Media moguls [sic] body discovered". The breach came as several other Murdoch-owned sites, including The Times, The Sunday Times, newsinternational.co.uk, and rupertmurdoch.co.uk, suffered outages that made them inaccessible. The domain name system servers used to resolve many of those sites weren't responding to queries at time of writing.

"Murdoch, aged 80, has said [sic] to have ingested a large quantity of palladium before stumbling into his famous topiary garden late last night, passing out in the early hours of the morning,” the bogus article claimed.

Murdoch-Owned 'The Sun' hacked by Lulzsec

LulzSec Twitter-page bragging

The redirections didn't work consistently, making it possible for many Sun visitors to reach the real site as intended. At time of writing, many attempts to reach the site caused redirects to the Twitter account of LulzSec, the prankster hacker collective that has made sport of attacking sites belonging to Sony, the Central Intelligence Agency, and other high-profile targets. LulzSec took responsibility for the Sun hack as well.

“It's not an easy thing to do,” Jeremiah Grossman, CTO of security firm WhiteHat Security, said of the redirection of The Sun's site. “If you can do that, you would classify it as being hacked.” It wasn't clear if the attackers had targeted the site's content management system, upstream provider, or another component.

DNS servers ns1.newsint.co.uk and ns0.newsint.co.uk, upon which the Murdoch-owned sites rely, did not respond to pings at time of writing. Trace routes to the servers' underlying IP addresses also failed.

Windows Server 8: Preview by Microsoft

Written By Unknown on Wednesday, 13 July 2011 | 10:24

Microsoft has given a peek into Windows 8 Server, the successor to Windows Server 2008 R2 and companion to the tablet-tastic Windows 8 client.

The company is reported Tuesday to have boasted Windows 8 Server will pack more than 100 new features.

Speaking at its Worldwide Partner Conference (WPC), however, Microsoft seems to have zeroed in on just one: the new Hyper-V it's positioning as an enabler of cloud computing when used to virtualize server operating systems and applications in your data center.

Microsoft's teaser came in the shadow of virtualization giant VMware's vSphere 5 launch in San Francisco, California, on the same day.

There, VMware chief executive Paul Maritz – a former Microsoft exec with 14 years at the company – boasted that according to various industry analysts VMware virtual machines are about six months away from running 50 per cent of the world's server workloads.

Microsoft is coming from behind in virtualization, and claimed at WPC in Los Angeles, California, that Hyper-V is the fastest growing virtualization stack.

Cutting to the features at WPC, Microsoft unveiled Hyper-V Replica that will let you replicate virtual machines either immediately or according to a schedule. This will, Mary-Jo Foley reports, let you do something like replicate a mission-critical database to an offsite data vendor.

Microsoft claimed it will be vendor-agnostic and support different storage, data center and software and service providers. In keeping with Microsoft's goal of getting customers to put more of their data in its cloud by not charging for imports, Microsoft will also give Windows Server 8 users unlimited replication without an additional fee per virtual machine.

Hyper-V, meanwhile, will also support more than 16 virtual processors per machine.

Microsoft called Windows 8 Server "the next step in private cloud computing".

Microsoft backed the cloud play by talking up planned software that'll unify management of apps running on virtualized Windows servers and on Microsoft's Windows Azure cloud.

It announced System Center 2012, which will feature an account controller that gives single sign-in to all your apps on different servers, and that provides a tiled view of apps. You will be able to deploy apps using a set of best practices. System Center 2012 is due to ship this year.

On the apps front, Microsoft dressed an announcement about a third test build for the next version of SQL Server, codenamed Denali, with a demo of the ability to suck in data from the Windows Azure Data Market to the new database. It did this while showing off what it called "PowerPoint for data" that lets you customize and re-size data fields and turn them into charts and graphs by simply clicking and tugging at them using your mouse.

The Data Market is an online data store with pre-built integration for SQL Server, Office and Bing.

Microsoft, meanwhile, said that finished applications are now available for sale on the Windows Azure Marketplace, where there are 578 offerings. Announced in November, the Marketplace, which includes the Data Market, was originally a place for sharing data.

Source: The Register

.XXX Set to Launch Search Engine Devoted

ICM Registry, the company behind the forthcoming .xxx domain extension, plans to launch a search engine devoted entirely to porn at search.xxx.

The news emerged during a panel discussion at the YNOT Summit 2011, a porn industry trade show in San Francisco late last month (depressingly SFW video at YouTube.)

ICM president Stuart Lawley confirmed to El Reg that search.xxx will index only porn sites found at .xxx addresses. The company is currently testing potential technology partners.

The site will be fed traffic from about a dozen "premium" .xxx domain names, potentially including the likes of porn.xxx and sex.xxx, and will be monetised with ads and sponsorship, he said.

During the YNOT panel, ICM sales director Vaughn Liley defended the company from adult industry claims that .xxx domains will be too expensive, too risky and offer little value.

Pricing for .xxx names is expected to start at roughly $75 per year, compared to .com rates of around $12, but they will be substantially more expensive during the pre-launch "sunrise" and "landrush" periods, which begin in early September.

Existing porn companies with large portfolios of domains in other extensions are concerned that they will be forced to spend thousands on defensive registrations or risk being cybersquatted.

Search traffic, Liley said, is one way that webmasters may be able to recoup their registration fees and increase revenue. ICM recently also announced a free subscription to McAfee Secure for all of its customers.

"I believe that in 12 or 18 months time that some of the animosity that has been shown to us as a company will evaporate and people will go 'actually, this has been very good for my business,'" he told an audience of pornographers that, while still largely sceptical, was less openly hostile than during previous such debates.

Some porn publishers are also worried that .xxx domains carry the risk that ICM's policy-setting body, IFFOR (International Foundation for Online Responsibility) may create draconian new rules that will damage their businesses in future.

"The longer you're on it, more you invest into it, the more you're potentially trapped," YNOT president Connor Young said during the panel. "[The benefits] would have to be monumental, would have to be something so substantial, for me to put myself in the position where three or four years down the line they have that kind of control over my business."

IFFOR's Policy Council will be loaded with porn industry representatives and free speech advocates, however, which ICM believes should deflect these concerns.

Other search engines, such as Google and Bing, will also index .xxx sites, but some porn webmasters say they're not always particularly porn-friendly. Google Instant, for example, does not auto-complete porn-related search terms. Yes, that's right. It won't finish them off ...

Google + Estimated to Attain 10 Million Users

Written By Unknown on Tuesday, 12 July 2011 | 09:22

The new Google social network has been the hot topic among tech bloggers around the world, the majority of whom are siding with Google+ as the best alternative to Facebook, and an analyst has just estimated that Google+ is likely to reach 10 million users.

Note: the figures did not come from Google, but from Paul of Ancestry.com, not Microsoft co-founder Paul Allen. He came up with an interesting tactic to calculate the number of Google+ members. Trust me, it's fascinating... just read on.

According to Paul:

I project that Google will easily pass 10 million users tomorrow and could reach 20 million users by this coming weekend if they keep the Invite Button available. As one G+ user put it, it is easy to underestimate the power of exponential growth.

My model is simple. I start with US Census Bureau data about surname popularity in the U.S., and compare it to the number of Google+ users with each surname. I split the U.S. users from the non-U.S. users. By using a sample of 100-200 surnames, I am able to accurately estimate the total percentage of the U.S. population that has signed up for Google+. Then I use that number and a calculated ratio of U.S. to non-U.S. users to generate my worldwide estimates. My ratio is 1 US user for every 2.12 non-U.S. users. That ratio was calculated on July 4th through a laborious effort, and I haven't updated it since. That is definitely a weakness in my model that I hope to address soon. The ratio will likely change over time.

Since I have been tracking this same cohort of surnames from my first day, I am able to accurately measure growth over time.

I am not claiming perfect accuracy, but I do think the model is sound. A quant has suggested a mathematical formula that I can use to calculate a range of Google users with a 99% level of accuracy, and one of my employees is working on that math now. I hope to include that in future models.

Here is one way to look at my model. Imagine the U.S. government in 2020 has no money left. I know that's hard to imagine, but stay with me. Imagine they wanted to conduct a 2020 census and subsequent decennial censuses with a degree of accuracy (let's say 95%) and to do it on a shoestring budget.

They had complete data for 2010 - the population and growth rates for every city and town in the country. To do 2020, they could just take a random sampling of 100 cities and towns across the U.S. that were representative and conduct the census JUST for those cities every 10 years. If those 100 cities averaged the same growth rates as the rest of the country, then their decennial censuses would be fairly accurate but very inexpensive. (Obviously the US example won't work and shouldn't be tried, since the purpose of the U.S. census is in part to determine Congressional representation - so a complete census must be done in the entire country.)

But my project is like that - a low-budget sampling. I have randomly selected 100 uncommon U.S. surnames and I am tracking the number of Google+ users with those names - updating my counts every 2-3 days. I am assuming that the growth in G+ users with those surnames is similar to the growth in G+ users with the other 150,000 or so surnames in the U.S. If I had resources to include 500 or 1,000 surnames in my sample, then I believe my model would be more accurate. But my time and budget available for this project are small, so it is what it is. And then I take the 2.12 - 1 non-US to US ratio to complete the calculations.
Honestly, I can't remember any social network site climbing to such heights in such a short period of time, although we can't rule out the fact that Google already has existing products with a solid user base and will be leveraging those as well.

There has been no response from Google to confirm these estimates, but if perchance they are true, then it's only the creator that knows the future of Facebook.

Anonymous Releases Highly Classified Government Documents

Written By Unknown on Saturday, 9 July 2011 | 09:31

In the days following the dispersal of LulzSec, Operation Anti-Security continues on with the rogue hacker group Anonymous releasing a considerable amount of information from IRC Federal, a government contractor with FBI, Army, and DOJ partnerships, to name a few. To quote Anonymous’s release notes:

Today we release the ownage of another government-contracted IT company, IRC Federal. They brag about their multi-million dollar partnership with the FBI, Army, Navy, NASA, and the Department of Justice, selling out their “skills” to the US empire. So we laid nuclear waste to their systems, owning their pathetic windows box, dropping their databases and private emails, and defaced their professional looking website.

In their emails we found various contracts, development schematics, and internal documents for various government institutions including a proposal for the FBI to develop a “Special Identities Modernization (SIM) Project” to “reduce terrorist and criminal activity by protecting all records associated with trusted individuals and revealing the identities of those individuals who may pose serious risk to the United States and its allies”. We also found fingerprinting contracts for the DOJ, biometrics development for the military, and strategy contracts for the “National Nuclear Security Administration Nuclear Weapons Complex”.

Additionally we found login info to various VPNs and several Department of Energy login access panels that we are dumping *live* complete with some URLs to live ASP file browser and upload backdoors - let’s see how long it takes for them to remove it (don’t worry we’ll keep putting it back up until they pull the box.

This is an embarrassing situation for a company dealing with such sensitive information and yet another lesson learned through exploitation that security needs to be much more than what it currently is for many such high-profile/significant sites.

And though the information leaked sounds important at first glance, the coming days will reveal whether or not this is just another forgettable “hacktivist” release that merely reiterates the flaws of current security measures, or if something significant will come of it all.

Rest assured that either way, the continued hammering of governments and government contractors is sure to yield significant changes in approaches to security. But that’s only in the short term. The larger concern of many is how these actions might provoke new legislation that seeks to prohibit certain facets of Internet access/usage. Never mind if these “hacktivists” manage to get a hold of something truly significant that gives some sort of disastrous advantage/insight to feared terrorist/criminal/anti-government organizations.

Source: Zdnet

Facebook Scammers Exploiting the Video Call Features to Send Virus

It's barely a week since Facebook launched its video calling feature, and scammers are already exploiting it to send scams and viruses to Facebook users.

According to Sophos' Naked Security blog, "This particular scam doesn't use the actual Facebook video service as Paul has predicted they will do, but it certainly is trying to ride the media coattails and attention Facebook's announcement generated this week.

What is clever about this one is that if it were true that Facebook Video Chat was an application, you might be more easily convinced to approve the application to have more liberal permissions.”

However, there are a few more noticeable problems with the permissions request if one actually takes the time to read. After all, why would an app that comes directly from Facebook ask to access your data at any time? Facebook can already do that. It could also be argued that a video calling app shouldn’t need to post to your wall and news feed, but Google Hangouts actually does something similar on Google+.

Apparently there will be more scammers taking advantage of the new Facebook features.

So next time you see a wall post on Facebook that says “Enable Video Calls,” don’t click on it. If you want to set up the valid and official version of Video Chat with Skype, check out Facebook’s authentic instructions. Never download any executables or other applications claiming to enable this service.
 