The old vulnerability that Aviv Raff reported to Microsoft long time ago is described in two articles by Aviv Raff: IE7 DLL-load hijacking Code Execution Exploit PoC, and Internet Explorer 7 - Still Spyware Writers Heaven, both dating back to 2006(yeah that’s really “a long long time ago”). This vulnerability lies in Windows Internet Explorer loading program library files(DLL) from user’s Desktop instead of its own library file folder(usually C:\WINDOWS\SYSTEM32), when filenames are set to some specific values.

The ministry claimed it needs access to customer data in order to protect the country from terrorists operating in Kashmir, who may be using BlackBerrys to communicate with each other. RIM, however, was understandably reluctant to give the government unrestricted access to its own network, and the two sides have been in talks ever since. RIM and the ministry are now reportedly close to an agreement, but details on what that agreement might entail differ greatly.

A recent article from the Agence France-Presse (AFP) implies that RIM, while aware of and responsive to Indian security concerns, is unwilling to compromise the security of its network. The company reaffirmed that e-mail transmitted using its service would be safe from “snoopers” and stated, “governments have a wide range of resources and methodologies to satisfy national security and law enforcement needs without compromising commercial security requirements.” The story makes no mention of any specific agreements between RIM and Indian security officials, beyond stating that RIM is looking forward to positive results.

Indian sources, meanwhile, are singing a different tune. According to The Indian Express, RIM has been informed that it will have to install servers and network equipment within India if it wishes to continue operating within the country. If RIM acquiesces, any such build-out would be subject to Indian law, and traffic passing through the center could be monitored to whatever degree the Union Home Ministry deems necessary.

The Hindustani Times, meanwhile, may have another piece of the puzzle. The paper claims that RIM has already agreed to hand over sensitive customer data to the government, provided that the government’s Department of Telecommunications (DoT) take responsibility if such information is ever lost or stolen. The agreement reportedly covers financial liability as well, leaving RIM off the hook if the Indian government’s SpyBerry program is ever hacked.

It may be a month or two before Research In Motion announces the details of its agreement with the Union Home Ministry, but the information coming out of India is at least plausible. RIM has yet to state, point-blank, that it will not allow the Indian government to access its network traffic in some form or another, and until that happens, all bets are off.

For the spammers, the entire attack strategy includes more than registering email accounts using Anti-CAPTCHA operations; sending mass emails over the Internet; infecting thousands of user machines; and stealing information. In addition, spammers want to increase the overall time a spam campaign survives online and make it increasingly difficult to trace the campaign back. To this end, they use randomized, complex networks, through which they advertise their products and services.

To achieve success, spammers have been using a combination of tactics at different levels in their attacks.

This combination of tactics can be conceptualized in three different stages.

Stage 1: Spammers using Anti-CAPTCHA registered accounts for mass-mailing purposes

Anti-CAPTCHA registrations of Microsoft Windows Live Mail, Microsoft Windows Live Hotmail, Google’s Gmail, and Yahoo Mail accounts have already brought a certain level of success to spammers. To some extent, spammers can defeat Antispam filters that rely heavily on Reputation-based detection by using these Anti-CAPTCHA accounts for spamming from their corresponding (well-reputed) email service providers.

Stage 2: Spammers’ tactics in advertising their products and services

Spammers’ next tactic in this strategy comprises advertising their content using sophisticated techniques. Spammers are creating visual social engineering attacks, consisting of accounts registered at free Web space providers, by adopting the CAPTCHA breaking process, and then using these accounts as redirectors or doorway pages to advertise products and services (See Figure 3.2: Redirection or doorway page to actual spam domain). An illustration of this spammer tactic was reported by Websense recently where Google’s Blogger Anti-CAPTCHA operations were carried out for SPAM runs.

Stage 3: Spammers’ tactics to protect their advertising infrastructure online

With a certain degree of success so far, spammers’ next significant tactic in their 3-stage strategy is to increase the overall time their spam domains and advertising networks remain online, and make it increasingly harder to trace them back, because of their randomized and complex networks. This ensures that they remain virtually impossible to shut down.

Websense has observed that spammers have increased their use of multiple fast-flux networks to advertise their products, as a part of this attack strategy. The fast-flux concept provides spammers with a scalable, robust, and multi-layered network structure. The layered structure and the complex behavior of the network provide protection to spammers’ domains, thereby making it difficult to trace them back.

Read full story

As if warfare weren’t already creepy enough, BAE Systems, a British defense company, has released a promotional video of robotic spiders, dragonflies and snakes it is developing to aid soldiers in combat zones. The robotic creatures are being funded by a $38 million contract with the U.S. Army that is part of a massive, and costly, effort to modernize the weaponry of the armed forces. The robots will slither and crawl around corners, into caves, and through booby-trapped streets, sending images back to screens in a command center or to a screen mounted on a soldiers wrist.

The purpose is to “extend the warfighter’s senses and reach, providing operational capabilities that would otherwise be costly, impossible, or deadly to achieve,” says Joseph Mait, MAST cooperative agreement manager for the Army Research Laboratory.

Other remote controlled devices are in the works as well, such as the unmanned drones that are currently used for bombing raids and reconnaissance. The hope is that using these robots will cut down on the number of casualties suffered by U.S. forces, and possibly civilians, while improving the accuracy of missile attacks and raids. However the potential for misuse of these robots, such as spying on citizens or other governments, is straight out of some sci-fi movie.

In any case we hope we never see one of these little creatures on our windowsill. [Source: Daily Mail UK]

Promotional video shows a ‘bug’ being sent into a danger zone in a special vehicle

“What we are doing is providing an enhanced awareness for soldiers, basically an extension to their eyes and ears,” he said.

“The creatures have external sensors. They can be tossed out into a building or a cave or even a pile of rubble and then send images back to the troops.

Pictures from the bug are beamed back to the operator, allowing the target to be blown up

“The idea is to get a number of these working together – some tiny, some maybe up to a foot in length, and all going into a building together carrying out different tasks. Eventually we hope to have animals flying and slithering.

“The five-year programme has just started but we could have them with soldiers within six months, and then continue to develop the concept as the project goes along.”

Despite the high-tech gadgetry involved, BAE Systems insists once production is in full swing, each bug will cost no more than £100 to produce.

Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, Litchfield said in an interview on Thursday.

Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but on Thursday he published a paper with technical details.

In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would work only if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can work using new types of data, known as date and number data types.

Litchfield’s attack targets the Procedural Language/SQL programming language used by Oracle developers.

A noted database hacker, Litchfield is best known as the researcher who published details on the bug used in the 2003 SQL Slammer worm, which targeted Microsoft’s SQL Server database.

Litchfield wasn’t sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios.

“If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code,” he said. “The sky is not falling … but it’s certainly something that people should be made aware of.”

Database programmers should review their code to be sure it is checking to make sure that all of the data it is processing is legitimate, and not injected SQL commands, he said.

Source: Computerworld

You know XSS has hit the mainstream when it reaches this level of visibility.

(It is unclear who the prankster supports in the campaign)

The discovery illustrates a series of attacks from the Rock Phish group, which is a gang reportedly based in Russia that has been targeting financial institutions since 2004.

Among RSA’s key findings:

• Rock Phish attacks account for 50 percent of phishing incidents and have stolen “tens of millions of dollars” from bank accounts.
• This is the first time crimeware has been used in a Rock Phish attack.
• Victims of these phishing attacks get their personal data stolen and are infected by the Zeus Trojan. Double the pain for victims.

RSA’s Uriel Maimon said in a blog post:

The Rock Phish group is a phishing gang believed to be based out of Russia — and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, they were the only) gang to employ bot-nets in its phishing infrastructure in order to make the attacks live longer and be more scalable. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Within the past few weeks there has been a new advance — the inclusion of identity theft malware (or Crimeware) into the Rock group’s phishing attacks. I have written before about the problems this type of malware poses, but coupled with the robust infrastructure the Rock group has at its disposal, this is more than double the trouble.

In general, the latest Rock Phish attack includes the following:

• Victim is duped into going to a phishing site;
• Victim is infected with the Zeus Trojan even if he or she doesn’t submit information;
• Zeus is masked;
• The Zeus Trojan can take screen shots, control a machine and steal passwords so even if you don’t fork over information initially the malware will get it.

Source: zdnet, RSA

PayPal public relations have clarified their position as below:

PayPal is developing features to block customers from logging into PayPal when using obsolete browsers on outdated or unsupported operating systems. An example of such a browser/OS combination might be, for example, Internet Explorer 4 running on Windows 98. We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our website.

Apparently, a research paper released the week before by Michael Barrett, the firm’s chief information security officer, mentioned that the payment service would ban browsers that lacked a way to block known or suspected phishing sites, and didn’t support Extended Validation (EV) certificates, was what sparked off this piece of news and thankfully PayPal has responded soon enough. Safari is one browser that does not come with an anti-fraud blocker, and it also does not support EVs - a recently introduced digital certificate system that is meant to reassure consumers that the site has been vetted and is legitimate, leading people to speculate that this PayPal paper has also lumped Safari under the same roof as the mentioned Internet Explorer 3 from 1996 and Microsoft’s 1997’s IE4 as well.

Here’s a little bit of history lesson for the uninitiated - Apple currently supports only Safari 3.0 with security updates as well as various patches, and good to know that Safari 2.0 which shipped with Mac OS X 10.4 (aka Tiger) is still supported as well, unlike IE4 that came with Windows 98. PayPal’s revised criteria is “obsolete browsers on outdated or unsupported operating systems” will be blocked, which means IE5 is no go when 2010 rolls around while Safari 2.0 on Tiger will continue to receive support until Apple ships the successor to Mac OS X 10.5. Keep on shopping, guys!

Source: Computer World

GMP hopes the move will help it raise public awareness of local incidents and facilitate the exchange of information on crime. GMP is the first police force in the UK to use the site in this way.

According to Worklight Inc, a Web 2.0 security specialist, GMP’s use of Facebook is in line with an increasing trend for organisations to use social network sites as business tools. However, Worklight also highlights the need for tight control in order to eliminate security risks. WorkLight claims its technology allows organisations to use Web 2.0 consumer services, including Facebook, for business purposes, without the attendant security risks.

Source:Techwatch UK

The problem is caused by inadequate checking while typefaces embedded in PDF files are being processed, but no further details are known as yet. When manipulated PDF files are opened, injected code can be executed with the user’s rights. An entry has already been added to the Common Vulnerabilities and Exposures (CVE) database, but it gives no further details.

In addition to Xpdf, affected software includes the poppler project and, in some Linux distributions, also KOffice, if code from Xpdf is statically linked in, as is the case with Ubuntu. Several Linux distributors are already issuing updated Xpdf, poppler and KOffice packages that fix the problem. Administrators should install these updates without delay.

See also:

• New xpdf packages fix arbitrary code execution, vulnerability report by the Debian developers
• poppler vulnerability, vulnerability report by Kees Cook of the Ubuntu Security Team
• KOffice vulnerability, vulnerability report by Kees Cook of the Ubuntu Security Team

Source: heise-online.co.uk