“The attacks, which researchers say are the world’s first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple’s default root password of ‘alpine.’ In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message ‘ikee is never going to give you up,’ a play on Astley’s saccharine addled 1987 hit ‘Never Gonna Give You Up’.”

“Tricking victims in to inadvertently playing the song has become a popular prank known as Rickrolling.”

And, it’s a lot more than a joke, confirms Peter Hansteen on That grumpy BSD guy

“The rickroller is about bad passwords, no more, no less,” he says, going on, “this incident only underscores what we’ve been repeating until your eardrums wear thin an my vocal cords swell from exhaustion: Publishing your username and password is a really bad idea. It’s almost as bad as picking a guessable password.

“Add to this that the fact, as we’ve noted here earlier, there is a whole cloud of hijacked machines out there beavering away at guessing passwords right now, and they have been at it for quite a while.”

Finally, he adds, “some words of advice for those of you who want to avoid both rickrolling and getting cracked by other password guessing” »»»

You should at least consider setting a password policy and enforcing it with something like John the ripper, which more than likely is available at the cost of a few keystrokes from your package system. And of course there is the fine art of sshd configuration. Some of the things you could do are, in no particular order:

• disable root logins over the network
  
• use packet filtering or other means to restrict where users can log in from
  
• disable password logins entirely allowing only key-based logins
  
• set up your sshd to listen on a non-standard port

… whatever your users can bear to live with.

Now you know.

Follow p2pnet on Twitter.

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

The Register – World’s first iPhone worm Rickrolls angry fanbois, November 8, 2009
That grumpy BSD guy – Rickrolled? Get Ready for the Hail Mary Cloud!, November 15, 2009

It last published fixes in May,  and now it’s come out with another batch of ‘updates’ —-

—- 58 (count ‘em) to be exact.

“Today’s security update was the sixth from Apple this year, and the second that included patches for Snow Leopard, launched in late August,” says Computerworld, noting the patches included several in the QuickTime media player it’d supposedly “fixed separately in early September”.

“Seems a little large, but really, it’s par for the course for Apple,” the story has Andrew Storms, director of security operations at nCircle Network Security, saying.

In May, Apple patched a record 67 vulnerabilities; it addressed 55 in February, 33 in September, and 19 in two separate August updates, says Computerworld, going on »»»

More than half of the vulnerabilities patched today, 32 out of the 58, were accompanied by the phrase “may lead to arbitrary code execution,” which is Apple’s way of saying that a flaw was critical and could be used by attackers to hijack a Mac.

Apple does not assign ratings or severity scores to the bugs it patches, unlike other major software makers, such as Microsoft and Oracle.

“Apple plugged holes in 37 different components of Mac OS X, ranging from AFP Client and the open-source Apache Web server software to CoreGraphics, the Help Viewer and the Spotlight desktop search engine,” the story says.

Follow p2pnet on Twitter.

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

Computerworld – Apple delivers mammoth update, patches 58 bugs, November, 2009

When, almost exactly a year ago, military computers were invaded by a worm, the DoD forbade the use of USB thumb drives, memory sticks/cards and camera flash cards, although hard drives were OK as long as “proper procedures” were followed.

The past tense is used because, blogged Department of the Navy CIO Rob Carey recently, the ban has now been lifted.

Kind of.

because that doesn’t mean anyone anywhere will be able to use them in any context.

“The bottom line is, the days of using personally owned flash media or using flash media collected at conferences or trade shows are long gone,” said Carey, continuing »»»

What we connect to our home PCs is very different from what is and will be allowed to occur on DON networks. I expect (and support) that only approved, identifiable flash media of known origin will be permitted for use; and only by authorized and trained personnel, in support of mission-essential functions that could not be performed via non-flash media means. In the meantime, we are working on moving our access to information to the use of collaborative workspaces, file shares and portals within our protected enclaves. This will reduce our reliance on USB flash media, mitigate unnecessary risk to the GIG, and protect our data and information by keeping it stored within our network boundaries.

What does that mean, exactly?

“In the future, we expect that a government-owned and procured USB flash media, that is uniquely and electronically identifiable for use in support of mission-essential functions on DoD networks will be permitted for use by authorized individuals,” says the blog, adding:

“We are working on upgraded anti-virus and malware detection, alert and eradication capabilities as well as implementation of controls to deny network access to unauthorized USB flash media and revised operating procedures for scanning and cleaning flash media. Those who are authorized to use portable media devices will receive updated user training and awareness and be informed again of his/her accountability through compliance audits and inspections.

(Cheers, Don)

Follow p2pnet on Twitter.

blogs - A Security Update: Flash Drives, September, 2009

It, “posted a warning of the breach on its Web site on Friday,” says the IDG New Service.

On Saturday, the newspaper said the system had been secured and those affected had been contacted by e-mail,”

But it “downplayed the impact, saying it affected “only a minority” of the 10,328,290 unique users who visit the site annually, and that some of the data lost was up to two years old, says the story, going on:

” ‘The police remain anxious to keep information about the apparent theft to a minimum, in order not to compromise their investigations, but did agree with us that we could inform those users who may be affected,’ the Guardian said. ‘We stress our regret that this breach has occurred. This is apparently a deliberate and sophisticated crime, of which the Guardian is a victim in addition to some of our users’.”

The Metropolitan Police e-Crime Unit is investigating, but there have been no arrests, says IDG, adding:

“The Guardian’s Jobs Web site runs on software from a company called Madgex. Officials from the company could not immediately be reached on Monday morning.

It isn’t clear what information was pilfered from the Guardian’s Jobs site, but users can upload their CVs. Information in resumes and CVs could be of great use to data thieves, since those documents may contain e-mail addresses, postal addresses, job histories and a wealth of other personal information. The data could be used for identity fraud.

Follow p2pnet on Twitter.

IDG New Service - Guardian Jobs Site Falls Victim to ’sophisticated’ Hack, October 26, 2009

Now, one of the flood of security bulletins Microsoft released yesterday impacts not only Internet Explorer (IE), but also Firefox with a “browse-and-get-owned” danger.

And it’s all down to a Microsoft plug-in pushed to Firefox users eight months ago in a Windows Update, says Computerworld.

“While the vulnerability is in an IE component, there is an attack vector for Firefox users as well,” say Microsoft engineers on Microsoft’s Security Research & Defense blog, admitting »»»

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please not [sic] that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different.  Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox. (See pic).

Via this plug-in it is possible to launch XBAP, and reach this vulnerability, from within Firefox.

Particularly galling to users was, “once installed, the .NET add-on was virtually impossible to remove from Firefox,” says Computerworld, continuing »»»

The usual “Disable” and “Uninstall” buttons in Firefox’s add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org.

Annoyances also said the threat to Firefox users is serious. “This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC,” said the hints and tips site. “Since this design flaw is one of the reasons [why] you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste.”

Specifically, the.NET plug-in switched on a Microsoft technology dubbed ClickOnce, which lets .NET apps automatically download and run inside other browsers.

What to do?

“Customers should apply MS09-054 as this addresses the underlying vulnerability for all users, both IE and Firefox,” says Microsoft, adding, “While you’re evaluating and testing your deployment of MS09-054, you may want to consider the following workarounds.

“For IE users, our recommended workaround is to disable XBAP in the Internet zone. By default, IE8 on Win2k8 and Win2k3 already has XBAP disabled in the internet zone. For others, you can disable XBAP via the following security setting in IE.

“For Firefox users with .NET Framework 3.5 installed, you may use ‘Tools’-> ‘Add-ons’ -> ‘Plugins’, select ‘Windows Presentation Foundation’, and click ‘Disable’.”

This is all very well for people who know what they’re up to, but most ordinary folks won’t have a clue, and that’s even if they know about this ‘dangerous vulnerability’.

Follow p2pnet on Twitter.

Computerworld – Sneaky Microsoft plug-in puts Firefox users at risk, October 16, 2009

Because, it says, it’s received information, “regarding a possible Windows Live Hotmail ‘hack’ or phishing scheme where password details of thousands of Hotmail accounts have been posted online.”

An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets, says the story, going on:

“The details have since been removed but Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe.

“The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft’s Windows Live Hotmail have been posted, this includes @hotmail.com, @msn.com and @live.com accounts.”

Neowin says it past the alert to Microsoft’s Security Response Center and PR teams in the UK and US and is, “currently awaiting feedback on the situation.”

Follow p2pnet on Twitter.

Neowin – Thousands of Hotmail passwords leaked online, October 4, 2009

Problem?  McAfee.

Again.

“Faulty virus definition updates from McAfee that flagged legitimate JavaScript files as potentially malign caused a headache for some sysadmins,”  says the story, going on the false alarm, “which meant benign content was flagged as infected by Exploit-Packed-c-gen,” was corrected promptly by a set of revised definition updates.

But not before causing trouble.

“In response to our inquiries, McAfee issued a statement apologising for the snafu, which it said affected only a ‘limited number’ of customers,” adds El Reg.

McAfee, which recently flagged actress Jessica Biel as a Threat to the Net, still owes p2pnet an unknown amount of money for using us in its advertising waffle without our permission, at the same time falsely claiming p2pnet is a, “distributor of downloads some people consider adware, spyware or other potentially unwanted programs”.

Mind you, it’s been saying that for years and isn’t showing any inclination to put things right.

Or to pay us.

Follow p2pnet on Twitter.

The Register – McAfee false alert snares innocent JavaScript files, September 4, 2009
Threat to the Net – McAfee shock-horror Jessica Biel report !,  August 25, 2009
saying that for years – McAfee targets p2pnet. Again., August 28, 2008

With that in mind, Dino Dai Zovi (right), a security researcher and co-author of “The Mac Hacker’s Handbook,” told attendees at the Black Hat security conference in Las Vegas he’d found a way to take control of Apple computers, “and steal data that is scrambled to protect it from identity thieves,” says the story.

It’s being call “Machiavelli” and works solely on machines that’ve already been compromised, “such as ones attacked with pirated software,” says redOrbit.

Machiavelli can, “take over Apple’s Safari browser and use passwords for financial accounts and encrypted data on bank statements,” it says.

“There is no magic fairy dust protecting Macs,” the story has Dai Zovi stating.

“They are advancing. Our concern is that they are just not advancing as fast as they are gaining market share,” it has Charlie Miller, co-author of “The Mac Hacker’s Handbook,” noting.

“The authors claim that the Mac operating system will be significantly easier to compromise once hackers set their minds to do it,” says redOrbit, adding:

“The Mac system has many more codes than Windows, which means many more possible glitches that could be exploited.”

Follow p2pnet on Twitter.

Reuters – Mac flaw could let hackers get scrambled data, July 28, 2009
redOrbit – Flaw Could Open Apple Computers To Malicious Software, , July 39, 2009

After all, the point about good encryption software and the systems that surround it is that they provide a way to keep your secrets secret, while open government and the effective regulation of financial services would seem to require the widest possible dissemination of all sorts of operational data, from MPs expenses to bank investment portfolios.

And once something is on a website, in an email or available for inspection through a published program interface then it is no longer secret, however well the copy on your internal network might be protected.

Phil Dunkelberger, CEO of encryption specialists PGP Corporation, believes that openness and secrecy are actually two sides of the same coin, and that the fundamental question concerns the ways organisations and individuals manage their data so that they can decide on policies for disclosure and stick to them.

He also thinks that the best way to make companies and businesses take data security seriously is to make them aware of just how much it costs them when they are careless, which is why PGP sponsors the independent Ponemon Institute  to produce an authoritative survey of how companies use encryption, how many data breaches they suffer and how much it costs them.

Dunkelberger was in London this week to launch the latest report on the UK data breaches, which found that 70% of UK organisations have had at least one incident in the past year, with public sector respondents admitting to an average of 4.5 breaches per organisation.

Separate research by Ponemon estimates that the average cost of incidents is £60 per record lost or £1.7 million per organisation, and of course the wider impact on people’s lives as they have to change bank details or clear their credit records is also significant.

Over half of the data breaches that feature in the Ponemon report were caused by staff error, with people losing computers or data storage devices, deliberately breaking procedures because they did not understand their importance, or simply making mistakes that the systems developers had not anticipated.

Whatever its flaws, computerised data processing is not going to go away, and the proliferation of mobile devices, portable data storage and online access means that the problem of data leakage is not going to go away either.

And recent moves towards more openness between organisations and more transparency in both public and private sectors makes it impossible to simply lock the data up in a corporate vault, however well-constructed.

The tension between openness and security has always existed, and modern technologies do not change the fundamental reality that once a secret is shared then it is less of a secret.

The best way to keep a computer secure is to disconnect it from the network and unplug the power, but this also makes it rather less useful, so any sensible data management policy has to accept that perfect security is not possible and have procedures to mitigate the impact of the inevitable leaks and failures.

A good system  should also allow for effective disclosure. A proper MPs expenses system would not have relied on scanned receipts, released as thousands of pages of PDF files with potentially sensitive data blacked out by hand, but have been built around a database in which all data was stored, cross-referenced to original documents for verification.

Releasing the expenses data would then only have required changing the permissions on a few database tables.

Of course, explaining this to MPs would have taken a lot of effort, because few of our elected representatives have any background in computing or any real understanding of the principles of systems thinking.

We can’t be too hard on MPs. Data security is a complex area that involves hard mathematics and complicated software and requires an ability to think clearly about the interrelationships between multiple overlapping systems, only some of which are computer-based, and few us have the necessary training to do this.

But if we are going to have a network society that relies on computer-based systems then everyone needs to understand how those systems operate and how they are put together.  Just as a democracy can only really function if the citizens are actively engaged in the decision-making process and not merely turing out to vote every few years, a wired world needs people who appreciate what is being done in their name.

At last weekend’s OpenTech conference I talked yet again about the growing divide between the geeks, who can code and know about computers, and the users who simply take what systems they are offered and work with them.

OpenTech was a conference about getting things done, not just talking about it, so we decided that every new member of parliament elected at the next General Election should be taught the basics of programming, so that when they come to vote on expensive IT systems they at least know how computers work.

We might even persuade them all to use encryption sensibly on their office computers, laptops and phones, and to use digital signatures for their emails.

It may be a small start, but it would be a start. And once MPs are doing data security properly it might offer a good model for the rest of us.
Follow p2pnet on Twitter.

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

July, 2009

Provincial privacy commissioner Frank Work made the “dire diagnosis” as police were investigating, “how someone hacked into the Alberta Health Services computer system in Edmonton and had a chance to view and photograph the medical files of 11,582 people,” says the Edmonton Sun.

Compromised data included names, addresses, health-care numbers, lab test results and diagnoses, the story has officials saying.

“I’m very worried,” said Work, who’s, “awaiting forensic results from AHS information systems experts that might determine how the security breach could have happened”.

Electronic medical records were exposed from May 14-29, “”after an attack by new variations of a Trojan-horse-style virus called Coreflood and Coreflood.C that could have come in via an e-mail, a laptop or other device,” the story quotes Bill Trafford,  AHS senior VP and CIO discerning.

“Trafford admitted those forms of viruses have been circulating for several years but new variations can essentially be tweaked to beat the most up-to-date anti-virus software,” the Sun says.

Coreflood infected only the Edmonton network, “but patient files from anywhere in Alberta may have been affected,” says AHS spokeswoman Shannon Evans in the Calgary Herald.

Evans said the virus worked by taking sporadic screen shots of infected computers.

“So say somebody was looking at a Word document, it might have taken a screen shot of that and then that data would be uploaded to a server outside the AHS network,” she said.

People with concerns can contact 1-877-583-9977.

Follow p2pnet on Twitter.

Edmonton Sun – Privacy breach shocker, July 9, 2009
Calgary Herald – Files at risk after virus infects Alberta Health computer, July 8, 2009

Early reports indicate that hackers have penetrated the T-Mobile U.S. network and stolen proprietary operating data, customer databases and financial records. According to a post on insecure.org, the hackers have claimed to be auctioning the pilfered data to the highest bidder. T-Mobile competitors, they say, turned them down.

In an update, “T-Mobile says it’s aware of the alleged breach of its network security, as reported in an email to insecure.org over the weekend”.

Additionally, says Marc, “Hackers offer T-Mobile data and documents to the highest bidder: http://www.information-age.com/channels/security-and-continuity/news/1050817/hackers-offer-tmobile-data-and-documents-to-the-highest-bidder.thtml Email from the alleged hackers: http://seclists.org/fulldisclosure/2009/Jun/0062.html and an update here http://www.theregister.co.uk/2009/06/08/tmobile_us_loss

“Hackers claim to have stolen all T-Mobile US’s corporate data, customer accounts, network infrastructure – the whole lot,” says Marc, adding:

“Happy Monday.”

Follow p2pnet on Twitter.

June, 2009

It was a 267-page draft, “intended as a formal declaration to the International Atomic Energy Agency as part of U.S. obligations under the nuclear Non-Proliferation Treaty,” says the Washington Post.

It contained descriptions of sensitive civilian sites, including the locations of facilities that store enriched uranium and other materials used in nuclear weapons.

Inquiries by news organizations, “prompted its hasty removal,” says the story, noting the document, first reported by the Secrecy News blog, was available for about 24 hours on a, “Government Printing Office Web”.

“Nuclear experts said it was theoretically possible that the document could benefit terrorists contemplating an attack on one of the facilities,” says the story, adding:

“Still, because the information was unclassified and most of it is publicly available through other sources, the release generally was deemed more embarrassing than harmful.”

Follow p2pnet on Twitter.

Washington Post – List of U.S. Nuclear Sites Inadvertently Posted Online, June 3, 2009

It features “defense analyst’ Daniel Ragoza as he, “investigates intrusions into military and contractors’ networks”.

Would someone such as Daniel have fingered Gary McKinnon, the UK hacker who, looking for material on UFOs, penetrated US systems, and who’s now  fighting extradition to America? (And isn’t that a Darth Vadar look-alike on the screen?)

Be that as it may, the Obama government cyber cop will have, “broad authority to develop strategy to protect the nation’s government-run and private computer networks, according to people who have been briefed on the plan,” says the Washington Post, going on:

“The adviser will have the most comprehensive mandate granted to such an official to date and will probably be a member of the National Security Council but will report to the national security adviser as well as the senior White House economic adviser, said the sources, who spoke on the condition of anonymity because the deliberations are not final.”

The announcement will coincide with the release of a report evaluating US “cybersecurity initiatives and policies,” says the story.

“The report recommends that members be appointed to the Privacy and Civil Liberties Oversight Board, an independent executive branch agency created by Congress in 2007 to ensure that privacy concerns are considered in the implementation of counterterrorism policies and laws.”

Interim White House cybersecurity adviser and former intelligence official Melissa Hathaway is a contender for the new position, adds the story.

Follow p2pnet on Twitter.

Washington Post – Obama Set to Create A Cybersecurity Czar With Broad Mandate, May 26, 2009
Gary McKinnon – New Gary McKinnon petition online, May 17, 2009

And he says so 0n on the official Privacy Commissioner of Canada blog.

Why?

Because until recently, identity theft on Twitter, “seemed to be limited to pranksters impersonating celebrities, the most famous being a fake Tina Fey who, according to rumour, even got a laugh out of Tina Fey herself,” says the post.

Now, however, even the non-famous are the targets of the latest identity theft scam, it says, pointing to a PC World story which explains »»»

To find your “porn name” you are asked to take the name of your first pet, and combine it with the street you grew up on or your mother’s maiden name. Silly, sure. But look more closely: All of these are common security questions.

By playing the game, “you could be revealing private information that Web scoundrels could potentially use to access your online accounts and bank information.”

According to Graham Cluley on UK security firm Sophos, porn star name game names are a very big deal with hackers looking for marks.

There’s been a “major trend for users of the Twitter website to Tweet their porn star names,” to the joy of  identity thieves looking to harpoon user data.

But, “although Twitter has warned people not to post personal details to the #twitterpornnames hashtag, or indeed elsewhere on Twitter, it seems there is little that can be done to persuade some people,” says Cluley.

Follow p2pnet on Twitter.

blog – It’s all fun and games until someone brings up FiFi, May 12, 2009
PC World – Security Alert: Twitter Porn Names Scam, May 12, 2009
Sophos – Graham Cluley’s blog, May 12, 2009

Microsoft is, strangely, “disappointed”.

The anti-piracy app vendor, Uniloc, was awarded $388 million, says The Register.

Uniloc, “makes software that prevents the creation, distribution and use of unauthorized copies of software,” says the IDG News Service.

“The company had accused Microsoft of infringing on a patent in the anti-piracy software registration system Microsoft uses as part of its product activation system.”

Redmond is “disappointed with the verdict and added it planned to appeal,” says El Reg.

Uniloc targeted Microsoft’s Windows XP operating system and some Office programs, says the San Jose Mercury News.

Microsoft argued it used a different method for registering software and that Uniloc’s patent was invalid, says the story, adding:

“The $388 million equals about eight days of profit for the company, based on fiscal second-quarter net income of $4.17 billion on sales of $16.6 billion.”

The Register – Microsoft ordered to pay $388m patent infringement damages, April 9, 2009
IDG News Service – Jury Awards $388 Million in Microsoft Patent Violation Case, April 8, 2009
San Jose Mercury News -  Microsoft told to pay $388 million over piracy patent, April 8, 2009

restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.

The Australian government is trying desperately to take a page out of Communist China’s book by trying to impose China-style censorship on its citizens.

And yet the Oz ignoble leader Kevin Rudd is reportedly upset because when he recently visited China (for a few tips, maybe?) Chinese spies repeatedly tried to, “infiltrate prime ministerial email and mobile phone communications,” says The Australian, going on »»»

“The Australian understands Mr Rudd and his travelling party were under constant cyber attack during his latest trip to China, in August last year, with authorities trying to access the laptop computers and mobile phones used by the Australians.”

The blatant nature of Beijing’s electronic espionage is understood to have alarmed the Rudd Government and led to a further tightening of communications security procedures for senior government figures travelling to China.

Intelligence sources said Beijing had also made repeated attempts to break into government and business IT networks, as well as foreign embassies based in Canberra.

Last week, the Government blocked Chinese-owned Minmetals from acquiring the Prominent Hill mine in South Australia as part of its $2.6billion bid for OZ Minerals, citing national security concerns because of its proximity to the Woomera weapons testing range.

Security experts, “observe that Australian government defence and security agencies are also a prime target for Beijing’s cyber espionage because of the closeness of the US alliance and the extremely close defence partnership with Washington,” says the story, adding:

“Since 2001, Australian military and intelligence co-operation with the US has grown closer than ever and Australian agencies are gaining unprecedented access to US defence planning.”

China-style censorship – Australian censor plan a ‘dead parrot’, March 24, 2009
The Australian – Chinese spies target PM Kevin Rudd’s email, Aprilm3, 2009

restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.

Well, tomorrow is C Day when another virus will supposedly wreak havoc online.

It’s called the April Fool virus, or the Conficker C worm, sometimes misspelled Conflicker or Confickr.

The first A variant was detected in October 2008, “taking advantage of previously unknown vulnerability in a Microsoft operating system that has subsequently been patched,” says the Canadian Internet Registration Authority (CIRA), represents anyone with a .ca domain.

Then came a “stronger and more robust” version, Conficker B, unique because of the, “number of tricks that have been incorporated into its design and the degree to which it has been able to spread”.

“In early March, a third variant, Conficker C, appeared,” says the CIRA, going on:

“Whereas Conficker B generated a daily list of 250 new domains to connect to in search of a command and control file, this latest variant will begin on April 1 generating a daily list of 50,000 country-code domains in which these files could be hidden. These names are drawn from 110 country-code domains, including the Canadian extension dot-ca.

“Without a clear idea of the motive behind the creation of the worm and its variants, or the actions the botnet will take, Conficker is being regarded as a potential threat to Internet infrastructure around the world.”

Looks bad. So, after tomorrow, will we have to start using carrier pigeons to communicate with each other?

We’ll soon see and while we wait, it’s God’s gift to security firms.

Even McAfee.

They’re churning out Conficker-inspired PR puffs like there’s no tomorrow, many of them producing patches they say will protect people against Conficker Conflicts.

But April 1?

Forget that.

It’s already bitten into the UK government IT system, “joining millions of others who have fallen victim to it,” says infopackets, going on, “An email sent to MPs, lords and their staff revealed that parliament’s IT network appears to be completely unsecured.

“The Conficker/Downadup worm has been in circulation since November 2008 and a patch is available from Microsoft that fixes it. The fact that parliament’s systems have become infected indicates that their anti-virus software, if there is any, hasn’t been updated since last year and could be vulnerable to other attacks.”

However, “there’s lots of shoddy analysis to go around,” writes George Hulme in InformationWeek, going on to quote the  CBC as saying in Conficker: world’s greatest April Fool’s joke or ‘digital Pearl Harbor’? »»»

Airplanes won’t fall out of the sky, and your banking information is probably safe, says John Leishman, of Geeks on the Way, a North American computer-troubleshooting company based in Calgary.

“We used to dread when a new virus came out,” Leishman told CBCNews.ca. “Our phones were overrun. Even though it was our business, it wasn’t good for long-term corporate relations.”

During those bad old days of viral infections, truly nasty things happened, he said. Computers were shut down, systems hacked, data wiped out.

“Now it’s more ego driven, rather than maliciously driven,” said Leishman. Data is no longer lost the way it used to be, because so many computer users have become wiser and anti-viral software better.

“What pile of obsolete CRTs has this guy been sleeping under?” – Hulme wonders, continuing »»»

First, Conficker.C is more of a threat to Web sites, corporate networks, and other Internet-networked services than individual PCs. These botnets are designed, generally, to spew Spam or shoot so much traffic as to interrupt the availability of networks or Web sites in distributed denial of service attacks. Especially in this case, the end user systems are targeted only as a means to an end: they are not the end goal.

Second, renting these botnets is big business in the underground. Botnet owners rent their ability to send spam. And, it is apparently profitable.

Third, many of the major worms: Code Red, SQL Slammer, Blaster didn’t destroy anything (except availability) in their wake. And, up until very recently, most “hacks” were performed by the curious and technically inclined to snoop on digital networks where they didn’t belong.

Today, malware is more crime driven than ever before. And by crime, I mean more than trespassing. I mean data theft, identity theft, spam, spyware, phishing attacks, credit card theft, etc.

Forth, and this is the most debatable point. I believe anti-virus has helped to reduce some classes of viruses: but this is not why data isn’t the target as was the case with such mass e-mailers as the ILOVEYOU virus of 2000. Data isn’t destroyed because spyware and worms that destroy data don’t propagate well, as they’re quickly identified. This flies against the need to be stealthy to be profitable.

Meanwhile, “I’ve been working with the Honeynet Project’s Tillmann Werner and Felix Leder, who have been digging into Conficker’s profile on the network,” blogs security researcher Dan Kaminsky, adding »»»

What we’ve found is pretty cool:  Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly.  You can literally ask a server if it’s infected with Conficker, and it will tell you.  Tillmann and Felix have their own proof of concept scanner [link broken - Jon], and with the help of Securosis‘ Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys.

We figured this out on Friday, and got code put together for Monday.  It’s been one heck of a weekend.

The technical details are not complicated — Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version — but I’ll let Tillmann and Felix describe this in full in their “Know Your Enemy” paper, due out any day now with all sorts of interesting observations about this annoying piece of code.  (We didn’t think it made sense to hold up the scanner while finishing up a few final edits on the paper.)

Click here for Microsoft on the subject.

Stay tuned.

»»»

wreak havoc online – Conficker C: poised to strike April 1, March 25, 2009
CIRA -  Backgrounder: The Conficker worm
Even McAfee – p2pnet to McAfee: Pay us what you owe!, March 29, 2009
infopackets – UK Parliament Network Latest Conficker Victim, March 30, 2009
InformationWeek – Conficker: Loathing the FUD and Misunderstanding, March 28, 2009
Dan Kaminsky – Taming Conficker, The Easy Way, March 30, 2009

p2pnet news view

China has been accused of, “using malicious software to infiltrate and take control of almost 1,300 computers in 103 countries, including those used in several foreign ministries, embassies and the private office of the exiled Tibetan politician,” says the story.

But, “This is purely another political issue that the West is trying to exaggerate,” it quotes Song Xiaojun, a Beijing-based strategy and military analyst as saying, going on:  “As China grows, some in the West are trying every opportunity to manufacture fears over China’s threat.”

The investigation, undertaken  by Information Warfare Monitor (IWM) Canada’s Secdev Group and the Munk Centre for International Studies at the University of Toronto, revealed GhostNet, said to have compromised, “Nato and foreign ministries, embassies, banks and news organisations across the world, as well as computers used by the Dalai Lama and Tibetan exiles,” says Times Online, going on»»»

Chinese hackers are thought to have targeted Western networks repeatedly. Computers at the Foreign and Commonwealth Office and other Whitehall departments were attacked from China in 2007. In the same year, Jonathan Evans, the MI5 Director-General, alerted 300 British businesses that they were under Chinese cyber-attack.

British intelligence chiefs have warned recently that China may have gained the capability effectively to shut down Britain by crippling its telecoms and utilities. Equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies, they said.

Psiphon freedom-of-choice software

At the bottom of every p2pnet story is, “Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.”  It’s been there for years and links to Psiphon freedom-of-choice software that, “gives citizens worldwide access to an open Internet,” as the site states, going on the  application was developed as a human rights software project by the Citizen Lab at the Munk Centre for International Studies.”

It’s also been shortlisted for the prestigious Freedom of Expression award in the The Economist New Media category, with the awards to be presented on April 21 in London.

But that’s far from the Munk Centre’s only contribution to online freedom, as this latest revelation makes clear.

States China Daily:

“The researchers, who were commissioned by the Dalai Lama to examine its computers for signs of bugging, said they had found the foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan had been targeted.

” ‘Cyber security has been a global issue, but this time those who see China as an emerging threat again have picked the subject as a new weapon,’ Zhu Feng, a professor with the school of international studies at Peking University, said.

A ‘targeted surveillance attack designed to collect actionable intelligence’

The title of the Information Warfare Monitor report is The snooping dragon: social-malware surveillance of the Tibetan movement .

By Shishir Nagaraja of the Information Trust Institute University of Illinois at Urbana-Champaign, and Ross Anderson of the Cambridge University Computer Laboratory, it says in its introduction [our paragraph breaks] »»»

In this note we document a case of malware-based electronic surveillance of a political organisation by the agents of a nation state. While malware attacks are not new, two aspects of this case make it worth serious study.

First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed.

Second, the modus operandi combined social phishing with high- grade malware.

This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective.

Few organisations outside the defence and intelligence sector could withstand such an attack, and al- though this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual.

This report is therefore of importance not just to companies who may attract the attention of government agencies, but to all organisations. As social-malware attacks spread, they are bound to target people such as accounts-payable and payroll sta who use computers to make payments.

Prevention will be hard. The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole.

Evolving practical low-cost defences against social-malware attacks will be a real challenge.

In conclusions, “we described how agents of the Chinese government compromised the computing infrastructure of the Office of His Holiness the Dalai Lama,” say Nagaraja and Ross, adding »»»

They used social phishing to install rootkits on a number of machines and then downloaded sensitive data. People in Tibet may have died as a result. The compromise was detected and dealt with, but its implications are sobering. It shows how diffcult it is to defend sensitive information against an opponent who uses social engineering techniques to install malware.

We have described this social malware attack here and considered its consequences. Although the attack we describe in this case study came from a major government, the techniques their agents used are available even to private individuals and are quite shockingly effective. In fact, neither of the two authors is confident that we could keep secrets on a network-connected machine that we used for our daily work in the face of determined interest from a capable motivated opponent. The necessary restrictions on online activity would not be consistent with effective academic work. Organisations that maintain sensitive information on network-attached computers and that may have such opponents had better think long and hard.

The implications are serious already for people and groups who may become the target of hostile state surveillance. In the medium term we predict that social malware will be used for fraud, and the typical company has really no defence against it. We expect that many crooks will get rich before effective countermeasures are widely deployed.

Stay tuned.

China Daily – Analysts dismiss ‘cyber spy’ claims, March 30, 2009
Times Online – Chinese hackers ‘using ghost network to control embassy computers’, March 30, 2009

If you can see the image below, you’ve just hacked Google Docs:

The above image should not be accessible to you.  It’s supposed to be embedded solely within a protected Google Docs document, which I have not shared. In fact, I’ve actually deleted that document.  It shouldn’t even exist anymore.  Yet here you are, viewing my precious picture in all its glory, nakedly served by Google servers,  outside of the protective Docs environment.

Is this a neat hack? Or is there more to it – a lot more, perhaps?

The latter, says peekay.

At the end of his post, “Note,” he says, “These findings are based upon my investigations stemming from Issue #1 above.  I disclosed this particular issue to Google on March 18.  I tend to follow rfpuppy’s Full Disclosure Policy and so waited five business days for Google to comment.  I’ve yet received any response from Google other than the usual automated, canned reply (which I don’t consider a real response.)”

Google responds on its blog, but first, what’s all the fuss about?

With a “massive blunder on Google’s part,” as TechCrunch described in in the background, problems – three of them – are summarised like this, says peekay:

1. No protection for embedded images
2. File revision flashback
3. I’ll help myself to your Docs, thanks

The issue revealed by TechCrunch was down to the fact a Google  failure meant the company had to send a notice to a, “number of users of its Document and Spreadsheets products stating that it may have inadvertently shared some of their documents with contacts who were never granted access to them”.

Google apologised “for the inconvenience that this issue may have caused,” saying it was,  “treating this issue with the highest priority”.

Of item #1, “embedded images are not protected by the sharing controls,” says peekay [the emphasis is his].

That, he goes on, “means anyone with access to the URL can view the image” and, “If you’ve shared a document containing embedded images with someone, that person will always be able to view those images

“Even after you’ve stopped sharing the document.

“Or as the image above demonstrates, even after you’ve deleted the document [docs.google.com/File?id=dtfqs27_1f3vfmkcz_b fore ther pic at the top].

Of item #2, “In Google Docs, a diagram is a set of instructions that’s rasterized into an image (in PNG format),” says peekay, but, “Each time you modify a diagram, a new raster image is created, but the old versions remain accessible via a URL, in the format: docs.google.com/drawings/image?id=1234&…&rev=23&ac=1 ”

To view a previous version, all you have to do is change the rev= number.

And last, but not least, under item #3, peekay adds »»»

So you learned your lesson from above, and stopped sharing your documents.  You’ve kicked everyone out from your Docs.  This negates the purpose of Docs somewhat, but you’d rather be safe than sorry.

Working solo, you happily add new ideas to your secret document, patting yourself on the back before you go on a well-deserved vacation.

Too bad while you’re sipping piña coladas on the beach, those same suppliers you’ve just kicked out have added themselves back [his emphasis] to your Docs and stealing your new ideas!  What?

It’s true.  Even if you unshare a document with a person, that person can in certain cases still access your document without your permission, a serious breach of privacy.  For now I’m withholding the mechanics of when/why/how this happens, pending further research and feedback from Google if any.

But, Not a problem, reckons Google, in effect, saying in its blog »»»

… a researcher publicly reported some concerns with Google Docs. At Google, we treat the privacy and integrity of our users’ data with the highest priority. We quickly investigated, and we believe that these concerns do not pose a significant security risk to our users.

Head on over to Google if you want details about why it says not to worry but meanwhile, as peekay says of item #2 »»»

It’s 4am and you’re been working all night on a document.   This document contains a Docs diagram, blueprinting that million-dollar-idea you have in your head.

You want to share this document with potential suppliers, but you don’t want to reveal all of your secrets just yet.   So you diligently redact the diagram, removing all the sensitive parts of the blueprints.  Satisfied that your idea is safe, you share the document (view-only).

Next thing you know, your idea has been stolen.  A Chinese company quickly ships knockoffs based on your complete blueprints.  What happened?

Unknown to you, anyone you shared the document with can view any version of any diagram [peekay's emphasis] embedded in the document.  The fact that you’ve deleted sensitive parts of the diagram doesn’t matter, because the viewer can see the older versions.

Says Google »»»

The second concern that the researcher raised is that viewers may be able to see revisions of drawings that are included in a document, using the new “Insert Drawing” feature. The ability for document collaborators to view revision history is a feature built into Docs. The ability to view past versions of the drawings is limited to authorized persons who have been given explicit access to the document with the embedded drawing. We may consider explicitly preventing viewers from accessing drawing revisions. For now, if document owners decide they don’t want viewers to have access to their revisions, they can simply make a new copy of the document (from the File menu) and share that new version. The revision history of both the document and all embedded drawings is removed in copies of documents.

At the beginning of his post, “Update 3/26: I’m now in contact with Google Security,” says peekay, adding:

“Update 3/28: I’m aware of Google’s official response to the issues raised in this blog.  I am continuing to share my findings with Google Security and appreciate the excellent feedback they are providing me.  It would be premature for me to provide further comment at this time.”

Adds Google, “We have begun adding more documentation in the Help Center here and here to describe in more detail the functions related to each concern. We are also exploring alternative design options that might further address the concerns.”

Stay tuned.

peekay – Security issues with Google Docs, March 26, 2009
TechCrunch – Google Privacy Blunder Shares Your Docs Without Permission, March 7, 2009

And it’s been doing it for years.

McAfee, a, “company which seems to spend as much time coming up with creative data interpretation as it does safeguarding our computers,” suggests 18% of searches on Brad Pitt, “led to malware infested websites,” observed techradar.com in 2008.

The news came in its second annual list of the “riskiest celebrities” on the Net.

Every once in a while I get an email from someone telling me McAfee has defamed p2pnet as a “distributor of downloads some people consider adware, spyware or other potentially unwanted programs”.

That’s total, self-serving McAfee crap. p2pnet never has, and never will, distributed malware, or anything even remotely like it.

In fact, as McAfee itself admits, “In our tests, we found downloads on this site were free of adware, spyware, and other potentially unwanted programs.”

And yet this morning »»»

WARNING – 127.0.0.1 – Submitted on 2009/03/29 at 11:14am

WARNIGN [sic] TO EVERYONE – P2PNET IS A MALWARE SITE

MCAFEE http://www.siteadvisor.com/sites/p2pnet.net – When we tested this site we found links to antispyware.com, which we found to be a distributor of downloads some people consider adware, spyware or other potentially unwanted programs.

I deleted this Reader’s Write [http://www.p2pnet.net/story/16394/comment-page-1#comment-970545] which’d appeared under an old story from July 5 last year.

p2pnet as McAfee advertising vehicle

McAfee’s SiteAdvisor has for years been offering Automated Web Safety Testing Results for p2pnet.net.

I’d laugh, but unfortunately, some people who can’t see any further than their noses are sucked in by this arrant McAfee nonsense.

It’s been using p2pnet to promote the McAfee SiteAdvisor ’service’.

But now it’s also hijacked p2pnet to advertise something it’s calling ‘McAfee SECURE shopping’ which is no more than a tacky come-on for sites peddling “Clothing & Accessories; Collectibles & Art;,Food & Wine; Health & Beauty; Home & Garden,” all of which McAfee assures us have passed “daily tests to help protect against identity theft”.

Anyone who visits any of the advertisers, who’ve paid McAfee good money to be linked indirectly to p2pnet, had better hope it’s more effective than the McAfee  SiteAdvisor.

All kinds of perils and dangerous links

Visit the the McAfee  SiteAdvisor for p2pnet the first time and you could be forgiven for thinking there really is something terribly wrong.

It’s fearsome with big Red Xs, red lettering in boldface, charts which, unless you look at them closely, seem to suggest all kinds of perils and dangerous links.

And when you scroll further down the page, you can’t miss a bunch of  ‘warnings,’ each with a red-for-danger icon, posted by ‘reviewers’ such as this from the first one:

“P2P Sites period are no good that includes this one. Recommendations: DO NOT VISIT THIS SITE OR GO NEAR IT IF ANOTHER SITE USES THIS SITE FOR ANY PURPOSES DON’T USE THAT SITE EITHER!”

There are eight of these, all of them of similarly erudite and clearly written by security experts.

Not.

There are, however, 16 positive mentions, only two of which are included in this list of ‘warnings’.

And by way of an update [2:00 pm Pacific, March 29], “Mcafee’s own TOP RANKED site advisor/reviewer ‘dean’ even says siteadvisor is a total waste and gives users a false sense of security that is outright dangerous,” says a Reader’s Write.

It links to the post below which, under Bad shopping experience, states »»»

This is no way that I can, in good conscience, recommend SiteAdvisor. Lately, the proliferation of green ratings for sites that distribute well-documented rogue software or obvious scams leave me no choice. It is downright dangerous to depend on SiteAdvisor’s ratings.

The web site remains useful, so that you can look up what others are saying. But the ratings are, in many cases, bogus. Thus, don’t even bother considering the purchase of SiteAdvisor Plus. It would be a complete waste of money. Even the free version, which I formerly recommended to many friends is not worth the effort. Why install software that is purposefully misleading?

At least if ratings on questionable were in the “unrated” stage, one could reasonably conclude that caution should be exercised. However, SiteAdvisor has gotten into the habit of slapping green ratings on just about any site, willy-nilly, including the following scams:

http://www.siteadvisor.com/sites/best-paid-survey-sites.com
http://www.siteadvisor.com/sites/bestpaidsurveyaround.com
http://www.siteadvisor.com/sites/cash-4-survey.com
http://www.siteadvisor.com/sites/cash-for-survey.com
http://www.siteadvisor.com/sites/cash4survey-scam-review.com
http://www.siteadvisor.com/sites/cash4surveyscamreview.com
http://www.siteadvisor.com/sites/officialpaidsurvey.com
http://www.siteadvisor.com/sites/www-bestsurveys.com
http://www.siteadvisor.com/sites/www-paidsurveyreviews.com
http://www.siteadvisor.com/sites/www-top-paid-surveys.com
http://www.siteadvisor.com/sites/paid-survey-scam-busters.com
http://www.siteadvisor.com/sites/surveyabsolute.com

Be sure to stop by these review pages and tell them what you think of their ratings of sites that promote obvious scams. Also see my previous review.

Meanwhile,  the greater majority of the p2pnet ‘reviews,’ both for and against, were posted  three years ago. The most recent one (quoted three sentences up) arrived in April last year.

Rogue application AntiSpyware XP

Both McAfee and the comment poster cited earlier name Antispyware.com – a long-time supporter of p2pnet – as a “distributor of downloads some people consider adware, spyware or other potentially unwanted programs,” but, “It is NOT a scam app,” I posted in p2pnet a couple of months back.

There is, though, a rogue application called AntiSpyware XP, or XP AntiSpyware, which, “redirects the user to a fake/scare scan page of the infamous XP AntiSpyware /XP AntiVirus rogue security applications,” I quoted Bharath’s Security Blog” as saying.

“The WinSoftware, Inc aka LocusSoftware Inc aka Innovative Marketing is behind this scam,”  its stated unequivocally.

“They are using many sites to redirect the users to their fake/scare scan pages.”

XP AntiSpyware even rips off the genuine AntiSpyware logo.

The AntiSpyware XP people change their active scam site all the time, says Bharath, adding:

“The site XPDownloadings.com works as a repository for the rogue installers while the XP-Antivirus.com site is used for payment processing.

“The scammers also avails a user to sign up for an upgrade to “File Shredder 2008” FileShredder2008.com, which is again a crapware they are exploiting Lavasoft’s application name ‘File Shredder’.”

And there are lots of other references to AntiSpyware XP, or XP AntiSpyware.

So, McAfee, when are you going to:

• Pay me the money you owe me for using p2pnet to promote your ‘product’?
• Make a formal public apology for wrongly listing p2pnet as a dangerous site?

Over to you …

Jon Newton – p2pnet

McAfee’s Blubster deal – May 29, 2007
McAfee adamant! p2pnet stays Red! – June 1, 2007
McAfee targets p2pnet. Again – August 28, 2008
Looking for a lawyer: p2pnet v McAfee – August 30, 2008
McAfee shock-horror Brad Pitt report - September 17, 2008
AntiSpyware vs AntiSpyware XP – January 12, 2009

March, 2009