Paul Hardwick: Software

PC World - Vista's UAC Warnings Can't Be Trusted, Symantec Says

Fri, 02 Mar 2007 03:19:06 GMT

Windows Vista's User Account Control (UAC), a system that Microsoft says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, a Symantec researcher said on Wednesday.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry Tuesday to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.

Tricking Vista's UAC To Hide Malware.

Fri, 02 Mar 2007 03:14:53 GMT

Tricking Vista's UAC To Hide Malware. Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself. [Slashdot]

Windows for Warships nears frontline service | The Register

Fri, 02 Mar 2007 03:07:50 GMT

The Type 45 destroyers now being launched will run Windows for Warships: and that's not all. The attack submarine Torbay has been retrofitted with Microsoft-based command systems, and as time goes by the rest of the British submarine fleet will get the same treatment, including the Vanguard class (V class). The V boats carry the UK's nuclear weapons and are armed with Trident ICBMs, tipped with multiple H-bomb warheads.

All this raises a number of worrying issues. First up is basic reliability and usability. Most of us have stared in helpless despair at the dreaded blue screen; how much worse would you feel if that wasn't just your desktop gone but your combat display, and it really was the screen of death?

Windows For Warships Nearly Ready.

Fri, 02 Mar 2007 02:59:26 GMT

Windows For Warships Nearly Ready. mattaw writes "The Register is carrying the sanest and balanced article on Windows deployment in UK warships that I have read to date in the public domain. As an ex-naval bod myself we have long considered that this is potentially a REAL problem. The main issues are the huge amount of unrelated code that is imported with the kernel and the need for incredibly fast response times." [Slashdot]

Solaris Worm Blasts Way Through Operating System.

Fri, 02 Mar 2007 02:02:48 GMT

Solaris Worm Blasts Way Through Operating System. "Hi, I'm Casper, I am a bored Sun developer and I wrote this piece of code." [GT: Security and Privacy]

Malware Adopts Disguises in Attempt to Dupe IT Defenses.

Fri, 02 Mar 2007 01:55:38 GMT

Malware Adopts Disguises in Attempt to Dupe IT Defenses. Top ten threats and hoaxes reported in February 2007. [GT: Security and Privacy]

MPAA Fires Back at AACS Decryption Utility.

Fri, 02 Mar 2007 00:43:21 GMT

MPAA Fires Back at AACS Decryption Utility. RulerOf writes "The AACS Decryption utility released this past December known as BackupHDDVD originally authored by Muslix64 of the Doom9 forums has received its first official DMCA Takedown Notice. It has been widely speculated that the utility itself was not an infringing piece of software due to the fact that it is merely "a textbook implementation of AACS," written with the help of documents publicly available at the AACS LA's website, and that the AACS Volume Unique Keys that the end user isn't supposed to have access to are in fact the infringing content, but it appears that such is not the case." --- From the thread "...you must input keys and then it will decrypt the encrypted content. If this is the case, than according to the language of the DMCA it does sound like it is infringing. Section 1201(a) says that it is an infringement to "circumvent a technological measure." The phrase, "circumvent a technological measure" is defined as "descramb(ling) a scrambled work or decrypt(ing) an encrypted work, ... without the authority of the copyright owner." If BackupHDDVD does in fact decrypt encrypted content than per the DMCA it needs a license to do that." [Slashdot: Your Rights Online]

Microsoft Tackles 'False Positives' in Antipiracy Tool.

Wed, 28 Feb 2007 23:12:38 GMT

Microsoft Tackles 'False Positives' in Antipiracy Tool. Windows Genuine Advantage Notifications is revised to cut customers some slack after erroneous reports. [PC World: Latest Technology News]

Symantec: Vista Fairly Secure but Still Full of Holes.

Wed, 28 Feb 2007 23:09:10 GMT

Symantec: Vista Fairly Secure but Still Full of Holes. There are still many ways attackers can exploit Windows Vista and leave users open to threats, according to a Symantec study. [PC World: Latest Technology News]

Windows Genuine Advantage's newest setting: "you might be a pirate"

Wed, 28 Feb 2007 01:28:12 GMT

Windows Genuine Advantage is an anti-piracy tool loathed by many, tolerated by some, and even appreciated by others. How you feel about it may depend in part on whether or not you've been caught in its snares: the "authentic software" validation tool is known to have falsely identified thousands of "pirated" Vista installs.

As Microsoft steps up its war against piracy, the company has decided to slightly nuance Windows Genuine Advantage (WGA). Rather than identify users as either in the clear or not, the company has added a third classification for users who set off some, but not all of WGA's undisclosed piracy-detection functionality. Users will now find that Windows XP installs are labeled as genuine, non-genuine or "not sure."

While Microsoft has not responded to requests for comment, it's quite obvious what is going on here: Microsoft has added "not sure" as a way of cutting down on the number of false positives associated with WGA. As many as one in five PCs were failing WGA checks, but this new setting should both reduce this and give Microsoft the chance to investigate further the kinds of things that are landing folks in the "not sure" category.

Although the Windows Genuine Advantage Notification tool is "optional," Microsoft is in the process of pushing out the tool as a "critical" and thus automatic update (affectionately dubbed WGA Notifications 1.7 KB905474). The update has been known about for over a month, but users are just now seeing it show up as a critical update to Windows XP.

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Windows Genuine Advantage Gets More Lenient.

Tue, 27 Feb 2007 21:37:02 GMT

Windows Genuine Advantage Gets More Lenient. Troglodyte writes in with word that Microsoft is revamping its Windows Genuine Advantage program so that it labels fewer users pirates. WGA now has a third category besides "genuine and "not genuine," called "not sure." Quoting: "[I]t's quite obvious what is going on here: Microsoft has added 'not sure' as a way of cutting down on the number of false positives associated with WGA. As many as one in five PCs were failing WGA checks, but this new setting should both reduce this and give Microsoft the chance to investigate further the kinds of things that are landing folks in the 'not sure' category." [Slashdot]

Migrating to Windows Vista: Recognize the Security Risks.

Tue, 27 Feb 2007 21:25:09 GMT

Migrating to Windows Vista: Recognize the Security Risks. (Source: Messagelabs) What are the security risks involved in migrating to Microsoft Vista? This white paper examines the implications in terms of messaging and web security which IT managers urgently need to consider. [Computerworld Privacy News]

Google Sharpens Malware Alerts for Webmasters.

Tue, 27 Feb 2007 21:14:00 GMT

Google Sharpens Malware Alerts for Webmasters. Google improves the way it notifies sites that they are afflicted with malware. [PC World: Latest Technology News]

Sarasota: Could a Bug Have Lost Votes?

Tue, 27 Feb 2007 21:10:24 GMT

Sarasota: Could a Bug Have Lost Votes?

At this point, we still don[base ']t know what caused the high undervote rate in Sarasota[base ']s Congressional election. [Background: 1, 2.] There are two theories. The State-commissioned study released last week argues that for the theory that a badly designed ballot caused many voters to not see that race and therefore not cast a vote.

Today I want to make the case for the other theory: that a malfunction or bug in the voting machines caused votes to be not recorded. The case sits on four pillars: (1) The postulated behavior is consistent with a common type of computer bug. (2) Similar bugs have been found in voting machines before. (3) The state-commissioned study would have been unlikely to find such a bug. (4) Studies of voting data show patterns that point to the bug theory.

[...]

Conclusion

What conclusion can we draw? Certainly we cannot say that a bug definitely caused undervotes. But we can say with confidence that the bug theory is still in the running, and needs to be considered alongside the ballot design theory as a possible cause of the Sarasota undervotes. If we want to get to the bottom of this, we need to investigate further, by looking more deeply into undervote patterns, and by examining the voting machine hardware and software.

Intelligent Enterprise Magazine: How a Smarter Database Can Protect Your Data

Mon, 26 Feb 2007 23:48:06 GMT

Firewalls, intrusion detection systems, authorization and authentication all have their place in securing the enterprise, but these technologies rarely plug a hole that has leaked millions of records with sensitive information since the well-publicized ChoicePoint breach about two years ago, according to the Privacy Rights Clearing House. Data inside a database that is protected by all of the above is still easy plunder for a legitimate user or a hacker successfully masquerading as one.

"The database isn't smart enough to care that you execute the same type of SQL query over one thousand times in a matter of seconds and walk away with a list of social security numbers," explains Noel Yuhanna, analyst with Forrester Re-search. "And the network doesn't care either; it just looks at packets, which may or may not contain the personal information of all your customers." What is lacking, according to Yuhanna, is an end-to-end security solution. Such a solution would be impressive as it would have to address security concerns from the network stack layer all the way up to the application layer. Nothing like that exists, currently, and IT managers would be ill advised to wait for it to materialize.

Surveillance Cameras Get Smarter - International Business Times

Mon, 26 Feb 2007 23:16:37 GMT

Look around - You might not be the only one watching. The never-blinking surveillance cameras, rapidly becoming a part of daily life in public and even private places, may be sizing you up as well. And they may soon get a lot smarter.

Researchers and security companies are developing cameras that not only watch the world but also interpret what they see. Soon, some cameras may be able to find unattended bags at airports, guess your height or analyze the way you walk to see if you are hiding something.

Most of the cameras widely used today are used as forensic tools to identify crooks after-the-fact. (Think grainy video on local TV news of convenience store robberies gone wrong.) But the latest breed, known as "intelligent video," could transform cameras from passive observers to eyes with brains, able to detect suspicious behavior and potentially prevent crime before it occurs.

Surveillance Cameras Get Smarter.

Mon, 26 Feb 2007 23:12:54 GMT

Surveillance Cameras Get Smarter. kog777 writes to mention that the IB Times is taking a look at where surveillance camera technology is headed. Soon researchers tell us that cameras will be available that not only record, but are able to interpret what they see. "The advancements have already been put to work. For example, cameras in Chicago and Washington can detect gunshots and alert police. Baltimore installed cameras that can play a recorded message and snap pictures of graffiti sprayers or illegal dumpers. In the commercial market, the gaming industry uses camera systems that can detect facial features, according to Bordes. Casinos use their vast banks of security cameras to hunt cheating gamblers who have been flagged before." [Slashdot: Your Rights Online]

Tor Open To Attack.

Mon, 26 Feb 2007 23:00:19 GMT

Tor Open To Attack. An anonymous reader writes "A group of researchers have written a paper that lays out an attack against Tor (PDF) in enough detail to cause Roger Dingledine a fair amount of heartburn. The essential avenue of attack is that Tor doesn't verify claims of uptime or bandwidth, allowing an attacker to advertise more than it need deliver, and thus draw traffic. If the attacker controls the entry and exit node and has decent clocks, then the attacker can link these together and trace someone through the network." [Slashdot: Your Rights Online]

The Importance of Securing AJAX Web Applications.

Mon, 26 Feb 2007 22:42:53 GMT

The Importance of Securing AJAX Web Applications. This paper, submitted by Acunetix, reviews AJAX technologies with specific reference to JavaScript and briefly documents the kinds of vulnerability classes that should raise security concerns among developers, website owners and the respective visitors. By Acunetix. [Infosec Writers Latest Security Papers]

Mozilla Plugs Firefox Security Holes.

Mon, 26 Feb 2007 22:33:13 GMT

Mozilla Plugs Firefox Security Holes.

Mozilla on Friday published software updates to fix a baker's dozen security and compatibility problems with its Firefox Web browser. The new version includes fixes for serious security flaws along with updates designed to make Firefox play nicer with Vista, Microsoft's new Windows operating system.

Users of supported versions 2.x and 1.5.x already should have received an alert that updates have been installed. If you haven't received one, you may be running an older, unsupported (and insecure) version of Firefox such as version 1.0.x. To check your version, click "Help" and then "About Firefox."

[Security Fix]

Fraudsters Declare War on Anti-Scam Services.

Sun, 25 Feb 2007 04:15:24 GMT

Fraudsters Declare War on Anti-Scam Services.

Spammers have been attacking and threatening several of the groups and individuals who have been performing some of the most important work in hobbling online scams, spam and computer viruses.

The SANS Internet Storm Center on Thursday found a piece of malicious code (called "sans.exe") designed to update a group of several thousand infected computers that SANS has been monitoring. The code includes text strings that suggest an attack on the center if two of its crime fighters don't stop interfering with his money-making spam operations. The message, in part, read:

"You better f*** off SANS.org especially that [SANS chief technology officer] Johannes Ullrich (phone and e-mail address deleted) and Kevin Hong (phone and e-mail address deleted). I really don't have anything against you, just piss off alright?" [sic]

"I guess we always felt like this [was] going to happen at some point," Ullrich said in an online chat with Security Fix this morning. "Adding taunts like this to their code isn't what you would expect from a professional criminal trying to stay low profile. [It] points to a more juvenile 'hooligan' mentality," than hardened cyber crook.

Last month, a number of anti-spam Web sites came under a sustained "distributed denial of service" (DDoS) attack, an electronic assault during which the attackers use thousands of compromised personal computers to overwhelm a target with so much bogus traffic that the PCs can't accommodate legitimate visitors.

The attacks were made possible by tens of thousands - perhaps millions - of computers infected by the recent e-mail virus known as the "Storm worm. The virus links all infected computers into a peer-to-peer data network using the same technology as the eDonkey file-sharing network. The attackers later instructed the networked machines to attack sites such as spam trackers Spamhaus and the personal Web site of Joe Stewart, the SecureWorks researcher who conducted some of the most detailed analysis of the Storm worm.

The Web sites for CastleCops -- an all-volunteer, online scam fighting community -- also have been under a consistent denial-of-service attack for the past couple of weeks. Its main site and user forum are not working again this morning. Security Fix has spotlighted the laudable work this volunteer group does in bringing down phishing Web sites and analyzing new malicious software.

CastleCops co-founder Robin Laudanski said the intermittent site shutdowns have been inconvenient, but added that they have bolstered support for the group from within the security community.

"I take [the attacks] as a compliment because if we weren't putting a dent in the bad guys' pocketbooks, we wouldn't be getting attacked," Laudanski said. "It means we're being a pain, and that we're doing something right."

[Security Fix]

Second Google Desktop Attack Reported.

Sun, 25 Feb 2007 03:52:17 GMT

Second Google Desktop Attack Reported. Google Desktop is vulnerable to a Web-based attack that could give an attacker access to data indexed by the software, say security researchers. [PC World: Latest Technology News]

Mozilla Fixes Firefox Bugs.

Sun, 25 Feb 2007 03:48:10 GMT

Mozilla Fixes Firefox Bugs. An update to Firefox fixes a number of security flaws in the browser. [PC World: Latest Technology News]

Critical IE Graphics Flaw Resurfaces.

Fri, 23 Feb 2007 17:06:50 GMT

Critical IE Graphics Flaw Resurfaces. Plus: More Office holes, and a major Adobe problem that affects all browsers. [PC World: Latest Technology News]

Social Networks Key to 2008 Race.

Fri, 23 Feb 2007 16:51:14 GMT

Social Networks Key to 2008 Race. Social networking sites have changed the game for political candidates. [PC World: Latest Technology News]

Microsoft to Tighten Anti-Piracy Noose in Vista.

Thu, 22 Feb 2007 16:10:50 GMT

Microsoft to Tighten Anti-Piracy Noose in Vista.

In response to "overly optimistic" sales forecasts for its Vista operating system, Microsoft Corp. plans to "dial up" the anti-piracy technology built into this latest version of Windows. No doubt this move will boost Microsoft's sales to some degree, but if previous experience with Microsoft's anti-piracy methods in Windows XP is any indicator, this new effort is just as likely to alienate or anger many legitimate users.

CEO Steve Ballmer revealed the anti-piracy plans in a conference call with Wall Street financial analysts last week, according to this Computerworld article. "'One way Microsoft can bump up Windows sales is to tighten the screws on pirates,' Ballmer said. "Piracy reduction can be a source of Windows revenue growth, and I think we'll make some piracy improvements this year."

The Computerworld story says the expansion of the Windows Genuine Advantage plan is part of an effort to squeeze more revenue from China, India, Brazil, Russia and other emerging markets.

Online PC help forums are littered with reports from legitimate Windows users who have been errantly flagged as software pirates by Microsoft, so here's hoping that the company can iron out some of the kinks in its anti-piracy detection and reporting technology.

[Security Fix]

Serious Flaw in Google Desktop Prompts Patch.

Thu, 22 Feb 2007 16:06:04 GMT

Serious Flaw in Google Desktop Prompts Patch.

Search engine giant Google has issued an update for people running its powerful Desktop software. Researchers had demonstrated a potentially devastating security hole in the software that could allow bad guys to snoop on users' computers or even to install additional software.

For the uninitiated, Google Desktop is free software that sits on your computer and indexes your e-mail, chat conversations, documents and previous Web searches to make them easy to find. But according to a discovery last year by Waltham, Mass., security company Watchfire, attackers could hijack a user's sensitive data in older versions of the software.

This flaw appears to be quite dangerous, but the mechanics of it and the steps the bad guys would need to take seem complicated. Anyone who wants to learn more about this flaw should check out Watchfire's research paper here. There also is a longish video that provides a real-world example of how an attack could work.

I've always expected someone to discover a vulnerability like this. I've almost avoided installing the program entirely because of these concerns. But my need to quickly find files on my machine won out, as Microsoft's built-in Windows search capability is just too slow and ineffective. As Security Fix and others have noted, security is all about trade-offs. For the sake of productivity, this was one trade-off I was willing to make.

The good news is that Google has shipped an update to close this security hole. The bad news is that users may need to jump through a few hoops to get the new version.

I had some serious problems trying to update my installation of Google Desktop. No matter which option I tried, the program icon for Google Desktop in my Windows system tray stubbornly refused to respond. I had to dig into the Windows registry to find which version of the program I was running. According to Watchfire, any version of Google Desktop that is not version number 5.0.0701.30540 is vulnerable. The registry said my version was 3.2005.907.1757. I clearly needed to update.

I was surprised to discover that I already had an application called Google Updater installed. However, it clearly had not updated for me. When I tried to run it, the program kept producing an error message saying it could not continue. Appropriately, I "Googled" for clues to the origin of the error message. I followed advice on Google Groups to temporarily disable the anti-virus software on my machine and close any browser windows. Nothing seemed to work.

I ultimately had to completely reinstall Google Desktop and Google Updater. I then had to reboot to get the current version working properly. The latest version appears to have a function that will periodically check for and install updates as they are made available. I'm not sure whether the previous Google Updater had this option, and it isn't clear as to whether the new updater actually does what it says.

Users who have to update their Google Updater as I did may find that Google has bundled the new Updater into its "Google Pack." It seems Google is perpetually in beta phase: Earlier today, when I first visited the Google Pack page while the older, non-working version of Google Updater was installed, I had to uncheck several software options that were pre-enabled in Google Pack. This included Google Earth, Google Screensaver Pack and a six-month trial of Symantec anti-virus software. Now, after installing the latest Google Updater, when I revisit that same page, the Symantec option is gone and none of the items are pre-checked. Curiously enough, Google also is offering Adobe Reader 7, which as any avid Security Fix reader already knows, is dangerously out of date.

[Security Fix]

Ambiguity In Ajax Lockdown Framework.

Mon, 19 Feb 2007 21:47:00 GMT

Ambiguity In Ajax Lockdown Framework. Aditya Sood contributes this paper on some contradictions he has found against a framework that is based on the concept of fusing ajax applications with direct web remoting. By Aditya Sood. [Infosec Writers Latest Security Papers]

Half of pirated Vista is malware.

Mon, 19 Feb 2007 01:35:42 GMT

Half of pirated Vista is malware. You can't cheat an honest person, they say. Like generations of scammers before them, some malware writers are taking that "advice" to heart, releasing their Trojan software and keyloggers as "cracked" versions of Vista oon peer-to-peer service. Who's going to turn them in, after all -- a would-be pirate? [Computerworld Security News]

Firefox Flaw Could Let Attackers Change Cookies.

Mon, 19 Feb 2007 01:21:10 GMT

Firefox Flaw Could Let Attackers Change Cookies. Attackers could change the way Web sites are displayed and how they work. [eWEEK Security]

Handling False Positives and Creating Custom Rules.

Mon, 19 Feb 2007 01:08:40 GMT

Handling False Positives and Creating Custom Rules.

It is inevitable; you will run into some False Positive hits when using web application firewalls. This is not something that is unique to ModSecurity. All web application firewalls will generate false positives from time to time. The following information will help to guide you through the process of identifying, fixing, implementing and testing new custom rules to address false positives.

Every rule set can have false positive in new environments
False Positives happen with ModSecurity + the Core Rules mainly as a byproduct of the fact that the rules are [base "]generic[per thou] in nature. There is no way to know exactly what web application is going to be run behind it. That is why the Core Rules are geared towards blocking the known bad stuff and forcing some HTTP compliancy. This catches the vast majority of attacks.

Use DetectionOnly mode
Any new installation should initially use the log only Rule Set version or if no such version is available, set ModSecurity to Detection only using the SecRuleEngine DetectionOnly command. After running ModSecurity in a detection only mode for a while review the events generated and decide if any modification to the rule set should be made before moving to protection mode.

Don't be too hasty to remove a rule
Just because a particular rule is generating a false positive on your site does not mean that you should remove the rule entirely. Remember, these rules were created for a reason. They are intended to block a known attack. By removing this rule completely, you might expose your website to the very attack that the rule was created for. This would be the dreaded False Negative.

ModSecurity rules are open source
Thankfully, since ModSecurity[base ']s rules are open source, this allows you the capability to see exactly what the rule is matching on and also allows you to create your own rules. With closed-source rules, you can not verify what it is looking for so you really have no other option but to remove the offending rule.

[Web Security Blog]

AOL and OpenID: Where we are

Sun, 18 Feb 2007 23:59:33 GMT

It's not really a secret that AOL has been experimenting with OpenID. As I've said, I think that user-centric, interoperable identity is hugely important to enable the social experiences we're trying to provide. This is a work in progress, but things are coming along thanks to our authentication team's diligent effort. Here's where we are today:

Every AOL/AIM user now has at least one OpenID URI, http://openid.aol.com/<;sn>.
This experimental OpenID 1.1 Provider service is available now and we are conducting compatibility tests.
We're working with OpenID relying parties to resolve compatibility issues.
Our blogging platform has enabled basic OpenID 1.1 in beta, so every beta blog URI is also a basic OpenID identifier. (No Yadis yet.)
We don't yet accept OpenID identities within our products as a relying party, but we're actively working on it. That roll-out is likely to be gradual.
We are tracking the OpenID 2.0 standardization effort and plan to support it after it becomes final.

Update: Thanks for all the responses; I've posted a followup over on dev.aol.com.

MPAA Violates Another Software License.

Sun, 18 Feb 2007 23:45:13 GMT

MPAA Violates Another Software License. Patrick Robib, a blogger who wrote his own blogging engine called Forest Blog recently noticed that none other than the MPAA was using his work, and had completely violated his linkware license by removing all links back to the Forest Blog site, not crediting him in any way. The MPAA blog was using the Forest Blog software, but had completely stripped off his name, and links back to his site. He only found about it accidentally when he happened to visit the MPAA site. [Slashdot: Your Rights Online]

Scanning Ajax for XSS entry points.

Sun, 18 Feb 2007 23:36:31 GMT

Scanning Ajax for XSS entry points. This contribution from Shreeraj Shah, introduces one to a quick way to identify XSS entry points in an application. By Shreeraj Shah. [Infosec Writers Latest Security Papers]

Microsoft Warns of More Office Exploits.

Sun, 18 Feb 2007 20:01:36 GMT

Microsoft Warns of More Office Exploits.

Just days after Microsoft issued patches to plug some 20 security holes in its software, the software giant is warning users that bad guys are exploiting two more vulnerabilities in its Office product suite.

On Valentine's Day, Microsoft said it had received reports of a previously unknown flaw in Office 2000 and Office XP. Now, Symantec is reporting that there is a virus honing in on an unpatched PowerPoint bug. Microsoft has not confirmed that report.

We've seen this pattern before. Hackers wait until Microsoft issues its monthly batch of patches to start exploiting unpatched flaws that they've found or purchased from bug-finders. The hackers well know that they can exploit them for at least another four to eight weeks before Microsoft can offer a patch.

In early January, Security Fix published a study of critical patches Microsoft issued in 2006 for Office products. Those accounted for nearly half of all critical updates the company shipped last year. I predicted that Office would continue to be the company's Achilles heel this year, and so far that appears to be true. This latest PowerPoint bug could be the 14th critical security hole reported in Office this year. If it continues at this rate, Microsoft will have patched more than twice as many Office vulnerabilities by the end of this year than it did in all of 2006.

Be extremely cautious of opening e-mail attachments that you weren't expecting -- even if they appear to have been sent by someone you know and trust. If you harbor doubts about whether the sender really meant for you to click on an e-mail attachment, fire off a brief reply to confirm its validity before opening it.

[Security Fix]

Upgrade to Vista, Get More DRM.

Fri, 16 Feb 2007 19:02:51 GMT

Upgrade to Vista, Get More DRM. Watching "premium content" in Windows Vista requires users to play nice with Microsoft's built-in digital rights controls. In Monkey Bites. [Wired News: Top Stories]

QDN: The growing consensus behind OpenID

Fri, 16 Feb 2007 18:28:06 GMT

It's because of this that I'm so happy to see an initiative like OpenID succeeding. A few years ago, the idea of OpenID was floated by the inestimable Brad Fitzpatrick (the father of LiveJournal, now a Six Apart property) as a way for people to carry around virtual identity cards on the net, and to securely use those credentials as a way of demonstrating to others on the internet who they really are. Between then and now, OpenID's development has taken place out in the open, on mailing lists and wikis and web forums, and the result is a technology that Microsoft adopted last week and AOL has been quietly rolling out to its online service and instant messenger users for a few months now. That's a great adoption rate, and I'd like to think that it's because it's a technology that's sorely needed on today's web. I'm not naive enough to think that it's a salve to cure all the net's wounds -- for example, there's still work to be done to make sure that anonymous ID providers don't become the way spammers and miscreants get around the system -- but I'm hopefuly enough to recognize that OpenID might be one of the more important building blocks to us all being able to trust our online interactions just a bit more.

Apple Works To Stave Off Big Mac Attack.

Fri, 16 Feb 2007 15:54:56 GMT

Apple Works To Stave Off Big Mac Attack.

Apple Inc. on Thursday issued patches to plug five separate security holes in software included on its Mac OS X computers. Mac users can download the free updates through the Mac's built-in software update feature or directly from Apple downloads.

The five flaws were vulnerabilities identified in January as part of the controversial Month of Apple Bugs project. Among those addressed in this go-round's batch are bugs in iChat, Apple's built-in instant messaging software and Finder, the Mac's ubiquitous file-search capability.

Mac users hope that Apple soon will issue a remedy for the flaw the MoAB curators detailed in the software update function on Apple. That's the same program that the company uses to push security fixes to its customers. I've received a half dozen e-mails from Mac users wondering how to mitigate the threat from this particular flaw. By my count, Apple still has to address at least 15 Mac-specific vulnerabilities highlighted in the MoAB project. But it's not clear which, if any, of these flaws are serious.

While there are scant indications that any nefarious characters are busy exploiting the weaknesses noted by the MoAB crew, it might benefit Apple and their customers if the firm explained how users could minimize their exposure to any of these potentially serious vulnerabilities.

"It should be very interesting to see what security changes Apple institutes in OS X 10.5, and if they dedicate more resources to improving the base security of the operating system," said Gartner analyst Rich Mogull. "Now that Apple is becoming more of a target, they should take advantage of the opportunity to improve fundamental platform security before we start seeing more exploits in the wild."

[Security Fix]

E-Commerce News: Privacy: Web Privacy Group Certifies Safe Ad, Tracking Programs

Fri, 16 Feb 2007 01:57:16 GMT

TRUSTe, an organization that aims to safeguard the privacy of Web surfers, is providing certification to advertising or behavior-tracking software programs that it deems safe to download. "The Trusted Download Program represents another important step toward making downloadable software more transparent," said Ari Schwartz, deputy director of Center for Democracy and Technology.

EFF - miniLinks for 2007-02-13.

Thu, 15 Feb 2007 00:44:41 GMT

miniLinks for 2007-02-13.

Data Retention Bill Resurfaces in Congress
Europe's data-hoarding regulations slide west.

EMI Considers Dropping DRM
If true, Steve Jobs may get his dream.

Warner: Dropping DRM Is "Without Logic or Merit"
The majors remain stubbornly attached to the DRM status quo.

DVD Jon's Thoughts On Jobs' DRM Memo
DVD Jon takes a closer look at Steve Job's anti-DRM positions.

Internet Speakeasies Bypass Chinese Cyber-Cafe Ban
Chinese youth interpret prohibition as damage and route around it.

Skype Snoops Your BIOS as Part of DRM License Enforcement
"It is quite normal to look at indicators that uniquely identify the platform." Not when you're using a supposedly secure VoIP program, it's not.

File Sharing Has Negligible Effect on Album Sales
The lifestyles of German uploaders ingeniously used to examine the buying patterns of U.S. file-sharers in this Journal of Political Economy paper.

Tor: When Network Administrators Come Knocking
A professor stands his ground for Internet anonymity.

The Worst Consumer Privacy Infringers
A Bottom Ten of companies with the worst privacy policies.

Captain Copyright Says Goodbye
Vanquished with radioactive controversium.

Dancing Your Rights Away
A New York choreographer sends DMCA takedowns over the Electric Slide.

Towards Better International IP Laws
Coalition launches, invites participation in Internet Governance Forum (IGF) Dynamic Coalition on Access to Knowledge and Freedom of Expression.

[EFF: Deep Links]

New Hack Simplifies HD Video Copying.

Thu, 15 Feb 2007 00:26:52 GMT

New Hack Simplifies HD Video Copying. Hacker claims to have discovered cryptographic key that can circumvent copy restrictions on HD DVD and Blu-ray movies. [PC World: Latest Technology News]

U.S. Researchers Claim New System Kills Worm Outbreaks.

Thu, 15 Feb 2007 00:21:19 GMT

U.S. Researchers Claim New System Kills Worm Outbreaks. Technique claims to be able to stop Internet worms within milliseconds of an outbreak. [PC World: Latest Technology News]

Hacker, Microsoft duke it out over Vista design flaw | Zero Day | ZDNet.com

Wed, 14 Feb 2007 04:11:29 GMT

Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out -- from Microsoft officials -- that the default no-admin setting isn't even a security mechanism anymore.

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?," Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:Program Files and some keys under HKLMSoftware and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.

Slashdot | "Very Severe Hole" In Vista UAC Design

Wed, 14 Feb 2007 04:01:17 GMT

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."

Microsoft Releases Patches to Fix 20 Security Holes.

Wed, 14 Feb 2007 00:24:06 GMT

Microsoft Releases Patches to Fix 20 Security Holes.

Microsoft Corp. today issued a dozen software updates to plug at least 20 security holes in its Windows operating system and other software, including fixes for a number of vulnerabilities in Office that hackers are currently exploiting to hijack vulnerable PCs. Windows users can download the free updates by visiting Microsoft Update or by enabling automatic updates.

The company labeled half of the vulnerabilities "critical," its most severe rating. Critical security holes are those that bad guys could exploit to seize control over vulnerable machines without any action on the part of the user, or those that could be exploited just by convincing a user to click on a link in an e-mail, or visit a particular Web page.

Today's patch bundle addresses a total of eight separate vulnerabilities in different versions of Office, Word, Excel and PowerPoint, six of which are already being exploited by hackers, according to Microsoft. As usual, those most in danger are Office 2000 users. These users cannot download the updates through the usual Windows/Microsoft update site. Instead, Office 2000 users must scan their machine at Microsoft's Office Update site and apply any outstanding fixes listed there.

Regardless of which version of Office you are using (or whether you are running Office at all), be extremely careful about opening attachments in e-mails that you were not expecting -- even if they appear to come from someone you know.

Microsoft also issued updates to correct four flaws in most versions of its Internet Explorer Web browser, all of which earned a "critical" rating. Worse yet, instructions detailing how to exploit two of these IE flaws have already been posted online (one set of instructions dates back to Oct. 2006).

Another patch fixes a critical flaw in the way that Microsoft's security software scans portable document format files (.PDF -- Adobe Acrobat documents, for example) for malicious software. According to Microsoft, this bug affects Windows Live OneCare, Microsoft Antigen, Windows Defender, Windows Defender in Windows Vista, Microsoft Forefront Security for Exchange Server and Forefront Security for SharePoint.

Interestingly, Microsoft said it also is investigating new public reports of a potential vulnerability in both Windows Mobile Internet Explorer and Windows Mobile Pictures and Video -- applications built into most Microsoft Smartphone and PocketPC mobile phones.

There were other patches released today. Home users should not delay in applying these updates: Last month, hackers infiltrated the official Web site of Dolphins Stadium -- the site of Superbowl XLI -- and seeded it with a Trojan horse program that installed a password stealing program on Windows machines if users browsed to the site without having applied a patch that Microsoft issued just two weeks prior.

[Security Fix]

Microsoft Fixes Critical Flaw in Security Products.

Wed, 14 Feb 2007 00:09:20 GMT

Microsoft Fixes Critical Flaw in Security Products. Software patches include critical fixes for bugs in Microsoft Office and the scanning engine used by the company's security products. [PC World: Latest Technology News]

Three Minutes With Vista Security Guru Ben Fathi.

Mon, 12 Feb 2007 19:44:25 GMT

Three Minutes With Vista Security Guru Ben Fathi. Vista's bug count so far is OK with the Windows security manager. [PC World: Latest Technology News]

An American Idol for Crypto Geeks.

Mon, 12 Feb 2007 19:02:53 GMT

An American Idol for Crypto Geeks. The federal government is holding a competition for a new cryptographic hash function that will become the national standard. Really, this is exciting stuff. Commentary by Bruce Schneier. [Wired News: Security Blanket]

Pop-up Blocker Problem Found in Firefox.

Mon, 12 Feb 2007 02:52:32 GMT

Pop-up Blocker Problem Found in Firefox. Security analysts say a flaw in the pop-up blocker in the Firefox browser could allow an attacker to access local files. [PC World: Latest Technology News]

A Dozen Patches Expected From Microsoft Next Week.

Sat, 10 Feb 2007 22:53:44 GMT

A Dozen Patches Expected From Microsoft Next Week.

Microsoft Corp. said today that it plans to release at least a dozen patch bundles next Tuesday to plug security vulnerabilities in its Windows operating systems and other software.

This patch batch could wind up breaking records for the most number of vulnerabilities fixed in one go by the company, as each patch can and often does address multiple security flaws. Microsoft said most of them will address "critical" flaws -- security holes so serious that they could be exploited by an attacker or computer worm to take complete control over the affected computer with little or any action on the part of the user.

The company said it plans to release at least three patches to fix security problems in its Microsoft Office productivity suites. Currently, there are more than a half dozen unpatched Office flaws for which exploit code is already available online, and most of those are already being exploited for targeted attacks.

Interestingly, Microsoft noted that one of the critical patch bundles will address security flaws in Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, and Microsoft ForeFront -- Microsoft programs designed to defend Windows machines from spyware, viruses and worms.

As always, Security Fix will bring you the lowdown on these updates when Microsoft officially releases them on Tuesday.

[Security Fix]

Asking the Right Question: Penetration Testing vs. Vulnerability Analysis Tools, Which Is Best?

Sat, 10 Feb 2007 22:51:44 GMT

Asking the Right Question: Penetration Testing vs. Vulnerability Analysis Tools, Which Is Best? Dennis Hurst of Spi-Dynamics contirbutes this paper which discusses how penetration testing and assessments have matured and become more complex when dealing with web facing applications. By Dennis Hurst. [Infosec Writers Latest Security Papers]

Perils in Parallels? or Killing your Mac with windows?

Sat, 10 Feb 2007 22:48:18 GMT

Perils in Parallels?

Earlier this week Security Fix managed to install a new copy of Microsoft's Windows Vista Ultimate on top of Apple's Mac OS X operating system running on a Macbook Pro. I did this using Parallels, a powerful, free "virtual machine" program that lets users run two or more operating systems side by side at the same time.

When I went to behold the Frankenstein I'd created, I literally gasped when I realized that Vista now had complete access to read, write, or destroy files on my Mac's hard drive. The guest operating system -- in this case Vista -- has almost full run of the data on the underlying hard drive (the critical system files appear to be guarded). I later found a rather longish thread about this feature at the Parallels user forum.

In everything else, Parallels strikes me as an extremely powerful, elegant and useful application. But the Parallels people should change the default behavior of the software to disallow the sharing of directories between the operating systems by default. There may be more dangerous implications of this design: I am still in the process of monkeying around with different scenarios.

I found the whole situation to be rather ironic. After all, virtual machines, such as VMware, have been very popular among virus researchers because they typically were used to protect people from threats, not introduce new ones. Security researchers have long used virtual machines to execute malicious software in a controlled environment that can be reset back to its previous, pristine state with the push of a button.

In response, a number of online threats will check to see if they're being run in VMware or some other kind of virtual environment. If the answer is yes, those viruses or worms generally refuse to run, in an effort to escape analysis and live longer, undetected, in the wild.

This scenario with Parallels presents the opposite threat: Virus writers could, by default, simply begin to tell their creations to check whether they are being run in a Parallels virtual machine, and if so run some basic checks to see which operating system the host machine is running, and then drop appropriate malicious code in key places on the host system.

Such a scenario may sound far-fetched, but the reality is that if you can dream it up, the bad guys online are probably already doing it. Here's hoping the good folks at Parallels fix this feature in their next release.

It's worth noting that this sharing of files, directories, etc., between the host and guest operating system(s) also is quite possible on VMware products as well, except that the default setting on VMware is not to let the guest operating system have read, write and delete privileges pretty much anywhere on the host OS.

To disable this functionality in Parallels, close out of the guest operating system, an in Parallels Desktop click on "edit." From there, click on "Shared Folders" and uncheck the box next to the option "Enable global sharing for drag-and-drop." You can then add any specific folders that you'd still like to share from that menu.

[Security Fix]

The Chronicle: 2/9/2007: Caught in the Network

Sat, 10 Feb 2007 22:35:45 GMT

I wasn't particularly impressed. I had helped edit and revise that policy when I worked for the information-technology office before I earned my Ph.D., and I knew that neither Tor nor any similar program had existed when the policy was first written. I also knew that the provisions in question were vague.

My visitors next produced page after page of logs detailing my apparent use of Tor. While I couldn't dispute most of the details in the logs, they seemed inaccurate. For example, the technician said I had been using Tor earlier that morning. In fact, I had been at Wal-Mart that morning looking for a good deal on an HDTV; I had reached my office only about five minutes earlier.

More important, the logs did not prove any wrongdoing on my part. All they demonstrated was that I, like thousands of others around the world, had installed and infrequently used Tor. In my case, of course, there was no wrongdoing.

Nonetheless, my visitors made two requests: that I stop using Tor, and that I avoid covering it in class.

Having been on the administrative end of academic technology, I appreciate the difficulties facing the information-technology staff. No one pats you on the back if nothing goes wrong, but if something does -- if a virus or worm sweeps through the campus's network infrastructure, or someone hijacks some computers to churn out spam -- you are off everyone's Christmas-card list. The last thing my former colleagues needed was some smarmy faculty member spouting off about academic freedom and threatening to demonstrate Tor to 100-plus students each semester.

Their job is to protect the network that allows me to do my job: to teach classes that are mostly or entirely online, and to conduct research. If they weren't here as the first or even only line of defense against the unscrupulous elements of our technological society, my university would cease to function. It's as simple as that.

Furthermore, I do not rely heavily on Tor, or even think much about it outside the context of my courses. I find all that routing makes it slow to use, even with the superfast connection I have at work.

But it is being used all around the world, by people in countries that restrict their access to information, by corporate whistle-blowers, and by digital-rights activists. It's even being used by average people like me, as a way to keep innocuous and personal online activities private.

So in the head-on collision between my appreciation of the role IT staff members play on my campus and my understanding of the role I have to play for my students, my need for academic freedom won. I found myself lecturing my three visitors into near catatonia about the uses of Tor.

Finally, they shook my hand, thanked me for talking with them, reminded me that I was probably violating the responsible-use policy, and left. They had bigger game to catch: the other Tor user on the campus.

A moment later, I heard another knock on my door. One of the detectives had come back to ask if I would reconsider my position. I told him that while I would think about giving up Tor, I honestly felt that this was a clear case of academic freedom, and I could not bow to external pressure. I reminded him that Tor is a perfectly legal, open-source program that serves a wide variety of legitimate needs around the world.

He nodded and left. Feeling an odd mixture of righteous indignation, patriotism, and dread, I closed the door.

University Professor Chastised For Using Tor.

Sat, 10 Feb 2007 22:28:22 GMT

University Professor Chastised For Using Tor. Irongeek_ADC writes with a first-person account from the The Chronicle of Higher Education by a university professor who was asked to stop using Tor. University IT and campus security staffers came knocking on Paul Cesarini's door asking why he was using the anonymizing network. They requested that he stop and also that he not teach his students about it. The visitors said it was likely against university policy (a policy they probably were not aware that Cesarini had helped to draft). The professor seems genuinely to appreciate the problems that a campus IT department faces; but in the end he took a stand for academic freedom. [Slashdot: Your Rights Online]

Microsoft to Support OpenID.

Wed, 07 Feb 2007 18:51:02 GMT

Microsoft to Support OpenID.

SAN FRANCISCO: Microsoft Chairman Bill Gates today said his company would throw its support behind "OpenID," an open-source, distributed identity management system that seeks give computer users a more secure way to manage their online credentials.

"Everywhere you go on the Web there are issues about reputation and trust," Gates said in the keynote address this morning here at the RSA Security conference here. "Some blog environments want anonymous people to [be able to] say anything, and in other environments, they want you to represent some credentials about who you are. And that's just not going to scale with the kind of password thing we have today."

In a (very simplified) example, OpenID works like this: The key to your online identity is a Web address, such as http://myblog.someplace.com. You pick one of several OpenID providers -- such as Vox, OpenID, Verisign or LiveJournal (OpenID is the brainchild of LiveJournal founder Brad Fitzpatrick) -- to be the trusted host for your identity credentials. When you visit a site that has implemented OpenID, you're asked to enter your personal Web address, which you've configured to query your identity credentials stored at your chosen OpenID provider, which in turn will ask you to login using whatever credentials it requires. These couple of blogs have more coherent and complete explanations of how OpenID is supposed to work.

OpenID is most often cited as a way to help Internet users navigate the zillions of blogs and other Web 2.0 applications that require users to sign up and manage different usernames and passwords. Some advocates say it also has the potential to help users guard against phishing scams and related forms of online fraud, but others say the whole system is likely to be a boon for phishers and online scam artists everywhere.

Gates said Microsoft would support OpenID 2.0 in conjunction with CardSpace, a feature similar in nature to OpenID that is built in to Windows Vista. CardSpace seeks to make managing digital identities easier and safer by replacing usernames and passwords as the means of identifying oneself on the Web.

Microsoft's acceptance of an open standard is being cautiously praised by many technologists in the blogosphere, who see the software giant's participation as key to fixing the more complex problems with online identity management and authentication. Microsoft has tried to control the online ID space in the past with programs like MSN Passport, which largely failed to gain traction beyond Microsoft's own online properties. Single sign-on programs also have been touted by Yahoo! and Google.

Bruce Schneier, a cryptography expert and chief technology officer for online security provider BT Counterpane, greeted Microsoft's announcement with reservation, saying Microsoft has a long history of "supporting and then co-opting" open standards.

"They tried to get their own system working, and I think it's telling that they are now supporting an open system," said Schneier, who's giving a talk at RSA later today on what he calls "the psychology of security."

"In some ways it's worrisome, but I'm reasonably confident in the Web 2.0 world that the distributed control of OpenID is strong enough, that it's not Microsoft-driven," he said.

[Security Fix]

Exploiting JSON Framework : 7 Attack Shots.

Wed, 07 Feb 2007 18:36:50 GMT

Exploiting JSON Framework : 7 Attack Shots. This article, contributed by Aditya Sood, defines the layout of the exploiting factors of web attacks ie where the JSON framework is compromised. By Aditya Sood. [Infosec Writers Latest Security Papers]

Vista a Threat to Internet Freedom?

Tue, 06 Feb 2007 15:57:00 GMT

Vista a Threat to Internet Freedom? BBC columnist Bill Thompson warns readers that new DRM technology, especially that found in Vista, is damaging the freedoms that the internet was based on. "The freedom of expression that was once available to users of the Internet Protocol is being stripped away. Our freedom to play, experiment, share and seek inspiration from the creative works of others is increasingly restricted so that large companies can lock our culture down for their own profit. [...] governments and corporations around the world are making a concerted effort to dismantle the open internet and replace it with a regulated and regulable one that will allow them to impose an 'architecture of control.'" [Slashdot: Your Rights Online]

Technology News: Consumer: New Site Encourages Community Web Surfing

Tue, 06 Feb 2007 03:11:30 GMT

Me.dium.com tracks your Web browsing habits and reveals which sites are being visited at any given moment by people and friends with similar patterns. Those people and their sites appear as colored icons in a Web browser session. The point is to let you see when some of your friends or even a crowd of strangers are gathering on a site presumed to be of interest to you.

Super Bowl Site Trojan Aims to Nab Passwords.

Mon, 05 Feb 2007 18:46:38 GMT

Super Bowl Site Trojan Aims to Nab Passwords.

This story was updated at 3:02 p.m. Please read the entire post. -- The official Web site of Dolphin Stadium -- the location of this weekend's Super Bowl XLI game -- has been infected with a Trojan horse program. The virus seeks to download keystroke-logging software on Windows machines if users visit the site without the latest security updates from Microsoft, security experts warn.

Websense said the site still hosts the virus, and it advises people to steer clear of the site for now. The Trojan tries to use two different exploits to break into Windows PCs; one of them was fixed by a patch Microsoft issued just last month.. It is clear that the bad guys are counting on major traffic to the site this weekend. According to Websense, the site is receiving a large number of visitors, thanks in part to some Super Bowl search terms that prominently link to the site. According to Web traffic-monitoring firm Alexa, the stadium site receives about 784,000 hits per week.

If you haven't been diligent about applying Microsoft patches, please take a moment to do that now by visiting Microsoft Update.

Microsoft always advises consumers to better protect themselves by visiting only "trusted sites." However, this type of attack highlights that even popular consumer sites can harbor serious problems. High-profile Web sites like Dolphin Stadium's should do even a rudimentary security review to thwart this type of attack.

Update, 3:02 p.m. ET: Stadium spokesman George Torres now says the site has been cleaned up. I've confirmed his claims with a few outside experts. It also appears that the same virus may have been seeded into other sites. The main "podcasts" page on the Web site for the Center for Disease Control and Prevention appears to have been infected at some point (ah, the irony). It is unclear when that could have occurred, and it does not appear to be there now. The folks at CDC are checking on the situation. There obviously are multiple sites currently infected with this Trojan, so make sure you're up to date on Microsoft patches.

This attack depends on the user allowing Javascript computer code to run in the browser. I often plug the "noscript extension for Mozilla's Firefox browser, which helps block this attack even on machines that do not have the patch.

[Security Fix]

Groklaw - A Brave New Modular World - Another MS Patent Application

Fri, 02 Feb 2007 03:03:10 GMT

A reader sent me a link to a new patent application by Microsoft. Not the Bluej one, which has been in the news and which Microsoft, commendably, has withdrawn, but another one, for what seemed to me to be a modular operating system, "System and method for delivery of a modular operating system".

Microsoft and modular are two words I wouldn't normally associate with one another, so I thought maybe I'd misunderstood it. Heaven only knows, patent applications are generally written to confuse, not illuminate, and so I sent it to Dr. Stupid to ask if he'd please explain it to me. He did, and his explanation was so interesting, I asked if I could share it with you.

As best as I can understand it, it's not an attempted patent on a modular system per se. That obviously wouldn't fly. As he points out, it's not new. The patent relates to a method of delivery of an operating system where you start off with a very basic operating system, a kind of crippled starter edition, and then you pick and choose (and purchase) additional functionality, with DRM used to make sure you don't self-help. It's like modular copyleft, turning the advantages of GNU/Linux -- modularity there increases what you can do and what you can add and how well everything works -- and instead turns the concept on its head by using modularity plus DRM to restrict and contain and enforce.

Microsoft Applies To Patent DRM'ed OS Modules.

Fri, 02 Feb 2007 02:59:09 GMT

Microsoft Applies To Patent DRM'ed OS Modules. wellingj writes "Microsoft has applied for a patent that sounds on the face of it like it ought to improve OS stability and reliability: the patent proposes to modularize device drivers much like Linux does. But, going further, Microsoft would apply DRM to these modules -- as Groklaw puts it, 'using modularity plus DRM to restrict and contain and enforce.' The net result is that you might have to pay extra for OS hardware support. Things like USB keys, DVD-ROMS, Raid drives, and video cards might not be supported out of the box. LXer indulges in some dystopian speculation." [Slashdot: Your Rights Online]

Birth of the Verbal Hack?

Fri, 02 Feb 2007 02:47:19 GMT

Birth of the Verbal Hack?

Microsoft Corp. said Wednesday that a voice-recognition feature built into Vista -- the new version of Windows that went on sale this week -- could be exploited remotely to delete files on a victim's machine if he or she visited a Web site that tried to issue specific commands through the computer's audio system.

Online computer security forums were abuzz this week with discussions of ways to exploit the new feature. In the DailyDave online security newsgroup, one commenter described a successful test in which he managed to delete his entire "My Documents" folder using the voice command feature. An attack recorded as an audio file and automatically played when a user visits a malicious Web site could have the same effect, security experts said.

Microsoft noted that the voice-recognition feature is not turned on by default in Vista, and that such an attack would be extremely difficult to execute.

In a posting on its security Web site, Microsoft said a targeted system "would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as 'copy,' 'delete,' 'shutdown,' etc. and acting on them. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation."

While Microsoft said the feature could be exploited to delete a victim's documents, it pointed out that a key component of security on Vista -- the "user account control" (UAC) feature that requires a user to enter his or her password before making any significant changes to the system -- would prevent an attacker from, installing software or creating new user accounts on the victim's PC.

Rich Mogull, a security analyst with Gartner Inc., said he doubts that many users will bother to configure and run the voice command feature in Vista, and even for those who do the real threat of falling victim to such an attack would be fairly low.

Still, Mogull said, "if they are running it, and someone can get the right kind of file to play when no one is looking, yep- you could do nasty stuff."

My personal favorite perspective on this comes from the venerable security guru Dan Geer, who offered the following challenge on the DailyDave list:

"Here's $500 for the first documented case of someone using the white courtesy phone in an airport to page Mr Shootdown, Reese Sett, Sleep Now, or whatever and blanking all the laptops in a concourse. An extra $500 if it's DC National..."

[Security Fix]

Sony Settles With FTC Over Rootkit Debacle.

Thu, 01 Feb 2007 03:31:50 GMT

Sony Settles With FTC Over Rootkit Debacle. Company agrees to settle charges over copy-protection software it included in music CDs. [PC World: Latest Technology News]

New York Settlements Go After Adware Funding.

Tue, 30 Jan 2007 18:00:48 GMT

New York Settlements Go After Adware Funding. Three high-profile companies that advertised through nuisance adware programs have agreed to pay fines and reform their practices, according to the New York Attorney General. Attorney General Andrew Cuomo announced Monday that his office had reached settlements with Priceline, Travelocity and Cingular. The settlements arose out of the AG's in-depth investigation of DirectRevenue LLC, a New York-based adware distributor. Cuomo's office says the settlements mark the first time that advertisers have been held responsible for doing business with adware distributors that engaged in deceptive practices. CDT -- which issued two reports last year detailing the ways in which mainstream advertisers were funding nuisance adware -- applauded the settlements. [Center for Democracy and Technology]

Web Advertisers Settle N.Y. Spyware Lawsuit.

Tue, 30 Jan 2007 17:49:36 GMT

Web Advertisers Settle N.Y. Spyware Lawsuit.

Three of the most aggressive buyers of online advertising space today agreed to pay fines and reform their advertising practices as part of a landmark anti-spyware settlement.

Mobile phone giant Cingular Wireless LLC, and travel sites Priceline.com and Travelocity.com agreed to settle their part in an ongoing investigation by the New York State Attorney General's office, which last year sued adware/spyware purveyor DirectRevenue for deceptively and fraudulently installing its pop-up ad serving and Web tracking software on millions of PCs without approval or consent of consumers.

This is an important settlement on a number of levels. Online help forums are awash in desperate messages from consumers whose machines were besieged by pop-up ads after visiting a Web site that used slimy drive-by tactics to install DirectRevenue's software, which is notoriously difficult to remove from a host machine. If you've never read the evidence against DirectRevenue's business practices (this is a company that, according to prosecutors, actually had a department named "Dark Arts"), check out this document for a very entertaining and revealing read.

Perhaps more significantly, these advertisers were just as culpable for supporting DirectRevenue's sleazy business practices long after anti-spyware activists like Ben Edelman, Suzi Turner and others published evidence of the illegal distribution methods of DirectRevenue and the Webmasters it paid to install its software. As I catalogued in a Washington Post story published in 2006, experts consistently documented adware bundles like the ones distributed by Directrevenue being installed on computers that contract distributors had already infected with computer viruses and worms.

Ari Schwartz, deputy director for the Center for Democracy & Technology, a consumer policy group in Washington, D.C., said today's settlement was important for because it recognizes the oft-overlooked role that advertisers continue to play in supporting the adware and spyware industry.

"The dirty secret about unwanted adware is that many legitimate companies -- knowingly or not -- fund its proliferation with their advertising dollars. Until we cut off that funding, there will always be a financial incentive for companies to bombard users with adware that they neither want nor need," Schwartz said in a written statement.

While the settlement is a welcome and important one, the terms and fines could have been a bit stiffer. Under the terms of the agreement, all three companies will have to pay between $30,0000 and $35,000 each to New York state, and each will have to more clearly reference the adware vendor in each ad that's displayed. In addition, "prior to contracting with a company to deliver their ads, and quarterly thereafter, the companies must investigate how their online ads are delivered. The companies must immediately cease using adware programs that violate the settlement agreements or their own adware policies."

[Security Fix]

Vista DRM Cracked by Security Researcher.

Mon, 29 Jan 2007 20:17:58 GMT

Vista DRM Cracked by Security Researcher. An anonymous reader writes "Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called 'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system. Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though." [Slashdot]

Professor Michael Geist on Vista's Fine Print.

Mon, 29 Jan 2007 18:10:29 GMT

Professor Michael Geist on Vista's Fine Print. Russell McOrmond writes "With Microsoft's Vista set to hit stores tomorrow, Michael Geist's weekly Law Bytes column (Toronto Star version, homepage version) looks at the legal and technical fine print behind the operating system upgrade. The article notes that in the name of shielding consumers from computer viruses and protecting copyright owners from potential infringement, Vista seemingly wrestles control of the "user experience" from the user. If you are a Canadian and think that the owner of computers should be in control of what they own, rather than some third party (whether virus authors or the manufacturer/maker), then please sign our Petition to protect Information Technology property rights." [Slashdot]

Wired News: Tax Takers Send in the Spiders

Mon, 29 Jan 2007 02:53:12 GMT

Websites around the world are getting a new computerized visitor among the Googlebots and Yahoo web spiders: The taxman. A five-nation tax enforcement cartel has been quietly cracking down on suspected internet tax cheats, using a sophisticated web crawling program to monitor transactions on auction sites, and track operators of online shops, poker and porn sites.

The "Xenon" program -- a reference to the super-bright auto headlights that light up dark places -- was started in The Netherlands in 2004 by the Dutch equivalent of the IRS, Belastingdienst. It has since been expanded and enhanced by international group of tax authorities in Austria, Denmark, Britain and Canada, with the assistance of Amsterdam-based data mining firm Sentient Machine Research.

Xenon is primarily a spider: a program that downloads a web page, then traverses its links and downloads those as well, ad infinitum. In this manner spiders can create huge datasets of web material, while preserving the relationships between pages at the moment they were spidered -- something that can reveal a lot about the people that made the pages.

It's unclear how effective Xenon has been in generating investigative leads. Contacted by Wired News, the tax departments of Canada and the United Kingdom confirmed participation in the program, but declined further comment.