Current Topic: Computer Security

Larholm.com - Me, myself and I - Internet Explorer 0day Exploit

Topic: Computer Security
1:58 pm EDT, Jul 10, 2007
There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols.
This is the simplest way to get RCE from a browser that has ever been disclosed.

How the Greek cellphone network was tapped

Topic: Computer Security
1:39 pm EDT, Jul 10, 2007
From the cryptography@metzdowd.com list:

A fascinating IEEE Spectrum article on the incident in which lawful intercept facilities were hacked to permit the secret tapping of the mobile phones of a large number of Greek government officials, including the Prime Minister: http://www.spectrum.ieee.org/print/5280

Hat tip: Steve Bellovin.

Perry
--
Perry E. Metzger perry@piermont.com

This is worth reading. An operation leverages the "lawful intercept" features of telephone switches, combined with rootkit malware specifically designed for the switches, and a collection of corrupt employees for some very unlawful intercepts. One, possibly two deaths. One of the most sophisticated computer intrusions I have ever heard of. Most likely a state intelligence organization. Americans widely suspected.

INTELLECTUAL WEAPONS

Topic: Computer Security
10:06 am EDT, Jun 8, 2007
Generally speaking, vulnerability details have always been given to the vendor by responsible researchers free of charge. In exchange, vendors generally credit researchers with discovery or assistance. Often vendors will hire their own internal code audit teams instead of waiting for external security researchers to find bugs in their products. These people get paid, but they usually don't get credited for specific vulnerabilities. The bottom line here is that no one is attempting to extort money out of vendors by holding a gun to their head and demanding payment. Computer security problems are real, and vendors do need to address them, either by waiting for people to disclose bugs in their products or paying for proactive security analysis, but that's reality. There are a lot of bad people in the world who put a lot of effort into finding and exploiting 0day vulnerabilities in order to deploy spyware or commit various kinds of espionage. These people will find and exploit vulnerabilities in your product if internal audit or external researchers don't get to them first. Generally speaking, the latter is a preferable scenario for everyone.

Now enter this company:

We can work with you to generate and enforce intellectual property such as patents relating to fixes for newly discovered, private or zero day security vulnerabilities, weaknesses, or technical flaws that you have found. We target the intellectual property against the vendors of the vulnerable products and other security providers such as suppliers of intrusion prevention technologies. You share in the income.

These people are saying: "I have a way to break into networks run by your customers through a bug in your product, and I'm going to publish it to the world in the patent database, where any criminal can look it up and use it, but you can't fix it unless you pay me." This seems very much like holding a gun to someone's head and demanding payment. What's even more insidious about this idea is that the patent holder has the right to refuse to license their patent at any price... A criminal organization could find a vulnerability, patent it, and use their patent to prevent their victims from fixing the problem. I'd support legislation explicitly banning this practice.

SonicWall MAY have listened...

Topic: Computer Security
9:57 am EDT, May 28, 2007
skullaria wrote:

Dear Customer,

You submitted the following rating request to SonicWALL CFS Support:
Rate memestreams.net as "31.Web Communications" at 2007-05-26 00:25:00.393

The request has been reviewed and rated as: "31.Web Communications" at 2007-05-28 03:14:05.533

You should see this rating change reflected within 1 to 3 business days.

Thank you for your request,
SonicWALL CFS Support

It doesn't say anything about removing MemeStreams from the Hacking/Proxy Avoidance category. Does anyone on MemeStreams have a SonicWall?

Congress to vote on paper trail for e-voting systems

Topic: Computer Security
9:51 pm EDT, May 21, 2007
A U.S. House of Representatives committee has decided to send a bill to the floor that would require all touch-screen voting systems to produce a paper receipt for each ballot cast.
This is potentially of interest...

Slashdot | Exposing Bots In Big Companies

Topic: Computer Security
3:02 am EDT, May 1, 2007
CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies.
Adam and Rick back in the news.

9th Circuit Appeals Court Authorizes University Admins to Hack Student Computers

Topic: Computer Security
11:30 am EDT, Apr 6, 2007
Although he was aware that the FBI was already seeking a warrant to search Heckenkamp's computer in order to serve the FBI’s law enforcement needs, Savoy believed that the university's separate security interests required immediate action. Just as requiring a warrant to investigate potential student drug use would disrupt operation of a high school ... requiring a warrant to investigate potential misuse of the university's computer network would disrupt the operation of the university and the network that it relies upon in order to function. Moreover, Savoy and the other network administrators generally do not have the same type of "adversarial relationship" with the university’s network users as law enforcement officers generally have with criminal suspects.
This case is going to have widespread ramifications. Overall I'm pretty unhappy with this conclusion and I think this will be abused left and right in ways these judges wouldn't have intended or approved of. There is a wide variance in competence among systems administrators, particularly between different universities. Technical schools that have complex networks tend to attract smart people to their IT staffs who could probably handle this deputization responsibly. However, smaller schools with less interesting technology tend to have less competent admins... People who have difficulty understanding the difference between a security breach, and someone doing something with the network that they don't understand or haven't explicitly approved, but isn't a security breach. I suspect that some of these people will take an unreasonably broad view of their powers under this ruling. (The same thing can also be said of private computer network administrators, who might also be deputized by this. It's not clear whether this ruling would fit outside the context of a university. It might.) In general, people had always assumed that retaliatory hacking was illegal. Here, the 9th has actually managed to make the wild west of the Internet a little bit wilder. I think ultimately that undermines the purpose that the Court is supposed to be serving. I hope this goes up to the SCOTUS.

The last thing a geek sees before his house fills with feds.

Topic: Computer Security
2:50 pm EDT, Mar 30, 2007

Technology Review: Could Al Qaeda Plunge England into an Internet Blackout?

Topic: Computer Security
6:59 pm EDT, Mar 27, 2007
According to an article by David Leppard, Scotland Yard has uncovered evidence that Al Qaeda operatives were going to blow up Telehouse Europe, a large colocation facility in Britain that is the country's largest Internet hub. Suspects who were recently arrested had conducted reconnaissance against Telehouse and had planned to infiltrate the organization and blow it up from inside.
Part of me doesn't want to take this seriously, but in fact this would likely cause significant economic disruption...

Why Information Security is Hard

Topic: Computer Security
10:32 am EDT, Mar 26, 2007
This Ross Anderson paper from 2001 is worth (re-)reading. I'd be interested in any pointers to further reading along these lines. I particularly liked this quote, from the French economist Jules Dupuit in 1849:

It is not because of the few thousand francs which would have to be spent to put a roof over the third-class carriage or to upholster the third-class seats that some company or other has open carriages with wooden benches ... What the company is trying to do is prevent the passengers who can pay the second-class fare from traveling third class; it hits the poor, not because it wants to hurt them, but to frighten the rich ... And it is again for the same reason that the companies, having proved almost cruel to the third-class passengers and mean to the second-class ones, become lavish in dealing with first-class customers. Having refused the poor what is necessary, they give the rich what is superfluous.
Here's the abstract of the paper:

According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.
Anderson has been working this theme over the past several years; his latest paper is The Economics of Information Security - A Survey and Open Questions.