
Spontaneous Sociability and The Enthymeme


Rattle

Current Topic: Computer Security

Silly SSL, The padlock is for Phishers
Topic: Computer Security 1:56 am EDT, May 15, 2007

Acidus saw a rather interesting dirty trick on a phishing site today. The favicon for the site was the exact same padlock image that is normally shown for a secure website. While the site couldn't turn the address bar green, it is certainly preying on the habit people are developing with IE7 and Firefox to look for security info in the address bar.



Slashdot | Exposing Bots In Big Companies
Topic: Computer Security 3:28 am EDT, May 1, 2007

CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies.

Adam and Rick back in the news.



State Department got mail, and got owned - Yahoo/AP
Topic: Computer Security 1:37 pm EDT, Apr 19, 2007

A break-in targeting State Department computers worldwide last summer occurred after a department employee in Asia opened a mysterious e-mail that quietly allowed hackers inside the U.S. government's network.

The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers.

Compromise at the State Dept due to a Word document? Great job Microsoft...

Weren't they saying something recently about malformed Word documents crashing Word not being a problem? Makes you wonder how many of those "not a problem" bugs can result in situations like this...



The last thing a geek sees before his house fills with feds.
Topic: Computer Security 3:37 pm EDT, Mar 30, 2007



TJX: Hackers Stole 46 Million Card Numbers (General Dynamics Corp. (GD), International Business Machines Corp. (IBM), TJX Cos. (TJX), (US459200)) | SmartMoney.com
Topic: Computer Security 4:58 pm EDT, Mar 29, 2007

via Dow Jones wire:

Discount retailer TJX Cos. outlined a massive customer data theft in a regulatory filing late Wednesday, with stolen information covering transactions dating back as far as December 2002.

Media reports said at least 45.7 million credit and debit card numbers were stolen. The company (TJX) , whose stores include TJ Maxx, Home Goods and Marshall's, said it learned of the suspicious software on its computer system on Dec. 18, 2006.

The following day it immediately initiated a probe and hired General Dynamics Corp. (GD) and International Business Machines (IBM) to help in the investigation. TJX first disclosed the breach on Jan. 13.

TJX said information was stolen from a portion of its computer systems in Framingham that process and store information related to payment card, check and unreceipted merchandise return transactions for customers in T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and the Winners and HomeSense stores in Canada.



Billy Hoffman: 'Would you like a destroyed Internet with your JavaScript?'
Topic: Computer Security 12:10 pm EDT, Mar 25, 2007

A security researcher at ShmooCon on Saturday demonstrated, but did not release, a tool that turns the PCs of unknowing Web surfers into hacker help.

As expected, SPI Dynamics researcher Billy Hoffman demonstrated a Web application vulnerability scanner written in JavaScript. The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said.

"The whole point was to show how scary cross-site scripting has become."

"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."

There are already 50k hits for a Google search on "Jikto". A few comments from around the web: Jeremiah Grossman, of Whitehat Security, and "Pascal". Anurag Agarwal offered a Reflection on Billy Hoffman, along with a photo:

This week on Reflection we have a very young guy from the webappsec field.

Billy’s knowledge on Ajax is tremendous ... his ability to think differently has helped him achieve so much in such a short time.

I got a chance to meet with him in the WASC meetup at RSA. He is a very lively character. Let me put it this way, if billy is a part of a conversation, you won’t get bored even if you just stand there and listen.

Anyone who has worked with Billy knows, he is one of the best security researchers in the world. Billy is among the first people I contact when I need to bounce an idea off someone, and the insight he brings to the table is always impressive. Based on my firsthand experience, it is incomplete to the degree of inaccuracy to simply say "he thinks outside the box". Billy destroys the box before your eyes while telling you what you need to keep in mind when building your next box.

We can say with confidence, that when what comes after "Web 2.0"/AJAX is created, Billy's work will be one of the factors driving design decisions.

I enjoy watching him repeatedly pop up in the press. I feel proud to have known him back when he was just an unknown college student getting sued for the first time.. :)

Oh, btw.. Billy is also a member of the Industrial Memetics Team, and actively contributes to MemeStreams development. We consider ourselves lucky.



Outerz0ne videos posted
Topic: Computer Security 10:38 am EDT, Mar 23, 2007

The videos of the talks at Outerz0ne have been posted.

Of the lot, I suggest watching Acidus live-hack a bank in New Zealand:



PC World - Hackers Promise Month of MySpace Bugs
Topic: Computer Security 8:09 pm EDT, Mar 18, 2007

They won't divulge their real names, they call their project a "whiny, attention-seeking ploy," and they appear to take their fashion cues from Beastie Boys music videos.

"The purpose of the exercise is not so much to expose MySpace as a hive of spam and villainy (since everyone knows that already), but to highlight the monoculture-style danger of extremely popular websites," wrote Mondo Armando in an e-mail interview.

"We could have just as easily gone after Google or Yahoo or MSN or IDG or whatever. MySpace is just more fun, and is becoming notoriously [obnoxious] about responding to security issues," he said.

The MySpace hackers launched their project late Thursday expressing simultaneous enthusiasm and disdain for the task ahead. "If it ends up being just as lame as the Month of Apple Bugs, then we haven't really missed the mark. If it's funnier, then great," they wrote on their project's blog. "If it kills this Month of Whatever fad, then hurray for everyone, it's over."

They intend to primarily publish cross site scripting bugs, which can allow an attacker to execute malicious script within a victim's browser, but they may also publish bugs that affect browsers or technologies like Flash or QuickTime.

The project blog is hosted on LiveJournal.



Argentinian Def Con documentary
Topic: Computer Security 6:58 pm EDT, Mar 17, 2007

"Documental sobre los hackers" (documentary about hackers)

From DefCon 2006. 24 minutes long. Pretty watchable even for English-speakers, as most of the interviews are in English with Spanish subtitles.

Elonka points out this Argentinian documentary on Defcon. This is one of the best segments I've ever seen covering a hacking convention.

I don't know the names of everybody that got interviewed, but overall it's a good piece. Covers all the main Def Con elements, from Capture the Flag, to the Wall of Sheep, to the Lockpicking Contest, clips of people from Adam Laurie to Johnny Long to Jeff Moss, and much of the partying in between. ;) Billy Goto can be seen showing off his black badge (permanent free admission, from winning Hacker Jeopardy in a previous year), and my own fleeting seconds of Argentinian fame are around 16:25 (wearing my IGDA T-shirt) and a somewhat inebriated interview clip at 18:05. ;) I love my title description: "Ilanka, diseñadora de juegos, hacker" ("Elonka: Game designer, hacker.") Only it sounds c00ler in Spanish. ;)



Hacker builds tracking system to nab Tor pedophiles | Zero Day | ZDNet.com
Topic: Computer Security 12:43 am EST, Mar 9, 2007

Amidst concerns that pedophiles are using public Tor (the Onion Router) servers to trade in child pornography, über-hacker HD Moore is building a tracking system capable of pinpointing specific workstations that searched for and downloaded sexual images and videos of kids.

Moore, the brains behind the Metasploit Project, has come up with a series of countermeasures that include using patched Tor servers and a decloaking engine to detect the exact location of a pedophile within an organization or residence.

HD Moore first discussed his "countermeasures" at a meeting of the Austin Hackers Association (AHA) last summer when it became clear that the EFF-backed anonymity/privacy network was being used for the most nefarious purposes. Further confirmation came last September when German authorities cracked down on Tor node operators because of the proliferation of child porn.

As to whether this is enough for law enforcement authorities to make an arrest and build a case, Moore's answer: "No idea."

Decius's analysis of this:

He is embedding a web bug in certain tor requests that implements a javascript based check for local IP address and a udp query to get an external IP. This raises some interesting questions:

1. People running anti-tor servers can undermine the anonymity provided by tor unless users are serious enough not to have their DNS going out in the clear, and serious enough to have browser extensions disabled. None of these ideas are new.

2. This seems to suggest the idea that someone would go to the trouble of running a tor server because they want to protect anonymity but decide to run this because they are uncomfortable with some of the uses of that anonymity.

3. In this case the anonymity they are providing is undermined based on a keyword match which is unreliable at best.

4. H.D. Moore is pro full disclosure of exploit code but against anonymous web browsing?

5. Why go to a lot of trouble undermining your anonymity system in order to target people downloading child porn through your proxy when you can use the same filter script to identify the server if you are running an exit node? Servers are worse than users, targeting them doesn't undermine the purpose of the service you are running, and you don't need any javascript tricks to target them.

Bottom line: The goal here is to educate tor users, not to track them.


