Drupal 6 Features


Malware writers think global, act local

Online miscreants are beefing up their cultural outreach skills.

According to a new report from McAfee, attacks are increasingly being tailored to victims in specific geographical regions. Spam, phishing emails and even malware now address potential victims in their native tongues, often with flawless grammar. Attackers have also become familiar with local culture, including sports and other pastimes, and often work them into their lures to improve the odds of tricking their marks.

"We really wouldn't have had this conversation two years ago," said Dave Marcus, a security research and communications manager at McAfee. Back then, "the distribution of malware was very English language centric."

As a result, spam and malware targeting Germans are likely to play on their enthusiasm for the World Cup. Attacks on Japanese users, meanwhile, are likely to piggyback on the popularity in that country of Winny, a P2P file-sharing program. And Chinese scams will likely involve gold farming, the harvesting of virtual valuables in games such as World of Warcraft for resale.

The multicultural turn comes as more parts of the world connect to the internet for the first time. With a larger proportion of non-English speakers online than ever before, it makes sense that attackers are looking for new, more effective ways to pwn their machines and steal their banking credentials.

McAfee's findings, which were published Thursday, dovetail with recent research from Thomas Holt, a professor of criminal justice at the University of North Carolina at Charlotte. It found that the marketplace for rootkits, Trojans and other malware increasingly transcends national boundaries: a title first released in Spain may be appropriated by a crime syndicate in China, which adds support and other features tailored to the local language.

The trend toward localized threats is particularly important for international travelers, who need to adjust their defenses as they move from one country to the next.

When Marcus is in the US, he says, he never receives spam on his mobile phone. But as soon as he travels to the UK he immediately receives fraudulent SMS messages, and when in Tokyo it's not unusual for him to receive spam sent over Bluetooth connections.

"It's very, very localized, and that's not to say I can't deal with it," he says. Still, he adds, "I will want to gather some of that local information


The hands-free way to steal a credit card

Laurie, an RFID security expert, used the Black Hat DC 2008 conference to demonstrate a new Python script he's working on that reads the contents of smart-chip-enabled credit cards.

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read the card and displayed its contents on the presentation screen, with the person's name, account number and expiration date clearly visible.

Demonstrations like that show how RFID technology could be misused in the near future. Without touching anyone, a thief could sniff the contents of an RFID-enabled credit card just in passing. The same applies to RFID chips implanted in the human body, work access badges, some public transit cards, and even the new e-passports in use in more than 45 countries.

As a disclaimer, Laurie said he had spoken to American Express, the company that issued the volunteer's card. According to Laurie, American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie confirmed by opening the wallet and comparing the two. However, Laurie noted that the captured number could still be used for online transactions.

The credit card industry has argued that use of the RFID-enabled cards will save customers time when processing payments.

An extreme example can be found in Spain. Laurie said a public beach there encourages visitors to have RFID tags injected into their bodies. The point? Merchants along the beach scan your wrist to obtain a unique ID from which they can debit your account. The advantage? You won't have to go to the beach with your wallet, which might get stolen.

Laurie, who has an implanted RFID tag of his own, showed how easy it was not only to read the tag but also to rewrite it. During his demo, he used the coding sequence reserved for animal tagging to have his chip declare him an animal.

On his RFIDiot Web site, Laurie offers the Python scripts free of charge and also sells the hardware necessary to read and write to RFID tags and cards.


Nintendo puts C64 games on Wii

VIRTUAL CONSOLE has gone back to the future with its decision to offer Wii gamers a new (old) format of classic games from the bestselling computer dinosaur, the Commodore 64, later this year.

Gamers will soon be able to play retro titles like International Karate and Uridium from the record-breaking C64, the best selling single computer model ever, apparently.

The C64's popularity spawned over 4,000 games between 1982-1994 and some of these 'new oldies' are set to join classic games from Nintendo, SEGA, Turbografx and NEOGEO already available to nostalgic Wii owners.

CEO of Commodore Gaming, Bala Keilman, reckons the "massive impact the Commodore 64 had on video-gaming is still evident today with many gamers remembering the computer and its games with great fondness. By working with Nintendo of Europe, we are ensuring that future generations of gamers can play some of the best and most popular titles that kick-started the computer games revolution and so keep the C64 legacy in gamers' hearts."

The reincarnated games will be available for download on the European Wii Shop Channel soon.


Canada clubs hacking network to death

Quebec provincial police say they've dismantled a computer hacking network that targeted unprotected personal computers around the world.

Police raided several homes across Quebec on Wednesday and arrested 16 people in their investigation, which they say uncovered the largest hacking scam in Canadian history.

The hackers collaborated online to attack and take control of as many as one million computers around the world that were not equipped with anti-virus software or firewalls, said provincial police captain Frederick Gaudreau.

"That way, they were able to introduce some Trojans or worms in those computers, and that way they were able to take control of the computers from abroad," he said at a Montreal news conference on Wednesday.

The majority of computers attacked by the network were in Poland and Brazil, but some PCs in Manitoba and the United States were also hacked, he said.

Several government computers were also compromised, but investigators will not say in which country.

The compromised computers were used to host fake websites that lured users into clicking on them and handing over personal information, Gaudreau said.

Police won't reveal what the information was used for but investigators estimate that the network profited by as much as $45 million.

The 14 suspects arrested Wednesday are between the ages of 17 and 26, and face charges related to the unauthorized use of computers.


Researchers crack FileVault, BitLocker with canned air hack

One of the adages of computing is that no hardware is safe when an attacker has physical access to the machine. In an age of booming laptop sales, people haven't found that reassuring and have frequently turned to disk encryption in an effort to protect their personal data. A new paper (PDF) by a group of Princeton computer scientists shows that disk encryption is vulnerable to an attack that will be hard to correct for: the encryption keys themselves can be recovered from the machine's RAM.

Memory persistence

Most people know that the contents of RAM are lost when a machine powers down. The paper notes, however, that this process isn't instantaneous. In their tests, the authors found that various forms of RAM take anywhere from 2.5 to 35 seconds to reach a null state (newer RAM got there faster). That process is temperature-dependent; dropping the RAM to -50°C cut the rate at which memory was lost to 0.1 percent per minute. If that temperature seems hard to reach, it's not. The researchers achieved it by turning a canned air dispenser upside-down and spraying it on the RAM chip. Dropping the chip in liquid nitrogen kept the error rate at a similar level for up to an hour.

That's more than long enough to move the chips to a new machine for analysis. But the researchers also developed ways to dump the RAM in place. A quick reboot also preserves the contents of memory, but in most cases large portions of it are quickly overwritten by the operating system during the boot sequence. To avoid this, the researchers devised tiny boot images with a very small memory footprint that dump the remaining contents to disk or over the network for later analysis, including versions that boot from USB drives or over a netboot infrastructure.

With the memory contents in hand, the next step was to locate the keys and compensate for the sporadic memory errors. Here the researchers relied on the fact that most disk-encryption software keeps material derived from the key in memory to speed up the cipher: the expanded key schedule. Because each round key is computed from the previous one, a key schedule has a recognisable internal structure, so finding one is largely a matter of scanning memory for regions that satisfy that relationship. Near matches can be set aside for closer analysis (including correction of memory errors), eliminating most of the brute force from the recovery.

The authors also noted that the RAM chips they examined decayed in a consistent pattern across their tests, opening the door to more sophisticated error correction based on those patterns. That level of sophistication, however, wasn't needed for their current implementation.

The paper describes algorithms for recognizing and extracting AES, DES and RSA keys, as well as tweak keys, from memory. The authors also turned these on most of the common disk-encryption products, including TrueCrypt and dm-crypt, as well as Mac OS X's FileVault and Vista's BitLocker. Using an external USB drive, the authors were able to identify and extract the key and mount a BitLocker-encrypted volume in about 25 minutes. While wandering around the memory of an Intel Mac, they not only recovered the FileVault key but also stumbled onto multiple copies of the login password.
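The key-schedule search described above, as an added example that is not the Princeton authors' code: it expands an AES-128 key per FIPS-197, then scans a constructed 8 KB "memory image" for any 16-byte window whose following 160 bytes are that window's own schedule, allowing for a bounded number of decayed bits. The image, its decay model (set bits clearing toward the DRAM ground state), the offset and the assumption that the schedule sits contiguously in the standard layout with the 16 key bytes themselves intact are all constructed for this example; the paper's tool also repairs errors inside the key bytes, which this scan does not.

```python
"""Locate AES-128 key schedules in a RAM image, tolerating bit decay.

Added example in the spirit of the Princeton paper's key search, not the
authors' code. Assumes the 176-byte FIPS-197 schedule is stored contiguously
and that the 16 key bytes survived intact; the rest of the schedule is then a
redundancy check on the key that still matches after some bits have decayed.
"""
import random


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _build_sbox():
    """Derive the AES S-box (GF(2^8) inverse, then the affine map) instead of hard-coding it."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):           # 3 generates the multiplicative group of GF(2^8)
        exp[i], log[x] = x, i
        x ^= _xtime(x)             # x *= 3
    sbox = []
    for a in range(256):
        inv = 0 if a == 0 else exp[(255 - log[a]) % 255]
        r, s = inv, inv
        for _ in range(4):         # r = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            s = ((s << 1) | (s >> 7)) & 0xFF
            r ^= s
        sbox.append(r ^ 0x63)
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = 176                 # 11 round keys x 16 bytes for AES-128


def expand_key(key):
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def _bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=16):
    """Scan every offset of `image`; return (offset, key, bit_errors) for each
    16-byte window whose following 160 bytes match that window's expanded
    schedule within max_bit_errors. Random data essentially never matches."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 16]
        # Cheap pre-filter: derive only the first expanded word (w4) and compare it
        # before paying for a full expansion.
        t = [SBOX[b] for b in key[13:16] + key[12:13]]   # SubWord(RotWord(w3))
        t[0] ^= 1                                        # rcon for round 1
        w4 = bytes(key[j] ^ t[j] for j in range(4))
        if _bit_errors(w4, image[off + 16:off + 20]) > 8:
            continue
        errs = _bit_errors(expand_key(key)[16:], image[off + 16:off + SCHEDULE_LEN])
        if errs <= max_bit_errors:
            hits.append((off, bytes(key), errs))
    return hits


# Constructed sample: the FIPS-197 Appendix A test key at an arbitrary offset.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_OFFSET = 3000


def build_sample_image(seed=1, size=8192, decayed_bits=12):
    """Constructed 8 KB 'RAM dump': pseudo-random filler with one schedule at
    SAMPLE_OFFSET, then a handful of set bits in the round keys cleared to mimic
    decay toward the DRAM ground state (the key bytes themselves are left intact)."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[SAMPLE_OFFSET:SAMPLE_OFFSET + SCHEDULE_LEN] = expand_key(SAMPLE_KEY)
    for _ in range(decayed_bits):
        pos = SAMPLE_OFFSET + 16 + rng.randrange(SCHEDULE_LEN - 16)
        image[pos] &= ~(1 << rng.randrange(8)) & 0xFF
    return bytes(image)


if __name__ == "__main__":
    for off, key, errs in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key at offset {off:#x} with {errs} decayed bits: {key.hex()}")
```

The pre-filter is what makes a full-image scan affordable: only windows whose first expanded word is close to what the candidate key predicts get a full 160-byte comparison. On a multi-gigabyte dump the same scan would be written in C, but the logic is unchanged. The threshold trades false negatives against false positives; with 1,280 checked bits, even a few dozen decayed bits leave a real schedule far closer than any random region.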

The paper includes a number of suggestions for improving security in the face of this kind of attack, but most of them would involve either changes to the hardware architecture or a radical overhaul of the encryption process itself, and in most cases they would simply make the attack harder rather than impossible. The practical caveat for users is that the attack needs the key to be in RAM: a laptop that is merely screen-locked or suspended still holds its keys, while one that has been fully powered off for a few minutes does not. Overall, disk encryption may help prevent casual data loss, but on a machine that is left running it is no match for a well-prepared attacker.


O2 plugs Bluebook SMS security bug

O2 has plugged a security hole that allowed customers to view text messages sent by other UK subscribers online.

The issue involved O2's Bluebook application, which lets subscribers save any text messages they send or receive for viewing online. Coding errors in Bluebook meant a registered user could view other users' messages (and phone numbers) simply by changing the message ID number in the URLs used to access messages on the site, a textbook insecure direct object reference: the site authenticated the user but never checked that the requested message belonged to that user's account. In a statement, the mobile phone giant said it has fixed the problem.

"We have identified and closed a loophole in Bluebook which allowed O2 Bluebook customers logged into their own account to view the message of another Bluebook customer by changing the URL in the browser window. This allowed them – in one particular window only - to view a random text message of another Bluebook user and in some cases the phone number of the sender," an O2 spokeswoman explained.

O2 said the security slip-up emerged as the "result of an internal review" on Friday 8 February. It said the loophole was closed on Monday 11 February. The issue was reported to us by Reg reader Tom, who claimed that the issue was actually reported to O2 on 4 February.

The mobile phone operator apologised for the slip-up, adding that it had implemented unspecified security measures to guard against similar coding problems in future.

"We apologise to our Bluebook customers for this lapse. We have conducted a thorough review to make sure it cannot happen again and that their details are secure," the spokeswoman added.

Flaws that leave customer data viewable through simple URL manipulation are a common coding mistake, and one that O2 itself has fallen victim to before. The mobile phone giant was obliged to disable logins to its Bill Manager website in August 2006 when it emerged that registered users could see other customers' call records. The service, which lets small businesses manage their spending on mobile calls, suffered much the same URL-manipulation flaw as the Bluebook site. That slip-up exposed call records, though the more sensitive billing records were not accessible through the application and so were not exposed.

URL manipulation also let the curious view the details of applicants for jobs at oil giant Shell in January 2003. More seriously, the same class of vulnerability exposed the credit card details of customers of utility Powergen back in July 2000.
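The Bluebook and Bill Manager bugs are the same mistake: the server authenticates the user but resolves the requested object purely from the ID in the URL. The following is an added example, not O2's code, showing that pattern in a minimal message-viewer handler beside its hardened version; the Message record, the MESSAGES store, the session dict and the sample numbers are all constructed for illustration.

```python
"""Insecure direct object reference (IDOR) in a saved-SMS viewer: vulnerable vs hardened.

Constructed example, not O2's code. The Message record, MESSAGES store and
session dict stand in for whatever database and login layer a real site has.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    message_id: int
    owner: str            # account that saved this SMS
    sender_number: str
    body: str


# Constructed sample store with sequential IDs, exactly what a curious user would walk.
MESSAGES = {
    1001: Message(1001, "alice", "+447700900111", "Your taxi is outside"),
    1002: Message(1002, "bob",   "+447700900222", "Call me re: the invoice"),
    1003: Message(1003, "alice", "+447700900333", "Dentist tomorrow at 9"),
}


class NotFound(Exception):
    """Maps to an HTTP 404 in a real handler."""


def view_message_vulnerable(session, message_id):
    """The Bluebook-style bug: authentication is checked, authorisation is not.

    Any logged-in user who edits the id in the URL gets someone else's message
    and the sender's phone number.
    """
    if not session.get("user"):
        raise PermissionError("login required")
    msg = MESSAGES.get(message_id)
    if msg is None:
        raise NotFound(message_id)
    return {"from": msg.sender_number, "body": msg.body}


def view_message_hardened(session, message_id):
    """Fix: resolve the object through the caller's identity.

    The lookup succeeds only for a message owned by the logged-in account, and
    'no such id' and 'not yours' produce the same 404 so the endpoint cannot be
    used to map which ids exist.
    """
    user = session.get("user")
    if not user:
        raise PermissionError("login required")
    msg = MESSAGES.get(message_id)
    if msg is None or msg.owner != user:
        raise NotFound(message_id)
    return {"from": msg.sender_number, "body": msg.body}


def idor_probe(handler, session, id_range):
    """Walk a range of ids as a curious user would; return the ids the handler disclosed."""
    disclosed = []
    for mid in id_range:
        try:
            handler(session, mid)
            disclosed.append(mid)
        except NotFound:
            continue
    return disclosed


if __name__ == "__main__":
    bob = {"user": "bob"}
    print("vulnerable discloses:", idor_probe(view_message_vulnerable, bob, range(1000, 1005)))
    print("hardened discloses:  ", idor_probe(view_message_hardened, bob, range(1000, 1005)))
```

The fix is the lookup condition, not the ID format: in SQL the equivalent change is `WHERE id = ? AND owner = ?` in place of `WHERE id = ?`. Swapping sequential IDs for random tokens slows enumeration but does not replace the ownership check, and returning one not-found response for both "no such message" and "not yours" stops the endpoint doubling as an existence oracle. The probe is also the test a reviewer should run against any "view by id" endpoint: log in as one user and walk a few hundred neighbouring ids.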


Hackers step up website attacks

Trend Micro has warned that hackers are intensifying attacks on legitimate websites to spread malware.

The security firm's 2007 Threat Report and 2008 Forecast debunked the idea that simply "not visiting questionable sites" keeps users safe. Visiting a gambling or adult-content site does not necessarily mean web threats are lurking there, while legitimate sites carrying the latest sports news, or links in a search engine result, could potentially infect visitors with malware.

Trend Micro explained that an underground malware industry has carved itself a thriving market by exploiting the trust and confidence of web users.

The Russian Business Network, for example, was notorious last year for hosting illegal operations including child pornography, phishing and malware distribution.

Apple also had to contend with the Zlob gang, proving that even alternative operating systems are not safe havens for the online user.

'Gromozon', malware disguised in the form of a rogue anti-spyware security application, also made its mark in 2007.

The Storm botnet expanded in scope last year, and Trend Micro researchers found proof that the botnet is renting its services to host fly-by-night online pharmacies, pump-and-dump scams, and even portions of its backend botnet infrastructure.

The most popular communication protocol among botnet owners during 2007 was still Internet Relay Chat, possibly because software to create IRC bots is widely available.

Such bots are easy to implement, but a move toward encrypted peer-to-peer command and control is already being used and tested in the field.

Trend Micro found that nearly 50 per cent of all threat infections came from North America last year, but that Asian countries are also experiencing a growth. Around 40 per cent of infections stem from that region.

Social networking communities and user-created content such as blog sites became infection vectors due to attacks on their underlying web 2.0 technologies, particularly cross-site scripting and streaming.

Infection volumes nearly quadrupled between September and November 2007, indicating that malware authors took advantage of the holiday seasons to send spam or deploy spyware while users were shopping online.

Based on the emerging trends of this year, Trend Micro forecasts that legacy code in operating systems, and vulnerabilities in popular applications, will continue to be attacked in efforts to inject malicious code into running processes.

Criminals can exploit this code to run malware in efforts to breach computer and network security and steal confidential and proprietary information.

High-profile sites will continue to be the most sought-after attack vectors by criminals to host links to phishing and identity theft code.

These sites include social networking, banking/financial, online gaming, search engines, travel, commercial ticketing, local government, news, jobs, blogs, and ecommerce sites for auctions and shopping.

Communication services such as email, instant messaging and file sharing will continue to be abused by content threats such as image spam and malicious URLs.

Data protection and software security strategies will become standard in the commercial software lifecycle due to the increasing high-profile incidents, Trend Micro believes.

This will also put a focus on data encryption technologies during storage and transit, particularly in the vetting of data access in the information and distribution chain.


Missile Hits Dying US Spy Satellite

A missile launched from a Navy cruiser soared 130 miles above the Pacific and smashed a dying and potentially deadly U.S. spy satellite Wednesday, the Pentagon said. Several defense officials said it apparently achieved the main aim of destroying an onboard tank of toxic fuel.

Officials had expressed cautious optimism that the missile would hit the satellite, which was the size of a school bus. But they were less certain of hitting the smaller, more worrisome fuel tank, whose contents posed what Bush administration officials deemed a potential health hazard to humans if it landed intact.

In a statement announcing the attack on the satellite, the Pentagon said, "Confirmation that the fuel tank has been fragmented should be available within 24 hours." It made no mention of early indications, but several defense officials close to the situation said later that all indications pointed to the destruction of the fuel tank. One explained that observers saw what appeared to be an explosion, indicating that the tank was hit.

Because the satellite was orbiting at a relatively low altitude at the time it was hit by the missile, debris will begin to re-enter the Earth's atmosphere immediately, the Pentagon statement said.

"Nearly all of the debris will burn up on re-entry within 24-48 hours and the remaining debris should re-enter within 40 days," it said.

The USS Lake Erie, armed with an SM-3 missile designed to knock down incoming missiles, not orbiting satellites, launched the attack at 10:26 p.m. EST, according to the Pentagon. It hit the satellite about three minutes later as the spacecraft traveled in polar orbit at more than 17,000 mph.

The Lake Erie and two other Navy warships, as well as the SM-3 missile and other components, were modified in a hurry-up project headed by the Navy in January. The missile alone cost nearly $10 million, and officials estimated that the total cost of the project was at least $30 million.

The launch of the Navy missile amounted to an unprecedented use of components of the Pentagon's missile defense system, which is designed to shoot down hostile ballistic missiles in flight, not to kill satellites.

The operation was so extraordinary, with such intense international publicity and political ramifications, that Defense Secretary Robert Gates, not a military commander, made the decision to pull the trigger.

Gates had arrived in Hawaii a few hours before the missile was launched. He was there to begin a round-the-world trip, not to monitor the missile operation. His press secretary, Geoff Morrell, told reporters traveling with Gates that the defense chief gave the go-ahead at 1:40 p.m. EST while en route from Washington.

Morrell said Gates had a conference call during the flight with Air Force Gen. Kevin Chilton, head of Strategic Command, and Marine Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff. They told him that "the conditions were ripe for an attempt, and that is when the secretary gave the go-ahead to take the shot, and wished them good luck," Morrell said.

At 10:35 p.m. EST, Gates spoke to both generals again and "was informed that the mission was a success, that the missile had intercepted the decaying satellite, and the secretary was obviously very pleased to learn that," said Morrell.

The government organized hazardous materials teams, under the code name "Burnt Frost," to be flown to the site of any dangerous or otherwise sensitive debris that might land in the United States or elsewhere.

Also, six federal response groups that are positioned across the country by the Federal Emergency Management Agency were alerted but had not been activated Wednesday, FEMA spokesman James McIntyre said before the missile launch. "These are purely precautionary and preparedness actions only," he said.

President Bush gave his approval last week to attempt the satellite shootdown on grounds that it was worth trying to destroy the toxic fuel on board the satellite before it could possibly land in a populated area.

The three-stage Navy missile, designated the SM-3, has chalked up a high rate of success in a series of tests since 2002, in each case targeting a short- or medium-range ballistic missile, never a satellite. A hurry-up program to adapt the missile for this anti-satellite mission was completed in a matter of weeks; Navy officials said the changes would be reversed once this satellite was down.

The government issued notices to aviators and mariners to remain clear of a section of the Pacific Ocean beginning at 10:30 p.m. EST Wednesday, indicating the first window of opportunity to launch the missile.

Having lost power shortly after it reached orbit in late 2006, the satellite was out of control and well below the altitude of a normal satellite. The Pentagon determined it should hit it with an SM-3 missile just before it re-entered Earth's atmosphere, in that way minimizing the amount of debris that would remain in space.

Left alone, the satellite would have been expected to hit Earth during the first week of March. About half of the 5,000-pound spacecraft would have been expected to survive its blazing descent through the atmosphere and would have scattered debris over several hundred miles.


The myth of the Ninja Hacker

In a talk at Black Hat D.C. 2008, two researchers set out to see whether phishing sites are really created by the "Einsteinian, ninja hackers" that the media makes them out to be.

In a talk titled "Bad Sushi: Beating Phishers at their own game," Nitesh Dhanjani and Billy Rios found not a sophisticated gang of elite coders, but hundreds of bad coders all copying one another, and often stealing from each other.

Dhanjani and Rios were critical of antiphishing products that rely on blacklists of known phishing sites, for two reasons. First, some legitimate server administrators may find their compromised account credentials visible in such lists. Second, the researchers themselves could open the lists and pick out which servers were currently compromised, and so can anyone else.

They followed one of the servers that had shown up on one black list multiple times. What they found was a poorly configured Internet-facing server, one that was easily compromised, and therefore hosting several phishing sites.

Once they found a compromised Web server, they then wondered: how hard is it to create an authentic-looking phishing site? Dhanjani and Rios found kits online, prepackaged with images and forms from Bank of America, Citibank, and PayPal, among others. Just install one of these kits on a compromised server and you're in business.

Looking deeper into the code used in these kits, they found that one kit had been copied many times with different images. Moreover, the creator of the kit was skimming from the people using it: every time someone fell for a phishing site, their personal data went not only to the phisher who put up the site but also to the author who wrote the kit.

With personal information flowing in, what does the average phisher do next? Dhanjani and Rios googled to find sites trading personal data--not a surprising find. What they found was that U.S. and U.K. IDs often sold for much less than European and Asian data. They could not account for the difference.

They also found forums and sites dedicated to ATM "skimming," the physical attachment of secondary card readers and keypad overlays to ATMs to capture account numbers and PINs. Often the ATM transaction goes through normally, and the customer doesn't realize the account has been compromised until later.

Dhanjani and Rios suggested that site administrators should lock down their sites so that phishing kits don't take root. They also suggested that sites require more security in order to raise the bar. By requiring a customer to use two-factor authentication, or a persistent cookie, many of the financial phishing sites would cease to be effective, they said.


Quebec police bust alleged hacker ring

Quebec provincial police said Wednesday they have dismantled what they called the largest and most damaging computer-hacking network ever uncovered in Canada.

During several action-packed early-morning hours Wednesday, provincial police and RCMP officers dismantled the latest hacking ring by successfully carrying out 17 lightning-fast raids in 12 towns small and large across Quebec, including Montreal.

They collared 17 hacking suspects aged 17 to 26. All are male except for one, a 19-year-old woman.

Some of the suspects were to appear in court Wednesday while others were released with the promise to appear.

Police raiding parties also sealed and carted away dozens of hard drives and other computer components from the homes of each of the suspects.

This hardware is believed to contain the smoking guns -- a bonanza of incriminating data to document the alleged ring, said SQ Capt. Frederick Gaudreau, lead investigator.

"This is a new form of organized crime," he proclaimed to reporters summoned to SQ headquarters in Montreal.

Savvy youngsters who've grown up with computers can take advantage of lax or inattentive users connected via broadband to the Internet.

That's what this ring did, Capt. Gaudreau alleged, adding that its operators extended their electronic tentacles from some of Quebec's smaller towns to seize control, via sophisticated remote-access software, of almost a million computers in more than 100 countries.

With so-called Trojan-horse and worm software, poorly protected computers can be hijacked and turned into so-called zombies, even while their users wonder why their Internet connection has slowed so dramatically.

The hackers, Capt. Gaudreau alleged, used these hijacking techniques to carry out identity theft, data theft of other kinds, spamming and denial-of-service attacks.

These acts caused an estimated $45-million in damages, Capt. Gaudreau added, to governments, businesses and individuals.

He refused to provide any further breakdown, such as an estimate of the volume of financial fraud committed.

The country's most notorious hacker to date was a 15-year-old Montrealer with the handle Mafiaboy.

The law provides a maximum of 10 years behind bars for illegal use of computer services -- but after crippling some of the world's most heavily trafficked Web sites eight years ago, Mafiaboy ended up with just eight months in youth detention.

Capt. Gaudreau issued repeated pleas for computer users to keep their anti-virus software up-to-date and to properly configure network firewalls.

Victims of the ring had neglected to do one or both -- opening the door for the ring's kingpins to plant malicious software programs with impunity, he alleged.

Each of the hackers detained Wednesday surreptitiously controlled an average of about 5,000 computers, Capt. Gaudreau alleged.

The victims were largely -- but not exclusively -- located outside Canada, he said.

The ring required "hundreds" of officers from the SQ and the RCMP to take down, he added.

The probe began in 2006, he said, following complaints from government agencies, businesses and individuals.

Painstaking forensic audits of thousands of gigabytes of computer data seized will now be required before provincial police can write the final chapter of this Internet saga.

Police expect the necessary evidence is likely to be served up on the dozens of computer hard drives confiscated Wednesday, Capt. Gaudreau said.

Many of the victims documented by investigators were located in Poland, Brazil and Mexico, he added.

Seven of those arrested Wednesday have been charged with illegally obtaining computer services, an offence that carries a maximum penalty of 10 years in prison.

Further charges against these seven could follow, Gaudreau said, depending on the data found on their computers.

Others were released after questioning, Gaudreau said, and haven't been charged but may face charges later.

The 17, communicating with each other largely via Internet, each operated with multiple computers, Capt. Gaudreau alleged, from 17 locations in 12 cities, towns and hamlets across the province.


Japan brings down Godzilla of spam

Japanese police have arrested a "prolific spammer" who allegedly bombarded inboxes with hundreds of millions of messages punting internet gambling and dating sites.

Investigators reckon Yuki Shiina, 25, sent as many as 2.2 billion spam messages using what appears to be rudimentary spamming techniques. Shiina reportedly faked the message headers of junk mail he sent in a bid to avoid detection, an offence against local anti-spam laws. The availability of appropriate anti-spam laws in Japan is noteworthy given the country's apparent lack of anti-malware laws. Shiina's arrest is not the first made in Japan over alleged junk mail offences. Four men suspected of sending an internet-congesting 5.4 billion spam emails to promote a dating website were arrested in January 2007.


Supreme Court rejects domestic wiretap appeal

The ACLU obtained a victory at the trial court level in August 2006. A federal judge in Michigan ruled that the NSA's once-secret terrorist surveillance program, which operated without court orders, "ran roughshod" over Americans' constitutional rights and violated federal wiretapping law.

The Supreme Court's decision, which arrived without comment, lets that opinion stand.

The Supreme Court's inaction does not, however, directly affect the roughly 40 related cases pending before a federal judge in San Francisco, within the Ninth Circuit.


Hacker holds onto ill-gotten gains thanks to US courts

Oleksandr Dorozhko made almost $300,000 in stock-option trading using inside information obtained after someone hacked into the network of a company called IMS Health. Jeremiah Grossman, the CTO of WhiteHat Security, says that the loophole, if left open, could also aid hacks that technically don't require bypassing password requirements or other security measures. Prosecutors with the Justice Department are probably free to file criminal charges against Dorozhko for computer hacking. So thanks to the arcana of US securities laws, illegal hacking does pay.


Saboteurs may have cut Mideast telecom cables: UN agency

Five undersea cables were damaged in late January and early February leading to disruption to Internet and telephone services in parts of the Middle East and south Asia.

The Falcon cable has since been repaired, along with the Flag Europe Asia (FEA) cable which was damaged off Egypt's Mediterranean coast. The status of the remaining cables is still unclear.

Posted in | 0 comments

Judge Shuts Down Web Site Specializing in Leak

In a move that legal experts said could present a major test of First Amendment rights in the Internet era, a federal judge in San Francisco on Friday ordered the disabling of a Web site devoted to disclosing confidential information.

The site, Wikileaks.org, invites people to post leaked materials with the goal of discouraging “unethical behavior” by corporations and governments. It has posted documents said to show the rules of engagement for American troops in Iraq, a military manual for the operation of the detention center at Guantánamo Bay, Cuba, and other evidence of what it has called corporate waste and wrongdoing.

The case in San Francisco was brought by a Cayman Islands bank, Julius Baer Bank and Trust. In court papers, the bank said that “a disgruntled ex-employee who has engaged in a harassment and terror campaign” provided stolen documents to Wikileaks in violation of a confidentiality agreement and banking laws. According to Wikileaks, “the documents allegedly reveal secret Julius Baer trust structures used for asset hiding, money laundering and tax evasion.”

On Friday, Judge Jeffrey S. White of Federal District Court in San Francisco granted a permanent injunction ordering Dynadot, the site’s domain name registrar, to disable the Wikileaks.org domain name. The order had the effect of locking the front door to the site — a largely ineffectual action that kept back doors to the site, and several copies of it, available to sophisticated Web users who knew where to look.

Domain registrars like Dynadot, Register.com and GoDaddy.com provide domain names — the Web addresses users type into browsers — to Web site operators for a monthly fee. Judge White ordered Dynadot to disable the Wikileaks.org address and “lock” it to prevent the organization from transferring the name to another registrar.

The feebleness of the action suggests that the bank, and the judge, did not understand how the domain system works, or how quickly Web communities will move to counter actions they see as hostile to free speech online.

The site itself could still be accessed at its Internet Protocol address (http://88.80.13.160/) — the unique number that specifies a Web site’s location on the Internet. Wikileaks also maintained “mirror sites,” or copies usually produced to ensure against failures and this kind of legal action. Some sites were registered in Belgium (http://wikileaks.be/), Germany (http://wikileaks.de) and Christmas Island (http://wikileaks.cx) through domain registrars other than Dynadot, and so were not affected by the injunction.

Fans of the site and its mission rushed to publicize those alternate addresses this week. They have also distributed copies of the bank information on their own sites and via peer-to-peer file sharing networks.

In a separate order, also issued on Friday, Judge White ordered Wikileaks to stop distributing the bank documents. The second order, which the judge called an amended temporary restraining order, did not refer to the permanent injunction but may have been an effort to narrow it.

Lawyers for the bank and Dynadot did not respond to requests for comment. Judge White has scheduled a hearing in the case for Feb. 29.

In a statement on its site, Wikileaks compared Judge White’s orders to ones eventually overturned by the United States Supreme Court in the Pentagon Papers case in 1971. In that case, the federal government sought to enjoin publication by The New York Times and The Washington Post of a secret history of the Vietnam War.

“The Wikileaks injunction is the equivalent of forcing The Times’s printers to print blank pages and its power company to turn off press power,” the site said, referring to the order that sought to disable the entire site.

The site said it was founded by dissidents in China and journalists, mathematicians and computer specialists in the United States, Taiwan, Europe, Australia and South Africa. Its goal, it said, is to develop “an uncensorable Wikipedia for untraceable mass document leaking and analysis.”

Judge White’s order disabling the entire site “is clearly not constitutional,” said David Ardia, the director of the Citizen Media Law Project at Harvard Law School. “There is no justification under the First Amendment for shutting down an entire Web site.”

The narrower order, forbidding the dissemination of the disputed documents, is a more classic prior restraint on publication. Such orders are disfavored under the First Amendment and almost never survive appellate scrutiny.

Posted in | 0 comments

Exploit code targets Microsoft flaw

A security researcher has posted code for an exploit targeting a component of Microsoft Office.

The vulnerability lies in a conversion tool used to convert Microsoft Works WPS files into Word RTF files. The flaw could allow an attacker to remotely execute code on a user's system.

Microsoft repaired the vulnerability as part of its monthly security release on 12 February.

When the update was released Microsoft credited discovery of the flaw to iDefense, which in turn credited security researcher Damian Put.

Two days after the patch was released, a user by the name of 'chujwamwdupe' posted the sample exploit code to security site milw0rm.

The US Computer Emergency Readiness Team (US-CERT) urged users to protect against the vulnerability by installing Microsoft's most recent security update.

Posted in | 0 comments

Botsniffer tackles back end of hacking

Boffins at Georgia Tech have come up with a prototype of a seek-and-destroy system to eradicate botnets.

The unfortunately named BotSniffer uses anomaly detection to spot botnet command and control channels in a LAN.

Since it needs no knowledge of signatures or server addresses, it can detect and disrupt botnet-infected hosts in any network.

The boffins showed off BotSniffer at the Internet Society's Network and Distributed System Security Symposium.

They wowed delegates with its ability to pick out command and control traffic using statistical algorithms rather than signatures.

BotSniffer can also be installed as a plug-in for the open source Snort intrusion detection system. So it will soon be possible to Snort a plugin while sniffing your bot.
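
The group-correlation idea behind this kind of detection, as an added example (Node.js) that is not code from the article or from BotSniffer: several LAN hosts that contact the same external endpoint on the same schedule and get near-identical replies stand out without any signature or server blacklist. The flow records, window size and thresholds are constructed here, and the scoring is a simplified sketch rather than the research prototype's algorithm.

```javascript
// Constructed flow records: [seconds, internal host, destination, bytes returned by server].
const FLOWS = [
  // C&C-like: three hosts beacon to the same endpoint every ~60 s and get near-identical replies
  [   0, "10.0.0.11", "203.0.113.7:6667", 512],
  [   1, "10.0.0.12", "203.0.113.7:6667", 510],
  [   2, "10.0.0.13", "203.0.113.7:6667", 514],
  [  60, "10.0.0.11", "203.0.113.7:6667", 512],
  [  61, "10.0.0.12", "203.0.113.7:6667", 512],
  [  63, "10.0.0.13", "203.0.113.7:6667", 510],
  [ 120, "10.0.0.11", "203.0.113.7:6667", 514],
  [ 121, "10.0.0.12", "203.0.113.7:6667", 512],
  [ 122, "10.0.0.13", "203.0.113.7:6667", 512],
  [ 180, "10.0.0.11", "203.0.113.7:6667", 512],
  [ 182, "10.0.0.12", "203.0.113.7:6667", 510],
  [ 183, "10.0.0.13", "203.0.113.7:6667", 512],
  // ordinary web traffic: several hosts, uncorrelated timing, varied response sizes
  [   5, "10.0.0.11", "198.51.100.20:443", 18240],
  [  37, "10.0.0.21", "198.51.100.20:443",  2210],
  [  95, "10.0.0.22", "198.51.100.20:443", 64011],
  [ 140, "10.0.0.23", "198.51.100.20:443",  7730],
  [ 170, "10.0.0.21", "198.51.100.20:443", 12005],
  // one host polling a server: regular, but not a group
  [  10, "10.0.0.22", "198.51.100.21:80", 300],
  [  70, "10.0.0.22", "198.51.100.21:80", 300],
  [ 130, "10.0.0.22", "198.51.100.21:80", 300],
];

function analyseFlows(flows, opts = {}) {
  const { windowSec = 60, minHosts = 3, minGroupRatio = 0.5, maxSizeCv = 0.1 } = opts;
  const byDst = new Map();
  for (const [t, src, dst, bytes] of flows) {
    if (!byDst.has(dst)) byDst.set(dst, []);
    byDst.get(dst).push({ t, src, bytes });
  }
  const results = [];
  for (const [dst, recs] of byDst) {
    const hosts = new Set(recs.map(r => r.src));
    if (hosts.size < minHosts) continue;            // a single host polling is not a group
    // Temporal correlation: in what share of active windows did most of the group show up together?
    const windows = new Map();
    for (const r of recs) {
      const w = Math.floor(r.t / windowSec);
      if (!windows.has(w)) windows.set(w, new Set());
      windows.get(w).add(r.src);
    }
    let groupWindows = 0;
    for (const active of windows.values()) if (active.size >= (2 / 3) * hosts.size) groupWindows++;
    const groupRatio = groupWindows / windows.size;
    // Response homogeneity: coefficient of variation of server-to-client bytes
    const sizes = recs.map(r => r.bytes);
    const mean = sizes.reduce((a, b) => a + b, 0) / sizes.length;
    const sd = Math.sqrt(sizes.reduce((a, b) => a + (b - mean) ** 2, 0) / sizes.length);
    const sizeCv = sd / mean;
    results.push({ dst, hosts: hosts.size, groupRatio, sizeCv,
                   suspicious: groupRatio >= minGroupRatio && sizeCv <= maxSizeCv });
  }
  return results;
}

function suspiciousEndpoints(flows) {
  return analyseFlows(flows).filter(r => r.suspicious).map(r => r.dst);
}

console.log(analyseFlows(FLOWS));
```

Only 203.0.113.7:6667 is flagged: four out of four windows show the whole group and the reply sizes barely vary. The web server has more hosts but no synchrony and wildly different response sizes; the lone poller never reaches the group threshold. Real traffic needs longer baselines and a whitelist for legitimately synchronised services such as update servers, but the shape of the check is the same.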

Posted in | 1 comments

Photo frames hack game accounts

Reports are emerging of a dangerous computer virus called Mocmex - capable of hacking online gaming accounts - finding its way onto home PCs via digital photo frames.

The frames in question - made in China for Insignia, and sold in the US by the huge Best Buy chain - have been discontinued, but not recalled. However, says Engadget, the virus threat they represent is worse than originally thought.

Mocmex is able to block many types of anti-virus software and bypass the Windows firewall (it attacks only Windows PCs). It's set to steal gaming passwords at present, but experts at Computer Associates say it's capable of stealing any personal information on your machine.

The hacking and strip-mining of online gaming accounts, particularly MMOs, can be a profitable business, with one player's in-game items and currency potentially worth thousands of dollars.

If you insist on replacing the most mundane, everyday objects in your life with digital gadgets, we might suggest that having a picture frame steal your virtual sword is exactly the fate you deserve. But then, we're a bit old-fashioned like that.

Posted in | 0 comments

Nanny agency hacker fined

A woman who admitted rifling through emails in AOL accounts maintained by her former employer, Nannies Inc, while working for a competitor agency, has been fined £500 plus £60 costs.

Susan Holmes, 36, of Beckenham in Kent, pleaded guilty to unauthorised access to a computer (contrary to section one of the Computer Misuse Act 1990) at a hearing at Horseferry Road Magistrates Court last Friday (15 February).

Nannies Inc uses an AOL account to handle registration forms. A marked drop off in emails sent to that account between January and March 2007 led to suspicions that something was amiss.

Analysis of the connection logs from AOL found several connections from a suspect IP address, later traced back to Holmes. Although Holmes had left Nannies Inc five months previously, she was still reading company email, a breach made possible by the child care agency's failure to change email passwords after her exit.

Holmes was arrested in October following an investigation by officers at the Specialist Computer Crime Unit at Scotland Yard.

Posted in | 0 comments

Ukrainian hacker may get to keep profits

A Ukrainian hacker may be allowed to keep over $250,000 in profits owing to a loophole in US law.

Oleksandr Dorozhko is alleged to have hacked into the servers of IMS Health and taken a look at the company's forthcoming results announcement hours before its release to the stock market.

Dorozhko placed a series of sell orders on the stock, investing $41,671 of his own money in put options that would be worthless in three days unless the stock fell.

When the results, which were disappointing, were released the stock fell sharply and Dorozhko made $296,456 on the trade.

The deal set off warning bells on the US Securities and Exchange Commission (SEC) computer systems that watch for insider trading, and the brokerage account containing the funds was frozen.

But because the stock information was obtained by hacking, rather than from a personal tip-off, a judge has ruled that there is no legal way to deny the money to Dorozhko.

"Dorozhko's alleged 'stealing and trading' or 'hacking and trading' does not amount to a violation of securities laws," US District Judge Naomi Reice Buchwald ruled last month, according to The New York Times.

"Dorozhko did not breach any fiduciary or similar duty 'in connection with' the purchase or sale of a security."

While the judge acknowledged the absurdity of the situation, she said that the only way to proceed was with a hacking prosecution against Dorozhko.

But the US Department of Justice has already refused to do this on the ground that obtaining a prosecution in Ukraine would be too difficult.

The SEC still maintains that the information was obtained by deception, but from a computer system and not a human being.

Dorozhko's lawyer is fighting this assertion, however. "They want you to believe that there is a deception of a computer," he said. "All there is is a high-tech lock pick."

Posted in | 0 comments

Reduce your exposure to AJAX threats

Three-step guide

Fundamentally, there's nothing terribly new about the security problems posed by Asynchronous JavaScript and XML (AJAX); we just need to apply some good old security principles to this new technology.

The problems occur because, unfortunately, there are an awful lot of devils hidden inside the details.

One major security challenge for AJAX applications is that moving your code to the client involves a ton of data formats, protocols, parsers, and interpreters. These include JavaScript, VBScript, Flash, JSON, XML, REST, XmlHttpRequest, XSLT, CSS and HTML in addition to your existing server-side technologies. As if that wasn't enough, each of the AJAX frameworks has its own data formats and custom framework formats.

An application's "attack surface" approximates the ways in which an attacker can cause damage to your application or its users. The more technologies you use, the bigger your attack surface.

Here, then, are three simple ways of reducing your AJAX application's attack surface:

Know what runs where

AJAX is making it increasingly difficult to be sure where your code is going to run. Take the Google Web Toolkit (GWT) for example. You program in Java and the environment takes some of that code and compiles it to JavaScript that runs on the client. If you make a mistake and implement authentication, access control, validation, or other security checks in the code that runs on the client, an attacker can simply bypass them with Firebug.

Imagine you've carefully coded rules to be sure that administrative functions are never shown to ordinary users. This sounds good, but you forgot that the user interface code is running on the client. So the attacker uses Firebug to invoke the administrative functions. If the proper checks aren't in place on the server side, the attacker just gained administrative rights. Many Rich Internet Application (RIA) frameworks also have this issue.

The solution is to draw the boundary between client and server explicitly, and to treat any check made on the client as a convenience that the server must repeat before acting.

Keep data separate from code

Hackers frequently use a technique called "injection" to bury commands inside innocent-looking data and get interpreters to execute their commands for them. This simple trick is at the heart of many security attacks including SQL injection, command injection, LDAP injection, XSS, and buffer overflows. Preventing injection in a target-rich environment like the modern browser takes discipline.

The key to stopping injection attacks is never executing data that might contain code. But with AJAX, lots of data and code get passed around and mashed together in the DOM. There has never been a data structure that mixes together code and data more than modern HTML.

So be very careful with data that might include user input. Assume it's an attack unless you've carefully canonicalized, validated, and properly encoded it. Imagine you're invoking a REST interface and the request contains user data. The response you receive is a JSON string that includes that user data. Don't evaluate that string until you're sure that there can't be anything but safe data in there. Even just adding that data to the DOM might be enough to get it to execute if there's JavaScript code buried in there.

Beware encoding

Encoding makes everything complicated. Attackers can hide their attacks inside innocent-looking data by encoding it. Back-end systems may recognize the encoding used and execute the attack. Or they may decode the attack and pass it on to a system that's vulnerable to it.

Attackers may use multiple different encoding schemes, or even double encode to tunnel their attacks through innocent systems. There are dozens and dozens of encoding schemes and no way to tell which schemes will be recognized by the interpreters you're using. This makes recognizing attacks very difficult, if not impossible.

Every time you send or receive data both sides have to know the intended encoding. Never try to make a "best effort" attempt to guess the right encoding. You can't prevent an attacker from sending data with some other encoding through the channel, but you don't have to execute it. Here are a few examples:

Set HTTP encoding in the header:

    Content-Type: text/xml; charset=utf-8

Use a meta tag in the HTML:

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

Set XML encoding in the first line of XML documents:

    <?xml version="1.0" encoding="utf-8"?>

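Declaring the charset settles the character encoding of the channel; the multiple and double encodings described above (percent, HTML entity, JavaScript escapes) still arrive inside the data. The usual defence is to canonicalize before validating and to treat stacked encodings as a signal in themselves. As an added example (Node.js) that is not code from the original article: the decoder set, thresholds and inputs are constructed here, and percent decoding is done byte-wise, without UTF-8 reassembly, to keep the illustration short.

```javascript
// Decoders for the schemes we are prepared to recognise. Each returns its input
// unchanged when nothing in that scheme is present.
const DECODERS = {
  percent: s => s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))),
  htmlEntity: s => s
    .replace(/&#x([0-9a-fA-F]+);/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot);/g, (_, n) => ({ lt: "<", gt: ">", amp: "&", quot: '"' })[n]),
  jsUnicode: s => s.replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16))),
};

// Decode repeatedly until nothing changes, recording which schemes fired and how
// many passes it took. A legitimate client encodes once; more than one pass, or
// more than one scheme, means encodings were stacked to tunnel past a filter.
function canonicalize(input, maxPasses = 8) {
  let value = input, passes = 0;
  const schemes = [];
  while (passes < maxPasses) {
    let changed = false;
    for (const [name, decode] of Object.entries(DECODERS)) {
      const out = decode(value);
      if (out !== value) { schemes.push(name); value = out; changed = true; }
    }
    if (!changed) break;
    passes++;
  }
  return { value, passes, schemes, mixed: new Set(schemes).size > 1 };
}

// Validate the canonical form against a whitelist, never the raw form.
function acceptInput(raw) {
  const c = canonicalize(raw);
  if (c.passes > 1 || c.mixed) return { ok: false, reason: "multiple encoding layers", canonical: c.value };
  if (!/^[\w.@-]{1,64}$/.test(c.value)) return { ok: false, reason: "invalid characters", canonical: c.value };
  return { ok: true, reason: null, canonical: c.value };
}

console.log(acceptInput("alice%40example.com"));      // ok: one layer, canonical form passes the whitelist
console.log(acceptInput("%3Cscript%3E"));             // rejected: decodes cleanly but fails the whitelist
console.log(acceptInput("%253Cscript%253E"));         // rejected: double percent-encoded
console.log(acceptInput("%26lt%3Bscript%26gt%3B"));   // rejected: percent wrapped around HTML entities
```

The point of recording passes and schemes, rather than just looping until stable, is that the "how many layers" answer is itself the detection: a filter that merely decodes once and then validates lets `%253Cscript%253E` through as the harmless string `%3Cscript%3E`, which a downstream component then decodes again.
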
Nail it

Remember, your AJAX application's attack surface is under your control. The choices you make can drastically affect the size of your application's attack surface. Be sure you ask questions about where your code runs, what data formats and protocols are involved, and which parsers and interpreters get invoked. And most importantly, be sure to nail down how you're going to keep code and data separate.

Posted in | 0 comments

Guide and sample: how to hack the lobby telephone

Two security researchers at ShmooCon demonstrated on Saturday how a laptop connected to a VoIP telephone could, in some cases, expose a business' internal network to outsiders.

John Kindervag, senior security architect for Vigilar, said that public waiting areas in hospitals, conference rooms, and hotel rooms are particularly vulnerable to this attack since often there is no IT staff around. Appearing on stage at the East Coast computer hacker conference with Kindervag was Jason Ostrom, manager of Vigilar's Vulnerability Assessment and Compliance Practice team, who used the ShmooCon conference to show off his latest version of VoIP Hopper, a tool he uses for penetration testing of companies that are running voice over IP phone systems.

Kindervag said that VoIP was gaining acceptance with large companies and organizations for many reasons: there are no toll calls over the Internet; there's less cabling involved; employees can move offices without having to rewire or change switching operations for their phones; and finally, voice mail notices can appear in one's Outlook inbox. "This is very popular among CIOs," Kindervag said.

But Ostrom's tool allows one to hook up a laptop computer to a public VoIP phone and join the organisation's internal voice network as if the laptop were the phone. VoIP Hopper listens for Cisco Discovery Protocol (CDP) advertisements, which announce the device type and the SNMP agent address of neighbouring devices, and automatically creates a new Ethernet interface on the network the phone uses. This could allow someone to map or otherwise do damage to a company's network from a public waiting area. The tool also allows one to physically remove the phone and have a laptop spoof the phone's MAC address, so the network is unaware that a laptop has replaced the expected phone.

To prevent such attacks, the researchers recommend turning off CDP. They also recommend disabling the second (PC) port on any VoIP phone in a public area, and placing public phones behind a firewall.
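
What a laptop on the phone's PC port learns from a single CDP advertisement, as an added example (Node.js) that is not code from the article or from VoIP Hopper. The frame layout (1-byte version, 1-byte TTL, 2-byte checksum, then type/length/value records whose length counts its own 4-byte header) and the TLV type numbers are CDP's; the switch name, port, platform and VLAN numbers in SAMPLE_FRAME are invented, and its checksum is left at zero rather than computed.

```javascript
// CDP TLV types used here (Cisco Discovery Protocol).
const TLV = { DEVICE_ID: 0x0001, PORT_ID: 0x0003, PLATFORM: 0x0006, NATIVE_VLAN: 0x000a, VOIP_VLAN_REPLY: 0x000e };

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n, 0); return b; }
function tlv(type, payload) { return Buffer.concat([u16(type), u16(4 + payload.length), payload]); }

// A constructed advertisement of the kind a switch sends down the drop a lobby phone hangs on.
const SAMPLE_FRAME = Buffer.concat([
  Buffer.from([0x02, 0xb4, 0x00, 0x00]),                     // version 2, TTL 180 s, checksum (not verified here)
  tlv(TLV.DEVICE_ID, Buffer.from("lobby-sw1", "latin1")),    // switch hostname (invented)
  tlv(TLV.PORT_ID, Buffer.from("FastEthernet0/12", "latin1")),
  tlv(TLV.PLATFORM, Buffer.from("cisco WS-C3560-48PS", "latin1")),
  tlv(TLV.NATIVE_VLAN, u16(100)),                            // data VLAN the PC port lands on
  tlv(TLV.VOIP_VLAN_REPLY, Buffer.concat([Buffer.from([0x01]), u16(200)])), // one data byte, then the voice VLAN
]);

function parseCdp(buf) {
  if (buf.length < 4) throw new Error("truncated CDP header");
  const info = { version: buf[0], ttl: buf[1], other: [] };
  let off = 4;
  while (off + 4 <= buf.length) {
    const type = buf.readUInt16BE(off);
    const len = buf.readUInt16BE(off + 2);
    if (len < 4 || off + len > buf.length) throw new Error(`bad TLV length ${len} at offset ${off}`);
    const value = buf.subarray(off + 4, off + len);
    switch (type) {
      case TLV.DEVICE_ID:   info.deviceId = value.toString("latin1"); break;
      case TLV.PORT_ID:     info.portId = value.toString("latin1"); break;
      case TLV.PLATFORM:    info.platform = value.toString("latin1"); break;
      case TLV.NATIVE_VLAN: if (value.length === 2) info.nativeVlan = value.readUInt16BE(0); break;
      case TLV.VOIP_VLAN_REPLY: if (value.length === 3) info.voiceVlan = value.readUInt16BE(1); break;
      default: info.other.push({ type, length: len });      // addresses, capabilities, software version, ...
    }
    off += len;
  }
  if (off !== buf.length) throw new Error("trailing bytes after last TLV");
  return info;
}

console.log(parseCdp(SAMPLE_FRAME));
```

The voice VLAN number is the one fact the attack needs: tag the laptop's frames with it and the switch treats them as phone traffic. The switch name, model and port are a free network map on top. Disabling CDP on phone-facing ports removes the advertisement; it does not stop someone guessing the VLAN or cloning the phone's MAC address, which is why the researchers also want the PC port off and the phone behind a firewall.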

Posted in | 0 comments

Cyborgs will be born by the year 2029

Machines will achieve human-level artificial intelligence by 2029, a leading US inventor has predicted.

Humanity is on the brink of advances that will see tiny robots implanted in people's brains to make them more intelligent, said Ray Kurzweil.

The engineer believes machines and humans will eventually merge through devices implanted in the body to boost intelligence and health.

"It's really part of our civilisation," Mr Kurzweil explained.

"But that's not going to be an alien invasion of intelligent machines to displace us."

Machines were already doing hundreds of things humans used to do, at human levels of intelligence or better, in many different areas, he said.

Man versus machine

"I've made the case that we will have both the hardware and the software to achieve human level artificial intelligence with the broad suppleness of human intelligence including our emotional intelligence by 2029," he said.

"We're already a human machine civilisation; we use our technology to expand our physical and mental horizons and this will be a further extension of that."

Humans and machines would eventually merge, by means of devices embedded in people's bodies to keep them healthy and improve their intelligence, predicted Mr Kurzweil.

"We'll have intelligent nanobots go into our brains through the capillaries and interact directly with our biological neurons," he told BBC News.

The nanobots, he said, would "make us smarter, remember things better and automatically go into full emergent virtual reality environments through the nervous system".

Mr Kurzweil is one of 18 influential thinkers chosen to identify the great technological challenges facing humanity in the 21st century by the US National Academy of Engineering.

The experts include Google founder Larry Page and genome pioneer Dr Craig Venter.

The 14 challenges were announced at the annual meeting of the American Association for the Advancement of Science in Boston, which concludes on Monday.

Posted in | 0 comments

Microsoft's evil secret

Microsoft is taking a leaf out of the virus writers' handbook, hoping to use friendly "worms" to distribute software patches surreptitiously.

Like the malicious worms that spread from computer to computer by self-replicating and automatically seeking out new computers to infect, the friendly worms will be used to distribute updates to users without forcing them to download anything from a central server.

The research is being spearheaded by a team from Microsoft Research in Britain, and opens up the possibility of worm races between virus writers and the software companies to see who can reach vulnerable machines faster.

Unlike malicious worms, which seek to exploit vulnerabilities in operating systems, the friendly worms would seek to patch those vulnerabilities before the computer is attacked.

Milan Vojnovic, who is part of the research team, told New Scientist his friendly worms would be more efficient than malicious worms because they were smarter at seeking out vulnerable, unpatched machines. They could then "infect" a network of computers using the smallest number of probes.

Vojnovic said his worms were capable of learning from past experience.

The worm starts by randomly probing for an uninfected host and then targets other computers on the same network. If it fails to find a cluster of uninfected hosts it changes its strategy in order to maximise the number of computers it can patch.

"After it fails to reach new uninfected hosts a fixed number of times in a row, say 10, it moves on to find new groups using random sampling," Vojnovic told New Scientist.
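
The probing strategy described above, simulated over a toy address space as an added example (Node.js): 16 /24 networks (4096 addresses) in which the unpatched hosts sit in four clusters, a pure random sampler, and a sampler that stays in a /24 after a hit and gives up after ten consecutive misses, as Vojnovic describes. The population, seed and thresholds are constructed here; this is not Microsoft Research's code, and it probes nothing real.

```javascript
const SPACE = 4096;                       // addresses 0..4095; network number = addr >> 8

function mulberry32(seed) {               // small deterministic PRNG so runs are reproducible
  return function () {
    seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed population: `perNet` vulnerable hosts in each listed /24.
function buildPopulation(seed, nets, perNet) {
  const rnd = mulberry32(seed), vuln = new Set();
  for (const net of nets) {
    const offsets = new Set();
    while (offsets.size < perNet) offsets.add(Math.floor(rnd() * 256));
    for (const off of offsets) vuln.add((net << 8) | off);
  }
  return vuln;
}

// Probe until `target` vulnerable hosts have been reached; return the probe count.
// "random": uniform sampling of not-yet-probed addresses.
// "local":  after a hit, keep probing the same /24; after `giveUp` misses in a row,
//           fall back to random sampling until the next hit.
function simulate(vuln, strategy, target, seed, giveUp = 10) {
  const rnd = mulberry32(seed);
  const probed = new Set();
  let reached = 0, probes = 0, localNet = null, misses = 0;
  while (reached < target) {
    let addr = null;
    if (strategy === "local" && localNet !== null) {
      const cands = [];
      for (let off = 0; off < 256; off++) {
        const a = (localNet << 8) | off;
        if (!probed.has(a)) cands.push(a);
      }
      if (cands.length === 0) { localNet = null; continue; }   // subnet fully swept
      addr = cands[Math.floor(rnd() * cands.length)];
    } else {
      do { addr = Math.floor(rnd() * SPACE); } while (probed.has(addr));
    }
    probed.add(addr); probes++;
    if (vuln.has(addr)) {
      reached++; misses = 0;
      if (strategy === "local") localNet = addr >> 8;
    } else if (localNet !== null && ++misses >= giveUp) {
      localNet = null; misses = 0;                             // cluster looks exhausted
    }
  }
  return probes;
}

function compare(seed = 42) {
  const vuln = buildPopulation(seed, [1, 5, 9, 13], 50);
  const half = vuln.size / 2;
  return {
    vulnerable: vuln.size,
    randomProbesToHalf: simulate(vuln, "random", half, seed),
    localProbesToHalf:  simulate(vuln, "local", half, seed),
    randomProbesToAll:  simulate(vuln, "random", vuln.size, seed),
    localProbesToAll:   simulate(vuln, "local", vuln.size, seed),
  };
}

console.log(compare());
```

Because both samplers never probe an address twice, each is bounded by 4096 probes and both eventually reach every host; the difference is in how fast. Random sampling needs roughly half the address space to reach half the vulnerable hosts, while local preference gets there in a fraction of that because one hit in a cluster leads straight to its neighbours. The same arithmetic is what makes clustered, unpatched populations so attractive to the malicious worms the article compares this to.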

The Microsoft research will be presented at the 27th Conference on Computer Communications (IEEE INFOCOM) in the United States in April.

According to a recently released Sophos Security Threat Report, the "Storm" worm was 2007's most disruptive computer threat, with about 50,000 variants seen over the course of the year.

The worm spread via links inside spam emails disguised as news alerts, electronic greeting cards and videos.

Posted in | 0 comments

Latest malware lure is the US elections

The US presidential primaries have become the latest lure for spreading malware as attackers use 'videos' of candidates to tempt users into downloading Trojan applications.

Researchers at Symantec and McAfee reported that malware distributors are using presidential candidate Hillary Clinton as bait for a malicious file download.

Symantec warned of an attack which uses spam emails to spread a 'video' of Clinton. A file named 'mpg.exe' downloads another Trojan application which infects the user's system.

Researchers at McAfee noted a similar attack which uses links hidden inside emails again promising a video of Clinton but redirecting to a page hosted on Google ads.

That page then redirects to another site which attempts to download and install a Trojan application.

The attacks have surfaced eight days after Super Tuesday on which a number of large states cast their votes for each party's presidential candidate.

"It is surprising that we did not see more of this attack yesterday, one week after Super Tuesday," said McAfee researcher Alex Hinchliffe in a company blog post.

McAfee noted that the Clinton emails are similar to a series of attacks claiming to offer videos of Jennifer Lopez, Beyoncé and Britney Spears.

"We urge you to be vigilant and keep your anti-spam and anti-malware protection up to date," wrote Hinchliffe. "Remember, if it sounds too good to be true, it normally is."

Posted in | 0 comments