
China Expands Internet Controls: Register Or Be Blocked

BEIJING — China has issued new regulations that expand its Internet controls by tightening procedures for domain name registration.
The Ministry of Industry and Information Technology posted the new rules over the weekend, part of a three-phase plan to target what it called pornography accessible through cell phones.
The regulations require telecom companies and Internet service providers to carry out "complete and thorough" checks to determine if Web sites are officially registered. Any Web sites that have not registered with the ministry should be taken off the Internet, the order says.
But the new rules have the potential to freeze out thousands of legitimate Web sites by creating a pre-approved "whitelist" of sites.
The rules also tighten the registration process for domain names. Any service provider must have a business license, and the Web site itself must also have a business license or be registered, which would appear to prohibit sites set up by individuals.
It was unclear if the new rules would apply to foreign Web sites, though many sites have already been blocked by China's Internet authorities, including YouTube, Facebook, Twitter and a host of other media and news Web sites.
Beijing's pervasive policing of cyberspace and attempts to block the Internet – among the world's most stringent – are often referred to as the "Great Firewall of China."
The communist government says the main targets of its Web censorship are pornography, gambling and other sites deemed harmful to society. Critics, however, say that often acts as cover for detecting and blocking sensitive political content.
Earlier this year, China had backed down from a requirement for new computers to be loaded with a controversial Internet-filtering software known as Green Dam Youth Escort after a major outcry from Chinese citizens and computer companies. That software had also been introduced as a filter against porn.
___________
On the Net: (in Chinese) http://www.miit.gov.cn

Hackers Brew Self-Destruct Code to Counter Police Forensics

Hackers have released an application designed to thwart a Microsoft-packaged forensic toolkit used by law enforcement agencies to examine a suspect’s hard drive during a raid.
The hacker tool, dubbed DECAF, is designed to counteract the Computer Online Forensic Evidence Extractor, aka COFEE. The latter is a suite of 150 bundled, off-the-shelf forensic tools that run from a script. Microsoft combined the programs into a portable tool that can be used by law enforcement agents in the field before they bring a computer back to their forensic lab. The script runs on a USB stick that agents plug into the machine.
The tools scan files and gather information about activities performed on the machine, such as where the user surfed on the internet or what files were downloaded.

Someone submitted the COFEE suite to the whistleblower site Cryptome last month, prompting Microsoft lawyers to issue a take-down notice to the site. The tool was also being distributed through the BitTorrent file sharing network.
This week two unnamed hackers released DECAF, an application that monitors a computer for any signs that COFEE is operating on the machine.
According to The Register, the program deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks.
The hackers say that later releases of the program will allow computer owners to remotely lock down their machine once they detect that it has fallen into law enforcement hands. The hackers, however, have not released source code for the program, which would make it easy for anyone to see if the program contains malware that might also harm a computer or allow the attackers to take control of it.
Update: The developers of DECAF have taken issue with Threat Level referring to them as hackers. “We’re just two developers who support the free flow of information and privacy,” one of them wrote Threat Level in an anonymous e-mail. “You could say we’re just average joes.”
Photo: Jim Forest/Flickr

Google's reCAPTCHA busted by new attack

Significant success rate

A security researcher has devised a successful attack on a Google-owned system for blocking malicious scripts on web-based email services and other types of sites.

The attack, described in a paper released Saturday, uses a combination of OCR, or optical character recognition, techniques and other methods to break reCAPTCHA, a widely used security measure acquired by Google in September. Short for Completely Automated Public Turing test to tell Computers and Humans Apart, the CAPTCHA is designed to block automated scripts from carrying out certain tasks by first requiring users to solve optical puzzles that aren't easily cracked by computers.

Jonathan Wilkins of iSEC Partners said the method had a total success rate of 17.5 percent against reCAPTCHA. The rate is significant because of the wide use of botnets by spammers and other miscreants. Even a modest-sized network of 10,000 infected machines with a success rate of 0.01 percent would yield 10 successes every second. That could translate into 864,000 new accounts every day, he said.
"Given this, the attacker doesn't have to rebuild a complete set of solutions, just enough to get this minimal success rate," Wilkins wrote.
A Google spokesman said the data collected in the report was collected in early 2008 and didn't reflect enhancements made to reCAPTCHA since then.
"Therefore, this study does not reflect the effectiveness of reCAPTCHA's current technology against machine solvers," the spokesman wrote in an email. "We've found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we've received very positive feedback from customers."
reCAPTCHA is employed on a variety of websites when visitors want to create accounts or carry out other actions that are often exploited by malicious scripts. It presents users with two words scanned from text books, one that is recognized by OCR software and one that is not. Presentation is manipulated by warping the letters and adding lines. The result is text that is easy for humans to recognize but difficult for computer programs to parse.
One of reCAPTCHA's biggest weaknesses is that it uses English words that are usually found in a dictionary, giving crackers a readily available way to check the accuracy of their guesses. Also diluting its effectiveness, the system accepts "off-by-one" errors such as "lone" instead of "tone." Wilkins also found that the lines added to confuse OCR methods were easily eliminated using processes known as erode and dilate.
A technique known as separation was also key in breaking optical puzzles into their individual letters.
"Running against 200 challenges, this method solved 10 correctly. A success rate of 5 percent," Wilkins wrote. "It further got one word correct in 25 other cases. If we presume that in half of the cases the failed word would be the unknown word for reCAPTCHA, this gives us a total success rate of 17.5 percent."
reCAPTCHA was designed by researchers from Carnegie Mellon University as a way to solve two problems at once: scanning books more accurately and preventing automated scripts from wreaking havoc on public websites. Scanned words that are unrecognizable by OCR software are included in the puzzles, along with a word that is known. If a user correctly types in the known word, reCAPTCHA assumes the entry for the unknown word is also correct.
Google has said it plans to apply the system to its ambitious book-scanning project, which has come under criticism by some scholars and publishers. A PDF of Wilkins' paper is here.
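To make the acceptance rule concrete, here is an added example (not from Wilkins' paper or reCAPTCHA's own code) that scores a constructed batch of solver guesses under the policy the article describes, beside two stricter hypothetical policies for comparison. Modelling the "off-by-one" tolerance as Levenshtein distance 1 is an assumption; the challenge words and guesses are constructed.

```python
"""Score a constructed batch of CAPTCHA solver guesses under three acceptance policies.

Policy A is the reCAPTCHA behaviour the article describes: only the OCR-known word is
checked, and an 'off-by-one' miss (modelled here as Levenshtein distance <= 1, an
assumption) still passes. Policies B and C are hypothetical stricter rules for comparison.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


# Constructed sample: each challenge is (known_word, unknown_word) and each guess is what a
# hypothetical OCR solver typed for that pair. Not real reCAPTCHA data.
CHALLENGES = [("tone", "gable"), ("river", "dusty"), ("manner", "quiver"), ("delight", "sober")]
GUESSES = [("lone", "gab1e"), ("river", "dustv"), ("mannor", "quiver"), ("deligth", "s0ber")]


def known_only_lenient(challenge, guess, tolerance=1):
    """Policy A (as described): check only the known word, allow a near miss."""
    return edit_distance(challenge[0].lower(), guess[0].lower()) <= tolerance


def known_only_exact(challenge, guess):
    """Policy B (hypothetical): check only the known word, exact match required."""
    return challenge[0].lower() == guess[0].lower()


def both_exact(challenge, guess):
    """Policy C (hypothetical): both words must match exactly."""
    return tuple(w.lower() for w in challenge) == tuple(w.lower() for w in guess)


def acceptance_rate(policy, challenges=CHALLENGES, guesses=GUESSES):
    """Fraction of challenges the solver passes under the given policy."""
    passed = sum(1 for c, g in zip(challenges, guesses) if policy(c, g))
    return passed / len(challenges)


if __name__ == "__main__":
    for name, policy in [("known-only, off-by-one allowed", known_only_lenient),
                         ("known-only, exact", known_only_exact),
                         ("both words, exact", both_exact)]:
        print(f"{name:32s} {acceptance_rate(policy):.0%}")
```

The unchecked unknown word contributes nothing to the bar a solver must clear, so the effective success rate is simply how often the known word lands within the tolerance.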
This article was updated to add comment from Google.

7 Most hacked software of 2009

Which software tops hackers' hit list? Which applications are most vulnerable and the likeliest targets of scammers and hackers looking to install malicious code on your PC?

Forbes recently released its 2009 "Most-Hacked Software" list. The list names the software and applications that were the biggest targets of hacker attacks in 2009: the software used most by hackers and other cyber criminals to sneak into your system and cause havoc.

Here are the 7 Most Hacked Software of 2009.

Adobe Reader

This year's most hacked software belongs not to Microsoft but to Adobe. Adobe Inc's popular software Adobe Reader is the most hacked software of the year. Security firm iDefense reportedly tracked as many as 45 bugs in the Adobe Reader programme this year. The number is up from 14 in 2008 and seven in 2007.

Security experts feel that Reader being a universally used programme makes it highly vulnerable. Also, its complex code base offers a high risk of flaws.

Internet Explorer

At No. 2 on the Most Hacked Software list is Microsoft's Internet Explorer. Little surprise that the browser with majority market share (almost 65%) is hot on hackers' and scammers' target list. According to the news report, IE's complex code base with no shortage of bugs helps hackers.

Security researchers found 30 bugs in IE this year, almost the same number as last year and way down from 49 found in 2007.

Mozilla Firefox

The open source browser Mozilla Firefox is 2009's third Most Hacked Software. The closest rival to Internet Explorer, with approximately 25% market share, it recorded an increase in vulnerabilities this year.

Researchers and cybercriminals found as many as 102 bugs in Firefox this year, an increase of 12 bugs vis-à-vis last year's 90 bugs. Wondering what makes it more vulnerable than IE, which showed 30 bugs? Remember, the two cannot be compared directly, as Firefox is an open-source programme and Mozilla publicly reveals all its bug finds.

Adobe Flash

At No. 4 on the Most Hacked Software list is Adobe's popular design software Flash, commonly used for viewing animations and movies. The report found 11 vulnerabilities in the programme this year, down 8 from 19 last year.

According to the report, the vulnerabilities pose a potential danger as the software used for viewing videos and animation requires no interaction with the user to infect the machine with malicious software.

Apple Quicktime

Next on the hit list of hackers is Apple QuickTime, a multimedia framework used for handling various formats of digital video, media clips, sound, text, animation and music. Though Apple talks about immunity from bugs in its machines, security experts feel that its relative security comes from its low market share and not from careful coding.

According to the report, 26 bugs were found in QuickTime in 2009, down 10 from the 36 found in 2008. The number looks high compared to the mere 3 found in Windows Media Player.

Microsoft Office

At No. 6 is another Microsoft software, Microsoft Office. iDefense tracked 41 bugs in Microsoft's popular suite of apps in 2009, down from 44 in 2008. According to the report, hackers many times use Microsoft Office applications like PowerPoint, Excel or Word documents to plant malicious code.

Windows

Another Microsoft software on the Most Hacked Software list is at No. 7. The company's Windows operating system continues to be at the top of hackers' radar. Experts believe that the fact that Windows vulnerabilities can be exploited without a user actually doing anything makes the software hacker-prone.

For example, the Conficker worm spread to over 7 million PCs last year without requiring a user to visit a website, open an attachment or do anything else other than leave their computers running.

Security firms dismiss English shellcode threat

IT security experts have dismissed a research paper warning about malware that can be hidden within what appears to be plain English prose, noting that this threat is nothing new.
In a recent report titled "English Shellcode", the four authors wrote that their ability to automatically generate such code debunked "the common belief that components of polymorphic shellcode cannot reliably be hidden".
Shellcode, which refers to a set of machine instructions that acts as the payload of an exploit, is typically different from non-executable data such as plain text.
The researchers, the majority of whom hail from academic backgrounds, said shellcode can, on the contrary, be disguised as pseudo-English spam because some ASCII character strings and native machine instructions "have identical byte representations".
Security experts, however, told ZDNet Asia that the threat is not new and unlikely to make much of an impact on the security landscape.
Paul Ducklin, Asia-Pacific head of technology at Sophos, pointed out that "producing printable-yet-executable machine code isn't something new" and is similar to the EICAR (European Institute for Computer Antivirus Research) test file, which was created 20 years ago to validate the operation of antivirus software.
According to Ducklin, all shellcode can be hard to detect "not so much because of how it's encoded--whether as unobfuscated Intel instructions, Java bytecode or broken English--but because it can crop up at unexpected locations in malicious files".
"Shellcode is almost always in a part of a file that shouldn't need to be scanned at all," he explained. "So the complexity of detecting shellcode is almost always in how you take potentially dangerous files apart in the first place, rather than how you scan the taken-apart file for threats."
Effective antivirus tools are able to locate malicious or unwanted machine code embedded in a "possibly enormous" program consisting almost entirely of machine code, said Ducklin. "This, in my opinion, is a much trickier problem than detecting 'English' shellcode," he noted.
"Since we are already facing up to and dealing with a problem tougher than that of detecting 'English' shellcode, I don't think anyone needs to be worried by this new report.
"In short, I am afraid to have to say to the U.S. academics who wrote this paper, 'Guys, you've got too much time on your hands'," mused Ducklin.
Vitaly Kamluk, director of research at Kaspersky Lab, concurred that the report is unlikely to have an impact on the security landscape. "It is not a new type of threat, just a variation of an existing one," he pointed out.
Kamluk added that churning out such code is an extremely laborious task, and therefore, will not attract much attention from cybercriminals. "The complexity of this type of code is tremendous and the probable return is small," he said.
Ronnie Ng, Symantec's systems engineering manager for Singapore, added that issues associated with the technique made it "very unlikely to be practical and used in the wild".
Ng explained: "First, even if the sentence represents some machine code on a byte level, it will not be executed unless it is loaded and processed by the CPU as actual executable code. Otherwise, if the CPU understands the bytes simply as a representation of characters, it will just attempt to display the code as characters and no damage is actually executed.
"The other challenge is trying to find the words or word sequences that would execute what the attacker wants it to do… It would take a fair amount of computing power to find such strings."
Cybercriminals, he noted, generally target low-hanging fruit and more popular technologies so they are more likely to focus on methods that can produce maximum results with minimum effort.
Evolving security landscape
Danny Siew, Trend Micro's Asia-Pacific senior director for technical support, said the latest research is a reminder that users need to be adequately protected as the security landscape is constantly evolving and threats increasingly sophisticated.
"The major issue [here] is, at a single glance, it is hard to tell if a 'package' is malicious or not," he pointed out. "The creation and subsequent delivery of these threats underscore the need for users to employ a holistic, multilayered solution that protects them from the cloud to the endpoint."
Symantec's Ng added: "One thing is resoundingly clear: basic security protection is not good enough. An inflection point has been reached where new malicious programs are being created at a higher rate than good programs."
The variety and sophistication of threats are rendering traditional approaches to antivirus ineffective, he said. Instead of focusing solely on analyzing malware, security software now scans files using methods such as whitelisting and reputation-based security.
A co-author of the paper did not respond to e-mail queries from ZDNet Asia.


Scam Shopping Websites Shut After Major Swoop

Police have been involved in a massive operation to close down hundreds of illegal internet shopping sites, Sky News can confirm.

Over recent weeks, officers from the Metropolitan Police e-Crime Unit have been working to identify more than 1,200 scam websites, which claimed to offer designer goods, jewellery and electronic items.
In reality, customers either received nothing, or were sent counterfeit products.
It is thought many thousands of people may have been caught up in the scam, which is believed to have netted organised criminal networks millions of pounds.
The officer in charge of the operation, Detective Superintendent Charlie McMurdie, told Sky News: "Fraudsters target the victim's desire to buy designer goods at reduced prices, particularly at this time of year.
"The risk begins when your desire to purchase blinds your judgement or leads you to illegal websites. If it looks too good to be true, it probably is."
Victims also ran the risk of the criminals stealing their identity, credit card and banking details for misuse elsewhere.
All of the sites involved had UK domain names, but the vast majority of them were based in the Far East.
Detectives worked closely with the internet registry body Nominet, which is responsible for issuing UK domain names to more than seven million companies and organisations.

Over 1,200 sites have been closed
Lesley Cowley, chief executive, said: "We received clear instructions from the police to take down the .co.uk domain names, which have been under investigation for criminal activity.
"We worked closely with the police and our registrars to quickly carry out the instruction to shut down access to these sites.
"The vast majority of .co.uk domains are legitimate, but where there are investigations about improper or illegal activity, we work with law enforcement bodies such as the Metropolitan Police to help identify and then limit the number of illegal or fake websites."
Sky News has been told that Consumer Direct, Trading Standards, the Office of Fair Trading and many manufacturers also helped to identify the fraudulent web sites.
The operation concentrated on sites selling a number of designer items - including Ugg Australia Boots, GHD hair straighteners, and jewellery from Tiffany & Co and Links of London.
Because the vast majority of the sites were registered from Asia and mostly used false or misleading details, it made it almost impossible for victims to complain about poor quality, counterfeited items or goods not received.
It also made it difficult for Trading Standards or other law enforcement agencies to take action.
The operation is particularly pertinent now, as this time of year sees a massive increase in the number of people using internet shopping sites to purchase Christmas gifts.
However, the many thousands already caught out by the scam websites have virtually no hope of getting their money back.
Commenting on the news, Consumer minister Kevin Brennan added: "Scam websites cost the UK consumer and the UK economy thousands of pounds each year.
"These sorts of websites prey on consumers and, as you can see from the work of the Metropolitan Police today, all agencies involved are working hard to make sure that this sort of con is stamped out.
"We already have 'scambusters' teams throughout the country and, as we announced earlier this year, we are planning to set up new internet enforcement teams to target online scams in order to protect consumers."

Avast false positive: Update

The Avast false positive was wreaking havoc on developers when we caught up with it. Avast had started detecting all binaries created with Delphi as malware. Developers working on Delphi apps were the first to encounter the anomaly. Initially this looked like an isolated incident, but it gradually spread like wildfire. Avast's user forum was flooded with threads of Avast false positive reports, drawing a broader picture of the scene. It resembles the SNAFU that hit iTunes a few months ago after an update. That problem was quickly fixed, and it was the same for Avast.
If you are one of the victims of the Win32:Delf-MZG false positive, run a manual update and check that the new bits are available. As of now, we can see on the Avast web forum that the Win32:Delf-MZG false positive was fixed in the latest VPS, 091203-1.

Update

To read Avast's statement on the false positive issue, see the update.