GoDaddy to stop registering domains in China

At least one company is ready to follow Google's stance on doing business in China: GoDaddy.
During a congressional hearing Wednesday to discuss Internet freedom and China, GoDaddy executives plan to announce that they will stop registering domain names in China in response to a new government policy that requires extensive information about registrants, according to The Washington Post. Starting last December, individuals and businesses that wished to register a .cn domain name were being asked to submit a photograph of themselves as well as a serial number identifying their business license in China.
"This is the first time a registry has asked us to retroactively obtain additional verification and documentation of individuals who have registered a domain name through our company," Christine Jones, general counsel at GoDaddy, said in a copy of her prepared remarks provided by GoDaddy. The company will continue to manage existing registrations but will no longer offer new .cn domain names, she said.
Jones also told the committee that GoDaddy has faced increased numbers of DDoS (Distributed Denial of Service) attacks since the beginning of the year. "In the first three months of this year, we have repelled dozens of extremely serious DDoS attacks that appear to have originated in China, based on the IP addresses from which the attacks derived. Had our security systems not countered these attacks, the result would have been a widespread take-down of our customers' hosted Web sites," Jones said in her prepared testimony.
Google's Alan Davidson, director of public policy, also plans to speak before the hearing, coming two days after Google announced its decision to move its Chinese-language search engine from mainland China to Hong Kong in order to bypass government laws on Internet censorship.
"Internet censorship is a challenge that no particular industry--much less any single company--can tackle on its own," Davidson plans to say during his testimony, according to a copy of his prepared remarks posted on Google's public policy blog. "However, we believe concerted, collective action by governments, companies and individuals can help promote online free expression and reduce the impact of censorship."
For the most part, U.S. companies have reiterated plans to stay in China and adhere to its laws following Google's initial announcement in January and subsequent moves this week. Earlier this year, Secretary of State Hillary Clinton urged companies to do their part in pressuring governments to open up the Internet to their citizens, but many companies feel the issue is much more properly dealt with at the national level, according to trade group representatives.
This article was first published as a blog post on CNET News.

iPhone, Safari, IE 8, Firefox hacked in contest

Researchers on Wednesday demonstrated that they could hack a non-jailbroken iPhone, Safari running on Snow Leopard and Internet Explorer 8 and Firefox on Windows 7 as part of the annual Pwn2Own contest at the CanSecWest security show here.
Charlie Miller, principal security analyst at Independent Security Evaluators, won US$10,000 after hacking Safari on a MacBook Pro without having physical access to the machine. Miller won US$5,000 last year by exploiting a hole in Safari, and in 2008 nabbed US$10,000 hacking a MacBook Air, all on the same computer.
Peter Vreugdenhil, an independent security researcher from the Netherlands, will receive US$10,000 for using his exploit to bypass security features in IE 8.
Also winning US$10,000 was Nils, head of research at UK-based MWR InfoSecurity, who targeted Firefox. He declined to provide his last name. As a computer science student at the University of Oldenburg in Germany last year he won US$15,000 for exploits he demonstrated in IE 8, Safari, and Firefox.
And finally, Ralf Philipp Weinmann, of the University of Luxembourg, and Vincenzo Iozzo, of German company Zynamics, hacked the iPhone and will share the US$15,000 prize. Because Iozzo was delayed en route to the contest, his Zynamics colleague Thomas Dullien, better known as Halvar Flake in the security community, served as his proxy, organizers of the contest sponsored by TippingPoint's Zero Day Initiative said.
Miller declined to provide details on his exploit, but said the target computer was compromised after visiting a Web site hosting the malicious code.
"I got an interactive shell (interface) on his box so I could run any commands I want," he said. "He had no idea and his machine was totally patched."
Miller wrote the exploit in less than a week. "It was very reliable," he said. "Some researchers say it's 'weaponized,' which means it always works."
To hack IE 8, Vreugdenhil said he exploited two vulnerabilities in a four-part attack that involved bypassing ASLR (Address Space Layout Randomization) and evading DEP (Data Execution Prevention), which are designed to help stop attacks on the browser. As in the other attacks, the system was compromised when the browser visited a Web site hosting the attack code.
The exploit gave him user rights on the targeted computer, which he demonstrated by running the calculator on the machine.
Nils said he exploited a memory corruption vulnerability and also had to bypass ASLR and DEP as a result of a weakness in Mozilla's implementation. "It's Mozilla's turn to fix this," he said. "If properly used, they can be good mitigators."
He said it took him only a few days to write the exploit, which was created to run the Windows calculator for the demo. But "I could have started any process," he said.
Asked to comment on the researchers' ability to bypass ASLR and DEP, a Microsoft representative said the company would investigate the vulnerabilities. "We're not aware right now of any attacks taking place," said Pete LePage, an IE product manager.
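Whether a loaded module opts into ASLR and DEP is recorded in its PE header, and that is the first thing to check when an exploit is reported to have bypassed them: a module without DYNAMIC_BASE loads at its preferred base and hands the attacker fixed addresses to build on, whatever the rest of the process does. The page does not say which module or weakness Vreugdenhil and Nils relied on. The header check below is an added example, not code from the contest, Microsoft or Mozilla; the images it parses are constructed in memory and hold only headers (assumption: a minimal header is enough to exercise the flag logic).

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # no .reloc section: image cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # opts into DEP
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def pe_mitigations(data):
    """Report which opt-in mitigations a PE image declares in its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    file_hdr = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt_hdr = file_hdr + 20
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header.
    dll_chars = struct.unpack_from("<H", data, opt_hdr + 70)[0]
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    wants_aslr = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_flag": wants_aslr,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise an image it is still able to relocate.
        "aslr_effective": wants_aslr and not relocs_stripped,
    }

def build_sample_pe(dll_chars, file_chars=0, pe32plus=False):
    """Constructed headers-only PE image for demonstration; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 112 if pe32plus else 96               # optional header without data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    # Usage: python pe_mitigations.py some.dll other.exe
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
```

Run it over every module a browser loads, plug-ins included: one image reporting `aslr_effective: False` is enough to give an exploit the fixed addresses it needs, regardless of how the main executable was linked.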
For the iPhone contest, Iozzo and Weinmann wrote an exploit in about two weeks that was designed to steal the contents of the SMS database on an iPhone.
To accomplish the attack the target iPhone was used to visit a Web site hosting exploit code. "The payload executes and uploads the local SMS database of the phone to the server we control," said Weinmann.
The exploit was written to bypass the digital code signatures used on the iPhone to verify that the code in memory is from Apple, he said. The exploit then looked for chunks in Apple's code that could be pieced together to accomplish the attack, according to Weinmann.
"Bypassing the code signing was a major issue," Flake said. The technique used has been known since 1997 but has not been used on an ARM processor until now, he added.
While the attack was used to grab just the SMS data, which would include deleted messages, it could be designed to access contacts, photos, and other data on the iPhone, and without the user having any idea an attack was underway, the researchers said.
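Because the iPhone only runs code Apple has signed, Weinmann and Iozzo's payload had to be assembled from pieces of Apple's own code (the return-into-libc idea from 1997 that Flake refers to, generalised into return-oriented programming). The first step of that is mechanical: scan the signed binary for short instruction runs that end in a control transfer the attacker controls, which in Thumb code means `pop {..., pc}` or `bx lr`. The scanner below is an added example, not the researchers' tool: it decodes only a handful of 16-bit Thumb instructions (assumption: enough to show the technique), reports addresses with the low bit set because that is how Thumb entry points are expressed, and runs over a constructed byte string rather than a real Apple binary.

```python
import struct

THUMB_BIT = 1   # branching to an odd address selects the Thumb instruction set

def decode_thumb16(hw):
    """Decode a small subset of 16-bit Thumb instructions; None if not handled."""
    if hw & 0xFE00 == 0xBC00:                              # pop {reglist[, pc]}
        regs = ["r%d" % i for i in range(8) if hw & (1 << i)]
        if hw & 0x0100:
            regs.append("pc")
        return "pop {" + ", ".join(regs) + "}"
    if hw == 0x4770:
        return "bx lr"
    if hw & 0xFF00 == 0x4600:                              # mov rd, rm (high-register form)
        rd = ((hw >> 4) & 0x8) | (hw & 0x7)
        rm = (hw >> 3) & 0xF
        return "mov r%d, r%d" % (rd, rm)
    if hw & 0xF800 == 0x2000:                              # movs rd, #imm8
        return "movs r%d, #%d" % ((hw >> 8) & 7, hw & 0xFF)
    if hw & 0xF800 == 0x3000:                              # adds rd, #imm8
        return "adds r%d, #%d" % ((hw >> 8) & 7, hw & 0xFF)
    if hw & 0xF800 == 0x6800:                              # ldr rt, [rn, #imm5*4]
        return "ldr r%d, [r%d, #%d]" % (hw & 7, (hw >> 3) & 7, ((hw >> 6) & 0x1F) * 4)
    if hw & 0xF800 == 0x6000:                              # str rt, [rn, #imm5*4]
        return "str r%d, [r%d, #%d]" % (hw & 7, (hw >> 3) & 7, ((hw >> 6) & 0x1F) * 4)
    return None

def is_gadget_end(hw):
    """pop {..., pc} or bx lr: the attacker chooses where execution goes next."""
    return hw == 0x4770 or (hw & 0xFF00) == 0xBD00

def find_gadgets(code, base=0, max_depth=3):
    """Return (address, disassembly) for every decodable run ending in a gadget end."""
    halfwords = [struct.unpack_from("<H", code, i)[0] for i in range(0, len(code) - 1, 2)]
    gadgets = []
    for end, hw in enumerate(halfwords):
        if not is_gadget_end(hw):
            continue
        for depth in range(max_depth + 1):
            start = end - depth
            if start < 0:
                break
            # Do not walk back across an earlier return: the run would never reach our end.
            if start < end and is_gadget_end(halfwords[start]):
                break
            insns = [decode_thumb16(h) for h in halfwords[start:end + 1]]
            if any(i is None for i in insns):
                break            # stop at the first halfword we cannot decode
            gadgets.append(((base + 2 * start) | THUMB_BIT, "; ".join(insns)))
    return gadgets

# Constructed sample "code section" (hand-assembled Thumb, little-endian halfwords):
#   movs r0, #8 | ldr r1, [r0, #4] | pop {r4, r5, pc} | mov r0, r4 | bx lr
#   | two halfwords of a 32-bit Thumb-2 bl (not decoded here) | pop {pc}
SAMPLE_CODE = bytes.fromhex("0820" "4168" "30bd" "2046" "7047" "00f0" "00f8" "00bd")

if __name__ == "__main__":
    for addr, text in find_gadgets(SAMPLE_CODE, base=0x1000):
        print("0x%08x  %s" % (addr, text))
```

A scanner like this cannot tell a genuine 16-bit instruction from the second half of a 32-bit one, and real gadget finders do not try to: the CPU decodes whatever it is pointed at, which is exactly what makes unintended gadgets usable. Stitching the found gadgets into a chain that, for instance, reads the SMS database and writes it to a socket is the hard, hand-crafted part the researchers spent their two weeks on.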
TippingPoint shares information on the exploits with the affected vendors so they can work on patches.
This article was first published as a blog post on CNET News.

How the butterfly botnet was broken

At its height, the Mariposa botnet consisted of about 13 million computers in 190 countries. A joint operation by researchers from Canadian security firm Defence Intelligence and Spain's PandaLabs, in conjunction with the U.S. FBI and the Guardia Civil, led to the arrest of three men in Spain earlier this month in connection with the Mariposa botnet.
The men, who had no specific computer training, are believed to have played a part in operating the command-and-control servers for the botnet, according to PandaLabs' technical director Luis Corrons, who spoke to ZDNet Asia's sister site ZDNet UK about "Mariposa"--which means butterfly in Spanish--following the arrest of the three men.
Q: When did security researchers start tracking the botnet?
A: It started in May 2008. Defence Intelligence noticed companies were getting infected and found a new botnet, which was Mariposa. They started an investigation and found links to Spain. They found that some of the command-and-control servers were located in Spain. Defence Intelligence was monitoring bots that were infected and were trying to connect. Different domains seemed to be located in Spain, so Defence Intelligence contacted us.
Read more of "How the butterfly botnet was broken" at ZDNet UK.

HP Broadcom Integrated NIC Has a Hole

  Title: HP Broadcom Integrated NIC Firmware Remote Command Execution Vulnerability (SSRT100022)
  Date Published: March 17, 2010
  Date of Last Revision: March 17, 2010
  Threat Assessment: MEDIUM - Action Required by 2010-04-14

  Target Audience: Administrators who manage any systems using HP Broadcom Integrated NIC Firmware versions 1.24.0.9 and earlier as well as 8.04 on the following hardware are affected:
  • HP Small Form Factor or Microtower PC with Broadcom Integrated NIC
  • Broadcom Integrated NIC Management Firmware versions impacted
  • Broadcom Integrated NIC Management Firmware version provided in sp47557
For information and bulletins to service customer-facing (trade) systems, please refer to the EDS Threat and Vulnerability Management Service ( http://esis.corp.hp.com/esis ).

OPERATING SYSTEMS AFFECTED

All Windows OS

APPLICATIONS AFFECTED

Broadcom NIC 1.X
Broadcom NIC 8.X

PROBLEM SUMMARY

Multiple HP devices running HP Broadcom Integrated NIC Firmware are prone to a remotely exploitable code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with administrative privileges, resulting in a complete compromise of the affected computer.

TECHNICAL DETAILS

An attacker can remotely exploit this issue over the network to execute commands with SYSTEM-level privileges. Successful exploits will completely compromise affected computers.

ADDITIONAL ISSUES

  Remote Attack Possible: Yes
  Administrative Privilege Gained: Yes
  Attack Scripts Available: No

CORRECTIVE ACTION

Refer to the RESOLUTION section of each SSRT bulletin (listed in the REFERENCES section below) for additional details and instructions to fix the vulnerability.

REFERENCES

HPSBGN02511 SSRT100022 rev.2 - HP Small Form Factor or Microtower PC with Broadcom Integrated NIC Firmware, Remote Execution of Arbitrary Code
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02048471

HP SSRT Identifier: SSRT100022
CVE Number: CVE-2010-0104

Google to shut China search engine

Google has drawn up detailed plans for the closure of its Chinese search engine and is now “99.9 per cent” certain to go ahead as talks over censorship with the Chinese authorities have reached an apparent impasse, according to a person familiar with the company’s thinking.
In a hardening of positions on both sides, the Chinese government also on Friday threw down a direct public challenge to the US search company, with a warning that it was not prepared to compromise on internet censorship to stop Google leaving.
The signs that Google was on the brink of closing Google.cn, its local search service in China, came two months after it promised to stop bowing to censorship there. But while a decision could be made very soon, the company is likely to take some time to follow through with the plan as it seeks an orderly closure and takes steps to protect local employees from retaliation by the authorities, the person familiar with its position said.
Google is also seeking ways to keep its other operations in China going, although some executives fear that a backlash from the Chinese authorities could make it almost impossible to keep a presence in the country.
When the search giant first promised to end censorship in response to what it claimed were a series of cyber-attacks mounted from inside China, many China-watchers warned that its public defiance of Beijing would provoke a stern response.
On Friday, Li Yizhong, minister for industry and information technology, said: “If [Google] takes steps that violate Chinese laws, that would be unfriendly, that would be irresponsible, and they would have to bear the consequences.”
One person close to the search company, meanwhile, said that its senior executives remained “adamant” about ending the censorship. The company has also ruled out keeping the search service going by handing majority control, or even the entire business, to a local player, this person said.
Google’s executives have made it clear that they still hope to stay in the country, whatever the fate of Google.cn. “It’s very important to know we are not pulling out of China,” Eric Schmidt, Google’s chief executive, told the Financial Times at the time. “We have a good business in China. This is about the censorship rules, not anything else.”
The company’s other operations, which pre-date the launch of Google.cn four years ago, include its research centre in Beijing and a sales force that sells advertising on the Chinese-language Google.com search service, based outside China, to advertisers inside the country.
Mr Li encouraged Google to continue its operations in the country. “[Google] has taken 30 per cent of the Chinese search market.
“If you don’t leave, China will welcome that, if you don’t leave, it will be beneficial for the development of the internet in China.”

RSA 1024-bit Key Cracked by Fault Injection

RSA is used in almost every secured transaction, and 1024-bit RSA keys are used by almost every banking site and credit-card transaction point. Researchers at the University of Michigan have shown that such a key can be recovered from a vulnerable implementation in about 100 hours, where a brute-force attack would take years.
The attack stresses the processor by manipulating its supply voltage while it is using the private key. With the voltage tweaked to fluctuate, the CPU occasionally makes a single hardware error in one of the multiplications of a private-key operation, so the device emits a faulty signature that depends on a few bits of the private key. Each faulty signature is analysed offline, and the recovered pieces are gathered together to form the full private key. The team recovered a 1024-bit key this way using 104 hours of processing time on a small cluster of 81 Pentium 4 machines.
Now, the question arises: is this a real flaw in the RSA algorithm, and do we need to worry seriously when making transactions on websites? The direct answer is no. The fault lies in the hardware running the implementation, not in the RSA algorithm. To mount this attack one needs to tamper with the power supply of the machine holding the private key, which cannot be done remotely; it is a side-channel (fault-injection) attack that requires physical access to the hardware running the cryptosystem. Unless a thief literally breaks into your house and plants a device in your computer, there is no need to worry. The practical caveat is for devices an attacker can hold in hand, such as smart cards and embedded tokens, where the standard defence is for the implementation to verify each signature with the public key before releasing it, so that a faulty result never leaves the device.
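Why a single wrong bit during a private-key operation is fatal is easiest to see with the older Bellcore attack on RSA-CRT, where one faulty signature factors the modulus outright; the Michigan team's attack targets the multiplications inside a windowed exponentiation and needs many faulty signatures, but the principle (a fault in one half of the computation, an algebraic check that isolates it) is the same, and so is the defence. The code below is an added example, not the researchers' method or any library's API: it uses constructed 20-bit primes so every value is inspectable (assumption: the algebra is identical at 1024 bits), simulates the fault by flipping one bit of the mod-p half, and shows the verify-before-release check that stops the faulty value from ever leaving the signer.

```python
from math import gcd

def next_prime(n):
    """Smallest prime >= n, by trial division (fine for the toy sizes used here)."""
    while True:
        if n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1

# Constructed toy key: 20-bit primes so every value is easy to inspect.
E = 65537
P = next_prime(1_000_000)
Q = next_prime(P + 1)
while gcd(E, (P - 1) * (Q - 1)) != 1:   # keep e invertible modulo phi(N)
    Q = next_prime(Q + 1)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)   # CRT form of the private key

def sign_crt(m, fault_bit=None):
    """RSA-CRT signing; fault_bit simulates one hardware error in the mod-p half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sp ^= 1 << fault_bit          # the kind of single-bit error undervolting induces
    h = (QINV * (sp - sq)) % P        # Garner recombination
    return sq + Q * h

def factor_from_faulty_signature(m, s_faulty):
    """Bellcore attack: the half computed correctly (mod q) still divides s'^e - m."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)

def factor_from_signature_pair(s_good, s_faulty):
    """Variant when a correct signature of the same message is also in hand."""
    return gcd(abs(s_good - s_faulty), N)

def sign_checked(m, fault_bit=None):
    """Countermeasure: verify with the public key before releasing the signature."""
    s = sign_crt(m, fault_bit)
    if pow(s, E, N) != m % N:
        raise RuntimeError("signature failed self-check; faulty result withheld")
    return s

if __name__ == "__main__":
    m = 123456789
    bad = sign_crt(m, fault_bit=3)
    print("faulty signature factors N; recovered q =", factor_from_faulty_signature(m, bad), "expected", Q)
```

The self-check costs one public-key exponentiation per signature, which is cheap next to the private-key operation; an implementation that skips it hands the attacker the one faulty output the attack needs.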

Phishers target more global brands

While financial institutions still top the phishing radar, cybercriminals are now moving beyond to top brands, with one of the recent victims being a hardware manufacturer, according to the latest Anti-Phishing Work Group (APWG) report.
Released Sunday, the APWG Phishing Activity Trends Report for the fourth quarter of 2009 revealed that 356 brands were hijacked in October, an increase of 4.4 percent over the previous high of 341 recorded last August. The study was compiled using data from APWG and its members MarkMonitor, Websense and Panda Security.
The organization noted that the number of unique phishing reports submitted to APWG had dropped nearly 29 percent against an all-time high of 40,621 in August, registering 28,897 in December following a steady decline throughout the quarter. However, member reports and reviews in the second half of 2009 indicated a substantial increase in phishing attempts geared at personnel with financial authority.
APWG Chairman Dave Jevans explained in the report: "Spear phishing and whale-phishing, which target individuals inside of corporations, or of high net worth, appear to be increasing.
"Phishers and malware attackers are sending e-mail to individuals in a highly-targeted fashion, attempting to gain access to corporate online banking systems, corporate VPNs (virtual private networks) and other online resources."
According to Jevans, the attacks do not contribute significantly to the overall volume of unique phishing e-mail because they are not broad-based or generic spam. Instead, the attackers customize the e-mail messages to specifically target individual users.
The number of unique phishing sites detected between last October and December remained steady, at between 45,000 and 46,500.
Despite the rise in the types of brands hijacked, cybercrime syndicates continued to focus on the financial services during the last quarter of 2009; financial institutions accounted for 39 percent of overall brands targeted. Thirty-three percent of the phishing attacks recorded during the period focused on payment services companies, while auction-related brands made up 13 percent.
The United States again led the world in Q4 for the number of phishing sites hosted, accounting for over 90 percent of the total in October and November. Asian economies Hong Kong, China and Korea were also ranked among the top 10, with China making it to No. 2 with a 5.2 percent share in December.
However, Patrick Runald, Websense's senior manager for security research, noted that going forward, China is likely to "disappear from the top 10 list" due to the tightened regulations the China Internet Network Information Center has introduced for the ".cn" top-level domain.

Backdoor found in Energizer USB battery charger

Software that can be downloaded for use with the Energizer Duo USB battery charger contains a backdoor that could allow an attacker to remotely take control of a Windows-based PC, Energizer and US-CERT are warning.
"The installer for the Energizer Duo software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory," the U.S. Computer Emergency Readiness Team said in an advisory on Friday. "Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Its capabilities include the ability to list directories, send and receive files, and execute programs."
The Windows software was made available via a download with the Energizer Duo Charger, Model CHUSB, Energizer said in a statement.
The battery maker said it does not know how the Trojan got into the software. "Energizer has discontinued sale of this product and has removed the site to download the software," the statement said. "Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software."
For systems with the software installed, US-CERT recommends removing the Energizer Duo software and Arucer.dll file, as well as blocking access to port 7777 via network perimeter devices or firewall software.
The Trojan may have been in the software since it was first offered three years ago, according to Symantec.
"We were interested in finding out how long this file had been available to the public. The compile time for the file is May 10, 2007. It is impossible to say for sure that this Trojan has always been in this software, but from our initial inspection it appears so," Symantec wrote in a blog post. "The Trojan still operates whether this device is found or not, so a USB charger doesn't need to be plugged in for the Trojan to be functioning."
If the Trojan does date back to 2007, that is around the same time that there were a rash of products like digital photo frames hitting U.S. shelves infected with malware, said Marcus Sachs, director of the SANS Internet Storm Center.
"This may simply be from that time frame when all the factories in China were not clean and many were putting malware onto stuff, not intentionally but because the hygiene wasn't good," he said in an interview on Monday.
"Who knows where the server (hosting the software) is located," he said. "It could have been exposed to the unclean conditions that were rampant there."

How Data Centers Handle Cyber Terrorism

Jill Eckhaus, chief executive of AFCOM, the leading association of data center management professionals, says today's IT managers face big challenges in handling cyberterrorism. AFCOM will hold its Data Center World show March 7-11 in Nashville, Tenn., where participants will learn about emerging cyber-terrorism threats and how to cope with them. AFCOM officials said cyberterrorism is a much bigger threat than the threat from a hacker.

A recent survey by data center provider Digital Realty found that most data centers are in expansion mode for the next two to three years: of 300 North American companies surveyed, 83 percent plan data center expansions in the next two years because they need more power. Many companies are also consolidating their data center operations. New data centers are being built in areas with cheap access to power and a climate that allows the use of free cooling.
"A hacker might be a student just looking for a challenge," Eckhaus says. "Cyber terrorists want to destroy the United States. That's the difference."
The recent AFCOM survey of 400 data centers found that only one-third have considered cyber terrorism as part of their disaster recovery plans, only one-quarter have policies and procedures manuals in place for cyberterrorism, and only one-fifth provide cyber-terrorism training to employees. End users are also keeping a close eye on data centers because they are demanding more from them; they have realized how important data centers are and that they cannot do good business without them. Customers also expect data center performance never to fail or slow down.
Going green is equally crucial for data centers these days. Major corporations demand that data centers run in a way that saves power costs and looks environmentally friendly to users, which makes it harder every day to provide enough power and cooling. At the same time, data centers have to recognize that demand for information services grows daily; storage needs will also increase with global Internet traffic and the use of mobile Internet devices. Many data centers also offer cloud computing models that require strict uptime, enabled by redundancy.

The danger of complexity: More code, more bugs

The old method of counting lines of code to judge programmer productivity may have helped contribute to the current deplorable state of software security.

Antoine de Saint-Exupery once said, "Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away." He lived from 1900 to 1944, before the job title of "software engineer" was even a twinkle in someone's eye.
Aside from being the inspiring author of a number of books including The Little Prince, he was also an aviator and an engineer, which may help explain how he produced such a timeless quote that is so very relevant to the world of software development today.
A more obvious, but more specialized, statement in that regard was made by Edsger W. Dijkstra: "My point today is that, if we wish to count lines of code, we should not regard them as 'lines produced' but as 'lines spent': the current conventional wisdom is so foolish as to book that count on the wrong side of the ledger."
Recent source lines of code (SLOC) reviews and estimates suggest that a very conservative guess would place the number of bugs in most modern software at the rate of about one per 1000 lines of extremely well-written source code with great attention to security detail. Most software is not written nearly this well, and I am sure my own bug rate is somewhat higher than this conservative estimate.
Writing code for patches intended to fix bugs surely does help reduce the number of bugs in a system, but most software systems get much more code added to them every year to add features than to eliminate bugs. Bug fixes help keep people happy with current versions of the software, but new features actually sell new versions. Worse yet, even bug fixes are certainly not immune to containing bugs.
According to some estimates, between ten and fifteen percent of security patches actually introduce new vulnerabilities. The implications of this are frightening.
If you have ever wondered how so many bugs are found in your software every year, wonder no more. In 2003, something on the order of five thousand new security vulnerabilities were reported to CERT, and that number per year has only grown since then. The reason we find all these bugs every year is simple: some of the most popular pieces of software in the world are freaking huge.
It gets even worse. Software does not only tend to be really, really big--it also tends to get bigger at an alarming rate. Consider the growth rate of Microsoft Windows operating systems that use the NT kernel over the years, for instance[1]:
Year  Operating System       SLOC (millions)  Delta (millions)  Delta per year (millions)
1993  Windows NT 3.1               4.5             N/A                 N/A
1994  Windows NT 3.5               7.5             +3                  +3
1996  Windows NT 4.0              11.5             +4                  +2
2000  Windows 2000                30              +18.5                +4.6
2001  Windows XP                  40              +10                 +10
2003  Windows Server 2003         50              +10                  +5

This tells us that, if we are very kind with the numbers:
  • Windows Server 2003 was released with 50 million lines of code making up the behemoth piece of software. That's 50,000,000 lines of code. If you were to try to count that high, and could actually say the names of the numbers between one and fifty million at a steady rate of one per second (unlikely, given how long it takes to read 47,777,777 out loud), it would still take you more than 1.5 years to count that high without pausing to eat, drink, sleep, or even draw a very deep breath. Even counting at that rate to the 4.5 million of NT 3.1 would take you almost two months.
  • Given an extremely conservative estimate of one vulnerability per 1000 lines of code, NT 3.1 shipped with about 4,500 security vulnerabilities, and Server 2003 was released with more than ten times that many.
  • MS Windows OSs using an NT-based kernel grew in size at a staggering rate. Averaging the rate of growth in the above table (45.5 million lines over the ten years from NT 3.1 to Server 2003), we get more than 4.5 million per year, or 4,550,000 lines of code added per year.
  • By the very conservative estimate of one vulnerability per 1000 lines, all this additional code means MS Windows was adding new bugs at a rate of about 4,550 per year. That is almost as many vulnerabilities as were actually discovered, for all software reported to CERT, in the year 2003. Given that MS Windows is actually a fairly small part of CERT's total database of bugs, the implications are dismaying. CERT's database shows 65 results for the year 2008 on a search under the term "Windows", which means that--if you take 2008 as representative--vulnerabilities in Windows are being added roughly 70 times as quickly as they are being found.
It no longer seems surprising that vulnerabilities are discovered in software all the time. What seems surprising is that they are not being found more often.
If you want to produce secure software, you should focus on following the advice of people like Antoine de Saint-Exupery and Edsger W. Dijkstra. All else being equal, if you can find a way to eliminate lines of code without compromising the proper functioning of the software, you will probably improve the security of the software substantially.
Given how much more can be done per line of code when using higher-level languages, an argument might be made to use as high-level a language as you reasonably can for the task at hand, too.
Sometimes, the need to add more code to an application is unavoidable. Try to keep it to a minimum, though. When it comes to application security, complexity kills.
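To apply the article's arithmetic to a code base of your own you need a count of lines spent, not lines present: blank lines and comments carry no bugs, so a raw `wc -l` overstates the exposure. The counter below is an added example, not something the article includes; it handles C-style and Python-style comments only (assumption: string literals containing `//` or `#` are rare enough to ignore) and reports the expected defect budget for the growth between two versions at a chosen density, using the article's one-per-thousand figure by default.

```python
def count_sloc(source, style="c"):
    """Count non-blank, non-comment lines ("lines spent", in Dijkstra's phrase)."""
    sloc = 0
    in_block = False                      # inside a /* ... */ that started on an earlier line
    for line in source.splitlines():
        code = ""
        if style == "c":
            i = 0
            while i < len(line):
                if in_block:
                    end = line.find("*/", i)
                    if end == -1:
                        i = len(line)
                    else:
                        in_block = False
                        i = end + 2
                elif line.startswith("/*", i):
                    in_block = True
                    i += 2
                elif line.startswith("//", i):
                    break                 # rest of the line is a comment
                else:
                    code += line[i]
                    i += 1
        elif style == "python":
            code = line.split("#", 1)[0]  # approximation: ignores '#' inside string literals
        else:
            raise ValueError("unknown comment style: %r" % style)
        if code.strip():
            sloc += 1
    return sloc

def defect_budget(sloc, per_kloc=1.0):
    """Expected latent defects at a given density (the article's 1 per 1000 lines)."""
    return sloc * per_kloc / 1000.0

def growth_report(old_source, new_source, style="c", per_kloc=1.0):
    """Lines added between two versions and the defects that growth is expected to bring."""
    old, new = count_sloc(old_source, style), count_sloc(new_source, style)
    return {"old": old, "new": new, "delta": new - old,
            "expected_new_defects": defect_budget(new - old, per_kloc)}

# Constructed samples (not taken from any real project).
SAMPLE_C = '''\
/* header comment
   spanning lines */
#include <stdio.h>

int main(void) {
    int x = 1; // trailing comment
    /* inline */ int y = 2;
    // whole-line comment
    return x + y;
}
'''

SAMPLE_PY = '''\
# module comment
import os

def f(x):  # comment
    return x  # another

'''

if __name__ == "__main__":
    print("C sample:", count_sloc(SAMPLE_C), "SLOC")
    print("Python sample:", count_sloc(SAMPLE_PY, "python"), "SLOC")
    print(growth_report(SAMPLE_PY, SAMPLE_PY + "x = 1\n", style="python"))
```

Run `growth_report` over the previous and current release of a component and the `expected_new_defects` figure is the security review budget the feature work just bought, at whatever density your own history suggests.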
Notes
1: These numbers are estimates gleaned from Wikipedia's "Source lines of code" article. In some cases, Wikipedia's numbers are more vague than these. The numbers used here are actually meant to provide more specific, if not any more accurate, estimates for ease of calculation.