Gaining System-Level Access To Vista

Tuesday, 27 May 2008 03:47 by Admin

This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe; Utilman.exe is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is.

http://www.offensive-security.com/movies/vistahack/vistahack.html
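
A defensive check for the replacement described above, as an added example that is not part of the original post or the video: it flags a Utilman.exe whose embedded version resource or SHA-256 hash matches cmd.exe. The function name Test-UtilmanReplaced and its WindowsDir parameter are hypothetical.

```powershell
# Added example: detect a Utility Manager binary that has been replaced by cmd.exe.
# A signature check alone would not catch this, because cmd.exe is itself a
# Microsoft-signed binary; compare identity (version resource and hash) instead.
function Test-UtilmanReplaced {
    param(
        # Windows directory to inspect. Point this at a mounted offline volume
        # (for example 'E:\Windows') to examine a disk without booting from it.
        [string]$WindowsDir = $env:SystemRoot
    )

    $utilman  = Join-Path $WindowsDir 'System32\Utilman.exe'
    $cmd      = Join-Path $WindowsDir 'System32\cmd.exe'
    $findings = @()
    $origName = $null
    $hash     = $null

    if (-not (Test-Path -LiteralPath $utilman)) {
        $findings += 'Utilman.exe is missing'
    }
    else {
        # A renamed file keeps its own version resource, so a copy of cmd.exe
        # still identifies itself as cmd in OriginalFilename / InternalName.
        $info     = (Get-Item -LiteralPath $utilman).VersionInfo
        $origName = $info.OriginalFilename
        if ($info.OriginalFilename -match '^cmd' -or $info.InternalName -match '^cmd') {
            $findings += "Version resource identifies the file as '$($info.OriginalFilename)'"
        }

        # Byte-for-byte comparison against the cmd.exe on the same volume.
        $hash = (Get-FileHash -LiteralPath $utilman -Algorithm SHA256).Hash
        if (Test-Path -LiteralPath $cmd) {
            $cmdHash = (Get-FileHash -LiteralPath $cmd -Algorithm SHA256).Hash
            if ($hash -eq $cmdHash) {
                $findings += 'SHA-256 is identical to cmd.exe on the same volume'
            }
        }
    }

    [pscustomobject]@{
        Path             = $utilman
        OriginalFilename = $origName
        Sha256           = $hash
        Replaced         = ($findings.Count -gt 0)
        Findings         = $findings
    }
}

# Example use on the running system:
#   Test-UtilmanReplaced | Format-List
```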


Breakdowns of Website Defacement by Platform

Tuesday, 18 March 2008 08:55 by Selecters

Zone-H have recently posted the statistical breakdown of the collected website defacements from the last few years. Surprisingly, in 2007 more Linux servers suffered a successful attack than all versions of Windows, combined. Similarly, more Apache installations were successfully attacked than all IIS versions combined. A day after posting this data, Zone-H have questioned the appropriateness of continuing to operate the archive. Despite the valuable information that can be gleaned from the service, it may soon be lost to the world. The natural successor to the now-defunct Alldas archive of defaced websites, Zone-H's archive maintains records of over 2.6 million defaced sites but may be shut down due to the continuous accusations of impropriety leveled against them any time they disclose and mirror a reported defacement.

http://www.zone-h.org/

 


Tool Turns Google into Vulnerability Scanner

Thursday, 21 February 2008 18:08 by Selecters

The Cult of the Dead Cow hacking group has released a free tool that turns Google into a point-and-click vulnerability scanner.

Cult of the Dead Cow, or cDc, an old-school hacking crew famous for its anti-censorship stance, has shipped a new tool that turns the Google search engine into an easy-to-use vulnerability scanner.
Taking its cue from Johnny Long's Google Dorks—search queries that reveal sensitive information—cDc's new Goolag Scan pushes the envelope even more, offering a stand-alone Windows GUI-based application to power the searches.
The open-source program comes with about 1,500 custom Google search queries embedded by default to run searches for vulnerable Web applications, misconfigured Web servers with open backdoors, sensitive user names and passwords, and other documents accidentally exposed on the Internet.
"It's no big secret that the Web is the platform," said Oxblood Ruffin, a spokesperson for the hacker think tank. "This platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for Web site owners to patch up their online properties.
"We've seen some pretty scary holes through random tests with the scanner in North America, Europe and the Middle East. If I were a government, a large corporation, or anyone with a large Web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious," Ruffin said.
The utility ships as a .Net program that can be manually configured to power Google queries for specific servers or for an entire set of domains.
For example, a business can ask Goolag Scan to search for vulnerable servers or "files containing juicy information" on all its Web sites, turning the scanner into a useful auditing tool.


Security pros: Kill ActiveX

Tuesday, 5 February 2008 23:13 by Selecters

A wave of bugs in the plug-in technology used by Microsoft Corp.'s Internet Explorer browser has some security experts, including those at US-CERT, recommending that users disable all ActiveX controls.
The U.S. Computer Emergency Readiness Team, part of the U.S. Department of Homeland Security, put it bluntly in advisories posted in the last two days: "US-CERT encourages users to disable ActiveX controls as described in the Securing Your Web Browser document," the organization recommended.
US-CERT's advice was prompted by multiple vulnerabilities in high-profile ActiveX components used by members of Facebook and MySpace and by users of Yahoo Inc.'s music services.
Three new vulnerabilities in the photo uploader software used by both Facebook and MySpace were disclosed yesterday by researcher Elezar Broad, who on Monday also posted sample attack code for a pair of critical bugs in Yahoo's Music Jukebox. Last week, Broad had pinned the Facebook and MySpace ActiveX controls with two other flaws. All five of the Facebook/MySpace vulnerabilities originated with an ActiveX control developed by Aurigma Inc.
As the number of vulnerabilities mounted, security professionals began ringing the alarm. On Monday, for instance, Symantec analysts urged users to "use caution when browsing the Web" and told IT administrators to disable the relevant ActiveX controls by setting several "kill bits" in the Windows registry.

US-CERT, however, offered up more aggressive advice as it recommended users move IE's security level to the "High" setting, which completely disables all ActiveX controls. To get there, select Internet Options from the Tools menu, then click on the Security tab. Click Internet at the top for the zone, then move the slider up to the maximum.
"That's the easiest way to protect yourself," agreed Oliver Friedrichs, director of Symantec Corp.'s security response group. "But it can also have an adverse impact on your browsing experience." A compromise, said Friedrichs, would be to disable "only those plug-ins that pose a current and imminent threat," such as the flawed ActiveX controls used by Facebook, MySpace and Yahoo.
Disabling individual ActiveX controls, however, requires editing the Windows registry. That's too scary for most home users to contemplate, but business users are another matter. "That approach is hard to argue against in the enterprise," said Friedrichs, who noted that there are tools available that let corporate IT administrators push registry changes -- including new keys that disable specific ActiveX controls -- to all users.

The SANS Institute's Internet Storm Center acknowledged that setting kill bits is beyond the ken of most users; one of its researchers came up with a graphical interface-based tool that sets and clears the kill bits of six ActiveX controls that have been tagged with bugs in the past week. The free tool can be downloaded at the ISC's Web site. The SANS Institute's free 'kill bit' tool provides checkbox-simple settings to disable half a dozen ActiveX controls. It's much easier than monkeying with the Windows registry.
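
The registry change behind a "kill bit", as an added example that is not from the article or from the SANS tool: the 0x400 bit is set in the "Compatibility Flags" value under the control's CLSID in IE's ActiveX Compatibility key. The function names are hypothetical, and the CLSID in the usage comment is a constructed placeholder, since the article does not list the CLSIDs of the affected controls.

```powershell
# Added example: set, clear and report the IE kill bit for one ActiveX control.
# Run from an elevated prompt; the keys live under HKEY_LOCAL_MACHINE.

$KillBit = 0x00000400   # "Compatibility Flags" bit that stops IE from instantiating the control

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory)][guid]$Clsid)
    $name  = $Clsid.ToString('B').ToUpper()          # {XXXXXXXX-XXXX-...} form used by the registry
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    # 32-bit IE on 64-bit Windows reads the redirected copy of the key.
    if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    $roots | ForEach-Object { Join-Path $_ $name }
}

function Get-ActiveXKillBit {
    param([Parameter(Mandatory)][guid]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        $flags = [int](Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key     = $key
            Flags   = '0x{0:X8}' -f $flags
            Blocked = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][guid]$Clsid,
        [switch]$Clear                                # remove the kill bit instead of setting it
    )
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        if (-not (Test-Path -LiteralPath $key)) {
            if ($Clear) { continue }                  # nothing to clear
            New-Item -Path $key -Force | Out-Null     # only create when the key is absent
        }
        # Preserve any other compatibility flags already present on the control.
        $current = [int](Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = if ($Clear) { $current -band (-bnot $KillBit) } else { $current -bor $KillBit }
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $new -Force | Out-Null
    }
    Get-ActiveXKillBit -Clsid $Clsid
}

# Usage (placeholder CLSID, replace with the CLSID from the vendor or US-CERT advisory):
#   Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
#   Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' -Clear
```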


Yahoo CAPTCHA Hacked

Thursday, 31 January 2008 08:21 by Selecters

A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition - one cent per one CAPTCHA."

http://internetcommunications.tmcnet.com/topics/broadband-mobile/articles/18772-yahoos-captcha-brokenis-spam-tsunami-the-offing.htm
http://network-security-research.blogspot.com/
http://www.0x000000.com/?i=502
http://rapidshare.com/files/84243632/YahooCAPTCHARecognition.rar.html


How to wipe personal data from cell phones and PCs

Wednesday, 26 December 2007 18:13 by Selecters

Before you recycle your old computer, cell phone or smart phone, make sure that you wipe it clean of data. If you don't, your personal life could be laid bare. Worse, you could become a victim of identity theft.
But wiping your device clean of data may be harder than you think. Here are details about how to do it for cell phones and PCs.

Cleaning up cell phones and smart phones
With cell phones and smart phones like BlackBerries, you need to worry about more than your data -- make sure that your account has been terminated. If not, others will be able to make phone calls from your device, and you'll be footing the bill. So double-check with your carrier that the account has been terminated before you donate or sell your phone. If you've switched your account over to a new device and deactivated the old device on that account, check your bill carefully to make sure that the old phone isn't somehow still using that account.
Next, erase all of your stored information, including your phone book, any stored incoming or outgoing text messages, and memory of incoming and outgoing phone numbers, e-mails and so on. You can do this manually, one by one, of course, but if you do, there's a good chance you might miss some. And it can also be exceedingly time-consuming. So check your phone's manual for how to do a complete reset. A reset will wipe your phone of data and restore it to its factory settings.
A superb resource for figuring out how to reset cell phone data is put together by ReCellular, which buys, recycles and refurbishes wireless devices. Its cell phone data eraser site gives detailed instructions on how to erase data from many different makes and models of cell phones. Just choose your make and model, and you'll be able to download specific instructions for resetting it.

Wiping PCs
Just deleting files isn't good enough when you are going to recycle your computer. It's quite simple for anyone to restore those deleted files, even if they're no longer in the Recycle Bin. In fact, even deleting files and reformatting your hard disk won't completely do the trick. Someone knowledgeable enough and dedicated to the task will be able to restore your files, even from a reformatted disk.
Think there's nothing to worry about? You couldn't be more wrong. In 2003, two graduate students at MIT's Laboratory for Computer Science bought 158 used hard disks on eBay and other places. From those hard disks, they were able to discover 5,000 credit card numbers, personal and corporate financial records, medical records and personal e-mails.
Only 12 of the 158 hard disks had been properly cleaned of their data. Approximately 60% of the hard drives had been reformatted, and about 45% of the drives had no files on them (the drives couldn't even be mounted on a computer) -- yet the students were still able to recover data from them, using a variety of special tools. For details, see the news story from MIT.
What can you do? Get a disk-wiping program, preferably one that meets the U.S. Department of Defense's standards for disk sanitation. These programs will overwrite your entire hard disk with data multiple times, ensuring that the original data can't be retrieved. If you use them, be patient, because it can take several hours to wipe the hard disk.
Computerworld features editor Valerie Potter vouches for the free Darik's Boot and Nuke, which, unlike some competing programs, worked smoothly on the old Windows 98 machine that she recently put out to pasture. Download the software, which then creates a boot disk that wipes everything on the hard drive. It can be used with floppy disks (remember those?), USB flash drives, CDs and DVDs. A similar program that has gotten good reviews is Eraser.
If you've got a Mac, you can use Apple's built-in Disk Utility or download a third-party application like Mireth Technology's ShredIt X 5.8 ($25, free trial), which lets you shred single files as well as wipe your local hard drive, network hard drives and CD-RWs.
Everything clean? OK, now it's time to sell, donate or recycle your equipment. Find out what to do in "Out with the old: What to do with your unwanted tech gear."


Deluge Anonymizing Browser Now Includes Bittorrent

Sunday, 23 December 2007 13:48 by Selecters
"An open-source bittorrent client, Deluge, now provides an internal, anonymizing browser to protect its users from overzealous ISPs. The client runs on Windows, Linux and OS X. From the site: 'Everyone knows that it is common practice for ISPs to do their best to either block or throttle bittorrent users. We believe that this is wrong and unethical, as there are many legal uses for bittorrent. If an ISP is throttling or blocking bittorrent traffic, you can pretty much bet that they're tracking which users visit bittorrent-related sites so that they can better block or throttle those users.' Their forum has more info."


Flash Vulnerabilities Affect Thousands of Sites

Sunday, 23 December 2007 13:38 by Selecters
The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. "Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn't quell the threat completely... No patch in sight from Adobe, that's the price to pay for depending on proprietary solutions."


Strip CAPTCHA Spam

Tuesday, 30 October 2007 16:17 by Selecters

Whatever useful stuff the good guys come up with, the bad guys ain't far behind. A few months back I wrote about researchers at Carnegie Mellon coming up with a way to use CAPTCHA tools to help decipher words in text by the Internet Archive. The basic idea is that the effort to prevent spammers and others automating their intrusion into websites (signing up for stuff, comment spam etc) should not be wasted.
Now a sleazeball has found a way to do the same thing: get folk to decipher CAPTCHA texts through a small program, delivered by Trojan, that offers striptease in exchange for guessing the texts correctly (Trend Micro, via Seth Godin):
A nifty little program which Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily-clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go” and “Melissa” reveals more of herself.
However, the “answers” are then sent to a remote server, where a malicious user eagerly awaits them. The “strip-tease” game is actually a ploy by ingenious malware authors to identify and match ambiguous CAPTCHA images from legitimate sites, using the unsuspecting user as the decoder of the said image.
As Trend Micro points out, the CAPTCHAs in this case are from the Yahoo! Web site, suggesting that a spammer is building up Yahoo! accounts.

CAPTCHA Wish Your Girlfriend Was Hot Like Me? - TrendLabs | Malware Blog - by Trend Micro


Leopard Already Hacked To Run On PC Hardware

Tuesday, 30 October 2007 16:04 by Selecters

The newest version of OS X, Leopard, has already been adapted to run on a PC. "The OSx86 Scene forum has released details of how Windows users can migrate to Apple's new OS, without investing in new hardware -- even though installing Leopard on a PC may be counter to Apple's terms and conditions. The forum is offering full instructions on how to install the system, including screenshots of the installation process. Not all the features of Leopard function with the patch -- Wi-Fi support, for example, is reportedly inoperable. Historically, Apple's likely next move will be to track down and act against those behind the hack."

http://forum.osx86scene.com/


Breaking a Visual CAPTCHA - gimpy

Thursday, 25 October 2007 06:05 by Selecters

This is the homepage of the Shape Contexts based approach to break Gimpy, the CAPTCHA test used at Yahoo! to screen out bots. This method can successfully pass that test 92% of the time. See EZ-Gimpy in action at Yahoo! The approach this software takes uses general-purpose algorithms that have been designed for generic object recognition. The same basic ideas have been applied to finding people in images, matching handwritten digits, and recognizing 3D objects.

http://www.cs.sfu.ca/~mori/research/gimpy/


Windows XP SP3 Build 3205 Released w/ New Features

Tuesday, 9 October 2007 08:07 by Selecters

Windows XP SP3 build 3205 is the first official & authorized release of the next Windows XP service pack; and has been made available to testers as a part of the Windows Server 2008/Windows Vista SP1 beta program. NeoSmart Technologies has the run-down on the included 1,073 patches/hotfixes including security updates. Contrary to popular belief, Windows XP SP3 does ship with new features/components, most of which have been backported from Windows Vista. Some included features: 'New Windows Product Activation model: no need to enter product key during setup. Network Access Protection modules and policies have been brought to XP after being one of the more-well-received features in Windows Vista. New Microsoft Kernel Mode Cryptographic Module - the Windows XP SP3 kernel now includes an entire module that provides easy access to multiple cryptographic algorithms and is available for use in kernel-mode drivers and services. New "Black Hole Router" detection - Windows XP SP3 can detect and protect against rogue routers that are discarding data.'

http://neosmart.net/blog/2007/windows-xp-sp3-beta-build-3205-released-analysis-included/


Cracked Linux Boxes Used to Wield Windows Botnets

Tuesday, 9 October 2007 07:13 by Selecters

Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. "The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes," he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords.'

http://computerworld.co.nz/news.nsf/scrt/CD0B9D97EE6FE411CC25736A000E4723


Microsoft's Ballmer: Google Reads Your Mail

Monday, 8 October 2007 18:12 by Selecters
Microsoft CEO Steve Ballmer took a knock at one of his chief rivals during a speech to an audience in the U.K., saying Google reads customer email as part of a failed bid to drive ad-based revenue.

The software giant's chief made the remarks during a discussion about consumer software revenue models, and Ballmer used the dialogue as an entry point to take his shot at Google. The video is available to watch via the web site Mydeo.com. Ballmer made his remarks after an audience member asked him if an advertising model could support software business in the future. The CEO said a combination of models -- commercial and ad-paid -- would go forward.

"What's a good example? Will online publications be largely ad-funded as things move from the physical world to the online world?" Ballmer said. "I think the answer is yes.

"Have we seen the migration of things even like email? . . . Our Windows Live Hotmail, in and of itself, doesn't generate much ad revenue. So we've had to put, essentially, a whole portal around it because the traffic around it is very valuable but it's not very easily monetized in the context of mail.

"Google's had the same experience, even though they read your mail and we don't," Ballmer said, to chuckles and a couple of gasps in the audience. "That's just a factual statement, not even to be pejorative. The theory was if we read your mail, if somebody read your mail, they would know what to talk to you about. It's not working out as brilliantly as the concept was laid out."

Ballmer isn't the first to fire salvos at Google's Gmail privacy policy. Privacy advocates have been critical over the policy almost since the beginning, but the popularity of the service has skyrocketed nonetheless.

The event at which Ballmer spoke, the Microsoft Startup Accelerator Programme, took place on Oct. 1 and Lars Lindstedt, the head of Microsoft's U.K. Software Economy and Emerging Business programs, wrote about it on his blog.

Google, which operates the free Gmail service, publicly acknowledges that it "processes personal information" via cookies and on its servers, so it can provide "our products and services to users," as well as to keep its service running well.

It adds:

Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country. We may process personal information to provide our own services. In some cases, we may process personal information on behalf of and according to the instructions of a third party, such as our advertising partners.

 

Google doesn't say it "reads" email, however.

Microsoft and Google have been gearing up for a major war over software as a service and web-based applications, with Google offering Gmail and Google docs, and Microsoft offering Hotmail, Office and preparing for Windows Live Office.


What nine of the world’s largest websites are running on

Sunday, 7 October 2007 20:33 by Selecters

Have you ever wondered what technology some of the really big websites use? The likes of Digg, YouTube, Myspace and so on?
There is a very interesting website called High Scalability that is dedicated to, as they put it themselves, “building bigger, faster, more reliable websites.” They collect information about the architecture of high-traffic websites to serve as examples to others.

Underlying technology breakdown

We used some of the data from High Scalability to create a table with the OS, web server, scripting language and database used by nine of the largest websites in the world.
The ones we selected were Flickr, YouTube, PlentyOfFish, Digg, TypePad, LiveJournal, Friendster, MySpace, Wikipedia.

Quick Overview

OS: Linux 7 - Windows 2
Web server: Apache 7 - IIS 2 - Lighttpd 2
Scripting: PHP 4 - Perl 4 - ASP.NET 2 - Python 1 - Java 1
Database: MySQL 7 - SQL Server 1 (possibly 2)
Five of the sites use Memcached, a memory caching system originally developed by LiveJournal that has become a popular way to ease the load on, for example, databases.
Note that not all information at the High Scalability website is complete (but it’s still a great resource).

Looking at these architectures some observations come to mind: Most of these sites are using LAMP as the core runtime stack. Some have gone so far as to develop their own file system (Google, GFS). Some are using caching to solve the database bottleneck (memcached and the like). Many of them were forced to develop these solutions themselves, as at the time there was no ready-made alternative that could meet their requirements.
The application stack of these Web applications is very different from the stack that mission-critical applications in the financial world are built with. In the financial world, Java -- and to a lesser degree J2EE -- is used extensively. In recent years scalability requirements in capital markets led to a rapid shift in the middleware stack, introducing Compute Grid solutions for virtualization of CPU resources, enabling parallelization of batch applications. Data Grids were also introduced, enabling the virtualization of memory resources. Spring is becoming the common development framework in this world. At GigaSpaces, we're seeing more and more cases where Spring acts as a complete alternative to J2EE.
If we examine both worlds, we can see that both are facing similar challenges related to scalability. Not surprisingly, both ended up introducing similar solutions for addressing the scalability challenges:

On the Data Tier we see the following:
1. Adding a caching layer to take advantage of memory resources availability and reduce I/O overhead
2. Moving from a database-centric approach to partitioning, aka shards  

On the Business Logic Tier:
3. Adding parallelization semantics to the application tier (e.g., MapReduce)
4. Moving to scale-out application models to achieve linear scalability
5. Moving away from the classic two-phase commit and XA for transaction processing  (See: Lessons from Pat Helland: Life Beyond Distributed Transactions)

While there are many similar challenges, and to a certain degree, similar architectures, it seems that both worlds (Web and Financial) took different routes as it relates to the application stack.

Over at the High-Scalability site, someone posted the question: Why doesn't anyone use j2ee?
The answer given in that post can be summarized as follows:

1. LAMP provides a cost-effective solution (most of it relies on *free* open source stack).
2. Java is still used, but not as the primary language, i.e., it is used as one component either in the back-end or the front-end (e.g., servlets).

Finding out more

If you want to read more about these websites, we highly recommend that you head on over to High Scalability. They have a thorough breakdown of the architecture and design choices for each one.


Autopatcher.com working on next release?

Sunday, 30 September 2007 13:25 by Selecters

It seems that the team at Autopatcher.com doesn't give up. Author Antonis Kaladis is working on the next release.
Maybe AutoPatcher will not work the same way as the previous version (one file containing all patches). It is now more like a Windows Update-style solution. Anyway, it is great to see that the project is active again.

 

http://www.autopatcher.com/139#more-139


Microsoft's stealth updates stymie XP repairs

Friday, 28 September 2007 06:42 by Selecters
(Computerworld) The contentious stealth update that Microsoft delivered to customers this summer blocks 80 patches and fixes from installing after Windows XP is restored using its "repair" feature, researchers said today.

Scott Dunn, who first reported the problem in a story posted Thursday morning to the "Windows Secrets" newsletter, said that users who reinstall Windows XP with the repair option cannot retrieve the full set of updates from Windows Update (WU). The problem, he said, has been traced to the so-called "stealth update" to WU which Microsoft has acknowledged sending to users beginning in July.

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9039258


Kaspersky blocks all abused KAV and KIS keys

Tuesday, 25 September 2007 13:30 by Selecters
We did some research on other IT blogs and googled for a while, but it seems that no one has noted this at the moment.
Some companies, like Kaspersky (and Microsoft?), seem to tolerate some pirated copies of their software. But today, Kaspersky (like Microsoft days ago declaring about BSOD?) BLOCKED all abused/pirated copies of their activation keys. We see a lot of traffic right now from people looking for non-listed keys, but that is useless. The products affected are Kaspersky Antivirus 7 and Kaspersky Internet Security 7, both personal and business editions.


Cybercrime Now Worth $105 Billion, Bypasses Drug Trade

Thursday, 20 September 2007 16:18 by Selecters

Citing recent highly publicized corporate data breaches that have beset major companies like Ameritrade, Citigroup, and Bank of America, McAfee CEO David DeWalt said that cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide. Despite the increase in government compliance requirements and the proliferation of security tools, companies continue to underestimate the threat from phishing, data loss, and other cyber vulnerabilities, DeWalt said. Worldwide data losses now represent US$40 billion in losses to affected companies and individuals each year, DeWalt says. But law enforcement's ability to find, prosecute, and punish criminals in cyberspace has not kept up: "If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online," DeWalt remarked. "The cross-border sophistication in tracking and arresting cyber-criminals is just not there."

http://www.itnews.com.au/News/61497,cyberthreats-outpace-security-measures-says-mcafee-ceo.aspx


Hacker Publishes Notorious Apple Wi-Fi Attack

Thursday, 20 September 2007 08:25 by Selecters

It's been about a year since David Maynor claimed to have found a way to take over a Mac using a flaw in a wireless driver. He has now published his work for public scrutiny. Maynor had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack, but the NDA is over now, and by going public with the information Maynor hopes to help other Apple researchers with new documentation on things like Wi-Fi debugging and the Mac OS X kernel core dumping facility.

http://www.computerworld.com.au/index.php/id;1809081490;fp;4;fpid;16

Categories:   General | Security | Software | Mac

Blumer Web Development - Designs - Solutions

Monday, 17 September 2007 23:41 by Selecters
Blumer is a software company oriented to web-based solutions. Based in Argentina, we serve many customers around the world. You can find a brief explanation of our services here (Spanish version; English will be ready soon):

Solutions.pdf (51.04 kb)


Stealthy Windows Update Raises Serious Concerns

Monday, 17 September 2007 19:53 by Selecters

What is the single biggest issue that bothers open source advocates about proprietary software? It is probably the ability of the vendor to pull stunts like Microsoft's recent stealth software update and subsequent downplaying of any concerns. Their weak explanation seems to be a great exercise in circular logic: 'Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications.' News.com is reporting that all of the updated files on both XP and Vista appear to be in Windows Update itself. This is information that was independently uncovered by users and still not released by Microsoft.

http://www.pcworld.com/businesscenter/article/137208/microsoft_downplays_stealth_update_concerns.html

Categories:   General | Security | Microsoft | Software

Owning a Wireless Camera, Its User and Its Network

Monday, 17 September 2007 19:50 by Selecters

InformIT has posted a two-part article by Seth Fogie that describes how a wireless IP camera can be owned and abused. The first part describes how the camera's feed can be sniffed, replaced, or even DoSed off the air by a PDA. The second part then takes a look at the web application interface of the camera (an Axis207W) and exposes numerous vulnerabilities that lead to exposed passwords, a software-based DoS, global XSS and, the kicker, a CSRF attack through which an attacker can remotely penetrate the network it is installed on.

http://www.informit.com/articles/article.aspx?p=1016099
http://www.informit.com/articles/article.aspx?p=1016102

Categories:   General | Security | Software

Boot Sector Virus Shipped on German Laptops

Monday, 17 September 2007 19:37 by Selecters

A consignment of laptops from German manufacturer Medion, sold through German and Danish branches of giant retail chain Aldi, has been found to be infected with the boot sector virus 'Stoned.Angelina', first seen as long ago as 1994. The affected notebook model, the Medion MD 96290 (German language), comes pre-installed with Windows Vista Home Premium and Bullguard anti-virus, which reportedly is unable to remove the virus. A special removal tool was released to clean the laptops. Aldi has shared the same warning as well. Two years ago, several thousand Creative Zen Neeon MP3 players were shipped with the Windows worm Wullik.B.

http://www.virusbtn.com/news/2007/09_14.xml

Categories:   General | Security | Software

Cybersquatter Faces Jail Time For Wire Fraud

Friday, 14 September 2007 20:55 by Selecters
A Las Vegas man faces about 20 years in prison today after pleading guilty in a case where he impersonated intellectual property lawyers and tried to bully owners out of their domain names. "According to the FBI, David Scali is charged with registering an e-mail account under an alias and then sending e-mails in which he claimed to be the intellectual property lawyer. In the e-mails, which were sent in late June and early July of 2006, Scali threatened to file $100,000 trademark infringement lawsuits against the owners of various Internet website names unless they gave up their domain name registrations within two days."

Categories:   General | Security