Hackers get hold of critical internet flaw

[martini]

http://www.canada.com/victoriatimesc...9-463760d0f39f

Hackers get hold of critical Internet flaw
"We are in a lot of trouble," says expert. "This is a big deal."

Glenn Chapman
AFP

Friday, July 25, 2008

A skull-and-crossbones symbol is placed over a computer keyboard at a 'hacker academy' in Paris, France. Internet security researchers on Thursday warned that hackers have caught on to a "critical" flaw that lets them control traffic on the Internet.



by Thu Jul 24, 7:33 PM ET

Internet security researchers are warning that hackers have caught on to a "critical" flaw that lets them control traffic on the Internet.

An elite squad of computer industry engineers that labored in secret to solve the problem released a software "patch" two weeks ago and sought to keep details of the vulnerability hidden at least a month to give people time to protect computers from attacks.

"We are in a lot of trouble," said IOActive security specialist Dan Kaminsky, who stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants to collaborate on a solution.

"This attack is very good. This attack is being weaponized out in the field. Everyone needs to patch, please," Kaminsky said. "This is a big deal."

DNS is used by every computer that links to the Internet and works similar to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

The vulnerability allows "cache poisoning" attacks that tinker with data stored in computer memory caches that relay Internet traffic to its destination.

Attackers could use the vulnerability to route Internet users wherever the hackers wanted, no matter what website address is typed into a web browser.

The threat is greatest for business computers handling online traffic or hosting websites, according to security researchers.

The flaw is a boon for "phishing" cons that involve leading people to imitation web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

"I was not intentionally seeking to cause anything that could break the Internet," Kaminsky said Thursday during a conference call with peers and media. "It's a little weird to talk about it out loud."

Kaminsky built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability. As of Thursday, slightly more than half the computers tested at the website still needed to be patched.

"People are spending tens of thousands of hours getting this patch out the door," Kaminsky said.

The US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, is among the chorus urging people to quickly protect computers linked to the Internet.

"Just like you should wear a seat belt going down the road to be safe in a car accident, the same applies here," said Jerry Dixon, a former director of cyber security at the US Department of Homeland Security.

"The patch is your seat belt. The exploit is out there and you definitely need to take precautions. Now is not the time to keep waiting."

Two "exploits," software snippets that take advantage of the vulnerability, have been unleashed on the Internet in the past 24 hours, Securosis analyst Rich Mogul said during the conference call.

"The threat is there," Mogul said.
© AFP 2008

[amor de cosmos]

the site says my computer seems to be safe

[martini]

Quote:

Originally Posted by amor de cosmos

the site says my computer seems to be safe

Safe here too.
Looks like most of us home users should be fairly safe. This is like the Wild Wild West!
--------------------------------------------------------------------
Internet flaw a boon to hackers

Glenn Chapman
AFP

Thursday, August 07, 2008

While most businesses are still hustling to protect their Internet traffic, 15 per cent Fortune 500 companies have "done nothing" to defend their computers.
CREDIT: Justin Sullivan/Getty Images
While most businesses are still hustling to protect their Internet traffic, 15 per cent Fortune 500 companies have "done nothing" to defend their computers.

Computer security professionals crammed into a Las Vegas ballroom on Wednesday for the first public briefing on an Internet flaw that lets hackers hijack traffic on the World Wide Web.

"There is bunch of weird (stuff) going on out there right now," expert Dan Kaminsky told AFP, confirming that attacks are being launched online despite efforts to conceal and patch the vulnerability in the Internet's foundation.

Kaminsky, the director of IOActive penetration testing, was met with applause and cheers when he stepped to a podium at the premier Black Hat conference to reveal details of an attack that is a boon to ill-willed hackers.

An elite squad of computer industry engineers labored in secret to solve the problem, and released a software "patch" in early July but sought to keep details of the vulnerability hidden until Black Hat to give people time to protect computers from attacks.

The Domain Name System (DNS) flaw was figured out and spread online within two weeks of the patch's release and US telecom giant AT&T was the first confirmed victim of an attack.

Kaminsky said that while most businesses are still hustling to protect their Internet traffic, 15 per cent of Fortune 500 companies have "done nothing" to defend their computers.

"How do you force a server to 1.badguy.com?" Kaminsky asked rhetorically as he addressed the crowd. "Oh, let me count the ways. God, it's good to be finally able to talk about this stuff."

Kaminsky stumbled upon the DNS vulnerability about seven months ago and reached out to industry giants to collaborate on a solution.

DNS is used by every computer that links to the Internet and works similar to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

The vulnerability allows "cache poisoning" attacks that tinker with data stored in computer memory caches that relay Internet traffic to its destination.

The flaw has existed since 1983 and may well have been exploited without victims noticing.

The vulnerability also lets hackers hijack emails and supposedly secure online transactions.

The potential for using it as a weapon in nation-sanctioned cyber war or organized crime sprees were "wide open," said Jerry Dixon, former director of cyber security for the US Department of Homeland Security.

"I've spent the last month terrified of large companies having all their email stolen because of a bug I found out about," Kaminsky said.

The vulnerability is centered in servers used by companies to access the Internet and handle email.

Home computer users whose online activities are channeled through Google, Yahoo, Microsoft or other major Internet properties should be safe because those firms have been alerted to the problem, according to Kaminsky.

"Most home users are more likely than not operating in a protected environment," Kaminsky said. "It is more likely they will be less protected at work that when they are at home."

That is because some companies have yet to safeguard their computer networks.

The patch is a temporary fix and doesn't defend against every kind of what is referred to as a "man in the middle" attack.

The US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, is among the chorus urging people to quickly protect computers linked to the Internet.

Kaminsky built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability. On Wednesday, he released details of the vulnerability on the website.

"We have to get better about fixing the infrastructure," Kaminsky said. "We got lucky fixing this bug but may not be so lucky next time."

In a warm touch, Kaminsky's grandmother Raia Maurer baked cookies for the security experts attending her grandson's talk.

"I'm so proud of him," Maurer said. "He explained it so even I can understand it."
© AFP 2008

[martini]

In today's TC:

Microsoft releases emergency patch for perilous IE flaw

AFP

Tuesday, December 16, 2008


SAN FRANCISCO – Microsoft has released an emergency patch to fix a perilous software flaw allowing hackers to hijack Internet Explorer browsers and take over computers.

The U.S. software giant said Tuesday that in response to "the threat to customers" it immediately mobilized security engineering teams worldwide to deliver a software cure "in the unprecedented time of eight days."

The patch is available at http://www.microsoft.com/technet/sec.../ms08-078.mspx

Researchers at software security firm Trend Micro say attacks based on the vulnerability in the world's most popular Web browser are "spreading like wildfire" with millions of computers already compromised.

Microsoft typically releases patches for its software on the second Tuesday of each month and rushing this fix to computer users out-of-cycle is testimony to the severe danger of the threat, according to Trend Micro.

"When the patch is released people should run, not walk, to get it installed," said Trend Micro advanced threat researcher Paul Ferguson.

"This vulnerability is being actively exploited by cyber-criminals and getting worse every day."

Trend Micro has identified about 10,000 websites that have been infected with malicious software that can be surreptitiously slipped into visitors' unprotected IE browsers to take advantage of the flaw.

Hackers can take control of infected computers, steal data, redirect browsers to dubious websites, and use machines for devious activities such as attacks on other networks, according to security specialists.

"What makes this so insidious it takes advantage of a big gaping hole of IE, which has the largest install base of any browser on the market," Ferguson said.

IE is used on nearly three-quarters of the world's computers, according to industry statistics from November.
© Canwest News Service 2008
http://www.canada.com/victoriatimesc...tml?id=1083022

[mat]

Martini - thanks for posting that. Us Mac people are going 'told you so', although unix systems (which are the base for Mac OS) are now getting hacker attention.

Having worked developing corporate websites for over a decade I cannot understand why anyone would use either a MS OS individual computer, or even worse a MS coded web server - but then, it took years of PHD qualified experts to teach me that UNIX has built in stability and DOS is flawed from the start.

My advice - buy a computer you can afford, if not MAC OS, then go Linux.

[martini]

Quote:

Originally Posted by mat

Martini - thanks for posting that. Us Mac people are going 'told you so', although unix systems (which are the base for Mac OS) are now getting hacker attention.

Having worked developing corporate websites for over a decade I cannot understand why anyone would use either a MS OS individual computer, or even worse a MS coded web server - but then, it took years of PHD qualified experts to teach me that UNIX has built in stability and DOS is flawed from the start.

My advice - by a computer you can afford, if not MAC OS, then go Linux.

Interesting. I don't think I'll be able to get out of the Windows world, but I never did use Explorer or Outlook. What you're saying about DOS makes sense.
Did you ever see the movie Pirates of Silicon Valley?

[Bingo]

Cyber warfare: A different way to attack Iran's reactors

(CNN) -- A report expected this week from the International Atomic Energy Agency (IAEA) has Israel abuzz with talk of the potential for a pre-emptive strike on Iran's nuclear facilities.

Western diplomats have told CNN that the report says Iran has mastered the critical steps necessary to design and build a nuclear weapon.

Missiles are not, of course, the only way to launch an attack.
Iran's nuclear facilities are under siege from cyber attacks. And one, the Stuxnet virus, was able to penetrate Iran's Natanz nuclear facility, researchers say.

How did it work?

More:

http://edition.cnn.com/2011/11/08/te...html?hpt=hp_c2