
Massive Badware Campaign Targets Google's "Long Tail" (81 comments)

Posted by kdawson on Friday November 27, @10:50AM
from the too-much-time-on-their-hands dept.
security
A post by Cyveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."

Security Firms Can't Protect iPhone From Threats (135 comments)

Posted by kdawson on Friday November 27, @08:46AM
from the work-with-me-here dept.
cellphones
nk497 writes "F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone. 'None of the existing anti-virus vendors can make one, without help from Apple,' chief research officer Mikko Hypponen said. 'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones." While Apple claims that the iPhone's closed nature offers protection to its users, and security vendors maneuver for a piece of a market now closed to them, clearly both sides are pushing their own self-interest.

Microsoft Issues Takedown Notices Over COFEE (67 comments)

Posted by Soulskill on Thursday November 26, @10:27AM
from the horses-and-barn-doors dept.
microsoft
Eugen tips news that Microsoft has sent DMCA takedown notices to several websites to stop them from offering the Computer Online Forensic Evidence Extractor (COFEE) tool for download after it was leaked earlier this month. One of the sites, Cryptome.org, has posted their correspondence with Microsoft over the software. "... Microsoft contacted Network Solutions, which hosts Cryptome, and since John Young, the owner of the website, wasn't too keen on losing his whole website for the sake of a single 15MB file, he removed the download link and sent Network Solutions a notice of compliance."

Seals Face Assault Charges After Terrorist Capture (15 comments)

Posted by samzenpus on Wednesday November 25, @10:52AM
from the gently-now dept.
idle
Three Navy SEALs are facing assault charges after the capture of one of the most wanted terrorists in Iraq, Ahmed Hashim Abed. Abed is believed to have organized the murder and mutilation of four Blackwater USA security guards in Fallujah. The accused terrorist, who had a bloody lip, claims that he was punched in the face and not given a foot massage, or allowed to listen to his iPod as one might expect when a SEAL team captures you. The SEALs have requested a trial by court-martial.

Major IE8 Flaw Makes "Safe" Sites Unsafe (83 comments)

Posted by kdawson on Tuesday November 24, @05:32PM
from the keep-your-scripts-to-yourself dept.
msie
After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.

Prison Terms For Spammer Ralsky, Scientology DoS Attacker (328 comments)

Posted by timothy on Tuesday November 24, @12:00PM
from the at-least-ralsky's-is-longer dept.
court
tsu doh nimh writes "Alan Ralsky, the 64-year-old dubbed the 'Godfather of Spam,' was sentenced to 51 months in prison on Monday, the Washington Post's Security Fix blog reports. According to anti-spam group Spamhaus.org, Ralsky has been spamming since at least 1997, using dozens of aliases and tens of thousands of 'zombies' or hacked PCs to relay junk e-mail. Also sentenced — to 40 months in jail — was Ralsky's 48-year-old son-in-law, Scott K. Bradley, and two other men named last year in a 41-count indictment for wire fraud, mail fraud, money laundering and violations of the CAN-SPAM Act." And eldavojohn writes "19-year-old Dmitriy Guzner, Anonymous member and Scientology DDoS attacker, received one year and one day in jail for his admitted crime. His sentence could have been a maximum ten years. According to the Church of Scientology, Anonymous has harassed and attacked them with '8,139 threatening phone calls, 3.6 million e-mails, 141 million hits on its website, ten acts of vandalism against its property, 22 bomb threats, and eight death threats against Church leaders.'"

English Shell Code Could Make Security Harder (291 comments)

Posted by ScuttleMonkey on Monday November 23, @08:33PM
from the little-bobby-tables-takes-up-writing dept.
security
An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable. "In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."

Program To Detect Smuggled Nuclear Bombs Stalls (224 comments)

Posted by ScuttleMonkey on Monday November 23, @06:11PM
from the i-see-a-business-opportunity-here dept.
security
Pickens writes "The NY Times reports that a program to detect plutonium or uranium in shipping containers has stalled because the United States has run out of helium 3, a crucial raw material needed to build the 1,300 to 1,400 machines to be deployed in ports around the world to thwart terrorists who might try to deliver a nuclear bomb to a big city by stashing it in one of the millions of containers that enter the United States every year. Helium 3 is an unusual form of the element that is formed when tritium, an ingredient of hydrogen bombs, decays — but the government mostly stopped making tritium in 1989 after accumulating a substantial stockpile of Helium 3 as a byproduct of maintaining nuclear weapons. 'I have not heard any explanation of why this was not entirely foreseeable,' says Representative Brad Miller, chairman of a House subcommittee that is investigating the problem. Helium 3 is not hazardous or even chemically reactive, and it is not the only material that can be used for neutron detection. The Homeland Security Department has older equipment that can look for radioactivity, but it does not differentiate well between bomb fuel and innocuous materials that naturally emit radiation like cat litter, ceramic tiles and bananas — and sounds false alarms more often. In a letter to President Obama, Miller called the shortage 'a national crisis' and said the price had jumped to $2,000 a liter from $100 in the last few years. With continuing concern that Al Qaida or other terrorists will try to smuggle a nuclear weapon into the United States, Congress has mandated that, by 2012, all containers bound for the US be inspected overseas."

Recession Pushes More Workers To Steal Data (280 comments)

Posted by ScuttleMonkey on Monday November 23, @05:26PM
from the flexible-morality dept.
security
An anonymous reader writes to share the findings of a recent transatlantic survey which suggests that the recession is pushing workers to be a little bit more accommodating when it comes to sharing, viewing, or stealing sensitive information from the company they work(ed) for. "Pilfering data has become endemic in our culture as 85% of people admit they know it's illegal to download corporate information from their employer but almost half couldn't stop themselves taking it with them with the majority admitting it could be useful in the future! [...] The survey entitled 'the global recession and its effect on work ethics,' carried out for a second year by Cyber-Ark – found that almost half of the respondents 48% admit that if they were fired tomorrow they would take company information with them and 39% of people would download company/competitive information if they got wind that their job was at risk. Additionally a quarter of workers said that the recession has meant that they feel less loyal towards their employer."

Opera 10.10 Released, Includes New "Unite" Tech (262 comments)

Posted by ScuttleMonkey on Monday November 23, @03:16PM
from the but-does-it-live-in-the-cloud dept.
software
Opera 10.10 has been released, and with it their new "Unite" technology, which allows users to share content directly between all of their own devices. Unite wraps both web browser and web server into a single package in an attempt to change the way users think about their browser. "'We promised Opera Unite would reinvent the Web,' said Jon von Tetzchner, CEO, Opera. 'What we are really doing is reinventing how we as consumers interact with the Web. By giving our devices the ability to serve content, we become equal citizens on the Web. In an age where we have ceded control of our personal data to third-parties, Opera Unite gives us the freedom to choose how we will share the data that belongs to us.'"

New Attack Fells Internet Explorer (202 comments)

Posted by Soulskill on Sunday November 22, @10:33AM
from the tricking-an-old-dog dept.
msie
alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

Brazilian Breaks Secrecy of Brazil's E-Voting Machines With Van Eck Phreaking (157 comments)

Posted by timothy on Saturday November 21, @10:11PM
from the old-ways-are-best dept.
government
After the report last week that Brazil's e-voting machines had withstood the scrutiny of a team of invited hackers, reader ateu writes with news that a hacker has shown that the Linux-based voting machines aren't perfectly safe; he was able to eavesdrop on them (translated from Portuguese) by means of Van Eck phreaking.

First Malicious iPhone Worm In the Wild (134 comments)

Posted by timothy on Saturday November 21, @03:37PM
from the because-some-jerks-are-clever dept.
security
An anonymous reader writes "After the ikee worm that displayed a picture of Rick Astley on jailbroken iPhones, the first malicious iPhone worm (Google translation; original, in Dutch) has now been discovered in the wild. Internet provider XS4ALL in the Netherlands encountered several of such devices (link in Dutch) on the wireless networks of their customers and put out a warning. After obtaining a copy of the malware it was discovered that the jailbroken phones, which are exploited through OpenSSH with a default password, scan IP ranges of mobile internet providers for other vulnerable iPhones, phone home to a C&C botnet server, are able to update themselves with additional malware and have the ability to dump the SMS database as well. Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present."

Cyber Attacks On US Military Jump Sharply In 2009 (76 comments)

Posted by Soulskill on Saturday November 21, @02:02AM
from the proportional-with-gold-farming dept.
security
angry tapir writes "Cyber attacks on the US Department of Defense — many of them coming from China — have jumped sharply in 2009, a US congressional committee has reported. Citing data provided by the US Strategic Command, the US-China Economic and Security Review Commission said that there were 43,785 malicious cyber incidents targeting Defense systems in the first half of the year. That's a big jump. In all of 2008, there were 54,640 such incidents. If cyber attacks maintain this pace, the yearly increase will be around 60 percent. The full report (PDF) is available online."

RFID Fingerprints To Fight Tag Cloning (59 comments)

Posted by Soulskill on Saturday November 21, @12:00AM
from the cloning-is-bad-haven't-you-seen-scifi dept.
privacy
Bourdain writes with news out of the University of Arkansas, where researchers are looking for ways to combat counterfeit RFID tags. Passive tags typically wait for a reader to transmit a signal of the appropriate strength and frequency before sending their own transmission. The scientists found that the amount of power required to trigger this varies quite a bit from one tag to the next, especially when many different frequencies are sampled. This and other physical characteristics give the tag its own "fingerprint" that is independent of the signal information stored in its memory, which the researchers say will facilitate the detection of cloned tags.

Zero-Day Vulnerabilities In Firefox Extensions (208 comments)

Posted by kdawson on Friday November 20, @10:14AM
from the wild-in-the-playground dept.
bug
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

Fedora 12 Package Installation Policy Tightened (172 comments)

Posted by kdawson on Friday November 20, @08:52AM
from the tougher-by-default dept.
redhat
AdamWill writes "After the controversy over Fedora 12's controversial package installation authentication policy, including our discussion this week, the package maintainers have agreed that the controversial policy will be tightened to require root authentication for trusted package installation. Please see the official announcement and the development mailing list post for more details."

MS Finds Security Flaw In Google Chrome Frame (214 comments)

Posted by timothy on Friday November 20, @05:40AM
from the they're-the-experts dept.
msie
Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

Microsoft Denies It Built Backdoor Into Windows 7 (449 comments)

Posted by timothy on Thursday November 19, @05:16PM
from the how-are-your-wife's-bruises? dept.
security
CWmike writes "Microsoft has denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. 'Microsoft has not and will not put "backdoors" into Windows,' a company spokeswoman said, reacting to a Computerworld story Wednesday. On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 'to enhance Microsoft's operating system security guide.' Thursday's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. 'The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,' said the spokeswoman. The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system."

Two Arrested For Zbot Trojan (95 comments)

Posted by samzenpus on Wednesday November 18, @10:23PM
from the sorry-about-that dept.
security
An anonymous reader writes "Officers from the Metropolitan Police's Central e-Crime Unit have made Europe's first arrests in the battle against the ZeuS or Zbot Trojan which threatened to compromise thousands of computers. Officers arrested a man and woman, both aged 20 years, in Manchester for offenses under the 1990 Computer Misuse Act and the 2006 Fraud Act. Both suspects were interviewed by PCeU detectives and have been bailed for further in-depth inquiries to be completed. The arrests in connection with the malware represent some of the first in the world, and the first in Europe to combat the distribution and control of ZeuS."
