Found: An Achilles heel for Conficker
A few of the folks scrutinizing Conficker realized something mighty interesting on Friday: The malware not only changes what Windows looks like on the network, if you ask a server whether it's got a case of the Conficker, it will tell you -- remotely and without authentication, even. One insanely hectic weekend later, there are multiple brand-new enterprise-class scanners available for netadmins' network-protection needs.
So far on Monday, versions are being integrated into scanners from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle and Qualys. There's also a proof-of-concept tool available as well. The charge was led by the Honeynet Project's Tillman Werner and Felix Leder and moved along by Dan Kaminsky at Doxpara, along with Securosis' Rich Mogull, and the Conficker Cabal Working Group.
T-minus two days...Ready or not, here comes Conficker
The computers -- over a million of them at last count, it is believed -- are in place. The Microsoft vulnerability making it all possible has been patched by, presumably, everyone who's going to do so. The poisonous code itself has been upgraded. We've seen the effect of the early tests, we've pondered the bounty on the developers' heads, and yet we've got to start asking ourselves: What's going to happen when Conficker lights up on Wednesday?
Wouldn't you like to know. Wouldn't a lot of people like to know.
CERT suggests one-click Conficker check
Does the machine you're using have a case of the Mondays Conficker worm? CERT on Sunday issued a bulletin updating the infection situation and suggesting that if users are unable to load two particular URLS -- one at Symantec, one at McAfee -- it might indicate that the machine is infected, since Conficker interferes with access to those sites. Windows users may want to take a second to click for themselves.
Fortinet releases monthly threat report
Seven high-severity exploit attempts and one that rates as critical -- that would be Conficker, of course -- made the March Threatscape Report from Fortinet, the Top of the Pops for the rightfully unpopular, released Friday. No new malware variants made the list, compiled between February 21 and March 20. Malware infection attempts made up the lion's share of threatening traffic, with spyware and phishing attempts together making up less than a third of attempts.
Despite the looming threat posed by the Conficker exploit (which accounted for 2% of all exploit attempts reported by Fortinet during the month), the most active malware around is actually Virut.A, a squirrelly two-year-old that's held down spots in the Top 5 for a full year now and ascends to #1 this month, with a huge burst of speed in early March and just before St. Patrick's Day. Virut.a infects .exe and .scr files, attaching its encrypted code to the files and attempting to sneak out via port 65520 to connect to a bot-involved IRC server in Poland.
The Melissa virus turns 10
The computer worm that gave macros a bad name and changed the shape of malware detection was first detected ten years ago today (Thursday). Melissa was a stake in the heart of the old signature-based anti-virus model and pointed the way toward both more interesting forms of detection and more virulent malware.
Like most infants, Melissa started out as a harmless expression of love -- in this case, allegedly a hacker's love for a lap dancer (don't judge). It was, appropriately enough, first distributed via alt.sex, the Usenet group. The host Word file allegedly contained information for an assortment of adult-entertainment sites, but the payload was the Word macro, which functioned in the 97 and 2000 versions of Microsoft's word processor as well as in various versions of Excel. If a Melissa-infected file was opened in one of those programs, the poisonous macro looked into Outlook's address book and sends itself to 40-50 of the names it found there.
Another day, another Google privacy kerfuffle
One suspects that sooner or later Google will catch grief from every single person who's ever felt grumpy about all those other people cluttering up his or her planet, as yet another privacy "watchdog" complains about the search site's Street View maps. This time it's the UK's Privacy International, the director of which says that various British citizens have experienced "clear embarrassment and damage" thanks to months- or years-old images on the site. PI is asking the UK's Information Commissioner's Office (ICO) to shut the service down.
Setting aside the question of why a group based in the nation with the highest number of surveillance cameras per citizen would bother stressing about Street View, the "clear embarrassment and damage" clause leads to just one question for the casual observer: What in the name of Tim Berners-Lee are they doing in the streets of the UK these days, and does the term ASBO come into play at any point?
Region woes hose Obama gift to UK prime minister
It's either a minor diplomatic gaffe or an incredibly nuanced commentary on the current state of international copyright protec... nope, definitely a gaffe: The 25 classic DVDs given to British prime minister Gordon Brown when he recently visited President Obama turned out to be more DRM than drama.
According to the report in the Telegraph, when Mr. Brown returned to 10 Downing Street and tried to relax with the movies, his player returned a wrong-region message and would go no further. It's an embarrassment, atop the original fuss made when the gift was contrasted with Mr. Brown's thoughtful and historically rich gift to Mr. Obama. On the bright side, wouldn't it be something if an incident like this one clarified thinking on certain long-deplored aspects of digital rights management? Or at the very least, caused Vice-President Biden to have to explain why he thinks DRM is a reasonable thing to do to law-abiding -- let alone law-making -- citizens and lawfully purchased products?
Great minds think alike... on hacker exploits
Ah, the CanSecWest season -- spring is springing, Pwn20wn is smiting browsers, and the fearsome Invisible Things Lab team of Joanna Rutkowska and Rafal Wojtczuk have debuted another attack on SMM (system management mode) memory. Thing is, so has researcher Loic Duflot; in his case, right at the CanSecWest conference. The public disclosure was coordinated for Thursday, but the exploit itself was discovered independently by both teams.
Rutkowska's got the whole story on her site. Invisible Things and Duglot's team are all good eggs, so Intel was informed about the exploit well before CanSecWest attendees got the details. The exploit itself (PDF available here) allows for privilege escalation from Ring 0 to the SMM on various newer motherboards with Intel CPUs. "Informing Intel," by the way, turns out to be the weirdest part of the story -- turns out that not only has the company known about the SMRAM-related security gap since 2005, they've mentioned it in a patent application.
In search of better Web security: Three approaches
It feels as if we've been waiting forever for Microsoft Internet Explorer 8, which is why the fuss a few days back over Microsoft Research's "Gazelle" project -- ZOMG NEW BROWSER MAYBE!!!! -- was sort of refreshing and fun, if pretty far removed from reality as we know it.
The confusion came down to some observers' misunderstanding of the relationship between Microsoft Research and the parts of the company that actually ship products. Microsoft Research is, of course, a research facility; they think interesting thoughts, they test their theories, and after that maybe their ideas are taken up and maybe they're not.
Diebold admits serious design flaw in e-voting machines
Premier Election Systems -- the company formerly known as Diebold -- admitted in a public hearing on Thursday that the software used to manage audit logs on their electronic-voting systems had flaws that would not only drop certain votes entered into the system, but can delete the audit logs that could indicate a problem.
The testing, conducted after an election last June in Humboldt County, Calif., revealed at the time flaws in Diebold / Premier's GEMS system later confirmed by the California Secretary of State. The hearings now underway will help state officials to decide whether to decertify the GEMS v. 1.18.19 system for use in future state elections. The Humboldt testing revealed that the software dropped ballots under certain circumstances. Further investigation by the Secretary of State's office confirmed that problem -- and revealed that the audit logs themselves could be radically altered, sometimes with just one click. The problems with the audit logs, had they been known during the certification process (as Diebold knew for years, it was revealed today), should have disqualified the systems from being certified at all.
Inside EPIC's privacy claim against Google: What's the evidence?
By now, the matter of Google's multiple small disasters with its early round of cloud-based applications -- troubles which led to the unauthorized sharing ability of some files -- is one of public record, and certainly the company has made plenty of public apologies. But was it criminally deceptive in promising to users a safe system, only to then be hit with safety issues? The Electronic Privacy Information Center advocacy group says yes, and it has taken its case to the US Federal Trade Commission.
In a formal complaint issued this morning (PDF available here), EPIC uses citations from Google's online marketing promotions for its cloud-based applications, along with links to news articles about the company's recent headaches, to build the case that the company makes promises to users that it can't keep.
Twitter folk preyed on (again)
Abuse of Twitter users is getting to be such a regular thing than a wiser journalist would write a macro for the story, though for once they're not being duped into revealing their passwords. That said, Rik Ferguson at Trend Micro is reporting today that a site sharing a name with a brand-new iPhone application for the popular microblogging service has a nasty little malware payload waiting for the unwary.
The application, TweetFollow, was released just last week. It is safely available from its developers at b1te.com, as well as from Apple's apps store. It is not, however, available from tweetfollow.com, which instead has a JavaScript infection called, in Trend Micro parlance, JS_IFRAME.AKK. The domain was registered on December 31, 2008 to John Dennis of Netus Group, with whom Betanews has left a message requesting clarification concerning a) how the site is connected to the TweetFollow application and b) why the site has JavaScript cooties. We'll keep you posted.
Swedish dread over looming IPRED copyright law
TorrentFreak and other peer-to-peer-interested sites are taking a hard look at a controversial law that will make it easier for copyright holders to get personal information on people they claim are infringing on their rights. Despite massive public disapproval, rules based on the EU's Intellectual Property Rights Enforcement Directive (IPRED) goes into effect on Wednesday, April 1. (No fooling.)
The law, which permits the rights holders to petition the court for the names of people associated with IP addresses via which infringement is alleged to have occurred, will also increase penalties and eventually criminalize large-scale infringement. In a recent poll, 48% of Swedes said they believe the new law is wrong, with just 32% approving. More memorably, Rikard Falkvinge, chairman of Sweden's Pirate Party and co-leader of the Facebook protest, castigated the digital literacy of the legislation's authors, telling TorrentFreak that "These laws are written by digital illiterates who behave like blindfolded, drunken elephants trumpeting about in an egg packaging facility."
After years in eclipse, fresh L0phtCrack version released
A Windows password-auditing tool acquired by Symantec only to be shelved when the lawyers got a look at the thing has been re-acquired by its original authors, who have released a long-awaited Version 6 to the public. L0phtCrack languished for years after the company decided that the tool, popular with hackers, could raise liability issues.
Once upon a time, Mudge, Dildog, and Weld Pond released L0phtCrack, which can be used as a password-auditing tool or, if you're playing offense, a tool for cracking passwords on systems not belonging to you. In 2000, the Boston-based L0pht Heavy Industries hacker collective (est. 1992, and famous for telling Congress they could take the Internet down in 30 minutes) morphed into @stake, becoming a marginally more mainstream security consultancy. In 2004, Symantec acquired @stake.
A phishing scheme may have exposed 700 Comcast customers
A document that appeared on the online sharing service Scribd appeared to show thousands of comcast.net accounts, along with their passwords. It was probably posted there as a display of somebody's phishing prowess, though it would appear it took two months or more before anyone finally noticed.
Well, someone finally noticed. As it turns out, only about 700 of those 4,000 or so addresses were for real Comcast subscribers, the company confirmed to Betanews this morning, which creates some doubt as to whether the would-be phisher stole these account names from Comcast itself or from a really bad screen-scraper routine.
© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.