Hackers exploit latest IE zero-day with drive-by attacks: Via Computerworld Cybercrime/Hacking News.

Hackers are exploiting the just-disclosed unpatched bug in Internet Explorer (IE) to launch drive-by attacks from malicious Web sites, security researchers said today.

"This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out," said Craig Schmugar, a threat researcher at McAfee, in a blog post today.

Attacks are launched from Web sites in a classic drive-by fashion, said Schmugar and others. "Visiting the page is enough to get infected," Schmugar said.

Symantec also confirmed that it has spotted in-the-wild attacks exploiting the critical vulnerability in IE6 and IE7 that Microsoft acknowledged yesterday. "We're still seeing just limited attacks," said Ben Greenbaum, a senior research manager on Symantec's security response team. "The exploit is carried out simply by visiting a Web page hosting the vulnerability. When the browser opens the page, the exploit causes the user's computer to download and execute another piece of malware." [ Read more ... ]

‘Sophisticated’ Hack Hit Intel in January: Via Threat Level.

Intel is the latest U.S. corporation to acknowledge that it was hacked in January in a sophisticated attack that occurred at the same time that Google, Adobe and others were targeted.

The giant California-based chip maker was rumored to have been among some 34 companies that were targeted, but said on Tuesday there was no evidence to tie its hack to the attack on Google and others.

“We did not see the kind of broad-based attack as described by Google,” said Intel spokesman Chuck Mulloy. “Companies routinely see hackers trying to get into their system. It is a risk factor and that’s why it was in the 10k. We’ve seen no loss of [intellectual property] as a result of any of these attacks.”

In its latest 10k filing to the Securities and Exchange Commission, Intel disclosed that it had been the target of a “sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google. [ Read more ... ]

Probe Traces Google Hack to Chinese Schools: Via Threat Level.

NEW YORK (Reuters) - Recent cyber attacks on Google and other American corporations have been traced to a top Chinese university as well as a school with ties to the Chinese military, The New York Times reported on Thursday, citing people involved in the investigation.

Those people told the Times that the Chinese schools involved are Shanghai Jiaotong University and the Lanxiang Vocational School. They said the attacks may have started as early as April 2009 — earlier than previously thought.

According to the report, investigators believe there is evidence suggesting a link to a computer science class at the vocational school taught by a Ukrainian professor.

Google jolted U.S.-China ties with its Jan. 12 announcement that it had faced a “highly sophisticated and targeted attack” in mid-December, allegedly from inside China. [ Read more ... ]

Facebook Privacy, Security Fears Grow with Social Network Risks: Via Security from eWeek.

According to Sophos, 60 percent of businesses consider Facebook the riskiest social networking site, underscoring a new level of wariness for social networks at a time when a researcher from Kaspersky Lab says compromised accounts for Twitter and other sites can go for big bucks in the cyber-underworld.

Businesses are growing more concerned about the use of social networks, starting with Facebook.

According to a survey of 502 IT professionals by Sophos, businesses are seeing more malware and spam, and 60 percent of respondents put Facebook ahead of MySpace, Twitter and LinkedIn as the riskiest social networking site. The statistics, which were included in Sophos' "Security Threat Report: 2010" (PDF), revealed that while 33 percent block Facebook for productivity reasons, businesses are also concerned with the prospect of spam, malware and data leakage on social networks. [ Read more ... ]

China Accuses U.S. of Cyberwarfare: Via Threat Level.

In the wake of a recent speech by U.S. Secretary of State Hillary Clinton condemning countries that censor the internet and engage in hacking, China has lobbed a return volley and accused the United States of hypocrisy and initiating cyberwarfare against Iran.

An editorial in the People’s Daily — the main mouthpiece for China’s Communist Party — accused the U.S. of doublespeak and of using “online warfare” to instigate violent unrest in Iran via Twitter and YouTube following that country’s national elections in June.

“We’re afraid that in the eyes of American politicians, only information controlled by America is free information, only news acknowledged by America is free news, only speech approved by America is free speech, and only information flow that suits American interests is free information flow,” said the Sunday editorial, according to the Guardian newspaper.

The editorial was taking aim at a speech by Clinton on Thursday in which she said that access to information, and the internet, is a basic human right, but that countries around the world were erecting virtual walls in place of the physical walls that generally characterize oppressive regimes. [ Read more ... ]

Microsoft Learned of IE Zero-Day Flaw Last September: Via Threat Level.

Microsoft was aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies but did not patch the hole completely until Thursday.

The software giant had intended to release a patch for the flaw in February — more than four months after learning about it, but had to speed up that plan and role it out this week in the wake of news that Google and others had been hacked through the flaw, the world’s largest software maker acknowledged Thursday.

Meron Sellen, a security researcher at BugSec, an Israeli firm, quietly reported the vulnerability to Microsoft in September, according to security firm Kaspersky.

Microsoft confirmed it learned of the so-called “zero-day” flaw months ago.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. [ Read more ... ]

Gmail takes the lead on email security: Via EFF.org Updates.

Last night, Google announced that Gmail sessions will now be fully encrypted with HTTPS by default. This is excellent news — EFF congratulates Google for taking this significant step to safeguard their users' privacy and security.

Previously, it was possible to encrypt your access to Gmail, but it required altering the default configuration. Now every Gmail user will get the benefits of encryption without needing to know that they need it.

With this development, Google has taken a clear two-step lead over its competition: other major hubs for personal communication such as Facebook, Yahoo! mail, Hotmail, and LiveJournal do not even make the use of HTTPS possible, let alone the default. A handful of smaller, specialist webmail providers do offer HTTPS, but Google is alone in bringing basic email security to the mainstream Web. [ Read more ... ]

Order to Shut Down Websites Critical of Apex Technology Group is Dangerous and Wrong: Via EFF.org Updates.

Over the holidays, a New Jersey court issued an order requiring upstream providers to shut down three anti-H1-B websites that is deeply dangerous and wrong. The order not only tries to remove allegedly defamatory messages but also requires a complete shutdown of the websites and even purports to require the cooperation of the hosting companies and domain registrars of the websites to do so and for other service providers to identify anonymous speakers.

The plaintiff in the lawsuit, Apex Technology Group, is a staffing and consulting services company. Apex describes itself as "delivering sophisticated technology-enabled solutions to maximize complex business needs." The dispute apparently started when someone uploaded a document purporting to be an Apex employment agreement to docstoc.com, and noted several terms the poster considered unfair to H1-B workers (copy of original post). The H-1B is a non-immigrant visa that allows U.S. employers to temporarily employ foreign workers in specialty occupations. The defendant websites allegedly linked to this post and document, and Apex demanded its removal. Curiously, Apex simultaneously claimed that the document defamed them and that they were its copyright owners. This is unusual, since people rarely defame themselves with their own copyrighted works. [ Read more ... ]

Adobe will be top target for hackers in 2010, report says: Via Computerworld Security News.

Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers in 2010, surpassing Microsoft Office applications, a security vendor predicted this week.

"Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot," security vendor McAfee said in its "2010 Threat Predictions" report (PDF).

Hackers usually target the most widely used products in order to achieve the maximum impact. [ Read more ... ]

Facebook Rolls Out New Privacy Settings: Via Bits Blog - NYTimes.com .

Wednesday is privacy day for Facebook’s 350 million members. The company is asking users to review all their privacy settings.

The social networking site is giving members new privacy options, and in particular, will now allow people to choose custom privacy settings for each piece of content they post to the service.

Facebook would like people to think the move is aimed solely at empowering users and giving them more control over their data. But there are other motivations. This is also a calculated move by the company to fix some of the problems that have come with its torrid growth. And the changes could help Facebook compete head-on with rivals such as Google and Twitter in becoming the Web’s foremost repository of information about people and what they are doing in real time. [ Read more ... ]

4 Hackers Indicted in $9.5 Million Bank Card Attack: Via Threat Level.

Four men have been indicted in Georgia on charges that they hacked into the Atlanta-based bank card processing company RBS WorldPay. They allegedly used an army of flunkies to steal $9.5 million in cash from ATM machines around the world in a span of hours.

Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3″ were indicted by a federal grand jury in what’s being described as “perhaps the most sophisticated and organized computer fraud attack ever conducted.”

The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking. Another four people based in Estonia were also indicted on access-device fraud charges in connection with the hack. [ Read more ... ]

Google Book Plan Hits Privacy Snag: Via Threat Level.

Opposition to the pending Google book settlement took a turn Tuesday as civil rights groups told a federal court that the plan to digitize millions of books threatens readers’ privacy.

The Electronic Frontier Foundation, the American Civil Liberties Union, and the Samuelson Law, Technology and Public Policy Clinic of the University of California claimed in a court brief that reading could be chilled from Google maintaining personal identifying information about what titles the public browses, reads and purchases.

The groups joined a growing chorus opposed to Google’s pending plan. The bulk of the opposition, however, stems largely from copyright concerns — not privacy. The privacy groups contend Google likely could maintain a so-called “digital dossier” (.pdf) about individuals’ reading habits and interests. [ Read more ... ]

The Medium - Facebook Exodus: Via NYTimes.com.

Leif Harmsen, once a Facebook user, now crusades against it. Having dismissed his mother’s snap judgment of the site (“Facebook is the devil”), Harmsen now passionately agrees. He says, not entirely in jest, that he considers it a repressive regime akin to North Korea, and sells T-shirts with the words “Shut Your Facebook.” What especially galls him is the commercialization and corporate regulation of personal and social life. As Facebook endeavors to be the Web’s headquarters — to compete with Google, in other words, and to make money from the information it gathers — it’s inevitable that some people would come to view it as Big Brother.

“The more dependent we allow ourselves to become to something like Facebook — and Facebook does everything in its power to make you more dependent — the more Facebook can and does abuse us,” Harmsen explained by indignant e-mail. “It is not ‘your’ Facebook profile. It is Facebook’s profile about you.” [ Read more ... ]

Hackers Use Twitter to Control Botnet: Via Threat Level.

Hackers are now using Twitter to send coded update messages to computers they’ve previously infected with rogue code, according to a report from net-monitoring firm Arbor Networks.

This looks to be the first reported case of hackers using the popular micro-messaging company to control botnets, which are assemblages of infected PCs that can be directed to spy on their users, send spam, or attack web sites with fake traffic.

Arbor Network’s Jose Nazario, an expert on botnets, discovered the so-called command-and-control structure. Infected computers were following the Twitter feed “Upd4t3″ (now suspended) through its RSS feed. [ Read more ... ]

Judge Rules Against RealDVD: Via EFF.org Updates.

UPDATE: Just one day after Judge Patel's ruling against RealDVD, a California appeals court has ruled against Kaleidescape, reversing the lower court and sending that case back for a fresh determination of whether Kaleidescape violated the terms of the DVD-CCA license. More bad news for innovators who want to bring legitimate consumers DVD jukebox products.

Judge Patel (who also handled Napster and Bernstein cases) has granted a preliminary injunction in favor of the major motion picture studios and DVD-CCA in their legal battle with Real Networks over its RealDVD products.

The case involves the legality of two products intended to allow DVD owners to make digital copies onto hard drives for later playback. One product, which Real briefly offered until being hit with a temporary restraining order in November 2008, was software intended for use on a personal computer. The second, which never made it out of prototype, was a "video jukebox" that combined DVD player and a hard drive -- what Real hoped would be a sub-$300 competitor for the fantastic (and fantastically expensive) Kaleidescape media server. [ Read more ... ]

Lazy Hacker and Little Worm Set Off Cyberwar Frenzy: Via Wired: Threat Level.

Talk of cyberwar is in the air after more than two dozen high-level websites in the United States and South Korea were hit by denial-of-service attacks this week. But cooler heads are pointing to a pilfered five-year-old worm as the source of the traffic, under control of an unsophisticated hacker who apparently did little to bolster his borrowed code against detection.

Nonetheless, the attacks have launched a thousand headlines (or thereabouts) and helped to throw kindling on some long-standing international political flames — with one sworn enemy blaming another for the aggression.

Welcome to the New World Order of cybersecurity. [ Read more ... ]

NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven, Top Spy Says - Via Threat Level:

The nation's top spy, Michael McConnell, thinks the threat of cyberarmageddon! is so great that the U.S. government should have unfettered and warrantless access to U.S. citizens' Google search histories, private e-mails and file transfers, in order to spot the cyberterrorists in our midst.

That's according to a sprawling 18-page story on the Director of National Intelligence by Lawrence Wright in the January 21 edition of the New Yorker. (The story is not online).

In the piece, McConnell returns, in flamboyant style, to his exaggerating ways, hyping threats and statistics to further his bureaucratic aims. For example, McConnell regurgitates the hoary myth that computer crime costs America $100 billion a year. THREAT LEVEL traced down the source of that fake-factoid in September to a former privacy officer for the state of Colorado. [ Read more ... ]

Verizon and Feds To Seek Dismissal of Anti-Spying Suit Thursday: >Telecom giant Verizon and their Justice Department backers will be asking a federal judge Thursday afternoon to throw out a lawsuit seeking millions in damages for Verizon's alleged mass transfer of customer calling records to the National Security Agency.'

The government intervened in the case to assert the 'state secrets' privilege, saying the case involved national secrets and must be thrown out . The Verizon suit is one of five consolidated cases, along with the better known case against AT&T, that have been moved to U.S District Chief Judge Vaughn Walker in San Francisco's federal court.

The Verizon plaintiffs have been facing a difficult case, since their allegations that MCI violated federal phone privacy laws centers on MCI (now owned by Verizon) allegedly turning over its phone call database to the government.

That was first revealed by the USA Today and subsequently confirmed by Congress members who were briefed on the program.' However, the Bush Administration never confirmed or denied the transfers, unlike the warrantless eavesdropping program, which the Adminstration confirmed.' [ Read more ... ]

'Cyberwar' and Estonia's Panic Attack: If you flip towards the back of this month's Wired magazine (15.09) you'll find an earnest two-page graphic depicting IP packets blasting off like ICBMs from Asia, arcing in a polar trajectory and slamming into six defenseless U.S. cities.

Yes, our friends across the hall from Wired News have succumbed to the sweet siren call of the cyberwar story. And they want you to know that It Could Happen Here.

Writer Joshua Davis was dispatched to the smoking ruins of Estonia to assess the damage wrought by last spring's DDoS attacks against the country's web, e-mail and DNS servers. Josh is a talented writer, and he returned with a story that offers some genuine insights -- a few, though, are likely unintentional. [ Read more ... ]

NBC "allows" bloggers to use debate footage: On Wednesday, NBC announced that it will join rivals CNN and ABC in making video footage of presidential debates aired on its networks freely available for non-commercial use. Under licensing terms posted on the MSNBC website, the footage is available for redistribution free of charge, provided that credit is given to MSNBC. The license also prohibits footage of NBC journalists from appearing in campaign commercials. [ Read more ... ]

Sony-BMG Sues Maker of Bad DRM: "

Major record company Sony-BMG has sued the company that made some of the dangerous DRM (anti-copying) software that shipped on Sony-BMG compact discs back in 2005, according to an Antony Bruno story in Billboard.

Longtime Freedom to Tinker readers will remember that back in 2005 Sony-BMG shipped CDs that opened security holes and invaded privacy when inserted into Windows PCs. The CDs contained anti-copying software from two companies, SunnComm and First4Internet. The companies’ attempts to fix the problems only made things worse. Sony-BMG ultimately had to recall some of the discs, and faced civil suits and government investigations that were ultimately settled. The whole episode must have cost Sony-BMG many millions of dollars. (Alex Halderman and I wrote an academic paper about it.) [ Read more ... ]

Online CD Seller Fights Universal's Bogus Infringement Allegations: "

Record Industry Takes Aim at Right of 'First Sale'

San Francisco - An eBay seller is taking on Universal Music Group (UMG) in court after the record industry giant targeted his online music sales with false claims of copyright infringement.

The Electronic Frontier Foundation (EFF) and the San Francisco law firm of Keker & Van Nest LLP are representing Troy Augusto, whose online auctions included sales of promotional CDs distributed by Universal. Augusto does business on eBay under the name Roast Beast Music and specializes in sales of rare and collectible music. [ Read more ... ]

E-Commerce News: Privacy: Microsoft Joins Privacy Parade: "Closely following announcements regarding privacy policies from competitors Google and Ask.com, Microsoft has trumpeted a new strategy of its own for its Live Search utility. The company has enacted what its says are enhanced steps to protect the privacy of Windows Live users. It also called for an industry-wide discussion to develop global privacy principles for data collection. [ Read more ... ]

Confirmed: Microsoft's Windows Media DRM cracked (again): "The Zune may not be the most popular portable media player, but you wouldn't know it based on the game of cat and mouse that has been going on for nearly a year between Microsoft and 'hackers' who have continually found ways to defeat Microsoft's DRM.

Ars Technica has been able to confirm that the latest attacks on Microsoft's Windows Media DRM work as proclaimed. Via an update of the Individualized Blackbox component (IBX), FairUse4WM can now remove DRM for Microsoft IBX versions 11.0.6000.6324 and earlier, on both XP and Vista.

The release of the update was first announced on the Doom9 forums, where user 'Divine Tao' indicated that he found a way to update FairUse4WM to support new keys (v1.3 Fix2). It would appear as though 'Divine Tao' is not working with the same hacker(s) who broke the Windows Media DRM code last summer, as the user says that access to the FairUse4WM source code is not possible for him or her. ('Divine Tao' is an anagram of 'viodentia,' however, which is suspicious.) [ Read more ... ]

Google - DoubleClick Deal Draws Criticism:BRUSSELS, Belgium (AP) -- Europe's major consumer group BEUC said Wednesday that it feared Internet search engine Google Inc.'s takeover of online ad tracker DoubleClick Inc. would damage European Union privacy rights and limit consumers' choice of Web content.

Their plea to EU regulators comes after U.S. consumer privacy advocacy groups asked the U.S. Federal Trade Commission to look at how the two companies, when combined, would have access to an unprecedented amount of data on consumers' Web usage and Internet search habits.

Cornelia Kutterer, BEUC's senior legal adviser, said the association had asked the European Commission and other European authorities to look into privacy concerns -- even though the two companies have not yet requested EU approval for the US$3.1 billion (euro2.29 billion) deal. [ Read more ... ]