[SecurityRatty] tag: rights

No Court Order Needed to Spy on Americans Overseas, Appeals Court Rules

Wed, 26 Nov 2008 16:58:00 +0000

The government does not need a judge's approval to wiretap Americans overseas, an appeals court ruled, rejecting the appeal of an American convicted of helping plan the 1998 East Africa embassy bombings. The ruling comes as rights groups challenge the government's warrantless wiretapping program and newly granted powers to set up electronic dragnets inside the United States.

News Report on Non Vulnerability in Windows Vista

Thu, 20 Nov 2008 15:41:16 +0000

Are editors so excited to use the headline “Vulnerability in Windows Vista” in their SEO URLs that they will have their reporters write a story on a non-issue?

IDG News has published a news report titled, “Researchers find vulnerability in Windows Vista“. The report says:

An Austrian security vendor has found a vulnerability in Windows Vista that it says could possibly allow an attacker to run unauthorized code on a PC.

The problem is rooted in the Device IO Control, which handles internal device communication. Researchers at Phion have found two different ways to cause a buffer overflow that could corrupt the memory of the operating system’s kernel.

In one of the scenarios, a person would already have to have administrative rights to the PC. In general, vulnerabilities that require that level of access somewhat undermine the risk since the attacker already has permission to use to the PC.

Somewhat undermine the risk? If you need admin rights to exercise a bug it is not a security issue since you could already run any code with whatever privilege you wanted. Microsoft is not issuing a patch, but creating a bug fix in a service pack, yet this is newsworthy? This story has no comment from anyone but the finder of the bug. Let’s see if other news outlets pick up on this one.

Zeus Crimeware Kit Gets a Carding Layout

Mon, 10 Nov 2008 02:53:52 +0000

With cybercriminals clearly expressing their nostalgia for several notorious and already shut down credit card fraud communities, they seem to have found a way to once again give their self-esteem a boost. Following the ongoing modification of open source crimeware kits and the inevitable innovation introduced by third parties, last week a new layout was introduced for Zeus, once again courtesy of a group that's piggybacking on Zeus popularity.

It's particularly interesting to see how a one-man operation evolves into a group of third-party developers starting to claim ownership rights over the modified versions despite that they're basically brandjacking the Zeus brand and building business models on the top of it.

Open source crimeware and web malware exploitation kits on the other hand undermine the business model of a great number of "malware/spyware for hire" vendors, which surprisingly doesn't stop them from continuing offering their services and products which are often using the de facto crimeware kits as the foundations for their propositions. Are the buyers even aware of this fact? From a buyer's perspective in times when most of the output is sold in bulk form, or access to the botnet rented for a specific period of time, the buyer doesn't care about the cybercrime platform of use, but is looking for transparent ways to justify the investment he's made into renting the service.

Now that Zeus administrators and their cybercrime clerks in the face of those managing the campaigns knowingly or unknowingly knowing the type of campaigns and the data that they manage, can listen to their favorite music within Zeus and choose different layouts for the command and control interfaces while commiting cybercrime, what's next?

Convergence and improved monetization.

Windows 7 UAC changes just 'lipstick,' argues vendor

Wed, 29 Oct 2008 01:00:00 +0000

Microsoft's plans to change the controversial User Account Control security feature in Windows 7 represent only cosmetic changes, a developer of enterprise rights management tools said today.

Massive SQL Injection Attacks - the Chinese Way

Tue, 21 Oct 2008 12:18:48 +0000

From copycats and "localizers" of Russian web malware exploitation kits, to suppliers of original hacking tools, the Chinese IT underground has been closely following the emerging threats and the obvious insecurities on a large scale, and so is either filling the niches left open by other international communities, or coming up with tools setting new benchmarks for massive SQL injection attacks, like the case with this one :

"A professional web site vulnerability scanning, use of tools, SQL injection is a new generation of tools to help Web developers and site of the station quickly find vulnerabilities in order to be able to effectively prepare Security work. At the same time, the tool to Web developers to demonstrate the ways in which hackers are using these vulnerabilities, hackers, as well as through the loopholes to do things, can effectively raise the safety awareness of relevant personnel."

Nothing's wrong with the marketing pitch at the first place, but going through the features, the "massive SQL injections through search engine reconnaissance" and automatic page rank verification which you can see in the attached screenshots, ruin the "security auditing" marketing pitch. The tool not only allows easy integration of potentially vulnerable sites obtained through search engines reconnaissance, but also, is prioritizing the results based on the probability for successful injection, next to the page rank of the domains in question. A simple demonstration offered by the company is also, directly enticing its users to "localize" the search engine reconnaissance, by filtering the search results for a particupar country, in this case they used French sites for one of the demos. Here are some excerpts from its CHANGE log speaking for themselves :

"2008.7.15 release version 1.3

- New powerful "automatic machine cycle" feature
- Automatic machine cycle is to provide assistance to the advanced user manual into the use of a very
- powerful and flexible module, the main sites used for some special filtering into the hand, is almost a
- universal tool, you can achieve the following:

1. In support of GET / POST / COOKIES in a variety of ways, such as the injection.
2. Scan the key to the page (background, upload, WebShell, databases, backup files, etc.).
3. According to the dictionary to violence landing back-guess solution WebShell password and password (required to verify that the code can not guess solution).
4. Page language does not limit the types and databases (to provide specific statements into the database).
5. At the same time, support for the circulation of the two variables and two dictionaries, fast running and violent content of the database solution to guess a password."

It gets even more interesting in terms of the massive SQL injection attacks mentality which is pretty evident on all fronts :

"- The use of the three search engine sites scans to invade the side to complete
- in scanning probe into the Web site ranking points
- added, "VBS upload to download", "upload directory Web site viewer," "FTP upload to download configuration file" function to make it more convenient for the sa rights to use the site.
- New "sequence document scanners"
- What is the sequence document scanners role? Upload to find loopholes, some of the procedures to upload the file after the upload will be renamed, rename the way the system is usually based on time or incremental increase in the number prefix code for the upload process, if not to return after the file name, Upload files to know the url is usually very difficult to sequence the use of paper scanner can be scanned out

- The best reverse domain name query engine, and quasi-wide
- in scanning the database of basic information, an increase of the database of information related to the process, the link has information on the database server user login (sa need permission)
- control of the interface had a big adjustment, the interface process easier to understand and operate.
- based on a significant site of the wrong mode of access to a comprehensive code optimization and more accurate access to the content, accuracy and access to show progress.
- added, "VBS upload to download", "upload directory Web site viewer," "FTP upload to download configuration file" function to make it more convenient for the sa rights to use the site.

- point into the types of improved detection order to improve the efficiency of detection.
- improved automatic keyword detection, automatic keyword detection more accurate.
- probe into the points the way to improve and increase the use of automatic detection of the keyword detection.
- type of database to improve the detection, the use of the contents of the length of the failure to detect the type of database automatically switch to the probe through the keyword.
- automatically save and load solution has been to guess the tree structure of the database, guess Solutions has been the content and structure of the database will automatically save and open the next time the injection point will be automatically made available, the solutions do not have to guess again, the continuity of work Greatly increased.

- solved from the database to read large amounts of data (on hundreds of thousands or millions of records), the half-way card program will die.
- increased significantly on the wrong model of ASP.NET and SQL Server2005 significant mode of dealing with mistakes, error messages can be extracted from a Web directory!
- significant amendments to the wrong mode, some of the injected one by one point in the field or access to the contents of the issue can not be successful (error code in hand); for increased access to specific points table and into the field.

- amendments to the text of a significant error patterns to detect and correct use of loopholes in the system can be used more to expand. (Text significantly in the wrong mode in version 1.1 already supported, but in the version 1.2 upgrade in the process of scanning to improve the performance of the Gaodiao careless. -_-#)
- on a variety of encoded text can be significantly wrong in the right-compatible, able to correctly handle the ASP.NET page of the text marked wrong. Through custom error keyword, truly compatible with any language, any coding error message.
- crack anti-improvement and enhancement.
- An increase of auto-detection feature keywords.

- Mssql database specifically for significant points into the wrong mode of detection and the use of up and down the hard work, and many other software can not detect the point of injection can also be used.
- Automatic save and load access to the database, to allow manual known to add tables and fields for solutions to guess.
- Can be used to amend the degree of accuracy; optimize the code to reduce memory footprint; enhance the stability of multi-threading.
- Significant amendments to the wrong mode solution guess the contents of the database must be checked first field defects."

The public version of the tool has been in the while for over an year, with a VIP version available to customers only.

Liberal Democrat leader visits our lab

Fri, 17 Oct 2008 15:05:08 +0000

This week, Nick Clegg, leader of the UK Liberal Democrat Party, and David Howarth, MP for Cambridgeshire, visited our hardware security lab for a demonstration of Chip & PIN fraud techniques.

They used this visit to announce their new party policy on protections against identity fraud. At present, credit rating companies are exempt from aspects of the Data Protection Act and can forward personal information about an individual’s financial history to companies without the subject’s consent. Clegg proposes to give individuals the rights to “freeze” their credit records, making it more difficult for fraudsters to impersonate others.

EFF, ACLU slam carrier immunity law

Thu, 16 Oct 2008 20:00:00 +0000

A U.S. law that allows telecom carriers to be granted immunity in some suits alleging illegal government surveillance is unconstitutional, two civil-rights groups argued late Thursday.

Privacy groups praise bill curbing warrantless laptop searches

Wed, 08 Oct 2008 00:00:00 +0000

Privacy and civil rights groups are welcoming legislation that proposes tough new standards for conducting searches of laptops and other electronic devices at U.S. borders.

The NSA Teams Up with the Chinese Government to Limit Internet Anonymity

Thu, 18 Sep 2008 02:34:11 +0000

Definitely strange bedfellows:

A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.
The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

[...]

A second, apparently leaked ITU document offers surveillance and monitoring justifications that seem well-suited to repressive regimes:

A political opponent to a government publishes articles putting the government in an unfavorable light. The government, having a law against any opposition, tries to identify the source of the negative articles but the articles having been published via a proxy server, is unable to do so protecting the anonymity of the author.

This is being sold as a way to go after the bad guys, but it won't help. Here's Steve Bellovin on that issue:

First, very few attacks these days use spoofed source addresses; the real IP address already tells you where the attack is coming from. Second, in case of a DDoS attack, there are too many sources; you can't do anything with the information. Third, the machine attacking you is almost certainly someone else's hacked machine and tracking them down (and getting them to clean it up) is itself time-consuming.

TraceBack is most useful in monitoring the activities of large masses of people. But of course, that's why the Chinese and the NSA are so interested in this proposal in the first place.

It's hard to figure out what the endgame is; the U.N. doesn't have the authority to impose Internet standards on anyone. In any case, this idea is counter to the U.N. Universal Declaration of Human Rights, Article 19: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers." In the U.S., it's counter to the First Amendment, which has long permitted anonymous speech. On the other hand, basic human and constitutional rights have been jettisoned left and right in the years after 9/11; why should this be any different?

But when the Chinese government and the NSA get together to enhance their ability to spy on the world, you have to wonder what's gone wrong with the world.

DRM In The Cloud

Tue, 16 Sep 2008 03:52:18 +0000

**This is a cross-post from Securosis**I have a well publicized love-hate opinion of Digital Rights Management. DRM can solve some security problems but will fail outright if applied in other areas, most notably consumer media protection. I remain an advocate...