Archive for February, 2011

The World Wide Web Consortium (W3C) has accepted and published Microsoft’s proposal for a standard protecting consumer privacy. Acceptance by W3C, the governing body responsible for HTML5, is a significant hurdle for Microsoft as it works to give users more control over their own online privacy and the tools necessary to block unwanted Web tracking.

Dean Hachamovitch, Corporate Vice President, Internet Explorer, acknowledges that online privacy is a high priority for consumers and governments around the world. Microsoft recently introduced Tracking Protection with the release candidate (RC) for Internet Explorer 9 (IE9), which allows users to opt out of online tracking and block the content that does the tracking.

Hachamovitch says, “Microsoft’s privacy submission to the W3C ensures that Tracking Protection is fully interoperable and can be used universally. Microsoft believes that all customers should have the opportunity to control their online experience.”

A post on Microsoft’s IEBlog recognizes the value of the HTTP header approach for notifying compliant sites of a user’s preferences, but adds, “Enabling consumers merely to express their intent to not be tracked is just not sufficient. It’s a subset of what effective tracking protection should do. IE9’s Tracking Protection also enables consumers to block the content that does the tracking.”

The approach seems to combine the tracking lists approach originally included in IE9 by Microsoft with some variation of the HTTP header do-not-track solution proposed by Mozilla and supported by the FTC, which originated the push for a universal do-not-track solution in the first place.

Ashkan Soltani, a researcher and consultant focused on privacy, security, and behavioral economics, commented, “I think it’s a great move and demonstrates recognition by Microsoft that for this to work, you want both technology and policy to work in tandem.”

Soltani explains, “You want technical mechanisms like the IE9 Tracking Protection Lists that attempt to provide some level of protections for consumers. However there will always be ways to circumvent these mechanisms, much like we’ve seen with Flash cookies, CSS history, or DNS masquerading (the tracking ‘arms race’ so to speak). This is where the header will hopefully come in and provide a reliable signal from consumers about tracking which hopefully regulatory groups can then act on.”

Christopher Soghoian, Graduate Fellow, Center for Applied Cybersecurity Research, Indiana University, notes the simple irony of the hybrid approach. “It is very interesting that Microsoft has now embraced the HTTP Header that Mozilla pioneered.”

Regardless of the browser wars aspect of the competing solutions, there seems to be consensus on the problem itself. For Microsoft, having the W3C on its side will go a long way toward developing a standard approach that can be embraced on a broader scale.

Hacker Writes Easy-to-use Mac Trojan

Posted: February 26, 2011 in Analysis

In a sign that hackers, like everyone else, are taking an interest in everything Apple, researchers at Sophos say they’ve spotted a new Trojan horse program written for the Mac.

It’s called the BlackHole RAT (the RAT part is for “remote access Trojan”) and it’s pretty easy to find online in hacking forums, according to Chet Wisniewski, a researcher with antivirus vendor Sophos. There’s even a YouTube video demonstration of the program that shows you what it can do.

Sophos hasn’t seen the Trojan used in any online attacks — it’s more a bare-bones, proof-of-concept beta program right now — but the software is pretty easy to use, and if a criminal could find a way to get a Mac user to install it, or write attack code that would silently install it on the Mac, it would give him remote control of the hacked machine.

BlackHole is a variant of a Windows Trojan called darkComet, but it appears to have been written by a different developer. The darkComet source code is freely available, so it looks like BlackHole’s author simply took that code and tweaked it so it would run on the Mac, Wisniewski said.

Mac OS X has been gaining market share on Windows lately, and that’s starting to make it a more interesting platform for criminals. Wisniewski said that while Mac malware is still very rare, he has seen another Trojan, called HellRTS, circulating on file-sharing sites for pirated Mac software.

Myths about iPad

Posted: February 22, 2011 in Analysis

Myths about Apple’s iPad are all over the web. People I meet tell me the iPad can’t do this thing or the other.

Rubbish. Hogwarts. I mean hogwash.

Let’s take a look at the five biggest myths and see why they are wrong.

1. The iPad can’t do Flash. This is like saying a Corvette can’t haul 4X8 pieces of lumber. Of course it can’t.

That’s because the Corvette was designed to do other things. The iPad was designed for safety and resistance to crashes. Flash, the method many older websites use to show video, was designed for neither of those things. So the iPad shows other, safer kinds of video — HTML5 video and MP4 video, for example.

Is this a great loss? No, it’s a decision from Apple that protects iPad users. And guess what? YouTube, the No. 1 video site worldwide, sends iPads a non-Flash version of any video when you use the iPad YouTube app instead of an ordinary web browser. (The app makes finding videos much easier, too.)

As for sites that don’t care about safety, they’ll have to wise up before long, too. Apple, the second largest company in the world and the biggest player in the video business, has stopped putting Flash on Macs, and Microsoft has decided to make HTML5 its biggest video priority.

2. The iPad doesn’t have a USB connection. Nonsense. To keep the iPad’s case simple as well as beautiful, Apple put the iPad’s USB connector inside the standard dock connector on one of the long sides of the iPad. You simply plug in Apple’s USB converter to turn that connector into a USB jack. The USB converter is part of Apple’s camera connection kit for the iPad. Another part of it is an SD memory card reader.

3. The iPad can’t print. And your momma can’t dance. The iPad is a wireless device, so all its printing is done wirelessly. This capability is built into the current version of the iPad’s main software. You have two ways to print wirelessly — using a compatible printer (Epson and HP have them now, and all other major printer companies will jump on board soon), or using software on your Mac or Windows PC that enables wireless sharing of any printer plugged into your Mac or PC. (Make sure your iPad has the current software by plugging it into your Mac or PC and using iTunes to check for updates.)

The Mac software is Printopia, from www.ecamm.com/mac/printopia. For the Windows version, go to http://tinyurl.com/27j6kol.

4. The iPad can’t use any directly connected (non-wireless) peripherals. Hooey. You can plug any thumb drive into an iPad using the camera kit adapter from Apple, for one thing. And you can connect any audio device, such as a microphone or headset that connects by USB. You can hook up a projector using the VGA adapter from Apple. Any keyboard can connect, too, although you probably should consider the Apple iPad keyboard dock, which has an excellent keyboard, a connector and an upright holder, or the Apple Bluetooth keyboard, which works wirelessly.

And, if you use a standard powered USB hub like you’d use with any computer, you can plug in external USB speakers that need a lot of power. And I haven’t even begun to mention what you can do if you change the built-in operating system using the Cydia method, at http://cydia.saurik.com/. It’s called “jailbreaking” the iPad, but ignore the scary word; it’s totally legal and simple enough for the average blockhead, and means you’re letting the iPad run apps that don’t come from the Apple App Store.

With jailbreaking active, you can connect a mouse or a hard drive to your iPad, among other peripherals. More info on jailbreaking can be found at these sites: http://tinyurl.com/2d4q9h9 and http://tinyurl.com/37g25ce. (Note that the iPhone can also be jailbroken, so you’ll see references to the iPhone also. None other than the U.S. government has pronounced jailbreaking legal, so don’t let anyone tell you otherwise.)

5. The iPad doesn’t multitask. Pfft! The day I wrote this column, I checked my iPad and found it had 24 apps running at the same time. You can run your mail program, use your Web browser, chat on Facebook, listen to music, read The New York Times, print something and do any number of other things at the same time. (Multitasking was added last November.)

McAfee released its Q4 Threat Report earlier this week, indicating a sharp rise in mobile-based malware attacks from 2009 to 2010 and forecasting more of the same for the coming year. Users of Apple products haven’t ever really needed to show much concern for security threats, as the company’s computers are largely considered to be “virus safe” in many regards. The same is not true of the iPhone, however, as a group of German researchers recently discovered.

It took the group of researchers at Fraunhofer Institute Secure Information Technology just six minutes to retrieve private information like stored passwords from the iPhone’s innards without ever cracking its master passcode. Apple products use a password management system called keychain which can be accessed directly in the device’s file system following a jailbreak, with no passcode required. The actual password retrieval process is somewhat complicated and heavy on the tech jargon, but it basically boils down to the fact that the keychain data is both separate from the device’s encrypted passcode and easier to access.

“As soon as attackers are in the possession of an iPhone or iPad and have removed the device’s SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well,” the researchers said in a statement. “Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset.”

In addition to releasing a large number of security updates on Tuesday, Microsoft released an important change to the behavior of Windows XP and Windows Vista. Windows will no longer run, or offer to run, programs automatically off of USB media, both flash keys and hard disks.

This feature goes all the way back to Windows 95, which automatically played music CDs and ran programs on CD-ROMs. This was called AutoPlay and has since evolved into a broader set of features called AutoRun. The feature has turned into a big security problem on USB media.

Malware programs these days typically search for USB-based storage and write themselves to it. When the key or hard disk is inserted into a new computer, the AutoRun menu offers to run the malware, which is disguised as something to entice the user.

This malicious use has become so common that Microsoft is disabling it by default. Users who apply the update will still see an AutoRun menu when they plug in a key, but it will not have any options for running programs off of the device. This is the behavior that Windows 7 has had from its release. Certain high-end, security-hardened USB keys will still have the old behavior, as will CDs and DVDs.

The update is not labeled as a security update, but it is rated “Important,” so users with the recommended settings for Windows Update will have it installed automatically. If you want to re-enable the feature, Microsoft has also created a Fix It to turn it back on.

SAN FRANCISCO (AFP) – A hacker group behind online attacks on companies that withdrew services from WikiLeaks busted through the defenses of a computer security firm working with federal agents to expose their identities.

Hackers operating under the banner “Anonymous” took credit for breaking into the website of HBGary Federal, stealing tens of thousands of email messages and temporarily routing traffic to a page with a vitriolic message.

“You’ve tried to bite the Anonymous hand,” a copy of the message online Monday stated. “You angered the hive and now you are being stung.”

Efforts to visit HBGary’s website on Monday were met with an automated post saying the page was “under construction.”

Plundered email accounts included that of HBGary chief executive Aaron Barr, whose separate Twitter account was also reportedly compromised by someone who “tweeted” personal information about him and rude messages.

Stolen email messages were made available online at a popular peer-to-peer file sharing website, Chester Wisniewski of Sophos computer security firm said in an online post regarding the hack.

The HBGary hack was more sophisticated than the distributed denial of service (DDoS) attacks last year on the Amazon, Visa and MasterCard websites in apparent retaliation for their decisions to stop working with WikiLeaks.

WikiLeaks had triggered political ire in Washington for its publication of thousands of classified US diplomatic cables and military reports from Iraq and Afghanistan.

“Unlike the DDoS attacks for which Anonymous has made headlines in recent months, this incident involved true hacking skills,” Wisniewski said.

In a typical DDoS attack, a large number of computers are commanded to simultaneously visit a website, overwhelming its servers, slowing service or knocking it offline completely.

HBGary had been working to expose the culprits behind the DDoS attacks and was poised to sell identifying information about members of Anonymous to the FBI, according to Wisniewski.

Last month, British police arrested five people and the US Federal Bureau of Investigation launched raids across the United States as part of a probe into cyberattacks by Anonymous.

LONDON – WikiLeaks founder Julian Assange and his entourage of lawyers, supporters, protesters and journalists are headed back to a London court for a showdown between the secret-spilling computer hacker and Swedish authorities who want him extradited to face sex crimes allegations.

A two-day hearing that begins Monday will decide Assange’s legal fate. It will also keep the spotlight away from WikiLeaks’ revelations and on its opinion-dividing frontman.

Assange is accused of sexual misconduct by two women he met during a visit to Stockholm last year. At Belmarsh Magistrates’ Court, a high-security judicial outpost beside a prison, defense lawyers will argue that he should not be extradited because he has not been charged with a crime, because of flaws in Swedish prosecutors’ case — and because a ticket to Sweden could land him in Guantanamo Bay or on U.S. death row.

American officials are trying to build a criminal case against WikiLeaks, which has angered Washington by publishing a trove of leaked diplomatic cables and secret U.S. military files. Assange’s lawyers claim the Swedish prosecution is linked to the leaks and politically motivated.

Preliminary defense arguments released by Assange’s legal team claim “there is a real risk that, if extradited to Sweden, the U.S. will seek his extradition and/or illegal rendition to the USA, where there will be a real risk of him being detained at Guantanamo Bay or elsewhere.”

The document adds that “there is a real risk that he could be made subject to the death penalty” if sent to the United States. Under European law, suspects cannot be extradited to jurisdictions where they may face execution.

Many legal experts say the Guantanamo claims are fanciful, and Sweden strongly denies coming under American pressure.

Nils Rekke, head of the legal department at the Swedish prosecutor’s office in Stockholm, said Assange would be protected from transfer to the U.S. by strict European rules.

“If Assange was handed over to Sweden in accordance with the European Arrest Warrant, Sweden cannot do as Sweden likes after that,” he said. “If there were any questions of an extradition approach from the U.S., then Sweden would have to get an approval from the United Kingdom.”

Assange’s lawyers will also battle extradition on the ground that he has not been charged with a crime in Sweden and is only wanted for questioning.

They argue that “it is a well-established principle of extradition law … that mere suspicion should not found a request for extradition.”

Lawyers for Sweden have yet to disclose their legal arguments.

WikiLeaks sparked an international uproar last year when it published a secret helicopter video showing a U.S. attack that killed two Reuters journalists in Baghdad. It went on to release hundreds of thousands of secret U.S. military files on the wars in Iraq and Afghanistan, and it later began publishing classified U.S. diplomatic cables whose revelations angered and embarrassed the U.S. and its allies.

The furor made Assange, 39, a global celebrity. The nomadic Australian was arrested in London in December after Sweden issued a warrant on rape and molestation accusations.

Released on bail on condition he live — under curfew and electronically tagged — at a supporter’s country mansion in eastern England, Assange has managed to conduct multiple media interviews, sign a reported $1.5 million deal for a memoir, and pose for a magazine Christmas photo shoot dressed as Santa Claus.

He drew a large media scrum at a brief court appearance in London last month, where he vowed to step up the leak of a quarter million classified U.S. diplomatic cables.

The full extradition hearing should shed light on the contested events of Assange’s trip to Sweden, where WikiLeaks’ data are stored on servers at a secure center tunneled into a rocky Stockholm hillside. Two Swedish women say they met Assange when he visited the country and separately had sex with him, initially by consent.

In police documents leaked on the Internet, one of the women told officers she woke up as Assange was having sex with her, but let him continue even though she knew he wasn’t wearing a condom. Having sex with a sleeping person can be considered rape in Sweden.

Assange is also accused of sexual molestation and unlawful coercion against the second woman. The leaked documents show she accuses him of deliberately damaging a condom during consensual sex, which he denies.

The picture is more confused by the fact that one Stockholm prosecutor threw out the rape case, before a more senior prosecutor later reinstated it and asked for Assange’s extradition from Britain so she could question him.

Assange’s lawyers argue that amid the confusion, the European arrest warrant was improperly issued. They allege Assange “has been the victim of a pattern of illegal and/or corrupt behavior by the Swedish prosecuting authorities,” who leaked his name to the media, rejected his requests to be interviewed from London, and failed to make the evidence against him available in English.

They also say the accusations against Assange would not constitute a crime in Britain, and complain they have not been given access to text messages and tweets by the two women which allegedly undermine their claims. They say text messages exchanged by the claimants “speak of revenge and of the opportunity to make lots of money.”

Whatever happens in court this week, Assange’s long legal saga — and his stay in the tranquil Norfolk countryside — is far from over. The extradition hearing is due to end Tuesday, but Judge Howard Riddle is likely to take several weeks to consider his ruling — which can be appealed by either side.

Assange, meanwhile, may be tiring of his nomadic life. On Friday he told a meeting in Melbourne by video link that Australian Prime Minister Julia Gillard “should be taking active steps to bring me home.”