Microsoft Bing, discovery engine or porn engine?

Within days of the official launch of Microsoft's new 'Bing' search engine, users have found ways to exploit it in order to get around corporate firewall, filtering and policy options and view explicit pornographic and otherwise prohibited material.

The site streams video and places images directly into the browser on the Bing page, bypassing the original web address and thus avoiding any URL-based filtering. Explicit content is only shown to users who have set their adult content filter to off, but this is on a user-by-user basis, which companies have very little control over; the default is safe search for users who are not logged in under a user profile.

Microsoft has already produced a workaround enabling IT departments to block all explicit content. It works very simply: all explicit results are redirected to the web address http://explicit.microsoft.com, which can then be blacklisted on firewalls and filter lists.

This morning the URLs were already being blocked by Websense and other filtering services, and the bing.com server was reportedly receiving so many requests that it was not able to let users log in under their own profile.
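
As an added illustration of the workaround described above (example code written for this post, not Microsoft's or any filtering vendor's code): a small Python host-blocklist check that normalises each requested URL and matches it on a label boundary, applied to every resource a results page fetches rather than only the page URL, which is the gap the earlier paragraph describes. The host explicit.microsoft.com is the one named in the post; blocked.example and the sample fetch list are constructed.

```python
from urllib.parse import urlsplit

# Constructed blocklist: the host the post says explicit results are redirected to,
# plus a second, purely hypothetical entry to show the matcher is generic.
BLOCKED_HOSTS = {"explicit.microsoft.com", "blocked.example"}


def host_of(url: str) -> str:
    """Return the normalised hostname of a URL: lower-case, no port, no trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_blocked(url: str, blocklist=BLOCKED_HOSTS) -> bool:
    """True if the URL's host is a blocked host or a subdomain of one.

    Matching happens on a label boundary, so 'notexplicit.microsoft.com' does not
    match 'explicit.microsoft.com' while 'cdn.explicit.microsoft.com' does.
    """
    host = host_of(url)
    return any(host == blocked or host.endswith("." + blocked) for blocked in blocklist)


def filter_fetches(fetches):
    """Apply the host check to every request a page makes, not just the page URL.

    `fetches` is a list of (page_url, resource_url) pairs. The page URL is all a
    URL-only filter sees; the resource URL is where the embedded video or image is
    really loaded from. Returns (allowed_resource_urls, blocked_resource_urls).
    """
    allowed, blocked = [], []
    for _page_url, resource_url in fetches:
        (blocked if is_blocked(resource_url) else allowed).append(resource_url)
    return allowed, blocked


# Constructed sample of what a browser fetches while rendering one results page.
SAMPLE_FETCHES = [
    ("https://www.bing.com/videos", "https://www.bing.com/videos"),
    ("https://www.bing.com/videos", "http://EXPLICIT.microsoft.com:8080/clip.mp4"),
    ("https://www.bing.com/videos", "https://cdn.explicit.microsoft.com./thumb.jpg"),
    ("https://www.bing.com/videos", "https://notexplicit.microsoft.com/thumb.jpg"),
]

if __name__ == "__main__":
    allowed, blocked = filter_fetches(SAMPLE_FETCHES)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

The upper-case host, the explicit port and the trailing dot in the sample are the kinds of variation a naive string comparison against the blacklist entry would miss; normalising before matching keeps the rule to a single hostname.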

Related posts: The Bling of Bing

Vast global spy network discovered!

Sounds like the stuff of fiction, doesn't it? Covert networks and unknown organisations spying on hundreds of government offices, embassies, news/media organisations and personal computers around the world. But apparently it's true. Unlike in the movies, though, this was discovered by a group of researchers based in a basement office at the University of Toronto.

Self-confessed computer geeks Ronald Deibert and Nart Villeneuve were asked by the office of the Dalai Lama, the exiled Tibetan leader, to examine its computers for signs of malicious software, or malware. Using a combination of fieldwork, technical scouting and laboratory analysis during a ten-month investigation, they not only found evidence of malware but discovered a far-reaching network spanning 1,295 infected computers in 103 countries, 30% of which could be described as high-value targets.

The Canadian researchers have been practising what some term 'hacktivism' from the Citizen Lab, part of the Munk Center for International Studies at the University of Toronto, for some time. Citizen Lab has a reputation for using technology to combat corporate and governmental attempts to control cyberspace, and says that the malware found is remarkable both for its sweep and for its Big Brother-style capacities. What they are referring to is that it has not merely been 'phishing' for random information, but has the ability to turn on the camera and audio-recording functions of an infected computer, enabling the operators to see and hear what is going on in a room. The researchers were able to manipulate the code and infect a machine in their office, allowing them to monitor the commands given to the infected computers and to see the names of documents retrieved by the spies.

A 53-page report into GhostNet was published online under the 'Information Warfare Monitor' banner yesterday (29/03/09). The report is careful not to make any claims as to who is behind the operation, and in fact is quick to say that the investigation has raised more questions than answers.

Two computer researchers at Cambridge University, Shishir Nagaraja and Ross Anderson, also worked with the Tibetans, and released their report "The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement" yesterday (29/04/09). The British report went much further in its accusations against the Chinese, and warned that other hackers could adopt the tactics used in the malware operation.

While it has long been assumed that various governments are running these kinds of operations, this is by far the largest yet to be discovered, and it is still active, infecting around 14 new computers a day.

John Markoff of the New York Times reports that a spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. "These are old stories and they are nonsense," the spokesman, Wenqi Gao, said. "The Chinese government is opposed to and strictly forbids any cybercrime."

As with any other piece of malware, machines can be infected when users either open an email attachment or visit a website which installs code onto the client device, allowing commands to be sent to the machine remotely and temporarily taking control of it. As an IT manager, I am only too familiar with malware and have some idea of just how hard it can be to spot and remove, but I think I must watch too much TV, in that I assumed that embassies and such high-profile organisations as NATO and the office of the Dalai Lama would be running enough anti-malware and network intrusion software to prevent this type of attack.

Sources: Tracking GhostNet report, Snooping Dragon report, The New York Times, The Toronto Star

Related: FBI Honeytrap Darkmarket.ws is sprung, FBI protect us from terrorism by watching Warcraft?

Spotify lose user data

In a security notice posted on their blog on the 4th of March, Spotify announced to users that an unknown group had managed to compromise their security protocols. The breach meant that the attackers had access to information that could allow testing of a very large number of passwords, possibly finding the right one.

Spotify is an internet-based music service. Spotify are quoted as saying "Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider".

All users with accounts created on or before December 19th 2008 have been advised to change their Spotify passwords, and are strongly encouraged to change the password on any other service where they used the same one.

What this means in real terms is that a hacker (or group of hackers) managed to access a detailed description of how Spotify encode and send passwords between the browser and their server (this is referred to as their protocol). The passwords themselves are not actually stored on the server (or transferred over the internet); instead a special mathematical function is applied to the password within the browser to form a complex code that only the server can understand (this is referred to as a password hash). It is almost impossible to convert back from a password hash to a password, so the passwords themselves have not been exposed, but the hackers have been able to download these hashes. This means the hackers are able to run brute-force attacks, trying a very large number of possible passwords, for example starting with the letter a, then aa, ab, ac and so on, adding more letters and numbers and trying every combination until one opens the account. They then have access to your account, unless you have changed your password before they get the chance.
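
Added example, not Spotify's code and not a description of Spotify's actual protocol: the arithmetic behind the incremental guessing described above (a, aa, ab, ...) and the two properties that determine how long a stolen hash stands up to it, a random per-user salt and a deliberately slow iterated hash. The PBKDF2 iteration count, the benchmark budget and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates in the incremental search the post describes:
    every string of length 1..max_len over an alphabet of alphabet_size symbols."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def fast_hash(password: str) -> str:
    """Unsalted, single-pass SHA-1: cheap to compute, so cheap to test at scale."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): each guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str, iterations: int = 100_000) -> dict:
    """Server-side record: a random per-user salt, the work factor and the digest.
    The salt means two users with the same password get different digests, so one
    cracked hash says nothing about the others."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": slow_hash(password, salt, iterations)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = slow_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def guesses_per_second(hash_fn, budget_seconds: float = 0.25) -> float:
    """Rough single-core throughput of hash_fn on this machine (constructed benchmark)."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget_seconds:
        hash_fn("candidate%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


def seconds_to_exhaust(alphabet_size: int, max_len: int, rate: float) -> float:
    """Worst-case time to try every candidate in the keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, max_len) / rate


if __name__ == "__main__":
    salt = os.urandom(16)
    fast_rate = guesses_per_second(fast_hash)
    slow_rate = guesses_per_second(lambda p: slow_hash(p, salt, 100_000))
    for alphabet, length in ((26, 6), (62, 8)):
        print(f"alphabet {alphabet}, up to {length} chars: {keyspace(alphabet, length):,} candidates")
        print(f"  unsalted SHA-1 : {seconds_to_exhaust(alphabet, length, fast_rate) / 3600:,.1f} hours")
        print(f"  PBKDF2 100k    : {seconds_to_exhaust(alphabet, length, slow_rate) / 86400 / 365:,.1f} years")
    record = store_password("constructed-sample-pass")
    print(verify_password(record, "constructed-sample-pass"), verify_password(record, "password"))
```

The numbers printed depend on the machine, which is the point: the iteration count is a knob the server operator controls, and raising it multiplies the cost of every guess against a stolen hash without changing anything the user sees beyond a few tens of milliseconds at login.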

The next logical step for a hacker would be to see if you have used the same username and password for other services, especially online bank or betting accounts. Even iTunes accounts, for example, where they could purchase songs to sell on. Once exposed, the account information itself may even be sold to criminal gangs for use in identity theft.

So what can you do to protect yourself from this kind of exposure? You can try only signing up to services that you would trust to protect your information, and use complex passwords (8 characters or more, combining numbers, letters and other characters where possible). Don't use the same password for multiple accounts, and never use words or names: these are easily discovered with dictionary attacks, even if you switch letters for numbers that look the same (for example 5 for s).
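
To make the advice above concrete, an added example (written for this post, not Spotify's code) of a password check that applies the three rules: minimum length, a mix of character classes, and a dictionary test that first undoes the letter-for-number swaps the paragraph warns about. The word list is a constructed handful of entries standing in for a real dictionary-attack list, and the substitution table is an assumption covering the common swaps.

```python
import re

# Constructed mini wordlist standing in for a real dictionary-attack list.
COMMON_WORDS = {"password", "spotify", "letmein", "qwerty", "welcome",
                "monkey", "dragon", "football", "iloveyou"}

# Letter-for-digit/symbol swaps that a dictionary attack undoes before comparing.
# '1' is ambiguous (i or l), so both readings are tried separately below.
LEET_SUBSTITUTIONS = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def leet_variants(password: str) -> set:
    """Plain words an attacker would derive from the password: the password as typed,
    with trailing digits/symbols removed ('password123!'), and with leading ones removed
    too ('!!password'), each with the substitutions reversed."""
    lowered = password.lower()
    trimmed_end = re.sub(r"[^a-z]+$", "", lowered)
    trimmed_both = re.sub(r"^[^a-z]+", "", trimmed_end)
    variants = set()
    for form in (lowered, trimmed_end, trimmed_both):
        mapped = "".join(LEET_SUBSTITUTIONS.get(ch, ch) for ch in form)
        variants.add(mapped.replace("1", "i"))
        variants.add(mapped.replace("1", "l"))
    return variants


def is_dictionary_word(password: str) -> bool:
    """True if any de-obfuscated reading of the password is in the word list."""
    return any(variant in COMMON_WORDS for variant in leet_variants(password))


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in patterns if re.search(pattern, password))


def check_password(password: str, min_length: int = 8, min_classes: int = 3) -> list:
    """Return the names of the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if character_classes(password) < min_classes:
        problems.append("few_classes")
    if is_dictionary_word(password):
        problems.append("dictionary_word")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("abc", "Pa55w0rd!", "$p0tify2009", "correct-Horse7Battery"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
```

"Pa55w0rd!" satisfies the length and character-class rules and still fails, because once the 5s and 0 are read as letters and the trailing symbol is dropped it is just "password": exactly the case the paragraph describes.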

Viruses target social networks

Last week I fell victim to a virus. More correctly, I fell victim to a piece of malware/spyware. Being as I work in IT it didn't cause too much of a problem, but it did make me take another look at the whole spyware problem.

The first thing that surprised me was that my current anti-virus/malware software had not picked it up. I'm a bit of a security control freak and actually run online, gateway, server and desktop AV, none of which detected or matched the patterns in this virus. The virus managed to set up its own proxy server on my machine, bypass my own proxy server, disable my local AV software and run a number of exe files that mimicked the Windows alert modules, telling me the system had detected a problem and offering to install software to help. In fact, even when I ran deep scans with Trend and Spybot Search & Destroy, two leading titles in anti-malware, they reported that my system was running normally with no viruses found. It was obvious that I did have a problem, in that there were around 160 exe files running and a new Windows Explorer window appearing every couple of minutes. It didn't take long to do a quick Google search on the individual exe files and find something that could remove it.

The second thing that surprised me was how easily I almost fell for providing my credit card details on a machine I knew to be infected. After two days of working on my laptop while the very time-consuming deep scans ran on my workstation, I was so pleased to have found something that promised to kill the virus once and for all that I very nearly went ahead and paid the $30 for an online licence.

The third thing worth mentioning is how I fell for getting the virus in the first place. I guess it was a cross between a social engineering attack and a straightforward malware attack. In short, I got a message on Facebook inviting me to view a movie clip from a friend. This took me to what looked like that person's YouTube account, but where you would expect to see the movie playing there was a message saying that my version of Flash Player was out of date and to click to continue; the usual warning popped up before installing. All of which I clicked through, as it looked so similar to a genuine Flash updater. Next thing you know I've restarted and all sorts of pop-ups are saying a virus has been detected and linking to software products to purchase to remove it.

When you think about it, this is genius. The latest generation of internet users are very into social networks, but are much less tech-savvy when it comes to security and protecting themselves. They are so used to clicking 'yes', 'install', 'accept', 'I agree' without reading anything of what they are actually agreeing to that they are easy targets when it comes to installing harmful stuff like malware and viruses. I myself am a classic example: busy day in the office, a box pops up asking me to agree to an update to software I trust from a person I know, and I say yes without a second thought.

It would seem that I am not the only one, though. CNET this week reported on the Koobface virus currently hitting Facebook users, and there are no end of others popping up every day.

Personal email and public office.

The internet has played an important role in the 2008 American elections, with all sides using email, social networks, blogs and other web-based tools to secure votes. But yesterday it was suggested that whoever gets the post of president will have to give up their own personal email and blogs. The reason given is that the Oval Office feels these are too immediate as forms of communication and don't allow time for a future president to consider what they are saying.

Governor of Alaska and Republican vice-presidential nominee Sarah Palin's personal Yahoo! account (gov.palin@yahoo.com) was reportedly hacked last month. The hacker posted screenshots of two e-mails, a Yahoo! inbox, a contact list and several family photos to Wikileaks.org.

But it doesn't end there. Matthew Mosk of the Washington Post reports that in a lawsuit filed in Alaska Superior Court, Republican activist Andrée McLeod seeks to force Gov. Sarah Palin to produce copies of official correspondence she sent and received on private e-mail accounts.

It is alleged that defendant Sarah Palin, as a matter of routine, has used and continues to use (at least) two private e-mail accounts to conduct official business of the State of Alaska. McLeod has questioned whether Palin was using private e-mail accounts to conduct state business in a manner that would skirt open-records laws.

Credit Card Fraud and Online Games.

Further to my previous post on rumoured FBI plans to data-mine the online game World of Warcraft, in an unrelated incident .net magazine and The Register have recently reported that UK banks the Halifax and Royal Bank of Scotland have started blocking Visa and MasterCard payments to game publisher Blizzard Entertainment.

Following an increase in the number of fraudulent card payments for World of Warcraft game subscriptions, the banks have set the default action for these payments to block. This does not affect existing account holders, and legitimate card holders can contact the bank and have their account overridden to allow these transactions if desired. The banks have stated that they do not believe publisher Blizzard Entertainment is at all involved in these fraudulent transactions, but due to the nature of this type of transaction there is a great enough security risk to justify their action.

This is not the first credit card problem that Blizzard Entertainment has had to contend with. In 2005, many World of Warcraft customers received statements showing that the 8.99 charge was being made by the Croydon Park Hotel, Croydon, or the Swallow St. George Hotel, Harrogate, after card processing company Euro Conex, based in Dublin, Ireland, made a processing error on the payments.

Interestingly, World of Warcraft actually offers its own credit card scheme in the US, which allows users to earn game time at 1% of every dollar purchased.

This kind of credit card fraud is very popular because it is relatively difficult to trace. It is comparatively easy to set up an account with a false name and address, but comparatively hard to trace an account back through an ISP to a physical address or person. It is a card-not-present transaction not requiring a PIN, and no physical goods are being delivered, so there is no delivery address to trace back to, making it much easier for stolen cards or card details to be used.

According to industry organisation APACS, the number of card-not-present frauds affecting UK gambling sites rose by £12.7 million in the first half of 2007. It is estimated that mail order websites suffered £13 million worth of fraudulent transactions in 2007, many of which came from overseas transactions.

Macbook air hacked in just 2 minutes.

The ninth annual CanSecWest conference, held at the Marriott Renaissance Harbourside hotel in downtown Vancouver, British Columbia, kicked off on March 26, offering a $10,000 reward for anyone hacking the new MacBook Air with an original zero-day attack. The prize (put up by TippingPoint, the security division of networking giant 3Com) did not stand for long, being claimed within the first 2 minutes of the conference opening.

Well-known security researcher Shane Macaulay claimed the prize, but it is believed Dino Dai Zovi was the real creator of the attack and that he and Macaulay had some sort of deal over the competition entry. Dino Dai Zovi has a strong track record of exposing flaws in Apple, Windows and other networking software, having previously and somewhat famously exposed flaws in Safari and QuickTime.

While neither Shane Macaulay nor Dino Dai Zovi made any statements about whether Mac or PC were more secure (and both are users of both MacBooks and PCs), they have previously been on record as saying that Macs are not as immune to attacks as many of their users may like to believe.

The two other notebooks, a Sony Vaio and a Fujitsu U810, were not successfully hacked during the expo and remained unclaimed.

A zero-day attack is defined as a computer threat that tries to exploit unknown, undisclosed or unpatched vulnerabilities in a computer application.

The flaw in Safari that was exploited during the expo was actually in the way QuickTime handles Java. This threatens everyone running Mac OS X and may even expose PC users running Safari and QuickTime. It is expected that a patch to protect users from this flaw will be released soon.
