Microsoft Bing, discovery engine or porn engine?

Within days of the official launch of Microsoft's new 'Bing' search engine, users have found ways to exploit it in order to get around corporate firewall, filtering and policy options for viewing explicit pornographic and otherwise prohibited material.

The site streams video and places images directly into the browser on the Bing page, bypassing the original web address and thus avoiding any URL-based filtering. Explicit content is only shown to users who have set their adult content filtering to off, but this is on a user-by-user basis, which companies have very little control over; the default is safe search for users that are not logged in under a user profile.

Microsoft has already produced a workaround, enabling IT departments to block all explicit content. It works very simply by redirecting all explicit results to the web address http://explicit.microsoft.com, which can then be blacklisted on firewalls and filter lists.

This morning the URLs were already being blocked by Websense and other filtering services, and the bing.com server was reportedly receiving so many requests that it was not able to let users log in under their own profile.


Vast global spy network discovered!

Sounds like the stuff of fiction, doesn't it? Covert networks and unknown organisations spying on hundreds of government offices, embassies, news/media organisations and personal computers around the world. But apparently it's true. Unlike in the movies, though, this was discovered by a group of researchers based in a basement office at the University of Toronto.

Self-confessed computer geeks Ronald Deibert and Nart Villeneuve were asked by the office of the Dalai Lama, the exiled Tibetan leader, to examine its computers for signs of malicious software, or malware. Using a combination of fieldwork, technical scouting and laboratory analysis during a ten-month investigation, they not only found evidence of malware but discovered a far-reaching network spanning 1,295 infected computers in 103 countries, 30% of which could be described as high-value targets.

The Canadian researchers have been practising what some term 'hacktivism' from the Citizen Lab, part of the Munk Center for International Studies at the University of Toronto, for some time. Citizen Lab has a reputation for using technology to combat corporate and governmental attempts to control cyberspace, and says that the malware found is remarkable both for its sweep and for its Big Brother-style capabilities. What they are referring to is that it has not merely been "phishing" for random information, but has the ability to turn on the camera and audio-recording functions of an infected computer, enabling the operators to see and hear what is going on in a room. The researchers were able to manipulate the code and infect a machine in their own office, allowing them to monitor the commands given to the infected computers and to see the names of documents retrieved by the spies.

A 53-page report into GhostNet was published online under the 'Information Warfare Monitor' banner yesterday (29/03/09). The report is careful not to make any claims as to who is behind the operation, and in fact is quick to say that the investigation has raised more questions than answers.

Two computer researchers at Cambridge University, Shishir Nagaraja and Ross Anderson, also worked with the Tibetans, and released their report "The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement" yesterday (29/04/09). The British report went much further in its accusations against the Chinese, and warned that other hackers could adopt the tactics used in the malware operation.

While it has long been assumed that various governments are running these kinds of operations, this is by far the largest yet to be discovered, and it is still active, infecting around 14 new computers a day.

John Markoff of the New York Times reports that a spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. "These are old stories and they are nonsense," the spokesman, Wenqi Gao, said. "The Chinese government is opposed to and strictly forbids any cybercrime."

Like any other piece of malware, machines can be infected when users either click on an email attachment or visit a website which installs code onto the client device, allowing commands to be sent to the machine remotely and temporarily taking control of it. As an IT manager, I am only too familiar with malware and have some idea of just how hard it can be to spot and remove, but I think I must watch too much TV, in that I assumed that embassies and such high-profile organisations as NATO and the office of the Dalai Lama would be running enough anti-malware and network intrusion software to prevent this type of attack.

Sources: Tracking GhostNet report, Snooping Dragon report, The New York Times, The Toronto Star


Spotify lose user data

In a security notice posted on their blog on the 4th March, Spotify announced to users that an unknown group had managed to compromise their security protocols. The breach meant that the attackers had access to information that could allow testing of a very large number of passwords, possibly finding the right one.

Spotify is an internet-based music service. Spotify are quoted as saying: "Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider."

All users with accounts created on or before December 19th 2008 have been advised to change their Spotify passwords and are strongly encouraged to change passwords for any other services using the same password.

What this means in real terms is that a hacker (or group of hackers) managed to access a detailed description of how Spotify encode and send passwords between the browser and their server (this is referred to as their protocol). The passwords themselves are not actually stored on the server (or transferred over the internet); instead a special mathematical function is applied to the password within the browser to form a complex code that only the server can understand (this is referred to as a password hash). It is almost impossible to convert back from a password hash to a password, so the passwords themselves have not been exposed, but the hackers have been able to download these hashes. What this means is that the hackers are able to run brute force attacks against them: trying a very large number of possible passwords, for example starting with the letter a, then aa, ab, ac, adding more and more letters and numbers and trying every combination until one matches and opens the account. They then have access to your account, unless you have changed your password before they get the chance.

The next logical step for a hacker would be to see if you have used the same username and password for other services, especially online bank or betting accounts. Even iTunes accounts, for example, where they could purchase songs to sell on. Once exposed, the account information itself may even be sold to criminal gangs for use in identity theft.

So what can you do to protect yourself from this kind of exposure? You can try only signing up to services that you would trust to protect your information, using complex passwords (8 characters or more, combining numbers, letters and other characters if possible), not using the same password for multiple accounts, and never using words or names, as these are easily discovered with dictionary attacks, even if you swap letters for numbers that look the same (for example s's for 5's).
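As an added example (not Spotify's code or anything from the notice above), here is a Python sketch of the two defensive ideas in this post: a server that stores only salted, deliberately slow PBKDF2 hashes rather than passwords, and a sign-up check that enforces the advice above, including undoing look-alike substitutions such as 5 for s before the dictionary check. The wordlist, iteration count and sample passwords are constructed for the example, and the per-user salt and work factor go beyond what the post itself describes.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a dictionary-attack wordlist (assumption: a real
# check would load a large list; these entries are made up for the example).
COMMON_WORDS = {"password", "spotify", "music", "letmein", "welcome", "qwerty"}

# Look-alike substitutions the post mentions (s -> 5) plus the usual others.
# Translating them back lets "Pa55w0rd!" be recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Work factor for PBKDF2: every guess against a leaked hash costs this many
# HMAC rounds, which is what slows down the brute force the post describes.
ITERATIONS = 200_000


def normalise_leet(password):
    """Lower-case and undo digit/symbol look-alikes before the dictionary check."""
    return password.lower().translate(LEET_MAP)


def check_policy(password):
    """Return the reasons a password fails the post's advice; [] means accepted."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("needs at least three of: lower, upper, digit, symbol")
    plain = normalise_leet(password)
    if any(word in plain for word in COMMON_WORDS):
        reasons.append("dictionary word (even with look-alike substitutions)")
    return reasons


def store_password(password):
    """Server side keeps only (salt, hash); a fresh salt per user means two
    users with the same password do not share a hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("Pa55w0rd!", "short", "Tq7#vLm9xRw2"):
        print(pw, "->", check_policy(pw) or "accepted")
    salt, digest = store_password("Tq7#vLm9xRw2")
    print("login ok:", verify_password("Tq7#vLm9xRw2", salt, digest))
    print("wrong password ok:", verify_password("Tq7#vLm9xRw3", salt, digest))
```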


Viruses target social networks

Last week I fell victim to a virus. More correctly, I fell victim to a piece of malware/spyware. As I work in IT it didn't cause too much of a problem, but it did make me take another look at the whole spyware problem.

The first thing that surprised me was that my current anti-virus/malware software had not picked it up. I'm a bit of a security control freak and actually run online, gateway, server and desktop AV, none of which detected or matched the patterns in this virus. The virus managed to set up its own proxy server on my machine, bypass my own proxy server, disable my local AV software and run a number of exe files that mimicked the Windows alert modules, telling me the system had detected a problem and offering to install software to help. In fact, even when I ran deep scans with Trend and Spybot Search and Destroy, two leading titles in anti-malware, they reported that my system was running normally with no viruses found. It was obvious that I did have a problem, in that there were around 160 exe files running and a new Windows Explorer window appearing every couple of minutes. It didn't take long to do a quick Google search on the individual exe files and find something that could remove it.

The second thing that surprised me was how easily I almost fell for providing my credit card details on a machine I knew to be affected. After two days of working on my laptop, while the very time-consuming deep scans ran on my workstation, I was so pleased to have found something that promised to kill the virus once and for all that I very nearly went ahead and paid the $30 for an online licence.

The third thing worth mentioning is how I fell for getting the virus in the first place. I guess it was a cross between a social engineering attack and a straightforward malware attack. In short, I got a message on Facebook inviting me to view a movie clip from a friend. This took me to what looked like that person's YouTube account, but where you would expect to see the movie playing there was a message saying that my version of Flash Player was out of date and to click to continue; the usual warning popped up before installing. All of which I clicked through, as it looked so similar to a genuine Flash updater. Next thing you know I've restarted and all sorts of pop-ups are saying a virus has been detected and linking to software products to purchase to remove it.

When you think about it, this is genius. The latest generation of internet users are very into social networks, but are much less tech-savvy when it comes to security and protecting themselves. They are so used to clicking 'yes', 'install', 'accept', 'I agree' without reading anything of what they are actually agreeing to that they are easy targets when it comes to installing harmful stuff like malware and viruses. I myself am a classic example: a busy day in the office and a box pops up asking me to agree to an update to software I trust from a person I know, and I say yes without a second thought.

It would seem that I am not the only one, though. CNET this week reported on the Koobface virus currently hitting Facebook users, and there are no end of others popping up every day.

Personal email and public office.

The internet has played an important role in the 2008 American elections, with all sides using email, social networks, blogs and other web-based tools to secure votes. But yesterday it was suggested that whoever gets the post of president will have to give up their own personal mail and blogs. The reason is that the Oval Office feels these are too immediate as forms of communication and don't allow time for a future president to consider what they are saying.

Governor of Alaska and Republican vice-presidential nominee Sarah Palin's personal Yahoo! account (gov.palin@yahoo.com) was reportedly hacked last month. The hacker posted screenshots of two e-mails, a Yahoo! inbox, a contact list and several family photos to Wikileaks.org.

But it doesn't end there. Matthew Mosk of the Washington Post reports that in a lawsuit filed in Alaska Superior Court, Republican activist Andrée McLeod seeks to force Gov. Sarah Palin to produce copies of official correspondence she sent and received on private e-mail accounts.

It is alleged that defendant Sarah Palin, as a matter of routine, has used and continues to use (at least) two private e-mail accounts to conduct official business of the State of Alaska. McLeod has questioned whether Palin was using private e-mail accounts to conduct state business in a manner that would skirt open-records laws.

Credit Card Fraud and Online Games.

Further to my previous post on rumoured FBI plans to data-mine the online game World of Warcraft, in an unrelated incident ".net" magazine and "The Register" have recently reported that UK banks the Halifax and Royal Bank of Scotland have started blocking Visa and MasterCard payments to game publisher Blizzard Entertainment.

Following an increase in the number of fraudulent card payments for World of Warcraft game subscriptions, the banks have set the default action for these payments to block. This does not affect existing account holders, and legitimate card holders can contact the bank and have their account overridden to allow these transactions if desired. The banks have stated that they do not believe publisher Blizzard Entertainment is at all involved in these fraudulent transactions, but that due to the nature of this type of transaction there is a great enough security risk to justify their action.

This is not the first credit card problem that Blizzard Entertainment have had to contend with. In 2005, many World of Warcraft customers received statements stating that the 8.99 charge was being made by the Croydon Park Hotel, Croydon or the Swallow St. George Hotel, Harrogate, after card processing company Euro Conex, based in Dublin, Ireland, made a processing error on the payments.

Interestingly, World of Warcraft actually offers its own credit card scheme in the US, which allows users to earn game time at 1% of every dollar spent.

This kind of credit card fraud is very popular because it is relatively difficult to trace. It is comparatively easy to set up an account with a false name and address, but comparatively hard to trace an account back through an ISP to a physical address or person. It is a card-not-present transaction not requiring a PIN, and no physical goods are being delivered, so there is no delivery address to trace back to, making it much easier for stolen cards or card details to be used.

According to industry organisation APACS, the number of card-not-present frauds affecting UK gambling sites rose by £12.7 million in the first half of 2007, and it is estimated that mail order websites suffered £13 million worth of fraudulent transactions in 2007, many of which came from overseas transactions.

Macbook air hacked in just 2 minutes.

The ninth annual CanSecWest conference, held at the Marriott Renaissance Harbourside hotel in downtown Vancouver, British Columbia, kicked off on March 26, offering a $10,000 reward for anyone hacking the new MacBook Air with an original zero-day attack. The prize (put up by TippingPoint, the security division of networking giant 3Com) did not stand for long, being claimed within the first 2 minutes of the conference opening.

Well-known security researcher Shane Macaulay claimed the prize, but it is believed Dino Dai Zovi was the real creator of the attack, and that he and Macaulay had some sort of deal over the competition entry. Dino Dai Zovi has a strong track record of exposing flaws in Apple, Windows and other networking software, having previously and somewhat famously exposed flaws in Safari and QuickTime.

While neither Shane Macaulay nor Dino Dai Zovi made any statements about whether Mac or PC were more secure (and both are users of both MacBooks and PCs), they have previously been on record as saying that Macs are not as immune to attacks as many of their users may like to believe.

The two other notebooks, a Sony Vaio and a Fujitsu U810, were not successfully hacked during the expo and remained unclaimed.

A zero-day attack is defined as a computer threat that tries to exploit unknown, undisclosed or unpatched vulnerabilities in a computer application.

The flaw in Safari that was exploited during the expo was actually in the way QuickTime handles Java. This threatens everyone running Mac OS X and may even expose PC users running Safari and QuickTime. It is expected that a patch to protect users from this flaw will be released soon.

Are IP addresses personal data?

.net this month (April) has an interesting piece about whether our IP addresses should be regarded as personal information and protected under the Data Protection Act.

It would seem that this debate has been raging across Europe, if not the world, with the German data protection commissioner (Peter Scharr) telling the European Parliament that if a person can be identified from an IP address, then it has to be regarded as private. A recent French court ruling, on the other hand, argued that IP addresses relate to specific computers or networks and not specific users, and therefore do not constitute personal data.

While it may seem an insignificant point whether an IP address should be classed as personal data or not, it has a huge impact on the way search engines and webmasters collect data on who is accessing their sites, and indeed on how their sites are being used.

Google's spokesperson told .net that it "depended on the context": where an ISP assigns an IP address to a user and knows that user's name and address, this may be considered personal data, but where an IP address is collected by a website simply as a statistic then it is not. Google stores IP addresses for all users performing a search for at least 2 years to help improve their search statistics and accuracy.

The implications for all of the world's websites and search engines that collect IPs for statistical purposes, having to treat these as confidential data and go through data protection procedures to protect them, are huge.

Another huge implication will be for the peer-to-peer piracy police, where IP addresses are being used to identify, track and prosecute people illegally copying, sharing and publishing audio/video and software.

This is a very grey area and I would imagine that the debate will go on for some time.


FBI protect us from terrorism by watching Warcraft?

It would seem that the anti-terrorism authorities in the States are investigating running a data mining programme to watch the popular role-playing game "World of Warcraft".

They currently regard this project as a seed, or pilot, to see whether information gained from tracking the behaviours of online gamers can help identify risks to national security, with plans to investigate other forms of social networking and online behaviour if the project proves successful.

Known as "norming", their application would establish normal behaviour patterns of players and flag up players that deviate from those patterns.

It is not clear whether they are looking to identify the behaviour of the kind of person who may become a future terrorist or whether they are looking for people using these environments as a means of training or communication, but if it works it gets my vote.

Using a neighbour’s wifi?

If you are one of the millions of UK internet users who think that because one of their neighbours has an unsecured wifi connection they can get free internet access, then you'd better watch out.

Under the 2003 Communications Act it is illegal to use another person's service provider to access the Internet. The offence carries a maximum penalty of five years in jail or a fine.

Often referred to as "piggybacking" or "cyber squatting", using open wifi networks illegally is quite common, and up until now there have been few if any prosecutions of offenders. But on Sunday 17th Feb the police were called to a home in Tweedmouth, Berwick, Northumberland, after a woman reported two men behaving suspiciously outside her home. The two men were arrested on suspicion of logging on to another person's internet connection illegally.

Both men were believed to have been checking their emails using the woman's wireless broadband and have been released on bail pending further enquiries.

Berwick Neighbourhood Inspector Sharon Stavers said “This is a very unusual offence and it appears the two men were doing nothing more sinister than checking their emails and getting some time on the internet for free. However, this is an offence and people pay good money to have the internet in their homes.”

If you have an unsecured open wifi connection, then my advice would be to secure it as quickly as possible, using the highest form of protection you can, and not to publish the connection unless you have to.

If you need access to wifi away from home, then my suggestion would be to use one of the thousands of legitimate "hotspots" across the country. There are now free hotspots on many trains and in cafes and hotels. Fast food restaurant McDonald's recently announced that its 1,200 UK outlets would soon get free wireless internet access for customers.