STE WILLIAMS

Cnet slammed for wrapping Nmap downloads with cruddy toolbar

Cnet has come under fire for wrapping downloads of the popular Nmap network analysis tool and other open-source software packages with a toolbar of dubious utility.

Nmap is a popular open-source network auditing and penetration-testing tool that allows sysadmins to run network troubleshooting and penetration tests. Over the last few days, users who have downloaded the tool from Cnet’s popular download.com site have, by default, been offered it bundled with the Babylon Toolbar.

Sysadmins can opt out of receiving the toolbar, which changes their browsing experience, home page and default search engines, but they are clearly directed towards accepting the software, as a blog post by Sophos illustrates.

Gordon Lyon (Fyodor), the developer of Nmap, has cried foul over the way the toolbar has been pushed, objecting in a post to the North American Network Operators’ Group (Nanog) mailing list (extract below).

The problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!

Lyon added that consumers downloading VLC, the popular open-source media player software, are also being offered the Babylon toolbar, via what he described as a “Trojan installer”.

Several anti-virus firms apparently agree with this assessment because Cnet’s Nmap installer is already detected as a Trojan by BitDefender and F-Sc and as a potentially unwanted program by Panda, McAfee and others, according to VirusTotal.

Our own incomplete checks suggest that only Windows users are offered the Babylon Toolbar when they download VLC.

Paul Ducklin, Sophos’s head of technology, Asia Pacific, shares Fyodor’s concerns, arguing that download.com should be offering the toolbar only to those who make an informed choice to use it, via an opt-in process.

“A software installation for product X which attempts to foist an unrelated product Y onto your computer by default is poor security practice,” Ducklin writes. “Anything outside the obvious remit of the installer should be clearly and unequivocally opt-in, not opt-out.”

We asked Cnet to respond to these criticisms and will update this story as and when we hear back with an explanation about its business practices in this area. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/06/cnet_nmap_toolbar_wrapping_row/

Facebook security hole exposes Zuckerberg’s privates

A security hole on Facebook has been exposing private pictures of countless users, including the Social Network’s founder and CEO Mark Zuckerberg.

A photo pilfering exploit posted to a bodybuilding.com forum on Monday included step-by-step instructions for viewing pictures designated as private by the Facebook users who posted them. It worked by manipulating a feature that allows people to report inappropriate profile pictures to Facebook officials. The routine allowed snitches to report additional pictures, even when designations made the images off-limits to all but a select set of friends.

Not all the participants in the forum reported success. It would appear that those located in the US got better results than others. Several hours after the vulnerability was disclosed, 13 images purportedly lifted from Zuckerberg’s account were posted below a headline that read: “It’s time to fix those security flaws Facebook…”

They show Zuck wining and dining with friends, chatting with President Barack Obama, and holding what appears to be a freshly slaughtered chicken, in keeping with a recent predilection to eat only meat he has killed himself.

[Image: Mark Zuckerberg holding a chicken. This is one of 13 images purportedly extracted from Mark Zuckerberg’s Facebook account.]

In a statement, Facebook officials said:

Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously. The bug allowed anyone to view a limited number of another user’s most recently uploaded photos irrespective of the privacy settings for these photos. This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.

The privacy of our users’ data is a top priority for us, and we invest significant resources in protecting our site and the people who use it. We hire the most qualified and highly-skilled engineers and security professionals at Facebook, and with the recent launch of our Security Bug Bounty Program (http://www.facebook.com/whitehat/ ), we continue to work with the industry to identify and resolve legitimate threats to help us keep the site safe and secure for everyone.

It’s not the first time someone has figured out how to bypass Facebook permissions designed to give users tight control over who gets to see images and announcements posted to their pages. In 2008, a Canadian computer technician was able to view private photos of Paris Hilton, Zuckerberg, and others by guessing the ID of the photo. Last year, the social network was caught exposing the name and photo of all 500 million of its users when their email addresses were typed into the log-in page.

Monday’s discovery of yet another hole in Facebook’s safety net is the latest reminder that the only way to be sure something doesn’t get published to world+dog is to keep it off the internet in the first place. Permission systems such as those on Facebook and other sites may make users feel better, but they have little effect on hackers with enough determination or time on their hands. ®

This post was updated to include comment from Facebook.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/06/facebook_exposes_zuckerberg_pics/

Microsoft researchers build spam filter for HIV

Researchers at Microsoft have discovered that tools first developed to fight email spam can be applied to help understand the process by which HIV mutates to avoid attack by the immune system.

Microsoft Researchers David Heckerman and Jonathan Carlson were asked to help AIDS researchers in Africa to make sense of data from HIV vaccine testing programmes. The data was compiled by a consortium of hospitals and universities, including MIT, the Center for the AIDS Programme of Research in South Africa (CAPRISA) and the KwaZulu-Natal Research Institute for Tuberculosis and HIV.

To their surprise they discovered that Microsoft’s algorithms for the detection of spam emails were useful in understanding the mutation of HIV.

“It turns out there are a lot of similarities between the way spammers evolve their approaches to avoid filters and the way the HIV virus is constantly mutating,” a post by Steve Clayton on Microsoft Research’s blog explains.

To make sense of the data the researchers hit on the idea of fine-tuning a computational biology tool, called PhyloD, with algorithms used for spam filtering. PhyloD contains an algorithm, code and visualisation tools to perform complex pattern recognition and analysis. By adding lessons learned from spam filtering it was possible to more quickly narrow in on possible areas of weakness that can be targeted for later lab research into developing therapies and possible vaccines.

Instead of trying every possible variable and correlation, the reapplied spam-filtering algorithm created the basis of a more elegant search. Even so, a huge number-crunching exercise was still needed. But access to Microsoft’s high-performance computing centre made it possible to carry out this task over a single weekend.

The work led to the discovery of six times as many possible attack points on the HIV virus as had previously been identified. Similar approaches might be applied to studies on the analysis of breast cancer and other deadly diseases, the Microsoft team reckons.

The HIV analysis research is part of a wider vaccine project. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/06/ms_research_hiv/

Codebreakers find evidence for hidden puzzle in GCHQ challenge

Codebreakers are split over whether there might be a hidden challenge in the GCHQ-set code-breaking puzzle set last week.

The signals intelligence agency set a puzzle at canyoucrackit.co.uk in its attempt to drum up potential interest in a career at the spy centre from outside its traditional graduate programme. The three-part puzzle was broken independently by several people, but Dr Gareth Owen, a computer scientist and senior lecturer at the University of Greenwich in England, was the first to post a detailed explanation of the crack.

The challenge involved uncovering a code-word, starting with a 16×10 grid of paired hexadecimal numbers. The first stage involves recognising that the numbers are executable code (a decryption algorithm) as well as unpicking some steganography involving the image of the numbers. The second stage involves building a virtual computer to execute code that, when correctly done, outputs the link to the third stage.

The third stage involves finding the licence key to run a linked program. Finding the licence key involves decoding the program and seeing how it works. Three hidden numbers from the first two stages of the process are needed to get the final answer that reveals the keyword.

Other amateur codebreakers who also tried their hand at the codebreaking challenge included John Graham-Cumming, the man behind the project to build Charles Babbage’s Analytical Engine. Graham-Cumming also launched the successful petition for an apology from the British government for its persecution of Alan Turing.

Intriguingly, Graham-Cumming reckoned there might be a hidden part four to the GCHQ Code Challenge because of the amount of non-random data in part two. In addition, GCHQ modified its canyoucrackit.co.uk website to say “The challenge continues”… further suggesting there might be some hidden puzzle.

We put these observations to Owen, who got in touch with his contacts at GCHQ. They told him that the data Graham-Cumming had put under the microscope is just “random filler”, adding that they had wanted to set up a puzzle at this point of the challenge but “ran out of time to do anything interesting”.

That explanation satisfied Owen, at least to the point where he decided not to commit to another all-nighter of code cracking, but not Graham-Cumming, who continues to have his doubts. “I don’t believe that’s the whole story,” Graham-Cumming writes. “There’s a distinct pattern worth investigating.”

Graham-Cumming explains his theory about a hidden challenge in some detail in a blog post here. He concludes, good-naturedly, “If anyone from GCHQ is reading… can you email me a simple ‘carry on’ or ‘stop wasting your time’. Need to sleep…”

Doubts about the “random junk” explanation in the canyoucrackit.co.uk puzzle arise not just because the spy agency is naturally a master at misdirection but because a previous puzzle from GCHQ a few years back had a hidden solution as well as a main solution.

“The data is far from random at at least one level as I’ve recovered the key and crypto mechanism as demonstrated,” Graham-Cumming added on Tuesday morning. “It has been confirmed that I am correct on that.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/06/hidden_gchq_code_breaking_challenge/

It’s ba-ack. Exploit revives slain browser history bug

A Google researcher has resurrected an attack that allows website operators to steal the browsing history of visitors almost a year after all major browser makers introduced changes to close the gaping privacy hole.

Proof-of-concept code recently posted by Google security researcher Michal Zalewski works against the majority of people using the Internet Explorer, Chrome, and Firefox browsers. In an informal test carried out by The Register, the attack was able to list recently visited sites on computers running both Microsoft Windows and Apple OS X. It worked even though all three browser makers have patched their wares to stop them from divulging the addresses of sites visited over the past month or so.

“My proof of concept is fairly crude, and will fail for a minority of readers,” Zalewski wrote. “But in my testing, it offers reliable, high-performance, non-destructive cache inspection that blurs the boundary between :visited and all the ‘less interesting’ techniques.”

Previous attacks usually exploited a mechanism built into all browsers that causes links to recently visited websites to be styled differently from links to non-visited sites. Attacks based on CSS (cascading style sheet) definitions weren’t merely theoretical. Last year, academic researchers caught YouPorn.com and 45 other sites pilfering visitors’ surfing habits by targeting the browser vulnerability, which first came to light more than a decade earlier.

Zalewski said browser makers closed the hole by “severely crippling” CSS functions built around the :visited selector. His proof of concept, according to comments accompanying the source code (link may not work in all browsers), takes a different approach known as cache timing. It starts by loading an iframe containing a list of websites into the page accessed by the visitor. It then measures how quickly each website is rendered. Those that load more quickly must be stored in the browser cache, an indication that they have been visited recently.

Cache timing has long been identified as a way to extract browsing history, as noted in a well-known paper (PDF) by Princeton University computer scientist Ed Felten. Up to now, the problem with the approach has been that the attacks were slow and easy to detect, making them impractical.

Zalewski said his method overcomes these disadvantages by having the browser abort the underlying request quickly. As a result, it’s able to test about 50 websites per second with no visible signs that anything is amiss. With minor tweaks (optimisations, parallelism and possibly a delay calibration), the code could be capable of detecting “several hundred” URLs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/05/browser_history_attack_revived/

Mexico shuts down drug gang’s antennas, radios

The Mexican government has shut down a secret mobile network reckoned to be run by one of the country’s drug cartels, possibly the ruthless Zetas.

Army troops confiscated 1,400 radios, 2,600 mobile phones, computer equipment, 167 antennas and 166 power supplies, including solar panels, as part of the operation. The kit is thought to have powered an encrypted mobile phone network that spanned four border states in northern Mexico.

The Mexican Defence department said that the network had been used by drug runners to communicate among themselves and to track military movements. The Zetas, who are fighting a ruthless turf war against their former bosses in the Gulf Cartel, are big players in all four states covered by the covert network (Tamaulipas, Nuevo Leon, Coahuila and San Luis Potosi).

Last summer the Mexican navy dismantled a communications network linked to the Zetas in the Gulf state of Veracruz, AP reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/05/mexico_shutters_cartel_mobile_network/

Anti-Kremlin websites complain of DDoS attacks

Websites publicising doubts about the fairness of the Russian parliamentary election last weekend have become the victim of denial of service attacks.

Popular Russian radio station Moscow Echo and election-monitoring group Golos, the website of opposition weekly New Times as well as several other sites were left inaccessible on Sunday. Moscow Echo’s editor blames a concerted attempt to censor discussion about alleged electoral fraud.

“The attack on the website on election day is clearly an attempt to inhibit publication of information about violations,” Moscow Echo editor-in-chief Alexei Venediktov said on Twitter, AFP reports. Golos said that its main website, as well as a micro-site plotting the locations of alleged electoral violations, were under “massive DDoS attacks”. Information on the violations map page is crowd-sourced.

Golos head Liliya Shibanova was detained by customs officials who confiscated her computer on Saturday, AFP adds. The news agency adds that Moscow Echo has complained to the Central Election Committee, calling for a criminal investigation of the attacks. Popular local blogging site LiveJournal (effectively the Russian blogosphere) was also hit by a wave of denial of service attacks over the last few days. Anton Nossik, the media director of LiveJournal owner SUP, suggested the hackers responsible for the attacks might be on the federal payroll, although he offered no evidence in support of this.

A more likely scenario would be that a militia of patriotic hackers got together, perhaps with the encouragement of the Kremlin, to launch the assaults. A contrary view comes from Eugene Kaspersky, boss of Russian infosec firm Kaspersky Labs, who said his firm hasn’t detected any DDoS attacks.

Pro-Kremlin youth activists also complained that their site had come under attack from opposition groups – an attack which, if genuine, failed to render the site inaccessible.

The 450 seats in the State Duma, the lower house of the Russian parliament, were contested on Sunday.

Early results suggest Prime Minister Vladimir Putin’s United Russia party will emerge as a victor of Sunday’s polls but with a reduced majority. Putin has been outspoken in his criticism of Golos, even going so far as describing the group as a “bunch of Judases”.

More commentary on the information security aspects of the alleged election day attacks can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/05/russian_election_day_ddos_spate/

GCHQ spooks’ code-breaking puzzle solved

The GCHQ-set code-breaking puzzle was solved over the weekend.

The signals intelligence agency last week set a puzzle at canyoucrackit.co.uk in its attempt to unearth potential recruits beyond its traditional graduate programme. Late last week it emerged that the successful completion page for the puzzle was available by a simple Google search.

Many people have since cracked the code properly including Dr Gareth Owen, a computer scientist and senior lecturer at the University of Greenwich in England. Owen has posted a full video explanation of how to solve the three-part puzzle here.

Would-be code-breakers were presented with a 16×10 grid of paired hexadecimal numbers. The first stage involves recognising executable code as well as unpicking some steganography.

Stage two involves developing a virtual machine to execute code.

The final stage involves constructing a file with ‘gchqcyberwinAAAABBBBCCCC’ where A, B, C are the codes from earlier in the challenge. This code, when run, generates a web address which has the keyword (the web address is wrong if you put the wrong a,b,c in).

“The last stage contains a deliberate security hole, which GCHQ emailed me to say was deliberate to make solving the problem easier – but it turns out I took a short cut instead and bypassed this bit,” Owen explained.

Reaching the successful completion page was a “rather disappointing end to quite a lot of work,” as he puts it.

GCHQ is offering would-be applicants who crack the code a starting salary of just £25k, very low for a skilled job, as the Daily Telegraph notes.

Owen summed up the feelings of many when he told El Reg: “Why are we paying world-class cyber security experts what we pay passport-stampers at the border-control-agency?” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/05/gchq_code_breaking_puzzle_solved/

Assange™ can request final hearing against Swedish extradition

Julian Assange can request a final appeal against his extradition to Sweden, judges ruled this morning.

They accepted that the WikiLeaks founder could ask the Supreme Court for permission to appeal on the grounds of “general public importance”.

Technically, the High Court in fact refused to let Assange have the right to appeal, but the Supreme Court gets the final say on whether he can now fight the extradition one last time.

If Assange’s bid is successful, then this will be a very high-profile test of the Supreme Court’s decision-making capabilities.

In early November, Assange lost his battle in High Court and was ordered by Lord Justice Thomas and Mr Justice Ouseley to return to Sweden to face rape and sexual molestation allegations brought against him by two women.

It’s been almost a year to the day since Assange was arrested on 7 December 2010 by Scotland Yard officers from the Met’s extradition unit on behalf of Swedish authorities.

He was cuffed on a European arrest warrant issued by Sweden.

The Metropolitan Police said at the time that Assange had been “accused by the Swedish authorities of one count of unlawful coercion, two counts of sexual molestation and one count of rape, all alleged to have been committed in August 2010.”

However, the Swedish authorities are yet to file any charges against the Wikileaker-in-chief.

Australian-born Assange, 40, was granted bail earlier this year, after his lawyers secured funds of around £200,000 from a number of celebrity friends. His High Court appeal hearing, against an extradition order to Sweden in relation to the allegations, began in June.

In February, Assange – whose website has leaked 250,000 confidential diplomatic cables – was told by Judge Howard Riddle at Belmarsh Magistrates Court, in south east London, that he would be extradited to Sweden.

Since then, the WikiLeaks boss has been operating under strict bail conditions and has an electronic tag around his ankle.

Assange has repeatedly denied any wrongdoing, and has said that his relations with both women, who allege rape and sexual molestation, were entirely consensual.

He has spent much of the year unsuccessfully battling the extradition request.

Assange has previously described himself as “a non-profit free speech activist” and a “journalist”. He also applied for a trademark covering his own name.

It was registered on 13 May this year with the UK’s Intellectual Property Office. That mark states that Assange is a UK resident.

Had his appeal been denied today, Assange could have been on his way to Sweden within 10 days of such a ruling.

Instead, he will remain effectively under house arrest and has 14 days to apply to the Supreme Court for permission to appeal.

Meanwhile Bradley Manning, the US army private who allegedly supplied the great bulk of interesting information published by WikiLeaks, will get his first hearing on 16 December in the military trial brought against him.

Manning has been in custody in Virginia and then Kansas for 18 months, after he was arrested on suspicion of being WikiLeaks’ major source for the diplomatic cables published by the website and various news outlets.

The private faces severe penalties if convicted on multiple charges of lifting information from classified US computer networks to which he had access while serving as a junior intelligence analyst in Iraq. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/05/julian_assange_decision/

GCHQ code-breaking challenge cracked by Google search

A simple Google search unlocks the supposedly secret completion page to GCHQ’s code-cracking competition.

The signals snooping agency launched a codebreaking competition this week, promoted via social networks, that aimed to find would-be code-breakers that conventional recruitment efforts might miss. The canyoucrackit.co.uk challenge involved making sense of a 16×10 grid of 8-bit hexadecimal numbers to figure out a password, and then developing a virtual machine to execute code that would lead to the final page.

Puzzle-solvers had 10 days to crack the codes. However, instead of solving the puzzle, which was not trivial to conquer, at least if some of the emails we’ve received are any guide, the completion page could be reached via a simple Google search.

Oops.

“All it takes to find the page is to use the site: command in Google, as the ‘Can You Crack It?’ webmaster seemingly didn’t hide the success page from search engines,” Graham Cluley of net security firm Sophos explains.

Given the interest in the competition, perhaps it was inevitable that someone would find some sort of side channel to cheat the challenge. That doesn’t mean the exercise is no longer worth participating in, especially for those keen on puzzle-solving and base-16 crosswords.

The canyoucrackit.co.uk website was set up in partnership with a recruitment agency and at arm’s length from GCHQ itself. El Reg doubts anyone from the intelligence agency was involved in setting up the website, but we were unable to immediately confirm this on Friday afternoon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/03/gchq_code_crack_compo_snafu/