Google Chrome vulnerable to carpet-bombing flaw

September 2, 2008 – 6:35 PM

Google’s shiny new Web browser is vulnerable to a carpet-bombing vulnerability that could expose Windows users to malicious hacker attacks.

Just hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference — to trick users into launching executables directly from the new browser.

Raff has cooked up a harmless demo of the attack in action, showing how Google Chrome users can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.

Source:
http://blogs.zdnet.com/security/?p=1843

Google announces Google Chrome web browser

September 2, 2008 – 6:04 AM

Google has confirmed that it is launching Google Chrome, a new web browser. Rumours of a Google browser project had been around since 2004, but a posting on the Blogoscoped site has turned those rumours into something much more tangible. It reported on the arrival of a 38 page comic book, drawn by Scott McCloud, which detailed Google’s Chrome web browser. Some hours later, Google posted on its official blog, saying that it “hit ‘send’ a bit early on a comic book”, and went on to confirm all the details which were laid out in the book.

Chrome appears to be a radical reworking of a modern browser’s internal architecture, with each tabbed session in the browser running as its own process. Plugins run as separate child processes of the tab’s process. This decoupling, along with a more isolating security model which keeps web page executable content on a tight lead, is designed to give a more reliable browser. One web page locking up does not lock up the entire browser. There is even a task manager for advanced users to identify badly performing processes and selectively stop them.

Chrome uses the WebKit engine, also used by Apple’s Safari and Nokia among others, to render web pages. JavaScript execution is handled by V8, yet another new high performance JavaScript engine in the mold of TraceMonkey and SquirrelFish, with dynamic code generation and optimisation and precise memory management for fast garbage collection. Chrome has also incorporated Google’s Gears as standard, giving web applications in Chrome access to database, geolocation and desktop integration.

The most visible changes in Chrome are in its tabs, home page and address bar. The tabs for pages appear to be located at the very top of the window, with the address bar and tools underneath. The home page is dynamically composed of your top nine used sites in a three by three thumbnail view and with your most common searches listed to the right of the thumbnails. The address bar is now “the Omnibox”, described as an extra smart autocompleting text field, drawing completion data from your web searches as well as your browser bookmarks and history. For those worried about their privacy, a private browsing mode is also built in so users won’t see that surprise gift for a loved one appearing in the Chrome home page.

Source:
http://www.heise-online.co.uk/news/Google-announces-Google-Chrome-web-browser–/111443

ISR-evilgrade – Inject Updates to Exploit Software

August 29, 2008 – 5:50 AM

ISR-evilgrade is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates and exploiting the system or software.

How does it work?

It works with modules; each module implements the structure needed to emulate a false update of a specific application or system. Evilgrade needs to manipulate the victim’s DNS traffic, so it works in conjunction with man-in-the-middle (MITM) techniques such as DNS, ARP or DHCP spoofing.

Source:
http://www.darknet.org.uk/2008/08/isr-evilgrade-inject-updates-to-exploit-software/

Email Address Dictates Spam Volume

August 28, 2008 – 4:08 PM

Everyone knows that some people get more spam than others, but new research shows that it may have something to do with the first letter of your email address.

Richard Clayton, a security researcher at the University of Cambridge in the U.K., says he found evidence that the more common the first letter in your email address is, the more spam you get: in other words, an address beginning with “a” typically gets a higher volume of spam than one beginning with “q” or “z.” He says that’s simply because there are more combinations of names that begin with “A” than with “Q” or “Z.”

Over an eight-week period, Clayton studied around 8.9 million emails at a U.K. ISP and found that the email addresses that began with “A” received 35 percent spam in their inboxes, while “Z’s” got about 20 percent — after sorting out real emails versus invalid ones that had likely been generated by a spamming tool. Clayton says it’s likely that spammers using dictionary attacks could be the cause of this disproportionate distribution of spam.

Clayton acknowledges that his study didn’t end up proving what he had hoped it would – that alphabetic order was an indicator of how much spam you got. He says it’s likely that since dictionary attacks are not commonly occurring in real-time, the phony email addresses he saw possibly had been stored in spammer databases for some time.

Matt Sergeant, senior anti-spam technologist for MessageLabs, says a dictionary-type spam attack that ekes out as many email addresses as it can by letter is the mark of an old-school spammer, not a sophisticated one. “You don’t have this pattern with the more malicious spammer. Botnets distribute and split up lists of email addresses and distribute them among the entire botnet simultaneously,” for instance, Sergeant says.

MessageLabs has seen a similar pattern with spam in domain names, he says. “Domain names that start with ‘A’ get more spam than domain names that start with ‘Z,’” he says.

Source:
http://www.darkreading.com/document.asp?doc_id=162585

Demonstration Reveals Net Superattack to be Very, Very Real

August 28, 2008 – 6:28 AM

A pair of security researchers recently demonstrated that a theoretical attack possible against the internet’s most embedded infrastructure can, in fact, be very real.

The attack exploits normal behavior in the internet routing protocol BGP, which ISPs use to determine how best to route traffic destined for other parts of the internet. If an attacker is positioned correctly – which means, generally, that he either has control of an ISP’s routing equipment, has found a way to intercept and alter another ISP’s BGP traffic, or has found an ISP that doesn’t filter internal BGP traffic originating from someplace other than its routing equipment – he can use the protocol to trick the internet’s routers into diverting traffic to his network, making it available for snooping or man-in-the-middle alteration, all before it reaches its destination.

Detailed by Anton “Tony” Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, the technique relies heavily on the inherent trust BGP routers place in the data they receive from each other, once the updates they receive are verified by an admittedly loose authentication scheme – a necessary evil that allows two points in a completely decentralized mesh network, where they are sometimes located across the world, to find the most optimal path between each other.

The weaknesses of that trust became especially clear earlier this year, when an identical phenomenon knocked video-sharing supersite YouTube offline for several hours last February: a Pakistani attempt to block the site inside the country inadvertently spilled out into the world when misconfigured Pakistani routers sent BGP updates to the world, claiming that the country’s servers were the best available YouTube route. The resulting traffic quickly overwhelmed the country’s internet capacity, before it was shut off entirely by an upstream provider in Hong Kong.

The duo demonstrated their technique publicly at the DEF CON Conference earlier this month, where they captured traffic bound for the convention and routed it through a data center in New York.

The technique is technically considered to be an IP hijack, and in the past had always resulted in a noticeable outage for the affected networks. The difference, according to Pilosov and Kapela, is that their version works without any outages, and potentially from anywhere in the world.
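As an added illustration (not from the article, and not the researchers’ code), here is a small monitor that flags the two announcement patterns a hijack of this kind produces in a BGP feed: a prefix we own announced by an origin AS we did not authorize, and a more-specific sub-prefix of it from an unauthorized origin, which routers prefer under longest-prefix matching even while our own announcement stays up. The prefixes, ASNs, the expected-origin table and the sample updates are all constructed.

```python
import ipaddress

# Constructed sample of BGP announcements as a route collector might export them:
# (prefix, AS path); the origin AS is the last element of the path.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64500, 64510, 64520]),   # legitimate announcement
    ("203.0.113.0/25", [64500, 64530, 64599]),   # more-specific from an unknown origin
    ("203.0.113.0/24", [64500, 64540, 64599]),   # same prefix, different origin AS
    ("198.51.100.0/24", [64500, 64510, 64520]),  # prefix we do not monitor
]

# Assumed table of prefixes we own and the origin ASNs allowed to announce them
# (the kind of data a routing registry or ROA would provide).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64520},
}


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return alerts (kind, prefix, origin_as) raised by one announcement."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    alerts = []
    for owned, origins in expected.items():
        owned_net = ipaddress.ip_network(owned)
        if net.version != owned_net.version or origin in origins:
            continue  # wrong address family, or an origin we authorized
        if net == owned_net:
            # Exact prefix announced by someone else: routers that see it as a
            # shorter or preferred path will send our traffic to that origin.
            alerts.append(("unexpected-origin", prefix, origin))
        elif net.subnet_of(owned_net):
            # A more-specific wins longest-prefix match regardless of path length,
            # so it diverts traffic even though our own /24 remains announced.
            alerts.append(("more-specific", prefix, origin))
    return alerts


def scan(updates, expected=EXPECTED_ORIGINS):
    """Run classify() over a whole feed and collect every alert in feed order."""
    found = []
    for prefix, path in updates:
        found.extend(classify(prefix, path, expected))
    return found


if __name__ == "__main__":
    for kind, prefix, origin in scan(SAMPLE_UPDATES):
        print(f"ALERT {kind}: {prefix} announced by AS{origin}")
```

In practice the same check is run against a live feed (route collector or looking-glass data), and the expected-origin table is what RPKI origin validation automates.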

Source:
http://www.dailytech.com/Demonstration+Reveals+Net+Superattack+to+be+Very+Very+Real/article12792.htm