Details of Major Internet Flaw Posted by Accident

July 22, 2008 – 5:53 AM

The bug has to do with the way DNS clients and servers obtain information from other DNS servers on the Internet. When the DNS software does not know the numerical IP (Internet Protocol) address of a computer, it asks another DNS server for this information. With cache poisoning, the attacker tricks the DNS software into believing that legitimate domains, such as idg.com, map to malicious IP addresses.

In Kaminsky’s attack a cache poisoning attempt also includes what is known as “Additional Resource Record” data. By adding this data, the attack becomes much more powerful, security experts say. “The combination of them is pretty bad,” Liu said.

An attacker could launch such an attack against an Internet service provider’s domain name servers and then redirect them to malicious servers. By poisoning the domain name record for www.citibank.com, for example, the attackers could redirect the ISP’s users to a malicious phishing server every time they tried to visit the banking site with their Web browser.
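The mitigation that makes injected Additional records far less useful to a poisoner is the "bailiwick" rule: a caching resolver only accepts additional data whose owner name lies inside the zone the answering server is authoritative for. The following is an added illustration, not code from the article or from any real resolver; the RR model, accept_response, and the attacker.example / www.idg.com names are constructed (www.idg.com is the legitimate domain the article uses as its example).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and data (minimal constructed model)."""
    name: str
    rtype: str
    data: str

def in_bailiwick(name, zone):
    """True when `name` is `zone` itself or lies below it (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)

def accept_response(cache, zone_of_server, answers, additional, bailiwick_check=True):
    """Merge a response into `cache` (dict: owner name -> set of (type, data)).
    Answer records are cached as-is; Additional records are cached only when they
    fall inside the zone the answering server is authoritative for. Returns the
    records that were dropped."""
    dropped = []
    for rr in answers:
        cache.setdefault(rr.name, set()).add((rr.rtype, rr.data))
    for rr in additional:
        if bailiwick_check and not in_bailiwick(rr.name, zone_of_server):
            dropped.append(rr)
            continue
        cache.setdefault(rr.name, set()).add((rr.rtype, rr.data))
    return dropped

def demo(bailiwick_check):
    """Constructed response from the attacker.example server that carries an
    Additional A record for www.idg.com. Returns the resulting cache."""
    cache = {}
    answers = [RR("host.attacker.example.", "A", "203.0.113.5")]
    additional = [
        RR("ns1.attacker.example.", "A", "203.0.113.6"),  # legitimate glue, in zone
        RR("www.idg.com.", "A", "203.0.113.7"),           # out of zone: must not be cached
    ]
    accept_response(cache, "attacker.example.", answers, additional, bailiwick_check)
    return cache
```

With the check disabled, demo(False) shows the out-of-zone record landing in the cache, which is exactly the poisoned mapping the article describes.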

Kaminsky declined to confirm that Flake had discovered his issue, but in a posting to his Web site Monday he wrote “13>0,” apparently a comment that the 13 days administrators have had to patch his flaw before its public disclosure is better than nothing.

“Patch. Today. Now. Yes, stay late,” he wrote.

Source:
http://www.pcworld.com/businesscenter/article/148722/details_of_major_internet_flaw_posted_by_accident.html

Seven Things IT Should Be Doing (but Isn’t)

July 21, 2008 – 1:20 PM

Pity the poor IT managers.

They’re expected to know what their end-users want and need, even if their end-users can’t articulate it themselves. They’re under constant pressure to develop new skills (like AJAX) while maintaining old ones (COBOL, anyone?), and to not only maintain line-of-business apps but jazz them up to meet the expectations of the Facebook generation.

They’ve got to deal with a data tsunami that increases more than 30 percent per year while simultaneously protecting the company jewels from devastating data spills. They’re required to gird for disasters of unknown proportions and figure out how to keep the business going in the aftermath.

Source:
http://www.pcworld.com/businesscenter/article/148697/seven_things_it_should_be_doing_but_isnt.html

Google Mail has more spam

July 21, 2008 – 12:38 PM

Roaring Penguin Software says its research shows that the proportion of email coming from Google Mail accounts that is spam has almost quadrupled, from 7 to 27 per cent. This means that more than one email message in four coming from a Google Mail account was classified as spam, which makes up more than 2 per cent of all spam email originating from America.

The origin of spam email is becoming ever more significant, because spam filters are increasingly basing their analyses of email messages on where they come from – and Google is still considered to be a good address. At any rate, no postmaster can afford to put the Google Mail server on his black list and refuse email from there as a matter of principle.

It is still unclear why Roaring Penguin Software has generalised its results to conclude that spam from free email providers is increasing. The figures presented show the reverse. In fact, a striking feature is that the proportion of spam registered as coming from Yahoo and Hotmail remained largely constant over the period observed. This suggests that the observed rise in spam from Google Mail is associated with the recent cracking of Google’s captcha (see “Spammers outwit Google’s captchas”), which enables spammers to create Google Mail accounts for sending spam automatically. It may be that Roaring Penguin avoid making this connection in order to stand out against their reporting competitors WebSense and MessageLabs, who had already noted in March a doubling of the proportion of spam in Google Mail.

Source:
http://www.heise-online.co.uk/news/Google-Mail-has-more-spam–/111139

How To Get Refunded on Prepackaged Vista

July 21, 2008 – 12:37 PM

Buying a PC can come along with some unwanted preinstalls. And now with Microsoft mandating that third party hardware manufacturers bundle Vista (not XP), that unwanted preinstall can include an entire OS. Given that a portion of any commercial PC’s purchase price includes funds allotted to software, XP users may find themselves forced into buying Vista even though they won’t be using it.

That is, unless they do like one user and use a simple exploit. Just don’t accept the software’s end-user license agreement (EULA).

Most of us click that “I agree” box without ever thinking twice. But what if you don’t agree with those terms and conditions? It gives you perfect fodder for going back to the computer manufacturer and demanding a refund on the software. After all, the EULA itself says to “contact the manufacturer or installer to determine their return policy for a refund or credit” if you don’t agree with its policy.

One guy used this technique to score a fat $200 check from HP before installing Linux onto his system.

Source:
http://gizmodo.com/5027302/how-to-get-refunded-on-prepackaged-vista

Relay server attack tactic dupes auto-reporting

July 21, 2008 – 6:53 AM

Sysadmins have begun noticing a coordinated attack on servers with open SSH ports that tries to stay under the radar by only attempting to guess a password three times from any compromised machine. Instead of mounting an attack from a single compromised host, hackers have worked out a means to relay a brute force attack between multiple assault machines.

IT consultant and developer Nazar Aziz picked up on the attack, which started around the beginning of July, when he noticed a pattern of assaults on a small bank of dedicated Linux servers he manages. After falling victim to a hacking attack a few months back, Aziz is unusually diligent about going through system logs generated by DenyHosts, a security tool for SSH servers. This diligence allowed Aziz to detect a pattern in the attacks that most would miss.

Sysadmins often run monitoring software or intrusion detection systems that detect brute force SSH break-in attempts. But by making only three guesses from each machine, the attack may go unrecorded because it falls below the detection thresholds of security software. More guesses from one machine would trigger actions such as blocking its IP address and making a record of the attack.

The assault is aimed at breaking into Linux systems with easily-guessable passwords rather than exploiting any particular security vulnerability, Aziz added. It’s not clear who’s behind the assault, which appears to originate from a botnet of compromised Linux boxes. Aziz explained that the assault is different from other brute force hacking attacks he’s seen before.
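The detection gap the article describes is a per-source threshold that three attempts per host never reach. An added example (not from the article, and not DenyHosts code) that puts the per-IP rule beside an account-centred rule aggregating failures across sources inside a time window; the sshd log lines, hostnames, addresses and the assumed year 2008 are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample sshd log lines (not from the article): each source
# makes exactly three guesses, so no single IP trips a per-IP threshold.
SAMPLE_LOG = """\
Jul 14 03:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.10 port 51122 ssh2
Jul 14 03:12:03 web1 sshd[2101]: Failed password for root from 203.0.113.10 port 51122 ssh2
Jul 14 03:12:05 web1 sshd[2101]: Failed password for root from 203.0.113.10 port 51122 ssh2
Jul 14 03:14:40 web1 sshd[2188]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jul 14 03:14:42 web1 sshd[2188]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jul 14 03:14:44 web1 sshd[2188]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jul 14 03:20:10 web1 sshd[2250]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jul 14 03:20:12 web1 sshd[2250]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jul 14 03:20:14 web1 sshd[2250]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jul 14 09:00:00 web1 sshd[3000]: Failed password for invalid user admin from 192.0.2.99 port 12345 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_failures(text, year=2008):
    """Return (timestamp, user, ip) per failed-login line; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def per_ip_blocks(events, threshold=5):
    """Classic per-source rule (DenyHosts-style): block an IP after `threshold` failures."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_alerts(events, window=timedelta(hours=1), min_ips=3):
    """Key on the target account: alert when one account draws failures from >= min_ips IPs inside window."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                alerts[user] = ips
                break
    return alerts
```

On the sample, per_ip_blocks returns nothing at the default threshold, while distributed_alerts flags the root account because three distinct sources hit it within an hour.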

Source:
http://www.channelregister.co.uk/2008/07/14/brute_force_ssh_attack/