August 21, 2008 12:32 PM PDT

A fatal flaw in the DNS (Domain Name System) is being exploited in Internet attacks, and more attacks are likely, the security researcher who discovered the flaw said on Thursday.

Dan Kaminsky

(Credit: Declan McCullagh/CNET News)

"I do think we are going to see attacks. I think we have been seeing attacks already going on in the field," said Dan Kaminsky, director of penetration testing for IOActive, who warned the industry about the DNS vulnerability nearly five months ago. "We're doing everything we can to mitigate and reduce its incidence."

Kaminsky mentioned a DNS-related incident with China Netcom (possibly the incident reported by the ZDNet Zero Day blog), but said it wasn't clear that it was due to the vulnerability he found. "There are other scenarios that I can't, unfortunately, get into," he added.

Basically, the problem exists in DNS itself, the system that translates Web addresses into numerical IP addresses and serves as the phone book for the Internet. An attacker exploiting the vulnerability could redirect Web surfers to malicious sites, even if the surfers typed in the legitimate Web address. For example, someone could type in the address for a bank and end up at a site that looks like the bank site but is a fake site set up to grab sensitive information like passwords.

Security firm MessageLabs recorded a 52 percent increase in suspicious DNS traffic between July and August, "indicating that the online underworld is poised to launch targeted attacks in coming weeks," the firm said in a statement released early on Thursday.

To be fair, some of that suspicious traffic is due to security researchers gathering statistics, according to Kaminsky. But there's no way to tell how much of it is for research purposes, he said.

"People are sweeping the Internet looking for vulnerable systems," he said. "What they have in store, we don't know."

Those stats only show part of the problem--researchers aren't able to scan the traffic going to servers used for directing e-mail and corporate Web browser traffic, and thus are missing the stats on attempts to find unpatched systems via those alternative modes, Kaminsky said.

"The most important thing for people to patch are the name servers that back up their mail servers," he said.

Meanwhile, people can use test code to find out if their systems are safe at Doxpara.com.

"The good news is that there are hundreds of millions of users protected against these attacks. The bad news is it's not everybody," he said.

Kaminsky first warned security software vendors about the problem in a secret meeting at Microsoft headquarters in March so they could start writing patches to address the problem. On July 8, he went public with the information, but not the details, of the flaw, at the same time Microsoft, Cisco, and other vendors released their patches in an unprecedented, synchronized multivendor effort.

Kaminsky planned to release details about the vulnerability during a talk he was scheduled to give at the Black Hat security conference a month later in order to give people more time to patch their systems. But within a few weeks, security bloggers were speculating about and leaking technical details of the vulnerability. A few days later there was exploit code reported in the wild.

Those developments forced Kaminsky to go public with some details about his finding in a conference call with journalists on July 24. Then he talked more about it at Black Hat in Las Vegas two weeks ago, reporting that 70 percent of Fortune 500 companies have tested and patched mail servers successfully, while 61 percent have patched non-mail servers.
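The kind of check the test code mentioned above performs, written here as an added Python example (not the article's code, nor Doxpara's): it grades captured (source port, transaction ID) pairs from a resolver's outbound queries and flags the fixed-source-port behaviour that the July patches replaced with randomization, a detail of the fix that the article itself does not spell out. The sample data is constructed, and the function names and thresholds are this example's own choices.

```python
"""Offline assessment of how much randomness a recursive resolver puts
into its outbound queries (added example, not code from the article or
from Doxpara).

Background not stated in the article: the coordinated July 2008 patches
made resolvers randomize the UDP source port of each outbound query, so a
forged reply has to match a random 16-bit transaction ID *and* a random
port. The Doxpara test observed a resolver's outbound queries and graded
that randomness; this module applies the same grading to samples you have
already captured (for example from a packet capture of your own resolver).
Names, thresholds and sample data below are this example's own choices.
"""
from collections import Counter
import math
import random


def entropy_bits(values):
    """Shannon entropy of the empirical distribution of values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True when every step between consecutive values is the same
    (e.g. ports 1024, 1025, 1026 ...): distinct, yet fully predictable."""
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1


def assess_resolver(samples):
    """Grade (source_port, txid) pairs taken from one resolver's queries.

    Returns a dict with the measurements and a verdict:
      'fixed-port'   one source port for every query (pre-patch behaviour)
      'predictable'  ports or IDs advance in a constant step
      'weak'         entropy well below what the sample size allows
      'randomized'   both fields look random
    """
    if len(samples) < 16:
        raise ValueError("need at least 16 samples for a meaningful verdict")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    max_bits = math.log2(len(samples))  # entropy ceiling for this many samples
    port_bits = entropy_bits(ports)
    txid_bits = entropy_bits(txids)
    if len(set(ports)) == 1:
        verdict = "fixed-port"
    elif is_sequential(ports) or is_sequential(txids):
        verdict = "predictable"
    elif min(port_bits, txid_bits) < 0.75 * max_bits:
        verdict = "weak"
    else:
        verdict = "randomized"
    return {
        "samples": len(samples),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(txid_bits, 2),
        "verdict": verdict,
    }


def constructed_samples(kind, n=64, seed=2008):
    """Constructed sample sets standing in for captured queries."""
    rng = random.Random(seed)
    if kind == "unpatched":    # one fixed port, random IDs
        return [(53, rng.randrange(65536)) for _ in range(n)]
    if kind == "sequential":   # OS hands out ephemeral ports in order
        return [(1024 + i, rng.randrange(65536)) for i in range(n)]
    if kind == "patched":      # random high port, random ID
        return [(rng.randrange(1024, 65536), rng.randrange(65536))
                for _ in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("unpatched", "sequential", "patched"):
        print(kind, assess_resolver(constructed_samples(kind)))
```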

August 20, 2008 5:24 PM PDT

A new type of Internet-based attack is spreading in which Flash-based ads seize control of a Web surfer's clipboard and paste in a link to a malicious site in the hopes that it will be spread from there into e-mails, blogs, and instant messages.

The ads have been spotted on MSNBC.com, Newsweek.com, and Digg.com. Victims have reported on numerous forums and blogs that the ads appear to be fake alerts that a virus has been detected on the computer, offering to clean it up, according to antivirus vendor Sophos.

The malicious link, which includes "xp-vista-update" in the URL, is copied into the clipboard and cannot be overwritten by copying new text to the clipboard. Users must reboot the computer to remove the link, The Register reports.

The malware appears to affect Mac, Windows, and Linux machines and the Firefox, Internet Explorer, and Safari browsers, according to ZDNet's Zero Day blog.

Chris Thornton, who created the "ClipMate" clipboard extender for Windows, gave an interesting description of the situation on his Clipboard Extender Dot Com blog:

"Someone wrote a little piece of Adobe Flash code to copy text to the clipboard. Then they put it in a loop, to do it once a second. Then they put it in an innocent-looking flash-based banner ad, with their harmful URL as the payload. Then they signed up for some advertising networks, and submitted their bad ad, presumably paying considerable $$$ to get it featured on sites that you and I visit regularly, such as MSNBC and Digg. And when someone has this ad loaded, they can copy all they want, but everything they paste will be just that URL. So if you are writing an e-mail to Aunt Millie, telling her to look at your eBay auction located at (paste), or to download Picasa to organize her photos - download here (paste), she's going to get the virus when she visits the bad site."

August 20, 2008 1:06 PM PDT

A security researcher has unearthed evidence via Google and its Chinese counterpart that supports claims that several Chinese gymnasts are younger than the minimum age for competing.

The New York Times was probably the first to report about digital evidence that the Chinese athletes are underage.

"Online records listing Chinese gymnasts and their ages that were posted on official Web sites in China, along with ages given in the official Chinese news media, however, seem to contradict the passport information, indicating that He (Kexin) and Jiang (Yuyuan) may be as young as 14--two years below the Olympic limit," stated the Times article, posted about three weeks ago.

Then last week, the Associated Press found evidence of its own--a Xinhua state news agency report listing He's age as 13 just nine months before the Olympics began. The AP saved a copy of the Web page, which it said could not be accessed later in the day.

Stryde uses Google Translate on a document found in the Baidu search engine indicating that Chinese Olympic gymnast He Kexin was born in 1994 and thus was below the required age to compete in the Beijing Games.

(Credit: Stryde)

This week security researcher "Stryde Hax" detailed his findings about discrepancies in the gymnasts' ages that he found via his own Internet searches. The data he gathered bolsters the claims made by the Times and the AP.

Stryde, who says he is a consultant at security firm Intrepidus Group, wrote on Tuesday about how he searched Chinese Web sites for Excel spreadsheets containing "He Kexin" and "1994," her alleged birth year according to some of the uncovered Internet evidence.

Stryde found only one result, on an official Chinese government sports site, but when the result was clicked on, the page had been removed, and He's name had been removed from the cached results.

Stryde had a similar experience searching on Baidu, China's most popular search engine, except that he found that two spreadsheets with the 1994 birth year for He remained in the cache. He asked readers to mirror the caches and post them online to thwart attempts by the Chinese government to deny the existence of the evidence.

On Wednesday, Stryde posted a follow-up entry on his blog detailing what happened when he ran his search on Google.cn, Google's Chinese-language search site. There he found the spreadsheet he had found the day before, plus a second one. When he checked again a few hours later, however, the original spreadsheet had been removed. He then found the result in Baidu.

Stryde's conclusions are insightful and chilling: "What is this post really about? I don't really feel that it's about the gymnastics age limit, or even really about whether fraud occurred. At this point, I believe that any reasonable observer already understands that age records have been forged. This story now is really about Internet censorship, the act of removing evidence while at the same time claiming that the evidence is wrong. For the first time, I watched search records shift under my feet like sand, facts draining down a hole in the Internet. Will this stand?"


August 19, 2008 11:15 AM PDT

If you've used a credit card reader in Ireland recently you may want to call your credit card company and monitor your account.

Scammers posing as bank workers replaced credit card readers in retail stores in northeast Ireland with fake readers that captured the data on as many as 10,000 credit and debit cards, according to an IDG News Service report.

The Bank of Ireland shut down some cards and limited overseas withdrawals, while Ireland's National Police Service launched an investigation.

Criminals can make clone cards from the magnetic-stripe data captured from the cards that pass through the dummy readers.

August 19, 2008 10:57 AM PDT

The security team behind Google's mobile platform, Android, has tried to raise its profile among security researchers by appealing for their vigilance in monitoring the platform.

In an e-mail to the popular Full Disclosure mailing list, the Android security team said that because flaws in the system are inevitable, Google would require help from the security research community both in finding and disclosing those vulnerabilities.

"As you may expect, building and maintaining a secure mobile platform is a difficult task," wrote an Android security team member. "While we have found and fixed many of our own bugs as well as flaws in other open-source projects, we realize that the discovery of additional security issues in a system this large and complex is inevitable."

The team requested that security researchers disclose Android vulnerabilities to Google, rather than making them generally available.

"We do appreciate and encourage responsible disclosure, especially since Android will be deployed on many different devices that will require a large amount of coordination to patch," wrote the security team member. "Help from security researchers in the form of usable bug reports and responsible timelines will greatly assist us in securing the ecosystem of Android devices as quickly as possible."

Google had not responded to a request for comment at the time of writing.

Multiple vulnerabilities in the Android platform were reported in March. Although Android is not yet deployed on any devices, exploits for the vulnerabilities were tested on an Android emulator included in its software development kit.

A long-awaited beta version of the SDK was made available to developers Monday.

Tom Espiner of ZDNet UK reported from London.

August 19, 2008 10:51 AM PDT

This post was updated at 1:45 p.m. PDT with comment from MBTA General Manager Daniel Grabauskas.

BOSTON--The three Massachusetts Institute of Technology students who have been barred by a court order from discussing subway card vulnerabilities are now free to say what they want.

In a ruling certain to be cheered by computer researchers, a federal judge here Tuesday let the 10-day-old gag order expire. U.S. District Judge George O'Toole Jr. refused to grant a preliminary injunction requested by the Massachusetts Bay Transportation Authority that would have blocked the students from talking about their findings until January 1, 2009.

The MBTA's requested injunction would have replaced a temporary restraining order granted during the Defcon hacker conference, which automatically expires on Tuesday under federal court rules.

First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.

The MIT students planned to make a presentation at Defcon on security vulnerabilities in the Massachusetts transit authority's electronic card and ticketing system. But a different federal judge who was on duty that weekend blocked the presentation after MBTA sued the students and MIT.

Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was likely a violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA.

On that basis, he said MBTA lawyers failed to convince him on two points. First, the students' presentation was meant to be delivered to people, and was not a computer-to-computer "transmission." Second, the MBTA couldn't prove the students had caused at least $5,000 in damage to the transit system. Lawyers for the MBTA claimed Tuesday they had proof the students had violated the law, but stopped short of specifying what they did.

Lawyers for the MBTA could still appeal O'Toole's ruling to the U.S. First Circuit Court of Appeals. Unless either side backs down or a settlement happens, a trial on the T's lawsuit against the students and MIT will eventually occur, but so far, no date has been set.

In a statement released on Tuesday afternoon, MBTA General Manager Daniel Grabauskas sounded conciliatory toward the students and hinted that the transit authority may be willing to work with the students outside of the courts.

"The 10-day process yielded a lot more information than we had at the start, and that was a key objective all along," Grabauskas said. "The students had repeatedly said the lawsuit was an impediment to opening up a productive dialogue with the MBTA about their findings. Now that the court proceedings are behind us, I renew my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself."

He added, "With respect to the information that was sealed, I have every expectation that the students will act in accordance with the principles of 'responsible disclosure.'"

Lawyers for the students welcomed the judge's decision in a case that has drawn more attention from local media concerned about problems in the transit system than from national media concerned about privacy issues. "This was a case of shooting the messenger," said Cindy Cohn, a lawyer with the Electronic Frontier Foundation, a San Francisco-based advocacy group that was representing the students along with the Massachusetts affiliate of the ACLU and the Fish & Richardson law firm.

But Ieuan Mahony, a lawyer for the Boston law firm Holland & Knight who is representing the MBTA, said the transit authority had no interest in chilling computer security research. Instead, he said it merely wanted to ensure that a method for wide-scale fare violations wasn't disseminated.

Security researchers working for the MBTA spent the last several days working through a confidential 30-page analysis--which has not been made public--that students had sent to the court and T officials. The document detailed the complete method for breaking the local Charlie card payment system, including specific details the students say they didn't plan to reveal at the Defcon conference.

MBTA said in documents filed with the court that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")

T officials concluded that the students had, in fact, found a way to break the paper Charlie card system, but had only found theoretical methods for breaking the plastic Charlie card, an RFID smart card that can have T fares electronically added to it.

Mahony said the 30-page analysis was a "very useful document," adding, it's "invaluable, but there are additional materials that cause us great concern." In particular, the transit authority wanted correspondence with Defcon officials and materials from their class with MIT professor Ron Rivest, a cryptographer best known as one of the co-inventors of the RSA public key encryption system, which is commonly used in e-commerce.

Despite the First Amendment implications of the case, O'Toole made it clear he intended to steer clear of the Bill of Rights. "I appreciate the breadth of views of others," he said, "but my views are considerably more limited." (Federal judges generally try to avoid constitutional issues if the dispute can be resolved by interpreting the text of a statute. Here, that statute was a 1986 law that he decided didn't properly apply.)

What the students intend to do now that the gag order has been lifted is unclear. If they wished, they could still make the Defcon presentation at some other forum. Cohn said she hasn't spoken with the three, who are still on summer break.

One of the students, Zack Anderson, told The Boston Globe in an interview published Monday that after the dust-up with the MBTA is done, he intends to work on a company that converts heat from a car's shock absorbers into energy for the car's engine. He reiterated in the interview that the students never intended to cause harm to the transit system.

"It wasn't to enable others to get a free fare or cause any sort of havoc," Anderson told the Globe. "It was really to show how major the issues are in this system, which also might resonate in many other systems around the world."

But one thing is certain: they have no intention of revealing the 30-page document that contained the specific details that told someone how to break the Charlie card system.

CNET News' Declan McCullagh contributed to this report.

August 18, 2008 6:43 PM PDT

Symantec is buying PC Tools, which sells PC utilities software designed to boost the security and privacy of Windows-based computers, Symantec said on Monday.

Terms of the deal were not disclosed. The transaction is expected to close by the end of the year.

The purchase will allow Symantec to expand its reach in emerging regional markets, the company said in a statement.

PC Tools, an Australian company, will continue to offer products under the PC Tools brand and will maintain separate operations within Symantec's consumer business unit.

August 18, 2008 3:49 PM PDT

Updated 6:50 p.m. PT with Facebook saying no hole in Free Gifts app.

MySpace was working to fix a security hole on Monday that allows people to see private comments friends have written on members' pages.

"MySpace is committed to keeping all users as safe and secure as possible. Today, MySpace was alerted to an issue within the MySpace Mobile WAP site and is working to roll out an immediate fix," a MySpace spokesperson wrote in an e-mail.

With the MySpace hole, people have to go through the company's mobile page and know the user ID of a member to read their private comments, said Canadian computer technician Byron Ng, who alerted CNET News to the issue and said he had previously contacted MySpace as well.

Getting someone's user ID is easy; just hover over the name and the user ID is the first group of numbers buried in the coding at the bottom of the page.

In addition, security vulnerabilities publicized by Ng in June that allow MySpace users to delete bulletins from groups they don't control, to pin and unpin topics in groups they aren't members of, and to post messages to a group they are banned from remained unfixed. Those issues are expected to be fixed within the week, MySpace said.

Meanwhile, Facebook was investigating possible security issues of its own, including a third-party app that lets people see comments written on member pages, even if they aren't their friends.

"We're still checking on Advanced Wall but we've confirmed that there is not a hole in Free Gifts," a Facebook spokesman wrote in an e-mail. "It's only public gifts that can be seen in the manner you propose below, which is how they are meant to be seen.... Private gifts are not shown on this page."

Facebook users should remember that photos and videos are public unless the person who posts them sets the privacy setting to private.

Beyond these security issues, people can use a method called "social engineering" to get access to a stranger's profile by being accepted as a friend in their network, Ng said.

For instance, someone could create a profile that looks like a party promoter that many members will become friends with just to hear about events. Or, someone could create a profile with the same name as someone who is already in a target's friend list with the hopes that the target will be confused and accept the imposter, Ng said.

"If the average citizen is worried about people spying, never add anyone, even a 'friend,' without telephone or e-mail confirmation that it is legitimate," Ng writes in an e-mail.

For people who want to keep an eye on who is viewing their MySpace pages, there are two sites that offer tracking services: ProfileSnitch.com and WhoVisited.com.

Those sites allow MySpace members to embed HTML code in their profile pages that reports back to the tracking sites so members can see who was viewing their pages. This only works with MySpace and not Facebook, however, because MySpace allows members to use HTML in their profiles and Facebook does not, Ng said.

August 18, 2008 9:26 AM PDT

After he's done with his security dust-up with the Massachusetts Bay Transportation Authority, Zack Anderson plans on slightly different work: a company that turns heat from a car's shock absorbers into energy for the car's engine.

Hopefully, a government agency won't take offense at that work as well.

Anderson is one of three Massachusetts Institute of Technology students who were blocked by the MBTA and a judge's order from making a presentation on vulnerabilities in the T's card-based fare system at the recent Defcon conference in Las Vegas. They're still blocked from making that presentation under a gag order that expires Tuesday. A hearing will be held in federal court in Boston Tuesday morning to determine whether the temporary restraining order should be converted into a preliminary injunction.

In an interview with The Boston Globe, Anderson defended the presentation the students planned to make at Defcon. "It wasn't to enable others to get a free fare or cause any sort of havoc," Anderson told The Globe. "It was really to show how major the issues are in this system, which also might resonate in many other systems around the world."

The MBTA, not surprisingly, doesn't seem so willing to participate in this particular scientific discourse. In a hearing last week, a federal judge ordered the students to hand over classroom material and any correspondence they've had with Defcon organizers. The students have already provided the judge and T officials with two reports, including a 30-page paper that included details the students say they didn't intend to reveal in their Defcon talk.

The students and the MBTA are still fighting over what documents they should have to reveal, including unpublished research notes.

August 18, 2008 8:57 AM PDT

A new controversy is brewing in the lawsuit pitting three Massachusetts Institute of Technology students against the Massachusetts transit agency: Whether or not their unpublished research notes and other material must be handed over to the state government.

The MIT students are asking a federal judge not to require them to hand over unpublished research notes and other material to the Massachusetts Bay Transportation Authority, which obtained a restraining order against a conference presentation earlier this month. They already have turned over their prepared presentation and have prepared a separate security analysis for the agency.


The students filed a motion over the weekend saying that a judge hearing the case "plainly erred" by ordering them to divulge the material. Instead of turning over more material by a Saturday deadline, the students apparently handed over only correspondence with organizers of the Defcon conference.

This dispute is likely to come to a head at a hearing scheduled for 7:30 a.m. PDT on Tuesday before U.S. District Judge George O'Toole Jr. in Boston. Last week, O'Toole denied the students' request to postpone the document-delivery deadline to allow an emergency appeal to the U.S. First Circuit Court of Appeals.

The hearing is required under federal court rules because the temporary restraining order expires on Tuesday. O'Toole has the option of converting the order into a more formal preliminary injunction (with or without modifications) or allowing it to expire.

So far, O'Toole has not proven especially sympathetic to the students, who are represented by the San Francisco-based Electronic Frontier Foundation. He refused to lessen the sting of the original temporary restraining order, even though the MBTA had suggested it. He also granted much of the MBTA's request for unpublished documents, which EFF says runs afoul of clear legal precedent.

MBTA has demanded copies of documents including correspondence with the Defcon conference, a paper prepared for an MIT class, software, physical equipment, modified MBTA farecards, notes from meetings, and so on. MBTA also wants to conduct a four-hour deposition of computer science major Zack Anderson and a two-hour deposition of MIT professor Ron Rivest. (The other student defendants are Alessandro Chiesa and R.J. Ryan.)

Here's an excerpt from EFF's latest brief, filed over the weekend, which objects to its clients being forced to turn over unpublished material in a prior restraint case:

More broadly, the Discovery Order amounts to a grant of pre-publication review and, as such, flies in the face of long established free speech principles. Such an order would never be permitted if the content in question were, for example, a reporter's notes, and it should not stand here. Through this discovery process, MBTA has enlisted the court's power to obtain pre-publication review of academic speech by a public authority, and delay publication until its review is complete...

Prepublication review has been permitted only in the most extraordinary circumstances. For example, a contract requiring such review was held constitutional where the defendant, a former Central Intelligence Agency agent, had voluntarily agreed to limit publications regarding CIA activities. The Court held that the government had "a compelling interest in protecting both the secrecy of information important to our national security and the appearance of confidentiality so essential to the effective operation of our foreign intelligence service" and the prepublication review requirement was a reasonable means for protecting that interest. Even in these extraordinary cases, there has never been discovery to determine what the CIA agent knew (or court review of the agent's knowledge), just a review of what they proposed to publish.

No such extraordinary circumstance exists here. The MBTA already has ample information about its own security systems, what the students know, what they intended to say at Defcon, and what they would like to be free to say now if the TRO is lifted. The MBTA appears to wish to review everything the students have ever done or thought related to their research in order to pass judgment (in the context of the preliminary injunction proceeding) on anything they might say about it in the future. The First Amendment does not countenance that type of pre-publication review, and neither should this Court.
