Posts Tagged 'security'

Spam clogging up the Intertubes, 80% of email traffic

Almost everyone hates spam. The only people that don’t hate it are the ones that make vast amounts of money from sending it. The profits they turn are so large that regardless of what spam fighters do, the amount of spam keeps increasing. According to web security firm MessageLabs, spam accounted for 81.5 percent of all e-mail traffic in June.

This number, which is calculated based on 3 billion e-mail connections that MessageLabs scans every single day, more or less corresponds with US-specific data. An analysis of year-to-date spam rates for individual US states shows that the percentage of e-mails that were spam ranges from 77 (Montana) to 91 percent (Illinois). In other words, in every single state in the US, over three quarters of e-mails sent are junk. The average spam level in the US was 86 percent in June. (link)

Intel chips vulnerable to bug?

Security researcher and author Kris Kaspersky plans to demonstrate how an attacker can target flaws in Intel’s microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of what operating system the computer is running.

Kaspersky will demonstrate how such an attack can be made in a presentation at the upcoming Hack In The Box (HITB) Security Conference in Kuala Lumpur, Malaysia, during October. The proof-of-concept attacks will show how processor bugs, called errata, can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler.

“I’m going to show real working code…and make it publicly available,” Kaspersky said, adding that CPU bugs are a growing threat and malware is being written that targets these vulnerabilities.

Different bugs will allow hackers to do different things on the attacked computers. “Some bugs just crash the system, some allow a hacker to gain full control on the kernel level. Some just help to attack Vista, disabling security protections,” he said. (link)

Mobile group to establish web security for phones

Until recently, the development of mobile-friendly websites has been regarded as nothing more than an irrelevant black art. That has since changed, thanks to more web-capable phones making their way into the mainstream (such as, of course, the iPhone). But the landslide of new and improved mobile sites has opened the doors to a sort of standard-free chaos, where almost anything (that works) goes and security is a second thought. The Open Mobile Terminal Platform (OMTP) group hopes to change that, however, by launching a new initiative that focuses on mobile development without sacrificing important principles like security.

The project will be called BONDI and will be supported by a number of OMTP members: 3 Group, AT&T, T-Mobile, Telenor, Telefónica, Telecom Italia, and Vodafone. The group plans to “harmonize the various open and proprietary ongoing initiatives and this cooperative work will minimise the potential for technology fragmentation,” and will provide a secure web services interface for developers to use when creating mobile sites. “The new handset software will be engineered in such a way as to prevent fraudulent and malicious activity through unauthorized access to functions or sensitive personal information,” says OMTP. (link)

Sony’s site hacked, fake virus scanning embedded

“Visiting the affected PlayStation site runs a script that pretends to do an online security scan of your computer, and presents a bogus warning message that your PC is infected with a variety of different pieces of malware,” the SophosLabs blog explains. “Users frightened by the scareware ‘warnings’ might rush to spend money on useless software.”

SQL injection attacks involve passing malicious code to SQL databases as user input. An improperly configured or vulnerable SQL application can be made to execute that input. All the attacker needs to add is HTML that makes a Web page call a script on a malicious site.

Since January, SQL injection attacks have surged across the Web. Researchers at the SANS Internet Storm Center and elsewhere have said that the reason for this is the existence of an automated tool that searches for sites running vulnerable software and attacks them. Attackers can configure the tool to insert any code they want. (link)
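A defender's check for the injected-markup pattern described above, as an added example (not code from the original post, Sony or SophosLabs): it scans stored text fields for script or iframe tags that load from hosts outside an allowlist. The allowlist, the sample rows and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}

class SrcCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches.
        if tag in ("script", "iframe"):
            self.sources.extend(v for k, v in attrs if k == "src" and v)

def foreign_hosts(fragment, allowed=ALLOWED_HOSTS):
    """Return the off-allowlist hosts that a stored HTML fragment loads from."""
    parser = SrcCollector()
    parser.feed(fragment)
    parser.close()
    hosts = set()
    for src in parser.sources:
        host = urlparse(src.strip()).hostname  # None for relative URLs
        if host and host not in allowed:
            hosts.add(host)
    return hosts

def audit_rows(rows):
    """rows: iterable of (row_id, text). Returns {row_id: [hosts]} for hits."""
    findings = {}
    for row_id, text in rows:
        hosts = foreign_hosts(text)
        if hosts:
            findings[row_id] = sorted(hosts)
    return findings

# Constructed sample rows standing in for a content table (not real data).
SAMPLE_ROWS = [
    (1, "Game review: great graphics."),
    (2, 'Patch notes<script src="http://injected.invalid/x.js"></script>'),
    (3, '<p>Trailer</p><script src="https://static.example.com/p.js"></script>'),
    (4, "News<SCRIPT SRC=//injected.invalid/y.js></SCRIPT>"),
    (5, '<script src="/js/local.js"></script>'),
]

if __name__ == "__main__":
    for row_id, hosts in audit_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: script loaded from {', '.join(hosts)}")
```

Rows flagged by a scan like this show where content was tampered with; the injection point itself still has to be closed in the application's query handling.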

Security updates ignored by 40%

A recent collaborative study between Google, the Swiss Federal Institute of Technology, and IBM offers new insight into how many people surfing the web are doing so safely. According to the report, a clear majority of users (some 59 percent) are using the latest version of their preferred Internet browser—but that still leaves 40.1 percent who aren’t. That’s a troublingly high number for anyone working in IT security, given that virtually all (89.4 percent) of the vulnerabilities reported in 2007 were remote exploits. Not all of these exploits specifically targeted the web browser, but it’s become the target of choice for an increasingly large percentage of all attacks. Proper browser security is therefore of paramount concern. (link)

Identity theft still on the rise despite more awareness

Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC).

“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper’s authors.

Romanosky’s team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California’s SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen. Their paper is set to be presented at a conference on Information Security Economics held at Dartmouth College later this month.

Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends. A lot of people complain, but it represents only a subsection of all identity theft cases. In 2006, for example, the FTC logged 246,035 identity theft complaints, while a Javelin Strategy survey estimated that there were 8.9 million ID theft victims that year. (link)

McAfee warns .HK and .CN domains most dangerous

Companies that assign addresses for Web sites appear to be cutting corners on security more when they assign names in certain domains than in others, according to a report to be released Wednesday by antivirus software vendor McAfee Inc.

McAfee found the most dangerous domains to navigate to are “.hk” (Hong Kong), “.cn” (China) and “.info” (information).

Of all “.hk” sites McAfee tested, it flagged 19.2 percent as dangerous or potentially dangerous to visitors; it flagged 11.8 percent of “.cn” sites and 11.7 percent of “.info” sites that way.

A little more than 5 percent of the sites under the “.com” domain — the world’s most popular — were identified as dangerous. (link)

White House tells everybody to relax over email recoveries

The Bush administration last week filed responses to a federal magistrate judge’s questions relating to ongoing litigation over what critics say are thousands of missing e-mails. Administration lawyers submitted a 22-page legal brief and a 7-page declaration from Theresa Payton, CIO of the White House’s Office of Administration. The brief strenuously objected to the demands of the lead plaintiff, the National Security Archive (which filed suit alongside Citizens for Responsibility and Ethics in Washington), that special measures be taken to preserve hard drives and removable media that could be useful in future forensic efforts to retrieve e-mails.

Federal law requires executive branch agencies, including the Executive Office of the President, to preserve e-mails related to the performance of their official duties. The National Security Archive (NSA) claims that the White House has failed to preserve approximately five million e-mails from March 2003 to October 2005.

The White House protests that it has already preserved sufficient backup tapes to enable future recovery of any missing emails. It says that there are now 60,000 backup tapes in storage, including 438 “disaster recovery” backup tapes that were made during the critical period of March to October of 2003. Payton says that these backup tapes “should” contain “substantially all” of the emails in question. (link)

Epilepsy site hacked to cause seizures

Computer attacks typically do not inflict physical pain on their victims.

But in a rare example of an attack apparently motivated by malice rather than money, hackers recently bombarded the Epilepsy Foundation’s website with hundreds of pictures and links to pages with rapidly flashing images.

The breach triggered severe migraines and near-seizure reactions in some site visitors who viewed the images. People with photosensitive epilepsy can get seizures when they’re exposed to flickering images, a response also caused by some video games and cartoons.

The attack happened when hackers exploited a security hole in the foundation’s publishing software that allowed them to quickly make numerous posts and overwhelm the site’s support forums. (link)

Wireless security, USB tools, and Bush

Setting up a wireless network can be a hassle … OK, it IS a hassle. Once you finally get everything up and running you’re still not done. Wireless security is a must for any network. (ABC’s of securing wireless networks) Even though it is unlikely that someone is tapping into your network, it’s better to be safe than sorry.

On another front, Microsoft has been developing a forensic USB tool capable of bypassing PC security. Maybe this answers why there are so many bugs in the Windows OS? Hmm. So I encrypt my laptop, passwords all over, biometric security, and Microsoft is selling a USB tool for $99.99 that will undo all of that. *&^%$#@!!

Losing data? How about accidentally deleting data? Take a look at how the Bush government lost incriminatory emails, how convenient. I’m sure they went to great lengths to contact IT specialists, second and third opinions while failing to contact an established data recovery company. What about the backups? Oh I see, accidentally wiped those too huh? (cover-up)
