<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
    <channel>
        <title>Hack In The Box</title>
        <description>Hack In The Box Backend</description>
        <link>http://www.hackinthebox.org/backend.php</link>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs>
        <lastBuildDate>Thu, 12 Feb 2009 22:34:51 +0100</lastBuildDate>
        <pubDate>Thu, 12 Feb 2009 22:34:28 +0100</pubDate>
        <generator>FeedForAll v2.0 (2.0.2.9) unlicensed version http://www.feedforall.com</generator>
        <item>
            <title>Microsoft Exchange Server under major security risk</title>
            <description>On the face of it, Microsoft’s latest monthly update seems quite light with ‘just’ two critical vulnerabilities. But one of them, for Exchange Server, is an absolute doozy.

The issue, which affects the 2000, 2003 and 2007 editions, means that a hacker could take complete control of a system – with administrative privileges – simply by sending a specially crafted message with a rogue winmail.dat file, the attachment which tells e-mail programs how to display a Rich Text Format document. To make things worse, the problem could affect users who simply preview the message without having to open it.

The vulnerability is understandably rated critical, though Microsoft’s separate exploitability index gives it a medium rating for the likelihood of hackers taking advantage. That’s a fairly arbitrary rating based on the fact that there’s no evidence the hacking community has figured out how to exploit the issue yet.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29905</link>
            <guid isPermaLink="false">EFFB302B-E64B-45FD-8351-1B511FD34846</guid>
            <pubDate>Thu, 12 Feb 2009 22:13:16 +0100</pubDate>
        </item>
        <item>
            <title>Typo3 hack on German Interior Minister&apos;s web site</title>
            <description>Anyone who hasn&apos;t yet fixed the hole in the Typo3 content management system that was reported yesterday should install the current update without delay. Vulnerable pages can easily be found using Google, and then they can be trashed.

Wolfgang Schäuble, Germany&apos;s Interior Minister, found this out last night when his web site acquired a link to the German Working Group on Data Retention, which is protesting against that controversial government scheme. The perpetrators kindly left a clue to how they got into the system by mentioning the Typo3 update: apparently they were able to access the configuration file &quot;localconf.php&quot; using a special URL. A more worrying point is that they could use Google to find the administrator&apos;s password hash held there, and crack it very easily.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29906</link>
            <guid isPermaLink="false">DCE65659-5DF7-4939-80FC-98B45D984996</guid>
            <pubDate>Thu, 12 Feb 2009 22:12:45 +0100</pubDate>
        </item>
        <item>
            <title>Texas judge orders site to identify anonymous trolls, flamers</title>
            <description>A Texas judge has ordered an online news site to unveil identifying details about 178 anonymous commenters on the site. The order came after a couple, Mark and Rhonda Lesher, sued the numerous anonymous commenters posting to Topix.com for making what they considered to be &quot;perverted, sick, vile, inhumane accusations&quot; about them. &lt;br /&gt;
&lt;br /&gt;
The Leshers were originally thrust into the Texas spotlight in 2008 after being accused of sexually assaulting an unidentified former client of Mark Lesher. That&apos;s when thousands of comments began piling up on the community news aggregator Topix to discuss the sexual assault charges. As with most things on the Internet, many Topix users felt free to let loose with nasty comments about the Leshers.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29908</link>
            <guid isPermaLink="false">80DE3432-FAF5-4649-B6CB-CAB542C2881A</guid>
            <pubDate>Thu, 12 Feb 2009 22:11:57 +0100</pubDate>
        </item>
        <item>
            <title>IDC Predicts Further Declines in Microprocessor Market</title>
            <description>IDC on Wednesday released its findings concerning the central processing unit market in Q4 2008 and once again confirmed that the PC market in general is facing a steep drop in demand. The analysts from the market tracking firm believe that declines will continue in Q1 2009 and Q2 2009, which will hurt both PC makers as well as CPU vendors, such as Advanced Micro Devices and Intel Corp.

“The decline in PC processor unit shipments in the fourth quarter was the worst sequential decline since IDC started tracking processor shipments in 1996. After hinting at a decline last September, the market fell off a cliff in October and November,” said Shane Rau, director of semiconductors at personal computing research at IDC.

In Q4 2008, worldwide PC processor unit shipments declined by 17.0% quarter over quarter (QoQ) and by 11.4% year over year (YoY), according to IDC; market revenue declined by 18.0% QoQ and by 22.2% YoY to $6.78 billion. For the full year 2008, total PC processor unit shipments grew 10%, while revenue grew only 0.9% to $30.8 billion.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29909</link>
            <guid isPermaLink="false">3B360832-E4CA-4FB3-A9DF-16E586881099</guid>
            <pubDate>Thu, 12 Feb 2009 22:11:12 +0100</pubDate>
        </item>
        <item>
            <title>RIM says BlackBerry subscriptions soaring</title>
            <description>Research In Motion raised its forecast for subscriber additions in the current quarter but warned its profit will come in near the bottom of its previous expectations.

New product introductions contributed to record levels of net subscriber-account additions throughout December, as the BlackBerry maker also enjoyed a successful holiday sales surge, the company said. The delayed and hotly anticipated BlackBerry Storm debuted to long lines and sellouts in late November. Following the holidays, new subscriber additions have continued to exceed the company&apos;s expectations, though RIM expects the gains to become more normal next month.

On Wednesday, RIM raised its earlier forecast of net subscriber-account additions for the fourth quarter, ending Feb. 28, by 20%. On Dec. 18, it had forecast 2.9 million net additions for the quarter. RIM also said it expects revenue for the quarter to be at or near the midpoint of the company&apos;s previous guidance. The December forecast called for fourth-quarter revenue between US$3.3 billion and $3.5 billion.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29910</link>
            <guid isPermaLink="false">B1ED42E3-7F4A-4E23-B40D-372A61D56FB7</guid>
            <pubDate>Thu, 12 Feb 2009 22:10:36 +0100</pubDate>
        </item>
        <item>
            <title>MySpace founder concedes defeat</title>
            <description>The co-founder of News Corp&apos;s MySpace has thrown in the towel in the global battle against Facebook, predicting the social networking site will forever play second fiddle to its younger upstart.

Facebook and MySpace between them have about 280 million active users while Microsoft claims through its various online networks and gaming ventures, such as its Xbox Live, to reach about 500 million users a month worldwide.

In an interview with the Herald this week from Los Angeles, MySpace&apos;s co-founder, Brett Brewer, said MySpace and News Corp would have to concede Facebook has worldwide domination.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29911</link>
            <guid isPermaLink="false">0F21C148-28C7-4EA4-B248-8DA8773DFC9D</guid>
            <pubDate>Thu, 12 Feb 2009 22:10:01 +0100</pubDate>
        </item>
        <item>
            <title>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29914</title>
            <description>Cuba announced its own version of Linux at a Havana conference today on technological sovereignty. Called Nova, the operating system is seen as a way to combat Microsoft, and thus the U.S., dominance in the software market. Cuba now joins the likes of China and Russia in developing a national version of Linux in a push to free their countries from dependency on Microsoft for operating system software.

Cuba began computer sales to the public only last year and estimates roughly 20 percent of computers in its country are now running on Linux and hopes to push that total to 50 percent within five years. Cuba sees Windows as a threat because it claims U.S. spy agencies have access to the code and says free software is more in line with the Cuban ideology.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29914</link>
            <guid isPermaLink="false">88CBA5F9-E71A-45AA-BBF1-78904BE4FA44</guid>
            <pubDate>Thu, 12 Feb 2009 22:09:03 +0100</pubDate>
        </item>
        <item>
            <title>How the IT Guy is Becoming the Security Guy</title>
            <description>I recently read an interesting article in the Wall Street Journal (October 16, 2008, “New Data Privacy Laws Set for Firms”) that outlines new state-by-state regulations for data security. The article contains a great quote that I think sums up the major concerns for IT managers right now, but it doesn’t come from IBM or Cisco or even Sharp. It comes from the network manager for the Northeast-based pizza chain, Papa Ginos, who says, “Anybody in IT has to become the security guy.” I truly believe this quote illustrates how IT managers in companies of all sizes are quickly realizing the importance of data security and are learning more about what steps need to be taken to ensure that the network, and ultimately the company, are safeguarded against data theft.

Technology makes an ever-increasing contribution to profitability in today’s highly competitive business landscape. However, the same technology that enables high productivity in the workplace can easily be compromised if not sufficiently secured. The consequences of inadequate protection could be financial loss, identity theft, risk to intellectual property, or even the ruination of an upstanding business due to identity theft.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29919</link>
            <guid isPermaLink="false">52B9BD70-2BDF-4467-B08C-6E3F59B757EE</guid>
            <pubDate>Thu, 12 Feb 2009 22:08:06 +0100</pubDate>
        </item>
        <item>
            <title>Videogames Good for Children</title>
            <description>Videogames can be good for children, encouraging creativity and cooperation, a European Union report concluded Wednesday which ran counter to the violent reputation of some titles.

In conclusions that may either surprise or reassure parents of game addicts, the study by the European Parliament Committee on the Internal Market and Consumer Protection found a number of benefits and no definitive link to violent behavior.

&quot;Videogames are in most cases not dangerous and can even contribute to the development of important skills,&quot; said Toine Manders, the Dutch liberal lawmaker who drafted the report. &quot;(They stimulate) learning of facts and skills such as strategic reflection, creativity, cooperation and a sense of innovation,&quot; a news release on the report said.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29921</link>
            <guid isPermaLink="false">99D365B8-D0BB-41F9-8170-D6B05ED3D964</guid>
            <pubDate>Thu, 12 Feb 2009 22:06:59 +0100</pubDate>
        </item>
        <item>
            <title>Police drop investigation into &apos;rent-a-Lords&apos;</title>
            <description>The Metropolitan Police has ended its investigation into four peers - Lord Moonie, Lord Truscott, Lord Taylor of Blackburn and Lord Snape - in part because getting evidence was proving too difficult.

The four men were caught in a Sunday Times sting allegedly offering improper help to undercover journalists in exchange for cash. They were allegedly caught on tape claiming to be able to delay or even amend legislation for corporate lobbyists.

The story led to a flurry of updates to the Lords&apos; Register of Interests and led credit agency Experian to end its relationship with Lord Taylor. The company said it was surprised to hear Lord Taylor&apos;s apparent description of the work he did for it. Lord Taylor claimed to have amended draft legislation in favour of the company. He said he was paid up to £100,000 a year for his help, which he described as cheap.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29922</link>
            <guid isPermaLink="false">EF4EE44A-EC3C-4CF0-85CA-49D016FEA89F</guid>
            <pubDate>Thu, 12 Feb 2009 22:06:29 +0100</pubDate>
        </item>
        <item>
            <title>GPS Navigation comes to G1</title>
            <description>Today, TeleNav announces the first GPS navigation application for the G1.  TeleNav brings their 3D, turn by turn, traffic, speech recognition and other features that make it the premiere on-phone GPS choice to the G1 starting February 24th.  T-Mobile G1 users can sign up for a free 30-day trial.

I’ve been using TeleNav on my Windows Mobile phone for some time now and I am a big fan.  I’ve found their POI (point of interest) database is among the most complete while their directions are on par with stand alone GPS devices.  I saw a prototype of this offering at CES this year and my one word summary is “slick.”

Designed specifically for the G1, TeleNav takes advantage of both landscape and portrait modes.  The UI has been designed with touch in mind and the result is, well, classy.  This application is among the best looking apps I’ve seen for Android.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29923</link>
            <guid isPermaLink="false">AB35A7D5-D813-4609-88EA-6D8B62EEB8E8</guid>
            <pubDate>Thu, 12 Feb 2009 22:06:00 +0100</pubDate>
        </item>
        <item>
            <title>Intel developing optical chip-to-chip interconnects</title>
            <description>Intel Corp. is studying optical interconnects with an eye toward replacing chip-to-chip electrical interconnects in order to overcome looming bandwidth issues as microprocessors with an increasing number of cores usher in the era of tera-scale computing.

Ian Young, an Intel Fellow and director of the No. 1 semiconductor company&apos;s advanced circuits and technology integration project, presented a paper at the IEEE&apos;s International Solid State Circuits Conference (ISSCC) here Wednesday (Feb. 11) describing progress in integrating the waveguides, detectors and modulators needed for integrating photonic interconnects directly onto CMOS chips.

Young described the performance of an eight-channel, 90-nm device that has demonstrated transmission and reception speed of up to 10Gb/s. The company&apos;s longer-term goal is to make optical components that can achieve higher bandwidth of between 100GB/s to 1 TB/s, Young said.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29924</link>
            <guid isPermaLink="false">7FE1BCB3-0431-4283-B208-E5FEA6D48BF1</guid>
            <pubDate>Thu, 12 Feb 2009 22:05:21 +0100</pubDate>
        </item>
        <item>
            <title>Public cloud, meet private cloud</title>
            <description>Bryan Doerr, chief technology officer at Savvis Inc., a cloud infrastructure provider in St. Louis, admits that the industry has a ways to go before IT users with private clouds in their data centers can manage the seamless swapping of resource allocation with subscription services out on the public Internet. But he argues his company has taken the first small steps toward bridging the systems management gap between public and private clouds.

Today Savvis announced Savvis Compute Cloud with the intent to give IT more direct control over resources located in any of Savvis&apos;s 29 data centers. For example, instead of calling a Savvis technician to provision a new virtual machine, a process that can take from hours to days, through the SavvisStation Portal, an authorized IT user can make changes directly. This new capability applies for both dedicated servers an enterprise has subscribed to as well as slices on multi-tenant servers.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29925</link>
            <guid isPermaLink="false">2044B0B1-0CCC-4673-BA4A-A4BEE377AEFA</guid>
            <pubDate>Thu, 12 Feb 2009 22:04:16 +0100</pubDate>
        </item>
        <item>
            <title>Virus 2090 Annoys Korean Computer Users</title>
            <description>A destructive bug dubbed &quot;2090&quot; is biting Korean computer users hard, security experts said Thursday.

The computer virus adjusts computers&apos; clocks to &quot;10:00 AM January 1st 2090,&quot; and may inflict serious damage to systems based on Microsoft Windows.

&quot;Computer users must be more careful in downloading files from the Internet or by e-mail and update their vaccine programs and leave real-time monitoring functions on,&quot; said Cho Si-haeng, director of AhnLab&apos;s security emergency response center, adding, &quot;It would also be wise to download security patches to protect computers.&quot;

Security software makers such as AhnLab (home.ahnlab.com), Inca Internet (www.inca.co.kr), Hauri (www.hauri.co.kr) and EstSoft (www.estsoft.com) are providing free downloads of their vaccines, developed to suppress the 2090 virus.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29926</link>
            <guid isPermaLink="false">7F43A033-7192-4115-AC09-0B7710AC3E91</guid>
            <pubDate>Thu, 12 Feb 2009 16:19:00 +0100</pubDate>
        </item>
        <item>
            <title>US lawmaker&apos;s twittering raises security concerns</title>
            <description>The top Republican on the US House of Representatives intelligence committee landed in hot water this week after using his Twitter page to update the public on his precise whereabouts while travelling through Iraq and Afghanistan.

The disclosure prompted the Pentagon to review its policy, which regards such information as sensitive and lit up the liberal blogosphere with accusations of hypocrisy.

Republican Pete Hoekstra says he did nothing wrong. He pointed to announcements by other high-ranking officials, including House Speaker Nancy Pelosi, which list the countries they plan to visit. &quot;The policy that we have and that we did on this trip is consistent and well restrained from what other folks have done in the past,&quot; said Hoekstra, a Republican.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29928</link>
            <guid isPermaLink="false">0D3AFDB8-9610-4607-A04B-1F8564C9CCB4</guid>
            <pubDate>Thu, 12 Feb 2009 16:21:00 +0100</pubDate>
        </item>
        <item>
            <title>NSA identifies top 25 programming errors</title>
            <description>The critical importance of integrating security into programming is obvious to anyone who thinks about it, and it has been the subject of countless minatory or sometimes pleading articles. Google &quot;secure programming&quot; as one example of appropriate keywords and you’ll find nearly a million hits.

Back in 2001, I wrote five columns on the subject which I later collected and updated as the short paper “Programming for Security” that’s currently on my Web site. Now the National Security Agency, working with MITRE Corp., SANS, and dozens of industry experts from many other organizations, has published a valuable list of the top 25 most dangerous programming errors. The best description of the project that I have found is the SANS Institute report.</description>
            <link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=29929</link>
            <guid isPermaLink="false">C0788A39-F00D-467A-BA67-EFB4FAC8E1C0</guid>
            <pubDate>Thu, 12 Feb 2009 16:23:56 +0100</pubDate>
        </item>
    </channel>
</rss>
