The Computer Fraud and Abuse Act Is a Failed Experiment

Over the years, legislatures and the courts progressively have treated the unauthorized movement of data bits over someone else’s chattel into a “trespass” of that chattel–an activity I’ll call “online trespass to chattels.” For example, many states have enacted computer crime laws that restrict unauthorized use of Internet and telecommunications equipment.

via The Computer Fraud and Abuse Act Is a Failed Experiment – Forbes.

As a result, these proposed changes will end the adverse consequences from the online trespass to chattels experiment while letting chattel owners prevent socially disadvantageous online usage of their chattels.

That Internet War Apocalypse Is a Lie

CloudFlare CEO Matthew Prince tells a harrowing story of warding off the internet attack after Spamhaus hired him—which is certainly true—but warns us of existential threats to the net still lurking out there, like lost Soviet nukes:

via That Internet War Apocalypse Is a Lie.

This would be so terrifying if it weren’t advertising. Prince, of course, is in the business of selling protection against online attacks. And his company is, as far as I can tell, pretty good at this business. But he’s also clearly in the business of scaring people: in his blog post today, he warns that the Spamhaus attack “may prove to be relatively modest” compared to what comes next. Bigger nukes, I suppose.

Here’s another excerpt on the latest DDoS kerfuffle that made a lot of news recently.

So what’s the answer? Short of shutting down all 27 million resolvers, the Open DNS Resolver Project and others such as DNS service providers Afilias recommend the implementation of source address validation. An IETF RFC, BCP-38, exists that spells out how to use source address validation and build such an architecture to defeat IP source address spoofing.

via Open DNS Resolvers Center Stage in Massive DDoS Attacks | threatpost.

According to the article, one component of implementing this requires cooperation from ISPs, who may not see this as a priority.
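The source address validation that BCP-38 describes, sketched as an added example (not code from the article or from any router vendor): an edge router accepts a packet from a customer-facing interface only if its source address lies inside a prefix assigned to that interface. The interface names, prefixes and packets are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed edge-router table: customer-facing interface -> assigned prefixes.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}

def ingress_permits(interface, source_ip):
    """Accept only sources inside the prefixes assigned to the ingress interface."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed source address: drop
    # An interface with no assignment has an empty prefix list, so it is dropped.
    return any(addr in net for net in ASSIGNED.get(interface, []))

def filter_packets(packets):
    """Split (interface, source) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_permits(*pkt) else dropped).append(pkt)
    return forwarded, dropped

# Constructed traffic: DNS queries on their way to an open resolver.
PACKETS = [
    ("cust-a", "192.0.2.10"),     # source matches cust-a's prefix
    ("cust-a", "198.51.100.7"),   # spoofed: cust-b's address arriving via cust-a
    ("cust-b", "198.51.100.7"),   # same address, correct interface
    ("cust-x", "192.0.2.10"),     # unknown interface
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(PACKETS)
    print("forwarded:", forwarded)
    print("dropped:  ", dropped)
```

Because the spoofed query is dropped at the first hop, the resolver never sends its much larger response to the address that was forged, which is why the filter has to be deployed by the ISP serving the sender rather than by the target.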

Sslstrip Tutorial

Description: SSLstrip was released by Moxie to demonstrate the vulnerabilities he spoke about at Blackhat 2009. In this video we will look at how to get started with SSLstrip. We set up 2 vmware machines, one running Windows XP (victim) and the other Backtrack 3 (Attacker). Before we actually begin hacking using SSLstrip, we need to set up the entire Man in the Middle Mechanism and packet redirection / forwarding mechanism. We do this by using the following commands in sequence:

via Sslstrip Tutorial.

This tool assumes a man-in-the-middle setup in which HTTP traffic (port 80) is redirected to a port sslstrip listens on at the attacker’s machine (port 10000 in this video). Sslstrip then intercepts HTTPS traffic and returns HTTP traffic to the victim. The victim, thinking his traffic is encrypted, is transmitting in plain text while sslstrip manages the SSL session with the victim’s destination (e.g. a bank). Since the attack uses HTTP on the victim’s side, the victim’s browser never has to validate an SSL certificate, so the attack is transparent. Detecting it is simple because the browser shows http instead of https in the displayed URL, so an alert victim should know. But not everyone may notice this.
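A defender-side version of the "look for http instead of https" check above, as an added example (not from the video or the sslstrip project): it compares a page as the origin serves it with the copy a client received and reports links that lost their https scheme. It also goes one step beyond the post by reading the origin's Strict-Transport-Security header, which tells returning browsers to refuse plain http for that host. The HTML, header value and host names are constructed.

```python
import re

# Absolute http(s) URLs inside href/action/src attributes.
URL_ATTR = re.compile(r'(?:href|action|src)\s*=\s*["\'](https?://[^"\']+)["\']', re.I)

def split_scheme(url):
    """Return (lower-cased scheme, remainder after '://')."""
    scheme, _, rest = url.partition("://")
    return scheme.lower(), rest

def stripped_links(origin_html, received_html):
    """URLs the origin served as https that reached the client as http."""
    secure = set()
    for url in URL_ATTR.findall(origin_html):
        scheme, rest = split_scheme(url)
        if scheme == "https":
            secure.add(rest)
    downgraded = []
    for url in URL_ATTR.findall(received_html):
        scheme, rest = split_scheme(url)
        if scheme == "http" and rest in secure:
            downgraded.append(url)
    return downgraded

def hsts_max_age(header_value):
    """Seconds from a Strict-Transport-Security value; 0 if missing or invalid."""
    for directive in (header_value or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else 0
    return 0

# Constructed sample: the page as the origin serves it over https ...
ORIGIN_HTML = ('<a href="https://bank.example/login">Sign in</a>'
               '<form action="https://bank.example/session" method="post"></form>'
               '<img src="http://cdn.example/logo.png">')
# ... and the copy a client behind a stripping proxy received.
RECEIVED_HTML = ORIGIN_HTML.replace("https://", "http://")

if __name__ == "__main__":
    print(stripped_links(ORIGIN_HTML, RECEIVED_HTML))
    print(hsts_max_age("max-age=31536000; includeSubDomains"))
```

A result of 0 from `hsts_max_age` means a browser holds no HSTS policy for the host, so spotting the downgrade is left to the user reading the address bar.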

Rackspace, Red Hat Win Decisive Patent Victory

Uniloc USA, Inc. filed the complaint against Rackspace in June 2012 in federal court in the Eastern District of Texas. The complaint alleged that the processing of floating point numbers by the Linux operating system violated U.S. Patent 5,892,697. Rackspace and Red Hat immediately moved to dismiss the case prior to filing an answer. In dismissing the case, Chief Judge Leonard Davis found that Uniloc’s claim was unpatentable under Supreme Court case law that prohibits the patenting of mathematical algorithms. This is the first reported instance in which the Eastern District of Texas has granted an early motion to dismiss finding a patent invalid because it claimed unpatentable subject matter. In the ruling released today, Judge Davis wrote that the asserted claim “is a mathematical formula that is unpatentable under Section 101.”

via Rackspace, Red Hat Win Decisive Patent Victory (NYSE:RHT).

MySQL’s creator on why the future belongs to MariaDB

MariaDB was created to be a drop-in replacement for MySQL. Widenius says that as long as MySQL has a larger user base than MariaDB, remaining drop-in compatibility will be essential, in order to make the transition between the databases trivial.

“However, being a drop-in replacement doesn’t stop us from changing the underlying code to make it faster and better or add new features,” he says.

via Dead database walking: MySQL’s creator on why the future belongs to MariaDB – MariaDB, open source, mysql, Oracle – Computerworld.

Defense Companies Cash in on Gov’t Hyped ‘Cyber-Security’ Threat

Bloomberg News reports that within the past two weeks security contractors Lockheed Martin and Raytheon have signed an agreement under the Department of Homeland Security’s Enhanced Cybersecurity Services program providing new revenue streams and, more notably, unparalleled access to personal information classified as “U.S. government data.”

via Defense Companies Cash in on Gov’t Hyped ‘Cyber-Security’ Threat | Common Dreams.

Android Trojan Found in Targeted Attack

After the installation, an application named “Conference” appears on the desktop

via Android Trojan Found in Targeted Attack – Securelist.

Some sort of malware for Android is in the wild. Theoretically, any app one loads on any computer can be malicious. This was spread via email, but the next line highlights something:

If the victim launches this app, he will see text which “enlightens” the information about the upcoming event:

Note the highlighted text. If you don’t want to become a victim, don’t launch applications unless you know why they are there. Here is the extent of the damage from this piece of malware:

While the victim reads this fake message, the malware secretly reports the infection to a command-and-control server. After that, it begins to harvest information stored on the device. The stolen data includes:

  • Contacts (stored both on the phone and the SIM card).
  • Call logs.
  • SMS messages.
  • Geo-location.
  • Phone data (phone number, OS version, phone model, SDK version).

A lot of legitimate applications transmit this information back to home base.  I don’t see this piece of malware being that big of a deal.  Rule of thumb:  Don’t install any .apk files from untrusted sources — like random emails.  If you do happen to install a malicious application, don’t open any app unless you know what it is and why it is there.

Honeypot Stings Attackers With Counterattacks

The PHP portion included a field for “members” to enter their “secret code” to enter the “private zone,” he explains. “So it’s a good idea to try a SQL injection attack” there, he says of the lure.

“My script had [a] few checks for some patterns, and when a SQL injection attempt was detected, the script [threw the] Java applet, ‘GUI for member zona. Welcome,'” he says. The Java applet then installed a backdoor on the attacker’s Windows machine, he says.

via Honeypot Stings Attackers With Counterattacks – Dark Reading.

In his research paper (PDF) on the experiment, Sintsov explains it this way: “Obviously, reverse penetration has a number of moral, ethical and legal issues