Jump to content

      













Photo

Hackers get hold of critical internet flaw


  • Please log in to reply
17 replies to this topic

#1 martini

martini
  • Member
  • 2,444 posts

Posted 27 July 2008 - 09:08 AM

http://www.canada.co...19-463760d0f39f

Hackers get hold of critical Internet flaw
"We are in a lot of trouble," says expert. "This is a big deal."

Glenn Chapman
AFP

Friday, July 25, 2008

A skull-and-crossbones symbol is placed over a computer keyboard at a 'hacker academy' in Paris, France. Internet security researchers on Thursday warned that hackers have caught on to a "critical" flaw that lets them control traffic on the Internet.



by Thu Jul 24, 7:33 PM ET

Internet security researchers are warning that hackers have caught on to a "critical" flaw that lets them control traffic on the Internet.

An elite squad of computer industry engineers that labored in secret to solve the problem released a software "patch" two weeks ago and sought to keep details of the vulnerability hidden at least a month to give people time to protect computers from attacks.

"We are in a lot of trouble," said IOActive security specialist Dan Kaminsky, who stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants to collaborate on a solution.

"This attack is very good. This attack is being weaponized out in the field. Everyone needs to patch, please," Kaminsky said. "This is a big deal."

DNS is used by every computer that links to the Internet and works similar to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

The vulnerability allows "cache poisoning" attacks that tinker with data stored in computer memory caches that relay Internet traffic to its destination.

Attackers could use the vulnerability to route Internet users wherever the hackers wanted, no matter what website address is typed into a web browser.

The threat is greatest for business computers handling online traffic or hosting websites, according to security researchers.

The flaw is a boon for "phishing" cons that involve leading people to imitation web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

"I was not intentionally seeking to cause anything that could break the Internet," Kaminsky said Thursday during a conference call with peers and media. "It's a little weird to talk about it out loud."

Kaminsky built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability. As of Thursday, slightly more than half the computers tested at the website still needed to be patched.

"People are spending tens of thousands of hours getting this patch out the door," Kaminsky said.

The US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, is among the chorus urging people to quickly protect computers linked to the Internet.

"Just like you should wear a seat belt going down the road to be safe in a car accident, the same applies here," said Jerry Dixon, a former director of cyber security at the US Department of Homeland Security.

"The patch is your seat belt. The exploit is out there and you definitely need to take precautions. Now is not the time to keep waiting."

Two "exploits," software snippets that take advantage of the vulnerability, have been unleashed on the Internet in the past 24 hours, Securosis analyst Rich Mogul said during the conference call.

"The threat is there," Mogul said.
© AFP 2008

#2 amor de cosmos

amor de cosmos

    BUILD

  • Member
  • 4,448 posts

Posted 27 July 2008 - 11:40 AM

the site says my computer seems to be safe :)

#3 martini

martini
  • Member
  • 2,444 posts

Posted 07 August 2008 - 08:15 PM

the site says my computer seems to be safe :)


Safe here too.
Looks like most of us home users should be fairly safe. This is like the Wild Wild West!
--------------------------------------------------------------------
Internet flaw a boon to hackers

Glenn Chapman
AFP

Thursday, August 07, 2008

While most businesses are still hustling to protect their Internet traffic, 15 per cent Fortune 500 companies have "done nothing" to defend their computers.
CREDIT: Justin Sullivan/Getty Images
While most businesses are still hustling to protect their Internet traffic, 15 per cent Fortune 500 companies have "done nothing" to defend their computers.

Computer security professionals crammed into a Las Vegas ballroom on Wednesday for the first public briefing on an Internet flaw that lets hackers hijack traffic on the World Wide Web.

"There is bunch of weird (stuff) going on out there right now," expert Dan Kaminsky told AFP, confirming that attacks are being launched online despite efforts to conceal and patch the vulnerability in the Internet's foundation.

Kaminsky, the director of IOActive penetration testing, was met with applause and cheers when he stepped to a podium at the premier Black Hat conference to reveal details of an attack that is a boon to ill-willed hackers.

An elite squad of computer industry engineers labored in secret to solve the problem, and released a software "patch" in early July but sought to keep details of the vulnerability hidden until Black Hat to give people time to protect computers from attacks.

The Domain Name System (DNS) flaw was figured out and spread online within two weeks of the patch's release and US telecom giant AT&T was the first confirmed victim of an attack.

Kaminsky said that while most businesses are still hustling to protect their Internet traffic, 15 per cent of Fortune 500 companies have "done nothing" to defend their computers.

"How do you force a server to 1.badguy.com?" Kaminsky asked rhetorically as he addressed the crowd. "Oh, let me count the ways. God, it's good to be finally able to talk about this stuff."

Kaminsky stumbled upon the DNS vulnerability about seven months ago and reached out to industry giants to collaborate on a solution.

DNS is used by every computer that links to the Internet and works similar to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

The vulnerability allows "cache poisoning" attacks that tinker with data stored in computer memory caches that relay Internet traffic to its destination.

The flaw has existed since 1983 and may well have been exploited without victims noticing.

The vulnerability also lets hackers hijack emails and supposedly secure online transactions.

The potential for using it as a weapon in nation-sanctioned cyber war or organized crime sprees were "wide open," said Jerry Dixon, former director of cyber security for the US Department of Homeland Security.

"I've spent the last month terrified of large companies having all their email stolen because of a bug I found out about," Kaminsky said.

The vulnerability is centered in servers used by companies to access the Internet and handle email.

Home computer users whose online activities are channeled through Google, Yahoo, Microsoft or other major Internet properties should be safe because those firms have been alerted to the problem, according to Kaminsky.

"Most home users are more likely than not operating in a protected environment," Kaminsky said. "It is more likely they will be less protected at work that when they are at home."

That is because some companies have yet to safeguard their computer networks.

The patch is a temporary fix and doesn't defend against every kind of what is referred to as a "man in the middle" attack.

The US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, is among the chorus urging people to quickly protect computers linked to the Internet.

Kaminsky built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability. On Wednesday, he released details of the vulnerability on the website.

"We have to get better about fixing the infrastructure," Kaminsky said. "We got lucky fixing this bug but may not be so lucky next time."

In a warm touch, Kaminsky's grandmother Raia Maurer baked cookies for the security experts attending her grandson's talk.

"I'm so proud of him," Maurer said. "He explained it so even I can understand it."
© AFP 2008

#4 martini

martini
  • Member
  • 2,444 posts

Posted 18 December 2008 - 09:57 AM

In today's TC:

Microsoft releases emergency patch for perilous IE flaw

AFP

Tuesday, December 16, 2008


SAN FRANCISCO – Microsoft has released an emergency patch to fix a perilous software flaw allowing hackers to hijack Internet Explorer browsers and take over computers.

The U.S. software giant said Tuesday that in response to "the threat to customers" it immediately mobilized security engineering teams worldwide to deliver a software cure "in the unprecedented time of eight days."

The patch is available at http://www.microsoft...n/ms08-078.mspx

Researchers at software security firm Trend Micro say attacks based on the vulnerability in the world's most popular Web browser are "spreading like wildfire" with millions of computers already compromised.

Microsoft typically releases patches for its software on the second Tuesday of each month and rushing this fix to computer users out-of-cycle is testimony to the severe danger of the threat, according to Trend Micro.

"When the patch is released people should run, not walk, to get it installed," said Trend Micro advanced threat researcher Paul Ferguson.

"This vulnerability is being actively exploited by cyber-criminals and getting worse every day."

Trend Micro has identified about 10,000 websites that have been infected with malicious software that can be surreptitiously slipped into visitors' unprotected IE browsers to take advantage of the flaw.

Hackers can take control of infected computers, steal data, redirect browsers to dubious websites, and use machines for devious activities such as attacks on other networks, according to security specialists.

"What makes this so insidious it takes advantage of a big gaping hole of IE, which has the largest install base of any browser on the market," Ferguson said.

IE is used on nearly three-quarters of the world's computers, according to industry statistics from November.
© Canwest News Service 2008
http://www.canada.co...html?id=1083022

#5 mat

mat
  • Member
  • 2,070 posts

Posted 18 December 2008 - 08:17 PM

Martini - thanks for posting that. Us Mac people are going 'told you so', although unix systems (which are the base for Mac OS) are now getting hacker attention.

Having worked developing corporate websites for over a decade I cannot understand why anyone would use either a MS OS individual computer, or even worse a MS coded web server - but then, it took years of PHD qualified experts to teach me that UNIX has built in stability and DOS is flawed from the start.

My advice - buy a computer you can afford, if not MAC OS, then go Linux.

#6 martini

martini
  • Member
  • 2,444 posts

Posted 18 December 2008 - 10:41 PM

Martini - thanks for posting that. Us Mac people are going 'told you so', although unix systems (which are the base for Mac OS) are now getting hacker attention.

Having worked developing corporate websites for over a decade I cannot understand why anyone would use either a MS OS individual computer, or even worse a MS coded web server - but then, it took years of PHD qualified experts to teach me that UNIX has built in stability and DOS is flawed from the start.

My advice - by a computer you can afford, if not MAC OS, then go Linux.


Interesting. I don't think I'll be able to get out of the Windows world, but I never did use Explorer or Outlook. What you're saying about DOS makes sense.
Did you ever see the movie Pirates of Silicon Valley?

#7 Bingo

Bingo
  • Member
  • 16,666 posts

Posted 08 November 2011 - 03:52 PM

Cyber warfare: A different way to attack Iran's reactors

(CNN) -- A report expected this week from the International Atomic Energy Agency (IAEA) has Israel abuzz with talk of the potential for a pre-emptive strike on Iran's nuclear facilities.

Western diplomats have told CNN that the report says Iran has mastered the critical steps necessary to design and build a nuclear weapon.

Missiles are not, of course, the only way to launch an attack.
Iran's nuclear facilities are under siege from cyber attacks. And one, the Stuxnet virus, was able to penetrate Iran's Natanz nuclear facility, researchers say.

How did it work?

More:

http://edition.cnn.c....html?hpt=hp_c2

#8 Bingo

Bingo
  • Member
  • 16,666 posts

Posted 24 June 2016 - 10:17 PM

A photo circulating online of Facebook CEO Mark Zuckerberg's personal laptop has ignited a conversation about data security, and how people can protect themselves against hackers.

The photo shows a smiling Zuckerberg sitting next to his laptop. But the curious thing is that his computer's camera and microphone are covered with tape.

Covering a computer's camera doesn't protect the device from being hacked, but it does prevent a hacker from being able to see whatever the camera sees. Covering a laptop's microphone can muffle the audio enough to prevent a hacker from listening in, uninvited.

http://www.cbc.ca/ne...-tape-1.3649678

 



#9 Bingo

Bingo
  • Member
  • 16,666 posts

Posted 07 September 2017 - 04:00 PM

Cyber criminals have accessed sensitive information -- including names, social security numbers, birth dates, addresses, and the numbers of some driver's licenses.

Additionally, Equifax said that credit card numbers for about 209,000 U.S. customers were exposed, as was "personal identifying information" on roughly 182,000 U.S. customers involved in credit report disputes. Residents in the U.K. and Canada were also impacted.

The breach occurred between mid-May and July, Equifax said. The company said it discovered the hack on July 29.

The data breach is one of the worst ever, by its reach and by the kind of information exposed to the public.

http://money.cnn.com...each/index.html



#10 Bingo

Bingo
  • Member
  • 16,666 posts

Posted 04 January 2018 - 01:33 PM

 Billions of devices are affected by two major security flaws revealed by cybersecurity researchers on Wednesday.

The flaws -- dubbed Meltdown and Spectre -- affect processing chips made by Intel (INTC)AMD(AMD) and ARM Holdings. That means if you use a desktop, laptop, smartphone or cloud service from Apple (AAPL)Google (GOOGL)Amazon (AMZN) or Microsoft (MSFT) you might be vulnerable.

Intel says it is working with AMD and ARM to fix the problem, and many tech firms have already released -- or are about to release -- software updates to secure their devices.

Microsoft has already released security updates for Windows users, and is taking steps to protect users of its cloud computing services. Google and Amazon are also updating their cloud services. Apple did not respond to a request for comment.

http://money.cnn.com...iner/index.html



#11 Bingo

Bingo
  • Member
  • 16,666 posts

Posted 04 January 2018 - 01:55 PM

If the hackers already work for the people doing the updates, things could get worse.



#12 On the Level

On the Level
  • Member
  • 1,151 posts

Posted 04 January 2018 - 06:30 PM

There could be a lot of money to be made to get your organizations apps out of the cloud....   5 years out?



#13 sebberry

sebberry

    Resident Housekeeper

  • Moderator
  • 17,931 posts
  • LocationVictoria

Posted 04 January 2018 - 09:00 PM

There could be a lot of money to be made to get your organizations apps out of the cloud....   5 years out?

 

I dunno.  We all seem to tolerate it when big companies are hacked now.  I think we assume there will be protections in place for us individuals if our own information is hacked. 

 

Way too much complacency.


Victoria current weather by neighbourhood: Victoria school-based weather station network

Victoria webcams: Big Wave Dave Webcams

 


#14 PraiseKek

PraiseKek
  • Member
  • 354 posts

Posted 06 January 2018 - 06:44 PM

Specter is a problem with the design of chips from all manufacturers. Branch prediction / speculative execution was a feature in Intel Pentium II chips. Basically the gist of it is modern CPUs execute multiple paths of a program at once and then when the result of something is determined the non-relevant paths are discarded. This optimizes waiting around for slow things like hard disks and RAM. Problem is you can basically read the results of those other paths using some cleaver jiggery pokery. 

 

The next generation of CPUs will probably clear out the CPU registers or restrict reading them in some way but the bottom line is the next generation of chips might not be much faster.



#15 LJ

LJ
  • Member
  • 8,586 posts

Posted 06 January 2018 - 07:43 PM

But is everybody happy with a possible 30% loss in processing speed when the fix is made?


Life's a journey......so roll down the window and enjoy the breeze.

#16 Matt R.

Matt R.
  • Member
  • 1,877 posts

Posted 06 January 2018 - 09:35 PM

Just went from a 2011 Mac mini to an Intel i7 7700k, I won’t be noticing any reduction in speed.

Matt.

#17 sebberry

sebberry

    Resident Housekeeper

  • Moderator
  • 17,931 posts
  • LocationVictoria

Posted 07 January 2018 - 09:37 AM

But is everybody happy with a possible 30% loss in processing speed when the fix is made?

 

People got all bent out of shape when their VW diesel went from 50 to 47mpg after the fix, so I'm guessing they're going to be quite cross with Intel. 


  • Matt R. likes this

Victoria current weather by neighbourhood: Victoria school-based weather station network

Victoria webcams: Big Wave Dave Webcams

 


#18 lanforod

lanforod
  • Member
  • 6,681 posts
  • LocationSaanich

Posted 07 January 2018 - 10:14 AM

There will be very little actual performance hit here for 99%+ of people. The media really blew that part of the news out of proportion.


Edited by lanforod, 07 January 2018 - 10:14 AM.


 



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


To advertise on VibrantVictoria, call us at 250-884-0589.