Expert finds vulnerabilities in Microsoft browser | Reuters

 

Expert finds vulnerabilities in Microsoft browser

BOSTON (Reuters) - A security research firm said it discovered another set of vulnerabilities in Internet Explorer, a day after Microsoft Corp patched the Web browser following a high-profile cyber attack on Google in China.

 

The software maker issued a patch on Thursday to fight malicious software that was used in the attack on Google Inc and dozens of other companies which operate in China.

Research firm Core Security Technologies said on Friday that it discovered another set of vulnerabilities in Internet Explorer that hackers can link together and exploit, to remotely access all of the data on a personal computer.

"There are three or four ways to conduct this type of attack," said Jorge Luis Alvarez Medina, a security consultant with Boston-based Core, who will demonstrate the vulnerability at the Black Hat security conference in Washington, which begins February 2.

A spokeswoman for Microsoft said she could not immediately comment on the matter.

Alvarez Medina said hackers can exploit a string of four or five minor vulnerabilities in Internet Explorer, which is used on hundreds of millions of PCs around the world.

Although none of the vulnerabilities are serious enough to compromise a machine, a hacker could take control of a PC by exploiting all of them at once, he said.

The combination would overwhelm the browser, giving a hacker access to all data on the PC after a user clicks on a malicious link, he said.

Alvarez Medina added that he was uncertain whether any hackers had already exploited the weaknesses, which Microsoft has yet to patch.

He said that Core was working with Microsoft to find a way to mitigate the risk, but added that he believed other vulnerabilities would crop up even after a solution to these.

"It is likely that people will come up with new ones over time," he said.

(Reporting by Jim Finkle, editing by Leslie Gevirtz)

'Trivial' Passwords Enabled Huge Hack

 

 

The hackers who stole and published 33 million passwords from the Rockyou.com website in December needn't have bothered, a security company has revealed. Many of them were so trivial they could have been guessed anyway.

According to a new analysis of the hacked passwords, the most popular password used on the Rockyou site was '123456'. Ridiculously, the second most popular password was '12345' closely followed (in order) by '12345687', 'Password', 'iloveyou', 'princess', and the imaginative 'rockyou'.

To put the use of '123456' into perspective, it was used on 290,731 accounts out of the nearly 33 million, which sounds small until Imperva reveals that the top 20 passwords were all equally transparent, and around 20 percent of the 5,000 most popular passwords were "names, slang words, dictionary words or trivial passwords." In 20th place, 13,856 accounts secured themselves with the word 'QWERTY'.

Helpfully, Imperva puts this disastrous state of affairs into perspective in its downloadable report that should probably be required reading for companies that do not enforce password complexity. (See "The Art of Creating Strong Passwords" for tips.)

"If a hacker would have used the list of the top 5,000 passwords as a dictionary for brute force attack on Rockyou. com users, it would take only one attempt (per account) to guess 0.9 percent of the users passwords or a rate of one success per 111 attempts," say its authors.

"At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1,000 accounts. And the problem is exponential," which is a technical way of saying that it would have been trivial to hack into many of the accounts one by one even without the serious breach that compromised the whole database.

Such hacking would have had rewards beyond Rockyou -- it is believed that the same passwords on the Rockyou accounts were defaults for user webmail accounts on Gmail, Yahoo, Hotmail, and others.Imperva makes some common sense suggestions on how websites and users can be educated to minimise such unnecessary vulnerability. Put CAPTCHAS on sites -- they slow down brute forcing -- enforce password changes, make users adopt password complexity, and never store or ransmit passwords in the clear.

Businesses are also asked to pay attention to the blurring of work and leisure web browsing.

"Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like '123456'," said Imperva's CTO, Amichai Shulman.

According to Shulman, passwords are no more sophisticated than they were 20 years ago, it's just that vastly more people are now being careless, increasing the potential effects of such naivety.

December's hack of Rockyou.com was blamed on an SQL injection vulnerability that compromised the company's entire and apparently unencrypted database. According to Imperva, the full database was posted for sale after the hacker posted a small portion first.

Google Mots clés : 'Trivial' Passwords Enabled Huge Hack

Google shows renewed vigor with robust 4Q results

 

Google Inc. appears to have regained its financial stride after wobbling through most of 2009.

The Internet search leader strutted its stuff in the fourth quarter, producing a profit that blew past analyst estimates while revenue growth accelerated from a leisurely stroll to a quickening gallop.

The results released late Thursday were driven by an upturn in Internet advertising, the main source of Google's income. More marketing generally coincides with an improving economy, or at least a feeling that things are getting better.

Google also is benefiting from media trends that are shifting more advertising from newspapers and broadcasters to the Internet.

"We are clearly not in a recession right now, but the pace of recovery is different in different markets," Patrick Pichette, Google's chief financial officer, said in a Thursday interview.

The United States so far appears to be bouncing back from the recession quicker than Europe, Pichette said.

Investors seemed disappointed with Google's fourth quarter, largely because the revenue only matched analyst forecasts instead of topping the predictions.

But the pendulum swung once the market had more time to digest the results.

By late Thursday, the company's shares were only 40 cents below their closing price of $582.98 after initially sagging by as much as $33.98, or nearly 6 percent, in extended trading. The shares have doubled in value since the stock market hit its lows last March.

Google made $1.97 billion, or $6.13 per share, in the final three months of 2009. That was up dramatically from income of $382 million at the same time in 2008, when Google's earnings were deflated by charges to reflect the eroding value of some investments.

Fourth-quarter revenue totaled $6.7 billion, a 17 percent increase from a year ago. It also marked the second consecutive quarter in which Google's year-over-year revenue growth has increased, returning the company to the trajectory it had been on before bogging down in the U.S. recession began in December 2007.

"There's some sense of normalcy," Pichette said.

Analysts think Google's revenue could rise by about 20 percent this year -- up from about 9 percent in 2009.

The brightening outlook has encouraged Google to loosen its pursestrings to hire more employees, make more acquisitions and mine new business opportunities such as mobile phones. Investors aren't thrilled with that commitment because Google won't say how much it's prepared to spend, raising worries that its profit margins might not expand as much as its revenue this year.

Google added 170 workers in the fourth quarter, bringing its payroll to 19,835 employees. If it can find enough qualified candidates, Google would like to hire about 2,000 workers this year, with an emphasis on engineering and ad sales, Pichette said.

Eric Schmidt, Google's chief executive, told investors in the conference call that the company will likely make at least one acquisition per month, "some big, more small." The company's biggest pending acquisition is a proposed deal to buy AdMob, a mobile advertising service, for $750 million.

Google's recent decision to sell a mobile phone, called Nexus One, has been particularly vexing for investors because the costs to promote and support the device could be greater than the revenue it brings in for the forseeable future, said Signal Hill Group analyst Todd Greenwald.

If nothing else, the fourth-quarter performance is likely to give people something to talk about other than Google's threat to shut down its China-based search engine and perhaps pull out of the world's most populous country in a dispute over censorship and computer security.

Schmidt didn't say anything new about Google's uncertain future in China during a conference call with analysts. He reiterated that Google hopes to find a way to maintain a presence in China while emphasizing the company intends to stop censoring search results in the country within "a reasonably short time." That plan conflicts with China's restrictions against showing content that the government deems subversive or pornographic.

 

By MICHAEL LIEDTKE

SAN FRANCISCO

Google shows renewed vigor with robust 4Q results - BusinessWeek

Hack de la PS3 : c'est fait ! Attention au piratage de masse

 

Nous venons d'apprendre que la PS3 aurait vient d'être hackée par Georges Hotz, précédemment connu pour avoir été la première personne à être parvenu à désimlocker l'iPhone en 2007.

Au sein du parc de consoles actuelles, force est de constater que le piratage y est bien implanté, ou presque. Cependant, depuis sa sortie en 2006, la PlayStation 3 n'a jamais pu être hackée. Cela s'explique par une architecture matérielle et logicielle somme toute plus complexe que sur les autres machines. Après un large nombre de rumeurs et autres faux espoirs, nous venons d'apprendre que le monolithe de Sony vient d'être véritablement cracké.
L'exploit est signé Georges Hotz, aka Geohot, un gaillard de 20 ans qui s'était précédemment fait connaître pour avoir désimlocké l'iPhone en août 2007. Il vient de spécifier sur son blog qu'il a désormais accès à la lecture et à l'écriture des données de la mémoire du système, mais aussi aux instructions de bas niveau du processeur (l'hyperviseur).
Ainsi, Geohot est parvenu à effectuer des copies du système d'exploitation de bas niveau, ainsi que celui de l'utilisateur. Il spécifie qu'il va maintenant faire de la rétroconception, à savoir étudier le fonctionnement de l'ensemble du système. Il souligne également que sa méthode ne devrait pas être corrompue par un futur firmware de Sony. Pour l'instant, aucune copie ne sera diffusée sur Internet.

La Playstation 3 était la dernière console du marché à ne pas connaitre le piratage, le hack de la PS3 démontré aujourd'hui va clairement changé la donne.

Hack de la PS3 : c'est fait ! Attention au piratage de masse

Should you dump Internet Explorer, NOW?

 

D`oh, now there's a redundant question.

Yesterday, ZDNET blogger Ed Bott asserted that "it's time to stop using IE6." I s-o-o-o-o disagree. For many organizations and all consumers, it's time to stop using any version of Microsoft's browser -- IE6, IE7, IE8 and forget someday releasing IE9. Less than a week ago, the German government told its citizens to switch from Internet Explorer. This is good advice for you, too.

On Thursday (Jan 14), McAfee pegged a previously publicly unknown Internet Explorer exploit as one of the mechanisms used to invade computers or networks among more than 20 U.S. companies. On Tuesday (Jan. 12), Google disclosed the security breaches, which were traced back to China. McAfee dubbed the attacks "Operation Aurora." On Friday (Jan. 15), McAfee and Microsoft reported that code for the zero-day exploit was in the wild, potentially putting millions of Windows PCs at risk.

Bott singled out IE6, presumably because of Microsoft's cleverly worded Thursday blog post, security bulletin and statements to the press. From Thursday's blog post: "Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time." Bott writes: The entry point? According to Microsoft, it's IE6."

I found the IE6-only assertion puzzling since the early version of McAfee's blog post, credited to CTO George Kurtz, explains: "Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7." McAfee later updated the post to say that to date the attacks targeted IE6. Nowhere did Kurtz say that only IE6 was vulnerable to the exploit.

Betanews' Scott Fulton made the right observations early Thursday evening: "One may reasonably ask, just who at Google -- the maker of Chrome, its own Web browser -- would be a potential target who also would happen to be running IE6 on Windows 7 -- a system which, by default, installs IE8?"

Yes, who at Google would run IE6 on Windows 7? Easy answer: A developer looking to ensure IE6 compatibility with new Google services. But even that's a stretch. More likely: IE7 and IE8 are vulnerable to to exploit. On Friday, Microsoft acknowledged this circumsatnce in yet another blog post, and Bott responsibly noted this in his ZDNet post. According to Microsoft: "Newer versions of Internet Explorer are affected by this vulnerability." Updated Microsoft Security Advisory 979352 qualifies the extent of vulnerability in IE7 and IE8 under "mitigating factors." Not everyone is safe, regardless of Internet Explorer version.

The Problem with Mitigating Factors

I've long accused Microsoft of conducting "security by PR" campaigns instead of clearly disclosing security risks. Security by PR seeks to minimize the real risk while disclosing information about a vulnerability. With respect to the Aurora exploit, Microsoft was quick to warn of the risk -- after there had been some disclosure by Google and later McAfee's release of the attack vector's schematics. Initially, Microsoft singled out IE6. In the second blog post and updated 979352 bulletin -- released after it was widely reported that other browser versions are vulnerable -- did Microsoft really come clean; that is creditworthy.

Bott is a responsible journalist, who also knows his way under the hood of Microsoft operating systems. But he also is sometimes too much the Microsoft cheerleader (Whereas I am accused of being a Microsoft critic). In my reading of the updated bulletin, he overlooks like the broader IE risks. Bott writes: "Under the 'Mitigating Factors' heading, the Microsoft Security Response Center specifically notes that the exploit used in this case does not run under IE7 and IE8 in Windows Vista or Windows 7." Perhaps Bott didn't see the v1.1 of the 979352 bulletin before posting.

In the "affected software" section, Microsoft lists IE7 and IE8 running on Windows XP, Vista, 7, Windows Server 2003 and 2008. The "mitigating factors" is downright scary reading, so let's have a Sunday scare and go through them:

1. The MSRC bulletin observes that DEP, Data Execution Protection, is enabled on IE8 running on Windows Vista, XP and 7. Fine, but what about IE7? For December, according to Net Applications, IE 7 browser usage share was a seemingly meager 15.53 percent. IE6 and IE8 were neck and neck with usage share of 20.99 percent and 20.88 percent, respectively. IE usage share for all versions was 62.69 percent in December, meaning that the majority of people weren't automatically protected by DEP. The feature can be manually enabled in IE 7, but how many people will realistically do this? It's on by default in IE8 for a reason.

2. "Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability." Key word is "limits." Protected mode doesn't protect against the attack but only limits it.

3. "An attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability." That's pretty damn self explanatory.

4. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user." The bulletin rightly observes that "users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights." Right, and with the majority of PC users running Windows XP, which default privilege is administrator, how many are likely running as something less? Many larger businesses will limit rights, but most consumers and small businesses won't know the difference. There's a reason why Microsoft lowered default privileges in Windows Vista and 7.

5. According to the MSRP bulletin, the default security setting for IE running on Windows Server 2003 and 2008 is "high." As it should be. But the better security measure is obvious: Never use a Web browser on a server behind the corporate firewall.

6. "By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone." It's a good feature and one that would greatly minimize risks posed by mitigating factor #3. Problem: People will stupidly change this setting because they want to see pretty e-mail and run scripts or ActiveX controls. Microsoft put in the right mechanism, it's too bad some users will create security risk by flipping the switch that allows remote images and scripts to load.

Choose Your Browser Wisely

Some Betanews readers will ask why the Aurora exploit should be reason to dump Internet Explorer? After all, there have been plenty of other exploits. Why now? Answer: The large number of exploits. The newest zero day exploit is yet just another reason to dump Microsoft's browser. Based on declining IE usage share, many Internet users clearly see IE as an anarchism, a browser which belongs to an aging PC-centric business model. According to Net Applications, IE usage share dropped from 69.23 percent to 62.69 percent between February and December. During the same time period, Firefox continued its steady climb, going from 22.58 percent to 24.61 percent. Meanwhile, Chrome soared from 1.54 percent to 4.63 percent usage share -- little more than a year after being released in beta.

There has been plenty of punditry about why Google developed its own browser. It's not rocket science: Internet Explorer. The company's business is all about the Web, where a modern, standards-based browser would be the better way to consume Google products or services. Something else: Internet Explorer 7 and 8 are too complex, offering all kinds of prompts and warnings -- the majority of which deal with privacy or security. By comparison, Chrome and Firefox use simpler, less-prompted approaches that hide security complexity from users. Generally, there only prompts when there is real risk, like trying to navigate to known malicious sites.

Some of that complexity makes IE7 and IE8 dangerous browsers to use. The complexity creates two flipside-of-coin problems:

1. Users become dumb to the prompts and develop click-thru behavior. Who really reads those security prompts or browser bar warnings? It's easy enough to click thru the security warning popup or browser bar prompt blocking some script, ActiveX control or file download. When end users develop the habit of clicking through, they can mindlessly click thru nefarious popups, thus downloading unwanted malware.

In fairness, IE7 and IE8 pack some nifty safety tricks, like "Protected Mode." But couldn't these work silently without other security features teaching users bad habits? The better approach would be to prompt only when there is high risk, so that people pay attention. Google and Mozilla take this more sensible approach.

2. IE7 and IE8 complexity lead to false senses of security. If there's no prompt or warning, then users can feel the Website is safe. The Aurora exploit demonstrates attack is still possible without warning. Users aren't safe. This is the flipside of Microsoft's problem of offering IE users too many prompts.

The point: Ed Bott is right to assert that "any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice." But should anyone run IE7 or IE8? I say absolutely not. Microsoft has hoisted big usability and ongoing security problems onto Internet Explorer users. Two reasons why:

• Backwards compatibility is one of Microsoft's top design priorities
• Microsoft has too much invested in legacy Internet Explorer to start over

But start over, with a WebKit based browser, is what I recommended in September. It's particularly sensible in the mobile device market, where between November and December, Web surfing from Android handsets rose 54 percent, according to Net Applications. Windows Mobile didn't even make the Top 5, which included Java ME.

I often have wondered why Microsoft hasn't produced a decent mobile browser, and plenty of other technophiles have voiced confusion about this matter, too. What if security is a major reason -- that Microsoft is finding it hard to release a decent mobile browser without all the desktop baggage? Surely, Microsoft's mobile leadership can't be that incompetent not to realize how important the mobile browsing market is becoming. There must be another reason why Microsoft can't release a decent mobile browser.

This long post ends with two simple questions: What is your primary Web browser? If the answer is some version of Internet Explorer, why? I switched to Chrome, after so expectantly hoping Microsoft would fix in IE8 the usability problems pervasive in IE7.

Google Mots clés : The end of IE, Internet explorer hacked, Microsoft Internet explorer

Apple turns up heat in Nokia battle

 

HELSINKI (Reuters) - Nokia said it would defend itself vigorously against Apple's new complaint to the United States International Trade Commission.

Technology  |  Media

The two phone giants are in the midst of a major legal battle, which started last October when Nokia charged Apple for using its patented technologies without paying for them.

Apple filed the new ITC complaint on Friday.

"Nokia will study the complaint when it is received and continue to defend itself vigorously," said a company spokesman.

"However, this does not alter the fact that Apple has failed to agree appropriate terms for using Nokia technology and has been seeking a free ride on Nokia's innovation since it shipped the first iPhone in 2007," he said.

In late December Nokia also filed a claim with the ITC, alleging Apple infringed seven of its patents in "virtually all of its mobile phones, portable music players, and computers" sold.

"The fact that two such prominent companies have now filed complaints will likely mean the ITC will seek to deal with this as a matter of urgency," said Ben Wood, head of research at British consultancy CCS Insight.

"That said, a lengthy legal battle is almost inevitable irrespective of a decision from the trade commission," he said.

The ITC can ban selling products in the United States -- a market crucial for Apple, but Nokia makes only a fraction of its sales there.

Analysts say it could take years to solve the legal battle.

"This dispute is still in its infancy. I don't think Nokia is finished with evaluating the infringements by Apple, it might be just the surface," said Steven Nathasingh, chief executive of U.S. research firm Vaxa Inc.

Nokia, along with Ericsson and Qualcomm, holds many key patents for making mobile phones.

Nokia has stumbled badly in the fast-growing smartphone sector and relative newcomer Apple has gained ground against the market leader thanks to the iPhone, but still trails Nokia in smartphones sales.

The legal dispute, potentially involving hundreds of millions of dollars in annual royalties, reflects the shifting balance of power in the mobile industry as cellphones morph into handheld computers that can play video games and surf the Web.

Apple, which entered the industry in mid-2007, overtook Nokia in the September quarter as the cellphone maker generating the highest total operating profit.

Google Mots clés : Nokia, Apple, iphone vs nokia

Cyber-attaques contre Google: des experts accusent les autorités chinoises

 

Le siège de Google à Pékin, couvert de fleurs après que l'entreprise a annoncé qu'elle ne comptait plus censurer les résultats de son moteur de recherche, le 12 janvier 2010/REUTERS/J.LEE

SECURITE - Selon leurs premières observations, l'attaque est trop sophistiquée pour être due à un simple pirate...

De notre correspndant à Los Angeles

Un célèbre adage diplomatique américain dit «Parle doucement mais porte un gros bâton». Depuis mardi, tout le monde marche sur des œufs suite à la révélation par Google des cyber-attaques dont il a été victime avec une vingtaine d'autres compagnies en Chine.

Certes Google a expliqué que l'attaque semblait avoir visé des comptes Gmail de militants des droits de l'homme. Oui, il en a profité pour menacer de se retirer de Chine si les autorités n'assouplissaient pas leur politique de censure. De son côté, Washington a également indiqué vendredi qu'il allait demander «dans les prochains jours» des explications à Pékin pour savoir si les autorités comptaient «enquêter et engager des poursuites». Mais toute le monde s'est bien gardé d'accuser le gouvernement chinois directement.

D'autres ont moins de réserve. Carlos Carillo est un consultant pour Mandiant, un groupe spécialiste en cyber-sécurité. Google a fait appel à lui et d'autres pour enquêter sur l'attaque. Il livre ses premières conclusions à Computer World. «La qualité du code pointe-t-elle vers un support des autorités chinoises?» «Je dirais que oui», répond-il. Selon lui, le malware utilisé lors de l'attaque «est unique», l'un des «plus sophistiqués» qu'il a vus depuis des années.

Des attaques courantes

Contacté par 20minutes.fr, Mandiant s'en tient à ce premier diagnostique. L'entreprise précise que «l'attaque est du niveau habituellement visant les Etats, pas les entreprises». Même son de cloche chez McAfee, qui précise qu'une faille jusqu'ici non connue dans Internet Explorer aurait été exploitée –d'autres vecteurs semblent également avoir été utilisés.

Un point est troublant dans l'histoire. Google dit avoir contacté d'autres entreprises touchées, et personne n'a semblé vouloir parler publiquement de l'affaire. De telles attaques arrivent régulièrement mais sont gardées sous silence, explique à 20minutes.fr un expert en sécurité qui souhaite rester anonyme. Contre des entreprises, mais aussi des pays. Les Etats-Unis, la France, et Chine ou la Russie: tout le monde dispose de cyber-espions, selon lui.

Google Mots clés : cyber crime, cyber attaque, google hacked, chine drot de l'homme

La France et l'Allemagne déconseillent l'utilisation d'Internet Explorer

 

Deux organismes allemands et français ont émis une mise en garde en fin de semaine contre l'utilisation d'Internet Explorer, demandant à Microsoft de régler les défauts de sécurité de son navigateur. Jeudi 14 janvier, le géant américain du logiciel avait annoncé qu'une faille de sécurité de son navigateur avait été exploitée pour mener les cyber-attaques qui ont poussé Google à menacer de cesser ses activités en Chine (Voir l'enquête du Monde "L'avenir incertain de Google en Chine").

 

 

Navigateurs : Microsoft tente d'apaiser la Commission européenne

Suite à cette annonce, l'Office fédéral allemand pour la sécurité de l'information (BSI) a demandé aux Allemands de cesser d'utiliser Internet Explorer. De son côté, le Certa (Centre d'expertise de réponse et de traitement des attaques informatiques) recommande depuis vendredi "l'utilisation d'un navigateur alternatif" à Internet Explorer "dans l'attente d'un correctif". Selon le Certa, une "vulnérabilité" dans le navigateur "permet à une personne malintentionnée d'exécuter du code arbitraire à distance". Cette mise en garde concerne les versions 6, 7 et 8 d'Internet Explorer.

Microsoft a toutefois rejeté ces accusations, assurant que les défauts de sécurité rencontrés par Google ne concernent pas les particuliers. Selon Microsoft, la faille rencontrée cette semaine peut être solutionnée en réglant les paramètres de sécurité du navigateur sur "élevé". Mais selon le BSI, cette disposition est insuffisante. "Utiliser Internet Explorer en 'mode sécurité' rend les attaques plus difficiles, mais ne les empêche pas complètement", explique le BSI. Le Certa conseille de son côté de naviguer avec un compte aux droits limités quel que soit le navigateur, et de désactiver les fonctions JavaScript et ActiveX, ce qui peut toutefois rendre inaccessibles certains sitess.

Selon le site Market Share, 63 % des internautes utilisent Internet Explorer, contre 25 % pour Firefox.

Google Mots clés : Google chine, Internet expolrer, piratage