Friday, January 21, 2005

Flaw found in Office encryption

Flaw found in Office encryption:

“The data protection feature in Microsoft Word and Excel documents has a major flaw that could allow snoopers to decode password-protected files, a security researcher has warned.

The problem arises because Microsoft programmers did not implement the encryption correctly in its Office applications, Hongjun Wu, a cryptographer at the Institute of Infocomm Research in Singapore, wrote in a paper on the topic.

‘A lot of information could be retrieved from those encrypted files,’ Wu said in the paper. ‘If anyone has used the encryption in Microsoft Office...then it is time for him/her to assess the damage that has been caused.’

The current issue is almost identical to the weak system key issue in 1999, said Bruce Schneier, chief technology officer of Counterpane Internet Security and author of "Applied Cryptography."

"This is a kindergarten crypto mistake," Schneier said. "And to make it twice is worse."

Schneier, who wrote about the issue on his blog earlier this week, hammered at Microsoft for not learning from past mistakes.

Microsoft RC4 Flaw

One of the most important rules of stream ciphers is to never use the same keystream to encrypt two different documents. If someone does, you can break the encryption by XORing the two ciphertext streams together. The keystream drops out, and you end up with plaintext XORed with plaintext -- and you can easily recover the two plaintexts using letter frequency analysis and other basic techniques.

The easy way to prevent this attack is to use a unique initialization vector (IV) in addition to the key whenever you encrypt a document.

Microsoft uses the RC4 stream cipher in both Word and Excel. And they make this mistake. Hongjun Wu has details (link is a PDF).

In this report, we point out a serious security flaw in Microsoft Word and Excel. The stream cipher RC4 [9] with key length up to 128 bits is used in Microsoft Word and Excel to protect the documents. But when an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is applied to encrypt the different versions of that document. The consequence is disastrous since a lot of information of the document could be recovered easily.

This isn't new. Microsoft made the same mistake in 1999 with RC4 in WinNT Syskey. Five years later, Microsoft has the same flaw in other products.”


http://www.schneier.com/blog/archives/2005/01/microsoft_rc4_f.html

http://eprint.iacr.org/2005/007.pdf

http://news.zdnet.com/2100-1009_22-5543940.html?tag=nl.e589
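As an added illustration of the keystream-reuse flaw in the Office item above (example code written for this post, not Wu's, Schneier's, or Microsoft's; the SHA-256 key derivation and the sample drafts are constructed and are not Office's actual scheme): saving two versions of a document under the same password and an IV that never changes yields one RC4 keystream for both, so XORing the ciphertexts cancels the keystream, while a fresh IV per save does not.

```python
import hashlib
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns n keystream bytes for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))


def derive_key(password: bytes, iv: bytes) -> bytes:
    # Constructed stand-in for a password+IV key derivation (not Office's).
    return hashlib.sha256(password + iv).digest()[:16]


def save_reusing_iv(password: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Flawed pattern: every save reuses the IV already stored in the file,
    so every version of the document is XORed with the same keystream."""
    return rc4_encrypt(derive_key(password, iv), plaintext)


def save_fresh_iv(password: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """The fix: draw a new random IV on each save and store it beside the
    ciphertext, so no two versions ever share a keystream."""
    iv = os.urandom(16)
    return iv, rc4_encrypt(derive_key(password, iv), plaintext)


def unchanged_byte_positions(c1: bytes, c2: bytes) -> list[int]:
    """With a shared keystream, c1 XOR c2 == p1 XOR p2: zero bytes mark
    exactly where the two versions are identical (the keystream drops out)."""
    return [i for i, b in enumerate(xor(c1, c2)) if b == 0]


def recover_second_version(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Damage assessment: if one version's text is known (an earlier, less
    sensitive draft), the other version falls out without the key."""
    return xor(xor(c1, c2), known_p1)


# Constructed sample drafts of equal length (63 bytes each).
V1 = b"Draft 1: Q4 revenue TBD          ; no staffing changes planned."
V2 = b"Draft 2: Q4 revenue USD 1.2M down; 40 layoffs planned in March."


def demo() -> dict:
    password = b"correct horse"
    iv_in_file = bytes(16)  # constructed: the IV that never changes on save
    c1 = save_reusing_iv(password, iv_in_file, V1)
    c2 = save_reusing_iv(password, iv_in_file, V2)
    iv_a, d1 = save_fresh_iv(password, V1)
    iv_b, d2 = save_fresh_iv(password, V2)
    return {
        "unchanged_positions": unchanged_byte_positions(c1, c2),
        "recovered_v2": recover_second_version(c1, c2, V1),
        "fixed_leaks_diff": xor(d1, d2) == xor(V1, V2),  # False with fresh IVs
        "fixed_ivs_differ": iv_a != iv_b,
    }
```

Nothing here depends on RC4 in particular; any stream cipher, or a block cipher in CTR mode, fails the same way once a key and IV pair is reused.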

Latest MSN Messenger Worm Can Hijack System Info

Latest MSN Messenger Worm Can Hijack System Info:

“The latest threat follows October's Funner worm attack and signals a growing trend to use instant messaging as a delivery mechanism for malicious activity.

According to an advisory from F-Secure, the new W32/Bropia-A worm uses MSN Messenger to lure users into downloading one of the following files: "Drunk_lol.pif"; "Webcam_004.pif"; "sexy_bedroom.pif"; "naked_party.pif"; or "love_me.pif."

Once executed, Bropia-A also drops a variant of the Rbot backdoor Trojan. Rbot represents the large family of backdoors fitted with the ability to control a victim's machine remotely by sending specific commands via IRC channels.

F-Secure warned that the bot can also be used to hijack system information, log keystrokes, relay spam or steal sensitive data. Bropia.A can also disable a mouse's right button and manipulate Windows mixer volume settings, according to the company.”


http://www.eweek.com/article2/0,1759,1752988,00.asp?kc=ewnws012105dtx1k0000599

Sun Fixes Critical Java Plug-In Flaws

Sun Fixes Critical Java Plug-In Flaws:
“A pair of vulnerabilities in the Sun Java Plug-In technology could put users at risk of system bypass attacks, Sun Microsystems Inc. confirmed Thursday.

The Santa Clara, Calif.-based company said the more serious of the two vulnerabilities could allow an untrusted applet to elevate privileges through JavaScript calling into Java code. For example, an untrusted applet may grant itself permissions to read and write local files, or may execute local applications that are accessible to the user running the untrusted applet.

A second bug may allow an untrusted applet to inappropriately interfere with another applet in the same Web page, the company said, noting that the interference may cause the applet to incorrectly load non-code resources such as files and Web pages.

The Java Plug-in technology is included as part of the Java 2 Runtime Environment, Standard Edition (JRE). It is used to establish a connection between popular browsers and the Java platform, allowing applets on Web sites to be run within a browser on the desktop.

Independent security research firm Secunia rates the flaws as "extremely critical," and it is urging users to apply the vendor patches immediately.

Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java SDK 1.3.x and Sun Java SDK 1.4.x.”

http://www.eweek.com/article2/0,1759,1753018,00.asp?kc=ewnws012105dtx1k0000599

'Evil Twin' Haunts Wi-Fi Users

'Evil Twin' Haunts Wi-Fi Users:
“An IT security expert, an academic and the U.K. government's cybercrime unit will give Londoners an introduction to the security dangers of wireless networking on Thursday—with the star of the show being an attack method dubbed the "Evil Twin."

The Evil Twin is essentially a wireless version of a phishing scam—users think they're connecting to a genuine hot spot but are actually connecting to a malicious server, which can then extract information such as bank details. The attack can be carried out by anyone with the right equipment in the vicinity of a legitimate base station, according to Dr. Phil Nobles, wireless Internet and cybercrime expert at the U.K.'s Cranfield University.

"The [malicious base station] jams the connection to a legitimate base station by sending a stronger signal within close proximity to the wireless client, thereby turning itself into an 'Evil Twin,'" Nobles said in a statement. Users are invited to connect via a fake log-in prompt, he said. Nobles will be demonstrating this and other attack methods at the Science Museum in London.

The free event—which also includes presentations from the U.K.'s National High Tech Crime Unit and an IT security specialist—is designed to give the public some idea of the potential dangers they face when using public Wi-Fi hot spots. The U.K. has one of the highest concentrations of Wi-Fi hot spots in the world, with over 1,000 commercial hot spots in London alone. Overall, the U.K. has more than 9,300 hot spots, second only to the United States, with more than 22,000, according to online Wi-Fi guide Jiwire.com.

Users can mitigate most problems simply by turning security measures on. Most wireless laptops ship with security deactivated.”

http://www.eweek.com/article2/0,1759,1752906,00.asp?kc=ewnws012105dtx1k0000599

Thursday, January 20, 2005

Diligently maintain your firewall and antivirus software

Diligently maintain your firewall and antivirus software:
“The most tempting target for a veteran cracker is a developer’s network because beating top programmers puts a feather in their hat. While a server that contains unencrypted personal financial records is a favorite mark for crooks out to make money, some of the most skilled crackers still see breaking other people’s work as a fun game. For them, penetrating a development platform is the best way to find confidential code, plant a back door, or prove their chops by showing what they can do.…

Developer networks are often the least secure in the company because these networks must be open enough to share code easily, have actual code rather than just compiled programs, and frequently contain older versions of protocols and software. It's essential to have a firewall between the network and the rest of the company, as well as between the developer network and the Internet (unless under the rare circumstances in which the workgroup is all located in one office and uses a dedicated network without any outside access).

Developer networks also tend to get the least security maintenance. Programmers are so busy, and management may think that since the programmers are experts their network doesn’t need special attention. Developers are likely doing the most time-sensitive, mission-critical jobs in the company, and no one wants to be blamed for shutting down a network by applying a patch that doesn’t work right or by kicking all the users off for routine maintenance.

If security software was perfect, you could lock down the developer network with a solid firewall and good antivirus software. After all, programmers are far less likely to browse the Web or open e-mail attachments from strangers than most office workers, and those two occurrences are the prime causes of security problems.”

http://builder.com.com/5100-6387_14-5171910.html?tag=nl.e601

CSS Tooltips - Part Two

CSS Tooltips - Part Two:
By: John Gallant, Holly Bergevin

“In Part One of this CSS Tooltips series, we covered the basic coding necessary to create a hovered pop-up that can serve as a supplemental "tooltip" explanation for a link. The next step is to arrange for this effect to be used with any page element, and not just links.

A Matter Of Support

The heart of the CSS tooltip method depends on the :hover pseudo-class. The W3C makes no restrictions as to which elements may be in the :hover state. In theory this means it can apply to any page element. Most modern browsers now support this CSS 2 feature, but sadly, Internet Explorer for Windows lags behind in this area. IE/Win supports the CSS :hover pseudo-class only on link elements. It's really too bad, because having clean CSS tooltips for an image or a complex math formula would be highly desirable to most authors.

However, it happens that IE5/Win and above can be made to support hovering on any element, via a (freely available) jscript called from within the CSS file. Microsoft calls this proprietary "pathway" for the Jscript a behavior. Calling a script from within a CSS file is a non-valid use of CSS, and normally we would not recommend any such thing. But in this case it's a matter of making IE "support" a standard CSS rule that it otherwise would not.

Further, it's possible to place this "behavior call" in a separate style sheet and link that CSS into a page from within a conditional comment (also Microsoft proprietary code) that appears to other browsers as just a normal comment. Only IE will look inside and see the behavior code lurking within!

Thus, for us code purists the result is nice clean HTML and CSS, with all the invalid code squirreled away out of sight. Explorer can see that invalid code only because it is capable of looking inside HTML comments for extra code it can parse. The W3C specifications don't care what lies within any HTML comments, so the page will validate just fine.”

http://www.communitymx.com/content/article.cfm?cid=52428


Wednesday, January 19, 2005

Worm exploits tsunami to spread virus

Worm exploits tsunami to spread virus:

A mass e-mail posing as a plea for aid to help the victims of last month's Asian tsunami disaster is actually a vehicle for spreading a computer virus, Web security firm Sophos said Monday.

The worm appears with the subject line: "Tsunami donation! Please help!" and invites recipients to open an attachment called "tsunami.exe"--which, if opened, will forward the virus to other Internet users.

It could also initiate a denial-of-service attack against a German hacking Web Site, Sophos said, in which the site's server would be bombarded with messages, putting it out of action.

"Duping innocent users into believing that they may be helping the tsunami disaster aid efforts shows hackers stooping to a new low," Sophos senior technology consultant Graham Cluley said in a statement.

Sophos added that it had so far received only a small number of reports of the worm, which it said was not the first to try to take advantage of the Indian Ocean catastrophe in order to spread.

Another worm earlier this month propagated the message that the tsunami was God's revenge on "people who did bad on earth."

And there have been a number of mass e-mails sent out in an attempt to steal money, many of them versions of the so-called Nigerian Letter scam, to which readers are invited to reply with their details, apparently in order to help transfer large sums of money and receive a cut themselves.


http://news.zdnet.com/2100-1009_22-5539215.html?tag=nl.e539

Advanced Windows XP User Features

Advanced Windows XP User Features:
By John Mueller, Peter Norton.

“Windows XP comes with more ways to modify your interface than any previous version of Windows. Not only can you use the new Windows interface, but many of the features of the Windows 2000 interface are available as well. All of this flexibility means that you can have the interface you really want—the one that will make you most productive. Unfortunately, all of this flexibility can also mean confusion on the part of the user. That's why I placed what I consider advanced user features in a separate chapter.

In the preceding chapter, we looked at the simplified Windows XP interface. This interface is easy to use, but doesn't provide much in the way of flexibility. Windows XP also supports what I call a standard interface, the kind of interface that most Windows users have come to expect. This chapter will show you how to convert from the simplified interface to the standard interface that many power users will want. In addition, we'll discuss how to obtain the Windows 2000 interface. Just because you're using Windows XP doesn't mean that you have to settle for an interface that doesn't suit your tastes.

Part of using the standard interface is negotiating the Classic Start Menu, the one found in previous versions of Windows. Chapter 2 discussed the new, simplified Start Menu that you'll see when you start Windows XP. This chapter concentrates on the standard menu components as well as on the standard toolbars. In fact, I'll show you how to create your own toolbars to make working with Windows more efficient.

One issue we really didn't discuss in the preceding chapter is the Desktop—the part of the display where you place icons, applications, and data files. Windows XP has two different Desktops. The first is the standard desktop found in even the old versions of Windows 9x. The second is the relatively new Active Desktop. We'll discuss both desktops, and you'll discover how to make maximum use of the Active Desktop if you decide to take the plunge and use it.

This chapter discusses advanced Explorer techniques. You'll learn how to configure Explorer to suit your needs and use it to reconfigure your system, and you'll even get some customization tricks that no one should be without. Most importantly, you'll learn why this tool is so essential for novice and expert alike.

This chapter ends with a discussion of some important but miscellaneous interface configuration issues. You'll learn about the Startup folder and how to use it to make your system self-configuring (at least to an extent). Anyone who has read Chapter 2 will see the effects of using Web content in folders. You can change the appearance of the Web content to suit your needs, so the effects in Chapter 2 are only the beginning. These sections will also tell you about screen savers and themes. If you used themes under Windows 9x and liked them, you really need to see how Microsoft has improved theme support for Windows XP.

Switching to the Standard Interface

The simplified Windows XP interface has many appealing features, but it also hides some of the power of Windows. If you perform the same tasks every day, the hidden features may not make much of a difference. An accountant who uses the same application all day to compute someone's tax bill won't worry much if he or she doesn't see the Administrative Tools folder. However, many power users will find the hunt for their favorite administrative tool frustrating. Speed is of the essence for the power user.

The standard interface is one that reflects the power of the original Windows 9x interface and the functionality of the Windows XP feature set. It allows a power user to find what he needs quickly. The same interface that confuses the novice and thwarts someone who performs the same task every day makes the power user more efficient. I'm making these distinctions because the myth of the perfect interface seems to pervade the media. The perfect interface is a myth. There's only the interface that works best for you, which is why I'm happy to see that Microsoft is adding much-needed flexibility to Windows XP.

Enabling the standard interface is as simple as making a few changes to your environment. Begin by right-clicking the Start Menu and selecting Properties.”


http://www.informit.com/articles/article.asp?p=29744

Tuesday, January 18, 2005

Company offers 10GB of Net storage, for free

Company offers 10GB of Net storage, for free:
“A company called Streamload is offering consumers a free 10 gigabyte online storage locker for multimedia files, potentially raising the stakes for larger companies such as Yahoo and America Online.

Streamload typically provides online storage space for a price, making it one of the few companies to survive in that business through the dot-com shakeout. However, it is increasingly competing with larger companies that offer online homes for digital photographs, and even the huge archive space provided by Google's Gmail service.

Company executives say the offer of big online storage lockers, once used only by advanced computer users, is now more relevant to a broader public that has large collections of digital photographs and MP3 files.

"It seems to have come to appeal not only to the hard-core early adopters, but to mainstream users," Streamload CEO Steve Iverson said. "It's no longer a novelty to have an MP3 player, and even having a place online to store MP3 files so you can fill up your iPod on the road has become more common."

Iverson's argument illustrates one side of a race between falling prices for data storage, such as computer hard drives, and the increasing ease of storing data on a network.

Some computer experts have argued that when all devices are connected to the Net, storing data locally will be unnecessary. Others note that cheap hard drives that are expanding to hold hundreds of gigabytes mean that it will be more efficient to store data locally whenever possible.

Streamload's service does allow its customers to share files stored on the system, much as Yahoo Photos allows subscribers to provide access to photographs to friends. In the past, this has led to online storage lockers being used to hold and distribute pirated music, movies and software, but Iverson said his company had guards in place against this.

People who sign up for the free 10GB service can only download 100MB a month and can only upload files of 100MB at a time. Customers who pay about $10 a month have much looser restrictions.”

http://news.zdnet.com/2100-9588_22-5537230.html?part=rss&tag=feed&subj=zdnet

Microsoft: No Plans to Tweak DRM Download Mechanism

Microsoft: No Plans to Tweak DRM Download Mechanism:

“Amid reports that malicious hackers are using the anti-piracy mechanism to infect computers with spyware, adware, dialers and computer viruses, Microsoft officials stressed that the latest attack scenario does not exploit a vulnerability in the software.

"Not every problem comes with an automatic technology solution. In this case, the priority is to educate users and get them to understand the importance of not downloading files from untrusted sources," said Mike Coleman, lead product manager with Microsoft's Windows division.

"If strangers are trying to entice you to open a file, chances are they're setting you up for a bad experience. We need to continue our work on getting people to understand what's going on and get them to develop better download habits," Coleman told eWEEK.com.

Security experts warn that crackers are rigging .wmv files to use the DRM (digital rights management) features of Windows Media Player to browse sites infested with malware.

The WMP software includes an option to "acquire licenses automatically for protected content." When a user tries to play a DRM-protected file, the software triggers an Internet Explorer browser session and walks the user through the installation process.

Ben Edelman, a Harvard University student who tracks the spyware scourge, has published a demonstration of the exploits and warned that users with older versions of Windows will receive "confusing and misleading messages" regarding the DRM licenses.

After attempting to download the DRM license, Edelman said his test computer became infected with 58 folders, 786 files and a whopping 11,915 registry entries. "Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer," he said.

Tom Liston, a researcher who tracks malicious Internet activity for the SANS Internet Storm Center, said the attack scenario puts users at risk even if they use an alternative browser. "You're only as safe as the version of IE installed on your system."

Panda Software said the rigged video files are being distributed on peer-to-peer networks to dump two Trojans—Trj/WmvDownloader.A and Trj/WmvDownloader.B—on PCs.

Microsoft's Coleman said the company takes all security risks seriously and urged Windows users to take advantage of the protections built into Windows XP Service Pack 2.”


http://www.eweek.com/article2/0,1759,1751248,00.asp?kc=EWRSS03129TX1K0000610v

Searching for Quick Answers To Odd Questions

Searching for Quick Answers To Odd Questions:
By Mary Ellen Bates
Looking for an obscure fact, and need the answer right now? Forget search engines: Specialized search tools can help you track down offbeat information in a flash.

Search engines are great, but they often obscure simple, direct answers to straightforward questions in a sea of other information. For example, what was the original title of the first Godzilla movie? (Gojira, released in 1954) Who said "I'm as pure as the driven slush?" (Tallulah Bankhead) What percentage of adults have gone to a jazz performance in the last year? (11%).

Here are a few of my favorite sites for finding answers to those there-must-be-an-answer-out-there questions.

For the electronic equivalent to the "ready reference" shelf of resources that most librarians keep hidden behind their desks, check out RefDesk. It is particularly good for answering factual questions—Where do I get the new Windows XP Service Pack? Where is the 386 area code? How do I contact my member of Congress?

Another resource for lots of those quick-fact questions is InfoPlease, the publishers of the Information Please almanac. Right now, it's full of Olympics data, but it also has links to facts and factoids that you would look up in an almanac, atlas, or encyclopedia.

If you want numbers, start with the Statistical Abstract of the US. This source, produced by the U.S. Census Bureau, gives you everything from the divorce rate by state to airline cost indexes going back to 1980. It's a virtual "secret weapon" for pulling numbers together quickly.


http://searchenginewatch.com/searchday/article.php/3450911

Google Plugs Cookie-Theft Data Leak

Google Plugs Cookie-Theft Data Leak:

“For the second time this week, security flaws in the company's Web-based products have been uncovered, and the latest—in the Froogle comparison-shopping service—could have serious ramifications for Google's attempt at identity management.

In a statement sent to eWEEK.com, the search darling confirmed it was alerted to a "potential security vulnerability affecting Froogle," but no details were provided.

"We have since fixed this vulnerability, and all current and future Froogle users are protected," Google said.

According to Israeli security researcher Nir Goldshlager, a malicious hacker could exploit the hole by embedding a JavaScript in a URL pointing to Froogle. Once the link is clicked, the JavaScript triggers a browser redirect to a malicious Web site where the target's Google cookie is stolen.

Goldshlager, who was recently credited with finding a flaw in the Lycos e-mail service, said the cookie contains usernames and passwords for the "Google Accounts" centralized log-in service. He said the flaw also could be used to hijack Gmail accounts.

The Google Accounts identity management service is programmed to provide universal access to all Google services that require a login.

It powers logins for Google Groups, Google Alerts, Google Answers and Google Web APIs, and plans are in place to expand the service to include Google Adwords and the company's e-commerce store.

"The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he wants, and it still won't stop the hacker from using his box," Goldshlager said.

Earlier this week, Google was forced to address a separate bug in Gmail that allowed access to other users' personal e-mails. By altering the "From" address field of an e-mail sent to the service, a malicious hacker could potentially find out a user's personal information, including passwords.”


http://www.eweek.com/article2/0,1759,1751689,00.asp?kc=ewnws011705dtx1k0300599