Finally some GOOD news on the malware front

NC State Research Shows Way to Block Stealthy Malware Attacks
NCSU News (11/03/09) Shipman, Matt

North Carolina State University (NCSU) researchers have developed a way to block rootkits and prevent them from contaminating computer systems. Rootkits often work by hijacking a number of hooks, or control data, in a computer’s operating system.

“By taking control of these hooks, the rootkit can intercept and manipulate the computer system’s data at will,” says NCSU professor Xuxian Jiang. To prevent a rootkit from taking over an operating system, Jiang’s research team determined that all of an operating system’s hooks had to be protected.

“The challenging part is that an operating system may have tens of thousands of hooks–any of which could potentially be exploited for a rootkit’s purposes,” Jiang says. “Our research leads to a new way that can protect all the hooks in an efficient way, by moving them to a centralized place and thus making them easier to manage and harder to subvert.”

By placing all of the hooks in one place, the researchers were able to leverage hardware-based memory protection to prevent the hooks from being hijacked. The research will be presented at the ACM Conference on Computer and Communications Security in Chicago on November 12.
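An added illustration of the centralizing idea (my own C sketch, not the NCSU team's code): the hooks are function pointers gathered into one page-aligned table, and once the table is filled its page is made read-only with mprotect(), so a later attempt to swap a pointer faults instead of succeeding. The handler names, the rogue replacement and the SIGSEGV trap are constructed for the demonstration; the research system protects operating-system hooks, and this user-space version shows only the page-protection step.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A hook is a function pointer the system dispatches through. */
typedef int (*hook_fn)(int);

/* Stand-ins for the legitimate handlers the hooks point at (constructed). */
static int handler_open(int fd) { return fd + 1; }
static int handler_read(int fd) { return fd * 2; }
/* Stand-in for what a hijacker would try to install; it is never installed. */
static int rogue_handler(int fd) { return -fd; }

enum { HOOK_OPEN = 0, HOOK_READ = 1, HOOK_COUNT = 2 };

static hook_fn *hook_table;   /* lives in its own page so it can be locked alone */
static size_t page_size;

/* Populate the centralized table, then drop write permission on its page.
 * Returns 0 on success, -1 if the mapping or the protection change failed. */
static int hook_table_init(void)
{
    if (hook_table != NULL)
        return 0;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    hook_fn *t = p;
    t[HOOK_OPEN] = handler_open;
    t[HOOK_READ] = handler_read;
    if (mprotect(p, page_size, PROT_READ) != 0) {   /* read-only from now on */
        munmap(p, page_size);
        return -1;
    }
    hook_table = t;
    return 0;
}

/* Normal dispatch: reading the table is still permitted. */
static int dispatch(int which, int arg)
{
    if (hook_table_init() != 0 || which < 0 || which >= HOOK_COUNT)
        return -1;
    return hook_table[which](arg);
}

/* The store below faults; catch the fault so the outcome can be reported. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Simulate an in-process attempt to swap HOOK_OPEN for rogue_handler.
 * Returns 1 if the page protection stopped it and the table is intact. */
static int hijack_blocked(void)
{
    if (hook_table_init() != 0)
        return 0;
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms raise SIGBUS instead */

    volatile int blocked = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        hook_table[HOOK_OPEN] = rogue_handler;   /* store into a read-only page */
    else
        blocked = 1;                             /* reached via siglongjmp */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    hook_fn now = ((volatile hook_fn *)hook_table)[HOOK_OPEN];
    return blocked && now == handler_open;
}

int main(void)
{
    return (hijack_blocked() == 1 && dispatch(HOOK_OPEN, 41) == 42) ? 0 : 1;
}
```

The point of the layout is that protection becomes one mprotect() call over one page rather than a guard around every hook scattered through the system; the dispatch path is unchanged because reads are still allowed.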

…. and

New Honeypot Mimics the Web Vulnerabilities Attackers Want to Exploit
Dark Reading (10/29/09) Higgins, Kelly Jackson

Glastopf is a new open source Web server honeypot project that enables researchers to study Internet attacks by acting as Web servers with thousands of vulnerabilities that provoke cybercriminals into attacking. Glastopf creator Lukas Rist says the program dynamically emulates vulnerabilities that attackers are looking for, so the decoy is more realistic and can gather more detailed information.

“Many attackers are checking the vulnerability of the application before they inject malicious code,” Rist says. “My project is the first Web application honeypot with a working vulnerability emulator able to respond properly to attacker requests.”

Rist built Glastopf through the Google Summer of Code program, in which student developers write code for open source projects. Glastopf uses a combination of known signatures of vulnerabilities and records the keywords an attacker uses when visiting the honeypot to ensure they are indexed in search engines, which attackers regularly use to find new targets. The project has a central database to collect Web attack data from the honeypot sensors, which are installed by participants who want to share their data with the database.

“The project will contribute real-world data and statistics about attacks against Web apps–an area where we do not have good collection tools yet,” says Rist’s project mentor Thorsten Holz. He says Glastopf tricks an attacker by returning content that is often found on vulnerable versions of Web applications, such as characteristic version numbers or similar information.
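To make the emulation idea concrete, here is an added C sketch (mine, not Glastopf's code): a table of probe fingerprints, each paired with the decoy content a vulnerable-looking application would return, plus an in-memory log standing in for the central database. Request targets are percent-decoded and lowercased before matching so encoded variants of the same probe are classified alike. The fingerprints, decoy strings and sample requests are constructed; the 203.0.113.0/24 address is from a documentation range.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One emulated weakness: a probe fingerprint, the label to log, and the
 * decoy body a vulnerable-looking application would send back. */
struct emulation {
    const char *needle;
    const char *category;
    const char *decoy;
};

/* Constructed table; generic probe shapes, not Glastopf's signatures. */
static const struct emulation emulations[] = {
    { "=http://",     "rfi-probe",       "<!-- ExampleCMS 2.0.1 -->" },
    { "=https://",    "rfi-probe",       "<!-- ExampleCMS 2.0.1 -->" },
    { "../",          "traversal-probe", "<!-- ExampleCMS 2.0.1 -->" },
    { "union select", "sqli-probe",      "You have an error in your SQL syntax" },
    { "<script",      "xss-probe",       "<!-- ExampleCMS 2.0.1 -->" },
};
#define N_EMULATIONS (sizeof emulations / sizeof emulations[0])

/* In-memory stand-in for the central attack database. */
#define LOG_CAP 32
static char attack_log[LOG_CAP][256];
static size_t attack_log_len;

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return 10 + c - 'a';
    return -1;
}

/* Percent-decode, map '+' to space and lowercase, so "UNION%20SELECT"
 * and "union+select" hit the same fingerprint. */
static void normalize(char *dst, size_t cap, const char *src)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && o + 1 < cap; i++) {
        int c = (unsigned char)src[i];
        if (c == '%' && hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            c = hexval(src[i + 1]) * 16 + hexval(src[i + 2]);
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        dst[o++] = (char)tolower(c);
    }
    dst[o] = '\0';
}

/* Handle one request target. Returns the index of the matched emulation, or
 * -1 for a request that triggers nothing. A match is appended to the log as
 * "category target" and, if out_decoy is non-NULL, the decoy body is returned. */
static int handle_request(const char *target, const char **out_decoy)
{
    char norm[1024];
    normalize(norm, sizeof norm, target);
    for (size_t i = 0; i < N_EMULATIONS; i++) {
        if (strstr(norm, emulations[i].needle) != NULL) {
            if (attack_log_len < LOG_CAP)
                snprintf(attack_log[attack_log_len++], sizeof attack_log[0],
                         "%s %s", emulations[i].category, target);
            if (out_decoy)
                *out_decoy = emulations[i].decoy;
            return (int)i;
        }
    }
    if (out_decoy)
        *out_decoy = "<html><body>Welcome</body></html>";
    return -1;
}

int main(void)
{
    /* Constructed sample requests. */
    const char *samples[] = {
        "/index.php?page=http://203.0.113.5/x.txt",
        "/item.php?id=1%20UNION%20SELECT%201",
        "/about.html",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *decoy;
        int hit = handle_request(samples[i], &decoy);
        printf("%-45s -> %s\n", samples[i], hit < 0 ? "benign" : emulations[hit].category);
    }
    for (size_t i = 0; i < attack_log_len; i++)
        printf("log: %s\n", attack_log[i]);
    return 0;
}
```

The decoy is what makes the sensor worth an attacker's second request, which is the detail the article credits Glastopf with; the log line is the data the project's central database collects.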

Don’t ask a computer how hard it was raining …

Even the Most Sophisticated Computers Can’t Tell a Dog From a Cat
The Independent (London) (01/06/09) Bishop, Chris

Chris Bishop, chief research scientist for Microsoft Research in Cambridge, England, says there is still much that needs to be explored about digital intelligence. Bishop says that it is still very difficult for computers to recognize structures or objects in data.

Scientists tried to solve the pattern recognition problem by using artificial intelligence in the 1970s, but the fact that there are always exceptions to handcrafted rules ultimately led them to abandon the expert systems idea. Researchers are now focusing on having computers learn from experience similar to humans, by programming them to learn from data and then training them to solve the problem.

A supercomputer is no match for even a toddler when it comes to recognizing variations in size, color, shapes, lighting, and background. Still, researchers have made some advances, and the resulting practical applications now enable robots in factories to see what they are assembling, and allow tumors to be detected in medical images. Bishop says he is looking forward to developments in the years to come.


I love that after all this time, a toddler can still outdo a computer with his/her recognition skills.

Putting IT in its place

Google Executive Urges Improvements to Technology Infrastructure (11/18/08) Nagesh, Gautham

Google CEO Eric Schmidt says the U.S. federal government should invest in green technology and a national computer infrastructure to help create jobs and foster American innovation. Schmidt, part of President-elect Barack Obama’s transition team, also supports a smart power grid that uses two-way communications and advanced sensors to deliver electricity more efficiently. He says Obama supports such an approach. Schmidt says the federal government has a critical role in creating the framework that will allow technological innovation to flourish.

“Let’s take this economic crisis and deal with it as an opportunity to get our infrastructure right,” he says. The government also should make more frequencies available to TV and other broadcast mediums to allow for greater innovation, says Schmidt, citing the fact that only 55 percent of Americans have access to broadband, and the fact that the United States, which invented the technology, ranks 15th in the world in terms of broadband availability.

Schmidt called for a universal broadband strategy to give all Americans access to high-speed Internet service by increasing competition among carriers, as well as for greater investment in research, noting that the creation of the Internet was largely due to the DARPA-furnished grants to study computer networking in the 1960s and 1970s. He also says the federal government should do more to promote math and science education and not force foreign students to leave the country after getting their education in the United States.

I just like the acronym

The Next Generation Wireless Chips
University of Cologne (11/04/08) Kollner, Raphael

Europe’s Integrated Circuit/Electromagnetic Simulation and design Technologies for Advanced Radio Systems-on-chip (ICESTARS) project will enable the development of low-cost wireless chips that can operate in a frequency range of up to 100GHz.

“In the future, mobile devices will provide customers with services ranging from telephony and Internet to mobile TV and remote banking, anytime, anywhere,” says University of Cologne professor Caren Tischendorf. “It is impossible to realize the necessary, extremely high data transfer rates within the frequency bands used today.”

ICESTARS project leader Marq Kole says that by the end of the project in 2010, project participants hope to have accelerated the chip development process in the extremely high frequency range with new methods and simulation tools. ICESTARS is funded by the European Commission and is led by NXP Semiconductors. German semiconductor company Qimonda will develop advanced analog simulation techniques for the project.

Other partners include Finland-based software developer AWR-APLAC, which will focus on frequency-domain simulation algorithms, and Belgium’s MAGWEL, which will focus on electromagnetic simulations.

In addition to the University of Cologne, university partners include Upper Austria University of Applied Sciences, Germany’s University of Wuppertal, and the University of Oulu in Finland. University partners will focus on modeling questions, algorithmic problems, and simulations issues that need to be solved for testing analog circuits with digital signal processing in the extremely high frequency range.

Can’t Sleep, Clowns Will Eat Me

A Photo That Can Steal Your Online Credentials
IDG News Service (08/01/08) McMillan, Robert

Researchers at the Black Hat computer security conference in Las Vegas next week will demonstrate an attack that could steal online credentials from users of popular Web sites. The attack uses a new type of hybrid software file the researchers have dubbed a GIFAR. By placing the file on Web sites that allow users to upload images, the researchers can circumvent security precautions and take over the Web page users’ accounts.

GS Software’s John Heasman says the GIFAR is a Java applet in the form of an image. GIFAR is a contraction of the graphics interchange format (GIF) and Java Archive (JAR), the two file types that make up the applet. The researchers will demonstrate how to create the GIFAR, while omitting a few details to prevent it from being used for a widespread attack. To a Web server, the file looks exactly like a GIF file, but a browser’s Java virtual machine will open the file like a JAR file and run it as an applet, giving the attacker an opportunity to run Java code on the victim’s browser, which treats the applet as though it was written by the Web site’s developers.

The researchers say the attack could work on any site that allows users to upload files, possibly even sites that are used to upload banking card photos or sites such as The GIFAR attack can be prevented by improving filtering tools so Web sites can detect the hybrid files, and Sun could also improve the Java runtime environment.
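The filtering improvement mentioned at the end, as an added C example (mine, not the researchers' code): a ZIP or JAR reader locates the archive from the end of the file, so an upload that begins with a GIF header and ends with a consistent ZIP central directory satisfies both parsers. The check below walks back to the end-of-central-directory record the way an archive reader does, confirms the central directory it points at, and flags a GIF that carries one, reporting how many leading bytes a ZIP reader would skip. The sample input is a constructed GIF header followed by an empty one-member archive containing no code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { NOT_GIF = 0, PLAIN_GIF = 1, GIF_WITH_ARCHIVE = 2 };

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* ZIP readers find the archive from its tail: the end-of-central-directory
 * record is within the last 22 bytes plus up to a 64 KiB comment. */
static const unsigned char *find_eocd(const unsigned char *buf, size_t len)
{
    if (len < 22) return NULL;
    size_t lowest = len > 22 + 65535 ? len - 22 - 65535 : 0;
    for (size_t pos = len - 22; ; pos--) {
        if (memcmp(buf + pos, "PK\x05\x06", 4) == 0) return buf + pos;
        if (pos == lowest) return NULL;
    }
}

/* Verdict for an "image" upload. On GIF_WITH_ARCHIVE, *prefix_out receives
 * the number of leading non-archive bytes (the GIF part) a reader would skip. */
enum verdict inspect_gif_upload(const unsigned char *buf, size_t len, size_t *prefix_out)
{
    if (len < 6 || (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0))
        return NOT_GIF;
    const unsigned char *eocd = find_eocd(buf, len);
    if (eocd == NULL) return PLAIN_GIF;
    uint32_t cd_size = rd32(eocd + 12), cd_off = rd32(eocd + 16);
    size_t eocd_pos = (size_t)(eocd - buf);
    if (cd_size > eocd_pos) return PLAIN_GIF;                  /* inconsistent record */
    size_t cd_actual = eocd_pos - cd_size;
    if (memcmp(buf + cd_actual, "PK\x01\x02", 4) != 0) return PLAIN_GIF; /* stray bytes only */
    if (cd_actual < cd_off) return PLAIN_GIF;
    if (prefix_out) *prefix_out = cd_actual - cd_off;         /* slack readers tolerate */
    return GIF_WITH_ARCHIVE;
}

static size_t put16(unsigned char *o, unsigned v)
{ o[0] = (unsigned char)(v & 0xff); o[1] = (unsigned char)((v >> 8) & 0xff); return 2; }
static size_t put32(unsigned char *o, uint32_t v)
{ for (int i = 0; i < 4; i++) o[i] = (unsigned char)((v >> (8 * i)) & 0xff); return 4; }

/* Constructed test input: a minimal GIF followed by a one-member, empty,
 * stored ZIP. Writes 114 bytes to out and returns that count. */
size_t build_sample_polyglot(unsigned char *out)
{
    size_t n = 0;
    memcpy(out + n, "GIF89a", 6); n += 6;                 /* GIF header */
    n += put16(out + n, 1); n += put16(out + n, 1);        /* 1x1 logical screen */
    out[n++] = 0; out[n++] = 0; out[n++] = 0;             /* flags, background, aspect */
    out[n++] = 0x3B;                                       /* GIF trailer */
    size_t zip_start = n;
    memcpy(out + n, "PK\x03\x04", 4); n += 4;             /* local file header */
    n += put16(out + n, 10); n += put16(out + n, 0); n += put16(out + n, 0); /* version, flags, stored */
    n += put16(out + n, 0); n += put16(out + n, 0);        /* time, date */
    n += put32(out + n, 0); n += put32(out + n, 0); n += put32(out + n, 0);  /* crc, sizes */
    n += put16(out + n, 1); n += put16(out + n, 0);        /* name len, extra len */
    out[n++] = 'a';
    size_t cd_start = n;
    memcpy(out + n, "PK\x01\x02", 4); n += 4;             /* central directory entry */
    n += put16(out + n, 10); n += put16(out + n, 10); n += put16(out + n, 0); n += put16(out + n, 0);
    n += put16(out + n, 0); n += put16(out + n, 0);        /* time, date */
    n += put32(out + n, 0); n += put32(out + n, 0); n += put32(out + n, 0);  /* crc, sizes */
    n += put16(out + n, 1); n += put16(out + n, 0); n += put16(out + n, 0);  /* name, extra, comment */
    n += put16(out + n, 0); n += put16(out + n, 0); n += put32(out + n, 0);  /* disk, attrs */
    n += put32(out + n, 0);                                /* local header offset, archive-relative */
    out[n++] = 'a';
    size_t cd_size = n - cd_start;
    memcpy(out + n, "PK\x05\x06", 4); n += 4;             /* end of central directory */
    n += put16(out + n, 0); n += put16(out + n, 0); n += put16(out + n, 1); n += put16(out + n, 1);
    n += put32(out + n, (uint32_t)cd_size);
    n += put32(out + n, (uint32_t)(cd_start - zip_start));
    n += put16(out + n, 0);                                /* no comment */
    return n;
}

int main(void)
{
    unsigned char buf[256];
    size_t n = build_sample_polyglot(buf), prefix = 0;
    enum verdict v = inspect_gif_upload(buf, n, &prefix);
    printf("verdict=%d prefix=%zu\n", v, prefix);
    return v == GIF_WITH_ARCHIVE ? 0 : 1;
}
```

Checking the central-directory signature rather than just searching for "PK" bytes keeps the filter from rejecting ordinary images whose pixel data happens to contain those two letters; the prefix value is the gap between where the archive says its directory starts and where it actually is, which is exactly the slack that lets a concatenated file pass both parsers.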

Useful technology

Adapting Websites to Users
Technology Review (06/09/08) Naone, Erica

Researchers at the Massachusetts Institute of Technology’s Sloan School of Management are working to enable Web sites to automatically adapt to each visitor so the sites present information in a way that each user wants to see it. Although some Web sites already offer personalized features, they primarily use information taken from a user’s profile, stored cookies, or lengthy questionnaires. The Sloan system adapts to unknown users within the first few clicks on a Web site by analyzing each user’s choices.

Sloan professor John Hauser says a Web site running the system would detect a user’s cognitive style, watching for traits such as whether or not they are detail oriented, and would adjust accordingly. Every time the system learned something new about the user the Web site would make a subtle change until the Web site suddenly feels more natural, comfortable, and easy to navigate. Hauser says users should not even realize the Web site is being personalized.

A prototype developed for British Telecom’s Web site is designed so that the first few clicks visitors make are likely to reveal aspects of their cognitive style. For example, the first page users see asks them to choose to compare plans using a chart or to interact with a broadband advisor. Within about 10 clicks, the system understands the user’s cognitive style and morphs the Web site. In addition to guessing each user’s cognitive style, the system can track which versions of the Web site are most effective for each cognitive style.

On computers

“All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can’t get them together again, there must be a reason. By all means, do not use a hammer.”
– IBM Manual, 1925

“A computer once beat me at chess, but it was no match for me at kick boxing.”
– Emo Philips


Patches Pose Significant Risk, Researchers Say
SecurityFocus (04/23/08) Lemos, Robert

A team of computer scientists has developed a technique that exploits patches and updates by automatically comparing the vulnerable and repaired versions of a program and creating attack code. The technique, which the researchers call automatic patch-based exploit generation (APEG), can generate attack code for most major vulnerabilities in minutes by automatically analyzing a patch designed to fix a flaw. If Microsoft does not change how it distributes patches to customers, attackers could create a system that attacks the flaws in unpatched systems minutes after an update is sent out, says Carnegie Mellon computer science PhD candidate David Brumley.

The technique is built on methods used by many security researchers, who reverse engineer patches to find vulnerabilities fixed by the update. Normally the process can take a few days, or even hours, but Brumley and his colleagues were able to use APEG to create exploits in five recent Microsoft patches in under six seconds each time. The system does not create fully weaponized exploits and may not work on all types of vulnerabilities, but it shows that developing exploits from patches can be done in minutes.

The researchers suggest that Microsoft could increase the likelihood that customers receive patches before attackers can reverse engineer them by obfuscating the code, encrypting the patches and waiting to distribute the key simultaneously, and using peer-to-peer networks to increase the distribution of patches.

I know I should treat all this as a challenge but I’m ready to pull my hair out. We work to keep everything patched to a safe level, which requires a lot of time.   If one is using WSUS for the windows patches, that’s scheduled and pushed out on a regular basis, but that means there are gaps and the machines are vulnerable for a certain amount of time between patches.  GAG.  If one is letting the computer do the automatic updates, you are at Micro$oft’s mercy as to which download group the machine will be in. I’ve had 3 day gaps between machines getting the same updates pushed out.  Does that sound safe?

Not so much.

Feh.  I think I’ll take up painting or something and see if I can make a living from that.  Umm hmm.


So, do you like the new look on this blog or should I go back to the old one?  Weigh in, people!

I don’t like this one quite as much as I thought I was going to.  And I can’t get the blogtitle to bump down just a bit.  My CSS skillz are teh sUX0rz.

Pre-Installed Viruses

Some Viruses Come Pre-Installed
Associated Press (03/13/08) Robertson, Jordan

A number of electronics products made in Chinese factories have been found to contain viruses that steal passwords, distribute spam, and open up computers to hackers. For instance, digital picture frames sold at Sam’s Club contained a previously unknown virus that steals gaming passwords and disables antivirus software, according to security researchers at Computer Associates.

Viruses have also been found on digital picture frames sold by Best Buy and Target, as well as on Apple iPods and TomTom navigation equipment. Security experts say the viruses are being loaded during the final stage of production, in which the devices are plugged into a computer and tested to ensure that they work properly.

Experts note that the viruses are probably coming from a careless factory employee plugging an infected device into the testing computer, rather than hackers or the factories themselves. Nonetheless, hackers could someday use infected Chinese-made devices as an avenue of attack, security experts say.

“We’ll probably see a steady increase over time,” says Symantec computer researcher Zulfikar Ramzan. “The hackers are still in a bit of a testing period–they’re trying to figure out if it’s really worth it.”