The Sun’s website hacked like so:

The LulzSec attack on News International’s systems to redirect readers from the Sun to a fake story, and to try to get at its internal email store, appears to have been two-pronged.

Some of the more skilled hackers, including some from the hacker collective Anonymous, had been probing it in detail for about two weeks before the hack. One was to break into its email archive; the other was to hack and “deface” the site itself, by putting up a fake story – the same method LulzSec originally came to attention by doing when it hacked the PBS site to claim that Tupac Shakur was not dead.

However as far back as 2009 a weakness was found in the “Contact us” form of the Sun’s site that meant that it could be used to attack the database holding emails for the system.

Some former News International employees’ names and mobile phone numbers have been given out on Twitter by people affiliated to the hacker collective Anonymous. However, they are not current: some include people who left the company in 2007. But that also implies that they may have access to email archives dating back to when some phone hacking occurred.

Monday night’s hack of the Sun occurred because one of the hackers found a weakness in a “retired” server for the News International “microsites” – used for small or unimportant stories – running Sun’s Solaris operating system.

The most likely candidate for that hack – which would use the weakness discovered in 2009 – is the “mailback” page at http://www.new-times.co.uk/cgi-bin/newtimesmailback, which on Tuesday morning had been deactivated, along with the whole of the new-times site.

The server hosted the outdated “new-times.co.uk” site put up when the Times was building its paywall.

The hacker used that and then ran a “local file inclusion” program to gain access to the server – meaning they had extensive control over it.

That then gave them access across large parts of the News International network, possibly including the archived emails, and to the Sun’s “content management system” (CMS) – which formats news onto pages. That will have included the code for the “breaking news” element of the Sun’s main webpage; changing the entire content on the page would be too obvious.

By including a line of Javascript in the “breaking news” element, the hackers were able to ensure that anyone visiting the Sun’s home page would, as the ticker was automatically refreshed, they would be redirected to anywhere that the hackers chose.

Initially they made it redirect to a fake page they had created at new-times.co.uk/sun which attempted to look and read like a Sun story claiming that Rupert Murdoch had been found dead. That page used a template of another story that first appeared on 14 July, suggesting that the hackers either grabbed an archived story or have had access since then.

After the team at News International tried to regain control, the hackers then redirected the main News International page to the Twitter page for LulzSec.

But the problems for the News International team aren’t over. A number of email addresses and passwords were being tweeted last night on various feeds – implying that the hackers may have gained access to the email archive and be preparing to release it. If that happens, the effects could be titanic.

Botclouds: a cyberattacker’s dream

OFFLOADING your software and data to a cloud computing service has never been easier.

Apple last week became the latest tech company – after Google and Amazon – to offer cheap online storage, with its new iCloud service allowing users to access music, documents and other files from any Apple device. But cloud services could also be used to launch attacks, send spam and commit fraud.

“Right now it’s just a few attacks, most aren’t well publicised and a lot can go undetected,” says Kassidy Clark of the Delft University of Technology in the Netherlands.

“As long as cloud service providers are not taking proactive steps to prevent these things, I think this trend will increase.”

As well as basic online storage, firms such as Amazon, which provides the largest cloud service, also offer virtual computing.

This allows people to rent as many “virtual computers” as they need.

Now Clark and colleagues have investigated how the cloud could be used to build a botnet, a network of infected computers under an attacker’s control.

Traditional botnets are built over time by taking control of ordinary people’s computers without their knowledge, but a cloud botnet – or botcloud – can be put together in a couple of minutes just by purchasing space in the cloud with stolen credit card details.

“It makes deployment much faster,” says Clark, who presented his findings at the CLOSER cloud computing conference in Noordwijkerhout, the Netherlands, last month.

“You don’t have to wait months for millions of machines around the world to get infected.”

To find out just how easy it is to construct a botcloud, Clark and colleagues hired 20 virtual computers from a leading cloud service provider for around €100 and used them to carry out attacks on their own web server.

They first attempted a distributed denial of service (DDoS) attack, which floods a target with massive amounts of traffic.

The botcloud pumped out 20,000 page requests per second and brought the server down in just 10 seconds.

Clark also built a larger botcloud and used it to simulate “click fraud” – clicking links in pay-per-click adverts in order to generate fraudulent revenue.

Advertising companies normally stop this by tracking the internet protocol (IP) address of each individual computer and blocking one if it clicks a link too many times.

The researchers circumvented this defence by setting up a botcloud of 1000 virtual computers, each with its own address.

Neither botcloud attack was detected or shut down by the cloud provider.

So are botclouds being used? There were certainly rumours that the recent attack on Sony’s PlayStation Network was carried out via Amazon servers rented using stolen credit cards, but these have not been substantiated.

“We have seen spam coming from some of these environments, but not on a massive scale,” says Paul Wood, a senior analyst at Symantec.cloud, which provides cloud-based security services.

He says that it is even possible for a virtual computer in the cloud to become infected by an ordinary botnet, because cloud users don’t normally run anti-virus software.

Thomas Roth, a security researcher in Cologne, Germany, who recently showed how to use Amazon’s servers to crack Wi-Fi passwords, agrees the lack of anti-virus protection in the cloud is a problem.

“I think that Amazon should provide infrastructure for doing vulnerability assessments and virus scans,” he says.

“Amazon Web Services employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,” Amazon told New Scientist.

“We have automatic systems in place that detect and block many attacks before they leave our infrastructure.”

But Wood warns that attacks from the cloud could easily take off in countries with more lax web policing.

“It’s only a matter of time before a Russian or Chinese equivalent of Amazon offers similar services,” agrees Clark.

“You put malicious or illegal software there, it doesn’t matter, they will never take you offline.”

Mozilla move spotlights PDF’s ascent on the Web

PDF files have long been an awkward fit with the Web, but a new project from the developers of Firefox shows how online PDFs are changing for the better.

For years, the only way to view them was with viewer software from Adobe Systems, which created the Portable Document Format in the 1990s.

Clicking a link to a PDF often meant a wait as the software loaded, followed by an alien interface, framed within the browser window, that meant actions like searching and printing were different.

It’s faster today, but PDFs still don’t feel like native Web documents.

But PDF has become an international standard, and now PDFs are becoming less obstreperous.

Google started indexing PDF content and showing PDFs in search results years ago, helping to ensure their utility on the Internet.

And browsers have begun handling them better, too.

Google’s Chrome, for example, added a PDF reader directly into the browser so that Adobe Reader, Mac OS X’s Preview, or other third-party applications aren’t required.

(Well, except in cases where Chrome’s plug-in isn’t up to snuff; happily, it now sometimes warns you when a PDF has elements it can’t handle.)

Chrome is tackling the performance issue, too, making a PDF reader plug-in that uses the Native Client software technology.

Now Mozilla has begun a project of its own called pdf.js: a PDF reader that uses Web technology, not native software, to render PDFs in the browser.

Eventually it will be built directly into Firefox, said programmer Andreas Gal in a blog post last week.

Thus, while Google is working on native-code PDF abilities–software tailored for a specific processor–Mozilla is working on an approach that uses the browser’s engine instead.

Indeed, security has been a problem for PDF reading on the Web.

Adobe’s widely used free Reader software needs regular attention as new security vulnerabilities are uncovered, some of zero-day problems that emerge before a patch is ready.

Browser technology is by no means immune to security problems, but Web applications don’t get the same privileges granted to native software, so that makes attacks harder.

The project uses JavaScript, the programming language of Web pages and Web applications, to interpret the PDF coding.

It should be noted that Gal has been involved for years in improving Firefox’s JavaScript execution speed.

Another Web standard in use is the HTML5 Canvas technology for two-dimensional drawing.

For a look at how well the project compares to other PDF rendering software, check at the screenshots below.

Canvas is fast, something Mozilla likes given the sour sentiments that often arise at the prospect of loading a PDF.

But it’s got drawbacks, too, said Chris Jones in a blog post. For one thing, it’s a low-level interface that doesn’t easily let people select text.

For another, high-quality printing is hard.

To get around those drawbacks, Mozilla also might use a PDF renderer using another Web technology, Scalable Vector Graphics (SVG).

The idea is to render a quick version using Canvas, then swap in a more elaborate SVG-based version after it’s been created, Jones said, mentioning that other approaches are possible, too.

To gauge progress, people can open a Web-based version of pdf.js showing a 2009 research paper about JavaScript that Gal and others wrote.

Ordinarily I’d include a parenthetical warning to readers that they link leads to a PDF, but in this case, it leads to an ordinary Web page that shows a PDF.

Mozilla hopes the pdf.js will improve people’s experience with PDFs, but ultimately help phase out the technology, too.

“It’s important to note that we’re not trying to promote PDF to a first-class web citizen like HTML5 is,” Gal said.

“Instead we hope that a browser-native PDF renderer written on the Web platform allows Web technologies to subsume PDF.”

Perhaps the work will make PDF fade into the background.

But people use PDFs for its advantages in formatting flexibility, archiving information in a standard file format, and sharing documents across a variety of operating systems and programs.

It seems possible to me, therefore, that Mozilla work to make PDFs easier and safer to use on the Web might actually strengthen the technology’s position.

FTC, Senate rachet up Google antitrust probes

 

The Federal Trade Commission and the U.S. Senate appear to be stepping up their antitrust investigations of Google, a development that could prove perilous for the Mountain View, Calif.-based company, which is already fending off a formal investigation in Europe.

The FTC is planning to serve Google with civil subpoenas as part of an examination of market power in Google’s search advertising business, according to a report this morning in The Wall Street Journal.

A Google representative declined to comment on any discussions with the FTC or the possibility of a broad antitrust investigation.

Google has shed market share to Microsoft over the past year, according to data released last week by research firm Compete.

It’s dropped from 73.9 percent to 63.6 percent, while Microsoft’s Bing has increased its market share to 17 percent.

So far, at least, Google has managed to avoid experiencing what happened to Microsoft at the hands of an ungentle Justice Department, which filed a broad antitrust suit in the late 1990s that eventually included a demand that the Redmond, Wash., company be split into halves.

In 2001, a federal appeals court rejected a breakup but allowed the rest of the case to proceed.

Microsoft was not exactly eager to compromise with Washington, D.C., regulators and bureaucrats. Chief Executive Steve Ballmer once said “to heck with Janet Reno,” the attorney general during the Clinton administration.
For a while, it sounded like Microsoft founder Bill Gates was channeling capitalist doyenne Ayn Rand, saying in 1998 that the technology industry’s successes were due to lack of interference from Uncle Sam, and claiming that “the government is still trying to slow Microsoft down.”

It even launched a Web site, FreeToInnovate.com, which let like-minded souls send a pointed note to their member of Congress.
Google, by contrast, has shown more of a willingness to compromise: In March, it settled an FTC investigation into Google Buzz by agreeing to 20 years of privacy oversight.

A few days later, it inked a deal with the Justice Department, including non-discrimination terms, that let it buy ITA Software for $700 million.

Most prominently, Google abandoned a proposed advertising partnership with Yahoo at the last minute, a move that avoided a near-certain DOJ antitrust lawsuit.

Also this week, a U.S. Senate committee probing antitrust and Internet search topics is threatening to subpoena Google CEO Larry Page or Chairman Eric Schmidt to testify on a hearing that will be held before the August recess.

These types of tussles over witness lists are commonplace: politicians know that a CEO’s appearance will draw more press attention, so they tend to ask for it.

But when Apple was pressed for details about location privacy by a Senate committee last month, it sent a vice president, not CEO Steve Jobs.

Google has been reluctant to provide either Page or Schmidt for the Senate antitrust subcommittee’s hearing, saying other executives would be more appropriate.

Utah Sen. Mike Lee, the senior Republican on the panel, said yesterday he was “very disappointed in Google’s response.”

“We’re in talks with the subcommittee and will send an executive who can best answer their questions,” a Google spokesman said this morning.

Google has proposed David Drummond, its senior vice president and chief legal officer, who also heads its business development and acquisition teams, as the executive best able to address the committee’s concerns.

In 2007, Drummond testified before the Senate antitrust subcommittee about the antitrust implications of the Google-DoubleClick merger.

A year later, he returned to the same panel to discuss the proposed advertising relationship with Yahoo.

A June 10 letter to Google from Lee and Wisconsin Sen. Herb Kohl, the Democratic chair of the subcommittee, said: “A hearing on this important topic would be incomplete without the direct perspective and views from one of Google’s top two executives, each of whom has played a prominent role at the company throughout the last decade.”

LulzSec claims attack on US police website

The hacking collective LulzSec says it has hacked into the website and database of the Arizona Department of Public Safety (DPS) and released details of staff, emails and correspondence on public file-sharing sites.

A number of DPS officers told the Associated Press that they had been inundated with calls to their home and mobile phones from strangers on Thursday night, and that they were trying to change their numbers.

A DPS spokesman confirmed that the agency’s computer system had been breached and was taking additional security safeguards that he wouldn’t disclose.

The hackers said they had specifically targeted the department in that state because of its tough immigration law “and the racial profiling anti-immigrant police state that is Arizona”.

Arizona has introduced tough identification laws which have been criticised by President Obama and others.

However, they have been frozen due to legal challenges.

But even as the details were being released, pressure was growing on the group from rival hackers unhappy about what they see as a lack of discretion in the choices of its targets.

LulzSec has taken credit for hacking into Sony Pictures Europe, a number of games sites including Eve Online and Sega, defacing the PBS website and attacking the CIA website, the US Senate computer systems and the UK’s Serious Organised Crime Agency.

The collective said on its website that it was releasing “hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement.”

The LulzSec group also said it planned to release “more classified documents and embarrassing personal details of military and law enforcement” every week but it was unclear whether other Arizona agencies were targeted.

Meanwhile rival hackers, including one called The Jester – an ex-US military member – have been concentrating on tracking down the group’s website and identifying its members.

The Jester said on Twitter on Thursday that he had traced the Lulz Security website to an ISP in Malaysia, and provided a program for people to help track it down.

Other hackers are also trying to gather data about the group, which the Guardian understands was weakened earlier this month after some members worried about the outcome of attacking US government sites.

In the UK one man, Ryan Cleary, has been arrested by the police and charged with offences under the Computer Misuse Act relating to attacks on a number of sites including Soca’s.

The Maricopa County Sheriff’s Office in Arizona was taking unspecified countermeasures to protect its computer system, officials there said on Thursday night.

Manuel Johnson, a spokesman for the FBI’s Phoenix division, said the agency was aware of the situation but couldn’t comment on whether the FBI was investigating it.

The Arizona Republic reported that experts worked Thursday evening to close external access to DPS’ system.

Page 1 of 33123...102030...Last »