TechCrunch

Popular technology blog Techcrunch has been hacked and is currently down with all but a message noting that the site has indeed been compromised.

The blog has experienced frequent downtime of late but as have other blogs who host on Rackspace including, Mashable and The Inquisitr – we fortunately aren’t (we’re with Slicehost, owned by Rackspace interestingly enough).

This case appears different however with other blogs remaining live and Techcrunch admitting they had been targeted with a message that reads:

Earlier tonight techcrunch.com was compromised by a security exploit.
We’re working to identify the exploit and will bring the site back online shortly.

Earlier, presumably when the initial hack took place, text with a link to a rapid share download site was posted:

Oddly enough, sister blog CrunchGear is running smoothly, which indicates that TechCrunch in particular rather than its network was targeted.

The irony here of course, as it would be for us, is TechCrunch is a reliable source for information on site downtime.

More info over at Inquisitr and and Technologizer.

Update:

TechCrunch is now back up, interestingly all comments gone. Stay tuned for more info as to what happened.

Update 2:

A statement now on the blog reads:
“As some people noticed, at approximately 10:30 pm PST on Monday evening the main site in the TechCrunch Network – techcrunch.com – was hacked and redirected. The site was back up briefly at 11:30 pm but shortly went down again. As of 2:00 am, the site is back up and appears to be stable.

At this point we’re still gathering information on how the site was compromised, and will update this post with additional information.”

Source: thenextweb

Microsoft Learned of IE Zero-Day Flaw Last September

Microsoft was aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies but did not patch the hole until Thursday.

The software giant had intended to release a patch for the flaw in February — more than four months after learning about it — but had to speed up that plan and roll it out this week in the wake of news that Google and others had been hacked through the flaw, the world’s largest software maker acknowledged Thursday.

Meron Sellen, a security researcher at BugSec, an Israeli firm, quietly reported the vulnerability to Microsoft in September, according tosecurity firm Kaspersky.

Microsoft confirmed it learned of the so-called “zero-day” flaw months ago.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The flaw, which primarily affected IE6, allowed hackers to download malware to employee computers to gain access to intellectual property at Google, as well as information connected to Gmail users. It’s unknown what the hackers obtained from some 33 other companies — hi-tech, financial and defense — that were also targeted in the attack.

Although Microsoft recognized the severity of the flaw at the time Sellen reported it, the company held off releasing a patch so it could be included in a cumulative update for IE planned next month, the company said.

A zero-day flaw is a vulnerability for which there is currently no patch. It’s also a flaw that is generally unknown to the software vendor, which gives hackers who may be aware of the flaw a jump on developing malware to exploit it.

It’s unknown if other companies were breached through the flaw prior to the high-profile hacks disclosed last week. Most companies are unwilling to acknowledge a breach, let alone provide public details about how they were hacked.

Google disclosed last week it discovered in mid-December that it had been hacked in an attack originating from China, about three months after Microsoft learned of the vulnerability. Adobe followed Google, announcing it, too, was hacked. Security firm iDefense said it had information that at least 34 companies were breached in the coordinated attack.

On Thursday, meanwhile, Microsoft released a cumulative security update for Internet Explorer that fixes the flaw, as well as seven other security vulnerabilities that would allow an attacker to remotely execute code on a victim’s computer.

“Our investigation into this responsibly reported vulnerability began early September,” Jerry Bryant, senior security program manager for Microsoft, said in a statement. “As part of this investigation we began working on an update to help protect customers. We became aware of the recent attacks in mid-January and as part of our investigation determined the vulnerability being used in these attacks was similar to the one investigated in September.

Source: wired

Component Directory Lockdown – New in Firefox 3.6

We hate crashes. When Firefox crashes, we try to get you back on your feet as quickly as possible, but we’d much rather you not crash in the first place. In Firefox 3.6, we are changing the way that some third party software hooks into Firefox which should eliminate a good chunk of those crashes without sacrificing our extensibility in any way. In the process, we’ll also be giving you greater control over the code that runs in your browser.

Background

Firefox is built around the idea of extensibility – it’s part of our soul. Users can install extensions that modify the way their browser looks, the way it works, or the things it’s capable of doing. Our add-ons community is an amazing part of the Mozilla ecosystem, one we work hard to grow and improve.

In addition to the standard mechanism for extending the browser via add-ons and plugins, though, there has historically been another way to do it. Third-party applications installed on your machine would sometimes try extend Firefox by just adding their own code directly to the “components” directory, where much of Firefox’s own code is stored.

There are no special abilities that come from doing things this way, but there are some significant disadvantages.  For one thing, components installed in this way aren’t user-visible, meaning that users can’t manage them through the add-ons manager, or disable them if they’re encountering difficulties. What’s worse, components dropped blindly into Firefox in this way don’t carry version information with them, which means that when users upgrade Firefox and these components become incompatible, there’s no way to tell Firefox to disable them. This can lead to all kinds of unfortunate behaviour: lost functionality, performance woes, and outright crashing – often immediately on startup.

In Firefox 3.6 (including upcoming beta refreshes), we’re closing this door. Third party applications can still extend Firefox via add-ons and plugins the way they always could, but the components directory will be for Firefox only.

What Does This Mean For Me?

If you’re a Firefox user, this should be 100% positive. You don’t have to change anything, your regular add-ons should continue to work properly – you just might notice fewer crashes or odd bugs. If you do notice that something has stopped working, particularly a third party addition to Firefox, you might want to contact the producer of that addition to ensure they know about the change.

If you’re a Firefox component developer, this shouldn’t be a big change, either. If you’re already packaging your additions as an XPI, installed as an add-on it’s business as usual. If you have been dropping components directly, though, you’ll need to change to an XPI-based approach. Our migration document on the Mozilla Developer Connection outlines the changes you’ll need to make, and should be pretty straightforward. The good news is that once you’ve done this, your add-on will actually be visible to users and will support proper version information so that our shared users are guaranteed a more positive experience.

If you haven’t downloaded the new Firefox beta yet, and want to give it a spin, you can find a copy here.

Source: mozilla developer center

FireFox

Mozilla developers have blocked a Firefox plugin that was quietly pushed out by Microsoft, saying that it presents a security risk.

Microsoft shipped the Firefox add-on as part of a .Net software update last February, causing outrage among some Firefox users, who complained that the software was sneaked onto their systems without their knowledge or approval and was extremely difficult to remove.

On Tuesday, Microsoft warned that Firefox users who have not applied a recent Internet Explorer patch were vulnerable to a “browse-and-get-owned attack” because of a bug in the Microsoft .Net Framework Assistant add-on.

“All that is needed is for a user to be lured to a malicious website,” Microsoft said. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application).

The flaw is a nasty one, but users who have installed the MS09-054 IE update, released Tuesday are protected from this attack, “regardless of the attack vector,” Microsoft said.

To protect users who may not have installed Microsoft’s patch, Mozilla is automatically blocking two add-ons: the Microsoft .Net Framework Assistant and a related plugin called the Windows Presentation Foundation. The open-source browser started blocking the software late Friday night.

“Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism,” wrote Mozilla Vice President of Engineering Mike Shaver in a blog posting. “Microsoft agreed with the plan, and we put the blocklist entry live immediately.”

Buggy plugins are a growing problem, as cyber criminals have increasingly leveraged flaws in products such as Adobe Flash Player and QuickTime to launch browser-based attacks. Earlier this week, Mozilla launched a Plugin Check site where Firefox users can see if their plugins are up-to-date.

Source: PCWorld

Apple has released a software patch to address a recently described security flaw in the iPhone.

Experts revealed on Thursday that modified SMS messages could result in iPhones being disconnected from the network or hijacked altogether.

Apple said phones incorporating other mobile operating systems, such as Windows Mobile and Google Android, were also potentially vulnerable.

It added that no-one had actually used the flaw to gain access to an iPhone.

A spokesperson for O2, the iPhone’s service provider in the UK, said: “We will be communicating to customers both through the website and proactively. We always recommend our customers update their iPhone with the latest software and this is no different.”

Access all areas

Charlie Miller and Collin Mulliner told the Black Hat conference in Las Vegas that the hack works by slightly modifying the data – sent by the network and which the user does not see – that arrives as part of a text message.

The system that processes such messages is similar across different operating systems and can, once compromised, gain access across a range of applications including a phone’s address book or camera.

The team say that hackers could develop programs to exploit the weakness in as little as two weeks, but told the conference that publicising the means of attack was necessary to ensure the problem was addressed.

“If we don’t talk about it, somebody is going to do it silently. The bad guys are going to do it no matter what,” Mr Mulliner, an independent security expert, said.

The team wrote software to exploit the weakness, targeting iPhones on four networks in Germany as well as AT&T in the US. However, they believe it would work equally well in any country.

The approach is particularly dangerous because messages are delivered automatically, and users cannot tell that they have received the malicious code.

The problem could be fixed by directly patching the vulnerability in smartphones’ operating systems, or the network providers could scan for messages that look to be trying to gain access to phones via the malicious code.

The researchers said they had informed Google of the hack and that the company had already taken steps to address the problem.

The Black Hat gathering, part of a leading series of conferences for information and computer security experts, took place from 25 to 30 July.

Apple were not available to comment on the flaw.

Source: BBC News

An update for Blackberry users in the United Arab Emirates could allow unauthorised access to private information and e-mails.

The update was prompted by a text from UAE telecoms firm Etisalat, suggesting it would improve performance.

Instead, the update resulted in crashes or drastically reduced battery life.

Blackberry maker Research in Motion (RIM) said in a statement the update was not authorised, developed, or tested by RIM.

Etisalat is a major telecommunications firm based in the UAE, with 145,000 Blackberry users on its books.

In the statement, RIM told customers that “Etisalat appears to have distributed a telecommunications surveillance application… independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user’s smartphone”.

It adds that “independent sources have concluded that the Etisalat update is not designed to improve performance of your BlackBerry Handheld, but rather to send received messages back to a central server”.

The concern over this unauthorised access only came to light when users started reporting problems with their handsets.

After downloading the update, users across the country noticed significantly reduced battery life, poor reception and in some cases, handsets stopped working altogether.

Users have complained that the firm’s customer service is unable to provide information on the problem. Initial advice led many users to simply buy new batteries.

‘Surveillance solutions’

The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of “lawful electronic intercept and surveillance solutions”.

It is not clear why Etisalat wanted to include the software in the download.

The firm issued a brief statement last week, calling the problem a “slight technical fault”, saying that the “upgrades were required for service enhancements”.

Etisalat told BBC News that it stands by last week’s statement and has not yet responded to further requests for comment.

“There may be a good reason they wanted to install the software,” said one Blackberry user in Dubai who did not want to be named.

“But my biggest problem is that my phone won’t work. If you call customer service you either can’t get through, or they don’t know what to tell you. I don’t know what to do.”

RIM has now issued its own update allowing users to remove the application. Customers of the country’s rival service, Du, have not been affected.

Source: BBC News

Mozilla has announced the availability of Firefox 3.5.1, the first minor point release in the 3.5 series. The purpose of this release was largely to patch a critical security vulnerability that was found in the browser’s new TraceMonkey JavaScript engine.

In a report submitted to Mozilla’s bug tracking system on July 9, Firefox user “zbyte” described a bug that causes the browser to crash when text is typed into an input box in the site apport.ru. Firefox developers attempted to isolate the bug and produce a minimal test case that exhibits the crash. They determined that the apport.ru crasher was triggered by a certain usage of JavaScript’s “escape” function, which performs string encoding. The underlying problem, however, is a tracing bug.

Last year, Mozilla announced a project intended to significantly boost Firefox’s JavaScript execution performance by introducing new optimization techniques and a just-in-time (JIT) compilation engine. They added Adobe’s nanojit native code generator to SpiderMonkey, the browser’s existing JavaScript interpreter. To further boost performance, they used an optimization technique called tracing that was pioneered by research scientists Dr. Michael Franz and Dr. Andreas Gal. The resulting hybrid engine, which they call TraceMoneky, is enabled by default in Firefox 3.5.

Tracing optimization involves recording the path of execution and generating fragments of native code that can be used on subsequent execution of the same path. This method of optimization has a small memory footprint and is highly effective for dynamic programming languages like JavaScript.

When the TraceMonkey runtime is executing a trace, it uses mechanisms referred to as “guards” to determine if the code it has recorded is still applicable to the current path of execution. When it is not, it will “bail” and return to the interpreter. When this happens during the execution of a real native function, such as one that is coded in C, it is called a “deep bail.” The Firefox bug behind the vulnerability that led to the 3.5.1 release relates to how the runtime cleans up after a deep bail.

“This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter,” wrote Mozilla’s Blake Kaplan in a comment on the bug report. Kaplan later attached patch that Gal wrote to fix the issue.

Security researchers discovered the bug report in Mozilla’s bug tracker and determined that the bug was exploitable. Simon Berry-Byrne published an example using Mozilla’s test case that demonstrates how a malicious web page could use heap spraying to exploit the vulnerability and execute arbitrary code.

The security researchers would likely not have discovered the issue if it had been marked as hidden in Mozilla’s bug tracker, which is a common practice that the organization uses when dealing with bugs that could have serious security implications. Gal commented that the emergence of an exploit was “self-inflicted” because this step wasn’t taken. In any case, the Firefox 3.5.1 update was issued quickly in response to the exploit.

Following the release of Firefox 3.5.1, researchers Berry-Byrne and fellow researcher Andrew Hayes discovered another bug that can be exhibited in certain conditions with the “escape” function. They have published a demonstration of this second bug at milw0rm, but have incorrectly characterized it as a stack overflow issue. Contrary to the report issued by the national vulnerability database, this second bug is not, in fact, exploitable.

In a post at the Mozilla security blog, Mozilla VP of engineering Mike Shaver says that Mozilla is conducting further investigation into the issue, but is confident that it is not a vulnerability.

Source: ars technica

President Obama on Friday said the U.S. government is “not as prepared” as it should be to respond to disruptions caused by computer or Internet attacks and announced that a new cybersecurity coordinator position would be created inside the White House staff.

The still-to-be-named coordinator will oversee a new bureaucracy tasked with digital infrastructure protection, which had previously been handled by the Department of Homeland Security. “We will ensure that these networks are secure, trustworthy and resilient,” Obama said. “We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”

Obama’s announcement, which was expected, came as the president released the outcome of a 60-day review that sought to rethink how the federal government should address cybersecurity. Business groups had sought to raise cybersecurity’s profile in the administration but remained wary about regulatory mandates from Washington; security hawks would prefer the new bureaucracy to have more authority over the private sector.

The final report represents a political compromise. It suggests “intrusion detection and prevention systems” and “warning of cyber intrusions and attacks,” while stressing that collaboration with privacy groups and industry is vital. New laws compelling companies to share more information with the federal government about intrusions may be necessary, it says, but only “as a last resort.”

During his remarks in the White House’s East Room on Friday, Obama also seemed to seek a balance between warning of the dangers of terrorists or other miscreants using the Internet and saying the government will not go too far. “Our pursuit of cybersecurity will not — I repeat, will not include — monitoring private sector networks or Internet traffic,” he said.

The report also goes out of its way to recognize the civil liberties concerns that could arise by a greater focus on private networks: the word “privacy” appears no fewer than 69 times in the document.

In a cybersecurity “crisis,” the plan is for the coordinator to become the “White House action officer for cyber incident response.” That’s a similar role to the White House officials who help to monitor terrorist attacks or natural disasters. (The new coordinator’s fiefdom will be shared between the National Economic Council and the National Security Council.)

While there has been some private grumbling that the new coordinator will not report directly to the president — a prized symbol of access in Washington circles — reaction to the administration’s announcement was generally positive.

Senators John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine), members of the Commerce and Intelligence committees, said in a statement that “no other president in American history has elevated this issue to that level and we thank (Obama) for his leadership.” The Center for Democracy and Technology said it “is evident that the report’s authors listened to the concerns of privacy and civil liberties groups.”

Cybersecurity headaches

The origin of many of the feds’ cybersecurity headaches can be traced back to the process that led to the creation of the Department of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.

“The department will gather and focus all our efforts to face the challenge of cyberterrorism,” President Bush said when signing the 500-or-so-page bill into law in November 2002. “This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack.”

Some tasks might benefit from centralization in one of the world’s largest bureaucracies. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be “unprepared” for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a “cybercrisis.”

That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its “information assurance” arm, or perhaps the White House staff.

Lending an unusual spice to what would normally be a quiet, internecine power struggle was March’s resignation of Rod Beckström, director of Homeland Security’s National Cybersecurity Center. In his farewell letter, Beckström blasted what he said was an NSA power grab, saying the secretive military agency “effectively controls DHS cyber efforts through detailees, technology insertions.”

The week before Beckström’s resignation, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying “there are some wizards out there at Fort Meade.” But a few weeks later, after a congressional hearing that was hardly enthusiastic about the idea, NSA director Keith Alexander denied his agency had any interest in the job.

In February, Obama ordered a 60-day review of the federal government’s cybersecurity efforts, and appointed Hathaway — who had worked for the director of national intelligence in the Bush administration — to lead it.

In addition, The New York Times reported on Friday that the Pentagon is preparing a new military command for cyberspace that would operate in parallel with the civilian effort that Obama is expected to announce. He is “expected to sign a classified order in coming weeks that will create the military cybercommand” and recognize “that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use,” the newspaper said.

During Friday’s remarks, Obama noted that his campaign had been the subject of a cyber intrusion in which hackers accessed policy papers and travel plans but not fundraising data.

Source: CNET News – by Declan McCullagh

Facebook stopped a phishing attack on Thursday, its second day in a row of dealing with a worm on the site that lures people to a fake Facebook page and prompts them to log in.

Unsuspecting Facebook users get a message from a friend urging them to “check this out” and including a link to a Web page that appears to be a Facebook log-in page, but it is a fake site that steals their information when they type in their username and password. The worm also sends a copy of the message to the infected Facebook member’s contacts.

In the latest attack, the Web address was “FBStarter.com.” In Wednesday’s attack, the address was “BAction.net.”

The attacks were stopped within a few hours in each case, said Facebook spokesman Barry Schnitt. He said it was too early to say whether the two phishing attacks are related. “We are investigating,” Schnitt said.

Once Facebook learns of a phishing attack, either by members notifying the company or employees noticing that a URL is being distributed to a lot of people, the company deletes the URL from members’ pages, blocks fresh postings, and removes the redirect to the URL that appears in e-mail messages, Schnitt said.

Facebook also goes in and resets the passwords of member accounts that had been used to distribute the spam, he said.

The company also alerts anti-fraud partner MarkMonitor, which passes the phishing URL on to the major browsers to block it and contacts ISPs to take the site down, according to Schnitt.

To protect against phishing scams, Facebook users should make sure that the URL they are visiting says “www.facebook.com.” If it doesn’t use that domain it’s likely to be spam. Also, members that are already logged in to Facebook will not be asked to log in again.

“People should have a healthy dose of suspicion, and ask themselves ‘why did I get logged out?’” Schnitt said. “If something looks a little strange you should check the address bar.”

Facebook users who think they have been affected by the scam should change their passwords and review their Facebook stream for any unauthorized changes. If they use their Facebook password for other sites, they should change those passwords as well.

And if they are using their Facebook authentication to log in to any other sites, they should check for any unauthorized changes on those sites.

Source: CNN

Federal authorities aren’t looking to prosecute them, but to pay them to secure the nation’s networks.

General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could “think like the bad guy.” Applicants, it said, must understand hackers’ tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems.

In the Pentagon’s budget request submitted last week, Defense Secretary Robert Gates said the Pentagon will increase the number of cyberexperts it can train each year from 80 to 250 by 2011.

With warnings that the U.S. is ill-prepared for a cyberattack, the White House conducted a 60-day study of how the government can better manage and use technology to protect everything from the electrical grid and stock markets to tax data, airline flight systems, and nuclear launch codes.

President Barack Obama appointed a former Bush administration aide, Melissa Hathaway, to head the effort, and her report was delivered Friday, the White House said.

While the country had detailed plans for floods, fires or errant planes drifting into protected airspace, there is no similar response etched out for a major computer attack.

David Powner, director of technology issues for the Government Accountability Office, told Congress last month that the U.S. has no recovery plan for a digital disaster.

“We’re clearly not as prepared as we should be,” he said.

Administration officials says the U.S. has not kept pace with technological innovations needed to protect its computer networks against emerging threats from hackers, criminals or other nations looking for national security secrets.

U.S. computer networks, including those at the Pentagon and other federal agencies, are under persistent attack, ranging from nuisance hacking to more nefarious assaults, possibly from other nations, such as China. Industry leaders told Congress during a recent hearing that law enforcement and other protections are too outdated to fend off threats from criminals, terrorists and unfriendly foreign nations.

Just last week, a former government official revealed that spies had hacked into the U.S. electric grid and left behind computer programs that would let them disrupt service. The intrusions were discovered after electric companies gave the government permission to audit their systems, said the ex-official, who was not authorized to discuss the matter and spoke on condition of anonymity.

Cyberthreats are also included as a key potential national security risk outlined in a classified report put together by Adm. Mike Mullen, chairman of the Joint Chiefs of Staff. Pentagon officials say they spent more than $100 million in the last six months responding to and repairing damage from cyberattacks and other computer network problems.

Nadia Short, vice president at General Dynamics Advanced Information Systems, said the job posting for ethical hackers fills a critical need for the government.

The analysts keep constant watch on the government networks as part of a program called Einstein that was initiated by the Bush administration under the U.S. Computer Emergency Readiness Team.

Short said the $60 million, four-year contract with US-CERT uses the ethical hackers to analyze threats to the government’s computer systems and develop ways to reduce vulnerabilities.

Faced with such cyberchallenges, Obama ordered the 60-day review to examine how federal agencies manage and protect their massive amounts of data and what the government’s role should be in guarding the vast networks that control the country’s vital utilities and infrastructure.

Over the past two months, Hathaway met with hundreds of industry leaders, Capitol Hill staff and other experts, seeking guidance on what the federal government’s role should be in protecting information networks against an attack. She sought recommendations on how officials should define and report cyberincidents and attacks; how the government should structure its cyberoversight; and how the nation can increase security without stifling innovation.

A task force of technology giants, including representatives from General Dynamics, IBM, Lockheed Martin and Hewlett-Packard Co. urged the administration to establish a White House-level official to lead cyberefforts and to develop ways to share information on problems more quickly with the private sector.

The administration has struggled with the basics, such as who should control the nation’s cyberspace programs. There appears to be some agreement now that the White House should coordinate the overall effort, rejecting suggestions that the National Security Agency take it on — a plan that triggered protests on Capitol Hill and from civil liberties groups worried about giving such control to spy agencies.

Source: Yahoo! & AP