Tech News Weekly: Edition 41

Hi all. I apologize for the name of this post, but no this is not a repeat of last week's news. It seems the script I use to create the post templates had me predicting the news for the coming week as opposed to reporting it for the week past. From now on this will be fixed. See last week's news here. Next, I'd like to thank 40hz for his excellent banner, which I will be using from now on.  Finally, it has been apparent that not being able to link to a specific article makes referencing and replying to the weekly news rather difficult, so I've taken the liberty of adding anchors to the title of each article. From now on, the title of each article will be a hyperlink to that specific article. Try it out by clicking here. Well that's about it, hope you like this week's news.

Last week, a pair of security researchers spread the news that a new class of vulnerabilities, called "clickjacking," puts users of every major browser at risk from possible attack.

Robert Hansen, founder and chief executive of SecTheory LLC, and Jeremiah Grossman, chief technology officer at WhiteHat Security Inc., spilled some beans last week after they gave a semi-closed presentation at OWASP AppSec 2008 in New York.

Researchers have published a cryptographic algorithm and source code that could be used to duplicate smart cards used by several major transit systems, including Boston's Charlie Card and the London Oyster card.

Scientists from the Dutch Radboud University Nijmegen presented their findings during the Esorics security conference on Monday in Malaga, Spain. They also published an article with cryptographic details.

Symantec, the largest maker of computer security and data backup software, said it will pay 310 million pounds sterling and $154 million in US dollars.

The company says its purchase of MessageLabs will give it a stronger position in the rapidly growing Software-as-a-Service (Saas) market and strengthen its lead in the messaging security industry.

MessageLabs is the top provider of online messaging security globally with more than eight million end users at more than 19,000 clients ranging from small business to Fortune 500.

Fear surrounding the growing economic calamity is feeding online criminals' efforts to steal consumers' personal information, computer-security experts say.

The number of fake Web sites, spam e-mail and phishing attacks has mushroomed as cybercrooks seek to take advantage of the sudden widespread alarm, the experts say.

Most scams center on spam and phishing against the backdrop of bank failures, mergers and takeovers, the experts tell USA Today.

The U.S. government is soliciting input on a way to make the Internet's addressing system less susceptible to tampering by hackers.

Under the idea, records in the DNS (Domain Name System) root zone would be cryptographically signed using DNSSEC (Domain Name and Addressing System Security Extensions), a set of protocols that allows DNS records to carry a digital signature.

A security consultant with expertise in protecting phone conversations as they travel over the internet has unveiled a new tool that demonstrates just how vulnerable voice over internet protocol, or VoIP, calls are to interception.

UCSniff bundles a hodgepodge of previously available open-source applications into a single software package that helps penetration testers assess the security of VoIP calls carried over a client's network. It also introduces several new features that make eavesdropping on specific targets a point-and-click undertaking.

UCSniff runs on a laptop that can be plugged in to the ethernet port of the organization being probed. From there, a VLAN hopper automatically traverses the virtual local area network until it accesses the part that carries VoIP calls. Once the tool has gained unauthorized access, UCSniff automatically injects spoofed ARP, or address resolution protocol, packets into the network, allowing all voice traffic to be routed to the laptop.

The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips does not
work. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.

The Russian VXer who created the infamous Gpcode ransomware Trojan has been identified - but an early arrest isn't likely.

With cybercrime way down the priority list in Russia, the malware author - known to the police after security firm Kaspersky Labs winkled out a likely IP number for him - is liable to remain at large for some time.

Black hat hackers were able to steal information from a South Korean missile manufacturer after planting malicious code on the company's computer system, according to news reports.

According to the country's National Security Research Institute, the code was installed on the computer network of LIGNex1 Hyundai Heavy Industries, a manufacturer of guided missiles, ground-to-air weapons, war ships, and submarines.

A revised version of an important security standard for ecommerce merchants was published on Wednesday.

Version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS) mostly tweaks and clarifies the existing framework for the secure processing of credit card data. The 12 existing requirements - covering areas such as the need to used a firewall, store cardholder data securely and encrypt transmission of cardholder data - remain unchanged.

Hollywood's six major movie studios Tuesday sued Seattle-based RealNetworks to prevent it from distributing DVD-copying software they said would allow consumers to "rent, rip and return" movies or even copy friends' DVD collections outright.

The studios stand to lose key revenue from DVD sales, estimated by Adams Media Research at $14 billion this year, if consumers stop buying DVDs and copy rental discs from outlets like Netflix and Blockbuster instead.

Deutsche Telekom, owner of the T-Mobile wireless network, admitted this weekend that the mobile service suffered a data theft in 2006 that may have exposed the personal information of some 17 million customers.

Deutsche Telekom made a statement about the T-Mobile data theft on Saturday, anticipating the release of a story about the breach by the German magazine Der Spiegel on Sunday.

A researcher will demonstrate a free, plug-and-play hacking tool this week that automatically generates man-in-the middle attacks on online banking, Gmail, Facebook , LiveJournal, and LinkedIn sessions -- even though they secure the login process.

Jay Beale, who recently released the so-called “Middler” open-source tool, will show it off at the SecTor conference in Toronto. Aside from the unnerving capability of hacking into sites that perform secure logins and then use clear-text HTTP, Middler is also designed for use by an attacker with no Web-hacking skills or experience. “The Middler allows an attacker with no Web application-hacking experience to launch attacks that previously required substantial time and skill,” according to Beale.

The wildly popular Metasploit hacking tool for the first time is now officially open source, open-license technology that can be incorporated into commercial tools.

The free research and penetration testing tool historically has had restricted, non-commercial licensing so that it could only be used by researchers or in-house penetration testers -- not repackaged, redistributed, or sold. But in the new version 3.2 -- due later this month in its final version -- Metasploit project lead HD Moore and his team have transformed Metasploit into an official open source project, complete with a BSD 3-Clause license arrangement that allows others to sell, rename, or “fork” the code in another direction.

This post should probably be cross-posted over at jobs.ars, because Asus may soon be looking for a new preloaded software department. For a second time this year, preloaded software on Asus's popular Eee line of PCs has show itself to have some unintended content. This time, the Windows versions of Asus' Eee box nettop have been loaded with an infectious computer worm.

Last month, recovery DVDs shipped with Eee netbooks were found to contain a software crack for WinRAR, along with secret Microsoft documents meant to be read only by PC OEMs. The DVD also contained MS software with application keys, and source code for a number of Asus applications. The scandal spread, with users finding the same files on recovery DVDs of other Asus computers, and even more bizarre files, including resumes and personal files of Asus employees. At the time, Asus told PCPro "We will be investigating this at quite a high level. Once the investigation is complete, we will ensure it doesn't happen again."

A federal judge has denied Apple's and AT&T's motions to dismiss a class-action lawsuit filed last year alleging various violations of antitrust and consumer protections laws. The judge agreed to Apple's motion, however, to limit the claims to laws of New York, California, and Washington, where the plaintiffs in the case reside.

The original lawsuit was filed last year after Apple released a contentious 1.1.1 update to iPhone's OS, which "bricked," or rendered inoperable, iPhones that had been modified to work on other carriers and/or run third-party software. When the phones became inoperable, Apple refused to honor the warranty on the grounds that the phones had unauthorized modifications.

For developers who have fallen in love with .Net/C#, but aren't married to running their applications on Windows, the Mono Project aims to let Microsoft .Net-based apps run on Linux and Mac OS X, among several other platforms. Sponsored by Novell, the Mono Project has released Mono 2.0 of its cross-platform, open source .Net development framework.

Basically, Mono 2.0 lets users run both client and server applications on Linux, and helps developers figure out which changes they may need to make to their applications for .Net-to-Linux migrations.

18. Sony, Microsoft Virtual Communities to Start
http://news.wired.com/dynamic/stories/A/AS_TEC_JAPAN_SONY_MICROSOFT?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2008-10-09-08-34-28
Just to tick off the Playstation/X-Box zealots, I thought I better post this article about the two companies blatantly ripping off Nintendo's Mii

Video game rivals Sony and Microsoft are going head-to-head in virtual worlds for their home consoles later this year.

Both companies announced their services, which use graphic images that represent players called "avatars," Thursday at the Tokyo Game Show.

Sony Corp.'s twice delayed online "Home" virtual world for the PlayStation 3 console will be available sometime later this year, while U.S. software maker Microsoft Corp., which competes with its Xbox 360, is starting "New Xbox Experience" worldwide Nov. 19.

iPhone developers are free at last to talk about their applications. Apple has officially dropped the nondisclosure agreement that prohibited developers from discussing the iPhone’s operating system, application code and development kit, according to an announcement made on Apple’s website Wednesday morning.

Meanwhile, across the internet, Ewoks pound drums and sing songs. Or, rather, developers are finally venting their frustration and enjoying the freedom to talk about all their hard work over the last few months without fear of Apple’s retribution.

Is your Saturday morning inbox filled with regret and self-loathing for the drunken e-mails you fired off the night before? If so, Gmail might have a solution for you. Google’s Gmail Labs has a new experimental featured dubbed “Mail Goggles” which will attempt to prevent you from sending out those ill-advised late night e-mails.

Gmail developer Jon Perlow created Mail Goggles as a kind of e-mail sobriety test. It works by stopping your message when you hit send and then presents a series of simple math problems you need to solve before you really send the e-mail.