Archive for the 'Internet' Category

Swedish home electronics chain “TeknikMagasinet” sells trojan infected USB memory sticks

According to the Swedish IDG news-service, Swedish home electronic chain “TeknikMagasinet” is selling USB memory sticks (ZAP Slider USB 8G) that are/were infected with a trojan.

An angry reader of IDG’s daily IT newspaper “Computer Sweden” contacted them and shared his story. The reader had bought 3 USB memory sticks, all of them in unbroken casings. All 3 USB memory sticks had 60 megabytes used, and when plugged into a Microsoft Windows Vista computer, the antivirus application reacted and warned that a trojan was present on the memory stick. Microsoft Windows XP was also used as a test subject, and the antivirus application reacted on this platform as well.

The reader claimed to have contacted TeknikMagasinet asking for an explanation, but says that nobody at the home electronics chain ever got back to him.

Christian Ekstrand at TeknikMagasinet says that only a small number in a particular batch of USB memory sticks that TeknikMagasinet manufactures themselves in Taiwan were infected and that “only 50 USB memory sticks were infected” (as far as he knows). Mr Ekstrand says that he can, however, not speak about how many, if any, of the customers of TeknikMagasinet that bought the particular products were affected by the incident. He also says that this is the first incident over the last 4-5 years that TeknikMagasinet has co-operated with the particular plant in Taiwan. Also, he said that the reason why the Computer Sweden reader didn’t hear from TeknikMagasinet was that they weren’t able to reach him, and that they are in no way trying to tone down the incident.

Mr Ekstrand continues to say that “the virus is pretty harmless and for example only tries to steal World of Warcraft login information” and that “the customer should not be at risk if they have an antivirus program installed” (translating / paraphrasing).

A personal reflection here is that I don’t know if I agree with calling a keylogger that tries to steal information and installs itself automatically something minor. Who knows what other information the keylogger can harvest if deployed on a customer’s computer. Would it still be a “minor issue” if the customer ends up losing financial information such as his/her credit card number?

UPDATE: Christian Ekstrand comments in the article’s comment section that the virus came in through a control computer that was used by an employee of the plant to surf privately. Private surfing is prohibited at the plant, Christian says. Check this link for information about the trojan.

The mystery of electricity – or “when wall-sockets attack”

The other night the power went off at my parent’s house, which I was in for the night. This didn’t turn out to be the vanilla power outage where your electricity flickers off and on again, no this one created poltergeist-like effects.

So, the short story is that the power went out at 4 in the morning, nothing odd with that – it happens. Then one hour later, at 5 o’clock, the power flickers on and then goes off again. A couple of minutes later the power comes on again, but something doesn’t seem right. I check the lights, and they seem to be shining weaker. I try to go online, as my DSL modem with attached Linksys access point should have automagically gone online – no go. I check the DSL modem and it looks to be dead. (I swear silently to myself, thinking that I have to get a new modem = more hassle.)

Seconds later I hear a loud humming noise coming out of the speakers next to the office area. Hmm, I start to think to myself (besides hearing sounds “from the other side”) that something must be messed up with the quality of the electricity coming into the house, and I quickly unplug all electronics, fridges and other appliances that might be in danger. (One of the freezers was standing and clicking on its own, and I was actually expecting Pinhead and his cenobites to enter at any moment.)

Next step was to see what actually is coming out of the sockets in the wall, and what do you know?! The voltage is ~110V instead of the regular ~230V as is standard.

While I am lounging around, my dad wakes up (the most alert 70-year-old you’ll see – ever) and we start to check the fuses inside the house – all of which are functioning. In order to find the source of the fault, we go outside to the main fuse box and both check the fuses there – all are alright.

The natural next step is to see what kind of voltage there is on the phases. *woopsie* Only 1 phase out of 3 is working, and the one that is working shows half of what it should – yes, you guessed right: 110V.

As we have gone through all the steps at the local facilities, we then call the energy company, where a perky young lady answers my (not so perky) father on the other end that she will notify the electrician on call. (I was trying to hide my laughter hearing him grunting, newly awake ;-) ) A couple of minutes later, the electrician calls up my father and they discuss the problem. Knowing the area, my father tells the workers what the sources of error have been in the past and awaits their arrival.

When this is done, I go to sleep as I know that there is not much I can do by then. (The time is now around 6.30 in the morning.)

I wake up a couple of hours later, and find out that the error was quite a transient one. A “line fault”, for sure, but only a partial cable break in a cable running under the creek close to my parents’ house. This partial error was transient in nature, to the degree that it didn’t go completely off and the broken cable served as a giant resistor. Thus the low voltage levels and malfunctioning phases at the end-point of the consumer’s facility – aka the border fuse box.

When awake, I switched the DSL modem on again; it worked just fine. It was just a cheap (OEM) AC adapter that only handled ~230V. The Linksys access point worked like a charm, however, as its AC adapter could take both ~110V and ~230V.

Lesson to be learned from all of this: never take electricity for granted – it is actually quite a complex process to produce and bring into your home. (Plus, of course, to watch out for Pinhead when opening the freezer :-) )

Until the next time… keep your fingers out of the sockets.

Critical Wordpress vulnerability, UPDATE NOW!

It is possible for a malicious site visitor to register a special username and gain administrative privileges on your Wordpress Blog. (Described below)

It is recommended to update now!

Wordpress 2.5 Cookie Integrity Protection Vulnerability

Original release date: 2008-04-25
Last revised: 2008-04-25
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
CVE ID: CVE-2008-1930
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>

Systems Affected:

Wordpress 2.5

Overview:

An attacker, who is able to register a specially crafted username on
a Wordpress 2.5 installation, is able to generate authentication
cookies for other chosen accounts.

This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
integrity protection.

If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.

The vulnerability is fixed in Wordpress 2.5.1

I. Description

Since version 2.5, Wordpress authenticates logged-in users through a
cryptographically protected cookie, based on papers by Fu et al [1]
and Liu et al [2]. This measure was introduced partly in response to
vulnerability CVE-2007-6013 [3,4].

The new cookies are of the form:

"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC

Where:

COOKIEHASH:  MD5 hash of the site URL (to maintain cookie uniqueness)
USERNAME:    The username for the authenticated user
EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
MAC:         HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived
             from a secret and USERNAME . EXPIRY_TIME.

The flaw in this scheme is that USERNAME and EXPIRY_TIME are not
delimited in the MAC calculation. Hence the cookie may be modified,
without altering MAC, provided that the concatenation of USERNAME and
EXPIRY_TIME remains unchanged.

This class of vulnerability, the cryptographic splicing attack, was
commented on by Fu et al [1], but Wordpress does not employ their
recommended defence.

An attacker wishing to exploit this vulnerability would therefore
create an unprivileged account with its username starting with
“admin”. The cookie returned on logging into this account can then be
manipulated so as to be valid for the administrator account.

II. Impact

A remote attacker, who can create an account with specially crafted
username, is able to gain administrator level access to the Wordpress
installation. Through standard techniques, this can be escalated to
arbitrary PHP code execution as the web server system user.

III. Solution

Upgrade to Wordpress 2.5.1

Workarounds:

- De-select “Anyone can register” in the Membership section of
General Settings to disable account creation.

References:

[1] Dos and Don’ts of Client Authentication on the Web,
Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster
http://pdos.csail.mit.edu/papers/webauth:tr.pdf
[2] A Secure Cookie Protocol,
Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013
Steven J. Murdoch,
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
[4] http://trac.wordpress.org/ticket/5367

Timeline:

2008-04-22: security@wordpress.com notified
            Confirmation of receipt received
2008-04-25: Wordpress 2.5.1 released incorporating patch
            Vulnerability notice published

Reference: [Link]
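The advisory above describes the cookie layout and why an undelimited MAC input lets two different (USERNAME, EXPIRY_TIME) pairs carry the same MAC. The following Python is an added example, not code from the advisory or from Wordpress itself: it models the 2.5-style MAC next to a length-prefixed variant and gives a defender two checks to run against any such scheme, one asking whether the MAC construction can tell apart field pairs whose raw concatenation coincides, and one asking whether a cookie whose field boundary has been moved still verifies. Assumptions: `SECRET` is a constructed demo key; the advisory’s derived-key step is simplified to HMAC-MD5 keyed directly with the secret (the derived key is built from the same undelimited string, so this does not change the boundary problem); the length-prefixed construction is this example’s own hardening choice and is not a claim about what 2.5.1 shipped; the two constructed field pairs (`admin1`, `2300000000`) and (`admin`, `12300000000`) are chosen only because their concatenations are equal.

```python
import hashlib
import hmac

# Constructed demo secret (assumption): stands in for the site's secret key.
SECRET = b"constructed-demo-secret"

# Constructed pair of (USERNAME, EXPIRY_TIME) values whose undelimited
# concatenations are identical: "admin1"+"2300000000" == "admin"+"12300000000".
PAIR_A = ("admin1", 2300000000)
PAIR_B = ("admin", 12300000000)


def undelimited_mac(username: str, expiry: int) -> str:
    """MAC over USERNAME . EXPIRY_TIME with no separator, as the advisory
    describes for Wordpress 2.5.  Simplification (assumption): the derived
    key is replaced by HMAC-MD5 keyed directly with SECRET; the derived key
    is built from the same undelimited string, so the boundary problem is
    unchanged."""
    payload = f"{username}{expiry}".encode()
    return hmac.new(SECRET, payload, hashlib.md5).hexdigest()


def delimited_mac(username: str, expiry: int) -> str:
    """Hardened form (this example's choice, not necessarily what 2.5.1
    shipped): every field is length-prefixed, so no two distinct
    (username, expiry) pairs serialise to the same MAC input."""
    fields = [username.encode(), str(expiry).encode()]
    payload = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET, payload, hashlib.md5).hexdigest()


def make_cookie(username: str, expiry: int, mac_fn) -> str:
    """Build a cookie value in the advisory's USERNAME|EXPIRY_TIME|MAC layout."""
    return f"{username}|{expiry}|{mac_fn(username, expiry)}"


def verify_cookie(cookie: str, mac_fn) -> bool:
    """Recompute the MAC from the cookie's own fields; constant-time compare.
    Malformed cookies (wrong field count, non-numeric expiry) are rejected."""
    try:
        username, expiry_str, mac = cookie.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return False
    return hmac.compare_digest(mac, mac_fn(username, expiry))


def is_splice_safe(mac_fn) -> bool:
    """Property check for a MAC construction: two distinct field pairs whose
    raw concatenation coincides must NOT yield the same MAC."""
    return mac_fn(*PAIR_A) != mac_fn(*PAIR_B)


def spliced_cookie_accepted(mac_fn) -> bool:
    """Take the cookie legitimately issued for PAIR_A, move its field boundary
    so the fields read as PAIR_B, and report whether verification still passes.
    A sound scheme returns False."""
    issued = make_cookie(*PAIR_A, mac_fn)
    mac = issued.rsplit("|", 1)[1]
    moved = f"{PAIR_B[0]}|{PAIR_B[1]}|{mac}"
    return verify_cookie(moved, mac_fn)


if __name__ == "__main__":
    for name, fn in (("undelimited (2.5 layout)", undelimited_mac),
                     ("length-prefixed", delimited_mac)):
        print(f"{name}: splice-safe={is_splice_safe(fn)}, "
              f"spliced cookie accepted={spliced_cookie_accepted(fn)}")
```

Running the block reports the undelimited layout as not splice-safe with the moved-boundary cookie accepted, and the length-prefixed layout as splice-safe with that cookie rejected. The same two checks apply to any MAC-over-concatenated-fields design, which is the general lesson Fu et al draw: either delimit with a character that cannot appear in the fields, or encode each field’s length, before MACing.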

Ubuntu Hardy Heron (8.04) – a first look at the… software distribution model of Canonical

Parts of my day have been dedicated to creating backup routines and gathering enough space to mirror saved data, and to downloading and later burning the Ubuntu Hardy Heron disc image.

The problem here is… the software distribution system that Canonical (the company behind Ubuntu) uses just doesn’t work very well at the time of a new release. You see, Canonical has local mirrors – and that is all fine, but when you want to access and download the actual ISO image, or perhaps (like myself) get hold of a torrent file in order to actually save Canonical bandwidth, then they rely on local universities out there – universities that just don’t have the infrastructure to even serve the download requests coming in.

So, in the middle of the day I sit and try to get access to the .torrent-file in order to start my download and even help distribute Canonical’s software, but… I can’t!

Canonical needs to decide either to switch its distribution model to rely mainly on distributed data models such as BitTorrent, or to invest more in the physical infrastructure behind its software distribution to the end user.

As it is now, it just does not work very well.

Enough complaints for one day, I am now in the process of installing Ubuntu 8.04 (“fresh upgrade”) on one of my laptops, as this machine is really in need of new and improved acpi drivers/settings etc.
(Yes, you guessed correctly – it is a Dell Inspiron that you can’t close the lid on and/or switch off or it freezes up.)

I will give impressions of Ubuntu Hardy Heron in an upcoming post after I have used the system a bit.

See you soon! :)

“Only in America”

Say, would you like a gunrack with that bed?

The perfect xmas gift! Notice the disclaimer in the end ;-) [link]

Who is your social filter?

There’s a lot of talk about “social media” and “social networks” these days, but what I think really makes a difference for many of us is the social filtering made by one or more (sometimes online) friends.

I have a few good friends who are active within a wide range of areas. One of them is a bleeding-edge kind of software guy (open source / Ubuntu Linux) who both tries out and gives me tips on cool new software for my Ubuntu box (yes, I run both Windows and Ubuntu). Instead of me having to put down time and effort (and sometimes risk) in trying new software, my Linux friend does that job for me.

Another friend is an avid web 2.0 fan, who jumps on basically every site out there. Through him I get reviews of what is good or not, and combining this intelligence with the more general buzz I can decipher what is hot or not.

A third friend is an experienced journalist, and he gives me fresh ideas and angles – especially when it comes to politics, but also other fields.

The fourth friend is a security expert, who shares his deep knowledge from within the security community.

The fifth friend… Well, you get the point – right?! The friendship chain of trust is a very good and (most often) trust-worthy source of information. This is why it is so important to form social bonds with the right people, this is not something that Google, Facebook or Wikipedia can offer you.

In short: never underestimate the value of personal relationships.

Webware 100 winners announced – is this list relevant?

cnet’s web 2.0 blog, “Webware”, has announced its Webware 100 winners list. The question is now: how is this list relevant to anyone in the Internet business? Each of the 10 categories has 10 winners, and every site on the top 100 list is one that anyone who works with the Internet (in any way) has heard of.

The categories are; Browsing, Communications, Community, Data, Entertainment, Media, Mobile, Productivity and Commerce, Publishing, Reference.

Surely, it is a good ego boost for the people behind the services to get recognition, but does it serve any journalistic purpose? I am not so sure about that; Rafe Needleman and the Webware crew are preaching for the already saved. There is no internal ranking of the sites in the individual categories – so how do I as a visitor know which site got more votes than the other? (Yes, alright – they do have a list of the over-all top 10 and the sites that got over 1000 votes, though it doesn’t show the internal ranking in between the sites within each category. Perhaps the over-all statistic material wasn’t enough?! I don’t know…)

From my own perspective I am glad for the Swiss-army-knife-like site Netvibes, which deserves more media coverage – as it is a really nice service to keep track of all your communication needs, ranging from RSS feeds (sites, forums, email, blogs etc), to email, to Skype, to.. yeah – you get the idea.

Google was the company with most services in the top 100-list, yet this is not surprising as they are the biggest site on the Internet.

To the Webware authors; Please make the list more detailed the next time and get a broader statistic foundation (aka get more people to vote on the list), then we’re talking about a relevant list.

RIAA website moved from Windows to Linux

Via slashdot: xseedit writes “The RIAA has moved their main Web site www.riaa.com from IIS on Win2003 to Apache 2.2.3 on Red Hat. It appears that the move did not go smoothly as it resulted in an 8-hour downtime starting yesterday around noon, according to Netcraft. And the RIAA is still showing a ‘temporarily under construction’ page. They also moved their DNS from the small company that had been hosting them for the past 4 years, Tomorrow’s Solutions Today (TST Inc.), to Mindshift Technologies. One can only guess what happened here, but the move seems to have been sudden and unplanned. They still haven’t moved the riaa.org, riaa.net, and musicunited.org domains — those are still pointing to the TST nameservers that no longer accept queries for those domains. TST Inc. deserves credit, however. They seem to have managed to host the RIAA quite successfully for the past 4 years. Will Mindshift do a better job hosting one of the most reviled, and therefore most attacked, Web sites in the world? I wonder if anybody at the RIAA or TST would care to comment on the reasons behind this sudden move. Could it be that the RIAA is being sued by its hosting provider? Or perhaps the sue-happy organization is suing its provider?”

As seen above, RIAA’s website has moved both server environment and ISP (Internet service provider). Comments on slashdot point out the irony of RIAA moving from the closed-source Microsoft Windows Server 2003 to the GPL-licensed Red Hat Enterprise Linux. RIAA is probably one of the prime targets for various attacks (code, DDoS, DoS) on the Internet, and the move to a more resilient environment such as Red Hat Enterprise Linux was probably a necessity in the end. One can also guess that they outgrew the resources that their old ISP, Tomorrow’s Solutions Today, could provide.

What do you think was the reason for switching both server environment and ISP?

The Safari web-browser released and hacked within 24 hours

After the Mac-hack contest announced by CanSecWest in April, Apple has been a popular target for finding security flaws. I should think that the more a brand sells, the more popular it is to hack…

However, the Safari hack must’ve broken some kind of record: 3 minutes after the public beta of Apple’s Safari browser for Microsoft Windows was released, self-proclaimed security expert Aviv Raff found a serious bug in Safari which makes the browser crash and quite possibly opens the browser up for exploits.

Raff was clearly unhappy with Apple’s claim that Safari was designed to be “secure from day one” (he called this claim “pathetic”) but he said he wasn’t particularly going after Apple. “I don’t pick just on Apple,” he said. “I’ve posted about Microsoft and Mozilla issues too.”

It is not clear whether this flaw exists in the Mac OS version of Safari.

In other words: do not think that you’ll be secure just because you opt for Apple OS X (or Ubuntu, or… yes, you get it). Apple, in this case, has been having security issues with their products. An example of that is their multimedia player QuickTime, where serious vulnerabilities went for weeks without being patched.

Via PC World

Playstation 3 & The Ladies of eBay

DVRDude @ Digg wrote the following: “I noticed women of ebay posing provocatively — presumably to boost sales. How did this come about? In an effort to limit fraudulent listings, ebay is requiring PS3 and Wii sellers to photographs of receipts, user names, and consoles… So a few entrepreneurs must have recalled their Advertising 101 ’sex sells’ lesson. I took tons of screen grabs!”

A valid observation, yes indeed – what “DVRDude” didn’t foresee was the need to be prepared for the visitor numbers a digg would bring. Great video clip, thanks for that – but a “less great” idea to embed the video clip you uploaded to YouTube on a web server that couldn’t handle the load ;)

Fact remains: these eBay auctions really show how the times have changed. (Conclusion: I don’t remember when half-naked girls were used for selling second-hand items.) It doesn’t take much time / marketing resources to figure out what sells and what does not. Out of personal curiosity I wonder if the eBay auctions with half-naked ladies got higher end bids than the ones without these bells n’ whistles (that’s a double pun btw ;)).

As the song goes: “Mad World”
