An angry reader of IDG’s daily IT-newspaper “Computer Sweden” contacted them and shared his story. The reader had bought 3 usb memory sticks and all of them were in unbroken casings. All 3 usb memory sticks had 60 Megabyte used and when plugged into a Microsoft Windows Vista computer, the anti virus application reacted and warned against a trojan being present on the memory stick. Also Microsoft Windows XP were used as a test-subject and the anti virus application reacted on this platform as well.

The reader claimed to have contacted TeknikMagasinet, asking for an explanation, however there was no alleged return-contact by anyone over at the home electronics chain.

Christian Ekstrand at TeknikMagasinet says that only a small number in a particular batch of usb memory sticks that TeknikMagasinet manufacture themselves in Taiwan were infected and that “only 50 usb memory sticks were infected” (as far as he knows). Mr Ekstrand says that he can however not speak about how many , if any, of the customers of TeknikMagasinet that bought the particular products were affected by the incident. He also says that this is the first incident over the last 4-5 years that TeknikMagasinet has co-operated with the particular plant in Taiwan. Also, he said that the reason to why the Computer Sweden reader didn’t hear from TeknikMagasinet was that they weren’t able to reach him and that they in no way or form is trying to tone down the incident.

Mr Ekstrand continues to say that “the virus is pretty harmless and for example only tries to steal World of Warcraft login information” and that “the customer should not be at risk if they have an anti virus program installed” (translating / paraphrasing).

A personal reflection here is that I don’t know if I agree that calling a keylogger that tries to steal information and installs itself automatically as something minor. Who knows what other information the keylogger can harvest if deployed in a customer’s computer. Would it still be a “minor issue” if the customer ends up losing financial information such as his/her credit card number?

UPDATE: Christian Ekstrand comments in the article’s comment section that the virus came in through a control computer that was used by an employee of the plant to surf privately. Private surfing is prohibited at the plant, Christian says. Check this link for information about the trojan.

It is recommended to update now!

Wordpress 2.5 Cookie Integrity Protection Vulnerability

Original release date: 2008-04-25
Last revised: 2008-04-25
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
CVE ID: CVE-2008-1930
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>

Systems Affected:

Wordpress 2.5

Overview:

An attacker, who is able to register a specially crafted username on
a Wordpress 2.5 installation, is able to generate authentication
cookies for other chosen accounts.

This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
integrity protection.

If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.

The vulnerability is fixed in Wordpress 2.5.1

I. Description

Since version 2.5, Wordpress authenticates logged-in users through a
cryptographically protected cookie, based on papers by Fu et al [1]
and Liu et al [2]. This measure was introduced partly in response to
vulnerability CVE-2007-6013 [3,4].

The new cookies are of the form:

“wordpress_”.COOKIEHASH = USERNAME . “|” . EXPIRY_TIME . “|” . MAC

Where:

COOKIEHASH:  MD5 hash of the site URL (to maintain cookie uniqueness)
USERNAME:    The username for the authenticated user
EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
MAC:         HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived
from a secret and USERNAME . EXPIRY_TIME.

The flaw in this scheme is that USERNAME and EXPIRY_TIME are not
delimited in the MAC calculation. Hence the cookie may be modified,
without altering MAC, provided that the concatenation of USERNAME and
EXPIRY_TIME remains unchanged.

This class of vulnerability, the cryptographic splicing attack, was
commented on by Fu et al [1], but Wordpress does not employ their
recommended defence.

An attacker wishing to exploit this vulnerability would therefore
create an unprivileged account with its username starting with
“admin”. The cookie returned on logging into this account can then be
manipulated so as to be valid for the administrator account.

II. Impact

A remote attacker, who can create an account with specially crafted
username, is able to gain administrator level access to the Wordpress
installation. Through standard techniques, this can be escalated to
arbitrary PHP code execution as the web server system user.

III. Solution

Upgrade to Wordpress 2.5.1

Workarounds:

- De-select “Anyone can register” in the Membership section of
General Settings to disable account creation.

References:

[1] Dos and Don’ts of Client Authentication on the Web,
Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster
http://pdos.csail.mit.edu/papers/webauth:tr.pdf
[2] A Secure Cookie Protocol,
Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013
Steven J. Murdoch,
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
[4] http://trac.wordpress.org/ticket/5367

Timeline:

2008-04-22: security@wordpress.com notified
Confirmation of receipt received
2008-04-25: Wordpress 2.5.1 released incorporating patch
Vulnerability notice published

Reference: [Link]

What did dawn on me was that I didn’t disable my plugins before I went a head and updated the software, however this sweat was only momentarily as it the process went without any issues even so.

In any case, don’t hesitate to take the plunge – it is one great piece of kit this Wordpress. Except for the improved internal cache-handling, the backend is a real treat; fast and easy to use. The auto-update of your installed plugins is another nifty feature.

Thank you for your understanding.

I have a few good friends that are active within a wide range of areas, where-as one person is a bleeding edge kind of software guy (open source / Ubuntu Linux) and whom both try out and give me tips on cool new software for my Ubuntu box (yes, I run both Windows and Ubuntu). Instead of me having to put down time and effort (and sometimes risk) in trying new software, my Linux friend does that job for me.

Another friend is an avid web 2.0 fan, whom jump on basically every site out there. Through him I get reviews of what is good or not, and combining this intelligence with a more general buzz I can decipher what is hot or not.

A third friend is an experienced journalist, and he gives me fresh ideas and angles – especially when it comes to politics, but also other fields.

The fourth friend is a security expert, who shares his deep knowledge from within the security community.

The fifth friend… Well, you get the point – right?! The friendship chain of trust is a very good and (most often) trust-worthy source of information. This is why it is so important to form social bonds with the right people, this is not something that Google, Facebook or Wikipedia can offer you.

In short; never understimate the value of personal relationships.

The categories are; Browsing, Communications, Community, Data, Entertainment, Media, Mobile, Productivity and Commerce, Publishing, Reference.

Surely, it is a good ego boost for the people behind the services to get recognition, but does it serve any journalistic purpose? I am not so sure about that; Rafe Needleman and the Webware crew are preaching for the already saved. There is no internal ranking of the sites in the individual categories – so how do I as a visitor know which site got more votes than the other? (Yes, alright – they do have a list of the over-all top 10 and the sites that got over 1000 votes, though it doesn’t show the internal ranking in between the sites within each category. Perhaps the over-all statistic material wasn’t enough?! I don’t know…)

From my own perspective I am glad that the swizz army-knife-like site Netvibes, which deserves more media coverage – as it is a really nice service to keep track on all your communication needs ranging from rss-feeds (sites, forums, email, blogs etc), to email, to skype, to.. yeah – you get the idea.

Google was the company with most services in the top 100-list, yet this is not surprising as they are the biggest site on the Internet.

To the Webware authors; Please make the list more detailed the next time and get a broader statistic foundation (aka get more people to vote on the list), then we’re talking about a relevant list.

Via slashdot: xseedit writes “The RIAA has moved their main Web site www.riaa.com from IIS on Win2003 to Apache 2.2.3 on Red Hat. It appears that the move did not go smoothly as it resulted in an 8-hour downtime starting yesterday around noon, according to Netcraft. And the RIAA is still showing a ‘temporarily under construction’ page. They also moved their DNS from the small company that had been hosting them for the past 4 years, Tomorrow’s Solutions Today (TST Inc.), to Mindshift Technologies. One can only guess what happened here, but the move seems to have been sudden and unplanned. They still haven’t moved the riaa.org, riaa.net, and musicunited.org domains — those are still pointing to the TST nameservers that no longer accept queries for those domains. TST Inc. deserves credit, however. They seem to have managed to host the RIAA quite successfully for the past 4 years. Will Mindshift do a better job hosting one of the most reviled, and therefore most attacked, Web sites in the world? I wonder if anybody at the RIAA or TST would care to comment on the reasons behind this sudden move. Could it be that the RIAA is being sued by its hosting provider? Or perhaps the sue-happy organizaiton is suing its provider?”

As seen above, RIAA’s website has moved both server environment as well as ISP (Internet service provider). Comments on slashdot express the irony they see of RIAA moving from the closed-source environment being Microsoft Windows Server 2003 to the GPL:ed ditto of Red Hat Enterprise Linux.RIAA is probably one of the prime targets for various attacks (code, ddos, dos) on the Internet, and the move to a more resilient environment such as Red Hat Enterprise Linux was probably a necessity in the end. Also, one can figure that they grew out of the resources that their old ISP, Tomorrow’s Solutions Today, could provide.

What do you think was the reason for switching both server-environment as well as ISP?

However, the Safari-hack must’ve broken some kind of record as 3 minutes after the public beta of Apple’s Safari-browser for Microsoft Windows was released, self-proclaimed security-expert Aviv Raff found a serious bug in Safari which will make the browser crash and much possibly open up the browser for exploits.

Raff was clearly unhappy with Apple’s claim that Safari was designed to be “secure from day one” (he called this claim “pathetic”) but he said he wasn’t particularly going after Apple. “I don’t pick just on Apple,” he said. “I’ve posted about Microsoft and Mozilla issues too.”

It is not clear if this flaw exists on the Mac OS-version of Safari.

In other words; Do not think that you’ll be secure just because you opt-in for Apple OS X (or Ubuntu, or… yes, you get it). Apple, in this case, has been having security-issues with their products. An example of that is their multimedia player Quicktime, where serious vulnerabilities went for weeks without being patched.

Via PC World

DVRDude @ Digg wrote the following: “I noticed women of ebay posing provocatively — presumably to boost sales. How did this come about? In an effort to limit fraudulent listings, ebay is requiring PS3 and Wii sellers to photographs of receipts, user names, and consoles… So a few entrepreneurs must have recalled their Advertising 101 ’sex sells’ lesson. I took tons of screen grabs!”

A valid observation, yes indeed – what “DVRDude” didn’t observe was to be prepared to handle the visitor numbers a digg would bring. Great video-clip, thanks for that – but a “less great” idea to embed the video-clip you uploaded to YouTube on a webserver that couldn’t handle the load

Fact remains: These eBay auctions really show how the times have changed. (Conclusion: I don’t remember when half-naked girls were used for selling second hand items) It doesn’t take much time / marketing-resources to figure out what sells and what does not. In my personal curiosity I wonder if the eBay-auctions with half-naked ladies got higher end-bids than the ones without these bells n’ whistles (that’s a double pun btw;)).

As the song goes: “Mad World”

The site is worth a try, if not for the novelty of it! If you have never used a trace-tool, this is an easy start to discover the “hidden” world of the Internet.