Wednesday, February 07, 2007

Hackers crack Vista Activation Server

Pirates have released another ingenious workaround to Vista's copy protection: a hacked copy of Microsoft's yet-to-be-released volume licencing activation server, running in VMware.

Volume Activation 2.0 is one of the more controversial features of Vista: it means that every copy of Vista has to be activated, even the Business/Enterprise volume licenced editions.

However, to make life easier for administrators, Microsoft worked in a more convenient in-house system for en masse activation of PCs, called KMS – Key Management Service.

The idea behind KMS is that you have a single PC running KMS which can then handle activation for all your Vista clients, so that they don’t have to connect back to Microsoft every single time.

The downside of KMS is that the activation is only good for 180 days, to discourage people bringing in their home systems, activating them and wandering off again.

Bearing in mind that KMS wasn’t scheduled to be released until next year, pirates have managed to get hold of KMS and produce a standalone, fully-activated KMS server called “Windows Vista Local Activation Server – MelindaGates”. Tongue-in-cheek of course…the first “cracked” version of Vista was called Vista BillGates.


Monday, January 22, 2007

Contextual Link Exchange Programs

Stop exchanging reciprocal links!
If you maintain a blog or general website and your inbound links are primarily coming from back-end links pages, you are probably noticing that this is becoming less and less effective. Even if the pages are based on a theme, they are still not passing very much reputation, since they are on pages with hundreds of links.

Start swapping contextual links.
It is much more effective to get links embedded within the context of an article or blog that is based on the same theme as your site. If you use appropriate anchor text, this can greatly supplement your SEO efforts. Not only will your pages rank higher in the search engines, you will also be building residual traffic from the content pages linking to you.
This is really common sense. If you place yourself in the shoes of the people who are visiting your contextual partner's site, would you be more likely to be interested in a page linked from the article you are reading or in a page within their link exchange directory? I don’t know about you, but I often visit pages linked to from articles. I also stay away from back-end directories like they are a pit filled with poisonous snakes.

So how do you kick the reciprocal habit?
You could simply search for related articles and contact webmasters with contextual exchange proposals. This method is a little tedious. It works but it is not always time efficient. Many webmasters prefer simple directory submission.
Another, more efficient, option is to join the V7 Contextual Link Network. Contextual Links @ V7N provides the perfect link - the ideal link - by design. The link is no longer a matter of happenstance, random haphazard or something to be left to divine intervention. The perfect link is now a commodity.

Conclusions

Websites building perpetual traffic as opposed to disposable traffic are much more likely to sustain themselves. Writing web content is an excellent way to build passive income. An article can potentially pull visitors from search engines for years. In my opinion self sustaining websites or pages are the basis for building larger and larger income streams.

Webmasters have the option to display additional ads to increase the EPM. Although this may have short-term benefits, it can be damaging in the long term. If the end user is dissatisfied with the number of ads on the site, they may not return in spite of the quality of content. This is what I call “disposable traffic”.

After all, you could always hit up Google and search for your site topic and look out for sites providing targeted links. ;)


Saturday, January 20, 2007

$12,000 for a serious Vista or IE 7 bug

Bug hunters of the world, VeriSign's iDefense has an updated bug bounty challenge for you.

For the current quarter, the company will pay $8,000 for a security vulnerability that lets an attacker remotely gain control over a computer running Microsoft's Windows Vista or Internet Explorer 7, the company said on its Web site. iDefense will pay for a maximum of six vulnerabilities; if more are reported, only the first six will qualify, it said.

In addition to the $8,000 award for the submitted vulnerability, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability, the company said.

Internet Explorer 7 is the latest version of Microsoft's widely used Web browser and Vista is the newest release of its operating system. Microsoft has promoted both as its best work yet in terms of browser and operating system security.

The "quarterly hacking challenge" is part of iDefense's existing bug bounty program. The company started the challenges last year. Previous ones focused on Microsoft software in general, databases, Web browsers and instant message applications. The typical bounty has always been $10,000.

A few companies offer monetary rewards for pinpointing software vulnerabilities. These are mostly security companies that pay for flaws found in other companies' software products. The payouts are used to gain a competitive edge over rivals by having their security products recognize more vulnerabilities. The security companies typically report the issues to the applicable vendors so a patch can be produced.

Flaw finders could also sell vulnerability information to cybercrooks on underground online markets.

Microsoft doesn't agree with paying for vulnerability details, the company has said. Instead, the company works with security research and security software companies.

Posted by Joris Evers


Monday, January 01, 2007

Criminals Loved Password Stealers In 2006

A lot of the spam that crawled into inboxes all over the world arrived with one mission - trick the person into dropping a password stealing program onto the system.

Once in place, the majority of those password stealers looked for a specific category of logins. Bank and financial institution passwords offered the criminal spammers the greatest potential for a payoff, so the programs they created looked for those.

Password stealers became much more numerous in 2006. Researcher Francois Paget at McAfee blogged how such programs increased by 240 percent for 2006.

The majority of those password stealers, about 62 percent of the group, sought out financial information. Gamers should be wary of them as well, as Paget noted 18 percent of these programs targeted logins for MMORPGs like World of Warcraft.

A smaller number, 10 percent, sought out social networking and instant messaging login information. That could indicate a belief that many people tend to use the same login information to access other, more lucrative sites, making a theft of such details key to accessing other websites.

Spam has been the vector for criminal activities like these, but as new technologies gain mainstream usage, the attacks shift as well. One password stealer dubbed PWS-JO was discovered recently traveling across Skype's VoIP network.

That password stealer also had the capability to connect to a remote site and bring in additional components. However, McAfee said in its description of the program that the particular site no longer appears to be accessible.

During 2006, McAfee observed the number of password stealers jump from 5,000 to 12,000. That can only increase over time.


PHP security under scrutiny

PHP = pretty hard to protect?

A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based web applications.

A search of the database, maintained by the National Institute of Standards and Technology (NIST), found that web applications written in PHP likely account for 43 per cent of the security issues found so far in 2006, up from 29 per cent in 2005. While flaws in the language itself account for a very small percentage of the total, the problems with PHP underscore the difficulty that developers - many of them amateurs - have in locking down applications written in the language, said Peter Mell, senior computer scientist for the NIST and the program manager for the National Vulnerability Database.

"In the dynamic programming language (and) scripting realm, we certainly have a problem," Mell said. "Any time a third or more of the vulnerabilities in a given year are attributed to a single language, you know you have a problem."

The concerns come as attackers and security researchers have increasingly focused on finding flaws in web applications. Earlier this year, one researcher highlighted the upward trend in web flaws in general, and PHP in particular, when data for the first nine months of 2006 showed that vulnerabilities in web applications had taken the top three spots in a list of most common flaws. The researcher, Steven Christey, found that about 45 per cent of the vulnerabilities found as of September were either cross-site scripting flaws, database injection bugs, or PHP file inclusion vulnerabilities.

At the heart of the debate is the popular language, PHP - an acronym that originally stood for Personal Home Page tools when it was a small project created by Rasmus Lerdorf in 1994. Two Israeli developers, Zeev Suraski and Andi Gutmans, rewrote the language parser in 1997 and changed the name to PHP: Hypertext Preprocessor, adopting the recursive naming convention historically used by some Unix programs. The language is now used by websites hosted on nearly 20 million domains and 1.3 million IP addresses, according to data collected by Internet monitoring service Netcraft for its October 2006 survey.

The popular dynamic web programming language came under scrutiny last week after a longtime developer, Stefan Esser, left the PHP Group's internal security team, criticising its members for not responding quickly to security issues. Members of the PHP Group fired back at Esser, stating his reasons for leaving were less about security and more about not working together with the team.

Esser quit the PHP security team on 9 December, after a rocky relationship with the group, but claimed that security issues constituted his main reason for leaving.

"The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile," Esser wrote in his blog. "The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user, but the moment you criticise the security of PHP itself you become persona non grata."

Esser promised to publicly release more advisories on the security holes he finds in PHP and will not hold back, even if there is not a patch available for the problem, he said. Esser did not respond to requests for comment from SecurityFocus.

The PHP Group and Zend, the company founded by the two original Israeli developers that rewrote PHP in the mid-1990s, have disputed Esser's version of events.

"I do not believe the main reason for his disengagement has to do with the way we deal with security issues, but the way he interacted with other people on the team," said Zeev Suraski, co-chief technology officer for Zend. Suraski also stressed that the PHP Group has looked for ways of making web applications written in the language more secure, in spite of less security-savvy developers. The move away from making a set of global variables accessible by PHP scripts, for example, attempted to make the language more foolproof, he said. It also took more effort to develop than to create version 5.0 of the language, Suraski said.

"We have shown in the past that we are willing to change defaults and sometimes to remove features, just to make it more difficult for developers to make security mistakes," Suraski said.


Yet, mistakes are still being made and in record numbers.

A search of the National Vulnerability Database revealed that, as of 15 December, out of the 6,198 vulnerabilities recorded in 2006, as many as 2,690 - or 43 per cent - had the word "PHP" in the description. A random sampling of the flagged flaws showed that the search appeared to only reveal issues in PHP applications. A search of the database using "PHP" as a vendor flagged some 84 vulnerabilities for 2006 (including in optional components of the language, such as PEAR), while a search using "PHP" as the product returned 33 bugs, ostensibly in the core functions.

The vast number of bugs attributed to PHP applications is not surprising given that many amateur developers create their websites using the language, said NIST's Mell.

"I think it is tough for the general public to write secure dynamic web applications," he said. "As much as possible scripting languages for Web sites should be dummy proof. In many incidences, I, a security professional, wondered how to code some bit securely. I wanted to, but how to do it was not immediately obvious."

Flaws in PHP applications have caused headaches for many webmasters. A year ago, the Lupper worm spread among vulnerable applications that used the PHP extensions for extensible markup language (XML), or RPC-XML. Other worms have utilised flaws in popular PHP bulletin board programs as well.

Continuing to educate PHP developers on the latest techniques to secure their applications is extremely important, said Chris Shiflett, a manager in the web application security practice at OmniTI and author of O'Reilly's Essential PHP Security.

"To say PHP has a security problem suggests that it's impossible to develop a secure PHP application, but to say PHP doesn't have a security problem suggests that everything is perfect - neither is true," Shiflett said. "Web application security is a rapidly evolving discipline, and it's difficult for the average developer to keep up with the pace."

Developers need to start thinking about security as soon as they start designing their applications, he said. Moreover, the focus on securing code needs to continue throughout the life of the website, he added.

"Over time, web application security should start to mature just as other security disciplines have, but that only means the pace of evolution will slow down, not stop," Shiflett said.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus


Bots, breaches and bugs plague 2006

Online fraudsters, big-time spammers and computer intruders had little problem finding security holes to exploit in 2006.

Whether the openings came from user ignorance or poor judgment, a software maker's error or misconfiguration, the profiteers of the Internet had a banner year turning the security mistakes of others into money.

Signs of the trend are obvious. The number of phishing sites used by online fraudsters jumped more than eight-fold year over year, according to the Antiphishing Working Group. The number of denial-of-service attacks doubled between January and June, according to Symantec, the owner of SecurityFocus. And, mail service provider MessageLabs intercepted, on average, one targeted Trojan horse attack every day in 2006, up from one a week in 2005.

If there is a lesson in 2006, it's that cybercrime is a booming business.

"Cybercrime and the criminals behind malware are getting more and more organized," Karel Obluk, chief technology officer for antivirus firm Grisoft, told SecurityFocus. "They can afford to hire professionals, and it is becoming a business for many people."

The trend is quickly making the de facto term for such code--malicious software or malware--a misnomer. The virus writers and spyware coders are not creating the code for malicious reasons but to make money illegally, making the term coined by antivirus firms--crimeware--more appropriate.

For example, spammers are using bot nets--large numbers of compromised computers controlled by a single person--to help them send a greater volume of messages. The development has increased the global volume of spam by at least a third in the last six months, according to Symantec, though other firms put the increase as high as 450 percent.

When one firm, Blue Security, claimed to have impacted the operations of major spammers, one bulk e-mailer decided to take on the Israeli company. A sustained denial-of-service attack took down the company's Web site, domain registrar and blog site. The company eventually capitulated and closed its doors.

"This is their primary form of employment now--it's a 9-to-5 job," Oliver Friedrichs, senior director for Symantec Security Response, said in a recent interview. "They are not doing it on weekends, and they are not doing it during the summer months."

Other cybercriminals are taking a more personal approach: hijacking people's stock accounts and using the access to drive up the price of certain thinly-traded penny stocks has also become popular. Details of one scheme appeared in the court papers filed by the U.S. Securities and Exchange Commission (SEC) in support of a civil action against one apparent stock scammer. A Russian national allegedly used a company registered in Belize and based in Estonia to execute trades in stock whose prices had been manipulated by compromised accounts.

Such attacks are not isolated incidents. Account intrusion has resulted in $22 million in losses in the third quarter alone for two U.S. financial firms. TD Ameritrade posted $4 million in losses in their third quarter to account for replacing the funds customers lost due to account hijacking. E*Trade Financial reported that online identity theft by hackers cost them $18 million in the same period.

Identity theft, of course, continued to be a major worry in 2006. Because of data breach disclosure laws that have passed in the majority of states, companies, government agencies and schools regularly released details of significant data leaks.

In May, the Department of Veterans Affairs revealed that the names, social security numbers and birth dates of nearly 26.5 million veterans had been stored on a laptop and external hard drive that were stolen from an employee's home. The laptop and hard drive were later recovered, but the incident resulted in the federal government tightening data handling and laptop security rules.

Both the University of California, Los Angeles and the University of Texas at Austin reported major breaches this year affecting hundreds of thousands of students.

In total, more than 48 million personal records were exposed in 2006, according to the Data Loss Archive and Database maintained by Attrition.org.


Firefox update guards against critical flaws

Patch issued, calamity averted

By John Leyden

Firefox users need to upgrade their browsers following the discovery of multiple security vulnerabilities.

The flaws affect both Firefox 1.x and the latest Firefox 2.0.x releases. Surfers need to upgrade to version 1.5.0.9 or 2.0.0.1 of the browser, respectively. Users also need to upgrade to a new version of the Mozilla email client, Thunderbird 1.5.0.9, for similar reasons.

The nine security bugs (reported by various security researchers) create a means for hackers to swipe sensitive information, run cross-site scripting attacks, or gain control of vulnerable systems, security notification firm Secunia reports.

The bugs involve flaws in Firefox's JavaScript engine, the feed preview feature of Firefox 2.0, Scalable Vector Graphics (SVG) processing code, and various buffer overflow flaws in other components of the browser software, as explained in greater detail here.
