It’s been reported by Neowin that Newegg has shipped out fake Intel i7 processors. Consumers are said to have received a piece of scrap metal for the processor and a clay mould for the heatsink. So not really much of an effort to counterfeit, then. Intel are now in the process of investigating how this has happened and how many have been shipped.

Intel have confirmed at least one case of these fakes having been received by a consumer. It has been said that 300 fakes were accidentally mixed in with a batch of 2,000 by Newegg’s distributor. But exactly how much of an accident this was remains to be seen. There has even been speculation that cease-and-desist letters have been sent out to websites that have published the news.

Newegg at first claimed that these fakes were “demo units”, but Intel contradicted this by confirming them to be counterfeit. However, Newegg themselves have now also confirmed the existence of these fakes, and have ended their relationship with the supplier in the following statement:

Newegg is currently conducting a thorough investigation surrounding recent shipments of questionable Intel Core i7-920 CPUs purchased from Newegg.com.

Initial information we received from our supplier, IPEX, stated that they had mistakenly shipped us “demo units.” We have since come to discover the CPUs were counterfeit and are terminating our relationship with this supplier. Contrary to any speculation, D&H Distributing is not the vendor that supplied us with the Intel Core i7-920 CPUs in question.

Newegg’s top priority is to proactively reach out to all customers who may have been affected to ensure their absolute satisfaction. We have already sent out a number of replacement units and are doing everything in our power to resolve the matter promptly and with the least amount of inconvenience to our customers.

We have always taken pride in providing an exceptional experience for each customer, and we apologize for any inconvenience to our valued customers. We take matters like this extremely seriously, and are working in close cooperation with Intel and the appropriate law enforcement authorities to thoroughly investigate this incident.

Argos have exposed customers’ credit card details and CCV security numbers in their e-mail receipts. A customer who checked his e-mail receipt found, buried in the HTML source code, his full credit card number and security code. This means that if any of these e-mails were to be intercepted, the credit card details could potentially be found, and somebody else’s hard earnt money spent. The customer who exposed this breach had recently had his details fraudulently misused, but this has not been linked to Argos.

Worryingly, it’s unknown how long this exposure has been going on for, and the number of consumers affected. Argos have said the fault has already been corrected. They are currently working with the Information Commissioner’s Office to deal with the breach’s effects.

It seems, however, that the whole thing could have been easily avoided if Argos had simply had a good content filtering product in place. This would have meant that encryption of the e-mail receipts was enforced, or that the data was blocked from being sent out at all. The basic default or standard security rules of most content filtering packages would do this.

This incident just goes to show how important it is to filter both inbound and outbound mail. And it’s pretty awesome (in the true sense of the word) that a company as large as Argos hasn’t enforced this basic security procedure.
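To make the outbound rule concrete, here is a small sketch of the kind of check a content filter applies to a receipt before it leaves the mail gateway. It is an added example, not Argos’s or any vendor’s code; the sample message, addresses and function names are constructed for illustration.

```python
import email
import re
from email import policy

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample receipt; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = (
    "From: receipts@shop.example\n"
    "Subject: Your order\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Order 1234567890123456 confirmed.</p>\n"
    "<!-- card=4111 1111 1111 1111 ccv=123 --></body></html>\n"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2  # double, then sum the two digits
        total += d
    return total % 10 == 0


def find_card_numbers(raw_message: str) -> list[str]:
    """Scan every text part, markup included, and return masked card numbers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # Search the raw source, not the rendered text: comments count too.
        for m in PAN_RE.finditer(part.get_content()):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # drops order numbers and other digit runs
                hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def outbound_verdict(raw_message: str) -> str:
    """BLOCK any message whose source carries a Luhn-valid card number."""
    return "BLOCK" if find_card_numbers(raw_message) else "ALLOW"
```

The 16-digit order number in the sample fails the Luhn check and is ignored, while the number hidden in the HTML comment is caught even though a mail client would never display it.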

A severe vulnerability has been found by computer boffins in the world’s most prolific software package. The hole would allow hackers to retrieve a machine’s private cryptographic key.

The bug is in the OpenSSL cryptographic library, which is pretty scary stuff as the open-source package is used worldwide in OSs and applications. It could potentially be applied to many devices. Smartphones and media players with anti-copying mechanisms will be most easily affected.

Wherever the origin of information needs to be verified is where the OpenSSL library comes in, and it does much more than just SSL. However, the issue is said to be easily fixed. Scientists at Michigan University say applying cryptographic “salt” to an error-checking algorithm will do the trick. This extra randomization will make the attack impossible. OpenSSL engineers are currently pushing out a patch, so don’t panic.

The process of carrying out the attack in the real world is somewhat impractical. To grab bits of a key you have to inject slight fluctuations in a device’s power supply as it is processing the encrypted data. It took the boffins over 100 hours to deduce an entire key. So... not very likely someone will actually do this, is it? The boffins also said:

“This is probably not as much of a threat to a server system as it is to a consumer device, The place where this would be more applicable would be if you want to attack a Blu-ray player (where) you have an environment where someone is giving you a device that has a private key to protect intellectual property and you have physical access to the device.”

Right. So getting into a comms room and doing this to a server for over one hundred hours undetected seems unlikely. But if the machine overheats or experiences fluctuations “naturally”, it will leak secret data. This could then be intercepted by attackers. The boffins have also tried natural radiation and laser sources.

It may also be possible to apply this method to other crypto libraries, such as the one created by Mozilla.

Sounds like pulling this off would take a highly trained team of covert operatives. So I don’t think your average business has much to worry about.

Microsoft has confirmed a potentially dangerous and unpatched vulnerability in Internet Explorer, triggered when the F1 button is pressed in earlier versions of Windows.

The bug is within the VBS that is integrated with Internet Explorer, making it potentially possible to create a website that tricks the user into pressing the F1 button. The site then pushes out malware to the user. A pretty clever technique for getting malware onto a network, and no doubt effective. However, this only works on older versions of Windows: XP, 2000 and Server 2003. Vista, 7 and Server 2008 are not affected.

Microsoft have said that they are not aware of any attacks that are using this technique. But now that the cat’s out of the bag it’s surely only a matter of time. They have criticised security researchers, saying that they should have come to them first before releasing the information. Microsoft published the following statement regarding the matter:

“Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves every one’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

The Redmond security bods are still looking into the vulnerability. But a patch is likely to be on the cards, obviously. MS have not said when it will arrive, but the next Patch Tuesday is drawing near. Probably too near; it looks likely that the patch will not be released till April/May time.

Microsoft’s vision for end to end trust is based around cloud computing. They are working towards a claims-based identity metasystem, and are making a call for the prevention/disruption of cybercrime.

Scott Charney, CVP of Microsoft’s TCG, said:

“End to End Trust is our vision for realizing a safer, more trusted Internet. To enable trust inside, and outside, of cloud computing environments will require security and privacy fundamentals, technology innovations, and social, economic, political and IT alignment.”

Charney further explained that it is key to implement more secure identity solutions. This will provide more secure private access to cloud and on-site applications, thus making for a more secure Internet and enterprises.

Microsoft have also previewed their U-Prove technology, aimed at online providers to protect privacy and enhance security for online transactions. Microsoft will be releasing portions of the intellectual property for U-Prove as well as open source software development kits in Java and C#, for some input and evaluation.

Details have also been released in regards to a new partnership with the Fraunhofer Institute. They will be working together on a project that will integrate U-Prove and Microsoft’s identity platform with the proposed future use of electronic identity cards by the German Government.

Microsoft have also released (as part of their Business Ready Security strategy) Forefront Identity Manager 2010, enabling policy-based ID management across diverse environments. It will provide the customer with more end user capability and provide administrative tools to the IT professional.

Microsoft’s Operation b49, an initiative to eradicate the Waledac botnet, is another example of how Microsoft is aggressively and collectively targeting cybercrime.

Charney said:

“We are committed to collaborating with industry and governments worldwide to realize a safer, more trusted Internet through the creative disruption and prevention of cybercrime,”

If you would like to know more about Microsoft’s vision go to http://www.microsoft.com/endtoendtrust

The security team at Microsoft are investigating a vulnerability in Windows 2000 and Windows XP that could potentially allow attackers to install malicious code onto remote computers.

It works through a combination of VB Scripts and Internet Explorer’s online help. Although interaction from the user is required, possible attackers could prompt the user to press the F1 key to execute the malicious code.

It’s being investigated at the moment by the security team at Microsoft, and once that’s completed Microsoft will tell users what to do.

A vulnerability has been uncovered in the way some sites have implemented banner click counters in their Flash (SWF) files.

A security consultant called MustLive said that these files contain ActionScript (Flash’s internal scripting language) that counts the number of banner clicks using the url or clickTAG options.

This makes the webpages that they’re on vulnerable to cross site scripting (XSS), and it may possibly allow code to be injected (to make a viewer download a trojan/virus) or user credentials to be stolen.

If you search Google with the terms ‘filetype:swf inurl:clickTAG’ or ‘filetype:swf inurl:url’ it returns many millions of sites that have the potential to be exploited.

It is worth noting, however, that it’s not Adobe Flash that’s the source of the vulnerability – it’s poorly written and implemented ActionScript.
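For anyone hosting such banners, the web server log is the quickest place to see whether the url or clickTAG parameters are being fed anything other than a normal web address. The following is an added example, not MustLive’s or Adobe’s code; the log lines, paths and function names are constructed, and a combined-style access log is assumed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names the banner ActionScript is said to read (compared lowercase).
BANNER_PARAMS = {"clicktag", "url"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines for illustration.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2010:10:00:01 +0000] '
    '"GET /ads/banner.swf?clickTAG=http%3A%2F%2Fshop.example%2Foffer HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Mar/2010:10:00:05 +0000] '
    '"GET /ads/banner.swf?clickTAG=javascript%3Aalert(1) HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Mar/2010:10:00:09 +0000] '
    '"GET /ads/banner.swf?url=JaVaScRiPt%3Aalert(1) HTTP/1.1" 200 5120',
    '198.51.100.3 - - [01/Mar/2010:10:00:12 +0000] '
    '"GET /index.html?url=javascript%3Aalert(1) HTTP/1.1" 200 900',
]


def is_safe_target(value: str) -> bool:
    """Allow only absolute http/https URLs with a host and no control chars."""
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # malformed authority, e.g. an unbalanced bracket
        return False
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def flag_swf_requests(log_lines):
    """Return (path, param, value) for SWF requests with an unsafe click target."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.lower().endswith(".swf"):
            continue
        # parse_qsl percent-decodes, so encoded schemes are compared in the clear.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name.lower() in BANNER_PARAMS and not is_safe_target(value):
                findings.append((target.path, name, value))
    return findings
```

The same allow-list idea (accept only http and https targets) is what the ActionScript inside the banner should enforce before it opens the click-through address.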

The recent exploit that targeted the IIS FTP service on Windows 2000 has now been seen to crash Windows 2003 servers, even using the anonymous account. This means that the number of possible exploitable servers has increased dramatically.

Using the exploit, attackers can cause the FTP service to crash by connecting as an anonymous user and then sending specific FTP commands; the FTP service would then need to be manually restarted.

More information on the exploit can be found here

All systems engineers and IT managers that have any responsibility for their company’s security systems should keep themselves updated with the latest exploits and techniques used by hackers.

I’m listing below the sites that I use and keep an eye on to ensure the systems that are important to my network and customers are not affected.

astalavista.net
Currently down, but coming back soon – Was always great for discussions and info on the latest exploits.

milw0rm.com
A library of exploits for just about anything, searchable by OS – check it out to ensure your business systems aren’t affected.

digitalmunition.com
Another site that lists security advisories – see how insecure Apple OSX is here…

xssed.com
A cross site scripting resource database with lists of vulnerable websites, also has information on defending against XSS attacks.

secumania.org
Basically a security news site that also has lists of the latest exploits and vulnerabilities.

It’s always a good idea to try to get into the heads of the people who are trying to attack corporate networks. Keeping an eye on these sites gives you an insight into the minds and motivations of these people.