Things could change for Microsoft with the introduction of “Morro” - a free solution that Microsoft describes as “comprehensive protection from malware including viruses, spyware, rootkits and trojans…will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs”. “Morro” would be available in the second half of 2009; Windows Live OneCare subscription service will be discontinued effective June 30, 2009.

According to Microsoft’s official press release:

“Customers around the world have told us that they need comprehensive, ongoing protection from new and existing threats, and we take that concern seriously,” said Amy Barzdukas, senior director of product management for the Online Services and Windows Division at Microsoft. “This new, no-cost offering will give us the ability to protect an even greater number of consumers, especially in markets where the growth of new PC purchases is outpaced only by the growth of malware.”

It would be interesting to see how Symantec and McAfee respond to this move by Microsoft.

This comes as welcome news by the cyber security community as EstDomains.com has been used by cyber criminals for years to hide their identities and conduct various malicious activities such as using domains for bot command & control servers, drive-by downloads as well as spamming.

Here are some links of interest that provide more information on this story:

1. F-Secure Weblog - “Case EstDomains” 
2. The Washington Post Company - “ICANN De-Accredits EstDomains for CEO’s Fraud Convictions”
3. Notice sent to EstDomains.com by ICANN (pdf)

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

The session authentication cookies could have been used for accessing Yahoo! services such as Yahoo! Mail and Yahoo! HotJobs amongst others.

According to an army document produced in August this year for the Pentagon’s Department for Acquisition, Technology and Logistics and first reported last week by Inside Defense:

“Exfiltrations of unclassified data from [military contractor computer] systems have occurred and continue to occur, potentially undermining and even neutralizing the technological advantage and combat effectiveness of the future force,”

“Current … efforts largely focus on mitigating risks of compromise to war-fighting technologies as a result of traditional espionage or industrial theft,”

“hostile actors can exfiltrate large volumes of unclassified program information in a single attack that can potentially net enough information to enable adversaries to narrow a capability gap.”

Sure this initiative will bear fruit but I think more needs to be done within the Government security departments to combat potential cyber security threats. Only this week I saw Airport Security personnel hooked up on MSN.com at the Chicago O’Hare International Airport on a light day. Open Internet is a risky area for airport security personnel don’t you think?

More on the story here

One can only wonder whether the information on the hard drive was encrypted or not…

According to the report:

LIGNex1 develops and manufactures Hyunmoo surface-to-surface missile, Haeseong ship-to-ship missile and Shingung portable ground-to-air weapons. Hyundai Heavy Industries manufactures Haeseong, the nation’s first Aegis ship, plus destroyers and submarines for the Navy. Although the development costs of such high-tech weapons are kept secret, the construction of the King Sejong the Great-class destroyer is said to cost over W1 trillion (US$1=W1,165) and development of Haeseong ship-to-ship missile W100 billion with each missile at approximately W2 billion.

The National Security Research Institute, which is affiliated with the Electronics and Telecommunications Research Institute, believes hackers have planted vicious codes through which they stolen information. “The research institute suspects the culprits are Chinese or North Korean hackers but doesn’t know specifically what information they stole,” Kim said. “In the worst case, the blueprints of missiles and Aegis ship could have been stolen.”

The shut down plan follows arrest of one of its administrators, Cha0 (Cagatay Evyapan), by Turkish police earlier this month.

The whole story is covered in great detail this story on Wired’s Blog, Threat Level.  So, what’ next after DarkMarket.ws?

DarkMarket emerged after ShadowCrew.com was taken offline and I reckon it is not going to take long before another online community fills the void left by DarkMarket’s departure from the scene.

There are already a handful of other established online forums that cater to the needs of cyber criminals and new ones crop up all the time offering some high-value loot for those in need:

Fig. 1- A post on a DarkMarket wanna-be forum

Fig. 2: Same post, more details

Some of the more established forums would welcome the extra traffic that they generate from the less experienced DarkMarket users, looking for other market places to trade in:

Fig. 3: "Real-looking" credit cards packed with actual victim data are now being sold online.

Fig. 4: They sure do look "real"

Indepent trading sites are likely to see a surge in their business too as some of the cyber criminals are likely to deal direct without exposing any of their information on any online forums:

Fig. 5: One of the more "reputable" stolen credit card sales website.

Although none of the existing online hacker market places can truly replace the stature of DarkMarket, there is likely to be a surge in competition amongst the various online underground sites to try and reach the level of popularity that DarkMarket currently enjoys.

Any new community formed by the existing DarkMarket admins is likely to see stricter membership controls which probably served as the weak link for the forum; DarkMarket user-level access accounts were being retailed at competing forums privately for US$800 and above, just a couple of weeks ago.

It would be interesting to see what comes next after DarkMarket - and how the law enforcement agencies play catch-up with the notorious underground hacker market places.

1. “Carpet bomb” - September 3, 2008. Security researcher Aviv Raff managed to discover this vulnerability hours after the browser was released. The vulnerability, when exploited could litter the user’s download directory with numerous irrelevant files or could potentially be used to exploit other vulnerabilities that may exist on the user’s machine.

Raff describes on his site how a specially-crafted java archive file (JAR), combined with a social engineering ploy could trick a user in to downloading and executing the file without any warning from the browser.

The vulnerability comes from Google’s use of an outdated version of WebKit, the open source browser engine toolkit used also by Apple’s Safari browser. The WebKit version used in Chrome is the same used in Safari 3.1, which had its own set of vulnerabilities.

2. URL Handler Crash - September 3, 2008. Rishi Narang discovered an issue in Chrome that can crash Chrome altogether when the user visits a specially-crafted URL, throwing the following (G)message:

Whoa! Google Chrome has crashed. Restart now?

3. ‘SaveAs’ Buffer Overflow - September 5, 2008. SVRT-Bkis, a security team from Vietnam discovered this vulnerability that can allow an attacker to take control of the user’s computer.

The vulnerability lies in the “Save page as…” function which causes a buffer overflow when saving pages with very long page titles.  This aids the attackers to execute arbitrary code on users’ systems.

As of this writing, Google has patched this vulnerability.

4. “Tool tip” DoS - September 8, 2008. Exodus of BlackHat Security (Israel) has discovered that a large object title can crash Chrome. This works on the current version of Chrome (0.2.149.29 Built 1798). The PoC is here.

Update: Click here for an updated list of all publicly tracked Chrome issues.

Article updated - October 01 - 3PM +4GMT

The report states:

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Update (August 27 - 11PM +4GMT) - FOX News is reporting that Best Western has denied the extend of the hacking incident claiming the report by the Sunday Herald as “grossly unsubstantiated” and “largely erroneous.”

Best Western did, however, confirm that a hacker was able to penentrate its computer network in one of the hotels in Berlin and install a trojan on one of the computers designed to steal data.

Here’s more from the announcement:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

Interestingly, RedHat has posted a critical openssh security update at the same time encouraging all customers with systems based on the x86 architecture to apply the update. Here’s more from the errata:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the conten distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at