
    MSN Norway serving Flash exploits through malvertising

    August 27th, 2008

    Morten Krakvik from the Norwegian Honeynet Project is reporting that MSN Norway is among the latest victims of malvertising, a practice where a bogus advertising provider tricks leading portals into accepting advertisements from its network, which often end up redirecting to live exploit URLs. The recent wave of malvertising, which also targeted Digg, MSNBC and Newsweek, is very similar to the malvertising campaigns that took place in February targeting popular sites such as Expedia, Excite, Rhapsody and MySpace. The only thing the malvertisers keep changing is the fake security software domains that they push through their campaigns.

    Flash Player versions susceptible to exploitation are:

    Adobe Flash 9.0.16
    Adobe Flash 9.0.28
    Adobe Flash 9.0.45
    Adobe Flash 9.0.47
    Adobe Flash 9.0.115

    According to Krakvik’s analysis, the malicious ad came from bannersrotator DOT com, which is still active and serving the malicious ad (tunnel28.swf), currently detected by 9 out of 36 antivirus scanners as SWF:CVE-2007-0071, or SWF.Exploit.

    Who’s to blame anyway? The end users, for not bothering to patch their browsers and third-party applications in the first place; the portals, for doing business with such obviously rogue advertising providers as bannersrotator DOT com; or the advertising networks, for sacrificing security for efficiency and not screening the ads and newly joining advertisers like bannersrotator DOT com?

    It’s the lack of decent situational awareness demonstrated by all parties. For instance, end users think that patching their browser is where it all ends; the portals fail to take advantage of publicly obtainable tools for analyzing malicious Flash files; and the advertising networks themselves choose efficiency over security, helping rogue security software providers have their ads syndicated across legitimate sites.


    Laptop boot passwords vulnerable to attack

    August 27th, 2008

    Pre-boot authentication mechanisms, designed to prevent a stolen or lost machine being booted, may allow an attacker to recover the password. An advisory by security provider iViZ Techno Solutions claims that current hard disk encryption tools and boot managers exhibit a vulnerability which allows attackers to retrieve users’ passwords. The tools apparently fail to delete the plain text character strings stored in memory after a password has been processed. Mostly, products which use BIOS functions for pre-boot password authentication are affected.

    If the program itself doesn’t delete it, the password will remain at memory address 0x40:0x1e until the computer is switched off. However, potential attackers need physical access to the computer to retrieve the password after it has been entered and the computer has been booted. This considerably limits the relevance of such an attack, as in that situation the attacker already has full access to the user’s data, operating system and applications. Attacks only become interesting if a trojan retrieves the password and the attacker subsequently steals the laptop. Attackers could also exploit a known password if the same password is used for other services or for encrypting emails.
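    To make the mechanism concrete, here is an added example (not code from iViZ or from any of the vendors named) that models the BIOS Data Area keyboard ring buffer in user space: reading a password through it the way a BIOS INT 16h call does leaves the plaintext in place, and a scrub routine shows what a pre-boot prompt has to do afterwards. The layout is assumed from the standard BDA: head word at 0x41A, tail word at 0x41C, sixteen 2-byte (ASCII, scancode) slots at 0x41E..0x43D.

```c
// Added example, not code from iViZ or any vendor: a user-space model of the
// BIOS Data Area keyboard ring buffer the advisory describes. Assumed layout:
// head word at 0x41A, tail word at 0x41C, sixteen 2-byte (ASCII, scancode)
// slots at 0x41E..0x43D; head/tail hold offsets relative to segment 0x40.
#include <stdint.h>
#include <string.h>
#define BDA_HEAD 0x41A
#define BDA_TAIL 0x41C
#define BDA_KBUF 0x41E
#define BDA_KEND 0x43E                 /* one past the last slot */
#define SEG 0x400                      /* segment 0x40 as a linear address */
static uint8_t mem[0x500];             /* simulated low memory */
static uint16_t rd16(int a) { return (uint16_t)(mem[a] | mem[a + 1] << 8); }
static void wr16(int a, uint16_t v) { mem[a] = v & 0xFF; mem[a + 1] = v >> 8; }
static uint16_t next_slot(uint16_t off) {   /* advance one slot, wrap at end */
    return (off + 2 >= BDA_KEND - SEG) ? BDA_KBUF - SEG : off + 2;
}
/* Mitigation: zero every slot and reset the ring; also initialises the model. */
void scrub_keyboard_buffer(void) {
    memset(mem + BDA_KBUF, 0, BDA_KEND - BDA_KBUF);
    wr16(BDA_HEAD, BDA_KBUF - SEG);
    wr16(BDA_TAIL, BDA_KBUF - SEG);
}
/* IRQ1-style store; scancode byte is a constructed placeholder; 0 if ring full. */
int bda_push_key(char ascii) {
    uint16_t tail = rd16(BDA_TAIL), nxt = next_slot(tail);
    if (nxt == rd16(BDA_HEAD)) return 0;
    mem[SEG + tail] = (uint8_t)ascii;
    mem[SEG + tail + 1] = 0x1E;
    wr16(BDA_TAIL, nxt);
    return 1;
}
/* INT 16h-style read: advances head but leaves the bytes at 0x40:0x1E in place. */
int bda_pop_key(void) {
    uint16_t head = rd16(BDA_HEAD);
    if (head == rd16(BDA_TAIL)) return -1;
    int c = mem[SEG + head];
    wr16(BDA_HEAD, next_slot(head));
    return c;
}
size_t read_password(char *out, size_t cap) { /* CR-terminated, via the ring */
    size_t n = 0; int c;
    while ((c = bda_pop_key()) >= 0 && c != '\r' && n + 1 < cap) out[n++] = (char)c;
    out[n] = '\0'; return n;
}
int password_in_buffer(const char *pw) {   /* audit: plaintext still in ring? */
    for (int i = 0; pw[i]; i++) if (mem[BDA_KBUF + 2 * i] != (uint8_t)pw[i]) return 0;
    return 1;
}
```

The audit function is the check a boot-loader test suite would run after its password prompt returns: it must report false, which only happens once the prompt calls the scrub routine.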

    Affected are Microsoft BitLocker, Lilo, Grub, DriveCrypt, TrueCrypt, DiskCryptor as well as BIOSes from IBM, Lenovo, and Hewlett Packard. Vendors informed by iViZ responded in different ways. According to the advisory, Microsoft resolved the problem with Service Pack 1 in Vista, while the developers of Lilo and Grub apparently didn’t react at all. Various Linux distributors are said to have started developing their own solutions. IBM, DriveCrypt and DiskCryptor developers have not responded. Intel and Hewlett Packard, on the other hand, have acknowledged the problem and are said to be working on a solution. The authors of TrueCrypt are said to have denied the existence of the problem; however, this could be because iViZ tested version 5.0 and not the current version 6.0a of TrueCrypt.


    Security researchers’ accounts ransacked

    August 20th, 2008

    Three days after we (pbnetworks) broke the story on Insecure.org posting confidential information, The Register posted more information on the subject.

    As you know, Insecure.org posted personal information on Alan Shimel, a chief strategy officer for security firm StillSecure. Petko D. Petkov, of the GNUCitizen ethical hacking collective, had his GMail account compromised and two gigs of information disclosed. Finally, the group calling itself the Great Council of Internet Superheros made its way into security researcher Tom Ferris’ website, was able to run an ls on his directory and posted that information.

    The identity of the Great Council of Internet Superheros is unknown, although unidentified sources say that two of the members are in England and Spain, with a third maybe somewhere in the United States.


    VMware Workstation ‘hcmon.sys’ Local Denial Of Service Vulnerability

    August 20th, 2008

    VMware Workstation is prone to a local denial-of-service vulnerability.

    A local attacker can exploit this issue to crash the affected computer, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible; however, this has not been confirmed.

    VMware Workstation 6.0.0.45731 is vulnerable; other versions may also be affected.

    The following exploit code is available:

    Solution:
    Currently we are not aware of any vendor-supplied patches.

    References:
    VMware Homepage (VMware)


    Gag order lifted for students who hacked subway card

    August 20th, 2008

    Three Massachusetts Institute of Technology undergraduates are once again free to publicly discuss gaping security holes in the Boston subway system after a federal judge refused to renew a gag order requested by transportation officials.

    US District Judge George A. O’Toole rejected arguments by the Massachusetts Bay Transportation Authority officials that disclosure of flaws in the subway’s electronic payment system constituted a violation of the Computer Fraud and Abuse Act (CFAA). The students had been barred from publicly discussing the defects since August 9, when a different federal judge halted their Defcon presentation, titled “Anatomy of a Subway Hack.”

    The Electronic Frontier Foundation, which represented the trio, asserted the gag order was an unconstitutional restraint on their free-speech rights, but O’Toole seemed to steer clear of those arguments. Instead, he focused on the language in the CFAA, which discusses the transmission of malicious code to protected computers.

    “The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk,” EFF Staff Attorney Marcia Hofmann said in a statement. “A presentation at a security conference is not some sort of computer intrusion. It’s a protected speech and vital to the free flow of information about computer security vulnerabilities.”

    The students aren’t out of the woods yet. The MBTA’s lawsuit naming Zack Anderson, 21, RJ Ryan, 22, and Alessandro Chiesa, 20, as well as MIT, where they attend undergraduate courses, continues. The complaint, filed in US District Court in Boston, seeks unspecified monetary damages for violation of the CFAA, negligent supervision and other causes of action.

    The research uncovered errors in both of the MBTA’s electronic fare payment systems. The students received an A for their work from Ronald Rivest, who prior to becoming an MIT professor was one of the mathematicians who developed the RSA cryptography algorithm.

    The irony of the lawsuit is that most of the information about the vulnerabilities has already circulated widely. All 87 pages of their Defcon presentation have been online for weeks now. And raw research into the Mifare card, the radio frequency identification chip at the heart of the MBTA’s CharlieCard, was announced earlier this year. The students have also submitted a 30-page security analysis and have agreed to meet with MBTA security personnel to answer questions.

    For the first time, attorneys with the MBTA acknowledged in court papers filed Monday that the system had vulnerabilities and estimated it could take five months to fix them. They had requested a preliminary order preventing disclosure that would take the place of a temporary restraining order that expired Tuesday.

    The episode is a lesson in what’s come to be known as responsible disclosure in computer security circles. MBTA officials weren’t informed of the research findings until a few days before the scheduled Defcon talk. Proponents of responsible disclosure argue that researchers should share security vulnerability findings with the manufacturers of the affected wares before going public, to minimize the damage.

    What’s more, the students issued teasers for their talk that included statements such as “Want free subway rides for life?”

    Whatever the shortcomings of its clients, the EFF argued that the MBTA’s lawsuit was designed to punish the messenger.

    “The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered,” EFF attorney Cindy Cohn said, according to the Associated Press. “They brought an action against three college kids rather than address the problems in their own house.”