Interesting finds

November 10, 2009

New Viruses Download Child Porn Onto Your Computer

Filed under: Computer Tech, Security — thewere42 @ 11:24 pm

Getting a virus that uses your computer to send itself, and spam, out without your knowledge is bad. Getting a virus that hides kiddie porn on your computer is much, much worse.

Apparently, pedophiles have started using viruses to hide their vile stash on strangers’ computers. And guess what? Nobody believes that it was a virus that put them there when those pictures are found.

People have ended up going to jail because the exams that courts do on your computer are so expensive, judges don’t like paying for them. And people have gone broke clearing their names.

The moral of the story? Use virus-protection software, and don’t go to shady sites on the web. Because, yikes. [ABCNews]

Send an email to Adam Frucci, the author of this post, at adam@gizmodo.com.

http://gizmodo.com/5401312/oh-sht-new-viruses-download-child-porn-onto-your-computer

Remote repair for infected phones in development

Filed under: Cell Phones, Security — thewere42 @ 11:24 pm

In response to the growing threat of mobile malware, researchers at Georgia Tech are planning to study mobile device security and ultimately hope to devise a way to remotely repair infected devices.

“Today, there haven’t been widespread attacks, but we are seeing attackers starting to pay attention to mobile devices and we expect that that’s only going to be increasing,” Jonathon Giffin, an assistant computer science professor, told SCMagazineUS.com on Tuesday.

Giffin and fellow assistant professor Patrick Traynor will lead a research study into cyberattacks within cellular networks, to be funded by a three-year, $450,000 grant from the National Science Foundation.

The researchers and a team of graduate students plan to build a cellular network test bed on campus to simulate how cellular devices communicate, Giffin said. Subsequently, they plan to study how attacks against mobile devices operate inside the test bed.

“We do hope that this is a test bed that will be useful to others who would like to do research into cellular security as well,” Giffin said.

The researchers also plan to investigate whether service providers, such as AT&T and Verizon Wireless, are capable of detecting infected devices in their networks, he said. Infected devices often send a high volume of traffic to a known malicious server or generate a high volume of text messages. So, service providers should be able to locate an infected device by monitoring network traffic patterns for anomalies.

“One of the hallmarks of our design is to use the network itself to identify attacks,” Giffin said.

Ultimately, the researchers want to develop a remote repair method that would enable service providers to clean malicious code off an infected device without the device having to be brought into a service center, Giffin said. The remote repair solution might be similar to remote wipe technologies that are used today to clear all the data off a mobile device that has gone missing.

Traynor has contacted a number of major carriers about the project and there is “a sense of excitement all around,” he said. “We need to develop solutions today so we are ready when these widespread attacks occur.”

When contacted by SCMagazineUS.com on Tuesday, a Verizon Wireless spokeswoman said the company will await the outcome of the research before commenting. A spokesperson at AT&T could not be reached.

The hacker community clearly is ramping up efforts to study mobile devices.

This week, it was reported that a prank worm is circulating over jailbroken iPhones in Australia. In addition, late last month, a proof-of-concept (PoC) application was released that enables an attacker to remotely activate a BlackBerry microphone and listen in on surrounding sounds and conversations.

http://www.scmagazineus.com/Remote-repair-for-infected-phones-in-development/article/157504/

November 9, 2009

First-known iPhone worm ‘Rickrolls’ jailbroken Apple handsets

Filed under: Cell Phones, Security — thewere42 @ 4:33 pm

By Sam Oliver

The iPhone’s first worm — a playful, wallpaper-changing prank that only affects jailbroken phones — could be a sign of more dangerous things to come.

A hacker who identifies himself as “ikex” created the worm, which changes the user’s wallpaper to a picture of 1980s pop star Rick Astley, who sang the 1987 hit “Never Gonna Give You Up.” The software includes the message: “ikee is never gonna give you up.”

The term jailbreaking refers to a hack that allows users to run software not approved by Apple on the iPhone. It can grant users the ability to install custom wallpapers and themes, enable tethering, or unlock the handset for use on a non-approved carrier.

The ikex worm is simply a prank known as “Rickrolling,” an Internet bait-and-switch meme in which users expect to see a video on a certain topic, only to find themselves watching Astley’s cheesy 1987 music video. According to Forbes, the worm does nothing malicious.

“The world’s first iPhone worm is also hardly a true criminal exploit,” the report said. “Instead, it seems to be half warning, half prank. Ikee’s author, who identifies himself or herself as ‘ikex’ in the worm’s source code, also wrote in the code that ‘People are stupid, and this is to prove it so,’ adding that users should read their phones’ manuals.”

For now, the worm is said to be spreading among jailbroken iPhones in Australia. It affects only users who did not change their default SSH password, which allows file transfers between phones.

“It’s not that hard, guys,” ikex wrote in the source code. “But hey who cares its only your bank details at stake.”

Mikko Hyppönen, researcher with F-Secure, discussed the worm on his company’s Web site. It lets users know how to change their root password, and also warns that the software could become more dangerous.

“The creator of the worm has released full source code of the four existing variants of this worm,” he said. “This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed.”

This summer, Apple quickly fixed a text messaging exploit that could have affected all iPhones. The exploit took advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone.

The exploit, discovered by security researcher Charlie Miller, exposed the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari.

Miller also, back in 2007, discovered the iPhone’s first security flaw. It allowed malicious Web sites to take advantage of flaws within the Safari Web browser.

http://www.appleinsider.com/articles/09/11/09/first_known_iphone_worm_rickrolls_jailbroken_apple_handsets.html

November 5, 2009

New tool seeks to block rootkits by protecting their targets

Filed under: Computer Tech, Security — thewere42 @ 8:37 pm

Rootkits often replace functions provided by an operating system’s kernel in order to infect a machine and obscure their presence. A paper describes a way of blocking rootkits by gathering all these functions in one place in memory, then locking down the memory.

By John Timmer

In recent years, malware authors have developed increasingly sophisticated rootkits that burrow into the operating system itself, modifying basic filesystem and process management code in a way that ensures they are essentially invisible to anyone using the machine: no files visible, no processes apparent. While some progress has been made in detecting when a rootkit has compromised a system, preemptively blocking an attack has remained challenging, since the malware relies on important system functions. A team of computer scientists have now described a tool, called Hook Safe, that uses virtualization to preempt rootkits by moving and protecting the kernel functions that they target.

Rootkits burrow their way into an operating system’s kernel using a process called hooking. The services provided by a kernel—file system and hardware access, memory management, etc.—are accessible through callable functions. The kernel keeps track of where the functions reside in memory using pointers, which contain the address in memory of the function. Hooking involves replacing a legitimate function pointer with one provided by malware. So, for example, the malware might replace (or hook) a file system function with one that behaves perfectly normally except when it comes to the areas of the filesystem where the malware lives; in that case, it returns information that suggests the files aren’t there. Any software that uses the kernel for filesystem access will never know the rootkit is present.

Obviously, the simplest way of blocking a rootkit would be to prohibit this process by marking kernel memory as read-only. But there are two problems with this approach. For starters, the ability to perform a kernel hook has many legitimate uses, such as when a new input device hooks into the portions of the kernel that handle mouse or keyboard input. The other problem is that the function pointers are scattered around the kernel’s memory footprint, and are sometimes created and destroyed as the kernel creates new objects, like networking sockets. Locking the entire kernel down as read-only would cripple the operating system.

(The authors call this problem the “protection granularity gap.” It’s possible to lock down a page of memory that contains function pointers but, in doing so, you invariably lock down some dynamic data, which causes problems. There is currently no technology that provides a fine enough granularity to lock down the parts of a memory page that contain the pointers.)

The authors tackle these two problems separately. To identify legitimate kernel hooks, the authors run a clean version of the operating system (in this case, Ubuntu 8.04) under a modified version of the QEMU emulator. Their modified version of QEMU tracks all the kernel hooks that take place in the course of normal operations, and generates a unique signature for each of them. That allows this activity to be recognized and allowed during normal operations.

They solve the granularity gap by creating a shadow copy of every kernel hook they’ve identified, all collected in contiguous memory pages that can be marked as read only and protected by a custom version of the Xen hypervisor. Their original location in the kernel gets replaced by a jump statement that shifts execution to what they call a trampoline, which bounces execution to the safe shadow copy, and then returns it to the original execution point. The variable-sized x86 instructions make this a bit more challenging than it might otherwise be, but the authors manage to compensate.

If the hook is used simply to execute the function, everything should take place as normal. If it’s used to replace the hook, the protected memory page invokes the Xen hypervisor. Their modified version checks the signature of the action, comparing it against the list generated when the kernel ran under QEMU. If the activity is recognized, it’s allowed to go forward. If not, the shadow copy of kernel hooks is kept unmodified.
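To make the shadow-copy idea concrete, here is a userland C model written for this post; it is not code from the Hook Safe paper or from Ars Technica. The `struct kobj` object, the `shadow_*` table, the trampoline and the toy `hidden_lookup` hook are all assumed names, and the hypervisor’s signature check is stood in for by a SIGSEGV trap on the read-only shadow page.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#include <unistd.h>
#include <sys/mman.h>

/* Toy "kernel object" (assumed name): live data and a hook pointer share one
 * page, so the page cannot simply be made read-only (the granularity gap). */
typedef int (*fs_op_t)(const char *path);
struct kobj {
    int refcount;     /* dynamic data, legitimately written all the time */
    fs_op_t lookup;   /* the in-object hook slot a rootkit would overwrite */
    size_t hook_idx;  /* HookSafe-style: index of the shadow copy instead */
};

/* Legitimate operation: the path length stands in for a real result. */
static int real_lookup(const char *path) { return (int)strlen(path); }
/* Stand-in for a rootkit's replacement: reports one directory as absent. */
static int hidden_lookup(const char *path) {
    return strncmp(path, "/evil", 5) == 0 ? -1 : real_lookup(path);
}
/* Unprotected dispatch: whatever sits in the object's slot gets called. */
static int dispatch_unprotected(struct kobj *o, const char *path) {
    return o->lookup(path);
}

/* Shadow table (assumed design): every profiled hook pointer is copied into
 * one page, which is locked read-only once profiling is complete. */
#define MAX_HOOKS 64
static fs_op_t *shadow;
static size_t shadow_count;
static long page_size;

static int shadow_init(void) {
    page_size = sysconf(_SC_PAGESIZE);
    shadow = mmap(NULL, (size_t)page_size, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    shadow_count = 0;
    return shadow == MAP_FAILED ? -1 : 0;
}
/* Profiling phase (the article's clean run under QEMU): record a hook. */
static size_t shadow_register(fs_op_t fn) {
    if (shadow_count >= MAX_HOOKS) return (size_t)-1;
    shadow[shadow_count] = fn;
    return shadow_count++;
}
/* Lock the page; from now on writes fault instead of silently landing. */
static int shadow_lock(void) { return mprotect(shadow, (size_t)page_size, PROT_READ); }
/* Trampoline: the original slot is never consulted, only the shadow copy. */
static int dispatch_protected(struct kobj *o, const char *path) {
    return shadow[o->hook_idx](path);
}

/* A write to the locked page raises SIGSEGV. In HookSafe the hypervisor takes
 * the equivalent trap and checks the write's signature against the profile;
 * here it is only reported. Returns 1 if the write was blocked, 0 if it landed. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }
static int shadow_write_attempt(size_t idx, fs_op_t fn) {
    struct sigaction sa, old;
    volatile int blocked = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        shadow[idx] = fn;            /* faults on the read-only page */
    else
        blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* Runs the whole scenario; returns 0 on success or the failing step number. */
static int run_scenario(void) {
    struct kobj o = { 1, real_lookup, 0 };
    if (dispatch_unprotected(&o, "/evil/x") != 7) return 1;
    o.lookup = hidden_lookup;                             /* the hook lands */
    if (dispatch_unprotected(&o, "/evil/x") != -1) return 2;
    if (shadow_init() != 0) return 3;
    o.hook_idx = shadow_register(real_lookup);
    if (shadow_lock() != 0) return 4;
    if (dispatch_protected(&o, "/evil/x") != 7) return 5;  /* slot ignored */
    if (!shadow_write_attempt(o.hook_idx, hidden_lookup)) return 6;
    if (dispatch_protected(&o, "/evil/x") != 7) return 7;  /* still clean */
    o.refcount++;       /* the object's own page stays writable, as it must */
    return 0;
}

int main(void) {
    int rc = run_scenario();
    if (rc == 0) puts("shadow-copy hook protection held");
    else printf("scenario failed at step %d\n", rc);
    return rc;
}
```

The model skips what the real system must also handle: the real trap must distinguish a profiled, legitimate hook update from a rootkit write, and the x86 jump-to-trampoline rewriting happens in kernel text rather than in an index field.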

The authors solved a number of other potential problems in their paper. For example, they block writing to hardware registers, and limit Direct Memory Access transfers to kernel space. Hooks in dynamically allocated kernel objects are tracked using a modified version of the kernel’s memory allocator. The fact that the system only becomes active after the kernel is loaded into memory is solved by identifying a few key kernel globals, and walking the memory tree below them.

How does it all work? The authors tested a variety of Linux rootkits, and found that all of them failed on a system protected by Hook Safe, some being unable to infect the target machine, the rest remaining visible to a user after infection. For a variety of typical processes, the overhead of the system was negligible. The worst performance occurred when unzipping a file or using the Apache webserver under heavy load. Both of these require the allocation of lots of memory within the kernel, which invoked some of the authors’ code in addition to the normal allocation routines. Still, the worst case was only a six percent performance hit.

The biggest potential problem here, which is recognized by the authors, is that their database of acceptable hooks will end up being incomplete. This is already a problem in the lab, but could be a nightmare in the real world, where software updates and new drivers may appear on a monthly basis. Still, it’s easy to envision systems that update the profile of legitimate hooks as part of a software update process, or provide users with the opportunity to approve changes.

A paper describing Hook Safe will be presented at the ACM Conference on Computer and Communications Security.

http://arstechnica.com/business/news/2009/11/new-tool-seeks-to-block-rootkits-by-protecting-their-targets.ars

House panel OKs law addressing cyberstandards

Filed under: Computer Tech, Government, Security — thewere42 @ 8:36 pm

Angela Moscaritolo

A draft bill approved Wednesday by a House subcommittee would require the National Institute of Standards and Technology (NIST) to facilitate U.S. involvement in the creation of international cybersecurity standards.

The proposed Cybersecurity Coordination and Awareness Act, approved Wednesday by the House Subcommittee on Technology and Innovation, would also require NIST to develop and implement a cybersecurity awareness and education program and engage in research and development to improve identity management systems. Also, it would amend the Cybersecurity Research and Development Act to update technical terms.

The proposed legislation was drafted by staff of the House Committee on Science and Technology to implement some of the recommendations in the 60-day Cyberspace Policy Review, a report released this May that outlines the federal government’s new approach to securing cyberspace. According to the review, international standards are needed for the investigation and prosecution of cybercrime, the approaches for network defense and response to cyberattacks.

“The Cyberspace Policy Review recommended coordination of U.S. government representation in international cybersecurity technical standards development,” Subcommittee Chairman Rep. David Wu, D-Ore., said in his opening statement Wednesday. “Currently, responsibilities are parsed among different agencies without any consistent policy. A coordinated policy will ensure that these representatives operate with the overarching need of the U.S. infrastructure in mind.”

The proposed legislation would require NIST to coordinate U.S. representation with regard to international cybersecurity standards development and create a plan to engage with international organizations to develop standards.

Currently there are more than a dozen international organizations that develop policies related to cybersecurity including the United Nations, NATO and the International Organization for Standardization (ISO).

As part of the proposed legislation, NIST would also be required to work with federal agencies, industry and educational institutions to create easy-to-understand cybersecurity standards and best practices as part of an awareness program to increase the public understanding of cyberthreats.

Also, NIST would be required to establish a research-and-development program focused on strengthening the security of identity management systems.

The proposed legislation now will move to the full House Committee on Science and Technology.

http://www.scmagazineus.com/House-panel-OKs-law-addressing-cyberstandards/article/157153/

November 4, 2009

Hacker charged for marketing systems to steal bandwidth

Filed under: Computer Tech, Security — thewere42 @ 8:26 pm

A federal indictment was unsealed Monday in Boston charging a hacker with selling hardware and software designed to steal internet bandwidth.

The defendant, Ryan Harris, 26, ran TCNISO, a San Diego company that sold products designed to modify cable modems so that users could access ISP networks without authorization “to obtain internet service without making the required payment,” according to the indictment.

During the past six years, Harris was able to glean $1 million from the business before the feds caught up with him, documents showed.

The TCNISO products enabled users to disguise their cable modem by mimicking the MAC address of the modem of a paying internet subscriber. They also allowed users to obtain faster, or “uncapped,” internet service without paying the premiums charged by the ISP, using “configuration files that the ISP would otherwise only provide to a legitimate subscriber paying for premium access,” according to the indictment.

The company sold the software as standalone products and preloaded onto cable modems, according to the indictment.

Harris also marketed a book titled “Hacking the Cable Modem,” written under his alias, DerEngel.

Harris was released without bail on condition that he surrenders his passport and that he promises to appear in court as directed, Christina Sterling, spokeswoman for the U.S. Department of Justice in Boston, told SCMagazineUS.com Tuesday.

He is scheduled to appear in court on Nov. 18, though prosecutors are seeking a continuance into December, she said.

If convicted, Harris faces up to 20 years in prison, to be followed by three years of supervised release, a $250,000 fine and restitution on each of the six counts with which he is charged.

Harris could not be reached for comment Tuesday.

http://www.scmagazineus.com/Hacker-charged-for-marketing-systems-to-steal-bandwidth/article/156976/

October 30, 2009

Unfinished Windows 7 feature turns laptops into Wi-Fi hotspots

Filed under: Computer Tech, Security — thewere42 @ 4:37 pm

Free app lets iPhones, other devices connect to Internet via software-based router

By Gregg Keizer

A Philadelphia developer has rooted out an unfinished feature of Windows 7 that turns any laptop into a wireless access point, allowing other Wi-Fi-enabled devices to share the connection without special software.

Nomadio, which specializes in military network consulting and development, used the new “Virtual Wi-Fi” feature in Windows 7 to create Connectify, a free application that it released as a beta last Friday.

Virtual Wi-Fi was crafted in Microsoft’s research group as a way to “virtualize” one wireless card as several separate adapters. The project was discontinued in 2006, but the work made its way into Windows 7 as “Native 802.11 Virtual Wireless Fidelity (Virtual Wi-Fi) object identifiers (OIDs)”.

“A year ago, Microsoft talked a lot about this as a big feature in Windows 7,” said Alex Gizis, the CEO of Nomadio. “But driver support didn’t get finished. The low-level code is in there, but the driver-level stuff isn’t. And there’s no app or setting in Windows to turn it on.”

Explaining that the feature was “half there” in Windows 7, Gizis said his company realized “we have the rest of the software here, in our networking work.”

The resulting Connectify differs from the Internet connection sharing that Windows already supports via an “ad hoc” network connection, which lets several Windows computers share a single connection. “For one thing, it shows up as a real wireless access point,” Gizis said. “Two, Internet connection sharing has issues. It returns to the default settings every time you shut down a connection. And three, you can join another wireless network and still run the Connectify Hotspot on the same Wi-Fi card.”

One application came immediately to mind, Gizis continued. “You’re sitting in a coffee shop that charges you for a wireless connection. With Connectify, I can pay for that connection, and still have all my other devices, like my iPhone, connected to the Internet.”

Connectify lets a Windows 7 laptop “tether” other wireless devices to a single Internet connection by effectively turning that PC into a software-based wireless router, added Gizis. “We’ve done a lot of military networking, including a lot of mesh networks,” he said, “where special routers connect to each other.” That technique, he said, was ideal for keeping in-the-field troops connected to the Internet.

Gizis has used his Connectify-equipped Windows 7 laptop as a wireless access point for his Apple iPhone, for example, and to provide a wireless connection to multiple PCs when only one Ethernet jack was available.

“There are a lot of neat scenarios where this comes in handy,” he said. “For example, people can use a wireless printer without any setup, which usually requires that you first plug the [wireless] printer into the computer with a USB cable so it can select the network.”

Although the Connectify beta is free to download, Gizis said that Nomadio would likely pin a price on the final, full-featured version when that’s ready to release in about six weeks. “I think we’ll end up with two-tier model, one that’s free, potentially ad-supported, and then sell a full version,” said Gizis.

Windows 7 is required on the notebook acting as a wireless hotspot, but any wireless-equipped device, including PCs running Windows XP or Vista, or even Mac laptops, can reach the Web through Connectify without any additional software. Connectify also encrypts the traffic to and from the software “hot spot” using WPA2-Personal (AES) encryption.

The beta of Connectify can be downloaded from Nomadio’s Web site.

Apple’s Mac OS X already offers a similar feature under the “Internet Sharing” preferences setting.

http://www.computerworld.com/s/article/9140133/Unfinished_Windows_7_feature_turns_laptops_into_Wi_Fi_hotspots

October 29, 2009

Threat Level Privacy, Crime and Security Online Feds’ Smart Grid Race Leaves Cybersecurity in the Dust

Filed under: Energy, Government, Security — thewere42 @ 9:35 pm

By Kim Zetter

Amid the government-funded rush to upgrade America’s aging electric system to a smart grid comes a strange confluence of press releases this week by the White House and the University of Illinois.

Tuesday morning, President Obama, speaking at Florida Power and Light (FPL) facilities, announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the economic stimulus package.

FPL will receive $200 million to install 2.6 million smart meters and other technologies that promise to reduce energy costs for customers. CenterPoint Energy in Houston, Texas, gets $200 million to install 2.2 million smart meters (.pdf) and more than 550 sensors and automated switches. Baltimore Gas and Electric in Maryland is another $200-million recipient.

Strange, then, that another press release distributed Monday by the Information Trust Institute at the University of Illinois announces a grant of $18.8 million to four academic institutions to fund a five-year research project into securing the power grid. The project is supposed to make certain that the smart meters and other devices implemented by power companies can resist hackers and other attackers.

The latter grant, from the U.S. Departments of Energy and Homeland Security, provides funding to the Institute, along with Dartmouth College, the University of California at Davis in California and Washington State University for a research program called Trustworthy Cyber Infrastructure for the Power Grid.

“It reflects a strong consensus that cybersecurity and resilience will be critical to the realization of a modernized, reliable, and efficient power grid, so that it will be able to guarantee delivery of electricity to consumers and maintain critical operations, even when malicious cyber attacks occur,” reads the press release.

The only problem is, by the time the research project is completed, most of the nation will have already adopted untested and unsecured technologies.

Photo: Richard Clarke

How do we know they’re insecure?

Earlier this year IOActive, a computer security firm in Washington state, was contracted to examine the security of smart meters deployed by an unnamed utility company in the northwest. Mike Davis, an IOActive security consultant, and his fellow researchers developed a malicious worm that, in a simulated attack, was able to spread from meter to meter to take out power in more than 15,000 homes in 24 hours. Davis says IOActive submitted his findings to the Department of Homeland Security. DHS, in response to a Threat Level FOIA request, said it can’t find the report in its files.

“Given the degree of seriousness that the Obama administration is applying to cybersecurity and the smart grid, we can look forward to the kind of things happening here that happened to Brazil, where hackers successfully brought down the power,” says Richard Clarke (at right), chairman of the Good Harbor security consulting firm and former special adviser to President George W. Bush on cybersecurity.

Clarke is referring to veiled reports made last year by the CIA’s chief cybersecurity officer, Tom Donahue, that extortionists had taken down the power grid in multiple regions outside the United States. The location of those outages has never been publicly identified.

“Smart grid” refers to the transition from the current, outdated power-grid infrastructure to a more technologically advanced structure that allows expanded real-time monitoring and energy delivery that’s more efficient and cost effective for utilities and consumers. The technology promises to solve a number of problems, but it also (as the Illinois press release states) could “introduce new problems, such as increasing the vulnerability to cyber attack as power grid resources become increasingly linked to the internet.”

“The concern is that the existing technologies can’t offer [security] guarantees, and that we could even open the door to new risks if we carelessly put together new systems that don’t have resilience and security guarantees built in from the ground up,” explained Ilesanmi Adesida, dean of the College of Engineering at Illinois, in the Information Trust Institute’s press release.

So why would the federal government accelerate the adoption of insecure technologies at the same time it touts cybersecurity as one of the nation’s biggest national security concerns?

According to the Department of Energy, the government has the smart-grid security issues under control.

Spokeswoman Jen Stutsman said all the entities awarded smart-grid funds under Obama’s $3.4 billion stimulus grant were required to submit a cybersecurity plan with their proposal.

“Each application was examined by at least two interoperability and cybersecurity experts, and it was a central component to the selection criteria for each of the awards,” Stutsman said.

Stutsman wouldn’t identify the experts who reviewed the cybersecurity plans or provide details about the plans applicants submitted.

According to the grant-proposal requirements, each applicant was required to submit a summary of known cybersecurity risks (.pdf) and explain how the applicant would mitigate them. They also had to identify the cybersecurity criteria they used for selecting vendors and technologies and the cybersecurity standards or best practices they planned to follow. And they had to explain how they would adapt to new standards that might emerge — such as those being developed by the National Institute of Standards and Technology.

Stutsman, addressing why the government would urge the move to smart meters before researchers had fully examined them, said that DoE “has spent years researching cybersecurity issues” and is “constantly and on a continuing basis … putting in place policies and programs that will help us gather more information.”

While the department is modernizing the electrical grid and using knowledge it already has, she said it will continue to apply new information as it becomes known. The government, she said, will continue to monitor utilities and others “to ensure that we are taking every step we can to secure the country’s electric grid.”

Himanshu Khurana, principal scientist for the Information Trust Institute’s power-grid research project, noted that many of the grants to utility companies and municipalities are for a three-year period.

“So there is still time between something being announced and everything being deployed for making sure that the technologies” are evaluated, he said.

Separate to his Institute’s research grant, Khurana belongs to a team that has been contracted by one of the utility companies that received a federal grant. His team’s job will be to help evaluate the utility company’s network and the technologies it plans to deploy and perhaps develop needed software.

“So people have reached out to cybersecurity experts and formed appropriate teams,” he said. “Now, it’s hard to provide assurance right now that everything is going to go safe. But the plan is feasible and there has been a lot of weight given to cybersecurity in the administration’s grants.”

Clarke is not so confident.

“We have no way of having any confidence that there’s any cybersecurity plans since we don’t know anything about the qualifications of the experts who examined them or the criteria they’re using to judge them,” he said. “In the absence of someone like the NSA or the cybercenter at DHS [to certify every smart-grid proposal], there’s no reason to believe they’re taking security seriously.”

More important than asking companies to submit a cybersecurity plan for future technologies, he says, is to require that utility companies and energy distributors pass an audit for their current state of security.

He says he’s spoken with auditing firms that have examined utility companies and energy distributors and found that — in every case — they were able to infiltrate the company’s production SCADA system (Supervisory Control and Data Acquisition) from the public internet in less than an hour.

“No grant should be given to any company that doesn’t pass an audit today with its existing system,” he said. “Paper audits are worthless. Real-world audits are what count. So if the company today has flagrantly bad performance with regard to cybersecurity, then it shouldn’t win an award for new technology until it fixes that problem.”

Photo of U.S. grid courtesy U.S. Commerce Dept. Photo of Richard Clarke by John Earle; courtesy Good Harbor Consulting.

http://www.wired.com/threatlevel/2009/10/smartgrid

Software That Fixes Itself

Filed under: Computer Tech, Geek Thing, Security — thewere42 @ 7:19 pm

Credit: Technology Review

A new tool aims to fix misbehaving programs without shutting them down.

By Erica Naone

Martin Rinard, a professor of computer science at MIT, is unabashed about the ultimate goal of his group’s research: “delivering an immortal, invulnerable program.” In work presented this month at the ACM Symposium on Operating Systems Principles in Big Sky, MT, his group has developed software that can find and fix certain types of software bugs within a matter of minutes.

When a potentially harmful vulnerability is discovered in a piece of software, it takes nearly a month on average for human engineers to come up with a fix and to push the fix out to affected systems, according to a report issued by security company Symantec in 2006. Rinard’s group hopes that its new software, called ClearView, will speed this process up, making software significantly more resilient against failure or attack.

ClearView works without assistance from humans and without access to a program’s underlying source code (an often proprietary set of instructions that defines how a piece of software will behave). Instead, the system monitors the behavior of a binary: the form the program takes in order to execute instructions on a computer’s hardware.

By observing a program’s normal behavior and assigning a set of rules, ClearView detects certain types of errors, particularly those caused when an attacker injects malicious input into a program. When something goes wrong, ClearView detects the anomaly and identifies the rules that have been violated. It then comes up with several potential patches designed to force the software to follow the violated rules. (The patches are applied directly to the binary, bypassing the source code.) ClearView analyzes these possibilities to decide which are most likely to work, then installs the top candidates and tests their effectiveness. If additional rules are violated, or if a patch causes the system to crash, ClearView rejects it and tries another.

ClearView is particularly effective when installed on a group of machines running the same software. In that case, what ClearView learns from errors on one machine is used to fix all the others. Because it doesn’t require access to source code, Rinard says that ClearView could be used to fix programs without requiring the cooperation of the company that made the software, or to repair programs that are no longer being maintained. He hopes the system could extend the life of older versions of software, created by companies that have gone out of business, in addition to protecting current software.

To test the system, the researchers installed ClearView on a group of computers running Firefox and hired an independent team to attack the Web browser. The hostile team used 10 different attack methods, each of which involved injecting some malicious code into Firefox. ClearView successfully blocked all of the would-be attacks by detecting misbehavior and terminating the application before the attack could have its intended effect. The very first time ClearView encounters an exploit it closes the program and begins analyzing the binary, searching for a patch that could have stopped the error.
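The monitor-learn-patch-test loop described above, as an added toy model in Python (this is illustrative code written for this page, not ClearView's implementation). The "binary" is a hypothetical copy_record function whose MemoryError stands in for real memory corruption; the learned rule is a Daikon-style value range, and the candidate patches are assumed strategies: clamp the value, reset it to the smallest value ever seen, or skip the copy entirely.

```python
BUF_SIZE = 64

def copy_record(length, payload):
    # Hypothetical program under repair; the MemoryError stands in for the memory
    # corruption an oversized copy would cause in a real binary.
    if length > BUF_SIZE:
        raise MemoryError("write past end of %d-byte buffer" % BUF_SIZE)
    return bytes(payload[:length])

def handle_request(length, payload, monitor):
    # Instrumented point: the monitor sees the value and may rewrite it or skip the copy.
    action, length = monitor(length)
    record = None if action == "skip" else copy_record(length, payload)
    return len(record)  # downstream code that assumes a record was produced

def score_patch(patch, rule, tests):
    """Count passing runs; a crash or a renewed rule violation rejects the patch (score 0)."""
    def monitor(v):
        if rule(v):
            return "pass", v                     # normal value, leave the program alone
        action, new = patch(v)
        if action != "skip" and not rule(new):
            raise RuntimeError("patch leaves the learned rule violated")
        return action, new
    passed = 0
    for length, payload in tests:
        try:
            handle_request(length, payload, monitor)
        except Exception:                        # crash or violation: reject this candidate
            return 0
        passed += 1
    return passed

def repair(workload, suspect):
    # Learning phase: run normal traffic and learn a range rule lo <= length <= hi.
    for length, payload in workload:
        handle_request(length, payload, lambda v: ("pass", v))
    lo, hi = min(n for n, _ in workload), max(n for n, _ in workload)
    rule = lambda v: lo <= v <= hi
    if rule(suspect[0]):
        return None, {}                          # no rule violated, nothing to fix
    patches = {"clamp": lambda v: ("rewrite", min(max(v, lo), hi)),   # candidate patches:
               "reset_to_min": lambda v: ("rewrite", lo),            # each forces the rule
               "skip_copy": lambda v: ("skip", v)}                   # to hold differently
    scores = {n: score_patch(p, rule, workload + [suspect]) for n, p in patches.items()}
    return max(scores, key=scores.get), scores   # best candidate and the full ranking

WORKLOAD = [(n, b"x" * n) for n in (4, 16, 40, 64)]  # constructed normal traffic
OVERSIZED = (4096, b"A" * 4096)                        # constructed malformed input
```

Running repair(WORKLOAD, OVERSIZED) ranks the two value-rewriting patches equally and rejects skip_copy, because skipping the copy makes the downstream code crash on a missing record, which is the "patch causes the system to crash" case the article describes.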

Article Continues – http://www.technologyreview.com/computing/23821/

October 27, 2009

Eavesdropping on Smartphone Secrets

Filed under: Cell Phones, Security — thewere42 @ 5:38 pm
Researchers say that smartphones are vulnerable to an attack used to steal information from smartcards.
By Erica Naone

As phones become increasingly like pocket computers, many people have called for closer scrutiny of their security. When explaining this, these people usually point out that today’s phones are a lot like the desktop PCs of the mid-1990s. Attackers can apply a huge body of experience from attacking desktop machines when looking for a way into mobile devices.

However, some experts argue that mobile phones are actually simple enough to be vulnerable to attacks originally designed for embedded systems.

“The phone is a very stripped down environment,” says Benjamin Jun, vice president of technology at Cryptography Research, a security research company based in San Francisco, CA. “Which means that someone who’s trying to attack the device generally has an easier time, because it’s not as complicated as a desktop system.”

To demonstrate this, Cryptography Research adapted a smartcard attack for use against today’s smartphones.

About a decade ago, the company found that a technique called differential power analysis would allow an attacker to extract the cryptographic keys from a smartcard by analyzing its patterns of power consumption. As it turns out, Jun says, the same type of analysis will reveal the cryptographic keys that a phone uses to access a carrier’s network, or to secure data stored on the device. In contrast, such an attack would be hard to pull off on a more complicated device, simply because a laptop, for example, would run more programs at the same time and produce a lot more noise.

The smartcard attack called for the attacker to be in possession of the object, but, in adapting it for smartphones, the researchers found a way to do the same types of calculations based on leaked electromagnetic signals picked up with an antenna.

Jun believes attacks on mobile devices are particularly serious because these devices are being used to access high-value corporate data.

But the bad news has a positive flip side. Jun notes that, just as attackers have experience exploiting vulnerabilities on embedded systems, manufacturers have experience developing countermeasures. Because embedded systems have even more limited memory and processing power than today’s mobile devices, he thinks these countermeasures would be relatively easy to translate to smartphones.

“The main question is whether protections can be done entirely in software or not,” Jun says. Entirely software-based solutions would be cheapest to roll out, he notes. Hardware countermeasures, however, are readily available, and have already been shipped in millions of smartcards.
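As an added illustration of the software-countermeasure question Jun raises (this is example code written for this page, not Cryptography Research's), the block below simulates the side-channel leakage that differential power analysis relies on and runs a defender's first-order leakage check, a TVLA-style fixed-versus-random Welch's t-test, against an unprotected implementation and one protected by Boolean masking. Assumptions: a Hamming-weight-plus-Gaussian-noise leakage model, the PRESENT 4-bit S-box as the nonlinear target, and the conventional |t| > 4.5 detection threshold.

```python
import random
from statistics import mean, variance

# PRESENT 4-bit S-box: a small real nonlinear map standing in for a cipher's S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
THRESHOLD = 4.5  # usual TVLA decision threshold on |t|

def hamming_weight(v):
    return bin(v).count("1")

def leak_unprotected(p, k, rng, sigma):
    # Device computes sbox(p ^ k) in the clear; one trace sample = Hamming weight + noise.
    return hamming_weight(SBOX[p ^ k]) + rng.gauss(0, sigma)

def leak_masked(p, k, rng, sigma):
    # Software countermeasure: first-order Boolean masking. A fresh random mask m is XORed
    # onto the sensitive value before it is stored, so this sample depends on m as well as
    # on the key; in a real implementation m is handled at a different instant in time.
    m = rng.randrange(16)
    return hamming_weight(SBOX[p ^ k] ^ m) + rng.gauss(0, sigma)

def welch_t(a, b):
    # Welch's t-statistic between two sample sets (unequal variances allowed).
    return (mean(a) - mean(b)) / (variance(a) / len(a) + variance(b) / len(b)) ** 0.5

def fixed_vs_random_t(leak_fn, key=0x7, fixed_input=0x0, n=2000, sigma=1.0, seed=1):
    """First-order leakage test: traces for one fixed input vs traces for random inputs.
    A key-dependent mean difference between the classes shows up as a large |t|."""
    rng = random.Random(seed)  # constructed, seeded simulation so results are repeatable
    fixed = [leak_fn(fixed_input, key, rng, sigma) for _ in range(n)]
    rand = [leak_fn(rng.randrange(16), key, rng, sigma) for _ in range(n)]
    return welch_t(fixed, rand)

def leaks(leak_fn):
    return abs(fixed_vs_random_t(leak_fn)) > THRESHOLD

if __name__ == "__main__":
    for name, fn in (("unprotected", leak_unprotected), ("masked", leak_masked)):
        print("%-12s t = %7.2f  first-order leak detected: %s"
              % (name, fixed_vs_random_t(fn), leaks(fn)))
```

The unprotected variant fails the test by a wide margin (the fixed class has a constant Hamming weight of 3 while the random class averages 2), whereas the masked variant stays well under the threshold; the same assessment is what a manufacturer would run to decide whether a software-only countermeasure is sufficient before falling back to hardware measures.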

Blog at WordPress.com.