Microsoft breaks IE8 interoperability promise

Microsoft said the right things, then blew it.


In March, Microsoft announced that their upcoming Internet Explorer 8 would: “use its most standards compliant mode, IE8 Standards, as the default.”


Note the last word: default. Microsoft argued that, in light of their newly published interoperability principles, it was the right thing to do. This declaration heralded an about-face and was widely praised by the web standards community; people were stunned and delighted by Microsoft’s promise.


This week, the promise was broken. It lasted less than six months. Now that Internet Explorer 8 beta 2 is released, we know that many, if not most, pages viewed in IE8 will not be shown in standards mode by default. The dirty secret is buried deep down in the «Compatibility view» configuration panel, where the «Display intranet sites in Compatibility View» box is checked by default. Thus, by default, intranet pages are not viewed in standards mode.



How many pages are affected by this change? Here’s the back of my envelope: The PC market can be split into two segments — the enterprise market and the home market. The enterprise market accounts for around 60 per cent of all PCs sold, while the home market accounts for the remaining 40 per cent. Within enterprises, intranets are used for all sorts of things and account for, perhaps, 80 per cent of all page views. Thus, intranets account for about half of all page views on PCs!


Furthermore, web standards are discriminated against in IE8 by the icon that appears next to standards-compliant web pages:



The picture shows a broken page. A broken page? Why is a broken-page icon shown next to standards-compliant pages? The idea, apparently, is to encourage users to escape standards mode by clicking on the broken page. There’s a dastardly logic here: showing a broken page may make users wonder if they are seeing pages correctly. Authors are probably not too thrilled by having a broken page shown next to their pages, and the only way to avoid the icon is to not trigger standards mode. The message is clear: don’t use standards!


I have a few suggested remedies. First, I suggest that IE8 not introduce version targeting which only perpetuates the problem of non-compliant pages. Instead, IE8 should respect the established conventions which don’t need manual switching between modes. If Microsoft insists on displaying some kind of icon next to standards-compliant web pages, I suggest they use this image instead:



Microsoft has a long-standing tradition of saying the right things about standards, but shipping non-standard products. IE8 could be different. Microsoft have done the hard technical work. They’ve made a promise they can keep. I call on them to make the right choice. ®

McAfee SiteAdvisor sued over ‘spyware’ tag

If 7Search wins, you lose


In a case that could tie the hands of companies trying to protect their customers from internet threats, a website owner with past ties to a notorious piece of spyware has filed a lawsuit claiming it is being unfairly maligned by warnings from McAfee that the site poses a risk to its customers.


7Search.com filed the complaint in US District Court in Illinois. It seeks unspecified monetary damages and an injunction ordering McAfee’s SiteAdvisor service to designate the site as safe. SiteAdvisor, which warns users when they are about to visit a site that may pose security threats, currently displays a warning that reads: “Feedback from credible users suggests that downloads on this site may contain what some people would consider adware, spyware, or other potentially unwanted programs.”



7Search.com insists there are no software downloads available whatsoever on its site and argues the warning amounts to a willful attempt to injure a legitimate business.


“Customers of 7Search who have opened accounts with 7Search.com have later terminated that business relationship as a result of seeing McAfee’s false, deceptive, confusing and/or misleading statements and representations about 7Search.com,” the complaint contends.


7Search was the site that once upon a time offered the much reviled 7FaSST Search Toolbar, which according to analyses such as this was a purported browser accelerator program that in some cases used ActiveX to forcibly install itself on users’ PCs. Once there, it logged detailed information about users’ browsing habits.


In its complaint, 7Search says that “Since at least 2003 there have been no direct downloads available on the 7Search.com site.”


What the complaint doesn’t say is that people who own 7Search.com have ties to browseraccelerator.com, a site that pushes a browser toolbar that “helps users improve their online experience dramatically by displaying within a browser everything an informed consumer needs to know about the web site being visited.”


Eric Howes, director of malware research at security provider Sunbelt Software, installed the software on a virtual machine and quickly noticed the software was offering search results that mixed sponsored links with unsponsored links.


“What they’re trying to do is sneak advertising past the user without the user recognizing the search results … are sponsored, paid-for results,” he said. He also said the software by no means represented a high risk because it didn’t appear to track individual users or forcibly install itself. Still, he said: “We would probably target it because of the overwhelming presence of advertising.”


Indeed, two Sunbelt products, VIPRE and CounterSpy, block the installation of the program.


7Search.com’s owner also appears to have ties to validatedsearch.com, a site that competes with McAfee’s SiteAdvisor by providing third-party certification to end users that a given website is trustworthy. The administrative contact for both sites, as well as for browseraccelerator.com, is listed as one Patrick Devereaux in Chicago, according to Whois search results.


The viability of lawsuits that take action against anti-malware providers for their warnings has been questioned by some legal experts. They say a provision in the Communications Decency Act (CDA) expressly protects providers of “interactive computer services” who provide services that filter pornography or other potentially unwanted content.


“An anti-spyware vendor saying, ‘Don’t go here, but go here instead’ is exactly the kind of filtering decision that the statute was designed to protect,” said Eric Goldman, a professor of law at Santa Clara University.


Indeed, a federal judge recently invoked the CDA in blocking a similar suit crudware maker Zango filed against anti-virus provider Kaspersky. The decision is now on appeal.


Additionally, Goldman says free speech guarantees likely protect vendors as well.


We sure hope so. The lawsuit’s outcome will have a profound impact on the protections anti-malware providers are permitted to offer at a time when threats on the internet are skyrocketing. If they win, we all lose. ®


Update


A McAfee spokesman just issued the following company statement: “SiteAdvisor rates Web sites to make the Web safer to surf. Our methodologies provide for a repeatable and objective reasoning based on facts and the threat landscape. At times people disagree with our ratings. Those Web site owners are encouraged to work with us on such matters.”

Reformed hacker Kevin Mitnick on his tell-all book

There was a time when the name Kevin Mitnick represented everything that the world’s chief security officers feared most: a reckless geek with the power to break any network in the world.


In the mid 1990s, Mitnick became the world’s poster boy for the “hacker threat” when he was identified as the guy sneaking into and stealing code from networks including those belonging to Sun Microsystems, Motorola, Novell and Fujitsu.


Prosecutors and journalists, including the New York Times’ John Markoff, further aggrandized his cybercrime exploits, claiming he was a criminal hacker mastermind who had wiretapped the FBI to stay ahead of his pursuers, hacked into Pentagon computers and could launch nuclear weapons simply by whistling tones into a pay phone.

Mitnick wound up serving five years in prison — four before his conviction and eight months in solitary confinement. He got out in 2000. Now Mitnick, 45, has reinvented himself as a security consultant. In his second career, he performs the same cyber-intrusions he once used to steal data to suss out flaws in companies’ defenses. That means Mitnick has to convince major corporations and even government agencies that he’s a trustworthy professional — rather than a cyberpunk.


But Mitnick isn’t hiding his hacker background. In fact, he says the notoriety of his criminal past has only boosted his business. And last month, at the HOPE hacker conference in New York, Mitnick announced that a lapsed statute of limitations will allow him to publish a book detailing his exploits as a cybercriminal and a fugitive. The book won’t be ready for about a year, but Forbes.com talked with Mitnick about telling all, the state of cybersecurity and why true hackers make the best security professionals.


Forbes.com: What can we expect in the book?


Kevin Mitnick: It’s pretty much my autobiography, the story of my years as a hacker and a fugitive told from my point of view — starting out from my younger years in telephone phreaking when I was 11 years old, to my arrest, to my post-arrest career as a security professional. There’s going to be a lot of information revealed about hacks I pulled off. The statute of limitations has lifted on a lot of that stuff, so now I can talk about it publicly.


Forbes.com: Can you give us a preview of the exploits you’re going to recount in the book?


Mitnick: I’m trying to save that all for the book. What I can tell you is what won’t be in the book — I won’t be whining about my trial or my mistreatment by the government or [Mitnick-chronicling] John Markoff.


This book is going to be a kind of Catch Me if You Can in cyberspace. It’s going to be what’s real in my history and what isn’t, what I did and how I did it and how I’ve since turned my life around.


Forbes.com: What are some of the myths about Kevin Mitnick that just aren’t true?


Mitnick: I never wiretapped the FBI, though I did wiretap an informant who was working with the FBI and chasing me for the bureau. Some other myths: that I hacked into the National Security Agency, that I hacked into NORAD.


Forbes.com: And some things you did do?


Mitnick: Well, I compromised all the phone companies, essentially. Even when I was a kid I had the capability to disrupt the telephone systems for entire states.


I hacked into the systems of all the major software companies at the time: Digital Equipment, Sun Microsystems, IBM, Silicon Graphics. Also most of the companies that made cellular phones at the time, like Nokia, Motorola, Fujitsu.


Forbes.com: What drove you?


Mitnick: Curiosity. It was never about making money or even getting free phone calls. It was about the thrill of exploration.


Forbes.com: Do you think that background has made you a better computer security analyst?


Mitnick: Today, they’re teaching computer security in schools, and people think that if you pass the CISSP test [a program in cybersecurity certification], you know what you’re doing. But passing a test doesn’t make you skilled in computer security. You have to have what I call “hack sense.” The best hackers know to think, to defeat obstacles, to solve puzzles. They know how to outthink the people who have architected systems. They understand the human factor.



Someone from CISSP might be able to detect vulnerabilities and assess the risk factor from each of those vulnerabilities. But someone with “hack sense” might be able to see, for instance, that three low-level vulnerabilities can be leveraged together to create a single, high-level vulnerability.


I don’t want to generalize too much. Other organizations like SANS are much more qualified. But CISSP in particular has created this certification and made a lot of money by convincing organizations that employees need it. And I think it’s essentially worthless.


Forbes.com: So do you look for hackers when you’re hiring?


Mitnick: I look at a potential employee’s skill set in general. But for almost anyone who’s very skilled, they’d be lying if they said they’d never broken into a system without permission.


Forbes.com: On the flip side, do you lose business because of your history as a criminal hacker?


Mitnick: It’s hard to say, because I don’t get calls from people who tell me they’re not hiring me because they don’t trust me. I’m sure that I’m not called in some cases because of my history. But of course no one ever calls me to say they’re not hiring me.


Fortunately there are companies that do trust me to do work. I’ve even worked for the FAA [Federal Aviation Administration] and for other government agencies that I can’t disclose.


In general, I’ve gained more business than I’ve lost because of the notoriety given to me by the U.S. government, because of the way my case was blown out of proportion by prosecutors and the media. I don’t have to search for business.


Forbes.com: The government devoted years to prosecuting you and making sure you served a long sentence. Do you believe that prosecution makes the information technology world more secure? Is it more important to chase down hackers or protect the fort?


Mitnick: I think you need both. You do need to prosecute people who break the law. In fact, I’ve never argued that I shouldn’t have been punished. I argued that I shouldn’t have been held for four and a half years without a trial, putting me in solitary confinement for eight months.


Forbes.com: What do you see as the biggest threats to cybersecurity today?


Mitnick: Cybersecurity used to be about the network or operating system. Now it’s more at the application layer. Companies and their contractors build their own applications hosted on a public website, and the people who write them aren’t trained in secure coding. The mistakes they make can be leveraged to break the system.


Forbes.com: A report last month from the Identity Theft Resource Center showed that data theft by employees has more than doubled since the year before. Are insider data breaches a problem that can be solved?


Mitnick: I help my customers monitor what information is going into and coming out of their organization, to monitor where employees are going on the network and if someone is handling a lot of information they’re not supposed to.


But if you have a legitimate employee with a clean record who accesses information in their normal course of duties, then how can you stop it? If someone really wants to steal from you, they’re going to.

Microsoft’s newest browser may block ads

The next version of Microsoft Corp.’s web browser makes it easier for people to surf the internet without leaving a trace.


Companies that sell advertisements online — including Microsoft — can electronically gather tidbits about web surfers’ habits, and then use that information to help decide what kinds of ads to show.


However, in the newest “beta” test version of Microsoft’s forthcoming Internet Explorer 8, which was made available Wednesday, a mode called InPrivateBrowsing lets users surf without having a list of sites they visit get stored on their computers.



The program also covers other footprints, including temporary internet files and cookies, the small data files that websites put on visitors’ computers to track their activities.


Both Internet Explorer 7, Microsoft’s current browser, and Mozilla’s recently released Firefox 3, already allow users to block cookies. The top two browsers also let users delete private information such as temporary files and browsing history after the fact. But they can’t turn off that collection entirely.


The beta also introduces an additional InPrivateBlocking mode, which can block third-party content from appearing on websites.


For example, a news site might carry stock quotes from one company and weather information from another. Companies that provide such content may also be collecting and sharing information about what people do online. But users who turn on InPrivateBlocking won’t see that content or be exposed to such data collection without their consent.


InPrivateBlocking can also keep some types of ads from appearing — including those served up by Microsoft’s own advertising platform, whose success is considered critical to the software maker’s future.


J.J. Richards, a general manager in Microsoft’s advertising division, responded in a statement that consumers understand that they get free content and services in exchange for advertising, but want “transparency, trust and control with respect to the sites they visit.


“If IE8 helps heighten awareness of this value exchange, that’s a step in the right direction,” he said.


Users can review company list


Users surfing with InPrivateBlocking turned on can review a list of which companies are trying to display or collect data. Users also can click a link to read more and decide case by case whether to permit certain ones to go ahead.


“Today as a user, we have no visibility or control over how that information is shared and recorded,” said James Pratt, a product manager for IE8. “I wouldn’t put Microsoft as being the arbiter of what should and shouldn’t be tracked.”


InPrivateBlocking isn’t purely an ad-blocker by design, but publishers are still worried, said Mike Zaneis, vice-president of public policy for the Internet Advertising Bureau, which represents web publishers.


If InPrivateBlocking were to be widely adopted by IE8 users, small sites that rely almost exclusively on outside companies to serve ads couldn’t survive, he said.


The internet ad economy didn’t crash after ad-blocking plug-ins appeared for Firefox, but Zaneis said that may have more to do with Firefox’s much smaller market share. (Firefox’s challenge to IE has grown, however; the browser is used by more than 10 per cent of web surfers.)


If IE8 blocks programs that track how many times an ad is seen — a calculation that helps determine payments to advertisers and publishers – that could also bring down the web ad marketplace, Zaneis noted.


“We’ll wait and see what the marketplace looks like,” he said. “I think [Microsoft] realizes, we all realize, that it’s a beta version, and it’s sure to change before it’s finalized.”


An earlier IE8 beta showed off many bells and whistles that make web browsing easier.


Since then, Microsoft said it also improved the address bar’s ability to figure out users’ intended web destination as they type.


Microsoft would not say when it plans to release a final version of the newest browser, but said this second beta is ready for average users to try.


Hijacking huge chunks of the internet – a new How To

It’s easy. Those tubes are busted



The exploit of the routing protocol known as BGP, short for Border Gateway Protocol, is akin to the poor man’s traffic intercept employed by intelligence agencies throughout the world. Like the recently discovered domain name system cache poisoning bug, the exploit is notable because it highlights weaknesses in some of the net’s core underpinnings.

The man-in-the-middle attack was demonstrated earlier this month at the Defcon hacker conference in Las Vegas when researchers Anton “Tony” Kapela and Alex Pilosov redirected traffic bound for the conference network to a system they controlled in New York and then routed it back to Las Vegas.

The attack is able to arbitrarily redirect traffic by exploiting the implicit trust placed in BGP routers. Anyone with access to a BGP router can intercept data sent to one or more target IP addresses. Attackers can simply drop the packets, as Pakistan did earlier this year when it blocked worldwide access to YouTube. Or the attackers could monitor or even alter the traffic before sending it along to its intended destination.

It’s fair to say that Wired.com’s report has gotten the attention of security experts.

“When you can forcefully route someone’s traffic through you before it reaches its targeted destination, that’s really bad,” Jeremiah Grossman, CTO of security firm White Hat Security, said in an online chat. “Looking at these vuln announcements, 2008 will be known as the year where we could have taken down the internet.”

Other researchers, without discounting the serious conclusions raised by the research, said they weren’t convinced the attacks would remain stealthy for long. While virtually anyone can join the BGP club, members typically take a keen interest in the actions of their peers. Logs of BGP routing tables date back to at least 1999, said Dan Kaminsky, who first alerted the world to the DNS bug.

“If you abuse your abilities you’re going to lose your abilities,” Kaminsky explained. “The BGP community is small enough and logged enough that those elements that are doing consistently nasty stuff will be dealt with.”

Kaminsky also said pulling off the BGP attack would require a level of expertise that exceeded typical attacks, such as the ubiquitous SQL injection exploits or those targeting the DNS bug.

“There’s not going to be a Metasploit module that any kid can run that can go ahead and run this attack,” he said.

The research nonetheless should raise concern, since it further highlights that fundamental parts of the internet – parts that were never designed to be secure – frequently act as the gatekeepers that protect our commerce and communications from a growing number of crooks and snoops. It describes a technique that could make wide-scale spying or fraud, if not trivial, then certainly possible for groups with just a bit of expertise and determination. And as such, it places so-called Digital Pearl Harbor scenarios squarely in the realm of possibility.

More from Wired.com, including a detailed explanation of how the attack works and possible ways to prevent it, is here. ®
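The defensive counterpart to the attack described above, and to Kaminsky's point that BGP is "logged enough" to catch abuse, is route monitoring: an operator keeps an allowlist of which ASNs may originate each of its prefixes and checks collected announcements against it, flagging foreign origins and overly specific sub-prefixes (a more-specific route wins longest-prefix matching, which is how redirected traffic gets pulled away). The following is an added example, not code from the article or the researchers; the allowlist, the announcements and the ASNs are constructed from documentation ranges (RFC 5737 prefixes, RFC 5398 ASNs).

```python
"""Constructed example: flag BGP announcements that conflict with a prefix's expected origin."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Hypothetical allowlist a network operator would maintain (for example from
# RPKI ROAs or IRR route objects): monitored prefix -> (ASNs allowed to
# originate it, longest prefix length they are expected to announce).
EXPECTED_ORIGINS: Dict[str, Tuple[Set[int], int]] = {
    "203.0.113.0/24": ({64500}, 24),
    "198.51.100.0/22": ({64501, 64502}, 24),
}

# Constructed announcements, as a route collector might export them: (prefix, AS_PATH).
SAMPLE_UPDATES: List[Tuple[str, str]] = [
    ("203.0.113.0/24", "64510 64505 64500"),   # legitimate origin, exact prefix
    ("203.0.113.0/25", "64510 64499"),         # more-specific from a foreign origin
    ("198.51.100.0/22", "64510 64503"),        # exact prefix, wrong origin
    ("198.51.100.0/24", "64510 64502"),        # authorised deaggregation
    ("198.51.100.0/26", "64510 64501"),        # right origin, but beyond max length
    ("192.0.2.0/24", "64510 64504"),           # not one of our prefixes
]


def origin_asn(as_path: str) -> int:
    """The origin is the right-most ASN: each hop prepends itself to AS_PATH."""
    return int(as_path.split()[-1])


def classify(prefix: str, as_path: str,
             expected: Dict[str, Tuple[Set[int], int]] = EXPECTED_ORIGINS) -> str:
    """Return a verdict string for one announcement."""
    net = ipaddress.ip_network(prefix, strict=False)
    origin = origin_asn(as_path)
    for monitored, (allowed, max_len) in expected.items():
        mon = ipaddress.ip_network(monitored, strict=False)
        # subnet_of() is True for the exact prefix and for any more-specific.
        if net.version != mon.version or not net.subnet_of(mon):
            continue
        if origin not in allowed:
            # Covers both exact-prefix origin hijacks and more-specific
            # hijacks; the latter win longest-prefix matching everywhere.
            return "hijack:wrong-origin"
        if net.prefixlen > max_len:
            # Legitimate origin but narrower than expected: could be a
            # deaggregation mistake or a path-leak, worth a human look.
            return "suspicious:too-specific"
        return "ok"
    return "unmonitored"


def triage(updates: List[Tuple[str, str]] = SAMPLE_UPDATES,
           expected: Dict[str, Tuple[Set[int], int]] = EXPECTED_ORIGINS) -> Dict[str, List[str]]:
    """Group announcements by verdict so alerts can be raised per category."""
    report: Dict[str, List[str]] = {}
    for prefix, path in updates:
        report.setdefault(classify(prefix, path, expected), []).append(f"{prefix} via {path}")
    return report


if __name__ == "__main__":
    for verdict, entries in triage().items():
        print(verdict)
        for entry in entries:
            print("   ", entry)
```

In production the allowlist would come from signed ROAs and the announcements from a collector feed or the router's own RIB; the classification logic is the same.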

Houston, we have a virus

Worm infects International Space Station laptops


A computer worm that ferrets out passwords managed to stow away on laptops aboard the International Space Station, NASA has confirmed. It is not the first time a NASA computer has become infected.


SpaceReg.com identified the infection as W32.TGammima.AG, a worm that spreads by copying itself to removable media devices. Once in place, it steals passwords to various online games, according to anti-virus software provider Symantec, which first spotted the worm 12 months ago.

“This is not the first time we have had a worm or a virus,” a NASA spokesman told Wired News. “It’s not a frequent occurrence, but this isn’t the first time.”

The infected machines were not considered mission critical, meaning they weren’t responsible for command and control. The NASA spokesman was unable to say if the infected laptops were connected to mission-critical systems.

Exactly how computers aboard the tightly controlled space station get infected by a common internet parasite is a bit of a head scratcher. Because more than one laptop was infected, it’s reasonable to assign blame to an internal network or thumb drive. Then again, floating around in outer space can be a lonely experience, so other forces may have been at work. ®

Scumbags punt Trojan with baby kidnap lure

A new low



The contemptible junk mail messages attempt to panic recipients into opening an email attachment supposedly carrying images of abducted infants but in reality loaded with a variant of the Resex information-stealing Trojan.

Net security firm Sophos reports that the malicious emails come with subject lines such as “We have hijacked your baby” and claim a $50,000 reward is needed for the child’s safe return. Images of the email can be found here

Lucre-loving malware authors have few scruples about using national or international disasters or fictitious news events – up to and including the supposed outbreak of World War III – to punt their wares. But even by these debased standards, the Resex Trojan lure represents a new low.

Fortunately, few people have thus far fallen for the trick. Sophos said that incidents of infection by the Trojan remain, well, low. ®

SpyBot Definitions Update 27.08.08

2008-08-27
Adware
++ BannerStyles.Optimizer ++ RXToolbar + SmartShopper + Zango + Zango.ShoppingReport ++ MorpheusToolbar
Hijacker
++ CoolWWWSearch.Aff.Madfinder
Keylogger
+ Ardamax
Malware
++ Fakealert.gen + Fraud.XPAntivirus + Fraud.Antivirus2008 + IEDefender + MalwareProtector2008 ++ WinDefender + WinSpywareProtect ++ XPSecurityCenter
PUPS
++ Joke.FakeFormat ++ WildTangent
Security
+ Microsoft.Windows.AppFirewallBypass
Spyware
+ ShopAtHome
Trojan
++ CSR.tr ++ Fraud.AntiSpyware2008XP ++ Fraud.Installer.as + Hupigon13 + Smitfraud-C.MSVPS + Virtumonde.dll + Virtumonde.prx + Virtumonde.sci + Virtumonde.sdn + Win32.Agent.bm ++ Win32.Agent.cui ++ Win32.Agent.dj.rtk ++ Win32.Agent.rso ++ Win32.Agent.uzf ++ Win32.AutoRun.bck + Win32.BHO.je ++ Win32.Brontok.q ++ Win32.Bzub.fh ++ Win32.Delf.vb ++ Win32.Disabler.i + Win32.Exchanger.ch ++ Win32.Injecter.adv ++ Win32.Mutant.yf + Win32.Poison.k + Zlob.Downloader.Gen ++ Win32.ShowPass ++ Win32.Small.aafc ++ Win32.VB.el ++ Wukill.B ++ Zlob.Downloader.mot ++ Zlob.rtk
Worm
+ Win32.Socks.T (1471)
Total: 1188431 fingerprints in 286605 rules for 4213 products.

Microsoft dishes dirt on IE8 ‘*** mode’

‘Off the record’ browsing is go


Microsoft has outlined the new privacy tools available in its forthcoming browser Internet Explorer 8 (IE8).


Earlier this week the company’s program manager Andy Zeigler confirmed rumours from last week that Microsoft would include a private browsing feature affectionately known as “porn mode”.



He said four new controls will be available in IE8 for people keen to take their web browsing “off the record”.


Features expected to appear in IE8 beta 2, due later this month, include the ability for web surfers to manage their history, cookies and other info stored by the browser. They will also be able to control how their browsing history is shared by websites.


Microsoft’s “InPrivate Browsing” tool has caused quite a kerfuffle among bloggers over the past few weeks. Dubbed “porn mode”, the feature, when enabled, will switch off cookies, browsing and search history, and it won’t save form data and passwords. In addition, it will automatically clear the cache at the end of the browser session.


“InPrivate Subscription” will let surfers subscribe to lists of websites to block or allow, while “InPrivate Blocking” will inform users about sites that might check their browsing history and give them the power to block it. ®

Security Update for Internet Explorer 7 for Windows XP (KB938127)

Brief Description
A security issue has been identified in the way Vector Markup Language (VML) is handled
that could allow an attacker to compromise a computer running Microsoft Windows and gain
control over it. You can help protect your computer by installing this update from
Microsoft.

Quick Details
File Name: IE7-WindowsXP-KB938127-v2-x86-ENU.exe
Version: 938127
Security Bulletins: MS07-050
Knowledge Base (KB) Articles: KB938127
Date Published: 8/25/2008

http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=9f5da816-194c-478e-8a96-9421a0c52c9f&DisplayLang=en