Sempai.inFo - 411

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet’s core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy.  The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.

"It’s a huge issue. It’s at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago…. We described this to intelligence agencies and to the National Security Council, in detail."

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper’s network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel ) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can’t always vacuum in traffic within a network — say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data , and Alex Pilosov, CEO of Pilosoft , showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn’t exploit a bug or flaw in BGP. It simply exploits the natural way BGP works.

(Read More )

I finally got a hold of someone on the online chat at Voipgo after trying nearly nonstop for days. The first support agent was rude to me and then closed the session in mid conversation. Sat on Q for another 20min and got to talk to a second agent this one a lot more polite. But was told I have to send an email to a second email address to get refunded and services turned off and that it would take a few days to get response on that. I was heated at this point and requested to talk to someone in management which he was unable to connect me to and said that they wouldn’t call me after I requested it. So finely I sent an email to that second address and told them how unhappy I was with both service and support. Requested refund for last 2 months (in which time I made a total of 1 successful crappy quality call) And warned them that if they do not respond quickly I will be contacting both my Bank and the Better Business Bureau.

*Note: Something that Voipgo will continue to deny up and down is you will get charge a foreign transaction fee by most bank and credit companies. So my $17.95/month was actually $17.95 + 0.52 = $18.47

So back in May of this year I was shopping around for VoIP services, I didn’t really have the need for it but thought it would be nice to have a phone at home as all I had was a cell phone at the time. After shopping around and talking to the various company’s that offer VoIP services I picked Voipgo .

First Impression
At first the service was great, had a few minor issues but they were dealt with quickly.. Calls were clear and there was no delays in the calls. Support was a pleasure to talk to and easy to get a hold of. This lasted for about 2 weeks..

Headache
I got 2 calls one day on the 3rd week from my dad and my girlfriend saying that calls to my Voip phone was not connecting or the phone would just ring forever during which time my phone would never ring.. Contacted support about the issue and they said it was fixed… I played tag with Support on this issue on and off for about a month, having the issue at lest 2-3 times a week..

After the first month of service call quality started degrading to the point that you couldn’t understand what I was saying on the phone. During this time there would be high peaks in delay in the call (say something and the other end wouldn’t hear it for about 5-10seconds). Then during the call audio started to *disappear* would say a whole sentence "Hey its hot here, hows the weather where your at?" and they would hear "Hey its .. here, …… weather …. your.." c’mon how do you have a decent conversation with that kind of phone clarity..  I contacted support countless times on this issue..

Then in July I had them move my service to a new server they put up in hopes to have some what better services.. Well I was sorely mistaken on that, things went from bad to worse. Server was down all the time, reset several times, and none of my current issues were resolved to top it off. Support was suddenly nearly impossible to get a hold of.

Enough Is Enough
ok so after finally getting fed up with my services I sent in a very heated email with priority set to high to Voipgo support on July 17, 2008.. Yesterday July 31, 2008 I *still* had not a single response to that email. I called support after work only to sit on hold for 25min and hang-up, then sat on hold for online support for 80min only to get a message that operator closed my session and refresh the page and support has been closed (offline) since. Now it is Aug 1, 2008 and I have observed Online support to be offline all day. When I call in there’s a message about experiencing high call volume and get placed on hold indefinitely. I will be giving them until Monday afternoon to give response or I will be debating legal taking action against them as its impossible to even cancel service.

Will post update.

Thanks to Microsoft wanting to add more security and features to Windows Vista with SP1 some gamers have to suffer with the random issues that come along with it. I recently built a brand new computer (2days ago) and had an issue running one of my Favorite online games City of Heros/City of Villains with Ventrilo.

Issue: For some reason Ventrilo was not picking up my PTT key while in game but if I minimized the game it would work just fine..

Fix: Right click the Ventrilo shortcut and select run as Administrator and then click allow. This should solve the issue for many games with this issue.

Why: City of Heros runs as Administrator due to the continuous access to the Program Files folder. A work around for this is to install City of Heros to C:\ rather then C:\Program Files\ or to a non OS harddrive but that work-around didnt work for me some reason. So because Vista has such an annoying security feature called UAC. When City of Heros or other random games (that run as Administrator) are the active window aka your playing the game, UAC blocks other programs from hooking your mouse and keyboard events. So running Ventrilo as Administrator allows it to hook events when your in game because its running as the same user. Oddly enough it still works as normal when your not in game as well (example: Surfing the internet)

The executives in charge of online payment system E-gold have pleaded guilty to money-laundering charges, the US Department of Justice said on Tuesday.

Principal E-gold director Douglas Jackson, who is also chief executive of E-gold affiliate Gold & Silver Reserve, pleaded guilty to conspiracy to engage in money laundering and operating an unlicensed money-transmitting business. Jackson now faces up to 25 years in jail and a fine of $750,000 (£376,000).

E-gold senior directors Barry Downey and Reid Jackson each pleaded guilty to charges related to operating a money-transmitting business without a licence. They could each be fined $25,000 and receive a jail sentence of up to five years.

At sentencing in November, E-gold and Gold & Silver Reserve, as organisations, face a maximum fine of $3.7m. Additionally, as part of their plea bargain, E-gold and Gold & Silver Reserve will forfeit $1.75m in the form of a money judgement.

"By failing to comply with money-laundering laws and regulations, the E-gold operation created an environment ripe for exploitation by criminals seeking anonymity in conducting online transactions," said acting assistant attorney general Matthew Friedrich. "This case demonstrates that online payment systems must operate according to the applicable rules and regulations created to ensure lawful monetary transactions."

Security experts and law-enforcement officers have known for years that criminals were using E-gold accounts. ZDNet.co.uk reported in 2006 that a piece of ransomware had instructed users to pay money into an E-gold account to recover hijacked data.

E-gold provides digital currency services over the internet through the sites e-gold.com and omnipay.com. According to the Department of Justice, the E-gold operation was attractive to criminals because it did not require users to provide their true identity, or any specific identity at all.

E-gold continued to allow accounts to be opened without verification of user identity, despite knowing that the operation was being used for criminal activity, including child exploitation, investment scams, credit-card fraud and identity theft, the Department of Justice said.

In addition, E-gold designed a system that expressly encouraged users whose criminal activity had been discovered to transfer crime proceeds to other E-gold accounts. E-gold had assigned employees with no relevant experience to monitor hundreds of thousands of accounts used for criminal activity.

Jackson said the case provided an opportunity for "a new beginning" at E-gold.

"The resolution of the criminal case… provides for a second chance — an opportunity to address the flaws embedded in the E-gold system and to transform the E-gold operation into the institution that I, the other directors, and our long-suffering employees and contractors have always envisioned — one that serves to advance the material welfare of mankind," wrote Jackson in a blog post.

E-gold and Gold & Silver Reserve will continue as organisations, but will now have to comply with US federal and state laws related to operating as a licensed money-transmitting business, and address the issue of money laundering. E-gold will also have to prove its claim that all transactions are backed by physical gold.

(Original Post )

Mr Cerf was interviewed at the Fortune Brainstorm conference in Half Moon Bay. He often speaks about net neutrality. In this interview he says that companies such as Verizon misquoted him in full page adverts in major newspapers.
He says the Telcos are acting like little kids in a tantrum. "I’m not going to build this system unless you give me three scoops of ice cream and a pony. My reaction to this is quite negative. It’s harmful to the national interest to behave in this way."
Mr Cerf wants a split in the way broadband providers operate so that they are not allowed to interfere with any applications on the Internet and that the carriers charge themselvesl, from an acconting point of view, how much bandwidth they use.
He says that carriers should be provided with incentives to make them behave differently or there should be an incentive for competitors to come into the market that can effectively compete with them and to take away their monopoly position.
Here is the 3.45 minute interview, my apologies for the lighting but the audio is very interesting.

(Original Post )

Technorati Profile

Your precious firewall can’t save you now!

Weak or nonexistent implementations in computer security software can leave otherwise-secure computers wide open for attack – so open, in fact, that in some cases it’s as if there’s no firewall running at all.

Speaking at the annual HOPE (Hackers on Planet Earth) conference in New York, security researcher Joe Klein of Command Information said that the internet is full of computers surreptitiously running IPv6, unbeknownst to their owners. Compounding the problem is the number of operating systems shipped with IPv6 enabled by default, which includes Windows Vista, Linux’s 2.6 kernel, Sun’s Solaris, Mac OS X, and a variety of cell phones operating systems, including Windows Mobile 5 and 6.

Computers with a lackluster IPv6 setup – even if they have a strong IPv4 firewall or Intrusion Detection System (IDS) in place – are just as naked in IPv6 space as they would be in IPv4-space without a firewall, with any program that listens for connections allowed to accept them. Most operating systems, by default, use a handful of “listeners” used for networking and internal processes – and it is these listeners that are frequently the first to be targeted in an attack.

A number of computer worms, including Blaster and its follow-up Welchia, worked by exploiting a buffer overflow with Windows’ internal RPC infrastructure, which listens on port 135 and is ordinarily covered up by a firewall.

Network administrators who don’t keep tabs of their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don’t secure their IPv6 implementations – whether they realize they have one or not.

“Essentially, we have systems that are wide open to a network,” said Klein. “It’s like having wireless on your network without knowing it.”

Security researchers have for some time found hackers exploiting IPv6. A 2002 post from Lance Spitzer of the Honeynet project observed a hacker that broke in to a Solaris-based honeypot through normal means, enabled IPv6 connectivity in the OS, and then set up a tunnel out of the network that went into another country. The break-in was only discovered due to network packet-sniffing, and even then Spitzer says he was unable to decode the data being sent out.

One of the biggest threats is the variety of backwards-compatibility schemes designed to tunnel IPv6 traffic through an IPv4 system, like Teredo or the 6to4 system: the very act of tunneling often circumvents firewalls by nature.

“Teredo/ISATAP is currently and will continue to be a major red flag for networks that have both IP versions enabled, because tunneling confuses the heck out of a lot of firewalls and IDS deployments,” said an unnamed DoD security specialist, in an interview with Wired’s Threat Level.

With internet progressives trying to switch the internet to IPv6 as fast as it can – a widget on Command Interface’s web site estimates that the internet will run out of IPv4 addresses in about two and a half years – some fear that technological progress may be outpacing the security that keeps it safe.

(Original Post )

Just wanted to let all of you in on a bit of good news from the Mouse and Keyboard on the Xbox360 world.

For those of you who may already be familiar with the XIM (Xbox Input Machine), you know that it was capable of taking the XFPS’s capabilities and enhancing them 10-fold to make a usable mouse and keyboard experience with most games on the console. Since you’re familiar, read below for the good news.

For those of who who don’t know the XIM, read on. XIM started as an enhancement for the XFPS. Anyone who has used the XFPS regardless of which edition knows that no matter what you do it just doesn’t offer the same experience. The guy behind the project, OBsIV found that it was possible with the combination of additional hardware and a special piece of software that you could create a much more accurate experience with the mouse and keyboard in games like COD4 and Halo 3. But, this experience wasn’t quite as good as it could be due to the limitations in the hardware that the XIM used. So he went back to the drawing board and created a piece of hardware and new software that could deliver the experience that you’ve always hoped to get with a mouse and keyboard on a console, appropriately named XIM2.

So, what’s the good news in all of this blabbering? The XIM2 is now being pre-ordered and will ship in 2 weeks.

Official Site: http://xim360.com
Pre-ordered Thread: xim360.com

(Original Post )

Pandora’s internet radio has always been one of those sites that was really cool in concept, but too inconvenient to ever go mainstream. The service was long tied to computers only, and while it eventually expanded to special internet radios and some mobile phones, it still has yet to become a household name. But with the launch of Pandora’s new iPhone app last Friday, it looks like the service is about to hit critical mass. It’s a free, mobile, digital radio station that only plays music you like and lets you skip the stuff you don’t. And it rocks.

The personalized music service employs a small army of 50 musicians to create a “Music Genome” that describes each song according to 600 attributes. Listeners input a few of their favorite artists, and the site analyzes the Genome to serve up an endless stream of recommended music.

We introduced the app last Friday, when we called it our “flat out favorite application so far”, and since then it hasn’t failed to impress. Streamed music plays flawlessly over Edge and 3G networks - during a 40 mile drive I didn’t once run into any kind of skipping or static. Even better, the app currently has no advertisements playing, though we can probably expect that to change.

Unsurprisingly, Pandora’s usage stats are overwhelmingly positive. Pandora is currently the fourth most popular free app on iTunes (behind Apple’s Remote, AIM, and WeatherBug), and has reportedly been seeing a new listener every 2 seconds. Usage over the weekend hit an all-time high for the service, with 3.3 million tracks streamed to iPhone listeners alone. Perhaps more impressive is the retention rate of listeners, who are averaging over an hour of listening per day.

If there’s one thing that could kill the service, it’s ads. Pandora is going to need to monetize the app somehow - let’s hope it allows us to pay an upfront fee (say, $10) to avoid the annoying interruptions that have made listening to traditional radio a painful experience.

(Original Post )

WASHINGTON -(Dow Jones)- Federal Communications Commission Chairman Kevin Martin Friday said he would not seek to fine cable giant Comcast Corp. (CMCSA, CMCSK) for slowing some Internet traffic.

Instead, Martin said he wants the Comcast to stop its practice of prioritizing certain applications that tend to use a lot of bandwidth. "It is not a reasonable network management practice," he said at a press conference to discuss his recommendation.

"We would tell Comcast that they have to stop engaging in that practice. They have to disclose to the commission where they are engaging in that practice."

Martin has proposed that Comcast change the practice within a "reasonable time frame," which could be the end of the year.

"We would say that as they are moving to a new network practice that they need to disclose to us and to consumers," Martin said.

The other four commissioners must weigh in on Martin’s proposal before it can take effect.

Comcast has said it would challenge the order if the other commissioners agree to it.

Comcast argues that Martin is unfairly imposing a new rule and punishing the company at the same time.

"You can’t enforce this because there aren’t any rules," said Comcast Spokeswoman Sena Fitzmaurice. "It violates all sorts of due processes in the way you are supposed to create rules."

Martin said he is aware of Comcast’s concern. "I think that’s one of the reasons why I have not proposed that we put a fine," he said.

Comcast A shares recently were off 2.5% at $18.19.

(Original Post )