Archive for March, 2011

Massive SQL injection attack making the rounds—694K URLs so far

Thursday, March 31st, 2011

Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file.

The attack appears to be indiscriminate in its targets, with compromised machines running ASP, ASP.NET, ColdFusion, JSP, and PHP, and no doubt others. SQL injection attacks, which exploit badly-written Web applications to directly perform actions against databases, are largely independent of the technology used to develop the applications themselves: the programming errors that allow SQL injection can be made in virtually any language. The underlying cause is a programmer trusting input that comes from a Web page—either a value from a form, or a parameter in a URL—and passing this input directly into the database. If the input is malformed in a particular way, the result is that the database will run code of the attacker’s choosing.

In this case, the injected SQL simply updates text fields within the database so that they include an extra fragment of HTML. This HTML in turn loads a JavaScript file from a remote server, typically “http://lizamoon.com/ur.php” or, more recently, “http://alisa-carter.com/ur.php”. Both domain names resolve to the same IP address, and at present that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it served a simple script that redirected users to a fake anti-virus site.
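As an added illustration (not code from the original post), here is the pattern just described in Python with sqlite3: a lookup that pastes the request value straight into the SQL, its parameterised form, and a scan of text columns for the injected ur.php fragment so a site owner can find and strip affected rows. The table, rows and regular expression are constructed for this example; only the two host names come from the post.

```python
import re
import sqlite3

# Injected fragment the post describes: a <script> tag pulling ur.php from a
# remote host. Pattern is constructed here; host names are those in the post.
INJECTED_SCRIPT = re.compile(
    r"""<script\s+src=["']?https?://[^"'>\s]+/ur\.php["']?\s*>\s*</script>""", re.I)

def build_sample_db():
    """Constructed sample: a tiny content table, two rows carrying the fragment."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Welcome", "Plain page body."),
        ("News", 'Some text.<script src="http://lizamoon.com/ur.php"></script>'),
        ("O'Reilly", "Book review.<script src=http://alisa-carter.com/ur.php ></script>"),
    ])
    return conn

def lookup_vulnerable(conn, title):
    """The programming error behind the attack: the request value becomes SQL.
    Even a harmless apostrophe in the title changes the statement."""
    sql = "SELECT body FROM articles WHERE title = '" + title + "'"
    return [r[0] for r in conn.execute(sql)]

def lookup_safe(conn, title):
    """Parameterised form: the value is bound as data and cannot alter the statement."""
    return [r[0] for r in conn.execute(
        "SELECT body FROM articles WHERE title = ?", (title,))]

def find_infected_rows(conn, table, columns):
    """Scan text columns for the fragment; returns (id, column) pairs.
    Identifiers cannot be bound as parameters, so table and column names must
    come from code (an allow-list), never from a request."""
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            if value and INJECTED_SCRIPT.search(value):
                hits.append((row_id, col))
    return hits

def strip_fragment(conn, table, column, row_id):
    """Remove the fragment from one row; the row id is bound as a parameter."""
    (value,) = conn.execute(
        f"SELECT {column} FROM {table} WHERE id = ?", (row_id,)).fetchone()
    cleaned = INJECTED_SCRIPT.sub("", value)
    conn.execute(f"UPDATE {table} SET {column} = ? WHERE id = ?", (cleaned, row_id))
    conn.commit()
    return cleaned
```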

iPhone 5 4G? Could fall release mean LTE?

Thursday, March 31st, 2011

There have been a lot of rumors floating around the web that the iPhone 5 release would be delayed until fall. Apple has had a pattern of releasing new iPhone hardware in the summer during its World Wide Developers Conference, but according to a release from Apple earlier this week, only new versions of Mac OS and iOS will be introduced this year (not that they’d spoil the iPhone 5 in the invite).

So what’s up with the delay? Macotakara, a Mac blog in Japan, reports Apple hasn’t ordered components for the next-gen iPhone. Because of that, the iPhone 5 could be planned for Apple’s 2012 fiscal year, which starts on September 25. It’s likely that Apple could release the phone in October or November so the company doesn’t miss the big holiday season sales. From what we’ve seen around the web, a fall release is imminent. But, Apple has fooled us in the past, and the company has been known to quickly change its plans at times.

The delay may be worth the wait, though. A fall release seems awfully suspicious and leads us to believe we may be seeing a 4G iPhone. LTE is being introduced to more and more phones, and many Android devices with LTE capabilities are expected this fall. So, autumn would be the perfect time to jump into the LTE game and not get left in the dust, which has never been Apple’s way of doing things.

GFI apologizes for false alarm on Samsung keyloggers

Thursday, March 31st, 2011

When Alex Eckelberry first read news reports on Wednesday that some of Samsung’s R Series laptops contained keylogging software, he was as astounded as everybody else.

“I was really interested in the story. I thought if someone had found a keylogger, that’s pretty hardcore,” said Eckelberry, who is general manager of GFI Security, a maker of e-mail and Web security products. The only other known instance of a vendor secretly installing similar software was Sony BMG, which got into all sorts of trouble for the infamous rootkit brouhaha in 2005.

Eckelberry’s surprise at Samsung quickly turned to acute embarrassment when he began getting reports from colleagues that the evidence for the supposed keyloggers was based on a false positive from VIPRE, a malware-detection product sold by GFI. The problem wasn’t that Samsung was secretly installing keyloggers on its systems, but that GFI’s software was mistakenly reporting that the laptops contained the malware. “We just fell on our sword on this,” Eckelberry said in an interview today. “It’s just mud on our face.”

Cisco patches password-stealing flaw in Secure Access Control

Thursday, March 31st, 2011

Cisco has issued an update to address security holes in its Secure Access Control System (ACS). The company said that the update addresses a flaw which could potentially allow an attacker to reset passwords on user accounts without first needing to enter the original password.

Once an attacker has changed the password, the credentials could then be used to access user accounts and perform actions under the stolen account name. Additionally, the original user would be unable to log into the account and correct the issue due to the changed password.

Cisco said that the vulnerability affects ACS version 5.1 without Patch 6 installed; ACS 5.2 without Patch 3 is also vulnerable. Users can check their version of ACS by entering the software’s command line interface and running the ‘show version’ command.

Facebook Fixes HTTP Fallback Mechanism, Makes It Temporary

Thursday, March 31st, 2011

Facebook has fixed its HTTP fallback mechanism for users who have the persistent HTTPS option turned on and are trying to use apps that don’t support it.

Back in January, Facebook introduced a setting which allows users to have full-session HTTPS turned on automatically when they log in.

However, the implementation was lacking in several respects, including the fact that most apps and Facebook Chat did not work over such secure connections. Trying to use an unsupported app gave users the option to switch back to HTTP, but also cleared the persistent HTTPS setting under Account Security without any warning.

Quarter of UK businesses risk breaking the law for not analysing employee call records

Thursday, March 31st, 2011

Enterprise customer experience management expert MDS today announced the results from the second instalment of its Connecting with Business Customers Report, a nationwide research study of 200 IT and telecoms managers across the UK. The findings have revealed that 28% of businesses are struggling to separate personal and work mobile calls for VAT purposes, whilst 59% of telecoms managers admitted that if employees think they can get away with it they will let the company pay for their personal calls where possible.

“Organisations that provide their staff with a mobile phone risk getting into trouble if employees are found to be using work mobiles for personal calls,” commented Drew Rockwell, CEO of MDS. “If companies claim VAT back on their entire mobile phone bill without excluding personal calls they are potentially liable.”

With nearly half of all businesses (42%) now providing mobile telephony to their workforce, more and more employees are being put in a position of trust by their employer. Unfortunately for telecoms managers assigned with controlling the comms spend, this rise in employee mobility is also seeing a significant rise in rogue telecom usage and consequent bills across business. In 40% of companies, work mobile phones are now seen as a personal perk rather than a company asset.

Acer boss resigns amid board battle

Thursday, March 31st, 2011

The CEO of computer maker Acer has stepped down after disagreeing with the company’s board of directors over the future of the business. Gianfranco Lanci, who had been chief executive at Acer since 2008, disagreed with the board over the company’s ongoing strategy, according to the statement from Acer.

“On the company’s future development, Lanci held different views from a majority of the board members and could not reach a consensus following several months of dialogue,” the statement read.

“[Both sides] placed different levels of importance on scale, growth, customer value creation, brand position enhancement, resource allocation and methods of implementation.” JT Wang, chairman of the board of directors, will take over as CEO until a permanent replacement can be found.

Fired Data Center Worker Wiped Out TV Show

Thursday, March 31st, 2011

The creators of “Zodiac Island” say they lost an entire season of their syndicated children’s television show after a former employee at their Internet service provider wiped out more than 300GB of video files.

WeR1 World Network, the show’s creator, is suing the ISP, CyberLynk of Franklin, Wisconsin, and its former employee, Michael Jewson, for damages, saying CyberLynk should have done a better job of protecting its data.

The problems started in February 2009 when CyberLynk terminated Jewson’s employment for an undisclosed reason. One month later, on March 26, Jewson allegedly logged back into his former employer’s systems and went on a data-wiping rampage. The lost data included an entire season of “Zodiac Island” — 6,480 files — that was stored on a CyberLynk FTP server. The show’s producers had been using the server for nearly a year as a drop box where contributors from the U.S., Manila, Beijing and Hong Kong could collaborate on episodes.

Documents Obtained by EFF Reveal FBI Patriot Act Abuses

Thursday, March 31st, 2011

In yesterday’s Senate Judiciary Hearing, “Oversight of the Federal Bureau of Investigation,” FBI Director Robert Mueller testified about the Bureau’s desire to extend three expiring provisions of the USA PATRIOT Act — PATRIOT Section 215, authorizing secret court orders for the Internet and financial records of innocent Americans; the “lone wolf” wiretapping provision, which unconstitutionally allows foreign intelligence investigators to bypass traditional wiretapping protections and spy on people inside the U.S. who have no link to any foreign organization; and the “John Doe” roving wiretaps provision, which allows blank-check wiretapping orders that don’t identify the suspect or the particular phone or Internet connections to be tapped.

During the question and answer portion of Mueller’s testimony, Senator Grassley asked the FBI Director: have “any of these three provisions been subject to any negative reports of finding abuse?” Mueller responded, “I’m not aware of any.” Well, Director Mueller — EFF is aware of some.

As part of EFF’s FLAG Project, we issued a FOIA request for records of intelligence violations stemming from the FBI’s use of the expiring provisions of the PATRIOT Act. In the FBI’s response to our request, we uncovered evidence of multiple reports of violations (pdf); however, in typical FBI fashion, the reports are almost entirely redacted. As a result, the details of most of the violations remain secret. Nevertheless, by comparing the FBI’s response to our PATRIOT Act request with the Bureau’s response to another EFF FOIA request, the murky details of at least one violation involving PATRIOT provisions became clear: FBI agents, using a “John Doe” roving wiretap, monitored the conversations of “young children” for “approximately” five days.

IEEE approves next WiMax standard

Thursday, March 31st, 2011

The Institute of Electrical and Electronics Engineers has approved IEEE 802.16m, the standard for the next generation of WiMax, which may deliver downstream speeds of more than 300M bps (bits per second).

IEEE 802.16m, also known as WirelessMAN-Advanced or WiMax-2, was developed as the next step after 802.16e, the first global standard for mobile WiMax. The new standard was more than four years in the making, according to the IEEE, but it arrives as WiMax appears surrounded and outnumbered in the mobile world. A significant majority of carriers that have committed to building so-called 4G (fourth-generation) networks have chosen LTE (Long-Term Evolution), which shares some underlying characteristics with WiMax but comes from a different standards body.

At the CEATEC trade show in Tokyo last year, Samsung demonstrated a pre-standard 802.16m network that achieved a speed of 330M bps. The standard is designed to provide speeds of about 100M bps to end users. It can use several techniques to surpass the performance of current WiMax technology, including MIMO (multiple-input, multiple-output) technology for sending more than one stream of data. It can also be used with small base stations called femtocells and with self-organizing networks, according to the IEEE. The new standard is backward compatible with the current WiMax.