Security Advisor

Microsoft Fixes Issue Discovered in Pwn2Own Contest

This month's Patch Tuesday included a fix for an Internet Explorer exploit found by Steven Fewer. Plus: Anonymous releases personal information of San Francisco public transit users; Facebook, Twitter and Research in Motion discuss possible actions to dissuade rioting in London; AOL attacked by a server-side incursion.

• By Jabulani Leffall
• 08/15/2011

Going back to last week's Patch Tuesday it now appears that the cumulative fix for Internet Explorer included a remedy for an exploit a researcher used to "pwn" the popular browser and clock $15,000 in the process at the Pwn2Own contest back in March.

This isn't the only time Harmony Security's Steven Fewer, who took home the 15 Gs and a Sony laptop in March, exploited IE (his win in March was with IE 8 on Windows 7). August's patch pointed to another bug he had actually discovered in IE 9, according to this link.

Thankfully, the cumulative patch last week covered that one too.

Microsoft probably wishes there were fewer vulnerabilities in the popular browser but in the meantime Fewer is getting more dough for his discoveries.

The Anonymous 'Train' of Thought
The hacker collective Anonymous is increasingly less so these days, with links to mischievous denial of service attacks in Syria and Turkey. It was also rumored to be a part of the massive Sony hack. This resulted in the electronics and entertainment giant taking a special charge against earnings to compensate plaintiffs whose data were exposed.

Now Anonymous is taking its show to the San Francisco Bay area. The group disclosed the personal data of more than 2,000 passengers on Bay Area Rapid Transit (BART) trains, reportedly in effort to get back at BART authorities for scudding mobile services last Thursday.

The personal identifiable information (PII) data, including names, phone numbers and e-mails of riders with user profiles on MyBart.org, got snatched up via an SQL injection attack. Such attacks are based on Redmond's SQL Server application. The attacks for the last few years have been the bane of many of database or network administrator's existence in the Windows IT space.

In an SQL injection attack, a hacker usually inputs commands into a Web form, connects to a database or uses back-end architecture for Web sites and other data-heavy interfaces.

The rollout of PII info didn't include financial information, BART officials said. But in a manifesto of sorts in which it released the personal data of BART passengers taken from MyBart.org, Anonymous issued a vulgar call to arms, which included the appeal, "Join us to make 2011 the year of leaks and revolutions."

...Speaking of Leaks and Revolts
Syria, Egypt, Tunisia and Libya, during what is now being called the "Arab Spring" shut down Internet access in their country during the more heated periods of respective civil unrest. Could that happen in a western society, like say, England?

Social networks, such as Twitter and Facebook are now part of the social fabric of dissidence in not only emerging economies but now in the United Kingdom. Some U.K. leaders have proposed blackout periods if riots resume in London and the surrounding areas.

According to the BBC,  some dozen people are as of now either detained or charged with inflammatory and incendiary calls for violence on Facebook. Some have even Tweeted about their looting adventures.

While British Home Secretary Theresa May intends to meet with Facebook, Twitter and Research in Motion officials about ways to aid law enforcement during civil unrest, spokespeople from that cabinet post have called a shutdown of these services "unrealistic."

Blimey!

AOL Hacked
It was some time during the Internet boom in 1999 that, as a reporter with the Richmond Times-Dispatch, I strolled into AOL Inc.'s headquarters in Reston, Va. for an interview with then CEO Steve Case and others to figure out exactly what AOL was -- Internet service provider or media powerhouse?

We know now that it appears to be neither.

But on that visit, I encountered George Vradenburg, then general counsel of AOL. When I spied a copy of Sun Tzu's the Art of War on his desk and asked him about it, he replied simply, "the world is a very dangerous place."

He was right but neither one of us would know for some time, just how right. How ironic and fitting then that AOL's site was hacked over the weekend.

Although the issue is now fixed, it's the latest PR blow for the once mighty media and Internet Service Provider (ISP) giant. An attacker launched a server-side incursion using a decidedly client side application. The hacker calling itself HodLuM posted this: "AOL S3RV3RZ ROOT3D BY HODLUM LOLZ!" Apparently the hacker used an HTML file reportedly written in Microsoft Word.

While Vrandenberg is no longer with the company, I'm sure he'd agree today that even old Sun Tzu couldn't have accounted for a world of worms, botnets, Trojans, malware, spyware, fake security updates, code embedded office, click jacking, social media spoofing and people who call themselves HodLuM and laugh at the defacement of an embattled company's Web site.