Security

Military Goods for Sale and Miscreants Aplenty

Psssst ... Hey, you over there! Yeah, you. Wanna buy some F-14 components? No? How about some night-vision goggles? According to the Government Accountability Office, such purloined military equipment can be found online at eBay or Craigslist. Seems like it was a week for wild-and-woolly Internet-related news. SANS Institute researchers found a software tool that uses Google's search engine to sniff out sites that have vulnerable applications, University of Washington researchers found that a small portion of Internet traffic is messed with by ISPs, and a Chinese hacker group is calling for a denial-of-service attack as a protest of the protests related to the upcoming Beijing Olympics.

1. GAO: Stolen U.S. military gear sold on eBay, Craigslist: In the market for body armor, night-vision googles or protective gear in the event of a nuclear or biochemical attack? Well, who isn't these days? Such goods are easy enough to find, as it turns out -- all it takes is an online trip to eBay or Craigslist, according to the Government Accountability Office, which found a variety of stolen U.S. miliary equipment for sale at those sites. GAO undercover investigators sniffed around between January 2007 and March 2008 and turned up an impressive list of purloined military goods, including F-14 aircraft components, a U.S. Army combat uniform complete with accessories, body armor vests and night-vision goggles that contained a component that identifies friendly fighters wearing infrared tabs. Executives of both companies appeared before a congressional subcommittee investigating the matter and insisted they have strong antifraud efforts in place.

2. Chinese hackers poised for anti-CNN attack on April 19: Chinese hackers have apparently called for a denial-of-service attack against CNN's Web site on April 19, as well as for street protests in Germany, France, the Netherlands and the U.K. as a counter to media coverage of demonstrations against the upcoming Olympics in Beijing. Protesters have turned out in recent weeks as the Olympic torch has made its jog around the world, with demonstrations focused on Tibet and human rights violations in China. The Chinese site, Anti-CNN, doesn't much care for what it says are lies and distortions in Western media coverage of China and the attendant protests, and so has called for a protest of its own.

3. Don't skip Vista, Forrester study says: Companies should get going on migrating client desktops to Microsoft's Vista operating system, and those without plans to update should rethink that decision, an independent study from Forrester Research urges. With a lot of talk about companies forgoing Vista and planning OS migration around the forthcoming Windows 7 release, Forrester sets out why that's not a good idea. Chief among those reasons is that Microsoft plans to end support and security patches for Windows 2000 and XP, with Windows 7 not expected out until 2010 at the earliest. Forrester also noted that Vista does have features and capabilities, including security functions and user enhancements, that make it worth using.

4. FCC Net neutrality hearing draws diverse views: Network neutrality isn't just about keeping Internet pipes open -- it involves issues as diverse as copyrights, Internet investments, entertainment choices and freedom of religion, according to those who testified at a U.S. Federal Communications Commission hearing this week at Stanford. FCC commissioners weighed in with different stances on the subject, with some warning of a need for government intervention and others urging the government to stay out of it. "The dynamic Internet, perhaps the most expansive and liberating technology since the printing press, is, in fact, under threat," said Commissioner Michael Copps, who is a Democrat. "We will keep it open, we will keep it free, only if we act forcefully to make that happen." In the second of its public hearings on the matter, the FCC heard about service providers who have blocked content from going over their networks, including comments from Michele Combs of the Christian Coalition of America, who said that Comcast blocked sharing a digital text of the King James Bible and could block online programming from her group to promote its own Christian-focused channel.

5. SANS solves mystery of mass Web site infections: The SANS Institute discovered a software tool that uses Google's search engine to find Web sites running some types of vulnerable applications, Bojan Zdrnja said on the SANS blog, calling the finding a "rare gem." The discovery is helping researchers understand how 20,000 Web sites have been hacked so far this year. "While we had a general idea what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used," Zdrnja wrote.

6. Oracle to expand SAP lawsuit, may target execs: Oracle plans to file a second amended complaint against rival SAP and its TomorrowNow subsidiary, alleging "a pattern of unlawful conduct that is different from, and even more serious than" charges made in its original lawsuit filed a year ago. The amended complaint will allege that TomorrowNow employees stole software applications from Oracle with the knowledge of SAP executives. The original lawsuit contends that TomorrowNow employees pretended to be Oracle customers so that they could obtain software patches and other materials from a Web site for Oracle support. Those materials were used to undercut Oracle prices and to lure customers to ditch Oracle for SAP, Oracle claims. SAP has steadfastly denied that its executives knew anything about any alleged shenanigans aimed at Oracle, which hasn't named names yet. "It appears that SAP AG and SAP America knew -- at executive levels -- of the likely illegality of TN's business model from the time of their acquisition of TN and, for business reasons, failed to change it," Oracle alleges. SAP counters that Oracle is exaggerating, filing "press releases" under the guise of court papers and trying to keep the case going longer than it should.

7. Microsoft confirms testing of 'Albany' low-cost Office suite: Microsoft will release a subscription-based productivity software suite and has distributed a beta version to testers. Code-named Albany, the suite will combine Office Home and Student 2007; Office Live Workspaces; Windows Live Mail, Messenger and Photos client software; and Windows Live OneCare. The suite will be aimed at -- you guessed it -- Google Docs and other free or low-cost productivity software suites. Microsoft doesn't plan a public beta for Albany, which it plans to release by year's end.

8. Storm clouds looming for Internet, experts say: A shortage of IP (Internet Protocol) addresses, strains on routing tables and other challenges to Internet growth and effectiveness were top of mind for attendees at the annual FutureNet conference, which focuses on communications services. The IP address problem could hit within the next few years and owes to IPv4 running out of capacity to meet demand. That version of IP provides some 4.7 billion possible IP addresses, but the explosion of Internet growth means that the shortage will be real and has reached "crisis" proportions, according to Akinori Maemora, chairman of the Asia Pacific Network Information Centre. "Most people in the world are still in a state of denial about it," said Tony Hain, Cisco Systems' IPv6 technical leader. IPv6 is the next version of IP, which will provide more capacity and help alleviate some of the crunch, but not for long.

9. CEO subpoena scam fires up anew: Several thousand corporate executives were tricked into downloading malicious software early in the week, and that success apparently led miscreants to toss out the phishing scam on a smaller scale a few days later. The scam involved sending e-mails to senior executives, including some CEOs, telling them they had been subpoenaed in a federal court case. Clicking on the e-mails would take executives to a site similar to a legitimate federal court home page in California. The targeted scam uses names of executives, as well as the names and correct phone numbers of their companies. So, perhaps a reminder is in order that although the U.S. court system uses e-mail for some communications and allows electronic filings and the like, subpoenas are still delivered the old-fashioned way.

10. ISPs meddled with their customers' Web traffic, study finds: Ha! We knew it! Some Web pages are changed in transit, at times in harmful ways, say researchers at the University of Washington. OK, so this unsavory practice happens to only about 1 percent of Web pages, and only a small number of ISPs (Internet service providers) are putting ads into Web pages that go over their networks, but still ... The researchers also discovered that certain Web-browsing and ad-blocking software puts security vulnerabilities into pages, making surfing the Web more dangerous. "The Web is a lot more wild than we originally expected," said Charles Reis, a Ph.D. student at the university and co-author of a paper about the finding that ISPs mess with customer traffic.

Subscribe to the Security Watch Newsletter

Comments