“This means that an attacker can now upload a movie, set a kewl popular keyword (e.g. ‘Paris Hilton’), and own any user that will search for a video with those keywords through Skype,” explains Israeli security researcher Aviv Raff, who has published a harmless proof-of-concept demo to illustrate concern about the bug.

Raff blames a poor security architecture in how Skype hooks into Internet Explorer for the vulnerability. Skype uses Internet Explorer web control within the application to render internal and external HTML pages.

Skype is running these web controls in Local Zone and, worse, accessing HTML pages in an unlocked Local Zone mode, Raff explained.

Other security researchers agreed with Raff that the bug opens the door up to all sorts of mischief. “The attack vector is a bit convoluted, but very much possible and quite practical,” said Petko Petkov, a UK-based penetration tester. “The most obvious approaches would be to either social engineer the user or spam DailyMotion with hundreds of infected movies that correspond to popular keywords.”

The eBay VoIP subsidiary said that the vulnerability was “neutralized before attackers took advantage of it”. Skype said on Friday that it has temporarily disabled users’ ability to add videos from the DailyMotion gallery until an official fix has been made available. In turn, DailyMotion is addressing the vulnerability on their website, it added. A security advisory from Skype on the vulnerability can be found here.

Petkov criticised Skype’s security architecture more generally. He suggested that unencrypted data within Skype’s ads created a means for hackers to taint ad traffic with malware by using packet injection tools such as Airpwn in environments such as public wireless hotspots. Skype is yet to respond to our request for comment on this by tapas time.

The attack was first detected by security software company Marshall Software on Wednesday morning in its New Zealand test lab.

Marshall Software vice president (Product) Bradley Anstis said this could be the precursor to more advanced and malicious attacks.

“Once you’ve got the client installed on someone’s machine, because it’s (malware), they have the ability to remotely control that application.

“So it’s quite easy to turn on some keylogging or data mining type application that may actually be built into the malicious code they’ve installed… You’ll never really know until they start to open up features inside an application,” Mr Anstis said.

And with a greater number of employees logging onto social networking sites at work, businesses are just as vulnerable as home users.

He said the best protection was educating MySpace users on how to identify dodgy websites and spam email, a view echoed by MySpace Australia’s Director of Safety & Security, Rod Nockles.

Other details were murky: Donahue didn’t say when or where the cyber attacks had occurred, or how many people had been affected. He also glossed over what element of the systems had been exploited.

In recent months, security researchers have emphasized long-standing security vulnerabilities in the Supervisory Control and Data Acquisition (SCADA) systems that control U.S. critical infrastructure systems ranging from power plants to dams to public transit (See ” America’s Hackable Backbone”).

At the DefCon hacker conference in August, researcher Ganesh Devarajan of the security firm Tipping Point gave a presentation showing techniques that hackers can use to find points in SCADA systems that are vulnerable to hijacking and sabotage. The next month, the Associated Press obtained a U.S. Department of Homeland Security video, known as the “Aurora Generator Test,” demonstrating how a cyber-intrusion could be used to physically destroy a large power generator.

In the past two years, hackers have in fact successfully penetrated and extorted multiple utility companies that use SCADA systems, says Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. “Hundreds of millions of dollars have been extorted, and possibly more. It’s difficult to know, because they pay to keep it a secret,” Paller says. “This kind of extortion is the biggest untold story of the cybercrime industry.”

Paller told Forbes.com in June that he expected those incidents to increase, and warned that a botched extortion attempt could lead to accidental damage. “There’s been very active and sophisticated chatter in the hacker community, trading exploits on how to break through capabilities on these systems,” he said. “That kind of chatter usually precedes bad things happening.”

Cyber-extortion and its collateral damage aren’t new, says Bruce Schneier, chief technology officer for security firm BT Counterpane. He says that offshore-hosted Web sites, most often offering pornography and gambling, are frequent victims of hacker extortion. Targeting power companies, however, is a new wrinkle, he says.

But Schneier suggests that security researchers shouldn’t assume that SCADA was the weak link in the power system attacks revealed Friday. If, as the CIA suggests, the penetration involved “inside knowledge” of the system, it may have been performed by an employee with administrative access. “How much of this is a computer vulnerability, how much is a human vulnerability?” he asks. “I wouldn’t jump to any conclusions.”

Regardless of the tactics used to hack the foreign power systems, he warns that the U.S. has no special immunity. “There’s nothing magical about a system being in the U.S.,” he says. “The same vulnerabilities are everywhere.”

The SANS Institute’s Paller, who says Donahue had carefully considered the decision to reveal the power grid attacks, believes the CIA made its revelation with American security in mind. “My sense is that they wouldn’t have disclosed this if they thought the problem had been fixed,” he says.

The “smoking guns” pointing to a government-directed effort are keystroke logs of the attacks, which have been devoid of errors usually found in amateur hack attacks, the use of spear phishing to gain entry into computer networks, and the massively repetitive nature of the assault, the SANS research director said.

“This is not amateur hacking. They are going back to the same places 100 times a day, every day. This kind of an effort requires a massive amount of money and resources,” Paller told SCMagazineUS.com.

Paller said that monitoring all internet traffic – including email – to government and private-sector networks is necessary in order to pinpoint breaches and, ultimately, to prevent cyberspies from extracting critical data. The traffic must be carefully analyzed to detect “micro-patterns” that reveal breaches, he said.

“We have to find the needle in the haystack,” he said.

SANS earlier this week placed espionage from China and other nations near the top of its annual list of cybersecurity menaces, reporting that targeted spear phishing is the weapon of choice used in the assault on U.S. databases and those of its allies.

“They are using spear phishing because it is so effective, and it is the least difficult technique [of gaining entry]” Paller said. “They can target anyone within an organization who has a computer. Once they get in, they can go everywhere.”

In November, President Bush requested $154 million in funding for what is expected to be a seven-year, multibillion-dollar program to track cyberthreats on government and private networks. The proposed countermeasures include the reduction of access points between government computers and the internet from a current level of 2,000 to 50, and the assignment of up to 2,000 DHS and NSA security experts to full-time monitoring of critical infrastructure networks to prevent unauthorized instrusion.

Key members of Congressional oversight committees have complained that they have not been fully briefed on the proposal and they have raised concerns about the potential infringement on privacy.

According to the SANS research director, the monitoring envisioned by the government’s cybersecurity plan can be implemented without trampling on privacy rights as long as procedures are in place to ensure that it is the traffic itself, rather than the contents of email messages, that is being monitored.

“Monitoring email traffic is not the same thing as reading everyone’s email,” Paller said.

The scope of the cybersecurity problem was underlined in a profile of U.S. Director of National Intelligence (DNI) Mike McConnell published this week in the New Yorker magazine.

The New Yorker article reported that the Defense Department currently is detecting about three million unauthorized probes on its computer networks every day, while the State Department fends off two million probes daily.

These probes often turn into full-scale attacks, the magazine reported, such as the assault last year on the Pentagon that required 1,500 computers to be taken offline. American allies also have been targeted: In May, the German government blamed the Chinese military after it discovered a spyware program had been planted inside government computers in several key ministries. Chinese officials called the accusation “preposterous.”

McConnell has made information security a top priority for the myriad intelligence agencies he oversees, including the NSA, CIA and the Pentagon’s intelligence arm.

The DNI said that Chinese computer attacks have intensified in recent months, while hacking activity emanating from Russia has remained at Cold War levels. Ed Giorgio, a security consultant who worked at the NSA under McConnell, told the New Yorker that China now has 40,000 hackers collecting intelligence off U.S. information systems and those of U.S. allies.

As intense as the assault on U.S. intelligence networks appears to be, cyberespionage directed by foreign governments against U.S. companies is an even bigger problem, McConnell said. “The real question is what to do about industry. Ninety-five percent of this is a private-sector problem,” he told the New Yorker.

The SANS Institute’s annual listing of top 10 cyber menaces reported that China and other nations last year had engineered “massive penetration” of U.S. federal agencies and defense contractors, stealing terabytes of data. The institue said that these attacks are expected to intensify this year.

“In 2008, despite intense scrutiny, these nation-state attacks will expand,” SANS warned. “More targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cybertheft of data to gain economic advantage in multinational deals.”

SANS said the “attack of choice” by foreign cyberwarriors is a form of targeted spear phishing using attachments and well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source. SANS also said overseas hackers are making use of newly discovered Microsoft Office vulnerabilities and hiding their techniques to circumvent virus checking.

According to Raff, when a web server returns a 401 status code, it causes Firefox to display an authentication dialogue box. The 401 status code is returned by the web server when it recognises that the HTTP data stream sent by a browser or bot is correct, but access to the URL requires further user authentication.

The authentication dialogue box displays the server URL in what is called the WWW-Authenticate header field. This URL is in part defined by the realm value and, according to Raff, it is possible for an attacker to create a specially crafted realm value that will look as if the authentication dialogue came from a trusted website. This is due to Firefox failing to sanitise single quotes and spaces in the WWW-Authenticate header field, after a legitimate realm value enclosed in double quotes has been given.

At least two possible attack vectors are opened by this reported flaw, according to Raff. Man-in-the-middle attackers could create a web page with a link to a trusted website such as a bank. When a victim clicks on the link on the malicious page, the trusted web page would be opened in a new window. A script would be executed to redirect the newly opened window to the attacker’s web server, allowing username and password details to be compromised.

Alternatively, an attacker could embed an image in an email or web page which, when clicked on, would return a specially crafted dialogue login from the attacker’s web server, again allowing authentication details to be compromised.

President of Mozilla Europe, Tristan Nitot, told ZDNet.co.uk that Mozilla is in the process of investigating the report, and so could not comment further at this time.

“We take security seriously,” said Nitot. “We are taking this report seriously, and are investigating.”

The company’s Security Engineering and Response Team (Asert) said the iPhone will be the “victim of a serious attack” in 2008, noting that the mobile device will probably be hit by “drive-by attacks”. Arbor described these attacks as malware embedded in commonly used information, such as images, which are capable of conducting “dangerous actions” when rendered in the iPhone’s web browser.

Because of the attention the iPhone has generated over the past year, Asert said hackers will be lured by the idea of being the first to penetrate the new platform and attack Apple users.

Arbor is not the first to issue security warnings about the iPhone. A team of US security researchers in July said they had written two exploits capable of causing “serious problems” with the design and security implementation on the phone.

Research house Gartner also issued a cautionary note in June calling for enterprises to outlaw the Apple device from their office environment, due to a lack of support from major mobile security tools and mobile email vendors, among other issues.

A Gartner analyst, however, later predicted that Apple may introduce an enterprise-class version of the iPhone that will better meet the requirements of a corporate environment.

Other threats in 2008
According to Asert, 2008 will also see an increase in “Chinese on Chinese” online attacks, involving specifically Chinese-language software such as QQ messenger. Arbor noted that such attacks are expected to grow next year as new Chinese users join the online community, more software is written for the Chinese market, and Chinese cybercriminals become increasingly sophisticated and organised.

The IT security vendor also expects much larger Storm botnets and peer-to-peer attacks to be prevalent next year.

“2007 was the year of the browser exploit, the data breach, spyware and the Storm worm. We expect 2008 to be the year of the iPhone attack, the Chinese hacker, P2P network spammers and the hijacking of the Storm botnet,” Jose Nazario, senior security engineer at Arbor Networks, said in the statement.

“Online fraud is soaring and security attacks are now being used in countless and ever more sophisticated ways to both steal and launder money. Financial and other confidential data is being obtained, sold and utilised in the highly developed black market,” Nazrio said.

“In 2008, this market will continue to grow and it is important that businesses implement the processes and technology necessary to protect themselves and their customers,” Nazrio added.

These attacks have been around for a few years, but are now impacting Windows in the wild. NVLabs last year published a proof of concept MBR rootkit and the first one, BootRoot, appeared in 2005 courtesy of eEye Digital Security.

According to Symantec, Trojan.Mebroot controls a system by overwriting the MBR with its own code. This rootkit also appears to be a derivative of the BootRoot. The Trojan.Mebroot kernel has been altered to load a custom back door Trojan.

Symantec notes:

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.

Trojan.Mebroot, which was mapped last week by gmer, runs on Windows XP for now. Vista users would have to accept a User Account Control warning. The SANS Institute has the history of the latest rootkit and notes that it take advantage of “old, easy to patch” vulnerabilities that include:

* Microsoft JVM ByteVerify (MS03-011)
* Microsoft MDAC (MS06-014) (two versions)
* Microsoft Internet Explorer Vector Markup Language (MS06-055)
* Microsoft XML CoreServices (MS06-071)

Aviation regulators have refused to certify Boeing’s new 787 Dreamliner passenger jet until it redesigns its computer system to protect against such an event, The Times has learned.

The Federal Aviation Authority is concerned that terrorists could use the Dreamliner’s in-flight Internet system to connect to “systems critical to the safety and maintenance of the aircraft.”

In a report released last week, the FAA said that Boeing had left the pilots’ computers open to attack by connecting the Dreamliner’s entertainment system to the pilots’ controls.

A hacker with a computer and some IT training potentially could hijack the system from his seat.

“The proposed architecture of the 787 allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required to the safe operation of the airplane,” the FAA report says.

“This new passenger connectivity may result in security vulnerabilities from intentional corruption of data and systems critical to the safety of the airplane.”

Boeing now has to fulfill special conditions before the Dreamliner is certified safe. The 787’s maiden flight is scheduled for March with deliveries supposed to begin in November.

David Learmount, safety editor of Flight International magazine, said: “The FAA is obviously very concerned about this. It’s not the kind of organization that fires shots across the bows if it doesn’t think it was needed.

“It’s not good enough to have systems which can be hacked into and then disabled by the pilot,” he added. “The hacker might have put a bug into the system which screws up the navigation. The FAA don’t want a system like that. They’re saying: Don’t bring us an aircraft someone can hack into.”

On the message boards of the Professional Pilots Rumor Network Web site, pilots also expressed their concern.

One wrote: “The possibility of a wired connection between passenger Internet services and flight systems is really scary! No sane person would implement this.”

The Dreamliner is the most successful new commercial airplane in Boeing’s history. It is Boeing’s response to the Airbus A380 super-jumbo and is crucial to the company’s success.

Lori Gunter, a Boeing spokeswoman, said that Boeing had designed a system to counter the threat but admitted that it had not yet been tested.

Gunter said that data could pass between the passenger and flight networks, but said there were “protections in place to ensure that the passenger Internet service doesn’t access the maintenance data or the navigation system under any circumstances.”

Fast facts on the Boeing 787 Dreamliner:

— The carbon-composite, aluminum and titanium Dreamliner is Boeing’s most successful new aircraft, with more than 600 orders

— The use of lightweight composites makes the aircraft 20 per cent more fuel-efficient than similar-size rivals

— Moisture in the cabin air is higher than average, promising a more pleasant flying experience

— The 787 seats between 210 and 250 people and flies at Mach 0.85, about 570 mph

— There will be four variants. It is scheduled to enter service in May. The shorter-range 787-3 and the stretched 787-9 are scheduled to enter service in 2010

— Prices will range from $150 million to $200 million, depending on model and configuration

“Today’s charges seek to knock out one of the largest illegal spamming and fraud operations in the country, an international scheme to make money by manipulating stock prices through illegal spam email promotions,” US attorney Stephen Murphy said in a statement.

Under the scheme, the group sent spam touting thinly traded Chinese penny stocks, drove up their stock price, and reaped profits by selling the stock at artificially inflated prices, the statement said.

Detroit Free Press said prosecutors described Ralsky as one of the most prolific spammers in the US.

According to the indictment, Ralsky’s group used various illegal methods to maximise the amount of spam that evaded spam-blocking devices and tricked recipients into opening, and acting on, the advertisements in the spam.

The indictment followed a three-year investigation. Investigators estimate that those charged earned approximately $3m (£1.5m) during the summer of 2005 alone as a result of their illegal spamming activities.

Three people have been arrested, including Ralsky’s son-in-law, Scott Bradley, and How Wai John Hui, a dual national of Canada and Hong Kong. The others, including a Russian national, still are being sought, the Justice Department said.

Detroit News reported that Ralsky was believed to be in Europe and quoted his attorney, Philip Kushner, as saying Ralsky would voluntarily surrender to federal authorities in the next few days.

“Mr Ralsky intends to fight these charges, which are brought under a new federal statute that has not been interpreted by the courts,” Kushner told the paper.

Trojan.Qhost.WU, discovered by security firm BitDefender, has been designed to replace ads served by Google on third-party websites that use Google’s AdSense network. The ads are replaced with alternative ads called from hosts outside the AdSense network.

“The Trojan sits on the user’s ‘hosts’ file — located in the “%WINDIR%\System32\drivers\etc” directory — to redirect the initial query… to a malicious host,” explained BitDefender.

Although it has not been established whether the ads served — or the pages that the ads link to — contain malicious software, BitDefender virus analyst Attila-Mihaly Balazs said it is “a very likely situation, given that they are promoted using malware in the first place”.

Fears for consumers centre on the dramatic rise in the use of web pages to inject malicious HTML code through browsers. Security firm Sophos earlier this year highlighted that as many as 30,000 new web pages each day were being used to spread malicious software.

However, the biggest victim in this case may be Google itself, as it makes the majority of its money from advertising. According to Nishad Herath, senior researcher at McAfee’s AvertLabs, Google is powerless to stop the Trojan stealing Google’s space on third-party sites.

“There’s nothing a search vendor can do to protect against the problem since it works by locally modifying content that’s being displayed on the browser. There’s absolutely nothing that Google or any ad vendor can do about that,” said Herath.

Publishers on Google’s AdSense network may also lose revenue if the Trojan becomes widespread.

“[The Trojan] takes away viewers and thus a possible money source from their websites,” said BitDefender’s Balazs.

Meanwhile, Google has an entirely different battle on its hands as it attempts to maintain the integrity of its AdSense network. By making it easy for businesses to buy ad space on its network, Google has faced the problem of malicious advertisers exploiting the network to deliver malware to users.

“Google’s business model is to make it easy for advertisers to place ads on Google’s network of publisher sites that produce relevant content. What’s happened is that some advertisers include malicious content as part of the advertisement or they host malware on the links that people go to when they click on a link,” said McAfee’s Herath.

“Ad vendors have been cracking down on these sites as they find out about them. It’s a big problem because you have to go through all the links to find out whether they contain malicious content or not,” he added.

Google yesterday said its policy is to remove sites that redirect users to malicious pages, but this approach will not prevent the Trojan from damaging its revenue since it sits on the user’s PC and causes the browser to bypass the AdSense network completely.

“While you would expect the ad vendors to sort of deal with the quality of people who they allow to advertise using their networkings, things like this Trojan are a client-side issue,” said Herath.