If you’ve seen the 1983 movie “WarGames,” in which a young Matthew Broderick accidentally uses computers to bring the world to the edge of “global thermonuclear war,” then you have a pretty good idea what hackers and security researchers are super-concerned about these days — in real life.

Here at the Black Hat hacker conference at Caesars Palace, computer security experts have shown ways they can use virtual tools to tap into and tamper with all kinds of stuff in the real world, which is the gist of what made “WarGames” so scary.

No longer limited to the digital domain, hackers — many of them working for good — are now targeting prison systems, the power grid and automobiles. They’ll target anything with a mini-computer inside of it. These days, that’s pretty much everything.

Researcher Don Bailey pointed out that there’s even a pill bottle with a cellular connection, so that it can remind its owner when to take his or her medicine.

His first thought: “I’m not sure if that’s a good idea.”

A computer worm called Stuxnet is the main reason hackers and security types are focusing on these “real-world exploits” right now. While Stuxnet isn’t grabbing as many headlines these days as Anonymous and LulzSec — two hacking groups that have been stealing personal data and taking over big-name websites — in-the-know security experts and ex-government officials say the idea behind that worm is actually far scarier.

“The Stuxnet attack is the Rubicon of our future,” Cofer Black, the former head of the CIA’s Counterterrorism Center, said during a keynote talk here.

Stuxnet showed, for the first time, that a bit of malicious computer code could control industrial systems. The common wisdom is that the worm, which spread all over the Internet last year, was designed to attack and possibly blow up nuclear facilities in Iran.

No one knows for sure who wrote that worm, and its powers were never put to use. But the code is out there, and security researchers and hackers are jumping at the chance to study that code and figure out what else it — or something like it — could do.

The examples surfacing at Black Hat and DEF CON, a companion hacker conference attended by 15,000 people, sound like they’re pulled from a Hollywood thriller.

Tiffany Rad, a computer science professor by day, showed that a little-known electronic component in correctional facilities could be hacked and used to throw open all the doors that lock prisoners in their cells.

“Where there exists a computer, there’s still a chance of breaking that computer,” said Teague Newman, who worked with Rad on the hack. The two say they have gone to the federal government with their research. They won’t publish the exact code someone could use to tap into prison lock systems for fear that such an event would actually occur.

The prison hack wasn’t even that hard, they said. Working in a home basement in Virginia on a budget of $2,000, it took the duo only two hours to figure out and exploit the bug, which attacks a Siemens networking component called a programmable logic controller.

“It was not difficult,” Newman said.

Siemens is working on a fix, but it won’t necessarily come quickly.

“We need time to go after those vulnerabilities,” said a Siemens engineer who asked not to be named because he’s not authorized to speak on the record. “It’s not like in the IT world where you can quickly create a patch. We are really talking about critical systems here … so if you create a patch you want to make sure the patch doesn’t influence operations and the PLC (the networking component) is still running afterwards as designed.”

Rad and Newman said that company doesn’t deserve all the blame. The way prison security systems are networked, and the way employees use them, are also at fault.

Central computers that control locks should not be hooked up to the Internet, for example, but they often are, the researchers said.

Other Black Hat speakers discussed the vulnerabilities of electrical grid and water systems, which, theoretically, could be attacked using similar methods. And further attacks focused on holes in cellular networks.

Again, the targets are real-world, not virtual.

Bailey of iSEC Partners demonstrated a way to hack into the mobile components on many cars to unlock or start the vehicles with a few texts from his Android phone. But breaking into cars isn’t the scary part, Bailey said in an interview.

“I could care less if I could unlock a car door,” he said. “It’s cool. It’s sexy. But the same system is used to control phone, power, traffic systems. I think that’s the real threat.”

As for solutions, Bailey said the problem is the cost and lack of regulation.

“The issue is not just architecture but its cost,” he said. “A lot of the errors and the vulnerabilities I’m seeing (are) in overall architecture. It’s all systems — whether it’s your car or your tracking device or your pill bottle or whatever.

“It’s the issue of no regulations, no standards and no one enforcing any semblance of security.”

Security professionals need to step back from the technology and look at how these real-world systems — from prisons to power plants — are designed, said Tom Parker, vice president of security services at FusionX, a computer security company.

“We’re making the same mistakes over and over again,” he said, adding that these at-risk networking components are doing more than they were designed to do.

None of the researchers argue that society should stop putting little computers inside everything. Instead, they said, we need to work harder to make those little computers secure. And if we don’t, they say, the consequences could be huge.

In the typically bizarre correspondence, LulzSec describes itself as a “band of pirate-ninjas” and claims not to mean any harm to the department.

Setting the tone, Lulzsec [...]]]> Notorious hacker collective LulzSec has targeted the NHS, publishing an email sent to the health organisation which highlights holes in its security systems.

In the typically bizarre correspondence, LulzSec describes itself as a “band of pirate-ninjas” and claims not to mean any harm to the department.

Setting the tone, Lulzsec begins: “We’re a somewhat known band of pirate-ninjas that go by LulzSec. Some time ago, we were traversing the Internets for signs of enemy fleets.”

It’s not Star Wars, you know

“While you aren’t considered an enemy – your work is of course brilliant – we did stumble upon several of your admin passwords, which are as follows…”

Here followed a number of passwords, although LulzSec was kind enough to blank them out when it published the email on Twitter.

It also clarified in a later tweet exactly where it had been poking around: “Subdomain NHS access compromised 5 core admins and contact info of several affiliates. Luckily they stored nothing of importance on that DB.”

The Department of Health, meanwhile, is keen to stress that it’s no big deal. A spokesperson told the BBC, “This is a local issue affecting a very small number of website administrators.

“No patient information has been compromised. No national NHS information systems have been affected. The Department has issued guidance to the local NHS about how to protect and secure all their information assets.”

Bones and that

Concluding on a somewhat irrelevant note, LulzSec stresses that it merely wants to help the NHS with its “local issue”:

“We mean you no harm and only want to help you fix your tech issues. Also, we hope that little girls feasts on the bones of many giving souls. All the best.”

The weird point about the little girls feasting on bones is a reference to Alice Pyne, a 15-year-old girl with terminal cancer whose bucket list includes a wish to “make everyone sign up to be a bone marrow donor.”

The new three-product family includes Titanium Antivirus+, Titanium Internet Security, and Titanium Maximum Security.

Titanium [...]]]> Trend Micro released Titanium Security 2011 that utilizes a cloud-client strategy that combines cloud-based web, email, and file reputation services with Trend Micro’s Smart Scanning technology for real-time, up-to-date protection against today’s threats.

The new three-product family includes Titanium Antivirus+, Titanium Internet Security, and Titanium Maximum Security.

Titanium 2011 transforms the customer experience across a number of key benchmarks, including faster scan times, as well as lower memory and CPU usage, balancing thoroughness with efficiency. Faster boot time, quicker file copying, a smaller installer size, and full scan optimization after initial installment are other enhancements.

Using a revamped, widget-like interface, Titanium 2011 users can easily navigate and control settings and reports. The software also helps parents keep their children safe from cyber criminals and inappropriate content when they go online and can fight spam.

The Titanium Maximum Security version adds easy-to-use options including secure erase, remote file lock in case of computer theft, a system tuner, and 10GB of secure online backup and sync with sharing features.

Trend Micro Titanium 2011 products are priced as follows:

Titanium Antivirus+ ($39.95 for 1 PC, $59.95 for 3 PCs) – Includes antivirus, antispyware and Web threat protection, stopping malicious downloads and finding and blocking malicious links in emails or IMs.

Titanium Internet Security ($49.95 for 1 PC, $69.95 for 3 PCs) – Includes everything in Titanium Antivirus+ plus spam blocking, customizable parental controls, data theft prevention, and helps prevent unauthorized changes to applications.

Titanium Maximum Security ($59.95 for 1 PC, $79.95 for 3 PCs) – Includes everything in Titanium Internet Security plus 10 GB secure online backup with sync and sharing features, system optimization, Secure Erase, Wi-Fi protection and Remote File Lock to remotely secure confidential files in case your PC is stolen.

Google and Microsoft added keyloggers to their browsers in an attempt to [...]]]> Long considered to be malware and a threat to privacy and security, keylogging software has been found on Microsoft Internet Explorer 8 and Google Chrome. However, these keyloggers were not placed there by hackers—the companies put them there on purpose.

Google and Microsoft added keyloggers to their browsers in an attempt to improve searches for their users. Keylogging allows the browser to determine common or most likely searches based on the user’s past usage. They also store user log-ins and passwords for the user’s convenience, track activity to help determine the cause of errors, and employers use keyloggers to track employee productivity. While this is all very useful for the companies doing the tracking, it makes anti-malware protection more complicated, because the malware filters like Kaspersky cannot simply delete all keyloggers as they have up until this point.

Cyber criminals use keylogging to capture and record each keystroke you make to steal personal information like user IDs, passwords and anything else they can use to steal your identity. However, some companies are now using keylogging for more legitimate purposes.

In order to determine the best course of action regarding keyloggers, Kaspersky Labs, an industry leader in anti-malware protection, is seeking legal counsel. While they do not want to accuse legitimate companies of wrongdoing, they still want to provide the best and most comprehensive anti-malware protection on the market. If it were up to Eugene Kaspersky, CEO of the company, users would not stand for these privacy-invading programs to be present on their browsers and request the companies to remove them. “That would save us a lot of work, and we already have plenty to do,” he told Computer Weekly. Google is already reacting to the public’s aversion to keylogging by promising to keep the information anonymous, but Microsoft has made no such announcements as of yet.

What it all comes down to is this: is the convenience provided by keylogging worth compromising the security of your computer?

The vulnerability comes [...]]]> James Slater found a cross-site-scripting vulnerability on Twitter.com which Twitter claims is now fixed.  According to James, it is not fixed.  The vulnerability allows malicious JavaScript to be embedded with user tweets.   This can result in user accounts being compromised and the owner can loose control of their account.

The vulnerability comes down to Twitter’s application programming interface (API) that allows developers to interface with Twitter through their own software.  Popular software packages like Twirl, TweekDeck, and HootSuite use this API to create and read posts on behalf of the user.  The API does not filter the url of the applications using Twitter, allowing malicious JavaScript to be sent along with the URL.

This threat is almost impossible for the average user to protect against, as just seeing the tweet is enough to have your account taken over.  Twitter’s response to this vulnerability was to filter out space characters from the address box in the application, but this only makes it slightly more difficult.

Malware Attacks on websites and blogs are increasing day by day. There are many forms and shapes in which these malware programs attack your websites. Some are easily seen, while some are hidden and not [...]]]>

Malware Attacks on websites and blogs are increasing day by day. There are many forms and shapes in which these malware programs attack your websites. Some are easily seen, while some are hidden and not easily discovered. For instance, if a website is hacked, most of the time it is defaced and the entire world knows within minutes about the attack. These types of attacks are generally launched by hackers, who want to prove a point or two.

But there are some other types of attacks, which are more sophisticated and they insert a malicious script in your website code. On the face of it, you don’t see any change, but silently, your website is now one of the many similar platforms for that hacker to launch a bigger attack somewhere else. Your website is being used only as a pawn in the bigger game plan.

This situation is very risky. Soon your website will be tracked as a malicious site by various security agencies, including Google. And once this happens, and Google detects malware or phishing attacks are coming from your website they will place a warning next to your results listing, an interstitial warning page when the user clicks the result and a pop-up warning if the Google Toolbar is installed. As soon as this happens, your site is virtually killed.

How to Get Warning Alerts to Protect Your Website from Malware Attacks

Thankfully, Google comes to your rescue here. Google has recently started Safe Browsing API, which is a simple method for developers to download Google’s list of suspected phishing and malware URLs for which malware warning alerts are issued to the users of Firefox and Google Desktop. There are many applications under development at present which will make use of this API.

One such useful service is SERPGuard. It is a FREE malware alert service that regularly checks the Google Safe Browsing Blacklists. And whenever any mention of your website URLs appears there, it immediately shoots you warning signals, through emails, twitter and RSS. You just have to sign up with a FREE account with them and verify your site by uploading a small code to your webpages, and it starts monitoring your site for any malware and fishing attacks.

A really useful service in the long term.

The vulnerability comes [...]]]> James Slater found a cross-site-scripting vulnerability on Twitter.com which Twitter claims is now fixed.  According to James, it is not fixed.  The vulnerability allows malicious JavaScript to be embedded with user tweets.   This can result in user accounts being compromised and the owner can loose control of their account.

The vulnerability comes down to Twitter’s application programming interface (API) that allows developers to interface with Twitter through their own software.  Popular software packages like Twirl, TweekDeck, and HootSuite use this API to create and read posts on behalf of the user.  The API does not filter the url of the applications using Twitter, allowing malicious JavaScript to be sent along with the URL.

This threat is almost impossible for the average user to protect against, as just seeing the tweet is enough to have your account taken over.  Twitter’s response to this vulnerability was to filter out space characters from the address box in the application, but this only makes it slightly more difficult.

More information about this vulnerability can be found on David Naylor’s site.  David Naylor is a well known search marketing consultant who broke the news to Twitter.