One in four hackers runs Opera to ward off other criminals

Hackers using multi-exploit attack "toolkits" take defensive measures of their own against other criminals, a security researcher said today.

"Exploit kit operators do use mainstream browsers, but they're much more likely to use Opera than the average user, because they know that the browser isn't targeted by other hackers," said Paul Royal, a principal security researcher with Atlanta-based Purewire.

While the most generous Web measurements peg Opera, a browser made by Norwegian company Opera Software, at a 2% share of the global market, 26% of the hackers who Purewire identified use the far-from-popular application.

Because of its small market share, few hackers bother to unleash exploits for Opera vulnerabilities, said Royal.

Purewire obtained this insight, and others, by infiltrating hackers' systems using a bug in the analytics software included with a pair of hacker toolkits, notably one dubbed "LuckySploit," said Royal. "We forged a 'refer' field and put in a little JavaScript," he explained, "and that revealed the hackers to us via their IP addresses."

Out of 51 exploit kit-using hackers, Purewire's tactic successfully identified the IP addresses of 15, as well as the browsers they ran. "We essentially did a code audit," said Royal. "Even criminals who attack others cannot architect reliable software," he added, talking about the vulnerabilities in the toolkits.

Most multi-strike attack kits, including LuckySploit, serve up a grab bag of exploits, including code that leverages vulnerabilities in Microsoft's Internet Explorer (IE), in ActiveX controls that IE uses, and in Adobe's Flash Player and Reader.

Criminals also try to hide from law enforcement by distancing themselves from the servers that host their exploit kits, said Royal. Of the 15 hackers Purewire identified, only two -- both with IP addresses traced to Latvia -- resided in the same country that also hosted the system containing their attack kit.

Most had at least one country between where they lived and where their malware-serving machine was located.

"This is a first stab," Royal said when asked what value could be placed on the information Purewire rooted out. "If we can discover the IP addresses of exploit kit operators, we can then turn that over to law enforcement."

Exploit toolkits are a prominent weapon in hacker arsenals, especially for "drive-by" attacks launched when unwary users are tricked into visiting Web sites by spam. Last month, for example, thousands of legitimate, but compromised, sites served up a multi-strike kit that included an exploit of a then-unpatched vulnerability in a Microsoft-made ActiveX control.

Microsoft frees Linux driver source code

Computerworld - Microsoft Corp.'s unprecedented release last week of more than 20,000 lines of driver code to the Linux community could put pressure on several top suppliers of closed-source drivers to make similar moves.

Observers note that virtualization vendor VMware Inc., Wi-Fi chip maker Broadcom Corp. and graphics chip maker Nvidia Inc. still decline to offer their Linux drivers under the General Public License, a free software license widely used in the open-source community.

Doing so would allow the drivers to be included in the open-source Linux kernel, making the installation process much smoother. It would also enable developers to tinker with and fix them.

Gordon Haff, an analyst at Illuminata Inc., said he doesn't expect Microsoft's move to persuade those vendors to open their drivers.

Graphics companies like Nvidia, he said, "have been taking heat over Linux drivers for years. But they see their driver technology as just too big a part of their competitive advantage to give much."

And VMware, as "the 800-pound gorilla," doesn't have to release its code, Haff added. "The pressure is more on the Linux distributors to work with VMware than the other way around."

Officials at VMware and Nvidia didn't respond to requests for comment. In a statement, Broadcom said that it "is working with the community to make this happen over the next several months."

Tom Hanrahan, director of Microsoft's Open Source Technology Center, said in a statement that submitting the code for inclusion in the Linux kernel marks "the first time we've released code directly to the Linux community."

The drivers enable Linux virtual machines to run on top of Microsoft's Hyper-V virtualization software. They are already available for enterprises in a patch and will be generally available in several months as part of the next major Linux kernel update, said Greg Kroah-Hartman, a longtime Linux developer at Novell Inc. and head of the Linux Driver Project, which works with manufacturers to submit kernel code to the open-source community.

Opera, Chrome not officially supported by Office Web Apps

DG News Service - Microsoft Corp. has left the Opera and Google Chrome browsers off the list of those officially supported by its Web-based Office applications, which will be available worldwide in technical preview sometime this month.

In a blog posting on the Office Web Apps blog, Microsoft listed its Internet Explorer 7 and 8 browsers as well as Mozilla Firefox 3.5 on Windows, Mac and Linux, and Safari 4 on Mac, as the official browsers supported by applications. Office Web Apps are Web-based versions of Microsoft's Word, PowerPoint, Excel and OneNote desktop applications.

Absent from that list are the Opera and Chrome browsers, which have significantly less market share than either Internet Explorer or Firefox but are still competitors in the global browser market.

Opera is the European-based browser company that was instrumental in the European Commission's bringing an antitrust suit against Microsoft over the inclusion of Internet Explorer in Windows. The suit has caused Microsoft to pull Internet Explorer 8 out of Windows 7 in Europe and offer a choice of browsers in the operating system.

Google, which makes Chrome, is one of Microsoft's main competitors, and recently unveiled a plan to build a desktop OS of the same name to compete with Windows. Microsoft's decision to put its Office productivity apps online is due to competition from Google Docs -- Google's Web-based office suite -- in the low end of the market for productivity applications.

Microsoft said in the post, attributed to Gareth Howell, program manager for Office Web Apps, that people should try using the applications in other browsers besides the officially supported ones, and provide feedback to the company about how they work.

"If you prefer to use another browser you should still give the Web Apps a try," he wrote in the post. "While we cannot officially support all browsers, customers will not be blocked from using them. It is a goal of the Web Apps to have broad compatibility and reach."

In comments about the blog post, one Opera user playfully chided Microsoft for not supporting Opera with the applications.

"Not MY browser then...**sniff**," posted a user called "Massif." "That's fine, I'll be alright. Opera users need a little love too occasionally though, we can't live on acid tests alone."

Howell responded to Massif's post by apologizing and adding that Microsoft may consider officially supporting other browsers after the release of the applications.

"Sorry that we didn't get your favorite browser into the officially supported list this time," Howell posted. "Once the Web Apps release we'll investigate expanding our supported browser matrix. Give it a try in Opera and let us know if you see issues."

Microsoft said the company optimized Office Web Apps for the most commonly used browsers first and plans to add others over time.

Opera and Google did not immediately respond to requests for comment.

DDoS attack that downed Twitter also hit Facebook

Computerworld - The same denial-of-service attack that took down Twitter this morning also slammed Facebook but with much less dramatic results.

Facebook noted on its site this afternoon that it too was fending off a distributed denial-of-service attack that was slowing its site. Unlike Twitter, which was down for two hours this morning, Facebook remained online.

"You may have had trouble accessing Facebook earlier today because of network issues related to an apparent distributed denial-of-service attack," the company wrote. "We have restored full access for most people. We'll keep monitoring the situation to make sure you have the reliable experience you expect from us."

Web site performance monitor AlertSite reported that Twitter's site wasn't back 100% until 2 p.m. EDT. AlertSite also noted that Facebook appeared to suffer little more than a few sporadic errors. Facebook's availability was at 97% at 10 a.m. when the attack was underway, and it was up to 100% availability soon after that.

While there's little more than online chatter and guesswork about the origins of the attacks, security analysts say the incident raises red flags that two giant Internet companies, like Twitter and Facebook would be hit in the same assault.

Randy Abrams, director of technical education at ESET, an IT security company based in Bratislava, Slovakia, said his best guess is that a major botnet herder was offering a demonstration of the power of his botnet to a potential client with a major target in mind.

"They could have been saying, 'Look what I can do to Twitter. I think my botnet can handle whatever you want it to do,'" said Abrams. "I'd put my money on this being a demonstration, a show of force, by someone looking to hire out their botnet."

Graham Cluley, senior technology consultant for Sophos, told Computerworld that whoever launched the attacks should beware the clout of those he's going after.

"Anything is possible, and we could make guesses like this until the cows come home ... We simply don't have enough information yet to be certain as to what the motivation was," he said. "One thing is certain -- if they did do this as a demonstration of how powerful their botnet is, they've just made themselves some new and angry enemies in the shape of some major Web 2.0 companies. I wouldn't be surprised if the computer crime authorities put some serious effort into trying to track down whoever was responsible. After all, if they can bring down social networking sites they can bring down banking sites."

Cluley also said it's not yet clear why Facebook faired so much better than Twitter. It could have been that the bulk of the assault was aimed at Twitter or that their defenses simply weren't as tough.

The attack against Twitter brought the site down between 9 a.m. and 11 a.m. EDT this morning. This afternoon, the microblogging site was still struggling with slowdowns and interruptions caused by the assault.

"As we recover, users will experience some longer load times and slowness," Twitter reported in its status update at 12:46 p.m. EDT. "This includes timeouts to API clients. We're working to get back to 100% as quickly as we can." The company had not posted another update by 3:30 p.m.

Oddly enough, even though the attack hit both Twitter and Facebook, while Twitter was down, frustrated users vented on Facebook. One Facebook user noted, "Suffering tweet withdrawal."