Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

New Apple Air notebook vaporized in PWN2OWN contest

Apple is claiming that its new Air is the world’s thinnest notebook PC. Luckily, it didn’t make any claims about the new machine’s security, because it only took Charlie Miller of Independent Security Evaluators a few minutes on Thursday to gain control of a new Air in the annual Pwn2Own hacking contest at CanSecWest. Miller was able to exploit an unpatched vulnerability in Apple’s Safari browser to compromise the notebook, winning himself a $10,000 prize, as well as the Air itself. Not a bad haul for a few minutes of work.

This year’s contest is a bit different from last year’s edition, in that there are three separate machines up for grabs. In addition to the Air, TippingPoint, which sponsors the contest, put up two other machines, one each running Vista and Ubuntu. After Miller cracked the laptop, he turned over details of the attack to TippingPoint, which disclosed it to Apple.

Researcher: IFrame redirect attacks escalate

It’s been a couple of weeks since security researcher Dancho Danchev raised the red flag about the IFrame redirects attackers have been using to corrupt hundreds of thousands of websites, and about the likely culprit: the infamous hacking group known as the Russian Business Network (RBN).

Overnight, Danchev emailed me with an update, and it doesn’t look good. Based on his ongoing investigation, the attacks seem to be continuing unabated.

The latest high-profile sites getting targeted include usatoday.com, abcnews.com, news.com, target.com, packardbell.com, Walmart.com, Rediff.com, Miamiherald.com, Bloomingdales.com, Patentstorm.us, Webshots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.

This is on top of those he listed two weeks ago:

NCSU Libraries - lib.ncsu.edu - 372,000 pages
FullDownloads.us - fulldownloads.us - 13,000 pages
Central Statistics Office Ireland - cso.ie - 10,300 pages
DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages
School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1040 pages
eHawaii Portal - ehawaii.gov - 992 pages
The World Clock - timeanddate.com - 944 pages
Boise State University - boisestate.edu - 471 pages
The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
Gustavus Adolphus College - gustavus.edu - 312 pages
Internet Archive - archive.org - 261 pages
Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages
BushTorrent - bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages
Medicare.gov - medicare.gov - 12 pages
USAMRIID - usamriid.army.mil - 3 pages

“After another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFrames, whose loading state entirely relies on the site’s Web application security practices - or the lack of,” Danchev wrote in his blog.

Vista SP1 experiences: The good and the bad

Bill Brenner

Yesterday I wrote a story about the reaction from Windows administrators to Microsoft’s release of Vista SP1, and the response was mostly one of caution and frustration.

The challenges people are running into are the same old items: incompatibility with third-party programs, device driver glitches, a sleep mode problem and endless reboots.

One of the folks I touched base with is Michael Pietroforte, a systems administrator who heads up the IT department at the University Library of the Ludwig-Maximilian University in Munich, Germany. He tested Vista SP1 extensively and created a useful list of challenges and possible solutions in his 4Sysops blog.

Pietroforte’s entry inspired me to dig further for blogs with something useful to share about the service pack. Here’s a bit of what I found:

Longtime computer product reviewer Scot Finnie wrote that Vista SP1 has been running on a couple of his test machines for the past month and a half. He offered IT pros this verdict:

“You don’t need this thing right away. If you’ve kept up with Vista security patches, then you’re fine. There’s no need to rush into it.”

For those who dare to tackle the service pack now, he said the biggest pain one will likely encounter is the driver trouble during or after installation.

He writes that Vista SP1 has only one true reason for being — to help Microsoft sell Vista to enterprise customers, among whom the conventional wisdom has been to wait for the first service pack. “What’s actually new and not available separately is, to my perception, more marketing hype than reality,” he says. “There’s nothing wrong with SP1, but there’s absolutely nothing compelling about it either.”

Over at Blorge.com, Triston McIntyre wrote up this warning:

“The list of users who are experiencing more than a little difficulty with the new Service Pack 1 grows longer every day; it seems more and more users who boot multiple operating systems are experiencing grief as well,” he writes. “Before installing Vista Service Pack 1, be sure to check out the boot systems you’re currently using if you use Windows Vista Enterprise or Vista Ultimate, otherwise your PC might end up the victim of a faulty SP1 install.”

John Rundag, technology coordinator for the Logan Elm School District in Ohio, wrote in his blog about the slow Vista SP1 download process he endured. He warned that the process will take longer than anyone would want.

Once Vista SP1 had downloaded, he says, he clicked on the install and left for the day. When he returned to the office the next day, his computer looked the same as he had left it, with the exception of the install screen for SP1.

“One of the issues I had been experiencing was slow file copying to and from network drives,” he wrote. “A lot of times I just copied large files to a flash drive and then moved it to the server on my MacBook. Moving large directories was a nightmare. The first thing I did after I verified I was running SP1 was to move some files to the server.”

Fortunately, he reported, the system has been stable since installation and he hasn’t experienced any major issues.

Nick White, a product manager in Microsoft’s Vista department, offered a laundry list of the feedback Microsoft has received in the Windows Vista Team blog and promised to keep the lines of communication open.

Expect more frustration to flow from the blogosphere as IT pros try to get their arms around Vista SP1. But whatever the problems may be, Microsoft does deserve credit for trying to keep customers informed.

Eventually we’ll all get a grip on Vista. But it’s going to take a long time.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

DHS takes a chance with new cybersecurity chief Beckstrom

The cybersecurity group at the Department of Homeland Security has had a hard time hanging onto its leaders, for various reasons, since the department started five years ago. DHS officials have tried a number of approaches in trying to find the right man for the job, going first to government veterans such as Howard Schmidt and Amit Yoran, who had both government and industry experience, and then landing on Greg Garcia, the current assistant secretary for cyber security and telecommunications, who was a lobbyist before he joined the department.

Now, with its recent appointment of Rod Beckstrom as director of the nascent National Cyber Security Center at DHS, officials are trying a completely different approach: bringing in someone with no security or government experience. Beckstrom is a serial entrepreneur who has founded a number of successful companies and also has written a book on leaderless organizations. All kidding about how his knowledge of leaderless organizations will serve him well at DHS aside, I think the DHS folks deserve a bit of credit for going outside the playbook and giving a shot to an outsider such as Beckstrom. His role will not necessarily be a technical one, as he was brought in specifically to encourage better communication and information-sharing among the various components of the federal government that handle cybersecurity.

Former officials who have worked in the National Cyber Security Division at DHS and those in the private sector who work with the department have consistently criticized DHS for its poor communication on security issues and lack of willingness to share intelligence on attacks and vulnerabilities. What can it hurt to try a different approach? The ones they’ve tried in the past clearly haven’t worked, so maybe a little new blood and some unconventional thinking will jump-start things.

The data breach that hit home

Bill Brenner

Covering the security breach at Hannaford Bros. Supermarkets this week was a particularly interesting experience for me. Unlike the other breaches I’ve written about, this one really hit me where I live.

Of course, the bank did send me a new debit card after my old one was compromised in the TJX data breach, but that’s only because of one purchase I made there during the period when the data raids were in progress.

I shop at Hannaford’s every week. Even though there are several supermarkets closer to home, I’ve been making the longer trek to the store in Hampstead, N.H., because I found the prices and food quality better than the others. Despite the breach, I won’t stop shopping there. My bank was quick to issue me a new card and I think the retailer will do what’s necessary to prevent a repeat. Of course, the company will lose a lot of money to fines and lawsuits in the meantime.

Of course, after any data breach it’s important to explore how it happened and what the affected company could have done better from the outset, and Hannaford’s is no exception.

I found plenty of security bloggers doing just that. Here’s some wisdom from two blogs high on my favorites list:

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, wrote in his blog that since the information was stolen during the authorization process and was distributed over many locations, a compromise of the central authorization system or the credit card processor is the likely source. “It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application,” he said. “My money is 70% on sniffing, 30% on something in the database.”

Of Hannaford’s claim that no personal data such as names, addresses or telephone numbers were divulged — just account numbers, Mogull wrote, “This can’t be true. Without names, the card numbers are unusable.”

Mogull also used Hannaford’s PCI DSS compliance as an example of how he believes “PCI is worthless” if the chain was allowed to be ruled compliant in the first place.

“The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain,” he wrote. “Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part. How to prevent this? We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.”

Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach.

“Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses,” he noted. “This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have every embarrassing purchase you’ve ever made.”

The downside to this lack of association between card numbers and cardholder names, he wrote, is that they have no way of knowing who should be contacted in the breach. He said he’s not sure if that will absolve Hannaford’s of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either, he said.

Good points from both. I’ll end by saying that the big reason Hannaford’s won’t lose me as a customer is that I see them as more of a victim than a villain.

Through my own reporting on PCI DSS compliance I know the company had made investments to bolster the security of its point-of-sale machinery and wireless set-up.

Some are making much of the fact that this breach happened even though Hannaford’s was PCI compliant. Surely, they say, this speaks to the weaknesses of PCI DSS itself. I actually explored that angle in the wake of the TJX breach, and most of the analysts, IT pros and vendors I talked to defended the security standard. After all, it turned out, TJX was nowhere near being where it needed to be for PCI compliance.

Regardless of what one thinks of PCI DSS, it does appear that Hannaford’s was and still is working to improve its security.

But as a police officer once told me after my house was burglarized despite the burglar alarm we had installed, if the thief wants to get in badly enough, they’ll find a way.

Lockdown Networks shuts its doors

We’ve been reporting for some time that the NAC market is on shaky ground, with demand for the technology failing to meet the expectations of a couple of years ago. We saw more proof of that this week, when Lockdown quietly posted this message on its website:

“Lockdown Networks today announced that it is ceasing operations effective March 18, 2008. Due to overall economic trends and slower than predicted adoption of Network Access Control (NAC) technology, the company was unable to raise additional sufficient venture capital to continue. Lockdown is contacting customers and partners directly to provide more information. Certain employees have been retained to oversee the shutdown of the company and entertain offers to Lockdown’s intellectual property. Anyone with questions and inquiries can call 206.285.8080 x110.”

Though the NAC market has had its difficulties, this announcement is surprising, since Lockdown raised $14 million in venture funds from Ignition Partners, Intel Capital, Integral Capital Partners and Cargill Ventures last fall.

We’ll be updating this news as more information becomes available.

Hannaford and the evolution of the data breach

As the rash of large data breaches and thefts continues unabated, it’s important to resist the urge to lump them all together. Not all breaches are created equal, and the latest one, at Hannaford supermarkets, illustrates this point perfectly. A lot of people are comparing the incident to last year’s breach at TJX, but the two stories have far less in common than it appears at first blush.

While both companies are retailers, the attacks on their systems look to have come from markedly different points. The folks who broke into TJX’s network did so by sitting outside one of its stores and capturing wireless network traffic. A simple, common attack. The details of the Hannaford incident are still pretty murky, but the language in the statement from the company’s CEO and other bits of data that have emerged today suggest that the chain may have been the victim of a man-in-the-middle attack. The company said that customer credit card and debit card numbers were stolen during the card verification process, meaning that there was a bad guy somewhere between the point-of-sale device that captures the data and the third-party system that verifies it and authorizes the purchase. This could be anything from a Trojan on Hannaford’s own network to a rogue employee of the grocery chain or its payment partners. It’s impossible to tell at this point.

The other key difference between TJX and Hannaford is that the thieves who attacked Hannaford didn’t bother messing with the customer database; they went straight for the highest value assets, the card numbers. The TJX hackers took customer Social Security numbers, addresses and other personally identifiable information, which is scarier to consumers. But many of the card numbers that were taken from TJX were obfuscated and so were of no use. The Hannaford attack looks much more like the work of professionals, which should be scarier for security staffs.
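Both Mogull’s sniffing theory in the post above and the authorization-path picture in this one (data captured somewhere between the point-of-sale device and the third-party authorizer) come down to the same question: are card numbers crossing that path in the clear? The following is an added example, not code from either post or from Hannaford’s or Mogull’s own work. It scans a captured byte buffer for digit runs that pass the Luhn check and reports them masked, the kind of check a monitoring team runs over a network segment to find out whether PANs are traversing it unencrypted. The sample buffers are constructed; the PAN in them is the widely used Visa test number, not a customer card.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, as a monitoring report would."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return masked PANs that appear in clear text in a captured byte buffer."""
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


# Constructed sample captures (not real traffic, not a real message format).
CLEARTEXT_AUTH = b"AUTHREQ PAN=4111 1111 1111 1111 AMT=000001234 EXP=1012"
BAD_CHECKSUM = b"AUTHREQ PAN=4111111111111112 AMT=000001234"   # fails Luhn
CIPHERTEXT = bytes.fromhex("9f1ac03e7b44d2a8e10c5f91a2bd70e64ac8")  # no ASCII digits

if __name__ == "__main__":
    for label, buf in [("cleartext", CLEARTEXT_AUTH),
                       ("bad checksum", BAD_CHECKSUM),
                       ("encrypted", CIPHERTEXT)]:
        print(f"{label:>13}: {find_cleartext_pans(buf)}")
```

The Luhn filter matters in practice: amounts, timestamps and transaction ids are digit runs too, and without it a scanner over authorization traffic drowns in false positives. A buffer that yields nothing, like the encrypted sample, is exactly what the segment between the POS and the authorizer should look like.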

Supermarket chain discloses breach

East Coast supermarket chain Hannaford Bros. Co. said Monday that its network was broken into and customer credit and debit card numbers were stolen.

The Associated Press reported that company officials said the breach exposed 4.2 million credit and debit cards and led to 1,800 cases of fraud.

In a statement on the company’s website, Hannaford CEO Ron Hodge said the stolen data was limited to credit and debit card numbers and expiration dates; no personal data was accessed. The card numbers were stolen from Hannaford’s computer systems during transmission of card authorization.

The breach affected Hannaford stores in New England and New York, Sweetbay stores in Florida and some independently-owned retail locations in the Northeast that carry Hannaford products. Hannaford discovered the intrusion on Feb. 27 and alerted law enforcement officials.

The company advised customers that made purchases at its stores using credit and debit cards over the last three months, and who suspect their accounts may have been compromised, to immediately notify their card issuer or bank.

In his statement, Hodge said Hannaford “doesn’t collect, know or keep any personally identifiable customer information from transactions.” He added, “We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry.”

Meanwhile, the Massachusetts Bankers Association said in a statement Monday that Visa and MasterCard have notified 60 to 70 banks in Massachusetts about a large data breach involving what the card companies would only describe as a major retailer.

The MBA estimates that “hundreds of thousands” of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and urged consumers to monitor their accounts. The association said it has been in discussions with the card companies and pursuing legislative alternatives that would require that the name of the retailer involved in a breach be released.

How to ask a VC for money

I’m listening to a panel discussion right now featuring six former members of the L0pht hacking collective, and Mudge, perhaps the most famous member of the group, just told a great story about the group going to ask Battery Ventures for the money to help fund @stake. Speaking to Chris Wysopal, aka Weld Pond, he said:

“I remember going to pick you up at your house to go see Battery and you said, Do I wear a suit? And both your wife and I said, When you’re asking someone for ten million dollars, you wear a [expletive deleted] suit.”

Just in case you’re in the market for ten million bucks, there’s the dress code.

Researcher: Beware of massive IFrame attack

Security researcher Dancho Danchev has raised the red flag in his blog about a new scam the bad guys are using to corrupt hundreds of thousands of websites with IFrame redirects. Visit one of these corrupt pages and you just might find yourself caught on another site rigged with malicious code.

The infamous hacking group known as the Russian Business Network (RBN) appears to have a hand in this, he says.

“The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install through an ActiveX object.”

Danchev says these are the high-profile sites targeted by the same group within the past 48 hours, along with the number of locally cached, IFrame-injected pages within each site’s search engine:

NCSU Libraries - lib.ncsu.edu - 372,000 pages
FullDownloads.us - fulldownloads.us - 13,000 pages
Central Statistics Office Ireland - cso.ie - 10,300 pages
DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages
School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1040 pages
eHawaii Portal - ehawaii.gov - 992 pages
The World Clock - timeanddate.com - 944 pages
Boise State University - boisestate.edu - 471 pages
The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
Gustavus Adolphus College - gustavus.edu - 312 pages
Internet Archive - archive.org - 261 pages
Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages
BushTorrent - bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages
Medicare.gov - medicare.gov - 12 pages
USAMRIID - usamriid.army.mil - 3 pages

More than 400,000 pages appear to have been compromised.

“To sum up — it’s a mess that I’ll continue trying to structure, and it’s a single group exploiting input validation capability within the sites’ search engines we’re talking about,” Danchev said. “With this segmented targeting of sites with high page ranks, and their persistence, the group is already positioning hundreds of thousands of keywords within the top search results, with the targeted sites acting as the redirectors to the malware locations.”
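The mechanism Danchev describes here, and in the follow-up post above where he ties the frames’ loading to each site’s Web application security practices, is a search page that echoes its query back into the results without validation, so an injected IFrame ends up in the cached result pages that search engines then index. The following is an added example, not code from the original posts or from Danchev: a search-results renderer with that defect beside a hardened version that HTML-escapes every untrusted value, plus a small scanner that flags IFrames in a page pointing anywhere other than the site itself, which is how a site owner can check its own cached pages. The site hostname, the search term and the redirect domain are constructed placeholders.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the hostname of the site whose search page we are protecting.
SITE_HOST = "search.example.edu"


def render_results_vulnerable(query: str, hits: list[str]) -> str:
    """Echo the raw query into the page: any markup in it becomes live HTML."""
    items = "".join(f"<li>{hit}</li>" for hit in hits)
    return f"<h1>Results for {query}</h1><ul>{items}</ul>"


def render_results_hardened(query: str, hits: list[str]) -> str:
    """Same page, but every untrusted value is HTML-escaped on output."""
    items = "".join(f"<li>{html.escape(hit)}</li>" for hit in hits)
    return f"<h1>Results for {html.escape(query)}</h1><ul>{items}</ul>"


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_offsite_iframes(page_html: str, site_host: str = SITE_HOST) -> list[str]:
    """Hosts of IFrames whose src points anywhere other than the site itself."""
    collector = _IframeCollector()
    collector.feed(page_html)
    offsite = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host is None:            # relative URL: same origin, expected
            continue
        if host.lower() != site_host.lower():
            offsite.append(host.lower())
    return offsite


# Constructed search term carrying an off-site frame; the domain is a placeholder.
INJECTED_QUERY = '<iframe src="http://redirect.example/x"></iframe>'
HITS = ["Library hours", "Course reserves"]

if __name__ == "__main__":
    bad_page = render_results_vulnerable(INJECTED_QUERY, HITS)
    good_page = render_results_hardened(INJECTED_QUERY, HITS)
    print("vulnerable page frames:", find_offsite_iframes(bad_page))
    print("hardened page frames:  ", find_offsite_iframes(good_page))
```

The scanner is deliberately origin-based rather than keyword-based: a campaign that rotates through hundreds of bogus .info domains, as the quote above describes, defeats any blocklist, while a page that should only ever frame its own content has no business loading a frame from a host that is not its own.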