
Hacker busts IE8 on Windows 7 in 2 minutes

Yesterday, two researchers at the Pwn2Own hacking contest walked away with a nice sum of $10,000 each after they managed to bypass important security features in Windows 7.

Both Peter Vreugdenhil of the Netherlands and a German researcher who would give only his first name, Nils, found ways to disable DEP (data execution prevention) and ASLR (address space layout randomization) in Windows 7, two of the most publicized anti-exploit features in Windows 7. Each of them took down the fully patched 64-bit version of Windows 7 and managed to bypass its defences.

Peter Vreugdenhil was first up to the table and used a double exploit combination to first bypass the ASLR feature and then disable DEP; 2 minutes later he had successfully hacked Internet Explorer 8. Half an hour later, Nils gave it a go using Mozilla Firefox 3.6 and managed to bypass the same defensive mechanisms only minutes later.

For their efforts, each was awarded $10,000 and the notebook he exploited. What’s more, they also receive a paid trip to the DefCon hackers conference in Las Vegas this July.

Aaron Portnoy, team leader for security research with 3Com TippingPoint, the contest sponsor, and organizer of Pwn2Own, was very impressed, he said in an interview at the end of the day on Wednesday.

“Every exploit today has been top-notch,” he said. “The one on IE8 was particularly impressive.”

Both hackers managed to use Microsoft’s own code against it to bypass the security features, and Vreugdenhil has published in detail how he managed to do this in a PDF which you can download here.

As I said earlier, the two features they managed to bypass were:

ASLR (address space layout randomization) randomly shuffles the positions of key memory areas. This makes it much more difficult for hackers to predict where their attacking code will actually run.

The second feature, DEP (Data Execution Prevention), was introduced by Microsoft back in 2004 with Windows XP SP2. It is intended to prevent malicious code from executing in sections of memory not intended for code execution and is a defense against, among other things, buffer-overflow attacks.

Both Microsoft and Mozilla had representatives at the event to watch as their software was exploited by the hundreds of hackers and researchers at the event.

Jerry Bryant, a senior manager with the Microsoft Security Research Center, acknowledged the vulnerabilities exploited by Vreugdenhil, but that was about it.

He said:

“Microsoft is aware of a new vulnerability in Internet Explorer introduced at CanSecWest in the Pwn2own contest. We are investigating the issue and we will take appropriate steps to protect customers when the investigation is complete.”

However, he never said when or if Microsoft would release a patch for it. The company’s next scheduled Patch Tuesday is April 13, but Microsoft typically takes much longer to produce fixes, as testing time alone can often run between 30 and 60 days.

So I think we can all learn a valuable lesson from the Pwn2Own hacking contest. When there is a prize and money involved, it seems everyone’s software can be hacked into. This contest was established to discover flaws and vulnerabilities in software and so far it seems to be doing a very good job.

As Charlie Miller, another of Wednesday’s winners, said:

“What you can see at Pwn2Own is that bugs are still in software, and exploit mitigations like DEP and ASLR don’t work. Even as [defensive measures] improve, researchers still end up winning.”


Upgrade Antivirus to Maintain PC Security

We depend on the computer for our day-to-day activities. The computer is like a workplace for everyone, so you need to make sure that your workplace is highly secure.

To secure your data from unauthorized access, you need antivirus software. Antivirus protects the information stored on the computer from being infected by unwanted software. But you must upgrade your antivirus software, because new viruses are being designed every day. You can’t keep relying on old antivirus software to detect viruses that evolve on a daily basis. To protect your computer from newly evolved viruses, you will need to upgrade your antivirus.

Features

You can upgrade antivirus software in two ways. The first way is to uninstall the installed version of the antivirus and install its latest version. The other way is to choose antivirus software with features that suit your computer and the nature of your work. The antivirus products available in the market include Norton, McAfee, AVG and Kaspersky. Here we discuss the procedure to upgrade AVG Internet Security 8.0 to 8.5. Follow the instructions below to upgrade the antivirus.

STEP 1- Go to the official website of AVG. Then choose the latest version of software and click “Renew and Upgrade” to upgrade.

STEP 2- Click on “Renew Your AVG Protection” listed under the section “Renew and Upgrade”.

STEP 3- Write your license number in the text box that appears in the window and click the “Renew or Upgrade my AVG” option.

STEP 4- Select the appropriate subscription such as one or two year subscription program and enter credit card information. Click “Next” to proceed further.

STEP 5- Finally, click “OK” to begin the download process. Once you have downloaded AVG, run the application. Your computer will take a few seconds to install AVG.

Usability

Apart from AVG, there are many other antivirus products that you can upgrade. The procedure above is the same for upgrading commonly used antivirus software. By following the instructions given, you will be able to upgrade your antivirus to meet your PC security requirements.

Recommendation

If you are not comfortable uninstalling the antivirus through the procedure given above, you can turn to technical support vendors, which provide dedicated technical support for upgrading antivirus software. Their technical experts will access your computer remotely via the Internet and will upgrade and install the antivirus as per the configuration of your PC.

Internet password security

Today’s computer and internet technologies are developing so rapidly that, along with pleasant things like comfort and mobility, there inevitably appear more and more tools for internet fraud and hacking. To protect your accounts from break-ins, you need to follow certain internet password security rules.
If somebody is using software or other methods to break your password, it won’t be much trouble for them unless you follow the simple rules below:
• Do not use your personal info or words easily associated with you. Do not ever use such words! Whether it is your dog’s name or your grandmother’s birth date, for a hacker it’s easy plunder.
• Do not use words that are in a dictionary. Nowadays there is software that tries all dictionary words to find out your password.
• Do use special characters and letters of both upper and lower case. It’s much more secure than just letters and numbers.
• Do not make your password short. Use at least 8 symbols for a password.
• Do not use the same password for many accounts. Here is why: once one is broken, all the rest are broken too.
Another problem concerning internet password security is key loggers. A key logger is software or hardware that tracks all the keys struck on the keyboard. You can never be sure that the keyboard you use in a public place doesn’t have a key logger. Some ways to avoid the troublesome consequences of an encounter with a key logger are:

• Not using any keyboard except your own.
• Taking a laptop everywhere you go.

You can solve both problems above, and many others, by using a password manager. It is special software designed to make your password management easier and much more secure.

First of all, your internet password security level is never higher than with random passwords, and such software usually has tools for generating strong random passwords without making you memorize them.
You can install a manager on a flash drive and have it with you anywhere (much more convenient than carrying a laptop, isn’t it?). With such a program you won’t have to type your passwords, because it will enter them automatically. That is a way to defend against key loggers.
Internet password security means following the tips above, along with changing passwords frequently. Whether you decide to manage your passwords yourself or to rely on a password manager, do not forget to change passwords at least every two months.
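The rules listed above, and the random generation a password manager performs, can be expressed as a short check. This is an added example, not code from the original post or from any particular password manager; the function names, the special-character set and the sample inputs in the comments are assumptions chosen for illustration.

```python
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{}"  # assumed set; sites differ in what they accept
ALPHABET = string.ascii_letters + string.digits + SPECIALS

def check_password(pw, personal_words=(), dictionary=(), used_elsewhere=()):
    """Return the rules from the list above that `pw` breaks (empty list = passes)."""
    problems = []
    lowered = pw.lower()
    # Rule 1: nothing easily associated with the owner (pet names, birth dates).
    if any(w and w.lower() in lowered for w in personal_words):
        problems.append("contains personal info")
    # Rule 2: not a word an attacker's dictionary would contain.
    if lowered in {w.lower() for w in dictionary}:
        problems.append("is a dictionary word")
    # Rule 3: both letter cases and at least one special character.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs upper and lower case")
    if all(c.isalnum() for c in pw):
        problems.append("needs a special character")
    # Rule 4: at least 8 symbols.
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # Rule 5: one password per account.
    if pw in used_elsewhere:
        problems.append("reused on another account")
    return problems

def generate_password(length=16):
    """Draw characters from the OS CSPRNG until every character-class rule holds."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw

if __name__ == "__main__":
    # Constructed inputs: a pet name plus a year, then a generated password.
    print(check_password("rex2010", personal_words=["Rex"]))
    print(generate_password())
```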

Surf the Internet securely!