In a report provided to the New York Times, a team from the Munk Centre for International Studies in Toronto said at least 1,295 computers in 103 countries had been breached in less than two years by the spy system, which has been dubbed “GhostNet”.

Embassies, foreign ministries, government offices and the Dalai Lama’s Tibetan exile centres in India, Brussels, London and New York were among those infiltrated, said the researchers, who have detected computer espionage in the past.

The researchers came to the conclusion that computers based almost exclusively in China were responsible for the intrusions, although they stopped short of saying the Chinese Government was involved in the system, which they said was still active.

“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald Deibert, a member of the research group – “This could well be the CIA or the Russians. It’s a murky realm that we’re lifting the lid on.”

A spokesman for the Chinese Consulate in New York dismissed the idea China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, told the Times. “The Chinese Government is opposed to and strictly forbids any cybercrime.”

The researchers began investigating after a request from the office of the Dalai Lama, the exiled Tibetan spiritual leader, to examine its computers for signs of malicious software, or malware.

The network they found possessed remarkable “Big Brother-style” capabilities, allowing it, among other things, to turn on the camera and audio-recording functions of infected computers for potential in-room monitoring, the report said.

The system was focused on the governments of South Asian and Southeast Asian nations and the Dalai Lama, while computers at the Indian Embassy in Washington were infiltrated and a NATO computer was also being monitored.

The first vulnerability was found on Wednesday by researcher Aviv Raff, who discovered that the browser was open to a highly-publicised ‘carpet bombing’ attack first found in Safari. The Safari hole was patched earlier this year, but because Chrome uses Apple’s WebKit software, the flaw has reappeared in the Google browser.

A proof of concept page was published demonstrating how an attacker could embed malicious code on a web page and then use it to conduct a remote malware installation with a separate specially-crafted Java applet.

Then researchers Rishi Narang and JanDeMooij posted separate reports of a vulnerability in the browser’s chromium.dll component that was exposed through the browser’s URL bar. The flaw can be made to cause an application crash, though neither report mentioned the possibility of remote code execution.

Squid is a popular open source web proxy server and web caching software. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other network lookups for groups of people sharing network resources and (which is of most interest to us for the purposes of this post) by aiding security via traffic filtering. It was originally inteneded for Unix/Linux but has been ported to a number of platforms.

Squid has powerful ACL (access control list). The primary use of the ACL system is to implement simple access control. This can be used to deny a user from accessing particular site.

In order to do this we have to edit the Squid configuration file.

e.g. # vi /etc/squid/squid.conf

Search for `Access Controls’ and append the following lines (in this example we are blocking access to ‘nastysite.com’):
acl badsite dstdomain .nastysite.com
http_access deny badsite

Save and close the file, and then restart Squid:
# /etc/init.d/squid restart

 If required, you can specify more than one site to be blocked:
acl badsite dstdomain .nastysite.com  .anothernastysite.com
http_access deny badsite

You can also use regex expressions to block access to more than one website. for example,  if you would like to deny access for any sites where the URL contains the word “twitter”, use the following ACL lines:
acl badsitegroup url_regex -i twitter
http_access deny badsitegroup

More information on Squid commands can be found at: http://wiki.squid-cache.org/FrontPage

A ZDNet blog post contains a bit more ‘measured’ information about it along with responses from one of the guys who reported the exploit.

The update will include seven items rated as ‘critical’, the highest of Microsoft’s security alert levels. All of these will address issues that may allow an attacker to remotely execute code on a targeted system.

Four of the critical fixes relate to Office issues, one addresses critical flaws in Windows 2000, XP and Server 2003, another fixes a critical issue in Windows Media Player while the last addresses a critical vulnerability in Internet Explorer.

Also planned are five fixes rated as ‘important’. The patches include two remote code execution flaws in Windows and one in Office. The other two updates address information disclosure vulnerabilities found in Windows Messenger, Outlook Express and Windows itself.

The company plans to release the update on Tuesday 12th August. The release will also include non-security updates for the Windows Malicious Software Removal Tool and the Windows Update, Microsoft Update and Software Update Services

Also – you should note that while attackers may be able to redirect you to a bogus IP, they will not be able to replicate a digitally trusted security certificate. So if you go to your online banking site and see that you are on an ‘http’ page or if you get the IE7 warning page about untrusted/mismatched certificates then you should be careful. Of course, many sites use Shared certificates so it is quite common to see this warning message but you shouldn’t expect to see it when using online banking or similar.

A “high” severity flaw affecting how BlackBerry Enterprise Server (BES) opens PDF files may be used to compromise a network. RIM disclosed the flaw last week but is yet to issue a patch, stating that no timeframe for a fix was available.

Until then, customers asre advised to disable the BlackBerry Attachment Service, which allows BES to process PDF attachments for users to view on their BlackBerry devices. The flaw relates to how the service processes PDF files, which can be exploited via a maliciously crafted PDF.

Vulnerable systems include BES software version 4.1 Service Pack 3 (4.1.3) through to 4.1 Service Pack 5 (4.1.5). RIM has given the advisory a “high” severity rating.

“If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer,” RIM states on its advisory.

According to Sense of Security’s principal consultant, Jason Edelstein, this means that corporate networks are at risk due to the flaw. Most organisations place the BES within key networks, such as email servers, giving it privileged access to other computers on that network.

“Most organisations put the BES on an internal server on the network, which actually is a conduit between the internal server and RIM’s servers based in Canada,” he said.

“If someone loses their device and it’s not locked in some way, you could browse internally to that company’s Web-based resources,” he said.

“The way the end user can determine if they are vulnerable is to try to open the browser on the BlackBerry and attempt to access your intranet resources — if it comes up on the BlackBerry and you know it’s not published on the internet, that should raise alarm bells.”

Blackberry/RIM Knowledgebase article

The virus, which has been dubbed ‘Gpcode’, infiltrates a user’s computer via unpatched browsers. Once active it encodes most of the data on the computer, including .doc, .txt, .pdf, .xls, .jpg and .png files, with a 1024 bit key and then demands money from the user to obtain the decryption key.

The malware is a revision of a previous virus, thought to be from the same author, which appeared two years ago but only used a 660 bit key.

So far, Kaspersky and other security vendors have been successful in cracking the 660 bit key, but efforts to decode the 1024 bit key have proven unsuccessful.

Kaspersky has estimated that it would take around 15 million modern computers, running for about a year, to crack the 1024 bit encryption key.

In light of this, Kaspersky has launched a global initiative called Stop Gpcode and put out an international call for all cryptography experts, governmental research bodies, and other antivirus vendors to pitch in and crack the code.

Kaspersky has said it is prepared to provide any additional information at its disposal with experts wishing to participate in the Stop Gpcode initiative.

It has also set up a Stop Gpcode forum to help coordinate the activity of all participants involved.

‘Gpcode’ is thought to access PCs via unpatched browsers. Once active it encodes most of the data on the computer, including .doc, .txt, .pdf, .xls, .jpg and .png files, with a 1,024-bit key.

Once all the files have been encrypted a ReadMe file is left on the machine giving an email address to send money in order to get the decryption key.

The malware is a revision of a previous virus, thought to be from the same author, which appeared two years ago but only used a 660-bit key.

“Virus researchers have been able to crack keys up to 660 bits,” said Timur Tsoriev of Kaspersky Labs.

“This was the result of a detailed analysis of the RSA algorithm implementation. If the encryption algorithm is implemented correctly, it could take one PC with a 2.2GHz processor around 30 years to crack a 660-bit key.”

The company has urged users struck by the virus not to reboot or shut down the infected machine.

Instead they should get in contact immediately with the last few websites they visited to determine what, if any, programs were running.

“We urge infected users not to yield to the blackmailer, but to contact us and your local cyber-crime law enforcement units,” said Tsoriev. “Yielding to blackmailers only continues the cycle.”

The National E-security Awareness Week is a Government initiative aimed at boosting awareness of e-security risks.

The alert service, announced today, is a free subscription-based service that provides vulnerability and threat information while advising users how to manage outbreaks.

“I am pleased to announce the new Stay Smart Online Alert Service with up-to-date advice on the latest e-security risks tailored for Australian internet users,” said Communications Minister Stephen Conroy.

“Many people find internet security challenging and are looking for simple guidance on what they can do to stay smart online,” he said.

As part of the week’s announcements, Conroy said the new alert service, available on the Stay Smart Online website, will also include a new Small Business Self-assessment Tool.

“[This] will help small businesses analyse their online security practices and adopt appropriate measures to improve online security,” Conroy said.

According to Conroy, partners of National E-Security Awareness week will host public information sessions and events throughout the week providing information to customers, members and staff and internet security.

Partners include the Australian High Tech Crime Centre, eBay, McAfee, Microsoft Australia, Sophos, Symantec and Telstra.

Former Communications Minister, Senator Helen Coonan introduced National E-Security Awareness Week and its StaySmartOnline government Website in October 2006 to inform Australian online users about e-security basics.