New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports.

Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.

In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.

A well-known researcher specializing in website security has strongly criticized safety on Google, arguing the world’s biggest search engine needlessly puts its millions of users at risk.

“Google is and will be and always has been vulnerable,” Robert Hansen, CEO of secTheory, told a standing-room-only audience at the Defcon security conference in Las Vegas. “They haven’t been open with consumers. Ultimately, this all comes down the the fact that they just want to track you guys.”

At issue is Google’s policy of hosting untested third-party applications that users can automatically embed into personalized Google home pages. During a talk titled “Xploiting Google Gadgets: Gmalware & Beyond,” Hansen and fellow researcher Tom Stracener laid out a variety of attacks that can be unleashed using the programs.

The most devastating is the ability of Google gadgets to immediately redirect victims who log into iGoogle.com to a page under the control of an attacker. This creates a phishing hazard, particularly for less tech-savvy users who don’t know to check the browser bar. Even if they do, the bar shows up at gmodules.com, an address many mistakenly believe is safe because it is maintained by Google.

Hansen, who frequently goes by the moniker Rsnake, said he discussed the vulnerability with Google security engineers, and they told him the redirection was a feature rather than a flaw.

Google gadgets make other attacks possible, including: the ability to:

* carry out port scanning on a victim’s internal network to conduct surveillance

* use cross-site request forgery techniques to force victim PCs to follow links to malicious sites (for instance, those that host child pornography) and

* cause a victim’s browser to access a home router and change domain name system server addresses or other sensitive settings.

Hansen and Stracener acknowledged that in-the-wild attacks that use Google gadgets are rare, but they said that’s likely to change.

“Once money actually starts flowing through, once the financial incentive for malware exists, then you’re going to start seeing more of this type of thing pop up,” Stracener said.

Security researcher Dan Kaminsky has offered more details about a fundamental flaw in the Domain Name System and the extent of the vulnerability.

In a presentation at the Black Hat security conference in Las Vegas on Wednesday, Kaminsky gave details of how a successful DNS cache poisoning attack could be launched by taking advantage of the flaw.

Kaminsky explained that transaction IDs, which are supposed to prevent “bad guys” from assigning their own IP address numbers to any domain, are ineffective as security measures. An attacker could flood a DNS server with multiple, slightly varied requests for a domain, such as “1.foo.com” or “2.foo.com.” As transaction IDs can only be a number between 0 and 65535, and the attacker can launch multiple requests, eventually the attacker could spoof a domain by matching the ID through chance.

Once this domain is spoofed, the attacker can flood a name server with spoofed replies to poison its cache for the domain being attacked–for example, “foo.com.” Requests for foo.com would direct a user to a site of the attacker’s choosing.

This vulnerability can be exploited by using multiple vectors of attack, according to Kaminsky. Web browsers can be forced to look up what the attacker wants, as links, images, and ads can cause a DNS look-up. Mail servers will look up what an attacker wants when performing functions such as a spam check, or when trying to deliver a bounce, newsletter, or bona fide e-mail response.

Kaminsky warned that it is also possible to pollute top-level domains such as .com, .net and .org.

Update: Here is the MIT banned presentation.

A federal judge on Saturday granted the Massachusetts transit authority’s request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

The Electronic Frontier Foundation, which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl.

The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe “several attacks to completely break the CharlieCard,” an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide “program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.” Woodlock granted the MBTA’s request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

EFF staff attorney Kurt Opsahl said that the temporary restraining order is “violating their First Amendment rights”; another EFF attorney said a court order pre-emptively gagging security researchers was “unprecedented.”

Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections.

How about stealing someone’s computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.

Hackers at the DefCon conference here were demonstrating these and other novel techniques for infiltrating facilities Friday.

This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.

Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista’s Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user’s machine using a variety of objects, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren’t based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista’s fundamental architecture. According to Dino Dai Zovi, a popular security researcher, “the genius of this is that it’s completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.”

Oracle broke its regular patch release cycle on Wednesday to issue a patch for a vulnerability in WebLogic that has become the target of hacker attacks over recent days.

Multiple versions of Oracle (formerly BEA) WebLogic application server software are affected by a buffer overflow flaw involving the Apache plug-in component of the enterprise package. Oracle issued workarounds last week soon after the flaw became the target of active exploits. The flaw creates a means to crash or, in the worst case, inject hostile code into vulnerable systems.

Eleven people, including a U.S. Secret Service informant, have been charged in connection with the hacking of nine major retailers and the theft and sale of more than 41 million credit and debit card numbers, the Justice Department announced Tuesday.

The data breach is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice, which said the suspects were charged with conspiracy, computer intrusion, fraud and identity theft.

Three of those charged are U.S. citizens while the others are from places such as Estonia, Ukraine, Belarus and China.

The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

“They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves,” Attorney General Michael Mukasey said at a news conference. “And in total, they caused widespread losses by banks, retailers, and consumers.”

Mukasey called the total dollar amount of the alleged theft “impossible to quantify at this point.” U.S. Attorney Michael J. Sullivan said that while most of the victims were in the United States, officials still haven’t identified all the people who had a card number stolen.

“I suspect that a lot of people are unaware that their identifying information has been compromised,” he said.

At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they’ve developed that could steal online credentials from users of popular Web sites such as Facebook, eBay, and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

“We’ve been able to come up with a Java applet that for all intents and purposes is an image,” said John Heasman, vice president of research at NGS Software.

They call this type of file a GIFAR, a contraction of GIF and JAR, the two file types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.

To the Web server, the file looks exactly like a .gif file, however a browser’s Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim’s browser. For its part, the browser treats this malicious applet as though it were written by the Web site’s developers.

China’s blocking of Web sites has embarrassed the International Olympic Committee, but a computer security expert said on Thursday that visitors to Beijing also needed to protect their data from prying eyes.

“People who are going to China should take a clean computer, one with no data at all,” said Phil Dunkelberger, chief executive of security software firm PGP Corp.

Travelers carrying smart cell phones, blackberries or laptop computers could unwittingly be offering up sensitive personal or business information to officials who monitor state-controlled telecommunications carriers, Dunkelberger said.

He said that without data encryption, executives could have business plans or designs pilfered, while journalists’ lists of contacts could be exposed, putting sources at risk.

Dunkelberger said that during unrest in Tibet in March, overseas Tibetan activists found their computer systems under heavy pressure from Chinese security agencies trying to trace digital communications.

“What the Chinese tried to do was infiltrate their security to see who in China the Tibet movement was talking to,” he said.

HD Moore has been owned. That’s hacker talk, meaning that Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack.

It happened on Tuesday morning, when Moore’s company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas, area. One of BreakingPoint’s servers was forwarding DNS traffic to the AT&T server, so when it was compromised, so was HD Moore’s company. (Listen to a podcast about a recent DNS attack.)

When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.

No BreakingPoint computer was actually compromised by the incident, but it was still pretty annoying.

A British computer expert lost his appeal on Wednesday against extradition to the United States where he is accused of “the biggest military hack of all time” and could face up to 70 years in prison.

Gary McKinnon was arrested in 2002 after U.S. prosecutors charged him with illegally accessing computers, including the Pentagon, U.S. army, navy and NASA systems, and causing $700,000 worth of damage.

McKinnon told Reuters in 2006 he was just a computer nerd who wanted to find out whether aliens really existed and became obsessed with trawling large military networks for proof.

However, Britain’s highest court, the House of Lords, ruled the gravity of the charges should not be understated and they would carry a maximum life sentence under English law. It turned down his appeal against extradition.