Now With Web 2.0!

Archive for April 2006

Apr 26, 2006
By Gregg Keizer, TechWeb News

A dirt-cheap, do-it-yourself hacking kit sold by a Russian Web site is being used by more than 1,000 malicious Web sites, a security company said Monday. Those sites have confiscated hundreds of thousands of computers using the “smartbomb” kit, which sniffs for seven unpatched vulnerabilities in Internet Explorer and Firefox, then attacks the easiest-to-exploit weakness.

For $15 to $20, hackers can buy the “Web Attacker Toolkit,” said San Diego-based Websense in an online alert. The tool, which uses a point-and-click interface, can be planted on malicious sites — or on previously-compromised computers — to ambush unsuspecting users.

“It puts a bunch of code on a site that not only detects what browser the victim is running, but then selects one of seven different vulnerabilities to exploit, depending on how well patched the browser is,” said Dan Hubbard, senior director of security and research at Websense. Both Firefox and Internet Explorer vulnerabilities are among the seven.

Websense has detected the kit being used on about 1,000 sites, which then plant a Trojan horse on vulnerable computers. The Trojan is installed in a silent “drive-by download” that doesn’t require any user intervention; in fact, it installs in the background, so the user has no idea her computer has been hacked. The Trojan can log keystrokes, download additional code, or open backdoors, said Websense.

“What’s interesting is that these sites all have an administration console on them with statistics. We’ve managed to capture a couple of screenshots.” Those screens, posted with Websense’s advisory, detail the browsers running on the compromised computers and keep a running tally of the most successful vulnerabilities.

According to the screenshots, the single site that Websense illustrated had attracted 51,896 computers, the bulk of them — 76 percent, in fact — running Microsoft Internet Explorer. (About 12 percent ran Firefox; the remainder were unspecified.)

This site, however, only used 4 of the 7 vulnerabilities, all of them directed at IE. The most successful of the quartet was one tagged as MS03-11 to match the security bulletin MS03-011, which published a patch for a bug in Microsoft Virtual Machine in April 2003. The malicious site managed to compromise 1,773 PCs using that three-year-old flaw, a 3.42 percent infection rate.

“And this is just one site,” Hubbard said. “Together, these sites have compromised tens if not hundreds of thousands of systems.”

The next-most useful vulnerability was dubbed “0-day” (zero-day), but was actually the “createTextRange” bug that was discovered last month and patched April 11 by Microsoft, said Hubbard. That vulnerability was used to compromise 1,507 PCs (2.9 percent success rate).

“Everyone knows they should patch their browsers,” said Hubbard, “but this is further evidence that that’s not happening as much as it should be.”

The trend toward hackers sharing attack code, even selling simpleton software “kits,” has been well-documented. Just last week, in fact, McAfee’s research labs reported a major increase in the use of rootkits to cloak worms, Trojans, and spyware; the boost is largely due to cut-and-paste-style tools that automatically add rootkit components to other malicious code, Stuart McClure, chief of McAfee’s research lab, said in an interview last week.

“The use of multiple vulnerabilities isn’t commonplace,” added Websense’s Hubbard. “But this [toolkit] shows how hackers are becoming more and more organized.”

Apr 24, 2006
By W. David Gardner, TechWeb News

The good times for highly skilled IT professionals continue to roll, as the Yoh Index of Technology Wages reported Monday that wages continue to rise faster than non-farm hourly wages nationwide. Compared with the same quarter in the previous year, IT wages rose 4.62 percent.

“There’s been an unabated growth in the last three quarters,” said Jim Lanzalotto, Yoh’s vice president of strategy and marketing, in an interview. “And I don’t see anything that can slow it down.”

Yoh noted that the U.S. Bureau of Labor Statistics revealed that there were 211,000 job additions to non-farm payrolls in March and the unemployment rate dropped to 4.7 percent, representing a four and one-half year low. The tight labor supply and the increase in the economy are also working to propel IT wages.

Topping pay in IT job titles is the ERP Functional Consultant, which Yoh found is paying a whopping $81.58 an hour. Jobs in this category include expertise in SAP, SAS, Oracle, and PeopleSoft.

“Companies are being realistic now,” said Lanzalotto. “They know they have to lock up great talent. It’s very difficult to find the right people at the right price.”

While IT pay is surging now, it still isn’t reaching the nosebleed pay levels of the late 1990s when companies were desperate to hire anyone with Web design experience. Lanzalotto observed that IT pay has been increasing gradually over the past few quarters.

Yoh is also finding that employers are increasingly particular in their hiring demands, asking, for instance, to hire analysts with specific expertise in specific industries. “They say, ‘Get me a CRM (customer relations management) expert with a background in Siebel and the pharmaceutical industry,’” he said.

Other IT positions commanding top hourly dollar are: hardware engineer, $69.01; project manager, $61.46; Java developer, $59.06; embedded engineer, $55.72; and database administrator, $55.42.

Lanzalotto indicated the boom in IT salaries will have a ripple effect and influence other segments of the economy positively. “With the demand for technology talent growing,” he said, “the industry will become an even more significant driver of progress in the overall employment market, presenting new opportunities for experienced professionals as well as workers in struggling industries looking to re-enter the labor force along a more promising path.”

Apr 21, 2006
By Antone Gonsalves, TechWeb News

The U.S. Computer Emergency Readiness Team is advising people to upgrade to the latest versions of the Firefox Web browser and the Thunderbird email program to plug numerous critical security holes. Issued this week, the warning from the agency within the Department of Homeland Security said failing to use the latest versions would leave computers open to malware that could enable an attacker to commandeer a PC.

US-CERT said some of the vulnerabilities involved the way Firefox and Thunderbird handle URLs or images. “By taking advantage of one or more vulnerabilities in Mozilla products, an attacker may be able to take control of your computer,” US-CERT said.

Last week, Mozilla Corp., maker of the open source browser and email client, updated Firefox to patch two-dozen vulnerabilities, most of them critical. Firefox 1.5.0.2 debuted just days after rival Microsoft Corp. fixed 10 security problems within Internet Explorer. Mozilla also has released fixes for Thunderbird and for the SeaMonkey browser suite, the replacement for the now-defunct Mozilla suite.

Apr 12, 2006
We’ve always been told that you can find the beauty in and draw inspiration from anything. Well, here’s one interesting place: Japanese Manhole Covers displays tons of simply beautiful manhole covers. Another resource to draw inspiration from is Speak Up’s Word It. According to them, Word It is…
your opportunity to express in as many words, and as many other graphic elements as you need, what best describes each monthly topic. Each month we will choose a specific topic, idea or theme. For example: the first theme was “inspiration.” So you would go home, or do it at work, and find words, images, artwork, whatever that best describes what inspiration means to you. It could be anything: music, cats, chocolate, museum, love, laundry. Anything that reflects what inspiration is to you. You can do whatever you want to it: vectorize it, photoshop it, scan it or build it and then send it to us.