Advisory ID: cisco-sa-20091109-tls
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml
Revision 1.0
For Public Release 2009 November 9 1600 UTC (GMT)
An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.
----------
Worm 'Rick Rolls' iPhones
First IPhone Worm Spreads Rick Astley Wallpaper
The first worm written for Apple's iPhone has been unleashed and is infecting phones in Australia.
----------
Gumblar Malware's Home Domain Active Again
ScanSafe researchers are seeing renewed activity regarding Gumblar, a multifunctional piece of malware that spreads by attacking PCs visiting hacked Web pages.
----------
Yahoo Now on China's Porn Offense List
A Chinese government watchdog has ordered Yahoo China to clean pornographic content from a photo-sharing site it hosted, a reminder of the regulatory challenges often faced by foreign Internet companies in China.
----------
CDC Tracking H1N1 in Near Real Time
The Centers for Disease Control have settled on a private, nationwide database with the electronic medical records of 14 million people run by General Electric in order to track potential outbreaks of the H1N1 virus.
----------
Study: Security Certs are IT's Hottest
The survey of more than 1,500 IT workers found that 37 percent intend to pursue a security certification over the next five years. Another 18 percent of IT workers said they will seek ethical hacking certifications during the same time period, while 13 percent identified forensics as their next certification target. The results are included in the CompTIA study 'IT Training and Certification: Insights and Opportunities.'
----------
Bardin: What DLP Companies Don't Tell You
What you are not told during the sales pitch is the Pandora’s Box you not only are about to open but completely unhinge. What you really need to understand is how deep does the business want you to go?
----------
Data breach notifications one step closer to law... again
about 2 hours ago - by Jacqui Cheng Posted in: Law & Disorder
It's frustrating to be a consumer these days, especially knowing that your personal information could be exposed anytime there's a major data breach. Two new Senate bills aim to improve notification to customers when their information is exposed to thieves and, despite their shortfalls, experts are still holding out hope.
----------
The ACTA Internet provisions: DMCA goes worldwide
about 16 hours ago - by Nate Anderson Posted in: Law & Disorder
New details about the Internet section of the Anti-Counterfeiting Trade Agreement (ACTA) have leaked, and critics are already claiming that they mandate "three strikes" policies and will put an end to Flickr and YouTube. The reality is less sensational but just as important: ACTA is really about taking the DMCA global.
----------
Worker Lost Her Job Over Error by FBI's NCIC Database
In July 2009, a woman lost a $58,000 a year accounting job with Corporate Mailing Services of Arbutus after a background check reported a non-existent criminal record. Her employer won a contact with the Social Security Administration (SSA), which required that the company submit all employees to a criminal background check. The FBI's National Crime Information Center database reported in error that the employee had a criminal record. The Social Security Administration reported back to her employer within 2 weeks acknowledging the mistake and stated that the account could in fact work on the project. The company has not reinstated the dismissed worker. There are long running issues regarding the accuracy of NCIC database. In 2003 the DOJ exempted the FBI, which manages the NCIC, from Federal Privacy Act obligations for data accuracy. The administration is moving forward with a plan to require all federal government contractors submit E-verify checks conducted by the Department of Homeland Security to determine whether they can be employed. There are questions about accuracy of this system and the potential for inaccurate reporting. Accuracy requirements for information held in databases is critical to the protection of privacy rights.
Fired due to error in background check, Carroll woman still jobless, Scott Calvert, Baltimore Sun, October 28, 2009
----------
Microsoft to release six updates next Patch Tuesday
Microsoft has announced that it will release four updates for Windows and two updates for Office on the next Patch Tuesday, the 10th of November more…
----------
Microsoft to deliver six patches covering 15 flaws
Dan Kaplan November 05, 2009
November's security update from Microsoft comes with six patches for 15 vulnerabilities -- nearly 20 fewer than last month.
----------
Former Employees Face Five-Year Sentence After Allegedly Hacking Company Database
Nov 05,2009
System access was still possible for almost two years using old passwords, indictment says
----------
New Security Certification On The Horizon For Cloud Services
Nov 04,2009
Cloud security cert would go beyond existing SAS 70, ISO 27001 standards
There's no official security certification for cloud security service providers today: some use the SAS 70 or the ISO 27001 standards as their security certifications, neither of which is sufficient for providing potential cloud customers with assurances that the provider has deployed the proper security or that their data is sufficiently locked down, experts say.
"There needs to be a certification that is specifically for cloud providers," says Jim Reavis, co-founder and executive director of the Cloud Security Alliance. The Cloud Security Alliance is working with other key players in cloud security and auditing to determine which organizations should provide the certification, as well as what such a certification should include.
"This is going to be a shared thing," he says, noting that the certification is likely to be managed by multiple bodies. He says to expect a statement of direction for a cloud security certification around the first quarter of 2010.
----------
Malware breaks Win 7 UAC defenses
Dancho Danchev: A recently conducted test by malware researchers reveals that eight out of ten malware samples used in the test, successfully bypassed Windows 7's default UAC (user access control) settings.
----------
Lawsuit claims iPhone games stole phone numbers
Browse the App Store for developer Storm8's many popular iPhone games, and you'll encounter the...
----------
AP IMPACT: Framed for child porn — by a PC virus AP – Mon Nov 9, 12:10 am ET
AP
Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.
----------
Monday, November 9, 2009
Tuesday, November 3, 2009
Monday 11/02/09
Trade talks hone in on Internet abuse, ISP liability
ISPs around the world may be forced to snoop on their subscribers and cut them off if they are found to have shared copyright-protected music on the Internet, under an international agreement being promoted by the U.S.
----------
Catbird tunes security software for virtual environments
Catbird has announced a new version of its security software for virtual environments that is tweaked to perform vulnerability monitoring of resources running in Amazon's EC2 cloud.
----------
Software shields online banking on infected PCs
Cybercriminals are developing increasingly sophisticated software that, in what is known as man-in-the-middle or man-in-the-browser attacks, can intercept online banking transactions while in progress and transfer funds with the user believing nothing is awry.
SafeOnline installs its own kernel-level driver on Windows PCs. During a secure browsing session, all information from the keyboard is routed through that driver, which defeats attempts to record keystrokes or other interference, said Mel Morris, Prevx's CEO and CTO.
----------
Password rules: Change them every 25 years
There are four basic ways for a bad guy to get your password:
(a) Ask for it. So-called "Phishing" and "Social Engineering" attacks still work, and always will
(b) Try dictionary words at the login prompt in the hope to get lucky ("Brute Force")
(c) Obtain the encryped/hashed password somehow, and crack it
(d) Leech the password off your computer with keylogger malware
None of these four scenarios becomes less likely if you change your password every 90 days. If the bad guy can't break the password hash (c) within a couple days, he'll likely just look for an easier target. Attack (b) is also out for quick wins - either it works within the first couple dozen passwords tried, or the bad guy moves on to easier prey. If (b) or (c) are successful, or the attacker already has the password through (a) or (d), 45 days on average is more than enough to empty out your bank account or use your email address for a big spam run.
The concept of password expiry remained the same for the last 25 years or so. Infosec professionals, auditors, PCI, ISO27002, COBIT, etc all keep requiring it, unchanged, even though the threats have changed quite a bit. Forcing a user who had a weak password to change it will just make him pick another weak one. Forcing a user who had a very strong password to change it will eventually annoy the user into using simpler passwords.
So what gives? There is one practical benefit. If someone has your password, and all they want is to read your email and remain undetected, they can do so forever, unless you eventually change your sign-in secret. Thus, regularly changing the password doesn't help much against someone breaking in and making it off with your goods, but it DOES give you a chance to shake off any stalkers or snoopers you might have accessing your account. Yes, this is good. But whether this benefit alone is worth the hassle and mentioned disadvantages of forcing users to change their password every 90 days, I have my doubts.
Infosec risk management is about identifying threats and vulnerabilities, and then picking a countermeasure. But if the chosen countermeasure doesn't in fact make the identified threats less likely, all we do is play security theater, and the countermeasure is one that we don't need.
Unless, of course, "best practice standards" and audits force us to have it.
----------
Nation's School Districts are Failing to Protect Children's Privacy
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children. The study reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Some states outsource the data processing without any restrictions on use or confidentiality for children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. For more information on children’s privacy issues see Children’s Online Privacy Protection Act.
----------
Cable modem hacker busted by feds
According to the U.S. Department of Justice (DOJ), Ryan Harris, 26, ran a San Diego company called TCNISO that sold customizable cable modems and software that could be used to get free Internet service or a speed boost for paying subscribers.
Harris, also known as DerEngel, was charged on Aug. 16, but the grand jury indictment was not unsealed until Monday, several days after his Oct. 23 arrest. He faces a maximum sentence of 20 years in prison and a $250,000 fine, the DOJ said. The six-count indictment charges him with conspiracy, computer intrusion and wire fraud. He was charged in U.S. District Court for the District of Massachusetts.
...
----------
Microsoft links malware rates to pirated Windows
"There is a direct correlation between piracy and the malware infection rate," said Jeff Williams, the principal group program manager for the Microsoft Malware Protection Center. Williams was touting the newest edition of his company's biannual security intelligence report.
----------
Swedish Government Promises Citizens 100MB Broadband
by TechCrunch Europe on November 3, 2009
[Sweden] The Swedish government is following in the footsteps of the Finns (well almost), as their IT-ministry is now promising that 90 percent of all Swedish homes will have access to a 100 mbit/s broadband connection before 2020.
----------
US cyber center opens to battle computer attacks AP – Fri Oct 30, 7:38 pm ET
WASHINGTON - The United States is well behind the curve in the fight against computer criminals, Sen. Joe Lieberman said Friday, as Homeland Security officials opened a $9 million operations center to better coordinate the government's response to cyberattacks.
----------
Researchers Create Hypervisor-Based Tool For Blocking Rootkits Nov 03,2009 New technology 'patches' the operating system kernel, protects it from rootkits
----------
Delayed Again: Red Flags Rule Deadline Now June 1, 2010
Bowing to Congressional pressure, the FTC is delaying enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors. Here, IT security pros weigh in on what the rule means for them.
The FTC made the announcement Friday, the same day the U.S. District Court for the District of Columbia ruled that the commission can't apply the rule to attorneys.
The Red Flags Rule was instituted under the Fair and Accurate Credit Transactions Act, where Congress ordered the FTC and other agencies to make regulations forcing creditors and financial institutions to address security holes that could lead to identity theft. The rule requires all such entities that have covered accounts to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- known as red flags -- that could indicate identity theft.
----------
Congress locks radio stations, record labels into boardroom
by Nate Anderson Posted in: Law & Disorder
Radio doesn't want to pay more to play music; music labels don't want radio to keep free-riding. How to settle this blood feud? Congress has ordered both sides into a Capitol Hill conference room for two weeks, and it will vote on whatever emerges.
----------
...
But the Wisconsin men won. They won big. They won $1.26 billion dollars.
How did they win? By default judgment. PepsiCo’s lawyers never responded to the complaint, and the judge awarded the Wisconsin plaintiffs a default judgment.
Why did the Pepsi people never respond? Meet PepsiCo legal secretary, Kathy Henry.
Continue reading "Legal Secretary of the Day: Pepsi’s $1.26 Billion Mistake"
----------
Jailbroken iPhones held for $5 ransom
Dancho Danchev: A message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and remove the message from appearing at startup.
----------
COMPUTER AGE LITIGATION. There may be hope for old forms of communication after all. An extremely odd dispute in Arizona may bring hope to the makers of pen and paper. The tale is told in an Arizona Supreme Court opinion called Lake v. City of Phoenix in which the city insisted that even though it had to turn over a public record, it didn't have to turn over the public record's "metadata." Really. The city's lawyers were arguing that the code showing the history of a document wasn't actually part of the public record even though the document was. And this dispute went all the way to the state supreme court. Apparently no one was too concerned that this really looked like someone was trying to cover something up. The court thought this was silly, ruled against the city, and then offered an out for future coverups that old media lovers should appreciate: "That a public record currently exists in an electronic format, and is subject to disclosure in that format, does not itself determine whether there is a statutory obligation to preserve it electronically." A lot of agencies and companies will be going back to pencils and erasers.
----------
Mossad Hacked Syrian Official’s Computer Before Bombing Mysterious Facility
The intelligence agents planted a Trojan horse on the official’s computer in late 2006 while he was staying at a hotel in the Kensington district of London, the German newspaper reported Monday in an extensive account of the bombing attack.
The official reportedly left his computer in his hotel room when he went out, making it easy for agents to install the malware that siphoned files from the laptop. The files contained construction plans for the Al Kabir complex in eastern Syria — said to be an illicit nuclear facility — as well as letters and hundreds of detailed photos showing the complex at various stages of construction.
----------
First Test for Election Cryptography
By Erica NaoneMonday, November 02, 2009
Novel voting technology will be used in a local government election.
----------
ISPs around the world may be forced to snoop on their subscribers and cut them off if they are found to have shared copyright-protected music on the Internet, under an international agreement being promoted by the U.S.
----------
Catbird tunes security software for virtual environments
Catbird has announced a new version of its security software for virtual environments that is tweaked to perform vulnerability monitoring of resources running in Amazon's EC2 cloud.
----------
Software shields online banking on infected PCs
Cybercriminals are developing increasingly sophisticated software that, in what is known as man-in-the-middle or man-in-the-browser attacks, can intercept online banking transactions while in progress and transfer funds with the user believing nothing is awry.
SafeOnline installs its own kernel-level driver on Windows PCs. During a secure browsing session, all information from the keyboard is routed through that driver, which defeats attempts to record keystrokes or other interference, said Mel Morris, Prevx's CEO and CTO.
----------
Password rules: Change them every 25 years
There are four basic ways for a bad guy to get your password:
(a) Ask for it. So-called "Phishing" and "Social Engineering" attacks still work, and always will
(b) Try dictionary words at the login prompt in the hope to get lucky ("Brute Force")
(c) Obtain the encryped/hashed password somehow, and crack it
(d) Leech the password off your computer with keylogger malware
None of these four scenarios becomes less likely if you change your password every 90 days. If the bad guy can't break the password hash (c) within a couple days, he'll likely just look for an easier target. Attack (b) is also out for quick wins - either it works within the first couple dozen passwords tried, or the bad guy moves on to easier prey. If (b) or (c) are successful, or the attacker already has the password through (a) or (d), 45 days on average is more than enough to empty out your bank account or use your email address for a big spam run.
The concept of password expiry remained the same for the last 25 years or so. Infosec professionals, auditors, PCI, ISO27002, COBIT, etc all keep requiring it, unchanged, even though the threats have changed quite a bit. Forcing a user who had a weak password to change it will just make him pick another weak one. Forcing a user who had a very strong password to change it will eventually annoy the user into using simpler passwords.
So what gives? There is one practical benefit. If someone has your password, and all they want is to read your email and remain undetected, they can do so forever, unless you eventually change your sign-in secret. Thus, regularly changing the password doesn't help much against someone breaking in and making it off with your goods, but it DOES give you a chance to shake off any stalkers or snoopers you might have accessing your account. Yes, this is good. But whether this benefit alone is worth the hassle and mentioned disadvantages of forcing users to change their password every 90 days, I have my doubts.
Infosec risk management is about identifying threats and vulnerabilities, and then picking a countermeasure. But if the chosen countermeasure doesn't in fact make the identified threats less likely, all we do is play security theater, and the countermeasure is one that we don't need.
Unless, of course, "best practice standards" and audits force us to have it.
----------
Nation's School Districts are Failing to Protect Children's Privacy
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children. The study reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Some states outsource the data processing without any restrictions on use or confidentiality for children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. For more information on children’s privacy issues see Children’s Online Privacy Protection Act.
----------
Cable modem hacker busted by feds
According to the U.S. Department of Justice (DOJ), Ryan Harris, 26, ran a San Diego company called TCNISO that sold customizable cable modems and software that could be used to get free Internet service or a speed boost for paying subscribers.
Harris, also known as DerEngel, was charged on Aug. 16, but the grand jury indictment was not unsealed until Monday, several days after his Oct. 23 arrest. He faces a maximum sentence of 20 years in prison and a $250,000 fine, the DOJ said. The six-count indictment charges him with conspiracy, computer intrusion and wire fraud. He was charged in U.S. District Court for the District of Massachusetts.
...
----------
Microsoft links malware rates to pirated Windows
"There is a direct correlation between piracy and the malware infection rate," said Jeff Williams, the principal group program manager for the Microsoft Malware Protection Center. Williams was touting the newest edition of his company's biannual security intelligence report.
----------
Swedish Government Promises Citizens 100MB Broadband
by TechCrunch Europe on November 3, 2009
[Sweden] The Swedish government is following in the footsteps of the Finns (well almost), as their IT-ministry is now promising that 90 percent of all Swedish homes will have access to a 100 mbit/s broadband connection before 2020.
----------
US cyber center opens to battle computer attacks AP – Fri Oct 30, 7:38 pm ET
WASHINGTON - The United States is well behind the curve in the fight against computer criminals, Sen. Joe Lieberman said Friday, as Homeland Security officials opened a $9 million operations center to better coordinate the government's response to cyberattacks.
----------
Researchers Create Hypervisor-Based Tool For Blocking Rootkits Nov 03,2009 New technology 'patches' the operating system kernel, protects it from rootkits
----------
Delayed Again: Red Flags Rule Deadline Now June 1, 2010
Bowing to Congressional pressure, the FTC is delaying enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors. Here, IT security pros weigh in on what the rule means for them.
The FTC made the announcement Friday, the same day the U.S. District Court for the District of Columbia ruled that the commission can't apply the rule to attorneys.
The Red Flags Rule was instituted under the Fair and Accurate Credit Transactions Act, where Congress ordered the FTC and other agencies to make regulations forcing creditors and financial institutions to address security holes that could lead to identity theft. The rule requires all such entities that have covered accounts to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- known as red flags -- that could indicate identity theft.
----------
Congress locks radio stations, record labels into boardroom
by Nate Anderson Posted in: Law & Disorder
Radio doesn't want to pay more to play music; music labels don't want radio to keep free-riding. How to settle this blood feud? Congress has ordered both sides into a Capitol Hill conference room for two weeks, and it will vote on whatever emerges.
----------
...
But the Wisconsin men won. They won big. They won $1.26 billion dollars.
How did they win? By default judgment. PepsiCo’s lawyers never responded to the complaint, and the judge awarded the Wisconsin plaintiffs a default judgment.
Why did the Pepsi people never respond? Meet PepsiCo legal secretary, Kathy Henry.
Continue reading "Legal Secretary of the Day: Pepsi’s $1.26 Billion Mistake"
----------
Jailbroken iPhones held for $5 ransom
Dancho Danchev: A message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and remove the message from appearing at startup.
----------
COMPUTER AGE LITIGATION. There may be hope for old forms of communication after all. An extremely odd dispute in Arizona may bring hope to the makers of pen and paper. The tale is told in an Arizona Supreme Court opinion called Lake v. City of Phoenix in which the city insisted that even though it had to turn over a public record, it didn't have to turn over the public record's "metadata." Really. The city's lawyers were arguing that the code showing the history of a document wasn't actually part of the public record even though the document was. And this dispute went all the way to the state supreme court. Apparently no one was too concerned that this really looked like someone was trying to cover something up. The court thought this was silly, ruled against the city, and then offered an out for future coverups that old media lovers should appreciate: "That a public record currently exists in an electronic format, and is subject to disclosure in that format, does not itself determine whether there is a statutory obligation to preserve it electronically." A lot of agencies and companies will be going back to pencils and erasers.
----------
Mossad Hacked Syrian Official’s Computer Before Bombing Mysterious Facility
The intelligence agents planted a Trojan horse on the official’s computer in late 2006 while he was staying at a hotel in the Kensington district of London, the German newspaper reported Monday in an extensive account of the bombing attack.
The official reportedly left his computer in his hotel room when he went out, making it easy for agents to install the malware that siphoned files from the laptop. The files contained construction plans for the Al Kabir complex in eastern Syria — said to be an illicit nuclear facility — as well as letters and hundreds of detailed photos showing the complex at various stages of construction.
----------
First Test for Election Cryptography
By Erica NaoneMonday, November 02, 2009
Novel voting technology will be used in a local government election.
----------
Monday, October 26, 2009
Monday 10/26/09
Swine flu national emergency should spur businesses to action President Obama's declaration of a national swine flu emergency should send up a red flag to businesses that are still unprepared for a pandemic. Read more...
President Barack Obama declared the H1N1 flu outbreak a national emergency this past weekend, giving health-care systems the ability to bypass some federal regulatory requirements in order to quickly implement disaster plans should they become overwhelmed.
Similar to declaring a hurricane emergency as a storm approaches landfall, the national emergency declaration gives authority to health-care facilities to submit waivers to establish alternate care sites, and modified patient triage protocols, patient transfer procedures and other actions that occur when they fully implement disaster operations plans.
----------
Bugs and Fixes: Stymie Malicious Media, Attacks
Essential OS fixes are big this month. And fans of free software need to update their Firefox and OpenOffice copies.
----------
U.S. gov't cybersecurity spending to grow significantly, study says
U.S. government spending on cybersecurity will grow at a compound rate of 8.1 percent a year between 2009 and 2014, outpacing general IT spending, according to the government analyst firm Input.
Spending on vendor-supplied information security products and services will increase from $7.9 billion in 2009 to $11.7 billion in 2014, Input predicted. General IT spending by the U.S. government will increase by 3.5% a year during the same time frame, said Kevin Plexico, Input's senior vice president of research and analysis.
----------
Virginia man to serve prison term for selling counterfeit software
Gregory William Fair, of Falls Church, was sentenced Thursday in U.S. District Court for the District of Columbia. In addition to the prison term, Judge R.W. Roberts ordered Fair to pay $743,098 in restitution.
Fair also forfeited $144,000 seized from a safety deposit box and residence, a BMW 525i, a Hummer H2, a Mercedes CL600 and a 1969 Pontiac GTO. All the cars were purchased using funds from his counterfeit software operation, the DOJ said.
----------
China ready for cyberwar, espionage, report says
Looking to gain the upper hand in any future cyber conflicts, China is probably spying on U.S. companies and government, according to a report commissioned by a Congressional advisory panel monitoring the security implications of trade with China.
The report outlines the state of China's hacking and cyber warfare capabilities, concluding that "China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long term, sophisticated computer network exploitation campaign."
Published Thursday, the report was written by Northrop Grumman analysts commissioned by the U.S.-China Economic and Security Review Commission.
----------
Botnets contributing more than ever to click fraud
For the third quarter of the year, 42.6% of fraudulent clicks came from botnet-infected computers, according to Click Forensics, a company that produces tools to detect and filter out fraudulent clicks. The figure is the highest in four years, when Click Forensics began producing reports. For the same quarter a year ago, botnets accounted for 27.5% of bad clicks.
----------
DHS to get big boost in cybersecurity spending in 2010
The U.S. Senate yesterday passed legislation approving a budget of nearly $43 billion for the DHS for fiscal 2010. Of that, about $397 million is supposed to go toward improving cybersecurity within the agency. That's $84 million, or about 27%, more than the $313 million that was allocated for information security in fiscal 2009.
----------
Swiss foreign ministry hit by computer attack
AFP – 2 hrs 35 mins ago
GENEVA (AFP) - Unidentified hackers have penetrated the Swiss foreign ministry's computer system to seize data, forcing parts of it to be shut down for several days, the ministry revealed Monday.
----------
Nigeria's anti graft police shuts 800 scam websites
AFP – Thu Oct 22, 1:02 pm ET
LAGOS (AFP) - Nigeria's anti-corruption police said Friday they had shut down some 800 scam websites and busted 18 syndicates of email fraudsters in a drive to curb cyber-crime the country is notorious for.
----------
How Victims Encourage Cybercrime
Security firm Kaspersky notes that anonymity of users can mask cyber threats and make them tougher to prevent.
----------
Cybersecurity Quiz: Know Your Threats
Separate cybersecurity fact from fiction in this survey of the threats posed by cyberattacks.
----------
ERIC TOTALLY DISAGREES:
From Security Perspective, Windows 7 Off To A Rocky Start
Oct 22,2009
Experts express consternation over early vulnerabilities, UAC configuration issues
----------
Major Secure Email Products And Services Miss Spear-Phishing Attack
Oct 22,2009
Experiment successfully slips fake LinkedIn invite from 'Bill Gates' into inboxes
----------
Metasploit Project Sold To Rapid7
Oct 21,2009
Open-source Metasploit penetration testing tool creator HD Moore joins Rapid7, commercial Metasploit products to come
----------
The Internet is set to undergo one of the biggest changes in its four-decade history with the expected approval this week of international domain names — or addresses — that can be written in languages other than English, an official said Monday.
----------
Microsoft to open up Outlook .PST data format
----------
Google Oops! User Voice Mails Disclosed in Search Engine
Reported flaw in Google's voice mail service said to expose users' messages to search engine users. The messages are reported to include the audio file and transcript of the call, but also included the callers name and phone number.
Random users Google Voice mail is searchable by anyone?, Michael Bettiol, Boygeniusreport.com, October 19, 2009
----------
Answers to Windows 7 upgrade questions
Ed Bott: My compatriots in the Windows blogosphere aren't always discriminating in giving out advice. I read a staggering number of rumors, many of them promulgated by people who should have known better.
----------
OFF TOPIC:
Groups Challenge SoCal Desalination Project
By SONYA ANGELICA DIEHN
VISTA, Calif. (CN) - Environmentalists are challenging the City of Carlsbad over a $300 million desalination plant planned for drought-stricken Southern California. Two groups say Carlsbad and Poseidon Resources' enormous project has undergone too many changes for a 2006 environmental impact report to still apply.
----------
BAD NEWS:
LifeLock settles with Experian to not set fraud alerts
Dan Kaplan October 23, 2009
A lawsuit settlement affirms that third parties are not permitted to set fraud alerts with the major credit bureaus.
----------
Blogger: Time Warner Routers Still Hackable Despite Company Assurance
A blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers says the routers are still vulnerable to remote attack, despite claims by the company last week that it patched the routers.
Last Tuesday, David Chen, an internet startup-founder, published information about the vulnerability in Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The problem would allow a hacker to remotely access the device’s administrative menu over the internet and potentially change the settings to intercept traffic, making possible all sorts of nefarious activity.
----------
President Barack Obama declared the H1N1 flu outbreak a national emergency this past weekend, giving health-care systems the ability to bypass some federal regulatory requirements in order to quickly implement disaster plans should they become overwhelmed.
Similar to declaring a hurricane emergency as a storm approaches landfall, the national emergency declaration gives authority to health-care facilities to submit waivers to establish alternate care sites, and modified patient triage protocols, patient transfer procedures and other actions that occur when they fully implement disaster operations plans.
----------
Bugs and Fixes: Stymie Malicious Media, Attacks
Essential OS fixes are big this month. And fans of free software need to update their Firefox and OpenOffice copies.
----------
U.S. gov't cybersecurity spending to grow significantly, study says
U.S. government spending on cybersecurity will grow at a compound rate of 8.1 percent a year between 2009 and 2014, outpacing general IT spending, according to the government analyst firm Input.
Spending on vendor-supplied information security products and services will increase from $7.9 billion in 2009 to $11.7 billion in 2014, Input predicted. General IT spending by the U.S. government will increase by 3.5% a year during the same time frame, said Kevin Plexico, Input's senior vice president of research and analysis.
----------
Virginia man to serve prison term for selling counterfeit software
Gregory William Fair, of Falls Church, was sentenced Thursday in U.S. District Court for the District of Columbia. In addition to the prison term, Judge R.W. Roberts ordered Fair to pay $743,098 in restitution.
Fair also forfeited $144,000 seized from a safety deposit box and residence, a BMW 525i, a Hummer H2, a Mercedes CL600 and a 1969 Pontiac GTO. All the cars were purchased using funds from his counterfeit software operation, the DOJ said.
----------
China ready for cyberwar, espionage, report says
Looking to gain the upper hand in any future cyber conflicts, China is probably spying on U.S. companies and government, according to a report commissioned by a Congressional advisory panel monitoring the security implications of trade with China.
The report outlines the state of China's hacking and cyber warfare capabilities, concluding that "China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long term, sophisticated computer network exploitation campaign."
Published Thursday, the report was written by Northrop Grumman analysts commissioned by the U.S.-China Economic and Security Review Commission.
----------
Botnets contributing more than ever to click fraud
For the third quarter of the year, 42.6% of fraudulent clicks came from botnet-infected computers, according to Click Forensics, a company that produces tools to detect and filter out fraudulent clicks. The figure is the highest in four years, when Click Forensics began producing reports. For the same quarter a year ago, botnets accounted for 27.5% of bad clicks.
----------
DHS to get big boost in cybersecurity spending in 2010
The U.S. Senate yesterday passed legislation approving a budget of nearly $43 billion for the DHS for fiscal 2010. Of that, about $397 million is supposed to go toward improving cybersecurity within the agency. That's $84 million, or about 27%, more than the $313 million that was allocated for information security in fiscal 2009.
----------
Swiss foreign ministry hit by computer attack
AFP – 2 hrs 35 mins ago
GENEVA (AFP) - Unidentified hackers have penetrated the Swiss foreign ministry's computer system to seize data, forcing parts of it to be shut down for several days, the ministry revealed Monday.
----------
Nigeria's anti graft police shuts 800 scam websites
AFP – Thu Oct 22, 1:02 pm ET
LAGOS (AFP) - Nigeria's anti-corruption police said Friday they had shut down some 800 scam websites and busted 18 syndicates of email fraudsters in a drive to curb cyber-crime the country is notorious for.
----------
How Victims Encourage Cybercrime
Security firm Kaspersky notes that anonymity of users can mask cyber threats and make them tougher to prevent.
----------
Cybersecurity Quiz: Know Your Threats
Separate cybersecurity fact from fiction in this survey of the threats posed by cyberattacks.
----------
ERIC TOTALLY DISAGREES:
From Security Perspective, Windows 7 Off To A Rocky Start
Oct 22,2009
Experts express consternation over early vulnerabilities, UAC configuration issues
----------
Major Secure Email Products And Services Miss Spear-Phishing Attack
Oct 22,2009
Experiment successfully slips fake LinkedIn invite from 'Bill Gates' into inboxes
----------
Metasploit Project Sold To Rapid7
Oct 21,2009
Open-source Metasploit penetration testing tool creator HD Moore joins Rapid7, commercial Metasploit products to come
----------
The Internet is set to undergo one of the biggest changes in its four-decade history with the expected approval this week of international domain names — or addresses — that can be written in languages other than English, an official said Monday.
----------
Microsoft to open up Outlook .PST data format
----------
Google Oops! User Voice Mails Disclosed in Search Engine
Reported flaw in Google's voice mail service said to expose users' messages to search engine users. The messages are reported to include the audio file and transcript of the call, but also included the callers name and phone number.
Random users Google Voice mail is searchable by anyone?, Michael Bettiol, Boygeniusreport.com, October 19, 2009
----------
Answers to Windows 7 upgrade questions
Ed Bott: My compatriots in the Windows blogosphere aren't always discriminating in giving out advice. I read a staggering number of rumors, many of them promulgated by people who should have known better.
----------
OFF TOPIC:
Groups Challenge SoCal Desalination Project
By SONYA ANGELICA DIEHN
VISTA, Calif. (CN) - Environmentalists are challenging the City of Carlsbad over a $300 million desalination plant planned for drought-stricken Southern California. Two groups say Carlsbad and Poseidon Resources' enormous project has undergone too many changes for a 2006 environmental impact report to still apply.
----------
BAD NEWS:
LifeLock settles with Experian to not set fraud alerts
Dan Kaplan October 23, 2009
A lawsuit settlement affirms that third parties are not permitted to set fraud alerts with the major credit bureaus.
----------
Blogger: Time Warner Routers Still Hackable Despite Company Assurance
A blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers says the routers are still vulnerable to remote attack, despite claims by the company last week that it patched the routers.
Last Tuesday, David Chen, an internet startup-founder, published information about the vulnerability in Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The problem would allow a hacker to remotely access the device’s administrative menu over the internet and potentially change the settings to intercept traffic, making possible all sorts of nefarious activity.
----------
Monday, October 19, 2009
Monday 10/19/09
Mozilla unblocks one sneaky Microsoft plug-in
... Late on Friday, Mozilla added .Net Framework Assistant and the accompanying Windows Presentation Foundation plug-in to its rarely-used blocking list, which then threw up a warning to users notifying them that the pair was being barred from Firefox.
----------
Microsoft issues first Windows 7 patches
Windows 7 was affected by nine of the 34 vulnerabilities, or 26% of the total.
Windows Vista, meanwhile, was impacted by 19 of the 34 vulnerabilities -- 56% of the total.
Windows XP was affected by the most vulnerabilities of all: 24 out of 34, or 71% of the total.
----------
Phishers Reveal Poor Passwords
----------
Medical Records: Stored in the Cloud, Sold on the Open Market
... unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.
http://www.patientprivacyrights.org/site/DocServer/Zones_of_Privacy.pdf?docID=881
----------
ASCII Art spam is back
The ASCII art spam is not limited to only non-word characters. It can be numbers, alphabets and combinations of all, which can make things even worse for certain spam filters:
d""b8 88 db 88 88 dP"Y8
dP 88 dPYb 88 88 `bo
Yb 88 dP__Yb 88 88 `Y8b
boodP 88 dP""""Yb 88ood8 88 8bodP'
----------
How hackers find your weak spots
While there are an infinite number of social engineering exploits, typical ones include the...
----------
SECURITY: RISK AND REWARD
New secure password rules
Most companies have some form of policy on passwords. The rules go back more than a decade and are repeated...
----------
Hiring hackers: A rebuttal (part 2)
The original articles on hiring hackers and criminal hackers into IT groups as programmers, network...
----------
38 Oracle security patches coming next week
----------
Scareware earns cybercriminals £850,000 a year
Cybercriminals are earning as much as £858,000 a year out of scareware, says Symantec.
----------
A Guide to Windows 7 Security
Until now, Windows Vista was the most secure version of the Windows operating system. Windows 7...
----------
"Google Voice Mails have been discovered in Google's search engine, providing audio files, names, and phone number as if you were logged in and checking your own voice mail. Some appear to be test messages, while others are clearly not. Google has since disabled indexing of voice mails outside your own website."
----------
Helpful Hint for Fugitives: Don't Update Your Location on Facebook
"Fugitive caught after updating his status on Facebook."
----------
Microsoft's Free AV Got 1.5 Million Downloads in First Week PC World – Fri Oct 16, 3:10 pm ET
Microsoft registered more than 1.5 million downloads of its free antivirus software in the week after it shipped.
----------
... Late on Friday, Mozilla added .Net Framework Assistant and the accompanying Windows Presentation Foundation plug-in to its rarely-used blocking list, which then threw up a warning to users notifying them that the pair was being barred from Firefox.
----------
Microsoft issues first Windows 7 patches
Windows 7 was affected by nine of the 34 vulnerabilities, or 26% of the total.
Windows Vista, meanwhile, was impacted by 19 of the 34 vulnerabilities -- 56% of the total.
Windows XP was affected by the most vulnerabilities of all: 24 out of 34, or 71% of the total.
----------
Phishers Reveal Poor Passwords
----------
Medical Records: Stored in the Cloud, Sold on the Open Market
... unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.
http://www.patientprivacyrights.org/site/DocServer/Zones_of_Privacy.pdf?docID=881
----------
ASCII Art spam is back
The ASCII art spam is not limited to only non-word characters. It can be numbers, alphabets and combinations of all, which can make things even worse for certain spam filters:
d""b8 88 db 88 88 dP"Y8
dP 88 dPYb 88 88 `bo
Yb 88 dP__Yb 88 88 `Y8b
boodP 88 dP""""Yb 88ood8 88 8bodP'
----------
How hackers find your weak spots
While there are an infinite number of social engineering exploits, typical ones include the...
----------
SECURITY: RISK AND REWARD
New secure password rules
Most companies have some form of policy on passwords. The rules go back more than a decade and are repeated...
----------
Hiring hackers: A rebuttal (part 2)
The original articles on hiring hackers and criminal hackers into IT groups as programmers, network...
----------
38 Oracle security patches coming next week
----------
Scareware earns cybercriminals £850,000 a year
Cybercriminals are earning as much as £858,000 a year out of scareware, says Symantec.
----------
A Guide to Windows 7 Security
Until now, Windows Vista was the most secure version of the Windows operating system. Windows 7...
----------
"Google Voice Mails have been discovered in Google's search engine, providing audio files, names, and phone number as if you were logged in and checking your own voice mail. Some appear to be test messages, while others are clearly not. Google has since disabled indexing of voice mails outside your own website."
----------
Helpful Hint for Fugitives: Don't Update Your Location on Facebook
"Fugitive caught after updating his status on Facebook."
----------
Microsoft's Free AV Got 1.5 Million Downloads in First Week PC World – Fri Oct 16, 3:10 pm ET
Microsoft registered more than 1.5 million downloads of its free antivirus software in the week after it shipped.
----------
Monday, October 12, 2009
Monday 10/12/09
Researchers advise cyber self defense in the cloud
Security researchers are warning that Web-based applications are increasing the risk of identity theft or losing personal data more than ever before.
The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what personal data they make public, won't be easy.
----------
Expert provides more proof hackers hijacked Hotmail accounts
It's almost certain that hackers obtained the Hotmail passwords that leaked to the Internet through a botnet-based attack, a researcher said today as she provided more proof that Microsoft's explanation was probably off-base. Read more...
----------
Sidekick users livid over Microsoft server failure
On Saturday, Microsoft announced that users' data stored on its servers "almost certainly has been lost as a result of a server failure at Microsoft/Danger," referring to Danger Inc., the Microsoft subsidiary that provides data services for Sidekick phones sold by T-Mobile.
...
"I just spoke to a lawyer and explain[ed] the entire situation," said a user tagged as "Calsmail" last Thursday. "He informed me he would be happy to start a class-action suit against T-Mobile. He said he could not only get us out of our contracts but can more than likely get $50 per contact lost."
----------
UC Berkeley tightens personal data security with data-masking tool
----------
No Facebook at work in most US companies
By News Room Yesterday
----------
What's replacing P2P, BitTorrent as pirate hangouts?
----------
EU High Court Amassing Strength & Reach
By NICK WILSON
As the European Court of Justice continues a dramatic rise in power and volume of cases, a comparison is inevitably made with the U.S. Supreme Court where an initially weak political body grew into an enormously powerful interpreter of the law in a vast region of wealth and population. But there are also key differences between the two high courts, based on the greater power held in the U.S. Constitution and the less competitive relationship between the courts of the European nations and the EU's high court.
----------
Google patches DoS vulnerabilities in Android
Researchers at the Open Source Computer Emergency Response Team (oCERT) disclosed two denial-of-service vulnerabilities in Google Inc.'s Android 1.5 mobile phone platform, both of which have already been patched by the vendor.
----------
Hackers exploit this year's fourth PDF zero-day
The bug in the popular Reader PDF viewer and the Acrobat PDF maker is being exploited in "limited targeted attacks," Adobe said yesterday. That phrasing generally means hackers are sending the rigged PDF documents to a short list of users, oftentimes company executives or others whose PCs contain a treasure trove of confidential information.
Adobe promised to patch the vulnerability on Tuesday, Oct. 13, the same day that Microsoft plans to issue its biggest-ever collection of security updates.
----------
Security researchers are warning that Web-based applications are increasing the risk of identity theft or losing personal data more than ever before.
The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what personal data they make public, won't be easy.
----------
Expert provides more proof hackers hijacked Hotmail accounts
It's almost certain that hackers obtained the Hotmail passwords that leaked to the Internet through a botnet-based attack, a researcher said today as she provided more proof that Microsoft's explanation was probably off-base. Read more...
----------
Sidekick users livid over Microsoft server failure
On Saturday, Microsoft announced that users' data stored on its servers "almost certainly has been lost as a result of a server failure at Microsoft/Danger," referring to Danger Inc., the Microsoft subsidiary that provides data services for Sidekick phones sold by T-Mobile.
...
"I just spoke to a lawyer and explain[ed] the entire situation," said a user tagged as "Calsmail" last Thursday. "He informed me he would be happy to start a class-action suit against T-Mobile. He said he could not only get us out of our contracts but can more than likely get $50 per contact lost."
----------
UC Berkeley tightens personal data security with data-masking tool
----------
No Facebook at work in most US companies
By News Room Yesterday
----------
What's replacing P2P, BitTorrent as pirate hangouts?
----------
EU High Court Amassing Strength & Reach
By NICK WILSON
As the European Court of Justice continues a dramatic rise in power and volume of cases, a comparison is inevitably made with the U.S. Supreme Court where an initially weak political body grew into an enormously powerful interpreter of the law in a vast region of wealth and population. But there are also key differences between the two high courts, based on the greater power held in the U.S. Constitution and the less competitive relationship between the courts of the European nations and the EU's high court.
----------
Google patches DoS vulnerabilities in Android
Researchers at the Open Source Computer Emergency Response Team (oCERT) disclosed two denial-of-service vulnerabilities in Google Inc.'s Android 1.5 mobile phone platform, both of which have already been patched by the vendor.
----------
Hackers exploit this year's fourth PDF zero-day
The bug in the popular Reader PDF viewer and the Acrobat PDF maker is being exploited in "limited targeted attacks," Adobe said yesterday. That phrasing generally means hackers are sending the rigged PDF documents to a short list of users, oftentimes company executives or others whose PCs contain a treasure trove of confidential information.
Adobe promised to patch the vulnerability on Tuesday, Oct. 13, the same day that Microsoft plans to issue its biggest-ever collection of security updates.
----------
McAfee Labs’ October Spam Report
Monday October 12, 2009 at 8:36 am CSTPosted by David Marcus
Cybercriminals are taking advantage of American concerns about healthcare by flooding the internet with spam. According to our October Spam Report, 70 percent of global spam is now “Canadian” pharmacy spam that takes advantage of fears of Swine Flu and rising costs of Medicare and pharmaceuticals.
Spammers generate more than 150 billion spam messages daily; that’s enough to send everyone in the world more than 30 emails every day (including people without computers). Nearly 19 out of every 20 emails are spam, and cybercriminals are growing more sophisticated with their attacks. No brands seem to be safe, and this month’s report analyzes how spammers are abusing the brands of Monopoly, The Hollywood Reporter and even the Jewish organization Chabad to distribute malware.
The report can be downloaded here.
----------
Posted at 2:00 PM ET, 10/12/2009
Avoid Windows Malware: Bank on a Live CD
http://blogs.washingtonpost.com/securityfix/
The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online.
----------
Monday, October 5, 2009
Monday 10/05/09
Let's start today with a bit of 'bright-and-shiny':
Microsoft Demos Prototype Multi-Touch Mice
The other day, I went on a short tour of some of Microsoft’s Labs, where they do everything from rapid prototypes of new products to acoustic testing in anechoic chambers. Most of my time was spent in the Applied Sciences group’s labs, where they are working on some seriously interesting devices.
And they’re not just into mice; in fact, the lab’s specialty seemed to be anything to do with optics and/or input. This lab worked on Project Natal, and also on the pressure-sensitive keyboard I wrote about a while back.
They were kind enough to show me all these crazy multi-touch mice, and, when I was too inept to demo even one of them solo, offered to go through them with me on video.
----------
Malware and standards – is it possible?
I am excited to be involved in the joint industry effort of defining an XML format which will allow for the rapid exchange of information between security companies. This work was done by the “Malware Working Group” operating as part of the “Industry Connections Security Group” (ICSG) and under the umbrella of the IEEE. If you Google for “IEEE” and “ICSG” you should have the link at the top of the list – IEEE ICSG .
There were about 20 people from multiple security companies who contributed to the development of the proposal for the standard and I am very pleased with the results. It is a simple, flexible and powerful format that is already being used by 4 anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the trivial malware sample exchange of the past with a real-time exchange of threat intelligence data. Communicating the relationships between malware samples, domains, IPs will open endless possibilities for improving the security of all Internet users.
For example, it will allow us to describe the whole history of domains/IPs that were used by a specific malware writing group, which malware they hosted and even how the malware got installed onto users’ computers. And this can be expressed in an unambiguous way suitable for rapid automated analysis. In a word – it’s powerful!
----------
Testing email with encryption
It can be very useful to be able to talk directly with your SMTP or IMAP server for diagnostic purposes. Things get a bit more complicated when encryption rears its ugly head, but with the right tools, it doesn't have to be a black art more…
----------
Plug-in service to protect Mozilla browser
Mozilla's Plug-in Finder Server checks the versions of installed Firefox plug-ins to warn users of security holes more…
----------
Gmail Login Gets CSRF Protection
Google has silently implemented cross-site request forgery protection for Gmail authentication. The new feature comes in the form of a unique token stored in a browser cookie and checked when the login request is submitted.
----------
Hotmail hacked: Thousands of account details published online
Zack Whittaker: Microsoft admits that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a phishing scheme.
----------
DRAM error rates: Nightmare on DIMM street
Robin Harris: A two-and-a-half year study of DRAM on 10s of thousands Google servers found DIMM error rates are hundreds to thousands of times higher than thought - a mean of 3,751 correctable errors per DIMM per year.
----------
Attorney Admits to Trading Settlement Money
By NICK MCCANN
(CN) - An Orange County lawyer has agreed to plead guilty to losing virtually all of a multimillion-dollar class-action settlement through high-risk day trading, the Justice Department announced.
----------
Visa creates guidance for merchants wanting to encrypt
Dan Kaplan October 05, 2009
Visa has taken a leading role in establishing best practices for end-to-end encryption implementation.
----------
Credit Card Skimming Survey: What’s Your Magstripe Worth?
Ever wonder how much the data on the back of your credit card is worth to a corrupt food service worker? The answer, it turns out, depends on which restaurants you frequent in Florida.
For some reason, the Sunshine State is a hotbed of federal prosecutions for “skimming”, in which a retail or service worker with a criminal bent swipes your credit card through a pocket-sized magstripe reader when you’re not looking — capturing your name, card number, expiration date and other information.
In the online black market, wholesalers peddle this data to credit card counterfeiters for as much as $50 for a corporate Visa or Mastercard. (Asian and European cards go for even more.) But how much does the poor food service worker get for putting his job on the line in the first place?
----------
Hackers plan to clobber the cloud, spy on Blackberries
A new era of computing is on the rise and viruses, spies and malware developers are tagging along...
----------
60% of Brits store personal data on their phone
Over 60 percent of Brits keep sensitive personal data on their smartphone, says The Carphone...
----------
Cyber Security Awareness Month - Day 5 port 31337
Backdoors and malware and trojans oh my!
----------
Microsoft Demos Prototype Multi-Touch Mice
The other day, I went on a short tour of some of Microsoft’s Labs, where they do everything from rapid prototypes of new products to acoustic testing in anechoic chambers. Most of my time was spent in the Applied Sciences group’s labs, where they are working on some seriously interesting devices.
And they’re not just into mice; in fact, the lab’s specialty seemed to be anything to do with optics and/or input. This lab worked on Project Natal, and also on the pressure-sensitive keyboard I wrote about a while back.
They were kind enough to show me all these crazy multi-touch mice, and, when I was too inept to demo even one of them solo, offered to go through them with me on video.
----------
Malware and standards – is it possible?
I am excited to be involved in the joint industry effort of defining an XML format which will allow for the rapid exchange of information between security companies. This work was done by the “Malware Working Group” operating as part of the “Industry Connections Security Group” (ICSG) and under the umbrella of the IEEE. If you Google for “IEEE” and “ICSG” you should have the link at the top of the list – IEEE ICSG .
There were about 20 people from multiple security companies who contributed to the development of the proposal for the standard and I am very pleased with the results. It is a simple, flexible and powerful format that is already being used by 4 anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the trivial malware sample exchange of the past with a real-time exchange of threat intelligence data. Communicating the relationships between malware samples, domains, IPs will open endless possibilities for improving the security of all Internet users.
For example, it will allow us to describe the whole history of domains/IPs that were used by a specific malware writing group, which malware they hosted and even how the malware got installed onto users’ computers. And this can be expressed in an unambiguous way suitable for rapid automated analysis. In a word – it’s powerful!
----------
Testing email with encryption
It can be very useful to be able to talk directly with your SMTP or IMAP server for diagnostic purposes. Things get a bit more complicated when encryption rears its ugly head, but with the right tools, it doesn't have to be a black art more…
----------
Plug-in service to protect Mozilla browser
Mozilla's Plug-in Finder Server checks the versions of installed Firefox plug-ins to warn users of security holes more…
----------
Gmail Login Gets CSRF Protection
Google has silently implemented cross-site request forgery protection for Gmail authentication. The new feature comes in the form of a unique token stored in a browser cookie and checked when the login request is submitted.
----------
Hotmail hacked: Thousands of account details published online
Zack Whittaker: Microsoft admits that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a phishing scheme.
----------
DRAM error rates: Nightmare on DIMM street
Robin Harris: A two-and-a-half year study of DRAM on 10s of thousands Google servers found DIMM error rates are hundreds to thousands of times higher than thought - a mean of 3,751 correctable errors per DIMM per year.
----------
Attorney Admits to Trading Settlement Money
By NICK MCCANN
(CN) - An Orange County lawyer has agreed to plead guilty to losing virtually all of a multimillion-dollar class-action settlement through high-risk day trading, the Justice Department announced.
----------
Visa creates guidance for merchants wanting to encrypt
Dan Kaplan October 05, 2009
Visa has taken a leading role in establishing best practices for end-to-end encryption implementation.
----------
Credit Card Skimming Survey: What’s Your Magstripe Worth?
Ever wonder how much the data on the back of your credit card is worth to a corrupt food service worker? The answer, it turns out, depends on which restaurants you frequent in Florida.
For some reason, the Sunshine State is a hotbed of federal prosecutions for “skimming”, in which a retail or service worker with a criminal bent swipes your credit card through a pocket-sized magstripe reader when you’re not looking — capturing your name, card number, expiration date and other information.
In the online black market, wholesalers peddle this data to credit card counterfeiters for as much as $50 for a corporate Visa or Mastercard. (Asian and European cards go for even more.) But how much does the poor food service worker get for putting his job on the line in the first place?
----------
Hackers plan to clobber the cloud, spy on Blackberries
A new era of computing is on the rise and viruses, spies and malware developers are tagging along...
----------
60% of Brits store personal data on their phone
Over 60 percent of Brits keep sensitive personal data on their smartphone, says The Carphone...
----------
Cyber Security Awareness Month - Day 5 port 31337
Backdoors and malware and trojans oh my!
----------
Monday, September 28, 2009
Monday 09/28/09
Ass Bomber
Nobody tell the TSA, but last month someone tried to assassinate a Saudi prince by exploding a bomb stuffed in his rectum. He pretended to be a repentant militant, when in fact he was a Trojan horse:
The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince -- the target of al-Asiri's unsuccessful assassination attempt.
...
Lewis Page, an "improvised-device disposal operator tasked in support of the UK mainland police from 2001-2004," pointed out that this isn't much of a threat for three reasons: 1) you can't stuff a lot of explosives into a body cavity, 2) detonation is, um, problematic, and 3) the human body can stifle an explosion pretty effectively (think of someone throwing himself on a grenade to save his friends).
----------
A Stick Figure Guide to AES
Nice.
----------
Ants vs. worms
Since ants are pretty good at locating and defending against enemies in the real world, a team of researchers decided to try reproducing an ant-type model on computer networks. Initial tests proved to be a success more…
----------
Internet Explorer supports free certificates
With its last update, Microsoft has added StartCom to the pre-installed root certificates in its operating system. As a result, Microsoft products (such as Internet Explorer) now accept certificates issued by StartCom without prompting the user or requiring any special configurations for the certificates. Third-party programs that use the operating system's certificate memory will also accept the certificates without asking further questions.
StartCom offers free certificates for the signing of e-mails (S/MIME) and for SSL server access, such as HTTPS. Unfortunately, with these "Class 1 certificates", the applicant's email address is generally the only thing tested.
While StartCom has been in the certificate store of Mozilla programs like Firefox and Thunderbird for some time, other issuers who offer free server certificates (such as CACert) are not currently included in the Root CA lists of commonly used programs. Users therefore have to inspect and confirm each server certificate or add the root certificate of such issuers to their certificate store.
The root certificate update is available as an option via Windows Update.
----------
Reddit Attacked by XSS Exploit
An XSS hole allowed comments to be booby-trapped with JavaScript code which posted multiple comments into the social news aggregator. The script was triggered by logged in users merely hovering the cursor over a comment. more…
----------
Belgian Government Workers Ordered to Drop Firefox and Return to IE6
The government of the Walloon Region has ordered its local administrations to ban the use of Firefox on their networks...
----------
Windows 7 reliability scorecard
Adrian Kingsley-Hughes: Since December Windows 7 has been my default OS on several systems that are in daily use. During that time I've captured a lot of real-world reliability data for the OS.
...
So, how reliable is Windows 7?
In a word, very.
...looking at a small number of shutdown issues <== ERIC SEES THESE TOO!
----------
Rampant brute-force attack against Yahoo Mail
A widespread brute-force attack against Yahoo email users aims to obtain login credentials and then use the hijacked accounts for spamming, a researcher at Breach Security disclosed last week.
Yahoo Mail's main login page utilizes a number of security mechanisms to protect against brute force attacks -- when crooks try every possible combination of username/password until they can break in -- including providing a generic "error" page that does not reveal whether it was the username or password that the user got wrong. Also, Yahoo tracks the number of failed login attempts and requires that users solve a CAPTCHA if they have exceeded a certain number of incorrect tries.
----------
Judge Orders Gmail Account Deactivated After Bank Screws Up
By Kim Zetter
September 25, 2009
A California federal judge has ordered Google to temporarily de-activate a Gmail account after a bank mistakenly sent sensitive data to the account.
U.S. District Judge James Ware also ordered Google to disclose the identity of the Gmail account holder.
----------
AT&T Cleverly Flips Google Voice Fight On Its Head
... it wasn't too surprising to see AT&T flip the Google Voice fiasco on its head by sending a letter to the FCC late last week accusing Google of anti-competitive behavior for blocking user access to FreeConferenceCall.com. In AT&T's letter, the carrier suggests this violates a looming fifth neutrality principle
----------
Phishing fraud hits two year high
Phishing attacks reached a record high during the second quarter of 2009, with 151,000 unique attacks, according to a study by brand reputation firm MarkMonitor.
----------
Computer hacker may have tapped personal data on 236,000 women in UNC mammography study By News Room Today
----------
Drudge, other sites flooded with malicious ads
Criminals flooded several online ad networks with malicious advertisements over the weekend,...
----------
http://www.nytimes.com/2009/09/27/weekinreview/27shane.html?_r=1
... those news reports masked a surprising and perhaps heartening long-term trend: Many students of terrorism believe that in important ways, Al Qaeda and its ideology of global jihad are in a pronounced decline — with its central leadership thrown off balance as operatives are increasingly picked off by missiles and manhunts and, more important, with its tactics discredited in public opinion across the Muslim world.
“Al Qaeda is losing its moral argument about the killing of innocent civilians,” said Emile A. Nakhleh, who headed the Central Intelligence Agency’s strategic analysis program on political Islam until 2006. “They’re finding it harder to recruit. They’re finding it harder to raise money.”
----------
Blast from the past: Fresh wave of targeted attacks using PowerPoint
The use of social engineering to grab attention of recipients and to deliver malware is not something novel. The latest trend in spreading malware is to manipulate a happening celebrity story, disaster or other high profile news event. The threat could be delivered as emails or poisoned search engine results which leads to malware. In the past, we have come across innumerable incidents like Michael Jackson demise or Benazir Bhutto assassination used as an arena to spread malware. Lately, we have observed an increase in the number of OLE files being used as targeted attacks against various high profile users.
----------
Microsoft buys Interactive Supercomputing, kills top product: Microsoft has purchased the assets of Interactive Supercomputing (ISC), maker of the desktop parallel computing platform Star-P. Redmond plans to discontinue Star-P but to integrate ISC's technologies into its own solutions.
----------
Google v Microsoft: Giants War Over $7.25M Deal for LA Email
latimes.com — The two tech giants are clashing over a $7.25-million contract to replace Los Angeles' outdated e-mail system. City officials have been told that Microsoft Chief Exec Steve Ballmer and Google CEO Eric Schmidt "would be more than happy to come and visit with you." More…
----------
http://www.neatorama.com/2007/01/04/the-5-smallest-countries-in-the-world/
The official languages of the Vatican City are Latin and Italian. In fact, its ATMs are the only ones in the world that offer services in Latin! And here you thought that Latin is a dead language…
----------
Cyber Security Awareness Month OCTOBER
----------
Organized Crime and Retail Theft: Facts and Myths
Small, loosely connected gangs illustrate the challenge of stopping organized retail theft.
----------
Organized Cybercrime Revealed
The shadow economy for stolen identity and account information continues to evolve.
----------
Sep 26, 10:42 am
Security Software Sales Expected to Climb
The market for security software will grow 8% in 2009, Gartner analysts predict.
----------
IRS Scam Now World's Biggest E-mail Virus Problem PC World – Fri Sep 25, 6:40 pm ET
Criminals are waging a nasty online campaign right now, hoping that their victims' fears of the tax collecter will lead them to inadvertently install malicious software.
----------
Med students' tweets, posts expose patient info
Future doctors are too frequently putting inappropriate postings and sometimes confidential patient information on social sites like Facebook and Twitter, according to a study published in the Journal of the American Medical Association.
In a survey of medical colleges, 60% reported incidents of medical students' posting unprofessional content online. Thirteen percent reported that students had violated patient confidentiality in postings on social networking sites.
The survey also showed that 39% of colleges found medical students posting pictures of themselves in which they were intoxicated, and 38% reported medical students posting sexually suggestive material. The study, published this week, surveyed deans or their counterparts at 78 U.S. medical colleges.
----------
Microsoft's Server Message Block (SMB) has been a vulnerability for years, so they introduced a new version (SMB 2). Now they recommend turning off SMB2 due to too many vulnerabilities...
http://blogs.technet.com/srd/
----------
Nobody tell the TSA, but last month someone tried to assassinate a Saudi prince by exploding a bomb stuffed in his rectum. He pretended to be a repentant militant, when in fact he was a Trojan horse:
The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince -- the target of al-Asiri's unsuccessful assassination attempt.
...
Lewis Page, an "improvised-device disposal operator tasked in support of the UK mainland police from 2001-2004," pointed out that this isn't much of a threat for three reasons: 1) you can't stuff a lot of explosives into a body cavity, 2) detonation is, um, problematic, and 3) the human body can stifle an explosion pretty effectively (think of someone throwing himself on a grenade to save his friends).
----------
A Stick Figure Guide to AES
Nice.
----------
Ants vs. worms
Since ants are pretty good at locating and defending against enemies in the real world, a team of researchers decided to try reproducing an ant-type model on computer networks. Initial tests proved to be a success more…
----------
Internet Explorer supports free certificates
With its last update, Microsoft has added StartCom to the pre-installed root certificates in its operating system. As a result, Microsoft products (such as Internet Explorer) now accept certificates issued by StartCom without prompting the user or requiring any special configurations for the certificates. Third-party programs that use the operating system's certificate memory will also accept the certificates without asking further questions.
StartCom offers free certificates for the signing of e-mails (S/MIME) and for SSL server access, such as HTTPS. Unfortunately, with these "Class 1 certificates", the applicant's email address is generally the only thing tested.
While StartCom has been in the certificate store of Mozilla programs like Firefox and Thunderbird for some time, other issuers who offer free server certificates (such as CACert) are not currently included in the Root CA lists of commonly used programs. Users therefore have to inspect and confirm each server certificate or add the root certificate of such issuers to their certificate store.
The root certificate update is available as an option via Windows Update.
----------
Reddit Attacked by XSS Exploit
An XSS hole allowed comments to be booby-trapped with JavaScript code which posted multiple comments into the social news aggregator. The script was triggered by logged in users merely hovering the cursor over a comment. more…
----------
Belgian Government Workers Ordered to Drop Firefox and Return to IE6
The government of the Walloon Region has ordered its local administrations to ban the use of Firefox on their networks...
----------
Windows 7 reliability scorecard
Adrian Kingsley-Hughes: Since December Windows 7 has been my default OS on several systems that are in daily use. During that time I've captured a lot of real-world reliability data for the OS.
...
So, how reliable is Windows 7?
In a word, very.
...looking at a small number of shutdown issues <== ERIC SEES THESE TOO!
----------
Rampant brute-force attack against Yahoo Mail
A widespread brute-force attack against Yahoo email users aims to obtain login credentials and then use the hijacked accounts for spamming, a researcher at Breach Security disclosed last week.
Yahoo Mail's main login page utilizes a number of security mechanisms to protect against brute force attacks -- when crooks try every possible combination of username/password until they can break in -- including providing a generic "error" page that does not reveal whether it was the username or password that the user got wrong. Also, Yahoo tracks the number of failed login attempts and requires that users solve a CAPTCHA if they have exceeded a certain number of incorrect tries.
----------
Judge Orders Gmail Account Deactivated After Bank Screws Up
By Kim Zetter
September 25, 2009
A California federal judge has ordered Google to temporarily de-activate a Gmail account after a bank mistakenly sent sensitive data to the account.
U.S. District Judge James Ware also ordered Google to disclose the identity of the Gmail account holder.
----------
AT&T Cleverly Flips Google Voice Fight On Its Head
... it wasn't too surprising to see AT&T flip the Google Voice fiasco on its head by sending a letter to the FCC late last week accusing Google of anti-competitive behavior for blocking user access to FreeConferenceCall.com. In AT&T's letter, the carrier suggests this violates a looming fifth neutrality principle
----------
Phishing fraud hits two year high
Phishing attacks reached a record high during the second quarter of 2009, with 151,000 unique attacks, according to a study by brand reputation firm MarkMonitor.
----------
Computer hacker may have tapped personal data on 236,000 women in UNC mammography study By News Room Today
----------
Drudge, other sites flooded with malicious ads
Criminals flooded several online ad networks with malicious advertisements over the weekend,...
----------
http://www.nytimes.com/2009/09/27/weekinreview/27shane.html?_r=1
... those news reports masked a surprising and perhaps heartening long-term trend: Many students of terrorism believe that in important ways, Al Qaeda and its ideology of global jihad are in a pronounced decline — with its central leadership thrown off balance as operatives are increasingly picked off by missiles and manhunts and, more important, with its tactics discredited in public opinion across the Muslim world.
“Al Qaeda is losing its moral argument about the killing of innocent civilians,” said Emile A. Nakhleh, who headed the Central Intelligence Agency’s strategic analysis program on political Islam until 2006. “They’re finding it harder to recruit. They’re finding it harder to raise money.”
----------
Blast from the past: Fresh wave of targeted attacks using PowerPoint
The use of social engineering to grab attention of recipients and to deliver malware is not something novel. The latest trend in spreading malware is to manipulate a happening celebrity story, disaster or other high profile news event. The threat could be delivered as emails or poisoned search engine results which leads to malware. In the past, we have come across innumerable incidents like Michael Jackson demise or Benazir Bhutto assassination used as an arena to spread malware. Lately, we have observed an increase in the number of OLE files being used as targeted attacks against various high profile users.
----------
Microsoft buys Interactive Supercomputing, kills top product: Microsoft has purchased the assets of Interactive Supercomputing (ISC), maker of the desktop parallel computing platform Star-P. Redmond plans to discontinue Star-P but to integrate ISC's technologies into its own solutions.
----------
Google v Microsoft: Giants War Over $7.25M Deal for LA Email
latimes.com — The two tech giants are clashing over a $7.25-million contract to replace Los Angeles' outdated e-mail system. City officials have been told that Microsoft Chief Exec Steve Ballmer and Google CEO Eric Schmidt "would be more than happy to come and visit with you." More…
----------
http://www.neatorama.com/2007/01/04/the-5-smallest-countries-in-the-world/
The official languages of the Vatican City are Latin and Italian. In fact, its ATMs are the only ones in the world that offer services in Latin! And here you thought that Latin is a dead language…
----------
Cyber Security Awareness Month OCTOBER
----------
Organized Crime and Retail Theft: Facts and Myths
Small, loosely connected gangs illustrate the challenge of stopping organized retail theft.
----------
Organized Cybercrime Revealed
The shadow economy for stolen identity and account information continues to evolve.
----------
Sep 26, 10:42 am
Security Software Sales Expected to Climb
The market for security software will grow 8% in 2009, Gartner analysts predict.
----------
IRS Scam Now World's Biggest E-mail Virus Problem PC World – Fri Sep 25, 6:40 pm ET
Criminals are waging a nasty online campaign right now, hoping that their victims' fears of the tax collecter will lead them to inadvertently install malicious software.
----------
Med students' tweets, posts expose patient info
Future doctors are too frequently putting inappropriate postings and sometimes confidential patient information on social sites like Facebook and Twitter, according to a study published in the Journal of the American Medical Association.
In a survey of medical colleges, 60% reported incidents of medical students' posting unprofessional content online. Thirteen percent reported that students had violated patient confidentiality in postings on social networking sites.
The survey also showed that 39% of colleges found medical students posting pictures of themselves in which they were intoxicated, and 38% reported medical students posting sexually suggestive material. The study, published this week, surveyed deans or their counterparts at 78 U.S. medical colleges.
----------
Microsoft's Server Message Block (SMB) has been a vulnerability for years, so they introduced a new version (SMB 2). Now they recommend turning off SMB2 due to too many vulnerabilities...
http://blogs.technet.com/srd/
----------
Subscribe to:
Posts (Atom)
