Wednesday, April 30, 2008

Wednesday News Feed 4/30/2008

Dream job at Microsoft turns out to be too good to be true A New York man faces four years in prison for posting fake job ads for companies such as Microsoft, PayPal and Yahoo. Read more...

Conn. man gets 30 months in prison for 'warez' operation A Woodbury, Conn., man is sentenced to 30 months in prison for his role in Web sites selling unauthorized copies of movies, music and software. Read more...

Microsoft botnet-hunting tool helps bust hackers
"Although Microsoft is reluctant to give out details on its botnet buster -- the company said that even revealing its name could give cybercriminals a clue on how to thwart it -- company executives discussed it at a closed-door conference held for law enforcement professionals Monday. The tool includes data and software that helps law enforcers get a better picture of the data being provided by Microsoft's users, said Tim Cranton, associate general counsel with Microsoft's World Wide Internet Safety Programs. "I think of it ... as botnet intelligence," he said."

Microsoft highlights efforts to police the Net

http://www.crime-research.org/news/28.04.2008/3337/
Cybercrime in the UK has dropped in the first quarter of 2008 by nearly 2 per cent, compared to the same period last year, a new report reveals. While studies show an increase in Web-based threats globally compared to 2007, the UK only hosts 1.1 per cent of Web-based malware, compared to 3 per cent in the same period last year.

However, the Security Threat Report by IT security and control firm Sophos shows a new infected website is found every five seconds, compared with one every 14 seconds last year. The US in particular has experienced unprecedented growth, from hosting less than 25 per cent of all infected pages overall in 2007, to almost half in the first three months of 2008. China has demonstrated the biggest drop, from hosting more than half of all the infected pages in 2007, to just under a third in the first quarter of 2008.

The report reveals that data leakage continues to be a major concern for organisations. Several high profile cases of businesses losing sensitive customer information were reported during the first three months of 2008.

The largest reported data breach this year involved the credit card numbers of more than four million customers being stolen from US supermarket chain Hannaford Bros. The data, taken by cyber criminals using malware installed on servers at the chain’s branches, have already been used in approximately 1,800 fraud cases.

Microsoft: June 30 not end of Windows XP support

Researcher finds new flaw in QuickTime for Windows
"More and more hackers are turning to exploiting vulnerabilities in applications as a means of launching attacks, since it's becoming increasingly difficult to find problems in operating systems, Alan Paller, director of research for the SANS Institute, said last week at the Infosec conference in London."

Antivirus vendors slam Defcon virus contest

After Web defacement, university warns of data breach

'Long-Term' Phishing Attack Underway - 4/28/2008 5:15:00 PM
New phishing exploit doesn't bother asking for passwords, and its stealthy malware hides out on victim's machine

"The latest tack is phishing emails posing as Comerica Bank and Colonial Bank that ask banking customers to renew their digital certificates. When they click on the link for more information on the phony renewal process, it downloads the nasty Trojan onto their desktops."

Court rejects RIAA's 'making available' piracy argument
news.com — In Atlantic v. Howell, Judge Neil V. Wake denied the labels' motion for summary judgment in a 17-page decision (PDF), allowing the suit to proceed to trial. The argument--that merely the act of making music files available for download constituted copyright infringement--has been the basis for the Recording Industry Association of America's legal bMore… (Political News)

US Supreme Court Upholds Indiana Voter ID Law
The Supreme Court on Monday upheld (pdf) Indiana’s voter-identification law, declaring that a requirement to produce photo identification is not unconstitutional and that the state has a “valid interest” in improving election procedures as well as deterring fraud. EPIC had submitted a brief (pdf) detailing problems with the law. "Not only has the state failed to establish the need for the voter identification law or to address the disparate impact of the law, the state's voter ID system is imperfect, and relies on a flawed federal identification system."
Supreme Court Upholds Voter Identification Law in Indiana, New York Times, April 29, 2008.

(Minor) evolution in Mac DNS changer malware
Published: 2008-04-30, Last Updated: 2008-04-30 09:27:16 UTC
by Bojan Zdrnja (Version: 1)

Back in November last year we published a diary about Mac DNS changer malware (http://isc.sans.org/diary.html?storyid=3595). The main idea about this was to make Mac users aware that the bad guys are not ignoring this platform any more.
While the malware itself was not anything spectacular (i.e. it did not exploit any vulnerabilities, but was based on social engineering), the way it was packed showed that the attackers meant real business.

All the malware did was change local DNS servers to a couple of servers in a known bad network, and tell the command and control server that a new victim is ready.

The anti-virus coverage was especially disappointing. Only a couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it.

One of our readers, Matt, submitted a new sample today. I quickly analyzed it and the sample does exactly the same thing as the one from September – it changes the DNS servers and reports to a C&C server.

However, one thing I noticed was that the attackers started obfuscating the installation code. The obfuscation is very, very simple (they only use the tr command) but, unfortunately, it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs. Signature detection failure I would say …
...

SQL Injection Attacks Against Automatic License Plate Scanners
This picture is almost certainly Photoshopped, and a joke, but it's certainly a clever idea. As automatic license plate scanners become more common, why not get a SQL injection attack as a plate?
Reminds me of this xkcd cartoon.
Posted on April 29, 2008 at 03:21 PM, 26 Comments

Virtual Kidnapping
A real crime in Mexico:
"We've got your child," he says in rapid-fire Spanish, usually adding an expletive for effect and then rattling off a list of demands that might include cash or jewels dropped off at a certain street corner or a sizable deposit made to a local bank.

The twist is that little Pablo or Teresa is safe and sound at school, not duct-taped to a chair in a rundown flophouse somewhere or stuffed in the back of a pirate taxi. But when the cellphone call comes in, that is not at all clear.
[...]

But identifying the phone numbers — they are now listed on a government Web site — has done little to slow the extortion calls. Nearly all the calls are from cellphones, most of them stolen, authorities say.

On top of that, many extortionists are believed to be pulling off the scams from prisons.
Authorities say hundreds of different criminal gangs are engaged in various telephone scams. Besides the false kidnappings, callers falsely tell people they have won cars or money. Sometimes, people are told to turn off their cellphones for an hour so the service can be repaired; then, relatives are called and told that the cellphone’s owner has been kidnapped. Ransom demands have even been made by text message.
Posted on April 29, 2008 at 05:29 AM, 31 Comments

More Trouble With Ads on ISPs' Error Pages
http://blogs.washingtonpost.com/securityfix/
Posted at 06:00 AM ET, 04/30/2008
Last week, Security Fix examined new research suggesting that some major Internet service providers are exposing their customers to security flaws when they redirect wayward Web surfers to ad-filled pages. I'm revisiting this controversial practice because another major provider of these services (for one of the nation's largest ISPs) was found to be similarly vulnerable.

As noted here last week, Earthlink and a few other ISPs are using a service from a U.K. company called BareFruit, which helps ISPs redirect users to ad-filled pages when they either request a Web site that does not exist or when they mistype a real domain, e.g., ww.example.com (notice the missing "w"). Researcher Dan Kaminsky found that BareFruit's servers contained a security flaw that would have made it easy for hackers and scammers to trick the ISP's customers into visiting phishing sites or downloading malicious software.
...
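A defender-side check for the behaviour described above (an ISP resolver answering for names that do not exist), written as an added example rather than code from Security Fix or the research it cites. It resolves random labels under a zone assumed to have no wildcard record (`example.com` here) and reports any address it gets back; the `resolve` parameter is injectable so the logic can be exercised offline.

```python
import secrets
import socket


def system_resolve(name):
    """Return the set of IPv4 addresses the system resolver gives for `name`,
    or an empty set if the resolver reports that the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def random_label(length=16):
    """A random hostname label that is vanishingly unlikely to be registered."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_nxdomain_rewriting(resolve=system_resolve, zone="example.com", probes=3):
    """Resolve several random, never-registered names under `zone`.

    A correct resolver answers NXDOMAIN (an empty set here) for all of them.
    If any probe comes back with an address, something on the path is
    synthesising answers, which is exactly what the ad-page redirect does.
    `zone` is an assumption: it must be a domain without a wildcard record.
    """
    answers = [frozenset(resolve(f"{random_label()}.{zone}")) for _ in range(probes)]
    landing = set().union(*answers) if answers else set()
    return {"rewriting": bool(landing), "landing_ips": landing}


if __name__ == "__main__":
    # Uses the real system resolver; prints the landing address(es) if any.
    print(check_nxdomain_rewriting())
```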

German intel agency blasted for cyber espionage
News Brief, 2008-04-29
Eight months after the nation's chancellor accused China of information attacks, Germany finds itself in the spotlight over planting programs to spy on other countries' officials.

Experts warn over SQL injection attacks
News Brief, 2008-04-28
Attackers have exploited common vulnerabilities to leave behind code on thousands of sites, redirecting visitors to servers that host malicious downloads.

"We now know how the Whitehouse managed to lose about five million emails. It seems that they 'upgraded' their Lotus Notes system, which had an automatic retention and backup system, for Microsoft Exchange, which did not support the automatic system. So they changed it to a manual process, where aides would manually sort emails one by one into individual PST files, which they call a 'journaling' archive system. They're still building a replacement for the retention system. Right when they had one finished, the White House CIO complained that it made Microsoft Exchange too slow, so they hired yet another contractor to build another one, causing a senior IT official to quit in protest. So they still haven't completed the project after almost eight years, and rely on humans to sort millions of emails."

"The release of Wikiscanner last year brought much attention to white washing of controversial pages on the community generated encyclopedia. Apparently Wikipedia is very serious in fighting such behavior as they've temporarily blocked the US Department of Justice from editing pages for suspicious edits."

"As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

Marvel Should Keep A Tighter Leash On Its Lawyers
from the yikes dept
On Tuesday, Mike Arrington of TechCrunch took a straw poll on Twitter and decided to set up a screening of the new movie Iron Man, based on the comic. By Wednesday morning the details were set. He had rented out the Metreon by calling the "Group Sales" phone number on the Iron Man website, and paid for 600 seats for the showing. He posted the info to his blog, and asked people to pay $1 per seat in order to hold the spot (and to avoid no-shows). All this was perfectly reasonable. And then... a lawyer from Marvel Comics sent Arrington a threatening cease-and-desist letter demanding that he pull down the information about the show, claiming that Arrington wasn't authorized to set up such a showing. Again, the whole thing was arranged by Arrington by calling the "Group Sales" line on the Iron Man website. All of the tickets were paid for. It's hard to see what Marvel can possibly be complaining about. Also, I know for a fact that Arrington's event is hardly the only such event... because I got invited to a different one (also tomorrow, though at a different time and location and organized by a different group) and have a ticket on my desk for the show.

As a guess, perhaps Marvel is upset that Arrington made his an open invite system. The other showings I'm aware of are all private invite-only showings. But, even if that's true, it's rather ridiculous for Marvel to be complaining, and this is giving the company a ton of totally unnecessary bad press for an event that was generating plenty of enthusiasm and excitement for the movie. It appears to be yet another case where a lawyer is complaining because he can, and not because it's a good business move. As of right now, AMC Theatres, which sold Arrington the tickets, is standing behind the showing, and hopefully someone higher up at Marvel is figuring out what a ridiculous move this is, and will apologize by morning.

How Do You Enforce An EULA On Malware?
"... Most EULAs are backed up via the power of copyright law, but that obviously doesn't work in this case. So how are the malware authors enforcing it? In typical organized crime fashion: with threats to destroy everything else you've got. Specifically, if it catches anyone violating the terms, it promises to send their botnet code to various antispyware companies -- effectively handing over the location of their secret hideout to the malware police..."

Mailbot.f (a.k.a “Kraken”) gets stealthier - Update
Tuesday April 29, 2008 at 10:26 am CST
Over the past week, Mailbot.f (a.k.a “Kraken”) was thoroughly studied and reverse engineered by various security researchers. As mentioned in my previous blog, we focused mainly on the network behavior of the bot and observed a few interesting things.

After the bot installs on a victim machine, it attempts to contact mx.google.com via TCP destination port 25 (SMTP) 3 times. This looks to be a network connectivity test by the bot. If this test fails, the bot does not send out any spam at a later stage. (Note that the bot does not use mx.google.com to spam). Next, the bot downloads the front page of 3 different popular web sites (mostly news sites), such as nytimes.com, cbsnews.com, news.com, cnn.com, reuters.com, msn.com, google.com, etc. We have not observed the use of these web pages in the spam sent out by this bot, however.
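The two-stage network pattern just described (repeated TCP/25 attempts to mx.google.com, then front-page fetches of several news sites) is the kind of thing a defender can hunt for in proxy or flow logs. The block below is an added example, not code from the Avert Labs post: it parses constructed log lines in a simple assumed format and flags source hosts that match the sequence, with the thresholds (three probes, three distinct news sites, five-minute window) as stated assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic). Assumed line format:
# "<ISO time> <src_ip> <proto> <dst_host> <dst_port> [GET <path>]"
SAMPLE_LOG = """\
2008-04-29T10:00:01 10.0.0.7 tcp mx.google.com 25
2008-04-29T10:00:02 10.0.0.7 tcp mx.google.com 25
2008-04-29T10:00:03 10.0.0.7 tcp mx.google.com 25
2008-04-29T10:00:09 10.0.0.7 tcp www.nytimes.com 80 GET /
2008-04-29T10:00:10 10.0.0.7 tcp www.cnn.com 80 GET /
2008-04-29T10:00:11 10.0.0.7 tcp www.msn.com 80 GET /
2008-04-29T10:01:00 10.0.0.9 tcp www.cnn.com 80 GET /world/index.html
2008-04-29T10:01:05 10.0.0.9 tcp mail.example.net 25
2008-04-29T10:02:00 10.0.0.12 tcp mx.google.com 25
2008-04-29T10:02:30 10.0.0.12 tcp www.reuters.com 80 GET /
"""

# The sites the write-up names as the bot's front-page targets.
NEWS_SITES = {"nytimes.com", "cbsnews.com", "news.com", "cnn.com",
              "reuters.com", "msn.com", "google.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proto>\S+) (?P<dst>\S+) (?P<port>\d+)"
    r"(?: GET (?P<path>\S+))?$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    ev["port"] = int(ev["port"])
    return ev


def registered_domain(host):
    """Crude: keep the last two labels (enough for the sites listed above)."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def is_front_page_fetch(ev):
    """True for a GET of '/' on port 80 against one of the news sites."""
    return (ev["port"] == 80 and ev["path"] == "/"
            and registered_domain(ev["dst"]) in NEWS_SITES)


def find_kraken_like_hosts(log_text, window=timedelta(minutes=5),
                           smtp_probes=3, front_pages=3):
    """Return sorted source IPs whose activity matches the described sequence:
    at least `smtp_probes` TCP/25 attempts to mx.google.com followed, within
    `window` of the first probe, by front-page fetches of at least
    `front_pages` distinct news sites. Thresholds are assumptions."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    flagged = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        probes = [e for e in events
                  if e["port"] == 25 and e["dst"].lower() == "mx.google.com"]
        if len(probes) < smtp_probes:
            continue
        first_probe = probes[0]["ts"]
        last_probe = probes[smtp_probes - 1]["ts"]
        sites = {registered_domain(e["dst"]) for e in events
                 if is_front_page_fetch(e)
                 and last_probe < e["ts"] <= first_probe + window}
        if len(sites) >= front_pages:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    print(find_kraken_like_hosts(SAMPLE_LOG))  # ['10.0.0.7']
```

Only the host that performs all three probes and then fetches three different news front pages is flagged; a single probe or ordinary browsing of inner pages does not match.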

Declassified NSA Document Reveals the Secret History of TEMPEST

Tuesday, April 29, 2008

Tuesday News Feed 4/29/08

I don't normally put these out on Tuesdays or Thursdays anymore, but I just found this little story about the FBI and their Regional Computer Forensics Laboratories (RCFL) interesting.

Solving cases by examining digital devices—that's what these high-tech computer labs are all about.
Read the story at: http://www.fbi.gov/page2/april08/rcfl_042908.html

Monday, April 28, 2008

Monday News Feed 4/28/08

Huge Web hack attack infects 500,000 pages
Microsoft's IIS Web server may be to blame, says researcher
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580

Researcher finds new flaw in QuickTime for Windows A rather tricky vulnerability in QuickTime could be exploited remotely to attack Windows PCs running Vista SP1 or XP SP2. Read more...

With antivirus vendors already processing some 30,000 samples each day, there's no need for any more samples, said Roger Thompson, chief research officer at AVG Technologies. "It's hard to see an upside for encouraging people to write more viruses," he said via instant message. "It's a dumb idea."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9080658&taxonomyId=17&intsrc=kc_top

Securing the Internet's DNS - 4/24/2008 5:30:00 PM
Internet's .arpa, .org, and .uk domains soon to adopt DNSSEC

Researchers Infiltrate and 'Pollute' Storm Botnet - 4/23/2008 3:45:00 PM
European botnet experts devise a method that disrupts stubborn peer-to-peer botnets like Storm

Companies May Be Held Liable for Deals With Terrorists, ID Thieves - 4/23/2008 5:25:00 PM
New and little-known regulations could mean fines, or even jail time, for companies that do business with bad guys

Ten myths about Identity Fraud
http://www.darkreading.com/document.asp?doc_id=145823

Questions about Web Server Attacks
Posted Friday, April 25, 2008 9:44 PM by MSRCTEAM
Hi there this is Bill Sisk.

There have been conflicting public reports describing a recent rash of web server attacks. I want to bring some clarification about the reports and point you to the IIS blog for additional information.

To begin with, our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306).

The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information on steps web developers and IT professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations. Additional information can be found here: http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

FBI Director Wants Broad Power to Monitor Internet Activity
The FBI on Wednesday called for new legislation that would allow federal police to monitor the Internet for "illegal activity." The suggestion from FBI Director Robert Mueller, which came during a House of Representatives Judiciary Committee hearing, appears to go beyond a current plan to monitor traffic on federal-government networks. Mueller seemed to suggest that the bureau should have a broad "omnibus" authority to conduct monitoring and surveillance of private-sector networks as well. If any omnibus Internet-monitoring proposal became law, it could implicate the Fourth Amendment's guarantee of freedom from unreasonable searches and seizures. In general, courts have ruled that police need search warrants to obtain the content of communication.
FBI wants widespread monitoring of 'illegal' Internet activity, CNet News.com, April 23, 2008.
Posted by EPIC on April 24, 2008.

Cyber Espionage
Interesting investigative article from Business Week on Chinese cyber espionage against the U.S. government, and the government's reaction.

When the deluge began in 2006, officials scurried to come up with software "patches," "wraps," and other bits of triage. The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."
It can only help for the U.S. government to get its own cybersecurity house in order.
Posted on April 28, 2008 at 06:45 AM, 9 Comments

WordPress PHP Code Execution and Cross-Site Scripting - Highly critical - From remote
Issued 4 hours ago. Two vulnerabilities have been reported in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and to compromise a vulnerable system.

"The first naturally occurring superheavy element has been found. An international team of scientists found several nuclei of unbibium in a sample of the naturally occurring heavy metal thorium. Unbibium has an atomic number of 122 and an atomic weight of 292. In general, very heavy elements tend to be unstable but scientists have long predicted that even heavier nuclei would be stable. The group that found unbibium in thorium say it has a half life in excess of 100 million years and an abundance of about 10^(-12) relative to thorium, which itself is about as abundant as lead."

All the rage in Europe: Firefox market share climbs higher
Month by month, Firefox continues to make gains in Europe, where the browser approaches a 50 percent market share in some countries. Firefox also has stronger usage on weekends, when people get to use the browser of their choice.
April 27, 2008 - 06:58PM CT - by Ryan Paul

Two more indicted on E-Rate fraud charges

After Web defacement, university warns of data breach

China worries hackers will strike during Beijing Olympics

Judge orders White House to resolve e-mail backup 'ambiguity'

Researcher finds new way to hack Oracle database

If Top Gov't Officials Need To Leave Blackberries Outside A Meeting, Shouldn't Someone Guard Them?
from the just-a-thought dept

Apparently a Mexican press attache at a meeting with White House officials in New Orleans saw an opportunity and swiped the Blackberries of a bunch of White House staffers. At many such meetings, it's required for attendees to leave their phones and mobile devices outside of the meeting room. You would think that with such high-powered government officials that someone would then be left to guard the devices, but apparently not. This guy grabbed a bunch of the devices and made a run for the airport, where he was caught by Secret Service officials, who promptly showed him the surveillance camera footage of him taking the devices. His response was that he thought the devices had been left behind, and he was merely picking them up to return them to their owners, which might be more believable if the folks weren't still in the meeting room when he grabbed all the devices. Who knows if it's true, but I'm still wondering why no one was guarding the Blackberries.

Google Analytics getting my passwords? NOT!
Friday April 25, 2008 at 8:15 am CST
Posted by Pedro Bueno
http://www.avertlabs.com/research/blog/index.php/2008/04/25/google-analytics-getting-my-passwords-not/
So, on a bright Friday morning here in Brazil, I was analyzing an interesting piece of malware. Well, this piece of malware was sending encoded data to gooqle-analytics.com…hmmmm maybe trying to get infection statistics?

We have seen this before…but something wasn’t quite clear… it seemed that this was all that the malware was doing… hmmmm ok… checking a little closer, I could see the traffic generated… it was encoded traffic… not common for Google Analytics…

A little more research revealed that there was a dll injected in the svchost process, and analyzing this packed dll revealed that its purpose was to steal information and send to gooqle-analytics… but what the heck? Is Google stealing my info? NOT!!! As some of you noticed reading this blog, I did not misspell the name… it was sending the info to gooqle-analytics.com, and not google-analytics.com…

This gooqle thing domain is hosted on an IP in Italy…yea…bad,bad gooQle…!

Hacker denies using tool to break into Dish Network security
Jim Carr April 25, 2008
A software engineer testified that he was hired by a unit of News Corp. to develop software that could reverse engineer code on satellite receiver smart cards, but denies hacking.

Another Apple QuickTime bug reported
Dan Kaplan April 24, 2008
US-CERT has issued an alert concerning a new zero-day vulnerability in the Apple QuickTime media player.

Which Gov Agency Should Be Your Computer's Firewall?
By Ryan Singel April 25, 2008 8:05:10 PM
Categories: Cybarmageddon!, Spooks Gone Wild
First the NSA says it needs to examine every search and email on the internet to prevent an e-9/11 attack, then President Bush signs a secret cyber-security Presidential Directive to make that possible, while the Air Force has set up a cyber warfare division where cyber-security is played like a game of Space Invaders.

Not to be left out on the cybarmageddon! action, the Department of Homeland Security plans to spearhead a "Manhattan Project" attempt to secure the internet. But there's no way FBI chief Robert Mueller is gonna let DHS honcho Michael Chertoff have all the bits, so this week he told a House committee that G-Men need to be living in the tubes, too.

The great thing about all of these agencies deciding that they need to be inspecting packets on the interweb is that soon you will no longer have to buy anti-virus or security software, you'll just have to choose which government agency you hand your computer password to.
But the question is, which one should you choose to protect your Win98 box?
Submit your favorite agency (with logo link if you have one) or vote up other choices here. Defend your vote in the comments, if you like.

The originator of “Red Heart China” gets his website hacked!! Europeans responsible?

Bluetooth Mobile Phone Hacked Right Before Your Eyes
Published 03/27/2008
Watch How Scammers Turn Bluetooth Technology Into Hard Cold Cash In The Below Video

http://www.nationalcybersecurity.com/blogs/626/Tornado-Hacking-Tool-For-Rent.html
Security researchers have discovered a new web-based attack tool which exploits up to 14 browser vulnerabilities and installs malware on the user's system.

Symantec researcher Liam O'Murchu said that 'Tornado' is commonly installed on a server by a single 'administrator', who then offers accounts on the server to other attackers.

The attackers then inject code into other web pages to redirect users to the Tornado server, where the exploit and malware installation is conducted.

Google Docs gets new features, templates soon

More URI handler issues to come
Nate McFeters: A new command injection flaw was discovered, this time in IBM's Lotus Expeditor. What's most interesting about this class of vulnerability is that it can be deployed quite simply

Wednesday, April 23, 2008

Wednesday News Feed 4/23/08

I received this site from Brian Serr, who is living in Japan right now. It's true and interesting, but also just a rant.
http://www.ranum.com/security/computer_security/editorials/dumb/

http://www.thedarkvisitor.com/2008/04/495/
...
"Beijing’s call for an apology from CNN may have been seen as tacit support for the attack. Or, at least that there would be no retribution if one did take place. This might be the most important factor of all."
...
"The QQ numbers listed six headquarters units (probably the more experienced hackers), 42 regular groups (actually 44, since he started with zero and may have accidentally listed group 32 twice), and one propaganda unit."

ICANN Chooses AEP Keyper to Help Secure the Internet DNS System By Grey McKenzie Today

China's CERT released their annual security report (in Chinese for the time being), outlining the local threatscape with data indicating the increasing efficiency applied by Turkish web site defacement groups, in between the logical increases in spam/phishing and malware related incidents. Here's an excerpt from the report:
"According to CNCERT/CC monitoring, in 2007 the number of IPs on China's mainland found with implanted Trojans increased alarmingly, to 22 times last year's figure; Trojans have become the largest Internet hazard."

Britain Reports 96 Percent of Companies With Over 500 Employees Affected By Security Breaches By Grey McKenzie Today

Market's Message to Security Pros: Adapt or Die
Shifts in economy, business are forcing re-prioritization in the IT security department, studies say

Microsoft Report: Physical Data Theft, Trojans Up; Bug Disclosure Down
Trojan attacks jump by 300 percent, but publicly disclosed vulnerabilities reach three-year ebb

US China & Russia Count For 72.4 Percent of Web Based Malware By Grey McKenzie Today

Rock Phish Gang Phishing Sites Rigged For Drive By Downloads By Grey McKenzie Yesterday

Cyber Criminals Shifting Targets To Mobiles By Grey McKenzie 04/21/2008

LONDON MessageLabs Finds 13 Olympic-Themed Targeted Trojans

Tornado exploit kit touches down
Sue Marquette Poremba April 22, 2008
The recently discovered Tornado exploit toolkit is one of the most sophisticated toolkits released and may be a precursor of things to come. According to Symantec, it's chilling evidence of how hackers can take advantage of vulnerabilities.

XSS flaw on Obama page sends visitors to Clinton site
Dan Kaplan April 22, 2008
The battle between Democratic presidential hopefuls Barack Obama and Hillary Rodham Clinton extended to cyberspace when a prankster over the weekend exploited a cross-site scripting (XSS) vulnerability on the website of the Illinois senator to redirect traffic to Clinton's homepage.

Microsoft's Final 'Up Yours' To Those Who Bought Into Its DRM Story
from the playsforwhatnow? dept
Remember a few years back when Microsoft launched a new type of DRM under the name "PlaysForSure"? The idea was to create a standard DRM that a bunch of different online music download stores could use, and which makers of digital music devices could build for. Except... like any DRM, it had its problems. And, like any DRM, its real purpose was to take away features, not add them, making all of the content hindered by it less valuable. Yet, because Microsoft was behind it, many people assumed that at least Microsoft would keep supporting it. Well, you've now learned your lesson. Playsforsure was so bad that Microsoft didn't even use it for its own Zune digital media device. Along with that, Microsoft shut down its failed online music store, and now for the kicker, it's telling anyone who was suckered into buying that DRM'd content that it's about to nuke the DRM approval servers that let you transfer the music to new machines. That means you need to authorize any songs you have on whatever machine you want -- and that's the only place they'll be able to reside forever. And, of course, any upgrade to your operating system (say from XP to Vista) and you lose access to your music as well. By now, hopefully, everyone is aware of why DRM is problematic, but it's nice of Microsoft to give one final demonstration by basically taking away more rights for the music it sold people with the promise that Microsoft would keep the music available.

Researcher discovers QuickTime zero-day
Larry Dignan: Hacker Petko D. Petkov has discovered a zero-day vulnerability in a patched version of Apple's QuickTime player for XP and Vista and has the video to prove it.







Laptop searches at the border: No reason? No problem
The Ninth Circuit says that customs agents in the US can legally search laptops without needing a reason. The debate turns on whether a laptop is more like a piece of luggage or the human mind.
April 23, 2008 - 06:45AM CT - by Nate Anderson





"New Scientist reports on a University of Washington project aiming to marshal swarms of 'good' computers to take on botnets. Their approach — called Phalanx — uses its distributed network to shield a server from DDoS attacks. Instead of that server being accessed directly, all information must pass through the swarm of 'mailbox' computers, which are swapped around randomly and only pass on information to the shielded server when it requests it. Initially the researchers propose using the servers in networks such as Akamai as mailboxes; ultimately they would like to piggyback the good-botnet functionality onto BitTorrent."





Adobe Products BMP Handling Buffer Overflow Vulnerability - Highly critical - From remote. Issued 1 day ago. A vulnerability has been reported in multiple Adobe products, which potentially can be exploited by malicious people to compromise a user's system.








NJ Supreme Court Rules That Subscribers Have Privacy Right In Their Internet Data
The Supreme Court of New Jersey became the first court in the nation yesterday to rule that people have an expectation of privacy when they are online, and law enforcement officials need a grand jury warrant to have access to their private information. In state proceedings, the ruling will take precedence over what attorneys describe as weaker U.S. Supreme Court decisions that hold there is no right to privacy on the internet. "The reality is that people do expect a measure of privacy when they use the Internet," said Grayson Barber, a lawyer representing the American Civil Liberties Union, Electronic Frontier Foundation and the Electronic Privacy Information Center, among other groups that filed friend-of-the-court briefs (pdf) in the case.
N.J. justices call e-privacy surfers' right, Newark Star-Ledger, April 22, 2008.
Posted by EPIC on April 22, 2008.







Hannaford to spend 'millions' on IT security upgrades after breach






Microsoft data shows Web attacks on the rise






Microsoft: We took out Storm botnet
April 22, 2008 (Computerworld) Microsoft Corp. today took credit for crushing the Storm botnet, saying that the malware search-and-destroy tool it distributes to Windows users disinfected so many bots that the hackers threw in the towel.
"They realized they were in our gun sights," said Jimmy Kuo, a principal architect with Microsoft's malware protection center, the group responsible for the Malicious Software Removal Tool (MSRT). Microsoft updates and automatically redistributes the software tool to Windows users each month on Patch Tuesday.





No suspicion needed to search laptops at U.S. borders, says Ninth Circuit

Monday, April 21, 2008

Monday News Feed 4/21/08

Chinese anti-CNN hacking group disbands
Computerworld, USA - Apr 21, 2008 - 6 hours ago
... the Chinese hacking group "Revenge of the Flame" postponed their attack, claiming there was too much public awareness of their plans. ...






Rupert Murdoch Firm Goes on Trial for Alleged Tech Sabotage
Wired News - Apr 20, 2008 - 10 hours ago
As laid out in the allegations, NDS' hacking is said to have begun in 1997 after its own access cards were cracked and it was at risk of losing clients like ...






Browsing centres are now dens for hackers
Times of India - Apr 20, 2008 - 11 hours ago
According to information gathered by the cyber crime cell of central crime branch (CCB), there is a hacking community functioning out of browsing centres in ...





INTERNET LAW - Cyber Crimes Tool Kits for Sale on Internet with ...
IBLS INTERNET LAW (subscription), USA - Apr 21, 2008 - 13 minutes ago
These cyber crime tool kits make possible automated fraud, and the top hacking tools are now being sold for prices ranging from less than $100 up to $1000. ...






Web-Hosting Providers – Beware!
Friday April 18, 2008 at 12:39 pm CST. Posted by Karthik Raman
Late on Thursday Microsoft released an advisory about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008.
It’s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, “Token Kidnapping”, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a privilege-escalation vulnerability earlier, and said in March, “Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008”.







University of Miami admits to stolen medical records
Dan Kaplan April 18, 2008
The University of Miami disclosed on Friday that one of its storage vendors lost a number of back-up tapes containing the personal information of more than two million patients.







ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses
By Ryan Singel April 19, 2008 2:00:00 PM







Srizbi maintains large spam botnet
April 18, 2008
Srizbi maintains a large spam botnet using simple techniques to recruit new bot members.





Does Microsoft's Plan To Sell Software As A Service Make Sense?
from the keep-an-eye-on-this dept







I Don't Want To Burst Your Bubble
By ROBERT KAHN
Quoz. That was the answer to everything 200 years ago. So says Charles Mackay in "Extraordinary Popular Delusions and the Madness of Crowds." Mackay, whose excellent book was published in 1841, reviewed a litany of human idiocies - most of which are still with us today. In his chapter, "Popular Follies of Great Cities," Mackay wondered why it is that nonsensical sayings spring suddenly to everyone's lips, remain there for months, then disappear until the next idiocy appears.

"Quoz" was an all-purpose term to express disbelief, challenge, ridicule, boredom, or just about anything, in London, in the early 1800s. It was replaced, in this order, by "What a shocking bad hat!", "Walker!", "There he goes with his eye out!", "Has your mother sold her mangle?" and then the fabulously popular, "Flare up," which could be used for almost anything.
http://www.courthousenews.com/






Digital Sound Separator
By John BorlandWednesday, April 16, 2008
New software can modify the individual notes of a recorded chord.





Data Leakage, preserving confidentiality
by Ricky M. Magalhaes
Articles / Content Security (Email & FTP)
Article focusing on data leakage and how this information asset is lost and the result of exposure. This vulnerability may be the result of inadequate measures, or poorly implemented controls that expose organizations and their clients.







RIAA spent $2 million lobbying for tougher IP laws in 2007
All groups lobbying Congress and the executive branch are required to disclose how much they spent on the task each year. During 2007, the RIAA spent $2.08 million lobbying lawmakers for tougher copyright laws, among other things.
April 21, 2008 - 05:05AM CT - by Eric Bangeman

PayPal to fight phishers by blocking old browsers
PayPal has long been a prime target for phishing attacks, and the company is anxious to shed both the image and the underlying problem. PayPal demonstrated the approach it's taken to limit customer exposure to phishing attacks at the RSA Conference this week, with impressive results.
April 19, 2008 - 02:33PM CT - by
Joel Hruska







EU states agree that inciting terrorism on the Internet is a crime
It's official: "public provocation to commit a terrorist offense" will be a crime in the EU, and that includes "terrorist propaganda" distributed via the Internet. Enforcement will be another matter.
April 19, 2008 - 08:30AM CT - by Jon Stokes

"Today Lenovo retired the last NON-widescreen laptop they offered (the T61 14.1) from the market, and Lenovo is just an example (Apple, Sony, HP, etc. are the same). I understand the motivation behind all the laptop manufacturers to move to widescreen: they can still advertise that they offer 14.1 or 15.4 screens, but the screen area is smaller, and thus they save more money. Some people might like widescreens (they are useful for some tasks), but any developer knows that vertical space matters! Less vertical space = less lines of code in the screen = more scrolling = less productivity. How can laptop manufacturers still claim that they look after their customers when the move to widescreens is clearly a selfish one? I just wish they offered non-widescreen laptops, even if it were for a plus (that I'd be more than happy to pay)."

http://slashdot.org/







"The Transportation Security Administration has announced that it's beginning pilot tests of millimeter wave scanning technology at Los Angeles International Airport (LAX) and John F. Kennedy International Airport (JFK) that allow TSA personnel to see concealed weapons and other items that may be hidden beneath clothes. TSA Administrator Kip Hawley says that that the potentially revealing body scans (YouTube) would not be stored and that 90% of passengers subject to secondary screening opt for a millimeter wave scan over a pat-down. The agency added that security officers viewing the scans would do so remotely, where they will not be able to recognize passengers but will be able to trigger an alarm if needed. The agency also said that a blurring algorithm is applied to passengers' faces in scanned images as an additional privacy protection."






Chertoff Says Fingerprints Aren't Personal Data
Homeland Security Secretary Michael Chertoff says:
QUESTION: Some are raising that the privacy aspects of this thing, you know, sharing of that kind of data, very personal data, among four countries is quite a scary thing.
SECRETARY CHERTOFF: Well, first of all, a fingerprint is hardly personal data because you leave it on glasses and silverware and articles all over the world, they're like footprints. They're not particularly private.
Sounds like he's confusing "secret" data with "personal" data. Lots of personal data isn't particularly secret.
Posted on April 21, 2008 at 06:54 AM






IIS Vulnerability Documented by Microsoft - Includes Workarounds
Published: 2008-04-18, Last Updated: 2008-04-19 22:25:00 UTC by John Bambenek (Version: 1)

Microsoft has just put out an advisory for a privilege escalation vulnerability in Windows that affects IIS and potentially SQL Server (951306). Basically, authenticated users can use this vulnerability to become LocalSystem. This is probably more of a problem for shared hosting environments, where clients could upload malicious code to the web server and run the exploit to gain additional rights. SQL Server is less of a problem because permissions have to be explicitly granted to allow a SQL user to run code.
The advisory contains workarounds for IIS 6 and 7 that are claimed to blunt this vulnerability. The only negative impact of those workarounds is some extra work when adding users, but they do block the attack vector.
There is a public report of this, but apparently no exploits yet. More when we get additional information, but refer to MSFT's advisory for details on how to work around it.

Update
Cesar's paper has been released and you can see it here






http://isc.sans.org/diary.html?storyid=4310
The Patch Window is Gone: Automated Patch-Based Exploit Generation







Microsoft admits it sent Office nag to all WSUS servers






Bull crams crypto chips into bootable USB hard disk drive







Universities Rocked by Data Thefts - 4/18/2008 4:20:00 PM
The Universities of Miami and Virginia acknowledge lost data on stolen tapes and laptops






An Rx for Doctors Suffering From Spam Attacks - 4/18/2008 1:05:00 PM
Health Care Notification Network (HCNN) for physicians aims to streamline alerts, as well as protect doctors from spam and other attacks







Microsoft XP SP3 on track to RTM on April 21

Friday, April 18, 2008

Friday News Feed 4/18/09

MSRC Blog: Microsoft Security Advisory 951306
Posted Thursday, April 17, 2008 6:38 PM by MSRCTEAM
Hello, Bill here,

I wanted to let you know that we have just posted Microsoft Security Advisory (951306).
This advisory contains information regarding a new public report of a vulnerability within Microsoft Windows which allows for privilege escalation from authenticated user to LocalSystem. Our investigation has shown that this vulnerability affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

At this time, we are not aware of attacks attempting to use the reported vulnerability, but we will continue to track this issue. The advisory contains several workarounds that customers can use to help protect themselves. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release.

We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.

In the meantime, we encourage customers to review the advisory and implement the workarounds.






Chinese hackers poised for anti-CNN attack over the weekend An announced denial-of-service attack against CNN is allegedly planned by Chinese hackers incensed over world scrutiny of the crackdown in Tibet. Read more...





Apple makes minor concession on pushing Safari to Windows users





CEO-phishing scam fires up anew





Kingston, IronKey announce new FIPS-certified USB drives





MySpace hack reveals profile visitors





Privacy advocates: Consumer education isn't enough





Study: LimeWire remains top P2P software; uTorrent fast-rising No. 2





Survey: 12% of U.S., U.K. consumers 'borrow' free Wi-Fi





Update: Apple patches Safari's $10,000 bug, fixes other flaws





Comcast's Net Neutrality Strategy
The news of Comcast effectively walking away from the entire Net neutrality process got me to draw lines between that and Microsoft's bid for ISO approval of OOXML. Comcast is clearly taking a different path. More





SANS solves mystery of mass Web site infections InfoWorld - Thu Apr 17, 1:02 PM ET
San Francisco - The SANS Institute has uncovered what they've termed a "rare gem" as far as computer security investigations go that sheds new light on how up to 20,000 Web sites have been hacked since January.





Court Battle over Video Game Ban Takes Strange Turn
Judges around the country generally haven't had much trouble in striking down laws that crack down on the sale of video games to minors. But a battle over a Minnesota statute has inspired some peculiar contortions by a federal appeals court judge. Section 325I.06 of the Minnesota code bars minors from buying or renting video games rated “Mature” or “Adult Only.” In a March 17 decision, the 8th U.S. Circuit Court of Appeals concluded it was not narrowly tailored to address the state’s compelling interest in protecting children from psychological and moral harm resulting from their interaction with violent video games.
http://www.onpointnews.com/







Potential Microsoft Works ActiveX Zero-Day Surfaces
Thursday April 17, 2008 at 11:15 am CST. Posted by Kevin Beets
A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)
Here’s the meat of this: The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow for code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.
On the plus side, this control is not marked safe, and attempts to use it should be accompanied with a warning from Internet Explorer. Even though this is the case, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the “warning” hurdle.
In the mean time, McAfee Avert Labs will continue researching this issue.
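An added example (not McAfee's code) of applying the kill-bit mitigation the post recommends: the registry location and flag value are Microsoft's documented kill-bit mechanism (KB240797), the CLSID is the one quoted above, and the script assumes it runs from a 64-bit Python with administrator rights on the machine being hardened.

```python
"""Added example: set the Internet Explorer kill bit for the WkImgSrv.dll
control named in the post. Per Microsoft KB240797, a DWORD value
"Compatibility Flags" with bit 0x400 set under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
stops IE from instantiating that control, warning prompt or not."""
import re
import sys

# CLSID quoted in the post; the only identifier here taken from the page.
WKIMGSRV_CLSID = "00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"
KILLBIT_FLAG = 0x400
CLSID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
KEY_TEMPLATE = "SOFTWARE\\{wow}Microsoft\\Internet Explorer\\ActiveX Compatibility\\{clsid}"


def normalize_clsid(clsid):
    """Accept 'xxxxxxxx-...' or '{xxxxxxxx-...}' and return the '{UPPERCASE}' form."""
    if not CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + clsid.strip("{}").upper() + "}"


def killbit_key_paths(clsid):
    """Key paths under HKLM. On 64-bit Windows the 32-bit IE process reads the
    Wow6432Node view, so both views are returned and both should be set.
    (A 32-bit Python is itself redirected to Wow6432Node; run a 64-bit one.)"""
    c = normalize_clsid(clsid)
    return [KEY_TEMPLATE.format(wow="", clsid=c),
            KEY_TEMPLATE.format(wow="Wow6432Node\\", clsid=c)]


def reg_file_text(clsid):
    """A .reg file equivalent, for pushing through GPO or 'reg import'.
    Note that a .reg import overwrites any Compatibility Flags already present."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for path in killbit_key_paths(clsid):
        lines += [f"[HKEY_LOCAL_MACHINE\\{path}]",
                  f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}', ""]
    return "\r\n".join(lines)


def apply_killbit(clsid):
    """Set the kill bit in place (Windows only, needs administrator rights),
    OR-ing into any flags already present rather than overwriting them.
    Returns the key paths written."""
    if sys.platform != "win32":
        raise OSError("kill bits only exist on Windows; use reg_file_text()")
    import winreg
    written = []
    for path in killbit_key_paths(clsid):
        access = winreg.KEY_READ | winreg.KEY_WRITE
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as key:
            try:
                current, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            except FileNotFoundError:
                current = 0
            winreg.SetValueEx(key, "Compatibility Flags", 0,
                              winreg.REG_DWORD, current | KILLBIT_FLAG)
        written.append(path)
    return written


def killbit_is_set(clsid):
    """Verification step: True only if the bit is set in both registry views."""
    if sys.platform != "win32":
        raise OSError("kill bits only exist on Windows")
    import winreg
    for path in killbit_key_paths(clsid):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
        except FileNotFoundError:
            return False
        if not value & KILLBIT_FLAG:
            return False
    return True


if __name__ == "__main__":
    if sys.platform == "win32":
        apply_killbit(WKIMGSRV_CLSID)
        print("kill bit set:", killbit_is_set(WKIMGSRV_CLSID))
    else:
        # Off Windows, just emit the .reg file for distribution.
        print(reg_file_text(WKIMGSRV_CLSID))
```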














Growing Number Of ISPs Injecting Own Content Into Websites
from the this-is-not-a-good-trend dept
With growing concerns over companies like Phorm and NebuAd enabling ISPs to insert their own ads into your web surfing, some researchers decided to see if this is already happening -- and were surprised to find it more prevalent than they expected. It's still not a huge number, but in tests, they found that there definitely are some ISPs already using such technology to inject ads, though they tend to be smaller "no name" ISPs. The one big exception was XO Communications -- though XO claims that any ad injections must be done by downstream resellers of its wholesale service. Either way, this ought to raise some questions about what rights ISPs have to get in the middle and alter the data that you requested and which was served by a third party.






NBC Universal Now Says It Should Be Apple's Responsibility To Stop Piracy








Los Angeles botmaster pleads guilty
Dan Kaplan April 17, 2008
A Los Angeles man pleaded guilty on Wednesday to charges he oversaw a collection of hundreds of thousands of zombie computers that he used to steal personal data and perpetrate identity theft.






Woman accused of using RootsWeb to steal IDs of dead people
A California woman has been accused of using the Social Security Administration's Death Index and popular genealogy site RootsWeb to obtain social security numbers of recently deceased individuals for the purpose of credit card fraud.
April 18, 2008 - 09:47AM CT - by Ryan Paul

DoJ wants more money to scour P2P networks for child porn
The DOJ is looking for more money to monitor not only P2P networks, but web sites and chat rooms, all in the name of fighting child porn.
April 18, 2008 - 06:10AM CT - by
Jon Stokes

Effects of Earth's Magnetotail on the Moon
Earth’s powerful magnetic field is shaped by the solar wind into a tear-like elongate... [read >>]
in Space, 18 April, 12:33 GMT

Targeted spear phishing attacks
Posted by Nathan McFeters @ 11:33 pm

A colleague of mine, Dave Wong, from Ernst & Young’s Advanced Security Center in New York, pointed me to a really interesting article on targeted spear phishing attacks by John Markoff of the New York Times. Phishing has been really interesting to me lately, as I’ve seen a wave of discussions, black hat presentations, and technologies abound that deal with phishing and identity theft. In fact, this article comes just one day after I watched another colleague, Nitesh Dhanjani, provide a presentation to a Security Interest Group here in Chicago, organized by Kevin Richards of Ernst & Young and involving numerous large companies from the Midwest area. The phishing and identity theft talk that Nitesh gave really raised some eyebrows, especially when he discussed the targeted spear phishing attacks.







Oklahoma Data Leak
Usually I don't bother blogging about these, but this one is particularly bad. Anyone with basic SQL knowledge could have registered anyone he wanted as a sex offender.

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed, and possibly changed, any data within the DOC’s databases. It took me all of a minute to figure out how to download 10,597 records, SSNs and all, from their website.
Posted on April 18, 2008 at 06:16 AM
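As an added illustration of the "never trust your input" point above (example code, not from the post and not the Oklahoma DOC site): a lookup page that splices the caller's text into its SQL, beside the parameterized version, run against a constructed in-memory SQLite table.

```python
"""Added example, not from the post or the Oklahoma DOC: a public
"search by last name" page that executes user input verbatim, beside the
parameterized version. All records below are constructed."""
import sqlite3

# Constructed sample data. The ssn column stands in for the data a search
# page must never be able to return, whatever the caller types.
SAMPLE_ROWS = [
    (1, "Alice", "Smith", "000-00-0001"),
    (2, "Bob", "Jones", "000-00-0002"),
    (3, "Carol", "Smith", "000-00-0003"),
    (4, "Dan", "O'Brien", "000-00-0004"),
]


def build_db():
    """Fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registrant (id INTEGER, first TEXT, last TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO registrant VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    """The anti-pattern the post describes: the caller's text is spliced into
    the statement and executed as-is, so whatever SQL the caller appends runs
    with the page's database rights."""
    sql = f"SELECT first, last FROM registrant WHERE last = '{last_name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, last_name):
    """Parameter binding: the value travels separately from the statement
    text, so it can only be compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT first, last FROM registrant WHERE last = ?", (last_name,)
    ).fetchall()


def vulnerable_breaks_on(conn, last_name):
    """True if the vulnerable query cannot even handle this legitimate name.
    A quote in ordinary input blowing up the page is the first sign that the
    statement is being built by string concatenation."""
    try:
        lookup_vulnerable(conn, last_name)
        return False
    except sqlite3.OperationalError:
        return True


def looks_like_probe(last_name):
    """Cheap check for reviewing past requests in the access logs: surnames
    contain letters, spaces, hyphens and at most one apostrophe. A detection
    aid for incident review, not a substitute for binding."""
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ -'")
    return any(ch not in allowed for ch in last_name) or last_name.count("'") > 1


if __name__ == "__main__":
    db = build_db()
    # A tautology supplied as the "last name" makes the unsafe query match every row.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # all four registrants
    print("hardened:  ", lookup_hardened(db, probe))     # []
    print("hardened, legitimate quote:", lookup_hardened(db, "O'Brien"))
    print("vulnerable breaks on O'Brien:", vulnerable_breaks_on(db, "O'Brien"))
```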







CA Products DSM gui_cm_ctrls ActiveX Control Code Execution - Highly critical - From remote. Issued 1 day ago. A vulnerability has been reported in various CA products, which can be exploited by malicious people to compromise a vulnerable system.






Safari Multiple Vulnerabilities - Highly critical - From remote. Issued 1 day ago. Some vulnerabilities have been reported in Safari, which can be exploited by malicious people to conduct cross-site scripting attacks or potentially to compromise a user's system.








Mozilla Firefox Javascript Garbage Collector Vulnerability - Highly critical - From remote. Issued 1 day ago. A vulnerability has been reported in Mozilla Firefox, which can potentially be exploited by malicious people to compromise a user's system.







Windows Vista Service Pack 1: Not for the Impatient
Microsoft has released a bundle of security and stability updates for Windows Vista users. What follows is a long-overdue primer on this package of goodies from Redmond known as Service Pack 1.
http://blogs.washingtonpost.com/securityfix/

Wednesday, April 16, 2008

Wednesday News Feed 4/16/08

Consumer groups urge 'do not track' registry The FTC asked for a mechanism that would keep advertisers from being able to collect information from users. Read more...





Malicious microprocessor opens new doors for attack






Criminals phish for CEOs via fake subpoenas






MiFare RFID crack more extensive than previously thought






ClamAV confirms critical bug, offers up patch






Hacker releases working GDI-bug attack code






April 16, 2008 Asia Hindered by Lack of Cybercrime Laws
http://www.crime-research.org/news/16.04.2008/3313/







April 16, 2008 FBI cyber crime chief on botnets, web terror and the social network threat
http://www.crime-research.org/news/16.04.2008/3312/
Scott O'Neal oversees the FBI's response to computer hacking and botnet attacks by criminals, terrorists and foreign powers.

The cyber division is one of the faster growing operational departments within the FBI. The growth of international cyber crime and terrorism over the past five years has spurred the FBI to establish dedicated cyber squads at each of its 56 field offices across the US and support 70 cyber task forces nationwide, backed up by global intelligence gathering by its Internet Crime Complaint Centre.

O'Neal works at the cyber division headquarters at the FBI main office in Washington. The division tackles computer intrusion and cyber crime. Computer intrusion mainly focuses on criminal hacking and distributed denial of service attacks but also deals with terrorist and state-sponsored threats. The cyber crime department's main priority is tackling child pornography but it also combats online fraud, such as phishing, and property rights investigations.








Wireless Security Gets Boost From New Round of Products - 4/16/2008 11:55:00 AM
Wireless isn't the problem child it used to be, but authentication and management still challenge enterprises







PayPal Outlines Strategy to Slow Phishing - 4/15/2008 6:05:00 PM
Web's biggest phishing target published multi-layered plan to reduce delivery of fake emails and warn users of phishing sites






CA Exec: Security Pros Need to Be Unburied From the Org Chart - 4/14/2008 6:00:00 PM
To succeed, IT security must raise its profile in the business, says former CIO


SAN FRANCISCO -- RSA Conference 2008 -- Security pros need to stop fighting fires in the data center and start getting themselves noticed in the boardroom, a former CIO and top-ranking security executive said here last week.

Many IT security people see themselves primarily as technologists and problem-solvers, said Dave Hansen, former CIO at Computer Associates and currently senior vice president and general manager of CA's Security Management business unit. But as security becomes more critical to the business, CSOs need to delegate some of the operations functions and get more tied into the business, he said.

"Right now, 46 percent of CSOs spend up to a third of their day just analyzing security event reports," Hansen said. "That’s not the way to maximize value to the organization -- and it needs to change."









Bush Administration Seeks to Use Spy Programs in US Over Congressional Objections
The Bush administration said that it plans to start using the nation's most advanced spy technology for domestic purposes soon, rebuffing challenges by House Democrats over the idea's legal authority. The administration in May 2007 gave DHS authority to coordinate requests for satellite imagery, radar, electronic-signal information, chemical detection and other monitoring capabilities that have been used for decades within U.S. borders for mapping and disaster response. But Congress delayed launch of the new office last October. Critics cited its potential to expand the role of military assets in domestic law enforcement, to turn new or as-yet-undeveloped technologies against Americans without adequate public debate, and to divert the existing civilian and scientific focus of some satellite work to security uses.
Administration Set to Use New Spy Program in U.S., Washington Post, April 12, 2008.
Posted by EPIC on April 15, 2008.







Microsoft Suggests Tiered Privacy Approach for Online Ads
Microsoft has proposed a tiered approach to protecting the privacy of people targeted by online advertising, saying advertisers should get permission before using sensitive, personally identifiable information to deliver ads. Microsoft filed comments on Friday in response to the U.S. Federal Trade Commission's request for comments on its proposed privacy principles that would be self-administered by the online advertising industry. Microsoft's proposal operates under the idea that the greater the risk to privacy, the greater the protection data should receive, Microsoft officials said.
Microsoft Proposes Tiered Privacy in Online Advertising, IDG News Service, April 11, 2008.
Posted by EPIC on April 15, 2008.








The 10.000 web sites infection mystery solved
Published: 2008-04-16, Last Updated: 2008-04-16 13:32:09 UTC by Bojan Zdrnja (Version: 2)

Back in January there were multiple reports about a large number of web sites being compromised and serving malware. Fellow handler Mary wrote the initial diary at http://isc.sans.org/diary.html?storyid=3834.
Later we did several diaries where we analyzed the attacks, such as the one I wrote at http://isc.sans.org/diary.html?storyid=3823. Most of the reports about these attacks we received pointed to exploitation of SQL Injection vulnerabilities.
Yesterday, one of our old friends, Dr. Neal Krawetz, pointed us to another site hosting malicious JavaScript files with various exploits. While those exploits were more or less standard, we managed to uncover a rare gem among them: the actual executable that is used by the bad guys in order to compromise web sites.







DivX Player Subtitle Parsing Buffer Overflow Vulnerability








Identity Theft Smash & Grab, CEO Style
Tens of thousands of corporate executives were the target of a series of identity-theft scams this week, e-mail-borne schemes that appear to have netted close to 2,000 victims so far.
http://blogs.washingtonpost.com/securityfix/







"Web tripwires" reveal 1.3% of web pages altered in transit
That web page you just received might not be a perfect copy of the original. New research shows that one percent of pages are monkeyed with between the server and your browser, but not all those changes are bad.
April 16, 2008 - 11:04AM CT - by Nate Anderson


Vista SP1 available in more languages
Mary Jo Foley: Users can install the (x86 and x64) versions of SP1 either manually via Windows Update or by downloading the standalone installer from the Microsoft Download Center.








Did DirecTV Hire Satellite Hackers To Leak Dish TV Smart Cards?







Security experts split on "cyberterrorism" threat
Reuters - 41 minutes ago
LONDON (Reuters) - International experts called on Wednesday for greater cooperation to fight threats to computer networks but they differed on the definition of cyberterrorism, with a top British security official describing it as a "myth."








Attackers exploit recent Microsoft fix
Sue Marquette Poremba April 15, 2008
Hackers continue trying to exploit a patched vulnerability in Microsoft's Graphic Display Interface (GDI), researchers said this week.






Cybersecurity lobby merges with IT trade group
Dan Kaplan April 15, 2008
The Information Technology Association of America has absorbed the Cyber Security Industry Alliance, a lobby that has been pressuring lawmakers to pass federal data security and breach notification measures.






S.P.A.M. Experiment Update
Wednesday April 16, 2008 at 6:58 am CST. Posted by Toralv Dirro
Meeting the German participants of the McAfee SPAM Experiment for dinner yesterday turned out to be very interesting and provided some unexpected results. After 14 days living on a Spam-mail diet they are still in good shape. Some are so into it that they even installed SiteAdvisor to find out, in advance, if a site is likely to send you spam when you leave your email address there…