DC Goes for a Universal City ID Document
The District of Columbia has announced an ambitious plan to link multi-use documents to a centralized tracking system that would span a wide range of city services including summer jobs programs, public schools, attendance at public meetings, metro fare cards, and city health service offices. The citywide ID plan is proposed in a climate where a national ID debate is advanced under the scheme called REAL ID.
New ID Card Serves Students, Rec Centers, Libraries in D.C., Washington Post, June 27, 2008
Posted by EPIC on June 27, 2008.Permanent link to this item.
Pentagon Consulting Social Scientists on Security
This seems like a good idea:
Eager to embrace eggheads and ideas, the Pentagon has started an ambitious and unusual program to recruit social scientists and direct the nation’s brainpower to combating security threats like the Chinese military, Iraq, terrorism and religious fundamentalism.
The article talks a lot about potential conflicts of interest and such, and less on what sorts of insights the social scientists can offer. I think there is a lot of potential value here.
Posted on June 30, 2008 at 12:13 PM • 2 Comments •
View Blog Reactions
Internet Explorer 6 Window "location" Handling Vulnerability - Moderately critical - From remoteIssued 4 days ago. Updated 3 days ago. Ph4nt0m Security Team has discovered a vulnerability in Internet Explorer 6, which can be exploited by malicious people to conduct cross-domain scripting attacks.
Internet Explorer 7 Frame Location Handling Vulnerability - Moderately critical - From remoteIssued 4 days ago. Updated 10 hours ago. sirdarckcat has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct spoofing attacks.
http://blogs.washingtonpost.com/securityfix/
Posted at 08:00 AM ET, 06/30/2008
Data Breach Reports Up 69 Percent in 2008
Businesses, governments and universities reported a record number of data breaches in the first half of this year, a 69 percent increase over the same period in 2007 driven by a spike in data thefts attributed to employees and contractors, according to an analysis by identity theft experts.
The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year.
Breach-notification laws not working? Robert Lemos, 2008-06-25 Research fails to find a correlation between states with disclosure laws and reduced identity theft, suggesting the best defense for concerned citizens is to take action themselves.
EU advisors: Secure ISPs, form "cyber-NATO"News Brief, 2008-06-26Academic researchers tasked with making information-security recommendations to the European Union call for Internet service providers to clean up their networks and for the creation of a group to aid international investigations.
Controls? What controls?
Pentagon Worker Spent Tax MoneyOn Exotic Dancer, Prosecutors Say
By JOE HARRIS
ST. LOUIS (CN) - A Defense Department civilian employee and an exotic dancer charged more than $56,000 on the employee's Defense Department credit card, federal prosecutors say. Steven C. Brown, 49, of Godfrey, Ill., and the dancer, Teressa V. Shrum, 33, of Hannibal, Mo., were indicted on 20 felony counts of theft of public money.
Phone Phreak Rap: You're In Jail, and I'm Not
With Stuart Rosoff and his gang of SWATters all sentenced to up to five years in prison for sending cops bursting into the homes of their party line enemies, phone hackers and ersatz hip-hop artists Lucky225 and Lotus recorded this (.mp3) nerdcore track to taunt their convicted foes.
FBI access to private data in Europe pending
Richard Thurston June 30, 2008
The European Commission is said to be close to finalizing an agreement with the U.S. that would allow the FBI to see the credit card histories and internet browsing habits of European citizens.
Researchers reveal VoIP vulnerabilities
Sue Marquette Poremba June 27, 2008
VoIPshield Laboratories has alerted companies that market voice over IP systems of new security vulnerabilities.
Report: Montgomery Ward fails to alert victims of breach
Chuck Miller June 27, 2008
Mongomery Ward, an old-line merchant now operating as an internet retailer, suffered a breach of some 51,000 customer credit card numbers, and failed to report it to customers.
New PDF exploits: “Old wine in a new bottle!”
Thursday June 26, 2008 at 8:30 pm CSTPosted by Yichong Lin
No CommentsPermanent Link
We came across some samples and some vendors claims that the these samples were exploiting the new PDF vulnerability CVE-2008-2641.
We took a look at this issue and found that this is not the case, it’s still exploiting the old vulnerability CVE-2007-5659, which is a buffer overflow vulnerability in JavaScript function Collab.collectEmailInfo in Adobe PDF Reader’s own JavaScript Engine.
Good Always Comes Out of Bad
Not sure I agree, but it's more reading about the Turkish hackers who grabbed ICANN's DNS records...
Monday, June 30, 2008
Friday, June 27, 2008
Friday News Feed 6/27/08
Hackers hijack critical Internet organizations Turkish hackers on Thursday managed to deface the Web sites of the international organizations that run the Internet's critical routing infrastructure and regulate domain names. Read more...
Turkish gang redirect ICANN, IANA traffic, taunt 'We control the domains!'
Web firewalls trumping other options as PCI deadline nears
'Vista Capable' lawyers bicker over document discovery
Researchers warn of IE6 zero-day bug
Avaya, Cisco and Nortel face VoIP vulnerabilities
Preventing SQL injection
Startup Promises to Slow Software Tampering - 6/25/2008 12:03:00 PM Metaforic says its anti-hacking tools aren't invulnerable, but definitely will make software exploits less fun
News from FIRST 2008: Driving Security Response Excellence and Innovation
Laptop Searches at Airports Raises Privacy Questions
TSA agents' search of air travelers' laptops is under scrutiny by the US Senate. The search of air travelers' luggage is routine, while the search of electronic devices is not. The practice by government agents at airports of accessing and copying the content of computers and other digital devices have raised 4th Amendment questions. The Senate Judiciary Subcommittee hearing Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel explored the issue.
Laptop Searches in Airports Draw Fire at Senate Hearing, New York Times, June 26, 2008
Posted by EPIC on June 26, 2008.Permanent link to this item.
Carrier Pigeons Bringing Contraband into Prisons
In Brazil.
I think this is the first security vulnerability found in RFC 1149: "Standard for the transmission of IP datagrams on avian carriers." Deep packet inspection seems to be the only way to prevent this attack, although adequate fencing will prevent the protocol from running in the first place.
Posted on June 27, 2008 at 6:32 AM
Internet Explorer 7 Frame Location Handling Vulnerability - Moderately critical - From remoteIssued 1 day ago. sirdarckcat has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct spoofing attacks.
Internet Explorer 6 Window "location" Handling Vulnerability - Moderately critical - From remoteIssued 1 day ago. Updated 11 hours ago. Ph4nt0m Security Team has discovered a vulnerability in Internet Explorer 6, which can be exploited by malicious people to conduct cross-domain scripting attacks.
New PDF exploits: “Old wine in a new bottle!”
National health-record privacy law in Congress
Chuck Miller June 26, 2008
A new law in Congress would require every U.S. citizen to have electronic health records by 2014. It would also set up privacy rules for those records, requiring information keepers to notify patients of security breaches.
Privacy standards help safeguard online health data
Dan Kaplan June 26, 2008
Just a few months after Google and Microsoft announced they were launching online consumer health platforms, a nonprofit has unveiled a common framework to protect sensitive medical records.
Man's "Parrot Fever" Death Tests Products Liability Law
The family of a Texas man who allegedly died of a disease contracted from a sick cockatiel has sued PetSmart for wrongful death, but the fate of similar cases around the country suggests their products liability theory will not fly.
http://www.onpointnews.com/
Former White House Advisor: Hackers Didn't Cause 2003 Blackout
By Kevin Poulsen June 27, 2008 1:38:56 PMCategories: Cybarmageddon!
Cyber security consultant Paul Kurtz threw some cold water this week on a report that Chinese hackers caused the massive 2003 northeastern U.S. blackout. He worked for the White House at the time of the outage.
Marshall Islands email paralysed by 'zombie' attack AFP - Tue Jun 24, 6:42 AM ET
MAJURO (AFP) - Email communication in the Marshall Islands was paralysed Tuesday after hackers launched a "zombie" computer attack on the western Pacific nation's only Internet service provider, officials said.
Antispam Group Outlines Defenses to Block Botnet SpamPC World - Thu Jun 26, 9:40 AM ET
A major antispam organization is pushing a set of new best practices for ISPs to stop increasing volumes of spam generated by...
Russian hackers working inside China…
Summary: Chinese cyberwarfare threat by the Heritage Foundation
European Union Study Security Economics and The Internal Market By Grey McKenzie Today
Can Your Employer Read Your Personal Email After You Are No Longer Employed There?
from the questions-for-the-courts dept
While we already know that plenty of companies have systems in place to monitor your corporate email, what about your personal email accounts? And, just to make it more interesting, what about your personal email accounts after you are no longer employed at the firm? That's what's at stake in a new lawsuit, filed by a guy who was fired from a company, and later learned that they were reading his personal Yahoo email -- including messages he sent to his lawyer about responding to the firing.
Apparently, he left a computer at the office logged in to his Yahoo account, and that made it easy for the company to read his email -- and the company claims that since it's on a company computer, it's fair game. It's not exactly clear how he found out they were reading his email, however. Also, the company claims that the reason they looked at his email was because after getting fired, he used a computer (in plain view of other employees) to send himself various confidential company info. Even if that's true, it's not clear that the company should still be able to read emails in his personal account.
Nate McFeters: Another Trojan hits Mac OS X
Nate McFeters: Russian hackers planning attacks against Baltic countries and Ukraine
The World of Warcraft developer is announcing that it plans to release a "Blizzard Authenticator". It’s a keychain addition which gives all WoW players a six digit security code designed especially by the company to "help prevent unauthorized account access".
.confusion: ICANN opens up Pandora's Box of new TLDs
ICANN voted today on a measure that will allow businesses and other organizations to apply for almost any new top level domain they can think of. The organization believes the measure will help foster growth in online properties, despite some looming concerns about user frustration.
June 26, 2008 - 12:11PM CT - by Jacqui Cheng
Breach-notification laws not working? Robert Lemos, 2008-06-25 Research fails to find a correlation between states with disclosure laws and reduced identity theft, suggesting the best defense for concerned citizens is to take action themselves.
EU advisors: Secure ISPs, form "cyber-NATO"News Brief, 2008-06-26Academic researchers tasked with making information-security recommendations to the European Union call for Internet service providers to clean up their networks and for the creation of a group to aid international investigations.
Turkish gang redirect ICANN, IANA traffic, taunt 'We control the domains!'
Web firewalls trumping other options as PCI deadline nears
'Vista Capable' lawyers bicker over document discovery
Researchers warn of IE6 zero-day bug
Avaya, Cisco and Nortel face VoIP vulnerabilities
Preventing SQL injection
Startup Promises to Slow Software Tampering - 6/25/2008 12:03:00 PM Metaforic says its anti-hacking tools aren't invulnerable, but definitely will make software exploits less fun
News from FIRST 2008: Driving Security Response Excellence and Innovation
Laptop Searches at Airports Raises Privacy Questions
TSA agents' search of air travelers' laptops is under scrutiny by the US Senate. The search of air travelers' luggage is routine, while the search of electronic devices is not. The practice by government agents at airports of accessing and copying the content of computers and other digital devices have raised 4th Amendment questions. The Senate Judiciary Subcommittee hearing Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel explored the issue.
Laptop Searches in Airports Draw Fire at Senate Hearing, New York Times, June 26, 2008
Posted by EPIC on June 26, 2008.Permanent link to this item.
Carrier Pigeons Bringing Contraband into Prisons
In Brazil.
I think this is the first security vulnerability found in RFC 1149: "Standard for the transmission of IP datagrams on avian carriers." Deep packet inspection seems to be the only way to prevent this attack, although adequate fencing will prevent the protocol from running in the first place.
Posted on June 27, 2008 at 6:32 AM
Internet Explorer 7 Frame Location Handling Vulnerability - Moderately critical - From remoteIssued 1 day ago. sirdarckcat has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct spoofing attacks.
Internet Explorer 6 Window "location" Handling Vulnerability - Moderately critical - From remoteIssued 1 day ago. Updated 11 hours ago. Ph4nt0m Security Team has discovered a vulnerability in Internet Explorer 6, which can be exploited by malicious people to conduct cross-domain scripting attacks.
New PDF exploits: “Old wine in a new bottle!”
National health-record privacy law in Congress
Chuck Miller June 26, 2008
A new law in Congress would require every U.S. citizen to have electronic health records by 2014. It would also set up privacy rules for those records, requiring information keepers to notify patients of security breaches.
Privacy standards help safeguard online health data
Dan Kaplan June 26, 2008
Just a few months after Google and Microsoft announced they were launching online consumer health platforms, a nonprofit has unveiled a common framework to protect sensitive medical records.
Man's "Parrot Fever" Death Tests Products Liability Law
The family of a Texas man who allegedly died of a disease contracted from a sick cockatiel has sued PetSmart for wrongful death, but the fate of similar cases around the country suggests their products liability theory will not fly.
http://www.onpointnews.com/
Former White House Advisor: Hackers Didn't Cause 2003 Blackout
By Kevin Poulsen June 27, 2008 1:38:56 PMCategories: Cybarmageddon!
Cyber security consultant Paul Kurtz threw some cold water this week on a report that Chinese hackers caused the massive 2003 northeastern U.S. blackout. He worked for the White House at the time of the outage.
Marshall Islands email paralysed by 'zombie' attack AFP - Tue Jun 24, 6:42 AM ET
MAJURO (AFP) - Email communication in the Marshall Islands was paralysed Tuesday after hackers launched a "zombie" computer attack on the western Pacific nation's only Internet service provider, officials said.
Antispam Group Outlines Defenses to Block Botnet SpamPC World - Thu Jun 26, 9:40 AM ET
A major antispam organization is pushing a set of new best practices for ISPs to stop increasing volumes of spam generated by...
Russian hackers working inside China…
Summary: Chinese cyberwarfare threat by the Heritage Foundation
European Union Study Security Economics and The Internal Market By Grey McKenzie Today
Can Your Employer Read Your Personal Email After You Are No Longer Employed There?
from the questions-for-the-courts dept
While we already know that plenty of companies have systems in place to monitor your corporate email, what about your personal email accounts? And, just to make it more interesting, what about your personal email accounts after you are no longer employed at the firm? That's what's at stake in a new lawsuit, filed by a guy who was fired from a company, and later learned that they were reading his personal Yahoo email -- including messages he sent to his lawyer about responding to the firing.
Apparently, he left a computer at the office logged in to his Yahoo account, and that made it easy for the company to read his email -- and the company claims that since it's on a company computer, it's fair game. It's not exactly clear how he found out they were reading his email, however. Also, the company claims that the reason they looked at his email was because after getting fired, he used a computer (in plain view of other employees) to send himself various confidential company info. Even if that's true, it's not clear that the company should still be able to read emails in his personal account.
Nate McFeters: Another Trojan hits Mac OS X
Nate McFeters: Russian hackers planning attacks against Baltic countries and Ukraine
The World of Warcraft developer is announcing that it plans to release a "Blizzard Authenticator". It’s a keychain addition which gives all WoW players a six digit security code designed especially by the company to "help prevent unauthorized account access".
.confusion: ICANN opens up Pandora's Box of new TLDs
ICANN voted today on a measure that will allow businesses and other organizations to apply for almost any new top level domain they can think of. The organization believes the measure will help foster growth in online properties, despite some looming concerns about user frustration.
June 26, 2008 - 12:11PM CT - by Jacqui Cheng
Breach-notification laws not working? Robert Lemos, 2008-06-25 Research fails to find a correlation between states with disclosure laws and reduced identity theft, suggesting the best defense for concerned citizens is to take action themselves.
EU advisors: Secure ISPs, form "cyber-NATO"News Brief, 2008-06-26Academic researchers tasked with making information-security recommendations to the European Union call for Internet service providers to clean up their networks and for the creation of a group to aid international investigations.
Thursday, June 26, 2008
Thursday News Feed 6/26/08
Researchers warn of IE6 zero-day bug
Cross-site scripting flaw is variant of a bug reported to Microsoft in May
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9103859&taxonomyId=17&intsrc=kc_top
Fired Director of IT accused of destroying organ donor information of former company
http://www.wyff4.com/news/16710144/detail.html
GREENVILLE, S.C. -- Greenville County technical staff members told county council members Thursday that least five county-owned computers have been accessed illegally. Thursday's meeting included nine council members, but Councilman Tony Trout was not one of them.
The FBI has accused Trout of accessing information on county administrator Joe Kernell's computer as well as council chairman Butch Kirven's computer.
State attorney general becomes identity theft victim
http://www.kentucky.com/210/story/444133.html
Avaya, Cisco and Nortel face VoIP vulnerabilities
Cleaning Chinese malware sites a 'bigger challenge' than in U.S., says researcher
ISP backs off behavioral ad plan
Senators question border laptop searches
$1B market for meddling with DNS poses security problem
CNET employees notified after data breach
Cross-site scripting flaw is variant of a bug reported to Microsoft in May
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9103859&taxonomyId=17&intsrc=kc_top
Fired Director of IT accused of destroying organ donor information of former company
http://www.wyff4.com/news/16710144/detail.html
GREENVILLE, S.C. -- Greenville County technical staff members told county council members Thursday that least five county-owned computers have been accessed illegally. Thursday's meeting included nine council members, but Councilman Tony Trout was not one of them.
The FBI has accused Trout of accessing information on county administrator Joe Kernell's computer as well as council chairman Butch Kirven's computer.
State attorney general becomes identity theft victim
http://www.kentucky.com/210/story/444133.html
Avaya, Cisco and Nortel face VoIP vulnerabilities
Cleaning Chinese malware sites a 'bigger challenge' than in U.S., says researcher
ISP backs off behavioral ad plan
Senators question border laptop searches
$1B market for meddling with DNS poses security problem
CNET employees notified after data breach
Wednesday, June 25, 2008
Wednesday Daily Feed 6/25/08
SQL Injection Attacks Exploiting Unverified User Data InputPosted Tuesday, June 24, 2008 11:35 AM by MSRCTEAM
New tools to block and eradicate SQL injection
Adobe Reader and Acrobat 8.1.2 Security Update
Vulnerability in Adobe Acrobat leads to public exploit
Dan Kaplan June 24, 2008
Adobe has updated its Reader and Acrobat products to shore up a major vulnerability that already is being exploited in the wild.
Using Google Earth to Find Unguarded Houses
UK teens are using Google Earth to find swimming pools they can crash.
How long before someone finds a more serious crime that can be aided by Google Earth?
Malicious Spam Traffic Triples in One Week - 6/25/2008 6:30:00 AM Sudden massive bot recruitment campaign by Srizbi botnet drives malicious spam up 9.9%, according to researchers at Marshal
The Difference Between Application and Session Layer Firewalls
by Ricky M. Magalhaes
Articles / Firewalls & VPNs
A review of the differences between Application and Session layer firewalls.
Two new Linux kernel vulnerabilities discovered & patched
Safari update fixes "carpet bomb" flawNews Brief, 2008-06-20Apple releases a patch for the Windows version of its browser, fixing four flaws including one that allows attackers to place an unlimited number of untrusted executable files on the desktop.
You Thought You Hated Windows? Check Out What Bill Gates Had To Say
from the classic dept
This one is getting passed around pretty quickly, but as he retires from Microsoft, we couldn't resist highlighting this fantastic internal email from Bill Gates complaining about the usability of some Windows features. It's old -- from 2003 -- but it's difficult to read it and not identify with some of the complaints.
New tools to block and eradicate SQL injection
Adobe Reader and Acrobat 8.1.2 Security Update
Vulnerability in Adobe Acrobat leads to public exploit
Dan Kaplan June 24, 2008
Adobe has updated its Reader and Acrobat products to shore up a major vulnerability that already is being exploited in the wild.
Using Google Earth to Find Unguarded Houses
UK teens are using Google Earth to find swimming pools they can crash.
How long before someone finds a more serious crime that can be aided by Google Earth?
Malicious Spam Traffic Triples in One Week - 6/25/2008 6:30:00 AM Sudden massive bot recruitment campaign by Srizbi botnet drives malicious spam up 9.9%, according to researchers at Marshal
The Difference Between Application and Session Layer Firewalls
by Ricky M. Magalhaes
Articles / Firewalls & VPNs
A review of the differences between Application and Session layer firewalls.
Two new Linux kernel vulnerabilities discovered & patched
Safari update fixes "carpet bomb" flawNews Brief, 2008-06-20Apple releases a patch for the Windows version of its browser, fixing four flaws including one that allows attackers to place an unlimited number of untrusted executable files on the desktop.
You Thought You Hated Windows? Check Out What Bill Gates Had To Say
from the classic dept
This one is getting passed around pretty quickly, but as he retires from Microsoft, we couldn't resist highlighting this fantastic internal email from Bill Gates complaining about the usability of some Windows features. It's old -- from 2003 -- but it's difficult to read it and not identify with some of the complaints.
Monday, June 23, 2008
Monday News Feed 6/23/08
Laptops break - Do your backups!
Flooded Firms Reassess Disaster Recovery Plans Executives from companies in Cedar Falls, Iowa, said they are assessing how the massive Midwestern floods are affecting their IT operations, and how it is forcing them to reassess disaster recovery plans. Read more...
Microsoft security fix clobbers 2 million password stealers
One-third of IT admins admit snooping with privileged passwords
Filling Out Forms: Still a Dangerous Game - 6/20/2008 5:00:00 PM Despite upgrades and fixes, most browsers are still vulnerable to attacks via Web forms, researcher says
Tech Insight: Finding Security-Sensitive Data – on a Shoestring Budget - 6/20/2008 2:50:00 PM Thanks to open-source tools, discovering the heart of your data doesn't always mean paying an arm and a leg
Fraud-Fighting Community Launches in US - 6/19/2008 5:40:00 PM Subscribers share information about fraudulent online transactions in online service
FCC moves ahead with plan for smut-free wireless broadband
Serious Security Vulnerabilty In Apple OS X Leopard
An unpatched security hole in Apple's OS X operating system could be used by attackers to change key system settings or to take control of vulnerable computers, security researchers warn.
In a posting to news-for-nerds site Slashdot.org on Wednesday, an anonymous reader noted that a core component of OS X 10.4 (Tiger) and 10.5 (Leopard) called Apple Remote Desktop Agent could be leveraged by any user on the machine to install new programs or alter important system settings. Generally, these tasks are reserved for only the "root" account -- the most powerful user account on the system -- or at the very least they require the user to first enter a password for the requested changes to take effect.
Researchers disclose Firefox 3 flawsNews Brief, 2008-06-19Looking to make a big splash, at least three researchers publish details of flaws a few hours after the release of Mozilla's latest browser.
SPY PICTURE: First image of Virgin Galactic SpaceShipTwo structure
http://www.flightglobal.com/articles/2008/06/21/224834/spy-picture-first-image-of-virgin-galactic-spaceshiptwo-structure.html
MPAA Explains Why Proof Shouldn't Be Necessary In Copyright Infringement Cases
Disgruntled hacker sentenced to five years
Sue Marquette Poremba June 20, 2008
A network engineer and technical services manager for San Diego's Council of Community Health Clinics was sentenced to 63 months in prison on federal hacking charges.
The Web's Dark Energy
By Jonathan Zittrain 0 Comments
Community policing can help make the Web safe.
Your Medical Data Online
By Amanda Schaffer 0 Comments
Google and Microsoft are offering rival programs that let people manage their own health information. Do potential users understand the risks?
Four Shanghai hackers admit to DoS extortion - promise not to do it again.
Bank Accounts And PINs Stolen Over Internet Reap Hackers Millions From Citibank By Grey McKenzie 06/20/2008
Flooded Firms Reassess Disaster Recovery Plans Executives from companies in Cedar Falls, Iowa, said they are assessing how the massive Midwestern floods are affecting their IT operations, and how it is forcing them to reassess disaster recovery plans. Read more...
Microsoft security fix clobbers 2 million password stealers
One-third of IT admins admit snooping with privileged passwords
Filling Out Forms: Still a Dangerous Game - 6/20/2008 5:00:00 PM Despite upgrades and fixes, most browsers are still vulnerable to attacks via Web forms, researcher says
Tech Insight: Finding Security-Sensitive Data – on a Shoestring Budget - 6/20/2008 2:50:00 PM Thanks to open-source tools, discovering the heart of your data doesn't always mean paying an arm and a leg
Fraud-Fighting Community Launches in US - 6/19/2008 5:40:00 PM Subscribers share information about fraudulent online transactions in online service
FCC moves ahead with plan for smut-free wireless broadband
Serious Security Vulnerabilty In Apple OS X Leopard
An unpatched security hole in Apple's OS X operating system could be used by attackers to change key system settings or to take control of vulnerable computers, security researchers warn.
In a posting to news-for-nerds site Slashdot.org on Wednesday, an anonymous reader noted that a core component of OS X 10.4 (Tiger) and 10.5 (Leopard) called Apple Remote Desktop Agent could be leveraged by any user on the machine to install new programs or alter important system settings. Generally, these tasks are reserved for only the "root" account -- the most powerful user account on the system -- or at the very least they require the user to first enter a password for the requested changes to take effect.
Researchers disclose Firefox 3 flawsNews Brief, 2008-06-19Looking to make a big splash, at least three researchers publish details of flaws a few hours after the release of Mozilla's latest browser.
SPY PICTURE: First image of Virgin Galactic SpaceShipTwo structure
http://www.flightglobal.com/articles/2008/06/21/224834/spy-picture-first-image-of-virgin-galactic-spaceshiptwo-structure.html
MPAA Explains Why Proof Shouldn't Be Necessary In Copyright Infringement Cases
Disgruntled hacker sentenced to five years
Sue Marquette Poremba June 20, 2008
A network engineer and technical services manager for San Diego's Council of Community Health Clinics was sentenced to 63 months in prison on federal hacking charges.
The Web's Dark Energy
By Jonathan Zittrain 0 Comments
Community policing can help make the Web safe.
Your Medical Data Online
By Amanda Schaffer 0 Comments
Google and Microsoft are offering rival programs that let people manage their own health information. Do potential users understand the risks?
Four Shanghai hackers admit to DoS extortion - promise not to do it again.
Bank Accounts And PINs Stolen Over Internet Reap Hackers Millions From Citibank By Grey McKenzie 06/20/2008
Friday, June 20, 2008
Friday News Feed 6/20/08
Apple does about-face, fixes Safari's 'carpet bomb' bug Apple has updated the Windows version of Safari, patching four flaws including one that prompted rival Microsoft to urge users to stop using Apple's browser. Read more...
Safari 3.1.2 for Windows released to address vulnerabilities
EBay boosts fraud protections for PayPal users
Fraudulent ATM transactions overseas could be tied to Indiana bank breach
Microsoft admits XP's Bluetooth patch didn't work
Mozilla investigates critical Firefox 3.0 bug
Windows, Mac and Linux versions all have the vulnerability
June 19, 2008 (Computerworld) Mozilla Corp. today downplayed a threat posed by the first vulnerability reported for Firefox 3.0, telling users that the risk is "minimal."
"There is no public exploit, the details are private, and so the risk to users is minimal," Window Snyder, Mozilla's chief security officer, said in an entry to a company blog.
...
Snyder was responding to news yesterday that 3Com Corp.'s TippingPoint, a security vendor that runs the Zero Day Initiative bug bounty program, had purchased a critical Firefox 3.0 vulnerability from an unnamed researcher and then forwarded information on the bug to Mozilla.
Nuance sues start-up Vlingo over speech recognition patent infringement
I wonder who their lawyers are... ;-)
Patch-blocking bug also stymies Microsoft's WSUS
Fraud-Fighting Community Launches in US - 6/19/2008 5:40:00 PM Subscribers share information about fraudulent online transactions in online service
ID Protection Startup Prepares Commercial Push - 6/19/2008 10:00:00 AM After completing identity theft study and numerous breach response engagements, Debix says it's good to go
Stolen Healthcare, Airline Credentials Found on Servers - 6/18/2008 5:45:00 PM Researchers at Finjan say cybercriminals are looking beyond stolen credit card accounts
Why Global Hackers Are Nearly Impossible to Catch
livescience.com — They're in our computers, reading our files. The Chinese government, that is, according to two U.S. Congressmen who recently accused Beijing of sending hackers to ferret out secret documents stored on Congressional computers. The Chinese deny any involvement, but if they were lying, would we be able to prove it?More… (Security)
Teens Charged With Loading Spyware, Changing GradesPC World - Wed Jun 18, 8:30 PM ET
Two Orange County teenagers have been charged with breaking into school computers, installing spyware and altering grades.
MS08-030 Re-released for Windows XP SP2 and SP3
Federal Court Limits Employers' Access to Employees' E-Communications
The 9th Circuit Court upheld the workplace privacy rights of employees in its decision in Quon v. Arch Wireless. Sgt. Jeff Quon and 3 other officers sued Arch Wireless for sharing wireless communication records with their employer, the Ontario Police Department. The City contracted for text messaging service for employees, and later obtained records to investigate whether all communications were work related. The court's decision reversed a lower court ruling, and found that the carrier was in violation of the 4th Amendment and California constitutional guarantees.
Court limits employer access to worker messages, Associated Press, June 19, 2008
Posted by EPIC on June 19, 2008.Permanent link to this item.
Citibank to Replace ATMs Following Crime Spree
http://blogs.washingtonpost.com/securityfix/
One of my sources, the other day, tipped me off that Citibank was in the process of replacing most of its automated teller machines (ATMs), but the source couldn't definitively say why. Citibank told ATM & Debit News that it was replacing some 2,000 proprietary ATMs in "a bid to improve customer service." But a story today by Wired.com reporter Kevin Poulsen suggests that the financial giant is responding to a computer intrusion into a Citibank server that processes ATM withdrawals, an incident that appears to have led to an ATM crime spree.
FISA deal worries privacy groupsNews Brief, 2008-06-18Congressional leaders are reportedly close to a compromise on revamping the Foreign Intelligence Surveillance Act and allowing telecoms a way to sidestep wiretapping lawsuits.
...And worth every penny...
Windows Live OneCare 2.0 Available for Free
Microsoft is indeed offering Windows Live OneCare 2.0 for free, but only the 90-day trial period version. However, the fully fledged security solution can be grabbed from Amazon.com for a total cost of $0. The official price of the product is $49.95. But the actual deducted price is just $30, the e-commerce website offering no less than 40%, or $19.95 off. But in addition to the discount, Amazon.com has also set up a rebate of no less than $30, e...
AP: China admits taking, burying US POW (AP)
Local root escalation vulnerability in Mac OS X 10.4 and 10.5 discovered
Breaking News… NOT!
Friday June 20, 2008 at 4:18 am CSTPosted by Kevin McGhee
No CommentsPermanent Link
There mustn’t be much going on in the world today as the Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:
Subject: Britney found hanged in locker room
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race
This clever social engineering technique plays on peoples inquisitiveness in news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.
All the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video (that’s actually just an image) it tries to download a .exe file. This is detected as BackDoor-DNM and the spam is also currently detected with our Anti-Spam products.
So it goes without saying.. NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date and if you have a website make sure its properly secured so you’re not hosting stuff like this.
Disgruntled hacker sentenced to five years
Sue Marquette Poremba June 19, 2008
A network engineer and technical services manager for San Diego's Council of Community Health Clinics was sentenced to 63 months in prison on federal hacking charges.
Kentucky Agrees To Stop Selectively Blocking State Employees From Reading Critical Blogs
Lame NHS loses 31,000 patient records
Michael Krigsman:Setting an example for irresponsibility while violating internal Department of Health policies, the UK National Health Service has lost unencrypted data on 31,000 patients.
Safari 3.1.2 for Windows released to address vulnerabilities
EBay boosts fraud protections for PayPal users
Fraudulent ATM transactions overseas could be tied to Indiana bank breach
Microsoft admits XP's Bluetooth patch didn't work
Mozilla investigates critical Firefox 3.0 bug
Windows, Mac and Linux versions all have the vulnerability
June 19, 2008 (Computerworld) Mozilla Corp. today downplayed a threat posed by the first vulnerability reported for Firefox 3.0, telling users that the risk is "minimal."
"There is no public exploit, the details are private, and so the risk to users is minimal," Window Snyder, Mozilla's chief security officer, said in an entry to a company blog.
...
Snyder was responding to news yesterday that 3Com Corp.'s TippingPoint, a security vendor that runs the Zero Day Initiative bug bounty program, had purchased a critical Firefox 3.0 vulnerability from an unnamed researcher and then forwarded information on the bug to Mozilla.
Nuance sues start-up Vlingo over speech recognition patent infringement
I wonder who their lawyers are... ;-)
Patch-blocking bug also stymies Microsoft's WSUS
Fraud-Fighting Community Launches in US - 6/19/2008 5:40:00 PM Subscribers share information about fraudulent online transactions in online service
ID Protection Startup Prepares Commercial Push - 6/19/2008 10:00:00 AM After completing identity theft study and numerous breach response engagements, Debix says it's good to go
Stolen Healthcare, Airline Credentials Found on Servers - 6/18/2008 5:45:00 PM Researchers at Finjan say cybercriminals are looking beyond stolen credit card accounts
Why Global Hackers Are Nearly Impossible to Catch
livescience.com — They're in our computers, reading our files. The Chinese government, that is, according to two U.S. Congressmen who recently accused Beijing of sending hackers to ferret out secret documents stored on Congressional computers. The Chinese deny any involvement, but if they were lying, would we be able to prove it?More… (Security)
Teens Charged With Loading Spyware, Changing GradesPC World - Wed Jun 18, 8:30 PM ET
Two Orange County teenagers have been charged with breaking into school computers, installing spyware and altering grades.
MS08-030 Re-released for Windows XP SP2 and SP3
Federal Court Limits Employers' Access to Employees' E-Communications
The 9th Circuit Court upheld the workplace privacy rights of employees in its decision in Quon v. Arch Wireless. Sgt. Jeff Quon and 3 other officers sued Arch Wireless for sharing wireless communication records with their employer, the Ontario Police Department. The City contracted for text messaging service for employees, and later obtained records to investigate whether all communications were work related. The court's decision reversed a lower court ruling, and found that the carrier was in violation of the 4th Amendment and California constitutional guarantees.
Court limits employer access to worker messages, Associated Press, June 19, 2008
Posted by EPIC on June 19, 2008.Permanent link to this item.
Citibank to Replace ATMs Following Crime Spree
http://blogs.washingtonpost.com/securityfix/
One of my sources, the other day, tipped me off that Citibank was in the process of replacing most of its automated teller machines (ATMs), but the source couldn't definitively say why. Citibank told ATM & Debit News that it was replacing some 2,000 proprietary ATMs in "a bid to improve customer service." But a story today by Wired.com reporter Kevin Poulsen suggests that the financial giant is responding to a computer intrusion into a Citibank server that processes ATM withdrawals, an incident that appears to have led to an ATM crime spree.
FISA deal worries privacy groupsNews Brief, 2008-06-18Congressional leaders are reportedly close to a compromise on revamping the Foreign Intelligence Surveillance Act and allowing telecoms a way to sidestep wiretapping lawsuits.
...And worth every penny...
Windows Live OneCare 2.0 Available for Free
Microsoft is indeed offering Windows Live OneCare 2.0 for free, but only the 90-day trial period version. However, the fully fledged security solution can be grabbed from Amazon.com for a total cost of $0. The official price of the product is $49.95. But the actual deducted price is just $30, the e-commerce website offering no less than 40%, or $19.95 off. But in addition to the discount, Amazon.com has also set up a rebate of no less than $30, e...
AP: China admits taking, burying US POW (AP)
Local root escalation vulnerability in Mac OS X 10.4 and 10.5 discovered
Breaking News… NOT!
Friday June 20, 2008 at 4:18 am CSTPosted by Kevin McGhee
No CommentsPermanent Link
There mustn’t be much going on in the world today as the Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:
Subject: Britney found hanged in locker room
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race
This clever social engineering technique plays on peoples inquisitiveness in news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.
All the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video (that’s actually just an image) it tries to download a .exe file. This is detected as BackDoor-DNM and the spam is also currently detected with our Anti-Spam products.
So it goes without saying.. NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date and if you have a website make sure its properly secured so you’re not hosting stuff like this.
Disgruntled hacker sentenced to five years
Sue Marquette Poremba June 19, 2008
A network engineer and technical services manager for San Diego's Council of Community Health Clinics was sentenced to 63 months in prison on federal hacking charges.
Kentucky Agrees To Stop Selectively Blocking State Employees From Reading Critical Blogs
Lame NHS loses 31,000 patient records
Michael Krigsman:Setting an example for irresponsibility while violating internal Department of Health policies, the UK National Health Service has lost unencrypted data on 31,000 patients.
Wednesday, June 18, 2008
Wednesday News Feed 06/18/2008
iPhone 3G's business-readiness still in question, Gartner says
On Friday, analyst Jack Gold, of J.Gold Associates LLC, issued a report citing security and support concerns regarding the iPhone 3G, concluding that it is "still coming up short for the enterprise." Gold said he was particularly concerned about the lack of native encryption to protect data on the device if it is stolen. Research in Motion Ltd. offers encryption of the data on its BlackBerries, and the latest versions of Windows Mobile and some other operating systems offer similar functionality, according to Gold
Dulaney said the new iPhone 3g has neither a firewall nor native encryption, "so banks and federal officials are not going to use it." He said Nokia Corp. has introduced native encryption on its E series devices, and he added that the iPhone 3G could eventually have something comparable, but so far it does not.
Blogging gets more dangerous as worldwide arrests triple A University of Washington study found that arrests of bloggers not affiliated with news organizations tripled from 2006 to 2007, mostly due to organizing or reporting on protest movements or exposing public corruption. Read more...
China quake fake in police custody
IBM's Roadrunner zooms to No. 1 on Top500 supercomputer list
Former 'spam king' must pay MySpace $6 million
Iowa floods forcing firms to race to keep IT afloat
June 17, 2008 (Computerworld) As historic floodwaters continue to hammer Cedar Falls, Iowa, local businesses are already assessing the environmental disaster's impact on IT operations, and how their disaster recovery plans are faring.
As of today, 100 blocks in the city's downtown are underwater and 3,900 homes have been evacuated in Cedar Falls.
Microsoft fixes patch-blocking bug
The problem, which Microsoft acknowledged late last Friday, affected administrators using System Center Configuration Manager (ConfigMgr) 2007 to update users' PCs running System Management Server (SMS) 2003 software.
System Center Configuration Manager 2007 is the successor to SMS 2003 that assesses, deploys and updates server and client computers.
According to Microsoft, customers with that combination had been unable to push June's security updates to end users' PCs. Those updates, which patched 10 vulnerabilities in Windows and Internet Explorer, were released on June 10.
June 17, 2008 Ex-official readies suit over bogus child porn rap
http://www.crime-research.org/news/17.06.2008/3417/
...“The overall forensics of the laptop suggest that it had been compromised by a virus,” said Jake Wark, spokesman for Suffolk District Attorney Daniel Conley.
Nationally recognized computer forensic analyst Tami Loehrs told the Herald Michael Fiola’s ordeal was “one of the most horrific cases I’ve seen.” “As soon as you mention child pornography, everybody’s senses go out the window,” she said. Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye.
Two forensic examinations conducted by the state Attorney General’s Office for the prosecution concurred with that conclusion, Wark said. Still, Fiola, 53, whose wife, Robin, described as “computer-illiterate,” wants his day in court. He intends to sue the DIA for “destroying our lives.”
“Our lives have been hell,” said Fiola, a former state park ranger now living in Rhode Island. “I hope to recover my reputation, but our friends all ran.”
DIA spokeswoman Linnea Walsh confirmed Fiola “was terminated,” but declined to say if any internal discipline has been meted out as a result of his name being cleared in court.“We stand by our decision,” she said.
Encryption: DLP's Newest Ingredient - 6/17/2008 6:00:00 PM Major vendors increasingly add encryption offerings to their data loss prevention packages
New DNS Trojan Hacks Home Routers - 6/17/2008 5:40:00 PM Researchers discover new variant of DNSChanger that changes DNS settings in home routers
Olympics Part II
On June 16th we published a short diary asking for comments about the dangers of bringing laptops, PDAs, cell phones, etc. to China if you are planning to attend the Olympics in August. We've received a number of interesting comments and I want to share two of them with our readers.
"...I can say that senior scientists and engineers employed by great Asian nations have not been bringing any laptops/notebooks/gadgets to said meetings (in the US). When they carry cel phones/PDAs, these are all scrupiously powered off and tucked out of sight, prior to entering "foreign" (to them) corporate campuses. It is a parking lot ritual of sorts that I have personally witnessed. "
Online Terror Threats Result in Jail Time
A federal court sentenced a Wisconsin man to 6 months in jail plus house arrest for false online threats. 14-Jun-2008
Dallas Airport's Very Revealing Passenger Screening
The Dallas Fort Worth International Airport is testing two millimeter wave whole body imaging machines on travelers. The technology allows a very detailed view of what is under clothing. Unlike an x-ray which penetrates skin, this technology does not. The technology also known as Backscatter X-Ray has been called a virtual strip-search.
New security scan at DFW Airport has privacy advocates worried, Dallas Morning News, June 16, 2008
Posted by EPIC on June 16, 2008.Permanent link to this item.
Magnetic Ring Attack on Electronic Locks
Impressive:
The 'ring of the devil' is capable of attacking this kind of electronic motor lock on two ways.
From http://www.schneier.com/blog/
In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn't work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry's lobbyists would never allow that.
from http://blogs.washingtonpost.com/securityfix/
...
Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin. As I noted in my previous story, Dynamic Dolphin is the seventh most-popular registrar among spammers who provide patently false information in their public WHOIS records.
Dynamic Dolphin is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites.
...
Continue reading this post »»
"Web traffic volumes will almost double every two years from 2007 to 2012, driven by video and web 2.0 applications, according to a report from Cisco Systems. Cisco's Visual Networking Index (PDF) predicts that visual networking will account for 90 per cent of the traffic coursing through the world's IP networks by 2012. The upward trend is not only driven by consumer demand for YouTube clips and IPTV, according to the report, as business use of video conferencing will grow at 35 per cent CAGR over the same period."
"Craig Wright discovered that the Jura F90 Coffee maker, with its honest-to-God Jura Internet Connection Kit, can be taken over by a remote attacker, who can cause the coffee to be weaker or stronger; change the amount of water per cup; or cause the machine to require service (call this one a DDoC). 'Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.' An Internet-enabled, remote-controlled coffee-machine and XP backdoor — what more could a hacker ask for?"
How to repair a dropped Wi-Fi signal on Vista laptops
Virginia Won't Stop Publishing People's Social Security Numbers; But Will Fine You For Republishing Them
Vendor IT security software revenue increases
Dan Kaplan June 17, 2008
Fueled by continued compliance demands and an evolving threat landscape, global software security revenue totaled $10.4 billion last year, a jump of nearly 20 percent, an analyst firm said Tuesday.
Breaking Phone-Call Encryption
By Erica NaoneTuesday, June 17, 2008
A data compression scheme could leave Internet phone calls vulnerable to eavesdroppers.
Bogus Domain Registrar Scamming Small Business, FTC Says
Anonymouse proxy now blocked in PRC
Stolen Medical, Business and Airline Data Discovered on Crimeware Servers in Argentina and Malaysia By Grey McKenzie Today
Islamic Jihad Adds Cyber-War Division To Its Armed Al-Quds Brigades By Grey McKenzie Today
On Friday, analyst Jack Gold, of J.Gold Associates LLC, issued a report citing security and support concerns regarding the iPhone 3G, concluding that it is "still coming up short for the enterprise." Gold said he was particularly concerned about the lack of native encryption to protect data on the device if it is stolen. Research in Motion Ltd. offers encryption of the data on its BlackBerries, and the latest versions of Windows Mobile and some other operating systems offer similar functionality, according to Gold
Dulaney said the new iPhone 3g has neither a firewall nor native encryption, "so banks and federal officials are not going to use it." He said Nokia Corp. has introduced native encryption on its E series devices, and he added that the iPhone 3G could eventually have something comparable, but so far it does not.
Blogging gets more dangerous as worldwide arrests triple A University of Washington study found that arrests of bloggers not affiliated with news organizations tripled from 2006 to 2007, mostly due to organizing or reporting on protest movements or exposing public corruption. Read more...
China quake fake in police custody
IBM's Roadrunner zooms to No. 1 on Top500 supercomputer list
Former 'spam king' must pay MySpace $6 million
Iowa floods forcing firms to race to keep IT afloat
June 17, 2008 (Computerworld) As historic floodwaters continue to hammer Cedar Falls, Iowa, local businesses are already assessing the environmental disaster's impact on IT operations, and how their disaster recovery plans are faring.
As of today, 100 blocks in the city's downtown are underwater and 3,900 homes have been evacuated in Cedar Falls.
Microsoft fixes patch-blocking bug
The problem, which Microsoft acknowledged late last Friday, affected administrators using System Center Configuration Manager (ConfigMgr) 2007 to update users' PCs running System Management Server (SMS) 2003 software.
System Center Configuration Manager 2007 is the successor to SMS 2003 that assesses, deploys and updates server and client computers.
According to Microsoft, customers with that combination had been unable to push June's security updates to end users' PCs. Those updates, which patched 10 vulnerabilities in Windows and Internet Explorer, were released on June 10.
June 17, 2008 Ex-official readies suit over bogus child porn rap
http://www.crime-research.org/news/17.06.2008/3417/
...“The overall forensics of the laptop suggest that it had been compromised by a virus,” said Jake Wark, spokesman for Suffolk District Attorney Daniel Conley.
Nationally recognized computer forensic analyst Tami Loehrs told the Herald Michael Fiola’s ordeal was “one of the most horrific cases I’ve seen.” “As soon as you mention child pornography, everybody’s senses go out the window,” she said. Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye.
Two forensic examinations conducted by the state Attorney General’s Office for the prosecution concurred with that conclusion, Wark said. Still, Fiola, 53, whose wife, Robin, described as “computer-illiterate,” wants his day in court. He intends to sue the DIA for “destroying our lives.”
“Our lives have been hell,” said Fiola, a former state park ranger now living in Rhode Island. “I hope to recover my reputation, but our friends all ran.”
DIA spokeswoman Linnea Walsh confirmed Fiola “was terminated,” but declined to say if any internal discipline has been meted out as a result of his name being cleared in court.“We stand by our decision,” she said.
Encryption: DLP's Newest Ingredient - 6/17/2008 6:00:00 PM Major vendors increasingly add encryption offerings to their data loss prevention packages
New DNS Trojan Hacks Home Routers - 6/17/2008 5:40:00 PM Researchers discover new variant of DNSChanger that changes DNS settings in home routers
Olympics Part II
On June 16th we published a short diary asking for comments about the dangers of bringing laptops, PDAs, cell phones, etc. to China if you are planning to attend the Olympics in August. We've received a number of interesting comments and I want to share two of them with our readers.
"...I can say that senior scientists and engineers employed by great Asian nations have not been bringing any laptops/notebooks/gadgets to said meetings (in the US). When they carry cel phones/PDAs, these are all scrupiously powered off and tucked out of sight, prior to entering "foreign" (to them) corporate campuses. It is a parking lot ritual of sorts that I have personally witnessed. "
Online Terror Threats Result in Jail Time
A federal court sentenced a Wisconsin man to 6 months in jail plus house arrest for false online threats. 14-Jun-2008
Dallas Airport's Very Revealing Passenger Screening
The Dallas Fort Worth International Airport is testing two millimeter wave whole body imaging machines on travelers. The technology allows a very detailed view of what is under clothing. Unlike an x-ray which penetrates skin, this technology does not. The technology also known as Backscatter X-Ray has been called a virtual strip-search.
New security scan at DFW Airport has privacy advocates worried, Dallas Morning News, June 16, 2008
Posted by EPIC on June 16, 2008.Permanent link to this item.
Magnetic Ring Attack on Electronic Locks
Impressive:
The 'ring of the devil' is capable of attacking this kind of electronic motor lock on two ways.
From http://www.schneier.com/blog/
In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn't work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry's lobbyists would never allow that.
from http://blogs.washingtonpost.com/securityfix/
...
Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin. As I noted in my previous story, Dynamic Dolphin is the seventh most-popular registrar among spammers who provide patently false information in their public WHOIS records.
Dynamic Dolphin is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites.
...
Continue reading this post »»
"Web traffic volumes will almost double every two years from 2007 to 2012, driven by video and web 2.0 applications, according to a report from Cisco Systems. Cisco's Visual Networking Index (PDF) predicts that visual networking will account for 90 per cent of the traffic coursing through the world's IP networks by 2012. The upward trend is not only driven by consumer demand for YouTube clips and IPTV, according to the report, as business use of video conferencing will grow at 35 per cent CAGR over the same period."
"Craig Wright discovered that the Jura F90 Coffee maker, with its honest-to-God Jura Internet Connection Kit, can be taken over by a remote attacker, who can cause the coffee to be weaker or stronger; change the amount of water per cup; or cause the machine to require service (call this one a DDoC). 'Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.' An Internet-enabled, remote-controlled coffee-machine and XP backdoor — what more could a hacker ask for?"
How to repair a dropped Wi-Fi signal on Vista laptops
Virginia Won't Stop Publishing People's Social Security Numbers; But Will Fine You For Republishing Them
Vendor IT security software revenue increases
Dan Kaplan June 17, 2008
Fueled by continued compliance demands and an evolving threat landscape, global software security revenue totaled $10.4 billion last year, a jump of nearly 20 percent, an analyst firm said Tuesday.
Breaking Phone-Call Encryption
By Erica NaoneTuesday, June 17, 2008
A data compression scheme could leave Internet phone calls vulnerable to eavesdroppers.
Bogus Domain Registrar Scamming Small Business, FTC Says
Anonymouse proxy now blocked in PRC
Stolen Medical, Business and Airline Data Discovered on Crimeware Servers in Argentina and Malaysia By Grey McKenzie Today
Islamic Jihad Adds Cyber-War Division To Its Armed Al-Quds Brigades By Grey McKenzie Today
Sunday, June 15, 2008
Monday News Feed 6/16/08
Microsoft snafu blocks enterprise patching
System Center Configuration Manager problem stymies last week's security updates
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9098078&taxonomyId=17&intsrc=kc_top
June 15, 2008 (Computerworld) Microsoft confirmed late Friday that enterprise administrators using one of its patch distribution tools have not been able to install last week's security updates.
The company offered a workaround and said it is working on a fix.
"We're aware of an issue that is affecting the deployment of the June 2008 security updates," acknowledged Christopher Budd, spokesman for the Microsoft Security Response Center (MSRC), in a post to the group's blog Friday night.
Only corporate administrators using System Center Configuration Manager (ConfigMgr) 2007, which itself was just updated to Service Pack 1 (SP1), are affected, Budd said, and only those systems running System Management Server (SMS) 2003 client software refuse to update. "The impact of this issue is that customers in this configuration cannot deploy the June 2008 security updates to their SMS 2003 clients," said Budd.
Security Advisory 954474: Deployment Issue affecting System Center Configuration Manager 2007servers with SMS 2003 clients
Man gets six months for posting terror threat online
Online Terror Threats Result in Jail Time
A federal court sentenced a Wisconsin man to 6 months in jail plus house arrest for false online threats. 14-Jun-2008
iPhone 3G not there yet for widescale business use
Danish filter catches Romanian child-porn sites
Experts: Spyware legislation needs more work
June 14, 2008 Forensic computer analysts become real employment in police divisions
http://www.crime-research.org/news/14.06.2008/3411/
Email Surveillance Switch Pays Off at Brokerage - 6/13/2008 3:25:00 PM Frustrated by high rate of false positives, Scott and Stringfellow moves to Orchestria
"Some time ago, most electronics were soldered with old-fashioned lead solder, which has been tried and tested for decades. In 2006, the EU banned lead in solder, and so most manufacturers switched to a lead-free solder. Most made the switch in advance, I guess due to shelf-life of products and ironing out problems working with the new material. Lead is added to solder as it melts at low temperature, but also, it prevents the solder from growing 'whiskers' — crystalline limbs of metal. The affect of whiskers on soldered equipment would include random short-circuits and strange RF-effects. Whiskers can grow fairly quickly and become quite long. Robert Cringley wrote this up this some time ago, but it seems that the world has not been taking notice. I guess cars (probably around 30 processors in a modern car) and almost every appliance would be liable to fail sooner than expected due to tin whiskers. Note that accelerated life-expectancy tests can't simulate the passing of time for whiskers to grow. I've googled, and there is plenty of research into the effects of tin whiskers. I should point out that the Wikipedia page linked to above states that tin whisker problems 'are negligible in modern alloys,' but can we trust Wikipedia? So: was the tin whisker problem overhyped, was it an initial problem that has been solved in the few years since lead-free solder came into use, or is it affecting anyone already?"
"Verizon has declared it will no longer offer access to the entire alt.* hierarchy of Usenet newsgroups to its customers. This stems from last week's agreement for major ISPs to cut off access to 'newsgroups and Web sites' that make child pornography available. The story notes, 'No law requires Verizon to do this. Instead, the company (and, to varying extents, Time Warner Cable and Sprint) agreed to restrictions on Usenet in response to political strong-arming by New York State Attorney General Andrew Cuomo, a Democrat. Cuomo claimed that his office found child porn on 88 newsgroups — out of roughly 100,000 newsgroups that exist.' In response, Verizon will cut its customers off from a large portion of Usenet, as it will only carry newsgroups in the Big 8."
EFF, others fighting privacy-invading border laptop searches
The Electronic Frontier Foundation and the Association of Corporate Travel Executives have challenged a court decision allowing border patrols to search and seize citizens' laptops for no reason. They argue that it's not only an "enormous" privacy invasion, the decision also renders the Fourth Amendment of the US constitution useless.
June 13, 2008 - 01:26PM CT - by Jacqui Cheng
Microsoft warns: Get ready for IE 8
Mary Jo Foley: Microsoft is cautioning Web site owners now that they need to be prepping now for possible problems the new, more standards-compliant browser may cause.
'Free Software' Scammers Fined $2.2 Million
from the this-is-not-the-'free'-business-model-we're-talking-about dept
Floods, tornadoes may encourage internet trickery
Dan Kaplan June 13, 2008
The deadly twisters that ripped through Kansas this week and the historic floods sweeping across the Upper Midwest will soon give rise to donation scams and malicious attacks, the SANS Storm Center warned on Friday.
FTC says fining would aid in spyware deterrence
Sue Marquette Poremba June 13, 2008
The Federal Trade Commission wants the power to punish and fine spyware purveyors.
Doubling Laptop Battery Life
By Kate GreeneFriday, June 13, 2008
Intel's new integrated power management could dramatically reduce power consumption in your laptop by shutting down operations not being used.
Containing Internet Worms
By Erica NaoneThursday, June 12, 2008
A new method could stop Internet worms from spreading.
Judge Scuttles Ameritrade Hacking Settlement
British Hacker Faces Extradition Hearing Next Week PC World - Fri Jun 13, 6:00 AM ET
A British hacker fighting extradition to the U.S. on charges of computer hacking is preparing for his final U.K. appeal on...
Nation States' Espionage and Counterespionage
An overview of the 2007 Global Economic Espionage Landscape
» full story
Green Computing & Virtualization – June 24thLearn virtualization best practices and tips - Discover how to reduce energy and IT costs while increasing the efficiency, utilization, and flexibility of your existing computer hardware.
System Center Configuration Manager problem stymies last week's security updates
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9098078&taxonomyId=17&intsrc=kc_top
June 15, 2008 (Computerworld) Microsoft confirmed late Friday that enterprise administrators using one of its patch distribution tools have not been able to install last week's security updates.
The company offered a workaround and said it is working on a fix.
"We're aware of an issue that is affecting the deployment of the June 2008 security updates," acknowledged Christopher Budd, spokesman for the Microsoft Security Response Center (MSRC), in a post to the group's blog Friday night.
Only corporate administrators using System Center Configuration Manager (ConfigMgr) 2007, which itself was just updated to Service Pack 1 (SP1), are affected, Budd said, and only those systems running System Management Server (SMS) 2003 client software refuse to update. "The impact of this issue is that customers in this configuration cannot deploy the June 2008 security updates to their SMS 2003 clients," said Budd.
Security Advisory 954474: Deployment Issue affecting System Center Configuration Manager 2007servers with SMS 2003 clients
Man gets six months for posting terror threat online
Online Terror Threats Result in Jail Time
A federal court sentenced a Wisconsin man to 6 months in jail plus house arrest for false online threats. 14-Jun-2008
iPhone 3G not there yet for widescale business use
Danish filter catches Romanian child-porn sites
Experts: Spyware legislation needs more work
June 14, 2008 Forensic computer analysts become real employment in police divisions
http://www.crime-research.org/news/14.06.2008/3411/
Email Surveillance Switch Pays Off at Brokerage - 6/13/2008 3:25:00 PM Frustrated by high rate of false positives, Scott and Stringfellow moves to Orchestria
"Some time ago, most electronics were soldered with old-fashioned lead solder, which has been tried and tested for decades. In 2006, the EU banned lead in solder, and so most manufacturers switched to a lead-free solder. Most made the switch in advance, I guess due to shelf-life of products and ironing out problems working with the new material. Lead is added to solder as it melts at low temperature, but also, it prevents the solder from growing 'whiskers' — crystalline limbs of metal. The affect of whiskers on soldered equipment would include random short-circuits and strange RF-effects. Whiskers can grow fairly quickly and become quite long. Robert Cringley wrote this up this some time ago, but it seems that the world has not been taking notice. I guess cars (probably around 30 processors in a modern car) and almost every appliance would be liable to fail sooner than expected due to tin whiskers. Note that accelerated life-expectancy tests can't simulate the passing of time for whiskers to grow. I've googled, and there is plenty of research into the effects of tin whiskers. I should point out that the Wikipedia page linked to above states that tin whisker problems 'are negligible in modern alloys,' but can we trust Wikipedia? So: was the tin whisker problem overhyped, was it an initial problem that has been solved in the few years since lead-free solder came into use, or is it affecting anyone already?"
"Verizon has declared it will no longer offer access to the entire alt.* hierarchy of Usenet newsgroups to its customers. This stems from last week's agreement for major ISPs to cut off access to 'newsgroups and Web sites' that make child pornography available. The story notes, 'No law requires Verizon to do this. Instead, the company (and, to varying extents, Time Warner Cable and Sprint) agreed to restrictions on Usenet in response to political strong-arming by New York State Attorney General Andrew Cuomo, a Democrat. Cuomo claimed that his office found child porn on 88 newsgroups — out of roughly 100,000 newsgroups that exist.' In response, Verizon will cut its customers off from a large portion of Usenet, as it will only carry newsgroups in the Big 8."
EFF, others fighting privacy-invading border laptop searches
The Electronic Frontier Foundation and the Association of Corporate Travel Executives have challenged a court decision allowing border patrols to search and seize citizens' laptops for no reason. They argue that it's not only an "enormous" privacy invasion, the decision also renders the Fourth Amendment of the US constitution useless.
June 13, 2008 - 01:26PM CT - by Jacqui Cheng
Microsoft warns: Get ready for IE 8
Mary Jo Foley: Microsoft is cautioning Web site owners now that they need to be prepping now for possible problems the new, more standards-compliant browser may cause.
'Free Software' Scammers Fined $2.2 Million
from the this-is-not-the-'free'-business-model-we're-talking-about dept
Floods, tornadoes may encourage internet trickery
Dan Kaplan June 13, 2008
The deadly twisters that ripped through Kansas this week and the historic floods sweeping across the Upper Midwest will soon give rise to donation scams and malicious attacks, the SANS Storm Center warned on Friday.
FTC says fining would aid in spyware deterrence
Sue Marquette Poremba June 13, 2008
The Federal Trade Commission wants the power to punish and fine spyware purveyors.
Doubling Laptop Battery Life
By Kate GreeneFriday, June 13, 2008
Intel's new integrated power management could dramatically reduce power consumption in your laptop by shutting down operations not being used.
Containing Internet Worms
By Erica NaoneThursday, June 12, 2008
A new method could stop Internet worms from spreading.
Judge Scuttles Ameritrade Hacking Settlement
British Hacker Faces Extradition Hearing Next Week PC World - Fri Jun 13, 6:00 AM ET
A British hacker fighting extradition to the U.S. on charges of computer hacking is preparing for his final U.K. appeal on...
Nation States' Espionage and Counterespionage
An overview of the 2007 Global Economic Espionage Landscape
» full story
Green Computing & Virtualization – June 24thLearn virtualization best practices and tips - Discover how to reduce energy and IT costs while increasing the efficiency, utilization, and flexibility of your existing computer hardware.
Friday, June 13, 2008
Friday News Feed 6/13/08
FUD Watch: Patch Tuesday Panic? No Thanks
Are security vendors right to bang the alarm bell every Patch Tuesday? Yes. But only to a point.
Read more
Microsoft warns: Get ready for IE 8
Mary Jo Foley: Microsoft is cautioning Web site owners now that they need to be prepping now for possible problems the new, more standards-compliant browser may cause.
Mary Jo Foley: Microsoft caves: 'Super-standards' mode to become IE 8 default
The 16 TB RAM PC: When?
Robin Harris: The next version of Mac OS X will address 16 TB of RAM. Who will ever have 16 TB--16,000 GB--of RAM on a home computer? If the past is any guide, it might be a while.
Will The RIAA Sue Judge Kozinski For Sharing MP3s?
from the just-wondering dept
While judge Alex Kozinski is getting a ton of press for accidentally sharing pornographic images from his webserver, Justin Levine notes that the report concerning what was on the server also found music MP3s from musicians like Johnny Cash, Bob Dylan and Weird Al Yankovic. Levine wonders if the RIAA will now sue this federal judge as well. In fact, things could get tricky in that some research suggests not only was Kozinski storing MP3s, he may have actively been sharing some of those MP3s as well. That same link mentions that in one of many copyright infringement lawsuits concerning the company Perfect 10, Kozinski wrote a dissenting opinion suggesting that facilitating copyright infringement should be seen as infringement as well:
Do You Need To Schedule Your Technology Down Time?
from the shut-down-and-go-outside dept
One of the best decisions I made when I first start blogging on Techdirt oh-so-many-years ago, was that I wouldn't blog on weekends. While it wasn't on purpose, it's worked out nicely as it gives me plenty of time on weekends to disconnect and do other stuff. I've found (surprising to some, I'm sure) that it's not at all difficult for me to pretty much ignore my computer for the weekend if I need to. And, then, there are some weekends where I do end up using the computer, either for fun or to catch up on some work-related things. However, I never considered setting up an official "schedule" of tech down time. Yet, Mark Glaser, over at MediaShift notes that a growing number of people are setting aside "tech sabbaths" to force themselves to disconnect.
Even Lawyers Are Confused About What's Legal Or Not In The Prince/Radiohead Spat
UK Police Accused Of Violating Copyright By Listening To Music In Police Stations
from the keep-quiet dept
While we've seen performing rights groups like ASCAP be overly aggressive in trying to collect money from anyone holding a "performance" of music, it seems that the UK's "Performing Right Society" (PRS) is pushing the boundaries even more. This is the same group that we noted last year had sued a bunch of auto mechanics for listening to radios in their garages loud enough that customers in the waiting room could hear them. Yes, the PRS insisted that this required a performance license.
Job-Hunter Forged SEC Letter, Feds Say
MANHATTAN (CN) - A man trying to get hired as CFO of an international company has been charged with forging a letter on SEC letterhead, claiming to be from an SEC attorney, recommending him for the $300,000 job.
Report: Data breaches, stolen data, organized crime rampant
Chuck Miller June 12, 2008
A new report from Verizon Business Security Solutions shows that there is an escalating worldwide black market for stolen data.
Congressmen allege China-based PC hackings
Dan Kaplan June 11, 2008
Two lawmakers said on Wednesday that their office computers were infiltrated by hackers operating out of China.
British Hacker Faces Extradition Hearing Next WeekPC World - Fri Jun 13, 6:00 AM ET
A British hacker fighting extradition to the U.S. on charges of computer hacking is preparing for his final U.K. appeal on...
EU states extend life of Internet security body Reuters - Thu Jun 12, 10:28 AM ET
LUXEMBOURG (Reuters) - European Union telecoms ministers agreed on Thursday to extend the life of the bloc's Internet security watchdog by three years as threats to the Web increase.
Japan and France Agree to Closer Ties on Cybercrime PC World - Thu Jun 12, 5:20 AM ET
Japanese and French government ministers agreed at a meeting in Tokyo on Thursday to work more closely on cybercrime.
38,000 Credit Card Numbers Stolen From The Cotton Traders Website By Hackers By Grey McKenzie Today
Uniloc’s Top Ten Rules for Combating Cyber Attacks on Critical Infrastructure By Grey McKenzie Today
Cyber-Dissident Huang Qi kidnapped & Foreign Journalists Arrested In Sichuan By Grey McKenzie Today
United States Cyber Security Policy Frustrating & Dysfunctional Says Former DHS Official By Grey McKenzie Yesterday
NVD Primary Resources
Vulnerability Search Engine (CVE software flaws and CCE misconfigurations)
National Checklist Program (automatable security configuration guidance in XCCDF and OVAL)
ISAP/SCAP (program and protocol that NVD supports)
SCAP Compatible Tools
SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
Product Dictionary (CPE)
Impact Metrics (CVSS)
Common Weakness Enumeration (CWE)
"Differences in the type of memory and I/O controllers used in USB drives can make one device perform two or three times faster and last 10 times longer than another, even if both sport the USB 2.0 logo, according to a Computerworld story. While a slow USB drive may be fine for moving a few dozen megabytes of files around, when you get into larger data transfers, that's when bandwidth contrictions become noticeable. In 2009, controller manufacturers are expected to begin shipping drives with dual- and even four-channel controllers, which will increase speeds even for slower drives."
Top 5 Security Reasons to Use Windows Vista
by Derek Melber
Articles / Windows OS Security
The top 5 security based reasons to move to Windows Vista for all users in the environment. The reasons are valid and very reasonable.
Study: consumers lust after high-speed broadband, not HDTV
Top Secret Al Qaeda Documents Left on London Train
Oops. At least they were found and returned.
Keith Vaz MP, chairman of the powerful Home Affairs select committee told the BBC: "Such confidential documents should be locked away...they should not be read on trains."
You think?
Malware Silently Alters Wireless Router Settings
http://blogs.washingtonpost.com/securityfix/
A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers.
http://www.routerpasswords.com/ has all the manufacturer's default passwords.
The 2008 Olympics and Your Privacy
Businesses and federal officials are being warned that attendance at the 2008 Olympics will likely put data on laptops and e-mail devices at risk. Chinese intelligence services may actively work to breach data devices in search of secrets, install surveillance technology, and access secure networks.
Olympic visitors' data is at risk, USA Today, June 10, 2008
Posted by EPIC on June 12, 2008.Permanent link to this item.
Verizon Study Links External Hacks to Internal Mistakes - 6/12/2008 10:50:00 AM Most breaches come from outside the company, but they are often triggered by unfound errors on the inside
Danish filter catches Romanian child-porn sites
Experts: Spyware legislation needs more work
ACLU files lawsuit on behalf of Virginia privacy advocate
Are security vendors right to bang the alarm bell every Patch Tuesday? Yes. But only to a point.
Read more
Microsoft warns: Get ready for IE 8
Mary Jo Foley: Microsoft is cautioning Web site owners now that they need to be prepping now for possible problems the new, more standards-compliant browser may cause.
Mary Jo Foley: Microsoft caves: 'Super-standards' mode to become IE 8 default
The 16 TB RAM PC: When?
Robin Harris: The next version of Mac OS X will address 16 TB of RAM. Who will ever have 16 TB--16,000 GB--of RAM on a home computer? If the past is any guide, it might be a while.
Will The RIAA Sue Judge Kozinski For Sharing MP3s?
from the just-wondering dept
While judge Alex Kozinski is getting a ton of press for accidentally sharing pornographic images from his webserver, Justin Levine notes that the report concerning what was on the server also found music MP3s from musicians like Johnny Cash, Bob Dylan and Weird Al Yankovic. Levine wonders if the RIAA will now sue this federal judge as well. In fact, things could get tricky in that some research suggests not only was Kozinski storing MP3s, he may have actively been sharing some of those MP3s as well. That same link mentions that in one of many copyright infringement lawsuits concerning the company Perfect 10, Kozinski wrote a dissenting opinion suggesting that facilitating copyright infringement should be seen as infringement as well:
Do You Need To Schedule Your Technology Down Time?
from the shut-down-and-go-outside dept
One of the best decisions I made when I first start blogging on Techdirt oh-so-many-years ago, was that I wouldn't blog on weekends. While it wasn't on purpose, it's worked out nicely as it gives me plenty of time on weekends to disconnect and do other stuff. I've found (surprising to some, I'm sure) that it's not at all difficult for me to pretty much ignore my computer for the weekend if I need to. And, then, there are some weekends where I do end up using the computer, either for fun or to catch up on some work-related things. However, I never considered setting up an official "schedule" of tech down time. Yet, Mark Glaser, over at MediaShift notes that a growing number of people are setting aside "tech sabbaths" to force themselves to disconnect.
Even Lawyers Are Confused About What's Legal Or Not In The Prince/Radiohead Spat
UK Police Accused Of Violating Copyright By Listening To Music In Police Stations
from the keep-quiet dept
While we've seen performing rights groups like ASCAP be overly aggressive in trying to collect money from anyone holding a "performance" of music, it seems that the UK's "Performing Right Society" (PRS) is pushing the boundaries even more. This is the same group that we noted last year had sued a bunch of auto mechanics for listening to radios in their garages loud enough that customers in the waiting room could hear them. Yes, the PRS insisted that this required a performance license.
Job-Hunter Forged SEC Letter, Feds Say
MANHATTAN (CN) - A man trying to get hired as CFO of an international company has been charged with forging a letter on SEC letterhead, claiming to be from an SEC attorney, recommending him for the $300,000 job.
Report: Data breaches, stolen data, organized crime rampant
Chuck Miller June 12, 2008
A new report from Verizon Business Security Solutions shows that there is an escalating worldwide black market for stolen data.
Congressmen allege China-based PC hackings
Dan Kaplan June 11, 2008
Two lawmakers said on Wednesday that their office computers were infiltrated by hackers operating out of China.
British Hacker Faces Extradition Hearing Next WeekPC World - Fri Jun 13, 6:00 AM ET
A British hacker fighting extradition to the U.S. on charges of computer hacking is preparing for his final U.K. appeal on...
EU states extend life of Internet security body Reuters - Thu Jun 12, 10:28 AM ET
LUXEMBOURG (Reuters) - European Union telecoms ministers agreed on Thursday to extend the life of the bloc's Internet security watchdog by three years as threats to the Web increase.
Japan and France Agree to Closer Ties on Cybercrime PC World - Thu Jun 12, 5:20 AM ET
Japanese and French government ministers agreed at a meeting in Tokyo on Thursday to work more closely on cybercrime.
38,000 Credit Card Numbers Stolen From The Cotton Traders Website By Hackers By Grey McKenzie Today
Uniloc’s Top Ten Rules for Combating Cyber Attacks on Critical Infrastructure By Grey McKenzie Today
Cyber-Dissident Huang Qi kidnapped & Foreign Journalists Arrested In Sichuan By Grey McKenzie Today
United States Cyber Security Policy Frustrating & Dysfunctional Says Former DHS Official By Grey McKenzie Yesterday
NVD Primary Resources
Vulnerability Search Engine (CVE software flaws and CCE misconfigurations)
National Checklist Program (automatable security configuration guidance in XCCDF and OVAL)
ISAP/SCAP (program and protocol that NVD supports)
SCAP Compatible Tools
SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
Product Dictionary (CPE)
Impact Metrics (CVSS)
Common Weakness Enumeration (CWE)
"Differences in the type of memory and I/O controllers used in USB drives can make one device perform two or three times faster and last 10 times longer than another, even if both sport the USB 2.0 logo, according to a Computerworld story. While a slow USB drive may be fine for moving a few dozen megabytes of files around, when you get into larger data transfers, that's when bandwidth contrictions become noticeable. In 2009, controller manufacturers are expected to begin shipping drives with dual- and even four-channel controllers, which will increase speeds even for slower drives."
Top 5 Security Reasons to Use Windows Vista
by Derek Melber
Articles / Windows OS Security
The top 5 security based reasons to move to Windows Vista for all users in the environment. The reasons are valid and very reasonable.
Study: consumers lust after high-speed broadband, not HDTV
Top Secret Al Qaeda Documents Left on London Train
Oops. At least they were found and returned.
Keith Vaz MP, chairman of the powerful Home Affairs select committee told the BBC: "Such confidential documents should be locked away...they should not be read on trains."
You think?
Malware Silently Alters Wireless Router Settings
http://blogs.washingtonpost.com/securityfix/
A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers.
http://www.routerpasswords.com/ has all the manufacturer's default passwords.
The 2008 Olympics and Your Privacy
Businesses and federal officials are being warned that attendance at the 2008 Olympics will likely put data on laptops and e-mail devices at risk. Chinese intelligence services may actively work to breach data devices in search of secrets, install surveillance technology, and access secure networks.
Olympic visitors' data is at risk, USA Today, June 10, 2008
Posted by EPIC on June 12, 2008.Permanent link to this item.
Verizon Study Links External Hacks to Internal Mistakes - 6/12/2008 10:50:00 AM Most breaches come from outside the company, but they are often triggered by unfound errors on the inside
Danish filter catches Romanian child-porn sites
Experts: Spyware legislation needs more work
ACLU files lawsuit on behalf of Virginia privacy advocate
Wednesday, June 11, 2008
Wednesday News Feed 6/11/08
Out of cycle patch here:
Internet Explorer "substringData()" Memory Corruption Vulnerability - Highly critical - From remoteIssued 1 day ago. Updated 11 hours ago.
A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
OpenOffice 2.4.1 Out - Fixes One Vuln
CitectSCADA Buffer Overflow Vulnerability
If you don't know what SCADA systems are then read this and change your underwear...
The TSA has a new photo ID requirement:
Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.
This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures.
That's right; people who refuse to show ID on principle will not be allowed to fly, but people who claim to have lost their ID will. I feel well-protected against terrorists who can't lie.
I don't think any further proof is needed that the ID requirement has nothing to do with security, and everything to do with control.
Apple QuickTime Multiple Vulnerabilities - Highly critical - From remote
Issued 2 days ago. Updated 8 hours ago.
Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.
Boycott spotlights antivirus testing issues Robert Lemos, 2008-06-09 Security firm Trend Micro refuses to apply for future VB100 certifications, highlighting a debate over how to best test antivirus software.
Safari flaw enables Windows attack
"Google largely conquered the Earth — now it is taking aim at space. At least co-founder Sergei Brin is. Brin today said he put down $5 million toward a flight to the International Space Station in 2011. Brin's space travel will be brokered by Space Adventures, the space outfit that sent billionaire software developer Charles Simonyi to the station in 2007. Computer game developer (and son of a former NASA astronaut) Richard Garriott is currently planning a mission to the ISS in October 2008. Garriott is paying at least $30 million to launch toward the space station aboard a Russian Soyuz spaceship according to Space Adventures."
"Researchers at Ohio State University and the University of California, Irvine conducted a telephone study by randomly surveying individuals employed full-time who use computers in an office environment at least five hours per week. They netted 912 respondents, of which 29.8 percent claimed to use IM in the workplace 'to keep connected with coworkers and clients.' Neither occupation, education, gender, nor age seem to have an impact on whether an individual is an IM user or not. The study theorizes that using IM enables individuals to 'flag their availability.' Doing so can limit when IM interruptions occur. Even if an IM interruption comes when it is not necessarily convenient to the recipient, it is 'often socially acceptable' to ignore an incoming message or respond with a terse reply stating that the recipient is too busy at the moment to properly respond."
Also another study recently found that water is wet, and a third study found that most studies waste money.
Overview of the Windows Server 2008 Firewall with Advanced Security Part 2: Inbound and Outbound Firewall Rules
by Thomas Shinder
Articles / Firewalls & VPNs
The inbound and outbound firewall rules that you can create to control incoming and outgoing connections to and from the Windows Server 2008 computer.
Dancho Danchev: Fake ImageShack site serving malware, links distributed over IM
Father's Day gifts for gadget freaks
Openoffice vs Microsoft Office
Microsoft has applied for a patent on a system for "device manner policy" (DMP). Basically, such a DMP system would restrict the use of certain features in certain locations. So, for example, a mobile phone that has the DMP technology might not be able to ring in a movie theater, but would instead shift to vibrate.
WILMINGTON, DEL. (CN) - LandSource Communities Development, whose assets include the 15,000-acre Newhall Land and Farming Co. north of Los Angeles, have filed for bankruptcy, listing more than $1 billion in debts. The California Public Employees' Retirement System, or CalPERS, owns 68% of LandSource; Lennar Corp. and Cerberus Capital Management's LNR Property each own 16% of it, Reuters reported.
This is not a phishing site. Now, be a good victim and enter your login credentials in the form!
Kaiser Permanente partners with Microsoft on health records
Sue Marquette Poremba June 10, 2008
Kaiser Permanente and Microsoft are partnering on a new pilot program to provide patients with better access to their medical records.
Faster, cheaper iPhone portends IT security headaches
Jim Carr June 09, 2008
While the throngs are going crazy about the new iPhone's lower cost and faster download speeds, IT professionals are gearing up for more security headaches from the Apple's latest smart phone.
Tuesday, June 10, 2008 11:52 AM
MS08-036: PGM? What is PGM?
This morning we released MS08-036 to fix two denial-of-service vulnerabilities in the Windows implementation of the Pragmatic General Multicast (PGM) protocol (RFC 3208). You probably have never heard of PGM. Only one engineer on our team had ever heard of it and he previously worked as a tester on the core network components team. PGM is a multicast transport protocol that guarantees reliable delivery from multiple sources to multiple receivers. It is a layer 4 transport protocol, peer to TCP and UDP.
Secret Spy Court Repeatedly Questions FBI Eavesdropping Network
Tech Problem Stumps Yahoo, Forces Mail Features RollbackPC World - Tue Jun 10, 9:10 PM ET
Yahoo is rolling back security and anti-spam enhancements to its Webmail service because they interfered with users' ability...
Hacker Pleads Guilty to Attacking Anti-phishing Group PC World - Tue Jun 10, 7:00 PM ET
A California hacker pleaded guilty to launching a computer attack last year that almost knocked the Castlecops anti-phishing...
10 Tips To Keep Your Kids Safe Online By Grey McKenzie Today
Russian Drug Maker GlavMed Teams Up With Spammers To Make Millions By Grey McKenzie Today
Canadian Law Enforcement Partners With Microsoft To Deal With Cyber Security By Grey McKenzie Today
Electronic Audit Trails From 259,761 High-Risk Consumers Prove Consumer Participation Can Virtually Eliminate New Account Fraud By Grey McKenzie Yesterday
FBI Charges Blind Phone Phreak With Intimidating a Verizon Security Official By Grey McKenzie Yesterday
Police Routinely Gain Access to Cellphone Information
Law enforcement rarely have trouble gaining access to cellphone information from service providers. If the request for information comes within the cellphone service providers retention period then it is often shared with police.
Law Enforcement Use of Cell Info Raises New Privacy Concerns, Heartland Institute, (June 8, 2008)
Cellphone Users' Locations Tracked by Study
A study that used data on 100,000 cellphone users' locations was published in "Nature." The study found that 75% of those tracked remained within a 20-mile radius of their home. Participation in the study was nonconsensual. The research involved information provided by cellphone service providers on its users. Similar tracking of US cellphone customers is technically possible be illegal without the user's permission.
Study tracking people via cell phone raises privacy issues, CNet News.com, June 5, 2008
Researchers Link Storm Botnet to Illegal Pharmaceutical Sales - 6/11/2008 10:10:00 AM Prescription drug spammers are bankrolling botnet's growth, IronPort study says
Major Security Vendors' Sites Could Be Launchpads for Phishing Attacks - 6/10/2008 10:45:00 AM McAfee, Symantec, and VeriSign sites all found to contain cross-site scripting flaws
Safari 'carpet bomb' attack code released
Microsoft hires antiphishing crusader
June 10, 2008 (IDG News Service) Microsoft Corp. has hired Paul Laudanski, the man behind the antiphishing CastleCops.com Web site, to help with the software company's phishing and spam investigations.
Laudanski, a former volunteer firefighter, announced the move on CastleCops.com last week, saying that he's looking to find someone else to run the site that he founded in 2002.
With his new job at Microsoft, he simply doesn't have time to keep up with the CastleCops work, he said in an interview on Tuesday. "I won't be able to ensure the same kind of support that I was able to provide in the past," he said. "I won't be able to do it justice."
CastleCops had been a full-time job for Laudanski and his wife, Robin, since 2005.
At Microsoft, he will work as an Internet safety investigator for Microsoft's live consumer services group. Microsoft has a large Internet safety enforcement team that works with law enforcement to fight spam, viruses, botnets, typo-squatting and even child pornography on the Internet.
At CastleCops, Laudanski managed a team of about 120 volunteers who processed user-submitted spam, phishing and malicious code reports. The group worked as a clearinghouse for complaints and was often active in taking down malicious Web sites and servers. On a typical day, it processes about 1,000 phishing attempts, Laudanski said.
CastleCops clearly has the attention of the bad guys.
Last year, it was attacked by Gregory King, a 21-year-old hacker who operated a botnet network of 7,000 hacked computers. On Tuesday, King pleaded guilty to attacking CastleCops with a distributed denial-of-service attack and is facing a two-year prison sentence.
Internet Explorer "substringData()" Memory Corruption Vulnerability - Highly critical - From remoteIssued 1 day ago. Updated 11 hours ago.
A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
OpenOffice 2.4.1 Out - Fixes One Vuln
CitectSCADA Buffer Overflow Vulnerability
If you don't know what SCADA systems are then read this and change your underwear...
The TSA has a new photo ID requirement:
Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.
This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures.
That's right; people who refuse to show ID on principle will not be allowed to fly, but people who claim to have lost their ID will. I feel well-protected against terrorists who can't lie.
I don't think any further proof is needed that the ID requirement has nothing to do with security, and everything to do with control.
Apple QuickTime Multiple Vulnerabilities - Highly critical - From remote
Issued 2 days ago. Updated 8 hours ago.
Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.
Boycott spotlights antivirus testing issues Robert Lemos, 2008-06-09 Security firm Trend Micro refuses to apply for future VB100 certifications, highlighting a debate over how to best test antivirus software.
Safari flaw enables Windows attack
"Google largely conquered the Earth — now it is taking aim at space. At least co-founder Sergei Brin is. Brin today said he put down $5 million toward a flight to the International Space Station in 2011. Brin's space travel will be brokered by Space Adventures, the space outfit that sent billionaire software developer Charles Simonyi to the station in 2007. Computer game developer (and son of a former NASA astronaut) Richard Garriott is currently planning a mission to the ISS in October 2008. Garriott is paying at least $30 million to launch toward the space station aboard a Russian Soyuz spaceship according to Space Adventures."
"Researchers at Ohio State University and the University of California, Irvine conducted a telephone study by randomly surveying individuals employed full-time who use computers in an office environment at least five hours per week. They netted 912 respondents, of which 29.8 percent claimed to use IM in the workplace 'to keep connected with coworkers and clients.' Neither occupation, education, gender, nor age seem to have an impact on whether an individual is an IM user or not. The study theorizes that using IM enables individuals to 'flag their availability.' Doing so can limit when IM interruptions occur. Even if an IM interruption comes when it is not necessarily convenient to the recipient, it is 'often socially acceptable' to ignore an incoming message or respond with a terse reply stating that the recipient is too busy at the moment to properly respond."
Also another study recently found that water is wet, and a third study found that most studies waste money.
Overview of the Windows Server 2008 Firewall with Advanced Security Part 2: Inbound and Outbound Firewall Rules
by Thomas Shinder
Articles / Firewalls & VPNs
The inbound and outbound firewall rules that you can create to control incoming and outgoing connections to and from the Windows Server 2008 computer.
Dancho Danchev: Fake ImageShack site serving malware, links distributed over IM
Father's Day gifts for gadget freaks
Openoffice vs Microsoft Office
Microsoft has applied for a patent on a system for "device manner policy" (DMP). Basically, such a DMP system would restrict the use of certain features in certain locations. So, for example, a mobile phone that has the DMP technology might not be able to ring in a movie theater, but would instead shift to vibrate.
WILMINGTON, DEL. (CN) - LandSource Communities Development, whose assets include the 15,000-acre Newhall Land and Farming Co. north of Los Angeles, have filed for bankruptcy, listing more than $1 billion in debts. The California Public Employees' Retirement System, or CalPERS, owns 68% of LandSource; Lennar Corp. and Cerberus Capital Management's LNR Property each own 16% of it, Reuters reported.
This is not a phishing site. Now, be a good victim and enter your login credentials in the form!
Kaiser Permanente partners with Microsoft on health records
Sue Marquette Poremba June 10, 2008
Kaiser Permanente and Microsoft are partnering on a new pilot program to provide patients with better access to their medical records.
Faster, cheaper iPhone portends IT security headaches
Jim Carr June 09, 2008
While the throngs are going crazy about the new iPhone's lower cost and faster download speeds, IT professionals are gearing up for more security headaches from the Apple's latest smart phone.
Tuesday, June 10, 2008 11:52 AM
MS08-036: PGM? What is PGM?
This morning we released MS08-036 to fix two denial-of-service vulnerabilities in the Windows implementation of the Pragmatic General Multicast (PGM) protocol (RFC 3208). You probably have never heard of PGM. Only one engineer on our team had ever heard of it and he previously worked as a tester on the core network components team. PGM is a multicast transport protocol that guarantees reliable delivery from multiple sources to multiple receivers. It is a layer 4 transport protocol, peer to TCP and UDP.
Secret Spy Court Repeatedly Questions FBI Eavesdropping Network
Tech Problem Stumps Yahoo, Forces Mail Features RollbackPC World - Tue Jun 10, 9:10 PM ET
Yahoo is rolling back security and anti-spam enhancements to its Webmail service because they interfered with users' ability...
Hacker Pleads Guilty to Attacking Anti-phishing Group PC World - Tue Jun 10, 7:00 PM ET
A California hacker pleaded guilty to launching a computer attack last year that almost knocked the Castlecops anti-phishing...
10 Tips To Keep Your Kids Safe Online By Grey McKenzie Today
Russian Drug Maker GlavMed Teams Up With Spammers To Make Millions By Grey McKenzie Today
Canadian Law Enforcement Partners With Microsoft To Deal With Cyber Security By Grey McKenzie Today
Electronic Audit Trails From 259,761 High-Risk Consumers Prove Consumer Participation Can Virtually Eliminate New Account Fraud By Grey McKenzie Yesterday
FBI Charges Blind Phone Phreak With Intimidating a Verizon Security Official By Grey McKenzie Yesterday
Police Routinely Gain Access to Cellphone Information
Law enforcement rarely have trouble gaining access to cellphone information from service providers. If the request for information comes within the cellphone service providers retention period then it is often shared with police.
Law Enforcement Use of Cell Info Raises New Privacy Concerns, Heartland Institute, (June 8, 2008)
Cellphone Users' Locations Tracked by Study
A study that used data on 100,000 cellphone users' locations was published in "Nature." The study found that 75% of those tracked remained within a 20-mile radius of their home. Participation in the study was nonconsensual. The research involved information provided by cellphone service providers on its users. Similar tracking of US cellphone customers is technically possible be illegal without the user's permission.
Study tracking people via cell phone raises privacy issues, CNet News.com, June 5, 2008
Researchers Link Storm Botnet to Illegal Pharmaceutical Sales - 6/11/2008 10:10:00 AM Prescription drug spammers are bankrolling botnet's growth, IronPort study says
Major Security Vendors' Sites Could Be Launchpads for Phishing Attacks - 6/10/2008 10:45:00 AM McAfee, Symantec, and VeriSign sites all found to contain cross-site scripting flaws
Safari 'carpet bomb' attack code released
Microsoft hires antiphishing crusader
June 10, 2008 (IDG News Service) Microsoft Corp. has hired Paul Laudanski, the man behind the antiphishing CastleCops.com Web site, to help with the software company's phishing and spam investigations.
Laudanski, a former volunteer firefighter, announced the move on CastleCops.com last week, saying that he's looking to find someone else to run the site that he founded in 2002.
With his new job at Microsoft, he simply doesn't have time to keep up with the CastleCops work, he said in an interview on Tuesday. "I won't be able to ensure the same kind of support that I was able to provide in the past," he said. "I won't be able to do it justice."
CastleCops had been a full-time job for Laudanski and his wife, Robin, since 2005.
At Microsoft, he will work as an Internet safety investigator for Microsoft's live consumer services group. Microsoft has a large Internet safety enforcement team that works with law enforcement to fight spam, viruses, botnets, typo-squatting and even child pornography on the Internet.
At CastleCops, Laudanski managed a team of about 120 volunteers who processed user-submitted spam, phishing and malicious code reports. The group worked as a clearinghouse for complaints and was often active in taking down malicious Web sites and servers. On a typical day, it processes about 1,000 phishing attempts, Laudanski said.
CastleCops clearly has the attention of the bad guys.
Last year, it was attacked by Gregory King, a 21-year-old hacker who operated a botnet network of 7,000 hacked computers. On Tuesday, King pleaded guilty to attacking CastleCops with a distributed denial-of-service attack and is facing a two-year prison sentence.
Subscribe to:
Posts (Atom)