Wednesday, October 8, 2008

Security News Feed Wednesday 10/08/08

Great write-up on a Capture-the-Flag event run across three nights at a recent convention, written by one of the guys from the Pauldotcom.com security podcast.
http://pauldotcom.com/2008/10/ice2-games-lessons-learned-fro.html

Palin email intruder indicted, faces up to five years in prison
Dan Kaplan October 08, 2008
A 20-year-old Tennessee man has been indicted on charges he accessed GOP vice presidential candidate Sarah Palin's Yahoo email account without permission.

China's Eye on Web Chatter
By Erica Naone, Monday, October 06, 2008
Poorly protected files reveal a massive surveillance scheme.

China’s Cyber Police Map (with links)
(Cool map at the site of China's web police locations)
Recently I’ve been interested in China’s Cyber Police and how they function. Nothing worth sharing yet, but some of our readers are Chinese linguists and might find this map and links to cyber police websites interesting.

On a side note, many of the web addresses for Chinese cyber police stations include the number 110. For example, the Shandong Cyber Police web address is http://www.sd110.gov.cn/. In China, as well as Taiwan, 110 is similar to the 911 emergency number. However in China, 110 is the exclusive contact number for the police. Other emergency services, such as the fire department, use different contact numbers. The fire department’s number is 119.

Chinese Cyber Police links just below map.

Israeli Super Hacker Ehud Tenenbaum "The Analyzer" May Be Extradited To US
http://www.nationalcybersecurity.com/blogs/843/Israeli-Super-Hacker-Ehud-Tenenbaum-The-Analyzer-May-Be-Extradited-To-US.html
Canada will be asked to extradite computer hacker Ehud Tenenbaum "The Analyzer" for alleged theft of millions of dollars.

According to the US, Tenenbaum was one of the masterminds who hacked into financial institutions in Russia, Turkey, Holland, Sweden, Germany and other countries.

Last month he was arrested in Canada for cyber theft from a local bank. He was about to be released on $30,000 bail when, just before his release, a new arrest order issued in connection with the U.S. extradition request kept him in prison.

Firefox extension blocks dangerous Web attack
A popular free security tool for the Firefox browser has been upgraded to block one of the most dangerous and troubling security problems facing the Web today.

NoScript is a small application that integrates into Firefox. It blocks scripts in programming languages such as JavaScript and Java from executing on untrusted Web pages. The scripts could be used to launch an attack on a PC.

The latest release of NoScript, version 1.8.2.1, will stop so-called "clickjacking," where a person browsing the Web clicks on a malicious, invisible link without realizing it, said Giorgio Maone, an Italian security researcher who wrote and maintains the program.

Clickjacking has been known for several years but is drawing attention again after two security researchers, Robert Hansen and Jeremiah Grossman, warned last month of new scenarios that could compromise a person's privacy or even worse, steal money from a bank account.

New and Updated VMware Security Advisories for VirtualCenter, ESXi, ESX, VCB and VMware Hosted Products

Today, VMware released a new version of VirtualCenter, VC2.5 Update 3, a new version of Virtual Consolidated Backup, VCB 1.1 Update 1, and patches for ESXi and ESX 3.5. These and the recently released versions of VMware's hosted products and patches for ESX 3.0.1, 3.0.2 and 3.0.3 address several security issues. The issues are described in a new and an updated security advisory published today.

One of the fixed security issues is a privilege escalation on certain 64-bit guest operating systems, CVE-2008-4279. It allows an attacker with a login account on a guest operating system to elevate their privileges on that system. The flaw doesn't allow for compromising the host system. The other security issues involve password disclosure and an update to JRE.

Symantec to acquire MessageLabs for $695 million
Angela Moscaritolo October 08, 2008
With its acquisition of MessageLabs, a British online messaging and web security services provider, Symantec hopes to expand its software-as-a-service offerings.

European hackers charged with DDoS attacks in the U.S.
Angela Moscaritolo October 07, 2008
Two European men have been charged with hacking U.S. retail websites and causing more than $400,000 in damage through a series of distributed denial-of-service attacks in 2003.

Stolen McCain party laptop had minimal data safeguards
Dan Kaplan October 06, 2008
A laptop containing "strategic" GOP data was stolen from the Kansas City field office for Sen. John McCain -- but the machine lacked encryption.

Study: Hotel network security lacking
Angela Moscaritolo October 06, 2008
Hotel guests across the country could be connecting their laptops to an insecure connection, a new study concludes.

Dutch to MBTA: Sorry CharlieCard. Your crypto is crap-o
Two months after the Massachusetts Bay Transit Authority went to court to stop US students from talking about weaknesses in the CharlieCard RFID authentication system, researchers in the Netherlands have published evidence that the MIFARE technology that underlies Charlie (and many other mass transits) is fundamentally flawed.
October 08, 2008 - 06:20AM CT - by Joel Hruska

Clickjacking
Good Q&A on clickjacking:
In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car.

"Clickjacking" is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting. We don't know how bad it really is, because the details are still being withheld. But the name alone is causing dread.
Posted on October 6, 2008 at 1:45 PM
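As an added example (not code from the original post, from NoScript, or from any of the articles linked above), the script below audits whether a server's own HTTP response forbids framing. That is the server-side counterpart to the client-side blocking NoScript does in the Firefox item above, and it addresses the Q&A's description of clickjacking as hiding malicious content "under the cover of" a legitimate site. Both headers it inspects postdate this 2008 digest: X-Frame-Options (introduced with Internet Explorer 8 in 2009) and the Content-Security-Policy frame-ancestors directive. The sample responses at the bottom are constructed, not captured from any real site.

```python
"""Audit an HTTP response for anti-clickjacking (framing) protection.

Added example for this news digest; it is not code from NoScript, Adobe or
any article linked above. Both defenses it checks postdate the 2008 items:
the X-Frame-Options header and the Content-Security-Policy frame-ancestors
directive. The sample responses at the bottom are constructed.
"""
import re
from dataclasses import dataclass

# A CSP source consisting only of a scheme ("https:") matches every origin
# using that scheme, which is no protection against an attacker's page.
SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.\-]*:$")


@dataclass
class FramingVerdict:
    protected: bool  # True if an arbitrary third-party page cannot frame this response
    reason: str


def parse_headers(raw_response):
    """Split a raw response (status line plus header lines) into lower-cased
    (name, value) pairs. Duplicates are kept on purpose: repeated security
    headers are exactly the cases an auditor needs to see."""
    pairs = []
    for line in raw_response.splitlines():
        if not line or line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def csp_frame_ancestors(csp_values):
    """Return the frame-ancestors source list from the first CSP header that
    defines one, or None when no CSP header sets the directive."""
    for csp in csp_values:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def audit_framing(raw_response):
    """Decide whether the response can be embedded by an arbitrary origin."""
    headers = parse_headers(raw_response)
    ancestors = csp_frame_ancestors(
        [v for n, v in headers if n == "content-security-policy"])
    if ancestors is not None:
        # Browsers that implement frame-ancestors ignore X-Frame-Options when
        # both are present, so a permissive CSP silently overrides a strict XFO.
        if any(src == "*" or SCHEME_ONLY.match(src) for src in ancestors):
            return FramingVerdict(False, "CSP frame-ancestors permits any origin: %s" % " ".join(ancestors))
        return FramingVerdict(True, "CSP frame-ancestors restricts framing to: %s" % (" ".join(ancestors) or "'none'"))

    xfo = []
    for name, value in headers:
        if name == "x-frame-options":
            xfo.extend(part.strip().upper() for part in value.split(","))
    if not xfo:
        return FramingVerdict(False, "no X-Frame-Options or CSP frame-ancestors header")
    if len(set(xfo)) > 1:
        # RFC 7034 calls conflicting values invalid and browsers do not agree
        # on how to handle them, so treat the page as unprotected.
        return FramingVerdict(False, "conflicting X-Frame-Options values: %s" % ", ".join(xfo))
    value = xfo[0]
    if value in ("DENY", "SAMEORIGIN"):
        return FramingVerdict(True, "X-Frame-Options: %s" % value)
    if value.startswith("ALLOW-FROM"):
        return FramingVerdict(False, "ALLOW-FROM is obsolete; browsers that do not understand it ignore the header")
    return FramingVerdict(False, "unrecognized X-Frame-Options value: %s" % value)


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "deny": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "csp_self": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n",
    "csp_overrides_xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n",
    "conflict": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict = audit_framing(raw)
        print("%-18s %-10s %s" % (label, "protected" if verdict.protected else "EXPOSED", verdict.reason))
```

The "csp_overrides_xfo" sample is the case worth remembering: a strict X-Frame-Options header looks fine on its own, but because browsers that support frame-ancestors ignore X-Frame-Options whenever a CSP sets that directive, the permissive CSP is what actually governs and the page is frameable.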

Spammers Favor Obama Over McCain 7 to 1
http://voices.washingtonpost.com/securityfix/2008/10/spammers_favor_obama_over_mcca.html

Report: Data Breaches Expose About 30M Records in '08
http://voices.washingtonpost.com/securityfix/2008/10/516_data_breaches_in_2008_expo.html

Privacy survey urged for counterterror programs
News Brief, 2008-10-07
The National Research Council calls for all U.S. agencies to evaluate their programs based on how effective they are and whether they protect privacy.

TiVo Wins Appeal On Patents For Pause, Ffwd, Rwd
After years of wrangling, TiVo has won its day in court against Dish Network, formerly known as EchoStar, when the Supreme Court declined to take up Dish Network's appeal, forcing the satellite television company to pay $104 million in damages. According to the article, 'TiVo originally won a patent infringement case in 2004 against Dish, which was then named EchoStar Communications. It charged that Dish illegally copied its technology, which allows people to pause, rewind, and record live television on digital video recorders.' Despite an injunction, Dish continued distributing its set-top boxes in the belief that the work-around it had implemented avoided infringing TiVo's patents. Now the case goes back to the lower court for review to determine whether Dish did indeed steer clear of those patents.

New Bill To Rein In DHS Laptop Seizures
The Travelers Privacy Protection Act, a bill written by US Senators Russ Feingold, D-Wis., and Maria Cantwell, D-Wash., and Rep. Adam Smith, D-Wash., would allow border agents to search electronic devices only if they had reasonable suspicions of wrongdoing. In addition, the legislation would limit the length of time that a device could be out of its owner's possession to 24 hours, after which the search becomes a seizure, requiring probable cause.

Sequoia's Optical Scan Vote Counting Machines Giving Different Results Every Time
from the well-that's-reassuring dept

Supreme Court Hears Arguments on Bad Police Data
The Supreme Court hears arguments on the implications of police acting on their own inaccurate information. Police suspected that Herring, an Alabama resident, had a warrant. The police checked county records and finding no warrant checked a neighboring county which in error reported an outstanding warrant. Upon a search of Herring, as a result of the false warrant claim, he was found to be in possession of controlled substances. The case seeks a ruling from the court on whether the police can be insulated because they acted on erroneous information from a police county clerk. Criminal record database errors are further complicated by the practice of interlinking law enforcement databases.
Supreme Court Mulls Whether Bad Databases Make for Illegal Searches, Wired News, October 4, 2008

Domaincontrol (GoDaddy) Nameservers DNS Poisoning
We knew it would be happening for the foreseeable future, until some version of SecDNS is implemented.

Adobe Flash Player "Clickjacking" Security Bypass Vulnerability
Issued 10 hours ago.
A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information.

'Clickjackers' could hijack webcams, microphones, Adobe warns

Why Security Pros Hate Microsoft SharePoint (and What to Do About It)
Microsoft's SharePoint collaboration platform is all the rage in today's business world, especially since third parties gained the ability to plug security holes. But managing it can still be a nightmare for IT security shops.

Court orders spammers to pay $236M to Iowa ISP

Shell fingers IT contractor in theft of employee data

New health-care privacy laws heighten need for HIPAA compliance in California
