Wednesday, October 15, 2008

Security News Feed Wednesday 10/15/08

Update: Cisco Security Advisory: Multiple Multicast Vulnerabilities in Cisco IOS Software

Yesterday's Microsoft security bulletins are as follows:

MS08-056 Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)

MS08-057 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)

MS08-058 Cumulative Security Update for Internet Explorer (956390)

MS08-059 Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)

MS08-060 Vulnerability in Active Directory Could Allow Remote Code Execution (957280)

MS08-061 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)

MS08-062 Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)

MS08-063 Vulnerability in SMB Could Allow Remote Code Execution (957095)

MS08-064 Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)

MS08-065 Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)

MS08-066 Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)

Advisory 956391 Cumulative Security Update of ActiveX Kill Bits

FBI: Several nations eye U.S. cybertargets
But FBI official stresses need to protect networks rather than finding source of cyberthreats.

October 15, 2008 (IDG News Service) About two dozen nations have developed cyberattack capabilities and have their eyes on targets inside the U.S. government or businesses, the top cybercrime law enforcement official in the U.S. said today.

"There are countries who have an interest in obtaining information from the U.S., in terms of the electronic theft of data," said Shawn Henry, the assistant director in charge of the FBI's Cyber Division.

FTC, New Zealand hit one of world's largest spam operations
October 15, 2008 (IDG News Service) Government agencies in the U.S. and New Zealand say they have sued the people behind one of the world's largest spamming operations.

The lawsuits were filed in federal court in Illinois and New Zealand High Court in Christchurch over the past week. They describe an international spamming operation run out of New Zealand, Australia and the U.S. that sold the kinds of phony male-enhancement pills, knock-off prescription drugs, sex toys and replica watches that have gummed up e-mail in-boxes for years.

Ex-hacker 'Mafiaboy' tells all in memoir
http://www.crime-research.org/news/14.10.2008/3625/
A former hacker, who temporarily shut down several major websites and led the RCMP and the FBI on a manhunt when he was 15, has written a tell-all memoir about his criminal past.

Microsoft issues mega-patch to crush 20 bugs in Windows, Office, IE

Patch releases push down Microsoft's stock, researcher says

Bush signs PRO-IP antipiracy law

Intellectual Property Bill Becomes Law: Critics Say It Goes Too Far - 10/14/2008 5:54:00 PM
New law gives authorities more leeway to prosecute thieves who steal sensitive data for piracy or espionage

Tough economic climate can heighten insider threat

'Experimental' security fix is malware, Microsoft says

Anonymous Proxy Servers: Necessary Or Evil?
Some security experts believe anonymous proxy servers are only necessary if you're up to no good, while others see them as a legitimate tool for research, pen testing and the like. Who's right?

Radiohead Reveal Success of 'In Rainbows' Download
nme.com — The statistics behind the pay-what-you-like release of Radiohead's 'In Rainbows' album, released on October 10 last year online, have been revealed today.

"...Warner Chappell concluded that the new release style was a financial success, but did not reveal whether Radiohead plan to release an album in a similar way in the future."

Teacher's Boozy MySpace Scotches Job

Four Security Lessons From the World Bank Breach
The World Bank is making headlines after a disputed report claims hackers managed to access their secure network for over a year. One security pro offers takeaways that everyone can learn from the breach.

"...The problem is, no matter how much technology you put in place there is always this human element," he said. "Humans can't be upgraded with new patches. But it's humans who are making mistakes and bad decisions which will often introduce security problems into organizations."

NSA's Warrantless Eavesdropping Targets Innocent Americans
Remember when the U.S. government said it was only spying on terrorists? Anyone with any common sense knew it was lying -- power without oversight is always abused -- but even I didn't think it was this bad:

Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of "cuts" that were available on each operator's computer.

"Hey, check this out," Faulk says he would be told, "there's good phone sex or there's some pillow talk, pull up this call, it's really funny, go check it out. It would be some colonel making pillow talk and we would say, 'Wow, this was crazy'," Faulk told ABC News.

Warrants are a security device. They protect us against government abuse of power.
Posted on October 15, 2008 at 12:39 PM

Insiders dodge security for productivity, RSA says
News Brief, 2008-10-15
In its latest survey of IT workers, the company finds that more than half found ways to work around security policies to get their work done.

...preliminary investigations into a Qantas Airbus A330 mishap where 51 passengers were injured have concluded that it was due to the Air Data Inertial Reference System feeding incorrect information into the flight control system — not interference from passenger electronics, as Qantas had initially claimed.

Microsoft aims for Vista SP2 before Win 7
Mary Jo Foley: The Windows team is readying second service packs (SP2) for Vista--and for its server complement, Windows Server 2008--and is aiming to deliver these SP2s before it releases Windows 7.

Clickjacking
Lately, the topic of clickjacking has gained popularity in discussions on the internet. It is a new type of web attack. I decided to find out what it’s all about.

I found an online video of OWASP NYC AppSec 2008 here. In the video, Jeremiah Grossman & Robert “RSnake” Hansen reported this new vulnerability in a presentation titled “New Zero-Day Browser Exploits –ClickJacking”. I also found a demo of this vulnerability here.

In the videos they describe only parts of the vulnerability, but it is enough for us to have a basic idea of what clickjacking is.

To explain this, let's use an example. Suppose web page A is controlled by an attacker and contains an element B. In a clickjacking attack, B is made transparent via CSS and its z-index is set higher than that of the other elements of page A, so B sits invisibly on top of them. B also needs to be large enough that the user can click its content. The attacker can place in B any button that does whatever he wants, and then places decoy buttons on page A at the same positions as the buttons in B. When the user thinks they are clicking a button on page A, they are actually clicking the button in B, because the z-index of B's buttons is higher than that of A's buttons. The attack uses only DHTML and does not require JavaScript, so disabling JavaScript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich media internet application today. Adobe has released a security advisory and provided a workaround.
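As an added example (not code from the original post or from the presenters it cites), here is the server-side mitigation that arrived after this post was written: the X-Frame-Options header (first shipped in IE8 in 2009) and the CSP frame-ancestors directive tell the browser not to render a page inside a frame on another origin, which is exactly the transparent element B described above. The Node.js-style code below builds those headers and simulates the browser's framing decision; the origins and the fake response object are constructed placeholders.

```javascript
// Added example, not code from the original post: server-side clickjacking
// mitigation for a Node.js-style response object (res.setHeader).
// X-Frame-Options and CSP frame-ancestors are real headers that postdate
// this 2008 post; the origins used below are constructed placeholders.

// Headers that tell the browser not to render this page inside a frame on
// another origin. Both are sent because older browsers only know X-Frame-Options.
function antiFramingHeaders(allowSameOrigin = false) {
  return allowSameOrigin
    ? { 'X-Frame-Options': 'SAMEORIGIN',
        'Content-Security-Policy': "frame-ancestors 'self'" }
    : { 'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'" };
}

// Apply the headers to an outgoing response (any object with setHeader, e.g.
// Node's http.ServerResponse). Returns the headers that were set.
function protectResponse(res, allowSameOrigin = false) {
  const headers = antiFramingHeaders(allowSameOrigin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return headers;
}

// Simulate the browser's decision: may a page from pageOrigin, served with
// these headers, be embedded by a document whose origin is embedderOrigin?
// A frame-ancestors directive takes precedence over X-Frame-Options when both exist.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const match = csp.match(/frame-ancestors\s+([^;]+)/);
  if (match) {
    const sources = match[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    return sources.some(
      (s) => (s === "'self'" && embedderOrigin === pageOrigin) || s === embedderOrigin
    );
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no header at all: any site can overlay the page transparently
}

// Constructed demonstration: a fake response protected with DENY, then probed
// as if an attacker-controlled page tried to frame it.
const fakeRes = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
const sent = protectResponse(fakeRes);
console.log(framingAllowed(sent, 'https://bank.example', 'https://attacker.example')); // false
```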







Cybersting: FBI ran DarkMarket forum to catch cybercriminals
Angela Moscaritolo October 14, 2008
The FBI used the DarkMarket.ws cybercriminal forum to create profiles of identity thieves looking to share tips and purchase stolen data.

More than 5,000 pirated eBay credentials found on web
Dan Kaplan October 14, 2008
A security researcher has discovered a loot of eBay credentials on a Google cache.

Frame injection exploits Google flaw
Angela Moscaritolo October 13, 2008
The login page for Google Mail can be spoofed so that an attacker can steal a user's credentials.

FBI sees rise in computer crime
Reuters - 19 minutes ago
WASHINGTON (Reuters) - Computer spying and theft of personal information have risen notably in the past year, costing tens of millions of dollars and threatening U.S. security, the FBI's cyber division head said on Wednesday.

30 Million Computers are Infected by Fake Antivirus Programs Generating Nearly $14 Million for Cyber-crooks By Grey McKenzie Today

Three potential scenarios for the future of identity federation
I spent a day last week with SURFnet. And, no, SURFnet has nothing to do with Moondoggie, Gidget,...
