Tuesday, November 25, 2008

Security News Feed Tuesday 11/25/08

Former Hunton Partner Gets 70 Months for Child Porn on Firm Laptop
http://www.law.com/jsp/article.jsp?id=1202426266809&rss=newswire

A former Hunton & Williams partner was sentenced Monday to 70 months in federal prison for using his firm's laptop to download and store videos of child pornography.

The lawyer, Emerson Briggs, who made partner at Hunton & Williams in 2003, pleaded guilty in September to one count of receiving child pornography. Judge Colleen Kollar-Kotelly of U.S. District Court for the District of Columbia also sentenced Briggs, 41, to 10 years of supervised release and ordered him to pay a $12,500 fine.

Briggs has been in custody since his plea hearing. Steptoe & Johnson partner Bruce Bishop, who represented Briggs, declined to comment. Briggs is "ashamed and remorseful about his past actions," his wife wrote in a letter to the judge. Briggs entered counseling after losing his job at Hunton & Williams.






TPM 1.2 specifications move forward to become ISO/IEC standards






Lenovo Service Disables Laptops With Text Message
Lenovo on Tuesday announced a service that allows users to remotely disable a PC by sending a text message.





Bug allowed free access to Sirius radio service





U.S. agency sees robots replacing humans in service jobs by 2025





Update: FTC asks Supreme Court to review Rambus antitrust case





Facebook wins $873M judgment in spam suit
Facebook won a case against a spammer who was ordered to pay the social-networking giant $873 million in damages.





Verizon cans workers who snooped Obama's cell phone, CNN reports
Any CIO knows you can't have staffers perusing records -- especially the president-elect's -- but this applies to all of us.





Holiday Travel: Ways to Keep Your Laptop, Privacy Safe





Microsoft's Ballmer ordered to testify in 'Vista Capable' suit





Hands-off hackers: Crooks opt for surgical strikes AP - Mon Nov 24, 7:16 AM ET
SAN JOSE, Calif. - Internet criminals have been getting more "professional" for years, trying to run their businesses like Big Business to get better and more profitable at selling stolen data online. Now the bad guys of the cyber-underworld are exhibiting other unexpected traits: remarkable patience and restraint in stalking their victims.





Pentagon bans computer flash drives AP - Fri Nov 21, 4:35 PM ET
WASHINGTON - The Pentagon has banned, at least temporarily, the use of external computer flash drives because of a virus threat officials detected on Defense Department networks.





Virus strikes some Pentagon computers: official AFP - Fri Nov 21, 1:13 PM ET
WASHINGTON (AFP) - Some Defense Department computer networks have been infected with a "global virus" and steps are being taken to mitigate it, the Pentagon said Friday.





Can Obama Keep His BlackBerry?
Analysis: Any responsible enterprise has security measures to handle mobile devices, so Obama should be able to take his BlackBerry into the West Wing with a little planning.





Tech Insight: Free Network Tool Shows The Bigger Picture (Nov 21, 2008)
A hands-on look at the new NetWitness Investigator network analysis tool and how it can team with Wireshark






Large quantity SQL Injection mitigation
As botnets and other automated tools hammer at websites trying to exploit SQL injection vulnerabilities, site operators are trying hard to defend them. Asprox and other botnets hit the ASP + MS SQL platform hard, and millions of websites have already fallen victim to SQL injection. Although wild SQL injection scanning by Asprox-type botnets has declined, we are still not in the clear. The unauthenticated portion of a site might be secure while the authenticated portion is totally vulnerable. Since most scans only target what Googlebot can see, there are still plenty of vulnerable web pages out there waiting for exploitation.
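The mitigation the diary is pointing at is the same on every platform: stop assembling SQL from strings. As an added example (not code from the diary, nor from any site it mentions), here is the ASP + MS SQL style login lookup rebuilt in Python on sqlite3 so it runs offline. The table, the rows and the payload are constructed for the demo, and the `login_vulnerable`, `login_parameterized` and `demo` names are mine:

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# A classic tautology payload, constructed for the demo.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table (stand-in for the MS SQL backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Classic ASP-style string concatenation: user input becomes SQL syntax."""
    sql = (
        "SELECT id FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Bound parameters: the driver passes values separately, never as syntax."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo() -> dict:
    """Run both lookups with the tautology payload in the password field."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", PAYLOAD),
        "parameterized_bypassed": login_parameterized(conn, "alice", PAYLOAD),
        "parameterized_valid_login": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload in the password field the concatenated query becomes `... AND password = '' OR '1'='1'`, and `AND` binds tighter than `OR`, so the row comes back and the login succeeds without a password. The parameterized version treats the same text as a literal value and rejects it. Because the fix is per query rather than per URL, it also covers the authenticated pages that the diary says scanners never reach; on MS SQL the equivalent is ADO command parameters or `sp_executesql` with typed parameters.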






Why Mass. 201 CMR 17 Deadline Was Extended
Companies that live or do business in Massachusetts have a few extra months to meet compliance deadlines for the state's tough 201 CMR 17 data protection law. The simple reason: Too few understand the law to meet the original January deadline (Part 1 in a series).





Two Weeks Out, Spam Volumes Still Way Down
A full two weeks after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline, the volume of spam sent globally each day has yet to bounce back.

The block graph over at e-mail security firm IronPort suggests that the company blocked around 35 billion spam messages on Monday. Prior to hosting provider McColo's shutdown, IronPort was flagging somewhere around 160 billion junk e-mails per day.

A quick glance at the volume flagged by Spamcop.net shows that it is still detecting well below half the spam volume it saw just two weeks ago.





... the US National Telecommunications and Information Administration has gotten plenty of feedback on its call for comments on securing the root zone using DNSSEC. The comment period closed yesterday, and more than 30 network and security experts urged the NTIA to implement DNSSEC stat. There were a couple of dissenting voices and a couple of trolls.





Symantec is warning of a sharp jump in online attacks that appear to be targeting a recently patched bug in Microsoft's Windows operating system, an analysis that some other security companies disputed. Symantec raised its ThreatCon security alert level from one to two because of the attacks, with two denoting 'increased alertness.' The attacks spotted by Symantec target a flaw in the Windows Server Service that Microsoft says could be exploited to create a self-copying worm attack.





Cybercriminals release Christmas themed web malware exploitation kit






From an unclassified DHS Report: Between 1993 and 2007, at least 16 confirmed ricin incidents involving domestic extremists have occurred; none resulted in any fatalities.

Tuesday, November 18, 2008

Security News Feed Tuesday 11/18/08

I wanted to gather a collection of recent news together regarding device encryption. There are new laws going into effect in Nevada and Massachusetts that may affect how data for their citizens are handled.





Massachusetts encryption law even stricter than Nevada’s
Written by Dan Blacharski on October 24, 2008

I recently wrote about Arizona’s new law concerning encryption of personal data. Several states are enacting similar legislation, and encrypting such data is becoming a de facto national policy. Most recently, Massachusetts issued new regulations on the same subject last month, and that state’s laws will take effect on January 1, 2009.

The Massachusetts legislation, known as the Standards for the Protection of Personal Information of Residents of the Commonwealth, is very far-reaching and considered the strictest regulations to date. The new law adds to Massachusetts’ already stringent security regulations, by requiring all portable personal data about any Massachusetts resident to be encrypted. This applies to data transmitted over public networks, or that is stored on a laptop, or on any type of removable memory device. The law requires other mandatory security procedures, including updated user authentication and authorization.

There is a technical difference between Nevada’s and Massachusetts’ statute in how encryption is defined. For the Nevada law, “encryption” is defined as the use of a protective or disruptive measure, including cryptography, enciphering, encoding, or a computer contaminant, to render data unintelligible. The Massachusetts statute is more specific, stating that “encryption” is an algorithmic process that requires a confidential process or key to decode. Some have argued that since the Nevada law does not use the word “algorithmic,” then password-protection is adequate to adhere to the letter of the law.

Also, the laws differ in scope. Nevada’s law focuses on the electronic transmission of data, while Massachusetts also includes portability. Accordingly, if you have data on a resident of Massachusetts on your hard drive, even if you do not send it via email or over the Internet, you still must encrypt that data.





New Data Privacy Laws Set For Firms
WSJ October 16, 2008

Alicia Granstedt, a Las Vegas-based hair stylist who works for private clients and on movie sets, never worried about conducting most of her business through email.

Ms. Granstedt regularly receives emails from customers containing payment details, such as credit-card numbers and bank-account transfers. Since she travels frequently, she often stores the emails on her iPhone.

But a Nevada law that took effect this month requires all businesses there to encrypt personally-identifiable customer data, including names and credit-card numbers, that are transmitted electronically.

After hearing about the new law, Ms. Granstedt started using email-encryption software, which requires her clients to enter a password to read her messages and send responses. It is a hassle, "but I can't afford to be responsible for someone having their identity stolen," she said.

Nevada is the first of several states adopting new laws that will force businesses -- from hair stylists to hospitals -- to revamp the way they protect customer data. Starting in January, Massachusetts will require businesses that collect information about that state's residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations.

While just a few states have adopted such measures so far, the new patchwork of regulations is something many businesses will have to navigate, since the laws apply to out-of-state companies with operations or customers in those states.

That's one reason the Massachusetts law has the attention of Andrew Speirs, information security officer for National Life Group, an insurance company based in Montpelier, Vt. "We do business in all 50 states so we're definitely reviewing it," he said. Mr. Speirs said that National Life has a program in place to protect data, but that the Massachusetts law "is a little more particular" than other state laws. He is checking his company's program for any holes.

...





https://blogs.sonnenschein.com/icdp/Lists/Posts/Post.aspx?ID=21
Sonnenschein Nath & Rosenthal LLP

Massachusetts Rules Require Protection of Personal Information; Nevada Law Requires Encryption of Personal Information
On Sept. 19, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued final rules governing how businesses must protect and store personal information. The rules take effect January 1, 2009. Under the rules, businesses that own, license, store, or maintain personal information of a Mass. resident must develop and implement a written information security program and implement certain system security measures, including encryption of personal information during transmission (to the “extent technically feasible”) and encryption of personal information stored on laptops and other portable devices. A copy of the rules can be found on the OCABR website.

A Nevada statute (N.R.S. 597.970) that takes effect October 1, 2008 requires businesses “in this State” to encrypt all customer personal information (other than facsimiles) that is electronically transmitted “outside the secure system of the business.” The statute refers to Nevada's data breach statute for the definition of "personal information," which is defined as first name or first initial and last name in combination with any of the following elements: SSN; driver’s license or ID card number; or account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account. (N.R.S. 603A.040) The statute does not include a definition of what it means to be a "business in this state," thus making it unclear as to whether the statute would only apply to businesses physically located in the state or to all entities conducting business with Nevada residents.

Both the Massachusetts regulations and the Nevada encryption statute are part of a growing trend in state legislation (and industry standards) to require businesses to implement certain controls to protect personal information. A number of states (including California and Nevada) have statutes in place requiring entities that maintain records containing personal information of state residents to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. Likewise, the Payment Card Industry Data Security Standard (“PCI DSS”) also requires all entities processing credit card payments to implement an array of security controls, including firewalls, access controls, monitoring, and encryption of cardholder data during transmission and storage. The message is clear: entities must implement reasonable security controls to protect personal data.





State Data Encryption Laws Ready to Take Effect
http://www.scottandscottllp.com/main/state_data_encryption_laws.aspx

By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data. (Click here for more background on that topic.) While contingency planning in light of these laws (now present in 44 states and the District of Columbia) usually entails some up-front costs in the form of diverted resources and attorney’s fees, the overall cost of implementation has been relatively low. It may be fitting, then, that the perceived benefit of these laws has been similarly minimal, with some estimating only a 2% reduction in identity theft in recent years that can be attributed to data breach notification legislation.

It is perhaps as a result of such low estimated return that some states now are starting to implement tougher standards describing the steps that businesses must take in order to prevent such breaches from occurring in the first place. Nevada’s law is the first and went into effect on October 1, 2008. Massachusetts is set to follow with a more detailed set of regulations in January, with Michigan and Washington State in the process of considering similar measures.

The Nevada provision is succinct:
A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
“Encryption” and “personal information” are defined by reference to other statutes and have meanings similar to those typically used in the notification laws. (See NRS 597.970.)

The effect of the Nevada law is to give a victim of identity theft resulting from a data breach a statutory standard of care to enforce against the business that, as a result of negligent (or other) non-compliance with the law, experienced the breach that led to the identity theft in question. Other questions pertaining to the practical implementation of the standard remain, including how to show a causal link between the breach and the ID theft and whether some injury short of ID theft – such as the cost of signing up for credit monitoring – would support a damages claim sufficient to allow a case to proceed to trial. However, it is clear that companies doing business in Nevada now have a tangible interest in deploying encryption technology to protect the data of customers living in that state.

In Massachusetts, the stakes could be even higher. There, the state’s Office of Consumer Affairs & Business Regulation has adopted regulations, to become effective on January 1, 2009, that provide detailed definitions of the standards businesses must meet in order to bring their data handling technology and protocols into compliance. (See 201 CMR 17.00.) While the Massachusetts regulations’ enabling statute does not create a private cause of action for failure to comply, it does give the state attorney general the authority to file a lawsuit for injunctive relief and, in some cases, civil penalties up to $5,000.00 per violation.

As with the notification laws, there is no unified, federal standard for data handling to pre-empt what may become another medley of state laws for businesses to navigate. If these laws become more commonplace (and it appears that they very well may), it will become even more critical for companies conducting interstate transactions to work closely with counsel in order to ensure their compliance with all applicable data handling standards and safeguards.




Where can I get the latest information on HIPAA?

For the complete HIPAA regulations, visit the Department of Health and Human Services.

To learn more about HIPAA insurance reform or HIPAA administrative simplification, visit Center for Medicare & Medicaid Services (CMS).

To learn more about what the Navy and TMA is doing to comply with HIPAA requirements, visit the Navy Medicine HIPAA site and the TMA HIPAA site.

The WorkGroup for Electronic Data Interchange provides information and white papers on Transactions, Security and Privacy.

Questions about HIPAA regulatory compliance (transactions, code sets, national identifiers, and security) can be directed to the Centers for Medicare and Medicaid (CMS) at 410-786-4232 (local) or 1-866-282-0659 (toll-free).

Monday, November 17, 2008

Security News Feed Monday 11/17/08

Google patches Chrome file-stealing bug





Laid-Off Sysadmin Arrested for Threats to Harm Servers
A systems administrator who was laid off this month by a New York-based financial services firm was arrested in New Jersey last week for allegedly threatening to damage the company's servers if it didn't increase his severance pay.

Viktor Savtyrev, a 29-year-old New Jersey resident, also demanded extended medical coverage and "excellent" job references in e-mails and phone calls to officials at the firm, federal prosecutors said. They declined to identify the firm, but Third Avenue Management LLC confirmed that it is the company involved in the case.






Microsoft: First Exploit Ratings Show Success
Microsoft Corp. last week called its first crack at predicting whether hackers would create exploit code for its software flaws a success -- even though its forecasts were less than 50% accurate.





Can a Cybercrook Get $21,619 off of You?
Too many users neglect their antivirus updates and other cybersecurity measures, a British survey reports.






Wanted: Programmers with Ethics
Morals and ethics join communication and programming skills in a survey of wish lists for IT workers.






A competitor to the free Wireshark packet sniffer is also available at no charge, and it offers some interesting additions beyond what Wireshark provides. The fully functional, licensed free version of NetWitness Investigator is at: http://download.netwitness.com.





Employees Ignore Online Shopping Risk






Rich Mogull: 7 Infosec Trends for 2009
Shrinking budgets, the collapse of the database security market, DLP going mainstream - the former Gartner pundit places his bets for the coming year. (Part of the What Happens Next security predictions series.)

Data Loss Prevention goes mainstream. In late 2009 DLP will finally go early mainstream due to the push from the big vendors. Content discovery will drive more deals than network monitoring, and provide more value to most users.







FOIA docs show feds can lojack mobiles without telco help
Documents obtained by civil liberties groups suggest the feds can track cell phone locations without the help of providers.
November 16, 2008 - 10:45PM CT - by Julian Sanchez





Tuesday, November 11, 2008 10:40 AM
MS08-068: SMB credential reflection defense
Today Microsoft released a security update, MS08-068, which addresses an NTLM reflection vulnerability in the SMB protocol. The vulnerability is rated Important on most operating systems, except Vista and Windows Server 2008 where it has a rating of Moderate. This blog post is intended to explain why the issue is less severe on Vista and Windows Server 2008, and provide some additional details to help people determine the risk they face in their environment.

This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials. (Hence the term “credential reflection”). In typical Windows XP configurations where SMB sharing is enabled and the user is a member of the Administrators group, this allows the attacker to easily take over the machine. Public tools, including a Metasploit module, are available to perform this attack.

Typical attack vectors for this vulnerability will leverage HTML either via a web browser or e-mail. Resources within the HTML document (such as IMG tags) can be used to reference a file on the attacker’s machine, and these files are then retrieved using the SMB protocol. The attacker’s machine prompts the victim for credentials and then reflects these credentials to the victim’s machine, gaining access. In cases where the attacker is on the same network as the victim, even “trusted” websites can be leveraged to perform this attack – since network data can be modified before the victim receives it.
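To make the reflection concrete, here is an added toy model of the exchange. It is not Microsoft's code and not real NTLM: the NT hash and the NTLM response function are replaced by SHA-256 and an HMAC, the attacker is a function in the same process rather than a separate host, and the `Host`, `reflect`, `honest_login` and `reflection_check` names are mine. The defence shown, a host refusing to answer as a client any challenge that its own server side currently has outstanding, is one way to detect reflection; it illustrates the idea and is not a claim about the exact MS08-068 implementation.

```python
import hashlib
import hmac
import os


class Host:
    """One Windows machine with both an SMB server side and an SMB client side."""

    def __init__(self, name: str, password: str, reflection_check: bool = False):
        self.name = name
        # Toy stand-in for the NT hash (real NTLM uses MD4 of the UTF-16LE password).
        self.key = hashlib.sha256(password.encode()).digest()
        # Challenges this host's server side has issued and not yet seen answered.
        self.outstanding = set()
        self.reflection_check = reflection_check

    # ---- server side: issues challenges and verifies responses ----
    def server_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.outstanding.add(challenge)
        return challenge

    def server_verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    # ---- client side: answers whatever challenge the remote server sends ----
    def client_respond(self, challenge: bytes):
        if self.reflection_check and challenge in self.outstanding:
            # We issued this challenge ourselves; a "server" presenting it back
            # to us is reflecting our own authentication. Refuse to answer.
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def reflect(victim: Host) -> bool:
    """Attacker with no credentials turns the victim's outbound SMB connection
    back onto the victim's own server. Returns True if it ends up authenticated."""
    # 1. Victim renders <img src="\\attacker\x.png">, so its client side connects
    #    to the attacker. Before answering that connection, the attacker...
    # 2. ...opens its own SMB session to the victim's server and takes its challenge.
    challenge = victim.server_challenge()
    # 3. ...hands that challenge to the victim as if it were the attacker's own.
    response = victim.client_respond(challenge)
    if response is None:
        return False
    # 4. ...replays the victim's response to the victim's server.
    return victim.server_verify(challenge, response)


def honest_login(client: Host, server: Host) -> bool:
    """Normal challenge-response between two different machines sharing a password."""
    challenge = server.server_challenge()
    response = client.client_respond(challenge)
    return response is not None and server.server_verify(challenge, response)


if __name__ == "__main__":
    print("unpatched host reflected:", reflect(Host("xp", "pw")))
    print("checking host reflected:", reflect(Host("vista", "pw", reflection_check=True)))
```

The attacker never learns the password or the hash; it only needs the victim to answer a challenge that the victim's own server side issued a moment earlier. Note the limit of this particular check: it only recognises a challenge coming back to the same machine, so a relay of the same response to a third host that accepts the same credentials is not caught here; that case is what SMB signing addresses.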





Google "Flu Trends" Raises Privacy Concerns

Google announced this week a new web tool that may make it possible to detect flu outbreaks before they might otherwise be reported. Google Flu Trends relies on individual search terms, such as "flu symptoms," provided by Internet users. Google has said that it will only reveal aggregate data, but there are no clear legal or technological privacy safeguards to prevent the disclosure of individual search histories concerning the flu, or related medical concerns, such as "AIDS symptoms," "ritalin," or "Paxil." Privacy and medical groups have urged Google to be more transparent and publish the algorithm on which Flu Trends data is based so that the public can determine whether the privacy safeguards are adequate. At some point aggregate data is identifiable data. Advocacy groups are seeking information on the privacy protections intended to safeguard against abuse or misuse of search information.
Is There a Privacy Risk in Google Flu Trends?, New York Times, November 13, 2008





"NASA has built a new software package to track problems with the Space Shuttle using open source tools from Mozilla. '[Alonso Vera, the lead of the Ames Human-Computer Interaction Group] wouldn't say exactly how much the new systems cost to build, but he said they were an order of magnitude cheaper than what was being used before, closer to $100,000 than the $1 million it would have cost in the past.' The Space Shuttle Endeavor launched successfully on Friday, so the new system is being used to track any problems which may crop up in the current mission. As one commentator pointed out, 'A system like this could save more than money; it could save lives.'"







"TorrentFreak reports that Toyota's lawyers have recently contacted computer wallpaper site Desktop Nexus in a blatant example of DMCA abuse. Toyota issued a blanket request to demand the immediate removal of all member-uploaded wallpapers featuring a Toyota, Lexus, or Scion vehicle (citing copyright violation), regardless of whether Toyota legally holds the copyright to the photos or not. When site owner Harry Maugans requested clarification on exactly which wallpapers were copyrighted by Toyota, he was told that for them to cite specifics (in order to file proper DMCA Takedown Notices), they would invoice Desktop Nexus for their labor."






Intrepid iPhone developers bypass security for functionality
The Apple iPhone is vulnerable to a new bug related to the signing of iPhone applications. Applications that are created with the official iPhone SDK need to be cryptographically signed by the author and Apple before they’re allowed into the App Store or installed on an iPhone. The digital signing is a security measure that serves two purposes: helping to identify the developer in case of any problems, and making sure that an approved application hasn’t been modified.

An iPhone developer discovered the bug while looking for a way to duplicate a feature of Apple-created iPhone applications: dynamic default.png files. The default.png file is displayed when an iPhone application is launched and can be used as a static splash screen. When you quit an Apple-created application, it takes a snapshot of the screen and saves it as default.png within itself. The next time you start the app it loads the new default.png, and everything looks like it was when it was last run. The application hasn’t fully loaded yet, but the saved default.png trick makes it look that way.

Unlike Apple’s apps, those created by other developers can’t modify their default.png files. Since the default.png is stored within the application as a part of itself, it gets digitally signed. Modifying the image file and thus the app, makes the digital signature invalid. An alternative would be to use a default.png in the application’s data directory, but only the file within the application is supported on the iPhone.
...
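An added illustration of why the snapshot trick breaks third-party signatures. This is my own Python model, not Apple's signing format or any iPhone code: the signature covers a digest of every file inside the bundle, so rewriting Default.png inside the bundle invalidates it, while a file written to the app's data directory lies outside what was signed. An HMAC with a fixed key stands in for the developer's and Apple's private-key signatures, the `_CodeSignature` file name is a simplification of the real signature directory, and every file's content is constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Stand-in for the signing key; real bundles carry asymmetric signatures.
SIGNING_KEY = b"constructed-demo-signing-key"
SIG_NAME = "_CodeSignature"


def bundle_digest(bundle: Path) -> bytes:
    """Digest of every file in the bundle (path and content), excluding the signature."""
    h = hashlib.sha256()
    files = sorted(p for p in bundle.rglob("*") if p.is_file() and p.name != SIG_NAME)
    for f in files:
        h.update(str(f.relative_to(bundle)).encode() + b"\0")
        h.update(f.read_bytes() + b"\0")
    return h.digest()


def sign_bundle(bundle: Path) -> None:
    """What the developer's toolchain (and Apple) do once, before distribution."""
    sig = hmac.new(SIGNING_KEY, bundle_digest(bundle), hashlib.sha256).digest()
    (bundle / SIG_NAME).write_bytes(sig)


def verify_bundle(bundle: Path) -> bool:
    """What the loader does before launch: recompute the digest and compare."""
    sig_file = bundle / SIG_NAME
    if not sig_file.is_file():
        return False
    expected = hmac.new(SIGNING_KEY, bundle_digest(bundle), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig_file.read_bytes())


def make_app(root: Path):
    """Lay out a minimal signed bundle plus a separate data directory (constructed)."""
    bundle = root / "Demo.app"
    bundle.mkdir()
    (bundle / "Demo").write_bytes(b"constructed fake executable")
    (bundle / "Default.png").write_bytes(b"constructed static splash image")
    data_dir = root / "Documents"
    data_dir.mkdir()
    sign_bundle(bundle)
    return bundle, data_dir


def demo() -> tuple:
    """Returns (fresh bundle verifies, still verifies after writing the snapshot
    to the data directory, still verifies after overwriting Default.png in the bundle)."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle, data_dir = make_app(Path(tmp))
        snapshot = b"constructed screen snapshot taken at quit"
        fresh_ok = verify_bundle(bundle)
        (data_dir / "Default.png").write_bytes(snapshot)  # outside the signed bundle
        data_dir_ok = verify_bundle(bundle)
        (bundle / "Default.png").write_bytes(snapshot)  # inside it, as Apple's apps do
        in_bundle_ok = verify_bundle(bundle)
    return fresh_ok, data_dir_ok, in_bundle_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The third result is the developer's problem: a third-party app cannot re-sign itself, so any write into the bundle leaves it unverifiable, and the article's point is that the only signed-safe place for a dynamic splash image would be the data directory, which the iPhone does not consult for default.png.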






Cybersecurity advice for President-elect Obama to be previewed at SC World Congress
Greg Masters November 14, 2008
Recommendations from the Commission on Cyber Security for the 44th Presidency will be previewed at the SC World Congress.







Email ruse uses Federal Reserve Bank name to drop PDF exploit
Dan Kaplan November 14, 2008
Bucking the trend of declines in spam this week, a new socially engineered attack is making the rounds.






Black Friday Takedown Notices Hitting Mailboxes
While retailers don't anticipate a widely profitable Black Friday, they're already rounding up the lawyers to threaten websites that publish pre-released sale prices for the day-after-Thanksgiving shopping stampede.

Consider Wal-Mart, which has already begun sending takedown notices demanding the online removal of their Black Friday ads. Wal-Mart and a host of other retailing concerns perform this act every year ahead of Black Friday.






PLA armor brigade exercise fails due to computer virus
According to news.ifeng, an unidentified PLA armor brigade was the victim of a computer virus that caused electronic ammunition resupply orders to show up blank. During the force-on-force, Red and Blue exercise, operations were hampered due to a computer virus that left the main attack force without ammunition resupply.

During the exercise, the Red Army basic command post, command and control station, received information from the main attack force that 3/4 of their ammunition had been depleted. A resupply order was immediately sent to the rear command post. However, after transmission, the order form appeared blank.

Ten minutes later, the main attack force once again sent a request for ammunition resupply. They were told to wait, that the request for resupply had already been processed. In the end, the main attack force had no hope of getting their ammunition. The ammunition was exhausted, people died and the exercise was lost.

NOTE: When the article states that people died, they are speaking in terms of the exercise. There were no actual fatalities.

Friday, November 14, 2008

Security News Feed Friday 11/14/08

Google patches Chrome file-stealing bug
Google has patched its Chrome browser to prevent attackers from stealing files from PCs running the open-source app.





Apple plays catch-up, adds anti-fraud safeguard to Safari
Apple yesterday added anti-phishing protection to Safari, the last major browser to receive the feature that blocks known identity-stealing sites.





Data pain: University of Florida warns 333,000 dental school patients of breach






Storage, security raises issues for telepresence
Telepresence, the high-end form of videoconferencing now coming from several vendors, is the first technology that might let enterprises easily record high-quality versions of all their meetings, essentially with the press of a button.

Though recording and playback features for these systems are still emerging, some issues are already being raised, including storage capacity, liability and playback quality. Those problems may grow as more enterprises seek to cut back on travel and bring dispersed teams together through telepresence.





Sysadmin under house arrest for blackmailing finance company






New US travel security measure takes effect Jan 12 AP - Fri Nov 14, 7:40 AM ET
BRUSSELS, Belgium - U.S. officials say Europeans and others who travel visa-free to the United States must start registering their trips electronically as part of a new online security screening process which takes effect Jan. 12, 2009.






AVG Offers Free Subscription for Deleting Key File PC Magazine - Thu Nov 13, 6:40 PM ET
Security vendor AVG said Thursday that the company will offer a free year of service, after its antivirus software misidentified a key Windows system file as malware.






Despite Risks, Employees Still Holiday Shop at Work
As Cyber Monday approaches, research suggests a majority of workers will use their work computer to shop this holiday season. But despite the continued growth in online shopping, employees and business still don't understand the risk.






One Million UK Kids Make Illicit Online Purchases
Parents unaware kids are using their credit cards.






Researchers Find Flaws In Microsoft VoIP Apps (Nov 14, 2008)
Vulnerabilities could lead to denial of service attacks, researchers say







Widespread Account-Sharing Threatens Corporate Security, Revenues (Nov 13, 2008)
Many users break security defenses by simply handing over their credentials to colleagues, friends, experts say












"Monty Python's 'Dead Parrot sketch' — which featured John Cleese — is some 1,600 years old. A classic scholar has proved the point, by unearthing a Greek version of the world-famous piece. A comedy duo called Hierocles and Philagrius told the original version, only rather than a parrot they used a slave. It concerns a man who complains to his friend that he was sold a slave who dies in his service. His companion replies: 'When he was with me, he never did any such thing!' The joke was discovered in a collection of 265 jokes called Philogelos: The Laugh Addict, which dates from the fourth century AD. Hierocles had gone to meet his maker, and Philagrius had certainly ceased to be, long before John Cleese and Michael Palin reinvented the yarn in 1969."







Exploit-MS08-067 Bundled in Commercial Malware Kit
Probably the most widely reported topic in the Chinese security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted onto a well-known public repository site. Within a few days, the malware kit author WolfTeeth was quick to sell an MS08-067 port-scanning tool with attack capability to his “customers”, using free code from the Internet.






New attack targeting Windows Mobile phones
Angela Moscaritolo November 13, 2008
The attack on Windows mobile devices combines two old techniques used in the PC world.






Net Neutrality Advocates In Charge Of Obama Team Review of FCC






Palin 'Hacker' Trial Pushed Back to May






Chinese hacker attack flowchart

Thursday, November 13, 2008

Security News Feed Wednesday 10/13/08

Visa Tests Credit Card With Random Number Generator (Nov 11, 2008)
Built-in second factor of authentication could slow online card fraud






November Black Tuesday Overview
MS08-068
The NTLM protocol allows an attacking server to reflect credentials and use them against the client, gaining the rights of the logged-on user. Replaces MS06-030 and MS05-011.

MS08-069
Multiple vulnerabilities allow memory corruption (code execution with the rights of the logged-on user), cross-domain scripting and cross-domain information leaks. Replaces MS07-042.






Microsoft's exploit predictions are right less than half the time
Microsoft says its efforts to predict whether hackers will create exploit code for its bugs are a success -- even though the company got its first monthly forecast right less than half the time.





Microsoft explains seven-year-old patch delay
In a post to the Microsoft Security Response Center blog, MSRC spokesman Christopher Budd acknowledged the seven-year stretch between the time when the vulnerability was first discussed and when the patch was released. Then he launched into an explanation.
...
Microsoft may have been prompted to act by the appearance earlier this year of an SMB relay attack module for the popular open-source Metasploit penetration and attack framework, argued Schultze. "It looks like exploit code came out in the last four or five months," he said, which made it easier for someone to create the Metasploit module.





IBM's ISS blasts security rival Trend Micro over bugs





Spam plummets after Calif. hosting service shuttered
Spam volumes plunged by more than 40% after a major bot hosting network was shut down, researchers at IronPort Systems Inc. said today.

On Tuesday, McColo Corp. was kicked offline when its primary Internet providers severed its connection to the Web, reported The Washington Post, which led an investigation of the San Jose-based hosting service. According to the newspaper, McColo's clients included cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets.
...
"McColo was the hosting firm for some of the biggest spam botnets, including Srizbi and Rustock,"






Ancient IBM drive rescues Apollo moon data
Thankfully, the tapes stored at Sydney University were still available. However, what was not readily available was an IBM 729 Mark V tape drive needed to read the data.

The IBM 729 magnetic tape drive was used by IBM from the late 1950s through the mid-1960s. It used a half-inch magnetic tape that was up to 2,400 feet in length on a reel measuring up to 10.5 in. in diameter.







AVG Antivirus Update Mistakenly Deletes System File
NewsFactor - Tue Nov 11, 4:50 PM ET

An update for the AVG 8 antivirus software for Windows 2000, XP and Vista released Saturday mistakenly warned that the Windows system file user32.dll was a Trojan horse. The problem affected the Dutch, French, Italian, Portuguese and Spanish versions.






How Recessions Make Good People Do Bad Things
In a corporate environment, we tend to trust our co-workers -- but we might want to fight our instincts on this one.






Survey: Most Data Security Risks Internal
One in 10 employees surveyed admitted stealing data or corporate devices, selling them for a profit, or knowing fellow employees who did.






Federal Reserve phishing message leads to pornography. November 11, 2008
Phishing messages sent by the Srizbi botnet appear to be a pornographic advertisement.





Survey style Phish targets JPMorgan Chase & Co.






$1 million reward for arrest of cyberextortionists
Dan Kaplan November 12, 2008
A pharmacy benefits firm offers $1 million for information leading to the conviction of a band of data thief extortionists.







A questionnaire being sent to those seeking high-ranking posts in the Obama administration may be the most extensive — some say invasive — application ever.
Questionnaire for Job Applicants (pdf)







Anti-malware testing group release standards
News Brief, 2008-11-11
A coalition of security-software companies, testing firms and information-technology publications issue two sets of guidelines setting out the responsibilities of each group during software tests.







Marshal, 8e6 Technologies merge to form Marshal8e6
Internet security vendors Marshal and 8e6 Technologies have announced a merger to form a new...

Monday, November 10, 2008

Security News Feed Monday 11/10/08

Former IT employee sues Lehman Brothers over job losses
A software developer is suing his former employer Lehman Brothers Holdings Inc. in a $5 million lawsuit over the mass layoffs of IT staffers without the required notice.

The lawsuit was filed on behalf of over 100 former employees by computer programmer Miron Berenshteyen, who was laid off by the failed investment bank.
...
When Lehman Brothers filed for bankruptcy in September, it had 25,000 staffers in total, including more than 5,000 in the U.K. The bank spent $1.14 billion last year on IT.





Dell ships laptops with self-encrypting drives
Dell Inc. announced today that it is offering Seagate Technology LLC's self-encrypting hard drives in its Latitude laptops, Precision Mobile Workstations and OptiPlex desktops as a security precaution in case those machines are lost or stolen. Seagate also announced today that it has begun shipping its 320GB and 500GB self-encrypting disk drives to laptop manufacturers worldwide.

Seagate shipped its first 160GB, self-encrypting drive to a handful of resellers about a year and a half ago. But this announcement marks the first generally available release of Seagate's new, higher-capacity, self-encrypting Momentus drives.

Seagate said it has also partnered with McAfee Inc. to certify its ePolicy Orchestrator (ePO) management software for use with the drives.
...






ActiveX Poses Threat to Vista, Microsoft Says





Judge orders newly hired Apple VP to stop work





Thousands hit in broad Web hack
Hackers have launched a massive Web hacking campaign, putting malicious links on as many as 10,000 servers, security vendor Kaspersky Lab warned on Friday.

"We’re estimating that in the last two days alone, between 2,000 and 10,000 servers, mainly Western European and American ones, have been hacked," Kaspersky wrote on its Web site Friday, "It’s not yet clear who’s doing this."

The attackers are most likely using compromised accounts on the Web sites or launching what's known as a SQL injection attack, in which hackers trick Web sites' software into inadvertently running malicious commands.

The criminals add a line of JavaScript code onto the hacked sites that redirects victims to one of six servers. These sites, in turn, redirect the visitor to a server in China. That server can launch a variety of attacks, targeting known flaws in Firefox, Internet Explorer, Adobe Systems Inc.'s Flash Player and ActiveX, Kaspersky said.





Arizona state agency loses data on 40,000 children in disk theft
... the disks were stored in a leased storage unit at a local Extra Space Storage facility that was broken into on Oct. 14, and were part of a much broader array of items — including furniture and electronics — that were taken from multiple units at the facility.






Romanian NASA hacker gets suspended sentence






Survey: One DNS Server in 10 Is 'trivially Vulnerable'
Over a million of the Internet's DNS servers are still vulnerable to a cache-poisoning attack patched in July.






http://www.pcworld.com/businesscenter/article/153553/states_ramp_up_data_security_laws.html
Beginning on January 1, 2009, all businesses that collect personal data from or about Massachusetts residents will need to adopt a comprehensive written security program, conduct internal and external security reviews and complete employee training regarding their programs.






WPA Cracked - additional details
UPDATE: The WPA whitepaper is out: "Practical attacks against WEP and WPA" (from aircrack-ng website).

Yesterday, fellow handler Joel provided an early warning about the recently announced WPA Crack. Although we won't know all the technical details until next week (at least in whitepaper or presentation format), I tried to provide some light about this issue on my personal blog, RaDaJo. It is important to highlight that PoC exploit code is available.

The recommendation is simple: Migrate to WPA2! If for any reason you cannot do it before finishing reading this post, check some of the quick mitigation recommendations (like reducing the key renewal interval; please, test it before making the change on your production environment), and increase your wireless detection stance and check for multiple MIC failure messages.






7 Requirements of Data Loss Prevention
Incorporate best practices from many companies using DLP solutions.






CSO — SEATTLE (11/06/2008) - Antivirus developer SMobile released software this week to protect users of the G1 Android phone, although one security analyst wondered if people really need it.

Even though Android, the software developed by Google and running on just one phone sold by T-Mobile, is open source, it is unlikely to be more susceptible to malware than other, proprietary mobile operating systems, said Charlie Miller, principal analyst at Independent Security Evaluators and the researcher who found the first Android vulnerability.






Spam gets 1 response per 12,500,000 emails
techradar.com — A new study details how spammers – the bane of our email inboxes – still make pots of money, despite only receiving a response to one in every 12,500,000 emails they spam out.






Secret Service code names for new First Family
President-elect Barack Obama: Renegade
Michelle Obama: Renaissance
Malia Obama: Radiance
Sasha Obama: Rosebud
Vice President-elect Joe Biden: Celtic
Jill Biden: Capri






Anti-Terror Law Mission Creep in the U.K.
First terrorists, then trash cans:

More than half of town halls admit using anti-terror laws to spy on families suspected of putting their rubbish out on the wrong day.

Their tactics include putting secret cameras in tin cans, on lamp posts and even in the homes of 'friendly' residents.

The local authorities admitted that one of their main aims was to catch householders who put their bins out early.
Posted on November 7, 2008 at 8:18 AM







Critical Windows, Office fixes coming
Ryan Naraine: Microsoft is planning a small Patch Tuesday this month - just two bulletins affecting Windows and Office users.






Mephistopheles encounters the E.U.L.A.:
http://imgs.xkcd.com/comics/faust_20.png






Did the Chinese government sponsor White House cyberattacks?
Security CEOs say it's possible the Chinese government sponsored a White House cyberattack, and this isn't the first time state-sponsored hacking has occurred.






Google revises its OpenID implementation to accept all Relying Parties
Google got to its position in the pantheon of technology companies by not being always right. It...

Friday, November 7, 2008

Security News Feed Friday 11/07/08

Obama, McCain get a lesson in cybersecurityNews Brief, 2008-11-05
Both the Obama and McCain campaigns' computer systems were breached over the summer, allegedly by a foreign attacker, Newsweek reports.






Foreign governments attack White House, Obama, McCain campaign systems
In the middle of summer, Obama campaign leaders were told in no uncertain terms by the Secret Service and FBI that they had suffered a serious breach:

“You have a problem way bigger than what you understand,” an agent told Obama’s team. “You have been compromised, and a serious amount of files have been loaded off your system."






Adobe Reader vulnerability exploited in the wild
– these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has been recently published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.

And indeed – at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad.

The payload is in a JavaScript object embedded in the PDF document.
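A structural check for the kind of document described above, added here as an example and not part of the ISC diary or any vendor tool. Since the attackers tweaked the public PoC enough to get zero AV detections, the scanner below does not look for a signature of one sample; it walks the PDF's objects, pulls out any `/JS` script (inline string or referenced stream, inflating `/FlateDecode` streams), notes whether `/OpenAction` runs it automatically, and flags behaviour typical of a browser-style heap spray: `unescape(` of `%uXXXX` sequences and a loop growing a string by `.length`. It also flags calls to `util.printf`, which I add as a known dangerous Reader API of that period; the diary itself does not name the vulnerable function. The two PDFs are constructed, minimal and non-rendering: the "malicious" one carries a harmless NOP-sled-shaped string, nothing executable. Object `/Length` values are not checked.

```python
"""Flag PDFs that carry embedded JavaScript with heap-spray-style behaviour.

Added example. Parsing is deliberately simple: plain 'N G obj ... endobj'
objects, optional FlateDecode streams, no cross-reference table handling,
no object streams. Both sample PDFs below are constructed for this example.
"""
import re
import zlib

# Constructed sample: /OpenAction points at a JavaScript action whose script
# lives in a stream. The script body is an inert placeholder, not an exploit.
MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /JavaScript /J#53 5 0 R >> endobj
5 0 obj << /Length 60 >>
stream
var s = unescape("%u9090%u9090"); while (s.length < 0x1000) s += s;
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same skeleton, no scripting at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
JS_INLINE_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)", re.S)

# Behavioural indicators checked against each extracted script.
INDICATORS = {
    "unescape": re.compile(rb"unescape\s*\("),
    "shellcode_like": re.compile(rb"%u[0-9a-fA-F]{4}%u[0-9a-fA-F]{4}"),
    "spray_loop": re.compile(rb"while\s*\(.*?\.length\s*<", re.S),
    "util_printf": re.compile(rb"util\.printf"),   # added indicator, see lead-in
}


def normalize_names(data: bytes) -> bytes:
    """Undo #XX escapes in PDF names so an obfuscated /J#53 reads as /JS."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def parse_objects(data: bytes) -> dict:
    """Return {object number: body} for every 'N G obj ... endobj' in the file."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def stream_payload(body: bytes) -> bytes:
    """Return the stream bytes of an object, inflated if marked /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    raw = m.group(1)
    if b"/FlateDecode" in body:
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass   # corrupt or truncated stream: fall back to the raw bytes
    return raw


def extract_scripts(objects: dict) -> list:
    """Collect script bodies from /JS entries, inline or via 'N 0 R' references."""
    scripts = []
    for body in objects.values():
        if b"/JavaScript" not in body and b"/JS" not in body:
            continue
        ref = JS_REF_RE.search(body)
        if ref:
            scripts.append(stream_payload(objects.get(int(ref.group(1)), b"")))
        inline = JS_INLINE_RE.search(body)
        if inline:
            scripts.append(inline.group(1))
    return scripts


def score_pdf(data: bytes) -> dict:
    """Summarise scripting in a PDF: count, auto-run flag and matched indicators."""
    data = normalize_names(data)
    scripts = extract_scripts(parse_objects(data))
    hits = {name for s in scripts for name, rx in INDICATORS.items() if rx.search(s)}
    return {
        "scripts": len(scripts),
        "auto_run": bool(scripts) and b"/OpenAction" in data,
        "indicators": sorted(hits),
    }


if __name__ == "__main__":
    print("malicious:", score_pdf(MALICIOUS_PDF))
    print("benign:   ", score_pdf(BENIGN_PDF))
```

The indicators are behavioural, so a renamed variable or a re-encoded PoC still trips them, which is the gap the VirusTotal result exposes; the trade-off is false positives on legitimate forms that use JavaScript, so treat a hit as a reason to open the file in a sandbox rather than as a verdict.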







Instant Messaging: Friend or Foe?
by Ricky M. Magalhaes
Articles / Misc Network Security
Taking a look at the security fundamentals and IM risks associated with opening up the messaging client access to the world.






Virtual Worlds Riskier in Financial Crisis (Nov 05, 2008)
Criminals 'follow the money' to where virtual and real-world economies converge






Social Engineering: Eight Common Tactics
Stealing your company's 'hold' music, spoofing caller ID, pumping up penny stocks - social engineers blend old and new methods to grab passwords or profits. Being aware of their tricks is the first line of defense.







Apple leapfrogs RIM for #2 slot on smartphone sales list
Apple and RIM both made gains in smartphone market share at the expense of market leader Nokia. Microsoft has dropped to number four.
November 07, 2008 - 11:48AM CT - by Chris Foresman






November 2008 Advanced Notification
Posted Thursday, November 06, 2008 10:07 AM by MSRCTEAM
Hello, Bill here.
I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, Nov. 11, 2008 around 10 a.m. Pacific Standard Time.
It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.
As part of our regularly scheduled bulletin release, we’re currently planning to release two security bulletins:

· One Microsoft Security Bulletin affecting Microsoft Windows/Microsoft Office rated as Critical, and one affecting Windows rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.






Extortionists Target Major Pharmacy Processor

One of the nation's largest processors of pharmacy prescriptions said Thursday that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands.

St. Louis-based Express Scripts said that in early October it received a letter that included the names, birth dates, Social Security numbers and in some cases prescription data on 75 of its customers. The authors threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said in a statement.






Hackers launch PDF attacks, exploit just-patched Reader bug
A security researcher at the SANS Institute's Internet Storm Center warned Adobe Reader users to update their software as soon as possible now that attackers are exploiting a vulnerability in the software patched earlier this week.





FBI probes data theft blackmail scheme






Researcher: Android may not need antivirus software






Text Messaging, Facebook Can Get You in Legal Trouble





Politics: Obama Launches Change.gov







James Bond would like this:
20 Megapixel Cameras on Mobile Phones from Ericsson








Craigslist Tries To Close Major Security Breaches
SAN JOSE (CN) - Craigslist claims 12 copyright violators are selling illegal software with which users can bypass its security to post thousands of repetitive ads, maliciously interfering with Craigslist's business. The defendants advertise with statements such as, "I have unlimited phone numbers to verified craigslist accounts! Once you become my member, I will give you the discount to support your posting work!" according to the federal complaint.






http://www.avertlabs.com/research/blog/
Following on from Pedro’s blog yesterday [Election day is over] and the recent news that the computers of both Campaigners were hacked during the summer [Security focus blog], I wanted to give you a short overview of the different Malware we saw here at McAfee Avert Labs during the US Presidential race.

Due to the high media attention which Barack Obama received, it seems that the Malware Authors specifically targeted him instead of John McCain as a means of luring users into clicking on the Malware.

One of the first pieces of malware we saw which exploited the campaign was in August. This was a spammed email which contained a link to get_flash_updates.exe. The email contained the subject “Obama bribes countrymen to win votes”; if the user followed the link it would download Get_Flash_updates.exe, which was a BackDoor-DNM Trojan.







Sinowal Trojan Keylogger Grabs Half Million Bank Credit Accounts From Microsoft PC Users By Grey McKenzie 10/31/2008

Wednesday, November 5, 2008

Security News Feed Wednesday 11/05/08

Websense Security Labs ThreatSeeker Network has discovered further activity from malware authors using the news of the U.S. Presidential campaign outcome as bait to attract users into executing malicious executables. So far we have seen over 25,000 emails through our systems that use the technique described below. In a very quick response to the outcome of the U.S. Presidential election we have now seen both localized and globalized attacks.



The email offers news of Barack Obama's speech, recorded the day after the election results were published. Clicking on the link leads the user to a purposely registered domain which advises the user that they need to install the latest version of Adobe Flash player before the video can be viewed. The malicious Web site actually links to a file called 'adobe_flash.exe'








Why Law Departments Should Beware Super-Sized Firms

http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1202425818568&rss=newswire


Adobe fixes 6 flaws in Flash
For the second time in two days, Adobe Systems has issued a security update to fix multiple vulnerabilities in one of its most-popular programs, Flash Player.


Opinion: Card breaches shake faith in e-payments

Ex-Intel worker indicted on $1B trade secrets theft

Once thought safe, WPA Wi-Fi encryption is cracked

A smaller Window for Internet attacks

A jailbreak for Google's Android






Malware Piggybacks on Obama Win
http://voices.washingtonpost.com/securityfix/2008/11/malware_piggybacks_on_obama_wi.html

Cyber criminals are blasting out massive amounts of spam touting a video of President-elect Barack Obama's victory speech. Recipients who click the included link are taken to a site that prompts visitors to install an Adobe Flash Player update. The bogus update, however, is actually a data-stealing Trojan horse.

The messages, with such subject lines as "election results winner," and "the new president's cabinet?", and "fear of a black president," direct recipients to a site featuring a picture of Obama beneath an official U.S. government seal and the domain name america.gov (the real domain names used to host these fraudulent sites appear to differ from message to message). Beside Obama's visage is an embedded video player that reads "loading player." A few seconds after the site loads, the visitor is prompted to download the malware, disguised as "adobe_flash9.exe".







http://www.microsoft.com/security/portal/sir.aspx
The Latest Microsoft Security Intelligence Report
The Microsoft Security Intelligence Report (SIR) provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Using data derived from hundreds of millions of Windows users, and some of the busiest online services on the Internet, this report also provides a detailed analysis of the threat landscape and the changing face of threats and countermeasures and includes updated data on privacy and breach notifications. The fifth volume of the report is now available:
SIR Volume 5 (January through June 2008) and Key Findings Summary

Monday, November 3, 2008

Security News Feed Monday 11/03/08

Three ways Internet crime has changed
Rather than taking down high-profile networks, today's cybercriminals are quietly taking over vulnerable Web sites as part of an elaborate process in the underground economy.





ActiveX bugs pose threat to Vista, Microsoft reports
Although computers running Windows Vista are significantly less likely to be infected with attack code than machines running Windows XP, the newer operating system continues to be threatened by Microsoft Corp.'s own ActiveX browser plug-in technology, according to a report issued Monday by the company.

In the most recent installment of its twice-yearly security intelligence report, Microsoft said that PCs running Windows XP Service Pack 2 (SP2) were more than three times as likely to be infected with malware as computers running Windows Vista SP1. Machines powered by the newest XP security update, SP3, meanwhile, were more than twice as likely to be infected.
...
Microsoft's numbers echo data collected by Symantec Corp. for the latter half of 2007, when ActiveX bugs accounted for 79% of all those discovered in browser plug-ins during that period.






Windows 7 leaks to Web, pirates downloading






Revision of IT security rules could cost feds $600M over four years
A proposed bill aimed at strengthening the provisions of the Federal Information Security Management Act would require the U.S. government to spend an additional $610 million on FISMA implementation costs over the next four years if it is passed, according to an estimate by the Congressional Budget Office.

The CBO said in a cost estimate released on Tuesday (download PDF) that the bill could also affect spending on security by agencies, such as the U.S. Postal Service, that don't receive annual funding for compliance with the act. But any increase in costs at those agencies is likely to be relatively small and could be offset by increasing the fees they charge for their services, the CBO added.






Out of this world election: NASA astronauts vote from space






Antivirus 'Scareware' is Lucrative (Oct 31, 2008)
Rogue antivirus software circulating on the Web potentially making top distributors millions of dollars a year






Recycled Tapes Yield Data On Former Owners (Oct 30, 2008)
Study of 100 "recertified" tapes turns up sensitive data from major bank, hospital






New Phishing Attacks Target Legitimate Web Domain Owners (Oct 30, 2008)
Phishing campaign could be fallout from pressure to shutter notorious registrar associated with spammers, cybercrime






Google moving toward SSO with OpenID






MTV Pulls a Profit from Piracy
If you can't beat 'em, make money off 'em seems to be the new philosophy as MTV drops ads into copyrighted content.






Trojan Steals 500K Bank, Credit Card Log-ons
Russian gang kept 'extraordinary' malware on the prowl for nearly three years.





Virtual Heist Nets 500,000+ Bank, Credit Accounts
http://voices.washingtonpost.com/securityfix/2008/10/virtual_bank_heist_nets_500000.html
A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered.

Researchers at RSA's FraudAction Research Lab unearthed the massive trove of purloined data while tracking the activities of a family of spyware known as the "Sinowal" Trojan, designed to steal data from Microsoft Windows PCs.






DC Police Begin Random Searches of Metro Passengers' Bags
The District of Columbia has begun "random" searching of Metro rail passengers' bags. There is no information on which of the 86 rail stations or 12,000 bus stops would be subject to searches. Passengers will be confronted by police before entering train stations or boarding a bus. It is estimated that 1.2 million passengers use the rail and bus system each weekday. A protest by citizens in opposition to the searches is being planned for October 29, 2008 from 3-7 pm. Those interested should go to their most convenient Metro station.
Metro to Randomly Search Riders' Bags, Washington Post, October 28, 2008






MS08-067 Worm in the wild?
We have received a report of a wild MS08-067 worm.

Reference: http://www.f-secure.com/weblog/archives/00001526.html
Reported file size 16,384 bytes:
http://www.threatexpert.com/report.aspx?uid=919a973d-9fe1-4196-b202-731ebaaffa5d

Kaspersky Lab detects the new wave as Exploit.Win32.MS08-067.g and
Microsoft as Exploit:Win32/MS08067.gen!A.
Sophos uses the name Mal/Generic-A.






THIS IS WHY SSL PROXYING IS NECESSARY:
Web security firm warns of obfuscated code
News Brief, 2008-10-29
In its monthly whitepaper on Internet threats, Finjan describes a recent compromise at a corporation that succeeded because static software defenses failed to catch an encrypted attack.






Secure hash competition kicks off Robert Lemos, 2008-11-03
Dozens of amateur and professional cryptographers have joined the United States' first open competition for creating an uncrackable algorithm for generating hashes -- the digital fingerprints widely used in a variety of security functions.






In UK, 12M Taxpayers Lost With USB Stick
"Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost."






"Three strikes" P2P rule inches closer to law in France
France's "three strikes" legislation, which would cut off Internet access for repeat copyright infringers, has received the overwhelming support of the French Senate. The National Assembly still has to vote on the measure, but passage looks increasingly likely.
November 02, 2008 - 10:00PM CT - by Jacqui Cheng






Firefox Add-On Simulates Great Firewall Of China
Government oppression from the comfort of your own home... 09:41AM Sunday Nov 02 2008 by Karl Bode
User wifi4milez submits this Information Week report highlighting a new Firefox add-on that simulates the "Great Firewall of China." Users of the China Channel Firefox Add-on can experience what it's like to have your Internet access restricted by a highly oppressive government entity, if simply being spied on by your own government isn't enjoyable enough.

The plugin allows you to "take an unforgettable virtual trip to China and experience the technical expertise of the Chinese Ministry of Information Industry," say the plugin authors (who also offer this video). Torture and extensive imprisonment not included.






Penn hacker sentenced, avoids child porn charges AP - Wed Oct 22, 4:17 AM ET
PHILADELPHIA - A federal judge questioned why a white Ivy League student found during a computer hacking probe with thousands of images of child pornography was not charged with that crime, sparing him a decade-long prison sentence that a black convicted child pornographer faced at the same hearing.