December 2008 Advanced Notification
Posted Thursday, December 04, 2008 9:59 AM by MSRCTEAM
Hello, Bill here.
I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, Dec. 9, 2008 around 10 a.m. Pacific Standard Time.
It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.
As part of our regularly scheduled bulletin release, we’re currently planning to release eight security bulletins:
· Six Microsoft Security Bulletins rated as Critical and two rated as Important.
Digging Deeper Into the CheckFree Attack
The hijacking of the nation's largest e-bill payment system this week offers a glimpse of an attack that experts say is likely to become more common in 2009.
Atlanta-based CheckFree acknowledged Wednesday that hackers had, for several hours, redirected visitors to its customer login page to a Web site in Ukraine that tried to install password-stealing software.
While this attack garnered few headlines, there are clues that suggest it may have affected a large number of people. CheckFree claims that more than 24 million people use its services. Avivah Litan, a fraud analyst with Gartner Inc., said CheckFree controls between 70 and 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills consumers can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments.
A spokeswoman for Network Solutions, the Herndon, Va., domain registrar that CheckFree used to register its Web site name, told Security Fix Wednesday that someone had used the correct credentials needed to access and make changes to CheckFree's Web site records.
Mumbai Terrorists Used Google Earth, Boats, Food
The Mumbai terrorists used Google Earth to help plan their attacks. This is bothering some people...
Think tank panel recommends that feds make major cybersecurity changes
A commission set up by a think tank said in a report that the U.S. government should impose sweeping new cybersecurity regulations on businesses and create a centralized cybersecurity office in the White House.
Vulnerabilities play only a minor role in malware spread, says researcher
Computer users are their own worst enemies, a security company warned today as it released data that showed software bugs were the source of just 5% of the year's infections.
The majority of the attacks carried out by 2008's top 100 pieces of malware were caused by users surfing to malicious sites, then accepting some kind of download, Trend Micro Inc. researchers said today.
From Jan. 1 to Nov. 25, the top 100 attack programs infected 53% of their victims by duping them into downloading something from the Internet. An additional 12% of the infections tracked globally were caused by users opening e-mail attachments.
Just 5% of the infections were related to an exploit of a software vulnerability, said Trend's analysis.
A brief tour of the software pirate underground scene
When people think of software pirates, they usually envision college kids downloading games off BitTorrent, or adults getting too-good-to-be-true bargains on eBay, or street stalls lined with DVDs in Third World cities.
The real pirate scene, however, is much larger and hidden, and yet in plain sight, say experts.
Feds Nab More Members of Alleged Identity Theft Gang
Federal authorities say they have taken another step toward busting a multinational identity-theft ring that allegedly used stolen personal data to withdraw millions of dollars from home equity line-of-credit accounts at U.S. banks.
Four U.S. residents were arrested in late November in connection with the scheme, which netted more than $2.5 million, according to the U.S. attorney's office in New Jersey. Four other men had been arrested between August and October.
Fugitive Danish IT chief surrenders to L.A. police
Stein Bagger, the head of a Danish IT company wanted for fraud by Interpol, surrendered to L.A. police on Saturday.
FAQ: Why Obama may give up his BlackBerry while he's in the White House
Could Barack Obama ever expect to continue using his BlackBerry once he officially becomes president?
According to experts on security, mobile phones and presidential communications, the answer is no.
Facebook Worm Refuses to Die
PC World - 1 minute ago
A worm program that has been tricking Facebook users into downloading malicious software since July has resurfaced.
Court Allows Spyware Program to Go Back on Sale
PC World - 6 minutes ago
A Florida company that sells a spyware program must change advertising pitches that emphasize the product's clandestine nature, but the company can continue to sell the application, a U.S. federal court has ruled.
China irks US with computer security review rules
AP - Mon Dec 8, 10:30 AM ET
BEIJING - The Chinese government is stirring trade tensions with Washington with a plan to require foreign computer security technology to be submitted for government approval, in a move that might require suppliers to disclose business secrets.
Microsoft, RSA Partner To Integrate DLP, Identity Management
Dec 04, 2008
Broad adoption of data classification technology could be "game changer" for both DLP and Microsoft
Popular Home DSL Routers At Risk Of CSRF Attack
Dec 03, 2008
Researcher demonstrates ease of hacking home routers with insidious cross-site request forgery (CSRF) attack
Adobe Admits New PDF Password Protection is Weaker
Adobe made a critical change to the algorithm used to password-protect PDF documents in Acrobat 9, making it much easier to recover a password and raising concern over the safety of documents, according to Russian security firm Elcomsoft.
Elcomsoft specializes in making software that can recover the passwords for Adobe documents. The software is used by companies to open documents after employees have forgotten their passwords, and by law enforcement services in their investigations.
For its Reader 9 and Acrobat 9 products, Adobe implemented 256-bit AES (Advanced Encryption Standard) encryption, up from the 128-bit AES encryption used in previous Acrobat products.
The original 128-bit encryption is strong, and in some cases it would take years to test all possible keys to uncover a password, said Dmitry Sklyarov, information security analyst with Elcomsoft.
But the change in the underlying algorithm for Acrobat 9 makes cracking a weak password -- especially a short one with only upper and lower case letters -- up to 100 times faster than in Acrobat 8, Sklyarov said. Despite the move to 256-bit encryption, the change to the algorithm still undermines a document's security.
MySpace gripe about patient sparks federal privacy complaint
Healthcare workers are as prone to kvetching about work as the rest of the human race, but especially in the Internet era, medical privacy statutes mean venting in the wrong venue can have dire consequences. Stephanie Sicilia, an employee at an OB/GYN office in McKees Rocks, Pennsylvania, has discovered that the hard way: A woman who read some trash talk about patients on Sicilia's MySpace page has filed a complaint with the Department of Health and Human Services, alleging that the posts violate the Health Insurance Portability and Accountability Act.
Return of the Mega-D
December 4, 2008
Spam increases again due in no small part to Mega-D.
First Thing We Do Is Automate Away All The Lawyers...
from the paraphrasing-shakespeare dept
Since we write about an awful lot of lawsuits and public policy issues around here, we often can be pretty harsh on lawyers (admittedly, we often fall short of appreciating the good lawyers who protect everyone from the worst abuses). But, one thing that has seemed pretty clear is that, by opening up more legal issues, the pace of technology innovation has increased the demand for more lawyers. But will that always be the case? Apparently, some believe that a business ripe for disintermediation, thanks to the internet, will be the legal profession. The idea is that a lot of basic (high margin) legal work can now be automated. Part of this is probably true. The amount that businesses have to pay for fairly routine processes can be quite ridiculous at times.
However, I doubt that the legal profession is really facing a shift as major as those facing, say, the entertainment industry. It may cut out some margins on the low end of stuff usually handled by paralegals or new associates, but it seems likely that there will be plenty of room for lawyers. Sometimes, in fact, it seems like our elected representatives are really mostly focused on a program of "full employment for lawyers," by passing laws that only require more lawyers.
Spore's DRM So Effective It Was The Most Downloaded Game Of The Year
from the nice-work,-EA dept
It never really made sense for EA to be so insistent on having draconian DRM on games. Before the company even launched Spore people made it quite clear the plan would backfire, but EA went forward with it anyway, creating a PR nightmare. And all for what? Turns out (not surprisingly) the DRM didn't do squat to stop unauthorized file sharing. Spore has now been declared the most downloaded video game of the year. And, even though the year's not over, no other game is going to catch up. And, it's worth noting, the game only launched in October, so this is only over a couple of months. In other words, EA's "antipiracy strategy" backfired almost completely. The company got a huge PR black eye which probably only encouraged more people to download the game via file sharing. Can someone explain, again, why any company thinks DRM works?
Interesting Conflict
By MILT POLICZER
Here's an interesting conflict of interest question: Can you accept clients who may want to sue an industry that paid for your education?
Think of it in medical terms. Do you really want to get prescriptions from a doctor that went to Johnson & Johnson University?
Much as I love idle questions, this isn't one because I was astonished to spot a press release the other day that began with this: "Boston College Law School has announced a $3.1 million gift from Liberty Mutual Group to establish the Liberty Mutual Insurance Professorship in property and casualty insurance law."
It's brilliant!
Liberty Mutual just stopped a substantial group of potential Massachusetts lawyers from ever being able to take a case against them. In fact, if you want to get fussy about it, all those BC law students may never be able to sue anyone in the insurance industry.
DNSChanger Trojans v4.0
Earlier today SANS posted an excellent blog on a recent variant of a DNSChanger Trojan. There are some significant implications to this threat, but before I go into those, here’s a brief rundown of the main DNS-changing Trojan tactics used to date:
Modify the Windows Hosts file to map specific domain names to specific IP addresses (McAfee classifies these Trojans as QHOSTS Trojans, more of a precursor to DNSChangers)
Modify Windows registry settings to reference specific (rogue) DNS servers [DNSChanger.f]
Create a scheduled task under Mac OS X to reference specific (rogue) DNS servers [OSX/Puper]
Exploit cross-site request forgery vulnerabilities in routers to overwrite the DNS server configuration offered to local area network clients [DNSChanger.f]
We’ve now seen a new tactic, which has the potential of impacting most devices on the local network, independent of the operating system or device (Windows, Linux, Internet-capable MP3 players, digital picture frames, refrigerators, you name it). The tactic involves serving the rogue DNS server configuration over DHCP, the protocol responsible for distributing dynamic IP addresses as well as other information, including DNS settings.
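Because a rogue DHCP server pushes its resolvers in option 6 of a DHCPOFFER/DHCPACK, a defender can watch the DHCP traffic on a segment and flag any offered DNS server that is not on the site's allowlist. The following is an added example, not code from McAfee or the SANS post; the trusted resolver address, the rogue DHCP server address and the two outside resolver addresses are constructed sample values.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP option field
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255

def parse_dhcp_options(option_field: bytes) -> dict:
    """Parse the TLV option area of a DHCP message (magic cookie first).
    Returns {option_code: raw value}; pad bytes are skipped, end stops parsing."""
    if not option_field.startswith(MAGIC_COOKIE):
        raise ValueError("no DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(option_field):
        code = option_field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(option_field):
            raise ValueError("truncated option header")
        length = option_field[i + 1]
        value = option_field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def ipv4_list(raw: bytes) -> list:
    """Decode the run of 4-byte IPv4 addresses carried by option 6."""
    if len(raw) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]

def rogue_dns_in_offer(option_field: bytes, trusted_dns: set) -> list:
    """Return resolvers in a DHCPOFFER/DHCPACK that are not on the allowlist."""
    opts = parse_dhcp_options(option_field)
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (2, 5):   # 2 = OFFER, 5 = ACK
        return []
    return [ip for ip in ipv4_list(opts.get(OPT_DNS, b"")) if ip not in trusted_dns]

def build_offer(server_id: str, dns: list) -> bytes:
    """Build a constructed DHCPOFFER option field (sample input only)."""
    body = bytes([OPT_MSG_TYPE, 1, 2])
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    body += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    return MAGIC_COOKIE + body + bytes([OPT_END])

TRUSTED_DNS = {"192.168.1.1"}                      # constructed: the site's real resolver
ROGUE_OFFER = build_offer("192.168.1.250", ["198.51.100.53", "203.0.113.53"])  # constructed
GOOD_OFFER = build_offer("192.168.1.1", ["192.168.1.1"])                        # constructed

if __name__ == "__main__":
    print("rogue resolvers offered:", rogue_dns_in_offer(ROGUE_OFFER, TRUSTED_DNS))
```

In practice the option field comes from a packet capture on UDP port 67/68; any hit is worth correlating with the option 54 server identifier, since a DHCP server address that is not your own is itself the alert.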
5 Things I bet you didn't know your Cisco ASA FW could do by Jamey Heary
I've compiled 5 very useful ASA features that I find most customers don't know about yet. You've probably heard of one or...