Friday, January 30, 2009

Friday 01/30/09

P2P networks rife with sensitive health care data, researcher warns
Data leaks over P2P networks involving the health care sector pose a significant threat to patients, providers and payers, a study by a Dartmouth researcher finds.

----------

With economic slump, concerns rise over data theft
January 29, 2009 (IDG News Service) Is the worsening economic situation going to turn some employees into data thieves?

That's a top concern amongst IT decision-makers, many of whom say that laid-off employees are the biggest security threat created by the economic downturn. In a McAfee Inc.-sponsored worldwide survey (registration required) of 1,000 IT decision-makers, the company found that 42% of respondents felt that laid-off employees represented the biggest IT security threat caused by the recession. That's more than were worried about outside intruders. And 36% said that they were worried about security problems caused by employees in financial stress.

Crime rates spike during hard times, and with thousands of workers being laid off each week lately, there may be an added incentive for laid-off employees to take intellectual property with them to bolster their chances of getting hired with a competitor, to use with a start-up company of their own, or maybe even to sell.

----------


Feds allege plot to destroy Fannie Mae data
AP - 34 minutes ago
HAGERSTOWN, Md. - A fired Fannie Mae contract worker pleaded not guilty on Friday to charges he planted a virus designed to destroy all the data on the mortgage giant's 4,000 computer servers nationwide, according to federal prosecutors.

----------

About 90 Percent of All Corporate Email is Spam

----------

AVG Notes Rise in Number of Malicious Web Sites
Web sites rigged with malicious code are becoming more numerous by the day, according to new research from security vendor AVG...

----------

Third-Party Cookie Use on WhiteHouse.gov Questioned
Privacy advocates are concerned about a new waiver to Web site's privacy policy.

----------

SQL Server Database Hack Tricks Forensics
Jan 29, 2009
Black Hat researcher will show how the bad guys can use a database's own features against it

----------

Microsoft Study: Users Worry About Privacy But Know Little About Threats

----------

Worm Floats Obama's Head on your Desktop
Should a floating head of U.S. President Barack Obama pop up on your desktop Monday morning, know this: You've been hit with the Obama worm.

----------

Google Earth reveals two-acre field of weed to Swiss police

----------

Posted at 12:59 PM ET, 01/30/2009
Troubled Ukrainian Host Sidelined

A Ukrainian Web hosting provider that, according to published reports, has long served as home base to a prolific and invasive family of malicious software has been taken offline following abuse reports from Security Fix to the company's Internet provider.

Since at least 2005, and perhaps earlier, an entity known as UkrTeleGroup Ltd. has hosted hundreds of Web servers that control a vast network of computers infected with some variant of "DNSChanger," according to security software vendor McAfee, which monitors worldwide malware. DNSChanger is a Trojan horse program that changes the host system's settings so that all of the Internet traffic flowing to and from the infected computer is sent through servers controlled by the attackers.

In a report issued last month, McAfee said it found more than 400 DNS servers on UkrTeleGroup's network that appeared to be set up to redirect Web traffic for systems infected with DNSChanger.

UkrTeleGroup has been sharing Internet address space with a customer of Miami-based FPL FiberNet LLC, a subsidiary of FPL Group, a publicly-traded (NYSE:FPL) company that claims roughly $15 billion in annual revenues. FPL is not accused of wrongdoing.
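Because DNSChanger works by rewriting the host's resolver settings, one cheap defender-side check is to compare the resolvers a machine is actually configured to use against the set the organization operates. The script below is an added example, not code from Security Fix or McAfee; the allowed networks and the sample resolv.conf content are constructed placeholders, and the addresses are documentation ranges rather than anything from the reports cited above.

```python
"""Audit resolver configuration against an organization's allowlist.

DNSChanger-style malware points the host at attacker-controlled resolvers so
every lookup (and therefore every connection) can be steered. Comparing the
configured resolvers with the expected set catches that change without any
signature for the malware itself.
"""
import ipaddress

# Hypothetical: the resolver networks the organization actually operates.
ALLOWED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed sample of a resolv.conf after a suspicious change.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not from a real host
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.7   # not one of ours
nameserver not-an-ip
"""


def parse_unix_resolvers(text):
    """Extract the 'nameserver' addresses from resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                found.append(parts[1])
    return found


def audit_resolvers(addresses, allowed=ALLOWED_RESOLVERS):
    """Return (address, verdict) pairs: 'ok', 'unexpected' or 'invalid'."""
    findings = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, "invalid"))
            continue
        if any(ip in net for net in allowed):
            findings.append((addr, "ok"))
        else:
            findings.append((addr, "unexpected"))
    return findings


def flagged(text):
    """Resolvers in the given config that are not on the allowlist."""
    return [addr for addr, verdict in audit_resolvers(parse_unix_resolvers(text))
            if verdict != "ok"]


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(parse_unix_resolvers(SAMPLE_RESOLV_CONF)):
        print(f"{addr:20} {verdict}")
```

Running the check periodically from an endpoint agent, and alerting on any "unexpected" resolver, turns the behaviour McAfee describes into a simple configuration drift alarm; the same comparison applies to DHCP-assigned resolvers on Windows hosts, which the snippet does not parse.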


----------

Google fixes security vulnerabilities in Chrome

----------

It seems that the DRM on the PC version of Gears of War came with a built-in shut-off date; the digital certificate for the game was only good until January 28, 2009. Now, the game fails to work unless you adjust your system's clock. What is Epic's response? 'We're working on it.'

----------

Microsoft neuters UAC in Windows 7
Adrian Kingsley-Hughes: In an attempt to make Windows 7 generate fewer UAC (User Account Control) prompts Microsoft has neutered the mechanism to the point where it's next to useless.

----------

Lawyer Sues Citibank For Not Stopping Him From Losing Money In Nigerian Scam
from the blame-goes-around dept
A lawyer in Houston is suing Citibank after he got scammed in a variation on the classic Nigerian email scam. There are a few interesting tidbits here that are worth discussing. First, the details: the lawyer, who does collections work, was contacted via email by a company that claimed to be a Japanese company that was trying to collect money from four clients in the US -- offering a contingency fee to the lawyer for help in getting the customers to pay up. Soon after that, the "Japanese company" claimed that one client had agreed to pay some of what it owed -- and it sent the law firm a check for $367,500. Citibank said the check cleared, and the law firm wired $182,500 to the company. Of course, it later turned out that the check was fraudulent, and the law firm was out the $182,500.

This is a variation on a popular version of the Nigerian email scam. The way it usually works is that the scammer buys something that's for sale... and then sends a check that's for significantly more than the purchase price using some sort of excuse. Once the check "clears," the seller is asked to wire back the excess money. This version is interesting in that it's slightly more sophisticated -- carefully going after law firms that do collections. Rather than being a totally "out of the blue" situation, they worked hard to make it seem like business as usual until the scam is done. Sneaky.

While it's easy to mock the lawyer for getting tricked, the basic version of the scam and this more sophisticated version both rely on a very unclear part concerning check processing. Most people assume that once a check "clears" it's confirmed as valid. That's not true. Banks clear the check before it's actually validated, and the scammers exploit both the time between these two events and the fact that most people assume (or are told) that once a check clears, the money is definitely theirs. There are a few ways to solve this that banks could take. They could not clear the check until it's absolutely declared valid. Or, they could make it much clearer that, while the money is available, the check has not been validated and the money could be pulled. Since most banks do neither, the guy's lawsuit against Citibank is at least somewhat understandable -- though, it's unlikely a court will agree with him.

----------

6-Month Sentence in Prostitution Case
MANHATTAN (CN) - Cecil Suwal was sentenced to 6 months in prison on Thursday for his part in the Emperors Club VIP online prostitution ring that brought down Gov. Eliot Spitzer. Suwal, 24, was sentenced for conspiring to promote prostitution and to launder money. He ran the company's Web site, the U.S. Attorney's Office said.

----------

CIA Spy Enlisted Son to Collect Espionage Debts, Feds Say
The son of a disgraced CIA agent convicted of funneling classified information to the Russians was indicted Thursday on allegations of helping his imprisoned father collect overdue bills for his dad's nefarious activities.

Wednesday, January 28, 2009

Wednesday 01/28/09

Microsoft SharePoint: A Weak Link In Enterprise Security?
Jan 28, 2009
Popular collaboration tool is easy to deploy, but hard to secure, experts say
Jan 28, 2009 05:50 PM
By Tim Wilson DarkReading

SharePoint, one of the fastest-growing applications in the Windows environment, may also be turning into one of its most serious security liabilities, according to researchers and security vendors.

The SharePoint collaboration tool, which has been licensed more than 85 million times to an estimated 17,000 companies, is one of the easiest-to-use tools in the Windows suite, experts say. In fact, it's so simple that many employees and workgroups deploy it without even asking the IT department for help. But this ease of use has a price: Many IT organizations haven't properly secured their SharePoint deployments, and many others don't know what sensitive data might be stored or exchanged there.

In a survey published earlier this week and sponsored by security vendor Trend Micro, Osterman Research reported that only 60 percent of companies have deployed security tools specifically for SharePoint, while the other 40 percent are relying on traditional server and endpoint security applications. But founder and president Michael Osterman observes that SharePoint data tends to travel beyond these boundaries -- SharePoint data is often shared across networks and applications, and sometimes even outside the company.

"Deploying antimalware software at the endpoint or on a server does not fully secure the SharePoint environment -- the underlying database, Web pages, etc.," Osterman says.

Osterman's findings are supported by another study conducted by Courion, also a SharePoint security provider, back in September. In that study, Courion found that 25 percent of IT managers believed their SharePoint security was weak, or that they weren't sure and were worried about it. Nine percent of respondents said their organizations had suffered a breach that may have been attributable to a leak of sensitive data from SharePoint.

...

"The shocking truth that this survey validates is that enterprises are deploying collaboration applications with little to no security policies that can enforce access controls," Buckley said. Such deployments may not only make organizations vulnerable to breaches, but also may jeopardize their compliance with regulatory requirements, he noted.






Cookie use in YouTube videos on WhiteHouse.gov prompts privacy concerns
The Obama administration is already facing an IT controversy: Privacy advocates are criticizing its decision to let third-party cookies be installed in video files on the White House Web site.





IE8's clickjacking protection will have 'zero impact,' says researcher
January 28, 2009 (Computerworld) Microsoft Corp. provided more information today about how Internet Explorer's new anti-clickjacking feature works, but one of the researchers who first reported the problem last year said it will have "zero impact" on protecting users.

Clickjacking is the term given last September to a new class of browser-based attacks that tricks users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and they theoretically can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer's security settings to make it vulnerable to additional attack.
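The IE8 mechanism the article refers to is the X-Frame-Options response header, which tells the browser whether a page may be rendered inside a frame on another site. The following added example (not code from Computerworld or Microsoft) audits a set of constructed HTTP responses for that protection; it also recognizes the later Content-Security-Policy frame-ancestors directive, which current browsers prefer, so it goes beyond the IE8-only scope of the article. The sample paths and headers are constructed.

```python
"""Classify an HTTP response's framing policy as a clickjacking defence.

Clickjacking relies on loading the victim page inside an attacker-controlled
frame. A response that forbids framing (DENY / 'none') or limits it to its own
origin (SAMEORIGIN / 'self') closes that avenue in browsers that honour the
header; a response with neither header is 'unprotected'.
"""


def framing_policy(headers):
    """Return 'denied', 'same-origin', 'restricted' or 'unprotected'.

    headers: mapping of header name -> value; names are matched
    case-insensitively. CSP frame-ancestors takes precedence over
    X-Frame-Options, mirroring how current browsers resolve the two.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            return "restricted"   # explicit list of permitted framers

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):   # legacy IE-only form
        return "restricted"
    return "unprotected"


# Constructed sample responses, keyed by request path.
SAMPLE_RESPONSES = {
    "/login": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "/account": {"Content-Type": "text/html", "x-frame-options": "sameorigin"},
    "/embed": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "/transfer": {"Content-Type": "text/html"},
}


def audit_responses(responses):
    """Map each path to its framing policy so unprotected pages stand out."""
    return {path: framing_policy(headers) for path, headers in responses.items()}


if __name__ == "__main__":
    for path, policy in audit_responses(SAMPLE_RESPONSES).items():
        print(f"{path:12} {policy}")
```

The point the researcher quoted in the article makes still stands: the header only helps on sites that send it and in browsers that honour it, so an audit like this is most useful for finding the sensitive pages (here, the constructed "/transfer") that ship with no framing policy at all.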






Russian 'cybermilitia' knocks Kyrgyzstan offline
Same tactics used in '08 attack against Georgia, but hackers getting faster, says researcher

January 28, 2009 (Computerworld)

A Russian "cybermilitia" has knocked the central Asian country of Kyrgyzstan off the Internet, a security researcher said today, demonstrating that the hackers are able to respond even faster than last year, when they waged a digital war against another former Soviet republic, Georgia.

Since Jan. 18, the two biggest Internet service providers in Kyrgyzstan have been under a "massive, sustained distributed denial-of-service attack," said Don Jackson, the director of threat intelligence at SecureWorks Inc.






Third State Department worker pleads guilty to passport snooping






Marshal8e6 Security Threats Released
January 28, 2009
The Marshal8e6 Security Threats report is now available. It is our latest roundup of security threats encountered by TRACE security analysts.








Malware Swipes Millions of Credit Cards
By John Borland 01/22/2009
A security breach shows failings in security rules.

Tens of millions of credit cards could be at risk of fraudulent use thanks to a serious computer-security breach at financial-transactions company Heartland Payment Systems. Earlier this week, Heartland revealed that a piece of malicious software, apparently installed inside the company's transaction-processing system last year, had compromised credit-card data as it crossed the network.

The breach was announced on Tuesday--the day of the U.S. presidential inauguration--and, according to some experts, it shows that attackers are successfully defeating the financial industry's tough computer-security rules. "The potential is certainly there for this to be one of the biggest, if not the biggest breach we've seen," says Rich Mogull, founder of computer-security consulting company Securosis. "Something huge had to have gone wrong here."

It's not clear precisely what kind of malicious software was used, or how many credit-card accounts were compromised. But company president Robert Baldwin has said that Heartland handles as many as 100 million transactions per month.

Tuesday, January 27, 2009

Tuesday 01/27/2009

Coming soon: Full-disk encryption for all computer drives
The six largest hard drive makers, acting as part of the Trusted Computer Group, have unveiled final specifications that will allow full-disk encryption on all consumer and enterprise-class devices.






Groups push for health IT privacy safeguards

U.S. lawmakers need to make sure privacy safeguards are in place before pushing electronic health records (EHR) on the public, senators and witnesses said at a Senate Judiciary Committee hearing today.


Health IT improvements are needed to improve the quality and efficiency of health care in the U.S., but patients might be wary of electronic health records without strong privacy safeguards built in, Sen. Patrick Leahy (D-Vt.) said.

Why Your Church Needs a Security Plan
The FBI does not keep statistics that specifically correlate violent incidents in churches. But Jeffrey Hawkins believes a glance at the headlines on many days will turn up at least one incident involving a faith-based organization.

Hawkins, most recently a chief security officer for a large international Christian ministry, has more than 27 years in security, risk management, and law enforcement. He recently launched the Christian Security Network, a niche organization he says will fill a gap in the security-services industry.

The Christian Security Network will offer consulting and training for faith-based organizations, with an emphasis on Christian churches.








ICANN ponders ways to stop scammy Web sites
The Internet Corporation for Assigned Names and Numbers (ICANN) has issued an initial report (download PDF) on fast flux, a technique that allows a Web site's domain name to resolve to multiple IP addresses.

Fast flux allows an administrator to quickly point a domain name to a new IP address, for example, if the server at the first address fails or comes under a denial-of-service attack. It is legitimately used by content-distribution networks such as Akamai Technologies Inc. to balance loads, improve performance and lower data-transmission costs.

But the technique has also been embraced by hackers and cybercriminals, who use it to make it harder for Internet service providers and law enforcement officials to close down phishing Web sites and other sites illegally hawking goods such as pharmaceuticals.
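The signals that separate fast-flux hosting from an ordinary CDN are the ones the report describes: a name that resolves to many unrelated addresses, with short TTLs so the rotation is quick. The script below is an added example, not code from ICANN or the report, that scores constructed passive-DNS style observations on those three properties. The domain names and addresses are placeholders from documentation ranges, and the thresholds are arbitrary starting points for tuning.

```python
"""Heuristic fast-flux triage over passive-DNS style observations.

Fast flux rotates a name through many IP addresses with short TTLs. Content
distribution networks do something similar for load balancing, so the score
is a triage signal to be followed up (registrar, ASN diversity, hosting
type), not a verdict on its own.
"""
from collections import defaultdict
import ipaddress

# Constructed observations: (domain, answer_ip, ttl_seconds).
OBSERVATIONS = [
    ("shop.example", "192.0.2.10", 3600),
    ("shop.example", "192.0.2.10", 3600),
    ("shop.example", "192.0.2.11", 3600),
    ("pharma-deals.example", "198.51.100.4", 180),
    ("pharma-deals.example", "203.0.113.77", 180),
    ("pharma-deals.example", "198.51.100.201", 120),
    ("pharma-deals.example", "203.0.113.8", 60),
    ("pharma-deals.example", "192.0.2.99", 60),
    ("pharma-deals.example", "198.51.100.33", 60),
]


def summarize(observations):
    """Per domain: distinct answer IPs, distinct /16 prefixes and all TTLs."""
    per_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for name, ip, ttl in observations:
        entry = per_domain[name]
        entry["ips"].add(ip)
        # /16 is a crude stand-in for "different network"; ASN lookup is better.
        prefix = ipaddress.ip_network(f"{ip}/16", strict=False)
        entry["prefixes"].add(str(prefix))
        entry["ttls"].append(ttl)
    return per_domain


def flux_score(stats, min_ips=5, min_prefixes=3, max_ttl=300):
    """Score 0-3: one point each for many IPs, scattered prefixes, short TTL."""
    score = 0
    if len(stats["ips"]) >= min_ips:
        score += 1
    if len(stats["prefixes"]) >= min_prefixes:
        score += 1
    if min(stats["ttls"]) <= max_ttl:
        score += 1
    return score


def suspicious_domains(observations, threshold=2):
    """Domains whose score reaches the threshold, sorted for stable output."""
    return sorted(name for name, stats in summarize(observations).items()
                  if flux_score(stats) >= threshold)


if __name__ == "__main__":
    for name, stats in summarize(OBSERVATIONS).items():
        print(f"{name:24} ips={len(stats['ips'])} prefixes={len(stats['prefixes'])} "
              f"min_ttl={min(stats['ttls'])} score={flux_score(stats)}")
    print("suspicious:", suspicious_domains(OBSERVATIONS))
```

In practice the prefix count should come from ASN data rather than a /16 mask, and known CDN ranges should be allowlisted, otherwise the legitimate uses the report mentions (Akamai and similar) score just as high as abusive ones.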







Hackers exploit Obama site to spread malware
My.BarackObama.com still serving up Trojan a week after being notified, says Websense






Reflex offers secure virtual systems management






Security Firm Sees Alarming Rise in ‘Transient’ Threats PC World - Tue Jan 27, 10:52 AM ET
Anti-virus firm AVG Technologies says an alarming rise in the number of virus-laden sites that are here today and gone tomorrow is causing security experts to re-think traditional virus protection strategies.






Former Energy Worker Admits Trying To Sell Nuclear Secrets
Jan 27, 2009
Janitor pleads guilty to offering next-generation nuclear materials to France in exchange for $200,000






Used MP3 Player Comes With Secret Military Files
New Zealand man paid $10 for an MP3 player that surprisingly included military personnel lists and a mission briefing.






Post-McColo, Spam Is Back with a Vengeance
NewsFactor - 1 hour, 55 minutes ago
The e-mail-using world rejoiced in November when the McColo network was busted and spam levels dropped 70 percent. But spam levels are now back up 150 percent, according to Postini Message Security.






Monster.com Reports Another Breach Of Its User Database
Jan 26, 2009
Attackers accessed usernames and passwords, as well as email addresses and phone numbers, popular job-hunting site says







Mac malware will become endemic amongst high-risk groups
Adam O'Donnell: Two Mac trojan outbreaks were spotted in the past week leaving several people, including myself, to wonder if the tipping point for the Mac malware epidemic has arrived.






RIAA Found To Have Sued Yet Another Woman Without A Computer







Email worm spreads under guise of Valentine's Day greetings
Angela Moscaritolo January 27, 2009
The criminal group behind the Waledac email worm, distributed last week in inauguration-related phishing attacks, is now leveraging Valentine's Day to distribute malware and expand a botnet.






China Aggressively Pursuing Cyber Warfare Says 2008 U.S.-China Economic & Security Review Commission By Grey McKenzie 11/24/2008

Friday, January 16, 2009

Friday 01/15/09

Two big, bad botnets gone, but replacements step up, says researcher






'Amazing' worm attack infects 9 million PCs

1 in 3 Windows PCs vulnerable to worm attack

Conficker Worm using Metasploit payload to spread






Downadup Worm Races Onto Millions of PCs
NewsFactor - 1 hour, 53 minutes ago
The Win32.Worm.Downadup is raging across the Internet, using new tricks to spread undetected. The worm spreads by exploiting a vulnerability in the Windows RPC Server Service and has infected millions of Windows PCs in the last two weeks.






UK Ministry of Defence Stung by Rapidly Spreading Virus PC World - Fri Jan 16, 7:30 AM ET
The U.K. Ministry of Defence is in the midst of an electronic fight with a computer virus that rapidly spread through its computer networks starting Jan. 6.






New York kills contract for public safety wireless network






Judge allows streaming of courtroom video in music piracy case






Internet security task force downplays online threats to children; critics blast report






AVG to acquire ID theft prevention specialist Sana CNET - Tue Jan 13, 2:17 PM ET
Antivirus provider AVG Technologies on Tuesday announced that it is acquiring Sana Security, which sells identity fraud prevention software.







Jan 16, 2:55 pm
Russian Firm Offers Wi-Fi Encryption Cracker
The technique behind the software, which can decipher WPA/WPA2-PSK passwords, is just a few months old. And now it has a price -- nearly $1,000.






$6 billion broadband infusion in House appropriations bill
Broadband development will get up to $6 billion of loot in a new $550 billion package being considered by Congress. But public interest groups want some accountability strings attached.
January 16, 2009 - 09:17AM CT - by Matthew Lasar






Misconceptions About Laptop Encryption May Put Data At Risk
Overconfidence in encryption's capabilities may cause workers to ignore best practices, Ponemon study says
Jan 15, 2009 02:27 PM
http://www.darkreading.com/security/client/showArticle.jhtml;jsessionid=H2GM5MLNRFD2MQSNDLPCKHSCJUNN2JVN?articleID=212900803
By Tim Wilson DarkReading

Now that they have encryption capabilities on their laptops, many end users may be overconfident about the safety of the data that resides on them, according to a study published this week.

The laptop encryption study, conducted by Ponemon Institute and sponsored by security vendor Absolute Software, found that many workers think the data on their encrypted PCs is safe, but that their behavior on the road may continue to put that data at risk.
The survey of more than 1,500 individuals -- including approximately 700 IT security professionals and more than 800 non-IT workers -- indicates that users with laptop encryption are now in the majority, about 58 percent of the study sample. However, Ponemon says that non-IT workers may have developed misconceptions about the power of those encryption capabilities to protect their data.

For example, 61 percent of non-IT workers believe that encryption "prevents the theft of my information by cybercriminals," the study says. Sixty-six percent say they no longer worry about losing their laptops because the data is encrypted. Sixty percent agree that encryption "makes it unnecessary to use other security measures."

These misconceptions may cause employees to disregard other important security practices, Ponemon suggests. For example, 30 percent of non-IT workers say they frequently leave their laptops with strangers while traveling, while 28 percent say they frequently leave their computers alone in insecure locations. Sixty-nine percent say they never physically lock their computers to their desks, and 73 percent say they never use a privacy shield to protect their computer screens from prying eyes.

In addition, Ponemon says, many users are lax in their use of encryption technology. In the survey, some 56 percent of non-IT workers admitted to turning off the encryption capabilities on their laptops for some period of time. Twenty-eight percent admit to sharing their encryption passwords with others, and 36 percent say they remember their passwords with a paper document, such as a post-it note. Sixty-eight percent say they rarely, if ever, use complex passwords.

"We believe that the primary conclusion that can be drawn from this study is that business managers are either negligent in the protection of sensitive and confidential information on their laptops, or they may be overly dependent on encryption to keep this information secure," the study says.

"Encryption is an excellent security tool," the study observes. "However, if encryption is turned off, if passwords are shared, or if other risks are taken, organizations that utilize encryption technologies alone to ensure the security of confidential information may not be well-protected from the possibility of a data breach."




Supreme Court Says Law Enforcement Database Errors Okay

The Supreme Court decision allows police to use false information contained in a police database as the evidence for an arrest. Chief Justice Roberts held that, "when police mistakes are the result of negligence such as that described here, rather than systemic error or reckless disregard of constitutional requirements, any marginal deterrence does not 'pay its way.'" Justice Ginsburg, writing for four of the Justices in dissent, said that "negligent record-keeping errors by law enforcement threaten individual liberty, are susceptible to deterrence by the exclusionary rule, and cannot be remedied effectively through other means." The dissent in the case cited a friend-of-the-court brief that outlined the privacy and civil liberty consequences of errors in databases.

Tapped, The American Prospect, January 2009






16 January 2009
Alert! Symantec closes critical hole in AppStream
The problem is caused by unsafe methods in an ActiveX control that is marked "safe for scripting". Attackers can use a forged server to inject and execute arbitrary code on a Windows client.






14 January 2009
Banking details can be stolen through a new JavaScript exploit
A web site can exploit the vulnerability to identify the bank page a user is logged into, then activate a pop-up window requesting that the login be repeated.







Download Free Tool to Resolve All Vista Apps Incompatibility Issues
Even with Windows 7 beta Build 7000 fresh out the door, Microsoft's focus on Windows Vista remains strong. In thi...






Xarvester, the new Srizbi?
January 12, 2009
Xarvester has become a top spamming botnet since the shutdown of McColo, and has some surprising similarities to Srizbi.






Malware purposely not infecting machines in certain countries
Angela Moscaritolo January 16, 2009
Researchers have spotted a jump in malware that is designed to avoid infecting users in certain countries -- an attempt to stay out of the purview of law enforcement.

Thursday, January 15, 2009

Tuesday 01/15/2009

RIM patch fixes BlackBerry attachment flaw
A hacker could send malicious code in a PDF file to a BlackBerry
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125840
January 13, 2009 (IDG News Service) Research In Motion Ltd. issued a software update to address a BlackBerry software vulnerability that could let a hacker send malicious code in a PDF file.

The update, released on Monday, fixes multiple vulnerabilities in the way that the BlackBerry Attachment Service handles certain PDF files. The attachment service, a component of the BlackBerry Enterprise Service, displays e-mail attachments such as PDF, Word, PowerPoint, Excel and HTML files for BlackBerry users.

The vulnerabilities could let a hacker send an e-mail message with a PDF file that, when opened by a BlackBerry user, could cause memory corruption or launch code on the computer that hosts the BlackBerry Attachment Service, RIM said in the security advisory.

Monday, January 12, 2009

Monday 01/12/2009

An example of what happens when e-discovery goes against you:
Judge: Rambus destroyed docs related to patent lawsuit
Rambus plans to appeal a decision by a Delaware judge who found that the company had destroyed documents related to patent lawsuits it has filed against other DRAM makers, ruling the patents unenforceable.





Regarding tomorrow's MS patch day:
As part of our regularly scheduled bulletin release, we’re currently planning to release one security bulletin:

· One Microsoft Security Bulletin rated as Critical. The update will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.






Group to detail 25 most dangerous coding errors hackers exploit
Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors.

A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft, Symantec, the U.S. Department of Homeland Security (DHS) and the National Security Agency's Information Assurance Division. The initiative was coordinated by the SANS Institute and The MITRE Corp., a federally funded research-and-development center.





LinkedIn pages that promise prurient pics link to malware






It's all about Reputation:
Hackers deface NATO, U.S. Army Web sites






SanDisk puts 'one-touch' backup on flash drive






Web designers admit to trashing client's Web site
Executives from a Seattle-area consulting company are facing prison time after pleading guilty to charges that they wiped a client's Web site off the Internet following a contract dispute.

Minecode, in Bellevue, Wash., had built the online gift shop for wine retailer Vinado, but things soured in late 2006, according to a statement released Thursday by the U.S. Department of Justice. In December, Minecode President and CEO Pradyumna Samal ordered Sandeep Verma, a project manager at the company, to disable the Web site's gift shop. The next month, Samal "caused commands to be transmitted to Vinado's Web site that resulted in the deletion of Vinado's Web site, e-mail server and database in its entirety," the DOJ said.






Oracle to issue 41 security patches






E-mail snafu exposes names of confidential witnesses in federal probe
From the how-not-to-keep-a-secret department comes the tale of an official at U.S Attorney Patrick Fitzgerald's office in Chicago who inadvertently e-mailed a document containing the names of more than 20 confidential witnesses in a federal probe to the media.






Fake CNN malware attack spins Gaza angle





Opinion: Most CIOs 'dinosaurs,' heading for career Ice Age
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=331923
The mass extinction that IT professionals should be worried about will very nearly wipe out CIOs as we know them. You can be certain that it will happen; in fact, the events are already in motion. I predict that when the dust clears, 60% of the CIOs on the planet will not have survived to see the next era.

The asteroid has already hit. It is the macroeconomic meltdown now besetting the world's markets. As with the dinosaurs, there is no escape for most CIOs.







UK hacker offers guilty plea to avoid extradition
AP - Mon Jan 12, 10:27 AM ET
LONDON - A British man accused of hacking into U.S. military computers is offering to plead guilty to a criminal charge in Britain to avoid extradition to the United States, his lawyer said Monday.






Slow And Silent Targeted Attacks On The Rise
Jan 08, 2009
Targeted, methodical attacks difficult to detect





Reports: Spammers Cooking Up More Financial Fraud
Jan 09, 2009
Financial spam scams tripled so far this year over last, spammers to target 'tiny URLs'






Crafting a Security RFP
Creating RFPs for security solutions and processing the responses is not an easy task. Having responded to a fair number of such RFPs, I found that many of them are created hastily, and don’t allow the issuer to benefit from quality responses.

Here's my list of the top 10 mistakes organizations make when crafting a security RFP:
  1. Create the RFP in a silo, without considering input from stakeholders throughout the organization.
  2. Provide very little information about the infrastructure in scope for the security solution.
  3. Use the RFP process in situations where it slows you down, without offering substantial benefits.
  4. Avoid defining criteria for objectively evaluating RFP responses.
  5. Select the solution or vendor in advance, using the RFP to mark a checkbox.
  6. Underestimate the time your staff needs to devote to processing RFP responses.
  7. Don't define a process for allowing RFP responders to ask clarifying questions.
  8. Don't ask detailed clarifying questions after receiving RFP responses.
  9. Forget to define your business requirements, hoping that RFP responders will do that for you.
  10. Issue the RFP before your organization is ready to make use of the requested solution.
If this is useful to you, you may also benefit from the longer "cheat sheet" I created for issuing RFPs specific to security assessments.






Obama Inauguration Puts Spotlight on Executive Protection
Between the pending presidential inauguration and roiling anti-corporate sentiment, executive protection is more critical than ever. Expert Robert Oatman explains the elements of a good program, the impact of technology, and more.






10 Things That WON'T Happen in 2009
GFI's David Kelleher says much of the IT security wish list for this year will still be on the wish list next year.






Actual UK broadband speeds only 50% of advertised maximum
The UK decided to do something novel: actually go measure its citizens' Internet speeds. On average, broadband users only received 49 percent of the maximum speeds advertised prominently by ISPs.
January 12, 2009 - 11:48AM CT - by Nate Anderson






Tiny Charges Often Precede Big Trouble
Security experts advise consumers to keep a close eye on their bank and credit card statements, and for good reason: Small, unauthorized charges often are the first sign that thieves have made off with your account number and are getting ready to sell it to other crooks or use it to rack up thousands of dollars in fraudulent purchases.

The Boston Globe writes this week about one such scam, which shows up on consumer accounts as 25-cent charges to a mysterious company called Adele Services, supposedly in New York.

Two theories of what is going on have advanced on message boards and among consumer advocates: Someone is trying to find out whether an illegally obtained credit card number will work before making a bigger charge, or they're trying to rip off tiny amounts from tons of people.







Six Vista annoyances fixed in Windows 7






Microsoft Windows Server RPC bug finds new way to spread
Dan Kaplan January 09, 2009
One-and-a-half months after the release of an out-of-cycle patch from Microsoft, a vulnerability impacting Windows Server Service is still generating buzz.






China: Number of QQ users now surpasses total US population
... As most of you know, if you want to contact a Chinese hacker for a DDoS attack or any other nefarious reason, you have to do it via his or her QQ number.

Wednesday, January 7, 2009

Wednesday 01/07/09

Teleworker Alert: Home Networks Are Growing More Sophisticated
There are two obvious reasons – and perhaps a few more under the radar – for businesses to pay attention to developments on the home-networking front. More complex home networks suggest the growing sophistication of the general populace. This clearly comes into play when designing systems for people to use at work. The other realization is that home networks will be used by teleworkers as well as consumers. Both telework and home networking will be hot issues this year. The increased emphasis on broadband infrastructure that will come with the Obama Administration will make it possible for more folks to work from home. There also has been a spate of home-networking news. At the end of December, Parks Associates released a study suggesting that mobility is the next frontier in home networks.






Hackers hijack Obama's, Britney's Twitter accounts






Three Ways a Twitter Hack Can Hurt You
As Twitter investigates how several high-profile accounts were attacked, security expert Graham Cluley points to the potential risks to all users when a system is compromised.





Exclusive Survey: State of the CIO 2009





The Future of Open Source
11 leaders outline the challenges and opportunities ahead.






Data breaches rose sharply in 2008, study says
More than 35 million data records were breached in 2008 in the U.S., a figure that underscores continuing difficulties in securing information, according to the Identity Theft Resource Center.






CheckFree warns 5 million customers after hack
CheckFree Corp. and some of the banks that use its electronic bill payment service are notifying more than 5 million customers that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine.

The Dec. 2 attack was widely publicized shortly after it occurred, but in a notice filed with the New Hampshire Attorney General, CheckFree disclosed that it was warning many more customers than previously thought.

That's because CheckFree is not only notifying users of its own CheckFree.com Web site of the breach, it is also working with banks to contact people who tried to pay bills from banks that use the CheckFree bill payment service.

"The 5 million people who were notified about the CheckFree redirection were a combination of two groups," said Melanie Tolley, vice president of communications at CheckFree's parent company, Fiserv Inc., in a statement. "1.) those who we were able to identify who had attempted to pay bills from our client's bill pay sites and minus those who actually completed sessions on our site, and 2.) anyone enrolled in mycheckfree.com."






Start-up Ctera will offer cloud storage through carriers






Vista's flaws surface again on eve of Windows 7 beta






'Cybergeddon' fear stalks US: FBI
AFP - Tue Jan 6, 7:34 PM ET
NEW YORK (AFP) - Cyber attacks pose the greatest threat to the United States after nuclear war and weapons of mass destruction -- and they are increasingly hard to prevent, FBI experts said Tuesday.






Fake celeb LinkedIn profiles lead to malware
CNET - Tue Jan 6, 2:03 PM ET
A security researcher has discovered fake profiles for celebrities on LinkedIn that have links to malicious code, according to a blog posting on Trend Micro's site.





The Five Most Dangerous Security Myths
Dispelling these persistent myths can go a long way towards keeping you safe online. Here's the first.






The Five Most Dangerous Security Myths: Myth #3
Today's gotcha: You're fine if you're just careful where you surf.





The Five Most Dangerous Security Myths: Myth #2
The fallacy: All you need is a good antivirus program.






Researchers Hack Into Intel's VPro
Researchers say they've found vulnerabilities in Intel's Trusted Execution Technology.





Hack Simplifies Attacks On Cisco Routers
Jan 06, 2009
New technique for hijacking routers reinforces need for regular IOS patching

Security researcher Dan Kaminsky says FX's hack disproves conventional wisdom in enterprises that routers are at low risk of attack, and that patching them is riskier than an attack due to the potential network outages that patching can incur.

"Patching is hard. Patching something that, if there's a failure, causes widespread network outages. Having a vaguely credible reason not to patch, like 'the attacker would have to build an attack specifically targeted to my specific version of IOS,' has been something of a mantra for those who haven't wanted to risk updating their systems," says Kaminsky, who is director of penetration testing for IOActive. "The mantra is [now] visibly, irrevocably disproved. FX has shown that however much changes from one version to another, there's a little piece of every Cisco router that's the same, and he can use that piece to attack most of the hardware out there."





Cisco IOS Exploitation Technique and Defense In Depth

As many of you have seen, The Register and other mainstream media sources are starting to discuss a new technique to reliably compromise a small subset of Cisco gear. The technique was discovered by FX of Phenoelit, probably the best-known Cisco exploit researcher, and was presented last week at the Chaos Communication Congress (CCC).

At the moment he has not found a way to reliably run exploit code on all Cisco gear. The method currently works only on a small set of PowerPC systems (the 1700 and 2600 series). It relies on the Cisco boot loader (ROMMON) and on a tool named CIR from cir.recurity-labs.com, which works well for the 1700 and 2600 routers. Using this technique, it may be possible to reliably exploit a vulnerability across a number of routers.

By showing this technique at the CCC, he demonstrated the deep need for multiple layers of defense in the routing infrastructure. If attackers are able to send packets directly to the router interfaces, we will continue to have very serious issues with trusting that infrastructure. So it is recommended that all routers, switches, and other network gear have appropriate access controls for any traffic that terminates at a router interface. If ACLs are not a viable option, rate limiting that same traffic may help to slow attacks that require multiple packets to find the sweet spot for execution.

More detailed information about the technique is available in the presentation by FX.

Scott Fendley ISC Handler





The 4 Security Rules Employees Love to Break
Cisco CSO John Stewart gives his take on four security rules employees bend a lot, and what you can do to set them straight.






Apple, labels both win with DRM-free iTunes, tiered pricing
Apple has apparently crafted a compromise with the major record labels, dropping DRM and introducing tiered pricing.
January 06, 2009 - 01:48PM CT - by Erica Sadun






Spamhaus: Google Now 4th Most Spam-Friendly Provider






Caveat Emptor: Watch Out for Phantom Stores
Most people are proud to say they would never fall for a phishing scam, that they would never give their personal and financial information away at fake banking sites, just because someone asked them to in an e-mail. But how many people will use that same common sense when a too-good-to-be-true bargain presents itself at a no-name online electronics shop?

A slew of fake electronics sites, some of them apparently being promoted by major online search engines and comparison-shopping sites, have been swindling consumers out of cash and credit card numbers for several weeks. The Web sites are confusingly named after legitimate electronics and clothing shops in the United States. All say they accept major credit cards and PayPal, and some carry seals boasting that they are "hacker safe."

But customers who order something from these sites soon find their accounts charged increasing amounts for unauthorized transactions.






Censorship on Google Maps
"Blurred Out: 51 Things You Aren't Allowed to See on Google Maps." An interesting list.
http://www.curiousread.com/2008/12/blurred-out-51-things-you-arent-allowed.html






Certification authorities respond to MD5 hack
Certification agencies have responded to work by a research group that demonstrated the lack of security of MD5. The group faked a certificate that allowed them to issue further certificates with arbitrary identities.





News: $30B IT Stimulus Will Create Almost 1 Million Jobs
"This report takes a look at how many jobs you get if you invest $10 billion each in three different IT infrastructure projects — broadband, health IT and the smart grid. It argues that if you are going to be spending billions on a stimulus package, investing in 'digital infrastructure' creates more jobs than physical infrastructure (e.g. roads and bridges) in the short-term, and you get a whole host of other benefits in the long-term."







Where's the Gold? Man Asks Wachovia
ROCKVILLE, Md. (CN) - Wachovia Bank drilled into a customer's safe deposit box without notice, though its rent was paid up, and removed and lost more than $500,000 worth of gold and gems, the man claims. He says Wachovia did not notify him of it for nearly a year, and drilled into 100 other customers' boxes without notifying them.






Google code project abused by spammers
Google’s code hosting project is the latest free service to be abused by web spammers. We’ve seen one or two previously but over the holidays the situation appears to have got much worse.






CA makes DLP play with acquisition of Orchestria
Dan Kaplan January 06, 2009
CA is the latest heavy hitter to acquire a data-loss prevention provider.





Weak Password Brings 'Happiness' to Twitter Hacker
An 18-year-old hacker with a history of celebrity pranks has admitted to Monday's hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama's, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter's administrative control panel by pointing an automated password-guesser at a popular user's account. The user turned out to be a member of Twitter's support staff, who'd chosen the weak password "happiness."

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
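The failure described above is the absence of any throttle on failed logins. The block below is an added example, not Twitter's code: a login service with a per-account failure counter and an escalating lockout, driven once with the throttle off and once with it on. The user store, the single global salt, the wordlist and the timings are all constructed so the demonstration is deterministic; `hash_password`, `LoginService` and `run_wordlist` are names of this example.

```python
"""Login throttling with an escalating per-account lockout, contrasted with
the unlimited rapid-fire policy described above. Added example; the user
store, wordlist and timings are constructed."""
import hashlib
import hmac

SALT = b"constructed-salt"   # one global salt only to keep the demo short; use per-user salts in practice


def hash_password(password, iterations=1000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations)


# Constructed store: one account whose password is the weak one quoted above.
USERS = {"support_staff": hash_password("happiness")}


class LoginService:
    def __init__(self, throttle=True, max_failures=5, base_lockout=1.0):
        self.throttle = throttle
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time (seconds) until which logins are refused

    def login(self, account, password, now):
        """Return 'ok', 'denied' or 'locked'. `now` (seconds) is passed in so
        the lockout clock is deterministic."""
        if self.throttle and now < self.locked_until.get(account, 0.0):
            return "locked"
        candidate = hash_password(password)   # always hash, so unknown accounts cost the same time
        stored = USERS.get(account, b"")
        if stored and hmac.compare_digest(stored, candidate):
            self.failures[account] = 0
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if self.throttle and n >= self.max_failures:
            # lockout doubles with every failure past the threshold: 1s, 2s, 4s, ...
            self.locked_until[account] = now + self.base_lockout * 2 ** (n - self.max_failures)
        return "denied"


def run_wordlist(service, account, wordlist, interval):
    """Submit one guess every `interval` seconds; return the attempt number
    at which a guess succeeded, or None if the list was exhausted."""
    for i, guess in enumerate(wordlist):
        if service.login(account, guess, now=i * interval) == "ok":
            return i + 1
    return None


WORDLIST = [f"guess{i}" for i in range(49)] + ["happiness"]   # constructed, 50 entries


def lockout_then_recover(interval=0.01, later=5.0):
    """Drive the wordlist against a throttled service, then show the real
    user logging in once the lockout has expired."""
    svc = LoginService()
    hit = run_wordlist(svc, "support_staff", WORDLIST, interval)
    return hit, svc.login("support_staff", "happiness", now=later)


if __name__ == "__main__":
    print("unthrottled:", run_wordlist(LoginService(throttle=False), "support_staff", WORDLIST, 0.01))
    print("throttled:  ", lockout_then_recover())
```

With the throttle off the fiftieth rapid-fire attempt succeeds; with it on, the account locks after the fifth failure and every later attempt in the burst is refused without being evaluated, while the legitimate user still logs in once the window has passed. A per-account lockout on its own lets anyone lock a known user out, so production systems usually combine it with per-source limits or a CAPTCHA step rather than relying on it alone.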





Troubleshooting Kerberos in a SharePoint environment (Part 1)
by Jesper M. Christensen
Articles / Authentication, Access Control & Encryption
Creating a test environment to show which error-messages come from configuration problems.






Broadband on Rails
By Rachel Kremen, Tuesday, December 30, 2008
A compact lens could make high-speed Internet access commonplace on trains.

Monday, January 5, 2009

Monday 01/05/09

Microsoft Tells How It Missed Critical IE Bug
Microsoft developers missed a critical bug in Internet Explorer because they weren't properly trained and didn't have the right testing tools, the company's secure code expert acknowledged.





Expert: Microsoft made $1.5B on 'Vista Capable' campaign
The lawsuit, which began in April 2007, claims that marking hardware as Vista Capable inflated the prices of PCs that were able to run only Vista Home Basic, the lowest-priced edition of the operating system that lacks such features as the Aero user interface. Microsoft has denied that it duped consumers and has countered that Home Basic is a legitimate version of Vista.






Regulator Fines E-Trade Units $1 Million
The online brokerage E-Trade has been fined $1 million for having inadequate policies to prevent money laundering.







The State of Spam: What to Expect in 2009
A look at the scourge of spam in 2008 and some predictions for spam in 2009.






Computer Security's Six Most Important Words Of 2008
For good or ill, these six words were top of mind for security pros -- and hackers -- in the past year






Blocking access to MD5 signed certs
A few people have written in regarding the Firefox plugin SSL Blacklist.

The tool has been around for a while, but they have added the ability to detect MD5 signed certificates and block access. It might be a nice addition to the arsenal. Whilst the address bars in FF and IE do seem to turn green when the site has a SHA signed cert (at least it did for the sites I tested), this might be a bit more obvious. You only get the padlock when the site is MD5 signed.
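What the plugin does, and what the CA response to the MD5 collision work earlier on this page comes down to, is one check: read the signatureAlgorithm field of each certificate a server presents and refuse MD5-based algorithms. The block below is an added example, not the SSL Blacklist plugin's code: a minimal DER walker that pulls that OID out of a certificate, plus a builder for a structurally valid certificate skeleton used as constructed test input (it is not a real certificate and carries no real signature). The OIDs listed are the standard PKCS#1 values.

```python
"""Flag certificates whose signature algorithm is MD5-based by reading the
signatureAlgorithm field of the DER structure. Added example; the sample
certificate is a hand-built skeleton, not a real certificate."""

SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_OIDS = {"1.2.840.113549.1.1.4"}


def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode DER OID contents to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the dotted OID in Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    assert tag == 0x30
    _, _, pos = read_tlv(cert, 0)               # skip tbsCertificate
    tag, algid, _ = read_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE
    assert tag == 0x30
    tag, oid, _ = read_tlv(algid, 0)
    assert tag == 0x06                          # OBJECT IDENTIFIER
    return decode_oid(oid)


def is_md5_signed(cert_der):
    return signature_algorithm(cert_der) in MD5_OIDS


# --- constructed test data below: a DER encoder and a certificate skeleton ---

def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_certificate(sig_oid):
    """SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } with a
    placeholder body and a zero signature: constructed input, not a real cert."""
    tbs = der(0x30, der(0x02, b"\x01"))                       # stand-in tbsCertificate
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + bytes(128))                     # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)                         # long-form length exercised


if __name__ == "__main__":
    for oid, name in SIG_OIDS.items():
        print(name, "blocked" if is_md5_signed(fake_certificate(oid)) else "allowed")
```

The algorithm recorded in a certificate is the one its issuer used to sign it, so the check belongs on every certificate in the chain below the trust anchor (a self-signed root's own signature is never relied on). With the `cryptography` package installed, `x509.load_der_x509_certificate(der).signature_hash_algorithm` answers the same question for real certificates.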






Trends in Counterfeit Currency
It's getting worse:
More counterfeiters are using today's ink-jet printers, computers and copiers to make money that's just good enough to pass, he said, even though their product is awful.

In the past, he said, the best American counterfeiters were skilled printers who used heavy offset presses to turn out decent 20s, 50s and 100s. Now that kind of work is rare and almost all comes from abroad.
...
Part of the problem, Green said, is that the government has changed the money so much to foil counterfeiting. With all the new bills out there, citizens and even many police officers don't know what they're supposed to look like.

Moreover, many people see paper money less because they use credit or debit cards.

The result: Ink-jet counterfeiting accounted for 60 percent of $103 million in fake money removed from circulation from October 2007 to August 2008, the Secret Service reports. In 1995, the figure was less than 1 percent.






Just prior to its premiere at MacWorld later this week, CNet has a review of MacHeads, the new documentary film covering the obsessive world of Apple fanboyism. MacHeads features commentary from original Apple employees, the self-confessed Apple-obsessed and girls who claim they'll never sleep with Windows users. Summed up by CNet: 'MacHeads is a superb film that will give Apple haters a few cheap laughs, and Apple fans a few cheap thrills. But it'll entertain both equally, while educating everybody else.'






"The Zune 30 failure became national news when it happened just three days ago. The source code for the bad driver leaked soon after, and now, someone has come up with a very detailed explanation for where the code was bad as well as a number of solutions to deal with it. From a coding/QA standpoint, one has to wonder how this bug was missed if the quality assurance team wasn't slacking off. Worse yet: this bug affects every Windows CE device carrying this driver."
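The page does not reproduce the leaked driver, but the fault it refers to is well documented: the routine that converts a day count since 1 January 1980 into a year and day-of-year never terminates when a leap year has exactly 366 days left, which is why 31 December 2008 froze the devices and 1 January 2009 did not. The block below is an added example in Python modelled on that published analysis, not the driver source; the function names are mine, and an iteration cap is added so the buggy version returns None instead of hanging.

```python
"""The day-count-to-year loop behind the Zune 30 freeze, modelled in Python.
Added example following the published analysis of the leaked driver; the
original is C code in a real-time-clock driver, this is a model of its logic."""
from datetime import date


def is_leap(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def convert_days_buggy(days, year=1980, max_iter=10_000):
    """Faithful to the faulty logic: in a leap year with exactly 366 days
    left, neither branch changes `days` or `year`, so the loop spins forever.
    The cap makes the model return None where the device hung."""
    for _ in range(max_iter):
        if days <= 365:
            return year, days
        if is_leap(year):
            if days > 366:
                days -= 366
                year += 1
            # days == 366: nothing happens, and nothing ever will
        else:
            days -= 365
            year += 1
    return None


def convert_days_fixed(days, year=1980):
    """Corrected logic: 366 days left in a leap year means 31 December of
    that year, so stop instead of looping."""
    while days > 365:
        if is_leap(year):
            if days > 366:
                days -= 366
                year += 1
            else:
                break
        else:
            days -= 365
            year += 1
    return year, days


def days_since_1980(y, m, d):
    """1-based day count from 1980-01-01, the form the driver's counter takes."""
    return (date(y, m, d) - date(1980, 1, 1)).days + 1


if __name__ == "__main__":
    for ymd in ((2008, 12, 30), (2008, 12, 31), (2009, 1, 1)):
        n = days_since_1980(*ymd)
        print(ymd, n, convert_days_buggy(n), convert_days_fixed(n))
```

A unit test on the last day of any leap year would have exposed the hang; the same loop is also why the devices recovered on their own the next morning, when the remaining count became 367 and the `days > 366` branch finally ran.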






WSJ Confirms RIAA Fired MediaSentry on Sunday January 04, @10:23PM






Photographer Duane Kerzic was standing on the public platform in New York's Penn Station, taking pictures of trains in hopes of winning the annual photo contest that Amtrak had been running since 2003. Amtrak police arrested him for refusing to delete the photos when asked, though they later charged him with trespassing.

"Obviously, there is a lack of communication between Amtrak's marketing department, which promotes the annual contest, called Picture Our Trains, and its police department, which has a history of harassing photographers for photographing these same trains. Not much different than the JetBlue incident from earlier this year where JetBlue flight attendants had a woman arrested for refusing to delete a video she filmed in flight while the JetBlue marketing department hosted a contest encouraging passengers to take photos in flight."

Kerzic's blog has an account of the arrest on Dec. 21 and the aftermath.







Long-term personal data storage
Robin Harris: With so much of the world's data - and yours - in digital form, more people wonder: How do I keep my pictures, music, videos, documents and more around for decades? Here's how.








Is $230K Deal to Cover up Sex Assault Legal?
By MATTHEW HELLER
The enforceability of a "hush money" contract is at issue in the case of a casino host who alleges a Virginia businessman has reneged on an agreement to pay her $230,000 for not telling police that he sexually assaulted her.






MD5 insecurity affects all internet users
Angela Moscaritolo December 31, 2008
Certification Authorities that have not moved to a more secure cryptographic hash function than MD5 have come under fire in the security world.





The current state of wireless carriers:
According to Verizon filings with the SEC, their acquisition of Alltel will close on January 9. Verizon will pay $5.9 billion and acquire $22.2 billion in Alltel debt, but will be acquiring about 13 million customers -- creating the largest wireless phone company in the country, with 83 million customers (AT&T has 74.9 million, Sprint has 50.5 million, and T-Mobile has 32.1 million).













U.S. officials crack down on Chinese 'honey laundering'
So-called "honey laundering" involves elaborate schemes in which cheap, diluted or contaminated honey from China is brought in after being "laundered" in another country to disguise its origin and evade tariffs and health inspections.
...
The concern about Chinese honey stems from the use of a toxic antibiotic to fight a contagious bacterial epidemic that raged through hives across China in 1997. The drug, chloramphenicol, has been banned from all food products by the FDA. The administration says tainted honey from China is at the top of its watch list and has issued three "import alerts" to port and border inspectors about tainted Chinese honey.
Source: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/4043733/US-officials-crack-down-on-Chinese-honey-laundering.html

Friday, January 2, 2009

Friday 01/02/09

With Gaza conflict, cyberattacks come too
The conflict raging in Gaza between Israel and Palestine has spilled over to the Internet.





About 90 percent of all email is spam: Cisco













Four Threats For '09 That You've Probably Never Heard Of (Or Thought About)
Dec 31, 2008
What could keep you up at night in the new year may not be what you expect -- a look at some of the lesser-known threats predicted for 2009






SANS' predictions for 2009:
Donald Smith, a fellow handler, provided these thoughts:
"Watch for a LARGE rise in work from home scams. With a large unemployment base of professionals, many will want to try one of the various work from home schemes. While a few of those are legitimate, most are MULE or sell our work from home plans.

Disgruntled employees may increase slightly however most people with a job won't want to do anything to jeopardize it or make future employment difficult.

Now disgruntled EX-employees may rise with the unemployment rate. They can do a lot of damage even if they are no longer an "insider", especially if they know how things work at their old company ;) Tax and refund scams will rise due to the "homeowner" bailout plan. Since it is new it will be ripe for abuse, esp. social engineering.

I expect to see lots of network and network element vulnerabilities (such as the DNS one or the PKI md5 certs one just announced). Tools to discover these types of things have been getting better and better AND the market for such things had developed into a fairly solid model (there is money in finding things like this:)

I expect old school defacements (for bragging rights) to dwindle further as that has become a useful skill for the drive by install and scareware industry. (antivirus 2009 and similar stuff)."






MS08-067 Worm on the Loose







Schneier: Declassified comsec documents worth a read






Not directly related to security:
The 5 Most Badass Presidents of All-Time
http://www.cracked.com/article_15895_p5.html






The year in IPv4 addresses: almost 200 million served
The world used 197 million new IPv4 addresses in 2008, leaving 926 million addresses still available. The US remains the biggest user of new addresses, but China is catching up quick.
January 02, 2009 - 12:31PM CT - by Iljitsch van Beijnum






30GB Zune apocalypse arrives as devices enter digital coma (Updated 4x, now with more explanation)
Judgment day has arrived for owners of 30GB Zunes. The music player inexplicably entered a worldwide coma last night, and players are completely nonresponsive. Whoops.
December 31, 2008 - 10:05AM CT - by David Chartier






Sex Offenders In Georgia Required To Hand Over Passwords... To Protect The Children






Defense Contractors See $$$ in Cyber Security
The profits of (conventional) war must not be as good as they used to be.

Lockheed Martin and Boeing have decided the next cash cow is cyber defense.

According to Bloomberg, both companies, "eager to capture a share of a market that may reach $11 billion in 2013," have formed new business units to attract money that the U.S. government will be spending to secure U.S. government computers and, no doubt, to break the security of enemy computer systems.

The companies awoke to the money-making opportunity after President Bush signed a National Security Directive in January, which is commonly known as the Comprehensive National Cyber Security Initiative and is estimated will cost $30 billion or more to implement.






25C3: Many RFID cards poorly encrypted
Karsten Nohl, the security investigator who had a big hand in cracking NXP's Mifare Classic chips, says many RFID smartcards from other manufacturers are also vulnerable to a simple hacker attack more…