Friday, February 27, 2009

Friday 02/27/09

FCC Fines 600 Carriers For Privacy Issues
Many didn't adhere to new anti-pretexting regulations...
The FCC this week levied more than $13.3 million in fines on some 660 small telecommunications companies for failing to adhere to new FCC guidelines regarding customer privacy. After complaints in recent years surfaced about data brokers illegally gleaning consumer information from many carriers (like in the HP scandal), the FCC crafted new regulations for carriers aimed at protecting this data, and a new reporting method aimed at ensuring carriers are protecting Customer Proprietary Network Information (CPNI).

----------

Adobe Acrobat pdf 0-day exploit, No JavaScript needed!
So there is a brief blog post linked below that highlights the fact that the new Adobe PDF vulnerability can be exploited without the use of JavaScript. This is obviously really bad news for anyone who is responsible for protecting environments where PDFs are present. I think what a lot of people will find is just how prevalent JBIG2 streams are in "run of the mill" PDF files that are floating around their systems. This means that simply looking for JavaScript + JBIG2 streams in PDF files is not going to do you much good moving forward.

All of the current observed samples are still utilizing JavaScript; this will NOT be the case moving forward!

Let me repeat again. YOU DO NOT NEED JS TO MAKE THIS EXPLOIT WORK. The JavaScript method employed by these attacks is "tried and true" when it comes to creating the right conditions for a reliable exploit.
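As an added illustration (my own code, not from the linked post), a small triage scanner that reports JBIG2 streams in a PDF whether or not JavaScript is present, so the JavaScript check is context rather than a precondition. The sample PDFs are constructed inline and the function names are my own; it does not inflate compressed object streams, which a production scanner would have to do.

```python
import re

# PDF names may spell any character as #xx (so /J#42IG2Decode == /JBIG2Decode);
# resolve those escapes before matching so a trivially obfuscated name is not missed.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
JBIG2_RE = re.compile(rb"/JBIG2Decode\b")
JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF #xx name escapes so filter names compare literally."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Report which objects carry a JBIG2Decode filter and which carry JavaScript.

    The verdict keys on JBIG2 alone. JavaScript is listed as extra context, never
    as a requirement, because the exploit does not need it. Limitation: objects
    packed inside compressed object streams (/Type /ObjStm) are not decompressed
    here, so a real scanner must inflate those first.
    """
    text = normalize_names(data)
    jbig2_objs, js_objs = [], []
    for m in OBJ_RE.finditer(text):
        num, body = int(m.group(1)), m.group(3)
        if JBIG2_RE.search(body):
            jbig2_objs.append(num)
        if JS_RE.search(body):
            js_objs.append(num)
    if jbig2_objs:
        verdict = "review: JBIG2 stream present" + (
            " (with JavaScript)" if js_objs else " (no JavaScript)")
    elif js_objs:
        verdict = "info: JavaScript present, no JBIG2"
    else:
        verdict = "clean: neither JBIG2 nor JavaScript"
    return {"jbig2_objects": jbig2_objs, "javascript_objects": js_objs, "verdict": verdict}


# Constructed samples (not real malware); object bodies are reduced to the
# dictionaries that matter for the scan.
PDF_JBIG2_ONLY = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1\n"
    b"   /ColorSpace /DeviceGray /Filter /JBIG2Decode /Length 0 >>\n"
    b"stream\nendstream\nendobj\n"
)
PDF_JS_AND_JBIG2 = PDF_JBIG2_ONLY + b"5 0 obj << /S /JavaScript /JS (x) >> endobj\n"
PDF_ESCAPED_NAME = PDF_JBIG2_ONLY.replace(b"/JBIG2Decode", b"/J#42IG2Decode")
PDF_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, sample in [("jbig2 only", PDF_JBIG2_ONLY), ("js + jbig2", PDF_JS_AND_JBIG2),
                          ("escaped name", PDF_ESCAPED_NAME), ("plain", PDF_PLAIN)]:
        print(label, scan_pdf(sample))
```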

----------

20 cynical project management tips
Michael Krigsman: Ever wonder why so many projects fail? Well, here's your guide to the seamy underbelly of IT project management.

----------

Pushdo's "Classmates" Invitation is a Trojan
February 27, 2009
Fake Classmates video invitations are being spammed by Pushdo to spread info-stealing malware.

----------

ID Theft Is Top Consumer Complaint
WASHINGTON (CN) - Identity theft accounted for 26% of the consumer complaints sent to the Federal Trade Commission in 2008 - 313,982 of the 1,223,370 complaints the agency received - the FTC said in a report released Thursday.

----------

Spoofed Delta Airlines emails contain trojan
Angela Moscaritolo February 27, 2009
Emails spoofed to look like they are coming from Delta Airlines to confirm a ticket purchase are attempting to infect users with a trojan.

----------

Obama's budget proposal increases spending for cybersecurity
Chuck Miller February 26, 2009
President Obama is asking for $355 million in next year's budget to fund the Department of Homeland Security's cybersecurity work.

----------

Crooks use "trendy" tactic to poison Google search results
Angela Moscaritolo February 26, 2009
Many of the 100 most popular Google search terms now yield a malicious site serving fake anti-virus software in the highest search results, Craig Schmugar, threat research manager for McAfee Avert Labs told SCMagazineUS.com Thursday.

----------

Techies end-run feds on DNS security
Authentication alternatives proliferate as U.S. delays signing of Internet root zone.

----------

Despite patch by Cisco, Microsoft, others, DNS is not secure, researcher says
Permanent fix needed for DNS security issues, Kaminsky warns
VeriSign: We will support DNS security in 2011

----------

Parkingticket.com just announced new compatibility with the Safari web browser on Apple's iPhone, giving you new tools to immediately contest a parking ticket. The site is so confident in their service that if all steps are followed and the ticket is still not dismissed they will pay $10 towards your ticket.

----------

Clipped from another article:
"... last month's news about Microsoft laying off the entire Flight Simulator dev team..."

----------

25 February 2009
Microsoft fixes AutoRun disable option
Microsoft has announced an update to fix the option that allows administrators to disable AutoRun as a precaution against Conficker worm infection.

----------

Several vulnerabilities in SHA-3 candidates
Experts have found buffer overflows and other security problems in some of the implementations of the candidates for the new hash standard.

----------

The Cryptography Olympics: the hash algorithm contest
36 teams have qualified for the international competition for the best hash algorithm.

----------

More information about the new Excel vulnerability
This morning, we posted Security Advisory 968272 notifying of a new Excel binary file format vulnerability being exploited in targeted attacks. We wanted to share more information about the vulnerability to help you assess risk and protect your environment.

Office 2007 being targeted

The current attacks we have seen target users of Office 2007 running an earlier version of Windows (Windows 2000, XP, 2003). The exploit technique used in these attacks would not work on Windows Vista or earlier versions of Microsoft Office without substantial improvements made by attackers.

We analyze a lot of Office content type exploits and this is the first time we have seen a working exploit in-the-wild that is able to run code on Office 2007.

----------

Hope for a New Cybersecurity Administration

----------

Report: More Than 500,000 Websites Hit By New Form Of SQL Injection In '08
Feb 25, 2009
New Web breach incident report finds the bad guys deploying more automated attacks, targeting customers rather than data on sites.

----------

Obama's e-health plan: Three heavyweight health IT leaders weigh in
They say consumers, as well as their physicians, should have control of their health care records in a coordinated approach

Friday, February 20, 2009

Friday 02/20/09

Permanent fix needed for DNS security issues, Kaminsky warns at Black Hat
Dan Kaminsky, the security researcher who discovered a major flaw in the DNS protocol last year, said this week that broad adoption of DNS Security Extensions technology may be needed to protect systems, despite its complexity.

----------

Hackers exploit unpatched Adobe Reader bug
Hackers have been exploiting a critical bug in Adobe Reader, the popular PDF-viewing software, for at least nine days, researchers said Friday, but a patch may not be ready for another three weeks.

"We reported this to Adobe on Feb. 12," said Kevin Haley, a director in Symantec Corp.'s security response group. "That was the same day that we had a sample of the exploit."

Attacks have been spotted in Asia, primarily in Japan, said Haley, as well as in a few other countries. But their small number led him to characterize them as "targeted," meaning the victims had been specially selected.

----------

Conficker worm gets an evil twin
The criminals behind the widespread Conficker worm have released a new version of the malware that could signal a major shift in the way the worm operates.

----------

DHS names privacy chief
... "Homeland security and privacy are not mutually exclusive, and having a seasoned professional like Mary Ellen on the team further ensures that privacy is built into everything we do," said DHS Secretary Janet Napolitano in a statement. (See also: "Why your company needs a chief privacy officer")

----------

Laptop face-recognition tech easy to hack, warns Black Hat researcher
...
Nguyen Minh Duc, a researcher at Bach Khoa Internetwork Security Centre, a Hanoi-based security firm that is commonly known as Bkis, showed how attackers could break into laptops from Lenovo, Toshiba and Asus featuring face-recognition technologies, simply by using digitized images of the actual user of the systems in each case. The attacks were conducted on a Lenovo system with its Veriface III technology, an Asus system featuring its Smart Logon software and a laptop using Toshiba's Face Recognition technology.

----------

VeriSign: Internet Domain Names Grow To 177 Million In 2008

----------

Security Challenges of Electronic Medical Records
President Obama has made the widespread deployment of Electronic Medical Records (EMRs) a priority in his latest stimulus plan. Feisal Nanji, Executive Director at Techumen, gives an overview of the security challenges involved.

----------

Symbian-based mobile worm circulating in the wild
Dancho Danchev: F-Secure and Fortinet are investigating a newly discovered mobile malware identified as SymbOS/Yxes.A!worm or "Sexy View."

----------

Wednesday, February 18, 2009

Wednesday 02/18/09

Hackers Steal Thousands of Wyndham Credit Card Numbers
PC World - Wed Feb 18, 5:30 PM ET
Hackers broke into a computer at Wyndham Hotels and Resorts last July and stole tens of thousands of customer credit card numbers, the hotel chain warns.


----------

MS09-002 exploit in the wild

----------

Bot busts newest Hotmail CAPTCHA

----------

Fugitive hacker indicted for running VoIP scam

----------

Black Hat DC: U.S. Must Consider Impact Of 'Militarization' Of Cyberspace
Feb 18, 2009
Homeland security and cybersecurity expert Paul Kurtz calls for public debate on cyberweapons, cyberattack response, and the role of the intelligence community.

----------

Western Digital unveils remotely accessible NAS server for home use

----------

Hackers break into government travel site, feed users attack code

----------

Are Facebook's outraged users getting a wake-up call?

----------

Judge dismisses privacy case over Google Street View images

----------

Computer thefts prompt Los Alamos security review

----------

Trend Micro unveils anti-virus software for routers
Reuters - Tue Feb 17, 3:51 PM ET
BOSTON (Reuters) - Japan's Trend Micro Inc, the No 3 maker of computer security programs, introduced a new line of software on Tuesday that runs on home networking gear, protecting groups of PCs from viruses.

----------

Smartphone Threats Intensify
Feb 17, 2009
Enterprise data at risk, according to new McAfee report, which shows mobile device manufacturers seeing more malware attacks than ever before.

----------

HIPAA Accountability in Stimulus Bill
On page 379 of the current stimulus bill, there's a bit about establishing a website of companies that lost patient information

----------

IE 8's list of 2,400 incompatible sites
Mary Jo Foley: Microsoft is tracking the compatibility of Web sites for its upcoming Internet Explorer 8 browser and has posted a list that now contains about 2,400 incompatible sites - including Microsoft.com.

----------

Santa Clara County busts identity theft, gambling, drug ring in San Francisco
http://www.mercurynews.com/topstories/ci_11730695?nclick_check=1

----------

CVS to pay $2.25 million to settle HIPAA violation
Dan Kaplan February 18, 2009
CVS Caremark has agreed to pay nearly $2.3 million for violating federal privacy laws regarding the protection of patient information.

Friday, February 13, 2009

Friday 02/13/09

MSRT Removing Srizbi
February 12, 2009
Microsoft has added Srizbi to their Malicious Software Removal Tool.

This free tool runs on every PC just after the monthly patches are distributed.

----------

The Law and Technology:
Authors Guild Digs Itself In Deeper Concerning Kindle Text-To-Speech

We were among many different sites that laughed at the ridiculous assertions by Authors Guild executive director Paul Aiken's attempt to rewrite copyright law concerning the "right" for people with a legally purchased ebook to have a Kindle ebook reader with text-to-speech read the book aloud. Aiken said:

"They don't have the right to read a book out loud. That's an audio right, which is derivative under copyright law."

This is, of course, incorrect. To demonstrate how incorrect it was, we applied it to other scenarios: such as reading to your kids at night. This wasn't to suggest that we actually thought Aiken meant you couldn't read to your kids at night, but to show how wrong the original comment was. Amusingly, the Authors Guild seems to have thought we actually believed this, and has issued an attempted clarification, which only serves to make things worse.

----------

How tech will benefit from stimulus plan
Sam Diaz: Already, there are those who are criticizing the plan's investment in tech as being too complex or favoring big corporations over small businesses. But others see the tech industry coming out a winner.

----------

A reward of $250,000 (£172,000) has been offered by Microsoft to find who is behind the Downadup/Conficker virus.
http://news.bbc.co.uk/2/hi/technology/7887577.stm

----------

Entertainment Industry Lawyer Predicts The Demise Of Free Culture

----------

The lawyer above seems to follow Douglas Adams's old saying:

1) everything that's already in the world when you're born is just normal;

2) anything that gets invented between then and before you turn thirty is incredibly exciting and creative and with any luck you can make a career out of it;

3) anything that gets invented after you're thirty is against the natural order of things and the beginning of the end of civilisation as we know it until it's been around for about ten years when it gradually turns out to be alright really.

----------

From the FBI:
The New Face of Organized Crime

La Cosa Nostra is no longer the only game in town: read about our efforts to combat Eurasian and Asian crime groups.

----------


Pump & Dumper Made $21 Million, SEC Says
PHILADELPHIA (CN) - A Toronto man made $21 million by manipulating the stock of four companies he controlled - Avicena Group, Neutron Enterprises, Hydrogen Hybrid Technologies and Northern Ethanol - through pump-and-dump schemes and other ruses, the SEC says in Federal Court. The SEC sued George Georgiou, suspended trading in the shares, and, the Commission said, federal prosecutors have charged him criminally.

----------

Massachusetts data security law compliance extended
Dan Kaplan February 12, 2009
The deadline to comply with the stringent Massachusetts data security regulations, which mandate the encryption of all portable devices, such as laptops, has been extended from May 1 until Jan. 1, 2010.

----------


FTC revises online privacy guidelines
Chuck Miller February 12, 2009
The Federal Trade Commission has issued revised guidelines on how online advertisers should protect consumers' privacy when collecting information about their online activities.

----------

Los Alamos computers go missing
Angela Moscaritolo February 12, 2009
At least 69 computers are missing from the Los Alamos National Laboratory, a national security research institution in New Mexico.

----------

Obama orders 60-day cybersecurity review

----------

In Spy Case, Obama's Justice Department Holds Fast to State Secrets Privilege
The Obama administration on Thursday invoked the state secrets privilege for the second time in a week, this time in a closely watched spy case weighing whether a U.S. president may bypass Congress and establish a program of eavesdropping on Americans without warrants.

----------

Stolen Wallets, Not Hacks, Cause the Most ID Theft? Debunked
A new report from Javelin Research is getting attention for its extraordinary claim that data breaches are responsible for only a tiny minority of identity theft cases, compared to lost wallets and other low-tech exposures. But a closer look at Javelin's numbers casts serious doubt on the company's conclusions.

----------

Users warned to avoid Android's web browser

----------

$7.2 Billion Broadband Stimulus Almost Finalized
$350 million to mapping, network neutrality language preserved...
01:52PM Friday Feb 13 2009 by Karl Bode

For those interested in what $789 billion will buy you these days, you can check out what should be the final infrastructure stimulus plan here (hat tip to Stacey Higginbotham). While the $7.2 million dedicated to broadband retains network neutrality language, all of the speed-specific language we've talked about previously has been stripped from the bill, after cable-industry lobbyists complained that the 100Mbps watermark was too fast, and others claimed that Verizon would net a huge $1.6 billion payday for doing virtually nothing differently. Grants for rural deployment will be doled out by the NTIA ($4.7 billion) and the Department of Agriculture’s Rural Utilities Service ($2.5 billion), both of whom have a mixed track record on getting the money where it's needed, and actually getting broadband deployed. $350 million will be reserved for the mapping of broadband penetration in the United States.

----------

How to steal $9M from ATMs in 30 minutes
How did hackers execute one of the most frighteningly well-coordinated heists police have ever seen? Cisco security expert James Heary explains.

How did the hackers steal $9 million in one 30-minute time period using only 100 ATM cards, you ask? That shouldn't be possible given the daily limits (usually about $500/day) placed on all ATM cards. Well, it turns out that the hackers applied military-like precision to old ATM scam techniques and added a touch of devious ingenuity to pull this one off. Here is a look at how the theft was perpetrated.

First, the bad guys had to obtain the ATM cards. To accomplish this they hacked into RBS WorldPay and stole at least 100 payroll cards. According to RBS WorldPay, “Payroll cards are used by a growing number of U.S. firms to pay wages to employees. A payroll card is a reloadable stored value card that can be used at any point of sale that accepts credit and debit cards.”

Second, the bad guys had to figure out how to reload the cards. To accomplish this they hacked into RBS WorldPay’s systems once again. Once this was done they had the power to reload the payroll cards with new fake deposits that they could turn into cold hard cash via an ATM withdrawal.

Third, the bad guys had to clone the card info they stole onto thousands of real ATM payroll cards. This is easily and cheaply done using various over-the-counter card printing devices. Given that this market is completely unregulated, anyone can buy all of the gear necessary to make their very own credit, ATM, bank, etc. cards.

Fourth, the bad guys needed to recruit an army of "cashers" to physically go to an ATM machine with the newly minted counterfeit (but valid) payroll cards and withdraw cash. "Cashers" is the name given to the street-level thugs that do the actual cash withdrawals at ATMs. It is hypothesized that there were dozens of them recruited for this scam.


----------

Apple Claims That Jail-Breaking Is Illegal

----------

The Doghouse: Raidon's Staray-S Encrypted Hard Drives
Turns out the algorithm is linear.
When you're buying security products, you have to trust the vendor. That's why I don't buy any of these hardware-encrypted drives. I don't trust the vendors.

----------

The Microsoft Security Response Center (MSRC)
Conficker Activity Update

First, today we're making public the work we and many other industry and academic partners have been doing behind the scenes to help combat the Conficker worm.

Second, we’ve provided additional information from our research to our Microsoft Active Protections Program (MAPP) partners and our Microsoft Security Response Alliance (MSRA) partners and posted it to the MSRC weblog in an effort to help customers and other researchers.

Finally, we have announced a US$250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker worm.

----------

Canadian judge: No warrant needed to see ISP logs

----------

Major Vendors Propose Interoperability Standard For Key Management
Feb 12, 2009
IBM, HP, RSA head up list of vendors supporting guidelines designed to ease deployment and management of encryption.

----------

Researchers Hack Faces In Biometric Facial Authentication Systems
Feb 12, 2009
Vietnamese researchers have cracked facial recognition technology in Lenovo, Asus, and Toshiba laptops; demonstration planned for Black Hat DC next week.

----------

New Vulnerability Found In BlackBerry's Web Application Loader
Feb 11, 2009
Flaw could allow attackers to gain control of the device, researchers warn.

----------

Romanian Hacker Breaches Third Security Vendor Site
Feb 12, 2009
F-Secure joins Kaspersky, BitDefender as victim of SQL injection attack.

----------

Geek news:
Today is Friday the 13th, and also the day when we reach the symbolic 1234567890th second of Unix time. This will occur at 11:31:30pm UTC on Feb 13, 2009.

----------

And finally, this one does not tie in with security news, but I found it interesting:

Court sides with science, says no vaccine-autism link
by Matt Ford, posted in: Nobel Intent
The special court overseeing the US National Vaccine Injury Compensation Program has ruled against three families who claim that thiomersal and the MMR vaccine are responsible for their children's autism.

Monday, February 9, 2009

Monday 02/09/2009

Electronics Firm Faces FTC Lawsuit Following Multiple Hacks
Feb 05, 2009
Federal case says Compgeeks didn't do enough to prevent well-known SQL injection attacks.

----------

The Top 10 Internet Registrars Hosting Spammers, Illicit Sites
Feb 05, 2009
New Knujon report identifies registrars hosting 83 percent of spamming and badware Websites worldwide.

----------

Antivirus firm confirms hackers breached site
Moscow-based Kaspersky Lab admitted today that a database containing customer data had been exposed for almost 11 days -- until the security firm learned of the breach from Romanian hackers.

----------

BitDefender website also leaking
Kaspersky is not alone, as BitDefender's Portuguese site is found to be vulnerable to SQL injection by the same hacker who discovered the Kaspersky problem.

----------

Data Breaches Continue to Get More Costly
The average cost of data breaches to the companies hit by them continues to increase, according to a report by the Ponemon Institute.

The study of 43 breaches disclosed last year found that costs averaged $202 per compromised customer record -- up from $197 in 2007 and $182 in 2006. Overall costs ranged from $613,000 to $32 million, with the number of compromised records ranging from about 4,200 to 113,000.

Increasingly, the biggest cost to companies is lost business, which accounted for $139 of the average breach cost, said Larry Ponemon, the think tank's chairman.

----------

Geeks.com agrees to security audits in wake of data breach

----------

E-Verify requirement in Obama stimulus plan sparks controversy
A proposal initially included in President Barack Obama's economic stimulus package that requires entities getting federal funds or tax breaks to use the government's E-Verify program to vet the immigration status of workers is proving to be controversial.

Supporters of the idea say it is needed to prevent illegal immigrants from securing jobs paid for by the stimulus package -- especially in the construction sector, which is slated to receive $104 billion if the measure makes it through Congress intact.

----------

HP urges LaserJet users to patch printers
Hewlett-Packard Co. has warned owners of some of its laser printers to update their devices' firmware or risk having remote attackers access previously printed documents.

In an advisory published Wednesday, HP said users of certain LaserJet, Color LaserJet and Digital Sender models are affected, and it urged them to immediately download and install firmware upgrades.

The devices include 10 LaserJet models, ranging from the 2410 to the 9050; two Color LaserJet models; and the 9200C Digital Sender, a sheet-fed document scanner.

According to San Antonio-based Digital Defense Inc., the security company that reported the problem to HP last October, attackers can exploit a bug in the printers' Web-based control interface to "read arbitrary system configuration files, cached documents, etc."
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905

----------

Top 10 spam-friendly registrars named and shamed

----------

Microsoft caves in, will change Windows 7 UAC

----------

Calif. DMV tried to sneak in biometrics for driver's licenses, groups claim
Consumer rights groups in California are protesting what they claim is an attempt by the state Department of Motor Vehicles to sneak in via the backdoor a fingerprint and facial-recognition system for issuing driver's licenses in the state.

----------

Fake stimulus payments

----------

Google turns on Exchange for iPhone and Windows Mobile users

----------

White-hat hacker to show way to clone passport card data
Dan Kaplan February 06, 2009
With $250 in easy-to-obtain equipment and 20 minutes, a researcher was able to clone the RFID tags of two U.S. passport cards.

----------

Are Chinese hackers forcing Indian Officials off the web?

----------

New Valentine Scam on the Loose
One word: PUPPIES!

Wednesday, February 4, 2009

Wednesday 02/04/09

Obama health care plan said to boost security, privacy controls
Privacy advocates say President Obama's e-health plans answer many of their complaints about current HIPAA security and privacy controls.

----------

Google offers tool to let you track your friends' movements
The tracking feature, called Latitude, will appear on compatible mobile devices in a new version of Google Maps, Version 3.0.0. It can also be added as a gadget on iGoogle, the company's personalizable home page service.
...
The service will indicate users' locations with a small photo icon superimposed on a map. It is initially available for the BlackBerry and devices running Nokia's S60 or Microsoft's Windows Mobile software. An Android version will follow in a few days, said Gundotra, and he expects an iPhone version will follow "very soon."

----------

Removing admin rights stymies 92% of Microsoft's bugs
The vast majority of critical Microsoft vulnerabilities -- 92% of them -- could have been mitigated by stripping users of administrative rights, said John Moyer, the CEO of BeyondTrust. "This speaks to what enterprises should be doing," Moyer said. "Clearly, eliminating administrative rights can close the window of opportunity of attack."

----------

Google privacy trial opens in Milan
Google privacy execs to face criminal charges in Italian court
The trial of four Google Inc. executives charged with privacy violations opened in Milan today in a groundbreaking test of European Internet law.

None of the suspects, who each risk a maximum penalty of three years in prison, was present in court, and the hearing lasted only five minutes, according to one of the lawyers present.

The Google executives are accused of defamation and failure to exercise control over personal data following the posting of a cell-phone video showing a teenage boy with Down Syndrome being harassed by four classmates.

----------

Federal workers notified after virus breach at tech consulting firm
Employees at federal security agencies are being notified that their personal information may have been compromised after hackers planted a virus on computer networks of government contractor SRA International.

----------

Gears of War maker says bug caused by anticheat technology, not DRM
The bug in Gears of War that locked out players starting last Thursday was caused by flaws in the game's anticheating software, not antipiracy technology, said an executive at maker Epic Games Inc.

The bug had only locked out players with legitimate versions of Gears, not the many users with pirated copies of the popular game, say multiple reports.

----------

Experts question fallout from new Monster hack
AP - 2 hours, 29 minutes ago
SAN FRANCISCO - For the second time in less than 18 months, the job-search Web site Monster.com was breached, along with USAJobs.gov, which Monster's parent company runs for the federal government. And yet Monster might suffer little fallout — because the overall state of computer security is so bad anyway.

----------

Google Glitch Labels Internet as Malware
PC Magazine - Sat Jan 31, 8:42 PM ET
An alarming glitch that plagued Google's search engine Saturday morning was blamed on human error, Google said in a blog post.

----------

A New Internet Attack: Parking Tickets
Crooks in North Dakota are attempting to lure victims into installing malware by starting with fake parking tickets on cars.

----------

MySpace Evicts 90,000 Sex Offenders
The social networking site cleans house, but keeping cyberspace safe for kids is a challenge on several levels.

----------

Unauthorized Web Use On The Rise, Sneaking By IT
Feb 04, 2009
New data shows businesses may be clueless about proxy abuse in their organizations.

----------

January 30, 2009 VMSA-2009-0001
ESX patches address an issue loading corrupt virtual disks and update Service Console packages.

----------

Nearly 83 percent of all Web sites advertised through spam can be traced back to just 10 domain name registrars, according to a study to be released this week.

The data come from millions of junk messages collected over the past year by Knujon ("no junk" spelled backwards and pronounced "new john"), an anti-spam outfit that tries to convince registrars to dismantle spam sites.

While there are roughly 900 accredited domain name registrars, spammers appear to register the Web sites they advertise in junk e-mail through just one percent of those registrars.


----------

Vulnerabilities in UltraVNC and TightVNC
Bugs in the clients could lead to a system compromise. An update for UltraVNC is available, but TightVNC users will have to wait a little while.

----------

IBM study says many security vulnerabilities remain unpatched
According to IBM, no patches were issued for 53 per cent of the vulnerabilities discovered in 2008. Most of those affected Apple's Mac OS X.

----------

New style of DNS amplification can yield powerful DDoS attacks
Angela Moscaritolo February 04, 2009
The coming wave of distributed denial-of-service attacks will leverage non-recursive DNS name servers to overwhelm targets, and many ISPs likely are vulnerable, a researcher said this week.

----------

China’s zombies are down but they lead the U.S.
China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It's not clear what China is doing, but the vast number of computers that have been controlled as zombies are no longer being used for that purpose. One certainly has to wonder what they are being used for.

Additionally, in Switzerland (owner of the .ch domain), we have seen a big increase in the amount of spam offering "cheap" software.

Clearly, money and profit are still the driving forces for malware and spam these days.