Friday, May 29, 2009
Friday 05/29/09
In the first case of its type, a federal judge in California has ruled that police can forcibly take DNA samples, including drawing blood with a needle, from Americans who have been arrested but not convicted of a crime.
U.S. Magistrate Judge Gregory Hollows ruled on Thursday that a federal law allowing DNA samples upon arrest for a felony was constitutional and did not violate the Fourth Amendment's prohibition of "unreasonable searches and seizures."
----------
Experts: Gumblar attack is alive, worse than Conficker
The Web site compromise attack known as Gumblar has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.
The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. Originally, the malware downloaded onto computers accessing those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.
----------
Microsoft to patch new DirectX hole
Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.
Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable but all versions of Windows Vista and Windows Server 2008 are not vulnerable, according to the advisory.
----------
Hackers exploit unpatched Windows bug For the third time in the last 90 days, Microsoft Corp. has warned that hackers are exploiting an unpatched critical vulnerability in its software.
Late Thursday, Microsoft issued a security advisory that said malicious hackers were already using attack code that leveraged a bug in DirectX, a Windows subsystem crucial to games and used when streaming video from Web sites.
----------
Snort To Go Virtual
Open source IDS/IPS celebrates its tenth year with an all-new platform in the works, a new release candidate, and plans for a commercial a virtual appliance
----------
Obama outlines cybersecurity plans, cites grave threat to cyberspace
The nation's digital infrastructure is under grave threat from a range of adversaries and needs to be protected as a strategic national security asset, President Barack Obama said this morning at a news conference outlining his administration's proposals to secure cyberspace.
Speaking to reporters at the White House, the President also announced the creation of a cybersecurity coordinator role at the White House who will be responsible for overseeing a national strategy for securing American interests in cyberspace.
----------
Microsoft not only firm banning IM access to U.S. enemy nations
Microsoft confirmed late last week that it had stopped offering its Windows Live Messenger service to users in Cuba, Syria, Iran, Sudan and North Korea.
All five countries are subject to trade embargoes overseen by the United States Office of Foreign Assets Control (OFAC), a division of the Department of the Treasury.
A Google spokesperson also confirmed that it bans the download of both Google Talk, its instant messaging app, and Google Earth, its satellite mapping software, to Sudan, due to "U.S. export controls and economic sanctions regulations."
----------
New travel rules kick in June 1 amid concerns over RFID-tagged passport cards
New travel requirements go into effect June 1 at U.S. land and sea borders amid security concerns over an RFID-enabled passport card that has been approved for U.S. travelers.
----------
Aetna warns 65,000 about Web site data breach
Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach.
The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor.
----------
Time Warner ditches troubled AOL unit
----------
ID Theft Use of Credit Cards Leaps
Thieves’ use of stolen credit card numbers has more than doubled in ID theft cases, according to a new report, but there’s good news as well.
----------
May 28, 2009 VMSA-2009-0007
VMware Hosted products and ESX and ESXi patches resolve security issues
[more]
----------
Blog: More on the MS IIS WebDAV Vulnerability
Just weeks ago, on May 18th, Microsoft released their Security Advisory 971492 (1), on the vulnerability regarding Internet Information Services, which is Microsoft web server solution. The problem found in the WebDAV extension allows anonymous, remote and unauthorized access to the server, bypassing access and authentication controls.
I would like to explain what WebDAV actually does and then discuss some actions to avoid or mitigate this risk.
----------
Senate goes medieval on Web loyalty programs, monthly fees
May 29, 1:55 p.m. UTC - by Nate Anderson
Thousands of consumers have complained about "mysterious" $9-12 charges that appear monthly on their credit card bills, and the Senate Commerce Committee has heard the scream of their collective rage. The source of the charges is "online loyalty programs" that appear on sites like Orbitz, and Sen. Jay Rockefeller has some tough questions for the operators.
Read more
----------
Microsoft Update Quietly Installs Firefox Extension
A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.
Continue reading this post »
----------
News from the Fingerprint Biometrics World
A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints -- which had apparently disappeared because of a drug he was taking.
----------
No Smiling in Driver's License Photographs
In other biometric news, four states have banned smiling in driver's license photographs.
The serious poses are urged by DMVs that have installed high-tech software that compares a new license photo with others that have already been shot. When a new photo seems to match an existing one, the software sends alarms that someone may be trying to assume another driver's identity.
But there's a wrinkle in the technology: a person's grin. Face-recognition software can fail to match two photos of the same person if facial expressions differ in each photo, says Carnegie Mellon University robotics professor Takeo Kanade.
----------
29 May 2009
Steganography with TCP retransmissions
A hidden channel, said to be hard to spot in normal internet traffic, can be established by provoking data retransmissions and replacing data content more…
----------
29 May 2009
DSL router remotely controlled by URL
Attackers can make the Linksys WAG54G2 DSL WLAN router execute system commands hidden in a URL more…
----------
Wired is reporting that Palm's new handheld device, the Pre, will be able to sync automagically with Apple's iTunes. Thanks to a team of ex-Apple engineers the Pre will sync everything but iPhone applications and some of the older Fairplay DRM music.
"It does it by faking out iTunes, making the jukebox software think that it is connected to a real iPod. Hook it up and you'll be given three options: USB mass storage device, charging only or iTunes sync. This is a ballsy move from Palm, and we totally love it: a big fat middle finger at Apple. Apple will, we are sure, be readying its legal attack dogs as I write, and don't be at all surprised if an iTunes update pops up around June 6th. This fight just got a lot more interesting."
Read More...
----------
Wikipedia Bans Church of Scientology
In what is the first move on behalf of Wikipedia against such a large group of users, members of the Church of Sciento...[ more >>
----------
Big ID Theft Ring Used Bank Tellers, DA Says
By JONATHAN PERLOW
MANHATTAN (CN) - Two Bronx men and 16 others have been charged with running an identity theft and counterfeit check ring that cashed millions of dollars in bogus checks with the help of bank tellers throughout the city. The two leaders allegedly used 950 "soldiers" to deposit and cash counterfeit checks from bank accounts belonging to schools, hospitals, churches and businesses - including the Police Department.
----------
Digital Translators, Propeller Counterweights, Taiwanese Longan & More
Click on the document icon for new federal regulations.
http://www.courthousenews.com/2009/05/27/Federal%20Regulation%20Brief%20May%2021,%202009.doc
----------
McAfee documents riskiest search terms
Dan Kaplan May 28, 2009
Be wary while searching the internet for screensavers or lyrics -- or anything free, for that matter, according to a new report from McAfee.
----------
Vista SP, Windows Server 2008 available
Mary Jo Foley: As one Microsoft official acknowledged last week, Microsoft has begun making the second service pack for Vista and Windows Server 2008 available to the public on May 26.
----------
Wednesday, May 27, 2009
Wednesday 05/27/09
In one of three decisions issued to an unusually sparse courthouse audience, the majority in Montejo v. Louisiana (pdf) overruled Michigan v. Jackson, the 1986 decision that bars police from initiating interrogation of a criminal defendant once he or she has asked for a lawyer at an arraignment or a similar proceeding.
----------
CIS issues free benchmark on iPhone security
The nonprofit Center for Internet Security today released what it termed the industry's only consensus security benchmark for the iPhone. Read more...
----------
RIM patches another BlackBerry Enterprise Server PDF flaw
CIO - BlackBerry-maker Research In Motion Ltd. yesterday issued a security fix to address yet another flaw in its BlackBerry Enterprise Server's (BES) BlackBerry Attachment Service, which processes message attachments for viewing on BlackBerry devices.
Problems with the BlackBerry Attachment Service are somewhat common at this point, and RIM has fixed multiple issues related to the BES PDF distiller component in the past months.
The problem: Flaws in the BES PDF distiller could allow attackers to distribute messages with malicious PDF files attached that, if opened via BlackBerry, could lead to device memory corruption and in turn, harmful code could be executed on corporate computers hosting the BES Blackberry Attachment Service.
This particular flaw is found in BES version 4.1 Service Pack 3 (4.1.3) through 5.0 and BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4). The vulnerability is a critical one with a Common Vulnerability Scoring System (CVSS) rating of 9.3 out of 10, according to RIM.
If you or your organization employs affected BES software click here to download an interim fix. If you use affected BlackBerry Professional Software you'll want to go here.
Visit RIM's website for more specifics on the vulnerability, as well as a handful of potential workarounds to disable PDF viewing on enterprise BlackBerrys.
----------
BC student to get his computers back after high court throws out search warrant
Massachusetts' highest court ruled there was no probable cause for Boston College police to seize computers from the room of a student who was being investigated for allegedly sending an e-mail claiming that a fellow student was gay.
----------
Twitter gets targeted again by worm-like phishing attack
The culprit is a Web site called TwitterCut. Some Twitter users began getting a message that appeared to be from one of their friends and included a link to the TwitterCut Web site. The message implied they could gain more Twitter contacts by following the link.
At one time TwitterCut looked quite similar to the real Twitter login page, said Mikko Hypponen, chief research offer for the security vendor F-Secure.
If a person entered their login details, TwitterCut would then send the same message via Twitter to all of the victim's contacts, a kind of phishing attack with worm-like characteristics. No malicious software is installed on a user's machine, Hypponen said.
----------
90 percent of e-mail is spam, Symantec says
...Symantec, which reported Tuesday that unsolicited e-mail made up 90.4 percent of messages on corporate networks last month.
That represents a 5.1 percent increase over last month's numbers, but it's nothing out of the ordinary. For years, spam has made up somewhere between 80 percent and 95 percent of all e-mail on the Internet.
----------
Sisyphus defined:
Seven AGs call on Craigslist to show plan to prevent racy ads
----------
Ericsson offers phone location service to counter credit card fraud
Banks are increasingly blocking credit card transactions in certain high-risk countries due to increasing levels of fraud. A business traveler who lives in the U.K. but goes to Russia can likely have a transaction rejected if the person hasn't informed the credit card company of travel plans.
Ericsson's IPX Country Lookup service uses a person's mobile phone to provide a confirmation that a person is in the country where the transaction is carried out, said Peter Garside, U.K. and Ireland regional manager for Ericsson's IPX products.
For the service to work, Ericsson's technology must be installed on a mobile operator's network.
----------
Security Experts Raise Alarm Over Insider Threats
May 26,2009
Economic troubles raising the stakes on potential threats, FIRST members say
----------
More research needed here:
NSA-Funded 'Cauldron' Tool Goes Commercial
May 26,2009
Vulnerability analysis tool aggregates, correlates, and visually maps attack patterns and possibilities
----------
WebDAV write-up
Published: 2009-05-27,Last Updated: 2009-05-27 17:50:15 UTCby donald smith (Version: 1)
SusanB wrote in today to tell us about a really good write-up on understanding Microsoft’s KB971492 IIS5/IIS6 WebDAV vulnerability by Steve Friedl of is available here.http://unixwiz.net/techtips/ms971492-webdav-vuln.htmlThis was written because Steve and some of others at unixwiz.net found Microsoft’s "guidance confusing for users who were not IIS experts". This includes a very good flowchart that should assist anyone who is confused, detailed descriptions of WebDAV, remediation ideas, and links to other WebDAV references.
Keywords: WebDAV Friedl microsoft KB971492
----------
US Cyber Security Report Due May 29th
The President will release the 60-Day Cyber Space policy review report at the Whitehouse on Friday, May 29, 2009. The administration recognizes the very serious threats Public & Private sector Networks face from cyber-crime and cyber-attack. Recognizing these threats the President has elevated cybersecurity to a major administration priority by undertaking an early comprehensive interagency review. The administration is also committed to establishing the proper structure within the government to insure that cybersecurity issues continue to receive top-level attention and enhanced coordination.
----------
Bad Program Logic Amplifies Baofeng Attack
A distributed denial-of-service (DDOS) attack on DNS servers of a domain registrar coupled with bad program logic in a popular media application caused network outages in parts of China last week.
----------
Upgrade to Suite B security algorithms
Most companies do not know what level of cryptography is required to properly protect their data...
----------
Obama’s Supreme Court Pick Schooled in Cyberlaw
By Beth Sommer
Today
If elevated to the U.S. Supreme Court, Judge Sonia Sotomayor would become the first justice to join the court with a history of precedent-setting rulings on cyberlaw issues, legal experts say.
----------
Data Breach Exposes RAF Staff to Blackmail
By Kim Zetter
May 27, 2009
Yet another breach of sensitive, unencrypted data is making news in the United Kingdom. This time the breach puts Royal Air Force staff at serious risk of being targeted for blackmail by foreign intelligence services or others.
The breach involves audio recordings with high-ranking air force officers who were being interviewed in-depth for a security clearance. In the interviews, the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories — information the military needed to determine their security risk.
The recordings were stored on three unencrypted hard drives that disappeared last year.
----------
AT&T Announces HSPA 7.2 Upgrade
7.2Mbps speeds coming later this year...
----------
Instant Messenger Phishing
An MSN instant messenger phishing attack uses a personalized trick to deceive unsuspecting users.
----------
Microsoft releases Vista SP2 to the public
Chuck Miller May 26, 2009
The latest service packs (SP2) for Windows Vista and Windows Server 2008 have been released to manufacturing and are now publically available as standalone installers.
----------
The Scrap Value of a Hacked PC
Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, that bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common -- yet often overlooked -- ways that cyber crooks can put your PC to criminal use.
Permalink
----------
Monster mashup: mapping every plane in the air
----------
Friday, May 22, 2009
Friday 05/22/09
----------
Guilty plea for man behind creative E-Trade scam
Michael Largent, 23, of Plumas Lake, Calif. pleaded guilty Thursday to computer fraud charges in connection with the scam, which ran between November 2007 and May 2008.
Largent's arrest was widely covered on the Internet last May, where it was likened to so-called Salami Slicing scams depicted in movies such as Superman III and Office Spaces.
----------
Twitter hit with phishing attacks
Twitter users who thought friends were directing them to a "funny blog" Thursday ended up experiencing something completely different: a phishing scam.
Twitter was hit by two different rounds of phishing Thursday, as criminals tried to take control of user accounts and then use them as a springboard to attack others.
----------
DNS attack downs Internet in parts of China
An attack on the servers of a domain registrar in China caused an online video application to cripple Internet access in parts of the country late on Wednesday.
Internet access was affected in five northern and coastal provinces after the DNS (domain name system) attack, which targeted just one company but caused unanswered information requests to flood China's telecommunications networks, China's IT ministry said in a statement on its Web site. The DNS is what computers use to find each other on the Internet.
The incident revealed holes in China's DNS that are "very strange" for such a big country, said Konstantin Sapronov, head of Kaspersky's Virus Lab in China.
----------
Conficker still infecting 50,000 PCs per day
The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest.. "Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post.
----------
NebuAd closing doors after Internet privacy woes AP – Wed May 20, 5:11 pm ET
PHILADELPHIA - NebuAd Inc., a company that sought to target ads to consumers based on their online behavior, is going out of business after facing scrutiny over whether its technology infringed on the privacy of Internet surfers.
----------
Angered by Apple Delay, Hacker Posts Mac Java Attack PC World – Wed May 20, 4:30 pm ET
In an effort to draw attention to an long-standing security problem in Apple's Mac OS X operating system, a security researcher has posted attack code that exploits the flaw.
----------
Almost 30,000 Videos On YouTube Contain Comments With Links To A Malicious Web Page
----------
Half Of Social Networking Sites Keep Users' Photos After Deletion: Study
----------
19.7% of 2009 college grads who applied for work got a job
abcnews.go.com — In comparison, 51 percent of those graduating in 2007 and 26 percent of those graduating in 2008 who had applied for a job had one in hand by the time of graduation. More…
ERIC SAYS: I wonder what those unemployed but fully trained programmers are going to do while waiting for a job...
----------
Forbes reports on a new military-funded program aimed at leveraging an untapped resource: the population of geeky high school and college students in the US. The Cyber Challenge will create three new national competitions for high school and college students intended to foster a young generation of cybersecurity researchers. 'The contests will test skills applicable to both government and private industry: attacking and defending digital targets, stealing data, and tracing how others have stolen it. [...] The Department of Defense's Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources. In the most controversial move, the SANS Institute, an independent organization, plans to organize the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data. Talented entrants may be recruited for cyber training camps planned for summer 2010, nonprofit camps run by the military and funded in part by private companies, or internships at agencies including the National Security Agency, the Department of Energy or Carnegie Mellon's Computer Emergency Response Team.'
----------
Where is Vista SP2?
Mary Jo Foley: Even though Microsoft seems increasingly reticent to say the "V" word (Vista), some users still do care. I've had several readers ask me when the Redmondians are going to release Vista SP2 on the Microsoft Download site.
----------
Instant Messenger Phishing
May 21, 2009
An MSN instant messenger phishing attack uses a personalized trick to deceive unsuspecting users.
----------
Cuomo Uses Craigslist To Bust Prostitution Ring... Still Blaming Craigslist
Following Craigslist's big announcement last week on the changes to how it handles "adult" ads, Andrew Cuomo angrily denounced the changes, claiming that several weeks before, "we informed Craigslist of an impending criminal case that implicated its website." It seems the details of that case have now become clear, as a prostitution ring that solely worked via Craigslist was busted by Cuomo. Yet, rather than recognize that the information on Craigslist allowed them to track down and arrest this crew, Cuomo is still lashing out at the site...
----------
Continental Sues Pilots Over Divorces
HOUSTON (CN) - Continental Airlines claims nine pilots got "sham divorces" from their wives to get their retirement money paid in lump sums to the women without retiring, and without really intending to split up.
----------
Experts offer tips to deal with Gumblar malware
Chuck Miller May 21, 2009
A number of security organizations are offering tips to deal with the Gumblar drive-by exploit, which is growing ever more pervasive.
----------
Report: Faulty Communications Imperil President
The U.S. Secret Service is asking for $34 million to help upgrade its communication system, and says that without the money the president’s life could be in danger, according to a news report.
The agency says that its communication system is incompatible with the White House communication system, resulting in a “dangerous gap” that could “prevent the attainment of the performance target of 100 percent protection.”
----------
…and boy are my arms tired
Hey guys, just got back from China and picked up a couple of books that should be of interest.
...
The second book is Internet Wars (Win the Internet, Win the Future) and the author is described as an internet researcher with a background in policy.
----------
Wednesday, May 20, 2009
Wednesday 05/20/09
Computerworld - Hard on the heels of the success of the revamped Star Trek franchise, security company Sophos has released a Klingon-language version of a free malware scanning tool it uses to show Earth-bound customers how its technology stacks up against rivals' software.
Dubbed Klingon Anti-Virus (KAV), the software is actually a tweaked version of Sophos' Threat Detection Test translated into the language spoken by Klingons in the fictional Star Trek universe.
Downloads of KAV have been "through the roof," said Carole Theirault, a senior security consultant with Sophos. "It's been huge. I'm just shocked."
----------
Facing criticism, Adobe rethinks PDF security
Blasted in February for being slow to fix a zero-day vulnerability in its popular PDF viewer, Adobe today pledged to root out bugs in older code, speed up the patching process and release regular security updates for Adobe Reader and Acrobat. Read more...
----------
Wi-Fi hikes security for handoffs between Wi-Fi, 3G networks
...
The newly added protocols, EAP-AKA (Authentication and Key Agreement) and EAP-FAST (Flexible Authentication via Secure Tunneling), are designed to better secure enterprise Wi-Fi LANs.
...
----------
CA unveils Compliance Manager for z/OS for mainframe policy control
----------
Hard drive with Clinton-era data missing from National Archives
Drive holds Social Security numbers, addresses of White House employees
----------
One in four mobile users admits driving while texting
While texting is on the rise, 83% back laws against the practice
----------
Craigslist fires back, sues South Carolina attorney general
Turning the legal tables, Craigslist Inc. this morning filed a lawsuit against the attorney general of South Carolina for threatening to file criminal charges against the online classified advertising service.
Craigslist, which is known for selling everything from toasters to escort services, said today that it had filed a lawsuit in federal court in South Carolina against Attorney General Henry McMaster. The company is seeking a restraining order and declaratory relief, which is a court's judgment on a party's rights without awarding damages or ordering anything to be done.
----------
Advanced Algorithms Enlisted To Fight Cyberwars
PC World - Tue May 19, 6:50 PM ET
First Estonia. Then Georgia. Increasingly, the theoretical potential for cyberwar is becoming hard reality. One new report argues that the unchecked proliferation of cyber warfare weapons is comparable to that of nuclear warheads. At least one branch of the US military, United States Navy takes the threat seriously and monitors cyber threats on a daily basis.
----------
Chinese Regulations Target Rising Cybercrime PC World - Tue May 19, 12:26 PM ET
China has targeted cybercrime in three new sets of regulations issued this month as the activity starts to look like an established industry in the country.
----------
IIS 6 Attack Could Let Hackers Snoop on Servers PC World - Mon May 18, 5:20 PM ET
Security vendors are warning users of Microsoft's Internet Information Services 6 Web-server software that a new online attack could put their data at risk.
----------
Trusted Computing Group Widens Security Specs Beyond Enterprise NetworksMay 18,2009 New specs include support for SCADA systems, physical access control systems, guest PCs, printers, and VOIP phones
----------
CiscoWorks TFTP Directory Traversal Vulnerability
Cisco has announced that a directory traversal flaw has been discovered in its CiscoWorks product line. According to the announcement:
Products that have TFTP services enabled and that run CiscoWorksCommon Services versions 3.0.x, 3.1.x, and 3.2.x are vulnerable.Only CiscoWorks Common Services systems running on Microsoft Windowsoperating systems are affected.
----------
Cyber Warfare and Kylin thoughts
I believe that most of our readers heard about the Kylin OS.
This is suppose to be the super Chinese Operating system, designed to be US-proof...in other words, an OS that would make the US cyber-warfare tactics useless. More here on the Post article.
My personal opinion is that it is a huge hype on this.First, Kylin is available for download, (Kylin 2.1.1a at kylin.org.cn ) and if this is the one being used by China to be their secure OS, or better yet, a US-Cyber-Warfare-bullet-proof, then there may be some problems...
----------
Speling and Grammur Opshunall
Capitalizing on the burgeoning desire on the part of every red-blooded male to see the U.S. President's main squeeze in the buff, some enterprising malware knotheads have been seeding various comment boards out there with links "photos" of the First Ta-Ta's.
----------
Antivirus Taste Test: One Man's Quest for (Nearly) Objective Rankings
Security Consultant Chaz Sowers did a semi-scientific comparison of antivirus software. The results may surprise you.
Read more
----------
Google result-manipulating Gumblar exploit picking up steam
May 19, 5:18 p.m. UTC - by Jacqui Cheng Posted in: Security
A malware exploit that has been circulating since March or so is picking up the pace lately, hijacking more than 3,000 websites as of this week. Gumblar's goal is to manipulate Google's results in order to affect as many PCs as possible, which has some researchers describing it as "a botnet of compromised websites."
Read more
----------
Wednesday, May 20, 2009 10:06 AM
Answers to the IIS WebDAV authentication bypass questions
We have heard several questions from customers about the WebDAV authentication bypass issue on IIS. We wanted to post common questions and answers here to help anyone else who might have the same question.
Question: Is Sharepoint vulnerable to the authentication bypass?
Answer: No, Sharepoint is not vulnerable to this vulnerability. The Sharepoint team does not use the same code as IIS. Their DAV server goes against their backend SQL store, not the file system.
Question: Is Outlook Web Access (OWA) vulnerable to the authentication bypass?
Answer: No, OWA is not vulnerable to this vulnerability. Exchange 2007 and earlier supported the WebDAV protocol but they did so with an Exchange implementation of WebDAV which only reads/write to/from the Exchange store. It does not interact with the filesystem directly.
Question: How can I find IIS servers in my environment running WebDAV?
Answer: You can use the IIS Manager interface on the server to quickly tell whether the server is running WebDAV. If you want to do so remotely, you can issue an HTTP request to the server directly:
...
----------
Microsoft Bans Memcopy()
This seems smart:
Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C language. Effective later this year, Microsoft will add memcpy(), CopyMemory(), and RtlCopyMemory() to its list of function calls banned under its secure development lifecycle.
Here's the list of banned function calls. This doesn't help secure legacy code, of course, but you have to start somewhere.
----------
20 May 2009
Microsoft releases free tool for secure software development
The tool is aimed at enabling programmers to integrate the knowledge accumulated through Microsoft's Security Development Lifecycle (SDL) into their software development environment more…
----------
"The ODF Alliance has prepared a Fact Sheet for governments and others interested in how Microsoft's SP2 for Office 2007 handles ODF. The report revealed 'serious shortcomings that, left unaddressed, would break the open standards based interoperability that the marketplace, especially governments, is demanding.'"
----------
The sky is falling? GPS in trouble?
Matthew Miller: The convenience and utility of GPS may be impacted over the next year or two as the satellites circling our planet begin to expire while funding and management issues keep replacement satellites grounded.
----------
Lots of recent buzz about this site:
http://www.wolframalpha.com/
----------
Hexzone, Virut and Pushdo
Some interesting relationships between Hexzone, Virut and Pushdo suggest a complex and sophisticated malware distribution network.
----------
Netbook comes with factory-sealed malware
Chuck Miller May 20, 2009
In a rare occurrence, a brand-new factory-sealed netbook has been found to contain malware, according to researchers at Kaspersky Lab.
----------
Researcher publishes Java proof-of-concept to urge Apple action
Dan Kaplan May 19, 2009
Calling Apple's patching process "opaque," a security researcher has decided that publishing a proof-of-concept exploit is the best way to force the computing giant to fix a months-old flaw.
----------
Download My Hakin9 Article “Anatomy of Malicious PDF Documents”
----------
Monday, May 18, 2009
Monday 05/18/09
Identity thieves who hit Facebook last week with another round of phishing attacks are harvesting users' passwords for profit, a security researcher said today. Read more...
----------
Heartland Breach Cost Firm $12.6M -- So Far
Heartland Payment Systems Inc. last week disclosed that it has so far spent or set aside more than $12.6 million to cover costs related to a major data breach that the credit card payment processor disclosed in January.
The company blamed the breach in part for a loss in its latest quarter.
----------
Google's Chrome was 'hackable' at Pwn2Own contest
Although Google's Chrome was the only browser left standing after March's Pwn2Own hacking contest, it was vulnerable to the same bug that a German college student used to bring down Apple's Safari, Google acknowledged this week.
Although Google patched the Chrome vulnerability May 7, it waited until last Wednesday to reveal that the bug was the same WebKit flaw that Apple patched the day before.
----------
McAfee to buy Solidcore for whitelisting technology
Security software vendor McAfee Inc. today announced it intends to acquire Solidcore Systems for about $33 million in cash and an additional $14 million if certain performance targets are met.
McAfee indicated its interest in the acquisition centered on Solidcore's whitelisting technology that can set controls on what applications are allowed to run on a computer. After the acquisition is completed, McAfee expects to bring Solidcore's whitelisting and compliance enforcement mechanisms into the McAfee product line under the management umbrella of the McAfee ePolicy Orchestrator (ePO) management console.
----------
McAfee, EMC team up vs. Symantec in online backup
Reuters - Mon May 18, 8:30 AM ET
BOSTON (Reuters) - McAfee Inc, the No. 2 computer security company, plans to team up with EMC Corp to offer online PC backup services, and announced the acquisition of a company that protects ATMs against hackers.
----------
Teens Hack Just for Fun
Curiosity, amusement fuel 'casual hacking' by teens, often on social networks, a study reports.
----------
Malware's Newest Threat: Fake URLs
Cybercrooks are flooding the Internet with URLs containing names of actual sites.
----------
Report: Over 60 Percent of Websites Contain Serious Vulnerabilities
May 18,2009
Newly released client data from White Hat Security finds organizations are slow to close known security holes in their Websites
----------
Cisco SAFE Security Reference Guide Updated
A number of years ago I found myself in a new role responsible for consulting on the security of a VoIP platform. Having never been responsible for VoIP security I went looking for Internet sources which I could use as a reference. What I discovered was the Cisco SAFE security guides. Although the SAFE VoIP security guide is long gone, the Cisco SAFE Security Reference Guide has recently been updated. The Reference Guide is the omnibus document containing design standards for all aspects of network security. Although Cisco-centric the Guide is a very complete and can be adapted to whatever technologies you choose to deploy in your networks. In addition to the Reference Guide, the SAFE home page contains other papers which may be of use in interpreting SAFE.
-- Rick Wanner rwanner at isc dot sans dot org
----------
Botnet Battle: How to Fight Back, Part 3
CSO Senior Editor Bill Brenner interviews Gunter Ollmann, vice president of research at Damballa, Inc., about what he sees as the largest and most insidious botnets -- and what security pros should be doing to keep them at bay.
Read more
----------
http://www.cnn.com/2009/TRAVEL/05/18/airport.security.body.scans/
ATLANTA, Georgia (CNN) -- Privacy advocates plan to call on the U.S. Department of Homeland Security to suspend use of "whole-body imaging," the airport security technology that critics say performs "a virtual strip search" and produces "naked" pictures of passengers, CNN has learned.
----------
Hackers crack flight sim community site, ruin it for everyone
May 17, 8:03 p.m. UTC - by Chris Foresman Posted in: The Web
Avsim, a popular website for flight simulator aficionados, was "destroyed" by hackers. The move is a blow to the flight sim community, and the senseless move will give more fodder for anti-hacking sentiment.
Read more
----------
DOE stimulus drops $2.4 billion on carbon sequestration
The past administration had helped foster a few pilot CCS projects, but its plans to build a large-scale demonstration project were shelved indefinitely. So, to an extent, the programs announced by Chu represent the nation's first real attempt at getting CCS technology off the ground.
----------
Citing $130K in legal bills, Jammie Thomas' lawyer withdraws
May 18, 2:01 a.m. UTC - by Eric Bangeman Posted in: Law & Disorder
With a copyright infringement retrial looming for Jammie Thomas-Rasset on June 15, her attorney Brian Toder has asked to withdraw from the case, citing nearly $130,000 of unpaid legal bills and the prospect of even more. It also appears that communications between Toder and Thomas-Rasset may have broken down in the wake of a failed settlement conference.
Read more
----------
How to get cheap(er) FiOS: buy it from someone else
May 17, 11:04 p.m. UTC - by Nate Anderson Posted in: Law & Disorder
Want that 50Mbps FiOS goodness but don't want to pay $144.95 for it? Verizon now sells wholesale fiber access to other ISPs, one of which is offering 50Mbps service over the same lines for only $99.95.
Read more
----------
Posted at 7:00 AM ET, 05/18/2009
MyIDscore.com Offers Free ID Theft Risk Score
Consumers trying to determine their risk of becoming an identity theft victim typically are told to check their credit report for signs of unauthorized or suspicious activity. But a new Web-based service aims to give users a view into tricks ID thieves use that credit reports often miss, such as when crooks use only parts of a victim's identity to fabricate a new one.
Permalink
----------
Pirate Terrorists in Chesapeake Bay
This is a great movie-plot threat:
Pirates could soon find their way to the waters of the Chesapeake Bay. That's assuming that a liquefied natural gas terminal gets built at Sparrows Point.
The folks over at the LNG Opposition Team have long said that building an LNG plant on the shores of the bay would surely invite terrorists to attack. They say a recent increase in piracy off the Somali coast is fodder for their argument.
Remember—if you don't like something, claim that it will enable, embolden, or entice terrorists. Works every time.
Posted on May 18, 2009 at 1:38 PM
----------
Kylin: New Chinese Operating System
Interesting:
China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies.
The secure operating system, known as Kylin, was disclosed to Congress during recent hearings that provided new details on how China's government is preparing to wage cyberwarfare with the United States.
...
----------
Spammers harvesting emails from Twitter - in real time
Dancho Danchev: If you're sending your e-mail to a friend on Twitter, there could be more recipients - and responders - than you intended.
----------
Should Police Be Arrested For Illegal Hacking For Setting Up Fake Facebook Profile?
from the we-should-be-fair,-right? dept
In the Lori Drew case, she was convicted for "computer hacking" because she violated MySpace's terms of service by setting up a profile of a fake person. And for this, she deserves years in jail? Well, if that's the case, reader Roni Evron wants to know if some police officers are going to face the same charges after they set up a fake Facebook profile in order to bust up an after-prom high school party. Apparently, they set up a fake Facebook profile and friended a bunch of the kids at school, who apparently were "cavalier about accepting people into their network of friends." That, of course, is fine... but it's basically the same thing that Drew was arrested and convicted of doing.
----------
California water company insider steals $9 million, flees country
Angela Moscaritolo May 15, 2009
An insider at the California Water Service Co. in San Jose broke into the company's computer system and transferred $9 million into offshore bank accounts and fled the country.
----------
Study: Majority of adolescents online have tried hacking
Greg Masters May 15, 2009
A new study from Panda Security found that 67 percent of teenagers surveyed admitted to having tried to hack into friends' instant messaging or social network accounts.
Wednesday, May 13, 2009
Friday 05/15/09
PC World - Thu May 14, 3:38 PM ET
A new round of Web sites hijacks is attempting to install malicious, Google-focused software on unpatched PCs, according to security company ScanSafe, further cementing the drive-by-download approach as a bad-guy tactic of choice.
----------
Court Rules for FBI Agent Who Made Sex Tapes
By ANNIE YOUDERIAN
(CN) - The FBI improperly removed a special agent for videotaping his off-duty sexual encounters with three women, including two FBI employees, the Federal Circuit ruled.
----------
Nearly half of IT security budgets deemed insufficient
Angela Moscaritolo May 13, 2009
It's no news that the current economic situation has put a strain on companies' finances, but a recent survey aimed to quantify the toll the recession has taken on IT budgets.
----------
Who will check the security of cloud providers?
The most basic facts about your data – like where it is exactly and how it is replicated – become...
----------
FakeAlert Trojan Holds Systems For Ransom
In March 2009, we notified our customers on a new variant of the infamous Vundo trojan family which we detected as Ransom-F and raised its risk assessment to a Low-Profiled threat. It was possibly the first indicators of a shift in the FakeAlert criminal model from instilling fear, to holding information technology resources for ransom but certainly not the last.
Last week, we came across to a new variant of a rogue security program branded by its creators as “System Security 2009″ and detected them as FakeAlert-CO, and some of its past similarly branded cousins as FakeAlert-SystemSecurity.
The updated variants were discovered from a web page hosted on trustedw{blocked}security.com.As most other rogue security programs to date, FakeAlert-CO displays spurious alerts and making fraudulent claims of infections that requires the user to pay a fee to “repair”. Following the trend of Ransom-F, we noticed “new features” in FakeAlert-COthat resembles some common characteristics of ransomware trojans.
Once installed, FakeAlert-CO may either terminates all running user process or prompts the user to reboot.
----------
Class Objects to 3-Way Gas Nozzles
By KARINA BROWN
LOS ANGELES (CN) - Big gas companies installed single-nozzle gas pumps that save them money but cheat consumers by mixing grades of gas they dispense, a class claims in Federal Court. Lead plaintiff Jonathan Alvarez says Chevron, Exxon-Mobile, BP, Shell, and Valero all replaced their three-nozzle system with a single nozzle that dispenses all three grades of gas.
----------
Consumer Class Action
Fry's Electronics refuses to refund the sales tax on returned items, a class action claims in Los Angeles Superior Court.
----------
Malware most potent on social networks
Chuck Miller May 12, 2009
Malware distributed via social networking sites is 10 times more effective than malware spread via email.
----------
Court Rules Breach Victims Not Entitled to Restitution
By Kim Zetter
May 13, 2009
A federal judge has ruled that victims whose bank card numbers were stolen in a data breach are not entitled to sue if their losses were already reimbursed. Only customers who weren’t reimbursed for fraudulent charges may sue.
----------
Most Claims Dismissed in Hannaford Data Breach Suit
All but one of the legal claims filed against Hannaford Bros., the Maine-based retailer that suffered a security breach exposing some four million credit cards, have been dismissed.
----------
Botnet War: The Story So Far
CSO has been running a series on the fight against botnet herders and will release the next chapter Monday. Need to get up to speed? Here's the story so far.
Read more
----------
Heartland Breach Blamed for Failed Membership Renewals
http://blogs.washingtonpost.com/securityfix/
In February, Bill Oesterle began seeing nearly twice the normal number of transactions being declined for customers who had set up auto-billing on their accounts. The co-founder of Angie's List -- a service that aggregates consumer reviews of local contractors and physicians -- said he originally assumed more customers were simply having trouble making ends meet in a down economy.
But as that trend continued into March and April, the company shifted its suspicions to another probable culprit: credit card processing giant Heartland Payment Systems.
The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses, has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud.
Wednesday 05/13/09
Computerworld - Owners of Apple, Dell and Hewlett-Packard laptops have combined their lawsuits against Nvidia in an attempt to force the graphics chip maker to replace allegedly flawed processors, according to court documents.
If granted class-action status, the case could involve millions of laptop computer owners, the plaintiffs said.
The five plaintiffs, including a Louisiana man who bought an Apple MacBook Pro a year ago, filed an amended complaint last week in a San Francisco federal court, accusing Nvidia of violating consumer-protection laws.
Nvidia admitted to the problem in July 2008, when it said some older chipsets that had shipped in "significant quantities" of notebooks were flawed. In a subsequent filing with the U.S. Securities and Exchange Commission (SEC), the company argued that its chip suppliers, the laptop makers and even consumers were to blame.
...
----------
Care to see what kind of legal cases are being worked on:
http://pdfserver.amlaw.com/ca/health919_1.pdf
----------
Apple delivers jumbo security update for Mac OS X
Patches 67 bugs, including two used to hack Macs at Pwn2Own contest.
----------
Groups rip secrecy over IP protection talks
The secrecy surrounding an anticounterfeiting trade agreement that's being negotiated by several countries, including the U.S., is heightening concerns about the intent of the pact.
Adding a sense of urgency to the concerns is that the trade agreement talks are expected to move on to new Internet provisions that could have broad implications for Internet users and service providers.
----------
Microsoft delivers mega PowerPoint patch
Fixes 14 flaws in Windows version, delays Mac update until June.
Vulnerabilities in Works 8.5 and 9.0
No fixes available for Office 2004, Office 2008, Works 8.5 nor Works 9.0
----------
Click fraud identification guidelines released
The Interactive Advertising Bureau has published guidelines for determining when fraudsters are taking advantage of pay-per-click (PPC) advertisements.
PPC ads, which most often appear as text boxes along with search results, are the most popular online ad format but are vulnerable to click fraud. The subject has long been controversial and advertisers have sometimes complained that the major search engine companies minimize the severity of the problem.
----------
Aruba unveils low-priced WLAN gear
Customers plug in the new remote access points, connect them to a gateway or other WAN link, and the devices automatically connect to a central Aruba controller and download the necessary WLAN security, usage and management configurations for the local site and its user, the company says. The access points and local controllers can be administered remotely. No VPN software needs to be loaded on to local clients.
----------
Teenager pleads guilty to Scientology Web attack
IDG News Service - A 19-year-old New Jersey man has pleaded guilty to knocking the Church of Scientology's Web site offline in a series of January 2008 online attacks.
----------
The Trouble with Craigslist's 'Erotic Services' Shutdown
After Craigslist's "erotic services" space is removed, folks will simply find alternate venues once again.
----------
The Hidden Secrets of Online Quizzes
You can have a ball taking online quizzes on Facebook and other sites, but here are some things you should know before you do.
----------
Check the Strength of Your Password
Microsoft's free password-checking site tells you instantly if your password is hacker-friendly or Pentagon-safe.
Don't worry: Microsoft isn't secretly collecting passwords for its own eeeeevil purposes.
----------
Adobe Acrobat (reader) patches released
CVE-2009-1492 and CVE-2009-1493 are fixed.
http://www.adobe.com/support/security/bulletins/apsb09-06.html
----------
Insider May Have Breached More Than 10,000 Patient Records At Johns Hopkins
May 13,2009 Employee had access to patient database as part of her job, report says
----------
IronKey Partners With Synnex To Expand Distribution Throughout North America
----------
Fed Bank IT Worker Charged With Insider Data Theft
IT employee allegedly used administrative access to collect co-workers' personal data and obtain bank loans in their names
----------
FCC will run nationwide DTV "soft test" on May 21
----------
WiFi goes gigabit... but it won't go through walls
May 13, 12:19 p.m. UTC - by Nate Anderson Posted in: Chipster
The Wireless Gigabit Alliance wants to bring gigabit data rates to the 60GHz band, and it wants to have the spec ready this year. But this won't replace WiFi; in fact, it won't even go through walls.
Read more
----------
Police can't track your car with GPS—or can they?
May 13, 1:07 a.m. UTC - by Jacqui Cheng Posted in: Law & Disorder
Police can't use a GPS on your car to track your whereabouts at all times—or can they? Appeals courts in Wisconsin and New York seem to disagree on whether such activities violate your Fourth Amendment rights, although they do agree that law enforcement shouldn't be allowed to do it willy nilly.
Read more
Monday, May 11, 2009
Monday 05/11/09
Orbitz CISO Ed Bellis explains how the proliferation of vulnerability assessment products and services has created chaos, and how SCAP may be the answer.
Read more
----------
Sysinternal Updates 3 Applications
Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution.
PsLoglist v2.7: This version of PsLoglist, a command-line event log display utility, now properly displays event log entries for default event log sources on Windows Vista and higher and accepts wildcard matching for event sources.
PsExec v1.95: This version of PsExec, a utility for executing applications remotely, fixes an issue that prevented the -i (interactive) switch from working on Windows XP systems with a recent hotfix and includes a number of minor bug fixes.
----------
Is your Symantec Antivirus Alerting working correctly?
In the past several months multiple difficulties have arisen with Symantec AMS (Alert Management System). The situation may sound familiar. One minute the settings are configured correctly and alerting properly, the next thing you know, days have gone by without any detection. This is great, right? No viruses in our network! Wrong… A careful inspection of the SAV console showed numerous detections without any alerts. AMS doesn’t show alerting is configured.
Symantec informed the network technician that the AMS server needed to be reloaded. This method was tried a few times each time services stopped again within days. Finally a Symantec tech said that this was a “known issue”. The workaround was to continue to reload the AMS services every time they stop working and take a chance we wouldn’t receive alerts or to use the alternative, the Reporting Server for alerting.
Days later on April 28, 2009, Symantec released four security vulnerabilities in SYM-09-007 involving some of the same Intel services that were involved in the issues experienced above. At this point, it is unclear as to whether the vulnerabilities are related to the malfunctioning alerts, but it wouldn’t hurt to check your configurations. The mitigations sound familiar.
...
----------
Shared SQL Injection Lessons Learned blog item
The X-Force Frequency Blog has a great read posted yeaterday by Harlan Carvey sharing some IR lessons learned, SQL Injection Lessons from X-Force Emergency Response Service Investigations.
The Frequency X blog has visited the topic of SQL Injection on a number of occasions; however, it is worth delving into again to emphasize exactly how much internal network access attackers can gain through vulnerable web applications. Over the past several years, SQL injection has been THE means for accessing entire infrastructures on many of the engagements that our Emergency Response Service (ERS) team has handled.
...
----------
Malicious Content on the Web
The first is a fake/Trojanized Windows 7 Release Candidate (RC) build release. The Trojan is being referred too as TROJ_DROPPER.SPX.
The second item is a possible infection your typical "your computer is infected, click here to scan and clean it" on the usatoday.com website. We have received more than one report of this but have not been able to confirm. We suspect if it indeed is there that it is an ad somewhere on their site. Several of the handlers have tried to find the offending ad and have so far been unsuccessful. We have contacted the appropriate individuals at usatoday.com to advise them of the reports.
Other reports that we have received is that an adware program is being installed on computers when clicking on the link to get the free chicken coupon from Oprah's website. I have sent an email to the webmaster and have heard nothing back yet. The scary thing about the chicken coupon is that hundreds of people have downloaded this coupon. Just think of all of the computers that now have the malware installed. Again I can't confirm this because I haven't tried to download the coupon and I haven't heard anything back from their webmaster.
----------
Unusable, Unreadable, or Indecipherable? No Breach reporting required
Recent HIPAA legislation promised guidance identifying "the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009" (ARRA). The guidance was issued (link below).
So if a covered entity loses the jewels and it's technoligies and methodologies are up to snuff, they do not have to report it.
At this point, the way TLS is referenced, it looks to me that the guidance points to TLS impacts on organizations and security vendors/service providers. YMMV.
There are a large number of high impact HIPAA changes written into ARRA, see;
The American Recovery and Reinvestment Act of 2009
For TITLE XIII-HEALTH INFORMATION TECHNOLOGY - see Page 112 of 407For PART 1-IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS see Page 146 0f 407
The Guidance;
DEPARTMENT OF HEALTH AND HUMAN SERVICES45 CFR PARTS 160 and 164Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009
...
----------
Jamming cell phones in prisons? "We're not there yet."
May 11, 2:31 p.m. UTC - by Matthew Lasar Posted in: Law & Disorder
If cell phone use in prisons is a growing problem, what's the solution? Not signal jamming, says the mobile industry. Ars spoke with a CTIA Vice President about alternative fixes.
Read more
----------
Flu cases subside as people contemplate "flu parties"
May 8, 8:06 p.m. UTC - by John Timmer Posted in: Nobel Intent
As public health authorities clear their testing backlog, it looks like the number of new flu infections is declining precipitously. After the fact, a debate is emerging about the wisdom of "flu parties" and deliberate infections.
Read more
----------
New finds in latest iPhone beta: compass, parental controls
----------
Windows 7 and Server 2008 R2 will be ready by holiday 2009
At Microsoft TechEd North America 2009, Microsoft today announced that Windows 7 and Windows Server 2008 R2 will both be available to customers in time for the holiday shopping season.
----------
What is new in TrueCrypt 6.2 (released May 11, 2009)
----------
A secure USB disk from Lenovo
Having examined some low cost USB crypto hard disks and found them disappointing we take a look at a more up-market product from Lenovo more…
http://www.h-online.com/security/A-secure-USB-disk-from-Lenovo--/features/113192
Looks like our current standard for USB sticks, with a keypad on the outside of the drive to unlock it!
----------
"Baby monitors and wireless TV transmitters are responsible for slowing down Wi-Fi connections in built-up areas, according to a report commissioned by British telecoms regulator Ofcom. The research smashes the myth that overlapping Wi-Fi networks in heavily congested towns and cities are to blame for faltering connection speeds. Instead it claims that unlicensed devices operating in the 2.4GHz band are dragging down signals. "It only requires a single device, such as an analogue video sender, to severely affect Wi-Fi services within a short range, such that a single large building or cluster of houses can experience difficulties with using a single Wi-Fi channel," the report claims."
----------
Multiple Antivirus Websites XSSed in One Hit
Websites belonging to no less than six antivirus vendors have been found to suffer from cross-site scripting weaknesses that could facilitate phishing attacks. Most of these companies were faced with similar flaws affecting their online resources in the past.
A grey-hat hacker, going by the name of Methodman, who seems to have specialized in finding XSS vulnerabilities in high-profile websites, has just announced another hit. More specifically, he has disclosed cross-site scripting flaws in eight websites operated by six antivirus vendors: Symantec, Kaspersky, AVG, Eset, F-Secure and Trend Micro.
----------
Incoming - Real and fake Win7 patches
Mary Jo Foley: Microsoft has made available a patch to a Windows 7 bug in the Release Candidate and is preparing to roll out some "fake" test patches to verify Windows 7's automatic-updating abilities this week.
----------
Woman Can Sue Over Indecent Yahoo! Profiles
By ANNIE YOUDERIAN
(CN) - Yahoo! is not immune from a lawsuit accusing the Internet company of failing to remove two bogus online profiles that a woman's ex-boyfriend posted, the 9th Circuit ruled. The phony profiles contained nude photographs, purportedly solicited sex, and listed her actual work email, phone number and address.
----------
NERC president: Emergency cybersecurity help needed
Angela Moscaritolo
Efforts of the North American Electric Reliability Corp. (NERC) to secure the nation's power grid against cyberthreats cannot substitute for additional emergency authority at the federal level, urged Richard Sergel, president and CEO of NERC, in testimony during a Senate hearing on cybersecurity Tuesday.
----------
Air Marshals’ Secret Communication Weapon
If you’re a U.S. Air Marshal patrolling the friendly skies, you’ll want to communicate discreetly with fellow on-board marshals, airport ground crew, cockpit crew and flight attendants if you need to thwart an attack.
You might also want to tap into the plane’s digital system to know where you are at any time, how far the nearest airport is and how much fuel you have left on the plane.
To do this, you’ll want something like the Federal Air Marshal Service Communication System (FAMSCOM), an application that runs on any off-the-shelf wireless PDA.
Continue Reading “Air Marshals’ Secret Communication Weapon” »
----------
It’s a man baby!
In the last few days, the story of Yinghacker, “the most beautiful female hacker in China,” has been making the rounds in Chinese news outlets and blogs. Her exploits and earnings, in this male dominated society, have been posted by numerous online sources. The number of male friends added to her blog since the story first appeared have been impressive.
Problem: Yinghacker is a man baby! He thinks it’s kinda funny to pretend to be a MM (girl) online.
----------
Elsevier Had A Whole Division Publishing Fake Medical Journals
Remember a week ago when we wrote about pharma giant Merck and publishing giant Elsevier working together to publish a fake journal that talked up various Merck drugs and was used by doctors to show that the drugs were safe and useful? Well, you knew the story wouldn't end there, right? Slashdot points us to the discovery that there is actually a whole division at Elsevier that would publish such journals and tried to duck this fact before sort of (but not fully) admitting it...
----------
Do Social Networks Invite Hackers into the Office?
Social networks are proving a useful professional tool, but they may raise security risks for the enterprise.
----------
Digitize Everything for Lasting Family Archives
Life happens, and here's why (and how) you might find value in digitizing all of the items that are important to you.
----------
In China, $700 Puts a Spammer in Business
PC World - Fri May 8, 7:30 PM ET
It's a great deal, if you're a spammer.
You pay US$700 to use a server in China that lets you send all the spam you like. It's called bulletproof hosting, and to the people who fight spam and cybercrime it's becoming a big problem.
...
----------
Inside a data leak audit
When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources. Read more...
...
That said, Spinosa was shocked at what he found -- more than 700 leaks of critical information, such as Social Security numbers, pricing, financial information and other sensitive data in violation of the Payment Card Industry's standards. He also found serious lapses – more than 4,000 – that ran counter to HIPAA and Defense Department Information Assurance Certification rules.
----------