Interesting security program for iPhone:
http://www.phoenixfreeze.com/
Uses Bluetooth on your iPhone or BlackBerry and on your laptop to log in or lock the console, depending on how far you are from the computer.
----------
Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities
----------
Symantec's Strategy: Are Customers Getting What They Need?
CSO Senior Editor Bill Brenner talks to Symantec VP Francis deSouza about the vendor's latest strategy to address customer concerns over compliance, DLP and cloud security (podcast).
----------
First Family Safe House Details Leak Via P2P
Details about a U.S. Secret Service safe house for the First Family -- to be used in a national emergency -- were found to have leaked out on a LimeWire file-sharing network recently, members of the House Oversight and Government Reform Committee were told this morning.
Also unearthed on LimeWire networks in recent days were presidential motorcade routes and a sensitive-but-unclassified document listing details on every nuclear facility in the country, Robert Boback, CEO of Tiversa Inc., told committee members.
The disclosures prompted the chairman of the committee, Rep. Edolphus Towns (D-N.Y.), to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks. "For our sensitive government information, the risk is simply too great to ignore," said Towns, who plans to introduce a bill to enforce just such a P2P ban.
----------
Black Hat 2009: More Holes in Web's SSL Security Protocol
Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.
At the Black Hat conference in Las Vegas on Thursday, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.
----------
Wired: Military may ban Twitter, Facebook
----------
eBay told it can't use core Skype tech, attempts workaround
July 31, 3:59 p.m. UTC - by Jacqui Cheng Posted in: Software
Technology from Joltid currently powers Skype's P2P connections, but perhaps not for long. Skype has revealed that it's working on an alternative to Joltid's software thanks to a licensing dispute between the two companies, but notes that such a switch could still be detrimental to the service.
----------
Over 1 billion served: Firefox passes download milestone
----------
Windows 7 Family Pack and Anytime Upgrade pricing unveiled
Microsoft today announced that the Family Pack for Windows 7, which allows you to upgrade three PCs to Windows 7 Home Premium, will cost $149.99 in the US ($199.99 in Canada), a savings of about $200 on the three upgrade licenses. A Microsoft spokesperson told Ars the company didn't have pricing details for any country other than the US and Canada. The Windows 7 Family Pack will be available from October 22, 2009, the general availability date for Windows 7, while supplies last in the US and other select markets.
----------
DeKalb GA Police Officers Suspended After President Obama Background Check
Officers Ryan White and C.M. Route have been suspended following their use of a police computer to run a background check on President Obama. The computer, inside a police car, was used to access the National Crime Information Center database managed by the FBI. Databases that are engineered to support data mining present significant challenges to privacy rights because of the potential for their abuse and misuse. The NCIC has also faced challenges from privacy and civil liberties advocates because the Federal Privacy Act's accuracy requirements do not apply to it.
Officers Run Background Check On Obama; Placed on Leave, WSBTV, July 29, 2009
----------
Cheerleader Sues Coach Over Accessing Personal Facebook Account
A high school cheerleader claims that her coach demanded that she hand over the login information for a personal Facebook account. The coach is said to have used that access to log on and then shared content from the account with other school officials. The student was punished by school officials over what she says was information found on her Facebook account. The student is suing the school and the coach for violations of her constitutional rights to privacy, free speech, and association.
Cheerleader sues school, coach after illicit Facebook log-in
----------
Following the Money: Rogue Anti-virus Software
By its very nature, the architecture and limited rules governing the Web make it difficult to track individuals who might be involved in improper activity. Cyber-sleuths often must navigate through a maze of dead-end records, pseudonyms or anonymous corporations, usually based overseas. The success rate is fairly low.
Even if you manage to trace one link in the chain -- such as a payment processor or Web host -- the business or person involved claims that he or she was merely providing a legal service to an unknown client who turns out to be a scammer.
But every so often, subtle links between the various layers suggest a more visible role by the various parties involved. This was what I found recently, when I began investigating a Web site called innovagest2000.com.
----------
More information about Microsoft's ATL problems
Following the release of two emergency patches last Tuesday, more background information about the critical holes in the Active Template Library (ATL) has come to light.
----------
Landlord-Tenant Battle Takes Tweet Libel Twist
By MATTHEW HELLER
A first-of-its-kind defamation lawsuit over a Chicago apartment renter's 16-word Twitter post appears to be the poisonous fruit of a tenant-friendly housing ordinance that landlords say punishes them unfairly for petty violations.
----------
Researchers simulate a botnet of 1 million zombies
Angela Moscaritolo July 31, 2009
Computer scientists working for the U.S. Department of Energy announced this week that they have been able to create a simulated botnet consisting of more than one million machines.
----------
Adobe updates Flash Player for 10 vulnerabilities
Angela Moscaritolo July 30, 2009
Adobe on Thursday issued a security update for Flash Player and AIR to address a number of critical vulnerabilities which could potentially allow an attacker to take control of the affected system.
----------
Black Hat: Clampi banking trojan spreading rapidly
Dan Kaplan July 30, 2009
A newly revealed banking trojan is considered one of the biggest threats on the internet because of the way it can quickly spread.
----------
Security Camera Hack Conceals Heists Behind Dummy Video
LAS VEGAS — Technology has caught up with Hollywood heist films in a new hack being demonstrated at DefCon Friday, which involves hijacking IP video streams and seamlessly replacing them with new content.
In its simplest form, the hack — conducted with two free tools developed by researchers at Sipera Systems’ Viper Lab — allows someone to intercept and copy video from IP surveillance cameras to spy on the secured premises. But it would also allow the hacker to replace a legitimate video stream with a bogus stream, permitting a thief or corporate spy to enter an office while the security guard sees only a still-image of an empty room on his monitor.
“There are tools that can prevent this outright, but when you don’t have security in place, you can run these types of attacks,” said Jason Ostrom, director of Viper Lab. “Most of the enterprises we see don’t have the security controls in place.”
----------
Anti-theft software could create security hole
AP – Thu Jul 30, 7:50 pm ET
LAS VEGAS - A piece of anti-theft software built into many laptops at the factory opens a serious security hole, according to research presented Thursday.
The "Computrace" software, made by Vancouver-based Absolute Software Corp., is part of a subscription service that's used to find lost or stolen computers. Many people don't know it's on their machines, but it's included in computers from the biggest PC makers.
----------
'MonkeyFist' Launches Dynamic CSRF Web Attacks
Jul 30, 2009
Researchers release tool that automates cross-site request forgery attacks
----------
Overview of the out-of-band release
Today we released Security Advisory 973882 and with it, two out-of-band security bulletins. These updates are MS09-034 (an Internet Explorer update) and MS09-035 (a Visual Studio update). At this time for customers who have applied MS09-032 we are not aware of any “in the wild” exploits that leverage the vulnerabilities documented in 973882 and MS09-035. However, MS09-034 and MS09-035 work together to build further defenses against the known vulnerabilities in ATL.
...
----------
Windows 7 Ultimate on sale for $1
Oh my, Chinese hackers may have cracked Windows 7. No need to connect to the Microsoft activation server...
According to other articles, this cert has been revoked.
----------
Crisis communications: A primer for teams (Part 1)
When problems strike, organizations need clear lines of communications that have been established through careful functional analysis, documented thoroughly, tested in multiple realistic trials, and improved repeatedly to reflect reality. In my white paper on "Computer Security Incident Response Team Management," which was integrated into Michael Miora's chapter on that subject in the Computer Security Handbook, 5th Edition (Wiley, 2009; Bosworth, Kabay & Whyne, eds), I wrote, "The CSIRT should include members from every sector of the organization; key members include operations, facilities, legal staff, public relations, information technology, and at least one respected and experienced manager with a direct line to top management."
...
----------
Friday, July 31, 2009
Monday, July 27, 2009
Monday 07/27/09
Network Solutions warns merchants after hack
Criminals may have stolen more than half a million credit card numbers from merchant servers hosted by Network Solutions, the Internet hosting company warned Friday.
In a letter sent to merchants who use its Ecommerce Hosting services, the company said that someone illegally installed software on company servers used to handle credit card transactions initiated by 573,928 people between March 12 and June 8, 2009.
The code "may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant Websites outside the company," Network Solutions said in the letter, signed by company chairman and CEO Roy Dunbar and sent to merchants on Friday.
----------
Microsoft to rush out emergency IE patch
Microsoft is taking the unusual step of rushing out two emergency security patches ahead of its regularly scheduled updates on Aug. 11.
The patches will include a critical fix for Internet Explorer as well as a related Visual Studio patch rated "moderate" urgency by Microsoft.
"The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin," Microsoft said in a blog posting late Friday.
The patches are set to be released on Tuesday at 10:00 a.m. West coast time.
----------
Security certificate warnings don't work, researchers say
They say things like "There is a problem with this Web site's security certificate." If you're like most people, you may feel vaguely uneasy, and -- according to a new paper from researchers at Carnegie Mellon University -- there's a good chance you'll ignore the warning and click through anyway.
In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).
...
In the Firefox 3 browser, Mozilla tried to use simpler language and better warnings for bad certificates. And the browser makes it harder to ignore a bad certificate warning. In the Carnegie Mellon lab, Firefox 3 users were the least likely to click through after being shown a warning.
The researchers experimented with several redesigned security warnings they'd written themselves, which appeared to be even more effective. They plan to report their findings Aug. 14th at the Usenix Security Symposium in Montreal.
----------
Teamwork crucial to fighting cyber crime: Microsoft
AFP – Mon Jul 27, 9:08 am ET
AFP/File
SAN FRANCISCO (AFP) - Longtime computer security rivals are joining forces to battle increasingly sophisticated online attacks by cyber criminals.
----------
RSA Software Boosts iPhone Security
The encryption company finds a way to turn the iPhone into an authenticator, addressing enterprise concerns.
RSA, The Security Division of EMC, announced the availability of the RSA SecurID Software Token for iPhone Devices that enables an iPhone to be used as an RSA SecurID authenticator, providing convenient and cost-effective two-factor authentication to enterprise applications and resources. The RSA SecurID Software Token App is now available on the App Store at no charge. The required RSA SecurID software token seed as well as RSA Authentication Manager -- the software that powers the RSA SecurID system -- are both available for purchase worldwide.
----------
Missouri Passes Breach Notification Law: Gap Still Exists for Banking Account Information
Earlier this month, Missouri passed a breach notification law as part of an omnibus package of laws under HB 62. It's a few paragraphs after the law that bans beer-bongs on rivers in Missouri [1]. It is a slightly different variant than most other breach laws, but not by much. Here is a brief synopsis of the law with the usual disclaimers [2]. There is still the encryption immunity (if you lose encrypted data you don't have to report). Other than that, it defines private information as name plus any of the following:
- Social Security Number
- Driver's License Number
- Health Information
- Insurance Information
- Financial Account Number (with whatever other information gives access to the account)
- "Unique Electronic Identifier" or Routing Code (with whatever other information gives access to the account)
----------
Aussie 'Net filtering trial deemed a success despite problems
July 27, 11:18 a.m. UTC - by Eric Bangeman Posted in: Law & Disorder
A round of testing for Australia's Internet filters has concluded. Five of the nine participating ISPs are happy with the results, even though only 15 customers from one of them decided to take part in the test.
----------
Network Solutions was PCI compliant before breach
Angela Moscaritolo July 27, 2009
Web hosting firm Network Solutions on Friday announced that, despite its being PCI compliant, a breach had compromised approximately 573,928 individuals' credit card information.
----------
Malware served up thanks to solar eclipse
Chuck Miller July 24, 2009
In a reprise of an old trick, cybercriminals are using SEO poisoning to attract victims to a rogue software site, according to Trend Micro.
----------
Citing Privacy Concerns, Senate Seeks Legal Justifications for Govt. Cybersecurity Plan
The Senate Intelligence Committee is demanding that the Obama administration supply it with the legal justifications it has produced for conducting government cybersecurity operations, or face losing funding for the projects, NextGov reports.
“During the next three years, the executive branch will begin new and unprecedented cybersecurity programs with new technology,” the senators write in a report (.pdf) released Wednesday, which accompanies the senate’s version of the FY2010 Intelligence Authorization Act, which will be voted on at an undetermined date.
----------
Verizon: 3.1 Million FiOS Customers
Verizon issued their second quarter earnings this morning, reporting that they saw reduced net income of $1.48 billion, down from $1.88 billion one year earlier. Verizon added 1.1 million new wireless subscribers compared to AT&T's 1.4 million, bringing Verizon's wireless subscriber total to 87.7 million. Despite the lure of the iPhone, Verizon retains the wireless industry's lowest postpaid customer defection (churn) rate of 1.01 percent.
----------
802.11N Becomes Official In September
Last Friday, Bob Heile, the chairman of the IEEE 802.15 working group on Personal Area Networks, noted that the 802.11n Wi-Fi standard has finally been sent on to the Standards Review Committee. That means, assuming no further hiccups, that the standard will be finalized by September. The ratification process stretches back nearly five years, slowed by a factionalized debate over competing technologies. A draft version of 802.11n was approved in January 2006, and the first wave of 802.11n hardware hit the market on that basis, with all subsequent changes (supposedly) to be applied by firmware update.
----------
Adobe Flash zero-day attack underway
Ryan Naraine: Malicious hackers have found a new vulnerability in Adobe's ever-present Flash software and are using rigged PDF documents to launch exploits against Windows targets.
----------
Friday, July 24, 2009
Friday 07/24/09
YA0D (Yet Another 0-Day) in Adobe Flash player
Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild.
The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day there are some other interesting things about this exploit.
----------
L0pht Makes Comeback (Sorta) With Hacker News Network
Its new Web site and the Hacker News Network are online, but the L0pht is not getting back together
----------
Mass 201 CMR 17: A Survival Guide for the Anxious
Security experts offer tips for navigating Mass 201 CMR 17. Will your business be ready?
----------
How to Build Your Own Digital Forensics Lab - for Cheap
Step-by-step instructions for downloading and using free or inexpensive digital forensics tools.
----------
Social Networking In The Enterprise: What Should Security Pros Do About It?
Jul 24, 2009
As Facebook and LinkedIn become more popular at work, security solutions become trickier for IT
----------
One In Two Security Pros Unhappy In Their Jobs
Jul 23, 2009
Major career survey finds security professionals are well-paid, but feel unchallenged and underutilized
----------
Hacking The Handshake Between Applications
Jul 22, 2009
Researchers to shed light on a new generation of attacks that exploit the relationship between browsers and their plug-ins -- or between any applications that share information -- and take over a victim's computer
----------
iPhone Security: Not Beefy Enough for Businesses?
Can the iPhone 3GS be hacked in two minutes with readily available freeware?
----------
EA puts sexual bounty on the heads of its own booth babes
EA has a new way to annoy its own models: give out prizes for Comic Con attendees who commit acts of lust with their booth babes. Also, if you win, you get to take the lady out to dinner! This is going to end well for everyone involved.
----------
Service Offers to Retrieve Stolen Data, For a Fee
A former cyber cop in the United Kingdom is heading up a new online portal that claims to offer a searchable database of about 120 million consumer records that have been phished, hacked or otherwise stolen by computer crooks. Visitors who search for their information and find a match can verify which data were stolen -- for a £10 ($16.50) fee.
----------
SHA-3 Second Round Candidates Announced
NIST has announced the 14 SHA-3 candidates that have advanced to the second round: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
In February, I chose my favorites: Arirang, BLAKE, Blue Midnight Wish, ECHO, Grøstl, Keccak, LANE, Shabal, and Skein. Of the ones NIST eventually chose, I am most surprised to see CubeHash and most surprised not to see LANE.
Here's my 2008 essay on SHA-3. Here's NIST's SHA-3 page. And here's the page on my own submission, Skein.
----------
Social Security Numbers are Not Random
Social Security Numbers are not random. In some cases, you can predict them with date and place of birth.
----------
Protecting SSH from brute force attacks
Using just open source tools and a few tweaks, it is possible to detect and block suspicious login attempts.
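The detection half of that approach, as an added example (this is not code from the linked article): parse sshd's failed-login lines from auth.log, count failures per source IP inside a sliding time window, and emit firewall rules for the sources that cross the threshold. The log lines, the year 2009 used to complete syslog timestamps, and the threshold of 5 failures in 10 minutes are assumptions for the demonstration; the block prints the iptables commands rather than running them.

```python
"""Flag SSH brute-force sources from sshd log lines.

Added example; the log lines below are constructed, not a real capture."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd's "Failed password" line as written to auth.log (IPv4 sources only here).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample: one burst attacker, one legitimate user who typos twice,
# and one low-and-slow attacker spread over eleven minutes.
SAMPLE_LOG = """\
Jul 24 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 24 10:00:03 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jul 24 10:00:04 host sshd[1003]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jul 24 10:00:06 host sshd[1004]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jul 24 10:00:07 host sshd[1005]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jul 24 10:00:09 host sshd[1006]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Jul 24 10:01:15 host sshd[1007]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Jul 24 10:09:30 host sshd[1008]: Failed password for alice from 198.51.100.20 port 40011 ssh2
Jul 24 10:20:00 host sshd[1009]: Failed password for root from 192.0.2.9 port 60000 ssh2
Jul 24 10:29:50 host sshd[1010]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jul 24 10:31:00 host sshd[1011]: Failed password for root from 192.0.2.9 port 60002 ssh2
"""


def parse_ts(ts: str, year: int = 2009) -> datetime:
    """syslog timestamps carry no year, so the caller supplies one (2009 assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(log_text: str, max_failures: int = 5, window_seconds: int = 600) -> dict:
    """Return {ip: (failures, first_ts, last_ts)} for every source that reached
    max_failures failed logins inside a sliding window of window_seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other sshd chatter
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # age out failures older than the window
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = (len(q), q[0], q[-1])
    return flagged


def block_commands(flagged: dict) -> list:
    """Firewall rules an operator would apply; returned as strings, never executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, (n, first, last) in hits.items():
        print(f"{ip}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for cmd in block_commands(hits):
        print(cmd)
```

Point `find_brute_forcers` at the text of `/var/log/auth.log` and hand `block_commands` to a cron job or a fail2ban-style action. The sliding window is what keeps the legitimate user (two typos eight minutes apart) and the slow attacker (three attempts over eleven minutes) below a threshold that the burst crosses in six seconds; widen the window or lower the threshold and the slow source is flagged too, which is the trade-off the tuning exercise is about.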
----------
Technology: UK ISP Disconnects Customers For File Sharing
"Karoo, an ISP in Hull, in the UK, is disconnecting subscribers without warning if they file-share, or are even suspected of file-sharing. Karoo is the only ISP in the area. Copyright owners are working with the ISP helping them identify and report suspected filesharers using their services. In order to get service restored, subscribers have to go to Karoo's office and sign a form admitting guilt and promising not to do it again. The article states that some subscribers have had their access cut off for more than two years."
Update: 07/24 16:29 GMT by KD : The Register is reporting that Karoo has relented and has changed its policy. A spokesman said: "It is evident that we have been exceeding the expectation of copyright owners..."
----------
MS agrees to browser choice in Europe
Mary Jo Foley: Microsoft is going to provide Windows 7 users in Europe with a choice of browsers, rather than no browser. Windows 7 E is still seemingly on the table.
Special Report: Windows 7
Ed Bott: Ultimate Windows 7 upgrade FAQ
----------
Major spam campaign abusing Yahoo Groups
Angela Moscaritolo July 23, 2009
About one million spam emails per hour are being sent to Yahoo Groups and other free web services, including Google Groups and LiveJournal, containing bogus pharmaceutical advertising content.
----------
FBI Processes 600 Billion Fingerprint Sets a Day — Update: No It Doesn’t
By Kim Zetter
July 23, 2009
An underground fingerprint lab in West Virginia is the nexus point for every crime committed in the country and even for some committed overseas.
The FBI’s Criminal Justice Information Services building in Clarksburg houses a multibillion-dollar computer system that processes 600 billion fingerprint sets a day, according to a CBS news reporter who visited the lab. (Correction: It’s actually more like 200,000. See update below). The prints come in 24 hours a day from crime scenes around the country, as well as from overseas, such as in Iraq where prints lifted from IED explosives are sent to CJIS to match against known terrorist suspects.
----------
Bell Canada Employs DNS Redirection
Latest to create revenue stream from typing mistakes...
10:21AM Thursday Jul 23 2009 by Karl Bode
According to user posts in our Bell Canada forum, it appears that Bell Canada is the latest ISP to implement DNS redirection advertising. The technology, controversial to some 'Net purists, replaces the error page a user would normally see after mistyping a domain name with an ad-laden search portal, effectively giving ISPs a new revenue stream from mistyped URLs. Comcast was the most recent ISP in the States to implement such functionality, which was originally more controversial because ISPs weren't offering users working opt-out options or "clean" DNS servers.
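A way to check whether your own resolver does this, as an added example that is not from the DSLReports article: query a random label under a domain that cannot exist and inspect the reply. An honest resolver answers NXDOMAIN (RCODE 3); a redirecting one answers NOERROR with A records pointing at its portal. The query builder and response parser below follow the RFC 1035 wire format; the resolver replies are constructed for the demonstration, and `.example` is assumed as the nonexistent suffix.

```python
"""Tell an honest NXDOMAIN answer from an ISP "search portal" redirect.

Added example; the resolver replies are constructed here, not captured."""
import os
import struct


def nonce_qname(suffix: str = "example") -> str:
    """A random label that cannot legitimately resolve; .example is reserved (RFC 2606)."""
    return f"{os.urandom(6).hex()}.{suffix}"


def build_query(qname: str, txid: int) -> bytes:
    """Standard recursive A query with a 16-bit transaction ID."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack(">HH", 1, 1)         # QTYPE=A, QCLASS=IN


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                          # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def classify_response(query: bytes, response: bytes) -> str:
    """'nxdomain' is the honest answer for a nonce name; 'redirected' means the
    resolver returned A records (a portal) instead; 'mismatch' means the reply
    does not belong to this query; anything else is 'other' (e.g. SERVFAIL)."""
    (qid,) = struct.unpack(">H", query[:2])
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:                   # wrong ID or not a response
        return "mismatch"
    if flags & 0x000F == 3:
        return "nxdomain"
    off = 12
    for _ in range(qd):                                    # skip the echoed question(s)
        _, off = read_name(response, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    if flags & 0x000F == 0 and addrs:
        return "redirected"
    return "other"


def make_response(query: bytes, rcode: int, addrs=()) -> bytes:
    """Constructed resolver reply for the scenarios below (not a real capture)."""
    (txid,) = struct.unpack(">H", query[:2])
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)    # name ptr to offset 12, A/IN, TTL 60
        + bytes(int(x) for x in a.split("."))
        for a in addrs)
    return header + query[12:] + rrs


if __name__ == "__main__":
    q = build_query(nonce_qname(), 0x1234)
    print("honest resolver:", classify_response(q, make_response(q, 3)))
    print("redirecting ISP:", classify_response(q, make_response(q, 0, ["203.0.113.80"])))
```

To test a live resolver, send `build_query(nonce_qname(), txid)` to it over UDP port 53 with `socket.sendto` and pass the datagram that comes back to `classify_response`; a `redirected` result on several different nonces is the signature of NXDOMAIN rewriting, and the `mismatch` branch discards replies that were not answers to your query.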
----------
Hacking Oracle's database will soon get easier
Reuters – Wed Jul 22, 3:55 pm ET
BOSTON (Reuters) - Hackers will soon gain a powerful new tool for breaking into Oracle Corp's database, the top-selling business software used by companies to store electronic information.
----------
Microsoft admits it can't stop Office file format hacks
Microsoft's plan to "sandbox" Office documents in the next version of its application suite is an admission that the company can't keep hackers from exploiting file format bugs, a security analyst said today.
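The technique Pescatore goes on to describe, fuzzing a file parser, as an added example (this is not code from the article, Gartner or Microsoft): a mutation fuzzer takes a valid seed file, applies random byte flips, insertions, deletions and truncations, feeds each variant to the parser, and records any exception the parser did not mean to raise. The record format, its parser, and the parser's unchecked type byte are constructed for this demonstration; a real campaign points the same loop at the real reader.

```python
"""Mutation-fuzz a small file-format parser.

Added example; the 'TF1' format, its parser and the parser's bug are constructed
for this demonstration."""
import random

HANDLERS = ["text", "image", "table", "macro"]   # record types the toy format knows


def parse_record_file(data: bytes) -> list:
    """Parse 'TF1' + count byte + count records of (type, length, payload).
    Malformed input is meant to raise ValueError; the type byte is never
    range-checked (the deliberate bug), so an out-of-range type escapes as
    an IndexError the caller never expected."""
    if data[:3] != b"TF1":
        raise ValueError("bad magic")
    if len(data) < 4:
        raise ValueError("truncated header")
    count, off = data[3], 4
    records = []
    for _ in range(count):
        if off + 2 > len(data):
            raise ValueError("truncated record header")
        rtype, length = data[off], data[off + 1]
        off += 2
        if off + length > len(data):
            raise ValueError("truncated payload")
        payload = data[off:off + length]
        off += length
        records.append((HANDLERS[rtype], payload))   # BUG: rtype not validated
    return records


# Constructed seed: two well-formed records, a 5-byte "text" and a 3-byte "table".
SEED_FILE = b"TF1" + bytes([2]) + bytes([0, 5]) + b"hello" + bytes([2, 3]) + b"abc"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations: overwrite, insert, delete, truncate."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete", "truncate"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def run_case(data: bytes):
    """None for clean parses and for the rejections the parser intends (ValueError);
    otherwise the name of the unexpected exception, i.e. a finding."""
    try:
        parse_record_file(data)
    except ValueError:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


def fuzz(seed: bytes, iterations: int = 500, rng_seed: int = 1) -> dict:
    """Return {exception_name: first_input_that_triggered_it}; fixed RNG seed so
    a finding can be reproduced."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        kind = run_case(case)
        if kind and kind not in crashes:
            crashes[kind] = case
    return crashes


if __name__ == "__main__":
    for name, case in fuzz(SEED_FILE).items():
        print(f"{name}: {case.hex()}")
```

The split between "expected" and "unexpected" exceptions is the whole point of `run_case`: a parser that rejects garbage with its own error is behaving; one that dies somewhere else has been walked off its assumptions, and in a native Office-style parser that is where memory corruption lives.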
"What's been happening is that Office has lots of vulnerabilities," said John Pescatore, Gartner's primary security analyst. "For the past 18 months, hackers have been fuzzing Office file formats," he said, referring to the practice of "fuzzing," a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur.
----------
Report: Michael Jackson's death certificate improperly accessed
At least six unauthorized employees viewed record more than 300 times in two weeks, says L.A. Times
----------
Adobe promises patch for seven-month old Flash flaw
Vendor knew about critical vulnerability in December 2008, never fixed it, slates updates for late next week.
----------
Windows 7 RTM leaked to BitTorrent last week
----------
Congress eyes biometric authentication for job eligibility
In a move likely to heighten concerns among opponents of a national ID card, some lawmakers are proposing that biometrics be used to authenticate the identity of anyone seeking a job in the U.S.
----------
Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild.
The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day there are some other interesting things about this exploit.
----------
L0pht Makes Comeback (Sorta) With Hacker News Network
Its new Web site and the Hacker News Network are online, but the L0pht is not getting back together
----------
Mass 201 CMR 17: A Survival Guide for the Anxious
Security experts offer tips for navigating Mass 201 CMR 17. Will your business be ready?
----------
How to Build Your Own Digital Forensics Lab - for Cheap
Step-by-step instructions for downloading and using free or inexpensive digital forensics tools.
----------
Social Networking In The Enterprise: What Should Security Pros Do About It?
Jul 24, 2009
As Facebook and LinkedIn become more popular at work, security solutions become trickier for IT
----------
One In Two Security Pros Unhappy In Their Jobs
Jul 23, 2009
Major career survey finds security professionals are well-paid, but feel unchallenged and underutilized
----------
Hacking The Handshake Between Applications
Jul 22, 2009
Researchers to shed light on a new generation of attacks that exploit the relationship between browsers and their plug-ins -- or between any applications that share information -- and take over a victim's computer
----------
iPhone Security: Not Beefy Enough for Businesses?
Can the iPhone 3GS be hacked in two minutes with readily available freeware?
----------
EA puts sexual bounty on the heads of its own booth babes
EA has a new way to annoy its own models: give out prizes for Comic Con attendees who commit acts of lust with their booth babes. Also, if you win, you get to take the lady out to dinner! This is going to end well for everyone involved.
----------
Service Offers to Retrieve Stolen Data, For a Fee
A former cyber cop in the United Kingdom is heading up a new online portal that claims to offer a searchable database of about 120 million consumer records that have been phished, hacked or otherwise stolen by computer crooks. Visitors who search for their information and find a match can verify which data were stolen -- for a £10 ($16.50) fee.
----------
SHA-3 Second Round Candidates Announced
NIST has announced the 14 SHA-3 candidates that have advanced to the second round: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
In February, I chose my favorites: Arirang, BLAKE, Blue Midnight Wish, ECHO, Grøstl, Keccak, LANE, Shabal, and Skein. Of the ones NIST eventually chose, I am most surprised to see CubeHash and most surprised not to see LANE.
Here's my 2008 essay on SHA-3. Here's NIST's SHA-3 page. And here's the page on my own submission, Skein.
----------
Social Security Numbers are Not Random
Social Security Numbers are not random. In some cases, you can predict them with date and place of birth.
----------
Protecting SSH from brute force attacks
Using just open source tools and a few tweaks, it is possible to detect and block suspicious login attempts.
----------
Technology: UK ISP Disconnects Customers For File Sharing
"Karoo, an ISP in Hull, in the UK, is disconnecting subscribers without warning if they file-share, or are even suspected of file-sharing. Karoo is the only ISP in the area. Copyright owners are working with the ISP helping them identify and report suspected filesharers using their services. In order to get service restored, subscribers have to go to Karoo's office and sign a form admitting guilt and promising not to do it again. The article states that some subscribers have had their access cut off for more than two years."
Update: 07/24 16:29 GMT by KD : The Register is reporting that Karoo has relented and has changed its policy. A spokesman said: "It is evident that we have been exceeding the expectation of copyright owners..."
----------
MS agrees to browser choice in Europe
Mary Jo Foley: Microsoft is going to provide Windows 7 users in Europe with a choice of browsers, rather than no browser. Windows 7 E is still seemingly on the table.
Special Report: Windows 7
Ed Bott: Ultimate Windows 7 upgrade FAQ
----------
Major spam campaign abusing Yahoo Groups
Angela Moscaritolo July 23, 2009
About one million spam emails per hour are being sent to Yahoo Groups and other free web services, including Google Groups and LiveJournal, containing bogus pharmaceutical advertising content.
----------
FBI Processes 600 Billion Fingerprint Sets a Day — Update: No It Doesn’t
By Kim Zetter
July 23, 2009
An underground fingerprint lab in West Virginia is the nexus point for every crime committed in the country and even for some committed overseas.
The FBI’s Criminal Justice Information Services building in Clarksburg houses a multibillion-dollar computer system that processes 600 billion fingerprint sets a day, according to a CBS news reporter who visited the lab. (Correction: It’s actually more like 200,000. See update below). The prints come in 24 hours a day from crime scenes around the country, as well as from overseas, such as in Iraq where prints lifted from IED explosives are sent to CJIS to match against known terrorist suspects.
----------
Bell Canada Employs DNS Redirection
Latest to create revenue stream from typing mistakes...
10:21AM Thursday Jul 23 2009 by Karl Bode
----------
Wednesday, July 22, 2009
Firefox 3.5 and IE8 Abused to Spy Inside Intranets
By using HTTP requests as pseudo pings
http://news.softpedia.com/news/Firefox-3-5-and-IE8-Abused-to-Spy-Inside-Intranets-117269.shtml
Two security researchers have devised proof-of-concept "ping sweeping" attacks that leverage the new Cross-Origin Resource Sharing implementation in Firefox 3.5, as well as the one already present in Internet Explorer 8. A design weakness can allow attackers to remotely map Web servers on an internal network by using HTTP requests as pings.
XMLHttpRequest is a common API used in AJAX libraries in order to send HTTP requests directly to web servers and return the results as XML or plain text directly into the scripting language. In previous browser implementations, XMLHttpRequest was limited by the JavaScript same origin policy, meaning that HTTP or HTTPS requests could only be sent by an application to the domain that loaded it.
All of that changed with the introduction of the Cross-Origin Resource Sharing (CORS) specification, which allows such requests to be made cross-site. For security purposes, the specification requires the exchange of specific headers, which servers can use to enforce origin-domain restrictions.
However, as renowned Web security researcher Robert "RSnake" Hansen points out, even when such resource-access restrictions are in place, the ability to make the request itself can be abused. "Although an attacker is not allowed to know if the page was there or not (only if it was allowed to see the content or not), the attacker is still allowed to make an initial request. In doing so that initial request can be used as a pseudo 'ping' sweep," he explains.
Obviously, this is not a real ICMP ping but an HTTP variant, which can still be used to "tell if the site is there or not because it will either return immediately […] or it will wait around much longer […] before the browser gives up." By leveraging this architectural weak spot, Hansen claims that a "substantial amount of internal address space" can be scanned for web servers rather quickly.
To support his theory, the researcher has created a PoC that scans a limited number of intranet IP addresses if the client visiting the page is behind a local router. It is also worth noting that port 80 does not necessarily have to be open for this attack to work, since the response time differs either way.
Fortunately, the popular NoScript Firefox extension can be used to mitigate the issue, because of its ABE (Application Boundaries Enforcer) component. Disabling JavaScript globally, something which NoScript does by default, will also block such attacks.
However, Internet Explorer 8 has its own proprietary variant of XMLHttpRequest too. It is called XDomainRequest and is implemented using the same Cross-Origin Resource Sharing specification. Inspired by RSnake's idea, another application security researcher, going by the online handle of Inferno, has devised a similar attack against Microsoft's browser.
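A detection-side companion to the ping sweep described above, written as an added example that is not from the article or the researchers: it reads centrally collected intranet web server logs, keeps only CORS requests whose Origin header names an outside site, and flags a client that hits several internal servers from that origin within a short window. It assumes a custom Apache LogFormat that records the server's own address and the Origin header; the log lines, the internal DNS suffix `.corp` and the thresholds are constructed for illustration, and because hosts that do not exist never log anything, this only catches the part of a sweep that reached real servers.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample lines (not real traffic) in an assumed custom Apache
# LogFormat "%A %h %t \"%r\" %>s \"%{Origin}i\"", gathered from several
# intranet web servers. %A is the address of the server that logged the hit.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.42 [22/Jul/2009:10:15:01 +0000] "GET / HTTP/1.1" 200 "-"
10.0.0.7 10.0.0.42 [22/Jul/2009:10:15:02 +0000] "GET / HTTP/1.1" 200 "http://evil.example"
10.0.0.9 10.0.0.42 [22/Jul/2009:10:15:02 +0000] "GET / HTTP/1.1" 404 "http://evil.example"
10.0.0.12 10.0.0.42 [22/Jul/2009:10:15:03 +0000] "GET / HTTP/1.1" 401 "http://evil.example"
10.0.0.7 10.0.0.88 [22/Jul/2009:10:20:00 +0000] "GET /api HTTP/1.1" 200 "http://intranet.corp"
10.0.0.7 10.0.0.88 [22/Jul/2009:10:21:00 +0000] "GET /api HTTP/1.1" 200 "http://10.0.0.7"
"""

LOG_RE = re.compile(
    r'^(?P<server>\S+) (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<origin>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
INTERNAL_SUFFIXES = (".corp",)  # assumed internal DNS suffix; adjust per site
SWEEP_WINDOW_S = 60             # distinct servers reached within this window...
SWEEP_THRESHOLD = 3             # ...from one client/origin pair count as a sweep


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_internal_host(host):
    """Private IP address or a name under an internal DNS suffix."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)


def is_external_origin(origin):
    """True when the Origin header names a site outside the intranet."""
    if origin in ("", "-"):
        return False  # no Origin header: not a cross-origin request
    host = urlparse(origin).hostname
    return host is not None and not is_internal_host(host)


def analyze(log_text):
    """Group external-origin hits on intranet servers by (client, origin).

    The HTTP status is deliberately ignored: a 401 or 404 tells the remote
    page just as much about the host's existence as a 200 does.
    """
    events = defaultdict(list)  # (client, origin) -> [(ts, server), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_external_origin(rec["origin"]):
            continue
        if not is_internal_host(rec["server"]):
            continue  # only requests that landed on intranet servers matter
        events[(rec["client"], rec["origin"])].append((rec["ts"], rec["server"]))

    findings = []
    for (client, origin), hits in events.items():
        hits.sort()
        # Sliding window: most distinct servers reached within SWEEP_WINDOW_S.
        best = 0
        for i, (t0, _) in enumerate(hits):
            servers = {s for t, s in hits[i:]
                       if (t - t0).total_seconds() <= SWEEP_WINDOW_S}
            best = max(best, len(servers))
        findings.append({
            "client": client,
            "origin": origin,
            "distinct_servers": len({s for _, s in hits}),
            "sweep": best >= SWEEP_THRESHOLD,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Any single finding is already worth a look, since a browser on the LAN normally has no reason to issue CORS requests from an Internet origin to intranet hosts; the sweep flag only raises the priority.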
----------
Malware is their Business…and Business is Good!
I cribbed the title from Megadeth - I admit it. However, when looking at this year’s growth in malware it seems disturbingly appropriate. Economic downturn globally or not, malware production continues at a record-setting pace because this is how many cybercriminals make their money (malware long ago stopped being about fun and bragging).
We here at Avert Labs have seen almost as much unique malware in the first half of 2009 as we did in all of 2008. This is quite something when you consider that in 2008 we saw the greatest growth in malware ever:
...
----------
Solar storms have caused serious disruptions
This is the second of a three-part summary of a recent National Research Council report Severe...
Rerouted flights cost airlines $10,000 to $100,000 per flight. Numerous anomalies were reported by deep space missions and by satellites at all orbits. GSFC Space Science Mission Operations Team indicated that approximately 59% of the Earth and Space science missions were impacted. The storms are suspected to have caused the loss of the $640 million ADEOS-2 spacecraft. On board the ADEOS-2 was the $150 million NASA SeaWinds instrument. Due to the variety and intensity of this solar activity outbreak, most industries vulnerable to space weather experienced some degree of impact to their operations.
----------
UK couple chases bank over 'phantom' withdrawals
When Emma Woolf of London logged into her online account with Abbey National bank in early March,...
----------
"Panda Burning Incense" author to work in “Computer Security”
According to Yangtze River News, the author of the virus “Panda Burning Incense” is due to be released from prison at year’s end and plans on working in computer security. Li Jun, also known as the “Virus King,” designed the “Panda Burning Incense” virus that wreaked havoc across the Chinese internet from December 2006 to January 2007. The virus infected between 300,000 and 500,000 computers daily, with at least 10 million infected in total. The virus earned Li between 3,000 and 5,000 yuan each day, and the highest day’s income was 10,000 yuan.
----------
43 Minutes Late Is Out, Circuit Rules
By JEFF GORMAN
(CN) - A creditor is not entitled to participate in bankruptcy proceedings because it missed the filing deadline by 43 minutes, the 7th Circuit ruled.
----------
Companies offer to pay breach fines
Chuck Miller July 21, 2009
Two credit-card payment processors are offering to cover merchants' fines and penalties in the event of a data breach.
----------
Web browser flaw enables attacks against EV SSL
Angela Moscaritolo July 21, 2009
Two security researchers are set to show how, due to a common browser vulnerability, extended-validation SSL certificates don't offer much more protection than traditional certs.
----------
Industry group releases software integrity framework
Dan Kaplan July 21, 2009
Not enough emphasis is placed on the integrity of software, according to a software assurance group, which hopes to change that mentality with a new framework.
----------
Author of Torture Memos Pranked in Classroom
John Yoo, a former deputy attorney general who has faced intense criticism for authoring constitutionally-questionable memos justifying torture and the government’s warrantless wiretapping program, was confronted last week during a lecture he was giving on international law at Chapman University School of Law, a private school in Southern California.
After Yoo mentions the Constitution during his lecture, and asks the students if they have any questions, an Australian comedian from the show Chaser’s War on Everything is seen wearing a black hooded robe and standing on top of his desk with his arms outstretched, recalling one of the most iconic images of U.S. torture captured in the now-infamous Abu Ghraib photos.
The comedian says, “Actually, Professor, I’ve got one question. Uhm, how long can I be required to stand here ’til it counts as torture?”
----------
'Freak With Bullhorn' Visits Verizon CEO
After easily purchasing his cell information online...
02:18PM Wednesday Jul 22 2009 by Karl Bode
Apparently Verizon's recent shiny privacy facelift didn't impress some people. The Consumerist points to one self-proclaimed "freak with bullhorn" from Zug.com who visited the home address of Verizon CEO Ivan Seidenberg to complain about lax privacy policies, after he was easily able to buy the CEO's personal cell phone information online. Verizon faced a privacy backlash earlier this year over the way the carrier shares privacy information within the Vodafone/Verizon family of companies. Seidenberg never appears during the somewhat useless but amusing effort, a video of which is here. When Verizon recently proclaimed that consumer protection laws weren't needed because public shame would keep the company honest, it's doubtful that this is what they had in mind.
----------
Australian Police Start War Driving
Will fight against unsecured APs for 'mum, grandma and grandpa...'
01:09PM Tuesday Jul 21 2009 by Karl Bode
According to the Sydney Morning Herald, The Queensland Police "fraud squad" is crowing about being the first police force in the world to drive around scanning for open Wi-Fi hotspots, warning AP owners that they need to tighten up security. Detective Superintendent Hay tells the Herald that "it was illegal to use someone else's network bandwidth without their permission," though in most countries the laws are unclear on the subject. Trying to bring down the world's largest free ISP (linksys) is probably an uphill battle, though Hay tells the paper the effort will "save mum, grandma and grandpa from losing their life savings, having their identity stolen or losing their kids' inheritance."
----------
Tiburon Wants To Photograph Every Car Entering And Leaving... But Don't Worry About Your Privacy
Tiburon is a nice little wealthy coastal town a little ways north from where I happen to live. It's a cozy place to go for a nice meal out or something -- usually somewhere I'll take visiting friends or relatives. It's certainly not a place where you'd expect there to be a big crime problem, and, indeed, the facts seem to bear that out. But, apparently, that's not stopping the local gov't from deciding to set up cameras to photograph and record every car entering and leaving the town. It will also record and use the license plate info. If that sounds like a bit of an invasion of privacy, well, the town's Manager, Peggy Curran, insists you're just paranoid...
----------
Chinese Worker Kills Himself over Missing iPhone Prototype
A 25-year-old Chinese worker for Foxconn, Sun Danyong, has reportedly committed suicide after finding out that a fourth-generation iPhone prototype he was entrusted with went missing. According to DigitalBeat, this story is mainly meant to show how Apple’s secretive ways put a large amount of pressure all the way to the bottom of its international supply chain.
----------
Apple: iPhone adoption in the enterprise to climb
In its quarterly investor report, Apple executives said that 5.2 million iPhones were sold in the quarter, a year-over-year unit growth of 626 percent thanks to the release of the iPhone 3G S. The new iPhone is currently supply-constrained worldwide, and managers couldn’t say when the supply problem would ease. In addition, the supply issue could slow upcoming introductions in some world markets by a number of weeks, executives said.
Just as interesting were the statements about acceptance of enterprise and government market customers for the iPhone. In Tuesday’s analyst conference call, Apple CFO Peter Oppenheimer said the company saw great opportunity in these markets.
According to Oppenheimer, some 20 percent of Fortune 100 companies had placed orders of 10,000 units or more. And some governmental agencies had made orders up to 25,000 units.
The security and encryption features of iPhone OS 3.0 are the difference, he said.
Check Out: Bits from Apple’s iPhone deployment guide for the enterprise
----------
Cybercrime Paper
"Distributed Security: A New Model of Law Enforcement," Susan W. Brenner and Leo L. Clarke.
Abstract: Cybercrime, which is rapidly increasing in frequency and in severity, requires us to rethink how we should enforce our criminal laws. The current model of reactive, police-based enforcement, with its origins in real-world urbanization, does not and cannot protect society from criminals using computer technology. This article proposes a new model of distributed security that can supplement the traditional model and allow us to deal effectively with cybercrime.
----------
Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned.
... As a result, Flake concluded, Microsoft may have fixed only a subset of the problem on Windows with its patch this month.
----------
Mind Games: How Social Engineers Win Your Confidence
Brian Brushwood, founder of Scam School, demonstrates the four simple psychological mechanisms underlying social engineering mind games.
----------
E-commerce Fraud: The Latest Criminal Schemes
Sebbe Jones, manager of fraud and disputes at 2Checkout, details the latest criminal techniques using online payment transactions.
----------
CIOs: Add Extortion to Your Worry Lists
July 21, 2009
By Cara Garretson, Veteran Business and Technology Journalist
The idea of having confidential records shopped to competitors and then offered up for sale to the highest bidder would be enough to keep any CIO up at night. Yet, as scary as this scenario is, cyber extortion remains rare. The bigger threat - one that should legitimately keep IT professionals up at night - is on the inside.
----------
Tools for Detecting Spoofed Email Headers
July 20, 2009
By Bozidar Spirovski, CISSP, MCSA, MCP
In an age when a huge percentage of all attacks are carried out through e-mail, very few of us know how to analyze where an e-mail was actually sent from. This analysis must go beyond the sender address displayed in your e-mail client (which is easily spoofed). Here is a simple tutorial on analyzing Internet headers.
----------
Lawmakers: Electric utilities ignore cyber warnings
The U.S. electrical grid remains vulnerable to cyber and electromagnetic pulse attacks despite years of warnings, several U.S. lawmakers said today.
The electric industry has pushed against federal cybersecurity standards and some utilities appear to be avoiding industry self-regulatory efforts by declining to designate their facilities or equipment as critical assets that need special protection, said U.S. Rep. Yvette Clarke, a New York Democrat and chairwoman of the House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
"This effort seems to epitomize the head-in-the-sand mentality that seems to permeate broad sections of the electric industry," Clarke said.
----------
BlackBerry maker: UAE partner's update was spyware AP – 53 mins ago
DUBAI, United Arab Emirates - BlackBerry users in the Mideast business centers of Dubai and Abu Dhabi who were directed by their service provider to upgrade their phones were actually installing spy software that could allow outsiders to peer inside, according to the device's maker.
----------
Report: Shortage of cyber experts may hinder govt AP – Wed Jul 22, 6:27 am ET
AFP
WASHINGTON - Federal agencies are facing a severe shortage of computer specialists, even as a growing wave of coordinated cyberattacks against the government poses potential national security risks, a private study found.
----------
By using HTTP requests as pseudo pings
http://news.softpedia.com/news/Firefox-3-5-and-IE8-Abused-to-Spy-Inside-Intranets-117269.shtml
Two security researchers have devised proof-of-concept "ping sweeping" attacks, which leverage on the new Cross-Origin Resource Sharing implementation in Firefox 3.5, as well as the one already existing in Internet Explorer 8. A design weakness can allow attackers to remotely map Web servers on an internal network by using HTTP requests as pings.
XMLHttpRequest is a common API used in AJAX libraries in order to send HTTP requests directly to web servers and return the results as XML or plain text directly into the scripting language. In previous browser implementations, XMLHttpRequest was limited by the JavaScript same origin policy, meaning that HTTP or HTTPS requests could only be sent by an application to the domain that loaded it.
All of that changed with the introduction of the Cross-Origin Resource Sharing (CORS) specification, which allows such requests to be made cross-site. For security purposes, the specification requires the exchange of specific headers, which servers can use to enforce origin-domain restrictions.
However, as reputed Web security researcher Robert "RSnake" Hansen points out, even if with such resource-accessing restrictions are put in place, the ability to make the request itself can be abused. "Although an attacker is not allowed to know if the page was there or not (only if it was allowed to see the content or not), the attacker is still allowed to make an initial request. In doing so that initial request can be used as a pseudo 'ping' sweep," he explains.
Obviously, this is not a real ICMP ping, but an HTTP variant, which can still be used to "tell if the site is there or not because it will either return immediately […] or it will wait around much longer […] before the browser gives up." By leveraging on this architectural weak spot, Hansen claims that a "substantial amount of internal address space" can be scanned for web servers rather quickly.
In order to support his theory, the researcher has created a PoC example, which scans a limited number of intranet IP addresses if the client visiting the page is behind a local router. It is also worth mentioning that port 80 does not necessarily have to be opened in order for this attack to work.
Fortunately, the popular NoScript Firefox extension can be used to mitigate the issue, because of its ABE (Application Boundaries Enforcer) component. Disabling JavaScript globally, something which NoScript does by default, will also block such attacks.
However, Internet Explorer 8 has its own proprietary variant of XMLHttpRequest too. It is called XDomainRequest and is implemented using the same Cross-Origin Resource Sharing specification. Inspired by RSnake's idea, another application security researcher, going by the online handle of Inferno, has devised a similar attack against Microsoft's browser.
----------
Malware is their Business…and Business is Good!
I cribbed the title from Megadeth - I admit it. However when looking at this year’s growth in malware it seems disturbingly appropriate. Economic downturn globally or not, malware production continues at a record setting pace because this is how many cybercriminals make their money (malware long ago stopped being about fun and bragging).
We here at Avert Labs have seen almost as much unique malware in the first half of 2009 as we did in ALL 2008. This is quite something when you consider that in 2008 we saw the greatest growth in malware ever:
...
----------
Solar storms have caused serious disruptions
This is the second of a three-part summary of a recent National Research Council report Severe...
Rerouted flights cost airlines $10,000 to $100,000 per flight. Numerous anomalies were reported by deep space missions and by satellites at all orbits. GSFC Space Science Mission Operations Team indicated that approximately 59% of the Earth and Space science missions were impacted. The storms are suspected to have caused the loss of the $640 million ADEOS-2 spacecraft. On board the ADEOS-2 was the $150 million NASA SeaWinds instrument. Due to the variety and intensity of this solar activity outbreak, most industries vulnerable to space weather experienced some degree of impact to their operations.
----------
UK couple chases bank over 'phantom' withdrawals
When Emma Woolf of London logged into her online account with Abbey National bank in early March,...
----------
"Panda Burning Incense" author to work in “Computer Security”
According to Yangtze River News, the author of the virus “Panda Burning Incense,” is due to be released from prison at year’s end and plans on working in computer security. Li Jun, also known as the “Virus King,” designed the “Panda Burning Incense” virus that wreaked havoc across the Chinese internet from December of 2006 to January of 2007. The virus infected between 300-500,000 computers daily; with at least 10 million infected in total. The virus earned Li between 3-5,000 yuan each day and the highest day’s income was 10,000 yuan.
----------
43 Minutes LateIs Out, Circuit Rules
By JEFF GORMAN
(CN) - A creditor is not entitled to participate in bankruptcy proceedings because it missed the filing deadline by 43 minutes, the 7th Circuit ruled.
----------
Companies offer to pay breach fines
Chuck Miller July 21, 2009
Two credit-card payment processors are offering to cover merchants' fines and penalties in the event of a data breach.
----------
Web browser flaw enables attacks against EV SSL
Angela Moscaritolo July 21, 2009
Two security researchers are set to show how, due to a common browser vulnerability, extended-validation SSL certifications don't offer much more protection than traditional certs.
----------
Industry group releases software integrity framework
Dan Kaplan July 21, 2009
Not enough emphasis is placed on the integrity of software, according to a software assurance group, which hopes to change that mentality with a new framework.
----------
Author of Torture Memos Pranked in Classroom
John Yoo, a former deputy attorney general who has faced intense criticism for authoring constitutionally-questionable memos justifying torture and the government’s warrantless wiretapping program, was confronted last week during a lecture he was giving on international law at Chapman University School of Law, a private school in Southern California.
After Yoo mentions the Constitution during his lecture, and asks the students if they have any questions, an Australian comedian from the show Chaser’s War on Everything is seen wearing a black hooded robe and standing on top of his desk with his arms outstretched, recalling one of the most iconic images of U.S. torture captured in the now-infamous Abu Ghraib photos.
The comedian says, “Actually, Professor, I’ve got one question. Uhm, how long can I be required to stand here ’til it counts as torture?”
----------
'Freak With Bullhorn' Visits Verizon CEOAfter easily purchasing his cell information online...02:18PM Wednesday Jul 22 2009 by Karl Bode
Apparently Verizon's recent shiny privacy facelift didn't impress some people. The Consumerist points to one self-proclaimed "freak with bullhorn" from Zug.com who visited the home address of Verizon CEO Ivan Seidenberg to complain about lax privacy policies, after he was easily able to buy the CEO's personal cell phone information online. Verizon faced a privacy backlash earlier this year over the way the carrier shares privacy information within the Vodafone/Verizon family of companies. Seidenberg never appears during the somewhat useless but amusing effort, a video of which is here. When Verizon recently proclaimed that consumer protection laws weren't needed because public shame would keep the company honest, it's doubtful that this is what they had in mind.
----------
Australian Police Start War DrivingWill fight against unsecured APs for 'mum, grandma and grandpa...'01:09PM Tuesday Jul 21 2009 by Karl Bode
According to the Sydney Morning Herald, The Queensland Police "fraud squad" is crowing about being the first police force in the world to drive around scanning for open Wi-Fi hotspots, warning AP owners that they need to tighten up security. Detective Superintendent Hay tells the Herald that "it was illegal to use someone else's network bandwidth without their permission," though in most countries the laws are unclear on the subject. Trying to bring down the world's largest free ISP (linksys) is probably an uphill battle, though Hay tells the paper the effort will "save mum, grandma and grandpa from losing their life savings, having their identity stolen or losing their kids' inheritance."
----------
Tiburon Wants To Photograph Every Car Entering And Leaving... But Don't Worry About Your Privacy
Tiburon is a nice little wealthy coastal town a little ways north from where I happen to live. It's a cozy place to go for a nice meal out or something -- usually somewhere I'll take visiting friends or relatives. It's certainly not a place where you'd expect there to be a big crime problem, and, indeed, the facts seem to bear that out. But, apparently, that's not stopping the local gov't from deciding to set up cameras to photograph and record every car entering and leaving the town. It will also record and use the license plate info. If that sounds like a bit of an invasion of privacy, well, the town's Manager, Peggy Curran, insists you're just paranoid...
----------
Chinese Worker Kills Himself over Missing iPhone Prototype
A 25-year-old Chinese worker for Foxconn, Sun Danyong, has reportedly committed suicide after finding out that a fourth-generation iPhone prototype he was entrusted with went missing. According to DigitalBeat, this story is mainly meant to show how Apple’s secretive ways put a large amount of pressure all the way to the bottom of its international supply chain.
----------
Apple: iPhone adoption in the enterprise to climb
In its quarterly investor report, Apple executives said that 5.2 million iPhones were sold in the quarter, year-over-year unit growth of 626 percent thanks to the release of the iPhone 3G S. Supply of the new iPhone is currently constrained worldwide, and managers couldn't say when the shortage would ease. The supply issue could also delay upcoming introductions in some world markets by a number of weeks, executives said.
Just as interesting were the statements about acceptance of enterprise and government market customers for the iPhone. In Tuesday’s analyst conference call, Apple CFO Peter Oppenheimer said the company saw great opportunity in these markets.
According to Oppenheimer, some 20 percent of Fortune 100 companies had placed orders of 10,000 units or more. And some governmental agencies had made orders up to 25,000 units.
The security and encryption features of iPhone OS 3.0 are the difference, he said.
Check Out: Bits from Apple’s iPhone deployment guide for the enterprise
----------
Cybercrime Paper
"Distributed Security: A New Model of Law Enforcement," Susan W. Brenner and Leo L. Clarke.
Abstract: Cybercrime, which is rapidly increasing in frequency and in severity, requires us to rethink how we should enforce our criminal laws. The current model of reactive, police-based enforcement, with its origins in real-world urbanization, does not and cannot protect society from criminals using computer technology. This article proposes a new model of distributed security that can supplement the traditional model and allow us to deal effectively with cybercrime.
----------
Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned.
... As a result, Flake concluded, Microsoft may have fixed only a subset of the problem on Windows with its patch this month.
----------
Mind Games: How Social Engineers Win Your Confidence
Brian Brushwood, founder of Scam School, demonstrates the four simple psychological mechanisms underlying social engineering mind games.
Read more
----------
E-commerce Fraud: The Latest Criminal Schemes
Sebbe Jones, manager of fraud and disputes at 2Checkout, details the latest criminal techniques using online payment transactions.
Read more
----------
CIOs: Add Extortion to Your Worry Lists
July 21, 2009
By Cara Garretson, Veteran Business and Technology Journalist
The idea of having confidential records shopped to competitors and then offered up for sale to the highest bidder would be enough to keep any CIO up at night. Yet, as scary as this scenario is, cyber extortion remains rare. The bigger threat - one that should legitimately keep IT professionals up at night - is on the inside.
----------
Tools for Detecting Spoofed Email Headers
July 20, 2009
By Bozidar Spirovski, CISSP, MCSA, MCP
In an age where a huge percentage of all attacks arrive by e-mail, very few of us know how to work out where a given e-mail was actually sent from. That analysis must go beyond the sender address displayed in your e-mail client, which is easily spoofed. Here is a simple tutorial on analyzing Internet headers.
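The tutorial itself is not reproduced here, so as an added illustration (my own example, not Spirovski's code) the script below does the two checks a header analysis comes down to. It walks the Received: chain from the newest line downward until it finds the first line written by a relay we operate that accepted the mail from a host we do not; the IP in square brackets on that line is what our relay saw on the wire and is the only origin fact the sender could not forge (the HELO name beside it and every Received: line below it were supplied by the sender). It then compares the displayed From: domain with the Return-Path and Reply-To domains. The message, the host names, the addresses and the set of trusted relays are all constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (all hosts and addresses are made up).  The
# From: line claims paypal.com, but the only Received: line written by a
# relay we control says the connection came from 203.0.113.77.
SAMPLE_MESSAGE = """\
Received: from mx1.example-corp.test (mx1.example-corp.test [192.0.2.10])
\tby mail.example-corp.test with ESMTP id 1A2B3C; Mon, 20 Jul 2009 09:00:05 -0400
Received: from mail.paypal.com (unknown [203.0.113.77])
\tby mx1.example-corp.test (Postfix) with SMTP id 9Z8Y7X; Mon, 20 Jul 2009 09:00:01 -0400
Received: from localhost (localhost [127.0.0.1])
\tby mail.paypal.com with ESMTP id 111; Mon, 20 Jul 2009 08:59:00 -0400
Return-Path: <bounce@cheap-hosting.test>
From: "PayPal Service" <service@paypal.com>
Reply-To: <verify@paypa1-secure.test>
To: victim@example-corp.test
Subject: Please verify your account

Click here to verify.
"""

# Relays we operate (assumed names).  Only what THEY record about the peer is
# trustworthy; every header below their Received: line came from the sender.
TRUSTED_RELAYS = {"mx1.example-corp.test", "mail.example-corp.test"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the peer announced in HELO/EHLO
    r"(?:\s+\((?P<info>[^)]*)\))?"   # what the relay saw: rDNS name [ip]
    r"\s+by\s+(?P<by>\S+)",          # the relay that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Turn one Received: header into {helo, ip, by}; None if unparseable."""
    value = re.sub(r"\s+", " ", value)          # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("info") or "")
    return {
        "helo": m.group("helo").lower(),
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").rstrip(";").lower(),
    }


def find_origin(raw_message, trusted=TRUSTED_RELAYS):
    """Return the first hop, newest first, where a trusted relay accepted the
    message from an untrusted peer.  Its 'ip' is the real origin; its 'helo'
    and every older Received: line were chosen by the sender."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    for index, hop in enumerate(hops):           # index 0 is the newest hop
        if hop["by"] in trusted and hop["helo"] not in trusted:
            hop["untrusted_hops_below"] = len(hops) - index - 1
            return hop
    return None


def header_mismatches(raw_message):
    """Flag envelope/reply domains that disagree with the displayed From:."""
    msg = email.message_from_string(raw_message)

    def domain(field):
        addr = parseaddr(msg.get(field, ""))[1]
        return addr.rpartition("@")[2].lower() if "@" in addr else None

    from_domain = domain("From")
    findings = []
    for field in ("Return-Path", "Reply-To"):
        other = domain(field)
        if other and other != from_domain:
            findings.append(f"{field} domain {other} != From domain {from_domain}")
    return findings


if __name__ == "__main__":
    origin = find_origin(SAMPLE_MESSAGE)
    print("handed to our relay by", origin["ip"], "claiming to be", origin["helo"])
    print("sender-controlled Received lines below it:", origin["untrusted_hops_below"])
    for finding in header_mismatches(SAMPLE_MESSAGE):
        print("mismatch:", finding)
```

Two caveats when running this against real mail: the set of trusted relays must include every host in your own inbound path (a forwarding service or outsourced spam filter in front of your MX counts), otherwise the first "untrusted" hop you find is your own provider; and a domain mismatch is evidence, not proof, since mailing lists and legitimate bulk senders produce Return-Path domains that differ from From: all the time.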
----------
Lawmakers: Electric utilities ignore cyber warnings
The U.S. electrical grid remains vulnerable to cyber and electromagnetic pulse attacks despite years of warnings, several U.S. lawmakers said today.
The electric industry has pushed against federal cybersecurity standards and some utilities appear to be avoiding industry self-regulatory efforts by declining to designate their facilities or equipment as critical assets that need special protection, said U.S. Rep. Yvette Clarke, a New York Democrat and chairwoman of the House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
"This effort seems to epitomize the head-in-the-sand mentality that seems to permeate broad sections of the electric industry," Clarke said.
----------
BlackBerry maker: UAE partner's update was spyware (AP)
DUBAI, United Arab Emirates - BlackBerry users in the Mideast business centers of Dubai and Abu Dhabi who were directed by their service provider to upgrade their phones were actually installing spy software that could allow outsiders to peer inside, according to the device's maker.
----------
Report: Shortage of cyber experts may hinder govt AP – Wed Jul 22, 6:27 am ET
AFP
WASHINGTON - Federal agencies are facing a severe shortage of computer specialists, even as a growing wave of coordinated cyberattacks against the government poses potential national security risks, a private study found.
----------
Monday, July 20, 2009
Monday 07/20/09
Zer01's mobile offer: Too good to be true? Imagine downloading a two-hour HD movie in three minutes to your cell phone, then plugging the phone into your TV to watch the film. Make unlimited phone calls, surf online as much as you like and send unlimited text messages for $70 a month, no contract. That's the pitch, but is it too good to be true? Read more...
----------
IT exec who sabotaged organ donation records sentenced
The IT director of a nonprofit organ procurement center for more than 200 hospitals in Texas was sentenced last week to two years in prison for intentionally deleting numerous organ donation records and other data after being fired from her job.
Danielle Duann, 51, was also sentenced to three years of supervised release upon completion of her term and ordered to pay more than $94,000 in restitution to her former employer, LifeGift Organ Donation Center. Duann in April had pleaded guilty to one count of unauthorized access to a protected computer.
----------
Adobe doles out bug-filled PDF Reader to users
Adobe delivers an out-of-date version of Reader to users who download the popular application from its Web site, a security company warned today.
The edition Adobe currently offers includes at least 14 security vulnerabilities that have been patched by the company in the last two months.
----------
iPhone 3GS Limited To 384kbps Upstream
New video-centric phone doesn't support HSUPA
10:29AM Monday Jul 20 2009 by Karl Bode
Our friend and wireless networking guru Glenn Fleishman offers up an interesting read over at MacWorld, exploring some of the bandwidth constraints inherent in the new iPhone 3GS. While the 3GS seems ready to handle AT&T's planned upgrades to 7.2 Mbps downstream HSPA, interestingly, it doesn't appear able to handle AT&T's upgrades to HSUPA technology, which boosted upstream wireless bandwidth on the AT&T network to between 500kbps and 800kbps. It's interesting that the 3GS only supports UMTS upstream, topping out at 384 kbps, given that one of the phone's headline features is uploading video -- but maybe that will be a selling point of next year's inevitable model.
----------
Five technologies Iran is using to censor the Web
----------
A year after Terry Childs case, privileged user problem grows
One year after former network administrator Terry Childs made national headlines for locking up...
Just yesterday, Lesmany Nunez, a former computer support technician at Quantum Technology Partners (QTP) in Miami, was sentenced to a year in jail for illegally using his administrator account and password to shut down the company's servers from his home computer. Nunez also changed the passwords of all the IT systems administrators at the company and deleted certain files that would have made data restoration from backup tapes easier. His actions resulted in more than $30,000 in damages to QTP.
Numerous similar cases, including ones involving Fannie Mae and Pacific Energy Resources Ltd. have been reported over the past few months, each one causing considerable damage and disruption to the companies involved.
----------
McAfee getting more aggressive on cloud-based security
McAfee Monday said it intends to expand its security-as-a-service offerings in recognition that...
----------
Microsoft opens 20,000 lines of Linux
Mary Jo Foley: Pigs do fly. Microsoft is releasing three Microsoft-developed Linux drivers to the Linux community for possible inclusion in the Linux source tree.
----------
Don't Bother Calling
... I did what I'm guessing is what a lot of you would have done - I got the Pomona court's phone number from the L. A. Superior Court website and I called it.
Just in case you don't believe what I'm about to tell you next, here's the phone number: (909) 620-3006. The phone rang. A recorded voice answered.
This is what it said: "You have reached the Los Angeles Superior Court East District Pomona Court office. Please do not leave a message as messages are not retrievable on this line. Thank you and have a nice day."
...
----------
26% of Chinese would-be criminals prefer hacking
Published by jumper under China internet, poll
A recent online poll asked Chinese netizens: “Given a 100,000RMB/month salary, what criminal job would you prefer?” – the largest percentage of respondents chose “Freelance Hacker” over Human Trafficker, Assassin, Drug Dealer, Gambler, Gang Leader, Spy and Robber.
----------
Korea Held a Cyber War, But Nobody Came
July 20, 2009 by ADMIN
By Richard Stiennon, Chief Research Analyst, IT-Harvest
Last week’s DDoS attacks against South Korean and US web sites have now gone through the whole media hype cycle.
Initial excitement and headlines have given way to the security gurus who tell us that:
1) This was an amateurish attack using old (therefore un-sexy) malware. (See Ariel Silverstone’s blog)
2) There is not a shred of evidence that North Korea had anything to do with it. (See Alex Eckelberry’s blog)
3) The attacks were really wimpy. Only 35 Mbps of floods. Yawn. (See Jose Nazario’s blog)
Bruce Schneier chimed in on the events in a Minnesota Public Radio column. He says
If this is what an international cyberattack looks like, it hardly seems worth worrying about at all.
----------
US the origin of 16 per cent of spam
Sophos' spam trend report shows a change in the distribution of spam sources worldwide in the second quarter of 2009 more…
----------
Inflight WiFi Netiquette Rules For The Savvy Traveler
hothardware.com — We've heard of crazy recommendations and pointless surveys, but man, this is just world-class comedy here. A recent survey commissioned by 3M found that four in five business travelers admitted that they wanted inflight Wi-Fi, so they sought out travel expert Chris McGinnis to type out the following "manners list" to follow while surfing at 30k feet. More…
----------
Friday, July 17, 2009
Friday 07/17/09
RIM settles Visto suit for $267 million
IDG News Service - Research In Motion has agreed to pay rival Visto US$267.5 million to license and buy patents, settling a long-running legal battle. As part of the deal, RIM received a perpetual and fully paid license on all Visto patents and acquired some Visto intellectual property. The companies also dropped all outstanding lawsuits.
The deal closes a legal battle that started just after RIM settled a disagreement in 2006 with NTP that threatened to shut down BlackBerry phones. RIM agreed to pay NTP $612 million after NTP asked the court for an injunction that would have halted e-mail delivery to the phones.
Visto, which recently bought mobile e-mail provider Good Technology from Motorola...
----------
Obama administration defends Bush wiretapping
Lawyers from the U.S. Department of Justice and the Electronic Frontier Foundation squared off in a San Francisco courtroom Wednesday over a warrantless wiretapping program instituted by the Bush administration.
----------
CEOs underestimate security risks, survey finds
Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute.
The Ponemon survey (download PDF) of 213 CEOs, CIOs, COOs and other senior executives reveals what appears to be a perception gap between CEOs and other senior managers concerning information security issues. For instance, 48% of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53% of other C-level executives believe that their company's data is under attack on a daily or even hourly basis.
----------
Chinese Company Sues American Retailers For Selling 'Knockoffs'
from the yes,-read-that-again dept
Jake points us to a story that (as Jake notes) makes you read the headline twice to make sure you got it right: Chinese Company Sues in U.S. to Block "Knockoff". It's not really "knockoffs" that they're suing over. It's a patent infringement claim from Changzhou Asian Endergonic Electronic Technology Co., which is upset that Best Buy, Wal-Mart and some other retailers are selling a competitor's dashboard mount that it claims is covered by its own patent.
Now, there are a bunch of points worth discussing here. First, apparently this is the first such case of a Chinese company (based in China) suing in the US over a patent infringement claim (a claim that really surprises me). Considering the long history of China copying (blatantly) American products and then reselling them, it's really quite fascinating to see a Chinese company now complain about the "reverse." Of course, as we've been highlighting recently, there's been a big push in China to build up a belief in patents. It seems this firm has already learned the basics of the American patent system: it's suing in Texas, of course!
The other odd thing about this case is filing the lawsuit against the retailers. The company is also suing the manufacturer (another Chinese company) which makes sense, but I've never understood why going after the retailer makes sense. Best Buy, Wal-Mart and others shouldn't need to investigate every product they sell to determine whether it violates someone else's patents. Let that be handled between vendors. Dragging the retailers into the lawsuit is just a waste of resources.
----------
Cosmetic Surgery Company 'Fesses Up To Widespread Campaign Of Fake Reviews; Pays Fine
The NY Times has an article about how LifeStyle Lift, a company that does cosmetic surgery (facelifts) has reached a settlement with NY Attorney General Andrew Cuomo over posting fake reviews on its site. It wasn't just a case of some "rogue" employees posting some fake positive reviews, either. The company apparently sent out emails to employees telling them to "devote the day to doing more postings on the Web as a satisfied client." It also created its own fake facelift review websites that (of course) reflected positively on themselves. The company has apologized and agreed to pay $300,000.
----------
Belgium Fines Yahoo For Protecting User Privacy On Its US Servers
For many years, we've discussed the many challenges faced by countries in trying to recognize that "jurisdiction" on the internet isn't what they probably think it is. Many countries want to interpret internet jurisdiction as "if it's accessible here via the internet, it's covered by our laws." But it doesn't take much scenario planning to recognize what a disaster would result from such an interpretation. Effectively that means that the most restrictive legislation anywhere in the world (think: China, Iran, Saudi Arabia, etc.) would apply everywhere else.
That's why it's quite worrisome to find out that Belgium is trying to fine Yahoo for protecting its users' privacy and refusing to hand over user data to Belgian officials. Yahoo noted, accurately, that it does not have any operation in Belgium, and the data in question was held on US servers, not subject to Belgian law. On top of that, the US and Belgium have a good diplomatic relationship, such that such a data request could have gone through established diplomatic channels to make sure that US laws were properly obeyed as well. But, instead, Belgian officials just demanded the info from Yahoo's US headquarters directly, and then took the company to criminal court where the judge issued the fine.
----------
Michigan Supreme Court Issues New Stop Twittering Rule For Juries
There have been a few recent stories about jury members using Twitter, and courts have been trying to figure out how to deal with it. Well, over in Michigan, the Supreme Court has issued new rules for judges to tell jurors concerning their use of text messaging and other communication services. While it doesn't name Twitter specifically, it seems like the new rules are pretty clearly directed at jurors who might Twitter or use some other similar communication tool to explain what's happening in the case.
----------
PCI clarifies procedures to secure Wi-Fi
Angela Moscaritolo July 17, 2009
With a new guidance document, the Payment Card Industry Security Standards Council aims to clarify what retailers must do to secure their Wi-Fi networks.
----------
Microsoft sues to stop Windows Live Messenger spam
Dan Kaplan July 17, 2009
Microsoft has filed a lawsuit against a company that allegedly delivered spam over instant messenger, known as "spim," to thousands of its 320 million Windows Live Messenger users.
----------
4 Years After TJX Hack, Payment Industry Sets Security Standards
http://media.haymarketmedia.com/Documents/9/PCI_DSS_Wireless_Guidance_July_09_FINAL_071309_2221.pdf
----------
China: 338 Million internet users, 13 million websites
China Daily reporting the new numbers from CNNIC on internet growth in China:
- 338 million internet users, 13.4% increase since end of 2008
- 12.96 million websites holding .cn domain
- 155 million people access the internet via their mobile phone
- 87.88 million people shopping online, an increase of 14 million
- 320 million users have broadband
----------
HTC issues hotfix for Bluetooth vulnerability in smartphones
HTC released a software update on Thursday that fixes a Bluetooth vulnerability disclosed earlier...
The vulnerability, found in an HTC Bluetooth driver, obexfile.dll, could allow an attacker to gain access to all files on a phone by connecting to it via Bluetooth, according to Alberto Moreno Tablado, the researcher who discovered the bug in the OBEX FTP service and first reported it earlier this year.
The OBEX FTP directory traversal attack requires that a victim's phone has Bluetooth switched on and Bluetooth file sharing is activated. The vulnerability allows an attacker to move from the phone's Bluetooth shared folder into other folders. This gives the attacker access to contact details, e-mails, pictures or other data stored on the phone. They can also upload software to the phone, including malicious code.
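To make the class of bug concrete, here is an added illustration, my own code rather than HTC's driver (which the page does not show) or Tablado's exploit: a toy in-memory OBEX FTP server whose SETPATH, GET and PUT operations resolve client-supplied names against the current folder. The flawed resolver joins and normalises the name and stops there, so two "back up a level" operations walk out of the share; the hardened resolver does the same join and then refuses any result that is not under the shared root. The storage layout, the shared-folder name and the Windows-style StartUp path are constructed for the example, and a SETPATH with the OBEX "backup" flag is modelled as the name "..".

```python
import posixpath

# Constructed in-memory picture of a phone's storage; the layout is
# illustrative, not HTC's.  Only SHARED_ROOT should be reachable over
# Bluetooth file sharing.
SHARED_ROOT = "/Storage/My Documents/Bluetooth Share"
PHONE_FS = {
    SHARED_ROOT + "/readme.txt": b"this file is meant to be shared",
    "/Storage/Contacts/contacts.vcf": b"BEGIN:VCARD ... END:VCARD",
}


def _normalise(path):
    # Windows CE clients may send backslashes; fold them before normalising so
    # a "..\\" sequence cannot slip past a check that only knows "../".
    return posixpath.normpath(path.replace("\\", "/"))


def resolve_unchecked(cwd, name):
    """The flawed pattern: join the client's name onto the current folder and
    never check where the result ended up."""
    return _normalise(posixpath.join(cwd, name))


def resolve_contained(cwd, name):
    """Hardened: same join, then refuse anything that is not under SHARED_ROOT."""
    target = resolve_unchecked(cwd, name)
    if target != SHARED_ROOT and not target.startswith(SHARED_ROOT + "/"):
        raise PermissionError(f"{name!r} would leave {SHARED_ROOT}")
    return target


class ObexFtpSession:
    """Minimal model of an OBEX FTP server: SETPATH moves the current folder,
    GET reads a file, PUT writes one.  A SETPATH carrying the 'backup' flag is
    modelled as the name '..'."""

    def __init__(self, resolver):
        self.cwd = SHARED_ROOT
        self.resolve = resolver

    def setpath(self, name):
        self.cwd = self.resolve(self.cwd, name)

    def get(self, name):
        return PHONE_FS[self.resolve(self.cwd, name)]

    def put(self, name, data):
        target = self.resolve(self.cwd, name)
        PHONE_FS[target] = data
        return target


def traversal_reads_contacts(resolver):
    """Replay the read side of the attack: back out of the share twice, then
    fetch the address book.  Returns the bytes obtained, or None if refused."""
    session = ObexFtpSession(resolver)
    try:
        session.setpath("..")      # leave 'Bluetooth Share'
        session.setpath("..")      # leave 'My Documents'
        return session.get("Contacts/contacts.vcf")
    except PermissionError:
        return None


def traversal_plants_file(resolver, name="..\\..\\..\\Windows\\StartUp\\x.exe"):
    """The write side: one backslash-laden PUT drops a file outside the share
    (the StartUp path is assumed for illustration).  Returns the path written,
    or None if refused."""
    session = ObexFtpSession(resolver)
    try:
        return session.put(name, b"MZ...")
    except PermissionError:
        return None


if __name__ == "__main__":
    print("unchecked GET  ->", traversal_reads_contacts(resolve_unchecked))
    print("contained GET  ->", traversal_reads_contacts(resolve_contained))
    print("unchecked PUT  ->", traversal_plants_file(resolve_unchecked))
    print("contained PUT  ->", traversal_plants_file(resolve_contained))
```

On a real file system the containment check should compare the result of os.path.realpath (or the platform equivalent) against the realpath of the share, so that a symlink or junction inside the shared folder cannot point the resolved path back outside it; a prefix check on the unresolved string is not enough there. The page does not describe what HTC's hotfix actually changed, so treat the hardened resolver as the general remedy for this bug class, not as a description of the vendor's patch.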
----------
Former County Council Member Jailed for Installing Spyware
Tony Trout, a former Greenville County Council member, has been sentenced to 366 days in prison for installing a spyware program on the computer of County Administrator Joe Kernell, and intercepting his personal emails. Trout claimed that he did it in order to prove that Kernell, his employee, was involved in illegal activities.
[ more >> ]
"Don't take the law into your own hands. If you believe that someone is behaving illegally it's not your job to gather evidence yourself by breaking the law. If you really feel a crime is being committed, inform the authorities and ask them to look into it," advises Graham Cluley, senior technology consultant at Sophos.
----------
Microsoft bets big on a new platform subscription license
Microsoft quietly started rolling out a new subscription licensing option, known as Application Platform Agreement (APA) at the start of this year. But it is in the coming Microsoft fiscal year, which kicks off on July 1, that the APA will start gaining some serious traction, the Softies predict.
Microsoft execs will be talking up the new APA license at the company’s upcoming Worldwide Partner Conference in New Orleans in mid-July, hoping to get its partners onboard with selling Microsoft’s core enterprise products via the APA.
The APA — which is somewhat like the company’s existing Software Assurance (SA) license — is an add-on to Microsoft’s Enterprise Agreement license, which it offers to business users who buy in volume. It is a subscription license, meaning that users who pay for it are entitled to upgrades to the covered set of products for three years. (Microsoft receives recurring revenues even if it doesn’t release updates to the covered wares in that period.) The Directions on Microsoft research firm has described APA as an “all you can eat” license for Microsoft’s server products.
----------
Google Apps Security Questioned After Twitter Leak
Analysis: Twitter suffers a significant security breach, brought on by a Twitter employee's Google Apps account being hacked.
----------
Seven Ways to Secure Windows 7
Windows 7 comes with important safeguards out of the box, but it isn't hard to make it even more secure.
----------
Former County Council Member Jailed for Installing Spyware
Tony Trout, a former Greenville County Council member, has been sentenced to 366 days in prison for installing a spyware program on the computer of County Administrator Joe Kernell, and intercepting his personal emails. Trout claimed that he did it in order to prove that Kernell, his employee, was involved in illegal activities.
"Don't take the law into your own hands. If you believe that someone is behaving illegally it's not your job to gather evidence yourself by breaking the law. If you really feel a crime is being committed, inform the authorities and ask them to look into it," advises Graham Cluley, senior technology consultant at Sophos.
----------
Microsoft bets big on a new platform subscription license
Microsoft quietly started rolling out a new subscription licensing option, known as Application Platform Agreement (APA) at the start of this year. But it is in the coming Microsoft fiscal year, which kicks off on July 1, that the APA will start gaining some serious traction, the Softies predict.
Microsoft execs will be talking up the new APA license at the company’s upcoming Worldwide Partner Conference in New Orleans in mid-July, hoping to get its partners onboard with selling Microsoft’s core enterprise products via the APA.
The APA — which is somewhat like the company’s existing Software Assurance (SA) license — is an add-on to Microsoft’s Enterprise Agreement license, which it offers to business users who buy in volume. It is a subscription license, meaning that users who pay for it are entitled to upgrades to the covered set of products for three years. (Microsoft receives recurring revenues even if it doesn’t release updates to the covered wares in that period.) The Directions on Microsoft research firm has described APA as an “all you can eat” license for Microsoft’s server products.
----------
Google Apps Security Questioned After Twitter Leak
Analysis: Twitter suffers a significant security breach, brought on by a Twitter employee's Google Apps account being hacked.
----------
Seven Ways to Secure Windows 7
Windows 7 comes with important safeguards out of the box, but it isn't hard to make it even more secure.
----------
Wednesday, July 15, 2009
Sino-Turkish cyber conflict in the making?
Published by Heike under Nationalism, Other attacks
On 11 July 2009, Turkish hackers defaced China’s National Satellite Meteorological Center website. Even though the motivations behind the attack were unclear, Chinese netizens viewed it as the opening salvo in an online war over Xinjiang.
On 13 July 2009, a Chinese hacker calling himself the Mafia Baron defaced the Turkish Embassy in China and posted a message on their website demanding they stay out of China’s internal affairs: ...
----------
Microsoft delivers 9 patches, but leaves one hole open
Microsoft today delivered six security updates that patched nine vulnerabilities. The patches fix...
----------
Background articles:
Considering remote access for IT professionals
by Jesper M. Christensen
Articles / Firewalls & VPNs
Taking a look at some different types of remote access solutions that you can use for internal and external support.
----------
DirectAccess: Microsoft's Newest VPN Solution - Part 1: Overview of Current Remote Access Solutions
by Thomas Shinder
Articles / Authentication, Access Control & Encryption
Taking a look at DirectAccess, Microsoft’s latest VPN solution and assessing the current Remote Access Solutions.
----------
AT&T boasts new backbone recovery capability
AT&T says it has successfully demonstrated the ability to recover from a major backbone outage by...
----------
Researchers to Spotlight Darknets at Black Hat
In one of the first talks at this year's Black Hat USA, Billy Hoffman and Matt Wood, both security...
----------
Oracle issues security patches across seven product lines
Chuck Miller July 15, 2009
Oracle issued "Critical Patch Updates" Tuesday for 30 security vulnerabilities in seven of its product lines, part of its regular quarterly patch cycle.
----------
Investigation of government DDoS attacks deepens
Angela Moscaritolo July 14, 2009
A Vietnamese security vendor says it has traced the recent DDoS attack on U.S. and South Korean websites to a server in the U.K., but another cybersecurity expert says the ultimate source of the attacks is still unknown.
----------
D.A. Showed Around Photos of Girl's Sexual Assault, Family Says
By BRIDGET FREELAND
(CN) - A county attorney in Kansas violated a girl's privacy by showing around photos of her sexual assault, the teen and her mother claim in Topeka Federal Court. The Anderson County Attorney refused to prosecute the assailant, but showed other parents photos of the sexual assault, and was suspended from practicing law for 6 months for it, the family says.
----------
Texting Teen Partially Liable for Manhole Fall?
By MATTHEW HELLER
Sewer workers in Staten Island, N.Y., may not be solely responsible for the injuries of a multitasking teenager who fell into an uncovered manhole while apparently walking and text-messaging at the same time.
----------
Your Rights Online: India To Issue Over a Billion Biometric ID Cards
"The Unique Identification Authority is a new state department in India charged with assigning every living Indian an exclusive number and biometric ID card. The program is designed to alleviate problems with the 20 current types of proof of identity currently available. These problems range from difficulties for the very poor in obtaining state handouts, corruption, illegal immigration, and terrorism issues. Issuing the cards may be difficult, however, as less than 7% of the population is registered for income tax, and voter lists are thought to be inaccurate, partly due to corruption. The government has said the first cards will be issued in 18 months."
----------
China Bans Shock Treatment For Internet Addiction
"China has banned the use of shock therapy to treat Internet addiction after its use at one hospital sparked nationwide controversy. The hospital drew wide media coverage in recent months after Internet users claiming to have received the treatment wrote in blogs and forums about being tied down and subjected to shocks for 30 minutes at a time."
----------
Possible DNS Hack at Ireland's Largest ISP [UPDATED]
Customers of Eircom, the largest Internet service provider in Ireland, experienced serious DNS slowdowns and weirdness over the weekend. Users from different parts of the country reported that trying to open legitimate URLs in browsers redirected them to advertising pages. Some of them suggested on forums that there were two separate incidents related to Eircom's DNS servers. The first reports appeared around July 1st, when multiple customers complained about significant DNS slowdowns and timeouts. "I'm having terri...
----------
RFID passports: A tragedy waiting
Robin Harris: In a recent article Todd Lewan accompanied ethical hacker Chris Paget as he found chipped tourists around San Francisco's Fisherman's Wharf - from a van. Your Canadian flag patch won't save you now.
----------
1 billion of Apple's app downloads may be bogus
----------
Ancient global warming shows the limits of our knowledge
... In the end, the numbers they came up with indicated that the amount of carbon in circulation went up to about 1.7 times the level just prior to the PETM. Using the best estimates of the atmospheric carbon levels at that time, they calculate that 3,000 Petagrams of carbon were involved. That took atmospheric CO2 levels from 1,000 parts-per-million up to 1,700 ppm (it was much warmer during the Paleocene than it is now, so atmospheric CO2 was likely to be higher). In contrast, human activity has taken current levels from 280ppm to 390ppm.
----------
RIAA: Tenenbaum "fair use" defense is laughable
July 14, 5:31 p.m. UTC - by Nate Anderson Posted in: Law & Disorder
The first P2P trial in the US ended with a $1.92 million verdict. The second begins in two weeks, but the recording industry has just moved for summary judgment on the issue of "fair use," hoping to undermine one of the key defense strategies.
----------
New Hardened Thumb Drive Self-Destructs When Breached
Jul 14, 2009
IronKey's new S200 includes strong encryption, anti-malware controls, and security policy management
----------
Make sure you update that Java
One of our readers, Tom Ueltschi, sent an e-mail with details about an exploit for a Java vulnerability. While such exploits are not rare, this particular exploit targeted a vulnerability that was published in December 2008 by iDefense, and a reliable exploit became publicly available a couple of months ago, in April this year.
However, it took some time for the bad guys to start using this exploit in their attack kits. The vulnerability exists in Java JRE release 6, in update versions lower than 13, and in release 5, update versions lower than 18.
...
----------