Friday, July 24, 2009

YA0D (Yet Another 0-Day) in Adobe Flash player
Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild.

The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day there are some other interesting things about this exploit.

----------

L0pht Makes Comeback (Sorta) With Hacker News Network
Its new Web site and the Hacker News Network are online, but the L0pht is not getting back together

----------

Mass 201 CMR 17: A Survival Guide for the Anxious
Security experts offer tips for navigating Mass 201 CMR 17. Will your business be ready?

----------

How to Build Your Own Digital Forensics Lab - for Cheap
Step-by-step instructions for downloading and using free or inexpensive digital forensics tools.

----------

Social Networking In The Enterprise: What Should Security Pros Do About It?
Jul 24, 2009
As Facebook and LinkedIn become more popular at work, security solutions become trickier for IT

----------

One In Two Security Pros Unhappy In Their Jobs
Jul 23, 2009
Major career survey finds security professionals are well-paid, but feel unchallenged and underutilized

----------

Hacking The Handshake Between Applications
Jul 22, 2009
Researchers to shed light on a new generation of attacks that exploit the relationship between browsers and their plug-ins -- or between any applications that share information -- and take over a victim's computer

----------

iPhone Security: Not Beefy Enough for Businesses?
Can the iPhone 3GS be hacked in two minutes with readily available freeware?

----------

EA puts sexual bounty on the heads of its own booth babes
EA has a new way to annoy its own models: give out prizes for Comic Con attendees who commit acts of lust with their booth babes. Also, if you win, you get to take the lady out to dinner! This is going to end well for everyone involved.

----------

Service Offers to Retrieve Stolen Data, For a Fee
A former cyber cop in the United Kingdom is heading up a new online portal that claims to offer a searchable database of about 120 million consumer records that have been phished, hacked or otherwise stolen by computer crooks. Visitors who search for their information and find a match can verify which data were stolen -- for a £10 ($16.50) fee.

----------

SHA-3 Second Round Candidates Announced
NIST has announced the 14 SHA-3 candidates that have advanced to the second round: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.

In February, I chose my favorites: Arirang, BLAKE, Blue Midnight Wish, ECHO, Grøstl, Keccak, LANE, Shabal, and Skein. Of the ones NIST eventually chose, I am most surprised to see CubeHash and most surprised not to see LANE.

Here's my 2008 essay on SHA-3. Here's NIST's SHA-3 page. And here's the page on my own submission, Skein.

----------

Social Security Numbers are Not Random
Social Security Numbers are not random. In some cases, you can predict them with date and place of birth.

----------

Protecting SSH from brute force attacks
Using just open source tools and a few tweaks, it is possible to detect and block suspicious login attempts more…
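The detection step the linked how-to alludes to (the kind of thing fail2ban-style tools automate) is easy to see on a handful of log lines. The block below is an added example, not code from the linked article: it parses OpenSSH "Failed password" lines, counts failures per source IP in a sliding time window, and renders an iptables rule for each offender. The log lines are constructed, the year is assumed (syslog omits it), the threshold and window are arbitrary defaults, and the allowlist exists because the classic self-inflicted outage is banning your own jump host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not taken from the page).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 24 10:01:02 host sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 24 10:01:04 host sshd[2303]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 24 10:01:05 host sshd[2305]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Jul 24 10:01:07 host sshd[2307]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jul 24 10:01:09 host sshd[2309]: Failed password for invalid user guest from 203.0.113.5 port 51242 ssh2
Jul 24 10:02:00 host sshd[2311]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul 24 10:02:30 host sshd[2313]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jul 24 10:15:00 host sshd[2320]: Failed password for root from 192.0.2.9 port 33000 ssh2
Jul 24 10:16:00 host sshd[2321]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jul 24 10:30:00 host sshd[2322]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jul 24 10:45:00 host sshd[2323]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jul 24 11:00:00 host sshd[2324]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

# Matches OpenSSH's "Failed password" line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text, year=2009):
    """Return (timestamp, source_ip, username) for every failed password attempt.

    Syslog lines carry no year, so the caller supplies it (assumed 2009 here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_brute_forcers(events, threshold=5, window_seconds=600):
    """Sliding-window count per source IP.

    An IP is flagged as soon as it accumulates `threshold` failures inside any
    `window_seconds` span; the stored value is the timestamp of the triggering attempt."""
    by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = times[end]
                break
    return flagged


def block_commands(flagged, allowlist=frozenset()):
    """Render firewall rules for flagged IPs, skipping an allowlist so a mistyped
    password from the admin's own jump host cannot lock everyone out."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
        for ip in sorted(flagged)
        if ip not in allowlist
    ]
```

With the defaults, 203.0.113.5 (five failures in seven seconds) is flagged and 192.0.2.9 is not: its five root attempts are spread over 45 minutes, which is exactly the low-and-slow pattern a tight window misses. Widening the window to an hour catches it, at the cost of more false positives from legitimately forgetful users, so in practice you tune both knobs and pair the block with key-only authentication rather than relying on rate limiting alone.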

----------

Technology: UK ISP Disconnects Customers For File Sharing
"Karoo, an ISP in Hull, in the UK, is disconnecting subscribers without warning if they file-share, or are even suspected of file-sharing. Karoo is the only ISP in the area. Copyright owners are working with the ISP helping them identify and report suspected filesharers using their services. In order to get service restored, subscribers have to go to Karoo's office and sign a form admitting guilt and promising not to do it again. The article states that some subscribers have had their access cut off for more than two years."

Update: 07/24 16:29 GMT by KD : The Register is reporting that Karoo has relented and has changed its policy. A spokesman said: "It is evident that we have been exceeding the expectation of copyright owners..."

----------

MS agrees to browser choice in Europe
Mary Jo Foley: Microsoft is going to provide Windows 7 users in Europe with a choice of browsers, rather than no browser. Windows 7 E is still seemingly on the table.
Special Report: Windows 7
Ed Bott: Ultimate Windows 7 upgrade FAQ

----------

Major spam campaign abusing Yahoo Groups
Angela Moscaritolo July 23, 2009
About one million spam emails per hour are being sent to Yahoo Groups and other free web services, including Google Groups and LiveJournal, containing bogus pharmaceutical advertising content.

----------

FBI Processes 600 Billion Fingerprint Sets a Day — Update: No It Doesn’t

By Kim Zetter
July 23, 2009

An underground fingerprint lab in West Virginia is the nexus point for every crime committed in the country and even for some committed overseas.

The FBI’s Criminal Justice Information Services building in Clarksburg houses a multibillion-dollar computer system that processes 600 billion fingerprint sets a day, according to a CBS news reporter who visited the lab. (Correction: It’s actually more like 200,000. See update below). The prints come in 24 hours a day from crime scenes around the country, as well as from overseas, such as in Iraq where prints lifted from IED explosives are sent to CJIS to match against known terrorist suspects.

----------

Bell Canada Employs DNS Redirection
Latest to create revenue stream from typing mistakes... 10:21AM Thursday Jul 23 2009 by Karl Bode
According to user posts in our Bell Canada forum, it appears that Bell Canada is the latest ISP to implement DNS redirection advertising. The technology, controversial to some 'Net purists, replaces the traditional 404 page with an ad-laden search portal (see screenshot) -- effectively giving ISPs a new revenue stream off of mistyped URLs. Comcast was the most recent ISP in the States to implement such functionality, which was originally more controversial because ISPs weren't offering users working opt-out options or "clean" DNS servers.
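The rewrite happens at the DNS layer (an NXDOMAIN answer is replaced by an A record for the portal), so the check for it is a DNS one: ask the resolver for names that cannot exist and see whether it answers anyway. The block below is an added example, not code from the linked post or from any ISP; the two in-memory resolvers and their addresses are constructed stand-ins, and `live_resolve` is the only piece that touches the network (it is not called by the offline demonstration).

```python
import random
import socket
import string


def random_label(rng, length=12):
    """A label long and random enough that nobody has registered it under the probe zone."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def live_resolve(name):
    """Resolve through the system resolver; None on NXDOMAIN or any other failure.
    Real lookup, provided for use against an actual ISP resolver; the demo below stays offline."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return None


def detect_nxdomain_redirect(resolve, zone, probes=3, rng=None):
    """Ask for random names that cannot exist under `zone`.

    An honest resolver answers NXDOMAIN (resolve() returns None or an empty list) every time.
    A rewriting resolver hands back A records, typically all pointing at the same
    search-portal address. Returns the set of addresses seen; empty means clean.
    `zone` must be a domain you know carries no wildcard record, otherwise every
    probe resolves legitimately and the check reports a false positive."""
    rng = rng or random.Random(0)
    seen = set()
    for _ in range(probes):
        answer = resolve(f"{random_label(rng)}.{zone}")
        if answer:
            seen.update(answer)
    return seen


# Constructed stand-ins for the two resolver behaviours (no network needed; addresses assumed).
REAL_HOSTS = {"www.example.com": ["198.51.100.10"]}


def honest_resolver(name):
    """Behaves like an unmodified resolver: unknown names get no answer."""
    return REAL_HOSTS.get(name)


def redirecting_resolver(name):
    """Mirrors the behaviour described above: unknown names get the ISP portal's address."""
    return REAL_HOSTS.get(name) or ["192.0.2.100"]
```

Run `detect_nxdomain_redirect(live_resolve, zone)` once with the ISP's default resolvers and once after switching to the "clean" servers the post mentions; if the first call returns a single address and the second returns nothing, the opt-out is actually working. Applications that treat "name resolved" as "host exists" (mail servers checking sender domains, certificate validation code, anti-typosquatting checks) are the ones that break when this is silently turned on.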

----------

Hacking Oracle's database will soon get easier Reuters – Wed Jul 22, 3:55 pm ET
BOSTON (Reuters) - Hackers will soon gain a powerful new tool for breaking into Oracle Corp's database, the top-selling business software used by companies to store electronic information.

----------

Microsoft admits it can't stop Office file format hacks
Microsoft's plan to "sandbox" Office documents in the next version of its application suite is an admission that the company can't keep hackers from exploiting file format bugs, a security analyst said today.

"What's been happening is that Office has lots of vulnerabilities," said John Pescatore, Gartner's primary security analyst. "For the past 18 months, hackers have been fuzzing Office file formats," he said, referring to the practice of "fuzzing," a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur.
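To make Pescatore's description of fuzzing concrete, here is an added example (not code from the article, from Gartner or from Microsoft) of a mutation fuzzer run against a toy record-based file format. The format is a made-up 2-byte type / 2-byte length / payload layout, not any real Office structure; the parser deliberately trusts the length field, which is the shape of bug file-format fuzzing tends to find. The seed document, iteration count and random seed are all assumptions chosen so the run is deterministic.

```python
import random
import struct


class ParseError(Exception):
    """Clean rejection of malformed input; the behaviour a parser *should* have."""


def build_record(rtype, payload):
    """Little-endian 2-byte type, 2-byte length, then payload (toy TLV layout, not a real format)."""
    return struct.pack("<HH", rtype, len(payload)) + payload


# Constructed well-formed seed document: an int record, a string record, an end marker.
SAMPLE_DOC = (
    build_record(1, struct.pack("<I", 42))
    + build_record(2, b"hello")
    + build_record(0xFFFF, b"")
)


def parse_doc(data):
    """Toy parser that trusts the length field. That trust is the deliberate bug the fuzzer exposes."""
    pos, records = 0, []
    while pos < len(data):
        rtype, rlen = struct.unpack_from("<HH", data, pos)   # struct.error if fewer than 4 bytes remain
        pos += 4
        payload = data[pos:pos + rlen]                       # silently short when rlen overshoots
        pos += rlen
        if rtype == 1:
            records.append(("int", struct.unpack("<I", payload)[0]))  # struct.error if len(payload) != 4
        elif rtype == 2:
            records.append(("str", payload.decode("utf-8")))          # UnicodeDecodeError on mutated bytes
        elif rtype == 0xFFFF:
            break
        else:
            raise ParseError(f"unknown record type {rtype:#06x}")
    return records


def classify(data):
    """None = parsed fine, "rejected" = clean ParseError, anything else = an uncaught crash type."""
    try:
        parse_doc(data)
        return None
    except ParseError:
        return "rejected"
    except Exception as exc:  # the fuzzer wants every crash type, so catch broadly here
        return f"{type(exc).__module__}.{type(exc).__name__}"


def mutate(data, rng, max_flips=4):
    """Overwrite one to max_flips random bytes with random values."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed_input, iterations=2000, seed=1):
    """Mutation fuzzing loop: returns {crash type: first input that triggered it}."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed_input, rng)
        outcome = classify(sample)
        if outcome not in (None, "rejected"):
            crashes.setdefault(outcome, sample)
    return crashes
```

In Python the "breakdowns" surface as uncaught exceptions; in the native code Office uses they surface as out-of-bounds reads and writes, which is why a sandbox around the parser is the pragmatic answer when you cannot fix every length check. The useful output of a run is the set of minimal crashing inputs, one per crash class, which is what `fuzz` returns.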

----------

Report: Michael Jackson's death certificate improperly accessed
At least six unauthorized employees viewed record more than 300 times in two weeks, says L.A. Times

----------

Adobe promises patch for seven-month old Flash flaw
Vendor knew about critical vulnerability in December 2008, never fixed it, slates updates for late next week.

----------

Windows 7 RTM leaked to BitTorrent last week

----------

Congress eyes biometric authentication for job eligibility
In a move likely to heighten concerns among opponents of a national ID card, some lawmakers are proposing that biometrics be used to authenticate the identity of anyone seeking a job in the U.S.

----------
