Friday 07/31/09

Interesting Security program for iPhone:
http://www.phoenixfreeze.com/
Uses Bluetooth on your iPhone or Blackberry & on your laptop to login or lock the console, depending on your range from the computer.

----------

Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities

----------

Symantec's Strategy: Are Customers Getting What They Need?
CSO Senior Editor Bill Brenner talks to Symantec VP Francis deSouza about the vendor's latest strategy to address customer concerns over compliance, DLP and cloud security (podcast).
Read more

----------

First Family Safe House Details Leak Via P2P
Details about a U.S. Secret Service safe house for the First Family -- to be used in a national emergency -- were found to have leaked out on a LimeWire file-sharing network recently, members of the House Oversight and Government Reform Committee were told this morning.

Also unearthed on LimeWire networks in recent days were presidential motorcade routes and a sensitive but unclassified document listing details on every nuclear facility in the country, Robert Boback, CEO of Tiversa Inc. told committee members.

The disclosures prompted the chairman of the committee, Rep. Edolphus Towns, (D-N.Y.), to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks. "For our sensitive government information, the risk is simply too great to ignore," said Towns who plans to introduce a bill to enforce just such a P2P ban.

----------

Black Hat 2009: More Holes in Web's SSL Security Protocol
Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.

At the Black Hat conference in Las Vegas on Thursday, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.

----------

Wired: Military may ban Twitter, Facebook

----------

eBay told it can't use core Skype tech, attempts workaround
July 31, 3:59 p.m. UTC - by Jacqui Cheng Posted in: Software
Technology from Joltid currently powers Skype's P2P connections, but perhaps not for long. Skype has revealed that it's working on an alternative to Joltid's software thanks to a licensing dispute between the two companies, but notes that such a switch could still be detrimental to the service.
Read more

----------

Over 1 billion served: Firefox passes download milestone

----------

Windows 7 Family Pack and Anytime Upgrade pricing unveiled
Microsoft today announced that the Family Pack for Windows 7, which allows you to upgrade three PCs to Windows 7 Home Premium, will cost $149.99 in the US ($199.99 in Canada), which is a savings of about $200 for the three upgrade licenses. A Microsoft spokesperson told Ars the company didn't have pricing details for any country other than the US and Canada. The Windows 7 Family Pack will be available on October 22, 2009, the day of general availability date of Windows 7, until supplies in the US and other select markets.

----------

DeKalb GA Police Officers Suspended After President Obama Background Check

Officers Ryan White and C.M. Route have been suspended following their use of a police computer to run a background check on President Obama. The computer, inside of a police car, was used to access the National Crime Information Center database managed by the FBI. Databases that are engineered to support data-mining present significant challenges to privacy rights because of the potential for their abuse and misuse. The NCIC has also faced challenges from privacy and civil liberties advocates because Federal Privacy Act requirements of accuracy do not apply.
Officers Run Background Check On Obama; Placed on Leave, WSBTV, July 29, 2009

----------

Cheerleader Sues Coach Over Accessing Personal Facebook Account

A high school cheerleader claims that her coach demanded that she provide access information to a personal Facebook account. The coach is said to have used that access to logon and then shared content from the account with other school officials. The student was punished by school officials due to what the student claimed was information found on her Facebook account. The student is suing the school, and teacher for violations of her Constitutional rights of privacy, free speech, and association.

Cheerleader sues school, coach after illicit Facebook log-in

----------

Following the Money: Rogue Anti-virus Software
By its very nature, the architecture and limited rules governing the Web make it difficult to track individuals who might be involved in improper activity. Cyber-sleuths often must navigate through a maze of dead-end records, pseudonyms or anonymous corporations, usually based overseas. The success rate is fairly low.

Even if you manage to trace one link in the chain -- such as a payment processor or Web host -- the business or person involved claims that he or she was merely providing a legal service to an unknown client who turns out to be a scammer.

But every so often, subtle links between the various layers suggest a more visible role by various parties involved. This was what I found recently, when I began investigating a Web site name called innovagest2000.com.

Permalink

----------

More information about Microsoft's ATL problems
Following the release of two emergency patches last Tuesday, more background information about the critical holes in the Active Template Library (ATL) has come to light more…

----------

Landlord-Tenant Battle Takes Tweet Libel Twist
By MATTHEW HELLER
A first-of-its-kind defamation lawsuit over a Chicago apartment renter's 16-word Twitter post appears to be the poisonous fruit of a tenant-friendly housing ordinance that landlords say punishes them unfairly for petty violations. more

----------

Researchers simulate a botnet of 1 million zombies
Angela Moscaritolo July 31, 2009
Computer scientists working for the U.S. Department of Energy announced this week that they have been able to create a simulated botnet consisting of more than one million machines.

----------

Adobe updates Flash Player for 10 vulnerabilities
Angela Moscaritolo July 30, 2009
Adobe on Thursday issued a security update for Flash Player and AIR to address a number of critical vulnerabilities which could potentially allow an attacker to take control of the affected system.

----------

Black Hat: Clampi banking trojan spreading rapidly
Dan Kaplan July 30, 2009
A newly revealed banking trojan is considered one of the biggest threats on the internet because of the way it can quickly spread.

----------

Security Camera Hack Conceals Heists Behind Dummy Video
LAS VEGAS — Technology has caught up with Hollywood heist films in a new hack being demonstrated at DefCon Friday, which involves hijacking IP video streams and seamlessly replacing them with new content.

In its simplest form, the hack — conducted with two free tools developed by researchers at Sipera Systems’ Viper Lab — allows someone to intercept and copy video from IP surveillance cameras to spy on the secured premises. But it would also allow the hacker to replace a legitimate video stream with a bogus stream, permitting a thief or corporate spy to enter an office while the security guard sees only a still-image of an empty room on his monitor.

“There are tools that can prevent this outright, but when you don’t have security in place, you can run these types of attacks,” said Jason Ostrom, director of Viper Lab. “Most of the enterprises we see don’t have the security controls in place.”

----------

Anti-theft software could create security hole
AP – Thu Jul 30, 7:50 pm ET
LAS VEGAS - A piece of anti-theft software built into many laptops at the factory opens a serious security hole, according to research presented Thursday.

The "Computrace" software, made by Vancouver-based Absolute Software Corp., is part of a subscription service that's used to find lost or stolen computers. Many people don't know it's on their machines, but it's included in computers from the biggest PC makers.

----------

'MonkeyFist' Launches Dynamic CSRF Web Attacks
Jul 30,2009
Researchers release tool that automates cross-site request forgery attacks

----------

Overview of the out-of-band release
Today we released Security Advisory 973882 and with it, two out-of-band security bulletins. These updates are MS09-034 (an Internet Explorer update) and MS09-035 (a Visual Studio update). At this time for customers who have applied MS09-032 we are not aware of any “in the wild” exploits that leverage the vulnerabilities documented in 973882 and MS09-035. However, MS09-034 and MS09-035 work together to build further defenses against the known vulnerabilities in ATL.

...

----------

Windows 7 Ultimate on sale for $1
Oh my, Chinese hackers may have cracked Windows 7. No need to connect to Microsoft activation server...

According to other articles, this cert has been revoked.

----------

Crisis communications: A primer for teams (Part 1)
When problems strike, organizations need clear lines of communications that have been established through careful functional analysis, documented thoroughly, tested in multiple realistic trials, and improved repeatedly to reflect reality. In my white paper on "Computer Security Incident Response Team Management," which was integrated into Michael Miora's chapter on that subject in the Computer Security Handbook, 5th Edition (Wiley, 2009; Bosworth, Kabay & Whyne, eds), I wrote, "The CSIRT should include members from every sector of the organization; key members include operations, facilities, legal staff, public relations, information technology, and at least one respected and experienced manager with a direct line to top management."

...

----------