Friday, September 25, 2009

Friday 09/25/09

An analysis piece:
Categories of Common Malware Traits

----------

Mass Data Breach Law In The Crosshairs
Podcast: At the (ISC)2 Secure Boston event, a panel of legal and security experts examine the most problematic parts of Mass. 201 CMR 17 and offer a strategy for achieving both compliance and true security. (Part 1 of 2)

----------

Spammers Love Idaho the Most
September 24, 2009 — IDG News Service — No one is quite sure why, but Idaho now gets spammed a little more heavily than any other state in the U.S.

"Looking at the e-mail traffic that's being sent to business users in that particular state, 93.8 percent of all their e-mail traffic will be spam," said Paul Wood, a senior analyst with Symantec's MessageLabs group, which released research on the topic Thursday. "That's actually higher than the global spam average."

----------

Businesses Pandemic-Ready? (Survey: No.)
SEE ALSO: A Swine Flu (H1N1) Business Continuity Planning Guide

----------

China Clamps Down on Net Before 60th Anniv.
September 25, 2009 — IDG News Service — Security forces with black masks and machine guns on the streets of China's capital are just the more visible side of a security clampdown in the country this month: there is also its secretive battle to control the Internet.

The heightened security comes ahead of a massive military parade Beijing will hold in the heart of the city next week to celebrate China's 60th anniversary of communist rule, an event the government hopes will showcase the country's development and go untarnished by security threats or shows of dissent. China's newest nuclear missiles will be included in the arsenal of weapons and equipment shown off in the parade, according to state-run media.

Security measures have included a crackdown this month on online tools that help users circumvent the "Great Firewall," the set of technical measures China uses to filter the Internet, according to providers of the tools.

----------

Fingerprints Not Enough for Gov. Systems
...
Under what’s called the Next-Generation Identification (NGI) program, the FBI is looking to replace its current Integrated Automated Fingerprint Identification System (IAFIS) with a totally revamped biometrics system that over the years will not only be a repository for individuals’ fingerprints, but also store additional biometrics expected to include iris scans, 2D-to-3D facial imaging, palm prints, voice and DNA.
...

----------

Texas Instruments Signing Keys Broken
Texas Instruments' calculators use RSA digital signatures to authenticate any updates to their operating system. Unfortunately, their signing keys are too short: 512 bits. Earlier this month, a collaborative effort factored the moduli and published the private keys. Texas Instruments responded by threatening websites that published the keys with DMCA takedown notices, but it's too late.

So far, we have the operating-system signing keys for the TI-92+, TI-73, TI-89, TI-83+/TI-83+ Silver Edition, Voyage 200, TI-89 Titanium, and the TI-84+/TI-84 Silver Edition, and the date-stamp signing key for the TI-73, Explorer, TI-83 Plus, TI-83 Silver Edition, TI-84 Plus, TI-84 Silver Edition, TI-89, TI-89 Titanium, TI-92 Plus, and the Voyage 200.

Moral: Don't assume that, because your application is obscure or there's no obvious financial incentive to attack it, your cryptography won't be broken when you use too-short keys.
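As an added illustration (not TI's code, keys or update format): a toy Python run-through of what the factoring effort made possible. The modulus here is 64 bits so Pollard's rho finishes in a fraction of a second; the recovery steps after factoring are identical for a 512-bit modulus, only the factoring is harder. It uses textbook RSA over a SHA-256 digest rather than PKCS#1 padding, the firmware strings are constructed samples, and the 2048-bit floor in `key_is_too_short` is an assumed policy value.

```python
"""Toy demonstration (constructed, not TI's code or keys): once an RSA signing
modulus is factored, the private exponent follows from the public key alone and
anyone can sign their own "firmware".  64-bit modulus so factoring is instant."""
import hashlib
import math
import random

MIN_SAFE_BITS = 2048  # assumed policy floor for a code-signing key, not from the article


def is_probable_prime(n):
    """Miller-Rabin; these bases are deterministic for every n below 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Odd prime with the top bit set, so p*q has close to 2*bits bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_weak_keypair(bits, rng, e=65537):
    """Vendor side: (n, e, d) with a deliberately tiny modulus."""
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def digest_mod_n(data, n):
    """Reduce SHA-256(data) into Z_n (toy padding; real signers use PKCS#1)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(n, d, data):
    return pow(digest_mod_n(data, n), d, n)


def verify(n, e, data, sig):
    """What the device does before accepting an OS image."""
    return pow(sig, e, n) == digest_mod_n(data, n)


def pollard_rho(n, rng):
    """Return a nontrivial factor of composite n."""
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d  # d == n means the sequence collided; retry with a new c


def recover_private_key(n, e, rng=None):
    """Attacker side: factor n, rebuild phi(n), derive d from the public key."""
    rng = rng or random.Random(0)
    p = pollard_rho(n, rng)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def key_is_too_short(n, minimum=MIN_SAFE_BITS):
    """The gate a build pipeline should apply before trusting a signing key."""
    return n.bit_length() < minimum


def demo(seed=2009):
    rng = random.Random(seed)
    n, e, d = generate_weak_keypair(64, rng)
    legit = b"constructed sample: vendor OS image 2.53"
    evil = b"constructed sample: third-party OS with the signature check removed"
    legit_sig = sign(n, d, legit)
    d_recovered = recover_private_key(n, e, rng)
    return {
        "bits": n.bit_length(),
        "too_short": key_is_too_short(n),
        "legit_verifies": verify(n, e, legit, legit_sig),
        "recovered_matches": d_recovered == d,
        "forged_verifies": verify(n, e, evil, sign(n, d_recovered, evil)),
        "tampered_rejected": not verify(n, e, evil, legit_sig),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in `recover_private_key` uses anything the vendor kept secret: the public modulus and exponent are enough once the factors are known, which is why publishing the factors was equivalent to publishing the private keys.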

----------

Sears Spies on its Customers
It's not just hackers who steal financial and medical information:

Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.

To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites.

Reminds me of the 2005 Sony rootkit, which -- oddly enough -- is in the news again too:

After purchasing an Anastacia CD, the plaintiff played it on his computer, but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data.

Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros.

The judge's assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it.

The court ordered the retailer of the CD to pay damages of 1,200 euros.

----------

Flood of patches from Cisco
Cisco has published eleven security advisories concerning its IOS router operating system and the Unified Communications Manager. Attackers can reboot routers or hack into systems.

----------

TechDirt is running a piece on Corona, CA, where officials are considering ignoring a California law that authorizes red-light cameras — cutting the state and the county out of their portion of the take — in order to increase the city's revenue. The story was first reported a week ago. The majority of tickets are being (automatically) issued for "California stops" before a right turn on red, which studies have shown rarely contribute to an accident. TechDirt notes the apparent unconstitutionality of what Corona proposes to do:

"The problem here is that Corona is shredding the Sixth Amendment of the US Constitution, the right to a trial by jury. By reclassifying a moving violation... to an administrative violation... Corona is doing something really nefarious. In order to appeal an administrative citation you have to admit guilt, pay the full fine, and then apply for a hearing in front of an administrative official, not a judge in a court. The city could simply deny all hearings for administrative violations or schedule them far out in advance knowing full well that they have your money, which you had to pay before you could appeal."

----------

New Phoenix BIOS Starts Windows 7 Boot In 1 Second
"Phoenix is showing off a few interesting things at IDF, but the real standout is their new Instant Boot BIOS [video here], a highly optimized UEFI implementation that can start loading an OS in just under a second. Combined with Windows 7's optimized startup procedure, that means you're looking at incredibly short boot times — we saw a retrofitted Dell Adamo hit the Windows desktop in 20 seconds, while a Lenovo T400s with a fast SSD got there in under 10."

----------

Hackers pay 43 cents per hijacked Mac
A network of Russian malware writers and spammers paid hackers 43 cents for each Mac machine they...

----------

Drudge, other sites flooded with malicious ads
Criminals flooded several online ad networks with malicious advertisements over the weekend,...

----------

Russian cybergangs make the Web a dangerous place
Russian cybergangs have established a robust system for promoting Web sites that sell fake...

----------

Firefox Aims to Unplug Scripting Attacks
By Robert Lemos 06/29/2009 1 Comment
How websites can block code from unknown sources.

Sites that rely on user-created content can unwittingly be employed to attack their own users via JavaScript and other common forms of Web code. This security issue, known as cross-site scripting (XSS), can, for example, allow an attacker to access a victim's account and steal personal data.

Now the makers of the Firefox Web browser plan to adopt a strategy to help block the attacks. The technology, called Content Security Policy (CSP), will let a website's owner specify what Internet domains are allowed to host the scripts that run on its pages.
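An added example (not Mozilla's implementation and not code from the article): a small Python model of how a `script-src` directive decides whether a script may run, with a permissive header beside a hardened one. It covers the keyword, scheme and host-source forms, which is enough to show why blocking inline scripts and unknown hosts defeats the XSS described above; a real browser's matcher also handles ports, paths, nonces and hashes. The header values, origin and URLs are constructed.

```python
"""Model of Content-Security-Policy script-src matching (added example, not
Mozilla's code).  Constructed policies and URLs; covers 'self', 'none',
'unsafe-inline', scheme sources and host sources with '*.' wildcards."""

# Lets an injected <script> run: any host, and inline script allowed.
PERMISSIVE_CSP = "default-src *; script-src * 'unsafe-inline'"
# The shape the article describes: scripts only from the site and named hosts.
HARDENED_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com *.trusted.net"
ORIGIN = "https://www.example.com"  # constructed page origin


def parse_policy(header):
    """Split a header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy):
    """script-src wins; default-src is the fallback; None means unrestricted."""
    return policy.get("script-src", policy.get("default-src"))


def split_source(expr, default_scheme):
    """(scheme, host) for 'cdn.example.com' or 'https://*.example.com:443/x'.
    Ports and paths are dropped; the scheme defaults to the page's."""
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = default_scheme, expr
    host = rest.split("/", 1)[0].rsplit(":", 1)[0]
    return scheme.lower(), host.lower()


def scheme_ok(src_scheme, url_scheme):
    """CSP lets an http: source also match https: URLs, never the reverse."""
    return url_scheme == src_scheme or (src_scheme == "http" and url_scheme == "https")


def host_source_matches(expr, page_scheme, url_scheme, url_host):
    src_scheme, src_host = split_source(expr, page_scheme)
    if not scheme_ok(src_scheme, url_scheme):
        return False
    if src_host == "*":
        return True
    if src_host.startswith("*."):
        # '*.trusted.net' matches static.trusted.net, not trusted.net itself
        return url_host.endswith(src_host[1:])
    return url_host == src_host


def script_allowed(header, page_origin, script_src=None):
    """May a script run on page_origin under this header?
    script_src=None models an inline <script>, which is what a reflected
    XSS payload usually is."""
    sources = script_sources(parse_policy(header))
    if sources is None:
        return True  # no directive applies: CSP imposes nothing
    if sources == ["'none'"]:
        return False
    if script_src is None:
        return "'unsafe-inline'" in sources
    page_scheme, page_host = split_source(page_origin, "https")
    url_scheme, url_host = split_source(script_src, page_scheme)
    for src in sources:
        if src == "'self'":
            if (url_scheme, url_host) == (page_scheme, page_host):
                return True
        elif src.startswith("'"):
            continue  # 'unsafe-inline', 'unsafe-eval' say nothing about URLs
        elif src.endswith(":"):
            if scheme_ok(src[:-1].lower(), url_scheme):  # scheme source, e.g. https:
                return True
        elif host_source_matches(src, page_scheme, url_scheme, url_host):
            return True
    return False


def weak_script_tokens(header):
    """The script-src tokens that hand the XSS protection back to the attacker."""
    sources = script_sources(parse_policy(header)) or []
    return [s for s in sources if s in ("*", "'unsafe-inline'", "'unsafe-eval'", "data:")]


if __name__ == "__main__":
    for name, csp in (("permissive", PERMISSIVE_CSP), ("hardened", HARDENED_CSP)):
        print(name, "inline:", script_allowed(csp, ORIGIN),
              "evil host:", script_allowed(csp, ORIGIN, "https://evil.example.org/x.js"),
              "weak tokens:", weak_script_tokens(csp))
```

The decisive difference is the inline case: an attacker who can inject markup into a user-content page controls inline script and the `src` of any tag they add, so a policy that omits `'unsafe-inline'` and names only trusted hosts leaves them nothing to run, while `*` or `'unsafe-inline'` in `script-src` gives it all back.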

----------

Online Conspiracy Theorists Latch Onto Census GPS Units
By Kevin Poulsen
September 24, 2009

The hanging death of a Kentucky census worker is likely to raise tensions among counters in the 2010 census, who have already been the focus of emotionally charged online rhetoric this year because they use GPS.

----------

House subcommittee passes cybersecurity R&D bill
Angela Moscaritolo September 25, 2009
The Cybersecurity Research and Development Amendments Act of 2009 would require federal agencies to develop cybersecurity research-and-development plans, as well as authorize grant funding and establish a scholarship program.

----------

Wanna feel paranoid?

Up To 9 Percent Of Machines In An Enterprise Are Bot-Infected
Sep 24, 2009
Most are members of tiny, unknown botnets built for targeting victim organizations

----------
