Monday, September 14, 2009

Monday 09/14/09

Apple missed security boat with Snow Leopard, says researcher
Apple missed a golden opportunity to lock down when it again failed to fully implement security technology that Microsoft perfected nearly three years ago in Windows Vista, a noted Mac researcher said today.

----------

Windows Bug Enables PC Hijacking, Microsoft Warns
Microsoft Corp. last week confirmed that a bug in Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2 could be used to hijack PCs.
The vulnerability in the Server Message Block (SMB) 2 network file- and print-sharing protocol that ships with those versions of the Windows operating system was first disclosed late last Monday, when a researcher posted exploit code.

The next day, Microsoft issued a security advisory confirming the bug and the fact that it could be used to "take complete control of an affected system."

----------

NY Times warns of rogue antivirus on Web site
Online scammers have apparently found a new way to reach their marks: They've started running ads on the Web site of The New York Times.

The newspaper warned readers Sunday that so-called rogue antivirus sellers had been spotted on its Web site, NYTimes.com. Their products, often promoted by Eastern European criminal organizations, are either ineffective or actually end up infecting the computers of people who purchase them.

----------

Researchers slam fickle iPhone anti-fraud feature
The iPhone's new defense -- meant to prevent users from reaching phishing sites -- is inconsistent at best, a security researcher said today, with some users getting warnings about dangerous links, while others are allowed to blithely surf to criminal URLs.

----------

Steganography meets VoIP in hacker world
Researchers and hackers are developing tools to execute a new data-leak threat: sneaking proprietary information out of networks by hiding it within Voice-over-IP (VoIP) traffic.

----------

Apple fixes Flash snafu in Snow Leopard, patches 33 bugs in Leopard
Less than two weeks after Apple launched Snow Leopard, the company today issued the new operating system's first security update. In a separate upgrade, Apple patched 33 vulnerabilities in 2007's Leopard, and about half as many in the even older Tiger.

Today's updates were the third and fourth from Apple in the last two days.

----------

Cyber criminals targeting small businesses
AP
WASHINGTON - Cyber criminals are increasingly targeting small and medium-sized businesses that don't have the resources to keep updating their computer security, according to federal authorities.

----------

Trojan Hides Its Brain in Google Groups
PC World – Fri Sep 11, 4:40 pm ET
Virus writers keep getting sneakier. In an effort to evade detection, they've begun hiding their command and control instructions in legitimate Web 2.0 sites such as Google Groups and Twitter.

----------

Patience Grasshopper: Wait to Update Your Jailbroken iPhone to 3.1
If you have a jailbroken iPhone and were wondering if you should update to 3.1 via iTunes, do yourself a favor and just wait a few more days.

----------

Windows autoplay behavior updated (improved)
Published: 2009-09-13

Microsoft has delivered on their promise to backport the improved autoplay behavior in Win7 to older versions of Windows. This is definitely a good thing and I for one am going to be implementing this on every system I have any sort of control over. I'd encourage y'all to do the same.
http://support.microsoft.com/kb/971029

----------

Robert Sawyer's Alibis
Back in 2002, science fiction author Robert J. Sawyer wrote an essay about the trade-off between privacy and security, and came out in favor of less privacy. I disagree with most of what he said, and have written pretty much the opposite essay -- and others on the value of privacy and the future of privacy -- several times since then.

The point of this blog entry isn't really to debate the topic, though. It's to reprint the opening paragraph of Sawyer's essay, which I've never forgotten:

Whenever I visit a tourist attraction that has a guest register, I always sign it. After all, you never know when you'll need an alibi.

Since I read that, whenever I see a tourist attraction with a guest register, I do the same thing. I sign "Robert J. Sawyer, Toronto, ON" -- because you never know when he'll need an alibi.
Posted on September 14, 2009 at 7:24 AM

----------

Botnet discovered on Linux servers
The servers in question register with dynamic DNS services to distribute malware

----------

"It's frequent that we hear of a country or city or company switching from Windows to Linux, but it's rare that we hear of one third of a million employees being told to use Lotus Symphony (IBM's OO.o variant) over MS Office, and also to use the Open Document Format when saving files. The change has been mandated to take place in the next 10 days. Of course, they are doing this to illustrate that they actually offer a full-fledged alternative to Microsoft. With i4i stirring stuff up against MS Office and absolving OO.o from litigation, are we on the verge of a potential break from Microsoft's dominant document suite? Hopefully IBM supports OO.o past Sun's acquisition by Oracle instead of concentrating on Lotus Symphony."

----------

Microsoft pushes Win 7 upgrades - now
Mary Jo Foley: Windows 7's consumer launch is just over a month away. But there's no reason business users should delay their Windows 7 deployment plans, according to the company.

----------

802.11n ratified ... finally
There’s no official announcement from the IEEE yet, but confirmation of ratification has been sent to WiFi chip manufacturers.

----------

Red Light Camera Vendor Not Doing So Well With Public Opposition Driving Down Its Revenue

There's been significant growing opposition to red light camera programs, which have a long history of showing absolutely no safety benefit, and are often run for-profit by local governments in combination with private companies. That opposition is leading more and more cities and towns to dump the red light cameras -- while some operators are getting caught illegally decreasing the time of the yellow or amber lights to try to issue more fines.

Jeff Nolan alerts us to the news that one of the biggest players in the space, Redflex, has announced that public opposition to its cameras has created a real drain on revenue, and its profits were down significantly. This would be the same Redflex that just so happened to fail to live up to its contract in Denver to deliver data that could be used to determine whether or not the cameras were really effective.

----------

Steven Hoy alerts us to a story of a couple who are suing their bank, after someone masquerading as them accessed their account and transferred $26,000 to Austria. The details of the case are a bit complex, but basically, the couple claims that the bank did not live up to basic standards in authentication, and cite the Federal Financial Institutions Examination Council's claim that notes that "single-factor authentication is inadequate and calls on banks to implement two-factor systems." Thus, the argument goes, the fault was the bank's security, and thus, the bank should be liable. The judge found that to be convincing:

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.... If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."

Chalk one up for those who believe "identity theft" is actually a "bank robbery."

----------

How registrars tackle domain name abuse
Some rogue registrars are happy to turn a blind eye to domain-name abuse; others are fighting back.

----------

FTC forces Sears, Kmart out of the spyware business
By Nate Anderson, posted in Law & Disorder
When Sears and Kmart offered visitors the chance to earn $10 by participating in some research, few realized that they would be sending even secure session browsing information to the big retailers. Now, the government has put the kibosh on this "blue light special."

----------

Cyber Crooks Target Public & Private Schools
A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities.

On the morning of Aug. 17, hackers who had broken into computers at the Sanford School District in tiny Sanford, Colorado initiated a batch of bogus transfers out of the school's payroll account. Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams.

A school employee spotted the bogus payments on the morning of the 19th, when the school district learned that $117,000 had been siphoned from its coffers by cyber crooks.

Sanford Superintendent Kevin Edgar said the school successfully reversed two of the transfers totaling $18,000, but that the rest of the stolen money remains in limbo.

"We've been told that if we do get any more of these reversed, it may take 30 to 45 days to get that money back," Edgar said. Meanwhile, the school district's bank is playing hardball, insisting that the school is at fault for the unauthorized transfers.
