Wednesday, September 16, 2009

Wednesday 09/16/09

Cloud security through control vs. ownership
Cloud computing makes auditors cringe. It's something we hear consistently from enterprise customers: it was hard enough to make virtualization "palatable" to auditors; cloud is going to be even harder. By breaking the links between hardware and software, virtualization liberates workloads from the physical constraints of a single machine. Cloud takes that a step further, making the physical location irrelevant and even obscure.

----------

Web server attacks, poor app patching make for nasty mix
In a groundbreaking study that matched attack trends with patching cycle data, some conclusions came as a shock, said Rohit Dhamankar, the director of security research at 3Com TippingPoint, which contributed real-world attack information -- acquired from its intrusion detection systems -- to the report.

"The sheer number of attacks against Web servers was surprising," said Dhamankar. "In terms of attack volume, they were almost 60% of all so far this year. Hackers are after a foothold in the corporate network, to conduct client-side attacks against visitors of the site, but also once they have that foothold, to gain much higher privileges and use those to also steal data."

----------

Company hosting Joe Wilson fundraising site recovers from DDoS attack
The attack on Piryx began Friday afternoon and lasted into the early hours of Saturday morning, temporarily disrupting a Wilson fundraising effort that was under way at that time, Piryx CEO Tom Serres said. It also knocked out services for about 150 other Piryx clients, he said.

----------

Failing to buy Emulex, Broadcom sues
Broadcom filed a patent infringement suit against networking company Emulex on Monday, just months after abandoning a nearly year-long effort to buy the company.

Broadcom on Monday filed suit in the U.S. District Court for the Central District of California alleging Emulex infringed 10 patents covering a broad range of high speed data and storage networking technologies.

----------

DHS to review report on vulnerability in West Coast power grid
The U.S. Department of Homeland Security is looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid.

Jian-Wei Wang, a network analyst at China's Dalian University of Technology, used publicly available information to model how the West Coast power grid and its component subnetworks are connected. Wang and another colleague then investigated how a major outage in one subnetwork would affect adjacent subnetworks, according to an article in New Scientist.

----------

Microsoft issues XP, Vista anti-worm updates
Microsoft responded by changing Windows 7 so that the AutoPlay dialog no longer let users run programs, except when the device was a nonremovable optical drive, like a CD or DVD drive. After the change, a flash drive connected to a Windows 7 system only let users open a folder to browse a list of files.
...
Microsoft issued the updates almost three weeks ago, on Aug. 25, but did not push them to users automatically via Windows Update, or the corporate patch service Windows Server Update Services (WSUS). Instead, users must steer to Microsoft's download site, then download and install the appropriate update manually. Links to the download are included in a document posted on the company's support site.

The Windows XP update weighs in at 3MB, while the one for Vista is about 7MB.

----------

Heartland CEO: Credit card encryption needed
Credit card numbers are not now required in payment card industry guidelines to be encrypted in transit between retailers, payment processors and card issuers, Robert Carr, chairman and CEO of Heartland Payment Systems, told a U.S. Senate committee. Heartland in January announced the discovery of a data breach that left tens of millions of credit card numbers exposed to a gang of hackers.

"I now know that this industry needs to, and can, do more to better protect it against the ever-more-sophisticated methods used by these cybercriminals," Carr told the Senate Homeland Security and Governmental Affairs Committee. "I believe it is critical to implement new technology, not just at Heartland, but industrywide." The purpose of the committee hearing was, in part, to determine whether new legislation is needed to fight cybercrime.

----------

Microsoft: No TCP/IP patches for you, XP
The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.

"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.

"An update for Windows XP will not be made available," Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here).

----------

Unpatched Applications Are #1 Cyber Security Risk PC World – Wed Sep 16, 9:06 am ET
Unpatched client software and vulnerable Internet-facing web sites are the most serious cyber security risks for business. Lesser threats include operating system holes and a rising number of zero-day vulnerabilities, according to a new study.

----------

Internet Scammers Leap on Patrick Swayze's Death
Malware ghouls took just a few hours to begin preying on the death of actor Patrick Swayze with a new version of a familiar phony anti-virus scam.

----------

Microsoft Gives Away Free Fuzzer, Secure Development Tool
Sep 16, 2009
More Security Development Lifecycle tools, ROI paper released

----------

News Flash: Data Debauchery That Happens in Vegas Doesn't Stay There
Digital ID World 2009: Organizations collect as much data as possible on people to verify their trustworthiness as a potential employee or customer. Here's why the practice isn't working.

----------

A Swine Flu (H1N1) Business Continuity Planning Guide
Concerned about the coming flu season and the impact H1N1 will have on the workforce? Here's a fear-free roundup of articles, columns and podcasts to help you keep improving your preparedness plan.

----------

Monday, September 14, 2009 10:00 AM
OffVis updated, Office file format training video created
In July, we released a beta Office file format viewer application called OffVis as a downloadable tool. We are pleased today to announce an updated version of OffVis and a 30 minute training video to help you understand the legacy Office binary file format.

----------

Data Breach Highlights Role Of 'Money Mules'
On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account.

This type of crime is impossible without the cooperation of so-called "money mules," willing or unwitting individuals typically hired via Internet job search Web sites to act as "local agents" or "financial agents" responsible for moving money on behalf of a generic-sounding international corporation, legal experts say. The mules are then instructed to withdraw the cash and wire it via Western Union or Moneygram to fraud gangs overseas, typically in Eastern Europe.

It is not uncommon for a single cyber robbery to depend on the help of dozens of money mules:

-In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company by initiating a large batch of transfers from Ferma's online bank account to 39 money mules.

-Also in July, attackers stole $415,000 from Bullitt County, Ky. by sending bogus payroll deposits to more than two dozen mules.

-In May, a Texas company was robbed of $1.2 million with the assistance of nearly 40 money mules.

While essential, money mules also are frequently the weakest link in any organized cyber crime ring. Indeed, Peters said the first indications of fraud came when his chief financial officer received a phone call from a bank in Texas, asking whether the company had approved a suspicious transfer to a local resident in the amount of $9,800.
...
Ms. Durastanti said when Kenneth went to wire the money via Western Union to individuals in Ukraine, he made a small but important error.

"He put the money wire in his name and to his own name, and so the transfer came back to him. He ended up giving the money back to the bank," she said. "Thank goodness, I think his stupidity saved him."

----------

Skein News
Skein is one of the 14 SHA-3 candidates chosen by NIST to advance to the second round. As part of the process, NIST allowed the algorithm designers to implement small "tweaks" to their algorithms. We've tweaked the rotation constants of Skein. This change does not affect Skein's performance in any way.

The revised Skein paper contains the new rotation constants, as well as information about how we chose them and why we changed them, the results of some new cryptanalysis, plus new IVs and test vectors. Revised source code is here.

The latest information on Skein is always here.

----------

Security disaster averted by financial firm's quick actions
While most of the IT world has been spared a devastating security attack like Blaster and Sasser for...

----------