Monday, November 30, 2009

Monday 11/30/09

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
Still hot, still waiting for fixes...

----------

Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability

----------

Virgin Media Starts Snooping In User Packets
Using deep packet inspection to measure copyright infringement

UK Cable provider Virgin Media says they're experimenting with a new deep packet inspection solution that will snoop into customer packets to determine if they're trading copyrighted files. The trial will cover 40% of the company's customers, though no action will be taken against users (nor will they be informed of the snooping).

----------

ICANN Slams DNS Redirection
Calls such efforts a 'destabilizing practice'
ICANN (Internet Corporation for Assigned Names and Numbers) on Tuesday condemned the practice of redirecting Internet users to a third-party portal when they mistype or enter a nonexistent URL. You'll recall that the practice gained international attention when Verisign implemented its heavily loathed Sitefinder initiative in 2003.

----------

Telecommunications Act changes backed by forensics expert
A call for intercepted data to be destroyed "as soon as it is no longer required" has been...

----------

Profitable 'Pay Us Or We'll Sue You For File Sharing' Scheme About To Send 30,000 More Letters

Remember ACS:Law? The shakedown organization that appears to have taken over where Davenport Lyons left off (including using some of the identical documents), and which has "partnered" with DigiProtect, the company that gleefully admits it purposely puts files on file sharing networks just to collect the IP addresses of anyone who downloads, is asking for the identifying info on 30,000 UK users. To put that in perspective, in the years-long campaign by the RIAA to sue people for file sharing, they apparently requested info on about 35,000 IP addresses. Of course, when spreading such a big net, it's no surprise that tons of innocent people get caught in it. But that's really of little concern, since no real lawsuits have been filed. They're just hoping a bunch of people feel that it's easier to pay up. It's not about stopping piracy or getting people to buy -- it's about shaking people down for as much money as possible.

----------

Credit-Card Scammers Drilled Dentists
MANHATTAN (CN) - A man was sentenced to nearly 10 years in prison for leading a credit-card fraud ring that stole the identities of 176 dentists. Michael A. Roseboro and his crew stole $1.75 million from dentists around the country by claiming to be an investigator with Visa or Bank of America who was looking into potentially fraudulent charges on the dentists' credit cards.

----------

Spam magnate Ralsky sentenced to more than four years
Dan Kaplan November 24, 2009
Alan Ralsky, mastermind of a fraud campaign that delivered tens of thousands of junk mail messages designed to inflate stock prices, was sentenced Monday to 51 months in prison.

----------

iPhone Virus-Writer’s New Job: Building iPhone Apps
An Australian youth who created a worm that attacked iPhone users has been hired by a company that creates applications for the iPhone.

----------

The Psychology of Being Scammed
This is a very interesting paper: Understanding scam victims: seven principles for systems security, by Frank Stajano and Paul Wilson. Paul Wilson produces and stars in the British television show The Real Hustle, which does hidden camera demonstrations of con games.

----------

Ransomware blocks Net access
Ryan Naraine: Security researchers have stumbled upon a new piece of ransomware that blocks an infected computer from accessing the Internet until a fee is paid via text message.
New LoroBot ransomware encrypts files, demands $100 for decryption

----------

I Was Wrong: There Probably Will Be an Electronic Pearl Harbor
Ira Winkler says the emerging smart grid makes doomsayers' unlikely predictions more likely

----------

Checklist: 11 Security Tips for Black Friday, Cyber Monday
This holiday shopping season, IT and physical security practitioners have the tough task of protecting customer data and preventing shoplifting. Here are 11 tips to bring sanity to the process.

----------

New Banking Trojan Horses Gain Polish

Race on Between Hackers, Microsoft Over IE Zero-Day

Hacks of Chinese Temple Were Online Kung Fu, Abbot Says

----------

Monday, November 23, 2009

Monday 11/23/09

http://www.ietf.org/id/draft-ietf-tls-renegotiation-00.txt
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml
http://securitytracker.com/id?1023148
http://www.unleashnetworks.com/blog/?p=134
http://extendedsubset.com/

SSL/TLS Renegotiation bug. Many patches coming.

----------

REASON TO UPGRADE TO IE8:

http://www.csoonline.com/article/508525/New_Attack_Fells_Internet_Explorer
The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer.

"Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7," the company wrote on its Web site Saturday. "We expect that a fully-functional reliable exploit will be available in the near future."

Security consultancy Vupen Security has also confirmed that the attack works, saying it worked on a Windows XP Service Pack 3 system running IE 6 or IE 7. Neither company was able to confirm that the attack worked on Microsoft's latest browser, IE 8.

----------

Cisco's Free IPhone App Grabs Security Feeds

----------

NSA Helped with Windows 7 Development
The National Security Agency (NSA) worked with Microsoft on the development of Windows 7, an agency official acknowledged yesterday during testimony before Congress.

----------

New Olive Planting Method Prompts California Oil Boom
An oil boom is under way in California's agricultural heartland, as evolving tastes and a trend toward healthy fare have transformed a profession as old as civilization: olive production for the extra virgin market....

----------

Latest jailbroken iPhone worm tries filching bank passwords
41 minutes ago - by Jacqui Cheng Posted in: Infinite Loop
Users who have jailbroken their iPhones just can't catch a break—another malicious worm is making its way around the Internet and tries to steal bank passwords for users in the Netherlands, Portugal, Hungary, and Australia. Users with locked-down iPhones are still safe.

----------

Creepy insurance company pulls coverage due to Facebook pics
about 14 hours ago - by Jacqui Cheng Posted in: The Web
Can people diagnosed with depression go to a party and look like they're having fun? Most of us would say yes, but one insurance company thinks not. A woman in Canada got her sick leave coverage pulled after she posted photos of her birthday party to her private, locked-down Facebook account.

----------

Queen: We sank the Armada, we can sink some P2P pirates!
3 days ago - by Nate Anderson Posted in: Law & Disorder
The Queen opened the UK parliamentary session yesterday and announced that an Internet disconnection bill would be coming soon. But will it actually be legal?

----------

Nation's School Districts are Failing to Protect Children's Privacy
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children.

----------

Al Qaeda Secret Code Broken
I would sure like to know more about this:

Top code-breakers at the Government Communications Headquarters in the United Kingdom have succeeded in breaking the secret language that has allowed imprisoned leaders of al-Qaida to keep in touch with other extremists in U.K. jails as well as 10,000 "sleeper agents" across the islands....
...
The code the terrorists devised consists of words chosen from no fewer than 20 dialects from Afghanistan, Iran, Pakistan, Yemen and Sudan.

----------

Fedora 12 gives users install privilege - Update 2
Fedora 12 has changed its security policy to allow unprivileged users to install software without requiring the root password.

----------

Report: Cyberattacks against the U.S. "rising sharply"
Angela Moscaritolo November 20, 2009
During just the first half of 2009, there were 43,785 cyberattack incidents against the DoD, a new report states. If this volume is maintained for the rest of the year, it will represent a 60 percent increase over 2008.

----------

Prosecutors Ending Lawsuit Against Lori Drew

----------

Thousands of web sites redirected
Dancho Danchev: Security researchers have detected a massive blackhat SEO campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software.

----------

Microsoft: 'TaterF' Worm Top Malware Threat So Far This Month
Nov 23,2009
Software giant reveals November stats from Malicious Software Removal Tool

----------

Monday, November 9, 2009

Monday 11/09/09

Advisory ID: cisco-sa-20091109-tls
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml
Revision 1.0
For Public Release 2009 November 9 1600 UTC (GMT)

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.

----------

Worm 'Rick Rolls' iPhones
First IPhone Worm Spreads Rick Astley Wallpaper
The first worm written for Apple's iPhone has been unleashed and is infecting phones in Australia.

----------

Gumblar Malware's Home Domain Active Again
ScanSafe researchers are seeing renewed activity regarding Gumblar, a multifunctional piece of malware that spreads by attacking PCs visiting hacked Web pages.

----------

Yahoo Now on China's Porn Offense List
A Chinese government watchdog has ordered Yahoo China to clean pornographic content from a photo-sharing site it hosted, a reminder of the regulatory challenges often faced by foreign Internet companies in China.

----------

CDC Tracking H1N1 in Near Real Time
The Centers for Disease Control have settled on a private, nationwide database with the electronic medical records of 14 million people run by General Electric in order to track potential outbreaks of the H1N1 virus.

----------

Study: Security Certs are IT's Hottest
The survey of more than 1,500 IT workers found that 37 percent intend to pursue a security certification over the next five years. Another 18 percent of IT workers said they will seek ethical hacking certifications during the same time period, while 13 percent identified forensics as their next certification target. The results are included in the CompTIA study 'IT Training and Certification: Insights and Opportunities.'

----------

Bardin: What DLP Companies Don't Tell You
What you are not told during the sales pitch is the Pandora’s Box you not only are about to open but completely unhinge. What you really need to understand is how deep does the business want you to go?

----------

Data breach notifications one step closer to law... again
about 2 hours ago - by Jacqui Cheng Posted in: Law & Disorder
It's frustrating to be a consumer these days, especially knowing that your personal information could be exposed anytime there's a major data breach. Two new Senate bills aim to improve notification to customers when their information is exposed to thieves and, despite their shortfalls, experts are still holding out hope.

----------

The ACTA Internet provisions: DMCA goes worldwide
about 16 hours ago - by Nate Anderson Posted in: Law & Disorder
New details about the Internet section of the Anti-Counterfeiting Trade Agreement (ACTA) have leaked, and critics are already claiming that they mandate "three strikes" policies and will put an end to Flickr and YouTube. The reality is less sensational but just as important: ACTA is really about taking the DMCA global.

----------

Worker Lost Her Job Over Error by FBI's NCIC Database

In July 2009, a woman lost a $58,000 a year accounting job with Corporate Mailing Services of Arbutus after a background check reported a non-existent criminal record. Her employer had won a contract with the Social Security Administration (SSA), which required that the company submit all employees to a criminal background check. The FBI's National Crime Information Center database reported in error that the employee had a criminal record. The Social Security Administration reported back to her employer within 2 weeks acknowledging the mistake and stated that the accountant could in fact work on the project. The company has not reinstated the dismissed worker. There are long-running issues regarding the accuracy of the NCIC database. In 2003 the DOJ exempted the FBI, which manages the NCIC, from Federal Privacy Act obligations for data accuracy. The administration is moving forward with a plan to require all federal government contractors to submit to E-Verify checks conducted by the Department of Homeland Security to determine whether they can be employed. There are questions about the accuracy of this system and the potential for inaccurate reporting. Accuracy requirements for information held in databases are critical to the protection of privacy rights.

Fired due to error in background check, Carroll woman still jobless, Scott Calvert, Baltimore Sun, October 28, 2009

----------

Microsoft to release six updates next Patch Tuesday
Microsoft has announced that it will release four updates for Windows and two updates for Office on the next Patch Tuesday, the 10th of November.

----------

Microsoft to deliver six patches covering 15 flaws
Dan Kaplan November 05, 2009
November's security update from Microsoft comes with six patches for 15 vulnerabilities -- nearly 20 fewer than last month.

----------

Former Employees Face Five-Year Sentence After Allegedly Hacking Company Database
Nov 05,2009
System access was still possible for almost two years using old passwords, indictment says

----------

New Security Certification On The Horizon For Cloud Services
Nov 04,2009
Cloud security cert would go beyond existing SAS 70, ISO 27001 standards

There's no official security certification for cloud security service providers today: some use the SAS 70 or the ISO 27001 standards as their security certifications, neither of which is sufficient for providing potential cloud customers with assurances that the provider has deployed the proper security or that their data is sufficiently locked down, experts say.

"There needs to be a certification that is specifically for cloud providers," says Jim Reavis, co-founder and executive director of the Cloud Security Alliance. The Cloud Security Alliance is working with other key players in cloud security and auditing to determine which organizations should provide the certification, as well as what such a certification should include.

"This is going to be a shared thing," he says, noting that the certification is likely to be managed by multiple bodies. He says to expect a statement of direction for a cloud security certification around the first quarter of 2010.

----------

Malware breaks Win 7 UAC defenses
Dancho Danchev: A recently conducted test by malware researchers reveals that eight out of ten malware samples used in the test successfully bypassed Windows 7's default UAC (user access control) settings.

----------

Lawsuit claims iPhone games stole phone numbers
Browse the App Store for developer Storm8's many popular iPhone games, and you'll encounter the...

----------

AP IMPACT: Framed for child porn — by a PC virus
AP – Mon Nov 9, 12:10 am ET
Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.

----------

Tuesday, November 3, 2009

Monday 11/02/09

Trade talks home in on Internet abuse, ISP liability
ISPs around the world may be forced to snoop on their subscribers and cut them off if they are found to have shared copyright-protected music on the Internet, under an international agreement being promoted by the U.S.

----------

Catbird tunes security software for virtual environments
Catbird has announced a new version of its security software for virtual environments that is tweaked to perform vulnerability monitoring of resources running in Amazon's EC2 cloud.

----------

Software shields online banking on infected PCs
Cybercriminals are developing increasingly sophisticated software that, in what is known as man-in-the-middle or man-in-the-browser attacks, can intercept online banking transactions while in progress and transfer funds with the user believing nothing is awry.

SafeOnline installs its own kernel-level driver on Windows PCs. During a secure browsing session, all information from the keyboard is routed through that driver, which defeats attempts to record keystrokes or other interference, said Mel Morris, Prevx's CEO and CTO.

----------

Password rules: Change them every 25 years
There are four basic ways for a bad guy to get your password:
(a) Ask for it. So-called "phishing" and "social engineering" attacks still work, and always will.
(b) Try dictionary words at the login prompt in the hope of getting lucky ("brute force").
(c) Obtain the encrypted/hashed password somehow, and crack it.
(d) Leech the password off your computer with keylogger malware.

None of these four scenarios becomes less likely if you change your password every 90 days. If the bad guy can't break the password hash (c) within a couple days, he'll likely just look for an easier target. Attack (b) is also out for quick wins - either it works within the first couple dozen passwords tried, or the bad guy moves on to easier prey. If (b) or (c) are successful, or the attacker already has the password through (a) or (d), 45 days on average is more than enough to empty out your bank account or use your email address for a big spam run.

The concept of password expiry has remained the same for the last 25 years or so. Infosec professionals, auditors, PCI, ISO 27002, COBIT, etc. all keep requiring it, unchanged, even though the threats have changed quite a bit. Forcing a user who had a weak password to change it will just make him pick another weak one. Forcing a user who had a very strong password to change it will eventually annoy the user into using simpler passwords.

So what gives? There is one practical benefit. If someone has your password, and all they want is to read your email and remain undetected, they can do so forever, unless you eventually change your sign-in secret. Thus, regularly changing the password doesn't help much against someone breaking in and making it off with your goods, but it DOES give you a chance to shake off any stalkers or snoopers you might have accessing your account. Yes, this is good. But whether this benefit alone is worth the hassle and mentioned disadvantages of forcing users to change their password every 90 days, I have my doubts.

Infosec risk management is about identifying threats and vulnerabilities, and then picking a countermeasure. But if the chosen countermeasure doesn't in fact make the identified threats less likely, all we do is play security theater, and the countermeasure is one that we don't need.

Unless, of course, "best practice standards" and audits force us to have it.

----------

Nation's School Districts are Failing to Protect Children's Privacy
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children. The study reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Some states outsource the data processing without any restrictions on use or confidentiality for children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. For more information on children’s privacy issues see Children’s Online Privacy Protection Act.

----------

Cable modem hacker busted by feds
According to the U.S. Department of Justice (DOJ), Ryan Harris, 26, ran a San Diego company called TCNISO that sold customizable cable modems and software that could be used to get free Internet service or a speed boost for paying subscribers.

Harris, also known as DerEngel, was charged on Aug. 16, but the grand jury indictment was not unsealed until Monday, several days after his Oct. 23 arrest. He faces a maximum sentence of 20 years in prison and a $250,000 fine, the DOJ said. The six-count indictment charges him with conspiracy, computer intrusion and wire fraud. He was charged in U.S. District Court for the District of Massachusetts.
...

----------

Microsoft links malware rates to pirated Windows
"There is a direct correlation between piracy and the malware infection rate," said Jeff Williams, the principal group program manager for the Microsoft Malware Protection Center. Williams was touting the newest edition of his company's biannual security intelligence report.

----------

Swedish Government Promises Citizens 100MB Broadband

by TechCrunch Europe on November 3, 2009
[Sweden] The Swedish government is following in the footsteps of the Finns (well almost), as their IT-ministry is now promising that 90 percent of all Swedish homes will have access to a 100 mbit/s broadband connection before 2020.

----------

US cyber center opens to battle computer attacks AP – Fri Oct 30, 7:38 pm ET
WASHINGTON - The United States is well behind the curve in the fight against computer criminals, Sen. Joe Lieberman said Friday, as Homeland Security officials opened a $9 million operations center to better coordinate the government's response to cyberattacks.

----------

Researchers Create Hypervisor-Based Tool For Blocking Rootkits
Nov 03,2009
New technology 'patches' the operating system kernel, protects it from rootkits

----------

Delayed Again: Red Flags Rule Deadline Now June 1, 2010
Bowing to Congressional pressure, the FTC is delaying enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors. Here, IT security pros weigh in on what the rule means for them.

The FTC made the announcement Friday, the same day the U.S. District Court for the District of Columbia ruled that the commission can't apply the rule to attorneys.

The Red Flags Rule was instituted under the Fair and Accurate Credit Transactions Act, where Congress ordered the FTC and other agencies to make regulations forcing creditors and financial institutions to address security holes that could lead to identity theft. The rule requires all such entities that have covered accounts to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- known as red flags -- that could indicate identity theft.

----------

Congress locks radio stations, record labels into boardroom
by Nate Anderson Posted in: Law & Disorder
Radio doesn't want to pay more to play music; music labels don't want radio to keep free-riding. How to settle this blood feud? Congress has ordered both sides into a Capitol Hill conference room for two weeks, and it will vote on whatever emerges.

----------

...
But the Wisconsin men won. They won big. They won $1.26 billion dollars.

How did they win? By default judgment. PepsiCo’s lawyers never responded to the complaint, and the judge awarded the Wisconsin plaintiffs a default judgment.

Why did the Pepsi people never respond? Meet PepsiCo legal secretary, Kathy Henry.
From "Legal Secretary of the Day: Pepsi’s $1.26 Billion Mistake"

----------

Jailbroken iPhones held for $5 ransom
Dancho Danchev: A message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and remove the message from appearing at startup.

----------

COMPUTER AGE LITIGATION. There may be hope for old forms of communication after all. An extremely odd dispute in Arizona may bring hope to the makers of pen and paper. The tale is told in an Arizona Supreme Court opinion called Lake v. City of Phoenix in which the city insisted that even though it had to turn over a public record, it didn't have to turn over the public record's "metadata." Really. The city's lawyers were arguing that the code showing the history of a document wasn't actually part of the public record even though the document was. And this dispute went all the way to the state supreme court. Apparently no one was too concerned that this really looked like someone was trying to cover something up. The court thought this was silly, ruled against the city, and then offered an out for future coverups that old media lovers should appreciate: "That a public record currently exists in an electronic format, and is subject to disclosure in that format, does not itself determine whether there is a statutory obligation to preserve it electronically." A lot of agencies and companies will be going back to pencils and erasers.

----------

Mossad Hacked Syrian Official’s Computer Before Bombing Mysterious Facility
The intelligence agents planted a Trojan horse on the official’s computer in late 2006 while he was staying at a hotel in the Kensington district of London, the German newspaper reported Monday in an extensive account of the bombing attack.

The official reportedly left his computer in his hotel room when he went out, making it easy for agents to install the malware that siphoned files from the laptop. The files contained construction plans for the Al Kabir complex in eastern Syria — said to be an illicit nuclear facility — as well as letters and hundreds of detailed photos showing the complex at various stages of construction.

----------

First Test for Election Cryptography
By Erica Naone, Monday, November 02, 2009
Novel voting technology will be used in a local government election.

----------