Monday, December 21, 2009

Monday 12/21/09

Deconstructing Facebook's New Privacy Settings
Forrester Research analyst Chenxi Wang picks apart Facebook's new privacy settings so the rest of us can figure out how to navigate and even benefit from them.

----------

Check Your Friends! Facebook IMs May Lead To Trouble
Monday December 21, 2009 at 7:27 am CST
I ran into a few strange IMs over the weekend. When I was not shoveling out my driveway from the 15 inches of snow that covered it I was logged into Facebook telling people about it…. It was then that I started receiving some VERY interesting IMs from a friend extolling the virtues of a clean colon (yep – you read that right)...

----------

Cisco Regains Top Spot in IPS Market by Jamey Heary
Cisco Snatches Q3 Security Market Share from its Competitors

----------

Federal Government to streamline online authentication
The Federal Government has moved to streamline the use of authentication tools among departments...

----------

Ford Pushes For Wi-Fi Enabled Vehicles
New SYNC vehicles will take USB 3G modems

----------

Are you ready for 4k sector drives?
Robin Harris: Western Digital has started shipping drives that drop the ancient 512 byte disk sector for a 4096 byte - 4k - sector. What's in it for you? And what will it do to you?

...

Gotchas?
If you are in either of these 2 groups:
  • Windows XP users
  • Windows users who clone disks with software like Norton Ghost
there are a couple of gotchas if you want to use a 4k drive. Since most drives aren’t 4k and won’t be for another year or more, this may not affect you either. Vista and W7 users are cool except for cloning.

1) Windows XP does not automatically align writes on 4k boundaries, which hurts performance. WD has software - the Advanced Format Align Utility for their drives. I assume other vendors will too when they start shipping.
XP users need to run this utility once to use a 4k drive with a clean install, cloning software or a do-it-yourself USB drive. WD-branded 4k USB drives are already aligned so it isn’t needed for those drives.

2) Windows clone software vendors have yet to implement 4k support. If you clone an XP, Vista or W7 drive you should run the align utility. The cloning vendors need to get on board Real Soon Now. Vendors are welcome to comment on their plans.
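As an added example (not Robin Harris's text, WD's utility or any vendor tool), the check a practitioner would run before trusting a layout on a 4k drive: does each partition start on a 4096-byte boundary, and what does a misaligned start cost? The drive model and partition list below are constructed for illustration; the XP (LBA 63) and Vista/W7 (LBA 2048) defaults are the real ones, the exact way each vendor's align utility moves data is not described on this page and is not modelled here.

```python
# Added example: alignment check for a 512e "Advanced Format" (4 KiB) drive.
LOGICAL_SECTOR = 512      # size of the LBA units the OS sees (512e emulation)
PHYSICAL_SECTOR = 4096    # size of the sectors the platter actually stores
SECTORS_PER_PHYSICAL = PHYSICAL_SECTOR // LOGICAL_SECTOR   # 8 logical per physical


def is_aligned(start_lba):
    """True if the partition's first byte lies on a physical-sector boundary."""
    return (start_lba * LOGICAL_SECTOR) % PHYSICAL_SECTOR == 0


def next_aligned_lba(start_lba):
    """Smallest LBA >= start_lba that is aligned: the boundary an align tool
    would have to move the partition's data to (mechanism assumed, not
    taken from any vendor's documentation)."""
    q, r = divmod(start_lba, SECTORS_PER_PHYSICAL)
    return start_lba if r == 0 else (q + 1) * SECTORS_PER_PHYSICAL


def physical_sectors_touched(byte_offset, length):
    """How many 4 KiB physical sectors a write of `length` bytes at
    `byte_offset` spans. Each physical sector the write only partly covers
    forces the drive into a read-modify-write cycle, which is the XP
    performance hit described above."""
    first = byte_offset // PHYSICAL_SECTOR
    last = (byte_offset + length - 1) // PHYSICAL_SECTOR
    return last - first + 1


def audit(partitions, cluster_bytes=4096):
    """partitions: list of (label, start_lba) tuples such as you would read
    off a partition-table dump. Returns one dict per partition with its
    alignment status and the cost of a cluster-sized write at its start."""
    report = []
    for label, lba in partitions:
        report.append({
            "label": label,
            "start_lba": lba,
            "aligned": is_aligned(lba),
            "suggested_lba": next_aligned_lba(lba),
            "sectors_per_cluster_write":
                physical_sectors_touched(lba * LOGICAL_SECTOR, cluster_bytes),
        })
    return report


# Constructed sample. Windows XP's partitioner starts the first partition at
# LBA 63 (the old 63-sectors-per-track cylinder boundary); Vista and Windows 7
# start it at LBA 2048 (1 MiB). A sector-for-sector clone of an XP disk
# inherits the LBA 63 start, which is why cloning needs the align step too.
SAMPLE_PARTITIONS = [
    ("XP default first partition", 63),
    ("Vista/W7 default first partition", 2048),
    ("XP disk cloned sector-for-sector", 63),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_PARTITIONS):
        status = ("aligned" if row["aligned"]
                  else "MISALIGNED -> move to LBA %d" % row["suggested_lba"])
        print("%-34s start=%-5d %s (4 KiB write touches %d physical sector(s))"
              % (row["label"], row["start_lba"], status,
                 row["sectors_per_cluster_write"]))
```

A 4 KiB cluster write at LBA 63 starts at byte 32256, straddles physical sectors 7 and 8, and turns one write into two read-modify-write cycles; the same write at LBA 2048 lands exactly in one physical sector. Any partition whose start LBA is not a multiple of 8 has this problem on a 4k drive, whatever OS created it.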

----------

David Pogue Weighs In On Ebook DRM: Non-DRM'd Ebook Increased His Sales
Pogue relates his own experience in running a test with his publisher (which is O'Reilly) in putting out a non-DRM'd ebook, and he found that sales increased...

----------

Heartland settles with American Express over breach
Dan Kaplan December 18, 2009
Heartland Payment Systems has settled its first lawsuit with a card brand over the 2008 data breach.

----------

Thief steals U.S. Army laptop from employee's home
Angela Moscaritolo December 17, 2009
A laptop containing the personal information of tens of thousands of U.S. Army soldiers, family members and U.S. Department of Defense employees was recently stolen.

----------

Judge grants TJX hacker sentencing delay over health
Angela Moscaritolo December 17, 2009
A psychiatric evaluation has determined that Albert Gonzalez's actions were consistent with the behaviors of someone who suffers from Asperger's syndrome, and his sentencing has been delayed until March.

----------

Facebook sues three over alleged spam, phishing
Dan Kaplan December 17, 2009
Fresh off a $711 million spam judgment in its favor, Facebook this week sued three more individuals that it contends assaulted its members with spam.

----------

Cisco WebEx WRF Player Vulnerabilities
Cisco today released details of, and fixes for, a set of buffer overflow vulnerabilities in its WebEx WRF player. The advisory describes multiple overflows triggered by a maliciously crafted WRF file (typically posted on a website) or by attending a WebEx meeting that an attacker is also attending. Successful exploitation can lead to execution of arbitrary code on the target system.

http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml

----------

Is Netflix "borking" lesbians with subscriber data releases?

by Nate Anderson, Law & Disorder (2 days ago)
An Ohio lesbian doesn't want to be outed by her Netflix recommendations, and she is part of a new class-action lawsuit against the movie rental company.

----------

Suspected NKoreans hack war plan for SKorea AFP – Thu Dec 17, 11:27 pm ET
SEOUL (AFP) - Computer hackers who may be from North Korea have gained access to a secret US-South Korean plan to defend the peninsula in case of war, the defence ministry said Friday.

----------

Cybercrooks Target File-Sharing Networks
Security experts at Kaspersky Lab warn that cybercriminals are shifting their focus from worms and spam to file-sharing services.

----------

Twitter's DNS Provider Denies Hack
Rerouting was managed from within Twitter's own account, says the microblogging site's domain manager.

----------

Italian Police Arrest Hacker Sought for Fraud
Italian police have arrested an alleged hacker who is accused of defrauding banks and mobile phone operators out of several million dollars.

----------

Adobe explains PDF patch delay
Unless users apply one of the workarounds that Adobe's suggested, the decision will leave systems open to attack until Jan. 12, when the patch is released. According to several security firms, the flaw has been in use by criminals since at least Nov. 20. Adobe only found out Monday that the vulnerability in its Reader and Acrobat applications was being actively exploited.

----------

Drone incident serves up data encryption lesson

In a story that's receiving widespread attention, the Wall Street Journal yesterday reported that Iranian-backed groups in Iraq and Afghanistan were tapping into live feeds from Predator drones using a $26 software tool called SkyGrabber from Russian company SkySoftware.

The hitherto largely unknown software product doesn't require Internet connectivity and is designed to intercept music, photos, video and TV satellite programming for free. Insurgents in Iraq, however, were able to use SkyGrabber to grab live video feeds from unmanned Predator drones because the transmissions were being sent unencrypted to ground control stations.

----------

Monday, December 14, 2009

Monday 12/14/09

Rather than patch, Microsoft blocks buggy code
http://www.computerworld.com/s/article/9142140/Rather_than_patch_Microsoft_blocks_buggy_code?taxonomyId=17
Microsoft has decided to disable a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities, according to the company's security team.

----------

Top Five Reasons For Security FAIL
Adi Ruppin admits the Internet security industry has seen every type of product fail. The good news, he says, is that there's much to learn from such failures. Here are five such lessons.

The weakest link
Industry standard vs. proprietary
The right solution to the wrong problem
The human factor
Usability

----------

DHS: Counterfeit Goods Still Rampant in U.S.
Phony products seizures fell slightly, but counterfeiting continues to be big business

----------

Not Security but...
Britain's First 140mph Train Service Begins

----------

Secret Copyright Treaty Timeline Shows Global DMCA
Michael Geist, a leading critic of the ACTA secret copyright treaty, has produced a new interactive timeline that traces its development. The timeline includes links to leaked documents, videos, and public interest group letters that should generate increasing concern with a deal that could lead to a global three-strikes and you're out policy.

----------

Building a Global Cyber Police Force
One of the biggest obstacles to fighting hackers and cyber-criminals is that many operate in the safe harbors of their home countries, insulated from prosecution by authorities in foreign countries where their targets reside. As Larry Walsh writes in his blog, several security vendors and a growing number of countries are now beginning to consider the creation of a global police force that would have trans-border jurisdiction to investigate and arrest suspected hackers.

----------

Supreme Court Takes Texting Case
http://www.nytimes.com/2009/12/15/us/15scotus.html?_r=1&hp
WASHINGTON — The Supreme Court agreed on Monday to decide whether a police department violated the constitutional privacy rights of an employee when it inspected personal text messages sent and received on a government pager.

The case opens “a new frontier in Fourth Amendment jurisprudence,” according to a three-judge panel of an appeals court that ruled in favor of the employee, a police sergeant on the Ontario, Calif., SWAT team.

----------

National data breach notification bill passed in U.S. House
Angela Moscaritolo December 10, 2009
The Data Accountability and Trust Act would require any organization that experiences a breach of electronic data containing personal information to notify all affected U.S. residents.

----------

Report finds enterprises failing to protect sensitive data
Angela Moscaritolo December 09, 2009
Just 40 percent of respondents in a recent survey said all of their organization's sensitive data is adequately secured.

----------

The Machine SID Duplication Myth
by Mark Russinovich

----------

Plastic Surgery Allows Exploit of Biometric ID System
Now what you are born with may not be as secure as biometric ID systems are purported to be. Lin Rong is accused by Japanese authorities of having her fingerprints surgically altered to enter the country illegally. She is reported to have had surgery to swap the fingertips of her right and left hands. The ruse was discovered by Japanese authorities after she was arrested for an unrelated offense.
'Fake fingerprint' Chinese woman fools Japan controls, BBC, December 7, 2009

----------

Full Disk Encryption: What It Can And Can't Do For Your Data
Dec 14,2009
Protection depends on the implementation -- and on user know-how
Warning: the disk is unlocked while the machine is on (duh!)

----------

FBI: Rogue Antivirus Scammers Have Made $150M
PC World – Fri Dec 11, 2:50 pm ET
They're the scourge of the Internet right now and the U.S. Federal Bureau of Investigation says they've also raked in more than US$150 million for scammers. Security experts call them rogue antivirus programs.

----------

Amazon's data center outage reads like a thriller

----------

Monday, December 7, 2009

Monday 12/07/09

December 2009 Bulletin Release Advance Notification
"we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday" - Not the SSL/TLS bug!

----------

Great research paper on security and user education:
http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

----------

Louisiana firm sues Capital One after losing thousands in online bank fraud

An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year.

In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart.

According to JM Test, Capital One has denied any responsibility for the losses. On Friday, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches.

"Capital One was not willing to make good on our losses or attempt any type of settlement," said Happy McKnight, JM Test's controller. "The banks are clearly taking a 'Hey, don't look at me!' stance. It is so sad to wonder how many business failures this type of fraud has caused."

----------

Sprint Provides U.S. Law Enforcement with Cell Phone Customer Location Data
Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year

----------

Phishing losses add up
Although the number of banking customers who fall victim to phishing attacks is small, it all adds up to a lucrative business for cyber criminals. It's estimated that every US banking institution loses more than $9 million per million customers.

----------

Wall Street Journal Website Hacked
A Romanian grey hat hacker has disclosed a serious SQL injection vulnerability on the Wa...

----------

Dell releases BIOS updates
Adrian Kingsley-Hughes: "Throttlegate": Some owners of Dell notebooks were experiencing severe underperformance and overthrottling, so much so that performance was being cut to a fraction of what it should be.

----------

Can You Copyright An SQL Query?
... the district had contracted out the process to a guy who charged them $500 per year, to basically write and then run an SQL query that exported the data. Each year, all he had to do was change the date, but he still charged them $500.

----------

Former Partner Blasts Seyfarth Shaw
By TIM HULL
LOS ANGELES (CN) - An attorney with Seyfarth Shaw says the firm's managing partners forced him to take the fall for Tae Bo creator Billy Blanks' $30 million legal malpractice suit, and turned the office into a place where "the pursuit and collection of money" from clients - referred to as "bozos on the bus" - became "the primary directive" for attorneys and "the chief preoccupation" of the managers.

----------

NASA sites hacked via SQL injection
Angela Moscaritolo December 07, 2009
Two of NASA's sites were accessed by an individual, apparently claiming to demonstrate they were susceptible to SQL injection.

----------

Adobe plans Flash update, investigates Illustrator flaw
Dan Kaplan December 04, 2009
An Adobe Flash Player update is due out on Tuesday to close a number of security holes.

----------

Microsoft slates six fixes for year's final Patch Tuesday
Dan Kaplan December 03, 2009
Microsoft's planned patches for Tuesday include a fix for a null pointer reference vulnerability in Internet Explorer, for which proof-of-concept code has been published.

----------

TSA Leaks Sensitive Airport Screening Manual
Government workers preparing the release of a Transportation Security Administration manual that details airport screening procedures badly bungled their redaction of the .pdf file. Result: The full text of a document considered “sensitive security information” was inadvertently leaked.

Anyone who’s interested can read about which passengers are more likely to be targeted for secondary screening, who is exempt from screening, TSA procedures for screening foreign dignitaries and CIA-escorted passengers, and extensive instructions for calibrating Siemens walk-through metal detectors.

The 93-page document also includes sample images of DHS, CIA and congressional identification cards, with instructions on what to look for to verify an authentic pass.
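The item says only that the redaction was bungled and the full text survived, not how. The classic way a PDF redaction fails is a black box drawn over text that is left in the content stream, so a text extractor (or select-all, copy, paste) still reads it. As an added example, not the TSA file or any redaction tool's code, the script below builds two small one-page PDFs (constructed here, with made-up strings): one with a box painted over text that is still in the file, one with the text actually removed, and shows that a simple scan of the content streams tells them apart. The page and string layout are mine; the check is the one to run on any document before it is published.

```python
import re
import zlib

# Added example: build a "redacted" PDF two ways and check which one leaks.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_RE = re.compile(rb"\(([^()\\]*)\)\s*Tj")          # literal string drawn by Tj
RECT_RE = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+re\s+f\b")


def build_pdf(visible, secret, keep_secret_text):
    """Return a one-page PDF. A black rectangle is painted where the secret
    line sits; if keep_secret_text is True the Tj operator for the secret
    stays underneath it (overlay 'redaction'), otherwise it is removed.
    Strings must not contain ( ) or backslashes since nothing escapes them."""
    lines = ["BT /F1 12 Tf 72 720 Td (%s) Tj ET" % visible]
    if keep_secret_text:
        lines.append("BT /F1 12 Tf 72 700 Td (%s) Tj ET" % secret)
    lines.append("0 g 70 696 400 16 re f")          # black box over the secret line
    content = ("\n".join(lines) + "\n").encode("latin-1")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"endstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


def content_streams(pdf):
    """Raw content streams, inflated when they are /FlateDecode compressed."""
    streams = []
    for raw in STREAM_RE.findall(pdf):
        try:
            streams.append(zlib.decompress(raw))
        except zlib.error:
            streams.append(raw)                   # already plain text
    return streams


def shown_text(pdf):
    """Every literal string a Tj operator draws, whatever is painted over it."""
    return [m.decode("latin-1") for s in content_streams(pdf) for m in TEXT_RE.findall(s)]


def filled_rects(pdf):
    """(x, y, w, h) of every rectangle filled immediately after being defined."""
    return [tuple(float(v) for v in m) for s in content_streams(pdf) for m in RECT_RE.findall(s)]


def leaks_under_boxes(pdf, sensitive):
    """True if the file still draws the sensitive string and also paints
    filled boxes on the page: the signature of overlay 'redaction'."""
    return sensitive in shown_text(pdf) and len(filled_rects(pdf)) > 0


# Constructed sample strings; nothing here is from the TSA manual.
VISIBLE = "Screening procedures, public version"
SECRET = "Sample: which passengers are exempt"
OVERLAY_PDF = build_pdf(VISIBLE, SECRET, keep_secret_text=True)
REDACTED_PDF = build_pdf(VISIBLE, SECRET, keep_secret_text=False)

if __name__ == "__main__":
    for name, pdf in (("overlay", OVERLAY_PDF), ("removed", REDACTED_PDF)):
        print("%-8s text=%s boxes=%d leaks=%s" % (name, shown_text(pdf),
              len(filled_rects(pdf)), leaks_under_boxes(pdf, SECRET)))
```

Both files look identical on screen: a black bar where the second line was. Only the second one is safe to release, and a regex over the content streams is enough to tell the difference. The scanner here handles only literal strings and plain or Flate-compressed streams; a real audit would also cover TJ arrays, hex strings, XObjects and annotations, and the safe fix is always to remove the text, not to paint over it.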

----------

Ex-KGB Officers May Be Behind the Hacked Climate Emails
treehugger.com: The computer hack, said a senior member of the Inter-governmental Panel on Climate Change, was not an amateur job, but a highly sophisticated, politically motivated operation. And others went further. The guiding hand behind the leaks, the allegation went, was that of the Russian secret services.

----------

The Fruit of the Poisoned Tree
Should we hire criminal hackers as security experts? This is the second of a two-part attack on the idea from a 1995 debate in which I participated.

----------

Mapping the Mal Web: McAfee’s 3rd Annual Report
For the first time combining data from McAfee’s SiteAdvisor and TrustedSource, the report is even more comprehensive than last year’s, naming Cameroon (.cm) as the riskiest place to surf with a whopping 36.7 percent of the domains posing a security risk.

----------

Microsoft Warns Of Malware-Laced Counterfeit Software
Dec 07,2009
Complaints about counterfeit software infected with malware doubled in past two weeks

----------


Thanksgiving Webcam Promo Leads to Malware PC World – Thu Dec 3, 8:20 pm ET
The US$10 webcam that Anna Giesman bought her daughter at Office Depot over the Thanksgiving weekend sounds like one of those deals that's too good to be true. And for her, it was.

----------

Update: Judge affirms $675k verdict in RIAA music piracy case

----------