When PDFs And Flash Files Attack Posted by John H. Sawyer
It's getting harder to protect our users from threats coming at them from seemingly trusted places. The Websites they've been using for years are suddenly the source of attacks through malicious advertisements being pushed to the "trusted" site by a third-party advertising service. File format attacks against Adobe's Flash and Acrobat are becoming the exploit du jour for attackers.
----------
Adobe Reader's Patch Tuesday Posted by Wolfgang Kandek
Next Tuesday, Jan. 12, is Microsoft Patch Tuesday. Beyond the usual patches from Microsoft, we will also get a critical update for a piece of software that increasingly plays a role in exploiting desktop systems -- the Adobe Reader from Adobe Systems.
----------
Facebook Security:
http://digg.com/security/Facebook_s_Zuckerberg_I_know_that_people_don_t_want_privacy
----------
Chrome sets browser security standard, says expert
Wow, a browser from an advertising company?!?
---
Chrome has included sandboxing since its September 2008 debut. And while Dai Zovi considers it easily the leader in security because of that, other browser have, or will, make their own stabs at reducing users' risks.
For example, Microsoft's Internet Explorer 7 (IE7) and IE8 on Vista and Windows 7 include a feature dubbed "Protected Mode," which reduces the privileges of the application so that it's difficult for attackers to write, alter or destroy data on the machine, or to install malware. But it's not a true sandbox as far as Dai Zovi is concerned.
...
----------
White House calls for IT boost to fight terrorism
... In listing the various causes for this failure (underwear bomber), the report noted that information technology within the counter-terrorism community "did not sufficiently enable the correlation of data that would have enabled analysts to highlight the relevant threat information."
----------
More flash drive firms warn of security flaw; NIST investigates
http://www.kingston.com/driveupdate/
Kingston's Secure USB Drive Information PageIt has recently been brought to our attention that a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained on the following Kingston Secure USB drives:
DataTraveler BlackBox (DTBB)
DataTraveler Secure – Privacy Edition (DTSP)
DataTraveler Elite – Privacy Edition (DTEP)
It is important to note that the following Kingston Secure USB drives are NOT AFFECTED:
DataTraveler Locker (DTL)
DataTraveler Locker+ (DTL+)
DataTraveler Vault (DTV)
DataTraveler Vault – Privacy Edition (DTVP)
DataTraveler Elite (DTE)
DataTraveler Secure (DTS)
----------
Heartland to pay up to $60M to Visa over breach
----------
Fake Android Application
Somehow I missed that "First Tech Credit Union" warned its users late in December about a fake Android application which pilfers user's passwords [1].
This is a somewhat expected event. Malware is frequently willingly installed by users. As users move to new platform like mobile devices, malware is going to follow them. This particular application, "Droid09" has since been removed from the Android Market Place. But it is probably just a matter of time for the next application to show up. It is probably possible for a similar application to sneak past the iTunes store approval process as well. In each case, the more managed software delivery environment limits the expose time but doesn't eliminate it.
[1] http://www.firsttechcu.com/home/security/fraud/security_fraud.html
----------
Survey: 54 Percent Of Organizations Plan To Add Smartphone Antivirus This Year In anticipation of increased mobile threats in the next year, 40 percent of organizations worldwide plan to recruit mobile security staff
----------
GREAT analysis of Airport Security Theater by Bruce Schneier:
Post-Underwear-Bomber Airport Security
----------
Hidden admin access on D-Link routers
A flawed implementation of the Home Network Administration Protocol (HNAP) reportedly allows attackers to gain unauthorised admin access to numerous D-Link router models more…
----------
Not Security related, but very cool:
http://content.zdnet.com/2346-13615_22-382181.html?tag=col1;post-11005
----------
Airport Scanners Can Store, Transmit Images
By Kim Zetter
January 11, 2010
Categories: Surveillance
Contrary to public statements made by the Transportation Security Administration, full-body airport scanners do have the ability to store and transmit images, according to documents obtained by the American Civil Liberties Union.
----------
L.A. Apple Store shoppers targeted by thieves
The L.A. Times Blog reports about an ongoing series of thefts targeting more than 100 Los...
----------
McAfee Labs’ January Spam Report
Angelina Jolie and Barack Obama are the #1 celeb subjects of choice for spammers, according to our January Spam Report.
----------
Spiceworks Is Becoming The Facebook For IT Managers; Raises $16 Million Series C
by Leena Rao on January 11, 2010
Spiceworks, a startup that develops Web-connected social IT management software, has raised $16 million in Series C funding round led by Institutional Venture Partners with Austin Ventures and Shasta Ventures participating. This brings the startup’s total funding to $29 million.
Spiceworks develops a desktop software suite that helps a company’s IT staff collaborate with each other and manage “everything IT.” The IT management software, which is free and ad-supported, is currently being used by 850,000 IT professionals at small to medium businesses in 196 countries to inventory, monitor, troubleshoot, report on and run a help desk for their IT networks. Currently more than 25 percent of all businesses with greater than 100 employees rely on Spiceworks to manage part of their IT operations.
----------
More Researchers Going On The Offensive To Kill Botnets
Jan 11,2010
Another botnet bites the dust, as more researchers looking at more aggressive ways to beat cybercriminals
----------
Researcher Rates Mac OS X Vulnerability 'High'
Jan 08,2010
Flaw in versions 10.5 and 10.6 can be exploited by a remote attacker, says SecurityReason
----------
Monday, January 11, 2010
Monday, January 4, 2010
Monday 01/04/10
TSA Gaffe Shows Pitfalls of Redaction
The inadvertent exposure of a sensitive Transportation Security Administration security manual last month serves as a sobering reminder about the pitfalls of trying to redact, or hide, electronic text.
The lapse occurred when a contract employee posted the improperly redacted security manual -- which described TSA airport screening methods that are designed to thwart terrorists -- on a public Web site for federal procurements.
Other organizations, such as HSBC Bank and Facebook Inc., have also had embarrassing incidents in which text in electronic documents that they thought was unreadable was revealed.
----------
Google Chrome OS may be security hot spot in 2010
Chrome OS will be targeted by attackers, probably even before it's officially released, said Sam Masiello, the director of threat management at antivirus vendor McAfee Inc.
"It'll be the new kid on the block, that's one of the primary drivers why we think cybercriminals will target Chrome OS," said Masiello. "The same thing happened to Windows Vista and Windows 7, even before they were finished. Since Chrome OS is new, it's going to be of interest to security researchers, and it's going to be poked by cybercriminals as well."
----------
Hacker Pleads Guilty in Massive Fraud Case PC World – Wed Dec 30, 1:20 am ET
A hacker from Miami pled guilty to conspiracy to hack into computer networks at major U.S. retail and financial groups, and to steal data on tens of millions of credit cards and debit cards on Tuesday.
----------
Top 10 Security Nightmares of the Decade PC World – Tue Dec 29, 9:00 pm ET
Blame the Internet for the latest decade of security lessons. Without it, you probably wouldn't even recognize the terms phishing, cybercrime, data breach, or botnet. Let's revisit the top security horrors of the past ten years, and try to remember what we learned from each. Full Story »
----------
Target Co was victim of hacker Albert Gonzalez Reuters – Tue Dec 29, 7:03 pm ET
BOSTON/NEW YORK (Reuters) - Target Co said it was among the victims of computer hacker Albert Gonzalez, mastermind of the biggest identity theft in U.S. history.
----------
Hackers Show It's Easy to Snoop on a GSM Call PC World – Mon Dec 28, 9:40 pm ET
Computer security researchers say that the GSM phones used by the majority of the world's mobile-phone users can be listened in on with just a few thousand dollars worth of hardware and some free open-source tools.
----------
Good Guys Bring Down the Mega-D Botnet PC World – Sun Dec 27, 9:00 pm ET
For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down.
----------
FBI probing cyber theft at Citibank: WSJ AFP – Tue Dec 22, 1:10 pm ET
AFP/File
WASHINGTON (AFP) - The US Federal Bureau of Investigation is probing an attack by suspected Russian computer hackers on Citigroup Inc. that resulted in the theft of tens of millions of dollars, The Wall Street Journal reported Tuesday.
----------
Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
Couple of days ago one of our readers, Ric, submitted a suspicious PDF document to us. As you know, malicious PDF documents are not rare these days, especially when the exploit for a yet unpatched vulnerability is wide spread.
Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included JavaScript in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here).
----------
FTC: Orgs Liable for Employee Statements on Facebook, Twitter?
Michael Overly looks at FTC regulations that went into effect in December.
New FTC guidelines (http://www.ftc.gov/os/2009/10/091005revisedendorsementguides.pdf) that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites like Facebook, Twitter, LinkedIn, MySpace, personal blogs, and other sites – even if the company had no actual knowledge those statements were being made. Specifically, if an employee makes comments about the business’ products and services and that employee fails to disclose their employment relationship with the business, the business may be subject to an enforcement action for deceptive endorsements.
----------
NIST-certified USB Flash drives with hardware encryption cracked
Security firm SySS has found that supposedly secure NIST certified USB Flash drives from three of the top vendors can be cracked with relative ease more…
...
When notified by SySS about this worst case security scenario, the respective vendors responded quite differently. Kingston started a recall of the affected products; SanDisk and Verbatim issued woolly security bulletins about a "potential vulnerability in the access control application" and provided a software update. When asked by heise Security, Verbatim Europe said that none of the affected drives have been sold in Europe – and that none will be shipped before the hole has been closed.
----------
Adobe working on new automatic updater
Ryan Naraine: In the wake of a dramatic surge in malware attacks against Adobe's Reader, Acrobat, and Flash Player, the company plans to ship a new automatic updater mechanism that will silently patch security holes without any user action.
----------
Waldec spreading through fake New Year's e-cards
Angela Moscaritolo December 31, 2009
The Waledac botnet is spreading spam messages that contain the subject line "Happy New Year 2010" and provide a link for what the email claims to be a New Year's greeting card.
----------
How to Automate Windows 7 Backups
(Video) How to set up and automate backups in Windows 7.
----------
The inadvertent exposure of a sensitive Transportation Security Administration security manual last month serves as a sobering reminder about the pitfalls of trying to redact, or hide, electronic text.
The lapse occurred when a contract employee posted the improperly redacted security manual -- which described TSA airport screening methods that are designed to thwart terrorists -- on a public Web site for federal procurements.
Other organizations, such as HSBC Bank and Facebook Inc., have also had embarrassing incidents in which text in electronic documents that they thought was unreadable was revealed.
----------
Google Chrome OS may be security hot spot in 2010
Chrome OS will be targeted by attackers, probably even before it's officially released, said Sam Masiello, the director of threat management at antivirus vendor McAfee Inc.
"It'll be the new kid on the block, that's one of the primary drivers why we think cybercriminals will target Chrome OS," said Masiello. "The same thing happened to Windows Vista and Windows 7, even before they were finished. Since Chrome OS is new, it's going to be of interest to security researchers, and it's going to be poked by cybercriminals as well."
----------
Hacker Pleads Guilty in Massive Fraud Case PC World – Wed Dec 30, 1:20 am ET
A hacker from Miami pled guilty to conspiracy to hack into computer networks at major U.S. retail and financial groups, and to steal data on tens of millions of credit cards and debit cards on Tuesday.
----------
Top 10 Security Nightmares of the Decade PC World – Tue Dec 29, 9:00 pm ET
Blame the Internet for the latest decade of security lessons. Without it, you probably wouldn't even recognize the terms phishing, cybercrime, data breach, or botnet. Let's revisit the top security horrors of the past ten years, and try to remember what we learned from each. Full Story »
----------
Target Co was victim of hacker Albert Gonzalez Reuters – Tue Dec 29, 7:03 pm ET
BOSTON/NEW YORK (Reuters) - Target Co said it was among the victims of computer hacker Albert Gonzalez, mastermind of the biggest identity theft in U.S. history.
----------
Hackers Show It's Easy to Snoop on a GSM Call PC World – Mon Dec 28, 9:40 pm ET
Computer security researchers say that the GSM phones used by the majority of the world's mobile-phone users can be listened in on with just a few thousand dollars worth of hardware and some free open-source tools.
----------
Good Guys Bring Down the Mega-D Botnet PC World – Sun Dec 27, 9:00 pm ET
For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down.
----------
FBI probing cyber theft at Citibank: WSJ AFP – Tue Dec 22, 1:10 pm ET
AFP/File
WASHINGTON (AFP) - The US Federal Bureau of Investigation is probing an attack by suspected Russian computer hackers on Citigroup Inc. that resulted in the theft of tens of millions of dollars, The Wall Street Journal reported Tuesday.
----------
Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
Couple of days ago one of our readers, Ric, submitted a suspicious PDF document to us. As you know, malicious PDF documents are not rare these days, especially when the exploit for a yet unpatched vulnerability is wide spread.
Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included JavaScript in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here).
----------
FTC: Orgs Liable for Employee Statements on Facebook, Twitter?
Michael Overly looks at FTC regulations that went into effect in December.
New FTC guidelines (http://www.ftc.gov/os/2009/10/091005revisedendorsementguides.pdf) that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites like Facebook, Twitter, LinkedIn, MySpace, personal blogs, and other sites – even if the company had no actual knowledge those statements were being made. Specifically, if an employee makes comments about the business’ products and services and that employee fails to disclose their employment relationship with the business, the business may be subject to an enforcement action for deceptive endorsements.
----------
NIST-certified USB Flash drives with hardware encryption cracked
Security firm SySS has found that supposedly secure NIST certified USB Flash drives from three of the top vendors can be cracked with relative ease more…
...
When notified by SySS about this worst case security scenario, the respective vendors responded quite differently. Kingston started a recall of the affected products; SanDisk and Verbatim issued woolly security bulletins about a "potential vulnerability in the access control application" and provided a software update. When asked by heise Security, Verbatim Europe said that none of the affected drives have been sold in Europe – and that none will be shipped before the hole has been closed.
----------
Adobe working on new automatic updater
Ryan Naraine: In the wake of a dramatic surge in malware attacks against Adobe's Reader, Acrobat, and Flash Player, the company plans to ship a new automatic updater mechanism that will silently patch security holes without any user action.
----------
Waldec spreading through fake New Year's e-cards
Angela Moscaritolo December 31, 2009
The Waledac botnet is spreading spam messages that contain the subject line "Happy New Year 2010" and provide a link for what the email claims to be a New Year's greeting card.
----------
How to Automate Windows 7 Backups
(Video) How to set up and automate backups in Windows 7.
----------
Subscribe to:
Posts (Atom)