Monday, January 4, 2010

TSA Gaffe Shows Pitfalls of Redaction
The inadvertent exposure of a sensitive Transportation Security Administration security manual last month serves as a sobering reminder about the pitfalls of trying to redact, or hide, electronic text.

The lapse occurred when a contract employee posted the improperly redacted security manual -- which described TSA airport screening methods that are designed to thwart terrorists -- on a public Web site for federal procurements.

Other organizations, such as HSBC Bank and Facebook Inc., have also had embarrassing incidents in which text in electronic documents that they thought was unreadable was revealed.
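The pitfall behind all three incidents is the same: drawing a black box over text changes what a viewer paints, not what the file contains, so the text-showing operators stay in the page content stream and any extractor gets them back. The following example is added here and is not part of the article or of any of the organisations' documents; it constructs two tiny single-page PDFs (one "redacted" by covering the string with a rectangle, one where the string was actually removed) and runs the same content-stream check over both. The content strings, the sensitive value and the PDF structure are all constructed for the demonstration.

```python
"""Why covering text is not redaction: the covered string is still in the file."""
import re
import zlib

# Constructed page content: the text is drawn, then a black box is painted
# over it.  The Tj operator (and its operand) remain in the stream.
COVERED_CONTENT = b"""BT /F1 12 Tf 72 700 Td (Screening threshold: SECRET-VALUE) Tj ET
0 0 0 rg 70 695 250 16 re f
"""

# Constructed page content for a real redaction: the sensitive string was
# removed before the box was drawn, so there is nothing left to recover.
REMOVED_CONTENT = b"""BT /F1 12 Tf 72 700 Td (Screening threshold: ) Tj ET
0 0 0 rg 170 695 150 16 re f
"""


def build_pdf(content: bytes, compress: bool = True) -> bytes:
    """Assemble a minimal one-page PDF around `content` (constructed, not a real
    producer's output).  `compress` wraps the content stream in FlateDecode, as
    real documents usually are, so the checker must inflate rather than grep."""
    data = zlib.compress(content) if compress else content
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d%s >>\nstream\n" % (len(data), filt) + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)


# A stream dictionary followed by the 'stream' keyword.  The tempered dot stops
# at 'endobj' so the match cannot run across object boundaries.
_STREAM_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
# Literal string operand of the Tj text-showing operator (no escape handling;
# TJ arrays and hex strings are left out to keep the demonstration short).
_TJ_RE = re.compile(rb"\((.*?)\)\s*Tj")


def recover_text(pdf: bytes) -> list:
    """Return every literal string shown with Tj in any direct-/Length stream."""
    found = []
    for m in _STREAM_RE.finditer(pdf):
        dictionary = m.group(1)
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        if not length:
            continue  # indirect /Length reference: a real parser resolves it
        raw = pdf[m.end():m.end() + int(length.group(1))]
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue  # undecodable: a real tool should flag, not skip
        found.extend(s.decode("latin-1") for s in _TJ_RE.findall(raw))
    return found


def leaks(pdf: bytes, sensitive: str) -> bool:
    """True if `sensitive` can still be read back out of the document's text."""
    return any(sensitive in s for s in recover_text(pdf))


if __name__ == "__main__":
    for label, content in (("covered", COVERED_CONTENT), ("removed", REMOVED_CONTENT)):
        doc = build_pdf(content)
        print(label, "->", recover_text(doc), "leaks:", leaks(doc, "SECRET-VALUE"))
```

The check is deliberately the dumbest thing that works: if a string extractor that ignores every drawing operator can still read the value, so can anyone who opens the file in a text editor or selects the "black" region and copies it. Proper redaction removes or replaces the text operand (and any copy in metadata, bookmarks or attachments) before the document is published; the visual box is only cosmetics on top of that.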

----------

Google Chrome OS may be security hot spot in 2010
Chrome OS will be targeted by attackers, probably even before it's officially released, said Sam Masiello, the director of threat management at antivirus vendor McAfee Inc.

"It'll be the new kid on the block, that's one of the primary drivers why we think cybercriminals will target Chrome OS," said Masiello. "The same thing happened to Windows Vista and Windows 7, even before they were finished. Since Chrome OS is new, it's going to be of interest to security researchers, and it's going to be poked by cybercriminals as well."

----------

Hacker Pleads Guilty in Massive Fraud Case PC World – Wed Dec 30, 1:20 am ET
A hacker from Miami pleaded guilty on Tuesday to conspiracy to hack into computer networks at major U.S. retail and financial groups and to steal data on tens of millions of credit and debit cards.

----------

Top 10 Security Nightmares of the Decade PC World – Tue Dec 29, 9:00 pm ET
Blame the Internet for the latest decade of security lessons. Without it, you probably wouldn't even recognize the terms phishing, cybercrime, data breach, or botnet. Let's revisit the top security horrors of the past ten years, and try to remember what we learned from each.

----------

Target Co was victim of hacker Albert Gonzalez Reuters – Tue Dec 29, 7:03 pm ET
BOSTON/NEW YORK (Reuters) - Target Co said it was among the victims of computer hacker Albert Gonzalez, mastermind of the biggest identity theft in U.S. history.

----------

Hackers Show It's Easy to Snoop on a GSM Call PC World – Mon Dec 28, 9:40 pm ET
Computer security researchers say that the GSM phones used by the majority of the world's mobile-phone users can be listened in on with just a few thousand dollars worth of hardware and some free open-source tools.

----------

Good Guys Bring Down the Mega-D Botnet PC World – Sun Dec 27, 9:00 pm ET
For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down.

----------

FBI probing cyber theft at Citibank: WSJ AFP – Tue Dec 22, 1:10 pm ET
WASHINGTON (AFP) - The US Federal Bureau of Investigation is probing an attack by suspected Russian computer hackers on Citigroup Inc. that resulted in the theft of tens of millions of dollars, The Wall Street Journal reported Tuesday.

----------

Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
A couple of days ago one of our readers, Ric, submitted a suspicious PDF document to us. As you know, malicious PDF documents are not rare these days, especially when the exploit for a yet unpatched vulnerability is widespread.

Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included JavaScript in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here).

----------

FTC: Orgs Liable for Employee Statements on Facebook, Twitter?
Michael Overly looks at FTC regulations that went into effect in December.

New FTC guidelines (http://www.ftc.gov/os/2009/10/091005revisedendorsementguides.pdf) that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites like Facebook, Twitter, LinkedIn, MySpace, personal blogs, and other sites – even if the company had no actual knowledge those statements were being made. Specifically, if an employee makes comments about the business’ products and services and that employee fails to disclose their employment relationship with the business, the business may be subject to an enforcement action for deceptive endorsements.

----------

NIST-certified USB Flash drives with hardware encryption cracked
Security firm SySS has found that supposedly secure NIST-certified USB Flash drives from three of the top vendors can be cracked with relative ease.
...
When notified by SySS about this worst case security scenario, the respective vendors responded quite differently. Kingston started a recall of the affected products; SanDisk and Verbatim issued woolly security bulletins about a "potential vulnerability in the access control application" and provided a software update. When asked by heise Security, Verbatim Europe said that none of the affected drives have been sold in Europe – and that none will be shipped before the hole has been closed.

----------

Adobe working on new automatic updater
Ryan Naraine: In the wake of a dramatic surge in malware attacks against Adobe's Reader, Acrobat, and Flash Player, the company plans to ship a new automatic updater mechanism that will silently patch security holes without any user action.

----------

Waledac spreading through fake New Year's e-cards
Angela Moscaritolo December 31, 2009
The Waledac botnet is spreading spam messages that contain the subject line "Happy New Year 2010" and provide a link for what the email claims to be a New Year's greeting card.

----------

How to Automate Windows 7 Backups
(Video) How to set up and automate backups in Windows 7.

----------
