http://www.crime-research.org/news/18.03.2008/3256/
Hannaford, Security Industry Hunt for Cause of Massive Breach - 3/18/2008 6:07:00 PM Speculation runs rampant as grocery retailer attempts to find out how 4.2 million credit card records were stolen
Get-em-one-way-or-another:
FTC Deal Suggests Enterprises Could Be Liable for Poor Security - 3/17/2008 5:50:00 PM ValueClick found negligent when Commission discovers vulnerabilites contrary to privacy policies promising encryption and 'reasonable security measures'
Apple Patches 93 Security Holes
Apple issues mega-monster security update Just a day after a remarkably large Safari update, Apple released a "frighteningly large" security update that patched nearly 90 vulnerabilities in both its own code and the third-party applications it bundles with its Tiger and Leopard operating systems. Read more...
Hackers vs. Windows, Mac, Linux next week in big money contest
Pennsylvania pulls plug on voter site after data leak
Seattle man gets 51 months in jail in ID theft case
Hackers vs. Windows, Mac, Linux next week in big money contest
Beijing Olympics Face Another Issue - Too Many Squat Toilets
aol.com.au — The Beijing Olympics are being hit with another problem, at least by Western standards. The issue came up over the weekend when the San Diego Padres played the Los Angeles Dodgers at the new Olympic baseball venue. The portable toilets trucked in were the squat variety, the style used widely in Asia. More…
Comcast: FCC lacks any authority to act on P2P blocking
arstechnica.com — Comcast says the FCC has no jurisdiction over its traffic-shaping practices. Is the company engaging in legal saber rattling, or would it really sue the FCC if the agency moved to protect broadband consumers?More…
March 2008 MS08-014 Re-releasePosted Wednesday, March 19, 2008 7:40 AM by MSRCTEAM
Hello, this is Tim Rains.
Very quickly, I wanted to let you know that we've just re-released MS08-014 for Microsoft Office Excel 2003 Service Pack 2 and Service Pack 3 only.
The original version released on March 11, 2008 did fully protect against the security issues discussed in the bulletin. However, after release we discovered that the security update caused a calculation error in Microsoft Excel 2003 when a Real Time Data source was used in a user-created Visual Basic for Applications solution (in other words a custom-built VBA function). For additional details, please refer to KB950340.
If you're not running Microsoft Excel 2003, this re-release doesn't apply to you and you don't need to take any action.
If you are running Microsoft Excel 2003 Service Pack 2 or Service Pack 3, you should use the guidance provided in Knowledge Base article KB950340 to deploy the new update. It is being released through all the same distribution channels as the original MS08-014 security update. It is also supported by the same detection and deployment tools as the original update.
VMware has announced a new security advisory that includes a set of updates for VMware Workstation, Player, Server, ACE, and Fusion (VMSA-2008-0005), resolving this vulnerability plus a few other relevant security issues:
a. Host to guest shared folder (HGFS) traversal vulnerability (CVE-2008-0923)
b. Insecure named pipes (CVE-2008-1361, CVE-2008-1362)
c. Updated libpng library to version 1.2.22 to address various security vulnerabilities (CVE-2007-5269)
d. Updated OpenSSL library to address various security vulnerabilities (CVE-2006-2940, CVE-2006-2937, CVE-2006-4343, CVE-2006-4339)
e. VIX API default setting changed to a more secure default value
f. Windows 2000 based hosted products privilege escalation vulnerability (CVE-2007-5618)
g. DHCP denial of service vulnerability (CVE-2008-1364)
h. Local Privilege Escalation on Windows based platforms by Hijacking VMware VMX configuration file (CVE-2008-1363)
i. Virtual Machine Communication Interface (VMCI) memory corruption resulting in denial of service (CVE-2008-1340)
The latest versions are:
VMware Workstation 6.0.3
VMware Workstation 5.5.6
VMware Player 2.0.3
VMware Player 1.0.6
VMware ACE 2.0.3
VMware ACE 1.0.5
VMware Server 1.0.5
VMware Fusion 1.1.1
Update as soon as possible!
Kerberos Multiple Vulnerabilities - Highly critical - From remoteIssued 11 hours ago. Some vulnerabilities have been reported in Kerberos, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.
German court tightens up ISP, phone data retention rules
Germany's Constitutional Court ruled this week that access to e-mail and phone records should only be granted in serious investigations. It has also struck down indiscriminate license plate scanning and put curbs on police spyware.
March 19, 2008 - 02:14PM CT - by Nate Anderson
Israel rebukes US: Our copyright laws are fine, thanks
The Israeli government defends its copyright laws against content industry critics in the US who say that they don't go far enough.
March 18, 2008 - 09:40PM CT - by Nate Anderson
Yahoo offers peek into crystal ball to justify bigger payday
In this game of high-stakes poker, Microsoft might win in the end, but the victory won't come cheap. Yahoo! just upped the ante again with an investor presentation that paints a rosy financial outlook for the company.
March 18, 2008 - 11:45AM CT - by Anders Bylund
Why Would The Gov't Hide Documents About A .xxx Domain?
from the please-explain dept
The back and forth over the potential for a .xxx domain reserved for porn has been discussed at length, though, it's still rather amusing to see one set of politicians who believe it's a good thing, as it would keep porn away from children, and another set of politicians who believe it's a bad thing because it somehow "legitimizes" porn (this would be known as the "head-in-sand" position, considering that porn online hardly needs to be "legitimized" at this point). Either way, the Bush administration came down on the "head-in-sand" side after receiving pressure from family groups. That resulted in pressure on ICANN who, despite claiming independence from the US gov't, rejected the proposal after originally being for it. The folks behind the .xxx proposal were (understandably) livid, and have filed Freedom of Information requests to find out what kind of discussions the gov't had in determining its position. Oddly, while some documents were released, the State Department and Commerce Department withheld many documents relating to discussions over the .xxx domain. A lawsuit was quickly filed, and a court has now ruled that the government doesn't have to reveal all the documents unless it's been shown that it blocked .xxx for "nefarious purposes." I had no idea that was a component of making FoIA decisions. Having a separate .xxx domain seems totally unnecessary (and just a way for registrars to soak up some extra money), but that still doesn't explain why the government felt the need to not release certain documents explaining its position. Kind of ironic that this comes out during Sunshine Week, which is supposed to highlight gov't openness.
52 Comments Leave a Comment..
Is It Time For Computer Security Experts To Get Jobs In The Medical Device Arena?
from the dance,-heart-patient,-dance! dept
Last week, one of the stories that got a few headlines and made the rounds concerned the news that some popular heart monitors could be hacked, potentially in a way that would provide powerful shocks to to the heart of someone who had such a device implanted. The reports made it very clear that the likelihood of such a hack was incredibly slim, as it would require a tremendous amount of access. So, this isn't something to worry about today, but it does suggest one area where it may pay for medical device makers to start thinking a little bit more about security. There was a report, about two years ago, that also warned of something similar, which we played down as a bit of fear-mongering (it had no real details, just suggesting that pacemakers would become a hacking target). It still seems like this is not going to be a huge threat any time in the near future, but that doesn't mean that those who design medical devices, especially those with connections to the outside world, shouldn't at least think through the potential security concerns and design these devices with security in mind from the beginning. That seems a lot safer than having to fix all of the installed devices down the road.
6 Comments Leave a Comment..
Reported Zero-Day in CA Software
Tuesday March 18, 2008 at 3:18 pm CSTPosted by Karthik Raman
No CommentsPermanent Link
Here’s a quick post about a claimed zero-day vulnerability in CA BrightStor ARCserve Backup, software that provides backup functionality for Windows systems. Proof-of-concept exploit code for this vulnerability is public.
A specially crafted Web page could trigger a stack overflow in the AddColumn() method in the ListCtrl Active X Control. For an attack to occur, a user would have to be tricked into visiting a malicious Web site. The exploit writer states that he has successfully run his attack code against CA BrightStor ARCserve Backup r11.5, with Internet Explorer 6 running on Microsoft Windows XP SP2 (the Polish edition).
McAfee Avert Labs is analyzing the flaw. As an aside, our research database reveals that the last known vulnerability in CA BrightStor ARCserve Backup was disclosed on November 26, 2007: CVE-2007-5328. CA worked with the discloser to release a patch for the vulnerability on the same day.
Breach of Britney Spears patient data highlights health care security shortfalls
Jim Carr March 19, 2008
Reports this week that the UCLA Medical Center has moved to fire 13 employees and suspended six others for unauthorized access to confidential medical records of pop star Britney Spears is a sign that training and regulations may not be working in some hospitals, experts told SCMagazineUS.com.
The Technology That Toppled Eliot Spitzer
By John BorlandWednesday, March 19, 2008
Anti-money-laundering software scrutinizes bank customers' every move, no matter how
Pro-Tibet groups bombarded with abusive calls, virusesAFP - Wed Mar 19, 12:11 PM ET
BEIJING (AFP) - Pro-Tibet activists said Wednesday they have been bombarded with abusive phone calls and virus emails as they try to contact witnesses in Tibet and nearby amid a clampdown following anti-Chinese riots.
Ding dong: 3Com, Bain, Huawei deal is dead
