Friday, April 24, 2009

Around The Horn vol.1,88

OAuth Session Fixation Security Flaw Discovered

By Robert A. on Vulns

From the advisory "The attack starts with the attacker logging into an account he owns at the (honest) Consumer site. The attacker initiates the OAuth authorization process but rather than follow the redirect from the Consumer to obtain authorization, the attacker instead saves the authorization request URI (which includes the Request...

Device identification in online banking is privacy threat, expert says

By Elinor Mills

SAN FRANCISCO--A widely used technology to authenticate users when they log in for online banking may help reduce fraud, but it does so at the expense of consumer privacy, a civil liberties attorney said during a panel at the RSA security conference on Thursday.

When logging into bank Web sites, ...

Google fixes severe Chrome security hole

By Stephen Shankland

Google released a new version of its Chrome browser Thursday to fix a high-severity security problem.

The problem affects Google's mainstream stable version of Chrome and is fixed in the new version 1.0.154.59 (download). Google has built Chrome so it updates itself automatically with no user ...

Hacking online games a widespread problem

By Daniel Terdiman

SAN FRANCISCO--It will likely come as no surprise to anyone familiar with virtual worlds and online games that they can be hacked. But what might come as a shock is the sheer breadth of types of exploits that are possible.

That was the broad message of a Thursday panel called, ...

Originally posted at News - Gaming and Culture

Conficker infected critical hospital equipment, expert says

By Elinor Mills

SAN FRANCISCO--The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of hospitals recently, a security expert said on Thursday in a panel at the RSA security conference.

"It was not widespread, but it raises the awareness of what we would do if there were ...

Malware on Demand

By Rik Ferguson on malicious code

I came across a very well designed and presented SEO pay-per-click “affiliate program” a couple of days ago. This scheme offers the affiliate a customised “file” (detected by Trend Micro as TROJ_DROPPER.JLA) which you can then distribute to your victims using whichever means are the most convenient for you. Maybe you want to push it out through [...]

Spammers Recover from McColo Shutdown - Spam Back To 91%

By Darknet on symantec

You might remember back in November last year spam ISP McColo was cut off from the Internet and there was a fairly drastic drop in spam e-mail traffic. Well it looks like the spammers have got their acts back together as spam levels are back up to 91% of their previous volume. Having McColo shut down was [...]

Researchers show how to take control of Windows 7

Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday.

Hathaway advocates direct White House role on cybersecurity

Endorsing a viewpoint that's been gaining currency in the security industry, President Obama's acting senior director for cyberspace Wednesday called for a more direct White House role in coordinating national cybersecurity efforts.

Vendors release password cracking, management tools

As full-disk encryption becomes increasingly used to protect data, new software tools that can recover lost passwords or change forgotten ones are being released.

Symantec: Malaysian SMBs will spend on security

Malaysian small and medium businesses (SMBs) will continue to spend on security and storage, according to security solutions firm Symantec Malaysia.

Flaws in 'Internet SAFETY' bill

Friend and colleague Robert Gezelter points to serious deficiencies in the thinking behind legislation currently under consideration in the House and Senate.

New surveys on small business security and success

Understanding small business is tough because there are so many of them and they vary so widely. But all small businesses share certain problems, attitudes, and approaches to those problems. Let's give a hand to Symantec and Network Solutions for doing their part to discover the state of security and creating (and studying) the Small Business Success Index.

Security promises in the cloud

A survey released this week at RSA is troubling in that it says businesses using cloud services are concerned about security, but don't verify what providers do to meet the security promises they make.

Why the Top U.S. Cyber Official is Losing Sleep

The United States' top cybersecurity official already knew the world's digital infrastructure needed help before she took on a 60-day cyberspace policy review. With the review now complete, she admits the gravity of the situation seeps into her dreams and disturbs her sleep.

Cloud computing a 'security nightmare,' says Cisco CEO

If anyone has the right to be excited about cloud computing, it's John Chambers. But on Wednesday Cisco's Chairman and CEO conceded that the computing industry's move to sell pay-as-you-go computing cycles available as a service on the Internet was also "a security nightmare."

Click fraud rate dropped in Q1

Click fraud, a scam based on the highly profitable search advertising business, dipped in the first quarter after hitting an all-time high in the last three months of 2008.

Criminal Infrastructure Lets Malware Thrive

The lurking Trojan and the password-hungry keylogger are only the tip of the iceberg.

RSA chief calls for inventive collaboration among vendors

Two years after suggesting that independent security vendors were headed for extinction, Art Coviello, president of RSA, is calling for "inventive collaboration" among vendors for dealing with the expanding range of threats facing business and government.

Obama administration said to consider military cyber command

The Obama administration is considering a new military cyber command for protecting Department of Defense networks and developing offensive cyber war capabilities, according to a report in the Wall Street Journal.

Security maven sics 'special ops' on botnet gangs
League of net justice

RSA Sometimes fighting botnets, spam, and other online crime is like raking leaves on a windy day. Bag one operation and almost overnight there are a half-dozen more that take its place.…

For security's sake! Send your kid to hacker camp
No easy fix for doom and gloom

RSA A computer security expert has called on the United States government to train the nation's youth in offensive and defensive cyber technologies so the country is less vulnerable to attacks on its critical infrastructure.…

Doubt cast over ContactPoint security assurances
No, Minister

A UK government minister has issued assurances about the security of the government's child protection database ContactPoint, but the minister's assurances are incomplete, if not misguided, says one expert.…

GPS, swipe cards to monitor Welsh school kids
We know what you're doing at the back, boyo

Councils in North Wales are equipping school buses with GPS and swipe card technology to help monitor attendance and antisocial behaviour.…

Botnet speed test uncovers drag racers of malware
Supercharged spam powerhouses revealed

Researchers have discovered that Zombie machines within the Xarvester and Rustock botnets are capable of sending up to 25,000 junk mail messages per hour.…

Big boost for Aussie firewall
Another shrimp on anti-prawnography trial barbie

The controversial Great Aussie Firewall got a big boost yesterday when Australia's second largest ISP Optus agreed to join the pilot.…

Spy chiefs size up net snoop gear
Deep packet inspection bonanza

The security minister has confirmed officials are considering installing technology that could enable on-demand wiretapping of all communications passing over the internet by the intelligence services and law enforcement.…

Under-caution spam faxer fined over £6,000
Debt firm fax up

A man who sent hundreds of spam faxes while under caution from privacy regulator the Information Commissioner's Office (ICO) faces more than £6,000 in fines for his actions.…

Data Leak Prevention: Proactive Security Requirements of Breach Notification Laws, (Fri, Apr 24th)

I'm beginning to prepare for a talk I plan to give at SANSFIRE 09 on Data Leak Prevention. The talk ...(more)...

Some trendmicro.com services down, (Thu, Apr 23rd)

A couple of people have reported that TrendMicro is having network issues and the following site has ...(more)...

Possible MS09-013 activity, (Thu, Apr 23rd)

Jack sends us notice that Symantec is alerting on possible MS09-013 activity. This information ...(more)...

RSA researcher Ari Juels: RFID tags may be easily hacked

By Neil Roiter

SearchSecurity.com caught up with Dr. Ari Juels and asked the well-known cryptographer about RFID security, cloud storage innovations and his new novel.

Operational risks could mire virtualization deployment, panel says

By Robert Westervelt

Future virtualization platforms and features could cause confusion when managing who owns virtual machines within an organization and how network traffic can be monitored.

Compliance drives opportunities for security integrators

By Kelley Damore

At the 2009 RSA Conference, new regulations and initiatives such as NERC, HITRUST and CNCI could signal some opportunities in healthcare and energy verticals.

Cyberspace Director Urges National Dialogue on Threats (NewsFactor)

In business

NewsFactor - A little over two months ago, President Barack Obama appointed Melissa Hathaway as the acting senior director for cyberspace for the National Security Council and the Homeland Security Council. Her primary task, the president said, was a two-month review of the nation's cybersecurity readiness and to propose improvements.

China insists it does not hack into US computers (AFP)

In technology

AFP - China insisted on Thursday it was opposed to Internet crimes, following a US media report that said Chinese hackers may have been behind a cyber attack on computers linked to a new US fighter jet.

Woz interviewed about hackery, life (Macworld.com)

In technology

Macworld.com - While you may know that Apple co-founder Steve Wozniak tore it up on ABC's Dancing with the Stars and has recently joined hardware startup Fusion-IO, I sure didn't know that he's still using Eudora, a program that I stopped using circa 2002, as his everyday e-mail client.

RSA: The Elusive Structure of the Cyber-criminal Economy

At the RSA Conference in San Francisco, security researchers outlined the underground economy for cyber-crooks. The black market for stolen data is thriving in an increasingly sophisticated and compartmentalized landscape.
- As it turns out, stealing credentials is actually the easy part of cyber-theft. The hard part is using them to get away with pilfering bank accounts. Fortunately for phishers, they have no shortage of help in that regard. This ecosystem of hackers, malware writers and money mules was on f...

FBI Spyware Could Look Like Your Average Trojan

OPINION: For years the FBI has been using a Trojan Horse program to spy on suspects' computers.
- In response to a Freedom of Information Act request the FBI has released some details and history of a spyware program they have used over the years to gather details on suspects' computers, according to a recent article in Wired. Information on the CIPAV or "Computer and Internet Protocol Add...

How Terrorism Touches the 'Cloud' at RSA

At the RSA Conference, former U.S. military officer Jeff Bardin showed attendees the cyber-world aspects of terrorism, where supporters of groups such as al Qaeda use social networks to recruit and spread their message. In an interview with eWEEK, Bardin discussed some of the things he has seen online.
- When it comes to the war on terrorism, not all battles, intelligence gathering and recruitment happen in the street. Some of it occurs in the more elusive world of the Internet, where supporters of terrorist networks build social networking sites to recruit and spread their message. Enter J...

Windows 7 Security Enhancements Summed Up

OPINION: Enterprises can expect security of authentication, data protection, privilege levels and the DNS to improve for users running the next client version of Windows.
- The evidence that Windows Vista is far more secure than XP, both in theory and in practice, is abundant. With new features and standards Microsoft hopes to make Windows 7 even more secure, especially for enterprises. A paper on their Technet site explores several new security features in Windows 7 ...

The 10 Most Interesting Products at RSA 2009

More than 450 exhibitors are showing their stuff at this year's RSA Conference in San Francisco. eWEEK Labs' Cameron Sturdevant has been scouring the expo floor to find the most compelling products for the enterprise. This year, virtualization security tools were an area of focus, but old standbys (still very much needed in our Windows XP/physical server world) are garnering attention. Read on for Cameron's picks for the 10 most interesting products at the show and visit https://cm.rsaconference.com/US09/catalog/exhibitorCatalog.do for a complete catalog. By Cameron Sturdevant
- ...

Report Claims DNS Cache Poisoning Attack Against Brazilian Bank and ISP

OPINION: Attack shows the potential for serious spoofing attacks that could leave end users helpless. The only real solution is DNSSEC, which will take years to implement under the best of circumstances.
- An unsubstantiated report claims that a successful DNS cache poisoning attack was conducted recently against Banco Bradesco, a Brazilian bank. The reports are in Portuguese. This Google translation explains it in typically clumsy, broken English. The actual DNS cache belonged to Brazilian ISP...

U.S. Cyber-Security Requires Partnerships, Obama Official Says

At the RSA Conference, cyberspace security official Melissa Hathaway called for increased cooperation between the government, academia and the private sector. Hathaway was in charge of the recently completed review of U.S. cyber-security mandated by the Obama administration.
- Academia, government and the private sector need to come together in the name of cyber-security; that was the message Melissa Hathaway brought to this year's RSA Conference in San Francisco. Hathaway is acting senior director for cyberspace for the National Security and Homeland Security counc...

Finjan Reveals 1.9 Million-Strong Botnet at RSA

Researchers at Finjan detailed their discovery of a 1.9 million-strong botnet at the RSA Conference in San Francisco. Some 45 percent of the infected bots are believed to be located in the United States.
- Researchers at Finjan have uncovered a massive botnet controlling some 1.9 million zombie computers. The security vendor disclosed the discovery at the RSA Conference in San Francisco. According to reports, the nearly two million bots include machines in 77 government domains in the U.S., U.K. a...

Mozilla Patches 10 Firefox Bugs, Additional Vulnerabilities Fixed

Mozilla developers have fixed several stability bugs identified in the Firefox Web browser and other Mozilla products. However, these crashes showed evidence of memory corruption under certain circumstances, and Mozilla is cautioning that a dedicated hacker could exploit this aspect to run arbitrary code.
- The Mozilla Foundation posted a "critical" security advisory on April 21, stating that crashes of certain Mozilla products had revealed evidence of memory corruption under certain circumstances. Mozilla cautions that this corruption could be exploited to run arbitrary code. The affec...

What's the Big Idea at RSA? Virtualization

Virtualization provides the opportunity for a security do-over.
- The lead keynote speaker of the 2009 RSA Conference tried to sound a note of revolutionary change, but did so mostly by proxy. Most of RSA President Art Coviello's remarks on April 21 were vague exhortations for greater cooperation among security vendors and mild instructions for practitioners ...

Cyber Criminals Industrialize to Increase Effectiveness

By Kim Zetter

Hackers are becoming service providers, running temp agencies to supply crooks with disposable subcontractors to buy merchandise with stolen credit cards. And, for a fee, they'll install another criminal's malicious code on your machine.

Hackers Exploit 2008 Word Bug to Hijack PCs

Chinese hackers are seeking out PCs not patched with December fix.

Security Pro to Companies: Assume You're Owned

The smart business will assume it has been invaded and seek out the intruders, says a hacker expert.

Forget Computers, Phone Crime Is Worrying Banks

Criminals are using call-spoofing to game financial fraud detection.

Hathaway Advocates Direct White House Role on Cybersecurity

Acting U.S. senior director for cyberspace says federal government isn't 'organized appropriately' to address cyberthreats.

Researchers Show How to Take Control of Windows 7

Proof-of-concept code takes control of the computer during the boot process.
