Friday, May 29, 2009

Around The Horn vol.1,111

Experts: Gumblar attack is alive, worse than Conficker

By Elinor Mills

The Web site compromise attack known as Gumblar has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.

The Gumblar attack started in March with Web sites being compromised and ...

Microsoft to patch new DirectX hole

By Elinor Mills

Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

Microsoft offers an easy way to enable a workaround for the...

Snort To Go Virtual

Open source IDS/IPS celebrates a decade with new release candidate and new features in Snort 2.8.4

Miscreants Already Gaming SCADA

In Vulnerability Research

Infrastructure security has been an issue with plenty of hype but too few real-world examples of the involved risks. A simple hack unearthed by researchers via YouTube paints the picture nicely, however.

Obama directs review of data classifications

President Barack Obama has directed a review of how the government classifies information and how it handles sensitive but unclassified data.

Q & A: High-tech cutter reaches milestone

Coast Guard Rear Adm. Gary Blore expects the first National Security Cutter to receive certification for classified communications in the near future.

Microsoft Warns Of 'Browse-And-Get-Owned' DirectX Flaw

The flaw could allow a remote attacker to execute malicious code by convincing or duping a user to open a specially crafted QuickTime media file.

Government Wrestles With Social Media Records Retention Policies

The National Archives is trying to navigate complex regulations that require capturing and storing all sorts of content in the age of social media, cloud computing, and seemingly endless storage.

White House Launching Transparency Blog

In a nod to openness and citizen participation in government, the Obama administration also will open White House blogs to public comments.

New travel rules kick in June 1 amid concerns over RFID-tagged passport cards

New travel requirements go into effect June 1 at U.S. land and sea borders amid security concerns over an RFID-enabled passport card that has been approved for U.S. travelers.

Must-have Fix for New, Under-attack Microsoft Flaw

A critical new zero-day flaw involving Microsoft DirectShow's processing of QuickTime content is under attack, Microsoft reported today.

Spammed Hong Kong

Hong Kong has become the most spammed country in the world, according to security vendor MessageLabs.

US gov't panel calls for new privacy rules

The U.S. government needs to rewrite the rules it has been using for 35 years to govern its use of personal data by focusing on new technologies for storing and retrieving data, a government advisory board recommended.

Defence trials sneaky cameras

The Defence Science Technology Organisation (DSTO) is running facial recognition trials which will underpin biometric initiatives across the Department of Defence, Immigration and new smartcard driver's licences.

Study: Operators should use DNSSEC to improve security

Various challenges are making many operators hesitate to adopt DNSSEC (Domain Name System Security Extensions) to prevent hackers from tampering with DNS information and redirecting Web traffic, according to a study from the European Union's cybersecurity agency.

Close the Java security hole in many browsers

As we noted earlier, there's a rather large security hole with Java in Web browsers in all versions of OS X. Because of the way Java applets work, you can be attacked by simply visiting (not even clicking a link on, or downloading a file from) a Web site containing a malicious Java applet.

Massive ID fraud and cheque scam busted in NYC
Impersonation scheme sees 18 bank workers pinched

A corporate identity theft ring that exploited the identities of local corporations, religious institutions, hospitals and even schools to run a cheque fraud scam has been busted in New York.…

EU backs advanced network tech to boost resilience
IPv6 and DNSSec to bolster backbone

An EU security agency is calling for greater use of advanced networking technologies - specifically IPv6, DNSSec and MPLS - to improve the resilience of communication networks.…

Judge throws the book at phishing fraudster
100 months of solitude

A fraudster has been sentenced to eight and a half years in prison after copping to a series of phishing scams that affected 7,000 victims and netted an estimated $700,000 in illicit income.…

Critical Windows vulnerability under attack, Microsoft warns
Drive-by web exploits possible

Microsoft has warned of a critical security bug in older versions of its Windows operating system that is already being exploited in the wild to remotely execute malware on vulnerable machines.…

Hiding secret messages in internet traffic: a new how-to
Covert messages exploit TCP

Researchers have demonstrated a new way to hide secret messages in internet traffic that can elude even vigilant network operators.…

VMWare Patches Released, (Fri, May 29th)

Patches were released yesterday to fix a DoS vulnerability and potential arbitrary code execution. ...(more)...

Blackberry Server Vulnerability, (Fri, May 29th)

For all of you running around with a Blackberry, be careful of opening .pdf files ...(more)...

Microsoft DirectShow vulnerability, (Thu, May 28th)

Microsoft have recently announced a Microsoft DirectShow vulnerability via an advisory an ...(more)...

Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert

By Robert Westervelt

Kaspersky Lab researchers have tracked more than 25,000 malware samples spreading through social networks in 2009.

HP-UX Execution of Arbitrary Code and Other Vulnerabilities

These vulnerabilities could allow unauthorized access, privilege escalation, execution of arbitrary code, and Denial of Service (DoS).

Nortel Contact Center Manager Server Password Disclosure Vulnerability

SonicWALL Global Security Client Privilege Escalation Vulnerability

ATEN IP KVM Switch Multiple Vulnerabilities

ATEN produces several IP KVM switches. These devices can be used like normal KVM switches with an attached keyboard, mouse and monitor. However, it is also possible to access the hosts connected to them via a network using an ordinary PC as a client. As this function can be used via an insecure network, it is very important that this connection is cryptographically protected against sniffing of confidential data (e.g. keystrokes, monitor signals) and man-in-the-middle attacks. The affected products provide an SSL-encrypted web interface. After authenticating to the web interface, the user can download a client program (Java or Windows). The ATEN client program contains temporary authentication data so that it can connect to the KVM switch without asking the user for username/password again.

IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability

HP Printers and HP Digital Senders Unauthorized Access to Files

Android Improper Package Verification

Sun Communications Express Multiple XSS

Sun Solaris Integer Overflow Vulnerability

This can be exploited to cause a heap-based buffer overflow via a specially crafted RPC request. Successful exploitation may allow execution of arbitrary code.

Novell GroupWise Internet Agent Remote Buffer Overflow Vulnerabilities

Armorlogic Profense Web Application Firewall Multiple Vulnerabilities

DotNetNuke ErrorPage.aspx Cross-Site Scripting Vulnerability

DotNetNuke is prone to a cross-site scripting vulnerability because the application fails to properly sanitise user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Microsoft DirectX Vulnerability Under Attack

Microsoft says hackers are targeting a security flaw in the DirectX feature of Windows. According to Microsoft, attackers are using malicious QuickTime videos to exploit the bug.
- Microsoft is investigating reports of a vulnerability in Microsoft DirectX that is under attack by hackers using malicious QuickTime videos. According to a Microsoft advisory, the vulnerability can be exploited by hackers to remotely execute code with the rights of the logged-on user. Specific...

Whodunit? Finding Security Vulnerabilities in Application Code

Application security has to start during the development process. That means fixing vulnerable code before applications are ever pushed out to the public. Much has been written about the secure software development lifecycle; now it's time to test security pros and developers alike. Can you find the vulnerabilities in the code? Sorry, there is no prize involved, just a minor brainteaser for those of you who design applications or are charged with assessing their security. The code on the slides was provided by Veracode and Qualys.

Department of Interior Computers Missing, Report Finds

According to a report, the U.S. Department of Interior can't locate nearly 20 percent of the computers that are supposed to be in its care. The report also finds that many PCs are not encrypted, and the disposal process for computers is not uniform.
- A report by the U.S. Department of Interior's inspector general's office does not paint a rosy picture of the department's IT. On the heels of a separate report alleging widespread failures around the tracking and managing of passports, the inspector general found that the department cannot locate ...

Microsoft Update Quietly Installs Firefox Extension

In New Patches

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser. Earlier this year, Microsoft shipped a bundle of updates known as a "service pack" for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows. The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or

Obama in new bid to thwart cyber spies, hackers (AFP)

In politics

AFP - US President Barack Obama Friday announced he will appoint a cyber czar to manage attempts to repel mounting criminal and espionage attacks on government and private virtual world computer networks.

Cyber security, FEMA meeting on Obama's agenda (AP)

In politics

AP - President Barack Obama is to address a 21st century defense threat — protecting the nation against a cyber attack.

Obama to create cyber czar in awareness effort (AP)

In politics

AP - The Obama administration is creating a "cyber czar" within the White House to coordinate the nation's computer security. Critics already say the post will not have enough authority to haul the government into the digital age.

Microsoft Security Advisory 971778 Vulnerability in Microsoft DirectShow Released

By MSRCTEAM

We’ve just released Microsoft Security Advisory 971778 today. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we’re working on a security update to address the issue.

Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.

The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.

Our investigation has found three workarounds that you can implement to protect yourself and we’ve documented these in the security advisory. In addition, we’ve got more technical details on the workarounds and the issue over at the Security Research and Defense (SRD) blog.

Most importantly, we have found one workaround in particular that is simple and effective and protects against the vulnerability with limited impact. In fact, this particular workaround is simple enough that we’ve been able to give you a way to automatically implement the workaround with the click of a button. Our Customer Service and Support (CSS) group has a new capability called “Fix it” that can automatically apply simple solutions to your system. We’ve gone ahead and built a “Fix it” that implements the “Disable the parsing of QuickTime content in quartz.dll” registry change workaround. We have also built a "Fix it" that will undo the workaround automatically.

To automatically implement the workaround, go to the KB article for the advisory. In the KB article, there’s a section titled “Fix it for me”. Click on the “Fix this problem” button under "Enable Workaround" in that section. You will then be offered an installer package from the Microsoft website. After you’ve confirmed that you trust the source of this package, run it on your system. The package will automatically set the appropriate registry keys on your system to implement the workaround. When you want to undo the workaround, click on the "Fix this problem" button under "Disable Workaround" in the same section.

We’re also sharing information about this vulnerability and the limited attacks that we’ve seen with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.

As always, we’ll continue monitoring the situation and providing more information through the security advisory and the MSRC weblog.

Thanks

Christopher

Push For Electronic Medical Records Must Slow Down, For Security's Sake

The federal push for electronic medical records could be a security nightmare if rushed too fast.

Must-have Fix for New, Under-attack Microsoft Flaw

Crooks are currently attacking a new DirectShow vulnerability, Microsoft disclosed today. Be sure to apply the temporary fix.

Study: Operators Should Use DNSSEC to Improve Security

Operators should adopt DNSSEC to prevent hackers from tampering with DNS information and redirecting Web traffic to their sites.

HTML5 Could Be the OS Killer

While the browser isn't more important than the operating system today, Google this week firmly suggested it is only a matter of time.

Thursday, May 28, 2009

Around The Horn vol.1,110

Report: spam-wielding botnets are working 9 to 5

By jacqui@arstechnica.com (Jacqui Cheng) on Symantec

Spam levels have risen over the past month to more than 90 percent of all corporate e-mail, according to Symantec’s May 2009 MessageLabs Intelligence Report (PDF). The latest report effectively communicates the concept of "spam, boy there sure is a lot of it," but goes into detail about the latest trends in spamming activity like botnet activity and the use of social networks.

In May, spam rose by 5.1 percent over April, with 57.6 of it coming from known botnets. One particular botnet called Donbot was named as the most active, and is responsible for 18.2 percent of all spam. Symantec wrote that much of the remainder (42.4 percent) of spam originated out of smaller or unclassified botnets.

Understanding Microsoft's KB971492 IIS5/IIS6 WebDAV Vulnerability

By Robert A. on Vulns

Steve Friedl posted the following to bugtraq this afternoon. "There has been a fair amount written on the vulnerability itself, but there's a large cohort who has no idea if their systems are at risk ("What is WebDAV, and how do I know if I have or need it???"). So I've...

UK Military Exposed to Blackmail Risk Through Lost Data

By Rik Ferguson on countermeasures

The UK military admitted on a television program (Who’s Watching You, BBC2) this Monday (25th May) that they had lost a large amount of highly sensitive information which could potentially expose high-ranking service men and women to bribery, extortion, compromise, identity theft and fraud to name but a few possible outcomes. The British Royal Air Force reported [...]

WarVOX 1.0.1 Released - Telephony Analysis & War Dialing Suite

By Darknet on warvox

WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, [...]

More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites

Anti-Phishing Working Group research shows how phishers are better covering their tracks -- and what to do when phishers compromise your Website

Insurance Company Endures an HR Website Nightmare

In social security

Aetna, one of the world's largest health insurance providers, had to do something special for its customers following a security "oops" reported May 26 involving its Website. It turns out that a number of human resource-related e-mails containing important personal...

Cheating on Your Security Audits

In Risk Management

Think security pros don't know how to cut corners? Think again. A survey from Tufin Technologies found many security specialists cheat on their audit reports.

Attackers Add Curses to YouTube Comments

In YouTube

Attackers are using YouTube comments to lure users to their spambot infection sites.

US-VISIT tests new approaches to exit system

The Homeland Security Department will begin testing two methods for collecting biometric data electronically from non-citizens as they leave through U.S. airports.

Long-awaited cybersecurity report to arrive Friday, White House says

The report is based on the results of the Obama administration’s 60-day review of the federal government’s cybersecurity policy.

FBI, U.S. Marshals reconnect after security problems

The FBI said its external unclassified network is back online and a U.S. Marshals spokesman said computers affected last week by a virus should be fixed by later this week.

Government Panel Calls For Privacy Policy Overhaul

Report to OMB outlines the creation of a chief privacy officer role and chief privacy officers at every federal agency that already has a CFO.

VMware Invests $20 Million In Terremark Cloud Services

The virtualization giant will own 5% of Terremark, which produces cloud and managed IT services for large companies and government agencies.

Department Of The Interior Can't Locate Many PCs

The federal agency can't locate 20% of its computers and, because it has no encryption requirements, the missing PCs could be vulnerable to data theft or loss.

Who digs the elephant trap?

By Igor Muttik on Web and Internet Safety

It is ironic but the extreme growth rate of malware attacks is actually partly due to how successful AV technology really is. Quite simply - if AV scanners were not so successful in blocking trojans and viruses there would be little need for the bad guys to write new ones. One can even say that [...]

Aetna contacts 65,000 after Web site data breach

Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach.

Enterprise Data Security: Definition and Solutions

What is enterprise data security?

Security and regulatory concerns slow some server virtualization efforts

Some organizations, including Stanford Hospital and Clinics, have prescribed a cautious approach to virtualization, mindful that "there's uncertainty" about what’s still seen as a new technology.

Analyst: Mac Java Hack Signals Big Trouble

Last week, security researcher Landon Fuller posted attack code for a Java vulnerability in Apple's Mac OS X that hackers can use. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept," Fuller wrote on his blog.

CIS issues free benchmark on iPhone security

The nonprofit Center for Internet Security today released what it termed the industry's only consensus security benchmark for the iPhone.

Cloud Security Alliance, Jericho Forum sign pact

The Jericho Forum and the Cloud Security Alliance have made a formal commitment to jointly develop and promote best security practices in cloud computing.

BC student to get his computers back after high court throws out search warrant

Massachusetts' highest court ruled there was no probable cause for Boston College police to seize computers from the room of a student who was being investigated for allegedly sending an e-mail claiming that a fellow student was gay.

Twitter gets targeted again by worm-like phishing attack

Twitter users have been tricked into divulging their login and password details to a Web site that then spammed their contacts.

Spammers Work by US Clocks and Target Facebook, Twitter

While many working Americans are heading into the office and starting their day, spammers are busy, too, readying for their next onslaught of junk messages. According to a new report from Symantec, spammers favor the same work schedule as the typical American office worker (Read another report on the findings here).

Swedish politicians challenge EU data retention directive

Sweden is being sued by the European Commission for not implementing a European Union directive requiring network operators to retain details of phone calls and e-mail messages. Instead of hurrying up the implementation process, some politicians view the suit as an opportunity to challenge the directive's consistency with the European Convention on Human Rights.

Latest Kaspersky mobile software wipes data via SMS

Kaspersky Lab's latest mobile security software due to be released next week can wipe data with a text message command even if a thief has swapped out the phone's SIM card.

RIM warns over PDF peril
BlackBerry squash potential

Research In Motion (RIM) has warned of a vulnerability in how BlackBerry servers handle malformed PDF files that potentially leaves the door open to hacking attacks.…

Lost laptop exposes thousands of pension records
Quest to free all world's imprisoned data continues

Exclusive A lost laptop containing the personal data of 109,000 Pensions Trust members has sparked the latest in a growing list of information security breach alerts.…

Dutch cat skinner publishes critics' personal details
Kitty handbag artist tracks hatemailers across cyberspace

The Dutch "artist" who in 2004 turned her pussy into a handbag under the performance art title "My dearest cat Pinkeltje (2004)" has published personal details of those who emailed her expressing their disgust.…

Microsoft fortifies Windows 7 kernel with overrun buster
Safe unlinking coming to a PC near you

Microsoft engineers have fortified the latest version of Windows with a feature designed to make it significantly harder for attackers to exploit bugs that may be lurking deep inside the operating system.…

Fraud guardian uses 'unfair business practices', Judge rules
LifeLock encroaches on Experian operation

Fraud-prevention service LifeLock engages in unfair business practices because it violates parts of a federal law governing the safeguarding of consumer credit reports, a federal judge has ruled.…

Seminal password tool rises from Symantec ashes
L0phtcrack returns

More than three years after Symantec unceremoniously pulled the plug on L0phtcrack, the seminal tool for auditing and cracking passwords is back with a set of new capabilities.…

BNP DDoS 'mega-assault' not actually mega in the least
It was eight, no ten really big lads that jumped me

A supposedly massive denial of service attack against the British National Party website has been exposed as a gross exaggeration.…

Stego in TCP retransmissions, (Thu, May 28th)

I just started reading an interesting new paper out of the Warsaw University of Technology entitled H ...(more)...

More new volatility plugins, (Thu, May 28th)

If you follow our diary at all, by now, you know I am a big fan of volatility for doing analysis of ...(more)...

Host file black lists, (Wed, May 27th)

Henry Hertz Hobbit who maintains a black list of bad hosts wrote in today with some host ...(more)...

WebDAV write-up, (Wed, May 27th)

SusanB wrote in today to tell us about a really good write-up on understanding Microsoft's KB9 ...(more)...

International Telecom Union Publishes Cybercrime Legislation Toolkit (May 24, 2009)

The International Telecommunications Union (ITU) has published a toolkit for cyber crime legislation to provide guidance to countries when developing cyber crime legislation.......

French Anti Piracy Law Draws Criticism (May 22, 2009)

France's controversial anti-piracy legislation could see a thousand users lose Internet service every day.......

Committee Calls for National Cyber Security Coordination Center (May 22, 2009)

The National Security Telecommunications Advisory Committee has approved a proposal calling for a national cyber security coordination center.......

Bank Employee Draws 39-Month Sentence in Theft Scheme (May 25, 2009)

A former bank employee has been sentenced to more than three years in jail for attempting to steal GBP 1.......

Guilty Plea on Online Brokerage Account Fraud (May 21 & 22, 2009)

Michael Largent of California has pleaded guilty to wire fraud and computer fraud charges for a scheme in which he opened thousands of phony online brokerage accounts and amassed thousands of dollars from the micro-deposits the companies made to test the authenticity of the accounts.......

Judge Quashes Search Warrant in Boston University Case (May 25, 2009)

A judge in Boston has ordered that computer equipment and other items be returned to a Boston University student because investigators failed to demonstrate probable cause that Riccardo Calixte had committed a crime.......

Defense Department Looks at Expanding Cyber Threat Data Sharing Model (May 25, 2009)

For the last two years, the US Defense Department Cyber Crime Center has acted as the hub for cyber threat information sharing between DoD and more than two dozen major US defense contractors.......

Missing Hard Drives Also Contain Sensitive Personal Information of RAF Personnel (May 24, 2009)

A memo obtained through Britain's Freedom of Information legislation reveals that three hard drives reported missing from an RAF facility in September 2008 contained more than banking information, as was initially reported.......

NHS Had 140 Data Security Breaches in First Four Months of 2009 (May 25, 2009)

The UK Department of Health said that 140 data security breaches were reported by NHS in the first four months of this year alone.......

Gumblar Responsible for Spike in Drive-By Download Attacks (May 22 & 25, 2009)

The US Computer Emergency Readiness Team (US-CERT) has issued a warning about a significant spike in drive-by download attacks.......

DDoS Attack Causes Internet Outage in China (May 21 & 22, 2009)

A distributed denial-of-service (DDoS) attack on a Chinese domain registrar caused connectivity problems in several of the country's provinces last week.......

RBS WorldPay Is Now PCI DSS Compliant (May 21, 2009)

RBS WorldPay is now certified under Payment Card Industry Data Security Standard version 1.......

Banks, e-commerce sites use device identification to stop fraud

By Marcia Savage

Companies battling online fraud can use device identification technology to help authenticate users and screen out fraudsters.

EMC adds configuration management with Configuresoft acquisition

By Robert Westervelt

EMC said it would move Configuresoft into its Resource Management Software Group. The software could detect configuration changes in both virtual and physical environments.

Is Mobile Security an Oxymoron?

eWEEK Labs does its own investigation of the security of mobile apps such as those from Apple's App Store. Labs found that mobile apps may be broadcasting much more than you know. Indeed, you might say that your smartphone is talking about you.
- A couple months ago, I pondered the security of mobile application transmissions when used over insecure networks, specifically over unencrypted Wi-Fi hot spots. Whereas a mobile device browser shows the little lock so users know SSL is being employed to protect certain data, mobile applicati...

McAfee IDs Most Dangerous Web Search

In a new report, McAfee identifies what popular search keywords are most likely to lead to malware. The answers may surprise you, and give you pause as you search for your favorite song lyrics on Google.
- Last year, Google detected one trillion unique URLs on the Web at once. The vehicle that gets users to those places is search, but within those trillion URLs are a lot of dark alleyways that are home to attackers. According to McAfee, some of the riskiest searches on the Internet today are assoc...

Twitter Gets Targeted Again by Worm-like Phishing Attack (PC World)

In technology

PC World - Twitter users have been tricked into divulging their login and password details to a Web site that then spammed their contacts.

Malware-fighting firewalls miss the mark (InfoWorld)

In technology

InfoWorld - In the beginning was the firewall, and it was pretty good.

Data Breach Exposes RAF Staff to Blackmail

By Kim Zetter

The Ministry of Defence loses three hard drives containing audio recordings with high-ranking air force officers being interviewed in-depth for a security clearance. In the interviews, the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories.

Autonomy Tool Analyzes Data From Facebook, Social Networks

Autonomy has released a new tool that provides companies with a way to mine information from social-media networks.

ID Theft Use of Credit Cards Leaps

Thieves’ use of stolen credit card numbers has more than doubled in ID theft cases, according to a new report, but there’s good news as well.

Twitter Gets Targeted Again by Worm-like Phishing Attack

Twitter users have been tricked into divulging their login and password details to a Web site that then spammed their contacts.

Google Waves Goodbye to E-Mail, Welcomes Real-Time Communication

By Michael Calore

Google unveils a new web app that integrates chat, mail and wikis. It's all in real time — including keystroke reveals of comments in progress.

White House Launching Transparency Blog

In a nod to openness and citizen participation in government, the Obama Administration will also open White House blogs to public comments.

Obama Should Scrap Cybersecurity Czar, Analyst Says

Gartner expert says president's plan to protect nation's computing infrastructure won't work.

Anti-U.S. Hackers Infiltrate Army Servers

Exclusive: Defense Department investigators subpoena records from Google, Microsoft, and Yahoo in connection with ongoing probe.

Wednesday, May 27, 2009

Around The Horn vol.1,109

Report: Spam now 90 percent of all e-mail

By Lance Whitney

Spam now accounts for 90.4 percent of all e-mail, according to a report released Monday from security vendor Symantec. This means that 1 out of every 1.1 e-mails is junk. The report also notes that spam shot up 5.1 percent just from April to May.

Spam on the rise

Spam on ...

Obama To Create Cyber Security Czar In White House

By Darknet on white house

It looks like Obama is taking a serious stance on Cyber Security and Cyber Crime with his introduction of a new position which will be known as the ‘Cyber Czar’. As a senior White House official this is quite a serious position with the responsibility of protecting both the US government networks and looking out for [...]

Security Experts Raise Alarm Over Insider Threats

Insider threats escalating as economy continues to struggle, security experts say

NSA-Funded 'Cauldron' Tool Goes Commercial

Vulnerability analysis tool aggregates, correlates, and visually maps attack patterns and possibilities

Royal Air Force Breach Exposed Potential Blackmail Data

In Risk Management

Last year, the British Royal Air Force admitted three USB devices with personnel data were lost. What they didn't say was that the data included information on extra-marital affairs and drug abuse that could be used for blackmail.

Audit: TSA has weak IT security controls

The agency took some corrective action in fiscal 2008 but still fell short in critical areas, according to a recent audit.

Obama, White House To Oversee Cybersecurity Leadership

The national security staff will include new positions for addressing cybersecurity, information sharing on terrorism, border security, and preparedness and response.

Firefox Extension Malware Raises Security Questions

Mozilla's diligent cleanup rather than catching malicious add-ons before they reach the public has rankled some in the security community.

Bad Program Logic Amplifies Baofeng Attack

By HongZheng Zhou on Web and Internet Safety

A distributed denial-of-service (DDOS) attack on DNS servers of a domain registrar coupled with bad program logic in a popular media application caused network outages in parts of China last week. Baofeng is a widely popular media player in China, with a total of 200 million users and several million users online simultaneously. The player starts [...]

Security metrics research

One of the most difficult aspects of managing risk in information assurance (IA) is that our statistical information is so poor. We don't know about security breaches that we have not noticed; we don't report all the breaches that we do notice to any central collection point; and we use dreadful methodology for collecting information using poorly-constructed surveys that have tiny percentages of respondents, no internal validation, and no follow-up verification.

90 percent of e-mail is spam, Symantec says

Spammers seem to be working a little bit harder these days, according to Symantec, which reported Tuesday that unsolicited e-mail made up 90.4 percent of messages on corporate networks last month.

Report: Obama to name cybersecurity czar this week

President Obama is expected to name a cybersecurity czar later this week, the Washington Post reports.

New attack vectors in Greater China: TippingPoint

The US-based network security solutions provider TippingPoint ThreatLinQ has uncovered a significant amount of data on the state of network security in China, including:

7.6 cases of 'spamvertising' and phishing in HK each year

The numbers of 'spamvertising' and phishing cases using '.hk' domains have continued to decrease over the past year, according to the Hong Kong Internet Registration Corp. (HKIRC).

Tipping Point: Attacks from Hong Kong on the rise

The number of attacks originating from Hong Kong is increasing, Tipping Point said recently.

Mobile phone location technology fights card fraud

Ericsson is courting major banks with a security service the company thinks could cut down on credit card fraud as well as eliminate an inconvenience for travelers using cards overseas.

Watchful eye better than Web filters

The federal government's Internet filters will be outpaced by the emergence of offensive Web pages and won't stop offensive material appearing in e-mail inboxes, according to the Internet Society of Australia.

Junk email volumes hit two year high
Spam volume increases despite swine flu

Nine in ten emails in circulation are spam, resulting in junk mail volumes not experienced since September 2007, according to the latest stats from email security services outfit MessageLabs.…

BNP pleads for cash after reported DDoS assault
'Largest cyber-assault in history'

Updated The website of the British National Party is back online following a reported distributed denial of service attack over the weekend.…

Water utility auditor resigns, transfers $9m offshore
In that order

California and federal officials are searching for a former employee of a large water utility who is suspected of trying to transfer more than $9m to an offshore account after quitting the company.…

Obama to invent cybersecurity czar
Announcement expected this week

President Obama is expected to announce late this week his decision to create a senior White House official responsible for protecting the nation's government-run and private computer networks from attack, according to a published report.…

Vista & Win2K8 SP2 available, (Tue, May 26th)

Microsoft Windows Vista and 2008 Service Pack 2 is now officially available for download (32 bit and ...(more)...

A new Web application security blog, (Tue, May 26th)

If you have any interest in Web application security, you might want to check out this new SANS Web ...(more)... 

White House cybersecurity czar faces major hurdles

By Robert Westervelt

A new cyberczar must reduce interagency squabbles, work with Congress on legislation, but avoid getting bogged down in red tape and bureaucracy, experts say.

Organizations struggle with data leakage prevention, rights management

By Eric Ogren

Employee use of Web-based services and poor judgment can easily defeat the technologies. But better use of the audit, discovery and reporting features can make them more effective.

Obama Set to Release Cyber-Security Review

U.S. President Barack Obama is expected to name a cyber-security czar this week and release the results of the 60-day review on cyber-security he ordered earlier this year. The review was completed last month but has been under wraps since then.
- U.S. President Barack Obama is expected to name a cyber-security czar and release the much-anticipated results of an extensive security review of the country's cyber infrastructure on Friday, according to press reports. The cyber-security position would be part of a newly consolidated body ...

Nokia Ovi Store Lays Out Security Policy for Third-Party Apps

Nokia opened the Ovi Store today, offering mobile applications, games and other tools. Some of the apps available through the Ovi Store are developed by third-parties, and Nokia wants to ensure those apps are secure enough for primetime before users download them.
- Nokia officially put the welcome mat at the door of its Ovi Store today, stocking its virtual shelves with mobile applications, games, productivity tools and more for dozens of models of Nokia phones. Just like in the Apple App Store, some of those applications are developed by third-parties ...

Correcting the Rhetoric: Windows Vista Is Secure

NEWS ANALYSIS: Windows Vista has come under fire for not being as secure as some would like. But is that criticism really fair? We take a look.
- Windows Vista has come under fire for not being as secure as some would like. At the same time, Vista security can be enhanced when IT managers simply force employees to run as users with limited rights. It effectively creates a situation where the employee can only engage in business activities ...

The Scrap Value of a Hacked PC

In Latest Warnings

Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, that bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common -- yet often overlooked -- ways that cyber crooks can put your PC to criminal use.

The graphic above shows the different reasons criminals may want access to your system. I've explained each category in more detail below:

Illicit Web Hosting

Cyber criminals commonly use hacked PCs as a host for a variety of dodgy Web hosting schemes, including:

- Spam Web sites
- Phishing Web sites
- Malware download sites
- "Warez" servers, or hosts

SB09-146: Vulnerability Summary for the Week of May 18, 2009

Cisco Security Center: IntelliShield Cyber Risk Report
May 18-24, 2009

Report Highlight: Examining Business Privacy Challenges in the Cloud

Obama's Supreme Court Pick Schooled in Cyberlaw

By David Kravets

Sonia Sotomayor, President Barack Obama's nominee to the Supreme Court, would come to the court schooled in cyberlaw, having already ruled on hot-button issues ranging from copyright law in a digitized world, warrantless computer searches, so-called click-wrap agreements and national security letters.

Judge Threatens Sanctions in NSA Wiretap Case

By David Kravets

A federal judge in a closely watched wiretapping case is threatening to rule against the Obama administration for "failing to obey the court's orders."

Vista Service Pack 2 Now Ready for Download

Microsoft has released the final version of Windows Vista Service Pack 2.

Hands On With Intel's Moblin Linux for Netbooks

Intel's Moblin 2.0 Linux desktop for netbooks is really still too raw to be called a beta, but it's showing great promise.

Tuesday, May 26, 2009

Around The Horn vol.1,108

Technitium FREE MAC Address Changer v5 R2 Released for Windows

By Darknet on windows 7 rc

It’s been a while since the last update of Technitium back in June 2008, the latest release is v5 R2 with support for Windows 7 RC. Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a [...]

DNS DDoS Attack Takes Down China Internet

By Darknet on great-firewall-of-china

The latest news is a few million Chinese Internet users had trouble accessing any websites yesterday due to a DDoS attack on the DNS system from one of the country's registrars. It just shows that China has an inherently weak infrastructure if such a large portion of people can be disrupted with an attack to a [...]

NTPD autokey vulnerability, (Mon, May 25th)

US Cert published VU#853097 the other day detailing an exploitable buffer overflow in the implementa ...(more)...

Wireshark-1.0.8 released, (Mon, May 25th)

Speaking of wireshark, a new version was released last week which fixes a vulnerability in the PCNFS ...(more)...

More tools for (US) Memorial Day, (Mon, May 25th)

For those of you (in the US anyway) enjoying a day off and BBQ-ing, here is another cool new tool I ...(more)...

Brief: Judge tosses BU "hacker" search warrant

-- Aurora Report says check out issue 107 for the long weekend's articles.

Monday, May 25, 2009

Around The Horn vol.1,107

—Happy Memorial Day! Semper Fi!

Orange.fr compromised - 245,000 clear text passwords exposed?

By Rik Ferguson on SQL Injection

Treat your password like your toothbrush, don’t let anyone else use it and change it every six months. (Clifford Stoll) It looks like HackersBlog have come out of retirement, and with a bang. (see here for an earlier interview I did with HackersBlog) They have posted a couple of stories this month, one regarding a SQL injection [...]

Facebook phishing using Belgium (.be) domains, (Sun, May 24th)

This is not new or exciting, but as we have received several reports during the weekend (thanks to a ...(more)...

Analyzing malicious PDF documents, (Sun, May 24th)

As we announced in a recent ISC diary, Adobe is changing its patching model and strategy, but it see ...(more)...

IIS admins, help finding WebDAV remotely using nmap, (Sun, May 24th)

If you are concerned about the recent unpatched IIS 6.0 WebDav Remote Auth Bypass vulnerability (CVE ...(more)...

IT Managers Feel Pressured to Relax Security Policies (May 20, 2009)

According to a recent survey of 1,300 IT managers, 86 percent said they were being pressured by company executives, marketing departments, and sales departments to relax web security policies to allow access to web-based platforms such as Google Apps.......

GAO Report Says Federal Agencies Still Have Security Control Deficiencies (May 21, 2009)

According to a report from the US Government Accountability Office (GAO), all but one of the 24 major government agencies have weak data access control in their information security programs.......

Deleted Photos Do Not Always Disappear Right Away (May 21, 2009)

Researchers have found that photos posted on social networking websites are sometimes available even after users have deleted them.......

Defense Lawyer in Palin eMail Hacking Case Says Messages Already a Matter of Public Record (May 20, 2009)

A lawyer on the defense team for David Kernell, the Tennessee college student accused of illegally accessing the emails of Alaska Governor and then-vice-presidential candidate Sarah Palin, says that a judge had already declared Palin's emails to be a matter of public record.......

Malware Infects Computers at US Marshals Service and FBI (May 21, 2009)

Part of the computer system at the US Marshals Service was shut down Thursday morning after malware was detected.......

Missing Hard Drive Holds Clinton Presidency Data (May 19 & 20, 2009)

Federal investigators are looking into the disappearance of a hard drive from the US National Archives facility in College Park, Maryland.......

Java Flaw Still Unpatched in OS X (May 19 & 20, 2009)

In December 2008, Sun Microsystems warned of a flaw in its Java virtual machine that could be exploited to execute code on vulnerable computers.......

Adobe to Establish Regular Security Updates (May 20 & 21, 2009)

Adobe has announced that it will institute a quarterly security update schedule for its Reader and Acrobat products to harden code and improve its response to reported security flaws.......

Laptop Stolen From Car Holds UK Soldiers' Data (May 20, 2009)

A laptop computer stolen from a parked car near Edinburgh holds personally identifiable information of thousands of soldiers.......

Former Texas State Lottery Employee Arrested for Alleged Data Theft (May 20, 2009)

A man who used to work for the Texas state lottery has been arrested and charged with possession of personally identifiable information of 140 lottery employees and winners.......

Ball State Server Breach Not Due to IIS Flaw (May 21, 2009)

Ball State University network administrators now say that a computer security breach at the Muncie, Indiana school was due to misuse of an authorized Ball State user account and not to an exploit of a known zero-day privilege elevation vulnerability in Microsoft's Internet Information Services (IIS) web server, as was previously reported.......

Interesting Opportunities for both AJAX Technologies and Hacking Communities

XMLHttpRequest, the backbone of Web 2.......

HP Remote Graphics Software (RGS) Sender Running Easy Login, Unauthorized Access

Coppermine Photo Gallery Cross-Site Scripting

MyBB Cross-Site Scripting Vulnerability

TIBCO SmartSockets Stack Buffer Overflow Vulnerability

Microsoft PowerPoint Integer Overflow Vulnerability

Remote exploitation of an integer overflow vulnerability in Microsoft Corp.'s PowerPoint could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs during the parsing of two related PowerPoint record types. The first record type is used to specify collaboration information for different slides. One of the fields in this record contains a 32-bit integer that is used to specify the number of a specific type of records that are present in the file. This integer is used in a multiplication operation that calculates the size of a heap buffer that will be used to store the records as they are read in from the file. The calculation can overflow, resulting in an undersized heap buffer being allocated. By providing a large value for the record count, and inserting enough dummy records, it is possible to trigger a heap based buffer overflow.

From Facebook to Twitter, Tips for Dealing With Phishers

Phishers using Twitter and Facebook is nothing new, but the security community expects it is only a matter of time before social networks are used as a launch pad for phishing attacks against enterprises. Here are a few tips to keep in mind when talking to your employees about phishing.
- Two of the Web's most popular social networks, Facebook and Twitter, made the news last week when they were hit with phishing scams. Despite the publicity, most phishers targeting enterprise data are not hooking victims via social networks - at least not yet. "We've yet to respond to an incident wher...

Defender's Dilemma vs Intruder's Dilemma

By Richard Bejtlich

This is a follow-up to my post Response for Daily Dave. I realized I had a similar exchange three years ago, summarized in my post Response to Daily Dave Thread. Since I don't seem to be making much progress in this debate, I decided to render it in two slides.
First, I think everyone is familiar with the Defender's Dilemma.

The intruder only needs to exploit one of the victims in order to compromise the enterprise.
You might argue that this isn't true for some networks, but in most places if you gain a foothold it's quickly game over elsewhere.
What Dave and company don't seem to appreciate is that there is a similar problem for attackers. I call it the Intruder's Dilemma.

The defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise.
What's interesting about this reality is that it applies to a single system or to a collection of systems. Even if the intruder only compromises a single system, the variety of indicators available make it possible to detect the attacker. Knowing where and when to look, and what to look for, becomes the challenge. However, as the scope of the incident expands to other systems, the probability of discovery increases. So, perversely, the bigger the incident, the more likely someone is going to notice.
Whether or not you can actually detect the intruder's presence depends on the amount of visibility you can achieve, and that is often outside the control of the security team because the security team doesn't own computing assets. However, this point of view can help you argue why you need the visibility to detect and respond to intrusions, even though you can't prevent them.

Response for Daily Dave

By Richard Bejtlich

Recently on the Daily Dave mailing list, Dave Aitel posted the following:
...The other thing that keeps coming up is memory forensics. You can do a lot with it today to find trojan .sys's that hackers are using - but it has a low ceiling I think. Most rootkits "hide processes", or "hide sockets". But it's an insane thing to do in the kernel. If you're in the kernel, why do you need a process at all? For the GUI? What are we writing here, MFC trojans? There's not a ton of entropy in the kernel, but there's enough that the next generation of rootkits is going to be able to avoid memory forensics as a problem they even have to think about. The gradient here is against memory forensics tools - they have to do a ton of work to counteract every tiny thing a rootkit writer does.
With exploits it's similar. Conducting memory forensics on userspace in order to find traces of CANVAS shellcode is a losing game in even the medium run. Anything thorough enough to catch shellcode is going to have too many false positives to be useful. Doesn't mean there isn't work to be done here, but it's not a game changer.

Since I'm not 31337 to get my post through Dave's moderation, I'll just publish my reply here:
Dave and everyone,
I'm not the guy to defend memory forensics at the level of an Aaron Walters, but I can talk about the general approach. Dave, I think you're applying the same tunnel vision to this issue that you apply to so-called intrusion detection systems. (We talked about this a few years ago, maybe at lunch at Black Hat?)
Yes, you can get your exploit (and probably your C2) by most detection mechanisms (which means you can bypass the "prevention" mechanism too). However, are you going to be able to hide your presence on the system and network -- perfectly, continuously, perpetually? (Or at least as long as it takes to accomplish your mission?) The answer is no, and this is how professional defenders deal with this problem on operational networks.
Memory forensics is the same. At some point the intruder is likely to take some action that reveals his presence. If the proper instrumentation and retention systems are deployed, once you know what to look for you can find the intruder. I call this retrospective security analysis, and it's the only approach that's ever worked against the most advanced threats, analog or digital. [1] The better your visibility, threat intelligence, and security staff resources, the smaller the exposure window (compromise -> adversary mission completion). Keeping the window small is the best we can do; keeping it closed is impossible against advanced intruders.
Convincing developers and asset owners to support visibility remains a problem though.
Sincerely,
Richard

Saturday, May 23, 2009

Around The Horn vol.1,106

Compromising web content served over SSL via malicious proxies

By Robert A. on Vulns

Microsoft research has published an excellent paper describing many browser flaws. The use case primarily involves an attacker hijacking the explicitly configured proxy used by the user and via HTTP code trickery they can access the content on an HTTPS established connection. It also outlines browser flaws involving caching of SSL...

Tech Insight: How To Protect Your Organization From Malicious Insiders

New report offers insights on how to prevent malicious insiders from stealing or damaging enterprise data

Adware Stalks Torrents, Social Networks

In Spam

New adware programs are piggybacking on file-sharing services to creep over into everything from users' browsers to their social networks.

Standard updated for reporting suspicious activity

The government has updated its standard for reporting suspicious activity that could be linked to terrorism to deal with issues raised by civil liberties groups and police.

Rolling Review: Trust Digital Enterprise Mobility Management

Platform centralizes management for diverse smartphone environments.

Tech Road Map: 3G Security Is Getting Better, But It's Still Incomplete

Safeguarding wireless traffic in transit is only part of the equation. Pay attention to devices and endpoints, too.

Army Deploying Vista On Hundreds Of Thousands Of Computers

The migration is driven by the better security offered in Windows Vista and Office 2007.

President Clinton Data On Hard Drive Lost By National Archives

The drive contains snapshots of the hard drives of departing administration officials, information that had been stored on 113 4-mm tape cartridges.

Verizon Beefs Up Handset Security

The over-the-air authentication service enables workers to securely access business networks from handsets nearly anywhere in the world.

YouTube Launches U.S. Government Portal

The channel aggregates videos from the White House, CDC, NASA, and other federal agencies using a player that complies with government privacy regulations.

Mac OS X Users Warned About Java Vulnerability

SoyLatte, an X11-based port of the FreeBSD Java 1.6 "patchset" to Mac OS X Intel machines, is also reportedly vulnerable.

Interop 2009 Show Winners

This year's champs come from every corner of IT -- cloud computing, virtualization, network management, security, wireless -- and more. Judges also handed out a green award, and picked a favorite startup before announcing the coveted Best Of Interop winner.

Microsoft Issues IIS Security Advisory

An exploit of the vulnerability could give an attacker access to a directory that normally requires authentication.

Schools' Cybersecurity Needs Improvement

While more than half of surveyed schools reported a breach last year, 75% say their security infrastructure is adequate.

Facebook Users Targeted By Another Phishing Attack

Two weeks after a similar attack, hackers successfully gathered passwords from some of Facebook's 200 million users.

U.S. Defense Department Official Charged With Espionage

A civilian employee at the Pentagon has been charged with conspiring to provide classified information to an agent with ties to the People's Republic of China.

DHS Disaster Recovery Plans Lacking, Report Finds

Eight of the Department of Homeland Security's 27 critical systems don't have an identified alternate processing site.

Apple Mac OS X Update Has Nearly 70 Security Fixes

Version 10.5.7 addresses several issues with Apple's iCal and Mail applications, as well as its Parental Controls control panel.

Microsoft Patches PowerPoint Flaws, But Not For Mac

One of the 14 Patch Tuesday bulletins is rated "critical" and the rest are rated "important." All of them could lead to remote code execution.

Google Morocco Not Hacked, Company Insists

Internet users trying to reach Google Morocco were, for a few hours, sent to a Web site unaffiliated with Google.

Viral Art: A Gallery Of Security Threats

Visually, online threats such as viruses, worms, and Trojans can be as beautiful as they are menacing to individual PC users, enterprises, and IT security professionals.

Data Loss Prevention Rolling Review: Safend Safeguards At The Endpoint

Low-cost endpoint specialist gets the job done -- most of the time.

UC Berkeley Health Service Data Stolen By Overseas Criminals

The breach went undiscovered for six months, during which time Social Security numbers and health insurance information were stolen.

Air Traffic Control System Repeatedly Hacked

A security audit finds a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected folders.

Mass. Criminal Database Deemed Public Safety Risk

The 25-year-old system cannot reconcile arrests with court dispositions or use fingerprints to verify criminal history, state auditor Joe DeNucci finds.

Google Chrome Update Scheme Beats Firefox, Safari, Opera

By automatically updating the browser every five hours, Google Chrome provides greater security than its competitors, according to a new study.

EU Consumer Guide Seeks To Spur, Protect Web Users

An Internet consumers' bill of rights for citizens of the EU aims to promote online shopping and address security concerns.

Windows 7 Retains Windows Explorer Security Risk

A feature in Windows Explorer, the operating system's file management application, enables virus writers to disguise executable files, security researcher says.

NoScript Developer Apologizes For Meddling With AdBlock

His methods caused a furor in the Mozilla community over the weekend because he did not provide clear notification about what his software was doing.

Virginia Health Data Potentially Held Hostage

An extortion demand seeks $10 million to return more than 8 million patient records allegedly stolen from Virginia Department of Health Professions.

Cyberchief Needs To Be In White House

No date has been set for when, or if, such an appointment would be made.

Facebook Expands Security Tools While Combating Phishing Attack

The site has come under siege this week by FBaction.net, which has delivered messages among Facebook friends, telling them to check out a link.

Twitter Employee Account Hijacked

A security breach of a Yahoo Mail account let one hacker peer at info about Barack Obama, Britney Spears, and others.

GPS Evidence Too Unreliable For Legal Purposes

GPS devices can be easily jammed and their data can be spoofed, particularly when tied to cellular systems, experts argue.

Bill Would Shift Government Cybersecurity Requirements

The U.S. Information and Communications Enhancement Act of 2009 would require more continuous monitoring of systems and effectiveness of agencies' cybersecurity measures.

Panda Security Offers Free 'Cloud Antivirus'

The antivirus company says its approach protects against malware 100 times faster than traditional signature-based solutions.

More Companies Requiring IT Security Certification

The study reflects responses from more than 1,000 IT employees.

Swine Flu Fears Fanned By Spammers

Some of these messages contain no malware or malicious links and appear to be information harvesting campaigns.

Microsoft Releases Office 2007 SP2

The productivity suite update adds built-in support for Open Document Format and a slew of other tweaks, including improved Outlook performance.

Q & A: Gen. Colin Powell On Leadership In Times Of Change

Former Secretary of State Colin Powell speaks with InformationWeek about "commander's risk," cybersecurity, H1-B visas, Facebook, and his most immediate concerns for the United States.

InformationWeek Analytics: Endpoint Security And DLP

A smart mix of policies, education, and new technologies like data loss prevention can help IT balance access and protection.

Cybersecurity Balancing Act

Government IT pros struggle to meet mandates as computer system threats keep growing.

Facebook Users Approve Terms Of Use

The changes increase user control while improving account deletion and limiting sublicenses and reducing data exchanges between application developers.

Report For Obama To Say No Quick Cybersecurity Fix

In one instance, 130 automated teller machines in 49 cities around the world were emptied in a 30-minute period last November.

Pentagon Creating Cyber Warfare Command

The Defense Department will unify information security for all the military branches under a command focused on waging cyberwarfare.

Urban ‘Attack’ on Infrastructure

By Francois Paget on Web and Internet Safety

Supervisory Control and Data Acquisition, or SCADA, stands for large-scale distributed remote processing systems that gather data in real time to control critical industrial, infrastructure, or facility processes and equipment. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control. Stories about intruders who damage [...]

Insurers keep an eye on cloud security threats

Data loss is possible anywhere, including in the networks of cloud computing providers, but the unique challenges there are significant enough that they are getting a special look from insurers.

Insider at Cal Water steals $9M and runs

On the night of April 27, 2009, hours after he had resigned from his job as an auditor at the California Water Services Company, Abdirahman Ismail Abdi used his still-active electronic key card to steal more than $9 million electronically.

Phishing using scary bait

Job offers in phishing e-mail are designed to trick users into revealing confidential personally identifiable information (PII); they may also be hoping to fool victims into sending criminals some money.

Yuuguu adds Skype to conferencing app

Web conferencing newcomer Yuuguu has added Skype integration to a roster of features that already lists instant messaging (IM) integration and screen sharing.

US military shows off hack-by-numbers battlefield gadget
Cyber warfare made easier

As the US military strives to boost its ability to wage cyber warfare, it's looking for ways to make it easier for non-expert soldiers on the front lines to wreak havoc on enemy networks.…

Dodgy McAfee update slaps viral warning on Spotify
Was someone listening to Phil Collins again?

Security software from McAfee wrongly identified the Spotify application as a virus, following a misfiring update published on Thursday.…

FBI and US Marshals laid low by mystery virus
Tommy Lee Jones' paperwork delayed

A mystery viral infection forced the FBI and US Marshals Service to pull the plug on parts of their respective computer networks on Thursday, AP reports.…

E-trade scammer pleads guilty to Office Space scam
We're not going to white-collar resort prison. No, no, no

A Californian man who raked in $50,000 after opening thousands of bogus accounts with online brokers, sometimes in the name of cartoon characters, has pleaded guilty to fraud.…

AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know

Category: Application/Database Sec

Paper Added: May 22, 2009

AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them

Category: Application/Database Sec

Paper Added: March 3, 2009

Patching and Apple - Java issue, (Fri, May 22nd)

At the other end of the spectrum is Apple. There is a Java issue (CVE-2008-5353) which wa ...(more)...

Patching and Adobe, (Fri, May 22nd)

We all remember the beating Adobe received back in February regarding the JBIG2 issue. T ...(more)...

Google Chrome 2.0 Browser Brings More Web Security

Google Chrome 2.0 includes some new security features with which to arm itself as it competes in a browser market still dominated by Microsoft Internet Explorer. The new Chrome features include protections against cross-site request forgery and clickjacking.
The latest update to Google Chrome came with a few new bells and whistles, and lots of talk about speed. But what about security? Browser vendors have been struggling to keep pace with the growing Web threat landscape. Internet Explorer 8 added a number of security features. In the latest release ...

News: OpenSSH chink bares encrypted data packets


Brief: Gumblar drive-by download attacks surge

Computer virus strikes US Marshals, FBI affected (AP)


AP - Law enforcement computers were struck by a mystery computer virus Thursday, forcing the FBI and the U.S. Marshals to shut down part of their networks as a precaution.
