Thursday, July 30, 2009

Around The Horn vol.1,142

Congressman calls for P2P ban after sensitive data leaks

By ars@lasarletter.net (Matthew Lasar) on Thomas Sydnor

When he opened Wednesday's hearing on the hazards of inadvertent file sharing via peer-to-peer software, Representative Edolphus Towns (D-NY) said he was done with letting the industry solve the problem. By the end of the hearing Towns had lowered the boom, announcing that he plans to introduce a bill to bar LimeWire-style software from government and government contractor computers and their networks.

One extra ampersand in code leads to IE exploit

By emil.protalinski@arstechnica.com (Emil Protalinski) on Internet Explorer

Microsoft has admitted that one of the out-of-band security updates it released yesterday was actually caused by a single typo in the code. The security flaw in Internet Explorer was caused by an unnecessary ampersand character, according to The Security Development Lifecycle blog: "The extra '&' character in the vulnerable code causes the code to write potentially untrusted data, of size cbSize, to the address of the pointer to the array, pbArray, rather than write the data into the array, and the pointer is on the stack. This is a stack-based buffer overrun vulnerability." The typo corrupted the code of the MSVidCtl ActiveX control used by Internet Explorer.

Cheerleader sues school, coach after illicit Facebook log-in

By jtimmer@arstechnica.com (John Timmer) on privacy

At this point, you would think that most users would be aware that they should keep embarrassing information off of Facebook. Everyone from potential employers to the press regularly checks users' accounts on the service, looking for evidence of illicit or debauched behavior, and a number of jobs have been lost due to the information found there. Still, many fail to exercise discretion when using the service, people in positions of power are catching on, and there continue to be problems that result from the blurring of boundaries between public and private.

Benign security warnings have trained users to ignore them

By jacqui@arstechnica.com (Jacqui Cheng) on study

Internet users have grown immune to security certificate warnings and are more than happy to click past them, according to a new report out of Carnegie Mellon University. Researchers found that users won't hesitate to engage in this risky browsing behavior, especially since most warnings are for benign things like expired certificates. This behavior leaves them vulnerable to man-in-the-middle attacks, and the report calls for a reform in how warnings are handled in both safe and dangerous situations.

IE and VS out-of-band security patches coming tomorrow

By emil.protalinski@arstechnica.com (Emil Protalinski) on Visual Studio

Late on Friday, Microsoft issued an advance notification for two out-of-band security bulletins, one for Internet Explorer and one for Visual Studio, to be released tomorrow. Microsoft typically releases security patches the second Tuesday of every month and did not say why this out-of-band release was necessary. While this release encompasses Internet Explorer (Critical rating) and Visual Studio (Moderate rating), Microsoft says the patches address a single issue that can be exploited via Remote Code Execution. Both patches will require a restart. The good news Microsoft relayed was that customers who are up-to-date on their security updates are protected from known attacks related to this out-of-band release.

New iPhone hardware encryption not even close to hack proof

By chris.foresman@arstechnica.com (Chris Foresman) on security

Apple has attempted to improve the security of iPhone data two ways with recent updates. One new feature is encrypted backups, available to any phone running iPhone OS 3.0 and iTunes 8.2 or later. Another is hardware-based encryption, available on the iPhone 3GS. On the surface, these things may seem industrial-grade, but iPhone data forensics expert Jonathan Zdziarski told Ars that it's trivial to get around these features.

Flash security vulnerability exploited in PDFs

By segphault@arstechnica.com (Ryan Paul) on Flash

When Adobe released Acrobat 9 last year, the company introduced support for embedding Flash media in PDF files. This feature is now being used by attackers who are exploiting a new vulnerability in Adobe's Flash media plugin. The vulnerability allows remote code execution, making it a potential vector for malware deployment.

WASC Threat Classification 2.0 Sneak Peek

By Robert A. on XSS

Here is a sneak peek at the WASC Threat Classification v2.0. We've been working on this for more than a year and it's been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement "The Threat Classification...

Fuzzware 1.5 released

By Robert A. on Tools

"Fuzzware is a tool for pen-testers and software security testers that is designed to simplify the fuzzing process, while maximising the fuzzing quality and effectiveness. Fuzzware is adaptable to various testing scenarios (e.g. file fuzzing, Web Services fuzzing, etc), gives you fine grain control over the fuzzing techniques used and ensures any...

Social Security Numbers Can Be Extrapolated From Public Data

By Robert A. on IndustryNews

"For years, government officials have urged consumers to protect their social security numbers by giving out the nine-digit codes only when absolutely necessary. Now it turns out that all the caution in the world may not be enough: New research shows that social security numbers can be predicted from publicly available...

New Attack on AES

By Robert A. on Research

A new attack has been discovered against AES. "Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key...

Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers

By Robert A. on IndustryNews

"A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a...

Three Web Application Firewall Advisories, Whitepaper Published

By Robert A. on Web Application Firewalls

Michael Kirchner and Wolfgang Neudorfer have published 3 advisories in various Web Application Firewall products. Artofdefence Hyperguard Web Application Firewall (Remote Denial of Service) http://www.h4ck1nb3rg.at/wafs/advisory_artofdefence_hyperguard_200907.txt phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution) http://www.h4ck1nb3rg.at/wafs/advisory_phion_airlock_200907.txt radware AppWall Web Application Firewall (Source code disclosure on...

Researchers exploit flaws in SSL and domain authentication system

By Elinor Mills

LAS VEGAS - Two researchers have separately uncovered flaws in the way domain names are verified on the Internet that could allow attackers to impersonate a site and steal information from unsuspecting Web surfers.

Researchers attack my iPhone via SMS

By Elinor Mills

LAS VEGAS--Researchers have discovered a way to take complete control over an iPhone merely by sending special SMS messages...

Hackers rumored to have cracked Windows 7 activation

By Dong Ngo

Microsoft only just released final code for Windows 7 to manufacturers and the company is already facing a security risk.

The Windows Genuine Advantage antipiracy system in the Windows 7 Ultimate release to manufacturers (RTM) has reportedly been compromised by some Chinese hackers, according to a variety of Chinese forums, ...

Security experts' sites hacked on eve of Black Hat conference

By Elinor Mills

LAS VEGAS--Web sites of a handful of security experts and groups were hacked and passwords, e-mails, IM chats and other information were posted on the Internet on Tuesday, the eve of the Black Hat security conference.

Jailbreaking iPhone could pose threat to national security, Apple claims

By Dong Ngo

I just got my new iPhone 3GS the other day and the first thing I did with it was get it jailbroken, just how I handled my iPhone 3G.

Single misplaced '&' caused latest IE exploit

By Lance Whitney

A security hole in Internet Explorer that opened the browser to hackers since early July was caused by a single typo in Microsoft's code.

An errant ampersand ("&") took the blame for the exploit, admitted Microsoft in a blog published Tuesday at its Security Development Lifecycle (SDL) Web site.

Clampi Trojan stealing online bank data from consumers and businesses

By Elinor Mills

LAS VEGAS--Hundreds of thousands of Windows computers are believed to be infected with a Trojan called "Clampi" that has been stealing banking and other ...

Report: Spam and malware at all-time highs

By Lance Whitney

Spam and botnets have hit their highest levels ever, according to McAfee's second-quarter Threats Report, released Wednesday. McAfee's Avert Labs says spam recorded in the second quarter shot up 80 percent compared with the first quarter of the year.

Report finds fake antivirus on the rise

By Elinor Mills

Malware posing as antivirus software is spreading fast with tens of millions of computers infected each month, according to a report to be released on Wednesday from PandaLabs.

Microsoft offers patches to ward off ActiveX attacks

By Elinor Mills

Microsoft released an emergency patch on Tuesday to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other Web application components that has been targeted in attacks.

Researchers attack my iPhone via SMS
Two security researchers prove to a reporter during Black Hat that they can indeed "Pwn" ...

Web users ignoring security certificate warnings

By Tom Espiner

Digital certificate warnings in Web browsers are not an effective security measure, according to Carnegie Mellon researchers.

Talent search is on for cybersecurity students

By Elinor Mills

The U.S. government on Monday launched a national talent search for high school and college students interested in working in cybersecurity.

Network Solutions breach exposes nearly 600,000

By Elinor Mills

Network Solutions is investigating a breach on its servers that may have led to the theft of credit card data of 573,928 people who made purchases on Web sites hosted by the company.

AVG temporarily blocked iTunes, labeling it malware

By Elinor Mills

AVG's free antivirus product temporarily blocked users from getting to iTunes late last week, detecting it as a Trojan, the company said on Monday.

Microsoft says security programs are paying off

By Elinor Mills

One year after launching three security programs designed to improve security industry-wide, Microsoft is finding that more security patches are beating exploits out the door.

From iPhones to smart grids at Black Hat, Defcon

By Elinor Mills

My favorite security show each year is one at which there are no sales pitches, the speakers favor black T-shirts and dyed hair over suits and ties, and the talks tend to be controversial enough to prompt legal threats and even arrests.

HP researchers develop browser-based darknet

By Tom Espiner

Two researchers for Hewlett-Packard have created a browser-based darknet, an idea that could make it easier for businesses to keep eavesdroppers from uncovering confidential information.

Darknets are encrypted peer-to-peer networks normally used to communicate files between closed groups of people. Most darknets require a ...

Microsoft to fix critical hole in IE

By Elinor Mills

In a rare move, Microsoft on Friday said it would be releasing security updates on Tuesday--outside of its monthly patch cycle--for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.

Expert: iPhone 3GS crypto is easily crackable

By Elinor Mills

The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" as far as protecting sensitive personal data like credit card and social security numbers, according to a forensics expert and iPhone developer.

Facebook closes API loophole that let people see strangers' photos

By Elinor Mills

Facebook has changed its application-programming interface to close a loophole developers were using to write applications based on access to photo albums set to be viewable by everyone.

Obama Safe House location leaked over P2P

By Rik Ferguson on Opinion

In an article published today by Computerworld, it was revealed that the details of a US Secret Service safe house - one meant for the US First family in the event of a national emergency - had been leaked over peer-to-peer networks using the popular LimeWire client. This is of course not the fault of LimeWire [...]

ZF05, Kaminsky = 0wned, Mitnick = 0wned

By Rik Ferguson on vulnerability

The hacker group Zero for Owned have released their latest zine, and this time, in their own words it’s “a big one”. The group have compromised Kevin Mitnick and Dan Kaminsky to name just the two highest profile victims. The timing of the release can be no coincidence, with BlackHat opening this week.

Dutch Spammer fined €250000

By Rik Ferguson on email

Subsequent to official warnings given in 2005, OPTA, the telecoms watchdog in the Netherlands, has issued a fine of €250000 against Dutch national Reinier Schenkhuizen whom they label a “persistent spammer”. The fine comprises €150000 for sending the mails and €100000 for not including a link to unsubscribe from the mailings and will be increased by €5000 [...]

New malicious tweet run on Twitter

By Rik Ferguson on web

Only two days after Twitter had a major clear-out of spambot accounts, a new malicious tweet campaign is gathering speed, (currently at an under-the-radar speed of 33tph (tweets per hour)) using hundreds of accounts that appear to have been created just for this purpose. The creation of the accounts actually predates Twitter’s clean-up operation in most cases, with the accounts [...]

Get Intimate with Facebook

By Rik Ferguson on web

There has been a considerable amount of talk on various social networks recently about how a Facebook user’s personal content can be used in advertising. In truth it seems there are two separate technical issues at play here. Although (in keeping with an earlier blog post) the real problem boils down to a lack [...]

crack.pl – SHA1 & MD5 Hash Cracking Tool

By Darknet on sha1 password cracker

crack.pl is a tool for cracking SHA1 & MD5 hashes, including a new BETA tool which can crack MD5 that have been salted. You can use a dictionary file or bruteforce and it can be used to generate tables itself. NOTE – Salt function is currently only available for md5, you need to append ‘\’ in front [...]

Hacker Group L0pht Making A Comeback

By Darknet on symantec

L0pht has been a staple of the hacking scene since the Internet existed, with the ever fabulous L0phtcrack being their best known offering. Of course when that was sold off to Symantec then subsequently discontinued, things changed a lot. Well now the Hacker News Network is back online, one of the side projects of L0pht Heavy Industries [...]

Wireshark 1.2.1 Released – Network Protocol Analyzer

By Darknet on wireshark

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Many of you will know it as Ethereal. Features Deep [...]

UAE Telco Etisalat Installs Spyware On Users Blackberries

By Darknet on uae

Now this is pretty disgusting behaviour from a national telco provider, but well is it really surprising in Dubai? For me..no it’s not. I’ve spent a reasonable amount of time in Dubai on various projects, and my first surprise was Flickr being blocked. Especially as Dubai is probably the most liberal place in the

Microsoft Vulnerability Underscores Importance of Strong SDL

In Vulnerability Research

At the heart of the security issue involving the MSVidCtl ActiveX control was a single piece of code - an "&" symbol. Microsoft says it was hard to catch in a code review, but either way it underscores the importance of having good policies in place to catch vulnerabilities.

Black Hat: Security Research Celebs Prepare to Rock Black Hat

In Vulnerability Research

All the ethical hacking and vulnerability management rock stars are ready to go in Vegas at Black Hat.

Black Hat: Microsoft Touts Progress of Security Initiatives

In Vulnerability Research

Microsoft is claiming significant progress with some of the vulnerability information sharing projects it launched in late 2008.

Twitter Attacks Getting Smarter

In Web 2.0

Twitter-borne attacks just keep on getting slicker. It might not be long before they so well mimic real user interactions that it's impossible to tell the difference.

In Malware Schemes, Sex Still Selling

In Virus and Spyware

Sex still sells in the world of malware, if evidenced only by attackers' continued devotion to the world's oldest social engineering tactic.

Conficker Mystery to Continue at Black Hat Conference

In Vulnerability Research

An F-Secure researcher was planning to reveal the secrets of the group behind the infamous Conficker worm but has been derailed. But that doesn't mean there won't be plenty to talk about.

The Business of Botnets

In Spam

Everyone knows botnets are a big business. But how big? Kaspersky Lab has some statistics that may surprise you.

As Malware Bell Tolls, Time Marches On

In Virus and Spyware

McAfee reports that it has seen nearly as many unique attacks over the course of first-half 2009 as it observed during all of 2008.

Security risks evolve alongside social media

Facebook and Twitter make it possible for government agencies to communicate and interact with the public in ways not possible just two years ago. But these social media tools also create new types of security risks that agencies must anticipate and plan for.

Private cybersecurity commission to continue

The Center for Strategic and International Studies' cybersecurity commission plans to give more recommendations about how the government can better secure cyberspace.

Got cyber skills? Uncle Sam wants you

A new program tries to find young people that could meet the government's need for more highly skilled cybersecurity professionals.

Official: Panel wants privacy protection for electronic medical records

A federal advisory panel wants encryption and access controls to protect patients' medical records, official says.

DDoS Malware Was Produced in Korea

Posted by InfoSec News on Jul 28

http://www.koreatimes.co.kr/www/news/tech/2009/07/129_49163.html

By Kim Tong-hyung
Staff Reporter
Korea Times
07-27-2009

The powerful Internet attack that crippled South Korean computers earlier this month may have been initiated by local hackers after all, according to a police report...

Cyber Wars: Experts say Armenia IT sector vulnerable to attack

Posted by InfoSec News on Jul 28

http://armenianow.com/?action=viewArticle&AID=3971&CID=3762&IID=1245&lng=eng

By Georg Khachaturyan
Armenianow.com
24 July, 2009

A cyber security expert has predicted a rise in the number of hacker attacks against Armenian web resources pointing an accusatory finger at ...

Microsoft Unveils Security Tools, Resources At Black Hat

Posted by InfoSec News on Jul 28

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218600627

By Thomas Claburn
InformationWeek
July 27, 2009

At the Black Hat conference in Las Vegas this week, Microsoft (NSDQ: MSFT) plans to provide a progress report on the security initiatives ...

Researchers Try to Stalk Botnets Used by Hackers

Posted by InfoSec News on Jul 28

http://www.nytimes.com/2009/07/28/science/28comp.html

By JOHN MARKOFF
The New York Times
July 27, 2009

Researchers at Sandia National Laboratories in Livermore, Calif., are creating what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort...

Security researchers unpick botnet economics

Posted by InfoSec News on Jul 28

http://www.theregister.co.uk/2009/07/24/botnet_economics/

By John Leyden
The Register
24th July 2009

The economics of botnets and the sale of stolen information in underground bazaars have been detailed in greater depth than ever before in new research from Kaspersky Lab.

Microsoft rushes to fix IE kill-bit bypass attack

Posted by InfoSec News on Jul 28

http://www.computerworld.com/s/article/9135950/Microsoft_rushes_to_fix_IE_kill_bit_bypass_attack?taxonomyId=17

By Robert McMillan
IDG News Service
July 27, 2009

Microsoft has been forced to issue emergency patches for its Windows operating system after researchers discovered a way to...

10 Tips for iPhone Users at DEFCON 17

Posted by InfoSec News on Jul 27

http://wikee.iphwn.org/howto:iphones_at_defcon

iPhone Dev Team
2009/07/27

This week, MuscleNerd and a few other unnamed dev team members will be at DEFCON 17 in Las Vegas. We'll of course be carrying our iPhones on us like last year. Bringing an iPhone to a conference packed with hackers...

Network Solutions warns merchants after hack

Posted by InfoSec News on Jul 27

http://www.computerworld.com/s/article/9135905/Network_Solutions_warns_merchants_after_hack?taxonomyId=17

By Robert McMillan
IDG News Service
July 25, 2009

Criminals may have stolen more than half a million credit card numbers from merchant servers hosted by Network Solutions, the...

US set to hike aid aimed at Iranians

Posted by InfoSec News on Jul 27

http://www.boston.com/news/nation/washington/articles/2009/07/26/us_to_increase_funding_for_hackivists_aiding_iranians/

By Farah Stockman
Boston Globe Staff
July 26, 2009

WASHINGTON - The Obama administration is poised to dramatically increase funding aimed at helping Iranian activists...

Rising Internet Fraud, Darknets On Agenda At Black Hat

Posted by InfoSec News on Jul 27

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218600423

By Thomas Claburn
InformationWeek
July 23, 2009

The economy may still be sputtering but for hackers and scammers, opportunities abound. At the Black Hat security conference in Las Vegas next...

Click, click ... counting down to Cyber 911

Posted by InfoSec News on Jul 27

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/07/25/IN6K18S60M.DTL

By John Arquilla
San Francisco Chronicle
Sunday Insight
July 26, 2009

When it comes to national security, our leaders are overly focused on nuclear weapons of mass destruction; more thought should be given to the ...

Blumenthal defers judgment on FISMA use

Posted by InfoSec News on Jul 27

http://fcw.com/articles/2009/07/24/blumenthal-defers-judgment-on-fisma-use.aspx

By Alice Lipowicz
FCW.com
July 24, 2009

The top federal official for health information technology has not taken a position on one of the pressing issues that affects nationwide sharing of health information...

One In Two Security Pros Unhappy In Their Jobs

Posted by InfoSec News on Jul 24

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=218600434

By Kelly Jackson Higgins
DarkReading
July 23, 2009

You'd think most professionals in a hot industry like IT security would feel content and challenged technically and creatively in their jobs -- but not...

Hacker Group L0pht Makes a Comeback, of Sorts

Posted by InfoSec News on Jul 24

http://www.cio.com/article/497967/Hacker_Group_L_pht_Makes_a_Comeback_of_Sorts

By Robert McMillan
IDG News Service
July 23, 2009

The news report begins with shots of a tense space shuttle launch.
Engineers hunch over computer banks and techno music pounds in the background. There is a...

Energy gets jump on implementing DNS security on ESnet research network

Posted by InfoSec News on Jul 24

http://gcn.com/articles/2009/07/27/update1-esnet-dns-security.aspx

By William Jackson
GCN.com
July 23, 2009

The Energy Department has started implementing Domain Name System Security Extensions on its high-performance Energy Sciences Network (ESnet), using a commercial appliance to...

Black Hat: Android, iPhone SMS Flaws Revealed

Security researchers have identified several SMS vulnerabilities that can be used to deny service to mobile phones. They're presenting on Thursday but their findings have been published.

Fake Security Software Steals $34 Million Monthly

Cybercriminals are making a fortune by preying on gullible computer users.

Apple Fears Jailbroken iPhones Could Kill Phone Networks

Fighting an attempt to win a copyright law exemption that would sanction the use of unauthorized iPhone software, Apple claims phone networks are at risk when it's not in charge.

Black Hat: Smart Meter Worm Attack Planned

IOActive's Mike Davis intends to unleash a worm on a smart meter at the Black Hat security conference on Thursday.

Google Hot Trends Dictate Malware Targeting

Popular search terms get more dangerous, a security report finds. And crossword puzzle players should be particularly vigilant.

Microsoft Issues Emergency Fixes For IE, Visual Studio

Outside of its normal patch cycle, Microsoft has released two security bulletins to fix critical flaws.

AT&T Says DoS Attack Prompted Block Of 4chan Site

The popular bulletin board site had been under a constant attack by hackers for three weeks before it was detected by the telecom company.

Security Worries Ratcheting Up; Spending Down

One in five IT managers expects to curtail investments in encryption, authentication, application security, and protection against DoS attacks this year, survey says.

Microsoft Plans Emergency Patch Tuesday

Two out-of-band security bulletins will be issued tomorrow to fix a critical flaw in Internet Explorer and a related issue in Visual Studio. Microsoft is withholding details until the patches are released.

Global CIO: An Open Letter To Cisco CEO John Chambers

In an open letter to Cisco CEO John Chambers, this column notes that Cisco is expanding beyond its traditional networking business with its Unified Computing System, telepresence, and other enterprise-level efforts. While this offers great potential, it also raises this question: What business is Cisco in today?

Microsoft Unveils Security Tools, Resources At Black Hat

Dealing with the changing threat landscape requires information sharing, Microsoft says, and it has developed software, guidelines, and programs to help make that happen.

Apple iPhone Security Weaknesses Exposed On YouTube

Deleted voice mail, e-mail, and other data on the iPhone 3GS is vulnerable to hackers, a security expert claims in two video tutorials.

The AP Plans 'News Registry' To Protect Content

The world's oldest and largest news gathering organization aims to fight online theft of its content with digital tracking beacons.

Q2 Threat Report Released and it's all about botnets and spam

By David Marcus on Vulnerability Research

Today we released our Q2 Threat Report. Some trends have continued. Some new trends and threats have been established and some old friends have even outdone themselves. Spam volumes have increased 141 percent since March, continuing the longest streak of increasing spam volumes ever. We also highlight the dramatic expansion of botnets and the threat [...]

Counting Badness

By Toralv Dirro on Web and Internet Safety

Following up on the recent post by my colleague Dave Marcus concerning malware growth, the guys from AV-Test in Germany just released their updated stats. To avoid confusion when comparing the different numbers, here’s a quick explanation of the different counts: AV-Test counts unique binaries. Unique means different cryptographic hashes. So the same Trojan, obfuscated with [...]

Verizon offers free service to help developers test for Microsoft ATL flaw

Verizon Business is offering a free scanning service for developers to help them determine whether any controls or components they built using Microsoft's ATL are vulnerable to flaws Microsoft patched on Tuesday.

Extra '&' in Microsoft development code gave hackers IE exploit

Microsoft on Tuesday confirmed that a single superfluous character in its own development code is responsible for the bug that has let hackers exploit Internet Explorer (IE) since early July.

Apple: Jailbreaking could knock out transmission towers

Apple has told the U.S. Copyright Office that modifying the iPhone's operating system could crash a mobile phone network's transmission towers or allow people to avoid paying for phone calls.

Mobile Security: How Gadgets Evolved

CSO Publisher Bob Bragdon is a self-proclaimed "gadget head." His collection, which spans from 1987, runs the gamut from primitive digital address book to the latest generations of today's Blackberry and iPhone (Check out the slideshow to see pictures of all of them).

Security vendor McAfee spills 1,400 customer names

In a story just dripping with irony, e-mail security vendor McAfee has accidentally sent the contact details of some 1400 conference attendees in a spreadsheet attached to a thank you message.

Some SMS networks vulnerable to attack

Flaws in the way some mobile-phone networks handle SMS (short message service) signaling data could leave them open to a whole new range of attacks.

iPhone SMS attack to be unleashed at Black Hat

Apple has just over a day left to patch a bug in its iPhone software that could let hackers take over the iPhone, just by sending out an SMS message.

Microsoft delivers emergency patches to IE, code library

As promised, Microsoft today patched six vulnerabilities in Internet Explorer (IE) and Visual Studio with the first "out-of-cycle" update since it plugged a hole last October that the Conficker worm later used to run rampant.

Microsoft Issues Emergency Patches for IE

Microsoft today took the unusual step of releasing out-of-band patches for severe security flaws in all versions of Internet Explorer, along with related holes in the Microsoft Active Template Library included with Visual Studio.

Microsoft rushes patches to fix 'big deal' programming flaw

As promised, Microsoft today patched six vulnerabilities in IE and Visual Studio with its first "out-of-cycle" update since last October, when it plugged a hole later exploited by the Conficker worm.

CDT wants US gov't to detail computer monitoring program

U.S. President Barack Obama's administration needs to answer several questions about the privacy implications of a new version of a computer intrusion detection system that can reportedly read e-mail, a privacy and civil rights advocacy group said.

Brits won't use firms involved in security breaches

Almost half of Brits claim they wouldn't purchase goods or services from a company that had suffered a security breach, says SafeNet UK.

Researchers clam up about Microsoft's rush patches

Microsoft Corp. has dropped a cone of silence over several security researchers who have recently divulged details of the vulnerabilities that the company will patch later today with a pair of emergency updates.

Tories' NHS IT proposals slammed by own party member

David Davis has heavily criticised his own party's plans to allow NHS patient records to be stored online by IT suppliers.

Online banking security boost: Credit union shifts to two-factor authentication

Addison Avenue Federal Credit Union is strengthening its online banking security by implementing two-factor variable-password authentication.

F-Secure: Chinese firms write world's first SMS worm

Three Chinese companies -- XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin -- created the 'Sexy Space' worm, also known as the Yxe worm (Worm:SymbOS/Yxe.D), and submitted it for Symbian OS-based phones through the express signing procedure, F-Secure Security Labs said recently.

Almost all Windows users vulnerable to Flash zero-day attacks

More than 90% of Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, a Danish security company said today.

AT&T's 4chan Block Raises Issue of Net Neutrality

It appears some of AT&T's broadband customers across the United States were intentionally blocked from accessing the infamous forum 4chan over the weekend. The message board's founder Christopher "Moot" Poole posted a notice on the 4chan Status blog yesterday claiming AT&T was "filtering/blocking img.4chan.org (/b/ & /r9k/) for many of [its] customers." Poole encouraged 4chan users to contact AT&T to complain. The 4chan blackout lasted for about 12 hours and was reportedly over by 11 p.m. Pacific Time.

New initiative is looking for a few good cybersecurity pros

Amid concerns that the U.S. has a shortage of cybersecurity professionals, a new consortium of U.S. government and private organizations aims to identify students with strong computer skills and train them as cybersecurity guardians, warriors and "top guns."

PCI breaches shed light on cloud security

Credit card numbers compromised in an attack against Web hosting provider Network Solutions expose one of the security problems faced by cloud computing.

Adobe users face week of exploit angst

For at least the next week users of Adobe's Acrobat Reader and Flash Player will be vulnerable to a zero-day exploit now rated as 'highly critical', security companies are warning.

Karoo u-turn over internet piracy policy

Karoo, the Hull-based ISP that suspended the accounts of web users caught illegally file-sharing, has changed its policy for tackling internet piracy.

Karoo suspends accounts of illegal file-sharers

A UK ISP has suspended the accounts of a number of customers it suspects have been involved in file-sharing activity.

Twitter breach revives security issues with cloud computing

Security and privacy issues over cloud computing are not very different from those surrounding any sort of IT outsourcing and need to be treated that way, security managers and analysts say in the wake of breaches involving Twitter and Google Apps.

Best data loss prevention tools

Finding the right data loss prevention tool means striking a balance between speed, success rate at detecting and/or blocking sensitive data from exiting the network, and adequate coverage across a broad range of rule-sets and protocols.

Microsoft rushes clutch patch for 'deep' bug in Windows, third-party apps

The emergency patches Microsoft plans to rush out on Tuesday will fix a flaw that runs through several critical Windows components and an unknown number of third-party applications, according to a pair of security researchers.

Network Solutions warns merchants after hack

Criminals may have stolen more than half a million credit card numbers from merchant servers hosted by Network Solutions, the Internet hosting company warned Friday.

Microsoft to rush out emergency IE patch

Microsoft is taking the unusual step of rushing out two emergency security patches ahead of its regularly scheduled updates on Aug. 11.

Bugs & Fixes: Failure to launch bugs

This week, Apple released updates to its Final Cut and Logic products. (Macworld has extensive coverage of the new features in Logic as well as the Final Cut Studio suite.)

Beware of Privacy-Policy Loopholes

"We won't share your information with third parties." You've no doubt seen that common phrase in Web site privacy policies many times. You might think that the site in question won't divulge details about your visit to other companies or organizations. But according to a study by privacy researchers at the University of California, Berkeley, sites have a huge amount of wiggle room with that promise.

Can privacy and consumer protection coexist online?

Legislation that would create privacy regulations for online advertising could cause consumers to get fewer free services and isn't necessary because privacy advocates have shown no harm from data collection, the co-author of a study on online advertising said.

Security certificate warnings don't work, researchers say

Every Web surfer has seen them. Those "invalid certificate" warnings you sometimes get when you're trying to visit a secure Web site.

Palm Updates Pre OS With an Eye on the Enterprise

Palm on Thursday released another update to the Pre's mobile operating system, webOS v1.1.0, and it includes a variety of valuable features meant for corporate IT departments supporting Pres in the enterprise.

iPhone Security: Not Beefy Enough for Businesses?

The iPhone has evolved from a casual smart phone into one with the potential to serve businesses across the globe. Its latest iteration, the iPhone 3GS, comes packaged with an encryption feature supposedly perfect for sensitive information stored on the device.

Hacker group L0pht makes a comeback, of sorts

The news report begins with shots of a tense space shuttle launch. Engineers hunch over computer banks and techno music pounds in the background. There is a countdown, a lift-off, and then you see a young man in a black T-shirt and sunglasses, apparently reporting from space.

EFF urges members to pressure Google on books privacy

Digital liberties group the Electronic Frontier Foundation is urging its supporters to pressure Google to build significant privacy protections into its Book Search service, with the EFF suggesting the service gives Google access to new personal information.

Microsoft admits it can't stop Office file format hacks

Microsoft's plan to "sandbox" Office documents in the next version of its application suite is an admission that it can't keep hackers from exploiting file format bugs, a security analyst said today.

HSBC fined over £3m for data security failings

HSBC has received an almost £3.2 million (US$5.3 million) fine from the Financial Services Authority (FSA) after three of its firms lost computer discs and posted unencrypted customer details.

Asia launches online traveler tracker

A travel security online service that provides real-time traveler tracking was launched in Asia on Tuesday (July 21).

Mass 201 CMR 17: A Survival Guide for the Anxious

David Escalante has as much cause as any IT security practitioner to be nervous about Mass 201 CMR 17, the tough Massachusetts data protection requirements organizations must comply with by Jan. 1, 2010.

EU backs renewal of anti-terror bank scrutiny deal
Follow the money

The EU is in talks to renew an agreement allowing US authorities to scrutinise European banking transactions as part of US anti-terrorism efforts.…

Wildcard certificate spoofs web authentication
SSL felled by null string

Black Hat In a blow to one of the net's most widely used authentication technologies, a researcher has devised a simple way to spoof SSL certificates used to secure websites, virtual private networks, and email servers.…

Security elite pwned on Black Hat eve
Kaminsky, Mitnick, et al

On the eve of the Black Hat security conference, malicious hackers posted a 29,000-line file detailing embarrassing attacks that took complete control of servers and websites run by several high-profile security researchers, including Dan Kaminsky and Kevin Mitnick.…

Translation services used to pump out polyglot spam
Sie haben multi sprachliche Trödelpost

Spammers are making greater use of automated translation services and templates to create multiple language junk mail runs.

BIND crash bug prompts urgent update call
Master server flaw could break the interwebs

A vulnerability in BIND creates a means for miscreants to crash vulnerable Domain Name System servers, posing a threat to overall internet stability as a result.…

IBM piles on security pounds with Ounce Labs buy
Big cheque confirms code checking firm checks out

IBM has announced a deal to buy privately-held code security review firm Ounce Labs. The terms of the deal, announced on Tuesday, were undisclosed.…

Microsoft emergency fix kills bugs in IE, Visual Studio
Just in time

Microsoft issued two emergency updates on Tuesday to fix critical security bugs that leave users of Internet Explorer and an untold number of third-party applications vulnerable to remote attacks that completely commandeer their computers.…

Dutch spam suspect fined €250K
Clogged interwebs with 21m junk mails

Dutch telecoms regulators have fined a junk email spammer €250,000.…

Facebook slaps faces on ads
Rogue ad network to blame for photo privacy violation, apparently

The appearance of Facebook users' photos in ads that crop up on their friends' pages has once again raised questions about the social networking website's privacy policies.…

SHA-3 hash contest enters second round
Crypto Olympiad hots up

The competition for the next generation of cryptographic hash algorithms has moved on to its second stage.…

New attack resurrects previously patched security bugs
Coming soon: The Windows killbit bypass manual

Researchers may have figured out how to bypass a common technique Microsoft and other software makers have used to fix hundreds of security vulnerabilities over the past decade, according to a brief video previewing a talk scheduled for later this week at the Black Hat security conference.…

Smut page ransomware Trojan ransacks browsers
Pay or it'll display

Russian cybercrooks have come up with a variant of ransomware scams, which works by displaying an invasive advert for online smut in users' browsers that victims are extorted to pay to remove.…

AVG update gags iTunes
Security scanner strikes a duff note

A dodgy AVG update over the weekend left users with crippled iTunes installations.…

Microsoft to issue emergency patches Tuesday
Relief for what ails IE, Visual Studio

Microsoft plans to issue two emergency patches next week that fix vulnerabilities in the Internet Explorer browser and Visual Studio developer suite that allow attackers to remotely execute malware.…

Network Solutions breach exposed 500k card accounts
The case of the 3-month hack

A breach at Network Solutions has exposed details for more than 500,000 credit and debit cards after hackers penetrated a system it used to deliver e-commerce services and planted software that diverted transactions to a rogue server, the hosting company said late Friday.…

Remote IT support tool hijacks customer webserver
TeamViewer turns outage into ad time

On Thursday morning, IT consultant Paul Nash received an urgent call from a client whose Apache webserver had crashed the previous night and inexplicably wouldn't restart. Equally vexing, people who tried to visit the client's website during the 10-hour outage received a message advertising TeamViewer, a maker of widely used software for remotely managing PCs and servers.…

Security researchers unpick botnet economics
Baron Samedi's nice little earner

The economics of botnets and the sale of stolen information in underground bazaars have been detailed in greater depth than ever before in new research from Kaspersky Lab.…

MS adds sandboxing to Office 2010
Harm reduction tactic aims to block bug exploitation

Microsoft has announced plans to introduce sandboxing technology with the next version of its Office suite.…

Adobe promises fix for critical Flash hole next week
Long hot weekend

Adobe has promised to fix a critical vulnerability in its Flash player software by the end of next week.…

Tackling ISO 27001: A Project to Build an ISMS

Category: Management & Leadership

Paper Added: July 27, 2009

BIND 9 DoS attacks in the wild, (Wed, Jul 29th)

Earlier today Marc posted a short diary about a vulnerability in the Internet Systems Consortium's B ...(more)...

Increasing number of attacks on security sites, (Wed, Jul 29th)

In the last couple of weeks we have all been witnesses to multiple compromises of (in some cases) pretty ...(more)...

BIND 9 Issue, (Wed, Jul 29th)

The Internet Systems Consortium announced a DoS condition in BIND 9. Details are on their web ...(more)...

Twitter spam/phish, (Tue, Jul 28th)

Ben wrote in that: There's a new worm going around Twitter. Victim feeds it her username ...(more)...

MS released two OOB bulletins and an advisory, (Tue, Jul 28th)

Microsoft has released two Out of Band (OOB) bulletins and one advisory. The security advisory (9738 ...(more)...

YYAMCCBA, (Tue, Jul 28th)

Yes Yet Another Massive Credit Card Breach Alas, this time Network Solutions. They appear to still b ...(more)...

Filemon and Regmon are dead, long life to Procmon!, (Mon, Jul 27th)

Frequent reader and contributor, Roseman, called our attention to a new update to the Sysinternal ...(more)...

New Hacker Challenge: Prison Break - Breaking, Entering & Decoding, (Mon, Jul 27th)

Hey, ISC readers and challenge fans! Ed Skoudis has posted one of his famous and always entertain ...(more)...

New Volatility plugins, (Sun, Jul 26th)

There isn't a lot of activity on the Internet Storm Center radar at the moment, I suppose it is ...(more)...

Microsoft Out of Band Patch, (Fri, Jul 24th)

Several readers have pointed out that Microsoft has provided notification of an Out-of-Band patch to ...(more)...

US Cyber Challenge Seeks Top Cyber Security Potential (July 27, 2009)

A consortium of government and private organizations has established the US Cyber Challenge, an initiative that seeks to find 10,000 people with the potential to become the cyber security leaders of the future.......

Leahy Introduces US Data Security Legislation (July 22 & 24, 2009)

US Senator Patrick Leahy (D-Vt.......

Summary Judgment in Downloading Undermines Defense (July 27, 2009)

Opening arguments are set to begin on Tuesday, July 28 in the filesharing case against a Boston University student.......

Network Solutions Data Breach (July 24, 25 & 27, 2009)

More than 4,000 e-commerce websites hosted by Network Solutions had their credit card sales transactions compromised in a data security breach.......

UK ISP Reverses Course on Hasty Anti-Piracy Measures (July 24 & 27, 2009)

UK Internet service provider (ISP) Karoo has changed its tune regarding Internet piracy.......

Guilty Plea in Movie Uploading Case (July 22 & 23, 2009)

A California man has pleaded guilty to uploading a copyrighted work being prepared for commercial distribution.......

Adobe Promises Patches for Flash, Reader, and Acrobat By End of Week (July 23, 24 & 27, 2009)

A fix for the zero-day flaw in Adobe Flash, Reader and Acrobat will be available at the end of this week.......

Microsoft Out-of-Cycle Patches Affect Internet Explorer and Visual Studio (July 24 & 25, 2009)

Microsoft plans to issue two out-of-cycle fixes on Tuesday, July 28.......

Alico Breach Believed to be Connected to Credit Card Fraud (July 27 & 28, 2009)

A data security breach at insurance company Alico Japan has exposed credit card information related to as many as 130,000 insurance contracts.......

Twitter Weeds Out Spam Accounts (July 24, 2009)

Last week, Twitter purged accounts believed to have been created for the purpose of spamming, leaving some Twitterers with significant decreases in their number of followers.......

Post-Transaction Marketers Drawing Shoppers' Ire (July 24, 2009)

Thousands of people who have shopped at certain online retailers have found unexpected charges on their credit card statements.......

Study Says Government Facing Shortage of Cyber Security Talent (July 22 & 23, 2009)

Although President Obama has called the threat of cyber attacks "one of the most serious economic and national security challenges," the government is likely to be facing a shortage of well-qualified cyber security specialists, according to a study from the Partnership for Public Service and Booz Allen Hamilton.......

Kundra Letter Addresses Need to Correct Flaws in FISMA Cyber Security Metrics (July 21, 2009)

In a letter to the Government Accountability Office (GAO) director of information security issues Gregory Wilshusen, US federal CIO Vivek Kundra says that the Office of Management and Budget (OMB) is looking for new ways to measure government agencies' cyber security postures.......

Committee Attaches Disclosure Requirements to FY10 Intelligence Authorization Bill (July 23, 2009)

Funding for cyber security programs initiated by the US government will depend in part upon disclosure of each program's legality and privacy impact.......

Information Commissioner's Office Will Have Authorization to Impose Fines Next Year (July 23, 2009)

As of April 2010, the UK Information Commissioner's Office (ICO) will have the authority to levy new fines against organizations that fail to adequately protect personal data.......

Ministry of Defence Lost Server Last Year (July 21, 2009)

In detailing data loss incidents as part of its Annual Report and Accounts document, the UK's Ministry of Defence (MOD) acknowledged losing a server from a secured building in 2008.......

Adobe Will Patch Critical Flaw in Flash, Reader, and Acrobat Next Week (July 22 & 23, 2009)

Adobe plans to release fixes for a critical vulnerability in Flash, Reader, and Acrobat next week.......

Adobe Site Offers Vulnerable Version of Reader (July 21 & 22, 2009)

The version of Adobe Reader currently offered for download on the company's website leaves users' computers vulnerable to attacks.......

Conflicting Reports on Flaw in Firefox 3.5.1 (July 19 & 20, 2009)

While reports from several sources suggest that the just-released update for Firefox, version 3.......

Mozilla Releases Security Update for Firefox 3.0 (July 22, 2009)

Mozilla has released an update for Firefox 3.......

HSBC Firms Fined GBP 3.2 Million (US $5.28 Million) for Data Handling Problems (July 22 & 23, 2009)

The Financial Services Authority (FSA) has fined three HSBC firms GBP 3.......

Malicious Banner Ads Infect Some Digital Spy Subscribers' Computers (July 20, 2009)

The computers of US and Australian subscribers to the Digital Spy gossip website have been infected with malware from banner ads on the site.......

Windows 7 Released to Manufacturing (July 22 & 23, 2009)

Microsoft Windows 7 and Microsoft Windows Server 2008 R2 have been released to manufacturing, putting the operating system on track for a late October launch.......

Serious interoperability vulnerabilities affect multiple vendors, say researchers

By Robert Westervelt

Complex interoperability vulnerabilities affect browser plug-ins and other components that transmit data between different components of an operating system. The serious holes could be exploited to execute malicious code and gain access to a system.

Kaminsky reveals critical flaws in X.509 certificates at Black Hat

By Michael S. Mimoso

Researcher Dan Kaminsky returns to Black Hat with new research on X.509 certificates and explains a hacking method that enables him to spoof legitimate SSL certificates.

Expert: Information security spending often restricts innovation

By Robert Westervelt

In the opening keynote at the Black Hat USA 2009 conference, a former Google executive urged security pros to stop spending money on technologies that place restrictions on employees and instead empower end users to be security aware.

Microsoft issues emergency Active Template Library updates

By Robert Westervelt

Security updates address flaws in the Active Template Library affecting Internet Explorer and Visual Studio. An IE fix also blocks a method that allows attackers to bypass killbits.

Network Solutions data security breach exposes a half-million credit card numbers

By SearchSecurity.com Staff

Company says intruders planted malicious code on Web servers supporting its e-commerce customers.

Microsoft to issue security report card, new tool at Black Hat

By Robert Westervelt

In addition to updating the public on its new security programs, the software giant is issuing a guide outlining its patching process and how to assess vulnerability data.

Microsoft to release emergency bulletins for Visual Studio, IE

By Robert Westervelt

An update correcting vulnerabilities in Internet Explorer is rated critical.

Massive spam campaign hits Yahoo Groups, LiveJournal

By Robert Westervelt

Spammers are using a spam technique that uses automated CAPTCHA-breaking software to set up accounts and use free file storage for links and images.

Symantec Profits Fall in Q1

Symantec's profits tumbled in the first quarter of fiscal 2010, the security company reports. Symantec officials say businesses are slow to adopt long-term contracts.
- Symantec saw profits drop year-over-year for the first quarter of fiscal 2010, as the company has found enterprises less willing to sign long-term deals. "On the enterprise side, some customers focused their spending on shorter-term contracts or maintenance renewals, resulting in fewer new...

Researcher Unmasks Sneaky Clampi Trojan at Black Hat

At the Black Hat security conference in Las Vegas, SecureWorks researcher Joe Stewart discusses his analysis of the Clampi Trojan, which has remained largely under the radar outside security circles despite infecting hundreds of thousands of users. According to Stewart, the group behind Clampi is running one of the most sophisticated Trojan criminal operations on the Internet.

Symbian Smartphones: 1 in 63 Infected

A study by mobile security company SMobile Systems claims smartphones running the Symbian operating system are breeding grounds for spyware, viruses, worms and Trojans. SMobile says most users of the infected Symbian smartphones are unaware of the infections.

Microsoft Rushes Out Visual Studio, IE Fixes

Microsoft issues two out-of-band security bulletins to address problems in Visual Studio and Internet Explorer. The patches address an attack that could bypass Microsoft's killbit security feature, and bugs in the Microsoft Active Template Library included with Visual Studio.

IBM Buys Ounce Labs, Could Challenge HP

IBM acquires Ounce Labs to build out its application testing capabilities. The purchase, which follows continued growth in the market, may trigger a reaction from HP and other vendors.

Kundra Considers Opening Federal Website Cookie Jar

Federal CIO Vivek Kundra proposes removing the ban on placing tracking cookies on federal Websites and instead adopting a policy of using cookies to provide better customer service and allow for enhanced Web analytics.

A Day in the Life of the Rustock Botnet

It's a busy time for botnets. According to Marshal8e6, spam levels are up 60 percent between January and June. The vast majority of that spam comes from massive botnets such as Cutwail and Mega-D. Today, eWEEK is focusing on just one of those botnets, Rustock, which has been spamming users for the past few years. In its latest biannual report, TRACELabs Marshal8e6 noted Rustock uses rootkit functionality to hide itself, and changes spam templates often. It typically uses HTML templates from legitimate newsletters and inserts its own images and links to give Rustock spam a mask of respectability. This also allows it to dodge spam filters. In this slideshow, eWEEK has gathered images of Rustock in action to help illustrate a day in the life of a prolific botnet. (Images courtesy of SecureWorks, Symantec, Marshal8e6 and FireEye)

Will Google Chrome OS Security Be Tough Enough?

There has been no shortage of speculation on the security of Google Chrome OS, even as Google remains quiet on exactly what its plans are. What is certain is that Google's focus on the cloud means the security requirements of Chrome OS will be significantly different from those of traditional operating systems.

AT&T Lifts 4chan Block, Denies Censorship

AT&T says it has lifted a block it put on part of the notorious 4chan.org bulletin board. AT&T says the block was a security move in response to a denial-of-service attack against one of its customers, but the incident has touched a nerve among those concerned about net neutrality and censorship.

Leahy Takes Third Shot at Data Breach Notifications

Having failed twice before to convince the U.S. Senate of the necessity for a national data breach notification standard, Sen. Patrick Leahy tees up the Personal Data Privacy and Security Act again.

Apple iPhone 3GS Security Holes Revealed in YouTube Videos

A security researcher is backing up his claims that the Apple iPhone 3GS is not enterprise-ready, with YouTube videos demonstrating how an attacker could get your private data.

Microsoft Pushing Out Critical Security Patches Next Week

Microsoft will release two out-of-band security bulletins July 28, targeting issues in Internet Explorer and the Microsoft Visual Studio product line.

Weaponizing Web 2.0

In From the Bunker

Imagine simply visiting a Web forum and finding that doing so forced your browser to post an embarrassing Twitter message to all of your contacts, or caused you to admit a stranger to your online social network. Now consider the same dynamic being used to move money out of your online auction account or delete the contents of your e-mail inbox. These are just a taste of the Web 2.0 cross-site trust issues explored in a talk delivered at the Black Hat security conference in Las Vegas today. The presenters, researchers Nathan Hamiel and Shawn Moyer, delivered a related talk at Black Hat last year called "Satan is on my Friends List," that was highly entertaining and relevant to similar trust concerns that plague dozens of social networking sites.

Report: First Lady Safehouse Route, Govt. Mafia Trial Info, Leaked on P2P Networks

In U.S. Government

Update, 2:15 p.m. ET: A previous version of this story incorrectly stated that files were found on P2P networks that listed the location of nuclear missile silos in the United States. A spokesman for the committee said the information regarding nuclear installations is related to sensitive documents accidentally published on the Web site of the Government Printing Office recently, which included a "detailed list of the civilian nuclear complex, including precise locations of weapons grade nuclear fuel." An earlier version also incorrectly stated that information on the location of a safe house for Michelle Obama was compromised.

Microsoft's Emergency Patch Mess

In New Patches

Microsoft today released a pair of emergency software updates (Redmond calls them "out-of-band" updates). Yes, that's right folks: If you use Windows -- and especially if you browse the Web with Internet Exploder Explorer - it's once again time to update. The backstory to these patches is a bit complex, so here's the short version: A while back, Microsoft introduced several security flaws into a set of widely-used third-party software development tools, and today it's correcting that error by issuing an updated set of tools. Another update tries to block attackers from exploiting those weaknesses while third-party software makers figure out how to fix their code with the updated tools. On a scale of 1 to 10, with 10 being the most dire and far-reaching, Eric Schultze, chief technology officer at Shavlik Technologies, said he'd put the seriousness of today's out-of-band patch releases at an 8.

Microsoft to Issue Emergency Patches Next Week

In New Patches

As Security Fix predicted earlier this week, Microsoft says it plans to issue at least two out-of-band software updates next week to plug a series of unusually stubborn and critical security holes in the Windows operating system and its Internet Explorer Web browser. Microsoft says it will issue two patches -- one to deal with problems in Internet Explorer, and another to fix a bug in its Visual Studio software suite. From Microsoft: While we can't go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin

Network Solutions Hack Compromises 573,000 Credit, Debit Accounts

In Latest Warnings

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned. Herndon, Va.-based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services -- a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said. Wade said the company is working with federal law enforcement and a commercial data breach forensics team to determine the cause and source of the break-in.

Direct Financial Cost of Intrusions

By Richard Bejtlich

Thanks to the blog reader who directed me to the Washington Times story Contractor returns money to Pentagon:
Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractor's system was hacked from an Internet address in China...
Apptis agreed to the repayment after the Defense Criminal Investigative Service concluded the company and a subcontractor failed to provide "proper network security and information assurance services," according to the report, released in June.
The subcontractor's system under Apptis management was intruded upon "with total access to the root network" from an Internet address in China, the report said.

Wow. Can anyone think of another case where a company was "fined" by a customer for an intrusion? Usually we only hear of PCI issues.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Cyber-criminals targeting social networks: experts (AFP)

In technology

AFP - Facebook, MySpace and other social networking sites are increasingly being targeted by cyber-criminals drawn to the wealth of personal information supplied by users, experts warn.

Mac flaw could let hackers get scrambled data (Reuters)

In technology

Reuters - A Mac security expert has uncovered a technique that hackers could use to take control of Apple Inc computers and steal data that is scrambled to protect it from identity thieves.

Out-of-Cycle Patches May Make IE Vulnerabilities Worse (NewsFactor)

In business

NewsFactor - Microsoft on Tuesday released two out-of-cycle patches to fix vulnerabilities found in Active Template Library, a set of software developer tools used in the creation of COM and ActiveX modules. ActiveX modules are commonly used in Microsoft Internet Explorer and are traditional targets for hackers.

Spam Volumes Up 141 Percent, Aided By Botnets (PC Magazine)

In technology

PC Magazine - Was your spam inbox extra full these past few months? Spam volumes increased by 141 percent since March, thanks in part to the more than 14 million computers that were taken over by botnets this quarter, according to a Wednesday study from McAfee.

IPhone SMS Attack to Be Unleashed at Black Hat (PC World)

In technology

PC World - Apple has just over a day left to patch a bug in its iPhone software that could let hackers take over the iPhone, just by sending out an SMS (Short Message Service) message.

Microsoft releases security patch for Web browser (AFP)

In us

AFP - Microsoft released a security patch on Tuesday aimed at preventing hackers from exploiting a vulnerability in its Web browser, Internet Explorer.

Check Point 2Q profit down slightly; tops forecast (AP)

In business

AP - Check Point Software Technologies Ltd., which makes Internet security products, said Tuesday its second-quarter profit slipped nearly 5 percent on one-time charges.

Teamwork crucial to fighting cyber crime: Microsoft (AFP)

In us

AFP - Longtime computer security rivals are joining forces to battle increasingly sophisticated online attacks by cyber criminals.

Hacker Group L0pht Makes a Comeback, of Sorts (PC World)

In technology

PC World - The news report begins with shots of a tense space shuttle launch. Engineers hunch over computer banks and techno music pounds in the background. There is a countdown, a lift-off, and then you see a young man in a black T-shirt and sunglasses, apparently reporting from space.

Spammers go multilingual, use automatic translation services

By Dancho Danchev on Spam and Phishing

For years spammers relied on basic mass marketing concepts in an attempt to target everyone, everywhere, thereby sacrificing quality for quantity. Things changed, at least for some of them. Realizing the advantages of market segmentation, certain spammers started segmenting the databases of harvested or emails based on their country of origin, followed by an attempt to [...]

419 scammers using Dilbert.com

By Dancho Danchev on Spam and Phishing

Scammers too, know Dilbert. On their way to search for clean IPs through which to send out yet another scam email, 419 con-artists (Mrs Sharon Goetz Massey) have recently started  using Dilbert.com’s recommendation feature in an attempt to bypass anti-spam filters — and it works. The use of Dilbert.com’s clean IP reputation comes a month after [...]

Microsoft to ship emergency IE, Visual Studio patches

By Ryan Naraine on Zero-day attacks

Less than a month after a first pass at patching a troublesome flaw affecting its dominant Internet Explorer browser, Microsoft has announced plans to release two emergency updates with a comprehensive fix for the problem. The unusual move comes on the heels of a bombshell blog post by reverse engineering specialist Halvar Flake that the original [...]

A Good Year for Security Collaboration

By Ryan Naraine on Zero-day attacks

Guest Editorial by George Stathakopoulos

It seems like just yesterday when I was at Black Hat. Now as I get ready to fly to Las Vegas again, I look forward to seeing a lot of security researchers, hearing their latest exploits and how they fared over the last 352 days. At the same time, it is [...]

Adobe 'zero-day' flaw is eight months old

By Ryan Naraine on Zero-day attacks

The current zero-day attacks against Adobe Flash Player are not quite zero-day after all. According to new information, Adobe’s security response team knew about the vulnerability since December 31, 2008 (see image below) but it was misdiagnosed as a “data loss corruption” issue. When word of the attacks surfaced this week, Adobe quickly locked access to [...]

SB09-208: Vulnerability Summary for the Week of July 20, 2009

TA09-209A: Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities

MS09-035 - Moderate: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) - Version:1.0

Severity Rating: Moderate - Revision Note: V1.0 (July 28, 2009): Bulletin published. Summary: This security update addresses several privately reported vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. This security update is specifically intended for developers of components and controls. Developers who build and redistribute components and controls using ATL should install the update provided in this bulletin and follow the guidance provided to create, and distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin.

MS09-034 - Critical: Cumulative Security Update for Internet Explorer (972260) - Version:1.0

Severity Rating: Critical - Revision Note: V1.0 (July 28, 2009): Bulletin published. Summary: This security update is being released out of band in conjunction with Microsoft Security Bulletin MS09-035, which describes vulnerabilities in those components and controls that have been developed using vulnerable versions of the Microsoft Active Template Library (ATL). As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035. This security update also resolves three privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Security Advisory (973882): Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution

Revision Note: V1.0 (July 28, 2009): Advisory published. Summary: Security Advisory

Microsoft Security Bulletin Advance Notification for July 2009

Revision Note: Advance Notification published. Summary: This advance notification lists security bulletins to be released for July 2009.

MS09-035 - Moderate: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)

Bulletin Severity Rating: Moderate - This security update addresses several privately reported vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. This security update is specifically intended for developers of components and controls. Developers who build and redistribute components and controls using ATL should install the update provided in this bulletin and follow the guidance provided to create, and distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin.

MS09-034 - Critical: Cumulative Security Update for Internet Explorer (972260)

Bulletin Severity Rating: Critical - This security update is being released out of band in conjunction with Microsoft Security Bulletin MS09-035, which describes vulnerabilities in those components and controls that have been developed using vulnerable versions of the Microsoft Active Template Library (ATL). As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035. This security update also resolves three privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Security Bulletin Webcast Questions and Answers – Out-Of-Band July 2009

By MSRCTEAM

Hi,

In conjunction with the Microsoft July 2009 Out-of-Band Bulletin release, we conducted two public webcasts to assist customers. During these webcasts, we were able to address 60 questions in the time allotted. The questions centered primarily on MS09-034: the Internet Explorer Cumulative Update Bulletin and MS09-035: the Visual Studio Bulletin. We also addressed questions regarding the Microsoft Security Advisory 973882 and the ATL issues as a whole.

Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

http://blogs.technet.com/msrc/pages/security-bulletin-webcast-q-a-oob-july-2009.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:

http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Thanks!

Al Brown

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Microsoft Security Advisory 973882, Microsoft Security Bulletins MS09-034 and MS09-035 Released

By MSRCTEAM

Today, we’re releasing guidance and security updates to help better protect customers from responsibly reported security vulnerabilities discovered in the Microsoft Active Template Library (ATL).

Because libraries function as building blocks that can be used to build software, vulnerabilities in software libraries can be complex issues and benefit from what we call community based defense – broad collaboration and action from Microsoft, the security community and industry. Because of this, in addition to the updates and guidance we’re releasing today, we’ve been actively engaged with the industry through programs like the Microsoft Active Protections Program (MAPP), Microsoft Security Vulnerability Research (MSVR) and working with organizations such as Industry Consortium for the Advancement of Security on the Internet (ICASI) to provide a broad, industry-wide response to help better protect customers. While this is a complex issue, we believe a broad, industry-wide response can help minimize the impact to customers.

The vulnerability that we addressed with Microsoft Security Bulletin MS09-032 was a result of this issue. While that issue was attacked before a security update was released, that is the only known attack that we’re aware of against an issue related to vulnerabilities in the ATL. However, we are releasing our guidance and updates outside of our regular monthly release cycle because our updates are of appropriate quality for broad distribution, we are aware of one attack which was addressed through MS09-032, and we believe that there is a greater risk to customer safety from broader disclosure of this issue if we wait until our next scheduled release on August 11, 2009.

We have focused our efforts on this issue around two main fronts:

1. Helping developers to identify and address instances where the ATL vulnerability manifests in their controls or components

2. Mitigating the impact of future attacks on customers

Some of the steps that we’re taking to help developers include:

1. Releasing MS09-035 for Visual Studio which provides an updated copy of the ATL that developers can use to build new controls and components if needed. It is important to note that not all controls built using the vulnerable versions of the ATL are vulnerable – this will depend on decisions the developer made when building the control or component.

2. Posting a special developer resource page with detailed information on how developers can identify if their control or component is exploitable using the vulnerabilities in the ATL.

3. Working with ICASI who is partnering with Verizon Business to offer customers a no-charge service that will scan developers’ controls and components and provide initial indications if the control or component is vulnerable and what potential next steps customers or developers should take to modify the control.

4. Working with vendors responsible for widely used controls and components through our Microsoft Security Vulnerability Research to help them identify and address instances where the ATL vulnerability manifests in their controls or components.

5. Reiterating our commitment to third party developers to set “killbits” for their ActiveX controls on request in a Microsoft Update.

Some of the steps we’re taking to mitigate the impact of future attacks on customers include:

1. Releasing MS09-034 for Internet Explorer. While Internet Explorer is not itself vulnerable to the ATL issue, the IE team has built a defense-in-depth change that can help protect against attempts to attack controls or components containing the ATL vulnerabilities. More detailed information on how this works is provided at the Security Research and Defense blog. This update also addresses an issue where attackers can attempt to bypass the “killbit” protections in IE. Finally, this update also addresses three unrelated, responsibly disclosed vulnerabilities.

2. Providing information to our MAPP partners to help ensure security protection providers have key technical information to help them build protections for customers more quickly.

3. Committing to set “killbits” in a Microsoft Update for vulnerable third-party ActiveX controls identified as vulnerable or under attack when no vendor can be identified.

Home Users and IT Pros should go ahead and deploy the IE update, MS09-034, so they can benefit from the protections it introduces. Additionally, Internet Explorer 8 provides additional security enhancements that can further lessen the impact of this issue. There’s more details on that at the IE blog. Also, enabling automatic updates for third-party software (where available) may help you get the latest updates for those products.

Developers should take the same steps as home users and IT Pros but should also review the information we’ve provided to help you determine if the ATL vulnerability manifests in your component or control. Additionally, you should consider using the service offered by ICASI who is partnering with Verizon Business to identify any components or controls that are vulnerable.

Because we know folks will have additional questions, we’ve posted additional information on our security blogs. Our colleagues at the Security Research and Defense blog have several posts related to this that Jonathan Ness points to in his overview post. Michael Howard over at the SDL blog has one going into some more detail around the actual underlying issue. Katie Moussouris and Adrian Stone talk about MSVR’s work with other vendors on this issue over at the Ecostrat blog. And, finally, Ryan Smith, Mark Dowd and David Dewey, the security researchers who brought this issue to us, discuss their work on the issue with us over at the BlueHat blog.

Our worldwide security teams have been mobilized working around the clock to deliver these protections to customers and we will be continuing to watch the threat landscape closely. We will work closely with our partners in the industry and notify customers with any new information about this situation through our security advisory and the MSRC weblog.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Advance Notification for July 2009 Out-of-Band Releases

By MSRCTEAM on Internet Explorer (IE)

We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009. 

While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One Security Bulletin for Visual Studio

2. One Security Bulletin for Internet Explorer

While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.

Customers who are up to date on their security updates are protected from known attacks related to this Out of Band release.

We’ll be holding two webcasts to give you details and take your questions:

· Webcast: July 28, 2009 1:00 p.m. Pacific Time

· Encore Webcast: July 28, 2009 4:00 p.m. Pacific Time

A reminder that this information is subject to change and that when we do release the security bulletins, we’ll let you know through the MSRC weblog.

Thanks,

Mike Reavey

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Active Template Library (ATL) Vulnerability

In Cisco Security Advisory

Certain Cisco products that use Microsoft Active Template Libraries (ATL) and headers may be vulnerable to remote code execution. In some instances, the vulnerability may be exploited against Microsoft Internet Explorer to perform kill bit bypass. In order to exploit this vulnerability, an attacker must convince a user to visit a malicious web site.

Multiple Vulnerabilities in Wireless LAN Controllers

In Cisco Security Advisory

Multiple vulnerabilities exist in the Cisco Wireless LAN Controller (WLC) platforms.

Cisco Security Center: IntelliShield Cyber Risk Report

July 20-26, 2009

Report Highlight: University of Washington Software Allows for Time-Limited Access of Encrypted Data
