Thursday, July 9, 2009

Around The Horn vol.1,134

Session Attacks and ASP.NET - Part 1

By Robert A. on Vulns

SANS has published part 1 of an article discussing Session Fixation attacks against .NET applications. "I’ve spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven’t...

What will Google's Chrome OS watch you do?

By Josh Lowensohn

Google has a long history of tracking user activity, and the introduction of its Chrome operating system later this year is sure to follow suit. While we know that it's being built off of Linux, one big thing we don't know is how its terms of service will differ from those found in other Google products, and what kinds of user data it will be collecting. Based on the company's track record of watching and monetizing user data, it could be anything from which applications you're using, to all the information that's coming in and out of your computer.

To provide a better picture on what to expect, let's take a look at some of the ways Google is currently monitoring user activity in a handful of its products and how that may trickle down into the OS:

Google personalized Web search--Google's bread and butter business is its search engine, and its personalized search is a way to put a face on the data. When you're signed in with your Google account you can opt in to having your Web history tracked; Google archives all of the sites you've clicked on from search results, as well as what time of day you clicked on them.

For those who are not signed in, the company uses identifiers like cookies and IP addresses. But when you're signed in it can actually aggregate that data no matter what computer you're on. With a system-level log-in, it could theoretically do this no matter what browser you're using, giving Google a far richer set of data.

Chrome browser--When Chrome was first released, Google got in some hot water over its terms of service, which stated that Google had the rights to license any content that went through the browser. It quickly backtracked on the claim, citing that the terms heavily borrowed from other Google products and that it didn't make sense for Chrome. This would have given Google licensing control over things like user photos, videos, and words.

The one area where Google's Chrome can still access some of that information is with its reports system. This is an opt-in program for users to provide Google with crash reports and detailed information about what features they're using. Google has said this does not include any information from form fields, or from users' Google accounts. However, it does track what sites and search terms you've entered into the address bar.

Gmail--Google's Web mail service was one of the first Web mail services to provide contextual advertising, meaning it actually goes through your e-mail messages to give you advertisements that match up with a conversation you're having. Did you mention skiing in that last e-mail? Don't be surprised if you start seeing ads for local lift tickets or a new pair of ski boots.

Gmail also tracks what features users are using, including...

Originally posted at Webware

Does Google's OS decrease or increase security risks?

By Larry Magid

Wednesday's two big technology stories--Google's Chrome-based operating system and cyberattacks against U.S. and South Korean government Web sites--are oddly related. The stories are connected because if Google does well at gaining market share for its browser, we could see fewer successful attacks. Or maybe we'

...

Originally posted at Larry Magid at Large

Shortened URLs spike in e-mail spam

By Elinor Mills

In yet another piece of anecdotal evidence of the increasing threat from shortened URLs, e-mail security provider MessageLabs said on Tuesday it saw a dramatic spike in the number ...

Security expert blesses Google Native Client technology

By Elinor Mills

Mark Dowd, X-Force research engineer at IBM Internet Security Systems and winner of the Google Native Client security contest along with partner Ben Hawkes.

Two security researchers are splitting a cash prize from Google after winning a bug hunt contest designed to improve the security of Google Native Client ...

FAQ: How to vanquish mobile spam

By Elinor Mills

I got my first SMS spam message last week and it infuriated me.

The mortgage-related text message was more than just a nuisance, like e-mail spam is. It also was a strong indication of how marketers have managed to invade every private communication space consumers have.

And it was frustrating ...

Originally posted at News - Wireless

MultiISO LiveDVD v1.0 – BackTrack, Knoppix & Ophcrack

By Darknet on security live dvd

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It’s an all-in-one multipurpose LiveDVD put together. There’s something in it for [...]

Report: North Korea May Be Behind DDOS Attacks On U.S., Korean Government Sites

News report says North Korean sympathizers may be behind attacks on U.S., South Korean government and infrastructure sites

Google Discloses Plans For New Malware-Resistant OS

Upcoming Chrome OS aimed at eliminating malware issues for desktops with lightweight platform and cloud-based application model

SecureWorks-Verisign Deal Highlights Acquisition Trend In Security Services

SecureWorks acquisition of Verisign's managed security services business highlights consolidation trend

Bug Now Being Exploited In Microsoft Zero-Day Attacks Was Reported A Year Ago

Attacks exploiting an unpatched Windows vulnerability are spreading to some .com, .org Websites

Trojans, Tweets Lead Malware Surge

In Web 2.0

Trojan attacks and dirty Tweets were major trends across the malware spectrum during Q2 2009.

Social Security Numbers Not as Safe as We Thought?

In Social networking

The Social Security Administration says people shouldn't panic - recent research from Carnegie Mellon University does not mean identity thieves have a foolproof way of guessing your social security information.

Vintage Spam Recipes: Remixing Nigerian and HTML

In Virus and Spyware

Spammers are once again enlisting HTML attachments to deliver their goods, some of which are also using traditional 419 money laundering scams.

Bill would give VA's IT programs $767.6 million more

The Senate Appropriations Committee has approved a bill that would provide hundreds of millions more for the Veterans Affairs Department's information technology programs -- but some strings are attached.

Contractors must use E-Verify system

Homeland Security Secretary Janet Napolitano today said enforcement of mandatory E-Verify for federal contractors will start September 8.

Questions dog DHS plans to upgrade advanced cybersecurity system

Reports in The Washington Post and The Wall Street Journal explain the Obama administration's plans and considerations in moving ahead with DHS' next generation tool to protect civilian government computer networks.

U.S., South Korean agencies hit by cyberattacks

The Web sites of government agencies in the United States and South Korea were hit this week by a distributed denial-of-service attack that South Korea’s intelligence agency said could have come from North Korea.

'Noisy' cyberattacks have little effect

The attacks, which spiked late July 6 and early July 7, are not particularly sophisticated and can be mitigated by organizations that are prepared for them, experts say.

Registered Traveler customers file class-action lawsuit

Two law firms have filed a class-action lawsuit on behalf of customers of a private operator of Registered Traveler services that shut down abruptly in late June.

Virtualization: Organizations getting better at disaster recovery

A Symantec survey reveals the "rising [disaster recovery] pressures on organizations caused by soaring downtime costs and more stringent IT service-level requirements to mitigate risk to the business."

With passwords, simplicity can equal strength

Longer passphrases can be easier to remember and provide more security than shorter but more complex passwords with multiple character sets.

Google Chrome OS: Vaporware Or Victory?

Chrome OS, Google's newly announced operating system, isn't just a swipe at Microsoft. It's an attempt to realize the cloud computing future that Google's been predicting.

Details Emerge In U.S. Cyber Attacks

Malware that targeted Web sites of The White House, Department of Homeland Security, the FAA, and others appears to be a MyDoom variant.

Web Link Shrinkage Powers Spam Surge

The popularity of Twitter has led to a proliferation of URL shortening services. Now spammers are taking notice and using link reduction to hide spam links.

Cyber Attacks Hit U.S. Government Sites; North Korea Eyed

Attacks crippled at least 11 U.S. government and private Web sites for much of the weekend. No data is believed to have been stolen.

Social Security Number Prediction Makes Identity Theft Easy

Posting your birthday on Facebook could help identity thieves predict your Social Security number, a new study finds.

PostgreSQL Upgrades Open Source Database Performance Tools

The 8.4 release of the database project offers improved administration, security, monitoring, and SQL features.

Apple's iPhone Vulnerable To Hotspot Hijacking

The new iPhone 3.0 software automatically launches the Safari browser in certain circumstances, a feature that makes the iPhone more usable and less secure.

Goldman's Alleged Code Thief Makes Bail

Programmer Sergey Aleynikov is under travel and computer use restrictions while awaiting trial.

Microsoft Warns Of 'Browse-And-Get-Owned' Attack

Attacks have been reported that attempt to exploit an unpatched vulnerability in Microsoft's Video ActiveX Control.

Dell Launches Forensics Service For Police

Digital-forensics package of hardware, software, and services would help police reduce data backlogs. Dell partners include Intel, EMC, Oracle, and Symantec.

InformationWeek Analytics: Data Loss Prevention

Security pros continue the shift from protecting systems to protecting data, and it's about time. Technologies like data loss prevention purport to help. Here's what you need to know about this emerging discipline.

Network Security Defeats Microsoft Video ActiveX Exploit

By Ravi Balupari on Zero-Day

As a follow-up to our two recent blogs, we want to provide some details for this zero-day exploit from the perspective of the McAfee Network Security Platform (formerly known as IntruShield). Unlike traditional ActiveX exploits, in this case the Microsoft Video ActiveX controls are being used to load malicious image files and trigger the vulnerability. McAfee [...]

Variant of Mac Malware Another Party Puper

By Lokesh Kumar on Malware Research

We recently received a new sample of the Mac malware OSX/Puper.a. This file [MD5 Sum: 428143005E07E510302BA431FE0C28CC], which disguises itself as a Mac Cinema Installer, was recently mentioned in PC Magazine. When the DMG file is executed on the Mac, it displays the following message: As the execution continues, the malware gets installed on the machine with the [...]

SWF Flash Exploits: Old Wine in a New Bottle

By Rahul Mohandas on Vulnerability Research

Adobe Flash applications have been a major security concern during the past couple of years. The large number of Flash vulnerabilities published, coupled with its popularity and wide distribution, makes Flash files an attractive target for cybercriminals. Infecting banner ads are not new; these Flash-based “malvertisements” have plagued adservers and popular websites for a very [...]

Updated MyDoom responsible for DDOS attacks, says AhnLab

An updated version of the MyDoom virus is responsible for a large DDOS (distributed denial of service) attack that took down major U.S. Web sites over the weekend and South Korean Web sites on Wednesday, according to Korean computer security company AhnLab.

Newest IE bug could be next Conficker, says researcher

The critical flaw that Microsoft confirmed on Monday -- but has yet to patch -- is a prime candidate for another Conficker-scale attack, a security researcher said.

TalkTalk follows BT and dumps Phorm

Following BT's announcement this week that it has dropped controversial targeted advertising system Phorm, ISP TalkTalk has also broken off its agreement with the service.

Majority of vulnerabilities now being exploited

The number of exploits being written to target specific software vulnerabilities could be at all-time highs, new threat figures have suggested.

Online attack hits US government Web sites

A botnet comprised of about 50,000 infected computers has been waging a war against U.S. government Web sites and causing headaches for businesses in the U.S. and South Korea.

US authorities extradite Indian on hacking charges

An Indian man has pleaded not guilty to charges that he hacked into online brokerage accounts in order to manipulate stock prices.

Cyber attack hits South Korean Web sites

A number of South Korean government Web sites were inaccessible on Wednesday, apparently taken offline by a large cyber-attack that had earlier hit U.S. government sites.

AMiloration of security: Milo and future hacking

Every year, the Master of Science in Information Assurance (MSIA) program at Norwich University hosts the annual three-day Graduate Security Conference for our graduating classes. We always have a plenary session with a distinguished keynote speaker; this year we were honored to welcome well-known antimalware researcher Dr. Richard Ford, Research Professor at the Center for Information Assurance of the Florida Institute of Technology. Dr. Ford spoke about unintended consequences in security in a riveting and highly stimulating presentation which, at my request, included no PowerPoint slides.

Norton Internet Security 2010 beta: Different approach, new features, some glitches

Symantec's newly released beta of NIS 2010 showcases its new reputation-based approach to malware detection, along with several additional features. However, testers should go carefully -- this is truly beta software.

BT drops Phorm WebWise system

BT has dropped the controversial internet tracking ad-delivery system WebWise, dealing out a huge blow to its developer Phorm.

New MI6 chief’s details posted on Facebook

The photos and private details of the next foreign spy chief were posted on an easily accessible Facebook page, it has emerged.

Symantec's Norton 2010 betas go live

Symantec has released live betas of Norton Internet Security 2010 and Norton AntiVirus 2010. The updates to Symantec's flagship antimalware products feature reputation-based security technologies as part of what the company is calling a new security model - codenamed "Quorum" - that Symantec says will 'tackle undiscovered malware and today's toughest threats head-on'.

Study: Social Security numbers are predictable

Social Security numbers may not be as random as believed, as a new study contends that powerful mathematical techniques combined with open-source research can, in some cases, reveal a person's secret number.

Protecting Social Security numbers online is a futile exercise

News today that Social Security numbers may not be as random nor secure as believed is just one more security problem the ubiquitous identification number faces.

Researchers Expose Security Flaw in Social Security Numbers

Have you posted your date of birth and birthplace on any of your social networks? If so, you may have provided enough information for hackers to figure out your Social Security number. Well, in theory, anyway. Researchers at Carnegie Mellon University have successfully devised a way to guess a person's Social Security number using statistical analysis.

MyDoom dabs spotted on mega cyberassault
Traces of guilt

An updated version of the MyDoom worm is blamed for an ongoing denial of service attack against high-profile US and South Korean websites, according to preliminary analysis.…

OpenSSH exploit rumours swarm
As milw0rm shuts up shop

Rumours are circulating about the active exploitation of systems running older versions of OpenSSH, the open source remote administration utility.…

Plod to get computer forensics 'breathalyser' next year
Commercial offerings fail forensic tests

UK police may be forced to develop a bespoke digital forensics device for seized computers after testing of market offerings failed to meet price, technical and speed standards.…

Short URLs in spam skyrocket
The Twitter effect

Incidents of shortened URLs in spam messages have skyrocketed since the start of this week.…

Cops swoop on e-crime gangs after banks pool intelligence
Early success for new task force

Two London-based cybercrime gangs have been busted, following an agreement by banks and credit card companies to share intelligence on network attacks and malware.…

Moderatrix to gain even more sinister powers
Cyberbullies quail as online reputation software launches

A new system to improve the behaviour of visitors to internet sites, by granting more draconian exclusion powers to moderators, is launching this week in the UK.…

Spam tool developer faces six years in chokey
Ralsky cohort cops a plea

A US software writer has pleaded guilty to developing a botnet-based spamming tool used by notorious spammer Alan Ralsky.…

US websites buckle under sustained DDoS attacks
South Korea, too

Websites belonging to the federal government, regulatory agencies and private companies have been struggling against sustained online attacks that began on the Independence Day holiday, according to multiple published reports.…

Schneier says he was 'probably wrong' on masked passwords
Security guru gets a bit carried away by the moment

Security expert Bruce Schneier has said that he probably made a mistake when he backed a usability expert's plea to website operators to stop masking passwords as users type because it does not improve security and makes sites harder to use.…

Opera CEO: Unite not a security risk
Au contraire!

Opera has been defending its Unite product, claiming that far from causing security problems it actually increases the security for users who would otherwise be dependent on the cloud.…

Safari 4.0.2 update published, (Wed, Jul 8th)

It looks like Apple released Safari 4.0 ...(more)...

Milw0rm offline, (Wed, Jul 8th)

We've received multiple emails today from readers who cannot reach Milw0rm. The site's owner, ...(more)...

RFI: DDoS Against Government and Civilian Web Sites, (Wed, Jul 8th)

We are aware of an ongoing DDoS against several high-profile web sites. Public details are in ...(more)...

* INFOCON Status - staying green, (Tue, Jul 7th)

We had some internal discussion overnight about whether to raise our Infocon status to YELLOW becaus ...(more)...

OpenSSH Rumors, (Tue, Jul 7th)

Over the past 24 hours we've had a number of readers tell us that there is an OpenSSH exploit in act ...(more)...

Revised Rockefeller-Snowe Cybersecurity Bill To Move Forward in July (June 26, 2009)

The most far-reaching US legislative proposal on Cybersecurity is being modified to eliminate problematic language (such as the language that gave the government the right to "shut-off the Internet" during a national emergency) and will be moving ahead during July with a major rewrite and an additional hearing followed by a full-committee vote.......

Former Employee Arrested for Alleged Code Theft (July 6, 2009)

A former Goldman Sachs employee has been arrested for allegedly stealing code from the company.......

Woman Sentenced for Identity Fraud (July 6, 2009)

Labiska Gibbs has been sentenced to two-and-a-half years in prison for her role in an identity fraud scam that compromised personal information of Library of Congress employees and defrauded Target and other retailers of US $30,000.......

MI6 Chief's Information Exposed on Wife's Facebook Page (July 5 & 6, 2009)

Personal information about Sir John Sawers posted on his wife's Facebook account does not constitute a security breach, according to Foreign Secretary David Miliband.......

Seattle Data Center Fire Hobbles Bing's Travel Section and Other Sites (July 6, 2009)

Hundreds of websites were unavailable for as long as 36 hours over the US holiday weekend after an electrical fire damaged a Seattle data center late last week.......

Microsoft No Longer Supporting Java Virtual Machine (July 1 & 6, 2009)

Microsoft has ended support for Microsoft Java Virtual Machine (MSJVM) as of June 30, 2009.......

Bord Gais Data Breach Affects More Than 100,000 Customers (July 5, 2009)

The theft of a laptop from a Bord Gais office in Dublin affects more customers than was first believed.......

Microsoft Warns of Unpatched Flaw in Video ActiveX Control (July 6, 2009)

Microsoft is warning of a vulnerability for which no patch is currently available that can be exploited to take control of users' machines.......

Twitter Increasingly Used for Questionable Purposes (July 6, 2009)

Twitter is being used increasingly as a vector of attack, owing to the ease with which accounts are obtainable.......

Cold Fusion Attacks (July 2, 3 & 6, 2009)

Attackers appear to be targeting websites with old installations of certain Cold Fusion applications; a large number of websites have reportedly been compromised in the last several days.......

Malware Targets Latin American Best Buy Website Customers (July 3, 2009)

Latin American visitors to the Best Buy website have been targeted with malware.......

Online Game Bank Manager Stole Billions (July 3 & 6, 2009)

An Australian man who was one of the controllers of the virtual bank for the Eve Online game has admitted to stealing 200 billion credits, or eight percent of the bank's assets, and selling them for real world money.......

BT Puts Phorm On Hold (July 6, 2009)

Shares of Phorm, the online targeted advertising company, have fallen more than 43 percent after BT announced that it did not envision using the company's technology in the immediate future.......

Older Versions of McAfee Virus Scan Generate False Positives (July 3, 4 & 6, 2009)

Computer users running certain unsupported versions of McAfee's VirusScan engine found their computers crashing after downloading an update that identified legitimate files as malware and quarantined them.......

DDoS attacks hit U.S., South Korean government websites

By Robert Westervelt

The attacks, which started last weekend, shut down the Federal Trade Commission and Department of Transportation websites.

Researchers to demonstrate new EV SSL man-in-the-middle hacks

By Michael Mimoso

Security researchers Alexander Sotirov and Mike Zusman will demonstrate new offline man-in-the-middle hacks against extended validation SSL certificates at the Black Hat Briefings.

Researchers predict SSNs, crack algorithm putting identities at risk

By Robert Westervelt

The success rate is as high as 90% for individuals born after 1989 in less populous states. Some data was gleaned from social networking sites.

Compliance in the cloud

By Robert Westervelt

Rena Mears, global and U.S. privacy and data protection leader at Deloitte, discusses how cloud computing is transforming data classification and security.

Symantec Finds Spammers Abuse Faith in URL Shortening Services

Research by Symantec MessageLabs shows the amount of spam that contains links masked via URL shortening services has jumped dramatically in the past few days. While services like TinyURL and Cligs are popular for legitimate users, people should treat shortened URLs with at least as much caution as other links, security researchers say.
- It's no secret that the growth of Twitter and other social media sites has made URL shortening services a welcomed fact of life for many users. Unfortunately, it seems spammers have now taken notice, and are working shortened URLs into their schemes. According to Symantec, there has been a signi...

Details on Cyber-Attack on U.S., South Korea Emerge

As security researchers work to break down the malicious code tied to a DDOS attack targeting government and commercial sites in the United States and South Korea, more information is leaking out on how the attack happened. Still, much about the attacks, including the motives and identity of the attackers, remains unknown.
- More details are surfacing about a massive denial-of-service attack that has hit both government and commercial Websites in the United States and South Korea in the past few days. According to security researchers, the attacks are the work of malware that infected users and routed traffic to gov...

Cyber-Attacks Prompt Call for New Laws

The distributed denial of service attacks that swept through U.S. and South Korean government sites have a key cyber-security senator renewing his push for a reform of the Federal Information Security Management Act. The legislation would change the focus of U.S. cyber-security from compliance to detection and prevention.
- The wave of distributed denial-of-service attacks that hit U.S. government Websites last week have prompted U.S. Sen. Tom Carper (D-Del.) to renew his call for legislation reforming the way federal agencies defend their sensitive information. Carper, chairman of the Senate Subcommittee on Federa...

Was Microsoft Slow to Patch Video ActiveX Vulnerability?

The vulnerability in the Video ActiveX control Microsoft has warned about was reported to the company in 2008, but that doesn't mean Microsoft dragged its feet too much when it came to patching, says one of the researchers who found the vulnerability. With hackers circling, however, users may not want to wait on a patch to protect them.
- The unpatched vulnerability in the Video ActiveX control that Microsoft has warned about was reported to the company in 2008, but one of the security researchers who found it refused to criticize Microsoft's response to the threat. The bug was uncovered by researchers Alex Wheeler and Ryan Smit...

Security Vulnerabilities Old and New Plague Users in June

Those old Microsoft vulnerabilities you read about are still being targeted successfully by hackers. According to research from Fortinet, it's not just the latest exploits your IT admins and users have to be concerned with.
- When it comes to cyber-crime, it's not always about test driving the newest brand of malware on the road. Sometimes, it's about Old Betsy, the reliable piece of malware that will get you from point A to point B - the final location being a compromised computer. Research in Fortinet's June Threat R...

How to Mitigate the Increasing Botnet Threat

A single malicious botnet can harness enough machines to take down key Internet infrastructure and create financial havoc. Millions of computers on the Internet can be compromised. But there are measures that network managers can take to mitigate these botnet threats, using many of the tools already available to help prevent attacks. Here, Knowledge Center contributor Darren Grabowski discusses the impact of these silent botnet threats and offers solutions that network managers can use to mitigate these botnet threats.
- The Internet is in the midst of a global network pandemic, with millions of computers on the Internet compromised in some fashion. It is estimated that the number of recent malware infections on the Internet is over 7 million, and over 70 percent of all e-mail messages are spam. It is also beli...

Washington Post, White House, FAA, DoD, Others, Targeted in Online Attack

In U.S. Government

Washingtonpost.com and Security Fix readers may have noticed that our site was a bit slow and occasionally unreachable today. Turns out, the site has been under attack by about 60,000 compromised PCs around the globe for several hours now. We weren't the only site reportedly picked on, though. According to several security researchers who asked to remain anonymous because they are still helping to investigate the assault, the same attackers targeted Web sites for the White House, the Department of Homeland Security, the Department of Defense and the Federal Aviation Administration, with varying success. The culprit is a piece of malicious software that orders infected PCs to visit the Web sites on its hit list over and over again, all in an apparent bid to render the targets unreachable to legitimate visitors. Joe Stewart, director of malware research at Atlanta-based SecureWorks, said he examined the attack software and found that

High Crimes Using Low-Tech Attacks

In Fraud

Criminals are resurrecting low-tech attacks to siphon tens of thousands of dollars from unsuspecting victims. According to financial fraud experts, so-called "man-in-the-phone" attacks require little more than a telephone and old-fashioned con artistry. The scam works like this: The criminal calls a target, claiming to be the fraud department of the target's bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim's bank, and bridges the call, while placing his portion of the call on mute. When the bank's fraud department asks various questions in a bid to authenticate the victim, the criminal records the customer's answers. Depending on the institution, the answers may include the victim's Social Security number or national ID number, a PIN or password, and/or the amount of last deposit

Predicting Social Security Numbers

In Latest Warnings

The Washington Post today carries a story I wrote about new research, which found that it is possible to guess many -- if not all -- of the nine digits in an individual's Social Security number using publicly available information, a finding experts say compromises the security of one of the most widely used consumer identifiers in the United States. The full story is here. I'm mentioning it in the blog to call attention to some resources and additional information on this subject for readers who are interested in digging deeper. In the story, we wrote of the two Carnegie Mellon University researchers: Acquisti and Gross found that it was far easier to predict SSNs for people born after 1988, when the Social Security Administration began an effort to ensure that U.S. newborns obtained their SSNs shortly after birth. They were able to identify all nine digits for 8.5 percent

News: Web attacks hit U.S., South Korean sites

SKorea to set up cyber command against NKorea (AFP)

In technology

AFP - South Korea announced it would set up a military command next year to tackle the threat of cyber warfare from North Korea, amid suspicions the North was behind virus attacks earlier this week.

Cyber Attack in South Korea Set to Resume, Says AhnLab (PC World)

In technology

PC World - A denial of service attack that took down some of South Korea's highest profile Web sites on Wednesday is set to resume Thursday evening, according to computer security specialist AhnLab.

South Korea on high alert for more cyber attacks (AP)

In technology

AP - South Korea was on high alert Thursday for more cyber attacks amid suspicions that North Korea was behind a recent wave of Web site outages in the South and in the United States. The South warned that computer networks of key infrastructure could be targeted.

Google's OS Security Claims Called 'idiotic' (PC World)

In technology

PC World - Google, while announcing its new Chrome operating system late Tuesday, said users would no longer have to worry about viruses, malware and security updates, but security experts disagreed on whether Google can deliver on those promises.

White House, Pentagon websites targeted by cyberattack (AFP)

In politics

AFP - The White House, State Department and Pentagon websites were among those targeted in a coordinated cyberattack that also crippled sites in South Korea, computer security experts said Wednesday.

TinyURL Spam Growing, But It Can Be Beat (PC Magazine)

In technology

PC Magazine - Spammers are always looking for new ways to infiltrate your e-mail inbox, and it appears that many are now seizing on tiny URLs, or shorter versions of long Web site addresses, according to a report from MessageLabs.

Updated MyDoom Responsible for DDOS Attacks, Says AhnLab (PC World)

In technology

PC World - An updated version of the MyDoom virus is responsible for a large DDOS (distributed denial of service) attack that took down major U.S. Web sites over the weekend and South Korean Web sites on Wednesday, according to Korean computer security company AhnLab.

Software Developer Pleads Guilty to Spam Charge (PC World)

In technology

PC World - A Virginia software developer has pleaded guilty to charges related to creating and marketing software designed to send bulk commercial e-mail messages, in violation of the U.S. CAN-SPAM Act, the U.S. Department of Justice said.

Philippines cracks down on mobile phone spam (AFP)

In technology

AFP - Telecommunication regulators in the Philippines said Tuesday they would crack down on spam sent to mobile phones, and that service providers risked losing their licences for violations of a new ban.

Microsoft warns of serious computer security hole (AP)

In technology

AP - Microsoft Corp. has taken the rare step of warning about a serious computer security vulnerability it hasn't fixed yet.

DirectAccess: Microsoft's Newest VPN Solution - Part 1: Overview of Current Remote Access Solutions

By tshinder@tacteam.net (Thomas Shinder)

Taking a look at DirectAccess, Microsoft's latest VPN solution and assessing the current Remote Access Solutions.

Google Lists HP, Acer Among Chrome OS Partners

Google listed HP and Acer among the companies already developing devices for the Chrome OS.

Google OS Could Put Squeeze on Other Flavors of Linux

Google's new Chrome OS could provide more recognition for Linux, but steamroll other Linux OSes that are being used on netbooks.

Online Attack Hits US Government Websites

UPDATE: Since July 4, a DDoS attack has disrupted Web sites within South Korea and the U.S.

The U.S.-South Korea Cyberattack: How Did It Happen?

A massive attack is being blamed for crippling numerous government Web sites in the U.S. and South Korea this past week. Here's how it happened.

Google Chrome OS Could Be a Win for Road Warriors

Business travelers will have the most reason to take a closer look at Google Chrome OS. Here are few of the early pros and cons of the new operating system.

Google Chrome OS An Open Source Challenge to Windows

As has been predicted for some time, Google has announced a new operating system project that will put open source in the spotlight.

Updated MyDoom Responsible for DDOS Attacks, Says AhnLab

An updated version of the MyDoom virus is responsible for a large denial-of-service attack on U.S. and Korean Web sites, said computer security company AhnLab.

Online Attack Hits US Government Web Sites

Since July 4, a DDoS attack has disrupted Web sites within South Korea and the U.S.

US Authorities Extradite Indian on Hacking Charges

An Indian man charged with hacking U.S. brokerage accounts for a pump-and-dump scheme has pleaded not guilty in federal court.

Parents Need to Talk to Kids About Internet Use, Experts Say

Internet safety experts urge parents to talk to their kids about online safety during summer vacation.

Researchers Expose Security Flaw in Social Security Numbers

Researchers at Carnegie Mellon University have figured out how to guess your Social Security number based on your birth date and place of birth.

Study: Social Security Numbers Are Predictable

Social Security numbers may not be as random as believed and can in some cases be predicted, according to a new study.

Manage Your Passwords

Even if you come up with a perfect mnemonic to remember the passwords r[BYX9-5CY@P and b!MO.n5m862T, you may not be able to remember which one provides access to...

Remember Your Passwords

One objection to using a password utility is that you could someday find yourself without your Mac (or iPhone) and in need of one of your passwords. What then...

Lazy Hacker and Little Worm Set Off a Cyberwar Frenzy

By Kim Zetter

Denial-of-service attacks against U.S. and South Korean websites boost international tension with North Korea. But evidence suggests it's the work of an unambitious hacker wielding a five-year-old virus.
