Wednesday, July 22, 2009

Around The Horn vol.1,140

Mission possible: researchers make online text self-destruct

By jtimmer@arstechnica.com (John Timmer) on Vanish

As users flock to Web-based mail and social sites, more and more of their data is stored in cloud systems. As we've seen, some of that data can persist long after a user hits the delete button on it. Now, computer scientists have come up with a way to encrypt data so that it operates like the self-destructing messages in Mission Impossible. Their scheme, called Vanish, encrypts the message, and then essentially throws away the key. The trick is that the key will take a set amount of time before disappearing from view; during that time, it's still possible to access the data.

Operating Vanish

It's probably easiest to describe how the system operates in practical terms before discussing the technology behind it. Thanks to a Firefox plugin, it's possible to select text on any webpage—a Gmail message or Facebook posting, for example—and forward it to Vanish, which runs as a background process. Vanish will then encrypt the text, replacing it with the encrypted version if it's in an editable field, or providing the encrypted form in a popup window if not. Users can also create a drop folder for encrypting self-destructing files.

Chinese firms behind 'Sexy Space' Trojan

By Vivian Yeo

F-Secure has identified three China-based companies as the creators of the "Sexy Space" Trojan, which last week was found to have passed through Symbian Foundation's digital-signing process.

XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin cloaked the malware, also known as Yxe, and submitted it to the Symbian ...

Chrome security in limelight with Google OS plan

By Elinor Mills

The techniques Google uses to protect Chrome users from browser-based attacks have taken on new importance with the company's plan to make the software the centerpiece of a Netbook operating system.

Two weeks ago, Google announced plans for the open-source Chrome OS designed for people who spend ...

Firefox 3.0.12 patches five critical problems

By Stephen Shankland

Mozilla on Tuesday released Firefox 3.0.12, an update to the open-source browser that fixes five critical security vulnerabilities and a handful of other bugs.

"We strongly recommend that all Firefox 3.0.x users upgrade to this latest release," Mozilla said on its developer blog. "If you ...

LA officials question Google Apps plan

By Elinor Mills

A Los Angeles councilman and the head of a police group are questioning the city's plan to move government e-mail and other records onto Google's hosted Web service Google Apps.

"Anytime you go to a Web-based system, that puts you just a little further out than you were ...

Dodgy dealing & Info stealing.

By Rik Ferguson on snooping

The results of an investigation carried out by Sky News should be enough to worry anyone who is put in the unfortunate position of having to entrust their computer to a stranger. Researchers from Sky News set up a laptop with a keylogger and webcam-enabled surveillance software. They gave the laptop a very common, easy [...]

GFI LANguard 9 Review – Network Security Scanner & Vulnerability Management Tool

By Darknet on windows security scanner

GFI LANguard is a product that has been around for a LONG time, I remember using it way back at version 3 or 4 and it was always my choice of platform if I was auditing a Windows-based network. Especially internal Windows LAN setups with a domain; for Linux I always felt there were better [...]

Mozilla Denies Firefox 3.5 Bug Is Exploitable

By Darknet on milw0rm

Ah, a bug in our beloved Firefox, after the latest 3.5 update (which sees some definite improvements). The last one I recall was the Clickjacking Vulnerability, which also affected Chrome. It seems like it’s not too serious of an issue and will only cause crashing; there’s no room for remote exploitation or code execution. So it may [...]

U.S. Leads the Way in Malware, Spam

In Trojan attacks

Sophos latest report puts the United States on top of the malware hosting and spam sending lists.

Online Scam Smiths Attempt to Hang the DJ

In Web 2.0

Crafty 419 scammers are finding aspiring DJs on sites like Facebook and attempting to lure them into forking over some cash to pursue their dreams on the ones and twos.

Who is Using Fast Flux?

In Virus and Spyware

Fast flux botnet control techniques continue to prove effective as registrars have not sufficiently stepped up their efforts to choke it out, according to Team Cymru.

Witnesses: E-Verify system can't detect ID theft

Former agency officials told a Senate subcommittee that the E-Verify system for employment verification cannot detect identity theft.

Intel chief: Source of cyberattacks still unknown

The director of national intelligence said today federal officials aren't sure who was behind recent cyberattacks that knocked some government sites off-line.

House bill would restrict laptop searches

A House subcommittee today will consider legislation that would require DHS to strengthen protections for U.S. citizens whose laptops are searched at the borders.

Feds need help hiring cyber workforce

The government has problems hiring enough cybersecurity workers and needs to ratchet up recruiting, a study released today says.

6 steps to cutting the cord with departing employees

NASA uses a check in/check out de-provisioning checklist that invokes six inter-departmental actions that cut off outgoing workers from networks, applications, e-mail accounts and other agency resources.

Emergency IT authority for FERC gains support

Support is growing for proposals to give the Federal Energy Regulatory Commission additional authority to act during an emergency involving a cyberattack on the country's electric power system.

FBI's Dubree named assistant director of IT

Daniel Dubree is responsible for the operations of the bureau's information technology systems worldwide.

Researchers Bypass Secure Web Connections

EV SSL certificates are supposed to help people feel more secure online. But at Black Hat next week, two researchers plan to disclose a way around SSL protection.

HP Researchers Develop Browser-Based Darknet

HP security experts have developed a browser-based system for secure communications and plan to present their project at the upcoming Black Hat conference.

RIM Scrubs Spyware From UAE BlackBerrys

Users complained a firmware update -- unauthorized by RIM -- had led to decreased battery life and system crashes.

Google Apps Contract In LA Hits Security Headwind

The City of Los Angeles faces worries about privacy and security as it considers moving to Google Apps.

Senate Mulls Jamming Cell Phone Signals In Prisons

Proposed legislation seeks to halt the use of illegal cell phones in prisons but is countered by public interest agency officials.

Defense Dept. Seeks Cyberattack Protection

The main Web site of the Department of Defense was a target of a recent distributed denial of service attack.

Cyber Attack Code Starts Killing Infected PCs

Infected computers participating in the distributed denial of service attack on U.S. government and South Korean Web sites are set to destroy their own data.

DHS Systems More Secure, Inspector General Finds

Report indicates progress has been made certifying and accrediting the Department of Homeland Security's intelligence systems.

Cyber Attack Hits South Korea Web Sites Again

Attack denies access to some banking and U.S. government sites from South Korea and is similar to recent DDOS attacks there and in the U.S.

Details Emerge In U.S. Cyber Attacks

Malware that targeted Web sites of The White House, Department of Homeland Security, the FAA, and others appears to be a MyDoom variant.

Cyber Attacks Hit U.S. Government Sites; North Korea Eyed

Attacks crippled at least 11 U.S. government and private Web sites for much of the weekend. No data is believed to have been stolen.

Dell Launches Forensics Service For Police

Digital-forensics package of hardware, software, and services would help police reduce data backlogs. Dell partners include Intel, EMC, Oracle, and Symantec.

Defense Secretary Orders Cyberspace Command

Initiative aims to unify offense and defense in cyberspace under U.S. military command and enable responses "in Internet time rather than bureaucratic time."

Malware is their Business…and Business is Good!

By David Marcus on Rootkits and Stealth Malware

I cribbed the title from Megadeth - I admit it. However, when looking at this year’s growth in malware it seems disturbingly appropriate. Economic downturn globally or not, malware production continues at a record-setting pace because this is how many cybercriminals make their money (malware long ago stopped being about fun and bragging). We here [...]

UK couple chases bank over 'phantom' withdrawals

When Emma Woolf of London logged into her online account with Abbey National bank in early March, she expected to see a balance of £10,000 (US$16,300).

Adobe tries to explain Acrobat patch woe

Adobe has played down the charge that it has been serving users an insecure version of its Acrobat PDF Reader, claiming that the software is automatically updated after installation.

Data Leak Prevention On The Cheap

You may wonder if DLP is the updated version of RUN-DMC, but what it really stands for is Data Loss Prevention. Some call it “Data Leak Prevention” to emphasize that important company data often “leaks” away through no malicious action. But as compliance regulations like HIPAA, PCI-DSS, and FRCP multiply like acronym rabbits, more and more companies must take steps to stop data from leaving their business, whether it's lost, leaked or stolen.

RIM: UAE Carrier's Blackberry update was spyware

A Blackberry firmware update pushed out to subscribers of United Arab Emirates carrier Etisalat contained spyware, Research in Motion confirmed Tuesday.

Microsoft Office 2008 for Mac Service Pack 2 released

Microsoft's Macintosh Business Unit released Microsoft Office 2008 for Mac Service Pack 2 on Monday, billed as a midcycle free update designed to improve the user experience with speed, stability and compatibility enhancements.

Adobe admits users vulnerable after downloading Reader

Adobe acknowledged that some users are vulnerable to attack after downloading an outdated version of Reader from its Web site, and said it is reevaluating how it updates the popular PDF reader.

Oracle's Security solution for Banks

The Reserve Bank of India (RBI) has recently set up guidelines for banks to avoid risks related to DBA (Database Administrator) access and control. To help banks in India's BFSI sector meet these guidelines, they will now be able to use the Oracle Security and Compliance Solution.

Decision Manager Helped Spice Jet Cut Online Fraud

SpiceJet is operating under fierce competition, and online payment fraud has become rampant. CyberSource's Decision Manager, an automated online risk management solution, has helped SpiceJet automatically evaluate credit card transactions in real time.

US named as top spam-producing country

The US has been named the world's biggest spam-producing country.

Panda cranks up cloud anti-virus

Panda Software has cranked up its forthcoming Cloud Antivirus product with a new beta featuring what the company says is greatly improved performance and stability.

Hilton hotels book in new CIO

Hilton Hotels Corporation, the global hotel chain, has hired Robert Webb as its new CIO from financial information provider Equifax.

OMB eyes new metrics for security at federal agencies

The White House Office of Management and Budget is looking for better ways to measure the readiness of government agencies to fend off cyberthreats, according to federal CIO Vivek Kundra.

Mozilla denies new Firefox bug is security risk

Mozilla is denying that a bug that crashes Firefox 3.5 is a security flaw, countering earlier reports that the company's latest browser contained a vulnerability, even though it had just been patched.

Ottawa MIA in cyberwarfare?

A Canadian anti-Internet censorship organization which recently exposed the activities of a China-based computer spy network says the Canadian government is dropping the ball in taking a pivotal role in leading a global effort against cybercrime such as the distributed-denial-of-service (DDoS) attacks now crippling major U.S. and South Korean Websites.

IT exec who sabotaged organ donation records sentenced

The IT director of a nonprofit organ procurement center for more than 200 hospitals in Texas has been sentenced to two years in prison for deleting numerous organ donation records and other data after being fired from her job.

Feds suffer from 'serious' IT security talent shortage
New report counts the ways

The United States government faces a serious shortage of skilled cybersecurity specialists, according to a new report, which estimates the country may need an 8-fold increase in the number of nationally sponsored graduates with security degrees.…

Firefox laggards offered security update
3.0.12 release fixes multiple critical bugs

Mozilla has released a security and stability update for users still running 3.0.x versions of Firefox.…

Twitter, Facebook urged to improve security
'Vulnerable' defined in less than 140 characters

Social networking sites such as Twitter and Facebook have become feeding grounds for cybercrime.…

Adobe spanked for insecure Reader app
Download, install, then update

Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild to install harmful malware on users' machines.…

Open-source firmware vuln exposes wireless routers
Back door to complete control

A hacker has discovered a critical vulnerability in open-source firmware available for wireless routers made by Linksys and other manufacturers that allows attackers to remotely penetrate the device and take full control of it.…

Canadian privacy chief flunks Facebook
Lax data policies in sharp detail

Facebook does not protect personal information well enough to comply with Canadian data protection law, the Canadian Privacy Commissioner has said.…

Erin Andrews peephole footage spreads Trojan
Malware risk to the unwary horny

Updated: Supposed hidden camera footage of US sports reporter Erin Andrews on offer online often leads to malware, security firm Sophos warns.…

NotW bosses fight back over hacking claims
Never done nothin' or nothin'

Tory communications boss Andy Coulson has assured MPs that he played no part in either condoning or facilitating phone hacking while editor of the News of the World.…

RIM fights BlackBerry snoop gaffe
Denies involvement in half-baked Etisalat scheme

RIM, maker of the BlackBerry mobile phone, has told the Reg that Etisalat is talking tosh and the BlackBerry remains a secure platform, after the United Arab Emirates operator "patched" the device with surveillance software.…

Deutsche Bank sacks two for spying
Lives of Others lives on

Deutsche Bank has sacked two senior executives for spying on its board of directors and two other people.…

Swine flu malware poses as pig plague update
Telling porkies

Wrongdoers have created a new strain of swine flu-themed malware.…

YA0D (Yet Another 0-Day) in Adobe Flash player, (Wed, Jul 22nd)

Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits active ...(more)...

DD-WRT Vulnerability, (Wed, Jul 22nd)

Paul wrote in to let us know about a new vulnerability in DD-WRT that was being reported in the Regi ...(more)...

Vulnerability in dhclient - Check Your Vendor For Patches, (Wed, Jul 22nd)

US-CERT released VU#410676, which deals with a vulnerability in the ISC DHCP dhclient applicatio ...(more)...

Firefox 3.0.12 is Available, (Wed, Jul 22nd)

For those Firefox users which have not upgraded to 3.5 ...(more)...

GAO Report Finds Problems With Agencies' Security Practices and FISMA Guidance (July 17, 2009)

A report from the US Government Accountability Office (GAO) found "persistent weaknesses in information security policies and practices that continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies.......

Virtual Task Force Cooperation Helps Police Nab Cyber Criminals (July 8, 2009)

An agreement struck by banks and credit card companies to create a virtual task force to share information about cyber attacks and malware has resulted in busts of two cyber crime gangs, netting a total of 22 arrests.......

Police in Queensland, Australia to Seek Out Unsecured Wireless Networks and Warn Owners (July 17, 2009)

Police in Queensland, Australia plan to wardrive for unsecured wireless networks.......

Pirate Websites to go Legit (20 July, 2009)

In a move similar to that made by Napster, the companies behind Pirate Bay and Kazaa have decided to legitimize their respective business models.......

Microsoft Files Lawsuit Against Alleged Phishers (July 17, 2009)

Microsoft has filed a lawsuit in Washington state accusing two companies of using phishing tactics to trick Live Messenger users into divulging their login information.......

Amazon Deletes Purchased Books From Kindle Users' Devices (July 17, 2009)

Kindle owners who had purchased electronic copies of George Orwell's Animal Farm and 1984 were no doubt surprised to find the books deleted from their devices last week.......

City of Los Angeles Considering Move to Google-Provided Cloud Computing (July 16 & 17, 2009)

The city of Los Angeles has proposed moving its government e-mail, police records and other information management to Google's cloud computing services.......

JavaScript DOM Flaw Affects Most Browsers (July 16 & 17, 2009)

A security flaw in JavaScript's Document Object Model (DOM) affects most major web browsers.......

Mozilla Releases Firefox 3.5.1 (July 17, 2009)

On Thursday, July 16, Mozilla released Firefox 3.......

Google Chrome 2 Update Addresses Two Flaws (July 16 & 17, 2009)

Google has released version 2.......

Eircom Acknowledges Cache Poisoning Attacks (July 17, 2009)

Irish internet service provider (ISP) Eircom says that twice within the last few weeks it was targeted by a cache poisoning attack that redirected customers to sites they did not intend to visit.......

Consumer Devices with Embedded Web Interfaces are Vulnerable to Attacks (July 16, 2009)

Stanford University researchers tested 21 devices with embedded web interfaces, such as webcams, printers, network switches, and photo frames, and found that none was immune to attack.......

The United States Tops the Spam Table (July 20, 2009)

A recent study by Sophos shows that the United States is responsible for relaying more spam than any other country in the world.......

INFOSEC Leadership Council - Secrets of Great Security Managers

INFOSEC Leadership Council webcast on how to get security programs implemented when you have no authority to demand action......

Adobe acknowledges serious Flash zero-day vulnerability

By SearchSecurity.com Staff

Adobe Systems Inc. said it was investigating a potential Adobe Flash error. Symantec discovered attacks exploiting Flash in the wild.

Hacker skills include business plans to optimize revenue

By Eric Ogren

Cybercriminals take tips from business pros to expand their reach, optimize revenue and make the most money with the least amount of investment.

Hackers to award most over-hyped bug, epic fail

By Robert Westervelt

The annual Black Hat hackers conference will include an informal award ceremony recognizing security industry failures and over-hyped bugs.

GAO report cites government weaknesses, data leakage

By Robert Westervelt

Federal agencies continue to lack adequate access controls, encryption and risk assessments. Specialized security training was also weak, according to the report.

Novell Launching IAM into the Cloud

Novell is unveiling a cloud-based security service to perform identity and access management for hosted applications and hosted storage. The vendor plans to unveil the technology next week at a conference in San Diego.

Researchers to Unveil Browser-Based Darknet at Black Hat

HP security researchers are presenting a browser-based darknet at Black Hat. The darknet permits secure communication and file sharing, and could be accessed by any device with a browser - from a PC to an iPhone.

Smart Grid Security in the Spotlight at Black Hat

Security researchers have their eyes on the electric grid at the upcoming Black Hat security conference in Las Vegas. In separate talks, researchers will highlight some of the threats and concerns facing plans to deploy smart grid technology - and what can be done about them.

Microsoft Scrambling to Close Stubborn Security Hole

In Latest Warnings

Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned. Last week, on its regularly scheduled Patch Tuesday (second Tuesday of the month), Redmond issued software updates to plug nine security holes. Among those was a patch for a flaw in Windows and Internet Explorer that hackers were exploiting to break into PCs. However, it soon became clear that Microsoft had known about this vulnerability since at least April 2008. On July 9, noted security researcher Halvar Flake published a blog post suggesting that the reason Microsoft took so long to fix the bug may be because the flaw was caused by a far more systemic problem in Windows.

Update for Norton Internet Security & Firefox 3.5

In New Patches

A few readers have asked me why their installation of Norton Internet Security 2009 won't play nice with their copy of Firefox 3.5. Symantec now has an update to fix this compatibility issue. The problem was with the Norton Toolbar, a component of NIS2009 that Symantec markets as a way to encrypt and securely store your passwords and logins, and other sensitive data. I know many people who use this feature, so if you're one of them, follow the instructions here to get this feature to work with Firefox 3.5. If you use NIS2009 but don't store your personal data with the toolbar, there is no need to install this update. NIS has earned a bad rap over the years for being a slow, resource-hogging beast of an anti-virus program, but when I trialed the program for a few months, I found NIS2009 to be very fast and unobtrusive.

Cloud Computing; The Past, The Present, The Future (Part 1)

By rickym@trencor.net (Ricky M. Magalhaes)

What a company needs to consider when evaluating a cloud service.

Hacking Oracle's database will soon get easier (Reuters)

In technology

Reuters - Hackers will soon gain a powerful new tool for breaking into Oracle Corp's database, the top-selling business software used by companies to store electronic information.

BlackBerry maker: UAE partner's update was spyware (AP)

In technology

AP - BlackBerry users in the Mideast business centers of Dubai and Abu Dhabi who were directed by their service provider to upgrade their phones were actually installing spy software that could allow outsiders to peer inside, according to the device's maker.

Report: Shortage of cyber experts may hinder govt (AP)

In technology

AP - Federal agencies are facing a severe shortage of computer specialists, even as a growing wave of coordinated cyberattacks against the government poses potential national security risks, a private study found.

BlackBerry cries foul over UAE 'spyware' (AFP)

In business

AFP - The makers of BlackBerry have charged that an update issued by UAE telecommunications company Etisalat was actually spyware, the local press reported on Wednesday.

RIM: UAE Carrier's Blackberry Update Was Spyware (PC World)

In technology

PC World - A Blackberry firmware update pushed out to subscribers of United Arab Emirates carrier Etisalat contained spyware, Research in Motion confirmed Tuesday.

Erin Andrews Video Attacks Target Macs and PCs (PC World)

In technology

PC World - Internet crooks love to create attack sites and e-mails that use lures based on popular news items and Internet porn. When the two come together, as with the recent news of an online "peephole" video of ESPN sportscaster Erin Andrews, the malware is sure to swarm.

Adobe ships insecure version of Reader from official site

By Dancho Danchev on Patch Watch

Following reports by users of Secunia’s Personal Software Inspector on a potential false positive for an insecure version of Adobe Reader, the company has found that Adobe is surprisingly shipping the insecure Adobe Reader 9.1.0 version from its official site, potentially exposing users to previously fixed flaws in the latest 9.1.2 version. Adobe’s comment on the [...]

Some important truths about pen-testing

By Ryan Naraine on Vulnerability research

Guest editorial by Alberto Soliño. Penetration testing is a highly scientific, metrics-driven approach to IT security that has been in practice since almost the dawn of the modern computing era, when programmers first began conducting organized tests, or “hacks”, of their own or others’ technologies to test their performance and reliability. From nearly the start, as developers [...]

Lawmakers: Electric utilities ignore cyber warnings

Posted by InfoSec News on Jul 22

http://www.computerworld.com/s/article/9135753/Lawmakers_Electric_utilities_ignore_cyber_warnings?taxonomyId=17

By Grant Gross
IDG News Service
July 21, 2009

The U.S. electrical grid remains vulnerable to cyber and electromagnetic pulse attacks despite years of warnings, several U.S....

Open-source firmware vuln exposes wireless routers

Posted by InfoSec News on Jul 22

http://www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/

By Dan Goodin in San Francisco
The Register
21st July 2009

A hacker has discovered a critical vulnerability in open-source firmware available for wireless routers made by Linksys and other manufacturers that allows...

GAO: Many Federal Agencies Still Don't Meet Security Standards

Posted by InfoSec News on Jul 22

http://www.darkreading.com/insiderthreat/security/government/showArticle.jhtml?articleID=218501432

By Tim Wilson
DarkReading
July 20, 2009

Virtually all of the U.S. federal government's key civilian agencies are still falling short of the security marks they have been asked to meet, ...

Researcher: BlackBerry Spyware Wasn't Ready for Prime Time

Posted by InfoSec News on Jul 22

http://www.wired.com/threatlevel/2009/07/blackberry-spyware/

By Kim Zetter
Threat Level
Wired.com
July 21, 2009

A BlackBerry software upgrade in the Middle East that turned out to be an e-mail interception program was likely a buggy beta version of a U.S.-made surveillance product,...

O'Brien: Corporate secrecy under the microscope after Twitter leaks

Posted by InfoSec News on Jul 22

http://www.mercurynews.com/ci_12886345

By Chris O'Brien
Mercury News Columnist
07/21/2009

The publication of internal documents about Twitter that were filched by a hacker caused fans across Silicon Valley to express their outrage before they hunkered down to read them.
