Monday, August 17, 2009

Around The Horn vol.1,146

An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information

Tenable's Ron Gula gives us an update on Nessus which now performs many of the industry standard web application tests such as SQL injection and Cross Site Scripting analysis. This, combined with Tenable's database, application and operating system configuration audits, can provide a much deeper form of analysis than pure black-box testing.

Three men indicted in largest U.S. data breach

By Elinor Mills

Two Russians and a Florida man were charged on Monday with hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, and stealing data related to more than 130 million credit and debit cards.

The indictment names 28-year-old Albert Gonzalez of Miami, who already has been charged with ...

Georgian cyber attacks launched by Russian crime gangs
With help from Twitter, Facebook and Microsoft

Last year's cyber attacks that brought internet traffic to a standstill in Georgia were carried out by civilians and Russian crime gangs, in some cases with the unwitting help of websites and software companies located in the US, according to researchers.…

YAMWD: Yet Another Mass Web Defacement, (Mon, Aug 17th)

Thousand of sites were mass defaced on yet another large web hoster (in this case servage.net) possi ...(more)...

Microsoft-sponsored reports find IE8 most secure browser (Updated)

By emil.protalinski@arstechnica.com (Emil Protalinski) on Safari

During July 2009, a company called NSS Labs performed two separate browser security tests, which Amy Barzdukas, General Manager of Internet Explorer, told Ars that Microsoft had sponsored. Right off the bat, your suspicions have probably been raised, and rightly so. Internet Explorer 8 performed very well in all the tests and, while Microsoft insists that it had no impact on the results, we must still be cautious when examining the reports.

Researchers "hack the vote" in real-world e-voting attack

By segphault@arstechnica.com (Ryan Paul) on evoting

A group of security researchers has published a fascinating study that demonstrates how to hack a Sequoia AVC Advantage voting machine. We have already seen several electronic voting machines hacked by experts in controlled environments, but this study goes a step further and shows that it can be done in the wild without privileged access to source code or other specialized materials.

The study was conducted by a group of voting machine security experts led by Ed Felten, the director of Princeton's Center for Information and Technology Policy. They used a technique called return-oriented programming to circumvent the built-in security mechanisms in an AVC Advantage voting machine and cause it to divert votes from one candidate to another in a simulated election.

New OS X Security Update (2009-004) patches DNS issue

By jacqui@arstechnica.com (Jacqui Cheng) on Software Update

What's that, you say? You just updated to Mac OS X 10.5.8 last week with all of its security fixing goodness? That's too bad, says Apple, because there's a new security update out for OS X. Security Update 2009-004 is, as usual, recommended for all users of both Leopard and Tiger (PPC and Intel) and rolls all previous security fixes into this update.

According to Apple's security page for the 2009-004 update, there's only one major fix included in this package, and it has to do with BIND. "By sending a maliciously crafted update message to the BIND DNS server, a remote attacker may be able to interrupt the BIND service," writes Apple. "The issue affects servers which are masters for one or more zones, regardless of whether they accept updates. BIND is included with Mac OS X and Mac OS X Server but it is not enabled by default. This update addresses the issue by properly rejecting messages with a record of type 'ANY' where an assertion would previously have been raised."

Because BIND is not enabled by default, it's unlikely that you need to go running for Software Update at this very second. However, it's always a good idea to keep updated, so get to downloading already. Chop chop.

New trojan that hijacks your Mac's DNS spotted in the wild

By chris.foresman@arstechnica.com (Chris Foresman) on trojan

A trojan disguising itself as a QuickTime player update has been identified in the wild. The trojan is related to similar previous trojans that disguised itself as a media player of some sort. However, this new version specifically attempts to hijack DNS requests, sending unsuspecting users to any website the trojan authors wish.

The latest version of this trojan, dubbed OSX_JAHLAV.D by Trend Micro, comes from a number of websites like comandtryx.com, simplexdoom.com, and sinisteer.com—all which originate from a server with the IP address 91.214.45.73. When clicking to play the videos on these sites (I can only assume it promises to be TEH BESTEST PR0N EVAR!!!), you'll be prompted to install a QuickTime update or plug-in. If you agree, a file called QuickTimeUpdate.dmg will be downloaded.

Symantec, 11 others, fail Virus Bulletin's August 2009 test (Updated)

By emil.protalinski@arstechnica.com (Emil Protalinski) on Virus Bulletin

Virus Bulletin (VB) conducted its latest test in July, posting the results this month. The security research company evaluated 35 anti-malware products for the 32-bit version of Windows Vista SP2 Business. The basic requirements for a product passing the test is detecting, both on demand and on access, in its default settings, all malware known to be "In the Wild" at the time of the review, and not detecting any false positives when scanning a set of clean files. The products were pitted against about 3,000 unique samples of malware that fall into four categories: WildList viruses, Worms and bots, Polymorphic viruses, and Trojans.

Three men indicted in largest U.S. data breach

By Elinor Mills

Two Russians and a Florida man were charged on Monday with hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, and stealing data related to more than 130 million credit and debit cards.

The indictment names 28-year-old Albert Gonzalez of Miami, who already has been charged with ...

How 10 digits will end privacy as we know it

By Ari Juels

Editors' note: This is a guest column. See Ari Juels' bio below.

Internet denizens and urban dwellers alike need to recognize that an era of anonymity is ending.

The population of the world stands at about 7 billion. So it takes only 10 digits ...

Researchers prove kernel is secure

By Tom Espiner

Australian researchers have demonstrated a way to prove core software for mission-critical systems is safe.

The researchers this week said they can prove mathematically that code they have developed, designed to govern the safety and security of systems in aircraft and motor vehicles, is free of many classes of error. ...

Security firms discover botnet on Twitter

By Caroline McCarthy

A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece malware ...

WSJ: China not requiring Green Dam software

By Lance Whitney

The Chinese government may be waving a white flag in response to all the criticism of its Green Dam filtering software.

Beijing won't force the widespread installation of the Internet filtering program on PCs and other consumer products, China's industry minister, Li Yizhong, said Thursday, according to a ...

Office, Windows get critical patches

By Ina Fried

Microsoft on Tuesday released nine patches, five of them critical, to plug holes in Windows and other software products.

The nine patches actually relate to 19 separate vulnerabilities in Windows, the .Net Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server, and Remote Desktop Client for Mac...

Richard Dawkins forum compromised

By Rik Ferguson on web

The discussion forum at RichardDawkins.net appears to have been compromised   Richard Dawkins, the evolutionary biologist and popular science author, famed for his no-holds-barred approach to what he sees as the unsubstantiated claims made by religion, certainly has all the proof he needs to believe in the cybercriminal underground.   Members of the discussion forum over at RichardDawkins.net all [...]

Two more rogue Facebook apps linked to Fucabook scam

By Rik Ferguson on web

I have been continuing to look into the Facebook phishing/rogue application story that I blogged about yesterday, because it wasn’t at all clear to me how the application “sex sex sex and more sex!!!” was generating those messages pointing to the malicious web site.   My research has turned up two further Facebook applications which this time have quite clearly [...]

Rogue Facebook application leads to phishing

By Rik Ferguson on web

A rogue Facebook application appears to be sending notifications that lead users to a credential harvesting site.   Prospective marks receive a Facebook notification that a user has commented on one of their posts, as above. The notifications appear to come from an application called “sex sex sex and more sex!!!” which despite sounding shady and looking a bit of [...]

Spineless Twit

By Rik Ferguson on web

I returned from my two weeks of paternity leave, logged in to my various online accounts and started to get myself back up to speed this Sunday evening. When I logged into my Twitter account I noticed an incongruously malevolent sounding message that had been sent to me anonymously:   The message is designed to use the [...]

Twitter Being Used As Botnet Command Channel

By Darknet on worms

Ah Twitter in the news again, the bad guys sure do keep up with new trends. After being taken offline for a while by a Joejob DDoS attack Twitter is in the news again – this time it’s being used as the command channel for a Botnet. The normal method for controlling Botnets is via an [...]

sslsniff v0.6 Released – SSL MITM Tool

By Darknet on sslsniff

This tool was originally written to demonstrate and exploit IE’s vulnerability to a specific “basicConstraints” man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes. It is designed to MITM all SSL connections on a LAN and dynamically generates [...]

Wordpress 2.8.3 Admin Reset Exploit

By Darknet on wordpress-vulnerability

Ah it’s Wordpress again, sometimes I wonder how many holes there are in Wordpress. I guess a dedicated attacker could find some serious ones with the complexity of the code base. It’s suspected some of the recent high profile breaches have come from Wordpress exploits. The latest one to become public is a simple but effective flaw, [...]

Xplico – Network Forensic Analysis Tool

By Darknet on xplico

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic [...]

Twitter Used to Control Data-Stealing Botnet

In Web 2.0

Arbor Networks researcher Jose Nazario discovered a botnet using Twitter as a command and control. The tweets he found contained links to sites where bots could download new commands and executables.

Attack Variants Living Shorter Shelf-Lives

In Virus and Spyware

With over 50 percent of all new attacks living for less than 24 hours, it's becoming impossible for AV companies to keep up using traditional methods.

eBay Calls for Stricter Passwords for Developers

In eBay

eBay is requiring developers to adopt stronger passwords to protect their information, as the company has identified a way for attackers to access data with authorization.

Criminal Prescription: Fake Pharmacies Haunt Bing

In Virus and Spyware

Ads for illegal pharmacy sites dominate the results for related keyword searches on Microsoft's new Bing.com engine.

Open Source Web Anti-Malware Tool Released

In Web 2.0

Dasient launched a free open source iteration of its URL anti-infection software.

Trend Micro Uncovers DNS-Changing Mac Trojan

In Trojan attacks

Researchers at Trend Micro have published details of a new version of a DNS-changing Trojan targeting Macs.

True Love Never Dies

In Virus and Spyware

Attackers keep rolling back the clock on some old school techniques, and threats that attempt to tap into interest in matters of love are nearly as old as the popular concept of malware itself.

Spam Growing Upwards, Onwards

In Virus and Spyware

Spam seemingly only changes by returning to its roots, and ebbing its volumes ever upwards, no matter what we do about it.

Enterprises Crack Down on Web 2.0 Data Leaks

In Web 2.0

New research from Proofpoint shows that enterprises are increasingly dealing with data leaks on blogs, social networks and media sharing sites - and they are not taking it lightly. Many organizations are cracking down on employees for breaking data security policies surrounding blogs, Facebook and other Web 2.0 technology.

HHS walks a tightrope on health information exchange, advisory group says

HHS is walking a tightrope in trying to craft the right balance for health information exchanges, according to a federal advisory group's report.

Social media dominates new DOD Web site

Social media is the prominent feature on the new Defense Department's home page, which was launched today.

Passenger screening program to collect more data

U.S. airlines will begin collecting passengers' dates of birth and gender when they make reservations under the Transportation Security Administration’s Secure Flight program.

Schliesske lured by 'cool stuff'

After seeing the 'cool stuff' his twin brother and father were doing in the Army, Harold Schliesske left the private sector for government leadership — and he hasn’t looked back.

DHS plans cybersecurity wiki

The Homeland Security Department plans a new wiki that federal cybersecurity centers would use to coordinate efforts and improve situational awareness.

DHS expands global trusted traveler program

DHS' international trusted traveler program is expanding to more airports this month.

Agencies told to keep up with ID management

A senior GSA executive gives an inside look at governmentwide identity management initiatives at Virtual FOSE.

Navy CIO says cybersecurity is an urgent national issue

The Navy's CIO said today that cybersecurity must evolve rapidly to deal with the most serious economic and security challenge of the 21st century.

IG: Energy needs more protection for some data

The Energy Department's inspector general says more action is needed to protect the department's electronic information that is unclassified, but sensitive.

Virtual FOSE: Metrics, comparisons recommended for winning IT security support

Alan Paller, the director of research at the SANS Institute, recommends that IT security professionals without budget authority use reliable metrics, numbers and comparisons to win support from executives.

Navy's network security roadmap to be explained at Virtual FOSE

Navy Department Chief Information Officer Robert Carey will be the keynote speaker at tomorrow’s Virtual FOSE conference.

Business groups want Congress to address E-Verify concerns

TechAmerica and others ask lawmakers to deal with their worries about E-Verify.

Government, industry create threat forum for power grid

EnergySec has grown to include 200 members from the electric power industry, security vendors and government regulators since its formation in December to provide an alternative to the more formal ISAC for rapid sharing of information.

IG fears risks to DHS stimulus money

The Homeland Security Department's inspector general has said DHS should work to mitigate risks that may affect its capability to prudently spend, manage and report on $2.8 billion it got in stimulus money, including hundreds of millions for technology.

Security upgrades highlight DISA buying surge

The Defense Information Systems Agency plans to bolster security features embedded in its far-flung networks and data centers via several acquisition projects planned for the twilight of fiscal 2009.

US-CERT director resigns

Mischel Kwon, director of the Homeland Security Department's operational cybersecurity team that handles cyber incident detection, warning and response activities for civilian agencies’ networks, has resigned. She will join RSA in early September.

Rising Star Beth Sherry Maloney

Maloney served as social-media evangelist and educator, both within Palladian and in the federal IT community at large. She also managed the transition of the Treasury Department’s HSPD-12 initiative to the General Services Administration’s USAccess shared-services program.

Rising Star Alma Ritter Cole

Cole led the response to the Adobe Reader JBIG2 vulnerability. His team identified and tracked multiple spear-phishing e-mail messages that attempted to exploit this vulnerability. His team also tackled other zero-day security threats — that is, flaws for which no fixes are available.

Rising Star Mary Beth Murphy

Murphy managed the transition of the Treasury Department's HSPD-12 initiative to the General Services Administration's USAccess shared services program.

Rising Star Richard J. Renomeron

Renomeron led a team of engineers that provides the Office of Management Budget with an array of systems for developing budgets, including the much-lauded Max Federal Community wiki.

Murphy leads Treasury's HSPD-12 charge

Mary Beth Murphy shepherded Treasury's employee ID card effort.

Government rethinks ban on tracking Web site visitors

The government could adopt consumer technology, but it would require policy changes.

Peer pressure: Congress plans file-sharing ban

Peer-to-peer software, used to easily share computer files, poses a security risk and has no place on government or contractor networks, according to some members of Congress who held a hearing about the technology recently.

Biometrics integral to modern combat

Biometrics are essential for modern warfare and can bridge organizational gaps, experts say.

DeepSec 2009 - Preliminary Schedule is online

Posted by InfoSec News on Aug 17

The third DeepSec conference is taking place between 17th and 20th November at the Imperial Riding School Renaissance Hotel.

The in-depth security conference will include two days of security talks during the conference and...

Heartland CEO gets a smackdown after his CSO interview

Posted by InfoSec News on Aug 17

http://blogs.computerworld.com/14539/heartland_ceo_gets_a_smackdown_after_his_cso_interview

By Michael R. Farnum
Hitting the Security Nerve
Computerworld Blogs
August 13, 2009

If you are reading this, you probably know about Heartland Payment Systems and the credit card system breach...

Physical Penetration Testing Tells All

Posted by InfoSec News on Aug 17

http://www.darkreading.com/blog/archives/2009/08/physical_penetr.html

By John Sawyer
Dark Reading
Aug 14, 2009

Rob Enderle had a great post here on Dark Reading on the discrepancies between physical and system security and what happens when they don't match up. The problem is most...

US Cyber Challenge Training Hackers to Fight Criminals and Spies

Posted by InfoSec News on Aug 17

http://www.voanews.com/english/2009-08-14-voa54.cfm

By Meredith Hegg
Washington
VOA News
14 August 2009         

Computer security engineer Alan Paller recalls how the Soviet Union's 1957 launch of Sputnik, the world's first artificial satellite,...

Phone Hacking Threat Is Low, but it Exists

Posted by InfoSec News on Aug 17

http://gadgetwise.blogs.nytimes.com/2009/08/14/phone-hacking-threat-is-low-but-it-exists/

By Roy Furchgott
Gadget Wise
The New York Times
August 14, 2009

While the threat of bad guys hacking into your phone may remain minimal, it isn't non-existent. In fact, one security expert created...

Security Cyber Czar Steps Down

Posted by InfoSec News on Aug 17

Expert Contributor?!?

http://www.glgroup.com/News/Security-Cyber-Czar-Steps-Down-42498.html

August 15, 2009
Analysis by: GLG Expert Contributor
Analysis of: Security Cyber Czar Steps Down Published at: online.wsj.com

Summary

Without a Cyber Security Czar in the federal government...

Cuba capable of waging a cyberwar

Posted by InfoSec News on Aug 14

http://www.miamiherald.com/opinion/other-views/story/1183690.html

By Manuel Cereijo
Miami Herald
08.13.09

During the last few weeks there have been thousands of cyber attacks on computers and computer networks in the U.S. government and private entities. The United States, because of its...

DHS plans cybersecurity wiki

Posted by InfoSec News on Aug 14

http://fcw.com/articles/2009/08/13/web-cyber-ops-wiki.aspx

By Ben Bain
FCW.com
Aug 13, 2009

The Homeland Security Department plans to develop a cyber ops wiki that agencies can use to improve collaboration on cyber security efforts, according to a notice from the department.

The...

Report: NISTs Cybersecurity Guidelines Arent Enough

Posted by InfoSec News on Aug 14

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=219300112

By J. Nicholas Hoover
InformationWeek
August 13, 2009

A set of cybersecurity controls recently recommended by the National Institute of Standards and Technology for federal agencies doesn't go...

Top Security Firm RSA Tries to Silence Blog

Posted by InfoSec News on Aug 14

http://www.wired.com/threatlevel/2009/08/rsa-tries-to-silence-blog/

By Kim Zetter
Threat Level
Wired.com
August 13, 2009

RSA security, one of the top security firms in the country, has sent takedown notices to a blogger and his hosting company in an effort to silence his discussion of a...

Twitter transformed into botnet command channel

Posted by InfoSec News on Aug 14

http://www.theregister.co.uk/2009/08/13/twitter_master_control_channel/

By Dan Goodin in San Francisco
The Register
13th August 2009

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the...

Cybersecurity resignations raise questions

Posted by InfoSec News on Aug 14

http://washingtontimes.com/news/2009/aug/13/key-cybersecurity-staff-quit/

By Shaun Waterman
THE WASHINGTON TIMES
August 13, 2009

The resignation last week of two of the government's top cybersecurity officials has raised questions about President Obama's much-touted effort to fix...

Reporting terrorism, affect your credit? (were doomed)

Posted by InfoSec News on Aug 13

Forwarded from: security curmudgeon <jericho (at) attrition.org>

http://attrition.org/security/rant/fbi01.html

Reporting terrorism, affect your credit? (we're doomed) Tue Aug 11 05:49:16 EDT 2009
security curmudgeon

Right as I am about to wind down for the night, ISN rolls in,...

Heartland CEO on Data Breach: QSAs Let Us Down

Posted by InfoSec News on Aug 13

http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down

By Bill Brenner
Senior Editor
CSO
August 12, 2009

For Heartland Payment Systems Inc. CEO Robert Carr, the year did not start off well, to say the least.

In January, the Princeton, N.J.-based...

NBA Star Warns Over Stolen Laptop

Posted by InfoSec News on Aug 13

http://www.thesmokinggun.com/archive/years/2009/0812091baron1.html

The Smoking Gun
August 12, 2009

A laptop containing "a variety of private images" of NBA star Baron Davis has been stolen and the athlete's lawyers are threatening legal action if the material is published....

Google Helped Twitter Deal With Attacks (GOOG)

Posted by InfoSec News on Aug 13

http://www.businessinsider.com/twitter-cofounder-google-helped-us-thwart-attacks-2009-8

By Nicholas Carlson
Silicon Alley Insider
Aug. 12, 2009

Google and Twitter might be cozier than we thought.

With Facebook and FriendFeed getting together, people are starting to wonder if Twitter...

Android security chief: Mobile-phone attacks coming

Posted by InfoSec News on Aug 13

http://www.computerworld.com/s/article/9136593/Android_security_chief_Mobile_phone_attacks_coming?taxonomyId=17

By Robert McMillan
August 12, 2009
IDG News Service

As smartphones become more popular, they're going to get some unwanted attention from criminals, Google Inc.'s head of...

Czar Prospect on Federal Cybersecurity

Posted by InfoSec News on Aug 13

http://www.govinfosecurity.com/articles.php?art_id=1697

By Eric Chabrow
Managing Editor
Gov Info Security
August 11, 2009

What's most important about the job of presidential cybersecurity coordinator isn't whether or not it reports to two bosses or how high on the White House...

UC Berkeley School of Journalism Server Hacked

Posted by InfoSec News on Aug 13

http://www.dailycal.org/article/106235/uc_berkeley_school_of_journalism_server_hacked

By Angelica Dongallo
Contributing Writer
The Daily Californian
August 10, 2009

Almost 500 applicants to the UC Berkeley Graduate School of Journalism were notified today that their Social Security...

FNA Managing Director Warns about Cyber War against Iran

Posted by InfoSec News on Aug 13

http://english.farsnews.com/newstext.php?nn=8805211171

13 Aug 2009

TEHRAN (FNA)- FNA managing Director Hamid Reza Moqaddamfar urged Iranian officials and people to keep vigilant against enemies' hostile moves against Iran through cyber and satellite technologies, viewing them as parts of...

Network Solutions Breach Revives PCI Debate

Posted by InfoSec News on Aug 11

http://www.bankinfosecurity.com/articles.php?art_id=1691

By Linda McGlasson
Managing Editor
Bank Info Security
August 10, 2009

The recent data breach at Internet domain administrator and host Network Solutions compromised more than 573,000 credit and debit cardholders and begs the...

Sandia to boot behemoth botnet

Posted by InfoSec News on Aug 11

http://gcn.com/articles/2009/08/10/sandia-botnet.aspx

By Joab Jackson
GCN.com
Aug 10, 2009

Starting in October, a huge botnet will be run not by nefarious underground figures but by the Energy Department's Sandia National Laboratories. The lab's Thunderbird supercomputer will...

Georgian blogger calls for Twitter attack probe

Posted by InfoSec News on Aug 11

http://www.theregister.co.uk/2009/08/10/cyxymu_letter_to_medvedev/

By Dan Goodin in San Francisco
The Register
10th August 2009

The pro-Georgian blogger who was the target of attacks that shut down micro-blogging website Twitter last week has called on Russian President Dmitry Medvedev...

Hacker with Aspergers Sentenced to 55 Months for Trucking Scheme

Posted by InfoSec News on Aug 11

http://www.wired.com/threatlevel/2009/08/truckers/

By Kevin Poulsen
Threat Level
Wired.com
August 10, 2009

A Los Angeles hacker received a slightly reduced sentence Monday of 55 months in prison for participating in a multi-million computer fraud scheme, after a federal judge took into...

Report: Less Budget, More Data Leaks

Posted by InfoSec News on Aug 11

http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=219100645

By Kelly Jackson Higgins
DarkReading
Aug 10, 2009

Half of all organizations say tighter budgets have hurt their ability to protect the leakage of sensitive or confidential information during the...

Cybersecurity Official Resigns

Posted by InfoSec News on Aug 10

http://www.washingtonpost.com/wp-dyn/content/article/2009/08/07/AR2009080702805.html

By Ellen Nakashima
Washington Post Staff Writer
August 8, 2009

A top operational official in charge of protecting civilian government computer networks has resigned, dealing another blow to the federal...

Computer hacker exposes MI5 security flaw

Posted by InfoSec News on Aug 10

http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article6788694.ece

By Kevin Dowling
The Sunday Times
August 9, 2009

A COMPUTER hacker who breached MI5รข€™s official website to reveal how criminals could spy on its users has criticised the agency’s security practices....

UK national ID card cloned in 12 minutes

Posted by InfoSec News on Aug 10

http://www.computerweekly.com/Articles/2009/08/06/237215/uk-national-id-card-cloned-in-12-minutes.htm

By Ian Grant
ComputerWeekly.com
06 Aug 2009

The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning.

The newspaper hired computer...

IT admin charged in Xmas Eve rampage on charity

Posted by InfoSec News on Aug 10

http://www.theregister.co.uk/2009/08/07/it_admin_christmas_eve_rampage/

By Dan Goodin in San Francisco
The Register
7th August 2009

The former IT admin for a Florida-based charity stands accused of ransacking the organization's servers and phone systems last Christmas eve, more than a...

Hacker Indicted For Stealing 130 Million Credit Cards

A Miami resident and two unnamed co-conspirators have been indicted for hacking major retailers and stealing credit card data.

Cyber Attack Against Georgia Blurred Civilian And Military

Last year's cyber assault against Georgia represents a template for civilian involvement in military action.

Strategic Security: Server Virtualization

VMWare's VMsafe program is bringing more security options to the world of server virtualization.

Feds To Use Wiki For Cybersecurity Collaboration

The Department of Homeland Security and other federal agencies will use the platform to share operational information on cybersecurity threats and best practices.

Homeland Security Expands Biometric Security Program

The program, which speeds international travelers through airport security, is expanding to 13 new airports, with wider expansion expected.

Report: NIST's Cybersecurity Guidelines Aren't Enough

The Cyber Secure Institute finds that NIST's recently released cybersecurity recommendations may leave some federal systems inadequately protected.

Palm Addresses Pre Privacy Concerns

Developers were concerned after discovering the smartphone sends user location and application data to Palm daily.

Another U.S. Cybersecurity Official Resigns

The US Computer Emergency Readiness Team's director calls it quits, while a national cybersecurity czar has yet to be named by the Obama administration.

'Going Google' Worries Los Angeles Police

The LAPD isn't convinced that Google Apps is secure enough for its data. But Google says that its competitors are eager to see the deal delayed or derailed.

Twitter Attack Looks Politically Motivated

The denial of service attacks that hit Twitter, Blogger, Facebook and LiveJournal on Thursday appear to be an effort to silence a pro-Georgia blogger.

TSA OKs Biometric Security For Flight Crews

The stage is set for a Transportation Security Administration pilot program that accelerates flight crew security screening in airports.

NIST Lab Director Tackles Cybersecurity, Cloud Computing

Cita Furlani explains the nuts-and-bolts work of defining key government IT standards and the job of working with federal agencies on adoption and implementation.

Marine Corps Bans Social Media On Military Network

Wrestling with the changing nature of online communication and the need for operational security, the Marine Corps wants to formalize procedures for access to social sites on its network.

Mobile Data Startup Raises $9 Million

MobileIron's enterprise mobility platform offers a window on employees' smartphone use to increase security and cut costs.

Twitter Downed By Denial Of Service Attack

Following an denial of service attack on Thursday morning, Twitter is back online.

Apple Releases Mac OS X Leopard Update

The update, version 10.5.8, improves stability and security and includes many other improvements. Apple's next big operating system update, Snow Leopard, is due next month.

Mozilla Store Security Breached

GatewayCDI, which operates the Mozilla Store, suffered a security breach affecting an undisclosed number of customers.

ID Management Remains Challenge For Federal Agencies

Some of the hurdles faced by the U.S. government include funding, organizational structure, and data protection.

Northrop Grumman Opens Security Center

Outsourcer will keep tabs on more than 100,000 customers and 10,000 servers in effort to eliminate cyber threats.

U.S. Cybersecurity Official Quits

The resignation of Melissa Hathaway comes as the Obama Administration continues its search for a top cybersecurity coordinator.

Software Updates Vulnerable To Hijacking

Public Wi-Fi networks present a risk to connected users even if they're not surfing the Internet, thanks to applications that try to update themselves automatically.

Rolling Review: Symantec's DLP-9

Symantec's DLP software provides robust leak prevention for endpoints and on the network.

Hacker Gary McKinnon Loses Extradition Appeal

Fighting to avoid what he fears will be unfair treatment from U.S. courts, U.K. hacker Gary McKinnon lost another appeal in his attempt to avoid being extradited.

Apple Fixes iPhone SMS Vulnerability

Moving to close a hole revealed at the Black Hat security conference on Thursday, Apple has released iPhone OS 3.0.1.

Black Hat: Social Networks Reveal, Betray, Help Users

Researchers at security conference show how social networks can reveal more than users intend.

Black Hat: Mac OS X Rootkit Debuts

The development of a proof-of-concept rootkit for Mac OS X reinforces the fact that security concerns aren't just for Windows users.

Black Hat: Android, iPhone SMS Flaws Revealed

Security researchers have identified several SMS vulnerabilities that can be used to deny service to mobile phones. They're presenting on Thursday but their findings have been published.

Fake Security Software Steals $34 Million Monthly

Cybercriminals are making a fortune by preying on gullible computer users.

Apple Fears Jailbroken iPhones Could Kill Phone Networks

Fighting an attempt to win a copyright law exemption that would sanction the use of unauthorized iPhone software, Apple claims phone networks are at risk when it's not in charge.

Black Hat: Smart Meter Worm Attack Planned

IOActive's Mike Davis intends to unleash a worm on a smart meter at the Black Hat security conference on Thursday.

Google Hot Trends Dictate Malware Targeting

Popular search terms get more dangerous, a security report finds. And crossword puzzle players should be particularly vigilant.

Microsoft Issues Emergency Fixes For IE, Visual Studio

Outside of its normal patch cycle, Microsoft has released two security bulletins to fix critical flaws.

AT&T Says DoS Attack Prompted Block Of 4chan Site

The popular bulletin board site had been under a constant attack by hackers for three weeks before it was detected by the telecom company.

Security Worries Ratcheting Up; Spending Down

One in five IT managers expects to curtail investments in encryption, authentication, application security, and protection against DoS attacks this year, survey says.

Microsoft Plans Emergency Patch Tuesday

Two out-of-band security bulletins will be issued tomorrow to fix a critical flaw in Internet Explorer and a related issue in Visual Studio. Microsoft is withholding details until the patches are released.

Global CIO: An Open Letter To Cisco CEO John Chambers

In an open letter to Cisco CEO John Chambers, this column notes that Cisco is expanding beyond its traditional networking business with its Unified Computing System, telepresence, and other enterprise-level efforts. While this offers great potential, it also raises this question: What business is Cisco in today?

Microsoft Unveils Security Tools, Resources At Black Hat

Dealing with the changing threat landscape requires information sharing, Microsoft says, and it has developed software, guidelines, and programs to help make that happen.

Apple iPhone Security Weaknesses Exposed On YouTube

Deleted voice mail, e-mail, and other data on the iPhone 3GS is vulnerable to hackers, a security expert claims in two video tutorials.

The AP Plans 'News Registry' To Protect Content

The world's oldest and largest news gathering organization aims to fight online theft of its content with digital tracking beacons.

Privacy Tool Makes Internet Postings Vanish

The open source tool called Vanish encrypts any text that's entered into a browser and scatters it, in disappearing pieces, across a network.

Adobe Warns Of Critical Flash Vulnerability

Echoing security warnings issued earlier this year, Adobe is warning users of Flash Player, Reader, and Acrobat to exercise caution online due to a zero-day vulnerability that's being actively exploited.

Rising Internet Fraud, Darknets On Agenda At Black Hat

The information-security community is set to converge for the industry's premier conference as Black Hat comes to Las Vegas on July 25 - 30.

Researchers Bypass Secure Web Connections

EV SSL certificates are supposed to help people feel more secure online. But at Black Hat next week, two researchers plan to disclose a way around SSL protection.

HP Researchers Develop Browser-Based Darknet

HP security experts have developed a browser-based system for secure communications and plan to present their project at the upcoming Black Hat conference.

RIM Scrubs Spyware From UAE BlackBerrys

Users complained a firmware update -- unauthorized by RIM -- had led to decreased battery life and system crashes.

Google Apps Contract In LA Hits Security Headwind

The City of Los Angeles faces worries about privacy and security as it considers moving to Google Apps.

Adobe Offering Insecure Reader Software

Plagued by a series of vulnerabilities in its Reader software, Adobe has been tightening its security. Yet the company hasn't gotten around to offering a secure version of Reader on its Web site.

Drivers Frown On Texting, Even As Practice Spreads

While 86% of study respondents support a ban on texting while driving, the incidence of drivers sending SMS messages increased by 40% in the past year.

Wal-Mart Unveils New Customer Privacy Policy

The retailer will more aggressively market through new channels, including text messages to mobile phones, and share more data with its partners.

Review: Firefox 3.5 Makes Browsing Better

Mozilla's latest Web browser is a solid step forward, with features including private browsing, geolocation, and support for the latest audio, video, graphics, and HTML 5.

HTC Fixes Bluetooth Vulnerability In Smartphones

Security flaw allows attackers to gain access to all files on HTC's Windows Mobile phones running the 6.0 or 6.1 versions.

Twitter Hack Tars Google's Cloud

The distribution of internal Twitter documents by a hacker has revived doubts about the security of cloud computing. But Google wants everyone to know that security tools are available for those who want to use them.

Twitter Confidential Files Distributed By Hacker

The hacker who hijacked a Twitter admin account in May has been distributing sensitive files taken from the company, ostensibly to educate people about the risks of poor computer security.

Senate Mulls Jamming Cell Phone Signals In Prisons

Proposed legislation seeks to halt the use of illegal cell phones in prisons but is countered by public interest agency officials.

Firefox 3.5 Vulnerability Rated 'Highly Critical'

Exploit code for a vulnerability in Firefox was posted online on Monday. Mozilla says it is working on a fix.

Microsoft Fixes Nine Vulnerabilities In July Patch

Two zero-day vulnerabilities are addressed in Microsoft's July patch cycle, but a third flaw that was revealed on Monday remains.

Introducing the IEEE Industry Connections Security Group

By Jeff Green on Vulnerability Research

Agreement and collaboration have been two of the greatest challenges the security community has faced from the very beginning. In an effort to address this, The Industry Connections Security Group (ICSG), a new offering from the IEEE, allows like-minded companies to come together to solve industry or business problems that center on information security. Industry [...]

Pirate Party comes to the UK

A political party which aims to legalise file swapping for non-commercial reasons has been officially registered in the UK.

Lord Mandelson calls for internet piracy crackdown

Business Secretary Lord Mandelson is calling for tougher penalties for illegal downloaders, including fining the parents of children caught illegally file swapping.

IEEE program brings security vendors together

The IEEE standards group today announced an effort to bring security vendors together to collaborate on early-stage technologies.

Georgia cyberattacks linked to Russian organized crime

The cyberattacks against Georgia a year ago were conducted in close connection with Russian criminal gangs, and the attackers likely were tipped off about Russia's intent to invade the country, according to a new technical analysis, much of which remains secret.

Hackers put social networks such as Twitter in crosshairs

Web sites such as Twitter are becoming increasingly favored by hackers as places to plant malicious software in order to infect computers, according to a new study covering Web application security vulnerabilities.

IE8 whips rivals in blocking malware sites

Microsoft's Internet Explorer 8 again trounced rival browsers in a test of their malware-blocking abilities, catching 81% of attack code-infected sites, according to testing company NSS Labs.

Illinois outlaws sex offenders from using Facebook, MySpace

The state of Illinois made it a law this week banning convicted sex offenders from using social networking sites such as Facebook and MySpace.

IE 8 Beats Competition in Microsoft-sponsored Security Tests

Internet Explorer 8 blocked about four out of every five sites that attempt to trick visitors into downloading malicious software in browser security tests performed by NSS Labs.

Obama's cookies may not go down so easy

It's not some half-baked conspiracy theory whipped up by a TV demagogue, but the Obama Administration is planning changes that could impact the privacy of everyone who visits US Government Web sites.

Hackers clash over China's rule in Muslim province

Pro-China and pro-Muslim hackers have clashed online in a series of attacks on Web sites triggered by deadly ethnic riots in China's Muslim region last month.

Internet security threats last just 24 hours

Internet security threats such as worms and trojans last for just 24 hours, says Panda Security.

Should your credit report disqualify you for a job?

Employers are conducting job applicant and employee background checks and looking more frequently at credit records, criminal histories and other background information from a consumer reporting agencies lawsuits of this type are bound to grow exponentially.

UPS encrypts laptops and smart phones after data loss

Logistics giant UPS is encrypting all its laptops and smart phones, following the loss of payroll data last year.

Verizon brings IT security services to health care industry

Verizon Business is extending its Security Management Program capabilities and services to the health care industry to help providers maintain compliance with federal security guideline.

Government DNA database plans slammed again

Government plans to hold for 12 years the DNA data of people not found guilty of any crimes break human rights laws.

ICANN says new policy has killed 'domain tasting'

The entity in charge of the Internet's addressing system is declaring victory over an abusive trend in registering domain names.

Suspicious activities and my grandmother

Mark Gibbs is suspicious about a lot of acronyms, to wit, ISE's NSIS that collects SARs that, at least in L.A., includes pictures or video footage "with no apparent esthetic value". His grandmother's words are brought to mind.

Palm Pre debacle highlights location privacy issues

Reports about Palm keeping track of Pre users have shown how location services can backfire, and the importance of making users aware of how information is used.

China will not enforce Green Dam porn filter plan

China said Thursday it will not force PC makers to bundle an Internet filtering program with computers sold in the country, backing down from a plan that stirred global controversy.

Security Update 2009-004 fixes BIND vulnerability

With the security content of all the updates Apple has been rolling out in the last few weeks, you might have thought the tides of darkness stemmed. But hackers never sleep--or so it seems--so neither can Apple. On Wednesday, the company released Security Update 2009-004, which is recommended for all Mac OS X users.

Voting machine hack costs less than $100,000

Why spend millions of dollars campaigning when you can hack an election for less than 100 grand?

Report: Your Palm Pre May be Spying on You

Is your Palm Pre spying on you and sending your GPS coordinates and more back to the Palm mothership on a daily basis? According to mobile application developer Joey Hess that's exactly what is happening. He asserts on his personal blog that data on the location and app used on the Palm's Pre smartphone is being sent to Palm.

Heartland CEO on Data Breach: QSAs Let Us Down

For Heartland Payment Systems Inc. CEO Robert Carr, the year did not start off well, to say the least.

Android security chief: Mobile-phone attacks coming

As smartphones become more popular, they're going to get some unwanted attention from criminals, Google's head of Android security said Wednesday.

Twitter withstands second DDoS attack in a week

Twitter was able to withstand a yesterday's distributed denial-of-service attack far better than a similar attack last week.

Microsoft knew of critical Office ActiveX bug in '07

Three of the critical vulnerabilities Microsoft patched Tuesday were first reported to the company two years ago, according to the security firm that alerted Microsoft of the flaws.

H-1B Visa Sponsors: Surprise! You're Being Audited

Large U.S.-based technology companies and Indian IT outsourcing firms are paying close attention to proposed legislation aimed at tightening restrictions on and increasing oversight of the non-immigrant professional visas they use to place foreign professionals in roles stateside. But while the H-1B and L-1 Visa Reform Act, introduced by Senators Chuck Grassley (R-IA) and Dick Durbin (D-IL), remains in congressional committee, U.S. Citizenship & Immigration Services (USCIS), the agency that administers the H-1B and L-1 visa programs, has been increasing its anti-fraud enforcement efforts in response to reported abuse of the temporary worker programs.

Study: Air Cargo Security Seriously Lacking

There are serious security problems in international air cargo transportation and the controls around it, according to a report released this week by the International Transfer Center for Logistics and the Technische Universitรคt of Berlin (See also: What New Air Cargo Security Rules Mean for Business).

Twitter users targeted by Koobface again

Hackers are continuing to use Twitter to exploit people's PCs with the latest scam redirecting users to the malicious Koobface worm, according to PC Tools.

Apple patches 6 Safari security vulnerabilities

A month after it last patched Safari, Apple today plugged six security holes, four of them critical, in both the Mac and Windows versions of its Web browser.

Microsoft patches 19 bugs in sweeping security update

Microsoft today delivered nine security updates that patched 19 vulnerabilities in several crucial components of Windows, as well as in Windows Media Player, Outlook Express, IIS (Internet Information Server), Office and several other products.

ActiveX Overhaul in Microsoft Patch Batch

Microsoft's nine security bulletins released today close a range of security holes involving ActiveX controls, Windows Media files and other software that affect the full array of Windows versions.

eBay requires developers to change their account passwords

Members of the eBay Developers Program must change their account passwords because the e-commerce company recently discovered a way in which account information could be accessed by malicious hackers.

Enterprises have false sense of data security

The lack of a data quality initiative in enterprises today can be driven by the perception that the cost associated with poor data quality is a mere cost of doing business, said one analyst.

Microsoft fixes 19 bugs in big patch smorgasbord

Microsoft today delivered nine security updates that patched 19 vulnerabilities in several crucial components of Windows, as well as in Media Player, Outlook Express, IIS, Office and several other products.

Study: Adobe Flash cookies pose vexing privacy questions

Adobe's Flash program is being used on heavily trafficked Web sites to collect information on how people navigate those sites even if people believe they've restricted the data collection, according to a new study.

Phone calls & emails snooped on 500,000 times

The UK government has been accused of supporting a surveillance society akin to George Orwell's 1984 after new figures revealed that police, councils and intelligence services made more than 500,000 requests to access citizens' communications data in 2008.

Fortinet spies IPO as market bounces

After nine years of successful independence, security hardware vendor Fortinet has admitted it is plotting to turn itself into a public company.

Attacks on US, Korea Web sites leave a winding trail

The investigation into the attacks against high-profile Web sites in South Korea and the U.S. is a winding, twisty electronic goose chase that may not result in a definitive conclusion on the identity of the attackers.

61% of young adults illegal download music

Nearly two thirds of 14 to 24 year olds illegally download music over peer-to-peer (p2p) networks, says UK Music.

Police, councils spy on your calls, SMS and email

Official figures have revealed that in Britain each day last year, local authorities, police and the intelligence services had granted more than 1,500 requests to snoop on the public's phonecalls, emails and text messages.

Windows Event Viewer phishing scam remains active

What do you get when you combine malware, IP telephony and an offshore call centre? A new breed of brazen phishing scam designed to target unwary Windows users.

Secunia PSI Points Out Dangerous Software Holes

One of the best ways to protect your PC is to keep all your software up-to-date. Patching over security holes blocks online attackers who like nothing more than exploiting old software flaws to surreptitiously install Trojans and other malware. The free Secunia Personal Software Inspector makes it easy to find and fix old programs--even those that lack automatic update features--on your PC. Secunia PSI scans your computer to find out what versions of what software you have installed, and it reports on which might contain known security holes.

Cybersecurity: Curiouser and curiouser

Gibbs is an aficionado of Carrol's Alice and finds a curious parallel between the administration's cybersecurity office and believing six impossible things.

Verizon Business to Offer Risk-Based Security Service

Verizon Business announced on Wednesday a new risk-based suite of security tools that include cloud-and-premises-based services. Verizon's Next Generation Managed Security Services Platform is designed to compete with similar offerings from ArcSight and RSA.

Twitter Continues to Battle DDoS Attack

More than two days after experiencing a complete outage as a result of a distribute denial-of-service (DDoS) attack, Twitter and other social networking sites such as Facebook are still battling a surge in traffic related to the attack. Twitter has taken some steps to mitigate the spike in traffic and ensure that the site is not knocked offline again, but some of those steps are having an impact on third-party tools that link to Twitter through API's (application programming interface).

Code Library Bug Is Likely Patch Tuesday Target

This month's Patch Tuesday release will include nine security updates, five of them "critical" and all but one affecting Windows.

Hathaway Resigns From Cybersecurity Czar Post

Melissa Hathaway's decision to step down as acting senior director for cyberspace at the National Security Council could increase pressure on the Obama administration to name a cybersecurity czar.

Twitter Breach Revives Cloud Security Fears

The breach of a hosted Google Apps application used by Twitter employees has heightened concerns over the security of cloud computing systems.

Twitter Attack Was Another Political DDoS

The distributed denial-of-service attack that hampered access to social networking and blogging sites all went after one pro-Georgia blogger, according to security company reports.

App developers stung by Twitter's DOS woes

Developers who built applications for Twitter and generate money from them have been hard-hit by the micro-blogging service's many hours of downtime in the past day, as hackers pummel Twitter with an ongoing denial-of-service attack.

Learning Lessons From the Twitter Outage

Unless you have been living in a cave or off the grid for the past 24 hours or so, you are probably aware that Twitter experienced a two-hour outage yesterday morning as a result of a distributed denial-of-service (DDoS) attack that overwhelmed its servers. The same attack was also targeted at other sites such as Facebook and Google, but Facebook only experienced performance issues and Google seems to have been relatively unaffected. What can Twitter learn from Facebook or Google to help it handle future attacks without a site outage?

Twitter still struggling to recover from DOS attack

The DOS (denial-of-service) attack that crippled Twitter on Thursday is still affecting the micro-blogging service on Friday, the company said in a blog post.

TJX suspect indicted in Heartland, Hannaford breaches
Networks pierced by garden-variety exploit

Federal authorities have charged a previously indicted hacker with breaching additional corporate computers and stealing data for at least 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States.…

Researchers forge secure kernel from maths proofs
Machine verified micro-kernel

Aussie boffins have developed an operating system micro-kernel mathematically established as free of many types of errors. The development points the road toward "safety-critical software of unprecedented levels of reliability" for applications such as aircraft and cars.…

HSBC Trojan warning tracked down as false alarm
Kaspersky blushes abound after bank site misfire

Updated A false alert left users of Kaspersky's internet security software fearing there was malware on HSBC's website last weekend.…

Facebook phishers cast multiple lines
Scammers bait social networking site with hooky apps

Miscreants have recently begun peppering Facebook with a variety of new phishing scams with sex, sex, sex and more sex featuring prominently.…

Online betting mogul cops plea, coughs up $43m in gains
The slow demise of BetonSports' Gary Kaplan

Gary S. Kaplan, the founder of online gambling empire BetonSports, pleaded guilty on Friday to multiple federal charges in an agreement that required him to forfeit more than $43m in criminal proceeds.…

Hacktivist vuln still plagues UN.org
Still lazy after all these years

The official website of the United Nations has yet to fix a vulnerability that more than two years ago allowed hacktivists to replace official content with their own activist messages.…

MS Zero-day security bug was two years in the making
Fix only followed exploit

A flaw in Office Web Components which Microsoft fixed on Tuesday was first reported to the software giant over two years ago, it has emerged.…

Labour MP exposes password credentials
'Excuse me but your CMS is showing'

Web admins for Gisela Stuart MP inadvertently left password credentials for her site publically accessible up until Thursday.…

Dutch news agency goof leaks VIP phone numbers
Low security in the Low Countries

Security shortcomings by Dutch press agency GPD exposed the private telephone numbers of politicians and other public figures to prying eyes until earlier this week.…

Bug exposes eight years of Linux kernel
Passes it's-not-crying-wolf test

Linux developers have issued a critical update for the open-source OS after researchers uncovered a vulnerability in its kernel that puts most versions built in the past eight years at risk of complete takeover.…

Twitter transformed into botnet command channel
Victim becomes enabler

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.…

Autocad attacks return after four years in wilderness
The virus makes a comeback

Viruses attacking users of the Autocad computer assisted design application have recently resurfaced after taking a four-year hiatus, prompting a call from one security watcher for more to be done to done to prevent such outbreaks.…

Australian police charge banking Trojan suspect
Alleged perp also faces drug and botnet herding charges

Australian police have charged an as yet unnamed 20 year-old man on suspicion of creating a banking Trojan that infected an estimated 3,000 computers worldwide, as well as building up a 74,000 strong botnet of compromised machines.…

Virus arms race primes malware numbers surge
Half malware strains are junked after less than a day

Half (52 per cent) of new malware strains only stick around for 24 hours or less.…

Underground forum r00t-y0u.org gets pwned
S'kiddie defacement or law enforcement sting?

A notice on underground cybercrime forum r00t-y0u.org on Thursday suggested the site had become part of a law enforcement sting operation. However hacker hijinks and mischief making seem equally likely explanations for the incident, at the time of writing.…

Blaster anniversary recalls network worm heyday
Remembrance of flaws past

It's six years since the infamous Blaster worm crippled Windows systems worldwide.…

Vuln exposes eBay developer accounts
Password changes ordered

eBay security officials are requiring members of its developer program to change their passwords following the discovery of a vulnerability that could allow attackers to intercept sensitive account details.…

Apple update patches serious DNS flaw in Mac OS X
In a BIND no more

Two weeks after internet overlords warned of a serious vulnerability in one of the most widely used programs for resolving domain names, Apple has updated its Mac OS X operating systems to fix the security bug.…

Man gets 3 years in prison for stealing IDs over LimeWire
Dodgy download redux

A Washington state man who admitted using the LimeWire file-sharing program to steal tax returns and other sensitive documents has been sentenced to more than three years in federal prison.…

CA auto-immune update trashes systems
eTrust security software quarantines self, MS apps

Updated A beserker update to CA eTrust anti-virus software created all sorts of confusion on Wednesday.…

Apple hunts down Win and Mac flavoured Safari flaws
Return of the Mac attack Trojan

Apple has patched six security holes in its Safari web browser software.…

Twitter briefly knocked offline by hackers (again)
Just when you thought it was safe to go back into Twitter...

Twitter suffered from yet more security jitters on Tuesday night, after another attack left the site briefly unavailable.…

Nine MS security bulletins create busy updates workload
Patches needed for almost everything - except IE

Microsoft released the expected nine patches - five critical - as part of a busy August Patch Tuesday update that focuses primarily on client-side vulnerabilities.…

Sequoia e-voting machine commandeered by clever attack
Return-oriented programming strikes again

Computer scientists have figured out to how trick a widely used electronic voting machine into altering tallies with a technique that bypasses measures that are supposed to prevent unauthorized code from running on the device.…

Websense yanks censorware from Yemen
Filter spat highlights repressive regime dilemma

Websense has blocked two ISPs in Yemen from receiving updates after it emerged that they were using its filtering technology in a government-mandated censorship scheme.…

Campaign Monitor reels from hack and spam attack
Australian mail marketing firm stumped

Australian email marketing application developers Campaign Monitor warned on Tuesday that it had been the victim of a hacking attack over the weekend.…

Autistic trucking scam hacker jailed for 55 months
Quality of mercy

A convicted hacker with Asperger’s Syndrome has been given a slightly reduced sentence of 55 months imprisonment over his involvement in a multi-million dollar trucking scam.…

Georgian blogger calls for Twitter attack probe
'Dear Dmitry!'

The pro-Georgian blogger who was the target of attacks that shut down micro-blogging website Twitter last week has called on Russian President Dmitry Medvedev to track down the culprits.…

Fortinet plots rare IT security IPO
Under starter's orders

All in one security appliance firm Fortinet has announced plans to go public on the stock exchange.…

Obama loses (another) cybersecurity bigwig
Oh, the bureaucracy

Updated Yet another high-ranking government official in charge of securing the country's computer networks has resigned. This time, it's the head of the US Department of Homeland Security's Computer Emergency Readiness Team.…

Hotel prank call badboy tracked down to mum's flat
Alleged PrankNET leader forced to cower inside

Online news mag The Smoking Gun (TSG) claims it to have tracked down the leader of prank call website PrankNET to the suburban flat in Windsor, Ontario he shares with his mum.…

Twitter hack spawns spam and scareware scams
DDoS campaign opens Pandora's Box

Spam and scams have continued to flow from the fallout of last week's DDoS against Twitter.…

MoD website outflanked by XSS flaws
Medic!

Hackers have discovered cross-site scripting (XSS) vulnerabilities on the UK's Ministry of Defence website.…

US appeals court cans CAN-SPAM suit
A farewell to litigation factories

In a decision that could make it harder for internet users to take spammers to court, a federal appeals court has upheld the dismissal of a lawsuit against a company that sent a man more than 13,000 unsolicited emails.…

Tackling ISO 27001: A Project to Build an ISMS

Category: Management & Leadership

Paper Added: July 22, 2009

Protecting Against Insider Attacks

Category: Incident Handling

Paper Added: August 10, 2009

Surviving a third party onsite audit, (Sun, Aug 16th)

How serious are you about your company's information security? You will get very serious quick ...(more)...

Deja Vu - 2 Analysis Links, (Fri, Aug 14th)

...(more)...

Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692) vulnerability, (Fri, Aug 14th)

Edward alerted us to a new Linux vulnerability coming from how Linux deals with unavailable operatio ...(more)...

Tools for extracting files from pcaps, (Thu, Aug 13th)

Often in the course of investigating a compromised machine or when analyzing malware in a sandnet or ...(more)...

New and updated cheat sheets, (Thu, Aug 13th)

A couple of things Inoticed on twitter today and thought you might be interested. Our fr ...(more)...

CA eTrust update crashes systems, (Thu, Aug 13th)

It appears that the latest update to Computer Associates eTrust ant ...(more)...

Apple Security Update Released for BIND DNS, (Wed, Aug 12th)

Apple released a security update today: APPLE-SA-2009-08-12-1 Security Update 200 ...(more)...

Blocking those Secret, Stubborn Cookies, (Wed, Aug 12th)

Robert wrote in last night in response to a story in the latest SANSNewsBites newsletter that ...(more)...

Safari 4.0.3, (Tue, Aug 11th)

Apple released today Safari 4.0 ...(more)...

Microsoft August 2009 Black Tuesday Overview, (Tue, Aug 11th)

Overview of the August 2009 Microsoft patches and their status. # ...(more)...

Wordpress unauthenticated administrator password reset, (Tue, Aug 11th)

Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog softwar ...(more)...

Adobe Reader Patch available, (Mon, Aug 10th)

August must be the month for out of cycle patches. Following on the heels of https://isc ...(more)...

XML Libraries Data Parsing Vulnerabilities, (Sat, Aug 8th)

We have received reports that several vulnerabilities have been discovered in XML library implementa ...(more)...

Sun OpenSSO Enterprise/Sun Access Manager XML Vulnerabilities, (Sat, Aug 8th)

According to sun: Sun OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manag ...(more)...

Researchers Use Return-Oriented Programming to Manipulate eVoting Machine (August 12, 2009)

Researchers from the University of Michigan, the University of California, San Diego, and Princeton University have discovered that the Sequoia AVC Advantage electronic voting machine is vulnerable to an attack that can alter voting tallies.......

Quantcast Casts Out Flash Cookies in Wake of Report (August 12, 2009)

In the wake of research published about Flash cookies, online tracking company Quantcast has stopped its practice of recreating customers' cookies with Flash after users deleted the regular cookies.......

Australian Man Charged in Data Theft Trojan and Botnet Case (August 13, 2009)

An Australian man has been charged with infecting 3,000 computers with a financial account-stealing Trojan horse program and creating a botnet of 74,000 computers around the world.......

Prison Sentence for Personal Data Theft Through LimeWire (August 12 & 13, 2009)

A Seattle man has been sentenced to 39 months in prison for using the LimeWire filesharing network to steal personal information, including tax returns and bank statements.......

UK Convicts Two for Refusing to Surrender Encryption Keys (August 11, 2009)

In the UK, two people have been convicted for refusing to surrender encryption keys.......

Judge Grants Preliminary Injunction Barring Sale of RealDVD (August 12, 2009)

A US District Court judge has granted a preliminary injunction that prohibits RealNetworks from selling its RealDVD software.......

Apple Issues OS X Updates to Fix BIND Vulnerability (August 13, 2009)

Apple has released a security update for Mac OS X 10.......

Microsoft Fixes 19 Vulnerabilities in Nine Security Bulletins (August 11 & 12, 2009)

On Tuesday August 11, Microsoft issued nine security bulletins to address a total of 19 vulnerabilities in Windows, the .......

Apple Releases Safari Update (August 12, 2009)

Apple has released an updated version of its Safari web browser.......

WordPress Password Reset Flaw Fixed (August 11 & 12, 2009)

WordPress blogging software has been updated to address a flaw that allowed attackers to reset administrator passwords.......

China Will Not Enforce Green Dam Mandate (August 13 & 14, 2009)

China has backed off from a mandate issued in May requiring that Internet filtering software known as Green Dam-Youth Escort be installed on or accompany all PCs sold in or shipped to that country.......

US-CERT Director Resigns (August 8 & 10, 2009)

The director of the Department of Homeland Security's (DHS) US Computer Emergency Readiness Team (US-CERT) has resigned.......

Appeals Court Upholds Ruling Dismissing Suit Against Alleged Spammer. (August 8, 2009)

The Ninth Circuit Court of Appeals has upheld a lower court ruling that says individuals may not sue spammers under the CAN-SPAM Act if the plaintiffs do not meet the requirements of being an Internet service provider.......

Man Arrested and Indicted for Alleged Attack on Former Employer's Systems (August 6, 7 & 8, 2009)

Luis Robert Altamarino has been arrested and indicted for allegedly breaking into his former employer's computer network and causing damage that took days to remedy.......

UK Defence Department Allowing Use of Social Networking Media (August 7, 2009)

In contrast to recent news that the US military is considering restricting or even banning social networking media altogether, the UK's Defense Ministry is encouraging its troops to make use of Twitter, Facebook, YouTube and other similar services.......

Citibank and Bank of America Issue New Cards to Massachusetts Customers (August 10, 2009)

Bank of America Corp.......

Secret, Stubborn Cookies (August 10, 2009)

Researchers from the University of California, Berkeley have reported that more than half of the Internet's websites are using Adobe Flash cookies to track users' behavior and interests, but these cookies are mentioned in just four privacy policies, though other suites mention the use of "tracking technology.......

ACLU Concerned About Proposed Increase of Cookie Use on Government Sites (August 10, 2009)

The American Civil Liberties Union (ACLU) is concerned about a proposal from the White House Office of Management and Budget (OMB) to allow broader use of cookies on government web sites.......

Microsoft to Issue Nine Bulletins on August 11 (August 7, 2009)

On Tuesday, August 11, Microsoft plans to release nine security bulletins to address vulnerabilities in Windows, Microsoft Office, Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server.......

Attack on Twitter and Facebook Was a "JoeJob" (August 6, 7 & 10, 2009)

The denial-of-service attacks that hobbled Twitter and Facebook last week were not conducted through botnets, but instead were the result of a spam campaign aimed at a taking out accounts that belong to a pro-Republic of Georgia blogger.......

Compliance with NERC Standards No Guarantee of Security (August 7, 2009)

A survey of 100 information security specialists at US energy companies found that the majority believe that the cyber security standards established by the North American Electric Reliability Corp (NERC) are not adequate to protect the country's electric power grid.......

Sketpics Refute Beck's Allegation That Connecting To Cars.Gov Site Gives US Government The Right To Seize Computer (August 10, 2009)

Fox News commentator Glenn Beck has claimed that a policy statement on the Cars.......

Sandia to Launch Research Botnet (August 9 & 10, 2009)

Later this year, the US Department of Energy's Sandia National Laboratories plans to launch a simulated botnet comprising one million virtual machines.......

Three indicted for Hannaford, Heartland data breaches

By SearchSecurity.com Staff

A grand jury has charged three men for their role in stealing more than 130 million credit and debit cards from Heartland Payment Systems and several other companies.

Marines pull about face on social networks with Twitter ban

By Eric Ogren

Young soldiers will cannot use communication tools in a surprising move that is an example of paranoia seeping into security decisions, according to columnist Eric Ogren.

Marine Corps' Twitter ban example of security paranoia

By Eric Ogren

The Marine Corps' move is an example of paranoia seeping into security decisions, according to columnist Eric Ogren. Browser security and training is the right approach.

Patch management study shows IT taking significant risks

By Eric Ogren

IT pros need to take patch management processes seriously and more dilligently understand the plethora of applications being used by end users.

Trusteer CEO criticizes Adobe, touts better patch deployments

By Robert Westervelt

Despite critical Flash and Adobe Reader updates July 30, only a fraction of Adobe users have installed them, Trusteer says. Trusteer's CEO urges better patching mechanisms.

Microsoft fixes Office Web Components vulnerability, kill-bit bypass

By Robert Westervelt

Microsoft repaired critical vulnerabilities in Microsoft Office Web Components affecting Office Word, Excel and PowerPoint viewer as well as its ISA and BizTalk servers.

Data has become too distributed to secure, Forrester says

By Robert Westervelt

A Forrester Security Forum will address ways security pros can relax security policy and focus on mitigating the risks associated with employee use of Web-based tools and services.

Vulnerability mitigation study shows need for faster patching

By Robert Westervelt

Qualys CTO Wolfgang Kandek says vendors and administrators need to find ways to speed up the patching cycle.

Microsoft Security Essentials (MSE) shows no vision, expert says

By Eric Ogren

Microsoft's launch of Microsoft Security Essentials (MSE) doesn't give it a boost over competitive antivirus products, according to security columnist Eric Ogren.

SlideShowPro Director File Disclosure Vulnerability

SlideShowPro Director is vulnerable to a file disclosure flaw because it fails to perform proper validation and handling of input parameters. Attackers can exploit this vulnerability to read arbitrary files from the hosting web server. This issue exposes the confidentiality of any files residing on the same drive as the component including configuration files with system access credentials, the source code to application pages, and possibly customer data files.

Sun Java Pack200 Decoding Overflow Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Sun Java Runtime. User interaction is required in that a target must visit a malicious web page or open a malicious JNLP file.

Microsoft Internet Explorer Memory Corruption Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

Fetchmail Improper SSL Certificate Subject Verification

Some Certificate Authorities sign certificates that contain embedded NUL characters in the Common Name or subjectAltName fields of ITU-T X.509 certificates. Applications that would treat such X.509 strings as NUL-terminated C strings (rather than strings that contain an explicit length field) would only check the part up to and excluding the NUL character, so that certificate names such as www.good.example\0www.bad.example.com would be mistaken as a certificate name for www.good.example. fetchmail also had this design and implementation flaw.

HP-UX Running IPFilter Remote Denial of Service

A potential security vulnerability has been identified with HP-UX running IPFilter. The vulnerability could be remotely exploited to create a Denial of Service (DoS).

Palm Pre WebOS Execution of Arbitrary Code

The Palm Pre WebOS version 1.0.4 and below allows a remote attacker to execute arbitrary HTML code on the phone via certain applications. The affected applications involve the native email client via the notifications system as well as the native calendar application.

Oracle Enterprise Manager SQL Injection Vulnerability

This vulnerability allow a Oracle Enterprise Manager user with VIEW (or more) privileges to execute a function call with the elevated privileges of the SYSMAN database user.

Indictments Hit for Largest U.S. Credit Card Breach

Charges pile up for Albert Gonzalez and two unnamed co-conspirators, who allegedly helped engineer SQL injection attacks on Heartland Payment Systems, 7-Eleven and Hannaford Brothers grocery store chain. Gonzales also faces different charges for hack on restaurant chain Dave Busters.
- Albert Gonzalez, a 28-year-old resident of the Miami, was indicted Aug. 17 for his participation in the largest alleged credit and debit card data breach ever charged in the United States. Gonzales' corporate victims include Heartland Payment Systems, a New Jersey-based card payment processor; 7-...

IE 8 Tops Firefox, Google Chrome, Others in Browser Security Smackdown

NSS Labs tests put Microsoft Internet Explorer 8 out in front of Firefox, Safari, Opera and Chrome when it comes to blocking rogue sites. According to the findings, IE 8 blocks 83 percent of phishing sites, compared with 26 percent stopped by Google Chrome.

Patching Security Holes Lags as Vulnerabilities Increase

Data from Trusteer and Qualys puts the spotlight on trouble in the vulnerability management process. It still typically takes a month for a patch to be deployed to half of vulnerable systems, Qualys reports, while Trusteer says nearly 80 percent of the computers it scans are running vulnerable versions of Adobe Flash.

Apple Fixes DNS Vulnerability in Mac OS X

Apple issues an update to fix a bug affecting Mac OS X, including server editions. The patch comes shortly after Apple pushed out 18 fixes to users.

Researchers Boot Million Linux Kernels to Help Botnet Research

Scientists at Sandia National Laboratories have demonstrated the ability to run more than 1 million Linux kernels as virtual machines, an effort they say will ultimately help researchers analyzing massive botnets.

Apple Fixes Safari Browser Flaws

Apple plugged six security holes in its Safari browser recently, a number of which left users vulnerable to code execution by attackers. But the patches are not just limited to just Mac OS X users.

Twitter Attack Knocks Out Service Again

Twitter experiences another distributed-denial-of-service attack, knocking out the microblogging service for a time. The attack follows a security incident Aug. 6 when Twitter was one of several Websites affected by a DDoS attack targeting a pro-Georgian blogger.

Microsoft Patches Windows Vulnerabilities

Microsoft pushes out patches for 19 vulnerabilities for Patch Tuesday. The August fixes cover a number of products, including Windows and Office Web Components. The security bulletins also address vulnerabilities in Microsoft's Active Template Library.

Nine Security Acquisitions We Would Love to See

Given the economy, maybe it is not surprising that there are security acquisitions going on, as it perhaps gives larger vendors an opportunity to buy smaller ones at somewhat cheaper price than in the best of times. The past few months have seen several acquisitions in the security space: IBM's purchase of Ounce Labs, Trend Micro's soon-to-be-closed acquisition of Third Brigade and McAfee's plans for MX Logic, just to name a few. With this in mind, eWEEK has compiled a list of security acquisitions we would like to see. This list was written without regard to any acquisition rumors that may be floating around about any of these companies, but with an eye toward the product portfolios of various vendors and their competitors.

ACLU Blasts Proposed Federal Cookie Policy

The American Civil Liberties Union wants more information on a proposal by the Obama administration to reverse a nine-year ban on use of cookies on federal Websites. Federal CIO Vivek Kundra is backing the plan to change current policy on governmental Web tracking.

Afilias, Neustar Team with ISC on DNS Security

Afilias and Neustar are partnering with the Internet Systems Consortium to bring a more secure DNS closer to reality. Both Afilias and Neustar are providing secondary DNS service for the consortium's DNSSEC Look-aside Validation zone.

Common PHP Security Mistakes and What You Can Do About Them

Researchers at Fortify Software have compiled a list of the most common vulnerabilities found in PHP code. Here is what they found, and some advice on what developers can do about it.

Twitter DDoS Attack Takes Twists and Turns

The fallout from the DDoS attack that hit Twitter, Facebook, YouTube and other Web 2.0 sites continued even after the attack had officially ended. Hacktivism or not, Web admins need to take precautions to protect against DDoS attacks.

TJX Hacker Indicted in Heartland, Hannaford Breaches

In Fraud

A federal grand jury has indicted three individuals for allegedly hacking into credit and debit card payment processing giant Heartland Payment Systems last year, as part of an investigation the Justice Department is calling the largest identity theft case ever prosecuted. According to indictments returned Monday in a New Jersey federal court, the government believes the same individuals were involved in a string of high-profile data breaches between October 2006 and May 2008, including intrusions at Hannaford Brothers Co., and 7-Eleven, Inc. In total, the government alleges the hackers stole data on more than 130 million credit and debit cards from Princeton, NJ-based Heartland. Read the full story, at this link here. A copy of the indictment is available here.

Security Patch Catchup: Java, Safari & OS X

In New Patches

Security Fix took a mini-vacation last week, but that's all it takes to fall behind in important software security updates. Here's a quick pointer to some recent updates that have recently happened. The last time I wrote about Java updates was at Update 13, but as several readers have pointed out, the latest version is now Update 16. Near as I could tell, Updates 14 and 16 did not include security updates. Indeed, Java maker Sun Microsystems says users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to version 16 to be current on security fixes. However, Update 15 shipped fixes for a number of serious security holes, so if you've got an earlier version of this program installed, take a few minutes to update. Don't know whether you have Java or what version you may have? Visit this link.

Microsoft Fixes 19 Windows Security Flaws

In New Patches

Microsoft today issued a raft of software updates to plug at least 19 security holes in its various Windows operating systems and other software, 15 of which earned the company's most dire "critical" rating. This month's batch of patches fix some fairly dangerous flaws. Redmond labels a security flaw "critical" if attackers could use it to seize control over a vulnerable system without any help from the victim. What's more, a dozen of the flaws earned the highest rating on Microsoft's "exploitability index," which is the software maker's best estimation of the likelihood that criminals will soon develop reliable ways to exploit them to break into Windows-based machines. Patches are available for Windows 2000, XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft said none of the vulnerabilities affect Windows 7, its newest operating system. Windows users can download the updates from Windows Update or via Automatic Updates Many

Brief: Apple patches Safari, DNS software

Apple patches Safari, DNS software

Brief: Brazen botnet uses Twitter comm channel

Brazen botnet uses Twitter comm channel

News: Two convicted in U.K. for refusal to decrypt data

Two convicted in U.K. for refusal to decrypt data

Brief: Microsoft patches ActiveX, Office flaws

Microsoft patches ActiveX, Office flaws

Brief: Survey: More companies monitoring e-mail

Survey: More companies monitoring e-mail

GE Is Hiring in Michigan

By Richard Bejtlich

In June in this post I linked to a speech that GE's CEO gave in Michigan. We're hiring about 1,200 people over the next few years, and the jobs are already appearing at gecareers.com. One of the jobs posted requests an IT Project Manager - Information Technology (Security). This candidate would work in a sister unit to our GE-CIRT doing Identity and Access Management (IAM). If this job looks interesting, please check it out. As other roles in our Corporate security group appear -- especially those in GE-CIRT -- I will let you know.

Obama criticizes a Cold War approach to defense (AP)

In politics

AP - President Barack Obama chastised the defense industry and a freespending Congress on Monday for wasting tax dollars "with doctrine and weapons better suited to fight the Soviets on the plains of Europe than insurgents in the rugged terrain of Afghanistan."

Georgia Cyberattacks Linked to Russian Organized Crime (PC World)

In technology

PC World - The cyberattacks against Georgia a year ago were conducted in close connection with Russian criminal gangs, and the attackers likely were tipped off about Russia's intent to invade the country, according to a new technical analysis, much of which remains secret.

Hackers Put Social Networks Such as Twitter in Crosshairs (PC World)

In technology

PC World - Web sites such as Twitter are becoming increasingly favored by hackers as places to plant malicious software in order to infect computers, according to a new study covering Web application security vulnerabilities.

Cyber warriors trawl web for extremist threats (AFP)

In technology

AFP - Nur Azlin Mohamed Yasin spends several hours a day trawling the Internet, but she is not your typical young surfer, descending into a world of bomb-making, militancy and extremism.

Australian charged with infecting 3,000 computers (AP)

In technology

AP - A 20-year-old Australian man has been charged with infecting more than 3,000 computers around the world with a virus designed to capture banking and credit card data, police said Thursday.

Security Update 2009-004 fixes BIND vulnerability (Macworld.com)

In technology

Macworld.com - With the security content of all the updates Apple has been rolling out in the last few weeks, you might have thought the tides of darkness stemmed. But hackers never sleep-or so it seems-so neither can Apple. On Wednesday, the company released Security Update 2009-004, which is recommended for all Mac OS X users.

Sex, videos, friends, games hot with kids online: Norton (AFP)

In us

AFP - Children are searching online for videos, social networks, games and, yes, porn as they grow up in an Internet Age, according to computer security firm Symantec.

Pro-Georgian blogger target of Internet attacks (AFP)

In technology

AFP - Cyber assaults that temporarily derailed the websites Twitter, Facebook and LiveJournal were aimed at a pro-Georgian blogger, according to Internet security company F-Secure.

Brazilian ID thieves using Twitter as botnet command channel

By Ryan Naraine on Web Applications

Arbor Networks security researcher Jose Nazario has stumbled upon a crimeware botnet using Twitter as its command-and-control operation. The botnet, which is linked to identity thieves in Brazil, uses Twitter status messages to communicate with bots — sending new links for the infected computers to contact and new commands and executables to download and run. Here’s a [...]

Apple drops (another) Mac OS X security patch

By Ryan Naraine on Uncategorized

Less than a week after fixing 19 Mac OS X security vulnerabilities, Apple is on the patch treadmill again. The company released Security Update 2009-004 to fix a solitary BIND vulnerability that could lead to denial of service attacks.  Apple warns: A logic issue in the handling of dynamic DNS update messages may cause an assertion to [...]

Advanced Mac OS X rootkit tools released

By Ryan Naraine on Vulnerability research

Security researcher Dino Dai Zovi (of Pwn2Own fame) has released a suite of tools to demonstrate how to load an advanced rootkit on Mac OS X machines. The tools were first discussed at this year’s Black Hat security conference where Dai Zovi (right) presented techniques to manipulate the way the Mach micro-kernel uses RPC calls to [...]

eBay warns of developer password-theft flaw

By Ryan Naraine on eBay

If you are a member of the eBay Developer Program, you might want to change your password immediately. According to a warning from eBay’s Kumar Kandaswamy, a vulnerability in the service allows malicious hackers to gain information to developer accounts.  The company is strongly encouraging its user base to change passwords to the developer.ebay.com portal.   The [...]

Apple plugs code execution, phishing holes in Safari browser

By Ryan Naraine on Windows Vista

Apple has released Safari 4.0.3 to fix at least six security vulnerabilities that put Mac and Windows users at risk of hacker attacks. The update is considered highly-critical and should be immediately applied on both Windows and Mac systems because of the risk of information disclosure, phishing and remote code execution attacks. Here’s a snapshot of the [...]

New Mac OS X DNS changer spreads through social engineering

By Dancho Danchev on Passwords

TrendMicro is reporting on a newly discovered 4th member of the OSX_JAHLAV malware family. The latest variant is once again relying on social engineering, this time spreading under a QuickTime Player update (QuickTimeUpdate.dmg) with a DNS changer component enabling the malware authors to redirect and monitor the traffic of the victim. More info on OSX_JAHLAV.D: The Trojan contains [...]

Microsoft: Exploits likely for 'critical' Windows vulnerabilities

By Ryan Naraine on Windows Vista

Microsoft today dropped a mega patch bundle with fixes for several “critical” vulnerabilities affecting the Windows platform and warned that “consistent, reliable exploit code” was likely to be released within 30 days. The Redmond, Wash. software maker released nine bulletins — five rated critical — to provide cover for a total of 19 documented security vulnerabilities.   [...]

Campaign Monitor hacked, accounts used for spamming

By Dancho Danchev on Uncategorized

E-mail marketing software developer Campaign Monitor warned users today of a server compromise that took place during the weekend. The compromise allowed the attackers to gain access to customer accounts, which they abused by importing their own lists of harvested emails in order to launch spam campaigns using the clean IP reputation of their servers. No [...]

Password-reset flaw haunts WordPress admins

By Ryan Naraine on Web Applications

Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform. The flaw, which can be exploited via the browser, gives an attacker a trivial way to compromise the admin account of any WordPress of WordPress MU (multiple user) installation. Proof-of-concept code demonstrating the problem [...]

Microsoft's Bing invaded by pharmaceutical scammers

By Dancho Danchev on Uncategorized

Rogue online pharmacies have found a way to exploit Bing’s advertising program. According to a recently released report by KnujOn and LegitScript, 90% of the Bing sponsored pharmacy ads were rogue ones, shipping counterfeit prescription drugs, with the bogus companies participating part of larger affiliate networks like this one analyzed last year. The report also details a [...]

Browser flaws expose users to man-in-the-middle attacks

By Ryan Naraine on Vulnerability research

Security researchers at Microsoft have found a way to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme. During a research project (.pdf) concluded earlier this year, the Microsoft Research team discovered a set of vulnerabilities exploitable by a malicious proxy targeting browsers’ rendering modules above the HTTP/HTTPS layer. Here’s the gist of the [...]

Patch Tuesday heads-up: 9 bulletins, 5 critical

By Ryan Naraine on Windows Vista

For Microsoft Windows users, next week’s Patch Tuesday will be somewhat hectic. The Redmond, Wash. software maker plans to release a total of nine bulletins to patch a wide range of serious vulnerabilities affecting Windows, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server and the .Net Framework. Five of the bulletins will be rated [...]

Federal forms themed blackhat SEO campaign serving scareware

By Dancho Danchev on Malware

An ongoing blackhat SEO (search engine optimization) campaign is actively hijacking a variety of U.S Federal Forms keywords in an attempt to serve the Personal Antivirus (Trojan.Win32.FakeXPA) scareware. Due to the automated and sophisticated PageRank boosting tools cybercriminals use in these campaigns, the hijacked keywords are always popping-up within the first ten to twenty search results [...]

Twitter knocked offline by DDoS attack; Koobface returns with a twist

By Ryan Naraine on Web 2.0

Popular microblogging service Twitter was knocked offline for an extended period this morning by what appears to be a massive distributed denial-of-service attacks. Twitter confirmed the outage was linked to malicious attackers in a brief status message posted around 11:00 a.m EST. We are defending against a denial-of-service attack, and will update status again shortly. Update: the site [...]

Major security holes in popular XML libraries

By Ryan Naraine on Web Applications

A security research outfit has issued a warning for several critical vulnerabilities in popular XML libraries used by a wide range of software vendors. The flaws, discovered earlier this year by Codenomicon, affect a wide range of technology products, including servers and server applications, workstations and end user applications, network devices,  embedded systems and mobile devices. [...]

Absolute Software downplays BIOS rootkit claims

By Dancho Danchev on Rootkits

Following a flood of calls from customers, the company behind the LoJack anti-theft service which researchers from Core Security Technologies recently portrait as a security threat, issued a statement downplaying the researchers’ claims. According to the statement, LoJack is neither a rootkit, nor does it behave in such a way. Moreover, the company insists that the [...]

Apple warns of Mac attack risk via image files

By Ryan Naraine on Zero-day attacks

Apple today warned that opening or viewing image files could lead to remote code execution attacks against Mac OS X users. In an update that contains fixes for a total of 19 documented vulnerabilities, Apple said malicious hackers could rig PNG (Portable Network Graphics) and other images to take complete control of unpatched Mac systems. Here’s the [...]

Mozilla shuts online store after security breach

By Ryan Naraine on Web Applications

The Mozilla Foundation has shuttered its e-commerce store after confirming a security breach at GatewayCDI, the third-party vendor that handles the store’s backend operations. The open-source groups said it has asked Gateway CDI to quickly notify individuals who had their sensitive data compromised.  Mozilla did not elaborate on the extent of compromised customer data. Mozilla said it [...]

Plugins compromised in SquirrelMail's web server hack

By Dancho Danchev on Uncategorized

According to a recently posted update by SquirrelMail’s Jonathan Angliss, the source code of three plugins was backdoored during the web server compromise of the popular web-based email application which took place last month. The compromised plugins were embedded with code that was forwarding accounting data to a server maintained by the people behind the hack, [...]

Microsoft Security Bulletin Summary for August 2009

Revision Note: Bulletin Summary published.Summary: This bulletin summary lists security bulletins released for August 2009.

MS09-044 - Critical: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927) - Version:1.0

Severity Rating: Critical - Revision Note: Bulletin published.Summary: This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious

MS09-043 - Critical: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) - Version:1.1

Severity Rating: Critical - Revision Note: V1.1 (August 12, 2009): Corrected the restart requirement for Visual Studio .NET 2003; updated the tables in the Detection and Deployment Tools and Guidance section; updated the impact description of the workaround, "Prevent Office Web Components Library from running in Internet Explorer;" corrected the update installation switches for Internet Security and Acceleration Server 2004 and Internet Security and Acceleration Server 2006; and performed miscellaneous edits.Summary: This security update resolves several privately reported vulnerabilities in Microsoft Office Web Components that could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-042 - Important: Vulnerability in Telnet Could Allow Remote Code Execution (960859) - Version:1.1

Severity Rating: Important - Revision Note: Bulletin published.Summary: This security update resolves a publicly disclosed vulnerability in the Microsoft Telnet service. The vulnerability could allow an attacker to obtain credentials and then use them to log back into affected systems. The attacker would then acquire user rights on a system identical to the user rights of the logged-on user. This scenario could ultimately result in remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-041 - Important: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) - Version:1.0

Severity Rating: Important - Revision Note: V1.0 (August 11, 2009): Bulletin published.Summary: This security update resolves a privately reported vulnerability in the Windows Workstation Service. The vulnerability could allow elevation of privilege if an attacker created a specially crafted RPC message and sent the message to an affected system. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to a vulnerable system in order to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.

MS09-040 - Important: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032) - Version:1.0

Severity Rating: Important - Revision Note: V1.0 (August 11, 2009): Bulletin published.Summary: This security update resolves a privately reported vulnerability in the Windows Message Queuing Service (MSMQ). The vulnerability could allow elevation of privilege if a user received a specially crafted request to an affected MSMQ service. By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled by a user with administrative privileges. Only customers who manually install the Message Queuing component are likely to be vulnerable to this issue.

MS09-039 - Critical: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) - Version:1.1

Severity Rating: Critical - Revision Note: V1.1 (August 12, 2009): Updated the Affected Software table to list KB961064 as the only KB replaced by this update in Microsoft Security Bulletin MS09-008Summary: This security update resolves two privately reported vulnerabilities in the Windows Internet Name Service (WINS). Either vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. By default, WINS is not installed on any affected operating system version. Only customers who manually install this component are affected by this issue.

MS09-038 - Critical: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557) - Version:1.0

Severity Rating: Critical - Revision Note: V1.0 (August 11, 2009): Bulletin published.Summary: This security update resolves two privately reported vulnerabilities in Windows Media file processing. Either vulnerability could allow remote code execution if a user opened a specially crafted AVI file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-037 - Critical: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908) - Version:1.1

Severity Rating: Critical - Revision Note: V1.1 (August 12, 2009): Removed erroneous reference to known issues from the Frequently Asked Questions (FAQ) Related to This Security Update section; added new entries to the section, FAQ for Microsoft Video ActiveX Control Vulnerability - CVE-2008-0015, describing the relationship between this bulletin and Microsoft Security Bulletin MS09-032; corrected restart requirements throughout the bulletin; and performed miscellaneous edits.Summary: This security update resolves several privately reported vulnerabilities in Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-036 - Important: Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957) - Version:1.0

Severity Rating: Important - Revision Note: Bulletin published.Summary: This security update addresses a privately reported Denial of Service vulnerability in the Microsoft .NET Framework component of Microsoft Windows. This vulnerability can be exploited only when Internet Information Services (IIS) 7.0 is installed and ASP.

Microsoft Security Advisory (973811): Extended Protection for Authentication

Revision Note: Advisory published.Summary: Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).

MS09-044 - Critical: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)

Bulletin Severity Rating:Critical - This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious

MS09-043 - Critical: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)

Bulletin Severity Rating:Critical - This security update resolves several privately reported vulnerabilities in Microsoft Office Web Components that could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-042 - Important: Vulnerability in Telnet Could Allow Remote Code Execution (960859)

Bulletin Severity Rating:Important - This security update resolves a publicly disclosed vulnerability in the Microsoft Telnet service. The vulnerability could allow an attacker to obtain credentials and then use them to log back into affected systems. The attacker would then acquire user rig

MS09-041 - Important: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)

Bulletin Severity Rating:Important - This security update resolves a privately reported vulnerability in the Windows Workstation Service. The vulnerability could allow elevation of privilege if an attacker created a specially crafted RPC message and sent the message to an affected system. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to a vulnerable system in order to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.

MS09-040 - Important: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)

Bulletin Severity Rating:Important - This security update resolves a privately reported vulnerability in the Windows Message Queuing Service (MSMQ). The vulnerability could allow elevation of privilege if a user received a specially crafted request to an affected MSMQ service. By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled by a user with administrative privileges. Only customers who manually install the Message Queuing component are likely to be vulnerable to this issue.

MS09-039 - Critical: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)

Bulletin Severity Rating:Critical - This security update resolves two privately reported vulnerabilities in the Windows Internet Name Service (WINS). Either vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. By default, WINS is not installed on any affected operating system version. Only customers who manually install this component are affected by this issue.

MS09-038 - Critical: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)

Bulletin Severity Rating:Critical - This security update resolves two privately reported vulnerabilities in Windows Media file processing. Either vulnerability could allow remote code execution if a user opened a specially crafted AVI file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-037 - Critical: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)

Bulletin Severity Rating:Critical - This security update resolves several privately reported vulnerabilities in Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-036 - Important: Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)

Bulletin Severity Rating:Important - This security update addresses a privately reported Denial of Service vulnerability in the Microsoft .NET Framework component of Microsoft Windows. This vulnerability can be exploited only when Internet Information Services (IIS) 7.0 is installed and ASP.

August 2009 Security Bulletin Webcast Video and Customer Q and A

By MSRCTEAM

As we do every month on the Wednesday following our standard second Tuesday security bulletin release, we conducted a live webcast where Adrian Stone and myself went through the bulletins in detail and then answered customer questions with the help of several subject matter experts (SMEs).

It is apparent that there is still a bit of confusion around the Active Template Library (ATL) issue and how current updates relate to work we have already done to provide mitigations, protections and guidance to customers. To try and provide some clarity:

  • Security Advisory 972890: This advisory was released in response to active attacks against the Microsoft Video ActiveX Control in order to provide guidance and mitigations (including a Microsoft Fix it solution) to customers while we worked towards an update for the underlying issue.
  • MS09-032 – Cumulative Update of ActiveX Kill Bits (973346): This bulletin provided an official kill bit update to replace the Microsoft Fix it solution provided by Security Advisory 972890. The update addresses additional kill bits and is also available through Microsoft update technologies such as Windows Update, Microsoft Update, and Windows Software Update Services (WSUS). This kill bit blocked the ability to instantiate the Microsoft Video ActiveX Control in Internet Explorer to mitigate against known attacks.
  • MS09-034 – Cumulative Security Update for Internet Explorer (972260): This bulletin provided a defense-in-depth update that helps mitigate known attack vectors within Internet Explorer. To be clear, Internet Explorer is not vulnerable to these attacks but the vulnerable components can be reached through Internet Explorer. Installing this update mitigates that threat.
  • MS09-035 – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706): This update is specifically geared towards developers of components and controls who use ATL. The update addresses the underlying issue in our Visual Studio development tools. Developers who use ATL should install this update and recompile their components and controls following the guidance in this MSDN article.
  • MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908): This bulletin provides updates for vulnerable components and controls that shipped with Windows products. These are Microsoft components and controls were built using ATL. Among the updates in this bulletin is a binary level update that addresses the vulnerability in the Microsoft Video ActiveX Control that has seen some active attacks. So we previously released a kill bit update to provide immediate protection for customers and are addressing the underlying vulnerability with this update.
  • Security Advisory 973882: This advisory provides information on our ongoing investigation in to the ATL issue and serves as a single source for all related information.

To be even clearer, not every ActiveX control is vulnerable and we have an ongoing investigation into this issue. We will continue to provide updates via Security Advisory 973882 and Security Bulletins as necessary.

Of course this is not the only issue we addressed this month and customers had quite a few questions during the webcast that we provided answers and guidance for. Please review the text version of the Q&A here>>.

Here is the video of the webcast that includes the bulletin by bulletin presentation and the complete Q&A session:

More viewing and listening options:

Please plan to join us for the next regularly scheduled webcast on September 9, 2009 at 11:00 a.m. (UTC-7) where we will again cover any new bulletins and address your questions in real time. Click here to register >>.

Finally, please visit our Security Research & Defense blog where you will find some great deep dive articles full of analysis and guidance on these and many other security issues. You may also find our new blog aggregator useful for getting a consolidated view of all of our Trustworthy Computing blogs.

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

August 2009 Bulletin Release

By MSRCTEAM on Risk Assessment

Summary of Microsoft’s Security Bulletin Release for August 2009

Hi everyone,

This month, we released nine security bulletins. Five of those are rated Critical and four have an aggregate severity rating of Important. Of the nine updates, eight affect Windows and the last one affects Office Web Components (OWC). It is also important to note that five of the six critical updates also have an Exploitability Index rating of “1” which means that we could expect there to be consistent, reliable code in the wild seeking to exploit one or more of these vulnerabilities within the first 30 days from release. The chart below shows the aggregate severity summary and exploitability index ratings for all nine bulletins. This overview chart should guide you in prioritizing this month’s updates in order to protect your systems efficiently and effectively.

Of particular note in this release is MS09-037 which is an update for Microsoft Active Template Library (ATL). Among the five updates in this bulletin is a binary level update for the Microsoft Video ActiveX Control. As you may recall, we originally released Security Advisory 972890 on July 6 in response to an active attack against this component and subsequently released Security Bulletin MS09-032 to supply an official kill bit update (rather than the temporary Microsoft Fix it supplied with the advisory). All of the included vulnerabilities were privately reported, have a critical severity and are rated “1” on our exploitability index. We encourage you to deploy this update as soon as possible. We will be updating Security Advisory 973882 to include a reference to this bulletin as it relates to ATL.

Another of the updates I would like to draw your attention to is MS09-043, which addresses the Office Web Components vulnerability discussed in Security Advisory 973472. We strongly encourage customers to review and deploy this bulletin if applicable given that we have seen exploitation in the wild. Even though this update addresses an ActiveX control issue, it is unrelated to the ATL issue we discuss in Security Advisory 973882.

If you are running a WINS server on either Windows 2000 or Windows Server 2003 then I would also call your attention to MS09-039 as this one has the potential for an un-authenticated, self-replicating attack across the network. Installing the update will protect your systems should any attacks be developed to exploit the vulnerabilities addressed in this update but at this time, we are not aware of any exploit code in the wild.

In the video below, Adrian Stone and I provide an overview of this month’s release and discuss the updates above in a little more detail. For even greater detail on all nine bulletins, please join us tomorrow, August 12 at 11:00 a.m. (UTC-7) for our monthly bulletin webcast where we will also address your questions concerning these updates. Click HERE to register >>

More viewing and listening options:

We are also re-releasing two bulletins this month:

  • MS09-029 to address a print spooler issue on various Windows platforms that could cause the print spooler to stop responding in certain scenarios. Please see Knowledge Base article 961371 for details.
  • MS09-035 to offer new updates for Visual Studio 2005 SP1, Visual Studio 2008 and Visual Studio 2008 SP1. The new security updates are for developers who use Visual Studio to create components and controls for mobile applications using ATL for Smart Devices. All Visual Studio developers should install these new updates so that they can use Visual Studio to create components and controls that are not vulnerable to the reported issues. For more information on this known issue, see Knowledge Base Article 969706.

To close this month’s blog post, I would encourage systems administrators and application developers to read through Security Advisory 973811 which was also released today. This is a non-security update that enables new protection technology that can be used to enhance the protection of credentials when authenticating network connections.

As always, please check the Security Research and Defense blog for additional technical information on these updates and we hope to see you at the webcast tomorrow.

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

No comments:

Post a Comment

My Blog List